[Samba] error adding users to Domain Admins group during classicupgrade

Ruisheng Peng rpeng at ifa.hawaii.edu
Tue May 14 09:15:16 UTC 2019


Thanks for the quick reply Rowland!

I see what I did wrong:  I edited the smb.PDC.conf on the AD DC server with
a new domain name hoping both the AD DC and the existing NT4 PDC would be
up and running so I could move clients over one at a time to minimize down
time. So that's a no go. Instead of classicupgrade, if I provision the new
AD DC with a new domain name, would there be a way to import users and
groups from the NT4 domain into the new AD domain so their profiles and
files on existing samba shares could be readily used under AD DC?  There's
not a lot of users, I could move them one at a time manually if that's what
it takes.

  Thanks,

--Ruisheng

On Mon, May 13, 2019 at 10:13 PM Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 14/05/2019 08:44, Ruisheng Peng via samba wrote:
> > Hi,
> >
> >    I'm trying to migrate an NT4 domain under Samba3 to an AD DC under Samba4
> > on a separate server.  During the classicupgrade, there were a number of
> > warnings while importing groups:
> >
> > WARNING 2019-05-13 15:09:56,728 pid:25284
> > /usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py #299: Could
> > not add group name=Domain Admins ((68, 'Entry CN=Domain
> > Admins,CN=Users,DC=ifa,DC=hawaii,DC=edu already exists'))
> >
> > WARNING 2019-05-13 15:09:56,729 pid:25284
> > /usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py #161: Could
> > not modify AD idmap entry for
> > sid=S-1-5-21-280721883-191778108-123917971-512, id=512, type=ID_TYPE_GID
> > ((32, "Base-DN '<SID=S-1-5-21-280721883-191778108-123917971-512>' not
> > found"))
>
>
> You will get errors like this because the groups will already have been
> created before the users and groups are migrated, you can ignore these.
>
> > Soon after when adding users to groups, the process bombed out with
> > the following error:
> >
> >
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> > ProvisioningError: Could not add member
> > 'S-1-5-21-2342696748-4272319941-312989834-1001' to group
> > 'S-1-5-21-280721883-191778108-123917971-512' as either group or user record
> > doesn't exist: Base-DN '<SID=S-1-5-21-280721883-191778108-123917971-512>'
> > not found
>
> Why does the user have a different SID to the group ?
>
> That would make them members of different domains.
>
> Is it like this in your old domain ?
>
> Rowland
>
>
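
Added example, not part of the original thread and not Samba's own code: the check behind the question about differing SIDs, splitting each SID into its domain part and RID and flagging memberships that cross domains. The function names and the second membership pair are constructed for illustration; the other SIDs are the ones quoted in the error above.

```python
import re
from collections import defaultdict

# Domain-relative SIDs only (S-1-5-21-<a>-<b>-<c>-<RID>); builtin SIDs
# such as S-1-5-32-544 have no domain part and are not matched.
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")

def split_sid(sid):
    """Split a domain-relative SID into (domain SID, RID)."""
    if not SID_RE.fullmatch(sid):
        raise ValueError("not a domain-relative SID: %r" % sid)
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)

def sids_by_domain(text):
    """Group the RIDs of every SID found in text by domain SID."""
    found = defaultdict(set)
    for sid in SID_RE.findall(text):
        domain, rid = split_sid(sid)
        found[domain].add(rid)
    return dict(found)

def cross_domain_members(memberships):
    """Return the (member, group) pairs whose domain SIDs differ."""
    return [(m, g) for m, g in memberships
            if split_sid(m)[0] != split_sid(g)[0]]

# Error text from the thread above, with the mail line breaks joined.
LOG = ("ProvisioningError: Could not add member "
       "'S-1-5-21-2342696748-4272319941-312989834-1001' to group "
       "'S-1-5-21-280721883-191778108-123917971-512' as either group or "
       "user record doesn't exist: Base-DN "
       "'<SID=S-1-5-21-280721883-191778108-123917971-512>' not found")

GROUP = "S-1-5-21-280721883-191778108-123917971-512"
MEMBERSHIPS = [
    ("S-1-5-21-2342696748-4272319941-312989834-1001", GROUP),  # from the error
    ("S-1-5-21-280721883-191778108-123917971-1002", GROUP),    # constructed
]

if __name__ == "__main__":
    for domain, rids in sorted(sids_by_domain(LOG).items()):
        print("domain %s  RIDs %s" % (domain, sorted(rids)))
    for member, group in cross_domain_members(MEMBERSHIPS):
        print("member %s is not in the domain of group %s" % (member, group))
```

More than one domain SID in the output means the old passdb holds accounts created under a different domain SID than the groups.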
