samba3upgrade migration results, issues, questions
urushkin at telros.ru
Tue Apr 17 03:04:01 MDT 2012
About 3 weeks ago I successfully completed a migration of a small office
(single dc, about 30 machines) from samba3 (system users) to samba4
using samba3upgrade. This migrated domain seems to work fine till now.
The final goal is to migrate to samba4 much more bigger (more than
half-thousand users, ldap backend, several dcs) domain. So, here are
results, issues and questions about migration:
1. All computer accounts migrated without any issues, rejoining, etc.
That's really nice.
2. All user accounts migrated with their saved passwords, but after
migration many (possibly all) users were not able to login. Windows
showed message about "not enough resources", kinit didn't work too with
kinit: krb5_get_init_creds: No ENC-TS found
Changing password didn't help, the only thing that helped was:
samba-tool user setexpiry user (with any flag - --days, --noexpiry)
But that's not a serious issue because it can be solved by short shell
script. Talking about test migration of the big domain this issue also
exists with rare random users and could be solved the same way.
3. Samba shares, winbind: seems that winbind crushes after some amount
of time (wbinfo -p doesn't succeed) and shares becomes unavailable,
here is logs (-d3):
[2012/04/16 11:22:05, 0]
talloc: access after free error - first free may be at
[2012/04/16 11:22:05, 0]
Bad talloc magic value - access after free
[2012/04/16 11:22:05, 0] ../lib/util/fault.c:144(smb_panic_default)
PANIC: Bad talloc magic value - access after free
That's not a problem for migrated domain (no shares, GP are needed), but
it will become a problem for the big domain (test environment of big
domain doesn't behave like this, so maybe it's a building issue? but I'm
tried to rebuild s4 using different later master snapshots). Should I
send bug report or it's a known issue?
4. Groups: "samba-tool group addmember/delmember" doesn't work for some
users, but "net rpc group addmem" works nicely for all. How should I
debug it? Bug report?
5. LDAP: I got some ldap acl issues
Now about plans of migrating the big domain:
6. DNS: is it possible to have two replicated dns servers (bind 9.8 dlz)
now? I can get replicating dns partitions (by manually running
replication of this partitions), but how can I get "private/dns"
directory created and filled up on the second controller?
7. DMB: is it possible to have working domain master browser with samba4
(may be using nmbd somehow) now? If no, any chance of getting it
implemented in s4 soon?
8. WINS: some builds ago it was working as dns proxy and also has
internal records for domain - that was nice and no replication was
needed at all (with working dns of course). Now
(4.0.0alpha20-GIT-b8dea7e) I got:
# host s4wxp 192.168.101.10
s4wxp.test.lan has address 192.168.102.101
# nmblookup -R -U 192.168.101.10 s4wxp
Lookup failed - NT_STATUS_OBJECT_NAME_NOT_FOUND
Also, I tried to configure it as a replicating samba4wins, but got this:
# ldbedit -H /usr/local/samba/private/wins_config.ldb
no matching records - cannot edit
9. WINBIND: is there any plans to implement "idmap backend ad" with
winbind4 soon? How can I replicate uid/gid mappings between DCs to serve
sysvol share the right way.
Seems that it's sufficient to sync sysvols like this:
rsync -avz --delete -AX -e ssh ... ...
Maybe somehow I can use smbd for serving sysvol and netlogon, e.g. via
DFS for example - linking sysvol/domain.com to msdfs:\s3srv\domain.com,
or it's a bad idea?
10. Account lockout: it does not work at the moment, any chance to get
it implemented soon (may be like password complexity - not through GP,
to make it just work)? Bug report?
11. Inter-site replication: does samba handle "options" attribute of
Inter-site transport objects (I want to set it to "1" - USE_NOTIFY)? Bug
More information about the samba-technical