[Samba] classicupgrade questions

Michal67M at seznam.cz Michal67M at seznam.cz
Wed Jul 11 06:27:16 UTC 2018


---------- Original e-mail ----------
> Problem a)"

> ...

> init_sam_from_ldap: Entry found for user: pc0027$

> init_sam_from_ldap: Failed to find Unix account for pc0027$

1. Error

 
 
> ldapsam_getsampwnam: init_sam_from_ldap failed for user 'pc0027$'!

> ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user information for 'pc0027$', (-1073741724,The specified account does not exist.)

"init_sam_from_ldap" is not able to find expected information for the object
'pc0027$'.

 
 
>   File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 1636, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/upgrade.py", line 568, in upgrade_from_samba3
>     user = s3db.getsampwnam(username)

> 

> The machine LDAP data:

> # pc0027$, machines, nspuh.cz

> dn: uid=pc0027$,ou=machines,dc=nspuh,dc=cz

> uid: pc0027$

> objectClass: account

> objectClass: sambaSamAccount

> sambaPwdMustChange: 2147483647

> sambaAcctFlags: [W          ]

> sambaPwdCanChange: 1158129830

> sambaPwdLastSet: 1158129830

> displayName: PC0027$

> sambaSID: S-1-5-21-..numbers here...-45023

Objectclass is wrong!

 
 
"init_sam_from_ldap" searches for "objectClass: posixAccount"

Your problem is that you are *not* using "objectClass: posixAccount". So
your machine objects have no posix attributes. I assume you store the posix
stuff in /etc/passwd, shadow and group. This works until today, but has been
deprecated for decades.

 
 
i.e.

# ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -W -b ou=machines,ou=accounts,dc=europa,dc=xx -s onelevel 'uid=ainf17$'

Enter LDAP Password: 

dn: uid=ainf17$,ou=machines,ou=accounts,dc=europa,dc=xx

cn: ainf17$

uid: ainf17$

uidNumber: 10020

gidNumber: 515

homeDirectory: /dev/null

loginShell: /bin/false

description: Computer

gecos: Computer

objectClass: posixAccount

objectClass: account

objectClass: sambaSamAccount

sambaLogonTime: 0

sambaLogoffTime: 2147483647

sambaKickoffTime: 2147483647

sambaPwdCanChange: 0

sambaPwdMustChange: 2147483647

sambaAcctFlags: [W ]

sambaSID: S-1-5-21-3958726613-3318811842-4132420312-21040

sambaPrimaryGroupSID: S-1-5-21-3958726613-3318811842-4132420312-515

displayName: ainf17$

sambaDomainName: EUROPA

sambaNTPassword: 91883F44E044F4F12A683E4683B2CE9D

sambaPwdLastSet: 1387993516

 
 
These attributes must exist: 

cn uid uidNumber gidNumber homeDirectory sambaSID

 

"
  Yes, you're right, I (already) added machines posixAccount attribs into 
LDAP data and classicupgrade was satisfied.

 
"


 
 
 
 
 
 
 
> b) After upgrade, a lot of imported users in AD have "account

> disabled". One of them, as far as I can remember, was user "anger":

> dn: uid=anger,ou=People,dc=nspuh,dc=cz

> objectClass: shadowAccount

> objectClass: person

> objectClass: inetOrgPerson

> objectClass: OXUserObject

> objectClass: posixAccount

> objectClass: top

> objectClass: sambaSamAccount

> uid: anger

> shadowMin: 0

> shadowMax: 9999

> shadowWarning: 7

> shadowExpire: 0

> cn: anger

> preferredLanguage: EN

> userCountry: Czech Republic

> mailEnabled: OK

> lnetMailAccess: TRUE

> OXAppointmentDays: 5

> OXGroupID: 500

> OXTaskDays: 5

> OXTimeZone:: RXVyb3BlL3ByYWd1ZSA=

> loginShell: /usr/bin/ksh

> uidNumber: 270

> gidNumber: 20

> homeDirectory: /home/anger

> sambaSID: S-1-5-21-......-1540

> employeeNumber: 114

> sambaPwdLastSet: 1344931739

> mail: anger at nemuh.cz

> mailDomain: nemuh.cz

> o: UHN a.s.

> description:: WmRlbsSbayBBbmdlcg==

> givenName:: WmRlbsSbaw==

> sn: ANGER

> gecos: MUDr. Zdenek Anger

> ou: -

> 

>   Why is imported/upgraded account locked?

I do not know. Maybe the "OX..." attributes, maybe the base64 encoded 
attributes, maybe something else.

"



  I stopped searching for this for now, as I ran into bigger problems
elsewhere :-]




"





> c) After upgrade, national characters in (probably) user description

> and givenName are not correctly displayed - there are question marks in

> the names (in AD administration), every user (with national

> characters in their names) has the problem.

>   Why?  
 
Maybe the migration script does not handle base64 encoded strings
correctly.

i.e.

 
 
givenName:: WmRlbsSbaw==

 
 
# echo -n WmRlbsSbaw== | base64 -d ;echo

Zdeněk

 
 
If a value is base64 encoded, then the field separator is a double colon.

"



  Yes, this was because of running classicupgrade on a different (new) server
with a different language encoding. After removing unix charset from the samba
config the names are correct.




  Thanks, Michal

