[Samba] Problems with migrating users and groups with classicupgrade
Robert Moskowitz
rgm at htt-consult.com
Thu Sep 17 09:36:46 UTC 2015
On 09/17/2015 03:58 AM, Rowland Penny wrote:
> On 16/09/15 22:15, Robert Moskowitz wrote:
>>
>>
>> On 09/16/2015 05:03 PM, Rowland Penny wrote:
>>> On 16/09/15 19:17, Robert Moskowitz wrote:
>>>> I am assuming that I need to migrate my users and groups if I
>>>> expect to move my user profiles.
>>>>
>>>> Migrating computers is a second question. But on with details.
>>>>
>>>> My current setup is a ClearOS server running as a PDC. I get the
>>>> following information from it:
>>>>
>>>> # wbinfo -u
>>>> winadmin
>>>> guest
>>>> rgm
>>>> abba
>>>> imma
>>>> guest2
>>>> superrgm
>>>>
>>>> After running:
>>>>
>>>> samba-tool domain classicupgrade --dbdir=/root/samba.PDC/dbdir/
>>>> --use-xattrs=yes --realm=HOME.HTT --dns-backend=BIND9_DLZ
>>>> /root/samba.PDC/etc/smb.conf
>>>>
>>>> and getting all the services running here I get:
>>>>
>>>> # wbinfo -u
>>>> administrator
>>>> dns-homebase
>>>> dhcpduser
>>>> krbtgt
>>>> guest
>>>>
>>>> So what went wrong? Why did not my users make it through the
>>>> migration? I am attaching the output of the upgrade. I have
>>>> already changed the password, so don't yell at me for not blanking
>>>> that out.
>>>>
>>>> # samba-tool domain classicupgrade --dbdir=/root/samba.PDC/dbdir/
>>>> --use-xattrs=yes --realm=HOME.HTT --dns-backend=BIND9_DLZ
>>>> /root/samba.PDC/etc/smb.conf
>>>> Reading smb.conf
>>>> NOTE: Service printers is flagged unavailable.
>>>> NOTE: Service print$ is flagged unavailable.
>>>> Unknown parameter encountered: "force directory security mode"
>>>> Ignoring unknown parameter "force directory security mode"
>>>> Provisioning
>>>> Exporting account policy
>>>> Exporting groups
>>>> Exporting users
>>>> Next rid = 1000
>>>> Exporting posix attributes
>>>> Reading WINS database
>>>> Looking up IPv4 addresses
>>>> Looking up IPv6 addresses
>>>> No IPv6 address will be assigned
>>>> Setting up share.ldb
>>>> Setting up secrets.ldb
>>>> Setting up the registry
>>>> Setting up the privileges database
>>>> Setting up idmap db
>>>> Setting up SAM db
>>>> Setting up sam.ldb partitions and settings
>>>> Setting up sam.ldb rootDSE
>>>> Pre-loading the Samba 4 and AD schema
>>>> Adding DomainDN: DC=home,DC=htt
>>>> Adding configuration container
>>>> Setting up sam.ldb schema
>>>> Setting up sam.ldb configuration data
>>>> Setting up display specifiers
>>>> Modifying display specifiers
>>>> Adding users container
>>>> Modifying users container
>>>> Adding computers container
>>>> Modifying computers container
>>>> Setting up sam.ldb data
>>>> Setting up well known security principals
>>>> Setting up sam.ldb users and groups
>>>> Setting up self join
>>>> Setting acl on sysvol skipped
>>>> Adding DNS accounts
>>>> Creating CN=MicrosoftDNS,CN=System,DC=home,DC=htt
>>>> Creating DomainDnsZones and ForestDnsZones partitions
>>>> Populating DomainDnsZones and ForestDnsZones partitions
>>>> Unable to find group id for BIND,
>>>> set permissions to sam.ldb* files manually
>>>> BIND version unknown, please modify
>>>> /var/lib/samba/private/named.conf manually.
>>>> See /var/lib/samba/private/named.conf for an example configuration
>>>> include file for BIND
>>>> and /var/lib/samba/private/named.txt for further documentation
>>>> required for secure DNS updates
>>>> Setting up sam.ldb rootDSE marking as synchronized
>>>> Fixing provision GUIDs
>>>> A Kerberos configuration suitable for Samba 4 has been generated at
>>>> /var/lib/samba/private/krb5.conf
>>>> Setting up fake yp server settings
>>>> Once the above files are installed, your Samba4 server will be
>>>> ready to use
>>>> Admin password: ~G6;C~ojZ3<elpCAx[MH
>>>> Server Role: active directory domain controller
>>>> Hostname: homebase
>>>> NetBIOS Domain: HOME
>>>> DNS Domain: home.htt
>>>> DOMAIN SID: S-1-5-21-4240919292-2417995422-4236335894
>>>> Importing WINS database
>>>> Importing Account policy
>>>> Importing idmap database
>>>> Cannot open idmap database, Ignoring: [Errno 2] No such file or
>>>> directory
>>>> Adding groups
>>>> Importing groups
>>>> Committing 'add groups' transaction to disk
>>>> Adding users
>>>> Importing users
>>>> Committing 'add users' transaction to disk
>>>> Adding users to groups
>>>> Committing 'add users to groups' transaction to disk
>>>>
>>>>
>>>>
>>>
>>> what version of Clearos, where were the users & groups stored, can
>>> you post the smb.conf from the Clearos server
>>
>> # cat /etc/clearos-release
>> ClearOS Community release 6.6.0 (Final)
>>
>> But I built it on 6.0. Back in Dec 2013.
>>
>> I am using linux users:
>>
>> # ls /home/ -ls
>> total 216
>> 4 drwx------. 3 abba allusers 4096 Jun 10 22:48 abba
>> 4 drwx------ 2 guest2 allusers 4096 Apr 13 2013 guest2
>> 184 drwx------ 120 imma allusers 184320 Sep 13 18:25 imma
>> 16 drwx------. 2 root root 16384 Apr 11 2013 lost+found
>> 4 drwx------. 2 rgm allusers 4096 Apr 11 2013 rgm
>> 4 drwx------ 2 superrgm allusers 4096 Apr 13 2013 superrgm
>>
>>
>> # cat /etc/samba/smb.conf
>> [global]
>> # General
>> netbios name = HOMEBASE
>> workgroup = HOME
>> server string = home
>> security = user
>>
>> # Logging
>> syslog = 0
>> log level = 1
>> log file = /var/log/samba/%L-%m
>> max log size = 0
>> utmp = Yes
>>
>> # Network
>> bind interfaces only = No
>> interfaces = lo eth0
>> smb ports = 139
>>
>> # Printing
>> printcap name = /etc/printcap
>> load printers = Yes
>>
>> # Security settings
>> guest account = guest
>> #restrict anonymous = 2
>>
>> # WINS
>> wins support = Yes
>> wins server =
>>
>> # PDC/BDC
>> domain logons = Yes
>> add machine script = /usr/sbin/samba-add-machine "%u"
>> logon drive = H:
>> logon script = %U.cmd
>> logon path = \\%L\profiles\%U
>> logon home = \\%L\%U
>>
>> # Winbind
>> idmap config * : backend = ldap
>> idmap config * : range = 20000000-29999999
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind offline logon = false
>> winbind use default domain = true
>> winbind separator = +
>> template homedir = /home/%U
>> template shell = /sbin/nologin
>>
>> # Other
>> preferred master = Yes
>> domain master = Yes
>> passwd program = /usr/sbin/userpasswd %u
>> passwd chat = *password:* %n\n *password:* %n\n *successfully.*
>> passwd chat timeout = 10
>> username map = /etc/samba/smbusers
>> wide links = No
>>
>> # LDAP settings
>> include = /etc/samba/smb.ldap.conf
>>
>> # Winbind LDAP settings
>> include = /etc/samba/smb.winbind.conf
>>
>> #============================ Share Definitions ==============================
>>
>> # Flexshare
>> # include = /etc/samba/flexshare.conf
>>
>> include = /etc/samba/flexshare.conf
>>
>> include = /etc/samba/extras.conf
>>
>> [homes]
>> comment = Home Directories
>> path = /home/%U
>> valid users = %D\%S, %D+%S, %S
>> read only = No
>> browseable = No
>> available = Yes
>>
>> [printers]
>> comment = Print Spool
>> path = /var/spool/samba
>> printing = cups
>> cups options = raw
>> use client driver = Yes
>> printable = Yes
>> read only = No
>> browseable = No
>> available = No
>>
>> [print$]
>> comment = Printer Drivers
>> path = /var/samba/drivers
>> read only = No
>> browseable = No
>> available = No
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /var/samba/netlogon
>> read only = No
>> locking = No
>> browseable = No
>> available = Yes
>>
>> [profiles]
>> comment = Profile Share
>> path = /var/samba/profiles
>> read only = No
>> profile acls = Yes
>> browseable = No
>> available = Yes
>> force group = domain_users
>> force directory mode = 02775
>> force directory security mode = 02775
>>
>>
>>
>
> What is in the include files, it looks like the user & group info is
> stored in ldap

# more /etc/samba/smb.ldap.conf
# Please do not edit - this file is automatically generated.
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=manager,ou=Internal,dc=home,dc=htt
ldap group suffix = ou=Groups,ou=Accounts
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers,ou=Accounts
ldap passwd sync = No
ldap suffix = dc=home,dc=htt
ldap user suffix = ou=Users,ou=Accounts
ldap connection timeout = 8
ldap ssl = Off

# more /etc/samba/smb.winbind.conf
# Please do not edit - this file is automatically generated.
idmap config * : ldap_url = ldap://127.0.0.1
idmap config * : ldap_base_dn = ou=Idmap,dc=home,dc=htt
idmap config * : ldap_user_dn = cn=manager,ou=Internal,dc=home,dc=htt

Other interesting files under /etc/samba are:

# more localsid
S-1-5-21-4240919292-2417995422-4236335894

# more domainsid
S-1-5-21-4240919292-2417995422-4236335894

# more smbusers
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest

# more lmhosts
127.0.0.1 localhost
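
The question in this thread of where the accounts are stored depends on `passdb backend`, which in this configuration only shows up after following the `include =` lines. As an added example (not from the thread and not Samba's own code), this Python sketch resolves includes in place and reports the effective value and the file that set it. The sample files are constructed from the excerpts posted above; %-substitution in include paths and line continuations are not handled.

```python
import re
from pathlib import Path

# Constructed sample, abridged from the files quoted in this thread.
SAMPLE = {
    "/etc/samba/smb.conf": (
        "[global]\nworkgroup = HOME\n"
        "include = /etc/samba/smb.ldap.conf\n"
        "include = /etc/samba/smb.winbind.conf\n"   # absent from SAMPLE on purpose
        "[homes]\npath = /home/%U\n"),
    "/etc/samba/smb.ldap.conf": (
        "passdb backend = ldapsam:ldap://127.0.0.1\n"
        "ldap suffix = dc=home,dc=htt\n"),
}

def _norm(name):
    """smb.conf ignores case and whitespace in section and parameter names."""
    return re.sub(r"\s+", "", name).lower()

def _read_disk(path):
    return Path(path).read_text(errors="replace")

def resolve(path, read=_read_disk, settings=None, section="global", seen=()):
    """Return ({(section, param): (value, source_file)}, last section seen).
    Included files are read at the point of the include; later settings win."""
    settings = {} if settings is None else settings
    if path in seen:                       # guard against include loops
        return settings, section
    try:
        text = read(path)
    except (OSError, KeyError):            # unreadable include: this sketch skips it
        return settings, section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if _norm(key) == "include":
                settings, section = resolve(value, read, settings, section, seen + (path,))
            else:
                settings[(section, _norm(key))] = (value, path)
    return settings, section

def account_store(path, read=_read_disk):
    # Returns (backend type, full value, file that set it), or (None, None, None).
    settings, _ = resolve(path, read)
    value, source = settings.get(("global", "passdbbackend"), (None, None))
    return (value.split(":", 1)[0] if value else None), value, source

if __name__ == "__main__":
    print(account_store("/etc/samba/smb.conf", SAMPLE.__getitem__))
```

On a live server, `testparm -s` prints the merged configuration with includes already applied.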