[Samba] Migration samba 3 to 4

Rowland Penny rpenny at samba.org
Tue Sep 18 10:15:52 UTC 2018


On Tue, 18 Sep 2018 11:30:04 +0200
Philippe Maladjian via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> I ran the test again, starting over from scratch with the following
> configuration, and I get the same result.
> 
> -------------------- smb.conf
> 
> [global]
>      netbios name = svdom
>      server string = Gestionnaire de domaine
>      workgroup = dom.domain
> 
>      hosts allow = 192.168.15. 192.168.6. 10.0.7.
>      security = user
>      domain master = yes
>      domain logons = yes
>      prefered master = yes
>      local master = yes
>      os level = 252
>      log level = 1
> 
>      encrypt passwords = yes
>      username map = /etc/samba/smbusers
>      passdb expand explicit = no
> 
>      add machine script = /usr/sbin/smbldap-useradd -w '%u'
>      add user script = /usr/sbin/smbldap-useradd -a -m '%u'
>      delete user script = /usr/sbin/smbldap-userdel -r '%u'
>      add group script = /usr/sbin/smbldap-groupadd -g '%g'
>      delete group script = /usr/sbin/smbldap-groupdel '%g'
>      add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>      delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>      set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> 
>      ldap admin dn = cn=Manager,dc=dom,dc=domain
>      ldap suffix = dc=dom,dc=domain
>      ldap passwd sync = yes
>      ldap ssl = no
> 
>      ldap user suffix = ou=Users
>      ldap group suffix = ou=Groups
>      ldap machine suffix = ou=Computers
>      ldap idmap suffix = ou=Users
> 
>      passdb backend = ldapsam:ldap://ldap2.dom.domain
>      idmap backend = ldapsam:ldap://ldap2.dom.domain
> 
>      nt acl support = yes
>      map untrusted to domain = yes
> 
>      wins support = yes
>      wins proxy = no
>      dns proxy = yes
>      name resolve order = wins lmhosts bcast
>      interfaces = eth* lo
>      bind interfaces only = yes
>      time server = yes
>      socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
> 
>      lock directory = /var/lib/samba
>      log file = /var/log/samba/users/log-%U.log
> 
>      veto oplock files = /*.mdb/*.doc/*.xls/*.ppt/*.FIC/*.NDX/*.xlsx/
>      guest account = nobody
> 
>      logon script = %G.bat
>      logon path = \\svdom\profiles\%U
> 
>      load printers = no
>      printcap name = /dev/null
>      printcap cache time = 0
>      idmap uid = 16777216-33554431
>      idmap gid = 16777216-33554431
>      template shell = /bin/false
>      winbind use default domain = no
> 
> [share...]
> 
> -------------------------------- samba-tool domain classicupgrade --dbdir=/root/samba3/dbdir/ --realm=dom.domain --dns-backend=SAMBA_INTERNAL /root/samba3/etc/smb.conf -d 10
> INFO: Current debug levels:
>    all: 10
>    tdb: 10
>    printdrivers: 10
>    lanman: 10
>    smb: 10
>    rpc_parse: 10
>    rpc_srv: 10
>    rpc_cli: 10
>    passdb: 10
>    sam: 10
>    auth: 10
>    winbind: 10
>    vfs: 10
>    idmap: 10
>    quota: 10
>    acls: 10
>    locking: 10
>    msdfs: 10
>    dmapi: 10
>    registry: 10
>    scavenger: 10
>    dns: 10
>    ldb: 10
>    tevent: 10
> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
> Processing section "[global]"
> WARNING: The "syslog" option is deprecated
> Processing section "[homes]"
> Processing section "[printers]"
> Processing section "[print$]"
> pm_process() returned Yes
> Reading smb.conf
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> doing parameter netbios name = svct02
> doing parameter server string = Gestionnaire de domaine
> doing parameter workgroup = dom.domain
> doing parameter hosts allow = 192.168.15. 192.168.6. 10.0.7.
> doing parameter security = user
> doing parameter domain master = yes
> doing parameter domain logons = yes
> doing parameter prefered master = yes
> doing parameter local master = yes
> doing parameter os level = 252
> doing parameter log level = 1
> WARNING: The "idmap backend" option is deprecated
> WARNING: The "idmap uid" option is deprecated
> WARNING: The "idmap gid" option is deprecated
> Provisioning
> Exporting account policy
> Exporting groups
> Severe DB error, sambaSamAccount can't miss the samba SIDattribute
> Ignoring group 'Backup Operators' S-1-5-21-3199360825-2299538094-1836089394-551 listed but then not found: Unable to enumerate group members, (-1073741596,This error indicates that the requested operation cannot be completed due to a catastrophic media failure or an on-disk data structure corruption.)
> Severe DB error, sambaSamAccount can't miss the samba SIDattribute
> Ignoring group 'Domain Users' S-1-5-21-3199360825-2299538094-1836089394-513 listed but then not found: Unable to enumerate group members, (-1073741596,This error indicates that the requested operation cannot be completed due to a catastrophic media failure or an on-disk data structure corruption.)
> Exporting users
> sid S-1-5-21-629504534-1699756358-2856581066-3658 does not belong to our domain
> sid S-1-5-21-629504534-1699756358-2856581066-3632 does not belong to our domain
>    Fixing account svimp02$ which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set.  Account will be marked as ACB_WSTRUST (W), i.e. as a domain member
> Skipping wellknown rid=501 (for username=nobody)
> Next rid = 3867
> Failed to connect to ldap URL 'ldap://ldap2.dom.domain' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
> Failed to connect to 'ldap://ldap2.dom.domain' with backend 'ldap': LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: Could not open ldb connection to ldap://ldap2.dom.domain, the error message is: (1, 'LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME')
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1566, in run
>      useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>    File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 671, in upgrade_from_samba3
>      raise ProvisioningError("Could not open ldb connection to %s, the error message is: %s" % (url, e))
> 
> ------------- ldapsearch -h ldap2.dom.domain -xb "ou=Groups,dc=dom,dc=domain" -W -D "cn=Manager,dc=dom,dc=domain" cn="Backup Operators"
> # extended LDIF
> #
> # LDAPv3
> # base <ou=Groups,dc=dom,dc=domain> with scope subtree
> # filter: cn=Backup Operators
> # requesting: ALL
> #
> 
> # Backup Operators, Groups, dom.domain
> dn: cn=Backup Operators,ou=Groups,dc=dom,dc=domain
> cn: Backup Operators
> description: Domain Unix group
> displayName: Backup Operators
> gidNumber: 551
> memberUid: backupmanager
> memberUid: backuppc
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> sambaGroupType: 2
> sambaSID: S-1-5-21-3199360825-2299538094-1836089394-551
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> ---------------- ldapsearch -h ldap2.dom.domain -xb "ou=Groups,dc=dom,dc=domain" -W -D "cn=Manager,dc=dom,dc=domain" cn="Domain Users"
> # extended LDIF
> #
> # LDAPv3
> # base <ou=Groups,dc=dom,dc=domain> with scope subtree
> # filter: cn=Domain Users
> # requesting: ALL
> #
> 
> # Domain Users, Groups, dom.domain
> dn: cn=Domain Users,ou=Groups,dc=dom,dc=domain
> cn: Domain Users
> description: Domain Unix group
> displayName: Domain Users
> gidNumber: 513
> memberUid: [...]
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> sambaGroupType: 2
> sambaSID: S-1-5-21-3199360825-2299538094-1836089394-513
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> ldap2 is a DNS alias of ns1.
> 
> ------------------------------- ping ldap2.dom.domain
> 
> PING ns1.dom.domain (192.168.15.31) 56(84) bytes of data.
> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=1 ttl=64 time=0.574 ms
> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=2 ttl=64 time=0.345 ms
> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=3 ttl=64 time=0.235 ms
> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=4 ttl=64 time=0.292 ms
> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=5 ttl=64 time=0.601 ms
> 
> --- ns1.dom.domain ping statistics ---
> 5 packets transmitted, 5 received, 0% packet loss, time 4056ms
> rtt min/avg/max/mdev = 0.235/0.409/0.601/0.150 ms
> 
> 
> ------------------------------- ping ldap2
> 
> PING ns1.dom.domain (192.168.15.31) 56(84) bytes of data.
> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=1 ttl=64 time=0.451 ms
> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=2 ttl=64 time=0.677 ms
> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=3 ttl=64 time=0.356 ms
> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=4 ttl=64 time=0.296 ms
> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=5 ttl=64 time=0.479 ms
> 
> --- ns1.dom.domain ping statistics ---
> 5 packets transmitted, 5 received, 0% packet loss, time 4068ms
> rtt min/avg/max/mdev = 0.296/0.451/0.677/0.133 ms
> 
> 
> I have exhausted all my resources, and on the internet the error
> message is either quite generic or an unhandled error.
> 
> Philippe MALADJIAN
> IT manager | system administrator
> 
> On 06/09/2018 at 11:44, Rowland Penny via samba wrote:
> > On Thu, 6 Sep 2018 11:08:21 +0200
> > Philippe Maladjian via samba <samba at lists.samba.org> wrote:
> >> Before the classicupdate on my ldap I can change the rootdn to
> >> match my.domain and not domain.fr?
> > I suppose you could try it, dump the entire ldap to an ldif,
> > manually change all 'dc=domain,dc=fr' to 'dc=my,dc=domain'. You
> > would then have to move the old ldap out of the way and add your
> > new ldif to ldap. Change your smb.conf to match. This could sort
> > your ldap problem (don't know, never tried it), not sure what you
> > may have to do to Samba, or how you would do it, again because I
> > have never tried to do this.
> >
> > Rowland
> >   
> >
> >

I think this proves that the way you are trying to classicupgrade just
doesn't work.

If I remember correctly you want to use a new SID instead of the old
SID, a new SID equals a new, different domain.

Can I suggest you dump all the users into a file, then dump all the
groups into another file, finally dump all the group memberships to
another file.

Provision a new domain, this will get you a new valid SID.

Parse the three files for the Well Known SIDs and remove these.

Write a script to parse the users file, extracting the user's name and
password etc., and use this to create a new user with samba-tool.

Do the same for the groups and then the group memberships.

You should end up with a new, fully functioning AD domain.

If you can share an ldif from your PDC ldap with me, I am prepared to
help you with this.

Rowland
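The procedure Rowland outlines above, as an added example that is not part of the thread and not Samba's own code: a Python script that reads an LDIF dump of the Samba 3 ldapsam tree (slapcat, or ldapsearch output), sorts out the entries the classicupgrade log complained about (entries with no sambaSID, entries whose SID belongs to the other S-1-5-21-629504534-... domain, and the well-known RIDs such as 513 and 551 that a fresh provision recreates itself), and prints the samba-tool commands that recreate the remaining users, groups and memberships. Assumptions: the domain SID is the S-1-5-21-3199360825-... one from the quoted log, the LDIF is a constructed sample rather than Philippe's data, and NT password hashes are not carried over because samba-tool user create takes a cleartext or random password, so accounts are created with --random-password and --must-change-at-next-login.

```python
"""Added example (not from the thread): parse an LDIF dump of a Samba 3 ldapsam
tree, flag entries classicupgrade complained about (no sambaSID, foreign domain
SID, well-known RID), and emit samba-tool commands recreating the rest. The LDIF
below is a constructed sample; only the two SID prefixes come from the log."""
import shlex

DOMAIN_SID = "S-1-5-21-3199360825-2299538094-1836089394"
WELL_KNOWN_RID_MAX = 999  # RIDs < 1000 (500, 512, 513, 551, ...) are reserved

SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=dom,dc=domain
objectClass: sambaSamAccount
uid: alice
uidNumber: 10001
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-3001

dn: uid=bob,ou=Users,dc=dom,dc=domain
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-629504534-1699756358-2856581066-3658

dn: uid=carol,ou=Users,dc=dom,dc=domain
objectClass: sambaSamAccount
uid: carol

dn: cn=Domain Users,ou=Groups,dc=dom,dc=domain
objectClass: sambaGroupMapping
cn: Domain Users
memberUid: alice
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-513

dn: cn=devs,ou=Groups,dc=dom,dc=domain
objectClass: sambaGroupMapping
cn: devs
memberUid: alice
memberUid: carol
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-3101
"""

def parse_ldif(text):
    """Minimal LDIF reader (attr: value, leading-space continuations, '#' comments,
    blank-line separators) -> list of {attr: [values]} dicts, dn included."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if line.startswith(" ") and last:
            cur[last][-1] += line[1:]
        elif not line.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif not line.startswith("#"):
            attr, _, val = line.partition(":")
            cur.setdefault(attr, []).append(val.lstrip())
            last = attr
    return entries

def classify(entries, domain_sid=DOMAIN_SID):
    """Split entries into users/groups to migrate plus (name, reason) problems."""
    users, groups, problems = [], [], []
    prefix = domain_sid + "-"
    for e in entries:
        classes = e.get("objectClass", [])
        is_user = "sambaSamAccount" in classes
        if not is_user and "sambaGroupMapping" not in classes:
            continue  # ldapsearch trailer records ("search: 2") land here
        name = (e.get("uid") or e.get("cn") or ["?"])[0]
        sid = e.get("sambaSID", [None])[0]
        if sid is None:
            problems.append((name, "missing sambaSID"))
        elif not sid.startswith(prefix):
            problems.append((name, "foreign domain SID " + sid))
        elif int(sid[len(prefix):]) <= WELL_KNOWN_RID_MAX:  # provision recreates these
            problems.append((name, "well-known RID " + sid[len(prefix):]))
        elif is_user:
            users.append(e)
        else:
            groups.append(e)
    return users, groups, problems

def samba_tool_commands(users, groups):
    """Render the samba-tool calls; names are shell-quoted ('Domain Users' has a
    space). user create takes no NT hash, hence the random, must-change password."""
    q = lambda argv: " ".join(shlex.quote(a) for a in argv)
    kept = {u["uid"][0] for u in users}
    cmds = []
    for u in users:
        argv = ["samba-tool", "user", "create", u["uid"][0],
                "--random-password", "--must-change-at-next-login"]
        if "uidNumber" in u:  # keep the Unix id so share ownership still matches
            argv += ["--uid-number", u["uidNumber"][0]]
        cmds.append(q(argv))
    for g in groups:
        name = g["cn"][0]
        cmds.append(q(["samba-tool", "group", "add", name]))
        members = [m for m in g.get("memberUid", []) if m in kept]  # drop skipped users
        if members:
            cmds.append(q(["samba-tool", "group", "addmembers", name, ",".join(members)]))
    return cmds
```

Run classify(parse_ldif(open("users.ldif").read())) over each of the three dumps, review the problems list before running anything (a foreign-domain SID or a missing sambaSID is exactly what made classicupgrade give up, so those accounts need a decision, not a blind import), then feed the command list to a shell on the freshly provisioned DC. Members of well-known groups such as Backup Operators are dropped along with the group here; re-add them by hand on the new domain if they are still wanted.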



