Re: [Samba] Problems attaching Windows server as secondary DC.
On Sat, 20 Apr 2013, Matthieu Patou wrote:

On 04/13/2013 04:38 PM, simon+sa...@matthews.eu wrote:

I have my Samba4 up and running. I was able to get a Windows 2012 server to join the samba4 domain. However, I have not been able to get the Windows server to promote itself to a secondary DC. I would appreciate any suggestions on debugging this issue.

On the Server 2012 machine, in the prerequisites check, I see the following message:

    Verification or prerequisites for Active Directory preparation failed .. Exception: THe RPC server is unavailable. . Adprep could not retrieve data from the server servername ...

The servername is correct and resolves to my samba4 server. On the Samba4 server, I see the following in the logs:

    [2013/04/12 12:02:30, 3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
      Got NTLMSSP neg_flags=0xe2088235
    [2013/04/12 12:02:30, 3] ../source4/rpc_server/dcerpc_server.c:961(dcesrv_request)
      Warning: 60 extra bytes in incoming RPC request
    [2013/04/12 12:02:30, 3] ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74(dcesrv_drsuapi_DsBind)
      ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74: doing DsBind with system_session
    [2013/04/12 12:02:33, 3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
      Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
    [2013/04/12 12:02:33, 3] ../source4/smbd/process_single.c:114(single_terminate)
      single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]

Any ideas?

We don't support Windows 2012 yet, for multiple reasons:

In order to have a Windows 2012 DC you must have a 2012 compliant schema. Up to and including Windows 2008R2, the way to do it was to run programs provided by Microsoft on an existing DC to upgrade the schema and do some adaptation to the database. With Windows 2012 they have introduced a way to do it also remotely via webservices that we don't support and we don't plan to support. So the usual upgrade path is not possible.

Up to now we have asked for and received the new schema from Microsoft after each new AD product, but for 2012 we didn't really ask so we haven't received it yet. *If* we had it, the way to go would be to run something like samba_upgradeprovision so that we would be able to add missing schema entries and modify needed objects, but this is not yet a solution (although it might be a much shorter delay before getting it).

Last would be to add an older version of Windows (2003, 2008, 2008R2) to the domain and run the program to upgrade the schema; it won't work until you migrate the schema master role to the newly added Windows DC. Then you might run into problems while synchronizing; this is a known problem that we are working on and that you'll face for sure if you try to join samba to a domain with a Windows 2012 schema.

Are you saying that, in addition to not being able to join a Windows 2012 server to a samba domain, the reverse will not work as well? I can't join a Linux box to a Windows 2012 domain as a client (not as a DC, but just a domain member)?

Simon

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] Problems attaching Windows server as secondary DC.
On Mon, 15 Apr 2013, Jonis Maurin Ceará wrote:

Only Win 2012 DC, 2008 R2 join fine as DC. Same here with fresh install of S4 and Win 2012.

I am trying to join a Windows Server 2012 machine as a secondary DC. This should work, right?

Simon

2013/4/15 Friedmar friedmar.m...@me.com

simon+samba at matthews.eu writes:

I have my Samba4 up and running. I was able to get a Windows 2012 server to join the samba4 domain. However, I have not been able to get the Windows server to promote itself to a secondary DC. I would appreciate any suggestions on debugging this issue.

On the Server 2012 machine, in the prerequisites check, I see the following message:

    Verification or prerequisites for Active Directory preparation failed .. Exception: THe RPC server is unavailable. .

Simon you are not alone! Same here: Ubuntu 13.04 and samba4-4.0.1+dfsg1-1+. This has existed for a long time (12.04 and S4 beta). At present level it seems that Win DC could not join S4 Domains. So you could not get rid of samba4. Bug or feature?
[Samba] Problems attaching Windows server as secondary DC.
I have my Samba4 up and running. I was able to get a Windows 2012 server to join the samba4 domain. However, I have not been able to get the Windows server to promote itself to a secondary DC. I would appreciate any suggestions on debugging this issue.

On the Server 2012 machine, in the prerequisites check, I see the following message:

    Verification or prerequisites for Active Directory preparation failed .. Exception: THe RPC server is unavailable. . Adprep could not retrieve data from the server servername ...

The servername is correct and resolves to my samba4 server. On the Samba4 server, I see the following in the logs:

    [2013/04/12 12:02:30, 3] ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
      Got NTLMSSP neg_flags=0xe2088235
    [2013/04/12 12:02:30, 3] ../source4/rpc_server/dcerpc_server.c:961(dcesrv_request)
      Warning: 60 extra bytes in incoming RPC request
    [2013/04/12 12:02:30, 3] ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74(dcesrv_drsuapi_DsBind)
      ../source4/rpc_server/drsuapi/dcesrv_drsuapi.c:74: doing DsBind with system_session
    [2013/04/12 12:02:33, 3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
      Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
    [2013/04/12 12:02:33, 3] ../source4/smbd/process_single.c:114(single_terminate)
      single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]

Any ideas?

Simon
[Samba] Internal DNS not running
After running the classicupgrade, configuring and starting krb5, starting the new samba4 server, I started looking at DNS. Nothing is listening on port 53, so I assume the internal DNS is not working. I have NOT specified the use of the BIND_DLZ plugin, so it should be using its internal dns server. Where should I start looking for a solution to this?
Re: [Samba] Internal DNS not running
On Tue, 9 Apr 2013, Ricky Nance wrote:

What samba version are you using (samba -V)?

    # samba -V
    Version 4.0.4

Also what is the output of samba-tool testparm -v --suppress-prompt | grep server services

    # samba-tool testparm -v --suppress-prompt | grep server services
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

Simon

On Tue, Apr 9, 2013 at 6:34 PM, simon+sa...@matthews.eu wrote:

After running the classicupgrade, configuring and starting krb5, starting the new samba4 server, I started looking at DNS. Nothing is listening on port 53, so I assume the internal DNS is not working. I have NOT specified the use of the BIND_DLZ plugin, so it should be using its internal dns server. Where should I start looking for a solution to this?
[Samba] samba_dnsupdate?
Now for the next question. I think (hope?) that I am quite close now. In order to add a machine to the domain, I think that I need to add a record to samba's DNS table. But samba_dnsupdate isn't working:

    # samba_dnsupdate -d 5
    INFO: Current debug levels:
      all: 5
      tdb: 5
      printdrivers: 5
      lanman: 5
      smb: 5
      rpc_parse: 5
      rpc_srv: 5
      rpc_cli: 5
      passdb: 5
      sam: 5
      auth: 5
      winbind: 5
      vfs: 5
      idmap: 5
      quota: 5
      acls: 5
      locking: 5
      msdfs: 5
      dmapi: 5
      registry: 5
    lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
    params.c:pm_process() - Processing configuration file /usr/local/samba/etc/smb.conf
    Processing section [global]
    Processing section [netlogon]
    Processing section [sysvol]
    pm_process() returned Yes
    added interface eth0 ip=fe80::5054:ff:fefd:9729%eth0 bcast=fe80:::::%eth0 netmask=:::::
    added interface eth0 ip=192.168.99.19 bcast=192.168.99.255 netmask=255.255.255.0
    schema_fsmo_init: we are master[yes] updates allowed[no]

As you can see updates are not allowed. But my smb.conf looks like this:

    [global]
        workgroup = MYAD
        realm = MYAD.my.domain
        netbios name = SAMBA4
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        # log file = /var/log/samba/samba.log.%m
        log level = 3
        allow dns updates = True
        dns forwarder = 192.168.99.2

Simon

On Tue, 9 Apr 2013, Ricky Nance wrote:

Glad to hear :)

Ricky

On Tue, Apr 9, 2013 at 8:15 PM, Simon Matthews si...@matthews-family.org.uk wrote:

On Tue, 9 Apr 2013, Ricky Nance wrote:

That looks normal... Can you pastebin your log.samba... first mv or rm /usr/local/samba/var/log.samba, then restart samba, then pastebin log.samba. Also (with samba running) can you give us the output of ps ax | grep samba and the output of netstat -anp | grep LISTEN | grep samba

Thanks, Ricky, with your help, I fixed the problem. I had started krb5kdc, not realizing that the krb server was also built into samba. Once I stopped this and re-started SAMBA, the internal dns server started working.

Simon

On Tue, Apr 9, 2013 at 7:22 PM, simon+sa...@matthews.eu wrote:

On Tue, 9 Apr 2013, Ricky Nance wrote:

What samba version are you using (samba -V)?

    # samba -V
    Version 4.0.4

Also what is the output of samba-tool testparm -v --suppress-prompt | grep server services

    # samba-tool testparm -v --suppress-prompt | grep server services
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

Simon

On Tue, Apr 9, 2013 at 6:34 PM, simon+sa...@matthews.eu wrote:

After running the classicupgrade, configuring and starting krb5, starting the new samba4 server, I started looking at DNS. Nothing is listening on port 53, so I assume the internal DNS is not working. I have NOT specified the use of the BIND_DLZ plugin, so it should be using its internal dns server. Where should I start looking for a solution to this?
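The conflict quoted in this thread (a standalone krb5kdc running beside Samba's built-in KDC) can be spotted from the same `netstat -anp` output Ricky asked for. The filter below is an added example, not part of the original posts; the port list and the sample netstat lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# TCP ports a Samba AD DC expects to bind itself (assumed list for this
# example): DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, LDAPS, GC.
ADDC_PORTS="53 88 135 389 445 464 636 3268"

# find_port_conflicts: read `netstat -anp` output on stdin and print
# "port pid/program" for every LISTEN socket on one of the ports above
# whose owning program is not samba or smbd.
find_port_conflicts() {
    awk -v ports="$ADDC_PORTS" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        # TCP lines: Proto Recv-Q Send-Q Local Foreign State PID/Program
        $6 == "LISTEN" {
            port = $4
            sub(/^.*:/, "", port)        # keep what follows the last colon
            prog = $7
            sub(/^[0-9]+\//, "", prog)   # drop the "PID/" prefix
            if ((port in want) && prog !~ /^(samba|smbd)/)
                print port, $7
        }' | sort -u
}

# Constructed sample: krb5kdc holds port 88 on IPv4 and IPv6 while
# samba and smbd own the other service ports.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:88        0.0.0.0:*     LISTEN      4021/krb5kdc
tcp        0      0 0.0.0.0:389       0.0.0.0:*     LISTEN      4100/samba
tcp        0      0 0.0.0.0:445       0.0.0.0:*     LISTEN      4105/smbd
tcp        0      0 0.0.0.0:22        0.0.0.0:*     LISTEN      900/sshd
tcp6       0      0 :::88             :::*          LISTEN      4021/krb5kdc
udp        0      0 0.0.0.0:88        0.0.0.0:*                 4021/krb5kdc
EOF
}
```

On a live host, run it as root with `netstat -anp | find_port_conflicts`; an empty result means no foreign process is listening on the checked TCP ports.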
[Samba] was: samba_dnsupdate? now Could not find child xxxxx -- ignoring
OK, solved that problem. nsupdate worked, even if samba_dnsupdate did not.

New problem: Lots of entries like this in the log:

    [2013/04/09 22:25:39.559029, 2] ../source3/smbd/server.c:436(remove_child_pid)
      Could not find child 15172 -- ignoring
    [2013/04/09 22:26:39.613172, 2] ../source3/smbd/server.c:436(remove_child_pid)
      Could not find child 15175 -- ignoring

I see a bug that describes this problem, but it is marked as fixed since June 2011. https://bugzilla.samba.org/show_activity.cgi?id=8269

Simon

On Tue, 9 Apr 2013, simon+sa...@matthews.eu wrote:

Now for the next question. I think (hope?) that I am quite close now. In order to add a machine to the domain, I think that I need to add a record to samba's DNS table. But samba_dnsupdate isn't working:

    # samba_dnsupdate -d 5
    INFO: Current debug levels:
      all: 5
      tdb: 5
      printdrivers: 5
      lanman: 5
      smb: 5
      rpc_parse: 5
      rpc_srv: 5
      rpc_cli: 5
      passdb: 5
      sam: 5
      auth: 5
      winbind: 5
      vfs: 5
      idmap: 5
      quota: 5
      acls: 5
      locking: 5
      msdfs: 5
      dmapi: 5
      registry: 5
    lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
    params.c:pm_process() - Processing configuration file /usr/local/samba/etc/smb.conf
    Processing section [global]
    Processing section [netlogon]
    Processing section [sysvol]
    pm_process() returned Yes
    added interface eth0 ip=fe80::5054:ff:fefd:9729%eth0 bcast=fe80:::::%eth0 netmask=:::::
    added interface eth0 ip=192.168.99.19 bcast=192.168.99.255 netmask=255.255.255.0
    schema_fsmo_init: we are master[yes] updates allowed[no]

As you can see updates are not allowed. But my smb.conf looks like this:

    [global]
        workgroup = MYAD
        realm = MYAD.my.domain
        netbios name = SAMBA4
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        # log file = /var/log/samba/samba.log.%m
        log level = 3
        allow dns updates = True
        dns forwarder = 192.168.99.2

Simon

On Tue, 9 Apr 2013, Ricky Nance wrote:

Glad to hear :)

Ricky

On Tue, Apr 9, 2013 at 8:15 PM, Simon Matthews si...@matthews-family.org.uk wrote:

On Tue, 9 Apr 2013, Ricky Nance wrote:

That looks normal... Can you pastebin your log.samba... first mv or rm /usr/local/samba/var/log.samba, then restart samba, then pastebin log.samba. Also (with samba running) can you give us the output of ps ax | grep samba and the output of netstat -anp | grep LISTEN | grep samba

Thanks, Ricky, with your help, I fixed the problem. I had started krb5kdc, not realizing that the krb server was also built into samba. Once I stopped this and re-started SAMBA, the internal dns server started working.

Simon

On Tue, Apr 9, 2013 at 7:22 PM, simon+sa...@matthews.eu wrote:

On Tue, 9 Apr 2013, Ricky Nance wrote:

What samba version are you using (samba -V)?

    # samba -V
    Version 4.0.4

Also what is the output of samba-tool testparm -v --suppress-prompt | grep server services

    # samba-tool testparm -v --suppress-prompt | grep server services
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns

Simon

On Tue, Apr 9, 2013 at 6:34 PM, simon+sa...@matthews.eu wrote:

After running the classicupgrade, configuring and starting krb5, starting the new samba4 server, I started looking at DNS. Nothing is listening on port 53, so I assume the internal DNS is not working. I have NOT specified the use of the BIND_DLZ plugin, so it should be using its internal dns server. Where should I start looking for a solution to this?
Re: [Samba] Please help: classicupgrade not importing users -- SOLVED
I finally found the solution.

I was moving from a Gentoo system to CentOS and the layout of the files is different under Gentoo. In the Gentoo layout, the default location for passdb.tdb, schannel_store.tdb and secrets.tdb is in /var/lib/samba/private. When I first tried to import, I had got an error message about secrets.tdb not being found, so I had made a link /var/lib/samba/secrets.tdb that pointed to /var/lib/samba/private/secrets.tdb, but, crucially, I did not do this for the other files in the secrets subdirectory.

Once I made the links for the other files, all I had to do was clean up my old tdb files (duplicate and otherwise bad entries) and then the import worked!

Simon
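A pre-flight check for the failure described in this post, written as an added example (not from the original post or from Samba): before running classicupgrade it verifies that the three TDB files the post names are reachable directly under the directory passed as --dbdir. The function names, report strings and the constructed sample layout are hypothetical.

```shell
#!/bin/sh
# TDB files the post names as needed under the classicupgrade --dbdir.
REQUIRED_TDBS="passdb.tdb secrets.tdb schannel_store.tdb"

# check_dbdir DIR: print one line per problem found and return non-zero
# if any required file is missing, dangling or unreadable in DIR.
check_dbdir() {
    dbdir=$1
    rc=0
    for f in $REQUIRED_TDBS; do
        path="$dbdir/$f"
        if [ -L "$path" ] && [ ! -e "$path" ]; then
            # A symlink exists but its target is gone.
            echo "dangling-link $f"
            rc=1
        elif [ ! -e "$path" ]; then
            # The Gentoo-style layout from the post keeps the file in private/.
            if [ -e "$dbdir/private/$f" ]; then
                echo "only-in-private $f"
            else
                echo "missing $f"
            fi
            rc=1
        elif [ ! -r "$path" ]; then
            echo "unreadable $f"
            rc=1
        fi
    done
    return $rc
}

# make_sample_layout: build a constructed tree that mirrors the state in
# the post (all three files in private/, only secrets.tdb linked one level
# up) and print its path. The files are empty placeholders.
make_sample_layout() {
    d=$(mktemp -d) || return 1
    mkdir "$d/private"
    for f in $REQUIRED_TDBS; do
        : > "$d/private/$f"
    done
    ln -s "$d/private/secrets.tdb" "$d/secrets.tdb"
    echo "$d"
}
```

Against the sample layout, `check_dbdir` reports passdb.tdb and schannel_store.tdb as `only-in-private`, which is the half-linked state the post describes.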
Re: [Samba] Please help: classicupgrade not importing users
Does anyone have any ideas what I might have done wrong or why this is not working?

Simon

On Tue, 2 Apr 2013, simon+sa...@matthews.eu wrote:

I have tried everything that I can think of, but the users are still not being imported. I deleted and re-created the /usr/local/samba directory (using make install), I added users to the local passwd file (ypcat passwd /etc/passwd) and then stopped ypbind. Still the same. The users are not imported while the groups are.

I would really appreciate some help in getting past this step. The transcript of my last attempt at classicupgrade can be found here: http://pastebin.com/tP8bG5Yb

I changed the realm that I used to a.b and made edits to the file to make it consistent.

Simon

On Mon, 1 Apr 2013, simon+sa...@matthews.eu wrote:

On Tue, 2 Apr 2013, Ricky Nance wrote:

http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO should help.

I have been following those instructions. I have a tdb backend, I am working on a VM that does not have SAMBA3 installed. The command:

    # samba-tool user list

does not show my users. Interestingly, the groups seem to be there. If I use

    # samba-tool group list

I see the expected groups.

Simon

Ricky

On Tue, Apr 2, 2013 at 12:06 AM, Gémes Géza g...@kzsdabas.hu wrote:

On 2013-04-02 05:35, simon+sa...@matthews.eu wrote:

On Mon, 1 Apr 2013, simon+sa...@matthews.eu wrote:

On Tue, 2 Apr 2013, Andrew Bartlett wrote:

On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:

On 2013-04-01 02:36, simon+sa...@matthews.eu wrote:

Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users. I ran the command:

    /usr/local/samba/bin/samba-tool domain provision --realm=my realm \
    --domain=mydomain --adminpass 'mypass' realm --server-role=dc \
    --dns-backend=BIND9_DLZ

Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. pdbedit -v is able to list the user's parameters, including the SID.

Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4.

Hi, Trying to add users one by one (preserving SID) is IMHO a lot harder (you would probably need to ldbmodify the user record of each one) to do, than fixing your samba3 install to have it classicupgraded.

Indeed. The only way to safely import a list of users who already have SIDs is to migrate them to Samba 4.0's AD DC using one of the supported migration tools. These are 'samba-tool domain join dc' and 'samba-tool domain classicupgrade'.

Perhaps I need to address why the classicupgrade did not work. I see now that I did not pass the --dbdir option when running it before. I'll try again.

I went back to trying to get the classicupgrade to work:

    /usr/local/samba/bin/samba-tool domain classicupgrade \
    --dbdir=/var/lib/samba/ --dbdir=/var/lib/samba/ --realm=a.b \
    /etc/samba/smb.conf --use-xattrs=yes

For the realm, I used a subdomain of one of the two existing dns domains in the LAN.

It appears to be processing the information from the old domain tdb files, although I see some errors:

    Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
    Importing groups
    Could not add group name=Remote Desktop Users ((68, samldb: Account name (sAMAccountName) 'Remote Desktop Users' already in use!))
    Could not modify AD idmap entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, id=5077, type=ID_TYPE_GID ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found))
    Could not add posix attrs for AD entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found))
    Group already exists sid=S-1-5-21-4254857281-3346836279-4152649156-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.

However, after this, all I get from pdbedit -L is:

    # pdbedit -L
    RAIDSERVER$:4294967295:
    Administrator:4294967295:
    [root@samba ~]# pdbedit -L
    RAIDSERVER$:4294967295:
    Administrator:4294967295:
Re: [Samba] SAMBA4: pdbedit not changing SID
On Tue, 2 Apr 2013, Ricky Nance wrote:

http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO should help.

I have been following those instructions. I have a tdb backend, I am working on a VM that does not have SAMBA3 installed. The command:

    # samba-tool user list

does not show my users. Interestingly, the groups seem to be there. If I use

    # samba-tool group list

I see the expected groups.

Simon

Ricky

On Tue, Apr 2, 2013 at 12:06 AM, Gémes Géza g...@kzsdabas.hu wrote:

On 2013-04-02 05:35, simon+sa...@matthews.eu wrote:

On Mon, 1 Apr 2013, simon+sa...@matthews.eu wrote:

On Tue, 2 Apr 2013, Andrew Bartlett wrote:

On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:

On 2013-04-01 02:36, simon+sa...@matthews.eu wrote:

Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users. I ran the command:

    /usr/local/samba/bin/samba-tool domain provision --realm=my realm \
    --domain=mydomain --adminpass 'mypass' --server-role=dc \
    --dns-backend=BIND9_DLZ

Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. pdbedit -v is able to list the user's parameters, including the SID.

Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4.

Hi, Trying to add users one by one (preserving SID) is IMHO a lot harder (you would probably need to ldbmodify the user record of each one) to do, than fixing your samba3 install to have it classicupgraded.

Indeed. The only way to safely import a list of users who already have SIDs is to migrate them to Samba 4.0's AD DC using one of the supported migration tools. These are 'samba-tool domain join dc' and 'samba-tool domain classicupgrade'.

Perhaps I need to address why the classicupgrade did not work. I see now that I did not pass the --dbdir option when running it before. I'll try again.

I went back to trying to get the classicupgrade to work:

    /usr/local/samba/bin/samba-tool domain classicupgrade \
    --dbdir=/var/lib/samba/ --dbdir=/var/lib/samba/ --realm=a.b \
    /etc/samba/smb.conf --use-xattrs=yes

For the realm, I used a subdomain of one of the two existing dns domains in the LAN.

It appears to be processing the information from the old domain tdb files, although I see some errors:

    Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
    Importing groups
    Could not add group name=Remote Desktop Users ((68, samldb: Account name (sAMAccountName) 'Remote Desktop Users' already in use!))
    Could not modify AD idmap entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, id=5077, type=ID_TYPE_GID ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found))
    Could not add posix attrs for AD entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found))
    Group already exists sid=S-1-5-21-4254857281-3346836279-4152649156-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.

However, after this, all I get from pdbedit -L is:

    # pdbedit -L
    RAIDSERVER$:4294967295:
    Administrator:4294967295:
    [root@samba ~]# pdbedit -L
    RAIDSERVER$:4294967295:
    Administrator:4294967295:
    krbtgt:4294967295:--dbdir=/var/lib/samba/ --realm=a.b /etc/samba/smb.confnobody:99:Nobody

Any ideas? What information might help debug this?

Simon

Could this happen because pdbedit is from the samba3 install? I recommend doing upgrade on a new box/virtual machine where no samba3 is installed, and copying the tdb files to the new box.

Regards

Geza Gemes
[Samba] Please help: classicupgrade not importing users
I have tried everything that I can think of, but the users are still not being imported. I deleted and re-created the /usr/local/samba directory (using make install), I added users to the local passwd file (ypcat passwd /etc/passwd) and then stopped ypbind. Still the same. The users are not imported while the groups are.

I would really appreciate some help in getting past this step. The transcript of my last attempt at classicupgrade can be found here: http://pastebin.com/tP8bG5Yb

I changed the realm that I used to a.b and made edits to the file to make it consistent.

Simon

On Mon, 1 Apr 2013, simon+sa...@matthews.eu wrote:

On Tue, 2 Apr 2013, Ricky Nance wrote:

http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO should help.

I have been following those instructions. I have a tdb backend, I am working on a VM that does not have SAMBA3 installed. The command:

    # samba-tool user list

does not show my users. Interestingly, the groups seem to be there. If I use

    # samba-tool group list

I see the expected groups.

Simon

Ricky

On Tue, Apr 2, 2013 at 12:06 AM, Gémes Géza g...@kzsdabas.hu wrote:

On 2013-04-02 05:35, simon+sa...@matthews.eu wrote:

On Mon, 1 Apr 2013, simon+sa...@matthews.eu wrote:

On Tue, 2 Apr 2013, Andrew Bartlett wrote:

On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:

On 2013-04-01 02:36, simon+sa...@matthews.eu wrote:

Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users. I ran the command:

    /usr/local/samba/bin/samba-tool domain provision --realm=my realm \
    --domain=mydomain --adminpass 'mypass' realm --server-role=dc \
    --dns-backend=BIND9_DLZ

Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. pdbedit -v is able to list the user's parameters, including the SID.

Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4.

Hi, Trying to add users one by one (preserving SID) is IMHO a lot harder (you would probably need to ldbmodify the user record of each one) to do, than fixing your samba3 install to have it classicupgraded.

Indeed. The only way to safely import a list of users who already have SIDs is to migrate them to Samba 4.0's AD DC using one of the supported migration tools. These are 'samba-tool domain join dc' and 'samba-tool domain classicupgrade'.

Perhaps I need to address why the classicupgrade did not work. I see now that I did not pass the --dbdir option when running it before. I'll try again.

I went back to trying to get the classicupgrade to work:

    /usr/local/samba/bin/samba-tool domain classicupgrade \
    --dbdir=/var/lib/samba/ --dbdir=/var/lib/samba/ --realm=a.b \
    /etc/samba/smb.conf --use-xattrs=yes

For the realm, I used a subdomain of one of the two existing dns domains in the LAN.

It appears to be processing the information from the old domain tdb files, although I see some errors:

    Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
    Importing groups
    Could not add group name=Remote Desktop Users ((68, samldb: Account name (sAMAccountName) 'Remote Desktop Users' already in use!))
    Could not modify AD idmap entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, id=5077, type=ID_TYPE_GID ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found))
    Could not add posix attrs for AD entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found))
    Group already exists sid=S-1-5-21-4254857281-3346836279-4152649156-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.

However, after this, all I get from pdbedit -L is:

    # pdbedit -L
    RAIDSERVER$:4294967295:
    Administrator:4294967295:
    [root@samba ~]# pdbedit -L
    RAIDSERVER$:4294967295:
    Administrator:4294967295:
    krbtgt:4294967295:--dbdir=/var/lib/samba/ --realm=a.b /etc/samba/smb.confnobody:99:Nobody

Any ideas? What information might help debug this?

Simon

Could this happen because pdbedit is from the samba3 install? I recommend doing upgrade on a new box/virtual machine where no samba3 is installed, and copying the tdb files to
Re: [Samba] SAMBA4: pdbedit not changing SID
On Tue, 2 Apr 2013, Andrew Bartlett wrote:

On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote:

On 2013-04-01 02:36, simon+sa...@matthews.eu wrote:

Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users. I ran the command:

    /usr/local/samba/bin/samba-tool domain provision --realm=my realm \
    --domain=mydomain --adminpass 'mypass' --server-role=dc \
    --dns-backend=BIND9_DLZ

Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. pdbedit -v is able to list the user's parameters, including the SID.

Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4.

Hi, Trying to add users one by one (preserving SID) is IMHO a lot harder (you would probably need to ldbmodify the user record of each one) to do, than fixing your samba3 install to have it classicupgraded.

Indeed. The only way to safely import a list of users who already have SIDs is to migrate them to Samba 4.0's AD DC using one of the supported migration tools. These are 'samba-tool domain join dc' and 'samba-tool domain classicupgrade'.

Perhaps I need to address why the classicupgrade did not work. I see now that I did not pass the --dbdir option when running it before. I'll try again.

If I could change the subject somewhat, I am also not clear on how to configure SAMBA4 and the DNS server if my network has an existing DNS server on another machine and I don't really want to move it. The DNS server is a stock install of bind from the distro's repository: bind-9.8.2-0.17.rc1.el6_4.4.x86_64

Simon
Re: [Samba] SAMBA4: pdbedit not changing SID
On Mon, 1 Apr 2013, simon+sa...@matthews.eu wrote: On Tue, 2 Apr 2013, Andrew Bartlett wrote: On Mon, 2013-04-01 at 09:26 +0200, Gémes Géza wrote: 2013-04-01 02:36 keltezéssel, simon+sa...@matthews.eu írta: Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users. I ran the command: /usr/local/samba/bin/samba-tool domain provision --realm=my realm \ --domain=mydomain --adminpass 'mypass' --server-role=dc \ --dns-backend=BIND9_DLZ Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. pdbedit -v is able to list the user's parameters, including the SID. Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4. Hi, Trying to add users one by one (preserving SID) is IMHO a lot harder (you would probably need to ldbmodify the user record of each one) to do, than fixing your samba3 install to have it classicupgraded. Indeed. The only way to safely import a list of users who already have SIDs is to migrate them to Samba 4.0's AD DC using one of the supported migration tools. These are 'samba-tool domain join dc' and 'samba-tool domain classicupgrade'. Perhaps I need to address why the classicupgrade did not work. I see now that I did not pass the --dbdir option when running it before. I'll try again. I went back to trying to get the classicupgrade to work: /usr/local/samba/bin/samba-tool domain classicupgrade \ --dbdir=/var/lib/samba/ --dbdir=/var/lib/samba/ --realm=a.b \ /etc/samba/smb.conf --use-xattrs=yes For the realm, I used a subdomain of one of the two existing dns domains in the LAN. 
It appears to be processing the information from the old domain tdb files, although I see some errors:

    Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
    Importing groups
    Could not add group name=Remote Desktop Users ((68, samldb: Account name (sAMAccountName) 'Remote Desktop Users' already in use!))
    Could not modify AD idmap entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, id=5077, type=ID_TYPE_GID ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found))
    Could not add posix attrs for AD entry for sid=S-1-5-21-4254857281-3346836279-4152649156-555, ((32, Base-DN 'SID=S-1-5-21-4254857281-3346836279-4152649156-555' not found))
    Group already exists sid=S-1-5-21-4254857281-3346836279-4152649156-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.

However, after this, all I get from pdbedit -L is:

    # pdbedit -L
    RAIDSERVER$:4294967295:
    Administrator:4294967295:
    [root@samba ~]# pdbedit -L
    RAIDSERVER$:4294967295:
    Administrator:4294967295:
    krbtgt:4294967295:--dbdir=/var/lib/samba/ --realm=a.b /etc/samba/smb.confnobody:99:Nobody

Any ideas? What information might help debug this?

Simon
[Samba] SAMBA4: pdbedit not changing SID
Since I don't seem to be having any luck with the classicupgrade, I decided to try starting from scratch and then adding users. I ran the command:

    /usr/local/samba/bin/samba-tool domain provision --realm=my realm \
        --domain=mydomain --adminpass 'mypass' --server-role=dc \
        --dns-backend=BIND9_DLZ

Then I tried both adding and changing users. In neither case can I change the SID with pdbedit. It seems to be added with a system-defined SID, irrespective of what I specify. pdbedit -v is able to list the user's parameters, including the SID. Any suggestions? I am pretty much stuck here trying to figure out how to migrate from an existing SAMBA3 domain to SAMBA4.
Re: [Samba] Ran classicupgrade, users not there
On Fri, 29 Mar 2013, simon+sa...@matthews.eu wrote:

I am attempting to do an upgrade from SAMBA3 to SAMBA4. I am working on a new VM rather than the existing SAMBA3 server. The old server uses tdbsam as the passdb backend. I copied the contents of /var/lib/samba and the smb.conf from the old machine to the new machine. We run a yp domain, which has the same name as the samba domain. The dns domain is different. Users exist in both the yp passwd map and the samba domain.

I followed the instructions on building SAMBA here:
http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
then moved to the instructions on migration here:
http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO#Upgrading_In_Place

It appeared to finish normally (it complained about a couple of duplicate entries). However, after the classicupgrade, running /usr/local/samba/bin/pdbedit -L reveals that the users and groups do not exist. Should I expect this? If so, what database holds the user information?

I should also mention that I used the dns domain for the realm in the classicupgrade command. The DNS domain is different from the YP/SAMBA domain.

Simon
[Samba] Ran classicupgrade, users not there
I am attempting to do an upgrade from SAMBA3 to SAMBA4. I am working on a new VM rather than the existing SAMBA3 server. The old server uses tdbsam as the passdb backend. I copied the contents of /var/lib/samba and the smb.conf from the old machine to the new machine. We run a yp domain, which has the same name as the samba domain. The dns domain is different. Users exist in both the yp passwd map and the samba domain.

I followed the instructions on building SAMBA here:
http://opentodo.net/2013/01/samba4-as-ad-domain-controller-on-centos-6/
then moved to the instructions on migration here:
http://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO#Upgrading_In_Place

It appeared to finish normally (it complained about a couple of duplicate entries). However, after the classicupgrade, running /usr/local/samba/bin/pdbedit -L reveals that the users and groups do not exist. Should I expect this? If so, what database holds the user information?

Simon