[Samba] Samba 3 classicupgrade to Samba AD
Max Olivas
molivas at northglenn.org
Mon Jan 14 14:14:21 MST 2013
Hey All,
Thanks for the feedback. I've cleaned up my .tdb files some and have moved farther with the upgrade command but I'm still getting errors. This is what I'm getting now:
idmapping sid_to_xid failed for id[0]=S-1-5-32-544: NT_STATUS_NONE_MAPPED
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 1318, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py", line 926, in upgrade_from_samba3
result.names.domaindn, result.lp, use_ntvfs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1476, in setsysvolacl
setntacl(lp,sysvol, SYSVOL_ACL, str(domainsid), use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=s4_passdb)
File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 154, in setntacl
smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)
I see that SID is for the Administrators group, but I'm not sure what I need to do to it to complete the upgrade command without errors. Any help is much appreciated.
Thanks,
Max
>>> Andrew Bartlett <abartlet at samba.org> 1/4/2013 3:37 PM >>>
On Fri, 2013-01-04 at 15:24 -0500, Adam Tauno Williams wrote:
> On Fri, 2013-01-04 at 12:28 -0700, Max Olivas wrote:
> > Hey All,
> >
> > I have a Samba 3 PDC (Debian, Samba version 3.5.6 with NIS groups and no winbind) with about 300 users, 200 client PC's, 15 member servers (mixed Windows Server 2003/2008 and Samba 3), and I'm attempting the classicupgrade to Samba AD. To test I've created a new Ubuntu 12.04 LTS and followed the HOWTO, successfully creating a blank Samba AD and testing adding users/PC's and connecting with Windows AD tools. I then attempted the classicupgrade (rolled VM back and copied .tdb files and smb.conf from current PDC) but I'm getting several errors.
> > Importing groups
> > Importing users
> > Failed to create user record CN=watersan ,CN=Computers,DC=northglenn,DC=org: Entry CN=watersan,CN=Computers,DC=northglenn,DC=org already exists
> > ERROR(<class 'passdb.error'>): uncaught exception - Unable to add sam account 'watersan $', (-1073741725,User exists)
> > Hopefully someone sees something that I'm doing blatantly wrong and can point out my mistake. Thanks in advance for any help!
>
> I'd wager the error message is exact and meaningful - you have a
> duplicate sambaSID in your LDAPSAM. Also the machine account "watersan
> $" contains a space. That seems odd.
>
> I had several of these inconsistencies in my old LDAPSAM that I needed
> to correct before the upgrade completed.
Adam,
I agree. As we have never had an internal passdb consistency checker
before, the checks being done as part of the import are often the first
time a Samba 3.x site will discover a number of internal
inconsistencies.
For example, we already check for usernames and group names that
overlap, and duplicate SIDs. The detection of duplicate usernames is
left to this stage because we can give a clearer error message at this
point. The script is just Python however, and so it isn't hard to
improve if someone wants to provide a patch to improve it.
Max,
Your issue might be that what we fill in as CN is a duplicate, rather
than the username.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
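
The checks discussed in this thread (duplicate SIDs, user and group names that overlap, whitespace in an account name, and accounts that collapse to the same CN), run as a pre-flight pass over exported account records. This is an added example, not part of the original messages and not Samba's own upgrade code; the record layout, the `cn_candidate` rule and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real data). The field names are assumptions
# about how accounts were exported from the Samba 3 passdb before the upgrade.
ACCOUNTS = [
    {"name": "watersan", "sid": "S-1-5-21-1-2-3-1001", "kind": "user"},
    {"name": "watersan $", "sid": "S-1-5-21-1-2-3-1002", "kind": "machine"},
    {"name": "jdoe", "sid": "S-1-5-21-1-2-3-1003", "kind": "user"},
    {"name": "staff", "sid": "S-1-5-21-1-2-3-1003", "kind": "group"},
    {"name": "Staff", "sid": "S-1-5-21-1-2-3-1004", "kind": "user"},
]

def cn_candidate(name):
    """Assumed CN rule: drop a trailing '$', trim whitespace, ignore case.
    It mirrors the error in the thread, where 'watersan $' became CN=watersan."""
    return name.rstrip().rstrip("$").strip().casefold()

def check_accounts(accounts):
    """Return a list of (finding, account names) tuples; empty means clean."""
    findings = []
    by_sid, by_cn = defaultdict(list), defaultdict(list)
    for acct in accounts:
        name = acct["name"]
        if any(ch.isspace() for ch in name):
            findings.append(("whitespace-in-name", (name,)))
        by_sid[acct["sid"].upper()].append(name)
        by_cn[cn_candidate(name)].append(acct)
    for names in by_sid.values():
        if len(names) > 1:
            findings.append(("duplicate-sid", tuple(names)))
    for accts in by_cn.values():
        if len(accts) < 2:
            continue
        names = tuple(a["name"] for a in accts)
        kinds = {a["kind"] for a in accts}
        # A group sharing a name with a user or machine is reported separately
        # from two non-group accounts that collapse to one CN.
        if "group" in kinds and kinds != {"group"}:
            findings.append(("user-group-name-overlap", names))
        else:
            findings.append(("duplicate-cn", names))
    return findings

if __name__ == "__main__":
    for finding, names in check_accounts(ACCOUNTS):
        print(finding, names)
```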