Upgrade from S3 to a Samba4 DC [with LDAPSAM]

Adam Tauno Williams awilliam at whitemice.org
Mon Sep 12 06:24:51 MDT 2011

Quoting Adam Tauno Williams <awilliam at whitemice.org>:

> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
>> Quoting tataia <iongigixx at gmail.com>:
>>> It happens for groups that have sambaGroupType =5
>>> replace 5 with 4
>> Gotcha.  And it goes much further.  Are users with the same name as  
>> groups an issue?  There is only one uid=bie object in the LDAPSAM.
> Hrm... so I manually exclude user "bie" and import users completes.
> But then the script fails while adding users to group.  I've  
> verified that sambaSID=S-1-5-21-2037442776-3290224752-88127236-9272  
> [a user] and sambaSID=S-1-5-21-2037442776-3290224752-88127236-1201  
> [a group] both exist (and both exist only once).

Setting the "debug level" in the S3 smb.conf file seems to work [which  
is handy].

???? Is there a way or level to specifically log what LDB is trying to  
do / look for / add ???

Both S-1-5-21-2037442776-3290224752-88127236-9272 and  
S-1-5-21-2037442776-3290224752-88127236-1201 exist in the S3 LDAPSAM.

At a debug level of 256 this output looks like -

[root@localhost samba-master]# ./source4/setup/upgrade_from_s3 smb.conf /tmp/x --libdir=/root/s3
Reading smb.conf
INFO: Current debug levels:
   all: 256
   tdb: 256
   printdrivers: 256
   lanman: 256
   smb: 256
   rpc_parse: 256
   rpc_srv: 256
   rpc_cli: 256
   passdb: 256
   sam: 256
   auth: 256
   winbind: 256
   vfs: 256
   idmap: 256
   quota: 256
   acls: 256
   locking: 256
   msdfs: 256
   dmapi: 256
   registry: 256
doing parameter domain master = yes
doing parameter preferred master = yes
doing parameter domain logons = yes
doing parameter logon script = %G.bat
doing parameter logon path = \\BARBEL\PROFILES\%U
doing parameter logon drive = f:
doing parameter logon home = \\ARABIS-RED\HOMEDIR
doing parameter wins support = yes
doing parameter name resolve order = wins host
doing parameter dns proxy = yes
doing parameter map to guest = Bad User
doing parameter passdb backend = ldapsam:ldap://
doing parameter ldap ssl = no
doing parameter ldap admin dn =  
uid=CIFSDC,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US
doing parameter ldap suffix = o=Morrison Industries,c=US
doing parameter ldap group suffix = ou=Groups,ou=SAM
doing parameter ldapsam:trusted = yes
doing parameter idmap backend = ldap:ldap://localhost
WARNING: The "idmap backend" option is deprecated
doing parameter ldap idmap suffix = ou=idMap,ou=CIFS,ou=SubSystems
doing parameter idmap uid = 40000-50000
WARNING: The "idmap uid" option is deprecated
doing parameter idmap gid = 40000-50000
WARNING: The "idmap gid" option is deprecated
doing parameter winbind use default domain = yes
doing parameter username map = /etc/samba/username.map
doing parameter deadtime = 15
doing parameter log level = 0 winbind:2
no talloc stackframe around, leaking memory
Exporting account policy
Exporting groups
Exporting users
   Skipping wellknown rid=998 (for username=pc01845$)
   Skipping wellknown rid=500 (for username=root)
Next rid = 9973
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=micore,DC=us
Adding configuration container
Setting up sam.ldb schema
Reopening sam.ldb with new schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up sam.ldb users and groups
Setting up self join
Setting up sam.ldb rootDSE marking as synchronized
Assuming bind9 DNS server backend
Adding DNS accounts
Populating CN=System,DC=micore,DC=us
See /tmp/x/private/named.conf for an example configuration include  
file for BIND
and /tmp/x/private/named.txt for further documentation required for  
secure DNS updates
A Kerberos configuration suitable for Samba 4 has been generated at  
Fixing provision GUIDs
Please install the phpLDAPadmin configuration located at  
/tmp/x/private/phpldapadmin-config.php into /etc/phpldapadmin/config.php
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           domain controller
Hostname:              BARBEL
NetBIOS Domain:        BACKBONE
DNS Domain:            micore.us
DOMAIN SID:            S-1-5-21-2037442776-3290224752-88127236
Admin password:        ************************
Importing WINS database
Importing Account policy
Could not set account policy, ((21, "objectclass_attrs: attribute  
'minPwdLength' on entry 'DC=micore,DC=us' contains at least one  
invalid value!"))
Importing idmap database
Cannot open idmap database, Ignoring: (2): No such file or directory
Ignoring unknown parameter "server role"
Importing groups
Group already exists sid=S-1-5-21-2037442776-3290224752-88127236-514,  
groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-32-544, groupname=Administrators  
existing_groupname=Administrators, Ignoring.
Could not add group name=Print Operators ((68, "samldb: Account name  
(sAMAccountName) 'Print Operators' already in use!"))
Could not add group name=Mor-Value Parts ((68, "samldb: Account name  
(sAMAccountName) 'Mor-Value Parts' already in use!"))
Group already exists sid=S-1-5-21-2037442776-3290224752-88127236-512,  
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Importing users
Adding users to groups
ProvisioningError: Could not add member  
'S-1-5-21-2037442776-3290224752-88127236-9272' to group  
'S-1-5-21-2037442776-3290224752-88127236-1201' as either group or user  
record doesn't exist: Unable to find GUID for DN
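
The thread names three conditions around which the import fails: groups with sambaGroupType 5, a user sharing a name with a group, and a membership the import cannot resolve. The following pre-flight check over an LDIF export of the S3 LDAPSAM is an added example, not part of the original post and not Samba code. The DNs, SIDs and names are constructed, and it assumes membership is stored in memberUid and that the export is plain, unfolded LDIF.

```python
import re
from collections import defaultdict

# Constructed sample export (DNs, names and SIDs are made up).
SAMPLE_LDIF = """\
dn: uid=bie,ou=People,o=Example
objectClass: sambaSamAccount
uid: bie
sambaSID: S-1-5-21-1-2-3-9272

dn: cn=bie,ou=Groups,o=Example
objectClass: sambaGroupMapping
cn: bie
sambaSID: S-1-5-21-1-2-3-1201
sambaGroupType: 2
memberUid: bie
memberUid: ghost

dn: cn=Print Operators,ou=Groups,o=Example
objectClass: sambaGroupMapping
cn: Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF (no base64 values, no folded lines)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep:
                entry[attr.lower()].append(value.strip())
        entries.append(entry)
    return entries

def has_class(entry, name):
    return name.lower() in (c.lower() for c in entry["objectclass"])

def preflight(entries):
    """Return (type-5 groups, user/group name clashes, unresolved members)."""
    users = {u.lower() for e in entries if has_class(e, "sambaSamAccount")
             for u in e["uid"]}
    groups = [e for e in entries if has_class(e, "sambaGroupMapping") and e["cn"]]
    type5 = sorted(g["cn"][0] for g in groups if "5" in g["sambagrouptype"])
    clashes = sorted(g["cn"][0] for g in groups if g["cn"][0].lower() in users)
    dangling = sorted((g["cn"][0], m) for g in groups
                      for m in g["memberuid"] if m.lower() not in users)
    return type5, clashes, dangling
```

Running `preflight(parse_ldif(...))` on a real export before `upgrade_from_s3` lists the entries to inspect by hand; it does not modify the directory.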
