[Samba] Problems with migrating users and groups with classicupgrade
Rowland Penny
rowlandpenny241155 at gmail.com
Thu Sep 17 09:52:33 UTC 2015
On 17/09/15 10:36, Robert Moskowitz wrote:
>
>
> On 09/17/2015 03:58 AM, Rowland Penny wrote:
>> On 16/09/15 22:15, Robert Moskowitz wrote:
>>>
>>>
>>> On 09/16/2015 05:03 PM, Rowland Penny wrote:
>>>> On 16/09/15 19:17, Robert Moskowitz wrote:
>>>>> I am assuming that I need to migrate my users and groups if I
>>>>> expect to move my user profiles.
>>>>>
>>>>> Migrating computers is a second question. But on with details.
>>>>>
>>>>> My current setup is a ClearOS server running as a PDC. I get the
>>>>> following information from it:
>>>>>
>>>>> # wbinfo -u
>>>>> winadmin
>>>>> guest
>>>>> rgm
>>>>> abba
>>>>> imma
>>>>> guest2
>>>>> superrgm
>>>>>
>>>>> After running:
>>>>>
>>>>> samba-tool domain classicupgrade --dbdir=/root/samba.PDC/dbdir/ --use-xattrs=yes --realm=HOME.HTT --dns-backend=BIND9_DLZ /root/samba.PDC/etc/smb.conf
>>>>>
>>>>> and getting all the services running here I get:
>>>>>
>>>>> # wbinfo -u
>>>>> administrator
>>>>> dns-homebase
>>>>> dhcpduser
>>>>> krbtgt
>>>>> guest
>>>>>
>>>>> So what went wrong? Why did not my users make it through the
>>>>> migration? I am attaching the output of the upgrade. I have
>>>>> already changed the password, so don't yell at me for not blanking
>>>>> that out.
>>>>>
>>>>> # samba-tool domain classicupgrade --dbdir=/root/samba.PDC/dbdir/ --use-xattrs=yes --realm=HOME.HTT --dns-backend=BIND9_DLZ /root/samba.PDC/etc/smb.conf
>>>>> Reading smb.conf
>>>>> NOTE: Service printers is flagged unavailable.
>>>>> NOTE: Service print$ is flagged unavailable.
>>>>> Unknown parameter encountered: "force directory security mode"
>>>>> Ignoring unknown parameter "force directory security mode"
>>>>> Provisioning
>>>>> Exporting account policy
>>>>> Exporting groups
>>>>> Exporting users
>>>>> Next rid = 1000
>>>>> Exporting posix attributes
>>>>> Reading WINS database
>>>>> Looking up IPv4 addresses
>>>>> Looking up IPv6 addresses
>>>>> No IPv6 address will be assigned
>>>>> Setting up share.ldb
>>>>> Setting up secrets.ldb
>>>>> Setting up the registry
>>>>> Setting up the privileges database
>>>>> Setting up idmap db
>>>>> Setting up SAM db
>>>>> Setting up sam.ldb partitions and settings
>>>>> Setting up sam.ldb rootDSE
>>>>> Pre-loading the Samba 4 and AD schema
>>>>> Adding DomainDN: DC=home,DC=htt
>>>>> Adding configuration container
>>>>> Setting up sam.ldb schema
>>>>> Setting up sam.ldb configuration data
>>>>> Setting up display specifiers
>>>>> Modifying display specifiers
>>>>> Adding users container
>>>>> Modifying users container
>>>>> Adding computers container
>>>>> Modifying computers container
>>>>> Setting up sam.ldb data
>>>>> Setting up well known security principals
>>>>> Setting up sam.ldb users and groups
>>>>> Setting up self join
>>>>> Setting acl on sysvol skipped
>>>>> Adding DNS accounts
>>>>> Creating CN=MicrosoftDNS,CN=System,DC=home,DC=htt
>>>>> Creating DomainDnsZones and ForestDnsZones partitions
>>>>> Populating DomainDnsZones and ForestDnsZones partitions
>>>>> Unable to find group id for BIND,
>>>>> set permissions to sam.ldb* files manually
>>>>> BIND version unknown, please modify
>>>>> /var/lib/samba/private/named.conf manually.
>>>>> See /var/lib/samba/private/named.conf for an example configuration
>>>>> include file for BIND
>>>>> and /var/lib/samba/private/named.txt for further documentation
>>>>> required for secure DNS updates
>>>>> Setting up sam.ldb rootDSE marking as synchronized
>>>>> Fixing provision GUIDs
>>>>> A Kerberos configuration suitable for Samba 4 has been generated
>>>>> at /var/lib/samba/private/krb5.conf
>>>>> Setting up fake yp server settings
>>>>> Once the above files are installed, your Samba4 server will be
>>>>> ready to use
>>>>> Admin password: ~G6;C~ojZ3<elpCAx[MH
>>>>> Server Role: active directory domain controller
>>>>> Hostname: homebase
>>>>> NetBIOS Domain: HOME
>>>>> DNS Domain: home.htt
>>>>> DOMAIN SID: S-1-5-21-4240919292-2417995422-4236335894
>>>>> Importing WINS database
>>>>> Importing Account policy
>>>>> Importing idmap database
>>>>> Cannot open idmap database, Ignoring: [Errno 2] No such file or
>>>>> directory
>>>>> Adding groups
>>>>> Importing groups
>>>>> Committing 'add groups' transaction to disk
>>>>> Adding users
>>>>> Importing users
>>>>> Committing 'add users' transaction to disk
>>>>> Adding users to groups
>>>>> Committing 'add users to groups' transaction to disk
>>>>>
>>>>>
>>>>>
>>>>
>>>> What version of ClearOS, where were the users & groups stored, and can
>>>> you post the smb.conf from the ClearOS server?
>>>
>>> # cat /etc/clearos-release
>>> ClearOS Community release 6.6.0 (Final)
>>>
>>> But I built it on 6.0. Back in Dec 2013.
>>>
>>> I am using linux users:
>>>
>>> # ls /home/ -ls
>>> total 216
>>> 4 drwx------. 3 abba allusers 4096 Jun 10 22:48 abba
>>> 4 drwx------ 2 guest2 allusers 4096 Apr 13 2013 guest2
>>> 184 drwx------ 120 imma allusers 184320 Sep 13 18:25 imma
>>> 16 drwx------. 2 root root 16384 Apr 11 2013 lost+found
>>> 4 drwx------. 2 rgm allusers 4096 Apr 11 2013 rgm
>>> 4 drwx------ 2 superrgm allusers 4096 Apr 13 2013 superrgm
>>>
>>>
>>> # cat /etc/samba/smb.conf
>>> [global]
>>> # General
>>> netbios name = HOMEBASE
>>> workgroup = HOME
>>> server string = home
>>> security = user
>>>
>>> # Logging
>>> syslog = 0
>>> log level = 1
>>> log file = /var/log/samba/%L-%m
>>> max log size = 0
>>> utmp = Yes
>>>
>>> # Network
>>> bind interfaces only = No
>>> interfaces = lo eth0
>>> smb ports = 139
>>>
>>> # Printing
>>> printcap name = /etc/printcap
>>> load printers = Yes
>>>
>>> # Security settings
>>> guest account = guest
>>> #restrict anonymous = 2
>>>
>>> # WINS
>>> wins support = Yes
>>> wins server =
>>>
>>> # PDC/BDC
>>> domain logons = Yes
>>> add machine script = /usr/sbin/samba-add-machine "%u"
>>> logon drive = H:
>>> logon script = %U.cmd
>>> logon path = \\%L\profiles\%U
>>> logon home = \\%L\%U
>>>
>>> # Winbind
>>> idmap config * : backend = ldap
>>> idmap config * : range = 20000000-29999999
>>> winbind enum users = Yes
>>> winbind enum groups = Yes
>>> winbind offline logon = false
>>> winbind use default domain = true
>>> winbind separator = +
>>> template homedir = /home/%U
>>> template shell = /sbin/nologin
>>>
>>> # Other
>>> preferred master = Yes
>>> domain master = Yes
>>> passwd program = /usr/sbin/userpasswd %u
>>> passwd chat = *password:* %n\n *password:* %n\n *successfully.*
>>> passwd chat timeout = 10
>>> username map = /etc/samba/smbusers
>>> wide links = No
>>>
>>> # LDAP settings
>>> include = /etc/samba/smb.ldap.conf
>>>
>>> # Winbind LDAP settings
>>> include = /etc/samba/smb.winbind.conf
>>>
>>> #============================ Share Definitions ==============================
>>>
>>> # Flexshare
>>> # include = /etc/samba/flexshare.conf
>>>
>>> include = /etc/samba/flexshare.conf
>>>
>>> include = /etc/samba/extras.conf
>>>
>>> [homes]
>>> comment = Home Directories
>>> path = /home/%U
>>> valid users = %D\%S, %D+%S, %S
>>> read only = No
>>> browseable = No
>>> available = Yes
>>>
>>> [printers]
>>> comment = Print Spool
>>> path = /var/spool/samba
>>> printing = cups
>>> cups options = raw
>>> use client driver = Yes
>>> printable = Yes
>>> read only = No
>>> browseable = No
>>> available = No
>>>
>>> [print$]
>>> comment = Printer Drivers
>>> path = /var/samba/drivers
>>> read only = No
>>> browseable = No
>>> available = No
>>>
>>> [netlogon]
>>> comment = Network Logon Service
>>> path = /var/samba/netlogon
>>> read only = No
>>> locking = No
>>> browseable = No
>>> available = Yes
>>>
>>> [profiles]
>>> comment = Profile Share
>>> path = /var/samba/profiles
>>> read only = No
>>> profile acls = Yes
>>> browseable = No
>>> available = Yes
>>> force group = domain_users
>>> force directory mode = 02775
>>> force directory security mode = 02775
>>>
>>>
>>>
>>
>> What is in the include files? It looks like the user & group info is
>> stored in LDAP.
>
> # more /etc/samba/smb.ldap.conf
> # Please do not edit - this file is automatically generated.
>
> passdb backend = ldapsam:ldap://127.0.0.1
> ldap admin dn = cn=manager,ou=Internal,dc=home,dc=htt
> ldap group suffix = ou=Groups,ou=Accounts
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Computers,ou=Accounts
> ldap passwd sync = No
> ldap suffix = dc=home,dc=htt
> ldap user suffix = ou=Users,ou=Accounts
> ldap connection timeout = 8
> ldap ssl = Off
>
> # more /etc/samba/smb.winbind.conf
> # Please do not edit - this file is automatically generated.
>
>
> idmap config * : ldap_url = ldap://127.0.0.1
> idmap config * : ldap_base_dn = ou=Idmap,dc=home,dc=htt
> idmap config * : ldap_user_dn = cn=manager,ou=Internal,dc=home,dc=htt
>
> Other interesting files under /etc/samba are:
>
> # more localsid
> S-1-5-21-4240919292-2417995422-4236335894
> # more domainsid
> S-1-5-21-4240919292-2417995422-4236335894
> # more smbusers
> # Unix_name = SMB_name1 SMB_name2 ...
> root = administrator admin
> nobody = guest pcguest smbguest
> # more lmhosts
> 127.0.0.1 localhost
>
>
OK, did you read this page on the wiki?
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29
Specifically, the part with the heading 'LDAP'?
Rowland
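
In this thread the account backend is set only in an included file (smb.ldap.conf), so the main smb.conf alone does not show where the users and groups live. The following is an added example, not part of the original messages or of Samba: a small Python check that follows `include` lines and reports the effective `passdb backend`. The function names and the trimmed sample files are constructed for illustration.

```python
# Constructed sample: trimmed copies of the three files quoted in the thread.
SAMPLE_FILES = {
    "/etc/samba/smb.conf": (
        "[global]\n"
        "workgroup = HOME\n"
        "include = /etc/samba/smb.ldap.conf\n"
        "include = /etc/samba/smb.winbind.conf\n"
        "[homes]\n"
        "path = /home/%U\n"),
    "/etc/samba/smb.ldap.conf": (
        "passdb backend = ldapsam:ldap://127.0.0.1\n"
        "ldap suffix = dc=home,dc=htt\n"),
    "/etc/samba/smb.winbind.conf": (
        "idmap config * : ldap_url = ldap://127.0.0.1\n"),
}

def load_global(path, read, out, section="global", seen=()):
    """Collect [global] parameters into out, following include lines in order."""
    if path in seen:                       # guard against include loops
        return section
    try:
        text = read(path)
    except (KeyError, OSError):            # include target missing on this host
        out.setdefault("_unreadable", []).append(path)
        return section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = "".join(key.split()).lower() # names ignore case and spaces
        if sep and key == "include":
            section = load_global(value.strip(), read, out, section, seen + (path,))
        elif sep and section == "global":
            out[key] = (value.strip(), path)  # a later setting overrides an earlier one
    return section

def account_store(path, read):
    """Report the effective passdb backend and the file that set it."""
    params = {}
    load_global(path, read, params)
    value, source = params.get("passdbbackend", (None, None))
    return {"backend": value, "set_in": source,
            "in_ldap": bool(value) and value.lower().startswith("ldapsam"),
            "unreadable": params.get("_unreadable", [])}
```

To run it against real files, pass `lambda p: open(p).read()` as `read`; any include target that is missing from the copied configuration shows up under `unreadable`.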