samba - Aug 2013 - samba-tool classicupgrade throws uncaught exception

I have a new server running CentOS 6.4 x64, which will serve as our new
Samba4 server. It is set up in a test environment, and I've copied over the
tdb files and the smb.conf file from our samba3 server (Same OS and
version).
I'm trying to do an in-place upgrade on the copied files, but keep hitting
an assert / uncaught exception during the upgrade:

# /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/root/smb3
--use-xattrs=yes --realm=MYDOMAIN.COM --verbose /root/smb3/smb.conf

Reading smb.conf
Provisioning
Exporting account policy
Exporting groups
Exporting users
Ignoring group memberships of 'testuser'
S-1-5-21-XXXXXXXXXXXXXXXXXX-1065:
Unable to enumerate group memberships, (-1073741724,No such user)
  Skipping wellknown rid=501 (for username=nobody)
Ignoring group memberships of 'TEST-PC$'
S-1-5-21-XXXXXXXXXXXXXXXXXX-1097:
Unable to enumerate group memberships, (-1073741724,No such user)
Ignoring group memberships of 'testuser2'
S-1-5-21-XXXXXXXXXXXXXXXXXX-1075:
Unable to enumerate group memberships, (-1073741724,No such user)
Next rid = 9001
Exporting posix attributes
Reading WINS database
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=mydomain,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting acl on sysvol skipped
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at
/usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              myserver
NetBIOS Domain:        MYDOMAIN
DNS Domain:            mydomain.com
DOMAIN SID:            S-1-5-21-XXXXXXXXXXXXXXXXXX
Importing WINS database
Importing Account policy
Importing idmap database
ERROR(assert): uncaught exception
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 868, in upgrade_from_samba3
    import_idmap(result.idmap, samba3, logger)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 214, in import_idmap
    samba3_idmap = samba3.get_idmap_db()
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
line 402, in get_idmap_db
    return IdmapDatabase(self.statedir_path("winbindd_idmap.tdb"))
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
line 59, in __init__
    self._check_version()
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
line 142, in _check_version
    assert fetch_int32(self.tdb, "IDMAP_VERSION\0") ==
IDMAP_VERSION_V2


The error indicates an idmap problem, so on advise of another poster, I
renamed my winbindd_idmap.tdb file, then tried again (after deleting the
generated tdb files and smb.conf).  This, however, caused another error:

...
...
Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
Importing groups
Could not add group name=Domain Admins ((68, "samldb: Account name
(sAMAccountName) 'Domain Admins' already in use!"))
Could not modify AD idmap entry for sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057,
id=502, type=ID_TYPE_GID ((32, "Base-DN
'<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found"))
Could not add posix attrs for AD entry for
sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057, ((32, "Base-DN
'<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found"))
Could not add group name=Domain Users ((68, "samldb: Account name
(sAMAccountName) 'Domain Users' already in use!"))
Could not modify AD idmap entry for sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066,
id=100, type=ID_TYPE_GID ((32, "Base-DN
'<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066>' not found"))
Could not add posix attrs for AD entry for
sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066, ((32, "Base-DN
'<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066>' not found"))
Importing users
User root has been kept in the directory, it should be removed in favour of
the Administrator user
Adding users to groups
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
ProvisioningError: Could not add member
'S-1-5-21-XXXXXXXXXXXXXXXXXX-1002'
to group 'S-1-5-21-XXXXXXXXXXXXXXXXXX-1057' as either group or user
record
doesn't exist: Base-DN
'<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 913, in upgrade_from_samba3
    add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 316, in add_users_to_group
    raise ProvisioningError("Could not add member '%s' to group
'%s' as
either group or user record doesn't exist: %s" % (member_sid,
group.sid,
emsg))


I'm wondering if my winbindd_idmap.tdb is invalid, as ldbdump
winbindd_idmap.tdb returns nothing, and the tdb file is only 696 bytes.  If
this is the issue, can I "rebuild it" on the samba3 server?

Here's the global section of my smb.conf:

          workgroup = MYDOMAIN
        netbios name = MYSERVER
        server string = "Samba4 AD"
        interfaces = 192.168.0.0/24
        bind interfaces only = Yes
        passdb backend = tdbsam
        username map = /etc/samba/smbusers
        admin users = scott
        wins support = Yes
        smb ports = 139
        time server = Yes
        client ntlmv2 auth = Yes
        log file = /var/log/samba/log.%m
        max log size = 1000
        debug uid = Yes
        deadtime = 15
        socket options = TCP_NODELAY IPTOS_LOWDELAY
        show add printer wizard = No
        load printers = no
        printing = bsd
        disable spoolss = yes
        printcap name = /dev/null
        printcap cache time = 0
        add user script = /usr/sbin/useradd -m -g users %u
        logon script = logon.bat
        logon path         logon drive = H:
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        unix password sync = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*password* %n\n *Retype*new*password* %n\n
*passwd:*all*authentication*tokens*updated*successfully*
        pam password change = Yes

Thanks ahead of time for any assistance, and if you need additional info,
let me know.
--scott

Update: I realized shortly after I sent the email that because I don't use
winbind, I can (and should) delete the file winbindd_idmap.tdb.
So, the second error is now the stopper.  In essence, it's complaining that
it can't find the user or group with sid ending in 1057.

Adding users to groups
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
ProvisioningError: Could not add member
'S-1-5-21-XXXXXXXXXXXXXXXXXXX-1002'
to group 'S-1-5-21-XXXXXXXXXXXXXXXXXXX-1057' as either group or user
record
doesn't exist: Base-DN
'<SID=S-1-5-21-XXXXXXXXXXXXXXXXXXX-1057>' not found
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 913, in upgrade_from_samba3
    add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
  File
"/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 316, in add_users_to_group
    raise ProvisioningError("Could not add member '%s' to group
'%s' as
either group or user record doesn't exist: %s" % (member_sid,
group.sid,
emsg))



*Scott Goodwin*
IT Lead
Mimic Technologies, Inc
811 First Avenue, Suite 408  |  Seattle, WA 98104
phone: 1.800.918.1670  |  direct: 206.456.9180
fax: 206.623.3491  |  cell: 206.355.7767



On Mon, Aug 19, 2013 at 3:01 PM, Scott Goodwin <scott at
mimicsimulation.com>wrote:
> I have a new server running CentOS 6.4 x64, which will serve as our new
> Samba4 server. It is set up in a test environment, and I've copied over
the
> tdb files and the smb.conf file from our samba3 server (Same OS and
> version).
> I'm trying to do an in-place upgrade on the copied files, but keep
hitting
> an assert / uncaught exception during the upgrade:
>
> # /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/root/smb3
> --use-xattrs=yes --realm=MYDOMAIN.COM --verbose /root/smb3/smb.conf
>
> Reading smb.conf
> Provisioning
> Exporting account policy
> Exporting groups
> Exporting users
> Ignoring group memberships of 'testuser'
S-1-5-21-XXXXXXXXXXXXXXXXXX-1065:
> Unable to enumerate group memberships, (-1073741724,No such user)
>   Skipping wellknown rid=501 (for username=nobody)
> Ignoring group memberships of 'TEST-PC$'
S-1-5-21-XXXXXXXXXXXXXXXXXX-1097:
> Unable to enumerate group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'testuser2'
S-1-5-21-XXXXXXXXXXXXXXXXXX-1075:
> Unable to enumerate group memberships, (-1073741724,No such user)
> Next rid = 9001
> Exporting posix attributes
> Reading WINS database
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up share.ldb
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Adding DomainDN: DC=mydomain,DC=com
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Setting acl on sysvol skipped
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=mydomain,DC=com
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba 4 has been generated at
> /usr/local/samba/private/krb5.conf
> Setting up fake yp server settings
> Once the above files are installed, your Samba4 server will be ready to use
> Server Role:           active directory domain controller
> Hostname:              myserver
> NetBIOS Domain:        MYDOMAIN
> DNS Domain:            mydomain.com
> DOMAIN SID:            S-1-5-21-XXXXXXXXXXXXXXXXXX
> Importing WINS database
> Importing Account policy
> Importing idmap database
> ERROR(assert): uncaught exception
>   File
>
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
>
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line 1318, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File
"/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 868, in upgrade_from_samba3
>     import_idmap(result.idmap, samba3, logger)
>   File
"/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 214, in import_idmap
>     samba3_idmap = samba3.get_idmap_db()
>   File
>
"/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
> line 402, in get_idmap_db
>     return
IdmapDatabase(self.statedir_path("winbindd_idmap.tdb"))
>   File
>
"/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
> line 59, in __init__
>     self._check_version()
>   File
>
"/usr/local/samba/lib64/python2.6/site-packages/samba/samba3/__init__.py",
> line 142, in _check_version
>     assert fetch_int32(self.tdb, "IDMAP_VERSION\0") ==
IDMAP_VERSION_V2
>
>
> The error indicates an idmap problem, so on advise of another poster, I
> renamed my winbindd_idmap.tdb file, then tried again (after deleting the
> generated tdb files and smb.conf).  This, however, caused another error:
>
> ...
> ...
> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
> Importing groups
> Could not add group name=Domain Admins ((68, "samldb: Account name
> (sAMAccountName) 'Domain Admins' already in use!"))
> Could not modify AD idmap entry for sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057,
> id=502, type=ID_TYPE_GID ((32, "Base-DN
> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found"))
> Could not add posix attrs for AD entry for
> sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057, ((32, "Base-DN
> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found"))
> Could not add group name=Domain Users ((68, "samldb: Account name
> (sAMAccountName) 'Domain Users' already in use!"))
> Could not modify AD idmap entry for sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066,
> id=100, type=ID_TYPE_GID ((32, "Base-DN
> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066>' not found"))
> Could not add posix attrs for AD entry for
> sid=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066, ((32, "Base-DN
> '<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1066>' not found"))
> Importing users
> User root has been kept in the directory, it should be removed in favour
> of the Administrator user
> Adding users to groups
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
> ProvisioningError: Could not add member
'S-1-5-21-XXXXXXXXXXXXXXXXXX-1002'
> to group 'S-1-5-21-XXXXXXXXXXXXXXXXXX-1057' as either group or user
record
> doesn't exist: Base-DN
'<SID=S-1-5-21-XXXXXXXXXXXXXXXXXX-1057>' not found
>   File
>
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File
>
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
> line 1318, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File
"/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 913, in upgrade_from_samba3
>     add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
>   File
"/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
> line 316, in add_users_to_group
>     raise ProvisioningError("Could not add member '%s' to
group '%s' as
> either group or user record doesn't exist: %s" % (member_sid,
group.sid,
> emsg))
>
>
> I'm wondering if my winbindd_idmap.tdb is invalid, as ldbdump
> winbindd_idmap.tdb returns nothing, and the tdb file is only 696 bytes.  If
> this is the issue, can I "rebuild it" on the samba3 server?
>
> Here's the global section of my smb.conf:
>
>           workgroup = MYDOMAIN
>         netbios name = MYSERVER
>         server string = "Samba4 AD"
>         interfaces = 192.168.0.0/24
>         bind interfaces only = Yes
>         passdb backend = tdbsam
>         username map = /etc/samba/smbusers
>         admin users = scott
>         wins support = Yes
>         smb ports = 139
>         time server = Yes
>         client ntlmv2 auth = Yes
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         debug uid = Yes
>         deadtime = 15
>         socket options = TCP_NODELAY IPTOS_LOWDELAY
>         show add printer wizard = No
>         load printers = no
>         printing = bsd
>         disable spoolss = yes
>         printcap name = /dev/null
>         printcap cache time = 0
>         add user script = /usr/sbin/useradd -m -g users %u
>         logon script = logon.bat
>         logon path >         logon drive = H:
>         domain logons = Yes
>         os level = 65
>         preferred master = Yes
>         domain master = Yes
>         unix password sync = Yes
>         passwd program = /usr/bin/passwd %u
>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> *passwd:*all*authentication*tokens*updated*successfully*
>         pam password change = Yes
>
> Thanks ahead of time for any assistance, and if you need additional info,
> let me know.
>  --scott
>