[Samba] classicupgrade migration issues

Sat Mar 19 17:40:40 UTC 2016

On 19/03/16 17:16, Sonic wrote:
> On Fri, Mar 18, 2016 at 4:04 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>> The upgrade code assumes you run on the same host.  I realise now that
>> folks doing an upgrade use that an an opportunity to upgrade hardware,
>> and keep old systems as fallbacks, so the assumptions cause trouble.
>>
>> Make the new host identical in terms of the data needed to upgrade
>> (users/groups/samba databases) upgrade and then remove the posix
>> users/groups and use nss_winbind instead.
> Some progress has been made.
> After adding the groups and users to the new host I still received the
> errors "Exporting groups" until I matched the GID's. So that's a
> necessity.
>
> The problem I'm getting seems to revolve around the "Print Operators"
> account and causes the migration to crash:
> ============================
> Importing idmap database
> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
> Adding groups
> Importing groups
> Could not add group name=Print Operators ((68, "samldb: Account name
> (sAMAccountName) 'Print Operators' already in use!"))
> Could not modify AD idmap entry for
> sid=S-1-5-21-1832519723-2688400599-3493754984-550, id=449,
> type=ID_TYPE_GID ((32, "Base-DN
> '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
> Could not add posix attrs for AD entry for
> sid=S-1-5-21-1832519723-2688400599-3493754984-550, ((32, "Base-DN
> '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
> Group already exists
> sid=S-1-5-21-1832519723-2688400599-3493754984-512, groupname=Domain
> Admins existing_groupname=Domain Admins, Ignoring.
> Group already exists
> sid=S-1-5-21-1832519723-2688400599-3493754984-514, groupname=Domain
> Guests existing_groupname=Domain Guests, Ignoring.
> Group already exists
> sid=S-1-5-21-1832519723-2688400599-3493754984-513, groupname=Domain
> Users existing_groupname=Domain Users, Ignoring.
> Group already exists
> sid=S-1-5-21-1832519723-2688400599-3493754984-515, groupname=Domain
> Computers existing_groupname=Domain Computers, Ignoring.
> Committing 'add groups' transaction to disk
> Adding users
> Importing users
> User root has been kept in the directory, it should be removed in
> favour of the Administrator user
> Committing 'add users' transaction to disk
> Adding users to groups
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
> - ProvisioningError: Could not add member
> 'S-1-5-21-1832519723-2688400599-3493754984-1000' to group
> 'S-1-5-21-1832519723-2688400599-3493754984-550' as either group or
> user record doesn't exist: Base-DN
> '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found
>    File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
> line 1565, in run
>      useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>    File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py",
> line 824, in upgrade_from_samba3
>      add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
>    File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py",
> line 317, in add_users_to_group
>      raise ProvisioningError("Could not add member '%s' to group '%s'
> as either group or user record doesn't exist: %s" % (member_sid,
> group.sid, emsg))
> ============================
>
> I don't think the missing idmap (simply don't have one) database is an issue.
> But the 3 lines after "Importing groups" having to do with the "Print
> Operators" group are possible issues.
> And then the ERROR (uncaught exception) after an attempt to add a user
> to said "Print Operators" group.
>
> As "Print Operators" in listed as a BUILTIN in the AD scheme this may
> have something to do with the problem.
>
> Any ideas?
>
> Thanks,
>
> Chris

Do you have a group 'Print Operators' in your old system with the the 
SID-RID of 'S-1-5-21-1832519723-2688400599-3493754984-550' ?

If so, this could be your problem, in AD the SID-RID is 'S-1-5-32-550'

Rowland