[Samba] Classic Upgrade changes domain SID

Rowland Penny rpenny at samba.org
Sun Aug 27 11:16:24 UTC 2023


On Sun, 27 Aug 2023 12:56:28 +0200
Peter Koch via samba <samba at lists.samba.org> wrote:

> Dear Rowland:
> 
> Thanks for the quick response
> 
> > Can you please post the command that you used to carry out the
> > classic
> 
> here's what I did:
> 
> 1) Old WORKGROUP is NAV, old NETBIOS NAME is SERV00,
> old fqdn is v480.naev.de, so I decided to use:
> - new domain = NAV
> - new realm = NAV.NAEV.DE
> - new netbios name = NS1 (or SERV00)
> - fqdn of new server = ns1.nav.naev.de (or serv00.nav.naev.de)
> 
> 2) removed ISO-8859 special characters from users' full names
> 
> 3) deleted group mappings for Windows standard groups (in particular
> Domain Admins)
> 
> 4) Copied smb.conf, secrets.tdb, schannel_store.tdb, passdb.tdb,
> group_mapping.tdb,
> account_policy.tdb, /etc/passwd, /etc/group from old server
> to /var/samba/NT4-DC directory of new server
> 
> 5) created all samba-related user-accounts, groups and groupmappings
> with:
> (awk -F: '$3>=200 && $3<60000{print "groupadd -g",$3,$1}' /var/samba/NT4-DC/group | sort
>  awk -F: '$3>=500 && $3<20000{g=$4;if(g==65534)g="nogroup"; print "useradd -u",$3,"-g",g,"\x27"$1"\x27"}' /var/samba/NT4-DC/passwd | sort
>  awk -F: '$3>=200 && $3<60000{split($4,a,",");for(i in a) print "usermod -aG",$1,a[i]}' /var/samba/NT4-DC/group
> ) | sh
> 
> 6) replaced SERV00 by the netbios name of the new server (i.e. NS1) in
> /var/samba/NT4-DC/smb.conf
> 
> 7) Started classic upgrade:
> cd /var/samba
> kill `cat /var/samba/run/samba.pid`
> rm -rf private/* smb.conf log.* sysvol
> /usr/samba/bin/samba-tool domain classicupgrade \
>   --dbdir=/var/samba/NT4-DC/ \
>   --realm=NAV.NAEV.DE \
>   --dns-backend=SAMBA_INTERNAL \
>   /var/samba/NT4-DC/smb.conf
> 
> Here's the output:
> INFO 2023-08-27 12:43:39,895 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/netcmd/domain.py #1666:
> Reading smb.conf
> lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
> lpcfg_do_global_parameter: WARNING: The "domain logons" option is
> deprecated
> INFO 2023-08-27 12:43:39,898 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/netcmd/domain.py #1670:
> Provisioning
> INFO 2023-08-27 12:43:39,905 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #507:
> Exporting account policy
> INFO 2023-08-27 12:43:39,906 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #511:
> Exporting groups
> WARNING 2023-08-27 12:43:39,926 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #534:
> Ignoring group 'notare'
> S-1-5-21-1415314133-2460755331-2761616138-21015 listed but then not
> found: Unable to enumerate group members, (-1073741722,The specified
> group does not exist.)
> WARNING 2023-08-27 12:43:39,935 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #534:
> Ignoring group 'sap' S-1-5-21-1415314133-2460755331-2761616138-21061
> listed but then not found: Unable to enumerate group members,
> (-1073741722,The specified group does not exist.)
> WARNING 2023-08-27 12:43:39,935 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #534:
> Ignoring group 'control'
> S-1-5-21-1415314133-2460755331-2761616138-21045 listed but then not
> found: Unable to enumerate group members, (-1073741722,The specified
> group does not exist.)
> INFO 2023-08-27 12:43:39,940 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #557:
> Exporting users
> INFO 2023-08-27 12:43:40,231 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #567:
> Skipping wellknown rid=501 (for username=nobody)
> INFO 2023-08-27 12:43:41,842 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #638: Next
> rid = 31031
> INFO 2023-08-27 12:43:41,847 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #681:
> Exporting posix attributes
> INFO 2023-08-27 12:43:42,344 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #716:
> Reading WINS database
> WARNING 2023-08-27 12:43:42,344 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #721: Cannot
> open wins database, Ignoring: [Errno 2] No such file or directory:
> '/var/samba/NT4-DC/wins.dat'
> INFO 2023-08-27 12:43:42,347 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #2108: Looking up IPv4 addresses
> INFO 2023-08-27 12:43:42,348 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #2125: Looking up IPv6 addresses
> WARNING 2023-08-27 12:43:42,348 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #2132: No IPv6 address will be assigned
> INFO 2023-08-27 12:43:43,048 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #2274: Setting up share.ldb
> INFO 2023-08-27 12:43:43,252 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #2278: Setting up secrets.ldb
> INFO 2023-08-27 12:43:43,396 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #2283: Setting up the registry
> INFO 2023-08-27 12:43:44,594 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #2286: Setting up the privileges database
> INFO 2023-08-27 12:43:44,984 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #2289: Setting up idmap db
> INFO 2023-08-27 12:43:45,255 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #2296: Setting up SAM db
> INFO 2023-08-27 12:43:45,300 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #880: Setting up sam.ldb partitions and settings
> INFO 2023-08-27 12:43:45,301 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #892: Setting up sam.ldb rootDSE
> INFO 2023-08-27 12:43:45,345 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1305: Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness
> constraint on local domainSIDs
> INFO 2023-08-27 12:43:45,544 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1383: Adding DomainDN: DC=nav,DC=naev,DC=de
> INFO 2023-08-27 12:43:45,612 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1415: Adding configuration container
> INFO 2023-08-27 12:43:45,679 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1430: Setting up sam.ldb schema
> INFO 2023-08-27 12:43:56,781 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1448: Setting up sam.ldb configuration data
> INFO 2023-08-27 12:43:57,175 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1489: Setting up display specifiers
> INFO 2023-08-27 12:44:04,609 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1497: Modifying display specifiers and extended rights
> INFO 2023-08-27 12:44:04,713 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1504: Adding users container
> INFO 2023-08-27 12:44:04,717 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1510: Modifying users container
> INFO 2023-08-27 12:44:04,719 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1513: Adding computers container
> INFO 2023-08-27 12:44:04,723 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1519: Modifying computers container
> INFO 2023-08-27 12:44:04,725 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1523: Setting up sam.ldb data
> INFO 2023-08-27 12:44:05,088 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1553: Setting up well known security principals
> INFO 2023-08-27 12:44:05,258 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1567: Setting up sam.ldb users and groups
> INFO 2023-08-27 12:44:05,968 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1575: Setting up self join
> Repacking database from v1 to v2 format (first record
> CN=ms-DS-ManagedPasswordPreviousId,CN=Schema,CN=Configuration,DC=nav,DC=naev,DC=de)
> Repack: re-packed 10000 records so far
> Repacking database from v1 to v2 format (first record
> CN=sitesContainer-Display,CN=41F,CN=DisplaySpecifiers,CN=Configuration,DC=nav,DC=naev,DC=de)
> Repacking database from v1 to v2 format (first record
> CN=8ddf6913-1c7b-4c59-a5af-b9ca3b3d2c4c,CN=Operations,CN=DomainUpdates,CN=System,DC=nav,DC=naev,DC=de)
> INFO 2023-08-27 12:44:08,346 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #1969: Setting acl on sysvol skipped
> INFO 2023-08-27 12:44:08,413 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py
> #1198: Adding DNS accounts
> INFO 2023-08-27 12:44:08,550 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py
> #1232: Creating CN=MicrosoftDNS,CN=System,DC=nav,DC=naev,DC=de
> INFO 2023-08-27 12:44:08,590 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py
> #1245: Creating DomainDnsZones and ForestDnsZones partitions
> INFO 2023-08-27 12:44:08,738 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py
> #1250: Populating DomainDnsZones and ForestDnsZones partitions
> Repacking database from v1 to v2 format (first record
> DC=m.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=nav,DC=naev,DC=de)
> Repacking database from v1 to v2 format (first record
> DC=_kerberos._tcp.dc,DC=_msdcs.nav.naev.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=nav,DC=naev,DC=de)
> INFO 2023-08-27 12:44:10,269 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #2012: Setting up sam.ldb rootDSE marking as synchronized
> INFO 2023-08-27 12:44:10,401 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #2017: Fixing provision GUIDs
> INFO 2023-08-27 12:44:12,992 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #2348: A Kerberos configuration suitable for Samba AD has been
> generated at /var/samba/private/krb5.conf
> INFO 2023-08-27 12:44:12,993 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #2350: Merge the contents of this file with your system krb5.conf or
> replace it with this one. Do not create a symlink!
> INFO 2023-08-27 12:44:13,405 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #2082: Setting up fake yp server settings
> INFO 2023-08-27 12:44:13,659 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #487: Once the above files are installed, your Samba AD server will be
> ready to use
> INFO 2023-08-27 12:44:13,660 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #492: Server Role:           active directory domain controller
> INFO 2023-08-27 12:44:13,660 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #493: Hostname:              serv00
> INFO 2023-08-27 12:44:13,660 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #494: NetBIOS Domain:        NAV
> INFO 2023-08-27 12:44:13,660 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #495: DNS Domain:            nav.naev.de
> INFO 2023-08-27 12:44:13,660 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py
> #496: DOMAIN SID:
> S-1-5-352321536-3589954388-2200284306-183212708
> INFO 2023-08-27 12:44:13,660 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #747:
> Importing WINS database
> INFO 2023-08-27 12:44:13,660 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #753:
> Importing Account policy
> INFO 2023-08-27 12:44:13,732 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #757:
> Importing idmap database
> WARNING 2023-08-27 12:44:13,732 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #218: Cannot
> open idmap database, Ignoring: [Errno 2] No such file or directory
> INFO 2023-08-27 12:44:14,144 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #773: Adding
> groups
> INFO 2023-08-27 12:44:14,145 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #776:
> Importing groups
> WARNING 2023-08-27 12:44:14,284 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #267: Group
> already exists sid=S-1-5-32-550, groupname=Print Operators
> existing_groupname=Print Operators, Ignoring.
> INFO 2023-08-27 12:44:14,421 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #789:
> Committing 'add groups' transaction to disk
> INFO 2023-08-27 12:44:14,838 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #792: Adding
> users
> INFO 2023-08-27 12:44:14,839 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #795:
> Importing users
> WARNING 2023-08-27 12:44:51,050 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #805: User
> root has been kept in the directory, it should be removed in favour of
> the Administrator user
> INFO 2023-08-27 12:47:57,275 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #815: Adding
> users to groups
> INFO 2023-08-27 12:47:58,328 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #829:
> Committing 'add users to groups' transaction to disk
> INFO 2023-08-27 12:47:58,524 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #834:
> Setting password for administrator
> INFO 2023-08-27 12:47:58,591 pid:14448
> /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #843:
> Administrator password has been set to password of user 'root'
> 
> One more thing: The new domain SID is different from the old one.
> But it does not even start with S-1-5-21 !!!
> 
> Peter
> 

Can I please see the original smb.conf (the one from the old machine)
and your new smb.conf (the one on your new DC)?

Can you please confirm that your old machine had the FQDN
'serv00.v480.naev.de' and the new one is 'ns1.nav.naev.de'?

Rowland
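
The SID mismatch reported in the quoted output can be checked mechanically. The Python below is an added example, not part of the thread and not Samba code: it derives the source domain SID from the exported account SIDs, compares it with the "DOMAIN SID:" line, and tests whether the two differ only in the byte order of each 32-bit sub-authority, which is the case for the values in this log. The function names are this example's own and the sample is constructed by condensing the output above.

```python
import re
import struct

# Constructed sample: three entries condensed from the classicupgrade output above.
SAMPLE_LOG = """\
> Ignoring group 'notare'
> S-1-5-21-1415314133-2460755331-2761616138-21015 listed but then not
> Ignoring group 'sap' S-1-5-21-1415314133-2460755331-2761616138-21061
> #496: DOMAIN SID:
> S-1-5-352321536-3589954388-2200284306-183212708
"""

SID = r"S-1-5(?:-\d+)+"

def bswap32(n):
    """Reverse the byte order of an unsigned 32-bit value."""
    return struct.unpack("<I", struct.pack(">I", n))[0]

def swap_subauths(sid):
    """Byte-swap every sub-authority after the S-1-5 prefix."""
    return "S-1-5-" + "-".join(str(bswap32(int(p))) for p in sid.split("-")[3:])

def analyse(log):
    """Compare the SID printed by provision with the SID of the exported accounts."""
    # Strip mail quoting and re-join lines that the mail client wrapped.
    text = " ".join(re.sub(r"^>\s?", "", log, flags=re.M).split())
    reported = re.search(r"DOMAIN SID:\s*(" + SID + ")", text)
    if not reported:
        raise ValueError("no 'DOMAIN SID:' line in log")
    new_sid = reported.group(1)
    # A domain account SID is S-1-5-21-a-b-c-RID; dropping the RID gives the domain SID.
    old = {s.rsplit("-", 1)[0] for s in re.findall(SID, text)
           if s.startswith("S-1-5-21-") and s.count("-") == 7}
    if len(old) != 1:
        raise ValueError("expected exactly one source domain SID, got %r" % sorted(old))
    old_sid = old.pop()
    return {
        "old_sid": old_sid,
        "new_sid": new_sid,
        "well_formed": bool(re.fullmatch(r"S-1-5-21(-\d+){3}", new_sid)),
        "preserved": new_sid == old_sid,
        "byte_swapped": new_sid != old_sid and swap_subauths(new_sid) == old_sid,
    }

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key:13} {value}")
```

A byte_swapped result is consistent with the binary SID having been read with the wrong endianness; that reading is an inference of this example and is not stated anywhere in the thread.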


