Samba3 to Samba4 migration issues

Chirana Gheorghita Eugeniu Theodor office at adaptcom.ro
Tue Nov 6 12:03:38 MST 2012


Hello,
Just got home.
Duplicate sids were corrected.... This is what happens if you let employees
do a well documented job. :)

Same error occurred even after adding that parameter. I do not understand
what unix account samba wants for those machine accounts. Seems that it
does not have a problem with the ou=Users entries:

The LDAP server is successfully connected
  Skipping wellknown rid=500 (for username=root)
init_sam_from_ldap: Entry found for user: catalin
Home server: CERBERUS
init_sam_from_ldap: Entry found for user: parlitu
init_sam_from_ldap: Entry found for user: valig
init_sam_from_ldap: Entry found for user: ion
init_sam_from_ldap: Entry found for user: pascu
init_sam_from_ldap: Entry found for user: paraschiv
init_sam_from_ldap: Entry found for user: ddaniel
init_sam_from_ldap: Entry found for user: H9101201$
Home server: CERBERUS
Home server: CERBERUS
init_sam_from_ldap: Failed to find Unix account for H9101201$
ldapsam_getsampwnam: init_sam_from_ldap failed for user 'H9101201$'!
ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user
information for 'H9101201$', (-1073741724,No such user)
  File "/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File "/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line
1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/samba/lib64/python2.6/site-packages/samba/upgrade.py", line 694,
in upgrade_from_samba3
    user = s3db.getsampwnam(username)

I also changed the entry:
  netbios name = cerberus
 in the config but same error.

On Tue, Nov 6, 2012 at 4:56 PM, Ricky Nance <ricky.nance at weaubleau.k12.mo.us
> wrote:

> First, add ldapsam:trusted = yes to your global section of your smb.conf
> and give the migration a retry (please keep track if you get a different
> error after adding that), if that fails with the same error, don't worry
> about letting me know, do the following if you end up with more errors or
> the same error.
>
> Duplicate id:  sambaSID: S-1-5-21-3911796660-3176143098-666610135-4013
> Duplicate id:  sambaSID: S-1-5-21-3911796660-3176143098-666610135-4041
> Duplicate id:  sambaSID: S-1-5-21-3911796660-3176143098-666610135-5036
>
> If you are still having errors try fixing the above duplicate SID's, then
> see if you get the same error, if you do, can you send me the file
> migration-error.tar.xz generated by the following commands.
>
> /samba/bin/samba-tool domain classicupgrade --dbdir=/samba/s3/private/
> --use-xattrs=yes  --realm=aviamotors.ro  /samba/s3/private/smb.conf -d3
> 2>&1 | tee > migration-error.txt
>
> tar --xz -cf migration-error.tar.xz migration-error.txt
>
> I am at work right now, but when I get home I will see about duplicating
> your setup on one of my VM's and see if I get the same results. Also, be
> careful who you send a ldap database to, the sambaLMPassword and
> sambaNTPassword lines on each user contains the hash of the password for
> that user, and it can easily be reversed. I can assure you I will not
> misuse your information, but others may not be as nice. That is something
> to keep in mind though. I would however trust anyone with the @samba.org
> email addresses, as they are samba devs (I am working on becoming part of
> the team, but just not there quite yet with my programming expertise).
>
> Ricky
>
> On Tue, Nov 6, 2012 at 8:27 AM, Chirana Gheorghita Eugeniu Theodor <
> office at adaptcom.ro> wrote:
>
>> yes removed path/to/samba/private and /path/to/samba/etc and retried .
>> Same error. That error is a copy paste issue. Syntax is correct:
>>
>> /samba/bin/samba-tool domain classicupgrade --dbdir=/samba/s3/private/
>> --use-xattrs=yes  --realm=aviamotors.ro  /samba/s3/private/smb.conf
>>
>> I'll send you the ldif dump from the ldap server that is live now and the
>> smb.conf which is used in the current samba3 production. (you find them
>> attached)
>>
>> Thanks
>>
>>
>>
>> On Tue, Nov 6, 2012 at 2:59 PM, Ricky Nance <
>> ricky.nance at weaubleau.k12.mo.us> wrote:
>>
>>> > [root at cerberus ~]# /samba/bin/samba-tool domain classicupgrade
>>> > --dbdir=/samba/s3/private/ --use-xattrs=yes  --realm=
>>> aviamotor.ro/samba/s3/private/smb.conf
>>>
>>> Is there really not a space between --realm=aviamotor.ro and
>>> /samba/s3/private/smb.conf (or is that just a bad paste)? Did you check for
>>> duplicate sid's? Can you post (or email me) your smb.conf? When (assuming
>>> you did) you tried a second time did you make sure to remove
>>> /path/to/samba/private and /path/to/samba/etc?
>>>
>>> Ricky
>>>
>>>
>>> On Tue, Nov 6, 2012 at 3:11 AM, Chirana Gheorghita Eugeniu Theodor <
>>> office at adaptcom.ro> wrote:
>>>
>>>> The machine account is with a trailing $ so the correct snippet is:
>>>>
>>>> dn: uid=H9101200$,ou=Computers,dc=aviamotors,dc=ro
>>>> displayName: Machine
>>>> objectClass: sambaSamAccount
>>>> objectClass: account
>>>> sambaAcctFlags: [W ]
>>>> sambaSID: S-1-5-21-3911796660-3176143098-666610135-9999
>>>> uid: H9101200$
>>>> sambaNTPassword: ****************************
>>>> sambaPwdLastSet: 1257150878
>>>>
>>>> On Tue, Nov 6, 2012 at 10:51 AM, Chirana Gheorghita Eugeniu Theodor <
>>>> office at adaptcom.ro> wrote:
>>>>
>>>> > Hello guys,
>>>> > For some time the long waited release candidates are online and I just
>>>> > decided to migrate a samba3 ad to a fully functional samba4 RC4.
>>>> > The setup:
>>>> > Centos 6.3 64bit
>>>> > Intel server
>>>> > Ldap database of samba3 is on another machine.
>>>> >
>>>> > I copied the tdb files and the smb.conf as instructed in the HOWTO ,
>>>> setup
>>>> > nsswitch to get users from ldap and getent passwd works ok.
>>>> > I arrived at the step where I do the samba-tool classicupgrade and
>>>> > surprise:
>>>> > the all users seem to be read and validated ok but when it gets to
>>>> reading
>>>> > the machine accounts it fails with:
>>>> >
>>>> > [root at cerberus ~]# /samba/bin/samba-tool domain classicupgrade
>>>> > --dbdir=/samba/s3/private/ --use-xattrs=yes  --realm=
>>>> aviamotor.ro/samba/s3/private/smb.conf
>>>> > Reading smb.conf
>>>> > doing parameter time server = Yes
>>>> > doing parameter load printers = yes
>>>> > doing parameter printing = cups
>>>> > WARNING: Ignoring invalid value 'cups' for parameter 'printing'
>>>> > doing parameter printcap name = cups
>>>> > doing parameter logon script = scripts\%U.bat
>>>> > doing parameter domain logons = Yes
>>>> > doing parameter os level = 98
>>>> > doing parameter preferred master = Yes
>>>> > doing parameter domain master = Yes
>>>> > doing parameter wins support = Yes
>>>> > doing parameter remote announce = 10.124.112.8
>>>> > doing parameter ldap admin dn = cn=manager,dc=aviamotors,dc=ro
>>>> > doing parameter ldap group suffix = ou=Groups
>>>> > doing parameter ldap idmap suffix = ou=Users
>>>> > doing parameter ldap machine suffix = ou=Computers
>>>> > doing parameter ldap passwd sync = Yes
>>>> > doing parameter ldap suffix = dc=aviamotors,dc=ro
>>>> > doing parameter ldap user suffix = ou=Users
>>>> > doing parameter lanman auth = Yes
>>>> > doing parameter lm announce = no
>>>> > doing parameter min protocol = NT1
>>>> > doing parameter full_audit:prefix = %u|%I|%m|%S
>>>> > doing parameter full_audit:failure = connect
>>>> > doing parameter full_audit:success = connect disconnect mkdir rmdir
>>>> open
>>>> > close read pread write pwrite sendfile rename unlink chmod fchmod
>>>> chown
>>>> > fchown chdir ftruncate lock symlink readlink link mknod realpath
>>>> > doing parameter full_audit:facility = local7
>>>> > doing parameter full_audit:priority = notice
>>>> > doing parameter dos filemode = yes
>>>> > Processing section "[profile]"
>>>> > doing parameter path = /tmp
>>>> > Processing section "[netlogon]"
>>>> > doing parameter path = /var/lib/samba/netlogon
>>>> > doing parameter read only = No
>>>> > Processing section "[groups]"
>>>> > doing parameter comment = All groups
>>>> > doing parameter path = /home1/groups
>>>> > doing parameter invalid users = elsa
>>>> > doing parameter read only = No
>>>> > doing parameter dos filemode = Yes
>>>> > doing parameter create mask = 0770
>>>> > doing parameter directory mask = 0770
>>>> > doing parameter directory security mask = 0700
>>>> > Unknown parameter encountered: "directory security mask"
>>>> > Ignoring unknown parameter "directory security mask"
>>>> > Processing section "[conta]"
>>>> > doing parameter comment = Contabilitate
>>>> > doing parameter path = /home1/conta
>>>> > doing parameter read only = No
>>>> > doing parameter create mask = 0770
>>>> > doing parameter directory mask = 0770
>>>> > doing parameter directory security mask = 0700
>>>> > Unknown parameter encountered: "directory security mask"
>>>> > Ignoring unknown parameter "directory security mask"
>>>> > doing parameter veto files =
>>>> /*.mp3/*.avi/*.mpg/*.mpeg/*.jpg/*.jpeg/*.wma/
>>>> > doing parameter hide files =
>>>> /*.mp3/*.avi/*.mpg/*.mpeg/*.jpg/*.jpeg/*.wma/
>>>> > doing parameter vfs objects = full_audit
>>>> > Processing section "[marketing]"
>>>> > doing parameter path = /home1/marketing
>>>> > doing parameter read only = No
>>>> > doing parameter create mask = 0770
>>>> > doing parameter directory mask = 0770
>>>> > doing parameter directory security mask = 0700
>>>> > Unknown parameter encountered: "directory security mask"
>>>> > Ignoring unknown parameter "directory security mask"
>>>> > doing parameter vfs objects = full_audit
>>>> > Processing section "[ru]"
>>>> > doing parameter comment = ru
>>>> > doing parameter path = /home1/ru
>>>> > doing parameter read only = No
>>>> > doing parameter create mask = 0770
>>>> > doing parameter directory mask = 0770
>>>> > doing parameter directory security mask = 0770
>>>> > Unknown parameter encountered: "directory security mask"
>>>> > Ignoring unknown parameter "directory security mask"
>>>> > doing parameter vfs objects = full_audit
>>>> > Processing section "[p1]"
>>>> > doing parameter comment = Users Profile
>>>> > doing parameter writeable = yes
>>>> > doing parameter path = /home2
>>>> > doing parameter create mask = 0600
>>>> > doing parameter directory mask = 0700
>>>> > doing parameter profile acls = yes
>>>> > doing parameter root preexec = /etc/samba/mkdir.sh %U '%g' %H %P
>>>> > Processing section "[aaa]"
>>>> > doing parameter writeable = no
>>>> > doing parameter path = /home2/aaa
>>>> > doing parameter create mask = 0600
>>>> > doing parameter comment = sql
>>>> > doing parameter directory mask = 0700
>>>> > Processing section "[printers]"
>>>> > doing parameter comment = All Printers
>>>> > doing parameter path = /var/spool/samba/
>>>> > doing parameter guest ok = Yes
>>>> > doing parameter printable = Yes
>>>> > doing parameter browseable = No
>>>> > doing parameter public = yes
>>>> > Processing section "[print$]"
>>>> > doing parameter path = /var/lib/samba/printing
>>>> > doing parameter write list = "@Domain Admins", root
>>>> > doing parameter read only = yes
>>>> > doing parameter browseable = yes
>>>> > doing parameter guest ok = Yes
>>>> > Processing section "[kituri]"
>>>> > doing parameter path = /home/kituri
>>>> > doing parameter write list = "@Domain Admins"
>>>> > Processing section "[update]"
>>>> > doing parameter path = /home/update
>>>> > doing parameter write list = "@Domain Admins"
>>>> > Processing section "[toatalumea]"
>>>> > doing parameter path = /home1/groups/toatalumea
>>>> > doing parameter read only = No
>>>> > doing parameter write list = "Users"
>>>> > doing parameter create mask = 0777
>>>> > doing parameter directory mask = 0777
>>>> > doing parameter vfs objects = full_audit
>>>> > pm_process() returned Yes
>>>> > Provisioning
>>>> > smbldap_search_domain_info: Searching
>>>> > for:[(&(objectClass=sambaDomain)(sambaDomainName=AVIAMOTORS.RO))]
>>>> > smbldap_open_connection: connection opened
>>>> > ldap_connect_system: successful connection to the LDAP server
>>>> > The LDAP server is successfully connected
>>>> > ldapsam_getsampwnam: Unable to locate user [LINUXRETEA$] count=0
>>>> > Exporting account policy
>>>> > Exporting groups
>>>> > ldapsam_setsamgrent: 21 entries in the base!
>>>> > init_group_from_ldap: Entry found for group: 548
>>>> > init_group_from_ldap: Entry found for group: 544
>>>> > init_group_from_ldap: Entry found for group: 551
>>>> > init_group_from_ldap: Entry found for group: 503
>>>> > init_group_from_ldap: Entry found for group: 509
>>>> > init_group_from_ldap: Entry found for group: 512
>>>> > init_group_from_ldap: Entry found for group: 515
>>>> > init_group_from_ldap: Entry found for group: 514
>>>> > init_group_from_ldap: Entry found for group: 513
>>>> > init_group_from_ldap: Entry found for group: 1001
>>>> > init_group_from_ldap: Entry found for group: 517
>>>> > init_group_from_ldap: Entry found for group: 507
>>>> > init_group_from_ldap: Entry found for group: 508
>>>> > init_group_from_ldap: Entry found for group: 550
>>>> > init_group_from_ldap: Entry found for group: 552
>>>> > init_group_from_ldap: Entry found for group: 1011
>>>> > init_group_from_ldap: Entry found for group: 504
>>>> > init_group_from_ldap: Entry found for group: 524
>>>> > init_group_from_ldap: Entry found for group: 500
>>>> > init_group_from_ldap: Entry found for group: 510
>>>> > init_group_from_ldap: Entry found for group: 580
>>>> > ldapsam_enum_aliasmem: Did not find alias
>>>> > Ignoring group 'Account Operators' S-1-5-32-548 listed but then not
>>>> found:
>>>> > Unable to enumerate members for alias,
>>>> (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
>>>> > ldapsam_enum_aliasmem: Did not find alias
>>>> > Ignoring group 'Administrators' S-1-5-32-544 listed but then not
>>>> found:
>>>> > Unable to enumerate members for alias,
>>>> (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
>>>> > ldapsam_enum_aliasmem: Did not find alias
>>>> > Ignoring group 'Backup Operators' S-1-5-32-551 listed but then not
>>>> found:
>>>> > Unable to enumerate members for alias,
>>>> (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
>>>> > ldapsam_enum_aliasmem: Did not find alias
>>>> > Ignoring group 'Print Operators' S-1-5-32-550 listed but then not
>>>> found:
>>>> > Unable to enumerate members for alias,
>>>> (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
>>>> > ldapsam_enum_aliasmem: Did not find alias
>>>> > Ignoring group 'Replicators' S-1-5-32-552 listed but then not found:
>>>> > Unable to enumerate members for alias,
>>>> (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
>>>> > Exporting users
>>>> > smbldap_search_paged: base => [dc=aviamotors,dc=ro], filter =>
>>>> > [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize =>
>>>> [1024]
>>>> > smbldap_search_paged: search was successful
>>>> > init_sam_from_ldap: Entry found for user: nobody
>>>> > Home server: LINUXRETEA
>>>> > Home server: LINUXRETEA
>>>> > smbldap_search_domain_info: Searching
>>>> > for:[(&(objectClass=sambaDomain)(sambaDomainName=AVIAMOTORS.RO))]
>>>> > smbldap_open_connection: connection opened
>>>> > ldap_connect_system: successful connection to the LDAP server
>>>> > The LDAP server is successfully connected
>>>> >   Skipping wellknown rid=500 (for username=root)
>>>> > init_sam_from_ldap: Entry found for user: catalin
>>>> > Home server: LINUXRETEA
>>>> > init_sam_from_ldap: Entry found for user: parlitu
>>>> > init_sam_from_ldap: Entry found for user: valig
>>>> > init_sam_from_ldap: Entry found for user: ion
>>>> > init_sam_from_ldap: Entry found for user: pascu
>>>> > init_sam_from_ldap: Entry found for user: paraschiv
>>>> > init_sam_from_ldap: Entry found for user: ddaniel
>>>> > init_sam_from_ldap: Entry found for user: H9101201$
>>>> > Home server: LINUXRETEA
>>>> > Home server: LINUXRETEA
>>>> > init_sam_from_ldap: Failed to find Unix account for H9101201$
>>>> > ldapsam_getsampwnam: init_sam_from_ldap failed for user 'H9101201$'!
>>>> > ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user
>>>> > information for 'H9101201$', (-1073741724,No such user)
>>>> >   File
>>>> "/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
>>>> > line 175, in _run
>>>> >     return self.run(*args, **kwargs)
>>>> >   File "/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
>>>> line
>>>> > 1318, in run
>>>> >     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>>> >   File "/samba/lib64/python2.6/site-packages/samba/upgrade.py", line
>>>> 694,
>>>> > in upgrade_from_samba3
>>>> >     user = s3db.getsampwnam(username)
>>>> >
>>>> > the ldif snippet for a machine account is:
>>>> >
>>>> > dn: uid=H9101200,ou=Computers,dc=aviamotors,dc=ro
>>>> > displayName: Machine
>>>> > objectClass: sambaSamAccount
>>>> > objectClass: account
>>>> > sambaAcctFlags: [W ]
>>>> > sambaSID: S-1-5-21-3911796660-3176143098-666610135-9999
>>>> > uid: H9101200
>>>> > sambaNTPassword: ****************************
>>>> > sambaPwdLastSet: 1257150878
>>>> >
>>>> > What am I missing here?
>>>> >
>>>> > --
>>>> > ___________________________________________________
>>>> > Cu stima/Best regards/Mit freundlichen Grüßen,
>>>> >
>>>> > Chirana-Gheorghita Eugeniu-Theodor
>>>> > Bucharest, Romania
>>>> >
>>>> > e-mail : office at adaptcom.ro
>>>> > mobile: 0743 698721
>>>> >             0747 447675
>>>> >


-- 
___________________________________________________
Cu stima/Best regards/Mit freundlichen Grüßen/最好的问候,

Chirana-Gheorghita Eugeniu-Theodor
Bucharest, Romania

e-mail : office at adaptcom.ro
mobile: 0743 698721
            0747 447675
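
The thread raises three checks on the Samba3 LDIF dump before a classicupgrade retry or before mailing the dump to anyone: duplicate sambaSID values, sambaSamAccount entries with no Unix account, and the sambaLMPassword/sambaNTPassword hashes. The sketch below is an added example, not code from the thread or from Samba, and it runs all three on a constructed sample. Assumptions: the function names are hypothetical, and treating a missing posixAccount objectClass as the reason for "Failed to find Unix account" is an assumption, not something the thread confirms.

```python
import re
from collections import defaultdict

# Constructed sample dump (not the poster's data); the two machine accounts share one SID.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=test
objectClass: posixAccount
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-3001
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=PC01$,ou=Computers,dc=example,dc=test
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-4001
sambaLMPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=PC02$,ou=Computers,dc=example,dc=test
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-4001
sambaNTPassword: 00112233445566778899AABBCCDDEEFF
"""

# Matches "attr: value" and base64 "attr:: value" lines for both hash attributes.
HASH_ATTR = re.compile(r"^(samba(?:LM|NT)Password)::?[ \t]*.*$", re.I | re.M)

def parse_entries(ldif):
    """Return one {lowercased attr: [values]} dict per LDIF entry."""
    ldif = re.sub(r"\r?\n ", "", ldif)  # unfold LDIF continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                attr, value = line.split(":", 1)
                entry[attr.lower()].append(value.lstrip(": ").strip())
        entries.append(entry)
    return entries

def preflight(ldif):
    """Return ({duplicated SID: [dns]}, [dns of Samba accounts lacking posixAccount])."""
    by_sid, no_unix = defaultdict(list), []
    for e in parse_entries(ldif):
        classes = {c.lower() for c in e["objectclass"]}
        if "sambasamaccount" not in classes:
            continue
        dn = e["dn"][0]
        for sid in e["sambasid"]:
            by_sid[sid].append(dn)
        if "posixaccount" not in classes:  # assumption: no Unix side for this account
            no_unix.append(dn)
    return {s: d for s, d in by_sid.items() if len(d) > 1}, no_unix

def redact(ldif):
    """Replace LM/NT hash values so the dump can be attached to a bug report."""
    return HASH_ATTR.sub(r"\1: REDACTED", ldif)
```

Run `preflight()` on the real dump first, then send only the output of `redact()`; the debug log from `-d3` should be checked for hash values as well before it is shared.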


