[Samba] classicupgrade migration issues

Rowland penny rpenny at samba.org
Fri Mar 18 18:59:29 UTC 2016


On 18/03/16 18:39, Andrew Bartlett wrote:
> On Fri, 2016-03-18 at 10:31 -0400, Sonic wrote:
>> On Mon, Mar 7, 2016 at 4:38 PM, Andrew Bartlett <abartlet at samba.org>
>> wrote:
>>> Also just check you have the unix users and groups that you are trying
>>> to upgrade.
>> Do the mapped unix groups need to be added to the new host before
>> attempting the upgrade? There is nothing in the docs regarding that.
>> Am I mistaken in thinking that the AD does not rely on matching or
>> mapped unix groups and users?
> Yes.  You are correct to understand that Samba AD does not rely on
> matching mapped unix groups, but the classicupgrade process relies on
> being able to find the information about the OLD unix groups, otherwise
> it can't upgrade them!
>
>> Here's the first two "errors" on migration:
>> ==========================================
>> Ignoring group 'Assistants'
>> S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not
>> found: Unable to enumerate group members, (-1073741722,No such group)
>> Ignoring group 'Projects'
>> S-1-5-21-1832519723-2688400599-3493754984-1092 listed but then not
>> found: Unable to enumerate group members, (-1073741722,No such group)
>> ==========================================
>>
>> However the groups do exist on the original PDC host and mapped to
>> unix groups:
>> ==========================================
>> # net groupmap list
>> Assistants (S-1-5-21-1832519723-2688400599-3493754984-1891) -> asst
>> Projects (S-1-5-21-1832519723-2688400599-3493754984-1092) -> projects
>> ...
>> ==========================================
>>
>> I do not have those unix groups on the new host (but also didn't think
>> they were needed). And the migration did indeed create them in the AD
>> as samba-tool shows:
>> ==========================================
>> # samba-tool group list
>> ...
>> Assistants
>> ...
>> Projects
>> ...
>> ==========================================
>>
>> And then the user "errors":
>> ==========================================
>> Exporting users
>> Ignoring group memberships of 'usernameone'
>> S-1-5-21-1832519723-2688400599-3493754984-1448: Unable to enumerate
>> group memberships, (-1073741724,No such user)
>> ...
>> ==========================================
>> For 300 users and systems.
> Exactly.  Think about it a little - how can it determine the group
> membership, if the users/groups do not exist locally on the host doing
> the migration?
>
>> Out of approx 300 only 5 PDC users get listed after migration:
>> ==========================================
>> # samba-tool user list
>> Administrator
>> dns-kwad
>> usernameone
>> usernametwo
>> usernamethree
>> krbtgt
>> usernamefour
>> Guest
>> usernamefive
>> root
>> ==========================================
>>
>> However the users and computers are listed as group members:
>> ==========================================
>> # samba-tool group listmembers 'Domain Users' |wc -l
>> 270
>> # samba-tool group listmembers 'Domain Computers' |wc -l
>> 35
>> ==========================================
> This is expected.
>
>> It's important that I keep the same SIDs, secrets, etc. when moving to
>> the new AD structure from the old PDC structure.
>> But either I'm doing something wrong or Samba is not cooperating.
>>
>> Thanks for your assistance.
> In short, Samba has many features, but not a crystal ball.  The
> information to do the upgrade needs to be present to do the upgrade.
>   Samba3 mapped groups are really that - mapped from the posix group
> information, so Samba's databases don't contain member info.  That
> means we need the underlying unix info to be able to fill in those
> details.
>
> You are welcome to do the upgrade on one host, and then backup the DB
> and restore it on another (with the same hostname), if you don't want
> to put the unix groups there for the duration of the upgrade.
>
> The only exception here is upgrading sites with the passdb ldap
> backend.  There we use a trick the passdb code already had
> (ldapsam:trusted=yes) to read the posix info over LDAP directly, to try
> and make this a little easier.
>
> Perhaps work with Rowland to add some clarifying text to the wiki?
>
> Thanks,
>
> Andrew Bartlett
>

I have never had to run the classicupgrade, so I had to guess from the 
error messages and it sounds like I sort of got it right, the upgrade 
has to be able to read all user and group databases.

Andrew, could the upgrade code be made to read copies of /etc/passwd & 
/etc/group from the original Samba machine and if so, would it help in 
cases like this?

I am more than willing to help with updating the wiki.

Rowland
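
The check discussed in this thread, as an added example that is not part of the original messages and is not Samba code: a pre-flight script that compares `net groupmap list` output from the old PDC with the unix group database visible on the host that will run classicupgrade, and lists the mapped groups the upgrade would be unable to resolve. The function names and sample data are assumptions; the group text is assumed to be in /etc/group format (which `getent group` also prints).

```python
import re

# First two lines are the mappings quoted in the thread; the third is constructed.
GROUPMAP_SAMPLE = """\
Assistants (S-1-5-21-1832519723-2688400599-3493754984-1891) -> asst
Projects (S-1-5-21-1832519723-2688400599-3493754984-1092) -> projects
Domain Users (S-1-5-21-1832519723-2688400599-3493754984-513) -> users
"""

# Constructed sample: group database on the host doing the migration.
GROUP_FILE_SAMPLE = """\
root:x:0:
users:x:100:alice,bob
projects:x:1092:
"""

# "NT name (SID) -> unix group", as printed by `net groupmap list`.
LINE_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[\d-]+)\) -> (?P<unix>\S.*)$")


def parse_groupmap(text):
    """Return (nt_name, sid, unix_group) tuples; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["nt"], m["sid"], m["unix"].strip()))
    return entries


def parse_group_names(text):
    """Return the set of group names found in /etc/group-format text."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            names.add(line.split(":", 1)[0])
    return names


def missing_unix_groups(groupmap_text, group_file_text):
    """Mapped groups whose unix group is absent from the given group database."""
    present = parse_group_names(group_file_text)
    return [e for e in parse_groupmap(groupmap_text) if e[2] not in present]


if __name__ == "__main__":
    for nt, sid, unix in missing_unix_groups(GROUPMAP_SAMPLE, GROUP_FILE_SAMPLE):
        print(f"mapped group {nt!r} ({sid}): unix group {unix!r} not found")
```

Any group it reports is one whose membership classicupgrade would have no unix information to fill in on that host.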



