Hi,
I am stuck in a bad place and I'm not sure where to go next. I'd sure
appreciate some advice or direct help in troubleshooting this problem.
If I can provide additional information I'd be happy to send it along
privately. Some logs are very large - like the debuglevel 10 classicupgrade
output is about 160MB. But there is Dropbox, right?
I've included what I could think of below but I'm sure I checked things that
I forgot to include. It's a much longer message than I expected, so your
indulgence and attention are especially appreciated.
I have a samba 3 server that has been upgraded several times over many
years and has accumulated a lot of cruft. The goal is to do a successful
classic upgrade to samba 4 v4.0.4.
The samba 3 server was copied and upgraded from a RHEL5 to a centos6 server
on a private network for this exercise. I virtualized 2 existing Windows XP
workstations to use for testing. I set up their DNS to point to the test
samba4 server.
In prep for using classic-upgrade I went through and removed accounts that
reported bad information (bad gid, no unix account). This cut down the number of
users considerably. A predecessor decided to make all unix accounts samba
logins, including lp, news, uucp, etc. These were all removed, though root
was left, of course. And I removed /var/lib/samba/wins.dat.
The classic upgrade complained about some missing groups and I was generally
able to add groups for the domain gids it complained about. The
samba-tools domain classicupgrade appeared to go through. I then made
sure that bind, smb, nmb and winbind were all shut down and started
/usr/local/samba/sbin/samba. The domain was visible to clients in Windows
Explorer, and already joined workstations could log in but not load their roaming
profiles. The domain controller was not visible and could not be directly
addressed by using \\themissingservername.
In investigating, it looks like sysvol is set up in smb.conf, and ADMIN$ and
IPC$ are set up in private/share.ldb.
I checked and it appears all the users got successfully imported.
It is parsing the samba3 smb.conf, but does not create shares in the samba4
smb.conf.
The samba-tool command I used for classicupgrade is:
/usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/var/lib/samba
--dns-backend=SAMBA_INTERNAL --use-xattrs=yes --realm=mydomain.local
/etc/samba/smb.conf
Let's call the server myserverl.
The generated smb.conf does not have any of the many shares from the samba3
server setup. Here it is sanitized:
**
[global]
workgroup = MYDOMAIN
realm = mydomain.local
netbios name = MYSERVER
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 208.67.222.222
[netlogon]
path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
**
I start the domain with /usr/local/samba/sbin/samba -I -M single -d2
When I try to login I get the following output repeating:
idmapping sid_to_xid failed for
id[1]=S-1-5-21-1509466807-1292110410-277592076-515: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[3]=S-1-1-0: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[4]=S-1-5-2: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[5]=S-1-5-11: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for
id[3]=S-1-5-21-1509466807-1292110410-277592076-572: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[4]=S-1-1-0: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[5]=S-1-5-2: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[6]=S-1-5-11: NT_STATUS_NONE_MAPPED
I have been generally successful at mapping domain sids (S-1-5-21-domainsid-rid)
in the old samba3 config and then re-running the classicupgrade after
removing the samba4 smb.conf. When I try to map the Everyone and other two
SIDs in the list, classicupgrade fails pretty miserably at the end. I use
the samba3 net grouplist function for the above.
When logged into an XP workstation already joined to the samba3 domain I can
see my and other workstations in the domain but not the server. I get the
following errors in the workstation application system log:
**
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: 4/9/2013
Time: 9:19:59 AM
User: N/A
Computer: ACCT1
Description:
Automatic certificate enrollment for local system failed to contact the
active directory (0x8007054b). The specified domain either does not exist
or could not be contacted.
Enrollment will not be performed.
**
Followed by
**
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date: 4/9/2013
Time: 9:22:22 AM
User: NT AUTHORITY\SYSTEM
Computer: ACCT1
Description:
Windows cannot determine the user or
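A small triage helper for the `idmapping sid_to_xid failed` records quoted earlier in this message. This is an added example, not code from the original poster or from Samba: it separates the SIDs that belong to the domain (S-1-5-21-&lt;domain&gt;-&lt;rid&gt;, which a Samba 3 group mapping can cover) from well-known SIDs such as Everyone, which live outside every domain. The sample log is constructed from the lines quoted above.

```python
import re

# Well-known SIDs live outside every domain, so a Samba 3 group mapping
# (which only covers S-1-5-21-<domain>-<rid>) cannot supply a uid/gid for them.
WELL_KNOWN_SIDS = {"S-1-1-0": "Everyone", "S-1-5-2": "NETWORK",
                   "S-1-5-11": "Authenticated Users"}

# RIDs that Samba's AD provisioning assigns to built-in domain groups.
KNOWN_DOMAIN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
                     515: "Domain Computers", 516: "Domain Controllers",
                     572: "Denied RODC Password Replication Group"}

# A record may wrap onto a second line, so the text is flattened before matching.
FAIL_RE = re.compile(r"idmapping sid_to_xid failed for id\[\d+\]=(S-1-[\d-]+): *(NT_STATUS_\w+)")
DOMAIN_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def classify_failures(log_text):
    """Group unmapped SIDs: 'well_known' -> {sid: name}, 'domain' -> {sid: (domain_sid, rid, name)}, 'other' -> set."""
    flat = " ".join(log_text.split())
    result = {"well_known": {}, "domain": {}, "other": set()}
    for sid, _status in FAIL_RE.findall(flat):
        if sid in WELL_KNOWN_SIDS:
            result["well_known"][sid] = WELL_KNOWN_SIDS[sid]
            continue
        m = DOMAIN_RE.match(sid)
        if m:
            rid = int(m.group(2))
            result["domain"][sid] = (m.group(1), rid, KNOWN_DOMAIN_RIDS.get(rid, "unknown RID"))
        else:
            result["other"].add(sid)  # e.g. a SID from a trusted/foreign domain
    return result


# Constructed sample: the records quoted in the post, including the wrapped ones.
SAMPLE_LOG = """idmapping sid_to_xid failed for
id[1]=S-1-5-21-1509466807-1292110410-277592076-515: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[3]=S-1-1-0: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[4]=S-1-5-2: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[5]=S-1-5-11: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for
id[3]=S-1-5-21-1509466807-1292110410-277592076-572: NT_STATUS_NONE_MAPPED
"""

if __name__ == "__main__":
    r = classify_failures(SAMPLE_LOG)
    for sid, name in r["well_known"].items():
        print(f"well-known  {sid:<45} {name}")
    for sid, (_dom, rid, name) in r["domain"].items():
        print(f"domain RID  {sid:<45} rid={rid} ({name})")
```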