samba3upgrade migration results, issues, questions
urushkin at telros.ru
Mon Apr 23 06:42:32 MDT 2012
>> 2. All user accounts migrated with their saved passwords, but after
>> migration many (possibly all) users were not able to login. Windows
>> showed message about "not enough resources", kinit didn't work too
>> this message:
>> kinit: krb5_get_init_creds: No ENC-TS found
>> Changing password didn't help, the only thing that helped was:
>> samba-tool user setexpiry user (with any flag - --days, --noexpiry)
>> But that's not a serious issue because it can be solved by short
>> script. Talking about test migration of the big domain this issue
>> exists with rare random users and could be solved the same way.
> I think this may simply be an issue with the upgrade of the maxPwdAge
> policy from S3. Can you try the attached patch?
Tried it (I see it's already in master). With the small domain tdbs
nothing has changed. With the big domain at least one account is ok now,
but administrator is still affected.
Here is administrator's openldap data before migration:
description: Built-in account for administering the computer/domain
krb5PrincipalName: Administrator at TELROS.RU
sambaAcctFlags: [UX ]
Also, I have seen another problem (which didn't exist earlier) with
samba3upgrade. No group membership (except "domain users") is migrated.
I can see many messages like this:
Ignoring group 'groupname'
S-1-5-21-1234567890-1234567890-1234567890-1423 listed but then not
found: <class 'passdb.error'>
And no errors after "Adding users to groups"
I do have members in my openldap groups (memberUid attributes).
>> 7. DMB: is it possible to have working domain master browser with
>> (may be using nmbd somehow) now? If no, any chance of getting it
>> implemented in s4 soon?
> You could try and use nmbd, but the part you would also need is what
> are calling s3fs, using smbd as the file server for Samba4 as an AD
> This isn't ready yet.
I tried to play with nmbd earlier, but didn't get a result. Is there any
howto about this? I'd like to test it and report the results.
>> 8. WINS: some builds ago it was working as dns proxy and also has
>> internal records for domain - that was nice and no replication was
>> needed at all (with working dns of course). Now
>> (4.0.0alpha20-GIT-b8dea7e) I got:
>> # host s4wxp 192.168.101.10
>> s4wxp.test.lan has address 192.168.102.101
>> # nmblookup -R -U 192.168.101.10 s4wxp
>> Lookup failed - NT_STATUS_OBJECT_NAME_NOT_FOUND
>> Also, I tried to configure it as a replicating samba4wins, but got
>> # ldbedit -H /usr/local/samba/private/wins_config.ldb
>> no matching records - cannot edit
>> Bug reports?
What about this issue?
>> 11. Inter-site replication: does samba handle "options" attribute of
>> Inter-site transport objects (I want to set it to "1" - USE_NOTIFY)?
> I don't think we know very much about inter-site stuff at the moment.
But what's the default Samba behavior about this for now? Does it
replicate catalog data between sites the same way as the data in a
single site? A more basic question: if some user changes his password
on the s4 DC in site A, when will this change be available on the
s4 DC in site B?