[Samba] classicupgrade questions
Michal67M at seznam.cz
Wed Jul 11 06:27:16 UTC 2018
---------- Original e-mail ----------
> Problem a)
"
> ...
> init_sam_from_ldap: Entry found for user: pc0027$
> init_sam_from_ldap: Failed to find Unix account for pc0027$
1. Error
> ldapsam_getsampwnam: init_sam_from_ldap failed for user 'pc0027$'!
> ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user
> information for 'pc0027$', (-1073741724,The specified account does
> not exist.)
"init_sam_from_ldap" is not able to find expected information for the object
'pc0027$'.
> File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
> return self.run(*args, **kwargs)
> File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 1636, in run
> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
> File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/upgrade.py", line 568, in upgrade_from_samba3
> user = s3db.getsampwnam(username)
>
> The machine LDAP data:
> # pc0027$, machines, nspuh.cz
> dn: uid=pc0027$,ou=machines,dc=nspuh,dc=cz
> uid: pc0027$
> objectClass: account
> objectClass: sambaSamAccount
> sambaPwdMustChange: 2147483647
> sambaAcctFlags: [W ]
> sambaPwdCanChange: 1158129830
> sambaPwdLastSet: 1158129830
> displayName: PC0027$
> sambaSID: S-1-5-21-..numbers here...-45023
Objectclass is wrong!
"init_sam_from_ldap" searches for "objectClass: posixAccount"
Your problem is that you are *not* using "objectClass: posixAccount". So
your machine objects have no posix attributes. I assume you store the posix
stuff in /etc/passwd, shadow and group. This works until today, but has been
deprecated for decades.
i.e.
# ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -W -b ou=machines,ou=accounts,dc=europa,dc=xx -s onelevel 'uid=ainf17$'
Enter LDAP Password:
dn: uid=ainf17$,ou=machines,ou=accounts,dc=europa,dc=xx
cn: ainf17$
uid: ainf17$
uidNumber: 10020
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: posixAccount
objectClass: account
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W ]
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-21040
sambaPrimaryGroupSID: S-1-5-21-3958726613-3318811842-4132420312-515
displayName: ainf17$
sambaDomainName: EUROPA
sambaNTPassword: 91883F44E044F4F12A683E4683B2CE9D
sambaPwdLastSet: 1387993516
These attributes must exist:
cn uid uidNumber gidNumber homeDirectory sambaSID
"
Yes, you're right, I (already) added machines posixAccount attribs into
LDAP data and classicupgrade was satisfied.
"
> b) After upgrade, a lot of imported users in AD have "account
> disabled". One of them, as far as I can remember, was user "anger":
> dn: uid=anger,ou=People,dc=nspuh,dc=cz
> objectClass: shadowAccount
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: OXUserObject
> objectClass: posixAccount
> objectClass: top
> objectClass: sambaSamAccount
> uid: anger
> shadowMin: 0
> shadowMax: 9999
> shadowWarning: 7
> shadowExpire: 0
> cn: anger
> preferredLanguage: EN
> userCountry: Czech Republic
> mailEnabled: OK
> lnetMailAccess: TRUE
> OXAppointmentDays: 5
> OXGroupID: 500
> OXTaskDays: 5
> OXTimeZone:: RXVyb3BlL3ByYWd1ZSA=
> loginShell: /usr/bin/ksh
> uidNumber: 270
> gidNumber: 20
> homeDirectory: /home/anger
> sambaSID: S-1-5-21-......-1540
> employeeNumber: 114
> sambaPwdLastSet: 1344931739
> mail: anger at nemuh.cz
> mailDomain: nemuh.cz
> o: UHN a.s.
> description:: WmRlbsSbayBBbmdlcg==
> givenName:: WmRlbsSbaw==
> sn: ANGER
> gecos: MUDr. Zdenek Anger
> ou: -
>
> Why is imported/upgraded account locked?
I do not know. Maybe the "OX..." attributes, maybe the base64 encoded
attributes, maybe something else.
"
I stopped searching for this for now, as I ran into bigger problems
elsewhere :-]
"
> c) After upgrade, national characters in (probably) user description
> and givenName are not correctly displayed - there are question marks in
> the names (in AD administration), every user (with national
> characters in their names) has the problem.
> Why?
Maybe the migration script does not handle base64 encoded strings
correctly.
i.e.
givenName:: WmRlbsSbaw==
# echo -n WmRlbsSbaw== | base64 -d ;echo
Zdeněk
If a value is base64 encoded, then the field separator is a double colon.
"
Yes, this was because of running classicupgrade on a different (new) server
with a different language encoding. After removing unix charset from the samba
config the names are correct.
Thanks, Michal
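
The check discussed in this thread, as an added example that is not part of the original e-mails or of Samba's code: a pre-flight pass over an `ldapsearch -LLL` export that reports `sambaSamAccount` entries lacking `posixAccount` or the required attributes, decoding `::` base64 values on the way. The function names, the example.com entries and the SIDs are constructed for this example.

```python
import base64
# Attributes the reply above lists as mandatory for classicupgrade.
REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory", "sambaSID")

def parse_ldif(text):
    # Yield one {lowercased attribute: [values]} dict per LDIF entry.
    for block in text.replace("\n ", "").split("\n\n"):  # unfold wrapped lines first
        entry = {}
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            value = rest.lstrip(":").strip()
            if rest.startswith(":"):  # "attr:: value" marks a base64 value
                value = base64.b64decode(value).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value)
        if entry:
            yield entry

def preflight(entries):
    # Return {dn: [problems]} for sambaSamAccount entries lacking posix data.
    report = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        problems = [] if "posixaccount" in classes else ["objectClass posixAccount missing"]
        problems += [a + " missing" for a in REQUIRED if a.lower() not in e]
        if "sambasamaccount" in classes and problems:
            report[e["dn"][0]] = problems
    return report

# Constructed sample export; names and SIDs are made up for this example.
SAMPLE = """\
dn: uid=pc0001$,ou=machines,dc=example,dc=com
uid: pc0001$
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-1001

dn: uid=zdenek,ou=People,dc=example,dc=com
cn: zdenek
uid: zdenek
uidNumber: 1000
gidNumber: 100
homeDirectory: /home/zdenek
objectClass: posixAccount
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-3000
givenName:: WmRlbsSbaw==
"""
print(preflight(parse_ldif(SAMPLE)))
```

Feeding it the real export before running classicupgrade lists every account that would stop the import the way `pc0027$` did.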