Upgrade from S3 to a Samba4 DC [with LDAPSAM] [SUCCESS!]

Matthias Dieter Wallnöfer mdw at samba.org
Tue Sep 13 09:55:30 MDT 2011


Andrew,

I've found another issue: versions older than Samba 3.4 don't 
incorporate the "state directory" parameter yet; instead, the 
"lock directory" directive has to be used. Could this patch work? 
http://gitweb.samba.org/samba.git/?p=mdw/samba.git;a=commitdiff;h=472b320a17320f69450950763ff999267cddd080

Thanks,
Matthias

Matthias Dieter Wallnöfer wrote:
> Andrew,
>
> just my two cents: if I want to perform the upgrade using s3's testparm, I need the following patch: http://gitweb.samba.org/mdw/samba.git/?p=mdw/samba.git;a=commitdiff;h=9b16083e7d50275daf7c33f659f336360d553b1e. Obviously this approach isn't tested by torture, since it broke yesterday. Could we apply that one?
>
> Thanks,
> Matthias
>
> On Mon, 2011-09-12 at 11:20 -0400, Adam Tauno Williams wrote:
>> Quoting Adam Tauno Williams<awilliam at whitemice.org>:
>>
>>> Quoting Adam Tauno Williams<awilliam at whitemice.org>:
>>>
>>>> Quoting Adam Tauno Williams<awilliam at whitemice.org>:
>>>>> Quoting tataia<iongigixx at gmail.com>:
>>>>>> It happens for groups that have sambaGroupType =5
>>>>>> replace 5 with 4
>>>>> Gotcha.  And it goes much further.  Are users with the same name 
>>>>> as groups an issue?  There is only one uid=bie object in the 
>>>>> LDAPSAM.
>>>> Hrm... so I manually exclude user "bie" and import users completes.
>>>> But then the script fails while adding users to group.  I've 
>>>> verified that sambaSID=S-1-5-21-2037442776-3290224752-88127236-9272 
>>>> [a user] and sambaSID=S-1-5-21-2037442776-3290224752-88127236-1201 
>>>> [a group] both exist (and both exist only once).
>>> Setting the "debug level" in the S3 smb.conf file seems to work 
>>> [which is handy].
>>>
>>> ???? Is there a way or level to specifically log what LDB is trying 
>>> to do / look for / add ???
>>>
>>> Both S-1-5-21-2037442776-3290224752-88127236-9272 and 
>>> S-1-5-21-2037442776-3290224752-88127236-1201 exist in the S3 LDAPSAM.
>>>
>>> At a debug level of 256 this output looks like -
>>>
>>> [root at localhost samba-master]# ./source4/setup/upgrade_from_s3 
>>> smb.conf /tmp/x --libdir=/root/s3
>>> Reading smb.conf
>>> INFO: Current debug levels:
>>>     all: 256
>>>     tdb: 256
>>>     printdrivers: 256
>>>     lanman: 256
>>>     smb: 256
>>>     rpc_parse: 256
>>>     rpc_srv: 256
>>>     rpc_cli: 256
>>>     passdb: 256
>>>     sam: 256
>>>     auth: 256
>>>     winbind: 256
>>>     vfs: 256
>>>     idmap: 256
>>>     quota: 256
>>>     acls: 256
>>>     locking: 256
>>>     msdfs: 256
>>>     dmapi: 256
>>>     registry: 256
>>> doing parameter domain master = yes
>>> doing parameter preferred master = yes
>>> doing parameter domain logons = yes
>>> doing parameter logon script = %G.bat
>>> doing parameter logon path = \\BARBEL\PROFILES\%U
>>> doing parameter logon drive = f:
>>> doing parameter logon home = \\ARABIS-RED\HOMEDIR
>>> doing parameter wins support = yes
>>> doing parameter name resolve order = wins host
>>> doing parameter dns proxy = yes
>>> doing parameter map to guest = Bad User
>>> doing parameter passdb backend = ldapsam:ldap://192.168.1.9/
>>> doing parameter ldap ssl = no
>>> doing parameter ldap admin dn = 
>>> uid=CIFSDC,ou=System,ou=Entities,ou=SAM,o=Morrison Industries,c=US
>>> doing parameter ldap suffix = o=Morrison Industries,c=US
>>> doing parameter ldap group suffix = ou=Groups,ou=SAM
>>> doing parameter ldapsam:trusted = yes
>>> doing parameter idmap backend = ldap:ldap://localhost
>>> WARNING: The "idmap backend" option is deprecated
>>> doing parameter ldap idmap suffix = ou=idMap,ou=CIFS,ou=SubSystems
>>> doing parameter idmap uid = 40000-50000
>>> WARNING: The "idmap uid" option is deprecated
>>> doing parameter idmap gid = 40000-50000
>>> WARNING: The "idmap gid" option is deprecated
>>> doing parameter winbind use default domain = yes
>>> doing parameter username map = /etc/samba/username.map
>>> doing parameter deadtime = 15
>>> doing parameter log level = 0 winbind:2
>>> Provisioning
>>> /root/s3/secrets.tdb
>>> no talloc stackframe around, leaking memory
>>> Exporting account policy
>>> Exporting groups
>>> Exporting users
>>>     Skipping wellknown rid=998 (for username=pc01845$)
>>>     Skipping wellknown rid=500 (for username=root)
>>> Next rid = 9973
>>> Looking up IPv4 addresses
>>> Looking up IPv6 addresses
>>> No IPv6 address will be assigned
>>> Setting up share.ldb
>>> Setting up secrets.ldb
>>> Setting up the registry
>>> Setting up the privileges database
>>> Setting up idmap db
>>> Setting up SAM db
>>> Setting up sam.ldb partitions and settings
>>> Setting up sam.ldb rootDSE
>>> Pre-loading the Samba 4 and AD schema
>>> Adding DomainDN: DC=micore,DC=us
>>> Adding configuration container
>>> Setting up sam.ldb schema
>>> Reopening sam.ldb with new schema
>>> Setting up sam.ldb configuration data
>>> Setting up display specifiers
>>> Adding users container
>>> Modifying users container
>>> Adding computers container
>>> Modifying computers container
>>> Setting up sam.ldb data
>>> Setting up sam.ldb users and groups
>>> Setting up self join
>>> Setting up sam.ldb rootDSE marking as synchronized
>>> Assuming bind9 DNS server backend
>>> Adding DNS accounts
>>> Populating CN=System,DC=micore,DC=us
>>> See /tmp/x/private/named.conf for an example configuration include 
>>> file for BIND
>>> and /tmp/x/private/named.txt for further documentation required for 
>>> secure DNS updates
>>> A Kerberos configuration suitable for Samba 4 has been generated at 
>>> /tmp/x/private/krb5.conf
>>> Fixing provision GUIDs
>>> Please install the phpLDAPadmin configuration located at 
>>> /tmp/x/private/phpldapadmin-config.php into 
>>> /etc/phpldapadmin/config.php
>>> Once the above files are installed, your Samba4 server will be ready to use
>>> Server Role:           domain controller
>>> Hostname:              BARBEL
>>> NetBIOS Domain:        BACKBONE
>>> DNS Domain:            micore.us
>>> DOMAIN SID:            S-1-5-21-2037442776-3290224752-88127236
>>> Admin password:        ************************
>>> Importing WINS database
>>> Importing Account policy
>>> Could not set account policy, ((21, "objectclass_attrs: attribute 
>>> 'minPwdLength' on entry 'DC=micore,DC=us' contains at least one 
>>> invalid value!"))
>>> Importing idmap database
>>> Cannot open idmap database, Ignoring: (2): No such file or directory
>>> Ignoring unknown parameter "server role"
>>> Importing groups
>>> Group already exists 
>>> sid=S-1-5-21-2037442776-3290224752-88127236-514, groupname=Domain 
>>> Guests existing_groupname=Domain Guests, Ignoring.
>>> Group already exists sid=S-1-5-32-544, groupname=Administrators 
>>> existing_groupname=Administrators, Ignoring.
>>> Could not add group name=Print Operators ((68, "samldb: Account name 
>>> (sAMAccountName) 'Print Operators' already in use!"))
>>> Could not add group name=Mor-Value Parts ((68, "samldb: Account name 
>>> (sAMAccountName) 'Mor-Value Parts' already in use!"))
>>> Group already exists 
>>> sid=S-1-5-21-2037442776-3290224752-88127236-512, groupname=Domain 
>>> Admins existing_groupname=Domain Admins, Ignoring.
>>> Importing users
>>> Adding users to groups
>>> ProvisioningError: Could not add member 
>>> 'S-1-5-21-2037442776-3290224752-88127236-9272' to group 
>>> 'S-1-5-21-2037442776-3290224752-88127236-1201' as either group or 
>>> user record doesn't exist: Unable to find GUID for DN
>> BAM! The script has completed successfully;  primarily this required 
>> hacking some print statements into the script to help pin-point what 
>> exactly was happening and then performing some janitorial work in the 
>> elderly LDAPSAM.
>>
>> 1 - Group "displayName" has to be case-insensitive unique.
>> 1.1. - You [obviously, this is NT land] can't have groups and users 
>> of the same name.
>> 2 - If the script doesn't import a user, building the group membership 
>> will fail;  although the script never complains about a user it didn't 
>> import.
>> 3 - If a sambaSAMAccount object isn't fully initialized [for example, 
>> has no password] it doesn't appear to get imported.
>> 4 - If you have groups with the same name as a Built-In group, import of 
>> the groups will merrily pass it over but membership assignment will 
>> fail since that is based on SID.  This can be initially confusing [see 
>> #2].  We had a "Print Operators" group with a SID other than the 
>> expected built-in SID, this crashed the script.  I suspect in LDAPSAMs 
>> that have been around a very long time [like ours] running into 
>> something like this probably won't be that uncommon.
> If you could prepare some patches to assist sites like yours in
> debugging Samba3 upgrades I would very much appreciate it.  In
> particular, details about the users which didn't import and what is
> special about them would be useful.  I'm quite willing to make it fail
> if it cannot import a user, if that would make debugging easier.
>
> Your feedback here is particularly valuable.
>
> Thanks,
>
> Andrew Bartlett
>
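The four pitfalls Adam lists above (case-insensitive duplicate group names, a user and a group sharing a name, accounts without a password that silently fail to import and then break group membership, and a built-in group name carrying a non-built-in SID) can all be checked before running upgrade_from_s3. The following is an added example, not code from the Samba tree or from anyone in this thread: it parses an LDIF dump of the S3 LDAPSAM (for instance the output of ldapsearch -LLL) and reports each condition. The objectClass and attribute names are the standard LDAPSAM ones; treating the absence of sambaNTPassword as "not fully initialized" is an assumption taken from Adam's point 3, the BUILTIN RIDs other than 544 are the well-known values, and the embedded LDIF is constructed sample data.

```python
import re
from collections import defaultdict

# Administrators (S-1-5-32-544) appears in the thread; the others are the
# standard BUILTIN RIDs. Domain RIDs 512/514 also appear in the log above.
BUILTIN_SIDS = {"administrators": "S-1-5-32-544", "account operators": "S-1-5-32-548",
                "server operators": "S-1-5-32-549", "print operators": "S-1-5-32-550",
                "backup operators": "S-1-5-32-551"}
DOMAIN_RIDS = {"domain admins": 512, "domain users": 513, "domain guests": 514}

# Constructed sample LDAPSAM dump exercising every check below.
SAMPLE_LDIF = """\
dn: uid=bie,ou=Users,o=Example,c=US
objectClass: sambaSamAccount
uid: bie
sambaSID: S-1-5-21-1-2-3-9272
sambaNTPassword: 0000000000000000000000000000000A

dn: uid=newhire,ou=Users,o=Example,c=US
objectClass: sambaSamAccount
uid: newhire
sambaSID: S-1-5-21-1-2-3-9300

dn: cn=bie,ou=Groups,o=Example,c=US
objectClass: sambaGroupMapping
displayName: bie
sambaSID: S-1-5-21-1-2-3-1201
memberUid: bie
memberUid: newhire
memberUid: ghost

dn: cn=sales,ou=Groups,o=Example,c=US
objectClass: sambaGroupMapping
displayName: Sales
sambaSID: S-1-5-21-1-2-3-1300

dn: cn=sales2,ou=Groups,o=Example,c=US
objectClass: sambaGroupMapping
displayName: SALES
sambaSID: S-1-5-21-1-2-3-1301

dn: cn=Print Operators,ou=Groups,o=Example,c=US
objectClass: sambaGroupMapping
displayName: Print Operators
sambaSID: S-1-5-21-1-2-3-1400
"""

def parse_ldif(text):
    """Minimal LDIF reader: list of {attr(lower): [values]}; folds continuation
    lines, skips comments and base64 (::) values, which these checks don't need."""
    entries, cur, prev = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and prev is not None:   # folded continuation line
            cur[prev][-1] += raw[1:]
            continue
        if not raw.strip():                             # blank line ends an entry
            if cur: entries.append(cur)
            cur, prev = None, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, val = raw.partition(":")
        if val.startswith(":"):                         # base64-encoded value
            prev = None
            continue
        if cur is None:
            cur = defaultdict(list)
        prev = attr.lower()
        cur[prev].append(val.strip())
    if cur: entries.append(cur)
    return entries

def has(e, oc):
    return oc.lower() in (v.lower() for v in e.get("objectclass", []))

def preflight(ldif_text):
    """Return a list of (code, message) findings; an empty list means none of the
    thread's four pitfalls was detected."""
    entries = parse_ldif(ldif_text)
    users = [e for e in entries if has(e, "sambaSamAccount")]
    groups = [e for e in entries if has(e, "sambaGroupMapping")]
    gname = lambda g: (g.get("displayname") or g.get("cn") or ["?"])[0]
    out = []
    # 1: group names must be unique ignoring case
    seen = defaultdict(list)
    for g in groups:
        seen[gname(g).lower()].append(g["dn"][0])
    for name, dns in seen.items():
        if len(dns) > 1:
            out.append(("DUP_GROUP", f"group name '{name}' used by: {', '.join(dns)}"))
    # 1.1: a user may not share a name with a group
    uids = {u["uid"][0].lower(): u for u in users if u.get("uid")}
    for name in seen:
        if name in uids:
            out.append(("USER_GROUP_CLASH", f"'{name}' is both a user and a group"))
    # 3: assumption: no sambaNTPassword means the account is not fully initialized
    incomplete = {n for n, u in uids.items() if not u.get("sambantpassword")}
    for n in sorted(incomplete):
        out.append(("NO_PASSWORD", f"user '{n}' has no sambaNTPassword; it will not be imported"))
    # 2: memberUid referencing a user that will not exist after the import
    for g in groups:
        for m in g.get("memberuid", []):
            if m.lower() not in uids or m.lower() in incomplete:
                out.append(("DANGLING_MEMBER", f"group '{gname(g)}' member '{m}' will not be imported"))
    # 4: well-known group names must carry the well-known SID/RID
    for g in groups:
        name, sid = gname(g).lower(), (g.get("sambasid") or ["?"])[0]
        if name in BUILTIN_SIDS and sid != BUILTIN_SIDS[name]:
            out.append(("BAD_BUILTIN_SID", f"group '{name}' has SID {sid}, expected {BUILTIN_SIDS[name]}"))
        elif name in DOMAIN_RIDS and not re.search(rf"-{DOMAIN_RIDS[name]}$", sid):
            out.append(("BAD_DOMAIN_RID", f"group '{name}' has SID {sid}, expected RID {DOMAIN_RIDS[name]}"))
    return out

if __name__ == "__main__":
    for code, msg in preflight(SAMPLE_LDIF):
        print(f"{code:17} {msg}")
```

Run against a real dump, the output is a to-do list for the "janitorial work" Adam describes: rename or merge the duplicate groups, resolve user/group name clashes, either complete or delete half-initialized accounts, and fix groups that reuse a built-in name under a domain SID, all before the first upgrade attempt rather than after a ProvisioningError at the "Adding users to groups" step.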
