[Samba] Classic Upgrade changes domain SID

Peter Koch sambamailinglist at gmail.com
Sun Aug 27 12:36:49 UTC 2023


Rowland Penny via samba wrote:
> On Sun, 27 Aug 2023 12:56:28 +0200
> Peter Koch via samba<samba at lists.samba.org>  wrote:
>
>> Dear Rowland:
>>
>> Thanks for the quick response
>>
>>> Can you please post the command that you used to carry out the
>>> classic
>> here's what I did:
>>
>> 1) Old WORKGROUP is NAV, old NETBIOS NAME is SERV00,
>> old fqdn is v480.naev.de, so I decided to use:
>> - new domain = NAV
>> - new realm = NAV.NAEV.DE
>> - new netbios name = NS1 (or SERV00)
>> - fqdn of new server = ns1.nav.naev.de (or serv00.nav.naev.de)
>>
>> 2) removed ISO-8859 special characters from users' full names
>>
>> 3) delete group mappings for windows standard groups (in particular
>> Domain Admins)
>>
>> 4) Copied smb.conf, secrets.tdb, schannel_store.tdb, passdb.tdb,
>> group_mapping.tdb,
>> account_policy.tdb, /etc/passwd, /etc/group from old server
>> to /var/samba/NT4-DC directory of new server
>>
>> 5) created all samba-related user-accounts, groups and groupmappings
>> with:
>> (awk -F: '$3>=200 && $3<60000{print "groupadd -g",$3,$1}' /var/samba/NT4-DC/group | sort
>>      awk -F: '$3>=500 && $3<20000{g=$4;if(g==65534)g="nogroup"; print "useradd -u",$3,"-g",g,"\x27"$1"\x27"}' /var/samba/NT4-DC/passwd | sort
>>      awk -F: '$3>=200 && $3<60000{split($4,a,",");for(i in a) print "usermod -aG",$1,a[i]}' /var/samba/NT4-DC/group
>> ) | sh
>>
>> 6) replaced SERV00 by the netbios name of the new server (i.e. NS1) in
>> /var/samba/NT4-DC/smb.conf
>>
>> 7) Started classic upgrade:
>> cd /var/samba
>> kill `cat /var/samba/run/samba.pid`
>> rm -rf private/* smb.conf log.* sysvol
>> /usr/samba/bin/samba-tool domain classicupgrade \
>>       --dbdir=/var/samba/NT4-DC/ \
>>       --realm=NAV.NAEV.DE \
>>       --dns-backend=SAMBA_INTERNAL \
>>       /var/samba/NT4-DC/smb.conf
>>
>> Here's the output:
>> INFO 2023-08-27 12:43:39,895 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/netcmd/domain.py #1666: Reading smb.conf
>> lpcfg_do_global_parameter: WARNING: The "syslog" option is deprecated
>> lpcfg_do_global_parameter: WARNING: The "domain logons" option is deprecated
>> INFO 2023-08-27 12:43:39,898 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/netcmd/domain.py #1670: Provisioning
>> INFO 2023-08-27 12:43:39,905 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #507: Exporting account policy
>> INFO 2023-08-27 12:43:39,906 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #511: Exporting groups
>> WARNING 2023-08-27 12:43:39,926 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #534: Ignoring group 'notare' S-1-5-21-1415314133-2460755331-2761616138-21015 listed but then not found: Unable to enumerate group members, (-1073741722,The specified group does not exist.)
>> WARNING 2023-08-27 12:43:39,935 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #534: Ignoring group 'sap' S-1-5-21-1415314133-2460755331-2761616138-21061 listed but then not found: Unable to enumerate group members, (-1073741722,The specified group does not exist.)
>> WARNING 2023-08-27 12:43:39,935 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #534: Ignoring group 'control' S-1-5-21-1415314133-2460755331-2761616138-21045 listed but then not found: Unable to enumerate group members, (-1073741722,The specified group does not exist.)
>> INFO 2023-08-27 12:43:39,940 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #557: Exporting users
>> INFO 2023-08-27 12:43:40,231 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #567: Skipping wellknown rid=501 (for username=nobody)
>> INFO 2023-08-27 12:43:41,842 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #638: Next rid = 31031
>> INFO 2023-08-27 12:43:41,847 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #681: Exporting posix attributes
>> INFO 2023-08-27 12:43:42,344 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #716: Reading WINS database
>> WARNING 2023-08-27 12:43:42,344 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #721: Cannot open wins database, Ignoring: [Errno 2] No such file or directory: '/var/samba/NT4-DC/wins.dat'
>> INFO 2023-08-27 12:43:42,347 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2108: Looking up IPv4 addresses
>> INFO 2023-08-27 12:43:42,348 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2125: Looking up IPv6 addresses
>> WARNING 2023-08-27 12:43:42,348 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2132: No IPv6 address will be assigned
>> INFO 2023-08-27 12:43:43,048 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2274: Setting up share.ldb
>> INFO 2023-08-27 12:43:43,252 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2278: Setting up secrets.ldb
>> INFO 2023-08-27 12:43:43,396 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2283: Setting up the registry
>> INFO 2023-08-27 12:43:44,594 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2286: Setting up the privileges database
>> INFO 2023-08-27 12:43:44,984 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2289: Setting up idmap db
>> INFO 2023-08-27 12:43:45,255 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2296: Setting up SAM db
>> INFO 2023-08-27 12:43:45,300 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #880: Setting up sam.ldb partitions and settings
>> INFO 2023-08-27 12:43:45,301 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #892: Setting up sam.ldb rootDSE
>> INFO 2023-08-27 12:43:45,345 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1305: Pre-loading the Samba 4 and AD schema
>> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
>> INFO 2023-08-27 12:43:45,544 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1383: Adding DomainDN: DC=nav,DC=naev,DC=de
>> INFO 2023-08-27 12:43:45,612 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1415: Adding configuration container
>> INFO 2023-08-27 12:43:45,679 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1430: Setting up sam.ldb schema
>> INFO 2023-08-27 12:43:56,781 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1448: Setting up sam.ldb configuration data
>> INFO 2023-08-27 12:43:57,175 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1489: Setting up display specifiers
>> INFO 2023-08-27 12:44:04,609 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1497: Modifying display specifiers and extended rights
>> INFO 2023-08-27 12:44:04,713 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1504: Adding users container
>> INFO 2023-08-27 12:44:04,717 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1510: Modifying users container
>> INFO 2023-08-27 12:44:04,719 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1513: Adding computers container
>> INFO 2023-08-27 12:44:04,723 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1519: Modifying computers container
>> INFO 2023-08-27 12:44:04,725 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1523: Setting up sam.ldb data
>> INFO 2023-08-27 12:44:05,088 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1553: Setting up well known security principals
>> INFO 2023-08-27 12:44:05,258 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1567: Setting up sam.ldb users and groups
>> INFO 2023-08-27 12:44:05,968 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1575: Setting up self join
>> Repacking database from v1 to v2 format (first record CN=ms-DS-ManagedPasswordPreviousId,CN=Schema,CN=Configuration,DC=nav,DC=naev,DC=de)
>> Repack: re-packed 10000 records so far Repacking database from v1 to v2 format (first record CN=sitesContainer-Display,CN=41F,CN=DisplaySpecifiers,CN=Configuration,DC=nav,DC=naev,DC=de)
>> Repacking database from v1 to v2 format (first record CN=8ddf6913-1c7b-4c59-a5af-b9ca3b3d2c4c,CN=Operations,CN=DomainUpdates,CN=System,DC=nav,DC=naev,DC=de)
>> INFO 2023-08-27 12:44:08,346 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1969: Setting acl on sysvol skipped
>> INFO 2023-08-27 12:44:08,413 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py #1198: Adding DNS accounts
>> INFO 2023-08-27 12:44:08,550 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py #1232: Creating CN=MicrosoftDNS,CN=System,DC=nav,DC=naev,DC=de
>> INFO 2023-08-27 12:44:08,590 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py #1245: Creating DomainDnsZones and ForestDnsZones partitions
>> INFO 2023-08-27 12:44:08,738 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py #1250: Populating DomainDnsZones and ForestDnsZones partitions
>> Repacking database from v1 to v2 format (first record DC=m.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=nav,DC=naev,DC=de)
>> Repacking database from v1 to v2 format (first record DC=_kerberos._tcp.dc,DC=_msdcs.nav.naev.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=nav,DC=naev,DC=de)
>> INFO 2023-08-27 12:44:10,269 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2012: Setting up sam.ldb rootDSE marking as synchronized
>> INFO 2023-08-27 12:44:10,401 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2017: Fixing provision GUIDs
>> INFO 2023-08-27 12:44:12,992 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2348: A Kerberos configuration suitable for Samba AD has been generated at /var/samba/private/krb5.conf
>> INFO 2023-08-27 12:44:12,993 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2350: Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
>> INFO 2023-08-27 12:44:13,405 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2082: Setting up fake yp server settings
>> INFO 2023-08-27 12:44:13,659 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #487: Once the above files are installed, your Samba AD server will be ready to use
>> INFO 2023-08-27 12:44:13,660 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #492: Server Role:           active directory domain controller
>> INFO 2023-08-27 12:44:13,660 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #493: Hostname:              serv00
>> INFO 2023-08-27 12:44:13,660 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #494: NetBIOS Domain:        NAV
>> INFO 2023-08-27 12:44:13,660 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #495: DNS Domain:            nav.naev.de
>> INFO 2023-08-27 12:44:13,660 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #496: DOMAIN SID: S-1-5-352321536-3589954388-2200284306-183212708
>> INFO 2023-08-27 12:44:13,660 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #747: Importing WINS database
>> INFO 2023-08-27 12:44:13,660 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #753: Importing Account policy
>> INFO 2023-08-27 12:44:13,732 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #757: Importing idmap database
>> WARNING 2023-08-27 12:44:13,732 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #218: Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
>> INFO 2023-08-27 12:44:14,144 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #773: Adding groups
>> INFO 2023-08-27 12:44:14,145 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #776: Importing groups
>> WARNING 2023-08-27 12:44:14,284 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #267: Group already exists sid=S-1-5-32-550, groupname=Print Operators existing_groupname=Print Operators, Ignoring.
>> INFO 2023-08-27 12:44:14,421 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #789: Committing 'add groups' transaction to disk
>> INFO 2023-08-27 12:44:14,838 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #792: Adding users
>> INFO 2023-08-27 12:44:14,839 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #795: Importing users
>> WARNING 2023-08-27 12:44:51,050 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #805: User root has been kept in the directory, it should be removed in favour of the Administrator user
>> INFO 2023-08-27 12:47:57,275 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #815: Adding users to groups
>> INFO 2023-08-27 12:47:58,328 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #829: Committing 'add users to groups' transaction to disk
>> INFO 2023-08-27 12:47:58,524 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #834: Setting password for administrator
>> INFO 2023-08-27 12:47:58,591 pid:14448 /usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #843: Administrator password has been set to password of user 'root'
>>
>> One more thing: The new domain SID is different from the old one.
>> But it does not even start with S-1-5-21 !!!
>>
>> Peter
>>
> Can I please see the original smb.conf (the one from the old machine)
> and your new smb.conf (the one on your new DC)
old one:

# Global parameters
[global]
         unix charset = ISO-8859-1
         workgroup = NAV
         netbios name = SERV00
         server string = Fileserver der XXX
         interfaces = 10.64.2.20
         log level = 1
         syslog = 2
         max log size = 10000
         logon script = logon.bat %u %G %m
         logon path = \\%L\NT-Profiles\%U
         logon drive = h:
         domain logons = Yes
         os level = 34
         preferred master = Yes
         domain master = Yes
         wins support = Yes
         admin users = root
         create mask = 0640
         directory mask = 0750
         map archive = No
         map readonly = No
         wide links = Yes
         unix extensions = No
         acl map full control = No
         force unknown acl user = Yes
         default case = lower

[netlogon]
         comment = Logon-Script Verzeichnis auf %L
         path = /home/nt-logon
         write list = @edvte
         root preexec = /home/nt-logon/root-preexec '%u' '%m'
...other shares

new one:

# Global parameters
[global]
         netbios name = SERV00
         realm = NAV.NAEV.DE
         server role = active directory domain controller
         workgroup = NAV
         idmap_ldb:use rfc2307 = yes

[sysvol]
         path = /var/samba/locks/sysvol
         read only = No

[netlogon]
         path = /var/samba/locks/sysvol/nav.naev.de/scripts
         read only = No

> Can you please confirm that your old machine had the FQDN
> 'serv00.v480.naev.de' and the new one is 'ns1.nav.naev.de'
The old machine had FQDN v480.naev.de and the new one is
ns1.nav.naev.de (or serv00.nav.naev.de, I tried both variants)

Peter
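
A check for the symptom reported in this message, as an added example that is not part of the original post: it reads a saved classicupgrade log, extracts the `DOMAIN SID:` line and the domain part of an exported account SID, and reports whether the new SID has the `S-1-5-21-x-y-z` shape and matches the old one. The function names and the shortened sample lines are constructed for illustration; it assumes the samba-tool output was saved to a file.

```shell
#!/bin/sh
# Added example: compare the domain SID printed by classicupgrade with the
# SID prefix of the accounts exported from the old NT4-style domain.

# Constructed sample: three lines shortened from the log quoted in the post.
sample_log() {
cat <<'EOF'
WARNING 2023-08-27 12:43:39,926 pid:14448 upgrade.py #534: Ignoring group 'notare' S-1-5-21-1415314133-2460755331-2761616138-21015 listed but then not found
INFO 2023-08-27 12:44:13,660 pid:14448 provision/__init__.py #495: DNS Domain:            nav.naev.de
INFO 2023-08-27 12:44:13,660 pid:14448 provision/__init__.py #496: DOMAIN SID: S-1-5-352321536-3589954388-2200284306-183212708
EOF
}

# Print the SID from the "DOMAIN SID:" summary line (log on stdin).
new_domain_sid() {
    sed -n 's/.*DOMAIN SID:[[:space:]]*\(S-[0-9-]*\).*/\1/p' | head -n 1
}

# Print the old domain SID: the first account SID of the form
# S-1-5-21-a-b-c-RID found in the log, with the trailing RID removed.
old_domain_sid() {
    grep -Eo 'S-1-5-21(-[0-9]+){4}' | head -n 1 | sed 's/-[0-9]*$//'
}

# Succeed only if $1 looks like a domain SID: S-1-5-21 plus three sub-authorities.
is_domain_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21(-[0-9]+){3}$'
}

# Print a one-line verdict for the log file named in $1.
check_upgrade_log() {
    new=$(new_domain_sid < "$1")
    old=$(old_domain_sid < "$1")
    if ! is_domain_sid "$new"; then
        echo "MALFORMED new=$new old=$old"
    elif [ "$new" != "$old" ]; then
        echo "CHANGED new=$new old=$old"
    else
        echo "OK sid=$new"
    fi
}

# Usage: sh check_sid.sh classicupgrade.log
if [ "$#" -gt 0 ]; then check_upgrade_log "$1"; fi
```

A `MALFORMED` or `CHANGED` verdict means machines joined to the old domain will not recognise the new one as the same domain, so it is worth running before any client is pointed at the new DC.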






