[Samba] Classic Upgrade: Unable to enumerate group memberships
Jason MacChesney
jason.macchesney at ecacs16.ab.ca
Mon Aug 12 08:57:49 MDT 2013
Hello. I'm using Version 4.0.8-SerNet-Ubuntu-5.precise (Also, a heads up on
this release; the folder /var/run/samba must be created upon reboot. When
starting Samba I get this error:
ERROR: can't open /var/run/samba/samba.pid: Error was No such file or
directory)
So anyway, I'm trying to do a classic upgrade/migration in order to
preserve authentication information on a new domain. After rsyncing the
required files over and downloading samba4, I execute this command:
samba-tool domain classicupgrade --dbdir=samba --use-xattrs=yes --realm=[domain_name_of_samba3] smb.conf
Reading smb.conf
Provisioning
Exporting account policy
Exporting groups
Ignoring group 'Domain Admins' S-1-5-21-2050790810-484269470-3964389469-1001 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Students' S-1-5-21-2050790810-484269470-3964389469-1045 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'exams' S-1-5-21-2050790810-484269470-3964389469-1374 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Teachers' S-1-5-21-2050790810-484269470-3964389469-1046 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Exporting users
Ignoring group memberships of 'PORTAGE-E49E7EA$' S-1-5-21-2050790810-484269470-3964389469-1158: Unable to enumerate group memberships, (-1073741724,No such user)
Ignoring group memberships of 'OUTREACH-04$' S-1-5-21-2050790810-484269470-3964389469-1036: Unable to enumerate group memberships, (-1073741724,No such user)
...over and over for each user. Then the usual provisioning info displays
and the AD is up and running, then this message:
DOMAIN SID: S-1-5-21-2050790810-484269470-3964389469
Importing WINS database
ERROR(ldb): uncaught exception - Entry name=OUTREACHLAB-07,type=0x20 already exists
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 860, in upgrade_from_samba3
    import_wins(Ldb(result.paths.winsdb), samba3_winsdb)
  File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 365, in import_wins
    "address": ips})
I've tried migrating the groups before/after/in between, according to this:
https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO#Migrating_Groups
Samba-tool seemed to be inconsistent in this regard, sometimes adding a
group without issue, sometimes failing due to a bad dn (possibly, I forget
the error.) Regardless, the users would never add to AD. So any direction
would be valued at this point.
Thanks!
(Here's the smb.conf I'm working with:)
[global]
## Browsing/Identification ###
netbios name = PROTEUS
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = BSO
# server string is the equivalent of the NT Description field
server string = %h server
# This gets rid of a bunch of stupid error messages in the logs
smb ports = 139
# Act as a time server
time server = yes
wins support = yes
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no
# What naming service and in what order should we use to resolve host names
# to IP addresses
; name resolve order = lmhosts host wins bcast
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#### Debugging/Accounting ####
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
server signing = auto
########## Domains ###########
domain logons = yes
logon path = \\%N\profiles\%U\%a
logon drive = H:
logon home = \\%N\%U
logon script = logon.cmd
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
delete user script = /usr/sbin/deluser --quiet %u
add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
add group script = /usr/sbin/addgroup --force-badname %g
delete group script = /usr/sbin/delgroup %g
add user to group script = /usr/sbin/groupmod -A %u %g
delete user from group script = /usr/sbin/groupmod -D %u %g
set primary group script = /usr/sbin/usermod -g %g %u
client ntlmv2 auth = yes
############ Misc ############
usershare allow guests = yes
#======================= Share Definitions =======================
[homes]
comment = Home Directories
browseable = no
inherit permissions = yes
inherit acls = yes
read only = no
create mask = 0750
directory mask = 0750
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server. Un-comment the following parameter
# to make sure that only "username" can connect to \\server\username
# This might need tweaking when using external authentication schemes
valid users = %S
invalid users =+exams
# Hide desktop.ini files to avoid notepad starting up at login:
hide files = /.*/RECYCLER/desktop.ini/Desktop.ini/Thumbs.db/
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon
browseable = no
read only = yes
guest ok = yes
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
[profiles]
comment = Users profiles
path = /srv/samba/profiles
browseable = no
guest ok = no
read only = no
create mask = 0600
directory mask = 0700
hide files = /.*/RECYCLER/desktop.ini/Desktop.ini/Thumbs.db/
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
[Vault]
comment = Backed-up user directories
path = /home
browseable = yes
read only = no
valid users = +users
invalid users = +exams
inherit permissions = yes
inherit acls = yes
hide files = /.*/RECYCLER/desktop.ini/Desktop.ini/Thumbs.db/
[Scratch]
comment = Scratch space
path = /scratch
browseable = yes
read only = no
valid users = +users
invalid users = +exams
inherit permissions = yes
inherit acls = yes
hide files = /.*/RECYCLER/desktop.ini/Desktop.ini/Thumbs.db/
[pde]
comment = Space for exam use
path = /home/pde
browseable = yes
read only = no
create mask = 0777
directory mask = 0777
valid users = +teachers +exams
inherit acls = yes
inherit permissions = yes
map acl inherit = yes
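
A triage helper for output like the above, as an added example that is not part of the original post or of Samba: it lists the groups and accounts the upgrade ignored, converts the signed status value to its NTSTATUS hex form, and flags shares whose "valid users" / "invalid users" name an ignored group. The function names are hypothetical, and matching domain group names to the "+group" Unix names case-insensitively is an assumption (the real group mapping may differ).

```python
import re

# Constructed sample: two entries copied from the post's output, mail-wrapped as quoted.
SAMPLE_LOG = """Ignoring group 'exams' S-1-5-21-2050790810-484269470-3964389469-1374 listed
but then not found: Unable to enumerate group members, (-1073741722,No such
group)
Ignoring group memberships of 'OUTREACH-04$'
S-1-5-21-2050790810-484269470-3964389469-1036: Unable to enumerate group
memberships, (-1073741724,No such user)"""
# Constructed sample: two share stanzas reduced from the post's smb.conf.
SAMPLE_CONF = "[homes]\nvalid users = %S\ninvalid users =+exams\n[pde]\nvalid users = +teachers +exams\n"

ENTRY = re.compile(
    r"Ignoring group(?P<member>\s+memberships\s+of)?\s+'(?P<name>[^']+)'\s+"
    r"(?P<sid>S-1-[\d-]+).*?\((?P<code>-?\d+),\s*(?P<msg>[^)]*)\)", re.S)

def skipped_principals(log_text):
    """One dict per group or account that the upgrade output reports as ignored."""
    return [{
        "kind": "account" if m["member"] else "group",
        "name": m["name"],
        "rid": int(m["sid"].rsplit("-", 1)[1]),
        "ntstatus": "0x%08X" % (int(m["code"]) & 0xFFFFFFFF),  # signed int -> NTSTATUS hex
        "reason": " ".join(m["msg"].split()),  # undo mail line wrapping
    } for m in ENTRY.finditer(log_text)]

def shares_depending_on(conf_text, group_names):
    """Map share -> [(option, group)] for valid/invalid users naming a skipped group."""
    wanted = {g.casefold() for g in group_names}
    hits, share = {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            share = line[1:-1]
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.split()).lower()
        if key not in ("valid users", "invalid users"):
            continue
        for tok in value.split():
            group = tok.lstrip("+&@")  # smb.conf group prefixes
            if tok != group and group.casefold() in wanted:
                hits.setdefault(share, []).append((key, group))
    return hits

if __name__ == "__main__":
    groups = [p["name"] for p in skipped_principals(SAMPLE_LOG) if p["kind"] == "group"]
    print(shares_depending_on(SAMPLE_CONF, groups))
```

Shares flagged this way are the ones to re-check after the upgrade, since their access rules reference groups whose membership was not carried over.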