[Samba] Classicupgrade failure

Andrea Venturoli ml at netfence.it
Wed Jun 26 14:28:10 UTC 2019


I've still got a couple of NT domains and I'd like to upgrade them to 
AD. In the past few days I had a chance to try to migrate one of them, but I 
ran into trouble and had to go back. I don't know when I'll have the 
chance to try again (probably not for some months), but I need to 
understand what went wrong before that.

The starting situation: Samba 4.8 running as AD and fileserver on 
FreeBSD 11.2/amd64 (base) with smbpasswd backend.

Relevant smb.conf lines:
> [global]
>         workgroup = XXXXXXXXXXXX
>         server string = XXXX
>         security = user
>         encrypt passwords = yes
>         os level = 255
>         local master = yes
>         domain master = yes
>         preferred master = yes
>         domain logons = yes
>         wins support = yes
>         wins proxy = yes
>         dns proxy = yes
>         logon script=netlogon.cmd
>         unix password sync=no
>         time server = Yes
>         map archive = No
>         vfs objects=audit
>         audit:facility=LOCAL7
>         audit:priority=INFO
>         passdb backend=smbpasswd:/var/db/samba4/private/smbpasswd
>         lanman auth=yes

All users are listed in /etc/passwd (and of course in 

Sample pdbedit -Lv:
> Unix username:        xxxxxxxx
> NT username:          
> Account Flags:        [UX         ]
> User SID:             S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-3010
> Full Name:            Xxxxxxxx
> Home Directory:       \\XXXX\xxxxxxxx
> HomeDir Drive:        
> Logon Script:         netlogon.cmd
> Profile Path:         \\xxxx\xxxxxxxx\profile
> Domain:               XXXXXXXXXXXX
> Account desc:         
> Workstations:         
> Munged dial:          
> Logon time:           0
> Logoff time:          never
> Kickoff time:         never
> Password last set:    Mon, 22 Dec 2014 10:05:58 CET
> Password can change:  Mon, 22 Dec 2014 10:05:58 CET
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0

Notice that a lot of non-domain users (like root, nobody, operator, etc.) 
are also listed.

The same user above in /etc/passwd:
> xxxxxxxx:*:1005:1001:Xxxxxxxx:/home/xxxxxxxx:/sbin/nologin
And in /var/db/samba4/private:

Goal: I want to create a jail with Samba (still 4.8) which will operate 
solely as AD DC. Base's jail will be (for now) reconfigured as a domain 
(I've done this more than once in other networks).

So I followed the "Migrating a Samba NT4 Domain to Samba AD (Classic 
Upgrade)" document.

Skipping the LDAP section, I checked and removed duplicate SIDs.
"net groupmap list" shows nothing.

The docs say to copy secrets.tdb, schannel_store.tdb, 
gencache_notrans.tdb, group_mapping.tdb and account_policy.tdb, which I did.
They also say to copy passdb.tdb, but I don't have this!!!
I copied smbpasswd instead: I don't know if this was needed or useful.

In any case, I tried running:
samba-tool domain classicupgrade --dbdir=/root/olddb/ \
    --realm=local.xxxxxxxxxxxxxxx.it --dns-backend=SAMBA_INTERNAL \
    /usr/local/etc/smb.PDC.conf --option="vfs objects = acl_xattr" \
    --option="acl_xattr:ignore system acls = yes"

> Reading smb.conf
> Provisioning
> Exporting account policy
> Exporting groups
> Exporting users
> Next rid = 1000
> Exporting posix attributes
> Reading WINS database
> Cannot open wins database, Ignoring: [Errno 2] No such file or directory: '/root/olddb/wins.dat'
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
> Adding DomainDN: DC=local,DC=xxxxxxxxxxxxxxx,DC=it
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers and extended rights
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Setting acl on sysvol skipped
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=local,DC=xxxxxxxxxxxxxxx,DC=it
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba AD has been generated at /var/db/samba4/private/krb5.conf
> Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> Setting up fake yp server settings
> Once the above files are installed, your Samba AD server will be ready to use
> Admin password:        xxxxxxxxxxxxxxxxxxxxxx
> Server Role:           active directory domain controller
> Hostname:              dc1
> NetBIOS Domain:        XXXXXXXXXXXX
> DNS Domain:            local.xxxxxxxxxxxxxxx.it
> Importing WINS database
> Importing Account policy
> Importing idmap database
> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
> Adding groups
> Importing groups
> Committing 'add groups' transaction to disk
> Adding users
> Importing users
> Committing 'add users' transaction to disk
> Adding users to groups
> Committing 'add users to groups' transaction to disk

There are a couple of warnings here: I don't know how severe they are.

The thing is, none of my NT domain users have been imported!!!
Does this have something to do with the missing passdb.tdb?

How should I solve this?

  bye & Thanks

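The following is an added example, not code from the original post or from the Samba project: a pre-flight consistency check that a practitioner would run over the smbpasswd file named in "passdb backend" and /etc/passwd before a classicupgrade, to list accounts that are disabled, lack a POSIX entry, have a UID that disagrees with /etc/passwd, share a UID, are machine or interdomain trust accounts, or are system accounts that ended up in the passdb. The smbpasswd layout (user:uid:LM:NT:[flags]:LCT-hex:) and the flag letters U, D, N, W, I are the standard Samba format; the sample data is constructed, the hash fields are all-X placeholders rather than real credentials, and the 999 system-UID ceiling is an assumption to adjust for the site.

```python
"""Pre-flight consistency check of an smbpasswd file against /etc/passwd.

Added example (constructed data, not from the original post). Reports
(username, issue) pairs so the list can be reviewed before migrating.
"""
import re
from typing import Dict, List, Tuple

# Standard smbpasswd line: user:uid:LM_HASH:NT_HASH:[flags]:LCT-hex:
# Hash fields are 32 characters (hex, "X" padding, or the NO PASSWORD marker).
SMBPASSWD_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<uid>\d+):(?P<lm>[^:]{32}):(?P<nt>[^:]{32}):"
    r"\[(?P<flags>[^\]]*)\]:LCT-(?P<lct>[0-9A-Fa-f]{8}):"
)

DUMMY = "X" * 32  # placeholder hash field, deliberately not a real credential

# Constructed sample smbpasswd content (assumed, not the poster's file).
SAMPLE_SMBPASSWD = "\n".join([
    f"alice:1005:{DUMMY}:{DUMMY}:[U          ]:LCT-54979E16:",
    f"bob:1006:{DUMMY}:{DUMMY}:[UD         ]:LCT-54979E16:",
    f"ghost:1007:{DUMMY}:{DUMMY}:[U          ]:LCT-54979E16:",
    f"carol:1008:{DUMMY}:{DUMMY}:[U          ]:LCT-54979E16:",
    f"alice2:1005:{DUMMY}:{DUMMY}:[U          ]:LCT-54979E16:",
    f"PC01$:1100:{DUMMY}:{DUMMY}:[W          ]:LCT-54979E16:",
    f"root:0:{DUMMY}:{DUMMY}:[U          ]:LCT-00000000:",
]) + "\n"

# Constructed sample /etc/passwd content in the FreeBSD layout shown in the post.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/sh
alice:*:1005:1001:Alice:/home/alice:/sbin/nologin
bob:*:1006:1001:Bob:/home/bob:/sbin/nologin
carol:*:1009:1001:Carol:/home/carol:/sbin/nologin
"""


def parse_smbpasswd(text: str) -> Dict[str, dict]:
    """Parse smbpasswd lines into {user: {uid, flags, lct}}; hashes are discarded."""
    entries: Dict[str, dict] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = SMBPASSWD_RE.match(line)
        if not m:
            raise ValueError(f"smbpasswd line {lineno}: unparseable entry")
        entries[m["user"]] = {
            "uid": int(m["uid"]),
            "flags": set(m["flags"].replace(" ", "")),
            "lct": int(m["lct"], 16),  # last change time, seconds since epoch
        }
    return entries


def parse_passwd(text: str) -> Dict[str, int]:
    """Parse /etc/passwd into {user: uid}."""
    users: Dict[str, int] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"passwd line {lineno}: expected 7 fields")
        users[fields[0]] = int(fields[2])
    return users


def check(smb: Dict[str, dict], passwd: Dict[str, int],
          system_uid_max: int = 999) -> List[Tuple[str, str]]:
    """Return (user, issue) findings; an account with no findings looks migratable."""
    findings: List[Tuple[str, str]] = []
    seen_uids: Dict[int, str] = {}
    for user, e in smb.items():
        flags, uid = e["flags"], e["uid"]
        if "W" in flags or "I" in flags or user.endswith("$"):
            findings.append((user, "trust account (machine/interdomain), not a user"))
        if "D" in flags:
            findings.append((user, "account disabled in passdb"))
        if "N" in flags:
            findings.append((user, "no password required"))
        if user not in passwd:
            findings.append((user, "no /etc/passwd entry"))
        elif passwd[user] != uid:
            findings.append((user, f"uid mismatch: smbpasswd {uid} vs passwd {passwd[user]}"))
        if uid <= system_uid_max:
            findings.append((user, "system account present in passdb"))
        if uid in seen_uids:
            findings.append((user, f"duplicate uid {uid} shared with {seen_uids[uid]}"))
        else:
            seen_uids[uid] = user
    return findings


def run_sample() -> List[Tuple[str, str]]:
    """Run the check over the constructed sample data."""
    return check(parse_smbpasswd(SAMPLE_SMBPASSWD), parse_passwd(SAMPLE_PASSWD))


if __name__ == "__main__":
    for user, issue in run_sample():
        print(f"{user:10s} {issue}")
```

To run it against real files, read the smbpasswd path from the "passdb backend" line and /etc/passwd instead of the sample strings; the parser never keeps the hash fields, so the report can be shared without exposing credentials.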