samba3upgrade migration results, issues, questions

Sergey Urushkin urushkin at
Tue Apr 24 06:22:30 MDT 2012

On 24.04.2012 12:09, Andrew Bartlett wrote:
> On Mon, 2012-04-23 at 16:42 +0400, Sergey Urushkin wrote:
>> Hi.
>>>> 2. All user accounts migrated with their saved passwords, but after
>>>> migration many (possibly all) users were not able to log in. Windows
>>>> showed a message about "not enough resources"; kinit didn't work either,
>>>> with this message:
>>>>  kinit: krb5_get_init_creds: No ENC-TS found
>>>> Changing the password didn't help; the only thing that helped was:
>>>>  samba-tool user setexpiry user (with any flag - --days, --noexpiry)
>>>> But that's not a serious issue because it can be solved by a short shell
>>>> script. Talking about the test migration of the big domain, this issue
>>>> also exists with rare random users and could be solved the same way.
>>> I think this may simply be an issue with the upgrade of the maxPwdAge
>>> policy from S3.  Can you try the attached patch?
>> Tried it (I see it's already in the master). With the small domain tdbs
>> nothing is changed. With the big domain at least one account is ok now,
>> but administrator is still affected.
>> Here is administrator's openldap data before migration:
>> dn: uid=Administrator,....
>> objectClass: top
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: sambaSamAccount
>> objectClass: krb5Principal
>> objectClass: krb5KDCEntry
>> cn: Administrator
>> sn: Administrator
>> uid: Administrator
>> gidNumber: 512
>> homeDirectory: /home/Administrator
>> loginShell: /bin/bash
>> description: Built-in account for administering the computer/domain
>> sambaSID: S-1-5-21-1234567890-1234567890-1234567890-500
>> sambaPrimaryGroupSID: S-1-5-21-1234567890-1234567890-1234567890-512
>> displayName:: 0JDQtNC80LjQvdC40YHRgtGA0LDRgtC+0YAg0YHQtdGC0Lg=
>> sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
>> krb5PrincipalName: Administrator at TELROS.RU
>> krb5KDCFlags: 126
>> gecos: Administrator
>> sambaKickoffTime: 1999999999
>> sambaHomePath: \\fsrv\home
>> sambaPwdMustChange: 1325408428
>> sambaPwdLastSet: 1322816429
>> sambaLMPassword: xxxxxxx
>> sambaNTPassword: xxxxxxx
>> krb5KeyVersionNumber: 15
>> krb5Key:: xxx
>> krb5Key:: xxx
>> uidNumber: 500
>> sambaAcctFlags: [UX         ]
>> sambaBadPasswordCount: 0
>> sambaBadPasswordTime: 0
> For the administrator, because it is a default AD account, we do not
> import it, but instead we simply bring across the password (only).  That
> means we will not bring across the 'password does not expire' flag, but
> the password should be valid for as long as the expiry.
Alright, but many users in the migrated small domain are not 'well
known' and do have this problem.
I can send you the small domain tdbs if it would help.
About the big domain: I used this script to check how many accounts
beginning with 'a' are bad in the just-migrated domain.

# NB: this resets every matching user's password to a known value, so it is
# only suitable for a throwaway test migration.
for i in `samba-tool user list | grep ^a` ;do
    samba-tool user setpassword --newpassword=111111 $i > /dev/null
    # Heimdal kinit reads the password from stdin; print the user on failure
    echo 111111 | kinit --password-file=STDIN $i || echo $i
done
According to it, about half of them are affected. Here is the
openldap-samba data for one of them:
sambaLogonScript: netlogon.bat
sambaSID: S-1-5-21-530720856-2058831417-1202159320-1968
sambaPrimaryGroupSID: S-1-5-21-530720856-2058831417-1202159320-513
sambaAcctFlags: [U          ]
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
sambaKickoffTime: 1999999999
sambaHomePath: \\fsrv\home
sambaPwdMustChange: 1335676980
sambaPwdLastSet: 1333084981
sambaLMPassword: ea70ccc05b2b2d890000000000000000
sambaNTPassword: d460c18f7a68e2b049468d1aea8e70e5

I can see from the timestamps that the password shouldn't be expired.

>   What expiry
> time did you have in your old domain?
small - never. big - 30 days.
>> Also, I saw another problem (which didn't exist earlier) with
>> samba3upgrade. No group membership (except "domain users") is migrated.
>> I can see many messages like this:
>> Ignoring group 'groupname'
>> S-1-5-21-1234567890-1234567890-1234567890-1423 listed but then not
>> found: <class 'passdb.error'>
>> And no errors after "Adding users to groups"
>> I do have members in my openldap groups (memberUid attributes).
> The issue here is that Samba4 simply can't see them.  What version of
> Samba 3.x are you upgrading from?
small - 3.0. big - 3.5.
> What do the groups look like in the directory?
dn: cn=somegroup,ou=Groups,ou=Samba,ou=Services,dc=telros,dc=ru
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: somegroup
gidNumber: 1604
sambaSID: S-1-5-21-530720856-2058831417-1202159320-1581
sambaGroupType: 2
displayName: somegroup
description: tttttttt
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4

> This is a recurring issue, and a large number of people have difficulty
> upgrading LDAP groups for some reason.  We may need to find another way
> to read the group list (we can bind directly to LDAP, rather than via
> the samba3 passdb code if need be).
A temporary solution would be to add a script that imports LDAP groups
using 'getent group' to the wiki (similar to the one about Unix groups, or
just called 'before you begin - save all your group information to a file').
I solved it this way.
>>>> 8. WINS: some builds ago it was working as a DNS proxy and also had
>>>> internal records for the domain - that was nice and no replication was
>>>> needed at all (with working DNS of course). Now
>>>> (4.0.0alpha20-GIT-b8dea7e) I get:
>>>>  # host s4wxp
>>>>  s4wxp.test.lan has address
>>>>  # nmblookup -R -U s4wxp
>>>> Also, I tried to configure it as a replicating samba4wins, but got this:
>>>>  # ldbedit -H /usr/local/samba/private/wins_config.ldb
>>>>  no matching records - cannot edit
>>>> Bug reports?
>> What's about this issue?
> I'm sorry, I've not looked into our wins stuff in a long time.
But someone apparently did... :) Ok, maybe I don't need it at all with
working dns?
>>>> 11. Inter-site replication: does samba handle the "options" attribute of
>>>> Inter-site transport objects (I want to set it to "1" - USE_NOTIFY)?
>>>> Bug report?
>>> I don't think we know very much about inter-site stuff at the moment.
>> But what's the default samba behavior about this for now? Does it
>> replicate catalog data between sites the same way as the data in a
>> single site? The more important question is: if some user changes his
>> password on the s4 DC in site A, when will this change be available on
>> the s4 DC in site B?
> Samba attempts replication to all DCs at the moment, as I understand it.
Well, that's exactly what I need now.


Best regards,
Sergey Urushkin
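As an added example (not code from the mail above or from the Samba project), here is the kind of "save your group information before you begin" script Sergey describes for the group-membership problem: dump `getent group` on the Samba 3 server before running samba3upgrade, then turn that file into `samba-tool group addmembers` commands on the new DC. The sample input is constructed (shaped like the 'somegroup' entry in the mail), and the script assumes that samba3upgrade has already created the groups by name and that domain groups have gids at or above GID_MIN, so Unix system groups are skipped; both assumptions are mine, not facts from the thread.

```shell
#!/bin/sh
# Added example (not from the mail or from Samba): preserve Unix/LDAP group
# membership across samba3upgrade.
#
# Before migrating, on the Samba 3 box:   getent group > groups.before
# After migrating, on the Samba4 DC:      gen_addmembers < groups.before | sh
#
# Assumptions (not stated in the thread): samba3upgrade already created the
# groups by name, and domain groups have gids >= GID_MIN, so system groups
# (root, wheel, ...) are skipped.

GID_MIN=${GID_MIN:-1000}

# gen_addmembers: read getent-group lines (name:pw:gid:member,member,...) on
# stdin and print one "samba-tool group addmembers" command per group that
# actually has members. Commands are printed rather than executed so they can
# be reviewed before being piped to sh. The group name is single-quoted
# because LDAP group cns may contain spaces ("Domain Admins").
gen_addmembers() {
    while IFS=: read -r name _pw gid members; do
        [ -n "$name" ] || continue                      # skip blank lines
        [ -n "$members" ] || continue                   # nothing to add
        case $gid in *[!0-9]*|'') continue ;; esac      # malformed gid field
        [ "$gid" -ge "$GID_MIN" ] || continue           # Unix system group
        printf "samba-tool group addmembers '%s' %s\n" "$name" "$members"
    done
}

# Constructed sample input: getent group output, one group per line.
SAMPLE_GROUPS='root:x:0:
wheel:x:10:root,admin
somegroup:x:1604:user1,user2,user3,user4
emptygroup:x:1605:
staff:x:1700:alice'

# Stand-alone run: show what would be executed for the sample.
printf '%s\n' "$SAMPLE_GROUPS" | gen_addmembers
```

Only groups with at least one member and a gid at or above the threshold produce a command, so the sample yields lines for somegroup and staff and nothing for root, wheel or emptygroup. Review the printed commands before piping them to `sh`, since the membership they replay is taken verbatim from the old directory.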

