[Samba] SAMBA4: pdbedit not changing SID

simon+samba at matthews.eu simon+samba at matthews.eu
Tue Apr 2 00:42:46 MDT 2013 


On Tue, 2 Apr 2013, Ricky Nance wrote:

> http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO<https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO>
> should
> help.

I have been following those instructions. I have a tdb backend, I am 
working on a VM that does not have SAMBA3 installed. The command:
# samba-tool user list
does not show my users.

Interestingly, the groups seem to be there. If I use
# samba-tool group list
I see the expected groups.

Simon



>
> Ricky
>
>
> On Tue, Apr 2, 2013 at 12:06 AM, Gémes Géza <geza at kzsdabas.hu> wrote:
>
>> 2013-04-02 05:35 keltezéssel, simon+samba at matthews.eu írta:
>>
>>
>>>
>>> On Mon, 1 Apr 2013, simon+samba at matthews.eu wrote:
>>>
>>>
>>>> On Tue, 2 Apr 2013, Andrew Bartlett wrote:
>>>>
>>>>    On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:
>>>>>>   2013-04-01 02:36 keltezéssel, simon+samba at matthews.eu írta:
>>>>>>>   Since I don't seem to be having any luck with the classicupgrade,
>>>>> I > >   decided to try starting from scratch and then adding users.
>>>>>>>>>   I ran the command:
>>>>>>>   /usr/local/samba/bin/samba-**tool domain provision --realm=<my
>>>>> realm> \ > > --domain=<mydomain> --adminpass 'mypass' --server-role=dc  \
>>>>>>>   --dns-backend=BIND9_DLZ
>>>>>>>>>   Then I tried both adding and changing users. In neither case
>>>>> can I > >   change the SID with pdbedit. It seems to be added with a > >
>>>>> system-defined SID, irrespective of what I specify. pdbedit -v is > >
>>>>> able to list the user's parameters, including the SID.
>>>>>>>>>   Any suggestions? I am pretty much stuck here trying to figure
>>>>> out how > >   to migrate from an existing SAMBA3 domain to SAMBA4.
>>>>>>>>>>   Hi,
>>>>>>>   Trying to add users one by one (preserving SID) is IMHO a lot
>>>>> harder >   (you would probably need to ldbmodify the user record of each
>>>>> one) to >   do, than fixing your samba3 install to have it classicupgraded.
>>>>>
>>>>>   Indeed.  The only way to safely import a list of users who already
>>>>> have
>>>>>   SIDs is to migrate them to Samba 4.0's AD DC using one of the
>>>>> supported
>>>>>   migration tools.
>>>>>
>>>>>   These are 'samba-tool domain join dc' and 'samba-tool domain
>>>>>   classicupgrade'.
>>>>>
>>>>
>>>> Perhaps I need to address why the "classicupgrade" did not work. I see
>>>> now that I did not pass the --dbdir option when running it before. I'll try
>>>> again.
>>>>
>>>>
>>> I went back to trying to get the classicupgrade to work:
>>> /usr/local/samba/bin/samba-**tool domain classicupgrade  \
>>> --dbdir=/var/lib/samba/ --dbdir=/var/lib/samba/ --realm=a.b  \
>>> /etc/samba/smb.conf --use-xattrs=yes
>>>
>>> For the realm, I used a subdomain of one of the two existing dns domains
>>> in the LAN. It appears to be processing the information from the old domain
>>> tdb files, although I see some errors:
>>> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
>>> Importing groups
>>> Could not add group name=Remote Desktop Users ((68, "samldb: Account name
>>> (sAMAccountName) 'Remote Desktop Users' already in use!"))
>>> Could not modify AD idmap entry for sid=S-1-5-21-4254857281-**3346836279-4152649156-555,
>>> id=5077, type=ID_TYPE_GID ((32, "Base-DN '<SID=S-1-5-21-4254857281-**3346836279-4152649156-555>'
>>> not found"))
>>> Could not add posix attrs for AD entry for sid=S-1-5-21-4254857281-**3346836279-4152649156-555,
>>> ((32, "Base-DN '<SID=S-1-5-21-4254857281-**3346836279-4152649156-555>'
>>> not found"))
>>> Group already exists sid=S-1-5-21-4254857281-**3346836279-4152649156-512,
>>> groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
>>>
>>> However, after this, all I get from pdbedit -L is:
>>> # pdbedit -L
>>> RAIDSERVER$:4294967295:
>>> Administrator:4294967295:
>>> [root at samba ~]# pdbedit -L
>>> RAIDSERVER$:4294967295:
>>> Administrator:4294967295:
>>> krbtgt:4294967295:--dbdir=/**var/lib/samba/ --realm=a.b
>>> /etc/samba/smb.confnobody:99:**Nobody
>>>
>>> Any ideas? What information might help debug this?
>>>
>>> Simon
>>>
>>>
>>>  Could this happen because pdbedit is from the samba3 install?
>>
>> I recommend doing upgrade on a new box/virtual machine where no samba3 is
>> installed, and copying the tdb files to the new box.
>>
>> Regards
>>
>> Geza Gemes
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/**mailman/options/samba<https://lists.samba.org/mailman/options/samba>
>>
>
>
>
> --
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

More information about the samba mailing list