samba - Jun 2014 - Samba 3.6 to 4.1 problem with classicupgrade

Hello, 

 

I run Samba 3.6.3. on ubuntu server, whre the domain works fine. Hoever when
I try to migrate to Samba 4.1 from sernet distribution, I finish with
Classicupgrade on the below error. I know it hase to do with bad group
mapping, but I am not able to find the mistake. Please help.  

 

root at server:/var/lib/samba# samba-tool domain classicupgrade
--dbdir=/var/lib/samba.PDC/dbdir/ --use-xattrs=yes --realm=samba.gyohavl.cz
--dns-backend=SAMBA_INTERNAL /etc/samba.PDC/smb.PDC.conf

Reading smb.conf

WARNING: The "idmap uid" option is deprecated

WARNING: The "idmap gid" option is deprecated

Processing section "[homes]"

Processing section "[netlogon]"

Unknown parameter encountered: "share modes"

Ignoring unknown parameter "share modes"

Processing section "[profiles]"

Processing section "[data]"

Unknown parameter encountered: "share modes"

Ignoring unknown parameter "share modes"

Processing section "[intranet]"

Processing section "[aplikace]"

Processing section "[dokumenty]"

Processing section "[zav]"

Processing section "[bakalari]"

Processing section "[langmaster]"

Provisioning

Exporting account policy

Exporting groups

Exporting users

Next rid = 6187

Exporting posix attributes

Reading WINS database

lpcfg_load: refreshing parameters from /etc/samba/smb.conf

lpcfg_load: refreshing parameters from /etc/samba/smb.conf

Looking up IPv4 addresses

More than one IPv4 address found. Using 10.1.1.1

Looking up IPv6 addresses

No IPv6 address will be assigned

Processing section "[netlogon]"

Processing section "[sysvol]"

Module 'acl_xattr' loaded

connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and
'force unknown acl user = true' for service Unknown Service (snum == -1)

connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true' and
'force unknown acl user = true' for service Unknown Service (snum == -1)

Setting up share.ldb

Setting up secrets.ldb

Setting up the registry

key added: key=SOFTWARE,hive=NONE

key added: key=Microsoft,key=SOFTWARE,hive=NONE

key added: key=Windows NT,key=Microsoft,key=SOFTWARE,hive=NONE

key added: key=CurrentVersion,key=Windows
NT,key=Microsoft,key=SOFTWARE,hive=NONE

key added: key=SYSTEM,hive=NONE

key added: key=CurrentControlSet,key=SYSTEM,hive=NONE

key added: key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE

key added:
key=ProductOptions,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE

key added: key=Print,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE

key added: key=Terminal
Server,key=Control,key=CurrentControlSet,key=SYSTEM,hive=NONE

key added: key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE

key added:
key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE

key added:
key=Parameters,key=Netlogon,key=Services,key=CurrentControlSet,key=SYSTEM,hi
ve=NONE

key added:
key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hive=NONE

key added:
key=Parameters,key=Alerter,key=Services,key=CurrentControlSet,key=SYSTEM,hiv
e=NONE

Setting up the privileges database

Setting up idmap db

Setting up SAM db

Setting up sam.ldb partitions and settings

Setting up sam.ldb rootDSE

Pre-loading the Samba 4 and AD schema

partition_metadata: Migrating partition metadata

Adding DomainDN: DC=samba,DC=gyohavl,DC=cz

DN: DC=samba,DC=gyohavl,DC=cz is a NC

Adding configuration container

DN: CN=Configuration,DC=samba,DC=gyohavl,DC=cz is a NC

Setting up sam.ldb schema

DN: CN=Schema,CN=Configuration,DC=samba,DC=gyohavl,DC=cz is a NC

Setting up sam.ldb configuration data

Setting up display specifiers

Modifying display specifiers

Adding users container

Modifying users container

Adding computers container

Modifying computers container

Setting up sam.ldb data

Setting up well known security principals

Setting up sam.ldb users and groups

Setting up self join

Setting acl on sysvol skipped

Adding DNS accounts

Creating CN=MicrosoftDNS,CN=System,DC=samba,DC=gyohavl,DC=cz

Creating DomainDnsZones and ForestDnsZones partitions

DN: DC=DomainDnsZones,DC=samba,DC=gyohavl,DC=cz is a NC

DN: DC=ForestDnsZones,DC=samba,DC=gyohavl,DC=cz is a NC

Populating DomainDnsZones and ForestDnsZones partitions

Setting up sam.ldb rootDSE marking as synchronized

Fixing provision GUIDs

A Kerberos configuration suitable for Samba 4 has been generated at
/var/lib/samba/private/krb5.conf

Setting up fake yp server settings

Once the above files are installed, your Samba4 server will be ready to use

Server Role:           active directory domain controller

Hostname:              samba

NetBIOS Domain:        OHAVLOVA

DNS Domain:            samba.gyohavl.cz

DOMAIN SID:            S-1-5-21-3580906303-2510493029-2036897744

Importing WINS database

Importing Account policy

Importing idmap database

Processing section "[netlogon]"

Processing section "[sysvol]"

Adding groups

Importing groups

Could not add group name=Domain Users ((68, "samldb: Account name
(sAMAccountName) 'Domain Users' already in use!"))

Could not modify AD idmap entry for
sid=S-1-5-21-3580906303-2510493029-2036897744-1018, id=500, type=ID_TYPE_GID
((32, "Base-DN
'<SID=S-1-5-21-3580906303-2510493029-2036897744-1018>' not
found"))

Could not add posix attrs for AD entry for
sid=S-1-5-21-3580906303-2510493029-2036897744-1018, ((32, "Base-DN
'<SID=S-1-5-21-3580906303-2510493029-2036897744-1018>' not
found"))

Group already exists sid=S-1-5-21-3580906303-2510493029-2036897744-513,
groupname=Domain Users existing_groupname=Domain Users, Ignoring.

Group already exists sid=S-1-5-21-3580906303-2510493029-2036897744-512,
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.

Group already exists sid=S-1-5-32-544, groupname=Administrators
existing_groupname=Administrators, Ignoring.

Commiting 'add groups' transaction to disk

Adding users

Importing users

User root has been kept in the directory, it should be removed in favour of
the Administrator user

Commiting 'add users' transaction to disk

Adding users to groups

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
ProvisioningError: Could not add member
'S-1-5-21-3580906303-2510493029-2036897744-3970' to group
'S-1-5-21-3580906303-2510493029-2036897744-1018' as either group or user
record doesn't exist: Base-DN
'<SID=S-1-5-21-3580906303-2510493029-2036897744-1018>' not found

  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line
175, in _run

    return self.run(*args, **kwargs)

  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
1318,
in run

    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)

  File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 956,
in
upgrade_from_samba3

    add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)

  File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 316,
in
add_users_to_group

    raise ProvisioningError("Could not add member '%s' to group
'%s' as
either group or user record doesn't exist: %s" % (member_sid,
group.sid,
emsg))

Hello Martin,

Am 30.06.2014 23:27, schrieb Martin Homola:
> Importing groups
> 
> Could not add group name=Domain Users ((68, "samldb: Account name
> (sAMAccountName) 'Domain Users' already in use!"))
> 
> Could not modify AD idmap entry for
> sid=S-1-5-21-3580906303-2510493029-2036897744-1018, id=500,
type=ID_TYPE_GID
> ((32, "Base-DN
'<SID=S-1-5-21-3580906303-2510493029-2036897744-1018>' not
> found"))
> 
> Could not add posix attrs for AD entry for
> sid=S-1-5-21-3580906303-2510493029-2036897744-1018, ((32, "Base-DN
> '<SID=S-1-5-21-3580906303-2510493029-2036897744-1018>' not
found"))
> 
> Group already exists sid=S-1-5-21-3580906303-2510493029-2036897744-513,
> groupname=Domain Users existing_groupname=Domain Users, Ignoring.
What RID does your Domain User group have in your old installation?
Anything else that -513? Then rename/delete it, before you run the
provisioning.


Regards,
Marc