[Samba] Classicupgrade failure
rpenny at samba.org
Wed Jun 26 14:50:35 UTC 2019
On 26/06/2019 15:28, Andrea Venturoli via samba wrote:
> I've still got a couple of NT domains and I'd like to upgrade them to
> AD. In these days I had a chance to try to migrate one of them, but I
> ran into troubles and had to go back. I don't know when I'll have the
> chance to try again (probably not before some months), but I need to
> understand what went wrong before that.
> The starting situation: Samba 4.8 running as AD and fileserver on
> FreeBSD 11.2/amd64 (base) with smbpasswd backend.
> Relevant smb.conf lines:
>> workgroup = XXXXXXXXXXXX
>> server string = XXXX
>> security = user
>> encrypt passwords = yes
>> os level = 255
>> local master = yes
>> domain master = yes
>> preferred master = yes
>> domain logons = yes
>> wins support = yes
>> wins proxy = yes
>> dns proxy = yes
>> logon script=netlogon.cmd
>> unix password sync=no
>> time server = Yes
>> map archive = No
>> vfs objects=audit
>> passdb backend=smbpasswd:/var/db/samba4/private/smbpasswd
>> lanman auth=yes
> All users are listed in /etc/passwd (and of course in
> Sample pdbedit -Lv:
>> Unix username: xxxxxxxx
>> NT username: Account Flags: [UX ]
>> User SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-3010
>> Primary Group SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-513
>> Full Name: Xxxxxxxx
>> Home Directory: \\XXXX\xxxxxxxx
>> HomeDir Drive: Logon Script: netlogon.cmd
>> Profile Path: \\xxxx\xxxxxxxx\profile
>> Domain: XXXXXXXXXXXX
>> Account desc: Workstations: Munged dial:
>> Logon time: 0
>> Logoff time: never
>> Kickoff time: never
>> Password last set: Mon, 22 Dec 2014 10:05:58 CET
>> Password can change: Mon, 22 Dec 2014 10:05:58 CET
>> Password must change: never
>> Last bad password : 0
>> Bad password count : 0
>> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
> Notice that a lot of non-domain users (like root, nobody, operator, etc.)
> are also listed.
> The same user above in /etc/passwd:
> And in /var/db/samba4/private:
> Goal: I want to create a jail with Samba (still 4.8) which will
> operate solely as AD DC. Base's jail will be (for now) reconfigured as
> a domain member.
> (I've done this more than once in other networks).
> So I followed the "Migrating a Samba NT4 Domain to Samba AD (Classic
> Upgrade)" document.
> Skipping the LDAP section, I checked and removed duplicate SIDs.
> "net groupmap list" shows nothing.
> The docs say to copy secrets.tdb, schannel_store.tdb,
> gencache_notrans.tdb, group_mapping.tdb and account_policy.tdb, which
> I did.
> It also says to copy passdb.tdb, but I don't have this!!!
> I copied smbpasswd instead: I don't know if this was needed or useful.
> In any case, I tried running:
> samba-tool domain classicupgrade --dbdir=/root/olddb/
> --realm=local.xxxxxxxxxxxxxxx.it --dns-backend=SAMBA_INTERNAL
> /usr/local/etc/smb.PDC.conf --option="vfs objects = acl_xattr"
> --option="acl_xattr:ignore system acls = yes"
>> Reading smb.conf
>> Exporting account policy
>> Exporting groups
>> Exporting users
>> Next rid = 1000
>> Exporting posix attributes
>> Reading WINS database
>> Cannot open wins database, Ignoring: [Errno 2] No such file or
>> directory: '/root/olddb/wins.dat'
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> No IPv6 address will be assigned
>> Setting up secrets.ldb
>> Setting up the registry
>> Setting up the privileges database
>> Setting up idmap db
>> Setting up SAM db
>> Setting up sam.ldb partitions and settings
>> Setting up sam.ldb rootDSE
>> Pre-loading the Samba 4 and AD schema
>> Unable to determine the DomainSID, can not enforce uniqueness
>> constraint on local domainSIDs
>> Adding DomainDN: DC=local,DC=xxxxxxxxxxxxxxx,DC=it
>> Adding configuration container
>> Setting up sam.ldb schema
>> Setting up sam.ldb configuration data
>> Setting up display specifiers
>> Modifying display specifiers and extended rights
>> Adding users container
>> Modifying users container
>> Adding computers container
>> Modifying computers container
>> Setting up sam.ldb data
>> Setting up well known security principals
>> Setting up sam.ldb users and groups
>> Setting up self join
>> Setting acl on sysvol skipped
>> Adding DNS accounts
>> Creating CN=MicrosoftDNS,CN=System,DC=local,DC=xxxxxxxxxxxxxxx,DC=it
>> Creating DomainDnsZones and ForestDnsZones partitions
>> Populating DomainDnsZones and ForestDnsZones partitions
>> Setting up sam.ldb rootDSE marking as synchronized
>> Fixing provision GUIDs
>> A Kerberos configuration suitable for Samba AD has been generated at
>> Merge the contents of this file with your system krb5.conf or replace
>> it with this one. Do not create a symlink!
>> Setting up fake yp server settings
>> Once the above files are installed, your Samba AD server will be
>> ready to use
>> Admin password: xxxxxxxxxxxxxxxxxxxxxx
>> Server Role: active directory domain controller
>> Hostname: dc1
>> NetBIOS Domain: XXXXXXXXXXXX
>> DNS Domain: local.xxxxxxxxxxxxxxx.it
>> DOMAIN SID: S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXX
>> Importing WINS database
>> Importing Account policy
>> Importing idmap database
>> Cannot open idmap database, Ignoring: [Errno 2] No such file or
>> Adding groups
>> Importing groups
>> Committing 'add groups' transaction to disk
>> Adding users
>> Importing users
>> Committing 'add users' transaction to disk
>> Adding users to groups
>> Committing 'add users to groups' transaction to disk
> There are a couple of warnings here: I don't know how severe they are.
> The thing is none of my NT domain users have been imported!!!
> Has this something to do with missing passdb.tdb?
> How should I solve this?
pdbedit -i smbpasswd:/var/db/samba4/private/smbpasswd -e
passdb backend = tdbsam:/var/db/samba4/private/passdb.tdb
And try again.
Though I am not sure whether running the DC in a jail is a good idea;
also, what filesystem are you running on FreeBSD?
There are problems with ZFS.
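A pre-flight check for the procedure described in this thread, added here as an example (not code from the thread or from Samba): it verifies that the tdb files the Classic Upgrade guide says to copy are present in --dbdir, that smb.conf's passdb backend is tdbsam rather than smbpasswd, and that pdbedit -Lv shows no duplicate SIDs. The sample smb.conf, pdbedit output and SIDs are constructed.

```python
# Pre-flight checks before `samba-tool domain classicupgrade` (added example; sample data constructed).
import os, re, tempfile
from collections import Counter
# The tdb files the Classic Upgrade wiki page says to copy into --dbdir.
REQUIRED_DB_FILES = ("secrets.tdb", "schannel_store.tdb", "gencache_notrans.tdb",
                     "group_mapping.tdb", "account_policy.tdb", "passdb.tdb")

def missing_db_files(dbdir):
    """Return the required tdb files absent from dbdir."""
    return [f for f in REQUIRED_DB_FILES if not os.path.isfile(os.path.join(dbdir, f))]

def passdb_backend(smbconf_text):
    """Return the 'passdb backend' value from smb.conf text ('' if unset)."""
    m = re.search(r"^\s*passdb\s+backend\s*=\s*(.+?)\s*$", smbconf_text, re.M | re.I)
    return m.group(1) if m else ""

def parse_pdbedit(text):
    """`pdbedit -Lv` output -> (username, sid) pairs; records end at a blank or dashed line."""
    users = []
    for rec in re.split(r"\n(?:-{3,}|\s*)\n", text.strip()):
        name = re.search(r"^Unix username:\s*(\S+)", rec, re.M)
        sid = re.search(r"^User SID:\s*(S-1-5-21-[\d-]+)", rec, re.M)
        if name and sid:
            users.append((name.group(1), sid.group(1)))
    return users

def duplicate_sids(users):
    """Map each SID held by more than one account to those account names."""
    counts = Counter(sid for _, sid in users)
    return {sid: [n for n, s in users if s == sid] for sid, c in counts.items() if c > 1}

def preflight(dbdir, smbconf_text, pdbedit_text):
    """Everything that would make classicupgrade fail or import no users."""
    problems = [f"missing {f} in {dbdir}" for f in missing_db_files(dbdir)]
    backend = passdb_backend(smbconf_text)
    if not backend.lower().startswith("tdbsam"):
        problems.append(f"passdb backend is '{backend}': convert to tdbsam first")
    for sid, names in duplicate_sids(parse_pdbedit(pdbedit_text)).items():
        problems.append(f"SID {sid} is shared by {', '.join(names)}")
    return problems

# Constructed sample: the poster's setup (no passdb.tdb, smbpasswd backend) plus one duplicate SID.
SAMPLE_DBDIR = tempfile.mkdtemp()
for _f in REQUIRED_DB_FILES[:-1]:
    open(os.path.join(SAMPLE_DBDIR, _f), "w").close()
SAMPLE_SMBCONF = "[global]\n   passdb backend = smbpasswd:/var/db/samba4/private/smbpasswd\n"
SAMPLE_PDBEDIT = ("---------------\nUnix username:  alice\nUser SID:  S-1-5-21-1111-2222-3333-3010\n"
                  "---------------\nUnix username:  bob\nUser SID:  S-1-5-21-1111-2222-3333-3010\n"
                  "---------------\nUnix username:  carol\nUser SID:  S-1-5-21-1111-2222-3333-3011\n")
```

Running `preflight(SAMPLE_DBDIR, SAMPLE_SMBCONF, SAMPLE_PDBEDIT)` reports the missing passdb.tdb, the smbpasswd backend and the shared SID, which are the three things to fix before retrying the upgrade.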