[Samba] classicupgrade questions

Harry Jede walk2sun at arcor.de
Tue Jul 10 09:01:32 UTC 2018 

Am Mittwoch, 4. Juli 2018, 08:55:19 CEST schrieb Michal via samba:
> I am trying to do a classicupgrade.  (This is not 1st try, I went
> through it once time already; then I deleted all data and trying it
> again, with questions now.)
Long Story. I will try to describe your problem as short as possible


> Command
> 
> samba-tool domain classicupgrade --dbdir=/etc/samba.PDC/
> --realm=ad.nemuh.cz --dns-backend=BIND9_DLZ
> /etc/samba.PDC/smb.PDC.conf
> 
> Problem a)
> ...
> init_sam_from_ldap: Entry found for user: pc0027$
> init_sam_from_ldap: Failed to find Unix account for pc0027$
1. Error

> ldapsam_getsampwnam: init_sam_from_ldap failed for user 'pc0027$'!
> ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user
> information for 'pc0027$', (-1073741724,The specified account does
> not exist.)
"init_sam_from_ldap" is not able to find expected information for the object 
'pc0027$'.

>   File
> "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/__
> init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File
> "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/
> domain.py", line 1636, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File
> "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/upgrade.py",
> line 568, in upgrade_from_samba3
>     user = s3db.getsampwnam(username)
> 
> The machine LDAP data:
> # pc0027$, machines, nspuh.cz
> dn: uid=pc0027$,ou=machines,dc=nspuh,dc=cz
> uid: pc0027$
> objectClass: account
> objectClass: sambaSamAccount
> sambaPwdMustChange: 2147483647
> sambaAcctFlags: [W          ]
> sambaPwdCanChange: 1158129830
> sambaPwdLastSet: 1158129830
> displayName: PC0027$
> sambaSID: S-1-5-21-..numbers here...-45023
Objectclass is wrong!

"init_sam_from_ldap" searches for "objectClass: posixAcount"

Your problem is, that you are *not* using "objectClass: posixAcount". So 
your machine objects have no posix attributes. I assume you store the 
posix stuff in /etc/passwd shadow and group. This works until today, but is 
depreciated since decades.

i.e.
# ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -W -b 
ou=machines,ou=accounts,dc=europa,dc=xx -s onelevel 'uid=ainf17$' 
Enter LDAP Password: 
dn: uid=ainf17$,ou=machines,ou=accounts,dc=europa,dc=xx
cn: ainf17$
uid: ainf17$
uidNumber: 10020
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: posixAccount
objectClass: account
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W          ]
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-21040
sambaPrimaryGroupSID: 
S-1-5-21-3958726613-3318811842-4132420312-515
displayName: ainf17$
sambaDomainName: EUROPA
sambaNTPassword: 91883F44E044F4F12A683E4683B2CE9D
sambaPwdLastSet: 1387993516

These attributes must exist: 
cn uid uidNumber gidNumber homeDirectory sambaSID


After you have modified your machine objects, you should clean up /etc/
passwd. You should also reload all caching daemons.
net cache flush
nscd -i passwd
nscd -i group

Maybe you have more caching daemons, i.e. nslcd or sssd

> When I delete this machine from LDAP, the problem occurs with another
> computer.. and with another.. I finally deleted all machine/computer
> accounts from LDAP to be able to process users.  What's wrong with the
> machine accounts?




> b) After upgrade, a lot of imported users in AD have "account
> disabled". One of them, as far as I can remember, was user "anger":
> dn: uid=anger,ou=People,dc=nspuh,dc=cz
> objectClass: shadowAccount
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: OXUserObject
> objectClass: posixAccount
> objectClass: top
> objectClass: sambaSamAccount
> uid: anger
> shadowMin: 0
> shadowMax: 9999
> shadowWarning: 7
> shadowExpire: 0
> cn: anger
> preferredLanguage: EN
> userCountry: Czech Republic
> mailEnabled: OK
> lnetMailAccess: TRUE
> OXAppointmentDays: 5
> OXGroupID: 500
> OXTaskDays: 5
> OXTimeZone:: RXVyb3BlL3ByYWd1ZSA=
> loginShell: /usr/bin/ksh
> uidNumber: 270
> gidNumber: 20
> homeDirectory: /home/anger
> sambaSID: S-1-5-21-......-1540
> employeeNumber: 114
> sambaPwdLastSet: 1344931739
> mail: anger at nemuh.cz
> mailDomain: nemuh.cz

More information about the samba mailing list