Samba3 to Samba4 migration issues

Gémes Géza geza at kzsdabas.hu
Tue Nov 6 12:29:05 MST 2012


Hi,

See below
> The machine account is with a trailing $ so the correct snippet is:
>
> dn: uid=H9101200$,ou=Computers,dc=aviamotors,dc=ro
> displayName: Machine
> objectClass: sambaSamAccount
> objectClass: account
> sambaAcctFlags: [W ]
> sambaSID: S-1-5-21-3911796660-3176143098-666610135-9999
> uid: H9101200$
> sambaNTPassword: ****************************
> sambaPwdLastSet: 1257150878
>
> On Tue, Nov 6, 2012 at 10:51 AM, Chirana Gheorghita Eugeniu Theodor <
> office at adaptcom.ro> wrote:
>
>> Hello guys,
>> For some time the long-awaited release candidates are online and I just
>> decided to migrate a samba3 ad to a fully functional samba4 RC4.
>> The setup:
>> Centos 6.3 64bit
>> Intel server
>> Ldap database of samba3 is on another machine.
>>
>> I copied the tdb files and the smb.conf as instructed in the HOWTO, set up
>> nsswitch to get users from ldap and getent passwd works ok.
>> I arrived at the step where I do the samba-tool classicupgrade and
>> surprise:
>> all the users seem to be read and validated ok but when it gets to reading
>> the machine accounts it fails with:
>>
>> [root at cerberus ~]# /samba/bin/samba-tool domain classicupgrade
>> --dbdir=/samba/s3/private/ --use-xattrs=yes  --realm=aviamotor.ro/samba/s3/private/smb.conf
>> Reading smb.conf
>> doing parameter time server = Yes
>> doing parameter load printers = yes
>> doing parameter printing = cups
>> WARNING: Ignoring invalid value 'cups' for parameter 'printing'
>> doing parameter printcap name = cups
>> doing parameter logon script = scripts\%U.bat
>> doing parameter domain logons = Yes
>> doing parameter os level = 98
>> doing parameter preferred master = Yes
>> doing parameter domain master = Yes
>> doing parameter wins support = Yes
>> doing parameter remote announce = 10.124.112.8
>> doing parameter ldap admin dn = cn=manager,dc=aviamotors,dc=ro
>> doing parameter ldap group suffix = ou=Groups
>> doing parameter ldap idmap suffix = ou=Users
>> doing parameter ldap machine suffix = ou=Computers
>> doing parameter ldap passwd sync = Yes
>> doing parameter ldap suffix = dc=aviamotors,dc=ro
>> doing parameter ldap user suffix = ou=Users
>> doing parameter lanman auth = Yes
>> doing parameter lm announce = no
>> doing parameter min protocol = NT1
>> doing parameter full_audit:prefix = %u|%I|%m|%S
>> doing parameter full_audit:failure = connect
>> doing parameter full_audit:success = connect disconnect mkdir rmdir open
>> close read pread write pwrite sendfile rename unlink chmod fchmod chown
>> fchown chdir ftruncate lock symlink readlink link mknod realpath
>> doing parameter full_audit:facility = local7
>> doing parameter full_audit:priority = notice
>> doing parameter dos filemode = yes
>> Processing section "[profile]"
>> doing parameter path = /tmp
>> Processing section "[netlogon]"
>> doing parameter path = /var/lib/samba/netlogon
>> doing parameter read only = No
>> Processing section "[groups]"
>> doing parameter comment = All groups
>> doing parameter path = /home1/groups
>> doing parameter invalid users = elsa
>> doing parameter read only = No
>> doing parameter dos filemode = Yes
>> doing parameter create mask = 0770
>> doing parameter directory mask = 0770
>> doing parameter directory security mask = 0700
>> Unknown parameter encountered: "directory security mask"
>> Ignoring unknown parameter "directory security mask"
>> Processing section "[conta]"
>> doing parameter comment = Contabilitate
>> doing parameter path = /home1/conta
>> doing parameter read only = No
>> doing parameter create mask = 0770
>> doing parameter directory mask = 0770
>> doing parameter directory security mask = 0700
>> Unknown parameter encountered: "directory security mask"
>> Ignoring unknown parameter "directory security mask"
>> doing parameter veto files = /*.mp3/*.avi/*.mpg/*.mpeg/*.jpg/*.jpeg/*.wma/
>> doing parameter hide files = /*.mp3/*.avi/*.mpg/*.mpeg/*.jpg/*.jpeg/*.wma/
>> doing parameter vfs objects = full_audit
>> Processing section "[marketing]"
>> doing parameter path = /home1/marketing
>> doing parameter read only = No
>> doing parameter create mask = 0770
>> doing parameter directory mask = 0770
>> doing parameter directory security mask = 0700
>> Unknown parameter encountered: "directory security mask"
>> Ignoring unknown parameter "directory security mask"
>> doing parameter vfs objects = full_audit
>> Processing section "[ru]"
>> doing parameter comment = ru
>> doing parameter path = /home1/ru
>> doing parameter read only = No
>> doing parameter create mask = 0770
>> doing parameter directory mask = 0770
>> doing parameter directory security mask = 0770
>> Unknown parameter encountered: "directory security mask"
>> Ignoring unknown parameter "directory security mask"
>> doing parameter vfs objects = full_audit
>> Processing section "[p1]"
>> doing parameter comment = Users Profile
>> doing parameter writeable = yes
>> doing parameter path = /home2
>> doing parameter create mask = 0600
>> doing parameter directory mask = 0700
>> doing parameter profile acls = yes
>> doing parameter root preexec = /etc/samba/mkdir.sh %U '%g' %H %P
>> Processing section "[aaa]"
>> doing parameter writeable = no
>> doing parameter path = /home2/aaa
>> doing parameter create mask = 0600
>> doing parameter comment = sql
>> doing parameter directory mask = 0700
>> Processing section "[printers]"
>> doing parameter comment = All Printers
>> doing parameter path = /var/spool/samba/
>> doing parameter guest ok = Yes
>> doing parameter printable = Yes
>> doing parameter browseable = No
>> doing parameter public = yes
>> Processing section "[print$]"
>> doing parameter path = /var/lib/samba/printing
>> doing parameter write list = "@Domain Admins", root
>> doing parameter read only = yes
>> doing parameter browseable = yes
>> doing parameter guest ok = Yes
>> Processing section "[kituri]"
>> doing parameter path = /home/kituri
>> doing parameter write list = "@Domain Admins"
>> Processing section "[update]"
>> doing parameter path = /home/update
>> doing parameter write list = "@Domain Admins"
>> Processing section "[toatalumea]"
>> doing parameter path = /home1/groups/toatalumea
>> doing parameter read only = No
>> doing parameter write list = "Users"
>> doing parameter create mask = 0777
>> doing parameter directory mask = 0777
>> doing parameter vfs objects = full_audit
>> pm_process() returned Yes
>> Provisioning
>> smbldap_search_domain_info: Searching
>> for:[(&(objectClass=sambaDomain)(sambaDomainName=AVIAMOTORS.RO))]
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> The LDAP server is successfully connected
>> ldapsam_getsampwnam: Unable to locate user [LINUXRETEA$] count=0
>> Exporting account policy
>> Exporting groups
>> ldapsam_setsamgrent: 21 entries in the base!
>> init_group_from_ldap: Entry found for group: 548
>> init_group_from_ldap: Entry found for group: 544
>> init_group_from_ldap: Entry found for group: 551
>> init_group_from_ldap: Entry found for group: 503
>> init_group_from_ldap: Entry found for group: 509
>> init_group_from_ldap: Entry found for group: 512
>> init_group_from_ldap: Entry found for group: 515
>> init_group_from_ldap: Entry found for group: 514
>> init_group_from_ldap: Entry found for group: 513
>> init_group_from_ldap: Entry found for group: 1001
>> init_group_from_ldap: Entry found for group: 517
>> init_group_from_ldap: Entry found for group: 507
>> init_group_from_ldap: Entry found for group: 508
>> init_group_from_ldap: Entry found for group: 550
>> init_group_from_ldap: Entry found for group: 552
>> init_group_from_ldap: Entry found for group: 1011
>> init_group_from_ldap: Entry found for group: 504
>> init_group_from_ldap: Entry found for group: 524
>> init_group_from_ldap: Entry found for group: 500
>> init_group_from_ldap: Entry found for group: 510
>> init_group_from_ldap: Entry found for group: 580
>> ldapsam_enum_aliasmem: Did not find alias
>> Ignoring group 'Account Operators' S-1-5-32-548 listed but then not found:
>> Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
>> ldapsam_enum_aliasmem: Did not find alias
>> Ignoring group 'Administrators' S-1-5-32-544 listed but then not found:
>> Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
>> ldapsam_enum_aliasmem: Did not find alias
>> Ignoring group 'Backup Operators' S-1-5-32-551 listed but then not found:
>> Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
>> ldapsam_enum_aliasmem: Did not find alias
>> Ignoring group 'Print Operators' S-1-5-32-550 listed but then not found:
>> Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
>> ldapsam_enum_aliasmem: Did not find alias
>> Ignoring group 'Replicators' S-1-5-32-552 listed but then not found:
>> Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
>> Exporting users
>> smbldap_search_paged: base => [dc=aviamotors,dc=ro], filter =>
>> [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
>> smbldap_search_paged: search was successful
>> init_sam_from_ldap: Entry found for user: nobody
>> Home server: LINUXRETEA
>> Home server: LINUXRETEA
>> smbldap_search_domain_info: Searching
>> for:[(&(objectClass=sambaDomain)(sambaDomainName=AVIAMOTORS.RO))]
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> The LDAP server is successfully connected
>>    Skipping wellknown rid=500 (for username=root)
>> init_sam_from_ldap: Entry found for user: catalin
>> Home server: LINUXRETEA
>> init_sam_from_ldap: Entry found for user: parlitu
>> init_sam_from_ldap: Entry found for user: valig
>> init_sam_from_ldap: Entry found for user: ion
>> init_sam_from_ldap: Entry found for user: pascu
>> init_sam_from_ldap: Entry found for user: paraschiv
>> init_sam_from_ldap: Entry found for user: ddaniel
>> init_sam_from_ldap: Entry found for user: H9101201$
>> Home server: LINUXRETEA
>> Home server: LINUXRETEA
>> init_sam_from_ldap: Failed to find Unix account for H9101201$
>> ldapsam_getsampwnam: init_sam_from_ldap failed for user 'H9101201$'!
>> ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user
>> information for 'H9101201$', (-1073741724,No such user)
>>    File "/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
>> line 175, in _run
>>      return self.run(*args, **kwargs)
>>    File "/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line
>> 1318, in run
>>      useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>    File "/samba/lib64/python2.6/site-packages/samba/upgrade.py", line 694,
>> in upgrade_from_samba3
>>      user = s3db.getsampwnam(username)
>>
>> the LDIF snippet for a machine account is:
>>
>> dn: uid=H9101200,ou=Computers,dc=aviamotors,dc=ro
>> displayName: Machine
>> objectClass: sambaSamAccount
>> objectClass: account
>> sambaAcctFlags: [W ]
>> sambaSID: S-1-5-21-3911796660-3176143098-666610135-9999
>> uid: H9101200
>> sambaNTPassword: ****************************
>> sambaPwdLastSet: 1257150878
>>
>> What am I missing here?
>>
>> --
>> ___________________________________________________
>> Cu stima/Best regards/Mit freundlichen Grüßen,
>>
>> Chirana-Gheorghita Eugeniu-Theodor
>> Bucharest, Romania
>>
>> e-mail : office at adaptcom.ro
>> mobile: 0743 698721
>>              0747 447675
>>
>
>
You need to posixify your accounts, including the machine accounts,
which translates into adding the posixAccount objectclass to them,
together with some "must" attributes of it (e.g. uidNumber).

Regards

Geza Gemes
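
An added example, not part of the original message or of Samba's own tooling: a small Python script that scans an LDIF export for sambaSamAccount entries lacking posixAccount and builds the ldapmodify change records that add the class with its RFC 2307 "must" attributes (cn, uid, uidNumber, gidNumber, homeDirectory). The sample LDIF is constructed, and the starting uidNumber, the gidNumber and the homeDirectory value are assumed site choices.

```python
# SAMPLE_LDIF is constructed and abbreviated; entry 1 mirrors the thread's machine account.
SAMPLE_LDIF = """\
dn: uid=H9101200$,ou=Computers,dc=aviamotors,dc=ro
objectClass: sambaSamAccount
objectClass: account
sambaAcctFlags: [W ]
uid: H9101200$

dn: uid=catalin,ou=Users,dc=aviamotors,dc=ro
objectClass: sambaSamAccount
objectClass: posixAccount
uid: catalin
uidNumber: 20000
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no folded lines) into (dn, attrs)."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key.lower() == "dn":
                dn = value
            elif value:
                attrs.setdefault(key.lower(), []).append(value)
        if dn:
            entries.append((dn, attrs))
    return entries

def posixify(entries, first_uid=20000, gid=515):
    """Build modify records; first_uid and gid are assumed site values."""
    used = {int(v) for _, a in entries for v in a.get("uidnumber", [])}
    changes, next_uid = [], first_uid
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "sambasamaccount" not in classes or "posixaccount" in classes:
            continue
        while next_uid in used:              # never reuse an allocated uidNumber
            next_uid += 1
        used.add(next_uid)
        must = {"cn": attrs["uid"][0], "uidNumber": next_uid,
                "gidNumber": gid, "homeDirectory": "/dev/null"}
        rec = [f"dn: {dn}", "changetype: modify",
               "add: objectClass", "objectClass: posixAccount", "-"]
        for name, value in must.items():
            if name.lower() not in attrs:    # keep attributes already present
                rec += [f"add: {name}", f"{name}: {value}", "-"]
        changes.append("\n".join(rec) + "\n")
    return changes
```

Review the generated records before loading them with ldapmodify, and rerun `getent passwd` for a machine account afterwards to confirm that nsswitch now resolves it.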

