samba3upgrade migration results, issues, questions

Andrew Bartlett abartlet at samba.org
Wed Apr 18 18:49:56 MDT 2012


On Tue, 2012-04-17 at 13:04 +0400, Sergey Urushkin wrote:
> Hi.
> 
> About 3 weeks ago I successfully completed a migration of a small office
> (single DC, about 30 machines) from samba3 (system users) to samba4
> using samba3upgrade. This migrated domain seems to work fine so far.
> The final goal is to migrate a much bigger domain (more than five
> hundred users, LDAP backend, several DCs) to samba4. So, here are the
> results, issues and questions about the migration:
> 
> 1. All computer accounts migrated without any issues, rejoining, etc.
> That's really nice.

Great!

> 2. All user accounts migrated with their saved passwords, but after
> migration many (possibly all) users were not able to log in. Windows
> showed a message about "not enough resources", and kinit didn't work
> either, with this message:
>  kinit: krb5_get_init_creds: No ENC-TS found
> Changing the password didn't help; the only thing that helped was:
>  samba-tool user setexpiry user (with any flag - --days, --noexpiry)
> But that's not a serious issue because it can be solved by a short shell
> script. In the test migration of the big domain this issue also
> exists with occasional random users and could be solved the same way.

I think this may simply be an issue with the upgrade of the maxPwdAge
policy from S3.  Can you try the attached patch?

> 3. Samba shares, winbind: it seems that winbind crashes after some amount
> of time (wbinfo -p doesn't succeed) and shares become unavailable;
> here are the logs (-d3):
> [2012/04/16 11:22:05,  0]
> ../source4/lib/cmdline/popt_common.c:58(popt_s4_talloc_log_fn)
>   talloc: access after free error - first free may be at
> ../source4/libnet/libnet_group.c:409
> [2012/04/16 11:22:05,  0]
> ../source4/lib/cmdline/popt_common.c:58(popt_s4_talloc_log_fn)
>   Bad talloc magic value - access after free
> [2012/04/16 11:22:05,  0] ../lib/util/fault.c:144(smb_panic_default)
>   PANIC: Bad talloc magic value - access after free

A full backtrace on current master may help here.  We are aware of some
major underlying issues in the rpc client library, which sometimes
causes things like this.  

> That's not a problem for the migrated domain (no shares or GP are needed),
> but it will become a problem for the big domain (the test environment of
> the big domain doesn't behave like this, so maybe it's a build issue? but
> I tried to rebuild s4 using different later master snapshots). Should I
> send a bug report, or is it a known issue?
> 
> 4. Groups: "samba-tool group addmember/delmember" doesn't work for some
> users, but "net rpc group addmem" works nicely for all. How should I
> debug it? Bug report?

That is odd.  A bug report would be fine - getting the errors as to why
it fails would be most useful.  The odd thing is, both tools end up
changing the same database in a very similar way.

> 5. LDAP: I got some ldap acl issues
> https://bugzilla.samba.org/show_bug.cgi?id=8868
> 
> Now about plans of migrating the big domain:
> 
> 6. DNS: is it possible to have two replicating DNS servers (bind 9.8 DLZ)
> now? I can get the DNS partitions replicating (by manually running
> replication of these partitions), but how can I get the "private/dns"
> directory created and filled on the second controller?

There is an ongoing thread about these issues.  Someone needs to sit
down and make this 'just work', but it isn't quite done yet. 

> 7. DMB: is it possible to have a working domain master browser with samba4
> (maybe using nmbd somehow) now? If not, any chance of getting it
> implemented in s4 soon?

You could try and use nmbd, but the part you would also need is what we
are calling s3fs, using smbd as the file server for Samba4 as an AD DC.
This isn't ready yet. 

> 8. WINS: some builds ago it was working as a DNS proxy and also had
> internal records for the domain - that was nice and no replication was
> needed at all (with working DNS of course). Now
> (4.0.0alpha20-GIT-b8dea7e) I get:
>  # host s4wxp 192.168.101.10
>  s4wxp.test.lan has address 192.168.102.101
>  # nmblookup -R -U 192.168.101.10 s4wxp
>  Lookup failed - NT_STATUS_OBJECT_NAME_NOT_FOUND
> 
> Also, I tried to configure it as a replicating samba4wins, but got this:
>  # ldbedit -H /usr/local/samba/private/wins_config.ldb
>  no matching records - cannot edit
> Bug reports?
> 
> 9. WINBIND: are there any plans to implement "idmap backend ad" with
> winbind4 soon? How can I replicate uid/gid mappings between DCs to serve
> the sysvol share the right way?

There are plans, but no progress on an implementation.  We understand
the current situation is highly frustrating. 

> It seems that it's sufficient to sync sysvols like this:
>   rsync -avz --delete -AX -e ssh ... ...
> Or not?
> Maybe I can somehow use smbd for serving sysvol and netlogon, e.g. via
> DFS - linking sysvol/domain.com to msdfs:\s3srv\domain.com - or is
> that a bad idea?
> 
> 10. Account lockout: it does not work at the moment; any chance of getting
> it implemented soon (maybe like password complexity - not through GP,
> to make it just work)? Bug report?

This remains a todo, sorry.  Patches are welcome.

> 11. Inter-site replication: does samba handle the "options" attribute of
> Inter-site transport objects (I want to set it to "1" - USE_NOTIFY)? Bug
> report?

I don't think we know very much about inter-site stuff at the moment. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s4-s3upgrade-Do-not-ever-set-a-domain-wide-maxPwdAge.patch
Type: text/x-patch
Size: 1008 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120419/8803a22e/attachment.bin>
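Point 2 of the thread ties the post-migration logon failures to the maxPwdAge policy. The following added example (not code from the thread, Samba or its patch) shows how to work out, from the pwdLastSet and userAccountControl values a DC stores and the domain's maxPwdAge, which accounts a KDC would treat as password-expired and so would need "samba-tool user setexpiry". It assumes standard AD attribute semantics (100 ns FILETIME ticks, maxPwdAge stored negated, 0x10000 as the don't-expire flag) and uses constructed sample accounts.

```python
"""Flag accounts whose password counts as expired under the domain's maxPwdAge.
Sample data below is constructed; attribute semantics are standard AD ones."""
from datetime import datetime, timedelta, timezone

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100 ns ticks
NEVER_EXPIRES = -0x8000000000000000                    # maxPwdAge sentinel for "never"
UF_DONT_EXPIRE_PASSWD = 0x10000                        # userAccountControl flag
UF_NORMAL_ACCOUNT = 0x200

def nt_time_to_datetime(ticks: int) -> datetime:
    return NT_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_nt_time(dt: datetime) -> int:
    td = dt - NT_EPOCH  # integer arithmetic: float division would lose ticks
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int):
    """UTC time the password expires, or None if it never does.
    maxPwdAge is stored as a negative 100 ns interval, so subtracting it
    from pwdLastSet moves forward in time."""
    if uac & UF_DONT_EXPIRE_PASSWD:
        return None
    if pwd_last_set == 0:  # "must change at next logon": already expired
        return NT_EPOCH
    if max_pwd_age in (0, NEVER_EXPIRES):
        return None
    return nt_time_to_datetime(pwd_last_set - max_pwd_age)

def expired_accounts(users, max_pwd_age: int, now: datetime):
    """sAMAccountNames a KDC would refuse as password-expired at 'now'."""
    hits = []
    for u in users:
        exp = password_expiry(u["pwdLastSet"], max_pwd_age, u["userAccountControl"])
        if exp is not None and exp <= now:
            hits.append(u["sAMAccountName"])
    return hits

# Constructed sample: a 42-day maxPwdAge and four accounts as ldbsearch might show them.
NOW = datetime(2012, 4, 17, 9, 4, tzinfo=timezone.utc)
MAX_PWD_AGE_42_DAYS = -42 * 86400 * 10_000_000
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "pwdLastSet": datetime_to_nt_time(NOW - timedelta(days=60)),
     "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "bob", "pwdLastSet": datetime_to_nt_time(NOW - timedelta(days=10)),
     "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "carol", "pwdLastSet": datetime_to_nt_time(NOW - timedelta(days=60)),
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD},
    {"sAMAccountName": "dave", "pwdLastSet": 0, "userAccountControl": UF_NORMAL_ACCOUNT},
]

if __name__ == "__main__":
    for name in expired_accounts(SAMPLE_USERS, MAX_PWD_AGE_42_DAYS, NOW):
        print(f"{name}: password expired, candidate for samba-tool user setexpiry")
```

Feeding real values from ldbsearch into SAMPLE_USERS lets you see before touching anything whether a bogus maxPwdAge, rather than the accounts themselves, is what locks users out.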