Upgrade from S3 to a Samba4 DC [with LDAPSAM] [NOTE!]

Adam Tauno Williams awilliam at whitemice.org
Mon Sep 12 07:28:34 MDT 2011 

Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> On Fri, 2011-09-09 at 14:27 +0200, Tarjei Huse wrote:
>> On 09/08/2011 11:11 PM, Andrew Bartlett wrote:
>> > On Thu, 2011-09-08 at 16:56 -0400, Adam Tauno Williams wrote:
>> >> Quoting tataia <iongigixx at gmail.com>:
>> >>> It happens for groups that have sambaGroupType =5
>> >>> replace 5 with 4
>> >> Gotcha.  And it goes much further.  Are users with the same name as
>> >> groups an issue?  There is only one uid=bie object in the LDAPSAM.
>> > Users with the same name as groups have always been prohibited in
>> > Windows, even with NT4.  I'm not sure there is anything we can do except
>> > fail here, but I'm open to suggestions.
>> Document it?
> It is reasonably well documented [I knew about it].  That is just an
> NT/Windows thing.  Anyone managing Windows should already know about
> that [from the Microsoft documentation], IMO.  The only really issue
> regarding that is that S3 LDAPSAM was pretty fast-and-loose with
> enforcing rules.   Does S3 LDAPSAM even use the "cn" attribute as the
> group name?  It appears to use the "description" attribute in most
> places [at least that is what appears on the screen when looking at a
> security descriptor].

Indeed it does use "description" as the name of at least the group and  
that value is case-insensitive [again, obvious in hind-sight].

I resolved by duplicate issue which resulted in -

Failed to create user record CN=bie,CN=Users,DC=micore,DC=us: samldb:  
Account name (sAMAccountName) 'bie' already in use!
Traceback (most recent call last):
   File "./source4/setup/upgrade_from_s3", line 129, in <module>
     upgrade_from_samba3(samba3, logger, targetdir,  
session_info=system_session(), useeadb=eadb)
   File "bin/python/samba/upgrade.py", line 640, in upgrade_from_samba3
     s4_passdb.add_sam_account(userdata[username])
passdb.error: Unable to add sam account 'bie', (-1073741725,User exists)

- by changing the *description* attribute of the posixGroup in the S3  
LDAPSAM.  Previously I had changed the "cn" which did not resolve the  
issue.

More information about the samba-technical mailing list