[Samba] Migration samba 3 to 4

Philippe Maladjian pmaladjian at hilaire.fr
Tue Sep 18 12:20:19 UTC 2018


Hello,

On my current installation Samba announces the domain dom.domain, Windows 
machines and users are registered on the domain dom.hilaire, and the root DN of my 
LDAP is dc=domain,dc=fr.

At first I tested a migration by cloning the VMs of my Samba 3 server and 
my LDAP. I moved these VMs out of the production network and 
validated that with a PC from my production network (once the network 
settings were changed) I could connect to the test domain.

Then I copied the smb.conf file and all the TDBs to the new Samba 4 
server. I started the migration procedure via samba-tool and got the error on 
the groups Domain Users and Backup Operators as well as the login error 
with my LDAP directory.

After some exchanges I exported my directory to an LDIF to change the 
root DN to dc=dom,dc=domain so that it corresponds to the Windows 
domain name. I re-imported everything into my directory.

When I restart the migration procedure with samba-tool I get the same 
error. As I have the same installation problem with the production 
version, I do not see any relationship with the SID. The Samba domain 
name does not change; it is only the root DN of my LDAP directory that I 
change before the migration.

Philippe MALADJIAN
IT manager | system administrator

On 18/09/2018 at 12:15, Rowland Penny via samba wrote:

> On Tue, 18 Sep 2018 11:30:04 +0200
> Philippe Maladjian via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I ran the test again, starting from scratch with the following
>> configuration, and I arrive at the same result.
>>
>> -------------------- smb.conf
>>
>> [global]
>>       netbios name = svdom
>>       server string = Gestionnaire de domaine
>>       workgroup = dom.domain
>>
>>       hosts allow = 192.168.15. 192.168.6. 10.0.7.
>>       security = user
>>       domain master = yes
>>       domain logons = yes
>>       prefered master = yes
>>       local master = yes
>>       os level = 252
>>       log level = 1
>>
>>       encrypt passwords = yes
>>       username map = /etc/samba/smbusers
>>       passdb expand explicit = no
>>
>>       add machine script = /usr/sbin/smbldap-useradd -w '%u'
>>       add user script = /usr/sbin/smbldap-useradd -a -m '%u'
>>       delete user script = /usr/sbin/smbldap-userdel -r '%u'
>>       add group script = /usr/sbin/smbldap-groupadd -g '%g'
>>       delete group script = /usr/sbin/smbldap-groupdel '%g'
>>       add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>>       delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>>       set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>>
>>       ldap admin dn = cn=Manager,dc=dom,dc=domain
>>       ldap suffix = dc=dom,dc=domain
>>       ldap passwd sync = yes
>>       ldap ssl = no
>>
>>       ldap user suffix = ou=Users
>>       ldap group suffix = ou=Groups
>>       ldap machine suffix = ou=Computers
>>       ldap idmap suffix = ou=Users
>>
>>       passdb backend = ldapsam:ldap://ldap2.dom.domain
>>       idmap backend = ldapsam:ldap://ldap2.dom.domain
>>
>>       nt acl support = yes
>>       map untrusted to domain = yes
>>
>>       wins support = yes
>>       wins proxy = no
>>       dns proxy = yes
>>       name resolve order = wins lmhosts bcast
>>       interfaces = eth* lo
>>       bind interfaces only = yes
>>       time server = yes
>>       socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
>>
>>       lock directory = /var/lib/samba
>>       log file = /var/log/samba/users/log-%U.log
>>
>>       veto oplock files = /*.mdb/*.doc/*.xls/*.ppt/*.FIC/*.NDX/*.xlsx/
>>       guest account = nobody
>>
>>       logon script = %G.bat
>>       logon path = \\svdom\profiles\%U
>>
>>       load printers = no
>>       printcap name = /dev/null
>>       printcap cache time = 0
>>       idmap uid = 16777216-33554431
>>       idmap gid = 16777216-33554431
>>       template shell = /bin/false
>>       winbind use default domain = no
>>
>> [share...]
>>
>> -------------------------------- samba-tool domain classicupgrade
>> samba-tool domain classicupgrade --dbdir=/root/samba3/dbdir/ --realm=dom.domain --dns-backend=SAMBA_INTERNAL /root/samba3/etc/smb.conf -d 10
>> INFO: Current debug levels:
>>     all: 10
>>     tdb: 10
>>     printdrivers: 10
>>     lanman: 10
>>     smb: 10
>>     rpc_parse: 10
>>     rpc_srv: 10
>>     rpc_cli: 10
>>     passdb: 10
>>     sam: 10
>>     auth: 10
>>     winbind: 10
>>     vfs: 10
>>     idmap: 10
>>     quota: 10
>>     acls: 10
>>     locking: 10
>>     msdfs: 10
>>     dmapi: 10
>>     registry: 10
>>     scavenger: 10
>>     dns: 10
>>     ldb: 10
>>     tevent: 10
>> lpcfg_load: refreshing parameters from /etc/samba/smb.conf
>> Processing section "[global]"
>> WARNING: The "syslog" option is deprecated
>> Processing section "[homes]"
>> Processing section "[printers]"
>> Processing section "[print$]"
>> pm_process() returned Yes
>> Reading smb.conf
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
>> Processing section "[global]"
>> doing parameter netbios name = svct02
>> doing parameter server string = Gestionnaire de domaine
>> doing parameter workgroup = dom.domain
>> doing parameter hosts allow = 192.168.15. 192.168.6. 10.0.7.
>> doing parameter security = user
>> doing parameter domain master = yes
>> doing parameter domain logons = yes
>> doing parameter prefered master = yes
>> doing parameter local master = yes
>> doing parameter os level = 252
>> doing parameter log level = 1
>> WARNING: The "idmap backend" option is deprecated
>> WARNING: The "idmap uid" option is deprecated
>> WARNING: The "idmap gid" option is deprecated
>> Provisioning
>> Exporting account policy
>> Exporting groups
>> Severe DB error, sambaSamAccount can't miss the samba SIDattribute
>> Ignoring group 'Backup Operators'
>> S-1-5-21-3199360825-2299538094-1836089394-551 listed but then not
>> found: Unable to enumerate group members, (-1073741596,This error
>> indicates that the requested operation cannot be completed due to a
>> catastrophic media failure or an on-disk data structure corruption.)
>> Severe DB error, sambaSamAccount can't miss the samba SIDattribute
>> Ignoring group 'Domain Users'
>> S-1-5-21-3199360825-2299538094-1836089394-513 listed but then not
>> found: Unable to enumerate group members, (-1073741596,This error
>> indicates that the requested operation cannot be completed due to a
>> catastrophic media failure or an on-disk data structure corruption.)
>> Exporting users
>> sid S-1-5-21-629504534-1699756358-2856581066-3658 does not belong to
>> our domain
>> sid S-1-5-21-629504534-1699756358-2856581066-3632 does not belong to
>> our domain
>>     Fixing account svimp02$ which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set.  Account will be marked as ACB_WSTRUST (W), i.e. as a domain member
>> Skipping wellknown rid=501 (for username=nobody)
>> Next rid = 3867
>> Failed to connect to ldap URL 'ldap://ldap2.dom.domain' - LDAP client
>> internal error: NT_STATUS_BAD_NETWORK_NAME
>> Failed to connect to 'ldap://ldap2.dom.domain' with backend 'ldap':
>> LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
>> exception - ProvisioningError: Could not open ldb connection to
>> ldap://ldap2.dom.domain, the error message is: (1, 'LDAP client
>> internal error: NT_STATUS_BAD_NETWORK_NAME')
>>     File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
>> line 176, in _run
>>       return self.run(*args, **kwargs)
>>     File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py",
>> line 1566, in run
>>       useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>     File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line
>> 671, in upgrade_from_samba3
>>       raise ProvisioningError("Could not open ldb connection to %s,
>> the error message is: %s" % (url, e))
>>
>> ------------- ldapsearch -h ldap2.dom.domain -xb "ou=Groups,dc=dom,dc=domain" -W -D "cn=Manager,dc=dom,dc=domain" cn="Backup Operators"
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=Groups,dc=dom,dc=domain> with scope subtree
>> # filter: cn=Backup Operators
>> # requesting: ALL
>> #
>>
>> # Backup Operators, Groups, dom.domain
>> dn: cn=Backup Operators,ou=Groups,dc=dom,dc=domain
>> cn: Backup Operators
>> description: Domain Unix group
>> displayName: Backup Operators
>> gidNumber: 551
>> memberUid: backupmanager
>> memberUid: backuppc
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: sambaGroupMapping
>> sambaGroupType: 2
>> sambaSID: S-1-5-21-3199360825-2299538094-1836089394-551
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> ---------------- ldapsearch -h ldap2.dom.domain -xb "ou=Groups,dc=dom,dc=domain" -W -D "cn=Manager,dc=dom,dc=domain" cn="Domain Users"
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=Groups,dc=dom,dc=domain> with scope subtree
>> # filter: cn=Domain Users
>> # requesting: ALL
>> #
>>
>> # Domain Users, Groups, dom.domain
>> dn: cn=Domain Users,ou=Groups,dc=dom,dc=domain
>> cn: Domain Users
>> description: Domain Unix group
>> displayName: Domain Users
>> gidNumber: 513
>> memberUid: [...]
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: sambaGroupMapping
>> sambaGroupType: 2
>> sambaSID: S-1-5-21-3199360825-2299538094-1836089394-513
>>
>> # search result
>> search: 2
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> ldap2 is a DNS alias of ns1.
>>
>> ------------------------------- ping ldap2.dom.domain
>>
>> PING ns1.dom.domain (192.168.15.31) 56(84) bytes of data.
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=1 ttl=64
>> time=0.574 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=2 ttl=64
>> time=0.345 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=3 ttl=64
>> time=0.235 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=4 ttl=64
>> time=0.292 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=5 ttl=64
>> time=0.601 ms
>>
>> --- ns1.dom.domain ping statistics ---
>> 5 packets transmitted, 5 received, 0% packet loss, time 4056ms
>> rtt min/avg/max/mdev = 0.235/0.409/0.601/0.150 ms
>>
>> ------------------------------- ping ldap2
>>
>> PING ns1.dom.domain (192.168.15.31) 56(84) bytes of data.
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=1 ttl=64
>> time=0.451 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=2 ttl=64
>> time=0.677 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=3 ttl=64
>> time=0.356 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=4 ttl=64
>> time=0.296 ms
>> 64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=5 ttl=64
>> time=0.479 ms
>>
>> --- ns1.dom.domain ping statistics ---
>> 5 packets transmitted, 5 received, 0% packet loss, time 4068ms
>> rtt min/avg/max/mdev = 0.296/0.451/0.677/0.133 ms
>>
>>
>> I have exhausted all my resources, and on the internet the error
>> message is either quite generic or an unhandled error.
>>
>> Philippe MALADJIAN
>> IT manager | system administrator
>>
>>
>>
>> On 06/09/2018 at 11:44, Rowland Penny via samba wrote:
>>> On Thu, 6 Sep 2018 11:08:21 +0200
>>> Philippe Maladjian via samba <samba at lists.samba.org> wrote:
>>>> Before the classicupgrade, can I change the rootdn on my LDAP to
>>>> match my.domain and not domain.fr?
>>> I suppose you could try it, dump the entire ldap to an ldif,
>>> manually change all 'dc=domain,dc=fr' to 'dc=my,dc=domain'. You
>>> would then have to move the old ldap out of the way and add your
>>> new ldif to ldap. Change your smb.conf to match. This could sort
>>> your ldap problem (don't know, never tried it), not sure what you
>>> may have to do to Samba, or how you would do it, again because I
>>> have never tried to do this.
>>>
>>> Rowland
>>>    
>>>
>>>
> I think this proves that the way you are trying to classicupgrade just
> doesn't work.
>
> If I remember correctly you want to use a new SID instead of the old
> SID, a new SID equals a new, different domain.
>
> Can I suggest you dump all the users into a file, then dump all the
> groups into another file, finally dump all the group memberships to
> another file.
>
> Provision a new domain, this will get you a new valid SID.
>
> Parse the three files for the Well Known SIDs and remove these.
>
> Write a script to parse the users file extracting the users name and
> password etc and use this to create a new user with samba-tool.
>
> Do the same for the groups and then the group memberships.
>
> You should end up with a new, fully functioning AD domain.
>
> If you can share an ldif from your PDC ldap with me, I am prepared to
> help you with this.
>
> Rowland
>
>
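An added example, not code from the thread or from the Samba project: a Python script that audits an ldapsam LDIF export for the two conditions the classicupgrade log above names (sambaSamAccount entries that carry no sambaSID attribute, and SIDs that are not in the domain's SID) and then emits the samba-tool commands for the recreate-in-a-new-domain plan Rowland describes, in the order users, groups, memberships, with well-known RIDs and machine accounts skipped. The domain SID is the one printed in the log; the LDIF sample, its DNs and account names are constructed. The samba-tool options used (`user create --random-password --uid-number --gid-number`, `group add --gid-number`, `group addmembers`) are assumed to exist on the target version and should be checked against `samba-tool user create --help` there; the script only produces the command strings, it does not run them.

```python
import base64
import re
import shlex

DOMAIN_SID = "S-1-5-21-3199360825-2299538094-1836089394"  # domain SID seen in the classicupgrade log
WELL_KNOWN_MAX_RID = 1000  # RIDs 512, 513, 551... are well-known; provisioning recreates them

# Constructed sample export (not the poster's directory): a normal user, a sambaSamAccount
# without sambaSID, a user stamped with a foreign domain SID, a well-known group and an
# ordinary group that lists a machine account among its members.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=dom,dc=domain
objectClass: sambaSamAccount
uid: alice
uidNumber: 16777301
gidNumber: 513
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-3602

dn: uid=nosid,ou=Users,dc=dom,dc=domain
objectClass: sambaSamAccount
uid: nosid

dn: uid=stray,ou=Users,dc=dom,dc=domain
objectClass: sambaSamAccount
uid: stray
sambaSID: S-1-5-21-629504534-1699756358-2856581066-3658

dn: cn=Backup Operators,ou=Groups,dc=dom,dc=domain
objectClass: sambaGroupMapping
cn: Backup Operators
displayName:: QmFja3VwIE9wZXJhdG9ycw==
gidNumber: 551
memberUid: alice
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-551

dn: cn=backupadmins,ou=Groups,dc=dom,dc=domain
objectClass: sambaGroupMapping
cn: backupadmins
gidNumber: 16777400
memberUid: alice
memberUid: nosid
memberUid: svimp02$
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-3605
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, decode '::' base64 values,
    return one {attribute: [values]} dict per entry (the DN is stored under 'dn')."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#"):  # ldapsearch output carries comment lines
                continue
            key, _, val = line.partition(":")
            val = base64.b64decode(val[1:].strip()).decode() if val.startswith(":") else val.strip()
            entry.setdefault(key, []).append(val)
        entries.append(entry)
    return entries

def usable(entry, domain_sid):
    """True when the entry's SID is in domain_sid and its RID is not well-known."""
    sid = entry.get("sambaSID", [None])[0]
    return sid is not None and sid.startswith(domain_sid + "-") and int(sid.rsplit("-", 1)[1]) >= WELL_KNOWN_MAX_RID

def audit(entries, domain_sid=DOMAIN_SID):
    """DNs with no sambaSID (the "can't miss the samba SIDattribute" condition) and
    DNs whose SID is from another domain ("does not belong to our domain")."""
    missing, foreign = [], []
    for e in entries:
        oc = e.get("objectClass", [])
        if "sambaSamAccount" not in oc and "sambaGroupMapping" not in oc:
            continue
        sid = e.get("sambaSID", [None])[0]
        if sid is None:
            missing.append(e["dn"][0])
        elif not sid.startswith(domain_sid + "-"):
            foreign.append(e["dn"][0])
    return missing, foreign

def plan_commands(entries, domain_sid=DOMAIN_SID):
    """samba-tool commands for a freshly provisioned domain: users, groups, then memberships.
    Unusable entries and machine accounts ($) are skipped; sambaNTPassword hashes cannot be
    imported this way, so users get a random password that must be reset before first use."""
    users = [e for e in entries if "sambaSamAccount" in e.get("objectClass", [])
             and usable(e, domain_sid) and not e["uid"][0].endswith("$")]
    names = {e["uid"][0] for e in users}
    user_cmds = [f"samba-tool user create {shlex.quote(e['uid'][0])} --random-password "
                 f"--uid-number={e['uidNumber'][0]} --gid-number={e['gidNumber'][0]}" for e in users]
    group_cmds, member_cmds = [], []
    for e in entries:
        if "sambaGroupMapping" not in e.get("objectClass", []) or not usable(e, domain_sid):
            continue
        cn = shlex.quote(e["cn"][0])  # names such as "Backup Operators" need shell quoting
        group_cmds.append(f"samba-tool group add {cn} --gid-number={e['gidNumber'][0]}")
        keep = [m for m in e.get("memberUid", []) if m in names]  # drop members that were not recreated
        if keep:
            member_cmds.append(f"samba-tool group addmembers {cn} {','.join(keep)}")
    return user_cmds, group_cmds, member_cmds
```

Run `audit()` on the real export first: every DN it lists is one classicupgrade will either abort on or skip, so fix or drop those entries before generating commands. `plan_commands()` then gives three lists that map onto the three files in the plan above; review them before piping into a shell on the new DC, and reset each recreated user's password with `samba-tool user setpassword` since the NT hashes are not carried over.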

