Stephanie Sullivan
2013-Apr-09 17:22 UTC
[Samba] classic upgrade sort of succeeds but really fails - Advice?
Hi,

I am stuck in a bad place and I'm not sure where to go next. I'd sure appreciate some advice or direct help in troubleshooting this problem. If I can provide additional information I'd be happy to send it along privately. Some logs are very large - like the debuglevel 10 classicupgrade output is about 160MB. But there is Dropbox, right? I've included what I could think of below but I'm sure I checked things that I forgot to include. It's a much longer message than I expected so your indulgence and attention is especially appreciated.

I have a samba 3 server that has been upgraded several times over many years and has accumulated a lot of "cruft". The goal is to do a successful "classic upgrade" to samba 4 v4.0.4. The samba 3 server was copied and upgraded from a RHEL5 to a centos6 server on a private network for this exercise. I virtualized 2 existing windows XP workstations to use for testing. I set up their DNS to point to the test samba4 server.

In prep for using classic-upgrade I went through and removed accounts that reported bad information (bad gid, no unix account). Cut down the number of users considerably. A predecessor decided to make all unix accounts samba logins including lp, news, uucp, etc. These were all removed, though root was left, of course. And I removed /var/lib/samba/wins.dat. The classic upgrade complained about some missing groups and I was generally able to add groups for the domain gid's it complained about.

The samba-tool domain classicupgrade appeared to go through, but when I made sure that bind, smb, nmb and winbind were all shut down and started /usr/local/samba/sbin/samba, the domain was visible to clients in windows explorer, and already joined workstations could login but not load their roaming profiles. The domain controller was not visible and could not be directly addressed by using \\themissingservername.

In investigating it looks like sysvol is set up in smb.conf, and ADMIN$ and IPC$ are set up in private/share.ldb. I checked and it appears all the users got successfully imported. It is parsing the samba3 smb.conf, but does not create shares in the samba4 smb.conf.

The samba-tool command I used for classicupgrade is:

/usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/var/lib/samba --dns-backend=SAMBA_INTERNAL --use-xattrs=yes --realm=mydomain.local /etc/samba/smb.conf

Let's call the server "myserverl". The generated smb.conf does not have any of the many shares from the samba3 server setup. Here it is <sanitized>:

**************
[global]
        workgroup = MYDOMAIN
        realm = mydomain.local
        netbios name = MYSERVER
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 208.67.222.222

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/mydomain.local/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No
**************

I start the domain with

/usr/local/samba/sbin/samba -I -M single -d2

When I try to login I get the following output repeating:

idmapping sid_to_xid failed for id[1]=S-1-5-21-1509466807-1292110410-277592076-515: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[3]=S-1-1-0: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[4]=S-1-5-2: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[5]=S-1-5-11: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[3]=S-1-5-21-1509466807-1292110410-277592076-572: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[4]=S-1-1-0: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[5]=S-1-5-2: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[6]=S-1-5-11: NT_STATUS_NONE_MAPPED

I have been generally successful at mapping domain sids (S-1-5-21-<domain sid>-<rid>) in the old samba3 config then re-running the classicupgrade after removing the samba4 smb.conf.
When I try to map the Everyone and other two SID's in the list classicupgrade fails pretty miserably at the end. I use the samba3 net grouplist function for the above.

When logged into an xp workstation already joined to the samba3 domain I can see my and other workstations in the domain but not the server. I get the following errors in the workstation application system log:

**************
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 15
Date: 4/9/2013
Time: 9:19:59 AM
User: N/A
Computer: ACCT1
Description: Automatic certificate enrollment for local system failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.
**************

Followed by

**************
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date: 4/9/2013
Time: 9:22:22 AM
User: NT AUTHORITY\SYSTEM
Computer: ACCT1
Description: Windows cannot determine the user or computer name. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.
**************

If I unjoin an xp workstation and try to re-join the domain I get a message that reports an unknown error on the workstation. Pretty much the same errors as above from Samba4.

To make sure I was not insane, but just missing something (maybe in the samba3 smb.conf???) that was making the upgrade fail, I did a regular provision with a different domain on a fresh /usr/local/samba directory. It went smoothly and I was able to use it without event. Join, create users, etc.

So I need to get past this point. Is there a viable alternative to using classicupgrade that is more likely to work? I don't know if I can set up a new domain and migrate user accounts and shares to the new domain. If I have to recreate the accounts it's OK if I can use simplemigration or other Microsoft tool to migrate the profiles to the account on the new domain.
I doubt I can use the Microsoft server migration tools to do this.

I need help and advice. I don't mind and maybe it would be good to create a clean new domain with Samba4 if I could get the users settings and files moved over safely and reliably. I can manually set up all the other shares and don't mind doing that at all. It's a lot of work, but trying to get classicupgrade to work has been a lot of work. Maybe a clean install, create the users, then migrate the settings and files would result in a far better server and leave a lot of old baggage behind.

I just need to see a viable path forward from here.

With hopeful regards,
-Stephanie
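
Added example, not part of the original post: a short Python triage script that groups the unmapped SIDs from the log excerpt quoted in the message into well-known identities and domain-relative RIDs, which shows which identity mappings the upgraded database is missing. The SID and RID names are Microsoft's documented well-known values; the function names are illustrative.

```python
import re

# Log lines copied from the post (samba -d2 output).
DOM = "S-1-5-21-1509466807-1292110410-277592076"
SAMPLE_LOG = "\n".join(
    "idmapping sid_to_xid failed for id[%d]=%s: NT_STATUS_NONE_MAPPED" % (i, sid)
    for i, sid in [
        (1, DOM + "-515"), (3, "S-1-1-0"), (4, "S-1-5-2"), (5, "S-1-5-11"),
        (3, DOM + "-572"), (4, "S-1-1-0"), (5, "S-1-5-2"), (6, "S-1-5-11"),
    ]
)

# Well-known SIDs and domain RIDs (subset relevant to this kind of log).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NETWORK",
    "S-1-5-11": "Authenticated Users",
}
WELL_KNOWN_RIDS = {
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 572: "Denied RODC Password Replication Group",
}

LINE_RE = re.compile(
    r"idmapping sid_to_xid failed for id\[\d+\]=(S-[\d-]+): (NT_STATUS_\w+)")
DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-(\d+)")

def classify(sid):
    """Return (kind, name) for a SID string."""
    if sid in WELL_KNOWN_SIDS:
        return ("well-known", WELL_KNOWN_SIDS[sid])
    m = DOMAIN_SID_RE.fullmatch(sid)
    if m:
        rid = int(m.group(1))
        return ("domain", WELL_KNOWN_RIDS.get(
            rid, "RID %d (specific to this domain)" % rid))
    return ("other", "unrecognized")

def summarize(log_text):
    """Deduplicate failing SIDs, keeping first-seen order and a hit count."""
    counts = {}
    for m in LINE_RE.finditer(log_text):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return [(sid, n) + classify(sid) for sid, n in counts.items()]

if __name__ == "__main__":
    for sid, n, kind, name in summarize(SAMPLE_LOG):
        print("%-48s x%d  %-10s %s" % (sid, n, kind, name))
```

On the quoted log this reports two domain groups (RIDs 515 and 572) and three well-known SIDs, each without a Unix ID mapping.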