[Samba] Migrating from Samba 3: no groups/users are imported ("listed, but then not found", "does not belong to our domain")

Konstantin Boyandin lists at boyandin.info
Wed Sep 5 08:26:30 UTC 2018

Rowland Penny via samba wrote 2018-09-04 14:24:
> On Tue, 04 Sep 2018 10:26:38 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>> Rowland Penny via samba wrote 2018-09-03 17:12:
>> > On Mon, 03 Sep 2018 04:27:07 +0000
>> > "Konstantin Boyandin \(lists\) via samba" <samba at lists.samba.org>
>> > wrote:
>> >
>> >> Hello,
>> >>
>> >> Going further with migrating NT4 domain (Samba 3) to Samba 4.
>> >> Thanks for the previous suggestions.
>> >>
>> >> When doing
>> >>
>> >> # samba-tool domain classicupgrade --dbdir=/usr/local/samba.LAN/
>> >> --realm=ad-lan.com
>> >> --dns-backend=BIND9_DLZ /usr/local/samba.LAN/smb.conf
>> >> --option="interfaces=lo ens3" --option="bind interfaces only=yes"
>> >>
>> >> I see in stderr the below:
>> >>
>> >> Ignoring group 'ossi'
>> >> S-1-5-21-1411277624-4092985889-3405756581-3001 listed but then not
>> >> found: Unable to enumerate group members, (-1073741722,The
>> >> specified group does not exist.)
>> >>
>> >> for every group from existing LDAP backend of Samba 3, and
>> >>
>> >> sid S-1-5-21-1411277624-4092985889-3405756581-2062 does not belong
>> >> to our domain
>> >>
>> >
>> > Okay, I take it your PDC was called pdclan and the domain was called
>> > 'LAN', I have no idea what the dns domain was.
>> >
>> > You have now created a new AD DC using the dns domain 'ad-lan.com'
>> > and the new AD DC is called 'dc'
>> >
>> > So from my reading there are three Samba workgroup names in play:
>> >
>> > LAN
>> > AD-LAN
>> >
>> > I think this, (along with using '--realm=ad-lan.com' instead of
>> > 'realm = ad-lan' in smb.conf) is your problem. You are trying to
>> > change the domain from 'LAN' to 'AD-LAN', Samba is undoubtedly
>> > treating this as a new domain and creating a new SID for it.
>> That's intentional.
>> LAN is an NT4 (Samba 3) domain, and I may not just upgrade it without
>> thorough testing - too many resources are using it, and breaking the
>> network is not an option.
>> So yes, I create a new domain, under a real-life domain name (I own
>> ad-lan.com) and, after transferring everything into it and testing in
>> a sandbox environment, I will begin transferring everything from Samba
>> 3 into the Samba 4 domain (i.e., both LAN and AD-LAN will co-exist in
>> the same network for some time).
>> So the question is, how do I do the upgrade to Samba 4 while importing
>> the users/groups from the Samba 3 domain in this case? Alternately, how
>> can I import Samba 3 entities from the Samba 3 LDAP backend *after*
>> creating a separate Samba 4 domain?
>> Also, what's wrong with '--realm=ad-lan.com' ?
> The main thing is that the upgrade code ignores it!
> The classic upgrade is built upon doing just that, upgrading an
> NT4-style domain to an AD domain using the same workgroup name.
> You seem to be trying to do some hybrid method and might as well
> create a new domain. You cannot have a domain called 'LAN' and a
> domain called 'AD-LAN' with the same SID.
> What most people do is to create a test domain in a sandbox, carry
> out the upgrade multiple times, correcting errors, until they know
> just what they have to do to get a new AD domain. Once they are sure
> it will work, they do it for real. You should also be aware that once
> your clients see your new AD domain, they will not go back to the
> NT4-style domain.
> If the upgrade is carried out correctly, your clients shouldn't
> notice.
> Your method (which is creating a new domain) will mean you will have
> to rejoin the computers to the domain.

Exactly that. I need to create a separate domain; after all the checks 
are done that switching to it works, the computers will rejoin the new 
domain. Our Samba 3 domain has been used for years; since Windows 10 is 
unable to join it any more, we are finally migrating everything to Samba 4.

Actually, I did the following:
- loaded the dump of the LDAP backend of the existing Samba 3
- replaced the domain SID part in the dump; replaced the domain controller 
NetBIOS name as well (I chose the same SID Samba 4 was creating when 
trying to do the classic upgrade with the existing remote LDAP backend)
- imported the resulting LDAP dump into a local sandbox OpenLDAP server
- re-ran the classic upgrade using the above local LDAP installation

After some cursing and fixing minor typos, I received the Samba 4 domain 
in a viable state.

The only remaining problem I couldn't solve is that source groups/users 
are still not recognized, i.e. I see multiple

Ignoring group 'project' S-1-5-21-2473926874-590573496-2946143095-3001 
listed but then not found: Unable to enumerate group members, 
(-1073741722,The specified group does not exist.)

records in stderr of classic upgrade command.

It isn't a blocker, since both users and groups are actually added to the 
new domain and I can re-add users to groups manually - but I am still 
unsure why that happens. The entire output of the upgrade command is like 

---------------- output of classic upgrade below
Reading smb.conf
WARNING: The "syslog" option is deprecated
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Unknown parameter encountered: "printer admin"
Ignoring unknown parameter "printer admin"
Exporting account policy
Exporting groups
Ignoring group 'Domain Admins' 
S-1-5-21-2473926874-590573496-2946143095-512 listed but then not found: 
Unable to enumerate group members, (-1073741722,The specified group does 
not exist.)
[...and 18 more records like above...]
Exporting users
   Skipping wellknown rid=500 (for username=root)
Ignoring group memberships of 'user' 
S-1-5-21-2473926874-590573496-2946143095-3020: Unable to enumerate group 
memberships, (-1073741724,The specified account does not exist.)
[...same line for the rest of existing users...]
Next rid = 3323
Exporting posix attributes
Reading WINS database
Cannot open wins database, Ignoring: [Errno 2] No such file or 
directory: '/usr/local/samba.LAN/wins.dat'
WARNING: The "syslog" option is deprecated
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=ad-lan,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting acl on sysvol skipped
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=ad-lan,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
See /var/lib/samba/private/named.conf for an example configuration 
include file for BIND
and /var/lib/samba/private/named.txt for further documentation required 
for secure DNS updates
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba AD has been generated at 
Setting up fake yp server settings
Once the above files are installed, your Samba AD server will be ready 
to use
Admin password:        [replaced]
Server Role:           active directory domain controller
Hostname:              dc
NetBIOS Domain:        AD-LAN
DNS Domain:            ad-lan.com
DOMAIN SID:            S-1-5-21-2473926874-590573496-2946143095
Importing WINS database
Importing Account policy
Importing idmap database
Cannot open idmap database, Ignoring: [Errno 2] No such file or 
WARNING: The "syslog" option is deprecated
Adding groups
Importing groups
Group already exists sid=S-1-5-21-2473926874-590573496-2946143095-512, 
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-2473926874-590573496-2946143095-513, 
groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Group already exists sid=S-1-5-21-2473926874-590573496-2946143095-514, 
groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-2473926874-590573496-2946143095-515, 
groupname=Domain Computers existing_groupname=Domain Computers, 
Group already exists sid=S-1-5-32-544, groupname=Administrators 
existing_groupname=Administrators, Ignoring.
Group already exists sid=S-1-5-32-548, groupname=Account Operators 
existing_groupname=Account Operators, Ignoring.
Group already exists sid=S-1-5-32-550, groupname=Print Operators 
existing_groupname=Print Operators, Ignoring.
Group already exists sid=S-1-5-32-551, groupname=Backup Operators 
existing_groupname=Backup Operators, Ignoring.
Group already exists sid=S-1-5-32-552, groupname=Replicators 
existing_groupname=Replicator, Ignoring.
Committing 'add groups' transaction to disk
Adding users
Importing users
Committing 'add users' transaction to disk
Adding users to groups
Committing 'add users to groups' transaction to disk
WARNING: The "syslog" option is deprecated
WARNING: The "syslog" option is deprecated
---------------- output of classic upgrade above

Note: every user belongs to "Domain Users" group, other group 
memberships are lost.

I would appreciate assistance with above, if possible.
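The SID/NetBIOS rewrite of the Samba 3 LDAP dump described in the steps above, as an added example that is not part of this thread and not Samba's own tooling. It assumes the standard Samba 3 LDAP schema attribute names (sambaSID, sambaPrimaryGroupSID, sambaDomainName), takes the old and new domain SIDs from the thread, and uses "pdclan" and "dc" as the old PDC and new DC NetBIOS names as Rowland read them; the LDIF sample is constructed for illustration. It also includes the check an admin would want before re-running classicupgrade: every S-1-5-21 SID left in the dump that is not under the new domain SID is exactly what the upgrade later reports as "does not belong to our domain".

```python
"""Rewrite the domain SID and the PDC NetBIOS name in a Samba 3 LDAP (LDIF) dump.

Added example, not from the thread or from Samba. Assumptions: the dump was
produced by slapcat/ldapsearch, uses the Samba 3 schema attributes sambaSID,
sambaPrimaryGroupSID and sambaDomainName, and the NetBIOS names below are
the old PDC ("pdclan") and the new DC ("dc").
"""
import re
import sys

OLD_DOMAIN_SID = "S-1-5-21-1411277624-4092985889-3405756581"  # Samba 3 'LAN' SID (from the thread)
NEW_DOMAIN_SID = "S-1-5-21-2473926874-590573496-2946143095"   # new AD-LAN domain SID (from the thread)
OLD_PDC_NAME, NEW_DC_NAME = "pdclan", "dc"                     # NetBIOS names (assumed)

# Attributes whose values are SIDs in the Samba 3 LDAP schema (lower-cased for matching).
SID_ATTRS = {"sambasid", "sambaprimarygroupsid"}

# Constructed sample dump: domain entry, PDC machine entry, one computer, one user, one group.
SAMPLE_LDIF = """\
dn: sambaDomainName=LAN,dc=lan,dc=local
objectClass: sambaDomain
sambaDomainName: LAN
sambaSID: S-1-5-21-1411277624-4092985889-3405756581
sambaNextRid: 3323

dn: sambaDomainName=PDCLAN,dc=lan,dc=local
objectClass: sambaDomain
sambaDomainName: PDCLAN
sambaSID: S-1-5-21-1411277624-4092985889-3405756581

dn: uid=pdclan$,ou=Computers,dc=lan,dc=local
objectClass: sambaSamAccount
uid: pdclan$
sambaSID: S-1-5-21-1411277624-4092985889-3405756581-1000
sambaPrimaryGroupSID: S-1-5-21-1411277624-4092985889-3405756581-515

dn: uid=user,ou=Users,dc=lan,dc=local
objectClass: sambaSamAccount
uid: user
sambaSID: S-1-5-21-1411277624-4092985889-3405756581-3020
sambaPrimaryGroupSID: S-1-5-21-1411277624-4092985889-3405756581-513
description:: dGVzdA==

dn: cn=project,ou=Groups,dc=lan,dc=local
objectClass: sambaGroupMapping
cn: project
sambaSID: S-1-5-21-1411277624-4092985889-3405756581-3001
sambaGroupType: 2
memberUid: user

dn: cn=Administrators,ou=Groups,dc=lan,dc=local
objectClass: sambaGroupMapping
cn: Administrators
sambaSID: S-1-5-32-544
sambaGroupType: 4
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) so each attribute is one line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _case_like(template, word):
    """Return word in the same case as template (PDCLAN -> DC, pdclan$ -> dc$)."""
    if template.isupper():
        return word.upper()
    if template.islower():
        return word.lower()
    return word


def rewrite_dump(text, old_sid=OLD_DOMAIN_SID, new_sid=NEW_DOMAIN_SID,
                 old_host=OLD_PDC_NAME, new_host=NEW_DC_NAME):
    """Return (rewritten LDIF text, stats). Only the domain part of a SID is
    replaced, RIDs are preserved; base64 (::) values are left untouched and counted."""
    sid_re = re.compile(re.escape(old_sid) + r"(?!\d)")          # do not match a longer number
    host_re = re.compile(r"(?<![\w-])" + re.escape(old_host) + r"(?![\w-])", re.IGNORECASE)
    stats = {"sids": 0, "hosts": 0, "base64_skipped": 0}
    out = []
    for line in unfold_ldif(text):
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):          # blank line or comment
            out.append(line)
            continue
        if value.startswith(":"):                    # base64 value: cannot be edited textually
            stats["base64_skipped"] += 1
            out.append(line)
            continue
        line, n = sid_re.subn(new_sid, line)
        stats["sids"] += n
        line, n = host_re.subn(lambda m: _case_like(m.group(0), new_host), line)
        stats["hosts"] += n
        out.append(line)
    return "\n".join(out) + "\n", stats


def sids_outside_domain(text, domain_sid=NEW_DOMAIN_SID):
    """List (dn, attribute, sid) for every domain-style SID (S-1-5-21-...) that is
    not under domain_sid. BUILTIN SIDs (S-1-5-32-...) are expected and ignored."""
    found, dn = [], None
    for line in unfold_ldif(text):
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            dn = value
        elif (attr.lower() in SID_ATTRS and value.startswith("S-1-5-21-")
              and value != domain_sid and not value.startswith(domain_sid + "-")):
            found.append((dn, attr, value))
    return found


if __name__ == "__main__":
    # Usage: python rewrite_dump.py samba3.ldif > sandbox.ldif
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    new_text, stats = rewrite_dump(src)
    sys.stdout.write(new_text)
    print("rewritten:", stats, "foreign SIDs left:", sids_outside_domain(new_text), file=sys.stderr)
```

Run it on the real slapcat dump and feed the result to slapadd on the sandbox OpenLDAP server; a non-empty "foreign SIDs left" list means some entry still carries the old domain SID and will be skipped by the upgrade. The base64 counter matters because slapcat base64-encodes any value with leading spaces or non-ASCII bytes, and a SID hidden inside such a value would not be rewritten.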

