samba3upgrade migration results, issues, questions
urushkin at telros.ru
Tue Apr 24 06:22:30 MDT 2012
24.04.2012 12:09, Andrew Bartlett wrote:
> On Mon, 2012-04-23 at 16:42 +0400, Sergey Urushkin wrote:
>>>> 2. All user accounts migrated with their saved passwords, but after
>>>> migration many (possibly all) users were not able to log in. Windows
>>>> showed a message about "not enough resources"; kinit didn't work either,
>>>> giving this message:
>>>> kinit: krb5_get_init_creds: No ENC-TS found
>>>> Changing the password didn't help; the only thing that helped was:
>>>> samba-tool user setexpiry user (with any flag - --days, --noexpiry)
>>>> But that's not a serious issue because it can be solved by a short
>>>> script. As for the test migration of the big domain, this issue
>>>> exists for rare random users and could be solved the same way.
>>> I think this may simply be an issue with the upgrade of the maxPwdAge
>>> policy from S3. Can you try the attached patch?
>> Tried it (I see it's already in master). With the small domain tdbs
>> nothing changed. With the big domain at least one account is ok now,
>> but administrator is still affected.
>> Here is administrator's openldap data before migration:
>> dn: uid=Administrator,....
>> objectClass: top
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> objectClass: sambaSamAccount
>> objectClass: krb5Principal
>> objectClass: krb5KDCEntry
>> cn: Administrator
>> sn: Administrator
>> uid: Administrator
>> gidNumber: 512
>> homeDirectory: /home/Administrator
>> loginShell: /bin/bash
>> description: Built-in account for administering the computer/domain
>> sambaSID: S-1-5-21-1234567890-1234567890-1234567890-500
>> sambaPrimaryGroupSID: S-1-5-21-1234567890-1234567890-1234567890-512
>> displayName:: 0JDQtNC80LjQvdC40YHRgtGA0LDRgtC+0YAg0YHQtdGC0Lg=
>> krb5PrincipalName: Administrator at TELROS.RU
>> krb5KDCFlags: 126
>> gecos: Administrator
>> sambaKickoffTime: 1999999999
>> sambaHomePath: \\fsrv\home
>> sambaPwdMustChange: 1325408428
>> sambaPwdLastSet: 1322816429
>> sambaLMPassword: xxxxxxx
>> sambaNTPassword: xxxxxxx
>> krb5KeyVersionNumber: 15
>> krb5Key:: xxx
>> krb5Key:: xxx
>> uidNumber: 500
>> sambaAcctFlags: [UX ]
>> sambaBadPasswordCount: 0
>> sambaBadPasswordTime: 0
> For the administrator, because it is a default AD account, we do not
> import it, but instead we simply bring across the password (only). That
> means we will not bring across the 'password does not expire' flag, but
> the password should be valid for as long as the expiry.
Alright, but many users in the migrated small domain are not 'well
known' and do have this problem.
I can send you the small domain tdbs if it would help.
About the big domain. I used this script to check how many accounts
beginning with 'a' are bad in the just-migrated domain:
for i in `samba-tool user list | grep ^a` ;do
  samba-tool user setpassword --newpassword=111111 $i > /dev/null
  echo 111111 | kinit --password-file=STDIN $i || echo $i
done
According to it, about half of them are affected. Here is the
openldap-samba data for one of them:
sambaAcctFlags: [U ]
I can see (from the timestamps) that the password shouldn't be expired.
> What expiry
> time did you have in your old domain?
small - never. big - 30 days.
>> Also, I noticed another problem (which didn't exist earlier) with
>> samba3upgrade. No group membership (except "domain users") is migrated.
>> I can see many messages like this:
>> Ignoring group 'groupname'
>> S-1-5-21-1234567890-1234567890-1234567890-1423 listed but then not
>> found: <class 'passdb.error'>
>> And no errors after "Adding users to groups"
>> I do have members in my openldap groups (memberUid attributes).
> The issue here is that Samba4 simply can't see them. What version of
> Samba 3.x are you upgrading from?
small - 3.0. big - 3.5.
> What do the groups look like in the directory?
> This is a recurring issue, and a large number of people have difficulty
> upgrading LDAP groups for some reason. We may need to find another way
> to read the group list (we can bind directly to LDAP, rather than via
> the samba3 passdb code if need be).
A temporary solution would be to add a script that imports ldap groups
using 'getent group' to the wiki (similar to the one about unix groups, or
just called 'before you begin - save all your group information to a file').
I solve it this way.
>>>> 8. WINS: some builds ago it was working as a dns proxy and also had
>>>> internal records for the domain - that was nice and no replication was
>>>> needed at all (with working dns of course). Now
>>>> (4.0.0alpha20-GIT-b8dea7e) I got:
>>>> # host s4wxp 192.168.101.10
>>>> s4wxp.test.lan has address 192.168.102.101
>>>> # nmblookup -R -U 192.168.101.10 s4wxp
>>>> Lookup failed - NT_STATUS_OBJECT_NAME_NOT_FOUND
>>>> Also, I tried to configure it as a replicating samba4wins, but got
>>>> # ldbedit -H /usr/local/samba/private/wins_config.ldb
>>>> no matching records - cannot edit
>>>> Bug reports?
>> What about this issue?
> I'm sorry, I've not looked into our wins stuff in a long time.
But someone apparently did... :) Ok, maybe I don't need it at all with
>>>> 11. Inter-site replication: does samba handle "options" attribute of
>>>> Inter-site transport objects (I want to set it to "1" - USE_NOTIFY)?
>>> I don't think we know very much about inter-site stuff at the moment.
>> But what's the default samba behavior for this at the moment? Does it
>> replicate catalog data between sites the same way as the data within a
>> single site? The more important question is: if some user changes his
>> password on the s4 DC in site A, when will this change be available on
>> the s4 DC in site B?
> Samba attempts replication to all DCs at the moment, as I understand it.
Well, that's exactly what I need now.
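As an added example (not Sergey's script, and not part of Samba), here is one way to do the 'before you begin - save all your group information to a file' step and turn that file back into samba-tool commands after the upgrade. It assumes group and user names are unchanged in the new domain, that the groups and users already exist there, and that 'Domain Users' (which the upgrade already migrates) plus a few local UNIX groups should be skipped; that skip list is a guess and must be adjusted for your directory.

```sh
#!/bin/sh
# Added example, not a script from the thread or from the Samba project:
# turn saved 'getent group' output into 'samba-tool group addmembers'
# commands so that LDAP group membership can be re-created after
# samba3upgrade. Assumed: group and user names are unchanged in the new
# domain, and the groups/users already exist there.
#
# Step 1, on the Samba 3 box BEFORE the upgrade:
#   getent group > groups.txt
#
# Step 2, on the new Samba 4 DC (review the output before running it):
#   sh ./groups2samba.sh groups.txt > addmembers.sh
#   sh ./addmembers.sh

# Read getent-format lines "name:passwd:gid:user1,user2,..." on stdin and
# print one samba-tool command per group that has members. samba-tool takes
# a comma-separated member list, which is exactly what getent prints.
# Names are single-quoted because Samba group names such as 'Domain Admins'
# contain spaces (names containing a single quote are not handled).
emit_addmembers() {
    while IFS=: read -r gname _passwd _gid members; do
        # Groups without members produce nothing to add.
        [ -z "$members" ] && continue
        case "$gname" in
            # Assumed skip list: 'Domain Users' membership comes from the
            # primary group and is already migrated by samba3upgrade; the
            # others are local UNIX groups that have no place in AD.
            "Domain Users"|root|wheel|adm|sudo) continue ;;
        esac
        printf "samba-tool group addmembers '%s' '%s'\n" "$gname" "$members"
    done
}

# When run with a file argument, convert that file; with no argument the
# function is only defined, so the script can also be sourced.
if [ $# -gt 0 ]; then
    emit_addmembers < "$1"
fi
```

Generate the commands into a file and read it over before running it: anything in the skip list is silently dropped, and a group that does not exist yet in the new domain will make samba-tool fail for that line only, so the remaining lines still apply.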