samba3upgrade migration results, issues, questions

Sergey Urushkin urushkin at telros.ru
Mon Apr 23 06:42:32 MDT 2012


Hi.

>> 2. All user accounts migrated with their saved passwords, but after
>> migration many (possibly all) users were not able to login. Windows
>> showed message about "not enough resources", kinit didn't work too
>> with this message:
>>  kinit: krb5_get_init_creds: No ENC-TS found
>> Changing password didn't help, the only thing that helped was:
>>  samba-tool user setexpiry user (with any flag - --days, --noexpiry)
>> But that's not a serious issue because it can be solved by short
>> shell script. Talking about test migration of the big domain this
>> issue also exists with rare random users and could be solved the
>> same way.
>
> I think this may simply be an issue with the upgrade of the maxPwdAge
> policy from S3.  Can you try the attached patch?

Tried it (I see it's already in master). With the small domain tdbs
nothing has changed. With the big domain at least one account is ok now,
but administrator is still affected.

Here is administrator's openldap data before migration:

dn: uid=Administrator,....
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
objectClass: krb5Principal
objectClass: krb5KDCEntry
cn: Administrator
sn: Administrator
uid: Administrator
gidNumber: 512
homeDirectory: /home/Administrator
loginShell: /bin/bash
description: Built-in account for administering the computer/domain
sambaSID: S-1-5-21-1234567890-1234567890-1234567890-500
sambaPrimaryGroupSID: S-1-5-21-1234567890-1234567890-1234567890-512
displayName:: 0JDQtNC80LjQvdC40YHRgtGA0LDRgtC+0YAg0YHQtdGC0Lg=
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
krb5PrincipalName: Administrator@TELROS.RU
krb5KDCFlags: 126
gecos: Administrator
sambaKickoffTime: 1999999999
sambaHomePath: \\fsrv\home
sambaPwdMustChange: 1325408428
sambaPwdLastSet: 1322816429
sambaLMPassword: xxxxxxx
sambaNTPassword: xxxxxxx
krb5KeyVersionNumber: 15
krb5Key:: xxx
krb5Key:: xxx
uidNumber: 500
sambaAcctFlags: [UX         ]
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0


Also, I have seen another problem (which didn't exist earlier) with
samba3upgrade. No group membership (except "domain users") is migrated.
I can see many messages like this:
Ignoring group 'groupname' S-1-5-21-1234567890-1234567890-1234567890-1423 listed but then not found: <class 'passdb.error'>

And no errors after "Adding users to groups"

I do have members in my openldap groups (memberUid attributes).


>> 7. DMB: is it possible to have working domain master browser with
>> samba4 (may be using nmbd somehow) now? If no, any chance of getting
>> it implemented in s4 soon?
>
> You could try and use nmbd, but the part you would also need is what
> we are calling s3fs, using smbd as the file server for Samba4 as an AD
> DC. This isn't ready yet.

I tried to play with nmbd earlier, but didn't get a result. Is there any
howto about this? I'd like to test it and report the results.

>
>> 8. WINS: some builds ago it was working as dns proxy and also has
>> internal records for domain - that was nice and no replication was
>> needed at all (with working dns of course). Now
>> (4.0.0alpha20-GIT-b8dea7e) I got:
>>  # host s4wxp 192.168.101.10
>>  s4wxp.test.lan has address 192.168.102.101
>>  # nmblookup -R -U 192.168.101.10 s4wxp
>>  Lookup failed - NT_STATUS_OBJECT_NAME_NOT_FOUND
>>
>> Also, I tried to configure it as a replicating samba4wins, but got
>> this:
>>  # ldbedit -H /usr/local/samba/private/wins_config.ldb
>>  no matching records - cannot edit
>> Bug reports?

What about this issue?

>> 11. Inter-site replication: does samba handle "options" attribute of
>> Inter-site transport objects (I want to set it to "1" - USE_NOTIFY)?
>> Bug report?
>
> I don't think we know very much about inter-site stuff at the moment.

But what's the default samba behavior for this for now? Does it
replicate catalog data between sites the same way as the data in a
single site? A more basic question: if some user changes his password
on the s4 DC in site A, when will this change be available on the
s4 DC in site B?


-- 
Best regards,
Sergey Urushkin
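
An added example, not part of the original message and not Samba code: a pre-migration check that reads an LDIF export of the Samba 3 directory and lists accounts whose sambaPwdMustChange is already in the past, using the attribute pair shown in the Administrator entry above. The sample entries, DNs and reference time are constructed; whether such accounts are the ones hit by the login failure is an assumption to test, not something the thread establishes.

```python
import base64
from datetime import datetime, timezone

# Constructed sample modelled on the entry quoted in the post (DN and
# history shortened, hashes omitted); "alice" is invented for contrast.
SAMPLE_LDIF = """\
dn: uid=Administrator,ou=People,dc=example,dc=com
uid: Administrator
displayName:: QWRtaW4=
sambaPasswordHistory: 000000000000000000000000
 00000000
sambaKickoffTime: 1999999999
sambaPwdMustChange: 1325408428
sambaPwdLastSet: 1322816429

dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
sambaPwdMustChange: 1340000000
sambaPwdLastSet: 1334000000
"""

def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]              # unfold a continuation line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:                 # trailing "" flushes last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr, []).append(value.strip())
    return entries

def expired_accounts(entries, now):
    """List (uid, must-change date in UTC, days between last-set and must-change)."""
    hits = []
    for e in entries:
        if "sambaPwdMustChange" not in e:
            continue
        must = int(e["sambaPwdMustChange"][0])
        last = int(e.get("sambaPwdLastSet", ["0"])[0])
        if must <= now:
            day = datetime.fromtimestamp(must, timezone.utc).strftime("%Y-%m-%d")
            hits.append((e["uid"][0], day, round((must - last) / 86400)))
    return hits
```

Accounts it reports can then be checked individually after the upgrade, for instance before deciding which ones need the `samba-tool user setexpiry` workaround mentioned in the thread.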

