[Samba] classicupgrade migration issues

Sonic sonicsmith at gmail.com
Mon Mar 7 19:04:57 UTC 2016 

Sorry for the long post but attempted this several over the past year
with no success but staying on an NT4 domain is no longer viable. Need
to get this resolved so hopefully there will be a clue somewhere in
this montage.

The current PDC is samba-3.6.25 running on Gentoo using tdbsam backend.
The new AD will be a Debian LXC container running on Debian Jessie
using samba compiled from git (currently Samba 4.5.0pre1-GIT-8e0e4f5).

I'm getting the exact same problems as tests that were done in the
past (previous attempts were done in VM environment vs LXC, so these
aren't LXC related issues).

For reference samba-master was configured:
"configure --disable-cups --disable-iprint --without-quotas
--disable-avahi --with-systemd --without-ntvfs-fileserver"

Via the Wiki the tdb's and smb.conf were collected and the migration started:
"samba-tool domain classicupgrade --dbdir=/mnt/samba.PDC/dbdir/
--use-xattrs=yes --realm=office.example.com --dns-backend=BIND9_DLZ
/mnt/samba.PDC/smb.conf"

Output during migration:
========================================
Exporting groups
Ignoring group 'Assistants' S-1-5-21-1832519723-2688400599-3493754984-1891
listed but then not found: Unable to enumerate group members, (-1
073741722,No such group)
Ignoring group 'Projects' S-1-5-21-1832519723-2688400599-3493754984-1092 listed
but then not found: Unable to enumerate group members, (-107
3741722,No such group)
Ignoring group 'Management' S-1-5-21-1832519723-2688400599-3493754984-1885
listed but then not found: Unable to enumerate group members, (-1
073741722,No such group)
Ignoring group 'Print Operators' S-1-5-21-1832519723-2688400599-3493754984-550
listed but then not found: Unable to enumerate group members,
 (-1073741722,No such group)
Ignoring group 'Domain Admins' S-1-5-21-1832519723-2688400599-3493754984-512
listed but then not found: Unable to enumerate group members, (
-1073741722,No such group)
"...
========================================
The above "Unable to enumerate group members" occurred for all groups,
including "Domain Users" and "Domain Computers".

Similar issue exporting users:
========================================
Exporting users
Ignoring group memberships of 'usernameone'
S-1-5-21-1832519723-2688400599-3493754984-1448: Unable to enumerate group
memberships, (-1073741724
,No such user)
...
========================================
and so on.

Then on importing groups:
========================================
Could not add group name=Print Operators ((68, "samldb: Account name
(sAMAccountName) 'Print Operators' already in use!"))
Could not modify AD idmap entry for
sid=S-1-5-21-1832519723-2688400599-3493754984-550, id=449, type=ID_TYPE_GID
((32, "Base-DN '<SID=S-1-5-2
1-1832519723-2688400599-3493754984-550>' not found"))
Could not add posix attrs for AD entry for
sid=S-1-5-21-1832519723-2688400599-3493754984-550, ((32, "Base-DN
'<SID=S-1-5-21-1832519723-26884
00599-3493754984-550>' not found"))
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-512,
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-514,
groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-513,
groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-515,
groupname=Domain Computers existing_groupname=Domain Computers, Igno
ring.
========================================

The rest seemed to be OK, just a warning at the end:
========================================
User root has been kept in the directory, it should be removed in favour of the
Administrator user
========================================

Results:
The typical tests work fine:
smbclient -L localhost -U%
smbclient //localhost/netlogon -UAdministrator -c 'ls'
DNS passes tests
Kerberos test passes

Problems I see:
========================================
samba-tool dbcheck
Checking 573 objects
Bad talloc magic value - unknown value
Aborted

"samba-tool user list"
Only 5 imported users out of over 300 show up after that commend. However:
"samba-tool group listmembers "Domain Users""
does appear to list all of the users (when is a user not a user?) and
"samba-tool group list"
does list the previous ignored groups in the Exporting groups section

"pdbedit -v -L"
only lists the created and additional 5 imported users, however
"pdbedit -v usernameone"
will list the details for the specific user.
========================================

Note that I also attempted this after checking the tdb's for errors
and repacking them using tdbtool - no difference.
Thanks to all who can assist.

Chris

More information about the samba mailing list