samba3upgrade: Failure to find users when adding group members

Andrew Bartlett abartlet at
Wed Nov 9 15:35:04 MST 2011

On Wed, 2011-11-09 at 16:40 -0500, Adam Tauno Williams wrote:
> I've still got to do both the above, but the attached patches did fix
> the import problem.  It now goes on to a provisioning error but that may
> be an error in our daya.

> Cannot open idmap database, Ignoring: [Errno 2] No such file or
> directory
> Ignoring unknown parameter "server role"
> Importing groups
> Group already exists sid=S-1-5-21-2037442776-3290224752-88127236-514,
> groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
> Group already exists sid=S-1-5-32-544, groupname=Administrators
> existing_groupname=Administrators, Ignoring.
> Group already exists sid=S-1-5-32-550, groupname=Print Operators
> existing_groupname=Print Operators, Ignoring.
> Group already exists sid=S-1-5-21-2037442776-3290224752-88127236-512,
> groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
> Importing users
> Adding users to groups
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: Could not add member
> 'S-1-5-21-2037442776-3290224752-88127236-1062' to group
> 'S-1-5-21-2037442776-3290224752-88127236-514' as either group or user
> record doesn't exist: Unable to find GUID for DN 

Thanks for testing the patches, we are now back on to errors in your
database, or in the import scripts.  Can you look up your original LDAP
directory, and tell me if S-1-5-21-2037442776-3290224752-88127236-1062
is a valid user in your LDAP tree, or if not, what it refers to?

We know that S-1-5-21-2037442776-3290224752-88127236-514 is valid, as
the trace above indicates that it refers domain guests, and has already
been added (by provision).  The puzzling thing here is that typically
normal accounts would not be members of the domain guests group.

Once we figure this out, we can decide what to do about it (either fix
your LDAP DB or make the script autocorrect or just warn about common
configuration errors). 


Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list