Upgrade from S3 to a Samba4 DC [with LDAPSAM] [NOTE!]
Adam Tauno Williams
awilliam at whitemice.org
Mon Sep 12 07:28:34 MDT 2011
Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> On Fri, 2011-09-09 at 14:27 +0200, Tarjei Huse wrote:
>> On 09/08/2011 11:11 PM, Andrew Bartlett wrote:
>> > On Thu, 2011-09-08 at 16:56 -0400, Adam Tauno Williams wrote:
>> >> Quoting tataia <iongigixx at gmail.com>:
>> >>> It happens for groups that have sambaGroupType =5
>> >>> replace 5 with 4
>> >> Gotcha. And it goes much further. Are users with the same name as
>> >> groups an issue? There is only one uid=bie object in the LDAPSAM.
>> > Users with the same name as groups have always been prohibited in
>> > Windows, even with NT4. I'm not sure there is anything we can do except
>> > fail here, but I'm open to suggestions.
>> Document it?
> It is reasonably well documented [I knew about it]. That is just an
> NT/Windows thing. Anyone managing Windows should already know about
> that [from the Microsoft documentation], IMO. The only real issue
> regarding that is that S3 LDAPSAM was pretty fast-and-loose with
> enforcing rules. Does S3 LDAPSAM even use the "cn" attribute as the
> group name? It appears to use the "description" attribute in most
> places [at least that is what appears on the screen when looking at a
> security descriptor].
Indeed it does use "description" as the name of at least the group and
that value is case-insensitive [again, obvious in hindsight].
I resolved my duplicate issue which resulted in -
Failed to create user record CN=bie,CN=Users,DC=micore,DC=us: samldb:
Account name (sAMAccountName) 'bie' already in use!
Traceback (most recent call last):
File "./source4/setup/upgrade_from_s3", line 129, in <module>
upgrade_from_samba3(samba3, logger, targetdir,
session_info=system_session(), useeadb=eadb)
File "bin/python/samba/upgrade.py", line 640, in upgrade_from_samba3
s4_passdb.add_sam_account(userdata[username])
passdb.error: Unable to add sam account 'bie', (-1073741725,User exists)
- by changing the *description* attribute of the posixGroup in the S3
LDAPSAM. Previously I had changed the "cn" which did not resolve the
issue.
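
Added example, not part of the original message or of Samba's upgrade code: a pre-migration check that scans an LDIF export of the S3 LDAPSAM for group entries whose "cn" or "description" matches a user's uid case-insensitively, the collision reported in this message. The sample LDIF, the example.com DNs and the function names are constructed for illustration; selecting entries by the sambaSamAccount and sambaGroupMapping object classes is an assumption about the directory layout.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF (not from the original post), shaped like an S3 LDAPSAM export.
SAMPLE_LDIF = """\
dn: uid=bie,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: bie

dn: cn=bie-staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: bie-staff
description: BIE

dn: cn=sales,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
cn: sales
description: Sales
"""

def parse_ldif(text):
    """Parse LDIF into [{attr_lowercase: [values]}]; unfolds lines, decodes base64."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split entries
        entry = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[attr.lower()].append(value.strip())
        if entry:
            entries.append(dict(entry))
    return entries

def find_name_collisions(entries, group_attrs=("cn", "description")):
    """Return (user_dn, group_dn, attr, value) where a group attr equals a uid, ignoring case."""
    def has_class(e, name):
        return name in (c.lower() for c in e.get("objectclass", []))
    users = {u.casefold(): e["dn"][0] for e in entries
             if has_class(e, "sambasamaccount") for u in e.get("uid", [])}
    return [(users[v.casefold()], e["dn"][0], attr, v)
            for e in entries if has_class(e, "sambagroupmapping")
            for attr in group_attrs for v in e.get(attr, [])
            if v.casefold() in users]
```

Checking only "cn" on the sample finds nothing, while the default attribute list flags the group whose description is "BIE", which mirrors the experience above where renaming the "cn" alone did not clear the error.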