[Samba] Migration samba 3 to 4
Philippe Maladjian
pmaladjian at hilaire.fr
Tue Sep 18 12:20:19 UTC 2018
Hello,
On my current installation, samba announces the domain dom.domain, Windows
machines and users are registered on the domain dom.hilaire, and the root dn of my
ldap is dc = domain, dc = fr.
At first I tested a migration by applying the vm of my server samba3 and
my ldap. I migrated these VMs out of the production network and
validated that with a pc from my production network (once the network
settings were changed) I could connect to the test domain.
Then I copied the file smb.conf and all the tdb to the new samba 4 server.
I started the migration procedure via samba-tool and got the error on
the groups Domain Users and Backup Operators as well as the login error
with my ldap directory.
After some exchanges I exported my directory to an ldif to modify the
root dn to dc = dom, dc = domain so that it corresponds to the Windows
domain name. I re-imported everything into my directory.
When I restart the migration procedure with samba-tool I have the same
error. As I have the same installation problem with the production
version, I do not see any relationship with the SID. The samba domain
name does not change; it's only the root dn of my ldap directory that I
change before the migration.
*Philippe MALADJIAN
Responsable informatique | administrateur système*
On 18/09/2018 at 12:15, Rowland Penny via samba wrote:
> On Tue, 18 Sep 2018 11:30:04 +0200
> Philippe Maladjian via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I ran the test again from scratch with the following
>> configuration and I arrive at the same result.
>>
>> -------------------- smb.conf
>>
>> [global]
>> netbios name = svdom
>> server string = Gestionnaire de domaine
>> workgroup = dom.domain
>>
>> hosts allow = 192.168.15. 192.168.6. 10.0.7.
>> security = user
>> domain master = yes
>> domain logons = yes
>> prefered master = yes
>> local master = yes
>> os level = 252
>> log level = 1
>>
>> encrypt passwords = yes
>> username map = /etc/samba/smbusers
>> passdb expand explicit = no
>>
>> add machine script = /usr/sbin/smbldap-useradd -w '%u'
>> add user script = /usr/sbin/smbldap-useradd -a -m '%u'
>> delete user script = /usr/sbin/smbldap-userdel -r '%u'
>> add group script = /usr/sbin/smbldap-groupadd -g '%g'
>> delete group script = /usr/sbin/smbldap-groupdel '%g'
>> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>>
>> ldap admin dn = cn=Manager,dc=dom,dc=domain
>> ldap suffix = dc=dom,dc=domain
>> ldap passwd sync = yes
>> ldap ssl = no
>>
>> ldap user suffix = ou=Users
>> ldap group suffix = ou=Groups
>> ldap machine suffix = ou=Computers
>> ldap idmap suffix = ou=Users
>>
>> passdb backend = ldapsam:ldap://ldap2.dom.domain
>> idmap backend = ldapsam:ldap://ldap2.dom.domain
>>
>> nt acl support = yes
>> map untrusted to domain = yes
>>
>> wins support = yes
>> wins proxy = no
>> dns proxy = yes
>> name resolve order = wins lmhosts bcast
>> interfaces = eth* lo
>> bind interfaces only = yes
>> time server = yes
>> socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT
>> SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
>>
>> lock directory = /var/lib/samba
>> log file = /var/log/samba/users/log-%U.log
>>
>> veto oplock files = /*.mdb/*.doc/*.xls/*.ppt/*.FIC/*.NDX/*.xlsx/
>> guest account = nobody
>>
>> logon script = %G.bat
>> logon path = \\svdom\profiles\%U
>>
>> load printers = no
>> printcap name = /dev/null
>> printcap cache time = 0
>> idmap uid = 16777216-33554431
>> idmap gid = 16777216-33554431
>> template shell = /bin/false
>> winbind use default domain = no
>>
>> [share...]
>>
>> -------------------------------- samba-tool domain classicupgrade
>> --dbdir=/root/samba3/dbdir/ --realm=dom.domain
>> --dns-backend=SAMBA_INTERNAL /root/samba3/etc/smb.conf -d 10
>> INFO: Current debug levels:
>> all: 10
>> tdb: 10
>> printdrivers: 10
>> lanman: 10
>> smb: 10
>> rpc_parse: 10
>> rpc_srv: 10
>> rpc_cli: 10
>> passdb: 10
>> sam: 10
>> auth: 10
>> winbind: 10
>> vfs: 10
>> idmap: 10
>> quota: 10
>> acls: 10
>> locking: 10
>> msdfs: 10
>> dmapi: 10
>> registry: 10
>> scavenger: 10
>> dns: 10
>> ldb: 10
>> tevent: 10
>> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
>> Processing section "[global]"
>> WARNING: The "syslog" option is deprecated
>> Processing section "[homes]"
>> Processing section "[printers]"
>> Processing section "[print$]"
>> pm_process() returned Yes
>> Reading smb.conf
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[global]"
>> doing parameter netbios name = svct02
>> doing parameter server string = Gestionnaire de domaine
>> doing parameter workgroup = dom.domain
>> doing parameter hosts allow = 192.168.15. 192.168.6. 10.0.7.
>> doing parameter security = user
>> doing parameter domain master = yes
>> doing parameter domain logons = yes
>> doing parameter prefered master = yes
>> doing parameter local master = yes
>> doing parameter os level = 252
>> doing parameter log level = 1
>> WARNING: The "idmap backend" option is deprecated
>> WARNING: The "idmap uid" option is deprecated
>> WARNING: The "idmap gid" option is deprecated
>> Provisioning
>> Exporting account policy
>> Exporting groups
>> Severe DB error, sambaSamAccount can't miss the samba SIDattribute
>> Ignoring group 'Backup Operators'
>> S-1-5-21-3199360825-2299538094-1836089394-551 listed but then not
>> found: Unable to enumerate group members, (-1073741596,This error
>> indicates that the requested operation cannot be completed due to a
>> catastrophic media failure or an on-disk data structure corruption.)
>> Severe DB error, sambaSamAccount can't miss the samba SIDattribute
>> Ignoring group 'Domain Users'
>> S-1-5-21-3199360825-2299538094-1836089394-513 listed but then not
>> found: Unable to enumerate group members, (-1073741596,This error
>> indicates that the requested operation cannot be completed due to a
>> catastrophic media failure or an on-disk data structure corruption.)
>> Exporting users
>> sid S-1-5-21-629504534-1699756358-2856581066-3658 does not belong to
>> our domain
>> sid S-1-5-21-629504534-1699756358-2856581066-3632 does not belong to
>> our domain
>> Fixing account svimp02$ which had both ACB_NORMAL (U) and
>> ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e.
>> as a domain member
>> Skipping wellknown rid=501 (for username=nobody)
>> Next rid = 3867
>> Failed to connect to ldap URL 'ldap://ldap2.dom.domain' - LDAP client
>> internal error: NT_STATUS_BAD_NETWORK_NAME
>> Failed to connect to 'ldap://ldap2.dom.domain' with backend 'ldap':
>> LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
>> exception - ProvisioningError: Could not open ldb connection to
>> ldap://ldap2.dom.domain, the error message is: (1, 'LDAP client
>> internal error: NT_STATUS_BAD_NETWORK_NAME')
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 176, in _run
>> return self.run(*args, **kwargs)
>> File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
>> line 1566, in run
>> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>> File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line
>> 671, in upgrade_from_samba3
>> raise ProvisioningError("Could not open ldb connection to %s,
>> the error message is: %s" % (url, e))
>>
>> ------------- ldapsearch -h ldap2.dom.domain -xb
>> "ou=Groups,dc=dom,dc=domain" -W -D "cn=Manager,dc=dom,dc=domain"
>> cn="Backup Operators"
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=Groups,dc=dom,dc=domain> with scope subtree
>> # filter: cn=Backup Operators
>> # requesting: ALL
>> #
>>
>> # Backup Operators, Groups, dom.domain
>> dn: cn=Backup Operators,ou=Groups,dc=dom,dc=domain
>> cn: Backup Operators
>> description: Domain Unix group
>> displayName: Backup Operators
>> gidNumber: 551
>> memberUid: backupmanager
>> memberUid: backuppc
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: sambaGroupMapping
>> sambaGroupType: 2
>> sambaSID: S-1-5-21-3199360825-2299538094-1836089394-551
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> ---------------- ldapsearch -h ldap2.dom.domain -xb
>> "ou=Groups,dc=dom,dc=domain" -W -D "cn=Manager,dc=dom,dc=domain"
>> cn="Domain Users"
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=Groups,dc=dom,dc=domain> with scope subtree
>> # filter: cn=Domain Users
>> # requesting: ALL
>> #
>>
>> # Domain Users, Groups, dom.domain
>> dn: cn=Domain Users,ou=Groups,dc=dom,dc=domain
>> cn: Domain Users
>> description: Domain Unix group
>> displayName: Domain Users
>> gidNumber: 513
>> memberUid: [...]
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: sambaGroupMapping
>> sambaGroupType: 2
>> sambaSID: S-1-5-21-3199360825-2299538094-1836089394-513
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> ldap2 is a DNS alias of ns1.
>>
>> ------------------------------- ping ldap2.dom.domain
>>
>> PING ns1.dom.domain (192.168.15.31) 56(84) bytes of data.
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=1 ttl=64
>> time=0.574 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=2 ttl=64
>> time=0.345 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=3 ttl=64
>> time=0.235 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=4 ttl=64
>> time=0.292 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=5 ttl=64
>> time=0.601 ms
>>
>> --- ns1.dom.domain ping statistics ---
>> 5 packets transmitted, 5 received, 0% packet loss, time 4056ms
>> rtt min/avg/max/mdev = 0.235/0.409/0.601/0.150 ms
>>
>> ------------------------------- ping ldap2
>>
>> PING ns1.dom.domain (192.168.15.31) 56(84) bytes of data.
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=1 ttl=64
>> time=0.451 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=2 ttl=64
>> time=0.677 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=3 ttl=64
>> time=0.356 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=4 ttl=64
>> time=0.296 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=5 ttl=64
>> time=0.479 ms
>>
>> --- ns1.dom.domain ping statistics ---
>> 5 packets transmitted, 5 received, 0% packet loss, time 4068ms
>> rtt min/avg/max/mdev = 0.296/0.451/0.677/0.133 ms
>>
>>
>> I have exhausted all my resources and on the internet the error
>> message is quite generic or an unmanaged error.
>>
>> *Philippe MALADJIAN
>> Responsable informatique | administrateur système*
>>
>>
>>
>>
>> On 06/09/2018 at 11:44, Rowland Penny via samba wrote:
>>> On Thu, 6 Sep 2018 11:08:21 +0200
>>> Philippe Maladjian via samba <samba at lists.samba.org> wrote:
>>>> Before the classicupgrade, can I change the rootdn on my ldap to
>>>> match my.domain and not domain.fr?
>>> I suppose you could try it, dump the entire ldap to an ldif,
>>> manually change all 'dc=domain,dc=fr' to 'dc=my,dc=domain'. You
>>> would then have to move the old ldap out of the way and add your
>>> new ldif to ldap. Change your smb.conf to match. This could sort
>>> your ldap problem (don't know, never tried it), not sure what you
>>> may have to do to Samba, or how you would do it, again because I
>>> have never tried to do this.
>>>
>>> Rowland
>>>
>>>
>>>
> I think this proves that the way you are trying to classicupgrade just
> doesn't work.
>
> If I remember correctly you want to use a new SID instead of the old
> SID, a new SID equals a new, different domain.
>
> Can I suggest you dump all the users into a file, then dump all the
> groups into another file, finally dump all the group memberships to
> another file.
>
> Provision a new domain, this will get you a new valid SID.
>
> Parse the three files for the Well Known SIDs and remove these.
>
> Write a script to parse the users file extracting the users name and
> password etc and use this to create a new user with samba-tool.
>
> Do the same for the groups and then the group memberships.
>
> You should end up with a new, fully functioning AD domain.
>
> If you can share an ldif from your PDC ldap with me, I am prepared to
> help you with this.
>
> Rowland
>
>
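Rowland's dump-and-recreate procedure, together with the two conditions the classicupgrade log reports (sambaSamAccount entries without a sambaSID, and SIDs under a different domain SID than the sambaDomain entry), as an added Python example that is not from this thread or from the Samba project. It assumes a plain ldapsearch or slapcat LDIF export of the ldapsam directory; the SAMPLE_LDIF entries are constructed (only the two domain SID prefixes are taken from the log quoted above), WELL_KNOWN_RID_MAX = 1000 is the conventional boundary below which RIDs are built-in, and the generated commands use the documented samba-tool user create, group add and group addmembers subcommands. NT password hashes cannot be carried over this way, so each user is created with a random password that must be changed at first logon.

```python
"""Check a Samba 3 ldapsam LDIF export and emit samba-tool commands for a fresh
domain. Added example for the thread above, not code from Samba or the poster."""
import base64
import re
import shlex

# RIDs below 1000 are well-known/built-in (512 Domain Admins, 513 Domain Users,
# 551 Backup Operators, ...); a freshly provisioned domain already has them.
WELL_KNOWN_RID_MAX = 1000

# Constructed sample export. Only the two domain SID prefixes mirror the log in
# the thread; the users and groups are invented.
SAMPLE_LDIF = """\
dn: sambaDomainName=DOM,dc=dom,dc=domain
objectClass: sambaDomain
sambaSID: S-1-5-21-3199360825-2299538094-1836089394

dn: uid=backuppc,ou=Users,dc=dom,dc=domain
objectClass: sambaSamAccount
uid: backuppc
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-3001

dn: uid=backupmanager,ou=Users,dc=dom,dc=domain
objectClass: sambaSamAccount
uid: backupmanager

dn: uid=alice,ou=Users,dc=dom,dc=domain
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-629504534-1699756358-2856581066-3658

dn: cn=Backup Operators,ou=Groups,dc=dom,dc=domain
objectClass: sambaGroupMapping
cn: Backup Operators
memberUid: backupmanager
memberUid: backuppc
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-551

dn: cn=staff,ou=Groups,dc=dom,dc=domain
objectClass: sambaGroupMapping
cn: staff
memberUid: alice
memberUid: backuppc
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-2401
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, folded lines joined,
    '::' base64 values decoded, every attribute kept as a list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and lines:      # folded continuation line
                lines[-1] += line[1:]
            else:
                lines.append(line)
        attrs = {}
        for line in lines:
            key, _, value = line.partition(":")
            if value.startswith(":"):               # "attr:: base64"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            attrs.setdefault(key.strip(), []).append(value.strip())
        entries.append(attrs)
    return entries


def domain_sid(entries):
    """The sambaDomain entry carries the SID every user/group SID must extend."""
    for e in entries:
        if "sambaDomain" in e.get("objectClass", []):
            return e["sambaSID"][0]
    raise ValueError("no sambaDomain entry in the export")


def check_sids(entries, dom_sid):
    """(dn, problem) pairs for the two conditions classicupgrade complains about."""
    problems = []
    for e in entries:
        oc = e.get("objectClass", [])
        if "sambaSamAccount" not in oc and "sambaGroupMapping" not in oc:
            continue
        sids = e.get("sambaSID")
        if not sids:
            problems.append((e["dn"][0], "missing sambaSID"))
        elif not sids[0].startswith(dom_sid + "-"):
            problems.append((e["dn"][0], "sid %s does not belong to our domain" % sids[0]))
    return problems


def is_well_known(entry):
    sids = entry.get("sambaSID")
    return bool(sids) and int(sids[0].rsplit("-", 1)[1]) < WELL_KNOWN_RID_MAX


def samba_tool_commands(entries):
    """Recreate users, then groups, then memberships; well-known RIDs are dropped."""
    cmds, groups = [], []
    for e in entries:
        oc = e.get("objectClass", [])
        if is_well_known(e):
            continue
        if "sambaSamAccount" in oc:
            cmds.append("samba-tool user create %s --random-password "
                        "--must-change-at-next-login" % shlex.quote(e["uid"][0]))
        elif "sambaGroupMapping" in oc:
            groups.append(e)
    for g in groups:
        cn = shlex.quote(g["cn"][0])
        cmds.append("samba-tool group add %s" % cn)
        if g.get("memberUid"):
            cmds.append("samba-tool group addmembers %s %s"
                        % (cn, shlex.quote(",".join(g["memberUid"]))))
    return cmds


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn, problem in check_sids(entries, domain_sid(entries)):
        print("PROBLEM %s: %s" % (dn, problem))
    print("\n".join(samba_tool_commands(entries)))
```

Run the check first and fix every reported entry in the directory (or drop it from the export) before feeding the generated commands to the new domain; on the sample, the user without a sambaSID and the user carrying the second domain SID are the ones flagged, and Backup Operators is skipped because RID 551 already exists in a provisioned domain.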