[Samba] Migrating from Samba 3: no groups/users are imported ("listed, but then not found", "does not belong to our domain")

Mario Codeniera mario.codeniera at gmail.com
Tue Sep 11 05:40:11 UTC 2018


Hi Konstantin,

From my understanding of your situation, you wanted a new Samba AD from
your existing PDC.

> Ignoring group 'ossi' S-1-5-21-1411277624-4092985889-3405756581-3001
> listed but then not found: Unable to enumerate group members,
> (-1073741722,The specified group does not exist.)
> for every group from existing LDAP backend of Samba 3, and
> sid S-1-5-21-1411277624-4092985889-3405756581-2062 does not belong to
> our domain
> for every user ID.
> After I start the upgraded domain:
> # net getdomainsid
> SID for domain AD-LAN is: S-1-5-21-2473926874-590573496-2946143095
> and on original Samba 3 domain controller:
> # net getdomainsid
> SID for local machine PDCLAN is:
> S-1-5-21-1411277624-402985889-3405756581
> SID for domain LAN is: S-1-5-21-1411277624-4092985889-3405756581


It's normal that you got that error because you have different SIDs, one
for your new machine and one for the existing PDC.
There are 2 options you can do: 1) change the SID of the new machine to
that of your PDC

check first: (here you get S-1-5-21-2473926874-590573496-2946143095)

    net getdomainsid
    net getlocalsid

then modify the sid, from your original sid:

    net setlocalsid S-1-5-21-1411277624-4092985889-3405756581

    net getdomainsid
    net getlocalsid


Alternatively 2) modify the ldif (after the slapcat - refer to the howto),
but the disadvantage of this is that your clients will need to re-join as the
SID is different. I assume your openldap is working well here. The advantage
is that you can change any workgroup or realm with this...
ex. search for S-1-5-21-1411277624-4092985889-3405756581 and replace with
S-1-5-21-2473926874-590573496-2946143095, and those dc=x,dc=x...

install the smbldap-tools, change the config to add the new SID, check the
ldap client settings (ldap.conf), smbldap-populate.

example config...

    cp -rf /var/lib/samba /usr/local/samba-jan2018
    cp /etc/samba/smb.conf /usr/local/samba-jan2018/
    systemctl stop nmb smb
    samba-tool domain classicupgrade --dbdir=/usr/local/samba-jan2018/private \
        --realm=lumad.sandbox.net --dns-backend=SAMBA_INTERNAL \
        /usr/local/samba-jan2018/smb.conf


With option 2, regardless of how old your PDC is, it will for sure still work
as long as you exported the ldap correctly (as per testing many times using
samba 4.x), but we are still working with samba 3.3.10 :-) for our production.


Or try to add on your existing PDC the config lines I added lately that
allow our Windows 10 (1803) to login (but again, we still enable smb1 on the
clients, that's why we are keen on the upgrade to the samba AD).

     client NTLMv2 auth = yes
     use spnego = no
     client use spnego = no
     ntlm auth = Yes



Cheers,
Mario
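As an added illustration of option 2 (not part of Mario's message): a small
Python helper that rewrites the domain part of every sambaSID /
sambaPrimaryGroupSID value in a slapcat export, keeping the RID, and reports
any SID that belongs to neither domain so it can be fixed before
classicupgrade rejects it with "does not belong to our domain". The LDIF
fragment is constructed for the example and the parser assumes single-line
attribute values (no LDIF continuation lines or base64 `::` values).

```python
import re

# SIDs quoted in the thread: old Samba 3 domain and new AD domain.
OLD_DOMAIN_SID = "S-1-5-21-1411277624-4092985889-3405756581"
NEW_DOMAIN_SID = "S-1-5-21-2473926874-590573496-2946143095"

# Constructed stand-in for a slapcat export (not a real export).
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=lan
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1411277624-4092985889-3405756581-2062
sambaPrimaryGroupSID: S-1-5-21-1411277624-4092985889-3405756581-513

dn: cn=ossi,ou=Groups,dc=lan
objectClass: sambaGroupMapping
cn: ossi
sambaSID: S-1-5-21-1411277624-4092985889-3405756581-3001

dn: cn=stray,ou=Groups,dc=lan
objectClass: sambaGroupMapping
cn: stray
sambaSID: S-1-5-21-999-999-999-1001
"""

SID_ATTRS = ("sambaSID", "sambaPrimaryGroupSID")
# domain part (three sub-authorities) followed by the RID
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def rewrite_domain_sid(ldif_text, old_sid, new_sid):
    """Return (rewritten_ldif, foreign): SIDs under old_sid get new_sid with
    the same RID; values under neither domain are left as-is and listed."""
    out, foreign = [], []
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(": ")
        if sep and attr in SID_ATTRS:
            m = SID_RE.match(value.strip())
            if m and m.group(1) == old_sid:
                line = f"{attr}: {new_sid}-{m.group(2)}"  # swap domain, keep RID
            elif not m or m.group(1) != new_sid:
                foreign.append(value.strip())
        out.append(line)
    return "\n".join(out) + "\n", foreign


if __name__ == "__main__":
    fixed, odd = rewrite_domain_sid(SAMPLE_LDIF, OLD_DOMAIN_SID, NEW_DOMAIN_SID)
    print(fixed)
    print("SIDs belonging to neither domain:", odd)
```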




On Thu, Sep 6, 2018 at 9:04 PM Konstantin Boyandin via samba <
samba at lists.samba.org> wrote:

> Rowland Penny via samba wrote 2018-09-06 14:37:
> > On Thu, 06 Sep 2018 12:22:11 +0700
> > Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
> >
> >> Rowland Penny via samba wrote 2018-09-05 15:56:
> >> > On Wed, 05 Sep 2018 15:26:30 +0700
> >> > Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
> >> >>
> >> >> Exactly that. I need to create a separate domain; after all the
> >> >> checks are done that switching to it works, the computers will
> >> >> rejoin the new domain. Our Samba 3 domain is used for years; since
> >> >> Windows 10 is unable to join it any more, we are finally migrating
> >> >> everything to Samba 4.
> >> >
> >> > Then you might as well just provision a new domain, dump your users,
> >> > groups etc to a file. Write a script to parse the file and then add
> >> > them to your new AD.
> >>
> >> Current approach does import users and groups; it only fails to
> >> assign users to groups properly. It can do already, but I would
> >> prefer less manual interaction.
> >>
> >> >> Note: every user belongs to "Domain Users" group, other group
> >> >> memberships are lost.
> >> >
> >> > Yes, every AD user's primary group is Domain Users, your other
> >> > problem is very probably being caused by the way you are trying to
> >> > bend the classicupgrade upgrade script
> >>
> >> I am not sure what I am "bending".
> >
> > The whole idea behind a classicupgrade is that you start with an
> > NT4-style PDC and end up with an AD DC. Your users, groups, etc have
> > the same RIDs, the domain has the SID, all passwords are retained,
> > all RFC2307 attributes are retained and finally, the clients do not
> > notice.
> >
> >> The classic upgrade did fail in exactly the same way even when I
> >> tried to do it literally as the corresponding guide tells:
> >
> > Then there must be something wrong with your PDC, perhaps it was just
> > too old.
>
> samba-3.6.23 based (CentOS 6).
>
> In any case, re-adding users to groups manually is a lesser evil, it can
> be done in batch mode.
>
> Sincerely,
> Konstantin
>
>