[Samba] need help cleaning up my smb3 databases to complete smb4 classic upgrade

Rowland Penny rowlandpenny at googlemail.com
Mon May 26 03:33:02 MDT 2014


On 26/05/14 09:38, Adam Wojnarski wrote:
> Since there is no response to my previous e-mail, I have an idea for a
> different approach- perhaps I can use those commands
> net rpc samdump         Dump SAM data of remote NT PDC
> net rpc vampire         Sync a remote NT PDC's data into local passdb
> net rpc getsid          Fetch the domain sid into local secrets.tdb
> to pump my domain data to a fresh tdb database and ensure consistency this way?
>
> This way I would migrate oldsmb3->newsmb3(as secondary
> DC)->newsmb4(->and then finally be able to build a trust with ad2008
> but that's a different story)
> Or will the invalid entries be copied as well? I prefer to ask prior
> to doing something that will turn out to be a total waste of time. If
> it is supposed to work as I wrote, which options should I use?
>
>
> Or coming back to my previous approach - perhaps I need to dump the db
> in a special way or it's a ssid not connected to users at all and I
> need to check another tdb? I still think that identifying and deleting
> the offending record is the best approach.
>
> Maybe the classic upgrade has some kind of --force equivalent I could
> use to try to migrate, overlooking erroneous entries in tdb's?
>
> I've been struggling for a few weeks now so any help will be welcome.
>
> Best Regards,
> Adam
>
>
> 2014-05-21 10:59 GMT+02:00 Adam Wojnarski <adam.wojnarski at gmail.com>:
>> Hello Marc,
>> Thank You for Your reply
>>> Hello Adam,
>>>
>>> Am 19.05.2014 10:53, schrieb Adam Wojnarski:
>>>> My issue is:
>>>> How do I find the offending sid in my old dbs and get rid of it?
>>> What kind of backend do you use on your classic domain?
>>>
>>>
>> My smb3 config (excluding hosts shares) follows
>>
>> [global]
>> workgroup = MyCOMPANYNAME
>> server string = THISHOSTSNAME
>> hosts allow = 192.168. 127.
>> log file = /var/log/samba/%m.log
>> max log size = 50
>> log level = 10
>> security = user
>> passdb backend = tdbsam
>> domain master = yes
>> domain logons = yes
>> logon drive = Q:
>> logon home = \\%N\%U
>> logon path = \\%N\%U\profile
>> add machine script = /usr/sbin/useradd -d /var/lib/nobody -s /sbin/nologin "%u"
>> local master = yes
>> preferred master = yes
>> wins support = yes
>> load printers = no
>> cups options = raw
>> create mask = 0660
>> directory mask = 0770
>> unix extensions = no
>> max open files = 100000
>> [homes]
>> comment = Home Directories
>> browseable = no
>> writable = yes
>> valid users = %S
>> valid users = MYCOMPANYNAME\%S
>> [netlogon]
>> comment = Network Logon Service
>> path = /var/lib/samba/netlogon
>> guest ok = yes
>> writable = no
>> share modes = no
>>
>>
>>>
>>>> I got my samba 4 from git://git.samba.org/samba.git samba-master
>>>> my smb3 server is an ancient Fedora build samba-3.2.15-0.36.fc10.x86_64 -
>>>> am I right to think that upgrading it to a current 3.x line version might
>>>> help things or will the db's collect even more garbage with the upgrade? A
>>>> few people managed it before me so I don't know its full history.
>>> If you have any concerns, you can simply update to 4.1.7 and if
>>> everything works like it should, then do the classicupgrade to AD a few
>>> days later.
>>>
>>> But why do you want to use a developer/git version and not a released
>>> one (4.1.7)? Releases are stable. I would not run a git version in
>>> production.
>>>
>> Tried the current stable release - I have the exact same error. I
>> googled it multiple times and am sure that it's an issue with the old
>> samba. Tried to locate the offending user/host using wbinfo or dumping
>> the winbindd_idmap.tdb file but failed to find it there. I was trying
>> the one from git hoping that a fresher version will do better. From
>> what I learned this haunts users ever since classicupgrade is
>> available.
>>
>>>
>>> Regards,
>>> Marc
>>
>> p.s. listing of all tdb databases I have in my old system
>>
>> # ls  /var/lib/samba/
>> account_policy.tdb      connections.tdb.bak
>> idmap_cache.tdb.bak  mutex.tdb.bak              notify.tdb.bak
>> ntprinters.tdb.bak  scripts             unexpected.tdb.bak
>> wins.dat
>> account_policy.tdb.bak  gencache.tdb                locking.tdb
>>    namelist.debug             ntdrivers.tdb      perfmon
>> sessionid.tdb       winbindd_cache.tdb      wins.tdb
>> brlock.tdb              gencache.tdb.bak            locking.tdb.bak
>>    netlogon                   ntdrivers.tdb.bak  printing
>> sessionid.tdb.bak   winbindd_cache.tdb.bak  wins.tdb.bak
>> brlock.tdb.bak          group_mapping.ldb           messages.tdb
>>    netsamlogon_cache.tdb      ntforms.tdb        private
>> share_info.tdb      winbindd_idmap.tdb
>> browse.dat              group_mapping.tdb.upgraded  messages.tdb.bak
>>    netsamlogon_cache.tdb.bak  ntforms.tdb.bak    registry.tdb
>> share_info.tdb.bak  winbindd_idmap.tdb.bak
>> connections.tdb         idmap_cache.tdb             mutex.tdb
>>    notify.tdb                 ntprinters.tdb     registry.tdb.bak
>> unexpected.tdb      winbindd_privileged
>>
>> # ls  /var/lib/samba/private/
>> passdb.tdb  schannel_store.tdb  secrets.tdb  smbpasswd
>>
>> Best Regards,
>> Adam
Firstly, I am not an expert here, but from reading your first post it
would seem that the upgrade is trying to map the SID
'S-1-5-21-1275545348-4294519683-4007804651-512' (this is Domain Admins)
to a group in your tdbsam database and cannot find anything to map to.

What does 'net groupmap list' return?

Rowland
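
The check that question leads to, as an added example that is not part of the original post: a filter that reads `net groupmap list` output and reports which well-known domain groups (RIDs 512, 513, 514) have no mapping under the domain SID. The function name, the sample mappings and the assumed output format `NT name (SID) -> unix group` are assumptions of this example.

```shell
#!/bin/sh
# Added example. Reads `net groupmap list` output on stdin and reports the
# well-known domain group RIDs that have no mapping under the given domain SID.
# Assumed line format:  NT group name (SID) -> unix group

missing_wellknown_groups() {
    awk -v dom="$1" '
        BEGIN {
            want[512] = "Domain Admins"
            want[513] = "Domain Users"
            want[514] = "Domain Guests"
        }
        # The SID sits in parentheses immediately before " -> ".
        match($0, /\(S-1-[0-9-]+\) -> /) {
            sid     = substr($0, RSTART + 1, RLENGTH - 6)
            unixgrp = substr($0, RSTART + RLENGTH)
            n       = split(sid, part, "-")
            rid     = part[n]
            prefix  = substr(sid, 1, length(sid) - length(rid) - 1)
            # Count it only if it belongs to this domain and names a unix group.
            if (prefix == dom && (rid in want) && unixgrp != "")
                seen[rid] = 1
        }
        END {
            for (rid = 512; rid <= 514; rid++)
                if (!(rid in seen))
                    printf "MISSING %s-%d (%s)\n", dom, rid, want[rid]
        }'
}

# Domain SID taken from the SID quoted in the thread (RID 512 stripped).
DOMAIN_SID='S-1-5-21-1275545348-4294519683-4007804651'

# Constructed sample output, not taken from the poster's server.
SAMPLE_GROUPMAP='Domain Users (S-1-5-21-1275545348-4294519683-4007804651-513) -> users
Domain Guests (S-1-5-21-1275545348-4294519683-4007804651-514) -> nobody
Staff (S-1-5-21-1275545348-4294519683-4007804651-3001) -> staff'

printf '%s\n' "$SAMPLE_GROUPMAP" | missing_wellknown_groups "$DOMAIN_SID"
# On a live server: net groupmap list | missing_wellknown_groups "$DOMAIN_SID"
```

Empty output means all three well-known groups are mapped; a mapping that carries a different domain SID prefix is deliberately not counted.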

