Upgrade from S3 to a Samba4 DC [with LDAPSAM]

Andrew Bartlett abartlet at samba.org
Mon Sep 12 16:20:08 MDT 2011


On Sun, 2011-09-11 at 07:57 -0400, Adam Tauno Williams wrote:
> On Fri, 2011-09-09 at 14:27 +0200, Tarjei Huse wrote:
> > On 09/08/2011 11:11 PM, Andrew Bartlett wrote:
> > > On Thu, 2011-09-08 at 16:56 -0400, Adam Tauno Williams wrote:
> > >> Quoting tataia <iongigixx at gmail.com>:
> > >>> It happens for groups that have sambaGroupType =5
> > >>> replace 5 with 4
> > >> Gotcha.  And it goes much further.  Are users with the same name as  
> > >> groups an issue?  There is only one uid=bie object in the LDAPSAM.
> > > Users with the same name as groups have always been prohibited in
> > > Windows, even with NT4.  I'm not sure there is anything we can do except
> > > fail here, but I'm open to suggestions.
> > Document it?
> 
> It is reasonably well documented [I knew about it].  That is just an
> NT/Windows thing.  Anyone managing Windows should already know about
> that [from the Microsoft documentation], IMO.  The only real issue
> regarding that is that S3 LDAPSAM was pretty fast-and-loose with
> enforcing rules.  Does S3 LDAPSAM even use the "cn" attribute as the
> group name?  It appears to use the "description" attribute in most
> places [at least that is what appears on the screen when looking at a
> security descriptor].
> 
> > Would it be possible for the upgrade script to have a pre flight test
> > that checks for gotchas like this and lists the offending entries with
> > suggested changes?
> 
> I'm not certain that is really why the script was failing.  Renaming the
> group to not be so-named did *not* resolve the issue.  The script didn't
> fail with a particularly clear error message.
> 
> Just -
> s4_passdb.add_sam_account(userdata[username])
> passdb.error: Unable to add sam account 'bie', (-1073741725,User exists)
> 
> Which doesn't really indicate why it can't add the SAM account;  would
> an already existing *group* of the same name cause a "User exists"
> error?

Yes, it would cause that error from that interface (we could fix that
interface I guess). 

I took an alternate approach, and we now (as of current master) perform
a pre-flight check for duplicate user and group names, as well as user
and group SIDs before the provision stage.  

The advantage of this approach is that we list all the duplicates, and
we have the space to make verbose recommendations (patches from
experienced users most welcome).

The command has also been renamed in preparation for the Samba 4.0 alpha
17 release; it is now 'samba-tool domain samba3upgrade'.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
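The pre-flight check Andrew describes (duplicate user/group names and duplicate SIDs, reported all at once with a recommendation each, rather than a bare "User exists" from add_sam_account) can be illustrated with the following added example. This is not samba-tool's own code: it models LDAPSAM entries as plain Python dicts with constructed, hypothetical names and SIDs instead of querying LDAP, compares names case-insensitively as Windows does, and also flags groups with sambaGroupType 5, which the thread above reports as breaking the upgrade until the type is changed to 4.

```python
from collections import defaultdict

# Constructed sample data (hypothetical names and SIDs), shaped like the
# sambaSamAccount / sambaGroupMapping attributes an LDAPSAM backend holds.
SAMPLE_USERS = [
    {"name": "bie",   "sid": "S-1-5-21-1-2-3-1000"},
    {"name": "alice", "sid": "S-1-5-21-1-2-3-1002"},
    {"name": "bob",   "sid": "S-1-5-21-1-2-3-1004"},
]
SAMPLE_GROUPS = [
    {"name": "bie",          "sid": "S-1-5-21-1-2-3-1001", "type": 5},
    {"name": "staff",        "sid": "S-1-5-21-1-2-3-1002", "type": 4},
    {"name": "Domain Users", "sid": "S-1-5-21-1-2-3-513",  "type": 2},
]


def find_conflicts(users, groups):
    """Return [(kind, key, owners)] for every name or SID claimed more than
    once. kind is "name" or "sid"; owners is a list of (entry_kind, name).
    Names are compared case-insensitively, as Windows does (assumption)."""
    by_name = defaultdict(list)
    by_sid = defaultdict(list)
    for kind, entries in (("user", users), ("group", groups)):
        for e in entries:
            by_name[e["name"].lower()].append((kind, e["name"]))
            by_sid[e["sid"]].append((kind, e["name"]))
    conflicts = []
    for key, owners in sorted(by_name.items()):
        if len(owners) > 1:
            conflicts.append(("name", key, owners))
    for key, owners in sorted(by_sid.items()):
        if len(owners) > 1:
            conflicts.append(("sid", key, owners))
    return conflicts


def find_type5_groups(groups):
    """Names of groups with sambaGroupType 5; the thread reports these break
    the upgrade and that setting the type to 4 works around it."""
    return [g["name"] for g in groups if g.get("type") == 5]


def preflight_report(users, groups):
    """Human-readable lines, one per finding, each with a suggested fix."""
    lines = []
    for kind, key, owners in find_conflicts(users, groups):
        who = ", ".join(f"{k} '{n}'" for k, n in owners)
        if kind == "name":
            lines.append(f"duplicate name '{key}': {who}; rename one of "
                         "them, Windows forbids a user and a group sharing "
                         "a name")
        else:
            lines.append(f"duplicate SID {key}: {who}; assign a unique "
                         "sambaSID to one of them")
    for name in find_type5_groups(groups):
        lines.append(f"group '{name}' has sambaGroupType 5; set it to 4 "
                     "before upgrading")
    return lines


if __name__ == "__main__":
    report = preflight_report(SAMPLE_USERS, SAMPLE_GROUPS)
    if report:
        print("Pre-flight check found problems:")
        for line in report:
            print("  -", line)
    else:
        print("Pre-flight check passed")
```

Run as a script it prints every finding for the constructed data; the point of collecting all conflicts before touching the target domain is that an administrator can fix the source LDAP in one pass instead of discovering one failure per upgrade attempt.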