Johannes Paechnatz
2012-Oct-15 09:52 UTC
[Samba] samba3 to samba4 // logon hours // server role secrets.tdb, secrets.ldb
Hello.

I tried the migration from samba3 domain master (pdc) to a samba4.

samba4 -V:
Version 4.1.0pre1-GIT-2c3a808

I used the wiki entry about samba3 migration as a guide, copied over the data etc. but I have some questions left.

fyi - samba3 tdbsam backend. I removed/edited several user accounts with Umlauts in Fullname/Displayname (tdbdump/text editor/tdbrestore) until all user accounts got migrated.

1. machine accounts: some machine accounts don't have Logon hours FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, which seems to be a problem. Could I manually change fields (which fields?) in the tdbsam dump? I tried pdbedit -Z of the specific account, but that seems to change it to an epoch style timestamp and migration fails again - so I removed them in the tdbsam dump to get the migration working, after that additional steps all user and machine accounts get migrated.

2. The server role of samba3 is ROLE_DOMAIN_PDC. After migration the samba4 server is stand alone and starting of smbd works without error. BUT if I change the server role to active directory domain controller and try samba instead of smbd, I get an error:

Failed to find record for MYDOMAIN-HERE in /var/lib/samba/private/secrets.ldb: No such object: Have you provisioned the MYDOMAIN-HERE domain?

Provisioning a new and empty ADS from scratch does work - but I need the migration ;-)
I tried to modify the secrets.tdb before I start the classicupgrade without success.

This is a show-stopper ;-)

Could you provide me a hint / solution to this?

Thanks.

cu Joh.Paechnatz

--
Johannes Paechnatz
Andrew Bartlett
2012-Oct-16 03:44 UTC
[Samba] samba3 to samba4 // logon hours // server role secrets.tdb, secrets.ldb
On Mon, 2012-10-15 at 11:52 +0200, Johannes Paechnatz wrote:
> Hello.
>
> I tried the migration from samba3 domain master (pdc) to a samba4.
>
> samba4 -V:
> Version 4.1.0pre1-GIT-2c3a808
>
> I used the wiki entry about samba3 migration as a guide, copied over
> the data etc. but I have some questions left.
>
> fyi - samba3 tdbsam backend. I removed/edited several user accounts
> with Umlauts in Fullname/Displayname (tdbdump/text editor/tdbrestore)
> until all user accounts got migrated.

What was your 'unix charset'? (We may need to add a conversion here, as we assume UTF8 at the ldb layer.)

> 1. machine accounts: some machine accounts don't have Logon hours
> FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, which seems to be a problem.
> Could I manually change fields (which fields?) in the tdbsam dump? I
> tried pdbedit -Z of the specific account, but that seems to change it
> to an epoch style timestamp and migration fails again - so I removed
> them in the tdbsam dump to get the migration working, after that
> additional steps all user and machine accounts get migrated.

Can you give me some more detail about what is wrong here? We generally do want to convert any valid samba3 account.

> 2. The server role of samba3 is ROLE_DOMAIN_PDC. After migration the
> samba4 server is stand alone and starting of smbd works without error.
> BUT if I change the server role to active directory domain controller
> and try samba instead of smbd, I get an error: Failed to find record
> for MYDOMAIN-HERE in /var/lib/samba/private/secrets.ldb: No such
> object: Have you provisioned the MYDOMAIN-HERE domain? Provisioning a
> new and empty ADS from scratch does work - but I need the migration
> ;-)
> I tried to modify the secrets.tdb before I start the classicupgrade
> without success.
>
> This is a show-stopper ;-)

Exactly what command did you run? We should upgrade a ROLE_DOMAIN_PDC into a 'server role = active directory domain controller'.

Are you sure you are using the smb.conf produced by the upgrade?

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org