On 05/09/2018 at 18:32, Rowland Penny via samba wrote:
> On Wed, 5 Sep 2018 16:53:50 +0200
> Philippe Maladjian via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> Indeed when I copied the result for the mailing I made a mistake.
>> MY.DOMAIN is a dummy name. The result of the migration command is
>>
>> Reading smb.conf
>> WARNING: The "idmap backend" option is deprecated
>> WARNING: The "idmap uid" option is deprecated
>> WARNING: The "idmap gid" option is deprecated
>> Provisioning
>> Exporting account policy
>> Exporting groups
>> Severe DB error, sambaSamAccount can't miss the samba SIDattribute
>> Ignoring group 'Backup Operators'
>> S-1-5-21-3199360825-2299538094-1836089394-551 listed but then not
>> found: Unable to enumerate group members, (-1073741596,This error
>> indicates that the requested operation cannot be completed due to a
>> catastrophic media failure or an on-disk data structure corruption.)
>> Severe DB error, sambaSamAccount can't miss the samba SIDattribute
>> Ignoring group 'Domain Users'
>> S-1-5-21-3199360825-2299538094-1836089394-513 listed but then not
>> found: Unable to enumerate group members, (-1073741596,This error
>> indicates that the requested operation cannot be completed due to a
>> catastrophic media failure or an on-disk data structure corruption.)
>> Exporting users
>> sid S-1-5-21-629504534-1699756358-2856581066-3658 does not belong to
>> our domain
>> sid S-1-5-21-629504534-1699756358-2856581066-3632 does not belong to
>> our domain
>>     Fixing account svimp02$ which had both ACB_NORMAL (U) and
>> ACB_WSTRUST (W) set.  Account will be marked as ACB_WSTRUST (W), i.e.
>> as a domain member
>> Skipping wellknown rid=501 (for username=nobody)
>> Next rid = 3867
>> krb5_init_context failed (Invalid argument)
>> smb_krb5_context_init_basic failed (Invalid argument)
>> Failed to connect to ldap URL 'ldap://ldap2.my.domain' - LDAP client
>> internal error: NT_STATUS_BAD_NETWORK_NAME
>> Failed to connect to 'ldap://ldap2.my.domain' with backend 'ldap':
>> LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
>> exception - ProvisioningError: Could not open ldb connection to
>> ldap://ldap2.my.domain, the error message is: (1, 'LDAP client
>> internal error: NT_STATUS_BAD_NETWORK_NAME')
>>
>> From my new samba server I tried to make an ldap request
>>
>> # ldapsearch -h ldap2 -xb "ou=Groups,dc=domain,dc=fr" -W -D
>> "cn=Manager,dc=domain,dc=fr" cn="Backup Operators"
> If you are going to sanitise an object, please use it everywhere.
>
> The upgrade is trying to use ldap2.my.domain
> in the ldapsearch you use 'dc=domain,dc=fr' from which I would have
> expected 'ldap2.domain.fr'
my.domain is the internal dns domain name, it is also used by the 
current samba domain controller and windows station.
domain.fr is the root name of the ldap directory. It was not a good idea 
to have two different names and I think that taking advantage of the 
update to change domain.fr to my.domain is the right time.
>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=Groups,dc=domain,dc=fr> with scope subtree
>> # filter: cn=Backup Operators
>> # requesting: ALL
>> #
>>
>> *************
>> # Backup Operators, Groups, domain.fr
>> dn: cn=Backup Operators,ou=Groups,dc=domain,dc=fr
>> cn: Backup Operators
>> description: Domain Unix group
>> displayName: Backup Operators
>> gidNumber: 551
>> memberUid: backupmanager
>> memberUid: backuppc
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: sambaGroupMapping
>> sambaGroupType: 2
>> sambaSID: S-1-5-21-3199360825-2299538094-1836089394-551
>>
> There doesn't seem to be anything wrong there
>> *******************
>>
>>
>> I do not understand the NT_STATUS_BAD_NETWORK_NAME error because the
>> server is accessible with its IP or by its DNS name (ldap2)
>>
> Yes, but is it accessible by 'ldap2.domain.fr'?
# ping ldap2.my.domain (dns name)
OK
>
> Is a firewall running on the old PDC?
No
>
> I would also like to point out that I think I have worked out what
> 'domain' is and you really shouldn't use this for an AD domain.
Sorry, I did not understand?
>
> Rowland
>
>
>
Philippe.