[Samba] Migration to Samba 4

Sonic sonicsmith at gmail.com
Sun Apr 26 16:21:08 MDT 2015


Testing this "classic upgrade" scenario on a test server and have some
issues. I'm using the Sernet 4.2.1 packages on Debian Wheezy.

I copied the required tdb files and the smb.conf to the new test
server (named WHEEZY). Edited the smb.conf to reflect the new
host/netbios name of WHEEZY (remember that I want to keep the old PDC
in service afterward for file and print sharing duties - understanding
that it cannot simply be demoted) for the AD.

Run the "samba-tool domain classicupgrade ..." command and I get some
trouble spots (first is groups):
========================================================
Exporting groups
Ignoring group 'Assistants'
S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not
found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Projects'
S-1-5-21-1832519723-2688400599-3493754984-1092 listed but then not
found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Management'
S-1-5-21-1832519723-2688400599-3493754984-1885 listed but then not
found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Print Operators'
S-1-5-21-1832519723-2688400599-3493754984-550 listed but then not
found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Domain Admins'
S-1-5-21-1832519723-2688400599-3493754984-512 listed but then not
found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Office' S-1-5-21-1832519723-2688400599-3493754984-1901
listed but then not found: Unable to enumerate group members,
(-1073741722,No such group)
Ignoring group 'Accounting'
S-1-5-21-1832519723-2688400599-3493754984-1887 listed but then not
found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Domain Users'
S-1-5-21-1832519723-2688400599-3493754984-513 listed but then not
found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Domain Computers'
S-1-5-21-1832519723-2688400599-3493754984-515 listed but then not
found: Unable to enumerate group members, (-1073741722,No such group)
========================================================

And problems with users (guessing these are tied to the group issues):
========================================================
Exporting users
Ignoring group memberships of 'skjidu'
S-1-5-21-1832519723-2688400599-3493754984-1158: Unable to enumerate
group memberships, (-1073741724,No such user)
Ignoring group memberships of 'ngoires'
S-1-5-21-1832519723-2688400599-3493754984-3010: Unable to enumerate
group memberships, (-1073741724,No such user)
Ignoring group memberships of 'rmsorris'
S-1-5-21-1832519723-2688400599-3493754984-1299: Unable to enumerate
group memberships, (-1073741724,No such user)
Ignoring group memberships of 'khifdgym'
S-1-5-21-1832519723-2688400599-3493754984-1279: Unable to enumerate
group memberships, (-1073741724,No such user)
Ignoring group memberships of 'ZATL1$'
S-1-5-21-1832519723-2688400599-3493754984-1083: Unable to enumerate
group memberships, (-1073741724,No such user)
Ignoring group memberships of 'yzswains'
S-1-5-21-1832519723-2688400599-3493754984-1346: Unable to enumerate
group memberships, (-1073741724,No such user)
Ignoring group memberships of 'chjkwier'
S-1-5-21-1832519723-2688400599-3493754984-1130: Unable to enumerate
group memberships, (-1073741724,No such user)
Ignoring group memberships of 'ZATL2$'
S-1-5-21-1832519723-2688400599-3493754984-1080: Unable to enumerate
group memberships, (-1073741724,No such user)
.... and so on...
========================================================

Next area of concern is:
========================================================
Importing idmap database
Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
Adding groups
Importing groups
Could not add group name=Print Operators ((68, "samldb: Account name
(sAMAccountName) 'Print Operators' already in use!"))
Could not modify AD idmap entry for
sid=S-1-5-21-1832519723-2688400599-3493754984-550, id=449,
type=ID_TYPE_GID ((32, "Base-DN
'<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
Could not add posix attrs for AD entry for
sid=S-1-5-21-1832519723-2688400599-3493754984-550, ((32, "Base-DN
'<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
Group already exists
sid=S-1-5-21-1832519723-2688400599-3493754984-512, groupname=Domain
Admins existing_groupname=Domain Admins, Ignoring.
Group already exists
sid=S-1-5-21-1832519723-2688400599-3493754984-514, groupname=Domain
Guests existing_groupname=Domain Guests, Ignoring.
Group already exists
sid=S-1-5-21-1832519723-2688400599-3493754984-513, groupname=Domain
Users existing_groupname=Domain Users, Ignoring.
Group already exists
sid=S-1-5-21-1832519723-2688400599-3493754984-515, groupname=Domain
Computers existing_groupname=Domain Computers, Ignoring.
========================================================

It's looking like moving to a Samba 4 AD is not such a straightforward quest.

How to resolve those issues?

Thanks!


On Sat, Nov 15, 2014 at 2:53 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2014-10-28 at 21:24 -0200, Martinx - ジェームズ wrote:
>> Hi!
>>
>> In fact, at your new Samba4 AD DC, if you disable NetBIOS, then, it
>> will not conflict with old NT-Like Domain (which has NetBIOS).
>>
>> So, the only way to join your new Samba 4 AD DC domain is by
>> configuring the DNS, otherwise, it will stay there, quiet...
>>
>> Am I right?!
>
> Not really, and I don't recommend it.
>
>> BTW, I did more or less something like this here in my company, the
>> only difference was that I was migrating "MYDOM" from W2k8R2 (with
>> NetBIOS) to Samba4 (without NetBIOS).
>>
>> Also, I did not copy the SID from old MYDOM, to new MYDOM, in fact,
>> they are different.
>
> If you didn't keep the same name or SID, it isn't an upgrade.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


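An added example, not part of the original post or of Samba's own code: the Python below re-joins the wrapped "Ignoring ..." lines from the classicupgrade output quoted above and lists each skipped group or user with its RID and the status code in unsigned hex (the form NTSTATUS values are normally looked up in). The function names and the well-known-RID table are assumptions of this example.

```python
import re

# Constructed sample: three entries copied from the output quoted in the
# post, including the mail client's line wrapping.
SAMPLE = """\
Ignoring group 'Print Operators'
S-1-5-21-1832519723-2688400599-3493754984-550 listed but then not
found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Office' S-1-5-21-1832519723-2688400599-3493754984-1901
listed but then not found: Unable to enumerate group members,
(-1073741722,No such group)
Ignoring group memberships of 'ZATL1$'
S-1-5-21-1832519723-2688400599-3493754984-1083: Unable to enumerate
group memberships, (-1073741724,No such user)
"""

# Well-known relative IDs (RIDs). 512-515 are domain RIDs; 550 normally
# lives in the BUILTIN domain as S-1-5-32-550, not under the domain SID.
WELL_KNOWN_RIDS = {
    512: "Domain Admins", 513: "Domain Users",
    514: "Domain Guests", 515: "Domain Computers",
    550: "Print Operators (BUILTIN)",
}

ENTRY = re.compile(
    r"Ignoring (group memberships of|group) '([^']+)' "
    r"(S-1-5-21-\d+-\d+-\d+)-(\d+).*?\((-?\d+),([^)]+)\)"
)

def ntstatus_hex(code):
    """Render the signed 32-bit status from the log as unsigned hex."""
    return "0x%08X" % (code & 0xFFFFFFFF)

def triage(text):
    """Return one dict per skipped group or user found in the output."""
    flat = " ".join(text.split())  # undo the line wrapping
    rows = []
    for kind, name, domain_sid, rid, code, msg in ENTRY.findall(flat):
        rows.append({
            "kind": "user" if "memberships" in kind else "group",
            "name": name, "domain_sid": domain_sid, "rid": int(rid),
            "status": ntstatus_hex(int(code)), "message": msg,
            "well_known": WELL_KNOWN_RIDS.get(int(rid)),
        })
    return rows

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["kind"], r["name"], r["rid"], r["status"], r["well_known"] or "-")
```
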