[Samba] [PATCH] Re: Changing administrator password after Samba4 classic upgrade

Mario Codeniera mario.codeniera at gmail.com
Thu Jan 10 21:46:07 MST 2013

Hi Andrew,

Sorry for the late response; it took me a while to figure out the internal DNS.

For your queries, these are the concerns/issues:

For your testing domain or configuration:
 - What was working
I ran the classic upgrade smoothly on a new server (running CentOS 6.3
with OpenLDAP 2.4, before migrating to Samba4 from CentOS 5.5 and
Samba 3.3.10 with OpenLDAP 2.3.43 as the backend).

I copied the backup ldif (from the production server) to the new server
(testing domain) and loaded it into the new LDAP server:
    $ sudo slapadd -c -l thebackup.ldif
Meaning I have a fully running OpenLDAP 2.4, which I used to
configure some files like nslcd.conf, pam_ldap.conf, and ldap.conf.
I used the following commands to check:
    $ getent group
    $ getent passwd
If these display the groups and the users from the LDAP database, I can
successfully migrate it to Samba4.
Based on my test, if there is no output from the LDAP, I can't proceed
to classicupgrade.

I hope someone can give more insights: whether there is no need to change the
configurations stated above, or maybe there is a shortcut for what I am doing.
As far as I understand, "samba-tool domain classicupgrade" needs to have LDAP
running, and those configurations are needed in order to run the LDAP properly.
That's why you still need to run the LDAP when issuing the classicupgrade.

The patch you gave was working fine, and even without adding the patch;
probably I just made some mistakes before, especially on the users and groups
in the database.

Then I copied the tdb files to the new server, and in my case it generated an
error on secrets.tdb, so what I did was issue the commands
    $ sudo /usr/local/samba/bin/smbpasswd -w xxx -c
    $ cp /var/lib/samba/private/secrets.tdb    /tmp/livedata/samba
        assume xxx is the password and /tmp/livedata/samba is where your tdb
files are also located.

Then I ran the classicupgrade, but modified/deleted some users and groups that
conflicted or were not recognised by "samba-tool domain classicupgrade",
based on its output.

 - What was not working
Some suggested there is NO need to configure nslcd.conf, pam_ldap.conf, and
ldap.conf (locally connected) to the LDAP server.
But in my case it doesn't work if I don't change them; in short, I can't
upgrade to Samba4 using the classicupgrade command.

Not able to test a client from production that doesn't need to re-authenticate
(re-connecting to the Samba4 domain from Samba3).

 - What you changed
I retained the SID, meaning I just copied the SID from the production
domain; my assumption was that the existing machines in the LDAP database
would be automatically connected without re-authentication.
    $ net setlocalsid zzz
    where zzz is the SID

Modified users and groups in the LDAP server:
    Deleted the 'Everyone' group
    Changed the SID of user uid=administrator from 20001 to 500
    Deleted the group list of "Administrators" and added from the list of
"Administrators" zzz-512
        where zzz is the SID
    Removed oneGroup, an uncommon or custom-made group

 - What is now working
Works fine, no problems encountered yet (because not yet connected to the

For your attempt to apply this to your production domain:
 - What is working
So far, as I am mimicking the testing domain, no problems encountered in
migration or in running the "classicupgrade" command.

 - What is not working
As I observed, the internal DNS is having the problem, especially once the
IP address changes, because I am only using DHCP.

Not authororitative for 'aaaa.bbbb', forwarding
RuntimeError: kinit for xxx$@yyy failed (Cannot contact any KDC for
requested realm)
../source4/dsdb/dns/dns_update.c294: Failed DNS update -

 - What was working but is now not working
 Nothing so far.

 - What you have attempted to do to fix it
 As the internal DNS was having the problems, what I did was re-run
"samba-tool domain classicupgrade" from scratch, which solved the problems,
 but so far on the trial of connecting the 2 actual clients for testing
purposes (that don't need to re-authenticate); if that will be the case, there
is lots of work to do.

My question:
How am I able to change the internal DNS server IP? I think it is not using
localhost nor


Mario Codeniera

On Fri, Jan 4, 2013 at 5:46 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Fri, 2013-01-04 at 14:09 +1300, Mario Codeniera wrote:
> > Thanks so much Andrew, it is working fine.
> >
> > But when I tried to reinstall and recompile without removing the 'root'
> > account from the OpenLDAP, it doesn't have an error (just out of
> > curiosity), and the root account password is also the administrator
> > password after migration.
> >
> > I am in the process of connecting it to the real machine which was
> > previously connected with the DC-Samba3; there seems to be some problem,
> > but I have to re-investigate the cause, maybe DNS et al. I don't want to
> > re-connect (re-establish) it to the Samba4, because I retained the SID of
> > Samba4 from Samba3.
> >
> > I was able to connect a new machine, but machines after migration (samba3
> > machines) were at first able to connect because you are able to login.
> > But after it you can't see it; I even tried the administration tools.
> > Again, as said in the previous paragraph, I need to check other causes.
> Mario,
> I'm really sorry, but I've tried a couple of times to make sense of what
> you have written above, but I just can't.
> Please can you clearly state:
> For your testing domain or configuration:
>  - What was working
>  - What was not working
>  - What you changed
>  - What is now working
> For your attempt to apply this to your production domain:
>  - What is working
>  - What is not working
>  - What was working but is now not working
>  - What you have attempted to do to fix it
> Thanks,
> Andrew Bartlett
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
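One way to do, as a script, the pre-flight check the email above performs by hand (finding users and groups whose SIDs conflict with each other or don't fit the retained domain SID before "samba-tool domain classicupgrade" is run). This is an added example and is not part of this thread or of Samba's own tooling. The LDIF below is a constructed fragment of a Samba 3 / OpenLDAP backup, the domain SID in it is a placeholder, and the expected RIDs (500 for the Administrator user, 512 for the "Administrators" group) are taken from the changes the email describes; the attribute names sambaSID, sambaSamAccount, sambaGroupMapping and sambaDomain are the Samba 3 LDAP schema's.

```python
import base64
import re
from collections import defaultdict

# Constructed sample of a Samba 3 LDAP backup in LDIF form (not a real dump).
# S-1-5-21-1111-2222-3333 is a placeholder for the production domain SID.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-1111-2222-3333

dn: uid=administrator,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: administrator
sambaSID: S-1-5-21-1111-2222-3333-20001

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1111-2222-3333-1002

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-9999-8888-7777-1003

dn: cn=Administrators,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Administrators
sambaSID: S-1-5-21-1111-2222-3333-1002

dn: cn=Everyone,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Everyone
sambaSID: S-1-1-0
"""

# Expected RIDs, mirroring the manual edits described in the email (assumption).
EXPECTED_RIDS = {
    ("user", "administrator"): 500,
    ("group", "administrators"): 512,
}


def parse_ldif(text):
    """Minimal LDIF parser: returns a list of (dn, {attribute: [values]}).
    Handles folded lines (continuation lines start with a space) and
    base64-encoded values (written with '::')."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)  # join folded continuation lines
    for block in unfolded.split("\n\n"):
        attrs = defaultdict(list)
        dn = None
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, sep, rest = line.partition(":")
            if not sep:
                continue
            if rest.startswith(":"):  # 'attr:: <base64>'
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn is not None:
            entries.append((dn, dict(attrs)))
    return entries


def check_sids(entries, domain_sid=None):
    """Return a list of (dn, finding, detail) for SID problems that a
    classicupgrade would trip over: SIDs outside the domain, duplicate SIDs,
    and well-known accounts carrying an unexpected RID."""
    findings = []
    if domain_sid is None:  # take the domain SID from the sambaDomain entry
        for _dn, attrs in entries:
            if "sambaDomain" in attrs.get("objectClass", []):
                domain_sid = attrs["sambaSID"][0]
    if domain_sid is None:
        raise ValueError("no sambaDomain entry found and no domain_sid given")
    seen = {}  # sambaSID -> first dn that used it
    for dn, attrs in entries:
        classes = attrs.get("objectClass", [])
        if "sambaSamAccount" in classes:
            kind, name = "user", attrs.get("uid", ["?"])[0]
        elif "sambaGroupMapping" in classes:
            kind, name = "group", attrs.get("cn", ["?"])[0]
        else:
            continue  # domain object, plain posix entries, etc.
        for sid in attrs.get("sambaSID", []):
            if sid in seen:
                findings.append((dn, "duplicate-sid", f"{sid} already used by {seen[sid]}"))
            else:
                seen[sid] = dn
            if not sid.startswith(domain_sid + "-"):
                # covers both foreign domain SIDs and well-known SIDs like S-1-1-0
                findings.append((dn, "outside-domain", sid))
                continue
            rid = int(sid.rsplit("-", 1)[1])
            expected = EXPECTED_RIDS.get((kind, name.lower()))
            if expected is not None and rid != expected:
                findings.append((dn, "unexpected-rid", f"RID {rid}, expected {expected}"))
    return findings


if __name__ == "__main__":
    for dn, finding, detail in check_sids(parse_ldif(SAMPLE_LDIF)):
        print(f"{finding:15} {dn}: {detail}")
```

Run it against a real backup with `parse_ldif(open("thebackup.ldif").read())`; the findings correspond to the three kinds of manual fix the email lists (the Administrator RID, the "Administrators" group SID, and groups such as 'Everyone' that carry a SID outside the domain), so they can be reviewed before slapadd and classicupgrade rather than discovered from classicupgrade's output.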
