Sorry for the long post but attempted this several times over the past year with no success but staying on an NT4 domain is no longer viable. Need to get this resolved so hopefully there will be a clue somewhere in this montage.

The current PDC is samba-3.6.25 running on Gentoo using tdbsam backend. The new AD will be a Debian LXC container running on Debian Jessie using samba compiled from git (currently Samba 4.5.0pre1-GIT-8e0e4f5).

I'm getting the exact same problems as tests that were done in the past (previous attempts were done in VM environment vs LXC, so these aren't LXC related issues).

For reference samba-master was configured:
"configure --disable-cups --disable-iprint --without-quotas --disable-avahi --with-systemd --without-ntvfs-fileserver"

Via the Wiki the tdb's and smb.conf were collected and the migration started:
"samba-tool domain classicupgrade --dbdir=/mnt/samba.PDC/dbdir/ --use-xattrs=yes --realm=office.example.com --dns-backend=BIND9_DLZ /mnt/samba.PDC/smb.conf"

Output during migration:
=======================================
Exporting groups
Ignoring group 'Assistants' S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Projects' S-1-5-21-1832519723-2688400599-3493754984-1092 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Management' S-1-5-21-1832519723-2688400599-3493754984-1885 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Print Operators' S-1-5-21-1832519723-2688400599-3493754984-550 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Domain Admins' S-1-5-21-1832519723-2688400599-3493754984-512 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
...
=======================================
The above "Unable to enumerate group members" occurred for all groups, including "Domain Users" and "Domain Computers".

Similar issue exporting users:
=======================================
Exporting users
Ignoring group memberships of 'usernameone' S-1-5-21-1832519723-2688400599-3493754984-1448: Unable to enumerate group memberships, (-1073741724,No such user)
...
=======================================
and so on.

Then on importing groups:
=======================================
Could not add group name=Print Operators ((68, "samldb: Account name (sAMAccountName) 'Print Operators' already in use!"))
Could not modify AD idmap entry for sid=S-1-5-21-1832519723-2688400599-3493754984-550, id=449, type=ID_TYPE_GID ((32, "Base-DN '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
Could not add posix attrs for AD entry for sid=S-1-5-21-1832519723-2688400599-3493754984-550, ((32, "Base-DN '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-514, groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-513, groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-515, groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
=======================================

The rest seemed to be OK, just a warning at the end:
=======================================
User root has been kept in the directory, it should be removed in favour of the Administrator user
=======================================

Results:
The typical tests work fine:
smbclient -L localhost -U%
smbclient //localhost/netlogon -UAdministrator -c 'ls'
DNS passes tests
Kerberos test passes

Problems I see:
=======================================
samba-tool dbcheck
Checking 573 objects
Bad talloc magic value - unknown value
Aborted

"samba-tool user list"
Only 5 imported users out of over 300 show up after that command. However:
"samba-tool group listmembers "Domain Users""
does appear to list all of the users (when is a user not a user?) and
"samba-tool group list"
does list the previous ignored groups in the Exporting groups section

"pdbedit -v -L"
only lists the created and additional 5 imported users, however
"pdbedit -v usernameone"
will list the details for the specific user.
=======================================

Note that I also attempted this after checking the tdb's for errors and repacking them using tdbtool - no difference.

Thanks to all who can assist.

Chris
On 07/03/16 19:04, Sonic wrote:
> Sorry for the long post but attempted this several times over the past year
> with no success but staying on an NT4 domain is no longer viable. Need
> to get this resolved so hopefully there will be a clue somewhere in
> this montage.
>
> The current PDC is samba-3.6.25 running on Gentoo using tdbsam backend.
> The new AD will be a Debian LXC container running on Debian Jessie
> using samba compiled from git (currently Samba 4.5.0pre1-GIT-8e0e4f5).

Please don't use Samba from git for anything other than testing, I would suggest using the latest 4.4.0rc version from here:

https://download.samba.org/pub/samba/rc/samba-4.4.0rc3.tar.gz

>
> I'm getting the exact same problems as tests that were done in the
> past (previous attempts were done in VM environment vs LXC, so these
> aren't LXC related issues).
>
> For reference samba-master was configured:
> "configure --disable-cups --disable-iprint --without-quotas
> --disable-avahi --with-systemd --without-ntvfs-fileserver"

I would suggest that you just run './configure && make && make install'

Can we (as a start) see the smb.conf from the original 'PDC'

Rowland

>
> Via the Wiki the tdb's and smb.conf were collected and the migration started:
> "samba-tool domain classicupgrade --dbdir=/mnt/samba.PDC/dbdir/
> --use-xattrs=yes --realm=office.example.com --dns-backend=BIND9_DLZ
> /mnt/samba.PDC/smb.conf"
>
> Output during migration:
> =======================================
> Exporting groups
> Ignoring group 'Assistants' S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Projects' S-1-5-21-1832519723-2688400599-3493754984-1092 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Management' S-1-5-21-1832519723-2688400599-3493754984-1885 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Print Operators' S-1-5-21-1832519723-2688400599-3493754984-550 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Domain Admins' S-1-5-21-1832519723-2688400599-3493754984-512 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
> ...
> =======================================
> The above "Unable to enumerate group members" occurred for all groups,
> including "Domain Users" and "Domain Computers".
>
> Similar issue exporting users:
> =======================================
> Exporting users
> Ignoring group memberships of 'usernameone' S-1-5-21-1832519723-2688400599-3493754984-1448: Unable to enumerate group memberships, (-1073741724,No such user)
> ...
> =======================================
> and so on.
>
> Then on importing groups:
> =======================================
> Could not add group name=Print Operators ((68, "samldb: Account name (sAMAccountName) 'Print Operators' already in use!"))
> Could not modify AD idmap entry for sid=S-1-5-21-1832519723-2688400599-3493754984-550, id=449, type=ID_TYPE_GID ((32, "Base-DN '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
> Could not add posix attrs for AD entry for sid=S-1-5-21-1832519723-2688400599-3493754984-550, ((32, "Base-DN '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
> Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
> Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-514, groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
> Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-513, groupname=Domain Users existing_groupname=Domain Users, Ignoring.
> Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-515, groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
> =======================================
>
> The rest seemed to be OK, just a warning at the end:
> =======================================
> User root has been kept in the directory, it should be removed in favour of the Administrator user
> =======================================
>
> Results:
> The typical tests work fine:
> smbclient -L localhost -U%
> smbclient //localhost/netlogon -UAdministrator -c 'ls'
> DNS passes tests
> Kerberos test passes
>
> Problems I see:
> =======================================
> samba-tool dbcheck
> Checking 573 objects
> Bad talloc magic value - unknown value
> Aborted
>
> "samba-tool user list"
> Only 5 imported users out of over 300 show up after that command. However:
> "samba-tool group listmembers "Domain Users""
> does appear to list all of the users (when is a user not a user?) and
> "samba-tool group list"
> does list the previous ignored groups in the Exporting groups section
>
> "pdbedit -v -L"
> only lists the created and additional 5 imported users, however
> "pdbedit -v usernameone"
> will list the details for the specific user.
> =======================================
>
> Note that I also attempted this after checking the tdb's for errors
> and repacking them using tdbtool - no difference.
> Thanks to all who can assist.
>
> Chris
>
On Mon, Mar 7, 2016 at 2:57 PM, Rowland penny <rpenny at samba.org> wrote:
> Please don't use Samba from git for anything other than testing, I would
> suggest using the latest 4.4.0rc version from here:
> https://download.samba.org/pub/samba/rc/samba-4.4.0rc3.tar.gz

Other failed attempts were with releases so I'm doubting that's the issue.

>> For reference samba-master was configured:
>> "configure --disable-cups --disable-iprint --without-quotas
>> --disable-avahi --with-systemd --without-ntvfs-fileserver"
> I would suggest that you just run './configure && make && make install'

Do you see something wrong with my configure arguments? Certainly none of the stuff I removed should be needed with an AD, plus as the init type is systemd I do need that.

> Can we (as a start) see the smb.conf from the original 'PDC'

Here's the version used for the migration (just shortened it up and left the salient parts):
====================================
[global]
workgroup = EXAMPLE
netbios name = AD
server string = cry me a river
wins support = Yes
time server = Yes
security = user
map to guest = bad user
passdb backend = tdbsam
preferred master = Yes
local master = Yes
domain master = Yes
domain logons = Yes
logon path
logon home = \\%N\%U
logon drive = u:
logon script = scripts\agents.cmd

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
read only = Yes
browseable = No
====================================

Chris
On Mon, 2016-03-07 at 14:04 -0500, Sonic wrote:
> Sorry for the long post but attempted this several times over the past year
> with no success but staying on an NT4 domain is no longer viable.
> Need to get this resolved so hopefully there will be a clue somewhere in
> this montage.

The big issue that you face is that Samba hasn't, until now, had an fsck for the databases. That means that when we go to upgrade, for the first time we are being strict.

Also just check you have the unix users and groups that you are trying to upgrade.

> Problems I see:
> =======================================
> samba-tool dbcheck
> Checking 573 objects
> Bad talloc magic value - unknown value
> Aborted
>

This is a serious issue in our code. I'm working on it, but if you could save that DB aside, I would like you to run a new Samba branch on it if you can, to see if we can instead give a good error or confirm I've addressed the issue.

Thanks,

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
Andrew Bartlett
2016-Mar-08 08:31 UTC
[Samba] dbcheck segfaults (was: Re: classicupgrade migration issues)
On Tue, 2016-03-08 at 10:38 +1300, Andrew Bartlett wrote:
> On Mon, 2016-03-07 at 14:04 -0500, Sonic wrote:
>
> > Problems I see:
> > =======================================
> > samba-tool dbcheck
> > Checking 573 objects
> > Bad talloc magic value - unknown value
> > Aborted
> >
>
> This is a serious issue in our code. I'm working on it, but if you
> could save that DB aside, I would like you to run a new Samba branch on
> it if you can, to see if we can instead give a good error or confirm
> I've addressed the issue.

Those patches are now in git master. If you can make git master segfault (ever, but specifically in dbcheck :-), please let me know.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Mon, Mar 7, 2016 at 4:38 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> The big issue that you face is that Samba hasn't, until now, had an
> fsck for the databases. That means that when we go to upgrade, for the
> first time we are being strict.

Is there anything better than tdbtool against the Samba 3 tdb files?

> Also just check you have the unix users and groups that you are trying
> to upgrade.

If you mean some possible ghost users I did find two with null primary group ID's that did not show up under smbpasswd, but did when using pdbedit. I deleted those two but it made no difference in the results.

>> Problems I see:
>> =======================================
>> samba-tool dbcheck
>> Checking 573 objects
>> Bad talloc magic value - unknown value
>> Aborted
>>
>
> This is a serious issue in our code. I'm working on it, but if you
> could save that DB aside, I would like you to run a new Samba branch on
> it if you can, to see if we can instead give a good error or confirm
> I've addressed the issue.

No problem, be happy to do this. Also I'm pretty sure I can recreate this problem just by running the migration again.

Chris
On Mon, Mar 7, 2016 at 4:38 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> Also just check you have the unix users and groups that you are trying
> to upgrade.

Do the mapped unix groups need to be added to the new host before attempting the upgrade? There is nothing in the docs regarding that. Am I mistaken in thinking that the AD does not rely on matching or mapped unix groups and users?

Here's the first two "errors" on migration:
=========================================
Ignoring group 'Assistants' S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Projects' S-1-5-21-1832519723-2688400599-3493754984-1092 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
=========================================

However the groups do exist on the original PDC host and mapped to unix groups:
=========================================
# net groupmap list
Assistants (S-1-5-21-1832519723-2688400599-3493754984-1891) -> asst
Projects (S-1-5-21-1832519723-2688400599-3493754984-1092) -> projects
...
=========================================

I do not have those unix groups on the new host (but also didn't think they were needed). And the migration did indeed create them in the AD as samba-tool shows:
=========================================
# samba-tool group list
...
Assistants
...
Projects
...
=========================================

And then the user "errors":
=========================================
Exporting users
Ignoring group memberships of 'usernameone' S-1-5-21-1832519723-2688400599-3493754984-1448: Unable to enumerate group memberships, (-1073741724,No such user)
...
=========================================
For 300 users and systems.

Out of approx 300 only 5 PDC users get listed after migration:
=========================================
# samba-tool user list
Administrator
dns-kwad
usernameone
usernametwo
usernamethree
krbtgt
usernamefour
Guest
usernamefive
root
=========================================

However the users and computers are listed as group members:
=========================================
# samba-tool group listmembers 'Domain Users' |wc -l
270
# samba-tool group listmembers 'Domain Computers' |wc -l
35
=========================================

It's important that I keep the same SIDs, secrets, etc. when moving to the new AD structure from the old PDC structure. But either I'm doing something wrong or Samba is not cooperating.

Thanks for your assistance.

Chris
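
Added example, not part of the original thread and not Samba's own code: a Python check that summarizes the "Ignoring ..." lines of a saved classicupgrade log, rejoining status codes split by terminal wrapping and showing each signed code as the unsigned 32-bit NTSTATUS value. The sample log is constructed from lines quoted in the thread; the function names and the `well_known` flag (RID below 1000) are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: lines quoted in the thread, including one whose status
# code was split by terminal wrapping ("-1 073741722").
SAMPLE_LOG = """\
Exporting groups
Ignoring group 'Assistants' S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not found: Unable to enumerate group members, (-1 073741722,No such group)
Ignoring group 'Domain Admins' S-1-5-21-1832519723-2688400599-3493754984-512 listed but then not found: Unable to enumerate group members, ( -1073741722,No such group)
Exporting users
Ignoring group memberships of 'usernameone' S-1-5-21-1832519723-2688400599-3493754984-1448: Unable to enumerate group memberships, (-1073741724 ,No such user)
"""

ENTRY = re.compile(
    r"Ignoring (?P<kind>group memberships of|group) '(?P<name>[^']+)' "
    r"(?P<sid>S-1-[\d-]+).*?\((?P<code>[-\d\s]+),(?P<msg>[^)]*)\)"
)

def to_ntstatus(signed: int) -> str:
    """Show a signed 32-bit status as the usual unsigned hex NTSTATUS."""
    return f"0x{signed & 0xFFFFFFFF:08X}"

def parse_ignored(log: str):
    """Return one dict per 'Ignoring ...' line in a classicupgrade log."""
    rows = []
    for m in ENTRY.finditer(log):
        code = int(re.sub(r"\s+", "", m["code"]))  # undo wrap inside the number
        rid = int(m["sid"].rsplit("-", 1)[1])      # last SID component
        rows.append({
            "kind": "user" if "memberships" in m["kind"] else "group",
            "name": m["name"],
            "rid": rid,
            "well_known": rid < 1000,  # assumption: RIDs below 1000 are predefined
            "ntstatus": to_ntstatus(code),
            "message": m["msg"].strip(),
        })
    return rows

def summarize(rows):
    """Count ignored entries per (kind, ntstatus) pair."""
    return Counter((r["kind"], r["ntstatus"]) for r in rows)

if __name__ == "__main__":
    for row in parse_ignored(SAMPLE_LOG):
        print(row)
    print(summarize(parse_ignored(SAMPLE_LOG)))
```

Run against the full migration output, the per-kind counts can be compared with the totals from `samba-tool user list` and `samba-tool group listmembers` to see which accounts were skipped.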