Upgrade from S3 to a Samba4 DC [with LDAPSAM]
Adam Tauno Williams
awilliam at whitemice.org
Sun Sep 11 05:57:48 MDT 2011
On Fri, 2011-09-09 at 14:27 +0200, Tarjei Huse wrote:
> On 09/08/2011 11:11 PM, Andrew Bartlett wrote:
> > On Thu, 2011-09-08 at 16:56 -0400, Adam Tauno Williams wrote:
> >> Quoting tataia <iongigixx at gmail.com>:
> >>> It happens for groups that have sambaGroupType =5
> >>> replace 5 with 4
> >> Gotcha. And it goes much further. Are users with the same name as
> >> groups an issue? There is only one uid=bie object in the LDAPSAM.
> > Users with the same name as groups have always been prohibited in
> > Windows, even with NT4. I'm not sure there is anything we can do except
> > fail here, but I'm open to suggestions.
> Document it?
It is reasonably well documented [I knew about it]. That is just an
NT/Windows thing. Anyone managing Windows should already know about
that [from the Microsoft documentation], IMO. The only real issue
regarding that is that S3 LDAPSAM was pretty fast-and-loose with
enforcing rules. Does S3 LDAPSAM even use the "cn" attribute as the
group name? It appears to use the "description" attribute in most
places [at least that is what appears on the screen when looking at a
security descriptor].
> Would it be possible for the upgrade script to have a pre flight test
> that checks for gotchas like this and lists the offending entries with
> suggested changes?
I'm not certain that is really why the script was failing. Renaming the
group to not be so-named did *not* resolve the issue. The script didn't
fail with a particularly clear error message.
Just -
s4_passdb.add_sam_account(userdata[username])
passdb.error: Unable to add sam account 'bie', (-1073741725,User exists)
Which doesn't really indicate why it can't add the SAM account; would
an already existing *group* of the same name cause a "User exists"
error?
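The pre-flight check Tarjei asks for above, as an added example that is not part of this thread or of Samba's upgrade script: it reads an LDIF export of the S3 LDAPSAM, flags sambaGroupMapping entries with sambaGroupType 5 (suggesting 4, as tataia noted) and group names that collide with a user uid, and lists each offending DN with a suggested change. The sample LDIF, the helper names and the simplified parser (no folded lines, no base64 values) are assumptions.

```python
from collections import defaultdict
# Constructed sample LDIF, not a real directory dump: group 'bie' collides
# with user 'bie', and 'Domain Guests' carries sambaGroupType 5.
SAMPLE_LDIF = """\
dn: uid=bie,ou=Users,dc=example,dc=com
objectClass: sambaSamAccount
uid: bie

dn: cn=bie,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
cn: bie
sambaGroupType: 2

dn: cn=Domain Guests,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
cn: Domain Guests
sambaGroupType: 5
"""

def parse_ldif(text):
    """Minimal LDIF reader (blank-line separated entries, 'attr: value' lines); returns [{attr: [values]}]."""
    entries, current = [], defaultdict(list)
    for raw in text.splitlines() + [""]:
        if not raw.strip():                   # blank line ends the entry
            if current:
                entries.append(dict(current))
            current = defaultdict(list)
        else:
            attr, _, value = raw.partition(":")
            current[attr.strip().lower()].append(value.strip())
    return entries

def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry.get("objectclass", []))

def preflight(entries):
    """Offending DNs plus a suggested fix: sambaGroupType 5 (use 4) and group cn colliding with a user uid."""
    users = {u.lower() for e in entries if has_class(e, "sambaSamAccount")
             for u in e.get("uid", [])}
    findings = {"group_type_5": [], "name_collisions": []}
    for e in entries:
        if not has_class(e, "sambaGroupMapping"):
            continue
        dn = e["dn"][0]
        if "5" in e.get("sambagrouptype", []):
            findings["group_type_5"].append((dn, "set sambaGroupType: 4"))
        for name in e.get("cn", []):
            if name.lower() in users:         # same name as an existing user
                findings["name_collisions"].append((dn, "rename group or user %r" % name))
    return findings
```

Run it against a real `slapcat` or `ldapsearch -LLL` dump of the LDAPSAM tree before attempting the upgrade, and fix or rename each listed entry first.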