samba3upgrade migration results, issues, questions
urushkin at telros.ru
Thu May 3 05:16:42 MDT 2012
Andrew Bartlett писал 02.05.2012 07:30:
> On Tue, 2012-04-24 at 16:22 +0400, Sergey Urushkin wrote:
>> 24.04.2012 12:09, Andrew Bartlett написал:
>> > On Mon, 2012-04-23 at 16:42 +0400, Sergey Urushkin wrote:
>> >> Hi.
>> >>>> 2. All user accounts migrated with their saved passwords, but
>> >>>> migration many (possibly all) users were not able to login.
>> >>>> showed message about "not enough resources", kinit didn't work
>> >>>> with
>> >>>> this message:
>> >>>> kinit: krb5_get_init_creds: No ENC-TS found
>> >>>> Changing password didn't help, the only thing that helped was:
>> >>>> samba-tool user setexpiry user (with any flag - --days,
>> >>>> But that's not a serious issue because it can be solved by
>> >>>> shell
>> >>>> script. Talking about test migration of the big domain this
>> >>>> also
>> >>>> exists with rare random users and could be solved the same way.
>> >>> I think this may simply be an issue with the upgrade of the
>> >>> policy from S3. Can you try the attached patch?
>> >> Tried it (I see it's already in the master). With the small
>> domain tdbs
>> >> nothing is changed. With the big domain at least one account is
>> ok now,
>> >> but administrator is still affected.
>> >> Here is administrator's openldap data before migration:
>> >> dn: uid=Administrator,....
>> >> objectClass: top
>> >> objectClass: inetOrgPerson
>> >> objectClass: posixAccount
>> >> objectClass: shadowAccount
>> >> objectClass: sambaSamAccount
>> >> objectClass: krb5Principal
>> >> objectClass: krb5KDCEntry
>> >> cn: Administrator
>> >> sn: Administrator
>> >> uid: Administrator
>> >> gidNumber: 512
>> >> homeDirectory: /home/Administrator
>> >> loginShell: /bin/bash
>> >> description: Built-in account for administering the
>> >> sambaSID: S-1-5-21-1234567890-1234567890-1234567890-500
>> >> sambaPrimaryGroupSID:
>> >> displayName:: 0JDQtNC80LjQvdC40YHRgtGA0LDRgtC+0YAg0YHQtdGC0Lg=
>> >> sambaPasswordHistory:
>> >> 00000000000000000000000000000000000000000000000000000000
>> >> 00000000
>> >> krb5PrincipalName: Administrator at TELROS.RU
>> >> krb5KDCFlags: 126
>> >> gecos: Administrator
>> >> sambaKickoffTime: 1999999999
>> >> sambaHomePath: \\fsrv\home
>> >> sambaPwdMustChange: 1325408428
>> >> sambaPwdLastSet: 1322816429
>> >> sambaLMPassword: xxxxxxx
>> >> sambaNTPassword: xxxxxxx
>> >> krb5KeyVersionNumber: 15
>> >> krb5Key:: xxx
>> >> krb5Key:: xxx
>> >> uidNumber: 500
>> >> sambaAcctFlags: [UX ]
>> >> sambaBadPasswordCount: 0
>> >> sambaBadPasswordTime: 0
>> > For the administrator, because it is a default AD account, we do
>> > import it, but instead we simply bring across the password (only).
>> > means we will not bring across the 'password does not expire'
>> flag, but
>> > the password should be valid for as long as the expiry.
>> Alright, but many users in the migrated small domain are not 'well
>> known' and do have this problem.
>> I can send you the small domain tdbs if it would help.
>> About the big domain. I used this script to check how many accounts
>> beginning with 'a' are bad in just migrated domain.
>> for i in `samba-tool user list | grep ^a` ;do
>> samba-tool user setpassword --newpassword=111111 $i > /dev/null
>> echo 111111 | kinit --password-file=STDIN $i || echo $i
>> According to it about a half of them are affected. Here is
>> openldap-samba data for one of them:
>> sambaLogonScript: netlogon.bat
>> sambaSID: S-1-5-21-530720856-2058831417-1202159320-1968
>> sambaPrimaryGroupSID: S-1-5-21-530720856-2058831417-1202159320-513
>> sambaAcctFlags: [U ]
>> sambaBadPasswordCount: 0
>> sambaBadPasswordTime: 0
>> sambaKickoffTime: 1999999999
>> sambaHomePath: \\fsrv\home
>> sambaPwdMustChange: 1335676980
>> sambaPwdLastSet: 1333084981
>> sambaLMPassword: ea70ccc05b2b2d890000000000000000
>> sambaNTPassword: d460c18f7a68e2b049468d1aea8e70e5
> What does a working account look like?
> I don't see anything particularly wrong offhand, but I'll keep
> into it.
After looking deeply I discovered that the only difference between bad
and good accounts is noexpiry 'X' sambaAcctFlag.
All accounts that has this flag are good, others are bad. That's why
administrator is bad (if it does expire by default after migration).
Also, to exclude assumption all bad accounts are really expired, here
is one's password age data:
With maximum lifetime of the password equal to month (as is) it should
expire not earlier than may 27. Server's time is also right.
All these forced me to try:
# samba-tool user add testuser 111111 # or net rpc user add
User 'testuser' created successfully
# echo 111111 | kinit --password-file=STDIN testuser
kinit: krb5_get_init_creds: No ENC-TS found
So, seems that's not the migration issue...
Also, I can see that 'net rpc ... -U administrator' does work while
administrator is bad account (shares, kinit, logon doesn't work).
>> I can see (timestamps) that password shouldn't be expired.
>> > What expiry
>> > time did you have in your old domain?
>> small - never. big - 30 days.
>> >> Also, I seemed another problem (which didn't exist earlier) about
>> >> samba3upgrade. No group membership (except "domain users") is
>> >> I can see many messages like this:
>> >> Ignoring group 'groupname'
>> >> S-1-5-21-1234567890-1234567890-1234567890-1423 listed but then
>> >> found: <class 'passdb.error'>
>> >> And no errors after "Adding users to groups"
>> >> I do have members in my openldap groups (memberUid attributes).
>> > The issue here is that Samba4 simply can't see them. What version
>> > Samba 3.x are you upgrading from?
>> small - 3.0. big - 3.5.
>> > What do the groups look like in the directory?
>> dn: cn=somegroup,ou=Groups,ou=Samba,ou=Services,dc=telros,dc=ru
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: sambaGroupMapping
>> cn: somegroup
>> gidNumber: 1604
>> sambaSID: S-1-5-21-530720856-2058831417-1202159320-1581
>> sambaGroupType: 2
>> displayName: somegroup
>> description: tttttttt
>> memberUid: user1
>> memberUid: user2
>> memberUid: user3
>> memberUid: user4
> OK, thanks. We should be able import that - it is a normal domain
> SID_NAME_DOM_GRP = 2, /* domain group */
>> > This is a recurring issue, and a large number of people have
>> > upgrading LDAP groups for some reason. We may need to find
>> another way
>> > to read the group list (we can bind directly to LDAP, rather than
>> > the samba3 passdb code if need be).
>> A temporary solution would be to add script that imports ldap groups
>> using 'getent group' to the wiki (similar to that about unix groups
>> just called 'before you begin - save all your group information to a
>> I solve it this way.\
> Attached is an alternate approach that may solve your issue. If you
> test it for me, I would very much appreciate it.
Tried today's master snapshot and now group migration works again.
More information about the samba-technical