[Samba] samba-tool domain classicupgrade with LDAP backend

Andrew Bartlett abartlet at samba.org
Thu Jan 3 21:43:14 MST 2013

On Thu, 2013-01-03 at 12:52 +0100, Juan Asensio Sánchez wrote:
> Hi again
> Well, finally I got it, adding "ldap timeout" to smb.conf. 

Good.  The 'ldap suffix' is used because while we write new groups under
'ldap group suffix' we always search under 'ldap suffix' for all
objects.  That is, it is a default, not a restriction.

This hasn't changed in a number of releases, and the 'passdb' code used
as the upgrade source is actually the same code that powers the classic
DC implementation.  

> Now I am getting
> another error when running the domain classicupgrade command of samba-tool:

> ...
> init_sam_from_ldap: Entry found for user: XXXXXXXX
> init_sam_from_ldap: Entry found for user: XXXXXXXX$
> Next rid = 12801001
> Failed to connect to ldap URL 'ldap://XXXXXXX.XXXXXXX.XX' - LDAP client
> internal error: NT_STATUS_BAD_NETWORK_NAME
> Failed to connect to 'ldap://XXXXXXX.XXXXXXX.XX' with backend 'ldap': (null)
> Could not open ldb connection to ldap://XXXXXXX.XXXXXXX.XX, the error
> message is: (1, None)
> Exporting posix attributes
> ERROR(<type 'exceptions.UnboundLocalError'>): uncaught exception - local
> variable 'ldb_object' referenced before assignment
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line
> 1318, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py",
> line 800, in upgrade_from_samba3
>     homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object,
> base_dn, username, "homeDirectory")
>
> I don't understand why the NT_STATUS_BAD_NETWORK_NAME error is thrown; I
> can ping and telnet the server XXXXXXX.XXXXXXX.XX on port 389 (previously
> it was on port 636 and ldaps, but changed to ldap and 389 to try to avoid
> the error); indeed, the script has obtained all groups and users
> previously...

In this second stage of the migration, we use the ldb API and ldb's
ildap driver (a new implementation of an LDAP client) to connect to the
server.  We do this in the hope of migrating some extra information that
isn't available via passdb.  

ldb and the ildap driver do not read ldap.conf, nslcd.conf or PAM as
Mario suggests, but I'm pretty sure it does use the 'name resolve order'
from smb.conf, so perhaps restore that to the default value and try

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
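
An added example, not part of the original thread and not Samba's upgrade.py: the quoted traceback is the pattern where a failed backend connection is only logged and a later step then uses a handle that was never assigned, which hides the real cause behind an UnboundLocalError. All function names, the `connect`/`lookup` callables and the choice to skip the extra-attribute stage are assumptions made for illustration.

```python
# Added illustration: hypothetical names, not code from Samba's upgrade.py.

def export_homes_unguarded(url, usernames, connect, lookup):
    """Failure pattern: the connect error is printed, then execution continues."""
    try:
        conn = connect(url)
    except OSError as exc:
        print("Could not open connection to %s: %s" % (url, exc))
    homes = {}
    for name in usernames:
        # If connect() failed, 'conn' was never bound, so this line raises
        # UnboundLocalError and the connection failure is no longer the
        # error the operator sees last.
        homes[name] = lookup(conn, name, "homeDirectory")
    return homes


def export_homes_guarded(url, usernames, connect, lookup, warnings):
    """Bind the handle up front and skip the stage when the backend is missing."""
    conn = None
    try:
        conn = connect(url)
    except OSError as exc:
        warnings.append("backend %s unavailable (%s); POSIX attributes skipped"
                        % (url, exc))
    if conn is None:
        return {}
    homes = {}
    for name in usernames:
        value = lookup(conn, name, "homeDirectory")
        if value is not None:  # the attribute may be absent for an entry
            homes[name] = value
    return homes


# Constructed stand-ins for a directory client, so the example runs offline.
def failing_connect(url):
    raise OSError("name resolution failed")

def working_connect(url):
    return {"alice": {"homeDirectory": "/home/alice"}, "pc01$": {}}

def dict_lookup(conn, name, attr):
    return conn.get(name, {}).get(attr)


if __name__ == "__main__":
    notes = []
    url = "ldap://dc.example.test"  # constructed URL
    print(export_homes_guarded(url, ["alice"], failing_connect, dict_lookup, notes), notes)
    print(export_homes_guarded(url, ["alice", "pc01$"], working_connect, dict_lookup, notes))
```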
