samba3upgrade clarification on groups

Charles Tryon charles.tryon at
Fri May 25 12:39:44 MDT 2012

OK, this is turning out to be more complicated than I thought.  I must be
missing something obvious here....

I have a wrapper script that I use for my migration test, since it has all
the arguments I use for the script, and it does some extra cleanup steps
after the end of the samba-tool part of the process.

As a part of this wrapper, I am copying the /etc/passwd and /etc/group
files that I grabbed off of the S3 server, into the /etc directory on the
new server.  This is a little tricky because the local users and groups on
the new host are not the same as those on the original host.  So, I "cheat"
a bit and save copies of the original passwd and group file before I copy
the S3 versions, and then move them back again when I'm done.  Other than
some minor warnings about a couple of skipped users ("nobody"=501 and a
domain trust account), and the usual complaints about not finding the wins
and idmap tdb databases, the script finishes without any problem.

However, when I'm done, none of my groups have been imported.

What am I missing here?  Could this be a problem with not having idmap
database from the original (3.0) server?

On Fri, May 25, 2012 at 9:14 AM, Charles Tryon <charles.tryon at> wrote:

> On Thu, May 24, 2012 at 6:06 PM, Andrew Bartlett <abartlet at> wrote:
>> On Thu, 2012-05-24 at 14:57 -0400, Charles Tryon wrote:
>> > I was doing some updates to the samba-tool samba3upgrade Wiki page, and I
>> > just had a quick question for people who have been using this tool...
>> >
>> > My Samba3 DC uses the older tdb backend rather than LDAP.  To the best of
>> > my knowledge, the migration tool does NOT know how to convert the
>> > /etc/group file when migrating to the new domain, so I've simply written a
>> > couple line script which slurps up the group file and issues commands to
>> > create the groups in the new Samba4 domain.
>> The samba3upgrade tool does know how to read /etc/group, if that file is
>> installed on the system doing the upgrade.  It reads it via the same
>> methods that Samba3 uses to make members part of their groups at
>> runtime, as well as the methods for enumerating group members.  Both of
>> these are nss calls in this instance.
>> If there is a desire to upgrade from a 'group' file not installed on the
>> system, I will happily accept patches to do that (ie parse it in
>> python).
>> > My question is: If you are using an LDAP back end, then does the tool
>> > normally build the groups for you?  I know I've seen indications that there
>> > are situations where the groups fail to build correctly, but that makes it
>> > sound like it normally does work.  Since this is not behavior I've seen
>> > myself, I just wanted to note this in the HOWTO.
>> If you know of any situation where groups fail to migrate, please let me
>> know, and we can fix it.  We need to remove notes to the contrary from
>> the wiki page.
> OK, I'll try this out and make the changes on the samba3migrate HOWTO page.
>> Andrew Bartlett
>> --
>> Andrew Bartlett
>> Authentication Developer, Samba Team 
> --
>     Charles Tryon
> _________________________________________________________________________
>   “Risks are not to be evaluated in terms of the probability of success,
> but in terms of the value of the goal.”
>                 - Ralph D. Winter

    Charles Tryon
  “Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
                - Ralph D. Winter
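
The quoted reply in this thread invites a Python parser for a group file that is not installed on the upgrade host. The following is an added example, not code from this thread or from samba3upgrade: it reads a copied group file and builds `samba-tool group add` and `samba-tool group addmembers` argument lists, so /etc/group on the new server never has to be swapped. The function names, the `min_gid=500` cutoff for host-local system groups and the sample data are assumptions.

```python
import io

def parse_group_file(stream, min_gid=500):
    """Parse group(5) lines 'name:passwd:gid:member,member' from a copied file."""
    groups, skipped = {}, []
    for lineno, raw in enumerate(stream, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4 or not fields[0]:
            skipped.append((lineno, "malformed entry"))
            continue
        name, _passwd, gid_text, member_text = fields
        if not (gid_text.isascii() and gid_text.isdigit()):
            skipped.append((lineno, "non-numeric gid"))
            continue
        if int(gid_text) < min_gid:  # assumption: lower gids are host-local system groups
            skipped.append((lineno, "system group"))
            continue
        if name in groups:
            skipped.append((lineno, "duplicate group name"))
            continue
        groups[name] = [m for m in dict.fromkeys(member_text.split(",")) if m]
    return groups, skipped

def samba_tool_commands(groups):
    """Build argv lists (not shell strings) so names are never shell-interpreted."""
    cmds = []
    for name, members in sorted(groups.items()):
        cmds.append(["samba-tool", "group", "add", name])
        if members:
            cmds.append(["samba-tool", "group", "addmembers", name, ",".join(members)])
    return cmds

# Constructed sample standing in for the group file copied from the old server.
SAMPLE = """root:x:0:
staff:x:1001:alice,bob,alice
finance:x:1002:
broken-line-without-fields
staff:x:1009:carol
"""

if __name__ == "__main__":
    groups, skipped = parse_group_file(io.StringIO(SAMPLE))
    for argv in samba_tool_commands(groups):
        print(" ".join(argv))
    for lineno, reason in skipped:
        print("skipped line %d: %s" % (lineno, reason))
```

Each argv list can be handed to `subprocess.run` on the new domain controller once the user accounts have been migrated; the skipped list shows which entries of the old file were deliberately left out.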
