[Samba] samba-tool domain classicupgrade with LDAP backend

Juan Asensio Sánchez okelet at gmail.com
Thu Jan 3 03:02:05 MST 2013


Hi

I am testing the migration from our actual Samba domain, based on Samba
3.3.8 and LDAP (389DS) to Samba 4. I have followed the Samba4 Howto, and I
have successfully compiled it. Now I am running the classicupgrade command,
but I am getting some errors.

The first of them is that the script is ignoring the "ldap group suffix"
parameter in smb.conf, and is always searching in the "ldap suffix".
Because our LDAP database is very big, the script is getting a timeout as
all groups are not received in time. I have changed the timeout and
timelimit values in ldap.conf to 300, but they are also being ignored. This
is the output of the script:

[root@samba4 ~]# samba-tool domain classicupgrade ~/sambav3/smb.conf --dbdir ~/sambav3/private --realm XXXXXXXXXX.TEST
Reading smb.conf
Processing section "[netlogon]"
Processing section "[unixscripts]"
Provisioning
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXX.SACYL))]
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: XXXXXXXXXX$
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXX.SACYL))]
smbldap_open_connection: connection opened
Exporting account policy
Exporting groups
ldapsam_setsamgrent: LDAP search failed: Timed out
ldapsam_enum_group_mapping: Unable to open passdb
ERROR(<class 'passdb.error'>): uncaught exception - Unable to enumerate
group mappings, (-1073741790,Access denied)
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line
1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py",
line 635, in upgrade_from_samba3
    grouplist = s3db.enum_group_mapping()


And this is the LDAP access log:

[03/Jan/2013:10:58:01 +0100] conn=24304 op=13 SRCH
base="dc=XXXXXXXXXX,dc=XX" scope=2 filter="(objectClass=sambaGroupMapping)"
attrs="gidNumber sambaSID sambaGroupType sambaSIDList description
displayName cn objectClass"
[03/Jan/2013:10:58:16 +0100] conn=24304 op=14 UNBIND
[03/Jan/2013:10:58:16 +0100] conn=24304 op=14 fd=73 closed - U1

dc=XXXXXXXXXX,dc=XX is our "ldap suffix", not our "ldap group suffix", as
it should be. Any ideas how to fix these problems and continue with the tests?

Regards and thanks in advance,
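
A small diagnostic for the symptom reported in the message above, as an added example that is not part of the original post and is not Samba code: it derives the group base DN that "ldap group suffix" implies (a partial DN prepended to "ldap suffix") and checks 389DS access-log SRCH lines for sambaGroupMapping against it, timing each search until the next event on the same connection. The smb.conf values and DNs are constructed placeholders, the log lines are assumed to be unwrapped (one event per line), and the function names are hypothetical.

```python
import re
from datetime import datetime
# Constructed sample data modelled on the post; the DNs are placeholders.
SMB_CONF = "[global]\n  ldap suffix = dc=example,dc=test\n  ldap group suffix = ou=Groups\n"
ACCESS_LOG = """\
[03/Jan/2013:10:58:01 +0100] conn=24304 op=13 SRCH base="dc=example,dc=test" scope=2 filter="(objectClass=sambaGroupMapping)" attrs="gidNumber sambaSID"
[03/Jan/2013:10:58:16 +0100] conn=24304 op=14 UNBIND
[03/Jan/2013:10:58:16 +0100] conn=24304 op=14 fd=73 closed - U1
"""

LINE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=-?\d+ (?P<rest>.*)$')
SRCH = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')

def smb_param(conf, name):
    """Look up an smb.conf parameter; names ignore case and whitespace."""
    want = "".join(name.split()).lower()
    for line in conf.splitlines():
        key, sep, value = line.partition("=")
        if sep and "".join(key.split()).lower() == want:
            return value.strip()
    return None

def expected_group_base(conf):
    """'ldap group suffix' is a partial DN prepended to 'ldap suffix'."""
    suffix = smb_param(conf, "ldap suffix")
    group = smb_param(conf, "ldap group suffix")
    return f"{group},{suffix}" if group else suffix

def norm_dn(dn):  # simplified: ignores escaped commas inside RDN values
    return ",".join(part.strip().lower() for part in dn.split(","))

def audit_group_searches(log, expected_base):
    """Flag sambaGroupMapping searches; time each to the next event on its connection."""
    findings, pending = [], {}
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["conn"] in pending:
            start, finding = pending.pop(m["conn"])
            finding["wait_seconds"] = (ts - start).total_seconds()
        s = SRCH.match(m["rest"])
        if s and "sambagroupmapping" in s["filter"].lower():
            finding = {"conn": m["conn"], "base": s["base"], "scope": int(s["scope"]),
                       "base_ok": norm_dn(s["base"]) == norm_dn(expected_base), "wait_seconds": None}
            findings.append(finding)
            pending[m["conn"]] = (ts, finding)
    return findings
```

Calling audit_group_searches(ACCESS_LOG, expected_group_base(SMB_CONF)) on the sample reports one subtree search whose base is the whole suffix rather than the group container, with the connection unbinding 15 seconds later.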

