[Samba] Classicupgrade failure
Andrea Venturoli
ml at netfence.it
Wed Jun 26 14:28:10 UTC 2019
Hello.
I've still got a couple of NT domains and I'd like to upgrade them to
AD. These days I had a chance to try to migrate one of them, but I
ran into trouble and had to go back. I don't know when I'll have the
chance to try again (probably not for some months), but I need to
understand what went wrong before that.
The starting situation: Samba 4.8 running as AD and fileserver on
FreeBSD 11.2/amd64 (base) with smbpasswd backend.
Relevant smb.conf lines:
> [global]
> workgroup = XXXXXXXXXXXX
> server string = XXXX
> security = user
> encrypt passwords = yes
> os level = 255
> local master = yes
> domain master = yes
> preferred master = yes
> domain logons = yes
> wins support = yes
> wins proxy = yes
> dns proxy = yes
> logon script=netlogon.cmd
> unix password sync=no
> time server = Yes
> map archive = No
> vfs objects=audit
> audit:facility=LOCAL7
> audit:priority=INFO
> passdb backend=smbpasswd:/var/db/samba4/private/smbpasswd
> lanman auth=yes
All users are listed in /etc/passwd (and of course in
/var/db/samba4/private/smbpasswd).
Sample pdbedit -Lv:
> Unix username: xxxxxxxx
> NT username:
> Account Flags: [UX ]
> User SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-3010
> Primary Group SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-513
> Full Name: Xxxxxxxx
> Home Directory: \\XXXX\xxxxxxxx
> HomeDir Drive:
> Logon Script: netlogon.cmd
> Profile Path: \\xxxx\xxxxxxxx\profile
> Domain: XXXXXXXXXXXX
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: never
> Kickoff time: never
> Password last set: Mon, 22 Dec 2014 10:05:58 CET
> Password can change: Mon, 22 Dec 2014 10:05:58 CET
> Password must change: never
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Notice that a lot of non-domain users (like root, nobody, operator, etc.)
are also listed.
The same user above in /etc/passwd:
> xxxxxxxx:*:1005:1001:Xxxxxxxx:/home/xxxxxxxx:/sbin/nologin
And in /var/db/samba4/private:
> xxxxxxxx:1005:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX ]:LCT-5497DEF6:
Goal: I want to create a jail with Samba (still 4.8) which will operate
solely as an AD DC. Base's jail will be (for now) reconfigured as a domain
member.
(I've done this more than once in other networks.)
So I followed the "Migrating a Samba NT4 Domain to Samba AD (Classic
Upgrade)" document.
Skipping the LDAP section, I checked and removed duplicate SIDs.
"net groupmap list" shows nothing.
The docs say to copy secrets.tdb, schannel_store.tdb,
gencache_notrans.tdb, group_mapping.tdb and account_policy.tdb, which I did.
They also say to copy passdb.tdb, but I don't have this!!!
I copied smbpasswd instead; I don't know if this was needed or useful.
In any case, I tried running:
samba-tool domain classicupgrade --dbdir=/root/olddb/
--realm=local.xxxxxxxxxxxxxxx.it --dns-backend=SAMBA_INTERNAL
/usr/local/etc/smb.PDC.conf --option="vfs objects = acl_xattr"
--option="acl_xattr:ignore system acls = yes"
> Reading smb.conf
> Provisioning
> Exporting account policy
> Exporting groups
> Exporting users
> Next rid = 1000
> Exporting posix attributes
> Reading WINS database
> Cannot open wins database, Ignoring: [Errno 2] No such file or directory: '/root/olddb/wins.dat'
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
>
> Adding DomainDN: DC=local,DC=xxxxxxxxxxxxxxx,DC=it
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers and extended rights
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Setting acl on sysvol skipped
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=local,DC=xxxxxxxxxxxxxxx,DC=it
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba AD has been generated at /var/db/samba4/private/krb5.conf
> Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> Setting up fake yp server settings
> Once the above files are installed, your Samba AD server will be ready to use
> Admin password: xxxxxxxxxxxxxxxxxxxxxx
> Server Role: active directory domain controller
> Hostname: dc1
> NetBIOS Domain: XXXXXXXXXXXX
> DNS Domain: local.xxxxxxxxxxxxxxx.it
> DOMAIN SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXX
> Importing WINS database
> Importing Account policy
> Importing idmap database
> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
> Adding groups
> Importing groups
> Committing 'add groups' transaction to disk
> Adding users
> Importing users
> Committing 'add users' transaction to disk
> Adding users to groups
> Committing 'add users to groups' transaction to disk
There are a couple of warnings here: I don't know how severe they are.
The thing is, none of my NT domain users have been imported!!!
Does this have something to do with the missing passdb.tdb?
How should I solve this?
bye & Thanks
av.
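An added check, not part of the post above: a small Python script that parses an smbpasswd file in the format shown in the post (username:uid:LM:NT:[flags]:LCT-hex:), decodes the LCT field, works out which entries should come through a classicupgrade as domain users, and diffs them against the output of `samba-tool user list` on the new DC. The sample data, user names and the assumption that disabled accounts are still imported are constructed for the example.

```python
"""Post-classicupgrade sanity check for an smbpasswd-backed NT4 domain.

The post's LCT-5497DEF6 decodes to Unix time 1419239158, i.e. 22 Dec 2014
09:05:58 UTC, which is exactly its 'Password last set: 10:05:58 CET'.
"""
from datetime import datetime, timezone


def parse_smbpasswd(text):
    """Return one dict per smbpasswd line; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 6:
            raise ValueError("malformed smbpasswd line: %r" % line)
        entries.append({"user": f[0], "uid": int(f[1]), "lm": f[2], "nt": f[3],
                        "flags": set(f[4].strip("[] ")), "lct": f[5]})
    return entries


def parse_lct(field):
    """'LCT-5497DEF6' -> Unix time of the last password change (hex seconds)."""
    if not field.startswith("LCT-"):
        raise ValueError("not an LCT field: %r" % field)
    return int(field[4:], 16)


def domain_users(entries):
    """Accounts the upgrade should import as users: flag U, and neither W
    (workstation trust) nor I (interdomain trust).  Assumption: D (disabled)
    accounts are imported too, just left disabled in AD."""
    return sorted(e["user"] for e in entries
                  if "U" in e["flags"] and not e["flags"] & {"W", "I"})


def missing_users(entries, ad_user_list):
    """Users present in smbpasswd but absent from `samba-tool user list` output."""
    imported = {l.strip() for l in ad_user_list.splitlines() if l.strip()}
    return [u for u in domain_users(entries) if u not in imported]


# Constructed sample in the post's format; hashes are placeholders, not real.
SAMPLE_SMBPASSWD = """\
alice:1005:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:[UX         ]:LCT-5497DEF6:
bob:1006:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:[UD         ]:LCT-5497DEF6:
pc01$:1100:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:[W          ]:LCT-5497DEF6:
"""
SAMPLE_AD_USERS = "Administrator\nkrbtgt\nGuest\n"  # what an empty import looks like

if __name__ == "__main__":
    ents = parse_smbpasswd(SAMPLE_SMBPASSWD)
    print("expected:", domain_users(ents))
    print("missing:", missing_users(ents, SAMPLE_AD_USERS))
    print("last set:", datetime.fromtimestamp(parse_lct(ents[0]["lct"]), timezone.utc))
```

On a real box, feed it the copied smbpasswd file and the output of `samba-tool user list` from the new DC instead of the constructed samples.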