[Samba] Classicupgrade failure

Rowland penny rpenny at samba.org
Wed Jun 26 14:50:35 UTC 2019


On 26/06/2019 15:28, Andrea Venturoli via samba wrote:
> Hello.
>
> I've still got a couple of NT domains and I'd like to upgrade them to 
> AD. Recently I had a chance to try to migrate one of them, but I 
> ran into trouble and had to go back. I don't know when I'll have the 
> chance to try again (probably not for some months), but I need to 
> understand what went wrong before that.
>
>
>
> The starting situation: Samba 4.8 running as AD and fileserver on 
> FreeBSD 11.2/amd64 (base) with smbpasswd backend.
>
> Relevant smb.conf lines:
>> [global]
>>         workgroup = XXXXXXXXXXXX
>>         server string = XXXX
>>         security = user
>>         encrypt passwords = yes
>>         os level = 255
>>         local master = yes
>>         domain master = yes
>>         preferred master = yes
>>         domain logons = yes
>>         wins support = yes
>>         wins proxy = yes
>>         dns proxy = yes
>>         logon script=netlogon.cmd
>>         unix password sync=no
>>         time server = Yes
>>         map archive = No
>>         vfs objects=audit
>>         audit:facility=LOCAL7
>>         audit:priority=INFO
>>         passdb backend=smbpasswd:/var/db/samba4/private/smbpasswd
>>         lanman auth=yes
>
> All users are listed in /etc/passwd (and of course in 
> /var/db/samba4/private/smbpasswd).
>
> Sample pdbedit -Lv:
>> Unix username:        xxxxxxxx
>> NT username:
>> Account Flags:        [UX         ]
>> User SID:             S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-3010
>> Primary Group SID:    S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-513
>> Full Name:            Xxxxxxxx
>> Home Directory:       \\XXXX\xxxxxxxx
>> HomeDir Drive:
>> Logon Script:         netlogon.cmd
>> Profile Path:         \\xxxx\xxxxxxxx\profile
>> Domain:               XXXXXXXXXXXX
>> Account desc:
>> Workstations:
>> Munged dial:
>> Logon time:           0
>> Logoff time:          never
>> Kickoff time:         never
>> Password last set:    Mon, 22 Dec 2014 10:05:58 CET
>> Password can change:  Mon, 22 Dec 2014 10:05:58 CET
>> Password must change: never
>> Last bad password   : 0
>> Bad password count  : 0
>> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> Notice that a lot of non-domain users (like root, nobody, operator, etc.) 
> are also listed.
>
> The same user above in /etc/passwd:
>> xxxxxxxx:*:1005:1001:Xxxxxxxx:/home/xxxxxxxx:/sbin/nologin
> And in /var/db/samba4/private:
>> xxxxxxxx:1005:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-5497DEF6:
>
>
>
>
> Goal: I want to create a jail with Samba (still 4.8) which will 
> operate solely as AD DC. Base's jail will be (for now) reconfigured as 
> a domain member.
> (I've done this more than once in other networks).
>
> So I followed the "Migrating a Samba NT4 Domain to Samba AD (Classic 
> Upgrade)" document.
>
> Skipping the LDAP section, I checked and removed duplicate SIDs.
> "net groupmap list" shows nothing.
>
> The docs say to copy secrets.tdb, schannel_store.tdb, 
> gencache_notrans.tdb, group_mapping.tdb and account_policy.tdb, which 
> I did.
> It also says to copy passdb.tdb, but I don't have this!!!
> I copied smbpasswd instead; I don't know if this was needed or useful.
>
> In any case, I tried running:
> samba-tool domain classicupgrade --dbdir=/root/olddb/ 
> --realm=local.xxxxxxxxxxxxxxx.it --dns-backend=SAMBA_INTERNAL 
> /usr/local/etc/smb.PDC.conf --option="vfs objects = acl_xattr" 
> --option="acl_xattr:ignore system acls = yes"
>
>> Reading smb.conf
>> Provisioning
>> Exporting account policy
>> Exporting groups
>> Exporting users
>> Next rid = 1000
>> Exporting posix attributes
>> Reading WINS database
>> Cannot open wins database, Ignoring: [Errno 2] No such file or 
>> directory: '/root/olddb/wins.dat'
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> No IPv6 address will be assigned
>> Setting up secrets.ldb
>> Setting up the registry
>> Setting up the privileges database
>> Setting up idmap db
>> Setting up SAM db
>> Setting up sam.ldb partitions and settings
>> Setting up sam.ldb rootDSE
>> Pre-loading the Samba 4 and AD schema
>> Unable to determine the DomainSID, can not enforce uniqueness 
>> constraint on local domainSIDs
>>
>> Adding DomainDN: DC=local,DC=xxxxxxxxxxxxxxx,DC=it
>> Adding configuration container
>> Setting up sam.ldb schema
>> Setting up sam.ldb configuration data
>> Setting up display specifiers
>> Modifying display specifiers and extended rights
>> Adding users container
>> Modifying users container
>> Adding computers container
>> Modifying computers container
>> Setting up sam.ldb data
>> Setting up well known security principals
>> Setting up sam.ldb users and groups
>> Setting up self join
>> Setting acl on sysvol skipped
>> Adding DNS accounts
>> Creating CN=MicrosoftDNS,CN=System,DC=local,DC=xxxxxxxxxxxxxxx,DC=it
>> Creating DomainDnsZones and ForestDnsZones partitions
>> Populating DomainDnsZones and ForestDnsZones partitions
>> Setting up sam.ldb rootDSE marking as synchronized
>> Fixing provision GUIDs
>> A Kerberos configuration suitable for Samba AD has been generated at 
>> /var/db/samba4/private/krb5.conf
>> Merge the contents of this file with your system krb5.conf or replace 
>> it with this one. Do not create a symlink!
>> Setting up fake yp server settings
>> Once the above files are installed, your Samba AD server will be 
>> ready to use
>> Admin password:        xxxxxxxxxxxxxxxxxxxxxx
>> Server Role:           active directory domain controller
>> Hostname:              dc1
>> NetBIOS Domain:        XXXXXXXXXXXX
>> DNS Domain:            local.xxxxxxxxxxxxxxx.it
>> DOMAIN SID:            S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXX
>> Importing WINS database
>> Importing Account policy
>> Importing idmap database
>> Cannot open idmap database, Ignoring: [Errno 2] No such file or 
>> directory
>> Adding groups
>> Importing groups
>> Committing 'add groups' transaction to disk
>> Adding users
>> Importing users
>> Committing 'add users' transaction to disk
>> Adding users to groups
>> Committing 'add users to groups' transaction to disk
>
> There are a couple of warnings here: I don't know how severe they are.
>
> The thing is, none of my NT domain users has been imported!!!
> Does this have something to do with the missing passdb.tdb?
Very probably
>
> How should I solve this?

Run:

pdbedit -i smbpasswd:/var/db/samba4/private/smbpasswd -e tdbsam:/var/db/samba4/private/passdb.tdb

Change:

passdb backend=smbpasswd:/var/db/samba4/private/smbpasswd

To:

passdb backend = tdbsam:/var/db/samba4/private/passdb.tdb

And try again.

Though I am not sure whether running the DC in a jail is a good idea. 
Also, what filesystem are you running on FreeBSD?

There are problems with ZFS.

Rowland
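As an added example (not code from either poster), here is a small POSIX shell script built around the steps in the reply above: check which of the files the classic-upgrade guide wants in --dbdir are actually present (a missing passdb.tdb is exactly what produced the silent "no users imported" result), count how many enabled user accounts the old smbpasswd file holds so the import result can be compared against it, run the suggested pdbedit conversion, and rewrite the "passdb backend" line. All paths and the sample smbpasswd and smb.conf contents are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from either poster: pre-flight checks for the
# NT4 -> AD classicupgrade, built around the fix in the reply above
# (convert the smbpasswd file into passdb.tdb with pdbedit, then point
# "passdb backend" at it). All paths and sample data are assumptions.

# Which of the files the classic-upgrade guide expects in --dbdir are missing?
# Prints one missing name per line; returns 1 if anything is missing.
check_dbdir() {
    dbdir="$1"
    rc=0
    for f in secrets.tdb schannel_store.tdb gencache_notrans.tdb \
             group_mapping.tdb account_policy.tdb passdb.tdb; do
        if [ ! -f "$dbdir/$f" ]; then
            echo "$f"
            rc=1
        fi
    done
    return $rc
}

# Count smbpasswd entries that are ordinary, enabled user accounts:
# flag U present, none of D (disabled), W (workstation), I (interdomain
# trust) or S (server trust). This is roughly the number of accounts
# classicupgrade should pick up under "Importing users".
count_user_accounts() {
    awk -F: '
        $1 !~ /^#/ && NF >= 5 {
            flags = $5
            if (flags ~ /U/ && flags !~ /[DWIS]/) n++
        }
        END { print n + 0 }
    ' "$1"
}

# The conversion itself, as suggested in the reply (needs pdbedit;
# deliberately not run in the offline demo below).
convert_to_tdbsam() {
    pdbedit -i "smbpasswd:$1" -e "tdbsam:$2"
}

# Point "passdb backend" in an smb.conf at the new tdbsam file and echo
# the resulting line. Keeps a .bak copy of the original file.
set_passdb_backend() {
    conf="$1"; tdb="$2"
    sed -i.bak -E "s|^([[:space:]]*)passdb backend[[:space:]]*=.*|\1passdb backend = tdbsam:$tdb|" "$conf"
    grep -E '^[[:space:]]*passdb backend[[:space:]]*=' "$conf"
}

# --- constructed sample data so the checks can be exercised offline ---
work=$(mktemp -d)
mkdir "$work/olddb"
touch "$work/olddb/secrets.tdb" "$work/olddb/account_policy.tdb"
cat > "$work/smbpasswd" <<'EOF'
# constructed smbpasswd: two users, one disabled user, one machine account
alice:1005:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:[UX         ]:LCT-5497DEF6:
bob:1006:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:[U          ]:LCT-5497DEF6:
old:1007:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:[DU         ]:LCT-5497DEF6:
pc1$:1008:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:[W          ]:LCT-5497DEF6:
EOF
printf '[global]\n\tpassdb backend=smbpasswd:/var/db/samba4/private/smbpasswd\n' > "$work/smb.conf"

echo "missing from $work/olddb:"
check_dbdir "$work/olddb" || true
echo "importable user accounts in smbpasswd: $(count_user_accounts "$work/smbpasswd")"
set_passdb_backend "$work/smb.conf" /var/db/samba4/private/passdb.tdb
```

Run check_dbdir against the real --dbdir before invoking classicupgrade; if passdb.tdb is on the missing list, run convert_to_tdbsam on the real smbpasswd file first, then compare the "Importing users" result with the count_user_accounts figure. Machine accounts (flag W) and disabled accounts are excluded from that count on purpose, which also explains why entries such as root, nobody or operator in smbpasswd are not domain users the upgrade needs.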