[Samba] Migrating from Samba 3: no groups/users are imported ("listed, but then not found", "does not belong to our domain")
Konstantin Boyandin (lists)
lists at boyandin.info
Mon Sep 3 04:27:07 UTC 2018
Hello,
Going further with migrating NT4 domain (Samba 3) to Samba 4. Thanks for
the previous suggestions.
When doing
# samba-tool domain classicupgrade --dbdir=/usr/local/samba.LAN/
--realm=ad-lan.com --dns-backend=BIND9_DLZ /usr/local/samba.LAN/smb.conf
--option="interfaces=lo ens3" --option="bind interfaces only=yes"
I see in stderr the below:
Ignoring group 'ossi' S-1-5-21-1411277624-4092985889-3405756581-3001
listed but then not found: Unable to enumerate group members,
(-1073741722,The specified group does not exist.)
for every group from existing LDAP backend of Samba 3, and
sid S-1-5-21-1411277624-4092985889-3405756581-2062 does not belong to
our domain
for every user ID.
After I start the upgraded domain:
# net getdomainsid
SID for domain AD-LAN is: S-1-5-21-2473926874-590573496-2946143095
and on original Samba 3 domain controller:
# net getdomainsid
SID for local machine PDCLAN is:
S-1-5-21-1411277624-402985889-3405756581
SID for domain LAN is: S-1-5-21-1411277624-4092985889-3405756581
I.e., the domains SID are different (which is expected).
How do I make the groups/users be imported?
The smb.conf used is below:
--------------------------------- smb.conf below
[global]
unix charset = UTF8
workgroup = AD-LAN
netbios name = DC
server max protocol = NT1
server string = AD-LAN.COM domain controller
passdb backend =ldapsam:"ldap://10.1.0.10"
username map = /etc/samba/smbusers
interfaces = ens3 lo
bind interfaces only = yes
enable privileges = yes
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 0
name resolve order = wins bcast host
time server = Yes
printcap name = CUPS
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -W '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = %u.bat
logon drive = W:
logon home = \\%L\%u
logon path = \\%L\profiles\%u
domain logons = Yes
domain master = Yes
wins support = Yes
ldapsam:trusted = no
ldap ssl = off
ldap suffix = dc=company,dc=lan
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=company,dc=lan
idmap backend = ldap://10.1.0.10
idmap uid = 500-20000
idmap gid = 500-20000
printer admin = root
printing = cups
--------------------------------- smb.conf above
Sincerely,
Konstantin
More information about the samba
mailing list