[Samba] Migration to Samba 4

Rowland Penny rowlandpenny at googlemail.com
Mon Apr 27 02:11:17 MDT 2015


On 26/04/15 23:21, Sonic wrote:
> Testing this "classic upgrade" scenario on a test server and have some
> issues. I'm using the Sernet 4.2.1 packages on Debian Wheezy.
>
> I copied the required tdb files and the smb.conf to the new test
> server (named WHEEZY). Edited the smb.conf to reflect the new
> host/netbios name of WHEEZY (remember that I want to keep the old PDC
> in service afterward for file and print sharing duties - understanding
> that it cannot simply be demoted) for the AD.
>
> Run the "samba-tool domain classicupgrade ..." command and I get some
> trouble spots (first is groups):
> ========================================================
> Exporting groups
> Ignoring group 'Assistants'
> S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not
> found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Projects'
> S-1-5-21-1832519723-2688400599-3493754984-1092 listed but then not
> found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Management'
> S-1-5-21-1832519723-2688400599-3493754984-1885 listed but then not
> found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Print Operators'
> S-1-5-21-1832519723-2688400599-3493754984-550 listed but then not
> found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Domain Admins'
> S-1-5-21-1832519723-2688400599-3493754984-512 listed but then not
> found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Office' S-1-5-21-1832519723-2688400599-3493754984-1901
> listed but then not found: Unable to enumerate group members,
> (-1073741722,No such group)
> Ignoring group 'Accounting'
> S-1-5-21-1832519723-2688400599-3493754984-1887 listed but then not
> found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Domain Users'
> S-1-5-21-1832519723-2688400599-3493754984-513 listed but then not
> found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Domain Computers'
> S-1-5-21-1832519723-2688400599-3493754984-515 listed but then not
> found: Unable to enumerate group members, (-1073741722,No such group)
> ========================================================
>
> And problems with users (guessing these are tied to the group issues):
> ========================================================
> Exporting users
> Ignoring group memberships of 'skjidu'
> S-1-5-21-1832519723-2688400599-3493754984-1158: Unable to enumerate
> group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'ngoires'
> S-1-5-21-1832519723-2688400599-3493754984-3010: Unable to enumerate
> group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'rmsorris'
> S-1-5-21-1832519723-2688400599-3493754984-1299: Unable to enumerate
> group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'khifdgym'
> S-1-5-21-1832519723-2688400599-3493754984-1279: Unable to enumerate
> group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'ZATL1$'
> S-1-5-21-1832519723-2688400599-3493754984-1083: Unable to enumerate
> group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'yzswains'
> S-1-5-21-1832519723-2688400599-3493754984-1346: Unable to enumerate
> group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'chjkwier'
> S-1-5-21-1832519723-2688400599-3493754984-1130: Unable to enumerate
> group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'ZATL2$'
> S-1-5-21-1832519723-2688400599-3493754984-1080: Unable to enumerate
> group memberships, (-1073741724,No such user)
> .... and so on...
> ========================================================
>
> Next area of concern is:
> ========================================================
> Importing idmap database
> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
> Adding groups
> Importing groups
> Could not add group name=Print Operators ((68, "samldb: Account name
> (sAMAccountName) 'Print Operators' already in use!"))
> Could not modify AD idmap entry for
> sid=S-1-5-21-1832519723-2688400599-3493754984-550, id=449,
> type=ID_TYPE_GID ((32, "Base-DN
> '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
> Could not add posix attrs for AD entry for
> sid=S-1-5-21-1832519723-2688400599-3493754984-550, ((32, "Base-DN
> '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
> Group already exists
> sid=S-1-5-21-1832519723-2688400599-3493754984-512, groupname=Domain
> Admins existing_groupname=Domain Admins, Ignoring.
> Group already exists
> sid=S-1-5-21-1832519723-2688400599-3493754984-514, groupname=Domain
> Guests existing_groupname=Domain Guests, Ignoring.
> Group already exists
> sid=S-1-5-21-1832519723-2688400599-3493754984-513, groupname=Domain
> Users existing_groupname=Domain Users, Ignoring.
> Group already exists
> sid=S-1-5-21-1832519723-2688400599-3493754984-515, groupname=Domain
> Computers existing_groupname=Domain Computers, Ignoring.
> ========================================================
>
> It's looking like moving to a Samba 4 AD is not such a straightforward quest.
>
> How to resolve those issues?
>
> Thanks!
>
>
> On Sat, Nov 15, 2014 at 2:53 AM, Andrew Bartlett <abartlet at samba.org> wrote:
>> On Tue, 2014-10-28 at 21:24 -0200, Martinx - ジェームズ wrote:
>>> Hi!
>>>
>>> In fact, at your new Samba4 AD DC, if you disable NetBIOS, then, it
>>> will not conflict with old NT-Like Domain (which have NetBIOS).
>>>
>>> So, the only way to join your new Samba 4 AD DC domain is by
>>> configuring the DNS, otherwise, it will stay there, quiet...
>>>
>>> Am I right?!
>> Not really, and I don't recommend it.
>>
>>> BTW, I did more or less something like this here in my company, the
>>> only difference was that I was migrating "MYDOM" from W2k8R2 (with
>>> NetBIOS) to Samba4 (without NetBIOS).
>>>
>>> Also, I did not copy the SID from old MYDOM to new MYDOM; in fact,
>>> they are different.
>> If you didn't keep the same name or SID, it isn't an upgrade.
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett                       http://samba.org/~abartlet/
>> Authentication Developer, Samba Team  http://samba.org
>> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>>
>>

It sounds to me that you are not going about this the right way; you 
need to follow the instructions on the wiki page:

https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29

Do this in a test environment, get the AD DC working, then once you are 
sure everything is ok, swap your new AD DC for the old PDC. After this, 
you can then upgrade samba on the PDC, change smb.conf to make it a 
member server and then join this to the Domain.

Rowland
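Added here as an illustration, not code from the thread or from Samba: a small Python triage script that re-joins the wrapped classicupgrade output quoted above, counts the failures by kind, and checks that every SID carries the domain SID you intend to keep (Andrew's point about keeping the name and SID). The sample log is constructed from the lines quoted above; the expected domain SID is assumed to be read from `net getlocalsid` on the old PDC.

```python
import re
from collections import Counter
# Constructed sample, modelled on the wrapped classicupgrade output quoted above.
SAMPLE_LOG = """Ignoring group 'Assistants'
S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not
found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Domain Admins'
S-1-5-21-1832519723-2688400599-3493754984-512 listed but then not
found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group memberships of 'ZATL1$'
S-1-5-21-1832519723-2688400599-3493754984-1083: Unable to enumerate
group memberships, (-1073741724,No such user)
Group already exists
sid=S-1-5-21-1832519723-2688400599-3493754984-513, groupname=Domain
Users existing_groupname=Domain Users, Ignoring.
"""
# A record starts with one of these prefixes; any other line is a wrapped continuation.
STARTS = ("Ignoring group", "Could not", "Group already exists", "Exporting",
          "Importing", "Cannot open", "Adding")
SID_RE = re.compile(r"(S-1-5-21-\d+-\d+-\d+)-(\d+)")
KINDS = [("Ignoring group memberships of", "user-not-found"),
         ("Ignoring group", "group-not-found"),
         ("Group already exists", "group-exists"),
         ("Could not", "import-error")]

def unwrap(text):
    """Re-join records that the tool wrapped over several lines."""
    records = []
    for line in text.splitlines():
        if line.startswith(STARTS) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def triage(text, expected_domain_sid):
    """Count failures by kind, flag SIDs outside expected_domain_sid (assumed to be
    taken from `net getlocalsid` on the old PDC) and list custom groups lost."""
    entries = []  # (kind, domain_sid, rid) for every record carrying a SID
    for rec in unwrap(text):
        m = SID_RE.search(rec)
        if m:
            kind = next((k for p, k in KINDS if rec.startswith(p)), "other")
            entries.append((kind, m.group(1), int(m.group(2))))
    counts = Counter(kind for kind, _, _ in entries)
    foreign = sorted({dom for _, dom, _ in entries if dom != expected_domain_sid})
    # RIDs < 1000 are well-known (512 Domain Admins, 513 Domain Users, ...) and exist in a fresh provision.
    custom = sorted(rid for kind, _, rid in entries
                    if kind == "group-not-found" and rid >= 1000)
    return {"counts": dict(counts), "foreign_sids": foreign, "custom_not_found": custom}
```

Any entry under `foreign_sids` means the exported tdb files do not belong to the domain whose SID you intend to keep, which is worth settling before re-running the upgrade.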
