Update: Upon further investigation, the group with SID ending in -1057 is my Domain Admins group, which is mapped to unix group "smbadmins". SID ending in -1066 (see my original posting) is Domain Users, which I have mapped to unix group "users". I suspect that if I remove these two mappings, the classic upgrade may succeed, at which point I can re-add them.

Two things:

1) Is it a problem that my Domain Admins and Domain Users groups do not have the standard NT4 domain suffixes (I think Domain Admins typically ends with -512. Can't remember what the suffix for Domain Users is, but it isn't -1066).

2) Is there a way to remove these mappings from the .tdb files I have copied over to the new server? I know I can remove the mapping from my old server, then re-copy the tdb files over, then re-add the mapping on my samba3 server, but the Domain Users mapping would impact users (I'm pretty sure), and I want to avoid that if possible. So, I'm hoping there is a way to manually edit the tdb's in the test environment where my samba4 server is, or some tool that can assist in such.

Thanks for any advice.

*Scott Goodwin*
IT Lead
Mimic Technologies, Inc
811 First Avenue, Suite 408 | Seattle, WA 98104
phone: 1.800.918.1670 | direct: 206.456.9180
fax: 206.623.3491 | cell: 206.355.7767

On Mon, Aug 19, 2013 at 4:57 PM, Scott Goodwin <sc...@mimicsimulation.com> wrote:

> Update: I realized shortly after I sent the email that because I don't use
> winbind, I can (and should) delete the file winbindd_idmap.tdb.
> So, the second error is now the stopper. In essence, it's complaining
> that it can't find the user or group with sid ending in 1057.
>
> Adding users to groups
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: Could not add member 'S-1-5-21-XXXXXXXXXXXXXXXXXXX-1002'
> to group 'S-1-5-21-XXXXXXXXXXXXXXXXXXX-1057' as either group or user
> record doesn't exist: Base-DN '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXXX-1057>'
> not found
> File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line 1318, in run
> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 913, in upgrade_from_samba3
> add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
> File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 316, in add_users_to_group
> raise ProvisioningError("Could not add member '%s' to group '%s' as
> either group or user record doesn't exist: %s" % (member_sid, group.sid,
> emsg))
>
> *Scott Goodwin*
> IT Lead
> Mimic Technologies, Inc
> 811 First Avenue, Suite 408 | Seattle, WA 98104
> phone: 1.800.918.1670 | direct: 206.456.9180
> fax: 206.623.3491 | cell: 206.355.7767
>
> On Mon, Aug 19, 2013 at 3:01 PM, Scott Goodwin
> <sc...@mimicsimulation.com> wrote:
>
>> I have a new server running CentOS 6.4 x64, which will serve as our new
>> Samba4 server. It is set up in a test environment, and I've copied over the
>> tdb files and the smb.conf file from our samba3 server (Same OS and
>> version).
>> I'm trying to do an in-place upgrade on the copied files, but keep
>> hitting an assert / uncaught exception during the upgrade:
>>
>> # /usr/local/samba/bin/samba-tool domain classicupgrade
>> --dbdir=/root/smb3 --use-xattrs=yes --realm=MYDOMAIN.COM --verbose
>> /root/smb3/smb.conf
>>
>> Reading smb.conf
>> Provisioning
>> Exporting account policy
>> Exporting groups
>> Exporting users
>> Ignoring group memberships of 'testuser'
>> S-1-5-21-XXXXXXXXXXXXXXXXXX-1065: Unable to enumerate group memberships,
>> (-1073741724,No such user)
>> Skipping wellknown rid=501 (for username=nobody)
>> Ignoring group memberships of 'TEST-PC$' S-1-5-21-XXXXXXXXXXXXXXXXXX-1097:
>> Unable to enumerate group memberships, (-1073741724,No such user)
>> Ignoring group memberships of 'testuser2' S-1-5-21-XXXXXXXXXXXXXXXXXX-1075:
>> Unable to enumerate group memberships, (-1073741724,No such user)
>> Next rid = 9001
>> Exporting posix attributes
>> Reading WINS database
>> Looking up IPv4 addresses
>> Looking up IPv6 addresses
>> No IPv6 address will be assigned
>> Setting up share.ldb
>> Setting up secrets.ldb
>> Setting up the registry
>> Setting up the privileges database
>> Setting up idmap db
>> Setting up SAM db
>> Setting up sam.ldb partitions and settings
>> Setting up sam.ldb rootDSE
>> Pre-loading the Samba 4 and AD schema
>> Adding DomainDN: DC=mydomain,DC=com
>> Adding configuration container
>> Setting up sam.ldb schema
>> Setting up sam.ldb configuration data
>> Setting up display specifiers
>> Modifying display specifiers
>> Adding users container
>> Modifying users container
>> Adding computers container
>> Modifying computers container
>> Setting up sam.ldb data
>> Setting up well known security principals
>> Setting up sam.ldb users and groups
>> Setting up self join
>> Setting acl on sysvol skipped
>> Adding DNS accounts
>> Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com
>> Creating DomainDnsZones and ForestDnsZones partitions
>> Populating DomainDnsZones and ForestDnsZones partitions
>> Setting up sam.ldb rootDSE marking as synchronized
>> Fixing provision GUIDs
>> A Kerberos configuration suitable for Samba 4 has been generated at
>> /usr/local/samba/private/krb5.conf
>> Setting up fake yp server settings
>> Once the above files are installed, your Samba4 server will be ready to
>> use
>> Server Role: active directory domain controller
>> Hostname: myserver
>> NetBIOS Domain: MYDOMAIN
>> DNS Domain: mydomain.com
>> DOMAIN SID: S-1-5-21-XXXXXXXXXXXXXXXXXX
>> Importing WINS database
>> Importing Account policy
>> Importing idmap database
>> ERROR(assert): uncaught exception
>> File
>> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
>> line 175, in _run
>> return self.run(*args, **kwargs)
>> File
>> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
>> line 1318, in run
>> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>> File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
>> line 868, in upgrade_from_samba3
>> import_idmap(result.idmap, samba3, logger)
>> File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
>> line 214, in import_idmap
>> samba3_idmap = samba3.get_idmap_db()
>> File
>> "/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
>> line 402, in get_idmap_db
>> return IdmapDatabase(self.statedir_path("winbindd_idmap.tdb"))
>> File
>> "/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
>> line 59, in __init__
>> self._check_version()
>> File
>> "/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
>> line 142, in _check_version
>> assert fetch_int32(self.tdb, "IDMAP_VERSION\0") == IDMAP_VERSION_V2
>>
>>
>> The error indicates an idmap problem, so on advice of another poster, I
>> renamed my winbindd_idmap.tdb file, then tried again (after deleting the
>> generated tdb files and smb.conf). This, however, caused another error:
>>
>> ...
>> ...
>> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
>> Importing groups
>> Could not add group name=Domain Admins ((68, "samldb: Account name
>> (sAMAccountName) 'Domain Admins' already in use!"))
>> Could not modify AD idmap entry for sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057,
>> id=502, type=ID_TYPE_GID ((32, "Base-DN
>> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found"))
>> Could not add posix attrs for AD entry for
>> sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057, ((32, "Base-DN
>> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found"))
>> Could not add group name=Domain Users ((68, "samldb: Account name
>> (sAMAccountName) 'Domain Users' already in use!"))
>> Could not modify AD idmap entry for sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066,
>> id=100, type=ID_TYPE_GID ((32, "Base-DN
>> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066>' not found"))
>> Could not add posix attrs for AD entry for
>> sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066, ((32, "Base-DN
>> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066>' not found"))
>> Importing users
>> User root has been kept in the directory, it should be removed in favour
>> of the Administrator user
>> Adding users to groups
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
>> ProvisioningError: Could not add member 'S-1-5-21-XXXXXXXXXXXXXXXXXX-1002'
>> to group 'S-1-5-21-XXXXXXXXXXXXXXXXXX-1057' as either group or user record
>> doesn't exist: Base-DN '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found
>> File
>> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
>> line 175, in _run
>> return self.run(*args, **kwargs)
>> File
>> "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
>> line 1318, in run
>> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>> File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
>> line 913, in upgrade_from_samba3
>> add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
>> File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
>> line 316, in add_users_to_group
>> raise ProvisioningError("Could not add member '%s' to group '%s' as
>> either group or user record doesn't exist: %s" % (member_sid, group.sid,
>> emsg))
>>
>>
>> I'm wondering if my winbindd_idmap.tdb is invalid, as ldbdump
>> winbindd_idmap.tdb returns nothing, and the tdb file is only 696 bytes. If
>> this is the issue, can I "rebuild it" on the samba3 server?
>>
>> Here's the global section of my smb.conf:
>>
>> workgroup = MYDOMAIN
>> netbios name = MYSERVER
>> server string = "Samba4 AD"
>> interfaces = 192.168.0.0/24
>> bind interfaces only = Yes
>> passdb backend = tdbsam
>> username map = /etc/samba/smbusers
>> admin users = scott
>> wins support = Yes
>> smb ports = 139
>> time server = Yes
>> client ntlmv2 auth = Yes
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> debug uid = Yes
>> deadtime = 15
>> socket options = TCP_NODELAY IPTOS_LOWDELAY
>> show add printer wizard = No
>> load printers = no
>> printing = bsd
>> disable spoolss = yes
>> printcap name = /dev/null
>> printcap cache time = 0
>> add user script = /usr/sbin/useradd -m -g users %u
>> logon script = logon.bat
>> logon path =
>> logon drive = H:
>> domain logons = Yes
>> os level = 65
>> preferred master = Yes
>> domain master = Yes
>> unix password sync = Yes
>> passwd program = /usr/bin/passwd %u
>> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>> *passwd:*all*authentication*tokens*updated*successfully*
>> pam password change = Yes
>>
>> Thanks ahead of time for any assistance, and if you need additional info,
>> let me know.
>> --scott