[Samba] classicupgrade migration issues

Mon Mar 7 19:57:45 UTC 2016

On 07/03/16 19:04, Sonic wrote:
> Sorry for the long post but attempted this several over the past year
> with no success but staying on an NT4 domain is no longer viable. Need
> to get this resolved so hopefully there will be a clue somewhere in
> this montage.
>
> The current PDC is samba-3.6.25 running on Gentoo using tdbsam backend.
> The new AD will be a Debian LXC container running on Debian Jessie
> using samba compiled from git (currently Samba 4.5.0pre1-GIT-8e0e4f5).

Please don't use Samba from git for anything other than testing, I would 
suggest using the latest 4.4.0rc version from here: 
https://download.samba.org/pub/samba/rc/samba-4.4.0rc3.tar.gz

>
> I'm getting the exact same problems as tests that were done in the
> past (previous attempts were done in VM environment vs LXC, so these
> aren't LXC related issues).
>
> For reference samba-master was configured:
> "configure --disable-cups --disable-iprint --without-quotas
> --disable-avahi --with-systemd --without-ntvfs-fileserver"

I would suggest that you just run './configure && make && make install'

Can we (as a start) see the smb.conf from the original 'PDC'

Rowland

>
> Via the Wiki the tdb's and smb.conf were collected and the migration started:
> "samba-tool domain classicupgrade --dbdir=/mnt/samba.PDC/dbdir/
> --use-xattrs=yes --realm=office.example.com --dns-backend=BIND9_DLZ
> /mnt/samba.PDC/smb.conf"
>
> Output during migration:
> ========================================
> Exporting groups
> Ignoring group 'Assistants' S-1-5-21-1832519723-2688400599-3493754984-1891
> listed but then not found: Unable to enumerate group members, (-1
> 073741722,No such group)
> Ignoring group 'Projects' S-1-5-21-1832519723-2688400599-3493754984-1092 listed
> but then not found: Unable to enumerate group members, (-107
> 3741722,No such group)
> Ignoring group 'Management' S-1-5-21-1832519723-2688400599-3493754984-1885
> listed but then not found: Unable to enumerate group members, (-1
> 073741722,No such group)
> Ignoring group 'Print Operators' S-1-5-21-1832519723-2688400599-3493754984-550
> listed but then not found: Unable to enumerate group members,
>   (-1073741722,No such group)
> Ignoring group 'Domain Admins' S-1-5-21-1832519723-2688400599-3493754984-512
> listed but then not found: Unable to enumerate group members, (
> -1073741722,No such group)
> "...
> ========================================
> The above "Unable to enumerate group members" occurred for all groups,
> including "Domain Users" and "Domain Computers".

>
> Similar issue exporting users:
> ========================================
> Exporting users
> Ignoring group memberships of 'usernameone'
> S-1-5-21-1832519723-2688400599-3493754984-1448: Unable to enumerate group
> memberships, (-1073741724
> ,No such user)
> ...
> ========================================
> and so on.
>
> Then on importing groups:
> ========================================
> Could not add group name=Print Operators ((68, "samldb: Account name
> (sAMAccountName) 'Print Operators' already in use!"))
> Could not modify AD idmap entry for
> sid=S-1-5-21-1832519723-2688400599-3493754984-550, id=449, type=ID_TYPE_GID
> ((32, "Base-DN '<SID=S-1-5-2
> 1-1832519723-2688400599-3493754984-550>' not found"))
> Could not add posix attrs for AD entry for
> sid=S-1-5-21-1832519723-2688400599-3493754984-550, ((32, "Base-DN
> '<SID=S-1-5-21-1832519723-26884
> 00599-3493754984-550>' not found"))
> Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-512,
> groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
> Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-514,
> groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
> Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-513,
> groupname=Domain Users existing_groupname=Domain Users, Ignoring.
> Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-515,
> groupname=Domain Computers existing_groupname=Domain Computers, Igno
> ring.
> ========================================
>
> The rest seemed to be OK, just a warning at the end:
> ========================================
> User root has been kept in the directory, it should be removed in favour of the
> Administrator user
> ========================================
>
> Results:
> The typical tests work fine:
> smbclient -L localhost -U%
> smbclient //localhost/netlogon -UAdministrator -c 'ls'
> DNS passes tests
> Kerberos test passes
>
> Problems I see:
> ========================================
> samba-tool dbcheck
> Checking 573 objects
> Bad talloc magic value - unknown value
> Aborted
>
> "samba-tool user list"
> Only 5 imported users out of over 300 show up after that commend. However:
> "samba-tool group listmembers "Domain Users""
> does appear to list all of the users (when is a user not a user?) and
> "samba-tool group list"
> does list the previous ignored groups in the Exporting groups section
>
> "pdbedit -v -L"
> only lists the created and additional 5 imported users, however
> "pdbedit -v usernameone"
> will list the details for the specific user.
> ========================================
>
> Note that I also attempted this after checking the tdb's for errors
> and repacking them using tdbtool - no difference.
> Thanks to all who can assist.
>
> Chris
>