Juan Asensio Sánchez
2013-Jan-03 10:02 UTC
[Samba] samba-tool domain classicupgrade with LDAP backend
Hi
I am testing the migration from our actual Samba domain, based on Samba
3.3.8 and LDAP (389DS) to Samba 4. I have followed the Samba4 Howto, and I
have successfully compiled it. Now I am running the classicupgrade command,
but I am getting some errors.
First of them is that the script is ignoring the "ldap group suffix"
parameter in smb.conf, and is always searching in the "ldap suffix".
Because our LDAP database is very big, the script is getting a timeout as
all groups are not received in time. I have changed the timeout and
timelimit values in ldap.conf to 300, but they are also being ignored. This
is the output of the script:
[root@samba4 ~]# samba-tool domain classicupgrade ~/sambav3/smb.conf --dbdir ~/sambav3/private --realm XXXXXXXXXX.TEST
Reading smb.conf
Processing section "[netlogon]"
Processing section "[unixscripts]"
Provisioning
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXX.SACYL))]
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: XXXXXXXXXX$
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXX.SACYL))]
smbldap_open_connection: connection opened
Exporting account policy
Exporting groups
ldapsam_setsamgrent: LDAP search failed: Timed out
ldapsam_enum_group_mapping: Unable to open passdb
ERROR(<class 'passdb.error'>): uncaught exception - Unable to enumerate group mappings, (-1073741790,Access denied)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line 635, in upgrade_from_samba3
    grouplist = s3db.enum_group_mapping()
And this is the LDAP access LOG:
[03/Jan/2013:10:58:01 +0100] conn=24304 op=13 SRCH base="dc=XXXXXXXXXX,dc=XX" scope=2 filter="(objectClass=sambaGroupMapping)" attrs="gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass"
[03/Jan/2013:10:58:16 +0100] conn=24304 op=14 UNBIND
[03/Jan/2013:10:58:16 +0100] conn=24304 op=14 fd=73 closed - U1
dc=XXXXXXXXXX,dc=XX is our "ldap suffix", not our "ldap group suffix", as
it should. Any ideas how to fix these problems and continue with the tests?
Regards and thanks in advance,
Juan Asensio Sánchez
2013-Jan-03 11:52 UTC
[Samba] samba-tool domain classicupgrade with LDAP backend
Hi again
Well, finally I got it, adding "ldap timeout" to smb.conf. Now I am getting
another error when running the domain classicupgrade command of samba-tool:
...
init_sam_from_ldap: Entry found for user: XXXXXXXX
init_sam_from_ldap: Entry found for user: XXXXXXXX$
Next rid = 12801001
Failed to connect to ldap URL 'ldap://XXXXXXX.XXXXXXX.XX' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://XXXXXXX.XXXXXXX.XX' with backend 'ldap': (null)
Could not open ldb connection to ldap://XXXXXXX.XXXXXXX.XX, the error message is: (1, None)
Exporting posix attributes
ERROR(<type 'exceptions.UnboundLocalError'>): uncaught exception - local variable 'ldb_object' referenced before assignment
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line 800, in upgrade_from_samba3
    homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "homeDirectory")
I don't understand why the NT_STATUS_BAD_NETWORK_NAME error is thrown; I
can ping and telnet to the server XXXXXXX.XXXXXXX.XX on port 389 (previously
it was on port 636 and ldaps, but changed to ldap and 389 to try to avoid
the error); indeed, the script has obtained all groups and users
previously...
Any ideas?
2013/1/3 Juan Asensio Sánchez <okelet at gmail.com>
> Hi
>
> I am testing the migration from our actual Samba domain, based on Samba
> 3.3.8 and LDAP (389DS) to Samba 4. I have followed the Samba4 Howto, and
> I have successfully compiled it. Now I am running the classicupgrade
> command, but I am getting some errors.
>
> First of them is that the script is ignoring the "ldap group suffix"
> parameter in smb.conf, and is always searching in the "ldap suffix".
> Because our LDAP database is very big, the script is getting a timeout as
> all groups are not received in time. I have changed the timeout and
> timelimit values in ldap.conf to 300, but they are also being ignored. This
> is the output of the script:
>
> [root@samba4 ~]# samba-tool domain classicupgrade ~/sambav3/smb.conf --dbdir ~/sambav3/private --realm XXXXXXXXXX.TEST
> Reading smb.conf
> Processing section "[netlogon]"
> Processing section "[unixscripts]"
> Provisioning
> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXX.SACYL))]
> smbldap_open_connection: connection opened
> init_sam_from_ldap: Entry found for user: XXXXXXXXXX$
> smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXX.SACYL))]
> smbldap_open_connection: connection opened
> Exporting account policy
> Exporting groups
> ldapsam_setsamgrent: LDAP search failed: Timed out
> ldapsam_enum_group_mapping: Unable to open passdb
> ERROR(<class 'passdb.error'>): uncaught exception - Unable to enumerate group mappings, (-1073741790,Access denied)
>   File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line 635, in upgrade_from_samba3
>     grouplist = s3db.enum_group_mapping()
>
>
> And this is the LDAP access LOG:
>
> [03/Jan/2013:10:58:01 +0100] conn=24304 op=13 SRCH base="dc=XXXXXXXXXX,dc=XX" scope=2 filter="(objectClass=sambaGroupMapping)" attrs="gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass"
> [03/Jan/2013:10:58:16 +0100] conn=24304 op=14 UNBIND
> [03/Jan/2013:10:58:16 +0100] conn=24304 op=14 fd=73 closed - U1
>
> dc=XXXXXXXXXX,dc=XX is our "ldap suffix", not our "ldap group suffix", as
> it should. Any ideas how to fix these problems and continue with the tests?
>
> Regards and thanks in advance,
>