[Samba] classicupgrade migration issues

Andrew Bartlett abartlet at samba.org
Fri Mar 18 18:39:03 UTC 2016 

On Fri, 2016-03-18 at 10:31 -0400, Sonic wrote:
> On Mon, Mar 7, 2016 at 4:38 PM, Andrew Bartlett <abartlet at samba.org>
> wrote:
> > Also just check you have the unix users and groups that you are
> > trying
> > to upgrade.
> 
> Do the mapped unix groups need to be added to the new host before
> attempting the upgrade? There is nothing in the docs regarding that.
> Am I mistaken in thinking that the AD does not rely on matching or
> mapped unix groups and users?

Yes.  You are correct to understand that Samba AD does not rely on
matching mapped unix groups, but the classicupgrade process relies on
being able to find the information about the OLD unix groups, otherwise
it can't upgrade them!

> Here's the first two "errors" on migration:
> ==========================================
> Ignoring group 'Assistants'
> S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not
> found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Projects'
> S-1-5-21-1832519723-2688400599-3493754984-1092 listed but then not
> found: Unable to enumerate group members, (-1073741722,No such group)
> ==========================================
> 
> However the groups do exist on the original PDC host and mapped to
> unix groups:
> ==========================================
> # net groupmap list
> Assistants (S-1-5-21-1832519723-2688400599-3493754984-1891) -> asst
> Projects (S-1-5-21-1832519723-2688400599-3493754984-1092) -> projects
> ...
> ==========================================
> 
> I do not have those unix groups on the new host (but also didn't
> think
> they were needed). And the migration did indeed create them in the AD
> as samba-tool shows:
> ==========================================
> # samba-tool group list
> ...
> Assistants
> ...
> Projects
> ...
> ==========================================
> 
> And then the user "errors":
> ==========================================
> Exporting users
> Ignoring group memberships of 'usernameone'
> S-1-5-21-1832519723-2688400599-3493754984-1448: Unable to enumerate
> group
> memberships, (-1073741724
> ,No such user)
> ...
> ==========================================
> For 300 users and systems.

Exactly.  Think about it a little - how can it determine the group
membership, if the users/groups do not exist locally on the host doing
the migration?

> Out of approx 300 only 5 PDC users get listed after migration:
> ==========================================
> # samba-tool user list
> Administrator
> dns-kwad
> usernameone
> usernametwo
> usernamethree
> krbtgt
> usernamefour
> Guest
> usernamefive
> root
> ==========================================
> 
> However the users and computers are listed as group members:
> ==========================================
> # samba-tool group listmembers 'Domain Users' |wc -l
> 270
> # samba-tool group listmembers 'Domain Computers' |wc -l
> 35
> ==========================================

This is expected.

> It's important the I keep the same SIDs, secrets, etc. when moving to
> the new AD structure from the old PDC structure.
> But either I'm doing something wrong or Samba is not cooperating.
> 
> Thanks for your assistance.

In short, Samba has many features, but not a crystal ball.  The
information to do the upgrade needs to be present to do the upgrade. 
 Samba3 mapped groups are really that - mapped from the posix group
information, so Samba's databases don't contain member info.  That
means we need the underlying unix info to be able to fill in those
details.

You are welcome to do the upgrade on one host, and then backup the DB
and restore it on another (with the same hostname), if you don't want
to put the unix groups there for the duration of the upgrade.

The only exception here is upgrading sites with the passdb ldap
backend.  There we use a trick the passdb code already had
(ldapsam:trusted=yes) to read the posix info over LDAP directly, to try
and make this a little easier. 

Perhaps work with Rowland to add some clarifying text to the wiki?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list