[Samba] samba-tool domain classicupgrade with LDAP backend

Juan Asensio Sánchez okelet at gmail.com
Thu Jan 3 04:52:39 MST 2013


Hi again

Well, I finally got it by adding "ldap timeout" to smb.conf. Now I am getting
another error when running the domain classicupgrade command of samba-tool:

...
init_sam_from_ldap: Entry found for user: XXXXXXXX
init_sam_from_ldap: Entry found for user: XXXXXXXX$
Next rid = 12801001
Failed to connect to ldap URL 'ldap://XXXXXXX.XXXXXXX.XX' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://XXXXXXX.XXXXXXX.XX' with backend 'ldap': (null)
Could not open ldb connection to ldap://XXXXXXX.XXXXXXX.XX, the error message is: (1, None)
Exporting posix attributes
ERROR(<type 'exceptions.UnboundLocalError'>): uncaught exception - local variable 'ldb_object' referenced before assignment
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line 800, in upgrade_from_samba3
    homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "homeDirectory")


I don't understand why the NT_STATUS_BAD_NETWORK_NAME error is thrown; I
can ping and telnet to the server XXXXXXX.XXXXXXX.XX on port 389 (previously
it was on port 636 and ldaps, but I changed it to ldap and 389 to try to avoid
the error); indeed, the script has obtained all groups and users
previously...

Any ideas?




2013/1/3 Juan Asensio Sánchez <okelet at gmail.com>

> Hi
>
> I am testing the migration from our current Samba domain, based on Samba
> 3.3.8 and LDAP (389DS) to Samba 4. I have followed the Samba4 Howto, and
> I have successfully compiled it. Now I am running the classicupgrade
> command, but I am getting some errors.
>
> The first of them is that the script is ignoring the "ldap group suffix"
> parameter in smb.conf, and is always searching in the "ldap suffix".
> Because our LDAP database is very big, the script is getting a timeout as
> all groups are not received in time. I have changed the timeout and
> timelimit values in ldap.conf to 300, but they are also being ignored. This
> is the output of the script:
>
> [root@samba4 ~]# samba-tool domain classicupgrade ~/sambav3/smb.conf --dbdir ~/sambav3/private --realm XXXXXXXXXX.TEST
> Reading smb.conf
> Processing section "[netlogon]"
> Processing section "[unixscripts]"
> Provisioning
> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXX.SACYL))]
> smbldap_open_connection: connection opened
> init_sam_from_ldap: Entry found for user: XXXXXXXXXX$
> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXX.SACYL))]
> smbldap_open_connection: connection opened
> Exporting account policy
> Exporting groups
> ldapsam_setsamgrent: LDAP search failed: Timed out
> ldapsam_enum_group_mapping: Unable to open passdb
> ERROR(<class 'passdb.error'>): uncaught exception - Unable to enumerate group mappings, (-1073741790,Access denied)
>   File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line 635, in upgrade_from_samba3
>     grouplist = s3db.enum_group_mapping()
>
>
> And this is the LDAP access log:
>
> [03/Jan/2013:10:58:01 +0100] conn=24304 op=13 SRCH base="dc=XXXXXXXXXX,dc=XX" scope=2 filter="(objectClass=sambaGroupMapping)" attrs="gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass"
> [03/Jan/2013:10:58:16 +0100] conn=24304 op=14 UNBIND
> [03/Jan/2013:10:58:16 +0100] conn=24304 op=14 fd=73 closed - U1
>
> dc=XXXXXXXXXX,dc=XX is our "ldap suffix", not our "ldap group suffix", as
> it should be. Any ideas how to fix these problems and continue with the tests?
>
> Regards and thanks in advance,
>
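
The 389DS access-log excerpt quoted in the message can be checked mechanically. The following Python script is an added example, not part of the original message and not Samba or 389DS code: it pairs each SRCH with its RESULT and reports searches that were still unanswered when the client unbound, with their base, scope and wait time. The function name and the `EXPECTED_GROUP_BASE` value are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed input: the three 389DS access-log records quoted in the message,
# unwrapped to one record per line.
SAMPLE_LOG = """\
[03/Jan/2013:10:58:01 +0100] conn=24304 op=13 SRCH base="dc=XXXXXXXXXX,dc=XX" scope=2 filter="(objectClass=sambaGroupMapping)" attrs="gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass"
[03/Jan/2013:10:58:16 +0100] conn=24304 op=14 UNBIND
[03/Jan/2013:10:58:16 +0100] conn=24304 op=14 fd=73 closed - U1
"""
# Hypothetical value: the message does not give the real "ldap group suffix".
EXPECTED_GROUP_BASE = "ou=Groups,dc=XXXXXXXXXX,dc=XX"

RECORD = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
SEARCH = re.compile(r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
SCOPES = {"0": "base", "1": "onelevel", "2": "subtree"}

def abandoned_searches(log_text, expected_base=None):
    """Return searches still unanswered (no RESULT) when the client unbound or the connection closed."""
    pending, findings = {}, []            # pending: (conn, op) -> search details
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        if not rec:
            continue
        when = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        conn, op, rest = rec["conn"], rec["op"], rec["rest"]
        srch = SEARCH.match(rest)
        if srch:
            pending[(conn, op)] = {"conn": conn, "op": op, "start": when, "base": srch["base"],
                                   "scope": SCOPES.get(srch["scope"], srch["scope"]),
                                   "filter": srch["filter"]}
        elif rest.startswith("RESULT"):
            pending.pop((conn, op), None)  # answered in time, not a finding
        elif rest.startswith("UNBIND") or " closed" in rest:
            for key in [k for k in pending if k[0] == conn]:
                item = pending.pop(key)
                item["waited_s"] = (when - item["start"]).total_seconds()
                item["base_mismatch"] = (expected_base is not None
                                         and item["base"].lower() != expected_base.lower())
                findings.append(item)
    return findings

if __name__ == "__main__":
    for f in abandoned_searches(SAMPLE_LOG, EXPECTED_GROUP_BASE):
        print("conn=%(conn)s op=%(op)s base=%(base)s scope=%(scope)s "
              "waited=%(waited_s).0fs base_mismatch=%(base_mismatch)s" % f)
```

On the quoted records it reports one subtree search rooted at the "ldap suffix" that waited 15 seconds with no RESULT before the UNBIND.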

