samba3upgrade migration results, issues, questions

Andrew Bartlett abartlet at samba.org
Tue Apr 24 02:09:24 MDT 2012


On Mon, 2012-04-23 at 16:42 +0400, Sergey Urushkin wrote:
> Hi.
> 
> >> 2. All user accounts migrated with their saved passwords, but after
> >> migration many (possibly all) users were not able to login. Windows
> >> showed message about "not enough resources", kinit didn't work too 
> >> with
> >> this message:
> >>  kinit: krb5_get_init_creds: No ENC-TS found
> >> Changing password didn't help, the only thing that helped was:
> >>  samba-tool user setexpiry user (with any flag - --days, --noexpiry)
> >> But that's not a serious issue because it can be solved by short 
> >> shell
> >> script. Talking about test migration of the big domain this issue 
> >> also
> >> exists with rare random users and could be solved the same way.
> >
> > I think this may simply be an issue with the upgrade of the maxPwdAge
> > policy from S3.  Can you try the attached patch?
> 
> Tried it (I see it's already in the master). With the small domain tdbs
> nothing is changed. With the big domain at least one account is ok now,
> but administrator is still affected.
> 
> Here is administrator's openldap data before migration:
> 
> dn: uid=Administrator,....
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> objectClass: krb5Principal
> objectClass: krb5KDCEntry
> cn: Administrator
> sn: Administrator
> uid: Administrator
> gidNumber: 512
> homeDirectory: /home/Administrator
> loginShell: /bin/bash
> description: Built-in account for administering the computer/domain
> sambaSID: S-1-5-21-1234567890-1234567890-1234567890-500
> sambaPrimaryGroupSID: S-1-5-21-1234567890-1234567890-1234567890-512
> displayName:: 0JDQtNC80LjQvdC40YHRgtGA0LDRgtC+0YAg0YHQtdGC0Lg=
> sambaPasswordHistory:
> 00000000000000000000000000000000000000000000000000000000
>  00000000
> krb5PrincipalName: Administrator at TELROS.RU
> krb5KDCFlags: 126
> gecos: Administrator
> sambaKickoffTime: 1999999999
> sambaHomePath: \\fsrv\home
> sambaPwdMustChange: 1325408428
> sambaPwdLastSet: 1322816429
> sambaLMPassword: xxxxxxx
> sambaNTPassword: xxxxxxx
> krb5KeyVersionNumber: 15
> krb5Key:: xxx
> krb5Key:: xxx
> uidNumber: 500
> sambaAcctFlags: [UX         ]
> sambaBadPasswordCount: 0
> sambaBadPasswordTime: 0

For the administrator, because it is a default AD account, we do not
import it, but instead we simply bring across the password (only).  That
means we will not bring across the 'password does not expire' flag, but
the password should be valid for as long as the expiry.  What expiry
time did you have in your old domain?

> Also, I seemed another problem (which didn't exist earlier) about
> samba3upgrade. No group membership (except "domain users") is migrated.
> I can see many messages like this:
> Ignoring group 'groupname'
> S-1-5-21-1234567890-1234567890-1234567890-1423 listed but then not
> found: <class 'passdb.error'>
> 
> And no errors after "Adding users to groups"
> 
> I do have members in my openldap groups (memberUid attributes).

The issue here is that Samba4 simply can't see them.  What version of
Samba 3.x are you upgrading from?

What do the groups look like in the directory?

This is a recurring issue, and a large number of people have difficulty
upgrading LDAP groups for some reason.  We may need to find another way
to read the group list (we can bind directly to LDAP, rather than via
the samba3 passdb code if need be).

> >> 7. DMB: is it possible to have working domain master browser with 
> >> samba4
> >> (may be using nmbd somehow) now? If no, any chance of getting it
> >> implemented in s4 soon?
> >
> > You could try and use nmbd, but the part you would also need is what 
> > we
> > are calling s3fs, using smbd as the file server for Samba4 as an AD 
> > DC.
> > This isn't ready yet.
> 
> I tried to play with nmbd earlier, but didn't get a result, is there any
> howto about this? I'd like to test it and report about results.

Not at this stage.

> >
> >> 8. WINS: some builds ago it was working as dns proxy and also has
> >> internal records for domain - that was nice and no replication was
> >> needed at all (with working dns of course). Now
> >> (4.0.0alpha20-GIT-b8dea7e) I got:
> >>  # host s4wxp 192.168.101.10
> >>  s4wxp.test.lan has address 192.168.102.101
> >>  # nmblookup -R -U 192.168.101.10 s4wxp
> >>  Lookup failed - NT_STATUS_OBJECT_NAME_NOT_FOUND
> >>
> >> Also, I tried to configure it as a replicating samba4wins, but got 
> >> this:
> >>  # ldbedit -H /usr/local/samba/private/wins_config.ldb
> >>  no matching records - cannot edit
> >> Bug reports?
> 
> What's about this issue?

I'm sorry, I've not looked into our wins stuff in a long time.

> >> 11. Inter-site replication: does samba handle "options" attribute of
> >> Inter-site transport objects (I want to set it to "1" - USE_NOTIFY)? 
> >> Bug
> >> report?
> >
> > I don't think we know very much about inter-site stuff at the moment.
> 
> But what's the default samba behavior about this for now? Does it
> replicate catalog data between sites the same way as the data in a
> single site? More primary question is if some user changes his password
> on the s4 DC in the site A, when this changes will be available on the
> s4 DC in the site B?

Samba attempts replication to all DCs at the moment, as I understand it.

Thanks for getting back to me.  We will do our best to get to the bottom
of the remaining issues you face, particularly around group membership.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
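As an added example (not part of the thread or of the Samba project's own code): a small Python pre-migration audit of a Samba3 LDIF export, checking the attributes Andrew asks about above (sambaPwdLastSet, sambaPwdMustChange and the X "no expiry" flag in sambaAcctFlags) so that accounts likely to be treated as expired after samba3upgrade can be spotted before the run. The LDIF entries, timestamps and the NOW value are constructed, not taken from the original domain.

```python
import base64

# Constructed sample in the Samba3 OpenLDAP schema style shown in the thread.
# It deliberately includes a base64 (::) value and a folded continuation line.
SAMPLE_LDIF = """\
dn: uid=Administrator,ou=Users,dc=example,dc=lan
objectClass: sambaSamAccount
uid: Administrator
displayName:: 0JDQtNC80LjQvdC40YHRgtGA0LDRgtC+0YAg0YHQtdGC0Lg=
sambaPasswordHistory: 0000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1322816429
sambaPwdMustChange: 1325408428
sambaAcctFlags: [UX         ]

dn: uid=alice,ou=Users,dc=example,dc=lan
objectClass: sambaSamAccount
uid: alice
sambaPwdLastSet: 1322816429
sambaPwdMustChange: 1325408428
sambaAcctFlags: [U          ]
"""
NOW = 1335000000  # assumed "current" Unix time (roughly April 2012)


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # LDIF folding: join to previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, cur = [], {}
    for line in unfolded:
        if not line.strip():                      # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        cur.setdefault(name, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def audit_expiry(entries, now):
    """Classify each sambaSamAccount by password-expiry state at time `now`."""
    report = {}
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        flags = e.get("sambaAcctFlags", ["[]"])[0]
        last_set = int(e.get("sambaPwdLastSet", ["0"])[0])
        must_change = int(e.get("sambaPwdMustChange", ["0"])[0])
        if "X" in flags:                          # X = password never expires
            status = "no-expiry"
        elif must_change and must_change < now:   # would be expired after upgrade
            status = "expired"
        else:
            status = "ok"
        age = round((must_change - last_set) / 86400) if must_change and last_set else None
        report[e["uid"][0]] = {"status": status, "max_age_days": age}
    return report
```

Run audit_expiry(parse_ldif(SAMPLE_LDIF), NOW) to list accounts whose sambaPwdMustChange already lies in the past, which are the ones to fix up with samba-tool user setexpiry after migration.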
