[Samba] samba-tool classicupgrade throws uncaught exception

Scott Goodwin scott at mimicsimulation.com
Tue Aug 20 12:33:39 MDT 2013


Update:
Upon further investigation, the group with SID ending in -1057 is my Domain
Admins group, which is mapped to unix group "smbadmins".  SID ending in
-1066 (see my original posting) is Domain Users, which I have mapped to
unix group "users".
I suspect that if I remove these two mappings, the classic upgrade may
succeed, at which point I can re-add them.

Two things:
1) Is it a problem that my Domain Admins and Domain Users groups do not
have the standard NT4 domain suffixes? (I think Domain Admins typically ends
with -512. Can't remember what the suffix for Domain Users is, but it isn't
-1066.)
2) Is there a way to remove these mappings from the .tdb files I have
copied over to the new server?  I know I can remove the mapping from my old
server, then re-copy the tdb files over, then re-add the mapping on my
samba3 server, but the Domain Users mapping would impact users (I'm pretty
sure), and I want to avoid that if possible.  So, I'm hoping there is a way
to manually edit the tdb's in the test environment where my samba4 server
is, or some tool that can assist in such.


Thanks for any advice.


*Scott Goodwin*
IT Lead
Mimic Technologies, Inc
811 First Avenue, Suite 408  |  Seattle, WA 98104
phone: 1.800.918.1670  |  direct: 206.456.9180
fax: 206.623.3491  |  cell: 206.355.7767



On Mon, Aug 19, 2013 at 4:57 PM, Scott Goodwin <scott at mimicsimulation.com> wrote:

> Update: I realized shortly after I sent the email that because I don't use
> winbind, I can (and should) delete the file winbindd_idmap.tdb.
> So, the second error is now the stopper.  In essence, it's complaining
> that it can't find the user or group with sid ending in 1057.
>
> Adding users to groups
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: Could not add member 'S-1-5-21-XXXXXXXXXXXXXXXXXXX-1002'
> to group 'S-1-5-21-XXXXXXXXXXXXXXXXXXX-1057' as either group or user
> record doesn't exist: Base-DN '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXXX-1057>'
> not found
>    File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line 1318, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 913, in upgrade_from_samba3
>     add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 316, in add_users_to_group
>     raise ProvisioningError("Could not add member '%s' to group '%s' as
> either group or user record doesn't exist: %s" % (member_sid, group.sid,
> emsg))
>
>
>
> *Scott Goodwin*
> IT Lead
> Mimic Technologies, Inc
> 811 First Avenue, Suite 408  |  Seattle, WA 98104
> phone: 1.800.918.1670  |  direct: 206.456.9180
> fax: 206.623.3491  |  cell: 206.355.7767
>
>
>
> On Mon, Aug 19, 2013 at 3:01 PM, Scott Goodwin <scott at mimicsimulation.com> wrote:
>
>> I have a new server running CentOS 6.4 x64, which will serve as our new
>> Samba4 server. It is set up in a test environment, and I've copied over the
>> tdb files and the smb.conf file from our samba3 server (Same OS and
>> version).
>> I'm trying to do an in-place upgrade on the copied files, but keep
>> hitting an assert / uncaught exception during the upgrade:
>>
>> # /usr/local/samba/bin/samba-tool domain classicupgrade
>> --dbdir=/root/smb3 --use-xattrs=yes --realm=MYDOMAIN.COM --verbose
>> /root/smb3/smb.conf
>>
>> Reading smb.conf
>> Provisioning
>> Exporting account policy
>> Exporting groups
>> Exporting users
>> Ignoring group memberships of 'testuser'
>> S-1-5-21-XXXXXXXXXXXXXXXXXX-1065: Unable to enumerate group memberships,
>> (-1073741724,No such user)
>>   Skipping wellknown rid=501 (for username=nobody)
>> Ignoring group memberships of 'TEST-PC$' S-1-5-21-XXXXXXXXXXXXXXXXXX-1097:
>> Unable to enumerate group memberships, (-1073741724,No such user)
>> Ignoring group memberships of 'testuser2' S-1-5-21-XXXXXXXXXXXXXXXXXX-1075:
>> Unable to enumerate group memberships, (-1073741724,No such user)
>> Next rid = 9001
>> Exporting posix attributes
>> Reading WINS database
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> No IPv6 address will be assigned
>> Setting up share.ldb
>> Setting up secrets.ldb
>> Setting up the registry
>> Setting up the privileges database
>> Setting up idmap db
>> Setting up SAM db
>> Setting up sam.ldb partitions and settings
>> Setting up sam.ldb rootDSE
>> Pre-loading the Samba 4 and AD schema
>> Adding DomainDN: DC=mydomain,DC=com
>> Adding configuration container
>> Setting up sam.ldb schema
>> Setting up sam.ldb configuration data
>> Setting up display specifiers
>> Modifying display specifiers
>> Adding users container
>> Modifying users container
>> Adding computers container
>> Modifying computers container
>> Setting up sam.ldb data
>> Setting up well known security principals
>> Setting up sam.ldb users and groups
>> Setting up self join
>> Setting acl on sysvol skipped
>> Adding DNS accounts
>> Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com
>> Creating DomainDnsZones and ForestDnsZones partitions
>> Populating DomainDnsZones and ForestDnsZones partitions
>> Setting up sam.ldb rootDSE marking as synchronized
>> Fixing provision GUIDs
>> A Kerberos configuration suitable for Samba 4 has been generated at
>> /usr/local/samba/private/krb5.conf
>> Setting up fake yp server settings
>> Once the above files are installed, your Samba4 server will be ready to
>> use
>> Server Role:           active directory domain controller
>> Hostname:              myserver
>> NetBIOS Domain:        MYDOMAIN
>> DNS Domain:            mydomain.com
>> DOMAIN SID:            S-1-5-21-XXXXXXXXXXXXXXXXXX
>> Importing WINS database
>> Importing Account policy
>> Importing idmap database
>> ERROR(assert): uncaught exception
>>   File
>> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
>> line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File
>> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
>> line 1318, in run
>>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
>> line 868, in upgrade_from_samba3
>>     import_idmap(result.idmap, samba3, logger)
>>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
>> line 214, in import_idmap
>>     samba3_idmap = samba3.get_idmap_db()
>>   File
>> "/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
>> line 402, in get_idmap_db
>>     return IdmapDatabase(self.statedir_path("winbindd_idmap.tdb"))
>>   File
>> "/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
>> line 59, in __init__
>>     self._check_version()
>>   File
>> "/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
>> line 142, in _check_version
>>     assert fetch_int32(self.tdb, "IDMAP_VERSION\0") == IDMAP_VERSION_V2
>>
>>
>> The error indicates an idmap problem, so on the advice of another poster, I
>> renamed my winbindd_idmap.tdb file, then tried again (after deleting the
>> generated tdb files and smb.conf).  This, however, caused another error:
>>
>> ...
>> ...
>> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
>> Importing groups
>> Could not add group name=Domain Admins ((68, "samldb: Account name
>> (sAMAccountName) 'Domain Admins' already in use!"))
>> Could not modify AD idmap entry for sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057,
>> id=502, type=ID_TYPE_GID ((32, "Base-DN
>> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found"))
>> Could not add posix attrs for AD entry for
>> sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057, ((32, "Base-DN
>> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found"))
>> Could not add group name=Domain Users ((68, "samldb: Account name
>> (sAMAccountName) 'Domain Users' already in use!"))
>> Could not modify AD idmap entry for sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066,
>> id=100, type=ID_TYPE_GID ((32, "Base-DN
>> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066>' not found"))
>> Could not add posix attrs for AD entry for
>> sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066, ((32, "Base-DN
>> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066>' not found"))
>> Importing users
>> User root has been kept in the directory, it should be removed in favour
>> of the Administrator user
>> Adding users to groups
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
>> ProvisioningError: Could not add member 'S-1-5-21-XXXXXXXXXXXXXXXXXX-1002'
>> to group 'S-1-5-21-XXXXXXXXXXXXXXXXXX-1057' as either group or user record
>> doesn't exist: Base-DN '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found
>>   File
>> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
>> line 175, in _run
>>     return self.run(*args, **kwargs)
>>   File
>> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
>> line 1318, in run
>>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
>> line 913, in upgrade_from_samba3
>>     add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
>>   File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
>> line 316, in add_users_to_group
>>     raise ProvisioningError("Could not add member '%s' to group '%s' as
>> either group or user record doesn't exist: %s" % (member_sid, group.sid,
>> emsg))
>>
>>
>> I'm wondering if my winbindd_idmap.tdb is invalid, as ldbdump
>> winbindd_idmap.tdb returns nothing, and the tdb file is only 696 bytes.  If
>> this is the issue, can I "rebuild it" on the samba3 server?
>>
>> Here's the global section of my smb.conf:
>>
>>         workgroup = MYDOMAIN
>>         netbios name = MYSERVER
>>         server string = "Samba4 AD"
>>         interfaces = 192.168.0.0/24
>>         bind interfaces only = Yes
>>         passdb backend = tdbsam
>>         username map = /etc/samba/smbusers
>>         admin users = scott
>>         wins support = Yes
>>         smb ports = 139
>>         time server = Yes
>>         client ntlmv2 auth = Yes
>>         log file = /var/log/samba/log.%m
>>         max log size = 1000
>>         debug uid = Yes
>>         deadtime = 15
>>         socket options = TCP_NODELAY IPTOS_LOWDELAY
>>         show add printer wizard = No
>>         load printers = no
>>         printing = bsd
>>         disable spoolss = yes
>>         printcap name = /dev/null
>>         printcap cache time = 0
>>         add user script = /usr/sbin/useradd -m -g users %u
>>         logon script = logon.bat
>>         logon path =
>>         logon drive = H:
>>         domain logons = Yes
>>         os level = 65
>>         preferred master = Yes
>>         domain master = Yes
>>         unix password sync = Yes
>>         passwd program = /usr/bin/passwd %u
>>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>> *passwd:*all*authentication*tokens*updated*successfully*
>>         pam password change = Yes
>>
>> Thanks ahead of time for any assistance, and if you need additional info,
>> let me know.
>>  --scott
>>
>
>
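Added example, not part of the original message or of Samba's code: a small triage script that correlates the three kinds of lines in the quoted classicupgrade output (group name collision, the idmap line naming the Samba 3 SID, and the later membership failure) to show which group mappings block the import. The function name `triage`, the sample text (constructed from lines quoted in this thread) and the RID table (512 and 513 are the well-known RIDs for Domain Admins and Domain Users) are assumptions of the example.

```python
import re

# Well-known RIDs of groups that AD provisioning creates before the import.
WELL_KNOWN_RIDS = {"Domain Admins": 512, "Domain Users": 513, "Domain Guests": 514}

# A name collision (LDAP error 68) followed by the idmap line naming the Samba 3 SID.
GROUP_RE = re.compile(
    r"Could not add group name=(?P<name>.+?) \(\(68,(?:(?!Could not add group ).)*?"
    r"Could not modify AD idmap entry for sid=(?P<sid>S-1-[\w-]+), id=(?P<gid>\d+)")
MEMBER_RE = re.compile(
    r"Could not add member '(?P<member>S-1-[\w-]+)' to group '(?P<group>S-1-[\w-]+)'")

def triage(log_text):
    """Return (skipped_groups, blocked_memberships) parsed from upgrade output."""
    text = re.sub(r"\s+", " ", log_text)  # undo mail/terminal line wrapping
    skipped = {}
    for m in GROUP_RE.finditer(text):
        skipped[m["sid"]] = {
            "name": m["name"],
            "rid": int(m["sid"].rsplit("-", 1)[1]),
            "unix_gid": int(m["gid"]),
            "expected_rid": WELL_KNOWN_RIDS.get(m["name"]),
        }
    # A membership add fails when its group SID was never created in sam.ldb.
    blocked = [(m["member"], m["group"], skipped.get(m["group"], {}).get("name"))
               for m in MEMBER_RE.finditer(text)]
    return skipped, blocked

# Constructed sample: lines taken from the output quoted in this thread,
# keeping the poster's redacted domain SID and the mail client's line wrapping.
D = "S-1-5-21-XXXXXXXXXXXXXXXXXX"
SAMPLE = f"""Importing groups
Could not add group name=Domain Admins ((68, "samldb: Account name
(sAMAccountName) 'Domain Admins' already in use!"))
Could not modify AD idmap entry for sid={D}-1057,
id=502, type=ID_TYPE_GID ((32, "Base-DN '<SID={D}-1057>' not found"))
Could not add group name=Domain Users ((68, "samldb: Account name
(sAMAccountName) 'Domain Users' already in use!"))
Could not modify AD idmap entry for sid={D}-1066,
id=100, type=ID_TYPE_GID ((32, "Base-DN '<SID={D}-1066>' not found"))
ProvisioningError: Could not add member '{D}-1002'
to group '{D}-1057' as either group or user record doesn't exist
"""

if __name__ == "__main__":
    groups, blocked = triage(SAMPLE)
    for sid, g in groups.items():
        print(f"{g['name']}: Samba 3 RID {g['rid']} (gid {g['unix_gid']}), AD RID {g['expected_rid']}")
    for member, group, name in blocked:
        print(f"member {member} blocked: group {group} ({name}) was not imported")
```

Feeding it the full `--verbose` output of a failed run lists every mapped group whose name collides with a group created during provisioning, together with the unix gid it was mapped to.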

