[Samba] Migration samba 3 to 4

Tue Sep 18 09:30:04 UTC 2018

Hello,

I realize again test by resuming all 0 with the following configuration 
and I arrive at the same result.

-------------------- smb.conf

[global]
     netbios name = svdom
     server string = Gestionnaire de domaine
     workgroup = dom.domain

     hosts allow = 192.168.15. 192.168.6. 10.0.7.
     security = user
     domain master = yes
     domain logons = yes
     prefered master = yes
     local master = yes
     os level = 252
     log level = 1

     encrypt passwords = yes
     username map = /etc/samba/smbusers
     passdb expand explicit = no

     add machine script = /usr/sbin/smbldap-useradd -w '%u'
     add user script = /usr/sbin/smbldap-useradd -a -m '%u'
     delete user script = /usr/sbin/smbldap-userdel -r '%u'
     add group script = /usr/sbin/smbldap-groupadd -g '%g'
     delete group script = /usr/sbin/smbldap-groupdel '%g'
     add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
     delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
     set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

     ldap admin dn = cn=Manager,dc=dom,dc=domain
     ldap suffix = dc=dom,dc=domain
     ldap passwd sync = yes
     ldap ssl = no

     ldap user suffix = ou=Users
     ldap group suffix = ou=Groups
     ldap machine suffix = ou=Computers
     ldap idmap suffix = ou=Users

     passdb backend = ldapsam:ldap://ldap2.dom.domain
     idmap backend = ldapsam:ldap://ldap2.dom.domain

     nt acl support = yes
     map untrusted to domain = yes

     wins support = yes
     wins proxy = no
         dns proxy = yes
     name resolve order = wins lmhosts bcast
     interfaces = eth* lo
     bind interfaces only = yes
     time server = yes
     socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT 
SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192

     lock directory = /var/lib/samba
     log file = /var/log/samba/users/log-%U.log

     veto oplock files = /*.mdb/*.doc/*.xls/*.ppt/*.FIC/*.NDX/*.xlsx/
     guest account = nobody

     logon script = %G.bat
     logon path = \\svdom\profiles\%U

     load printers = no
     printcap name = /dev/null
     printcap cache time = 0
     idmap uid = 16777216-33554431
     idmap gid = 16777216-33554431
     template shell = /bin/false
     winbind use default domain = no

[share...]

-------------------------------- samba-tool domain classicupgrade 
--dbdir=/root/samba3/dbdir/ --realm=dom.domain 
--dns-backend=SAMBA_INTERNAL /root/samba3/etc/smb.conf -d 10
INFO: Current debug levels:
   all: 10
   tdb: 10
   printdrivers: 10
   lanman: 10
   smb: 10
   rpc_parse: 10
   rpc_srv: 10
   rpc_cli: 10
   passdb: 10
   sam: 10
   auth: 10
   winbind: 10
   vfs: 10
   idmap: 10
   quota: 10
   acls: 10
   locking: 10
   msdfs: 10
   dmapi: 10
   registry: 10
   scavenger: 10
   dns: 10
   ldb: 10
   tevent: 10
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
WARNING: The "syslog" option is deprecated
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
pm_process() returned Yes
Reading smb.conf
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter netbios name = svct02
doing parameter server string = Gestionnaire de domaine
doing parameter workgroup = dom.domain
doing parameter hosts allow = 192.168.15. 192.168.6. 10.0.7.
doing parameter security = user
doing parameter domain master = yes
doing parameter domain logons = yes
doing parameter prefered master = yes
doing parameter local master = yes
doing parameter os level = 252
doing parameter log level = 1
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Provisioning
Exporting account policy
Exporting groups
Severe DB error, sambaSamAccount can't miss the samba SIDattribute
Ignoring group 'Backup Operators' 
S-1-5-21-3199360825-2299538094-1836089394-551 listed but then not found: 
Unable to enumerate group members, (-1073741596,This error indicates 
that the requested operation cannot be completed due to a catastrophic 
media failure or an on-disk data structure corruption.)
Severe DB error, sambaSamAccount can't miss the samba SIDattribute
Ignoring group 'Domain Users' 
S-1-5-21-3199360825-2299538094-1836089394-513 listed but then not found: 
Unable to enumerate group members, (-1073741596,This error indicates 
that the requested operation cannot be completed due to a catastrophic 
media failure or an on-disk data structure corruption.)
Exporting users
sid S-1-5-21-629504534-1699756358-2856581066-3658 does not belong to our 
domain
sid S-1-5-21-629504534-1699756358-2856581066-3632 does not belong to our 
domain
   Fixing account svimp02$ which had both ACB_NORMAL (U) and ACB_WSTRUST 
(W) set.  Account will be marked as ACB_WSTRUST (W), i.e. as a domain member
   Skipping wellknown rid=501 (for username=nobody)
Next rid = 3867
Failed to connect to ldap URL 'ldap://ldap2.dom.domain' - LDAP client 
internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://ldap2.dom.domain' with backend 'ldap': LDAP 
client internal error: NT_STATUS_BAD_NETWORK_NAME
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: Could not open ldb connection to 
ldap://ldap2.dom.domain, the error message is: (1, 'LDAP client internal 
error: NT_STATUS_BAD_NETWORK_NAME')
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", 
line 176, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 
1566, in run
     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
   File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 671, 
in upgrade_from_samba3
     raise ProvisioningError("Could not open ldb connection to %s, the 
error message is: %s" % (url, e))

------------- ldapsearch -h ldap2.dom.domain -xb 
"ou=Groups,dc=dom,dc=domain" -W -D "cn=Manager,dc=dom,dc=domain" 
cn="Backup Operators"
# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=dom,dc=domain> with scope subtree
# filter: cn=Backup Operators
# requesting: ALL
#

# Backup Operators, Groups, dom.domain
dn: cn=Backup Operators,ou=Groups,dc=dom,dc=domain
cn: Backup Operators
description: Domain Unix group
displayName: Backup Operators
gidNumber: 551
memberUid: backupmanager
memberUid: backuppc
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-551

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

---------------- ldapsearch -h ldap2.dom.domain -xb 
"ou=Groups,dc=dom,dc=domain" -W -D "cn=Manager,dc=dom,dc=domain" 
cn="Domain Users"
# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=dom,dc=domain> with scope subtree
# filter: cn=Domain Users
# requesting: ALL
#

# Domain Users, Groups, dom.domain
dn: cn=Domain Users,ou=Groups,dc=dom,dc=domain
cn: Domain Users
description: Domain Unix group
displayName: Domain Users
gidNumber: 513
memberUid: [...]
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-513

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

ldap2 is a DNS alias of ns1.

------------------------------- ping ldap2.dom.domain

PING ns1.dom.domain (192.168.15.31) 56(84) bytes of data.
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=1 ttl=64 
time=0.574 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=2 ttl=64 
time=0.345 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=3 ttl=64 
time=0.235 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=4 ttl=64 
time=0.292 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=5 ttl=64 
time=0.601 ms

------------------------------- ping ldap2

--- ns1.dom.domain ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4056ms
rtt min/avg/max/mdev = 0.235/0.409/0.601/0.150 ms
PING ns1.dom.domain (192.168.15.31) 56(84) bytes of data.
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=1 ttl=64 
time=0.451 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=2 ttl=64 
time=0.677 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=3 ttl=64 
time=0.356 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=4 ttl=64 
time=0.296 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=5 ttl=64 
time=0.479 ms

--- ns1.dom.domain ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4068ms
rtt min/avg/max/mdev = 0.296/0.451/0.677/0.133 ms

I have exhausted all my resources and on the internet the error message 
is quite generic or an unmanaged error.

*Philippe MALADJIAN
Responsable informatique | administrateur système*

Le 06/09/2018 à 11:44, Rowland Penny via samba a écrit :
> On Thu, 6 Sep 2018 11:08:21 +0200
> Philippe Maladjian via samba <samba at lists.samba.org> wrote:
>> Before the classicupdate on my ldap I can change the rootdn to match
>> my.domain and not domain.fr?
> I suppose you could try it, dump the entire ldap to an ldif, manually
> change all 'dc=domain,dc=fr' to 'dc=my,dc=domain'. You would then have
> to move the old ldap out of the way and add your new ldif to ldap.
> Change your smb.conf to match. This could sort your ldap problem
> (don't know, never tried it), not sure what you may have to do to
> Samba, or how you would do it, again because I have never tried to do
> this.
>
> Rowland
>   
>
>