[Samba] Is there a guide to fsck a samba3 passdb.tdb?

2013-04-11 Thread Stephanie Sullivan
I've come to realize the underlying cause (at least one) for my
contemplating suicide (not quite that bad yet) because of the classicupgrade
process. It may be that my very old samba3 passdb.tdb needs to get a
fsck. If this were a filesystem, no problem, but I don't know how to
approach recovering the integrity of the passdb and other samba3 tdb files.
I'm hoping there is a tool or guide I have not been able to find.

Could I please get any of:
1) A how-to clean up a passdb
2) A link to a how-to clean up a passdb
3) A warning that it's futile and end it all, or just manually migrate
things to a brand new domain
4) A how-to or link to a how-to for another approach
a. An example of creating a new server, joining
   it into the existing samba3 PDC let all the
   valid info replicate, then promote the samba4
   server to the primary, retire the old one.
   Or will a messy passdb and other files make
   this just another propagation of historic
   nastiness from the problematic samba3 files??
5) An opinion on if I should give up on using my beloved Linux server for
Windows networking and drink the MS Kool-Aid...

As always, any advice is appreciated.
Thanks,
  -Stephanie

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


[Samba] Changing server IP related questions

2013-04-11 Thread Stephanie Sullivan
I have samba4 as an AD DC which I built on a private subnet. I need to move
it to the subnet where it will operate at a new IP address. The DC is using
the internal DNS.

I tried to find a way to dump the zones for the domain so I can see all the
records, but samba-tool dns query true zone xfer kind of function so you can
get all the information for all the records that are in the zone. I don't
want to miss changing an IP address in the zone for the DC because I missed
one trying to manually walk the zone.

Is there an ldb file where the zone is actually stored that can more readily
be viewed and edited with ldbedit?

A list of the DNS records I'll need to edit besides the server's A record
would be great.

Is there anything else I'll need to edit in the active directory or other
config?

Thanks,
  -Stephanie
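
An added example, not part of the original post: a small parser for a listing in the layout that `samba-tool dns query <server> <zone> @ ALL` prints, reporting every A record still on the old address and the nodes that report children and so need their own query. The output layout is assumed, and the sample listing, its serial numbers and the 192.0.2.x addresses are constructed for illustration.

```python
import re

OLD_IP = "192.0.2.10"  # constructed old DC address (documentation range)

# Constructed sample in the assumed samba-tool dns query layout.
SAMPLE = """\
  Name=, Records=3, Children=0
    SOA: serial=5, refresh=900, retry=600, expire=86400, minttl=3600, ns=myserver.mydomain.local., email=hostmaster.mydomain.local. (flags=600000f0, serial=5, ttl=3600)
    NS: myserver.mydomain.local. (flags=600000f0, serial=1, ttl=900)
    A: 192.0.2.10 (flags=600000f0, serial=1, ttl=900)
  Name=_msdcs, Records=0, Children=0
  Name=_sites, Records=0, Children=1
  Name=_tcp, Records=0, Children=4
  Name=_udp, Records=0, Children=2
  Name=acct1, Records=1, Children=0
    A: 192.0.2.21 (flags=f0, serial=3, ttl=900)
  Name=myserver, Records=1, Children=0
    A: 192.0.2.10 (flags=f0, serial=1, ttl=900)
"""

NODE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=\d+, Children=(?P<kids>\d+)\s*$")
RECORD = re.compile(r"^\s+(?P<type>[A-Z0-9]+): (?P<data>.*?)(?: \(flags=.*\))?\s*$")

def parse_listing(text):
    """Return (records, unexpanded): records is [(node, type, data)];
    unexpanded lists nodes with Children > 0 that must be queried themselves."""
    records, unexpanded, node = [], [], None
    for line in text.splitlines():
        m = NODE.match(line)
        if m:
            node = m.group("name") or "@"  # empty name is the zone apex
            if int(m.group("kids")) > 0:
                unexpanded.append(node)
            continue
        m = RECORD.match(line)
        if m and node is not None:
            records.append((node, m.group("type"), m.group("data")))
    return records, unexpanded

def a_records_for(records, old_ip):
    """Nodes whose A record is exactly old_ip (exact match, not substring)."""
    return [node for node, rtype, data in records if rtype == "A" and data == old_ip]

if __name__ == "__main__":
    recs, todo = parse_listing(SAMPLE)
    print("A records still on the old address:", a_records_for(recs, OLD_IP))
    print("nodes to query separately:", todo)
```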



[Samba] classic upgrade sort of succeeds but really fails - Advice?

2013-04-09 Thread Stephanie Sullivan
Hi,

I am stuck in a bad place and I'm not sure where to go next. I'd sure
appreciate some advice or direct help in troubleshooting this problem.

If I can provide additional information I'd be happy to send it along
privately. Some logs are very large - like the debuglevel 10 classicupgrade
output is about 160MB. But there is Dropbox, right? 

I've included what I could think of below but I'm sure I checked things that
I forgot to include. It's a much longer message than I expected so your
indulgence and attention is especially appreciated.

I have a samba 3 server that has been upgraded several times over many
years and has accumulated a lot of cruft. The goal is to do a successful
classic upgrade to samba 4 v4.0.4.

The samba 3 server was copied and upgraded from a RHEL5 to a CentOS 6 server
on a private network for this exercise. I virtualized 2 existing Windows XP
workstations to use for testing. I set up their DNS to point to the test
samba4 server.

In prep for using classic-upgrade I went through and removed accounts that
reported bad information (bad gid, no unix account). Cut down the number of
users considerably. A predecessor decided to make all unix accounts samba
logins including lp, news, uucp, etc. These were all removed, though root
was left, of course. And I removed /var/lib/samba/wins.dat.

The classic upgrade complained about some missing groups and I was generally
able to add groups for the domain GIDs it complained about. The
samba-tool domain classicupgrade appeared to go through, but when I made
sure that bind, smb, nmb and winbind were all shut down and started
/usr/local/samba/sbin/samba, the domain was visible to clients in Windows
Explorer, already joined workstations could log in but not load their roaming
profiles. The domain controller was not visible and could not be directly
addressed by using \\themissingservername.

In investigating, it looks like sysvol is set up in smb.conf, and ADMIN$ and
IPC$ are set up in private/share.ldb

I checked and it appears all the users got successfully imported.

It is parsing the samba3 smb.conf, but does not create shares in the samba4
smb.conf

The samba-tool command I used for classicupgrade is:

/usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/var/lib/samba \
    --dns-backend=SAMBA_INTERNAL --use-xattrs=yes --realm=mydomain.local \
    /etc/samba/smb.conf

Let's call the server myserverl.

The generated smb.conf does not have any of the many shares from the samba3
server set up. Here it is sanitized:
** 
[global]
workgroup = MYDOMAIN
realm = mydomain.local
netbios name = MYSERVER
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
dns forwarder = 208.67.222.222
[netlogon]
path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
**

I start the domain with /usr/local/samba/sbin/samba -I -M single -d2
When I try to login I get the following output repeating:
idmapping sid_to_xid failed for id[1]=S-1-5-21-1509466807-1292110410-277592076-515: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[3]=S-1-1-0: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[4]=S-1-5-2: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[5]=S-1-5-11: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[3]=S-1-5-21-1509466807-1292110410-277592076-572: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[4]=S-1-1-0: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[5]=S-1-5-2: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[6]=S-1-5-11: NT_STATUS_NONE_MAPPED

I have been generally successful at mapping domain SIDs (S-1-5-21-domain
sid-rid) in the old samba3 config, then re-running the classicupgrade after
removing the samba4 smb.conf. When I try to map the Everyone and other two
SIDs in the list, classicupgrade fails pretty miserably at the end. I use
the samba3 net grouplist function for the above.

When logged into an XP workstation already joined to the samba3 domain I can
see my and other workstations in the domain but not the server. I get the
following errors in the workstation application system log:
**
Event Type: Error
Event Source:   AutoEnrollment
Event Category: None
Event ID:   15
Date:   4/9/2013
Time:   9:19:59 AM
User:   N/A
Computer:   ACCT1
Description:
Automatic certificate enrollment for local system failed to contact the
active directory (0x8007054b).  The specified domain either does not exist
or could not be contacted.
  Enrollment will not be performed.
**
Followed by
**
Event Type: Error
Event Source:   Userenv
Event Category: None
Event ID:   1053
Date:   4/9/2013
Time:   9:22:22 AM
User:   NT AUTHORITY\SYSTEM
Computer:   ACCT1
Description:
Windows cannot determine the user or