[Samba] Migrating from Samba 3: no groups/users are imported ("listed, but then not found", "does not belong to our domain")
Konstantin Boyandin
lists at boyandin.info
Tue Sep 4 03:26:38 UTC 2018
Rowland Penny via samba wrote on 2018-09-03 17:12:
> On Mon, 03 Sep 2018 04:27:07 +0000
> "Konstantin Boyandin (lists) via samba" <samba at lists.samba.org>
> wrote:
>
>> Hello,
>>
>> Going further with migrating NT4 domain (Samba 3) to Samba 4. Thanks
>> for the previous suggestions.
>>
>> When doing
>>
>> # samba-tool domain classicupgrade --dbdir=/usr/local/samba.LAN/
>> --realm=ad-lan.com
>> --dns-backend=BIND9_DLZ /usr/local/samba.LAN/smb.conf
>> --option="interfaces=lo ens3" --option="bind interfaces only=yes"
>>
>> I see in stderr the below:
>>
>> Ignoring group 'ossi' S-1-5-21-1411277624-4092985889-3405756581-3001
>> listed but then not found: Unable to enumerate group members,
>> (-1073741722,The specified group does not exist.)
>>
>> for every group from existing LDAP backend of Samba 3, and
>>
>> sid S-1-5-21-1411277624-4092985889-3405756581-2062 does not belong to
>> our domain
>>
>
> Okay, I take it your PDC was called pdclan and the domain was called
> 'LAN', I have no idea what the dns domain was.
>
> You have now created a new AD DC using the dns domain 'ad-lan.com' and
> the new AD DC is called 'dc'
>
> So from my reading there are three Samba workgroup names in play:
>
> PDCLAN
> LAN
> AD-LAN
>
> I think this, (along with using '--realm=ad-lan.com' instead of 'realm
> = ad-lan' in smb.conf) is your problem. You are trying to change the
> domain from 'LAN' to 'AD-LAN', Samba is undoubtedly treating this as a
> new domain and creating a new SID for it.

That's intentional.

LAN is an NT4 (Samba 3) domain, and I may not just upgrade it without
thorough testing - too many resources are using it, and breaking down
the network is not an option.

So yes, I create a new domain, under a real-life domain name (I own
ad-lan.com) and, after transferring everything into it, testing in
a sandbox environment, I will begin transferring everything from Samba 3
into the Samba 4 domain (i.e., both LAN and AD-LAN will co-exist in the
same network for some time).

So the question is: how do I do the upgrade to Samba 4 while importing the
users/groups from the Samba 3 domain in this case? Alternately, how can I
import Samba 3 entities from the Samba 3 LDAP backend *after* creating a
separate Samba 4 domain?

Also, what's wrong with '--realm=ad-lan.com'?

Thanks.

Sincerely,
Konstantin