Upgrade from S3 to a Samba4 DC [with LDAPSAM] [SUCCESS!]

Andrew Bartlett abartlet at samba.org
Mon Sep 12 17:32:37 MDT 2011


On Mon, 2011-09-12 at 11:20 -0400, Adam Tauno Williams wrote:
> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> 
> > Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> >
> >> Quoting Adam Tauno Williams <awilliam at whitemice.org>:
> >>> Quoting tataia <iongigixx at gmail.com>:
> >>>> It happens for groups that have sambaGroupType =5
> >>>> replace 5 with 4
> >>> Gotcha.  And it goes much further.  Are users with the same name  
> >>> as groups an issue?  There is only one uid=bie object in the  
> >>> LDAPSAM.
> >> Hrm... so I manually exclude user "bie" and import users completes.
> >> But then the script fails while adding users to group.  I've  
> >> verified that sambaSID=S-1-5-21-2037442776-3290224752-88127236-9272  
> >> [a user] and sambaSID=S-1-5-21-2037442776-3290224752-88127236-1201  
> >> [a group] both exist (and both exist only once).
> >
> > Setting the "debug level" in the S3 smb.conf file seems to work  
> > [which is handy].
> >
> > ???? Is there a way or level to specifically log what LDB is trying  
> > to do / look for / add ???
> >
> > Both S-1-5-21-2037442776-3290224752-88127236-9272 and  
> > S-1-5-21-2037442776-3290224752-88127236-1201 exist in the S3 LDAPSAM.
> >
> > At a debug level of 256 this output looks like -
> >
> > [root at localhost samba-master]# ./source4/setup/upgrade_from_s3  
> > smb.conf /tmp/x --libdir=/root/s3
> > Reading smb.conf
> > INFO: Current debug levels:
> >   all: 256
> >   tdb: 256
> >   printdrivers: 256
> >   lanman: 256
> >   smb: 256
> >   rpc_parse: 256
> >   rpc_srv: 256
> >   rpc_cli: 256
> >   passdb: 256
> >   sam: 256
> >   auth: 256
> >   winbind: 256
> >   vfs: 256
> >   idmap: 256
> >   quota: 256
> >   acls: 256
> >   locking: 256
> >   msdfs: 256
> >   dmapi: 256
> >   registry: 256
> > doing parameter domain master = yes
> > doing parameter preferred master = yes
> > doing parameter domain logons = yes
> > doing parameter logon script = %G.bat
> > doing parameter logon path = \\BARBEL\PROFILES\%U
> > doing parameter logon drive = f:
> > doing parameter logon home = \\ARABIS-RED\HOMEDIR
> > doing parameter wins support = yes
> > doing parameter name resolve order = wins host
> > doing parameter dns proxy = yes
> > doing parameter map to guest = Bad User
> > doing parameter passdb backend = ldapsam:ldap://192.168.1.9/
> > doing parameter ldap ssl = no
> > doing parameter ldap admin dn =  
> > uid=CIFSDC,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US
> > doing parameter ldap suffix = o=Morrison Industries,c=US
> > doing parameter ldap group suffix = ou=Groups,ou=SAM
> > doing parameter ldapsam:trusted = yes
> > doing parameter idmap backend = ldap:ldap://localhost
> > WARNING: The "idmap backend" option is deprecated
> > doing parameter ldap idmap suffix = ou=idMap,ou=CIFS,ou=SubSystems
> > doing parameter idmap uid = 40000-50000
> > WARNING: The "idmap uid" option is deprecated
> > doing parameter idmap gid = 40000-50000
> > WARNING: The "idmap gid" option is deprecated
> > doing parameter winbind use default domain = yes
> > doing parameter username map = /etc/samba/username.map
> > doing parameter deadtime = 15
> > doing parameter log level = 0 winbind:2
> > Provisioning
> > /root/s3/secrets.tdb
> > no talloc stackframe around, leaking memory
> > Exporting account policy
> > Exporting groups
> > Exporting users
> >   Skipping wellknown rid=998 (for username=pc01845$)
> >   Skipping wellknown rid=500 (for username=root)
> > Next rid = 9973
> > Looking up IPv4 addresses
> > Looking up IPv6 addresses
> > No IPv6 address will be assigned
> > Setting up share.ldb
> > Setting up secrets.ldb
> > Setting up the registry
> > Setting up the privileges database
> > Setting up idmap db
> > Setting up SAM db
> > Setting up sam.ldb partitions and settings
> > Setting up sam.ldb rootDSE
> > Pre-loading the Samba 4 and AD schema
> > Adding DomainDN: DC=micore,DC=us
> > Adding configuration container
> > Setting up sam.ldb schema
> > Reopening sam.ldb with new schema
> > Setting up sam.ldb configuration data
> > Setting up display specifiers
> > Adding users container
> > Modifying users container
> > Adding computers container
> > Modifying computers container
> > Setting up sam.ldb data
> > Setting up sam.ldb users and groups
> > Setting up self join
> > Setting up sam.ldb rootDSE marking as synchronized
> > Assuming bind9 DNS server backend
> > Adding DNS accounts
> > Populating CN=System,DC=micore,DC=us
> > See /tmp/x/private/named.conf for an example configuration include  
> > file for BIND
> > and /tmp/x/private/named.txt for further documentation required for  
> > secure DNS updates
> > A Kerberos configuration suitable for Samba 4 has been generated at  
> > /tmp/x/private/krb5.conf
> > Fixing provision GUIDs
> > Please install the phpLDAPadmin configuration located at  
> > /tmp/x/private/phpldapadmin-config.php into  
> > /etc/phpldapadmin/config.php
> > Once the above files are installed, your Samba4 server will be ready to use
> > Server Role:           domain controller
> > Hostname:              BARBEL
> > NetBIOS Domain:        BACKBONE
> > DNS Domain:            micore.us
> > DOMAIN SID:            S-1-5-21-2037442776-3290224752-88127236
> > Admin password:        ************************
> > Importing WINS database
> > Importing Account policy
> > Could not set account policy, ((21, "objectclass_attrs: attribute  
> > 'minPwdLength' on entry 'DC=micore,DC=us' contains at least one  
> > invalid value!"))
> > Importing idmap database
> > Cannot open idmap database, Ignoring: (2): No such file or directory
> > Ignoring unknown parameter "server role"
> > Importing groups
> > Group already exists  
> > sid=S-1-5-21-2037442776-3290224752-88127236-514, groupname=Domain  
> > Guests existing_groupname=Domain Guests, Ignoring.
> > Group already exists sid=S-1-5-32-544, groupname=Administrators  
> > existing_groupname=Administrators, Ignoring.
> > Could not add group name=Print Operators ((68, "samldb: Account name  
> > (sAMAccountName) 'Print Operators' already in use!"))
> > Could not add group name=Mor-Value Parts ((68, "samldb: Account name  
> > (sAMAccountName) 'Mor-Value Parts' already in use!"))
> > Group already exists  
> > sid=S-1-5-21-2037442776-3290224752-88127236-512, groupname=Domain  
> > Admins existing_groupname=Domain Admins, Ignoring.
> > Importing users
> > Adding users to groups
> > ProvisioningError: Could not add member  
> > 'S-1-5-21-2037442776-3290224752-88127236-9272' to group  
> > 'S-1-5-21-2037442776-3290224752-88127236-1201' as either group or  
> > user record doesn't exist: Unable to find GUID for DN
> 
> BAM! The script has completed successfully;  primarily this required  
> hacking some print statements into the script to help pin-point what  
> exactly was happening and then performing some janitorial work in the  
> elderly LDAPSAM.
> 
> 1 - Group "displayName" has to be case-insensitive unique.
> 1.1. - You [obviously, this is NT land] can't have groups and users  
> of the same name.
> 2 - If the script doesn't import a user building the group membership  
> will fail;  although the script never complains about a user it didn't  
> import.
> 3 - If a sambaSAMAccount object isn't fully initialized [for example,  
> has no password] it doesn't appear to get imported.
> 4 - If you have groups with the same name as a Built-In group, import of  
> the groups will merrily pass it over but membership assignment will  
> fail since that is based on SID.  This can be initially confusing [see  
> #2].  We had a "Print Operators" group with a SID other than the  
> expected built-in SID, this crashed the script.  I suspect in LDAPSAMs  
> that have been around a very long time [like ours] running into  
> something like this probably won't be that uncommon.

If you could prepare some patches to assist sites like yours in
debugging Samba3 upgrades I would very much appreciate it.  In
particular, details about the users which didn't import and what is
special about them would be useful.  I'm quite willing to make it fail
if it cannot import a user, if that would make debugging easier.

Your feedback here is particularly valuable.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
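As an added example (not code from the thread or from Samba's upgrade_from_s3), a pre-flight check over an LDIF export of the LDAPSAM that flags the conditions Adam lists before the upgrade is attempted: a non-unique group displayName (case-insensitive), a user sharing a name with a group, a sambaSamAccount with no NT password, a sambaGroupType of 5, and a group carrying a BUILTIN name on a domain-relative SID. The LDIF sample, the attribute names used for each check, and the two-entry BUILTIN SID table are assumptions.

```python
from collections import defaultdict

BUILTIN_SIDS = {"administrators": "S-1-5-32-544", "print operators": "S-1-5-32-550"}

# Constructed LDIF standing in for an ldapsearch/slapcat export of the LDAPSAM.
SAMPLE_LDIF = """\
dn: cn=Print Operators,ou=Groups,ou=SAM,dc=example
objectClass: sambaGroupMapping
displayName: Print Operators
sambaSID: S-1-5-21-1-2-3-1201
sambaGroupType: 5

dn: cn=bie,ou=Groups,ou=SAM,dc=example
objectClass: sambaGroupMapping
displayName: BIE
sambaSID: S-1-5-21-1-2-3-1203

dn: uid=bie,ou=People,dc=example
objectClass: sambaSamAccount
uid: bie
"""

def parse_ldif(text):
    # Minimal LDIF reader (no line folding or base64): {attr_lower: [values]} per entry.
    entries, cur = [], defaultdict(list)
    for line in text.splitlines() + [""]:
        if line.strip():
            key, _, val = line.partition(":")
            cur[key.strip().lower()].append(val.strip())
        elif cur:
            entries.append(cur)
            cur = defaultdict(list)
    return entries

def preflight(ldif_text):
    # Return (check, detail) pairs for the conditions that broke the import in the thread.
    findings, gnames = [], defaultdict(list)
    entries = parse_ldif(ldif_text)
    for g in (e for e in entries if "sambaGroupMapping" in e["objectclass"]):
        name, sid = g["displayname"][0], g["sambasid"][0]
        gnames[name.lower()].append(sid)           # displayName must be unique case-insensitively
        if g.get("sambagrouptype") == ["5"]:
            findings.append(("grouptype_5", name))
        expected = BUILTIN_SIDS.get(name.lower())
        if expected and sid != expected:           # built-in name on a non-built-in SID
            findings.append(("builtin_name_wrong_sid", f"{name} {sid} != {expected}"))
    findings += [("dup_group_name", n) for n, s in gnames.items() if len(s) > 1]
    for u in (e for e in entries if "sambaSamAccount" in e["objectclass"]):
        uid = u["uid"][0]
        if uid.lower() in gnames:                  # users and groups cannot share a name
            findings.append(("user_group_name_clash", uid))
        if not u.get("sambantpassword"):           # no password: account is skipped on import
            findings.append(("no_nt_password", uid))
    return findings
```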