David Adam
2013-Apr-04 07:30 UTC
[Samba] classicupgrade from LDAP - failed to find Unix account for machine account
Hi all,

We have a somewhat crufty Samba 3 PDC NT-style domain backed on to an
OpenLDAP server that we use for both Linux and Windows 7 authentication,
thanks to the magic of ldapsam and smbk5pwd.

I am investigating the feasibility of moving to Samba 4 and have tried
upgrading with the classicupgrade tool in both the Samba 4.0.0 packages in
Debian unstable and also with GIT v4-0-stable (b341371).

The current roadblock is that a machine account produces an error in the
migration:

init_sam_from_ldap: Failed to find Unix account for CICHLID$
ldapsam_getsampwnam: init_sam_from_ldap failed for user 'CICHLID$'!
ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user
information for 'CICHLID$', (-1073741724,No such user)

Notably all of our Linux machines joined to the domain have posixAccount
credentials, but the Windows machines do not.

The LDAP entry for this machine is:
dn: uid=CICHLID$,ou=Computers,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
objectClass: sambaSamAccount
objectClass: account
displayName: CICHLID$
sambaAcctFlags: [W ]
sambaNTPassword: {elided}
sambaPwdLastSet: 1364267120
sambaSID: S-1-5-21-3342141748-1574249315-1264630062-1075
uid: CICHLID$

The entries for all our Windows 7 machines look similar.

The Linux machines all also have a posixAccount objectClass with the
appropriate attributes.

Importantly, we have ldapsam:trusted set in our Samba 3 config, and with
the add machine script set to:
"/usr/sbin/cpu -C /etc/cpu/cpu-samba.conf useradd -d /dev/null -o %u"
(where cpu-samba.conf sets the default container to the Computers OU,
disables the home directory and shell, and sets the GID to the computers
group).

Any suggestions? I am particularly curious as to why the add machine
script doesn't appear to be doing anything for Windows machines joined to
the domain, and why the classicupgrade script is trying to look for user
account details for machine accounts.

Thanks,

David Adam
zanchey at ucc.gu.uwa.edu.au
Andrew Bartlett
2013-Apr-04 08:08 UTC
[Samba] classicupgrade from LDAP - failed to find Unix account for machine account
On Thu, 2013-04-04 at 15:30 +0800, David Adam wrote:
> Hi all,
>
> We have a somewhat crufty Samba 3 PDC NT-style domain backed on to an
> OpenLDAP server that we use for both Linux and Windows 7 authentication,
> thanks to the magic of ldapsam and smbk5pwd.
>
> I am investigating the feasibility of moving to Samba 4 and have tried
> upgrading with the classicupgrade tool in both the Samba 4.0.0 packages in
> Debian unstable and also with GIT v4-0-stable (b341371).
>
> The current roadblock is that a machine account produces an error in the
> migration:
>
> init_sam_from_ldap: Failed to find Unix account for CICHLID$
> ldapsam_getsampwnam: init_sam_from_ldap failed for user 'CICHLID$'!
> ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user
> information for 'CICHLID$', (-1073741724,No such user)
>
> Notably all of our Linux machines joined to the domain have posixAccount
> credentials, but the Windows machines do not.
>
> The LDAP entry for this machine is:
> dn: uid=CICHLID$,ou=Computers,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
> objectClass: sambaSamAccount
> objectClass: account
> displayName: CICHLID$
> sambaAcctFlags: [W ]
> sambaNTPassword: {elided}
> sambaPwdLastSet: 1364267120
> sambaSID: S-1-5-21-3342141748-1574249315-1264630062-1075
> uid: CICHLID$
>
> The entries for all our Windows 7 machines look similar.
>
> The Linux machines all also have a posixAccount objectClass with the
> appropriate attributes.
>
> Importantly, we have ldapsam:trusted set in our Samba 3 config, and with
> the add machine script set to:
> "/usr/sbin/cpu -C /etc/cpu/cpu-samba.conf useradd -d /dev/null -o %u"
> (where cpu-samba.conf sets the default container to the Computers OU,
> disables the home directory and shell, and sets the GID to the computers
> group).
>
> Any suggestions? I am particularly curious as to why the add machine
> script doesn't appear to be doing anything for Windows machines joined to
> the domain, and why the classicupgrade script is trying to look for user
> account details for machine accounts.

So, what has happened is that I've forced on the 'ldapsam:trusted' in our
classicupgrade script, as it makes it much, much easier to set up a
migration, as you don't have to set up nss_ldap and then tear it down again.

I had assumed that almost all installations of Samba as a DC on LDAP would
store the unix account with the Samba account.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
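A pre-migration check that would flag the CICHLID$ entry before classicupgrade aborts, as an added example that is not code from this thread or from the Samba project: it parses an LDIF export and lists sambaSamAccount entries with no posixAccount objectClass, using the W in sambaAcctFlags to tell machine accounts from users. The LDIF sample is constructed; in practice you would feed it the output of an export such as slapcat.

```python
# Added pre-migration check, not from this thread or the Samba project: list
# sambaSamAccount entries in an LDIF export that carry no posixAccount
# objectClass, the condition behind "Failed to find Unix account for ...".

def parse_ldif(text):
    """Split LDIF into one {attr: [values]} dict per entry (blank-line separated)."""
    entries, current = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                          # blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):        # "attr: value" (base64 "::" not decoded)
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def missing_posix(entries):
    """Return (dn, is_machine) for sambaSamAccount entries lacking posixAccount."""
    found = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "sambasamaccount" in classes and "posixaccount" not in classes:
            # sambaAcctFlags "[W ...]" marks a workstation (machine) account
            flags = "".join(e.get("sambaAcctFlags", []))
            found.append((e["dn"][0], "W" in flags))
    return found

# Constructed sample: a Windows machine account without posixAccount (as in the
# thread) and a user account that has it.
SAMPLE_LDIF = """\
dn: uid=CICHLID$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
objectClass: account
uid: CICHLID$
sambaAcctFlags: [W          ]

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 100
sambaAcctFlags: [U          ]
"""
```

Calling missing_posix(parse_ldif(SAMPLE_LDIF)) reports only the CICHLID$ entry, marked as a machine account; every entry it returns needs a posixAccount objectClass (uidNumber/gidNumber) added, or the migration needs a working NSS source for those names, before classicupgrade can succeed.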