[Samba] Issue with computer accounts with classicupgrade
mike.brady at devnull.net.nz
Tue Aug 11 22:35:46 UTC 2015
I have an old CentOS 5/Samba 3.5 domain with LDAP backend that I am
attempting to migrate to the latest Samba 4.2 on CentOS 7.1. Samba in
both cases has been installed using SerNet packages.

I had successfully run the classicupgrade process, but in subsequent
testing found that in the 3.5 domain all the computer accounts have the
posixAccount class and therefore have a uidNumber. Unfortunately the
uidNumbers are duplicated with the user uidNumbers, which doesn't seem
to be an issue in the 3.5 domain, but is in the Samba 4 domain.

My first attempt at fixing this was to use an LDIF file to remove the
posixAccount class and its attributes for all the machine accounts, as
I did not believe that they were required. But this gave the following
error when running the classicupgrade:

samba-tool domain classicupgrade -d 3 --dbdir=/root/samba.PDC/
--use-xattrs=yes --realm=ad.companyname.co.nz --dns-backend=BIND9_DLZ
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
Processing section "[global]"
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Exporting account policy
init_sam_from_ldap: Failed to find Unix account for VM07$
ldapsam_getsampwnam: init_sam_from_ldap failed for user 'VM07$'!
ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user
information for 'VM07$', (-1073741724,No such user)
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line
1452, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
File "/usr/lib64/python2.7/site-packages/samba/upgrade.py", line 566,
user = s3db.getsampwnam(username)

So I created another LDIF that just changes all the machine account
uidNumbers to something that does not conflict with the user uidNumbers.
The classicupgrade process completes with this. I haven't done any
further testing yet, but this should resolve the issues that I was
seeing because of the duplicated uidNumbers.

Using ADSIEdit to look at a freshly installed domain shows that
computer accounts do not have uidNumber, gidNumber, etc. assigned. I am
therefore puzzled as to why the classicupgrade seems to need them.

I am not sure what the end result should be with regard to the machine
accounts after the classicupgrade and am therefore looking for advice on
what I should be doing (as opposed to what I have done) to resolve this
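
The renumbering approach described in the post, sketched as an added example (not the poster's LDIF or script): it reads an LDIF export, finds machine accounts whose uidNumber is also held by a user account, and emits ldapmodify input that moves each one to an unused number. It assumes machine accounts are the entries whose uid ends in `$`; the sample LDIF, DNs and numbers are constructed.

```python
import re

# Constructed sample export; DNs and uidNumbers are made up for illustration.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
uidNumber: 1001

dn: uid=VM07$,ou=Computers,dc=example,dc=com
uid: VM07$
uidNumber: 1001

dn: uid=PC12$,ou=Computers,dc=example,dc=com
uid: PC12$
uidNumber: 5000
"""

def parse_ldif(text):
    """Parse LDIF into {attr_lower: [values]} dicts (unfolds lines; no base64)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "").strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                entry.setdefault(key.lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries

def is_machine(entry):
    # Assumption: machine accounts are the entries whose uid ends in "$".
    return any(u.endswith("$") for u in entry.get("uid", []))

def colliding_machines(entries):
    """Machine entries whose uidNumber is also held by a user account."""
    user_ids = {n for e in entries if not is_machine(e) for n in e.get("uidnumber", [])}
    return [e for e in entries if is_machine(e) and user_ids & set(e.get("uidnumber", []))]

def renumber_ldif(entries):
    """ldapmodify input moving each colliding machine to an unused uidNumber."""
    used = {int(n) for e in entries for n in e.get("uidnumber", [])}
    out = []
    for e in colliding_machines(entries):
        new_id = max(used) + 1
        used.add(new_id)
        out.append(f"dn: {e['dn'][0]}\nchangetype: modify\n"
                   f"replace: uidNumber\nuidNumber: {new_id}\n")
    return "\n".join(out)
```

Running `colliding_machines` on its own before applying anything gives the list of accounts to review; machine accounts that do not collide (PC12$ in the sample) are left untouched.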