domain samba3upgrade fails

Greg Dickie greg at justaguy.ca
Tue Mar 27 12:17:19 MDT 2012


Hi again,

  I've made some progress by either patching the source or the LDAP
slapcat dump, however now I'm getting this error: (see below)


So it's trying to add a user with SID
S-1-5-21-743015788-4153008934-1122164905-1000
to a group with SID
S-1-5-21-743015788-4153008934-1122164905-1032

Both the user and group exist in LDAP and look OK.

I'm looking through the code to see how these GUIDs get allocated but I
thought someone might know what is wrong just by seeing the error. 

It looks like the upgrade script makes a few assumptions about what is
in the LDAP. I'm guessing we are breaking another one of those.....


Adding users to groups
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: Could not add member
'S-1-5-21-743015788-4153008934-1122164905-1000' to group
'S-1-5-21-743015788-4153008934-1122164905-1032' as either group or user
record doesn't exist: Unable to find GUID for DN 

  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 160, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
line 923, in run
    useeadb=eadb)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py", line
698, in upgrade_from_samba3
    add_users_to_group(result.samdb, g, groupmembers[g.nt_name], logger)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py", line
242, in add_users_to_group
    raise ProvisioningError("Could not add member '%s' to group '%s' as
either group or user record doesn't exist: %s" % (member_sid, group.sid,
emsg))



If you have any clues please let me know,
thanks,
Greg

On Sat, 2012-03-24 at 22:53 -0400, Greg Dickie wrote:
> Hi Andrew,
> 
>    I actually commented out the line that sets that flag just to see how
> far it gets without it (I don't think I really care about that field).
> It gets further but then starts complaining about duplicate users which
> do not seem to be duplicate in LDAP as far as I can tell (already
> checked for duplicate SIDs). I think there are certain assumptions about
> the LDAP that we aren't meeting. I'll trace through it and see if I can
> massage it through.
> 
> Thanks a lot,
> Greg
> 
> 
> On Sun, 2012-03-25 at 13:36 +1100, Andrew Bartlett wrote:
> > On Sat, 2012-03-24 at 17:30 -0400, Greg Dickie wrote:
> > > Hi,
> > > 
> > >   I'm trying to upgrade an LDAP backed samba3 domain to samba4 using the
> > > samba-tool domain samba3upgrade procedure. It seems to go quite well
> > > until it starts to import users. At that point I get this:
> > > 
> > > Group already exists sid=S-1-5-21-743015788-4153008934-1122164905-514,
> > > groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
> > > Importing users
> > > Failed to modify account record CN=auser,CN=Users,DC=domain,DC=local to
> > > set user attributes: Unsupported critical extension
> > > 1.3.6.1.4.1.7165.4.3.20
> > > ERROR(<class 'passdb.error'>): uncaught exception - Unable to add sam
> > > account 'auser', (-1073741637,NT_STATUS_NOT_SUPPORTED)
> > >   File
> > > "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 160, in _run
> > >     return self.run(*args, **kwargs)
> > >   File
> > > "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> > > line 923, in run
> > >     useeadb=eadb)
> > >   File
> > > "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py", line
> > > 691, in upgrade_from_samba3
> > >     s4_passdb.add_sam_account(userdata[username])
> > > 
> > > 
> > > 
> > > This seems to be an error returned from the builtin LDAP server? Any
> > > idea what the problem could be?
> > 
> > The OID DSDB_CONTROL_PASSWORD_BYPASS_LAST_SET_OID
> > "1.3.6.1.4.1.7165.4.3.20" in this case is to indicate to the lower
> > layers that the pwdLastSet value should be migrated (rather than reset
> > to now).  Clearly that isn't being handled properly in the password_hash
> > module, I'll dig into this and fix it up in the next few days. 
> > 
> > Andrew Bartlett
> > 
> 

-- 
Greg Dickie
just a guy
514-983-5400
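
An added example, not part of the original thread or of Samba's own code: a pre-flight check over a slapcat dump for two conditions discussed above, duplicate sambaSID values and group members with no matching account record. It assumes the standard Samba 3 LDAP schema (sambaSamAccount, sambaGroupMapping, memberUid); the sample LDIF and the function names are constructed for illustration.

```python
import base64
from collections import defaultdict
# Constructed slapcat-style sample (not data from the thread).
SAMPLE_LDIF = """\
dn: uid=auser,ou=People,dc=domain,dc=local
objectClass: sambaSamAccount
uid: auser
sambaSID: S-1-5-21-1-2-3-1000

dn: uid=buser,ou=People,dc=domain,dc=local
objectClass: sambaSamAccount
uid: buser
sambaSID: S-1-5-21-1-2-3-1000

dn: cn=staff,ou=Groups,dc=domain,dc=local
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1-2-3-1032
memberUid: auser
memberUid: ghost
"""

def parse_ldif(text):
    """Yield one dict (lowercased attribute -> values) per LDIF entry."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    for block in text.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                if value.startswith(":"):  # "attr:: <base64>"
                    value = base64.b64decode(value[1:]).decode("utf-8", "replace")
                entry[attr.strip().lower()].append(value.strip())
        if entry:
            yield entry

def preflight(text):
    """Return (duplicate SID -> DNs, [(group DN, member uid with no account)])."""
    sid_owners, accounts, groups = defaultdict(list), set(), []
    for e in parse_ldif(text):
        classes = {c.lower() for c in e["objectclass"]}
        dn = e["dn"][0] if e["dn"] else "<no dn>"
        for sid in e["sambasid"]:
            sid_owners[sid].append(dn)
        if "sambasamaccount" in classes:
            accounts.update(u.lower() for u in e["uid"])
        if "sambagroupmapping" in classes:
            groups.append((dn, e["memberuid"]))
    dups = {s: d for s, d in sid_owners.items() if len(d) > 1}
    dangling = [(g, m) for g, ms in groups for m in ms if m.lower() not in accounts]
    return dups, dangling
```

Calling `preflight()` on the text of a real dump returns the same two structures; empty results mean these two conditions are not present, not that the upgrade will succeed.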


