[Samba] Problems with migrating users and groups with classicupgrade

Robert Moskowitz rgm at htt-consult.com
Thu Sep 17 09:36:46 UTC 2015 


On 09/17/2015 03:58 AM, Rowland Penny wrote:
> On 16/09/15 22:15, Robert Moskowitz wrote:
>>
>>
>> On 09/16/2015 05:03 PM, Rowland Penny wrote:
>>> On 16/09/15 19:17, Robert Moskowitz wrote:
>>>> I am assuming that I need to migrate my users and groups if I 
>>>> expect to move my user profiles.
>>>>
>>>> Migrating computers is a second question.  But on with details.
>>>>
>>>> My current setup is a ClearOS server running as a PDC.  I get the 
>>>> following information from it:
>>>>
>>>> # wbinfo -u
>>>> winadmin
>>>> guest
>>>> rgm
>>>> abba
>>>> imma
>>>> guest2
>>>> superrgm
>>>>
>>>> After running:
>>>>
>>>> samba-tool domain classicupgrade --dbdir=/root/samba.PDC/dbdir/ 
>>>> --use-xattrs=yes --realm=HOME.HTT --dns-backend=BIND9_DLZ 
>>>> /root/samba.PDC/etc/smb.conf
>>>>
>>>> and getting all the services running here I get:
>>>>
>>>> # wbinfo -u
>>>> administrator
>>>> dns-homebase
>>>> dhcpduser
>>>> krbtgt
>>>> guest
>>>>
>>>> So what went wrong?  Why did not my users make it through the 
>>>> migration?  I am attaching the output of the upgrade.  I have 
>>>> already changed the password, so don't yell at me for not blanking 
>>>> that out.
>>>>
>>>> # samba-tool domain classicupgrade --dbdir=/root/samba.PDC/dbdir/ 
>>>> --use-xattrs=yes --realm=HOME.HTT --dns-backend=BIND9_DLZ 
>>>> /root/samba.PDC/etc/smb.conf
>>>> Reading smb.conf
>>>> NOTE: Service printers is flagged unavailable.
>>>> NOTE: Service print$ is flagged unavailable.
>>>> Unknown parameter encountered: "force directory security mode"
>>>> Ignoring unknown parameter "force directory security mode"
>>>> Provisioning
>>>> Exporting account policy
>>>> Exporting groups
>>>> Exporting users
>>>> Next rid = 1000
>>>> Exporting posix attributes
>>>> Reading WINS database
>>>> Looking up IPv4 addresses
>>>> Looking up IPv6 addresses
>>>> No IPv6 address will be assigned
>>>> Setting up share.ldb
>>>> Setting up secrets.ldb
>>>> Setting up the registry
>>>> Setting up the privileges database
>>>> Setting up idmap db
>>>> Setting up SAM db
>>>> Setting up sam.ldb partitions and settings
>>>> Setting up sam.ldb rootDSE
>>>> Pre-loading the Samba 4 and AD schema
>>>> Adding DomainDN: DC=home,DC=htt
>>>> Adding configuration container
>>>> Setting up sam.ldb schema
>>>> Setting up sam.ldb configuration data
>>>> Setting up display specifiers
>>>> Modifying display specifiers
>>>> Adding users container
>>>> Modifying users container
>>>> Adding computers container
>>>> Modifying computers container
>>>> Setting up sam.ldb data
>>>> Setting up well known security principals
>>>> Setting up sam.ldb users and groups
>>>> Setting up self join
>>>> Setting acl on sysvol skipped
>>>> Adding DNS accounts
>>>> Creating CN=MicrosoftDNS,CN=System,DC=home,DC=htt
>>>> Creating DomainDnsZones and ForestDnsZones partitions
>>>> Populating DomainDnsZones and ForestDnsZones partitions
>>>> Unable to find group id for BIND,
>>>>                 set permissions to sam.ldb* files manually
>>>> BIND version unknown, please modify 
>>>> /var/lib/samba/private/named.conf manually.
>>>> See /var/lib/samba/private/named.conf for an example configuration 
>>>> include file for BIND
>>>> and /var/lib/samba/private/named.txt for further documentation 
>>>> required for secure DNS updates
>>>> Setting up sam.ldb rootDSE marking as synchronized
>>>> Fixing provision GUIDs
>>>> A Kerberos configuration suitable for Samba 4 has been generated at 
>>>> /var/lib/samba/private/krb5.conf
>>>> Setting up fake yp server settings
>>>> Once the above files are installed, your Samba4 server will be 
>>>> ready to use
>>>> Admin password:        ~G6;C~ojZ3<elpCAx[MH
>>>> Server Role:           active directory domain controller
>>>> Hostname:              homebase
>>>> NetBIOS Domain:        HOME
>>>> DNS Domain:            home.htt
>>>> DOMAIN SID: S-1-5-21-4240919292-2417995422-4236335894
>>>> Importing WINS database
>>>> Importing Account policy
>>>> Importing idmap database
>>>> Cannot open idmap database, Ignoring: [Errno 2] No such file or 
>>>> directory
>>>> Adding groups
>>>> Importing groups
>>>> Committing 'add groups' transaction to disk
>>>> Adding users
>>>> Importing users
>>>> Committing 'add users' transaction to disk
>>>> Adding users to groups
>>>> Committing 'add users to groups' transaction to disk
>>>>
>>>>
>>>>
>>>
>>> what version of Clearos, where were the users & groups stored, can 
>>> you post the smb.conf from the Clearos server
>>
>> # cat /etc/clearos-release
>> ClearOS Community release 6.6.0 (Final)
>>
>> But I built it on 6.0.  Back in Dec 2013.
>>
>> I am using linux users:
>>
>> # ls /home/ -ls
>> total 216
>>   4 drwx------.   3 abba     allusers   4096 Jun 10 22:48 abba
>>   4 drwx------    2 guest2   allusers   4096 Apr 13  2013 guest2
>> 184 drwx------  120 imma     allusers 184320 Sep 13 18:25 imma
>>  16 drwx------.   2 root     root      16384 Apr 11  2013 lost+found
>>   4 drwx------.   2 rgm      allusers   4096 Apr 11  2013 rgm
>>   4 drwx------    2 superrgm allusers   4096 Apr 13  2013 superrgm
>>
>>
>> # cat /etc/samba/smb.conf
>> [global]
>> # General
>> netbios name = HOMEBASE
>> workgroup = HOME
>> server string = home
>> security = user
>>
>> # Logging
>> syslog = 0
>> log level = 1
>> log file = /var/log/samba/%L-%m
>> max log size = 0
>> utmp = Yes
>>
>> # Network
>> bind interfaces only = No
>> interfaces = lo eth0
>> smb ports = 139
>>
>> # Printing
>> printcap name = /etc/printcap
>> load printers = Yes
>>
>> # Security settings
>> guest account = guest
>> #restrict anonymous = 2
>>
>> # WINS
>> wins support = Yes
>> wins server =
>>
>> # PDC/BDC
>> domain logons = Yes
>> add machine script = /usr/sbin/samba-add-machine "%u"
>> logon drive = H:
>> logon script = %U.cmd
>> logon path = \\%L\profiles\%U
>> logon home = \\%L\%U
>>
>> # Winbind
>> idmap config * : backend = ldap
>> idmap config * : range = 20000000-29999999
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> winbind offline logon = false
>> winbind use default domain = true
>> winbind separator = +
>> template homedir = /home/%U
>> template shell = /sbin/nologin
>>
>> # Other
>> preferred master = Yes
>> domain master = Yes
>> passwd program = /usr/sbin/userpasswd %u
>> passwd chat = *password:* %n\n *password:* %n\n *successfully.*
>> passwd chat timeout = 10
>> username map = /etc/samba/smbusers
>> wide links = No
>>
>> # LDAP settings
>> include = /etc/samba/smb.ldap.conf
>>
>> # Winbind LDAP settings
>> include = /etc/samba/smb.winbind.conf
>>
>> #============================ Share Definitions 
>> ==============================
>>
>> # Flexshare
>> # include = /etc/samba/flexshare.conf
>>
>> include = /etc/samba/flexshare.conf
>>
>> include = /etc/samba/extras.conf
>>
>> [homes]
>>     comment = Home Directories
>>     path = /home/%U
>>     valid users = %D\%S, %D+%S, %S
>>     read only = No
>>     browseable = No
>>     available = Yes
>>
>> [printers]
>>     comment = Print Spool
>>     path = /var/spool/samba
>>     printing = cups
>>     cups options = raw
>>     use client driver = Yes
>>     printable = Yes
>>     read only = No
>>     browseable = No
>>     available = No
>>
>> [print$]
>>     comment = Printer Drivers
>>     path = /var/samba/drivers
>>     read only = No
>>     browseable = No
>>     available = No
>>
>> [netlogon]
>>     comment = Network Logon Service
>>     path = /var/samba/netlogon
>>     read only = No
>>     locking = No
>>     browseable = No
>>     available = Yes
>>
>> [profiles]
>>     comment = Profile Share
>>     path = /var/samba/profiles
>>     read only = No
>>     profile acls = Yes
>>     browseable = No
>>     available = Yes
>>     force group = domain_users
>>     force directory mode = 02775
>>     force directory security mode = 02775
>>
>>
>>
>
> What is in the include files, it looks like the user & group info is 
> stored in ldap

# more /etc/samba/smb.ldap.conf
# Please do not edit - this file is automatically generated.

passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=manager,ou=Internal,dc=home,dc=htt
ldap group suffix = ou=Groups,ou=Accounts
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers,ou=Accounts
ldap passwd sync = No
ldap suffix = dc=home,dc=htt
ldap user suffix = ou=Users,ou=Accounts
ldap connection timeout = 8
ldap ssl = Off

# more /etc/samba/smb.winbind.conf
# Please do not edit - this file is automatically generated.


idmap config * : ldap_url = ldap://127.0.0.1
idmap config * : ldap_base_dn = ou=Idmap,dc=home,dc=htt
idmap config * : ldap_user_dn = cn=manager,ou=Internal,dc=home,dc=htt

Other interesting files under /etc/samba are:

# more localsid
S-1-5-21-4240919292-2417995422-4236335894
# more domainsid
S-1-5-21-4240919292-2417995422-4236335894
# more smbusers
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest
# more lmhosts
127.0.0.1 localhost

More information about the samba mailing list