[Samba] Starting S4 in production

Andrew Bartlett abartlet at samba.org
Mon Feb 11 03:57:06 MST 2013 

On Mon, 2013-02-11 at 09:54 +0100, Hervé Hénoch wrote:
> Hello,
> 
> I would try to migrate S3 to S4 in production but these messages (in 
> bold) blocks me to do this. I can authenticate users et computers yet !, 
> So what does they mean ?
> 
> Regards
> 
> 
> root at vspdc:~# /usr/local/samba/bin/samba-tool domain classicupgrade 
> --dbdir=/root/smb3/varlib  --dns-backend=BIND9_DLZ --use-xattrs=yes  
> --realm=sc.isc84.org /root/smb3/etc/smb.conf
> Reading smb.conf
> Provisioning
> Exporting account policy
> Exporting groups
> *Severe DB error, sambaSamAccount can't miss the samba SIDattribute*
> Ignoring group 'Domain Users' 
> S-1-5-21-1031258178-388409940-3248586695-513 listed but then not found: 
> Unable to enumerate group members, 
> (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
> *Ignoring group 'Administrators' S-1-5-32-544 listed but then not found: 
> Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
> Ignoring group 'Account Operators' S-1-5-32-548 listed but then not 
> found: Unable to enumerate members for alias, 
> (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
> Ignoring group 'Print Operators' S-1-5-32-550 listed but then not found: 
> Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
> Ignoring group 'Backup Operators' S-1-5-32-551 listed but then not 
> found: Unable to enumerate members for alias, 
> (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
> Ignoring group 'Replicators' S-1-5-32-552 listed but then not found: 
> Unable to enumerate members for alias, 
> (-1073741487,NT_STATUS_NO_SUCH_ALIAS)*
> Exporting users
> Could not convert  S-1-5-21-1031258178-388409940-3248586695-5444 to SID
>    Skipping wellknown rid=500 (for username=root)
> Ignoring group memberships of 'nobody' 
> S-1-5-21-1031258178-388409940-3248586695-2998: Unable to enumerate group 
> memberships, *(-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)*

None of these errors are fatal - they are just invalid aspects of your
passdb database that we were able to skip over harmlessly.  For example,
it does not matter that we could not list members of "domain users" as
users a members of that group via their primary group ID.   Similarly,
as we already recreate the administrator account, the domain
administrators group and the administrators alias, these being incorrect
in your passdb is harmless.

We skipped importing 'root' as we created a new 'administrator' account
instead, and used the 'root' password.

Even the 'missing sambaSID attribute' error can't be too much of a
problem, as this cannot have been a working part of your existing domain
anyway.

If you have problems with your upgraded DC, diagnose them from what
errors are directly produced - as the upgrade appears to have progressed
fine!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list