On Mon, 28 Nov 2016 10:54:55 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 2016-11-28 at 10:27, Rowland Penny via samba wrote:
>
> > Have you read this:
> >
> > https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_%28Classic_Upgrade%29
> >
> > Particularly this part:
> >
> > https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_%28Classic_Upgrade%29#Upgrading_on_a_new_server
>
> Yes, as you can see from my subdir-tree ... exactly as the Wiki.
>
> (btw "wins.dat" is not mentioned in the wiki but was needed here)
>
> > Accepted practice is to test first in a test domain and then do it
> > again in production, once you know exactly what needs fixing in your
> > old setup (hopefully nothing)
> >
> > The upgrade should read from ldap and the Samba databases,
> > not /etc/passwd & /etc/group
>
> As there is no LDAP on the old server and no passwd/group needed:
> what am I missing that is leading to:
>
> Ignoring group memberships of 'pl13'
> S-1-5-21-2940660672-4062535256-4144655499-2026: Unable to enumerate
> group memberships, (-1073741724,No such user)
>
> ?
>
> Thanks, Stefan
>

OK, that error message is coming from here:

        try:
            group_memberships = s3db.enum_group_memberships(user);
            for group in group_memberships:
                if str(group) in groupmembers:
                    if user.user_sid not in groupmembers[str(group)]:
                        groupmembers[str(group)].append(user.user_sid)
                else:
                    groupmembers[str(group)] = [user.user_sid];
        except passdb.error, e:
            logger.warn("Ignoring group memberships of '%s' %s: %s",
                        username, user.user_sid, e)

and it seems that it cannot find the user 'pl13'

If there are only a few of these, then they can be ignored, but if
there are a lot, it needs sorting.

If you examine this line:

        group_memberships = s3db.enum_group_memberships(user);

it uses 's3db' to get the group memberships of the user, 's3db' is
obtained here:

    def get_sam_db(self):
        return passdb.PDB(self.lp.get('passdb backend'))

In English, this means 'what is to the right of "passdb backend =" in
smb.conf'

So, at this point, it might help if you posted your smb.conf.

Rowland

On 2016-11-28 at 11:19, Rowland Penny via samba wrote:

>>
>> Ignoring group memberships of 'pl13'
>> S-1-5-21-2940660672-4062535256-4144655499-2026: Unable to enumerate
>> group memberships, (-1073741724,No such user)
>>
>> ?

> If there are only a few of these, then they can be ignored, but if
> there are a lot, it needs sorting.

I'd like to sort it out, yes ... seems that more than half of the
users are affected/listed.

> In English, this means 'what is to the right of "passdb backend =" in
> smb.conf'
>
> So, at this point, it might help if you posted your smb.conf.

will do asap, as soon as I have anonymized it (afternoon, appointments
now).

For a quick glance these 2 results:

# testparm -sv | grep "passdb backend"
passdb backend = tdbsam

# pdbedit -Lv pl13
Unix username: pl13
NT username:
Account Flags: [U ]
User SID: S-1-5-21-2940660672-4062535256-4144655499-2026
Primary Group SID: S-1-5-21-2940660672-4062535256-4144655499-513
Full Name:
Home Directory: ""
HomeDir Drive:
Logon Script:
Profile Path: ""
Domain: SERVER
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 9223372036854775807 seconds since the Epoch
Kickoff time: 9223372036854775807 seconds since the Epoch
Password last set: Mon, 19 Jul 2004 10:10:15 CEST
Password can change: Mon, 19 Jul 2004 10:10:15 CEST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

as you see from the date in "Password last set" these users are old.
They were created long ago so maybe we have some issue related to the
fact that this started with samba-2.x or so ... ?

On 2016-11-28 at 11:19, Rowland Penny via samba wrote:

> In English, this means 'what is to the right of "passdb backend =" in
> smb.conf'
>
> So, at this point, it might help if you posted your smb.conf.

ok, not so busy anymore.

no real need to anonymize anything, here the smb.conf of the
NT4-samba-PDC without [shares]

(yes, it could be streamlined a bit, sure)

[global]
# Default options
browseable = yes
create mask = 0660
deadtime = 10
directory mask = 0770
disable spoolss = yes
dns proxy = no
dont descend = ./lost+found
encrypt passwords = yes
guest account = nobody
hide files = /.*/lost+found/
hide unreadable = yes
invalid users = root bin daemon adm sync shutdown halt mail news uucp proxy www-data backup sshd
load printers = no
locking = yes
log file = /var/log/samba/log.%m
map to guest = bad user
max log size = 1000
name resolve order = lmhosts host wins bcast
netbios name = SERVER
obey pam restrictions = yes
passdb backend = tdbsam
printcap name = /dev/null
printing = bsd
security = user
server string = %h file server
domain logons = Yes
show add printer wizard = no
syslog = 0
unix charset = UTF8
unix password sync = no
use sendfile = yes
workgroup = BUERO
server max protocol = NT1
acl allow execute always = Yes
os level = 80
preferred master = Yes
domain master = Yes
wins support = Yes
log level = 2
add user script = /usr/sbin/useradd -m %u
add group script = /usr/sbin/groupadd %g
add user to group script = /usr/sbin/usermod -G %g %u
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null %u
unix extensions = no
# turn off roaming profiles
logon path = ""
logon home = ""

NT4-PDC:

# net groupmap list
Domain Users (S-1-5-21-2940660672-4062535256-4144655499-513) -> users
Domain-Admins (S-1-5-21-2940660672-4062535256-4144655499-512) -> root
Klienten (S-1-5-21-2940660672-4062535256-4144655499-1010) -> klienten

User pl13 is member of group "Domain Users":

# pdbedit -Lv pl13
Unix username: pl13
NT username:
Account Flags: [U ]
User SID: S-1-5-21-2940660672-4062535256-4144655499-2026
Primary Group SID: S-1-5-21-2940660672-4062535256-4144655499-513

This group seems not to be converted, see server after classic upgrade:

# net groupmap list
# -> no groups

This puts all these users into some new group:

# pdbedit -L | grep pl
pl01:4294967295:
pl02:4294967295:
pl03:4294967295:
pl04:4294967295:
pl05:4294967295:

while on the old server this was:

# pdbedit -L | grep pl | sort
pl01:501:
pl02:502:
pl03:503:
pl04:504:
pl05:505:

Am I on the right track here?
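
The before/after comparison from the message above, as an added example that is not part of the thread or of Samba's own code: it parses `pdbedit -L` output (username:uid:fullname) and `net groupmap list` output from both servers and reports which accounts and group mappings did not survive the classic upgrade. The function names are hypothetical, the sample strings are copied from the listings in this thread, and treating 4294967295 (the unsigned 32-bit form of -1) as "no Unix UID resolved" is an assumption of the example.

```python
import re

UNRESOLVED = 0xFFFFFFFF  # 4294967295; assumed here to mean "no Unix UID resolved"

def parse_pdbedit_list(text):
    """`pdbedit -L` prints username:uid:fullname; return {username: uid}."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 2 and parts[1].isdigit():
            users[parts[0]] = int(parts[1])
    return users

def parse_groupmap(text):
    """`net groupmap list` prints 'NT name (SID) -> unix group'; return {SID: (nt, unix)}."""
    pat = re.compile(r"^(.+?) \((S-[0-9-]+)\) -> (.+)$")
    found = (pat.match(line.strip()) for line in text.splitlines())
    return {m.group(2): (m.group(1), m.group(3)) for m in found if m}

def lost_uids(old, new):
    """Users with a real UID before the upgrade and 4294967295 after it."""
    return sorted(u for u, uid in new.items()
                  if uid == UNRESOLVED and old.get(u, UNRESOLVED) != UNRESOLVED)

def lost_groupmaps(old, new):
    """Group SIDs mapped on the old PDC but missing from the new server."""
    return sorted(set(old) - set(new))

def ntstatus_hex(code):
    """Render a signed status as logged (e.g. -1073741724) as unsigned 32-bit hex."""
    return "0x%08X" % (code & 0xFFFFFFFF)

# Sample input copied from the listings in this thread.
D = "S-1-5-21-2940660672-4062535256-4144655499"
OLD_USERS = "pl01:501:\npl02:502:\npl03:503:\npl04:504:\npl05:505:\n"
NEW_USERS = "".join("pl0%d:4294967295:\n" % i for i in range(1, 6))
OLD_MAP = ("Domain Users (%s-513) -> users\n"
           "Domain-Admins (%s-512) -> root\n"
           "Klienten (%s-1010) -> klienten\n") % (D, D, D)
NEW_MAP = ""  # `net groupmap list` printed nothing after the upgrade

if __name__ == "__main__":
    old_u, new_u = parse_pdbedit_list(OLD_USERS), parse_pdbedit_list(NEW_USERS)
    print("UID lost:", lost_uids(old_u, new_u))
    print("group maps lost:", lost_groupmaps(parse_groupmap(OLD_MAP), parse_groupmap(NEW_MAP)))
    print("status:", ntstatus_hex(-1073741724))
```

To run it against a real migration, replace the sample strings with the full command output captured on the old PDC and on the upgraded server.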