[Samba] samba-tool domain classicupgrade with LDAP backend
Juan Asensio Sánchez
okelet at gmail.com
Fri Jan 4 00:57:20 MST 2013
I forgot to explain my scenario... I have one Samba3 test-production with
LDAP backend (it's a test server, but used intensively), so to make the
tests I created a new virtual machine in a separated/isolated network. This
is a clean CentOS 6.3 machine, just installed the compile dependencies and
then compile and install Samba; I didn't modify resolv.conf, neither
nscd.conf, so the name resolution is using an "official" DNS server. After
posting the message, I continued investigating and I found this message
where the user reports the same problem than me. The solution there is to
use the IP address instead of the DNS name, and he says that the problem
can be due to his configuration, but I have the same problem... so I could
think this is bug, not a server configuration problem I can connect
perfectly to the LDAP server, use ldapsearch command, etc. Indeed, the
script retrieves correctly the users, but only fails when exporting the
The problem with us about "ldap group suffix" is that our LDAP has multiple
organizations, each one with their own users and groups:
- - ou=People,o=suborg1,dc=myorg,dc=es
- - ou=Groups,o=suborg1,dc=myorg,dc=es
- - ou=People,o=suborg2,dc=myorg,dc=es
- - ou=Groups,o=suborg2,dc=myorg,dc=es
So, in our Samba3 configuration we have "ldap suffix" to "dc=myorg,dc=es"
but "ldap group suffix" to "ou=Groups,o=suborg1" (for the Samba3 domain
controller for suborg1; each suborganization has its own domain under its
tree and its own domain controller using that domain). Then, all users
(from any suborganization) can login in any organization/domain/domain
controller (we have resolved the problem with SIDs from one domain to
another using a plugin in the 389DS LDAP server).
Our target (is and here comes my big doubt) is to configure Samba4 to host
multiple domains under the same forest, replicating our current environment
and stablishing trust relationships between the domains. Is this possible?
How should I do it?
Regards again, and thanks for your help.
2013/1/4 Andrew Bartlett <abartlet at samba.org>
> On Thu, 2013-01-03 at 12:52 +0100, Juan Asensio Sánchez wrote:
> > Hi again
> > Well, finally I got it, adding "ldap timeout" to smb.conf.
> Good. The 'ldap suffix' is used because while we write new groups under
> 'ldap group suffix' we always search under 'ldap suffix' for all
> objects. That is, it is a default, not a restriction.
> This hasn't changed in a number of releases, and the 'passdb' code used
> as the upgrade source is actually the same code that powers the classic
> DC implementation.
> > Now I am getting
> > another error when running the domain classicupgrade command of
> > ...
> > init_sam_from_ldap: Entry found for user: XXXXXXXX
> > init_sam_from_ldap: Entry found for user: XXXXXXXX$
> > Next rid = 12801001
> > Failed to connect to ldap URL 'ldap://XXXXXXX.XXXXXXX.XX' - LDAP client
> > internal error: NT_STATUS_BAD_NETWORK_NAME
> > Failed to connect to 'ldap://XXXXXXX.XXXXXXX.XX' with backend 'ldap':
> > Could not open ldb connection to ldap://XXXXXXX.XXXXXXX.XX, the error
> > message is: (1, None)
> > Exporting posix attributes
> > ERROR(<type 'exceptions.UnboundLocalError'>): uncaught exception - local
> > variable 'ldb_object' referenced before assignment
> > File
> > "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
> > line 175, in _run
> > return self.run(*args, **kwargs)
> > File
> > "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py",
> > 1318, in run
> > useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
> > File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py",
> > line 800, in upgrade_from_samba3
> > homes[username] = get_posix_attr_from_ldap_backend(logger,
> > base_dn, username, "homeDirectory")
> > I don't understand why the NT_STATUS_BAD_NETWORK_NAME error is thrown; I
> > can ping and telnet the server XXXXXXX.XXXXXXX.XX in port 389 (previously
> > it was on port 636 and ldaps, but changed to ldap and 389 to try to avoid
> > the error); indeed, the script has obtained all groups and users
> > previously...
> In this second stage of the migration, we use the ldb API and ldb's
> ildap driver (a new implementation of an LDAP client) to connect to the
> server. We do this in the hope of migrating some extra information that
> isn't available via passdb.
> ldb and the idlap driver does not read ldap.conf, nslcd.conf or PAM as
> Mario suggests, but I'm pretty sure it does use the 'name resolve order'
> from smb.conf, so perhaps restore that to the default value and try
> Andrew Bartlett
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
More information about the samba