[Samba] Fwd: Migrating server

Harry Jede walk2sun at arcor.de
Thu Mar 8 14:04:05 UTC 2018

Hi Rob,

first things first. Thanks for the attached logs.txt!!!

> Hi Harry,
> Here are the outputs. I've attached them as logs with this email too.
> root at sam3dc:/tmp/ldifs-gr# ldapmodify -Y external -H ldapi:/// -f olcdbindex.ldif
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifying entry "olcDatabase={1}hdb,cn=config"
> root at sam3dc:/tmp/ldifs-gr# service slapd stop
>  * Stopping OpenLDAP slapd
>    [ OK ]
> root at sam3dc:/tmp/ldifs-gr# slapindex -v -n 1
> Runnig as root!
> There's a fair chance slapd will fail to start.
I've overlooked this very important error message, sorry.

> Check file permissions!
We have run the slapindex command as root. So root becomes
the owner of the files. That is surely wrong; openldap
should be the owner.
This happens because of the not so sophisticated install
scripts of Debian/Ubuntu. This is not easily fixable without
breaking thousands of installations.

Do the following:
stop slapd

# chown -R openldap:openldap /etc/ldap/slapd.d/cn\=config/
# chown -R openldap:openldap /var/lib/ldap/ 

start slapd

> indexing id=00000001
> indexing id=00000002
> indexing id=00000003
> indexing id=00000004
> indexing id=00000005
> indexing id=00000006
> It goes on and completes the indexing

> root at sam3dc:/tmp/ldifs-gr# service slapd start
>  * Starting OpenLDAP slapd
>    [ OK ]
> net getdomainsid
> SID for local machine sam3dc is: S-1-5-21-286905455-3929894668-3957719032
> SID for domain mydomain is: S-1-5-21-3936576374-1604348213-1812465911
And this is why I prefer this command!!!
You have different SIDs for PDC and DOMAIN and that is wrong!
> net getlocalsid
> SID for local machine sam3dc is:
> S-1-5-21-286905455-3929894668-3957719032
Nice command but did not help here. Just to show.

> getent passwd sadmin
> sadmin:x:1359:1359::/home/sadmin:/bin/sh
> getent passwd tadmin
> tadmin:x:1262:1150:Temp Admin,,,:/home/tadmin:/bin/bash
> root at sam3dc:/# getent group 512
> root at sam3dc:/#
> root at sam3dc:/# getent group 1359
> sadmin:x:1359:
getent group 1150

and let us check if these groups are in LDAP

## a long one liner
# for g in 512 1359 1150; do ldapsearch -xLLL -b dc=mydomain "(&(objectclass=posixgroup)(gidnumber=$g))";done

> SYSLOG during the netdomainsid and getlocalsid

Until Tuesday I'm offline.


	Harry Jede

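Two checks for the two problems discussed in this thread (files under the slapd directories owned by root after slapindex was run as root, and a machine SID that differs from the domain SID), as an added example that is not part of Harry's or Rob's mails. The function names are my own, and the sample `net getdomainsid` output is constructed from the SIDs quoted above.

```shell
#!/bin/sh
# Added example, not from the mailing list. Plain POSIX sh.

# check_owner DIR USER: list every path under DIR not owned by USER (what
# is left behind when "slapindex" is run as root). Returns 0 if everything
# is owned by USER, 1 if some paths are not (they are printed), 2 if USER
# is not a known account on this host.
check_owner() {
    dir=$1; user=$2
    id "$user" >/dev/null 2>&1 || { echo "unknown user: $user" >&2; return 2; }
    bad=$(find "$dir" ! -user "$user" 2>/dev/null || true)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# check_sids: read "net getdomainsid" output on stdin and compare the local
# machine SID with the domain SID; on a PDC the two must be identical.
# Returns 0 if they match, 1 if they differ (both are printed), 2 if two
# SIDs could not be found. Words are split onto separate lines first so
# that line-wrapped output (as in the mailing-list copy) still parses.
check_sids() {
    sids=$(tr ' \t' '\n\n' | grep -E '^S-1-5-21(-[0-9]+)+$' || true)
    local_sid=$(printf '%s\n' "$sids" | sed -n 1p)
    domain_sid=$(printf '%s\n' "$sids" | sed -n 2p)
    [ -n "$local_sid" ] && [ -n "$domain_sid" ] || return 2
    [ "$local_sid" = "$domain_sid" ] && return 0
    printf 'mismatch: machine %s, domain %s\n' "$local_sid" "$domain_sid"
    return 1
}

# Constructed sample: the two SIDs from the thread, in the one-SID-per-line
# form that "net getdomainsid" prints.
SAMPLE_NET_OUTPUT='SID for local machine sam3dc is: S-1-5-21-286905455-3929894668-3957719032
SID for domain mydomain is: S-1-5-21-3936576374-1604348213-1812465911'

# Demo on the sample. On a real Debian/Ubuntu DC you would run instead:
#   net getdomainsid | check_sids
#   check_owner /etc/ldap/slapd.d openldap && check_owner /var/lib/ldap openldap
if printf '%s\n' "$SAMPLE_NET_OUTPUT" | check_sids; then
    echo "SIDs consistent"
else
    echo "machine SID and domain SID differ: this PDC is misconfigured"
fi
```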