Giuseppe Arvati
2014-Feb-28 15:59 UTC
[Samba] samba4 classicupgrade problem idmapping sid_to_xid failed
Hi,

I'm sorry for the long email, but I tried to put in any information useful to solve the problem.

I'm trying to use classicupgrade to migrate a samba3 server that uses local users and tdb files, on a test CentOS 6.5 VM with samba 4.1.5 built from source.

My goal is to migrate users and data and then admin the imported users via Microsoft RSAT tools, without having to create local users on the CentOS server.

After I copied the config files from samba3, I ran this command:

samba-tool domain classicupgrade --dbdir=/usr/local/samba3/samba --use-xattrs=yes --realm=apam.loc /usr/local/samba3/smb.conf

The command ends without relevant errors, and these are the last lines of the samba-tool output:

...
Ignoring group memberships of 'AGMB10$' S-1-5-21-576720093-3400387741-2704278951-1064: Unable to enumerate group memberships, (-1073741724,No such user)
Ignoring group memberships of 'CLIENT$' S-1-5-21-576720093-3400387741-2704278951-1111: Unable to enumerate group memberships, (-1073741724,No such user)
Next rid = 3361
Exporting posix attributes
Reading WINS database
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=apam,DC=loc
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Modifying display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting acl on sysvol skipped
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=apam,DC=loc
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Server Role: active directory domain controller
Hostname: apamfs1
NetBIOS Domain: APAM
DNS Domain: apam.loc
DOMAIN SID: S-1-5-21-576720093-3400387741-2704278951
Importing WINS database
Importing Account policy
Importing idmap database
Adding groups
Importing groups
Group already exists sid=S-1-5-21-576720093-3400387741-2704278951-513, groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Group already exists sid=S-1-5-21-576720093-3400387741-2704278951-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Commiting 'add groups' transaction to disk
Adding users
Importing users
User root has been kept in the directory, it should be removed in favour of the Administrator user
Commiting 'add users' transaction to disk
Adding users to groups
Commiting 'add users to groups' transaction to disk
Setting password for administrator
Administrator password has been set to password of user 'root'

The smb.conf generated is minimal:

# Global parameters
[global]
    workgroup = APAM
    realm = apam.loc
    netbios name = APAMFS1
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes

[netlogon]
    path = /usr/local/samba/var/locks/sysvol/apam.loc/scripts
    read only = No

[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No

[root@apamfs1 ~]#

Then I started samba4:

#/usr/local/samba/sbin/samba -i -M single -d3
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
samba version 4.1.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2013
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
NTPTR backend 'simple_ldb'
NTVFS backend 'default' for type 1 registered
NTVFS backend 'posix' for type 1 registered
NTVFS backend 'unixuid' for type 1 registered
NTVFS backend 'unixuid' for type 3 registered
NTVFS backend 'unixuid' for type 2 registered
NTVFS backend 'cifs' for type 1 registered
NTVFS backend 'smb2' for type 1 registered
NTVFS backend 'simple' for type 1 registered
NTVFS backend 'cifsposix' for type 1 registered
NTVFS backend 'default' for type 3 registered
NTVFS backend 'default' for type 2 registered
NTVFS backend 'nbench' for type 1 registered
PROCESS_MODEL 'single' registered
PROCESS_MODEL 'onefork' registered
PROCESS_MODEL 'prefork' registered
PROCESS_MODEL 'standard' registered
AUTH backend 'sam' registered
AUTH backend 'sam_ignoredomain' registered
AUTH backend 'anonymous' registered
AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered
AUTH backend 'name_to_ntstatus' registered
AUTH backend 'unix' registered
SHARE backend [classic] registered.
SHARE backend [ldb] registered.
ldb_wrap open of privilege.ldb
samba: using 'single' process model
DCERPC endpoint server 'rpcecho' registered
DCERPC endpoint server 'epmapper' registered
DCERPC endpoint server 'remote' registered
DCERPC endpoint server 'srvsvc' registered
DCERPC endpoint server 'wkssvc' registered
DCERPC endpoint server 'unixinfo' registered
DCERPC endpoint server 'samr' registered
DCERPC endpoint server 'winreg' registered
DCERPC endpoint server 'netlogon' registered
DCERPC endpoint server 'dssetup' registered
DCERPC endpoint server 'lsarpc' registered
DCERPC endpoint server 'backupkey' registered
DCERPC endpoint server 'spoolss' registered
DCERPC endpoint server 'drsuapi' registered
DCERPC endpoint server 'browser' registered
DCERPC endpoint server 'eventlog6' registered
DCERPC endpoint server 'dnsserver' registered
dreplsrv_partition[CN=Configuration,DC=apam,DC=loc] loaded
dreplsrv_partition[CN=Schema,CN=Configuration,DC=apam,DC=loc] loaded
dreplsrv_partition[DC=apam,DC=loc] loaded
dreplsrv_partition[DC=ForestDnsZones,DC=apam,DC=loc] loaded
dreplsrv_partition[DC=DomainDnsZones,DC=apam,DC=loc] loaded
ldb_wrap open of secrets.ldb
ldb_wrap open of idmap.ldb
kccsrv_partition[DC=apam,DC=loc] loaded
kccsrv_partition[CN=Configuration,DC=apam,DC=loc] loaded
kccsrv_partition[CN=Schema,CN=Configuration,DC=apam,DC=loc] loaded
kccsrv_partition[DC=DomainDnsZones,DC=apam,DC=loc] loaded
kccsrv_partition[DC=ForestDnsZones,DC=apam,DC=loc] loaded
Calling DNS name update script
Calling SPN name update script
/usr/local/samba/sbin/smbd: smbd version 4.1.5 started.
/usr/local/samba/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2013
Terminating connection - 'wbsrv: wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv: wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
idmapping sid_to_xid failed for id[0]=S-1-5-32-545: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-21-576720093-3400387741-2704278951-501: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[1]=S-1-5-21-576720093-3400387741-2704278951-514: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[2]=S-1-1-0: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[3]=S-1-5-2: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[4]=S-1-5-32-546: NT_STATUS_NONE_MAPPED
/usr/local/samba/sbin/smbd: Unable to connect to CUPS server localhost:631 - Connessione rifiutata
/usr/local/samba/sbin/smbd: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
Child /usr/local/samba/sbin/samba_spnupdate exited with status 0 - Success
Completed SPN update check OK
Child /usr/local/samba/sbin/samba_dnsupdate exited with status 0 - Success
Completed DNS update check OK
Registered APAMFS1<00> with 192.168.4.1 on interface 192.168.4.255
Registered APAMFS1<03> with 192.168.4.1 on interface 192.168.4.255
Registered APAMFS1<20> with 192.168.4.1 on interface 192.168.4.255
Registered APAM<1b> with 192.168.4.1 on interface 192.168.4.255
Registered APAM<1c> with 192.168.4.1 on interface 192.168.4.255
Registered APAM<00> with 192.168.4.1 on interface 192.168.4.255
/usr/local/samba/sbin/samba -i -M single -d3

Some tests:

[root@apamfs1 ~]wbinfo -u
returns the list of all imported users

[root@apamfs1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: garvati@APAM.LOC

[root@apamfs1 ~]kinit administrator@APAM.LOC
Password for administrator@APAM.LOC:
Warning: Your password will expire in 89 days on Thu May 29 11:22:27 2014

[root@apamfs1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@APAM.LOC

Valid starting     Expires            Service principal
02/28/14 15:02:01  03/01/14 01:02:01  krbtgt/APAM.LOC@APAM.LOC
        renew until 03/01/14 15:01:57

[root@apamfs1 ~]# id administrator
uid=0(root) gid=1000(APAM\Domain Users) gruppi=0(root),1000(APAM\Domain Users)
[root@apamfs1 ~]#

But when I try to do a smbclient connection:

[root@apamfs1 ~]# smbclient //localhost/netlogon -UAdministrator
Enter Administrator's password:
session setup failed: NT_STATUS_INVALID_NETWORK_RESPONSE

and on the samba output I get:

idmapping sid_to_xid failed for id[2]=S-1-5-21-576720093-3400387741-2704278951-520: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[3]=S-1-5-21-576720093-3400387741-2704278951-572: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[4]=S-1-5-21-576720093-3400387741-2704278951-519: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[5]=S-1-5-21-576720093-3400387741-2704278951-518: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[7]=S-1-1-0: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[8]=S-1-5-2: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[9]=S-1-5-11: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[10]=S-1-5-32-544: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[11]=S-1-5-32-545: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[12]=S-1-5-32-554: NT_STATUS_NONE_MAPPED

[root@apamfs1 ~]# /usr/local/samba/bin/wbinfo --name-to-sid garvati
S-1-5-21-576720093-3400387741-2704278951-3002 SID_USER (1)
[root@apamfs1 ~]# /usr/local/samba/bin/wbinfo --sid-to-uid S-1-5-21-576720093-3400387741-2704278951-3002
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-576720093-3400387741-2704278951-3002 to uid

All users have a SID, but this SID isn't mapped to an ID. The /usr/local/samba/private/idmap.ldb has only 4 records:

[root@apamfs1 ~]# ldbsearch -H /usr/local/samba/private/idmap.ldb -a
# record 1
dn: CN=CONFIG
cn: CONFIG
upperBound: 4000000
lowerBound: None
xidNumber: None
distinguishedName: CN=CONFIG

# record 2
dn: CN=S-1-5-21-576720093-3400387741-2704278951-500
cn: S-1-5-21-576720093-3400387741-2704278951-500
objectClass: sidMap
objectSid: S-1-5-21-576720093-3400387741-2704278951-500
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-576720093-3400387741-2704278951-500

# record 3
dn: CN=S-1-5-7
cn: S-1-5-7
objectClass: sidMap
objectSid: S-1-5-7
type: ID_TYPE_UID
xidNumber: 99
distinguishedName: CN=S-1-5-7

# record 4
dn: CN=S-1-5-21-576720093-3400387741-2704278951-513
cn: S-1-5-21-576720093-3400387741-2704278951-513
objectClass: sidMap
objectSid: S-1-5-21-576720093-3400387741-2704278951-513
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-576720093-3400387741-2704278951-513

# returned 4 records
# 4 entries
# 0 referrals

Now I'm ready for some questions:

1) Did I make any errors during the classicupgrade procedure?
2) How can I solve the sid_to_xid error?

Thank you for any help
Giuseppe
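
The cross-check the post does by eye, as an added example that is not part of the original message: a Python script that collects the SIDs from `idmapping sid_to_xid failed` log lines and reports which of them have no `sidMap` record in `ldbsearch` output, split into domain SIDs and well-known/builtin SIDs. The sample input is constructed by abridging the output quoted above, and the function names are assumptions.

```python
import re
# Constructed sample input, abridged from the post; function names are illustrative.
SAMBA_LOG = """\
idmapping sid_to_xid failed for id[0]=S-1-5-32-545: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-21-576720093-3400387741-2704278951-501: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[2]=S-1-1-0: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[2]=S-1-5-21-576720093-3400387741-2704278951-520: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[11]=S-1-5-32-545: NT_STATUS_NONE_MAPPED
"""
IDMAP_LDIF = """\
# record 1
cn: CONFIG
upperBound: 4000000

# record 2
objectClass: sidMap
objectSid: S-1-5-21-576720093-3400387741-2704278951-500
type: ID_TYPE_UID
xidNumber: 0

# record 4
objectClass: sidMap
objectSid: S-1-5-21-576720093-3400387741-2704278951-513
type: ID_TYPE_GID
xidNumber: 100
"""
DOMAIN_SID = "S-1-5-21-576720093-3400387741-2704278951"
FAILED = re.compile(r"sid_to_xid failed for id\[\d+\]=(S-[\d-]+): (\w+)")

def parse_idmap(ldif):
    """Return {sid: (type, xid)} for every sidMap record in ldbsearch output."""
    mapped = {}
    for record in re.split(r"\n\s*\n", ldif):
        attrs = dict(line.split(": ", 1) for line in record.splitlines()
                     if ": " in line and not line.startswith("#"))
        if attrs.get("objectClass") == "sidMap":  # skips CN=CONFIG
            mapped[attrs["objectSid"]] = (attrs["type"], int(attrs["xidNumber"]))
    return mapped

def unmapped_sids(log, ldif, domain_sid):
    """SIDs that failed sid_to_xid and have no idmap record: (domain, other)."""
    mapped = parse_idmap(ldif)
    failed = sorted({m.group(1) for m in FAILED.finditer(log)} - set(mapped))
    domain = [s for s in failed if s.startswith(domain_sid + "-")]
    other = [s for s in failed if s not in domain]
    return domain, other

if __name__ == "__main__":
    print(unmapped_sids(SAMBA_LOG, IDMAP_LDIF, DOMAIN_SID))
```
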