Upgrade from S3 to a Samba4 DC [with LDAPSAM] [SUCCESS!]

Adam Tauno Williams awilliam at whitemice.org
Mon Sep 12 09:20:10 MDT 2011


Quoting Adam Tauno Williams <awilliam at whitemice.org>:

> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
>
>> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
>>> Quoting tataia <iongigixx at gmail.com>:
>>>> It happens for groups that have sambaGroupType =5
>>>> replace 5 with 4
>>> Gotcha.  And it goes much further.  Are users with the same name  
>>> as groups an issue?  There is only one uid=bie object in the  
>>> LDAPSAM.
>> Hrm... so I manually exclude user "bie" and import users completes.
>> But then the script fails while adding users to group.  I've  
>> verified that sambaSID=S-1-5-21-2037442776-3290224752-88127236-9272  
>> [a user] and sambaSID=S-1-5-21-2037442776-3290224752-88127236-1201  
>> [a group] both exist (and both exist only once).
>
> Setting the "debug level" in the S3 smb.conf file seems to work  
> [which is handy].
>
> ???? Is there a way or level to specifically log what LDB is trying  
> to do / look for / add ???
>
> Both S-1-5-21-2037442776-3290224752-88127236-9272 and  
> S-1-5-21-2037442776-3290224752-88127236-1201 exist in the S3 LDAPSAM.
>
> At a debug level of 256 this output looks like -
>
> [root at localhost samba-master]# ./source4/setup/upgrade_from_s3  
> smb.conf /tmp/x --libdir=/root/s3
> Reading smb.conf
> INFO: Current debug levels:
>   all: 256
>   tdb: 256
>   printdrivers: 256
>   lanman: 256
>   smb: 256
>   rpc_parse: 256
>   rpc_srv: 256
>   rpc_cli: 256
>   passdb: 256
>   sam: 256
>   auth: 256
>   winbind: 256
>   vfs: 256
>   idmap: 256
>   quota: 256
>   acls: 256
>   locking: 256
>   msdfs: 256
>   dmapi: 256
>   registry: 256
> doing parameter domain master = yes
> doing parameter preferred master = yes
> doing parameter domain logons = yes
> doing parameter logon script = %G.bat
> doing parameter logon path = \\BARBEL\PROFILES\%U
> doing parameter logon drive = f:
> doing parameter logon home = \\ARABIS-RED\HOMEDIR
> doing parameter wins support = yes
> doing parameter name resolve order = wins host
> doing parameter dns proxy = yes
> doing parameter map to guest = Bad User
> doing parameter passdb backend = ldapsam:ldap://192.168.1.9/
> doing parameter ldap ssl = no
> doing parameter ldap admin dn =  
> uid=CIFSDC,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US
> doing parameter ldap suffix = o=Morrison Industries,c=US
> doing parameter ldap group suffix = ou=Groups,ou=SAM
> doing parameter ldapsam:trusted = yes
> doing parameter idmap backend = ldap:ldap://localhost
> WARNING: The "idmap backend" option is deprecated
> doing parameter ldap idmap suffix = ou=idMap,ou=CIFS,ou=SubSystems
> doing parameter idmap uid = 40000-50000
> WARNING: The "idmap uid" option is deprecated
> doing parameter idmap gid = 40000-50000
> WARNING: The "idmap gid" option is deprecated
> doing parameter winbind use default domain = yes
> doing parameter username map = /etc/samba/username.map
> doing parameter deadtime = 15
> doing parameter log level = 0 winbind:2
> Provisioning
> /root/s3/secrets.tdb
> no talloc stackframe around, leaking memory
> Exporting account policy
> Exporting groups
> Exporting users
>   Skipping wellknown rid=998 (for username=pc01845$)
>   Skipping wellknown rid=500 (for username=root)
> Next rid = 9973
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=micore,DC=us
> Adding configuration container
> Setting up sam.ldb schema
> Reopening sam.ldb with new schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up sam.ldb users and groups
> Setting up self join
> Setting up sam.ldb rootDSE marking as synchronized
> Assuming bind9 DNS server backend
> Adding DNS accounts
> Populating CN=System,DC=micore,DC=us
> See /tmp/x/private/named.conf for an example configuration include  
> file for BIND
> and /tmp/x/private/named.txt for further documentation required for  
> secure DNS updates
> A Kerberos configuration suitable for Samba 4 has been generated at  
> /tmp/x/private/krb5.conf
> Fixing provision GUIDs
> Please install the phpLDAPadmin configuration located at  
> /tmp/x/private/phpldapadmin-config.php into  
> /etc/phpldapadmin/config.php
> Once the above files are installed, your Samba4 server will be ready to use
> Server Role:           domain controller
> Hostname:              BARBEL
> NetBIOS Domain:        BACKBONE
> DNS Domain:            micore.us
> DOMAIN SID:            S-1-5-21-2037442776-3290224752-88127236
> Admin password:        ************************
> Importing WINS database
> Importing Account policy
> Could not set account policy, ((21, "objectclass_attrs: attribute  
> 'minPwdLength' on entry 'DC=micore,DC=us' contains at least one  
> invalid value!"))
> Importing idmap database
> Cannot open idmap database, Ignoring: (2): No such file or directory
> Ignoring unknown parameter "server role"
> Importing groups
> Group already exists  
> sid=S-1-5-21-2037442776-3290224752-88127236-514, groupname=Domain  
> Guests existing_groupname=Domain Guests, Ignoring.
> Group already exists sid=S-1-5-32-544, groupname=Administrators  
> existing_groupname=Administrators, Ignoring.
> Could not add group name=Print Operators ((68, "samldb: Account name  
> (sAMAccountName) 'Print Operators' already in use!"))
> Could not add group name=Mor-Value Parts ((68, "samldb: Account name  
> (sAMAccountName) 'Mor-Value Parts' already in use!"))
> Group already exists  
> sid=S-1-5-21-2037442776-3290224752-88127236-512, groupname=Domain  
> Admins existing_groupname=Domain Admins, Ignoring.
> Importing users
> Adding users to groups
> ProvisioningError: Could not add member  
> 'S-1-5-21-2037442776-3290224752-88127236-9272' to group  
> 'S-1-5-21-2037442776-3290224752-88127236-1201' as either group or  
> user record doesn't exist: Unable to find GUID for DN

BAM! The script has completed successfully; primarily this required
hacking some print statements into the script to help pinpoint what
exactly was happening and then performing some janitorial work in the
elderly LDAPSAM.

1 - Group "displayName" has to be case-insensitive unique.
1.1 - You [obviously, this is NT land] can't have groups and users
of the same name.
2 - If the script doesn't import a user, building the group membership
will fail; although the script never complains about a user it didn't
import.
3 - If a sambaSAMAccount object isn't fully initialized [for example,
has no password] it doesn't appear to get imported.
4 - If you have groups with the same name as a Built-In group, import of
the groups will merrily pass it over but membership assignment will
fail since that is based on SID.  This can be initially confusing [see
#2].  We had a "Print Operators" group with a SID other than the
expected built-in SID; this crashed the script.  I suspect in LDAPSAMs
that have been around a very long time [like ours] running into
something like this probably won't be that uncommon.
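A pre-flight lint for the conditions listed above (and for the sambaGroupType=5 case from the earlier reply), added here as an example and not Samba's upgrade script or code from the thread; it assumes a plain one-value-per-line LDIF export of the LDAPSAM and runs on a constructed sample in place of real entries:

```python
import re
BUILTIN = {"Administrators", "Print Operators", "Backup Operators"}  # expected under S-1-5-32-*

def parse_ldif(text):
    """Minimal LDIF reader (assumes one 'attr: value' per line, entries split by blank lines)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for attr, _, value in (ln.partition(": ") for ln in block.splitlines()):
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def lint_ldapsam(text):
    """Return sorted (problem, detail) pairs for the conditions the post lists."""
    first = lambda e, k: e.get(k, [""])[0]
    entries = parse_ldif(text)
    groups = [e for e in entries if "sambaGroupMapping" in e.get("objectClass", [])]
    users = [e for e in entries if "sambaSamAccount" in e.get("objectClass", [])]
    by_name, findings = {}, []
    for g in groups:
        name, sid = first(g, "displayName"), first(g, "sambaSID")
        by_name.setdefault(name.lower(), []).append(sid)         # 1: unique ignoring case
        if name in BUILTIN and not sid.startswith("S-1-5-32-"):  # 4: domain SID on a builtin name
            findings.append(("builtin-name-domain-sid", f"{name} {sid}"))
        if first(g, "sambaGroupType") == "5":                     # tataia's fix: 5 must become 4
            findings.append(("group-type-5", name))
    findings += [("duplicate-group-name", n) for n, s in by_name.items() if len(s) > 1]
    for u in users:
        if first(u, "uid").lower() in by_name:                    # 1.1: user named like a group
            findings.append(("user-group-name-clash", first(u, "uid")))
        if not first(u, "sambaNTPassword"):                       # 3: uninitialised, import skips it
            findings.append(("account-without-password", first(u, "uid")))
    return sorted(findings)

SAMPLE = """\
objectClass: sambaSamAccount
uid: bie

objectClass: sambaGroupMapping
displayName: BIE
sambaGroupType: 5

objectClass: sambaGroupMapping
displayName: Print Operators
sambaSID: S-1-5-21-1-2-3-1204

objectClass: sambaGroupMapping
displayName: print operators
"""  # constructed sample, not real data: dn lines omitted, SID made up
```

Run it over an `ldapsearch -LLL` dump of the SAM subtree before starting the upgrade; an empty result means none of the listed traps are present.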


