Testing this "classic upgrade" scenario on a test server and have some
issues. I'm using the Sernet 4.2.1 packages on Debian Wheezy.

I copied the required tdb files and the smb.conf to the new test
server (named WHEEZY). Edited the smb.conf to reflect the new
host/netbios name of WHEEZY (remember that I want to keep the old PDC
in service afterward for file and print sharing duties - understanding
that it cannot simply be demoted) for the AD.

Run the "samba-tool domain classicupgrade ..." command and I get some
trouble spots (first is groups):
=======================================================
Exporting groups
Ignoring group 'Assistants' S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Projects' S-1-5-21-1832519723-2688400599-3493754984-1092 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Management' S-1-5-21-1832519723-2688400599-3493754984-1885 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Print Operators' S-1-5-21-1832519723-2688400599-3493754984-550 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Domain Admins' S-1-5-21-1832519723-2688400599-3493754984-512 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Office' S-1-5-21-1832519723-2688400599-3493754984-1901 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Accounting' S-1-5-21-1832519723-2688400599-3493754984-1887 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Domain Users' S-1-5-21-1832519723-2688400599-3493754984-513 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Domain Computers' S-1-5-21-1832519723-2688400599-3493754984-515 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
=======================================================

And problems with users (guessing these are tied to the group issues):
=======================================================
Exporting users
Ignoring group memberships of 'skjidu' S-1-5-21-1832519723-2688400599-3493754984-1158: Unable to enumerate group memberships, (-1073741724,No such user)
Ignoring group memberships of 'ngoires' S-1-5-21-1832519723-2688400599-3493754984-3010: Unable to enumerate group memberships, (-1073741724,No such user)
Ignoring group memberships of 'rmsorris' S-1-5-21-1832519723-2688400599-3493754984-1299: Unable to enumerate group memberships, (-1073741724,No such user)
Ignoring group memberships of 'khifdgym' S-1-5-21-1832519723-2688400599-3493754984-1279: Unable to enumerate group memberships, (-1073741724,No such user)
Ignoring group memberships of 'ZATL1$' S-1-5-21-1832519723-2688400599-3493754984-1083: Unable to enumerate group memberships, (-1073741724,No such user)
Ignoring group memberships of 'yzswains' S-1-5-21-1832519723-2688400599-3493754984-1346: Unable to enumerate group memberships, (-1073741724,No such user)
Ignoring group memberships of 'chjkwier' S-1-5-21-1832519723-2688400599-3493754984-1130: Unable to enumerate group memberships, (-1073741724,No such user)
Ignoring group memberships of 'ZATL2$' S-1-5-21-1832519723-2688400599-3493754984-1080: Unable to enumerate group memberships, (-1073741724,No such user)
.... and so on...
=======================================================

Next area of concern is:
=======================================================
Importing idmap database
Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
Adding groups
Importing groups
Could not add group name=Print Operators ((68, "samldb: Account name (sAMAccountName) 'Print Operators' already in use!"))
Could not modify AD idmap entry for sid=S-1-5-21-1832519723-2688400599-3493754984-550, id=449, type=ID_TYPE_GID ((32, "Base-DN '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
Could not add posix attrs for AD entry for sid=S-1-5-21-1832519723-2688400599-3493754984-550, ((32, "Base-DN '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-514, groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-513, groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-515, groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
=======================================================

It's looking like moving to a Samba 4 AD is not such a straightforward quest.

How to resolve those issues?

Thanks!


On Sat, Nov 15, 2014 at 2:53 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2014-10-28 at 21:24 -0200, Martinx - ????? wrote:
>> Hi!
>>
>> In fact, at your new Samba4 AD DC, if you disable NetBIOS, then, it
>> will not conflict with old NT-Like Domain (which have NetBIOS).
>>
>> So, the only way to join your new Samba 4 AD DC domain is by
>> configuring the DNS, otherwise, it will stay there, quiet...
>>
>> Am I right?!
>
> Not really, and I don't recommend it.
>
>> BTW, I did more or less something like this here in my company, the
>> only difference was that I was migrating "MYDOM" from W2k8R2 (with
>> NetBIOS) to Samba4 (without NetBIOS).
>>
>> Also, I did not copy the SID from old MYDOM, to new MYDOM, in fact,
>> they are different.
>
> If you didn't keep the same name or SID, it isn't an upgrade.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On 26/04/15 23:21, Sonic wrote:
> Testing this "classic upgrade" scenario on a test server and have some
> issues. I'm using the Sernet 4.2.1 packages on Debian Wheezy.
>
> I copied the required tdb files and the smb.conf to the new test
> server (named WHEEZY). Edited the smb.conf to reflect the new
> host/netbios name of WHEEZY (remember that I want to keep the old PDC
> in service afterward for file and print sharing duties - understanding
> that it cannot simply be demoted) for the AD.
>
> Run the "samba-tool domain classicupgrade ..." command and I get some
> trouble spots (first is groups):
> =======================================================
> Exporting groups
> Ignoring group 'Assistants' S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Projects' S-1-5-21-1832519723-2688400599-3493754984-1092 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Management' S-1-5-21-1832519723-2688400599-3493754984-1885 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Print Operators' S-1-5-21-1832519723-2688400599-3493754984-550 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Domain Admins' S-1-5-21-1832519723-2688400599-3493754984-512 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Office' S-1-5-21-1832519723-2688400599-3493754984-1901 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Accounting' S-1-5-21-1832519723-2688400599-3493754984-1887 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Domain Users' S-1-5-21-1832519723-2688400599-3493754984-513 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Domain Computers' S-1-5-21-1832519723-2688400599-3493754984-515 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
> =======================================================
>
> And problems with users (guessing these are tied to the group issues):
> =======================================================
> Exporting users
> Ignoring group memberships of 'skjidu' S-1-5-21-1832519723-2688400599-3493754984-1158: Unable to enumerate group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'ngoires' S-1-5-21-1832519723-2688400599-3493754984-3010: Unable to enumerate group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'rmsorris' S-1-5-21-1832519723-2688400599-3493754984-1299: Unable to enumerate group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'khifdgym' S-1-5-21-1832519723-2688400599-3493754984-1279: Unable to enumerate group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'ZATL1$' S-1-5-21-1832519723-2688400599-3493754984-1083: Unable to enumerate group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'yzswains' S-1-5-21-1832519723-2688400599-3493754984-1346: Unable to enumerate group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'chjkwier' S-1-5-21-1832519723-2688400599-3493754984-1130: Unable to enumerate group memberships, (-1073741724,No such user)
> Ignoring group memberships of 'ZATL2$' S-1-5-21-1832519723-2688400599-3493754984-1080: Unable to enumerate group memberships, (-1073741724,No such user)
> .... and so on...
> =======================================================
>
> Next area of concern is:
> =======================================================
> Importing idmap database
> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
> Adding groups
> Importing groups
> Could not add group name=Print Operators ((68, "samldb: Account name (sAMAccountName) 'Print Operators' already in use!"))
> Could not modify AD idmap entry for sid=S-1-5-21-1832519723-2688400599-3493754984-550, id=449, type=ID_TYPE_GID ((32, "Base-DN '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
> Could not add posix attrs for AD entry for sid=S-1-5-21-1832519723-2688400599-3493754984-550, ((32, "Base-DN '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
> Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
> Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-514, groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
> Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-513, groupname=Domain Users existing_groupname=Domain Users, Ignoring.
> Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-515, groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
> =======================================================
>
> It's looking like moving to a Samba 4 AD is not such a straightforward quest.
>
> How to resolve those issues?
>
> Thanks!
>
>
> On Sat, Nov 15, 2014 at 2:53 AM, Andrew Bartlett <abartlet at samba.org> wrote:
>> On Tue, 2014-10-28 at 21:24 -0200, Martinx - ????? wrote:
>>> Hi!
>>>
>>> In fact, at your new Samba4 AD DC, if you disable NetBIOS, then, it
>>> will not conflict with old NT-Like Domain (which have NetBIOS).
>>>
>>> So, the only way to join your new Samba 4 AD DC domain is by
>>> configuring the DNS, otherwise, it will stay there, quiet...
>>>
>>> Am I right?!
>> Not really, and I don't recommend it.
>>
>>> BTW, I did more or less something like this here in my company, the
>>> only difference was that I was migrating "MYDOM" from W2k8R2 (with
>>> NetBIOS) to Samba4 (without NetBIOS).
>>>
>>> Also, I did not copy the SID from old MYDOM, to new MYDOM, in fact,
>>> they are different.
>> If you didn't keep the same name or SID, it isn't an upgrade.
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett http://samba.org/~abartlet/
>> Authentication Developer, Samba Team http://samba.org
>> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

It sounds to me that you are not going about this the right way, you need to
follow the instructions on the wiki page:

https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29

Do this in a test environment, get the AD DC working, then once you are sure
everything is ok, swap your new AD DC for the old PDC. After this, you can
then upgrade samba on the PDC, change smb.conf to make it a member server and
then join this to the Domain.

Rowland
On Mon, Apr 27, 2015 at 4:11 AM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> It sounds to me that you are not going about this the right way, you need to
> follow the instructions on the wiki page:
>
> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29

That's the wiki page I used.

The LDAP stuff doesn't apply as the current PDC is using tdbsam.

There are no duplicate SIDs.

I don't get the "Provisioning Error: Please remove common user/group names before upgrade" message so I assume that's not an issue.

I changed the netbios name in the copied smb.conf as instructed as the new AD will be a different box with a different hostname.

I copied the databases listed under the classicupgrade process section. That is: secrets.tdb, schannel_store.tdb, passdb.tdb, gencache_notrans.tdb, group_mapping.tdb, and account_policy.tdb. Is that list complete or just an example? Do I need more .tdb files than those that are listed?

There is nothing listed in regards to manually adding Linux groups that exist in the old system that are involved in group maps to the new host. Is that something that needs to be done? If so, it seems like an important step to leave out.

Apparently something is missing from the page or I'm missing something when trying to follow it. So far have not figured out what it is.

Chris
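An added triage helper for the classicupgrade output quoted at the top of this thread (not part of the original messages and not Samba project code): it classifies the warning lines, decodes the signed NTSTATUS and LDAP result codes, and flags well-known RIDs and machine accounts. The function names and the trimmed sample log are constructed for illustration.

```python
import re

# Constructed sample: a few entries copied from the output quoted in this thread.
DOM = "S-1-5-21-1832519723-2688400599-3493754984"
SAMPLE = f"""\
Ignoring group 'Assistants' {DOM}-1891 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Print Operators' {DOM}-550 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Domain Admins' {DOM}-512 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group memberships of 'ZATL1$' {DOM}-1083: Unable to enumerate group memberships, (-1073741724,No such user)
Could not add group name=Print Operators ((68, "samldb: Account name (sAMAccountName) 'Print Operators' already in use!"))
Group already exists sid={DOM}-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
"""

# Well-known RIDs; 550 is normally the BUILTIN alias S-1-5-32-550, not a domain group.
WELL_KNOWN = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
              515: "Domain Computers", 550: "Print Operators (BUILTIN alias RID)"}
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC0000066: "STATUS_NO_SUCH_GROUP"}
LDAP = {32: "noSuchObject", 68: "entryAlreadyExists"}
PATTERNS = [
    ("group_skipped", re.compile(r"^Ignoring group '(?P<name>[^']+)' (?P<sid>S-[\d-]+) listed.*\((?P<code>-\d+),")),
    ("memberships_skipped", re.compile(r"^Ignoring group memberships of '(?P<name>[^']+)' (?P<sid>S-[\d-]+):.*\((?P<code>-\d+),")),
    ("group_add_failed", re.compile(r"^Could not add group name=(?P<name>.+?) \(\((?P<code>\d+),")),
    ("group_exists", re.compile(r"^Group already exists sid=(?P<sid>S-[\d-]+), groupname=(?P<name>.+?) existing_groupname=")),
]

def describe(kind, g):
    rid = int(g["sid"].rsplit("-", 1)[1]) if "sid" in g else None
    code = int(g["code"]) if "code" in g else None
    status = None
    if code is not None and code < 0:  # NTSTATUS is printed as a signed 32-bit integer
        status = NTSTATUS.get(code & 0xFFFFFFFF, hex(code & 0xFFFFFFFF))
    elif code is not None:             # positive codes here are LDAP result codes
        status = LDAP.get(code, str(code))
    return {"kind": kind, "name": g["name"], "rid": rid, "status": status,
            "well_known": WELL_KNOWN.get(rid), "machine": g["name"].endswith("$")}

def triage(log):
    """Return one dict per recognised classicupgrade warning line."""
    findings = []
    for line in log.splitlines():
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                findings.append(describe(kind, m.groupdict()))
                break
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

Each log entry must be on a single line, so unwrap mail-wrapped output before feeding it in.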