On Mon, Mar 7, 2016 at 4:38 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> Also just check you have the unix users and groups that you are trying
> to upgrade.

Do the mapped unix groups need to be added to the new host before attempting the upgrade? There is nothing in the docs regarding that. Am I mistaken in thinking that the AD does not rely on matching or mapped unix groups and users?

Here's the first two "errors" on migration:
=========================================
Ignoring group 'Assistants' S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
Ignoring group 'Projects' S-1-5-21-1832519723-2688400599-3493754984-1092 listed but then not found: Unable to enumerate group members, (-1073741722,No such group)
=========================================

However the groups do exist on the original PDC host and mapped to unix groups:
=========================================
# net groupmap list
Assistants (S-1-5-21-1832519723-2688400599-3493754984-1891) -> asst
Projects (S-1-5-21-1832519723-2688400599-3493754984-1092) -> projects
...
=========================================

I do not have those unix groups on the new host (but also didn't think they were needed). And the migration did indeed create them in the AD as samba-tool shows:
=========================================
# samba-tool group list
...
Assistants
...
Projects
...
=========================================

And then the user "errors":
=========================================
Exporting users
Ignoring group memberships of 'usernameone' S-1-5-21-1832519723-2688400599-3493754984-1448: Unable to enumerate group memberships, (-1073741724,No such user)
...
=========================================
For 300 users and systems.

Out of approx 300 only 5 PDC users get listed after migration:
=========================================
# samba-tool user list
Administrator
dns-kwad
usernameone
usernametwo
usernamethree
krbtgt
usernamefour
Guest
usernamefive
root
=========================================

However the users and computers are listed as group members:
=========================================
# samba-tool group listmembers 'Domain Users' |wc -l
270
# samba-tool group listmembers 'Domain Computers' |wc -l
35
=========================================

It's important that I keep the same SIDs, secrets, etc. when moving to the new AD structure from the old PDC structure. But either I'm doing something wrong or Samba is not cooperating.

Thanks for your assistance.

Chris
On 18/03/16 14:31, Sonic wrote:
> On Mon, Mar 7, 2016 at 4:38 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>> Also just check you have the unix users and groups that you are trying
>> to upgrade.
> Do the mapped unix groups need to be added to the new host before
> attempting the upgrade? There is nothing in the docs regarding that.

No, I am sure you don't have to create any Unix groups, all your groups etc. should end up in AD.

> Am I mistaken in thinking that the AD does not rely on matching or
> mapped unix groups and users?

There isn't really such a concept as mapped in AD. (Except of course for Administrator)

> Here's the first two "errors" on migration:
> =========================================
> Ignoring group 'Assistants'
> S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not
> found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Projects'
> S-1-5-21-1832519723-2688400599-3493754984-1092 listed but then not
> found: Unable to enumerate group members, (-1073741722,No such group)
> =========================================
>
> However the groups do exist on the original PDC host and mapped to unix groups:
> =========================================
> # net groupmap list
> Assistants (S-1-5-21-1832519723-2688400599-3493754984-1891) -> asst
> Projects (S-1-5-21-1832519723-2688400599-3493754984-1092) -> projects
> ...
> =========================================

I wonder if this is your problem? The Domain group is found and checked for users and none are found, could this be because the users are actually members of the Unix group that is mapped to the Samba group, i.e. the Samba group has no members.

> I do not have those unix groups on the new host (but also didn't think
> they were needed). And the migration did indeed create them in the AD
> as samba-tool shows:
> =========================================
> # samba-tool group list
> ...
> Assistants
> ...
> Projects
> ...
> =========================================
>
> And then the user "errors":
> =========================================
> Exporting users
> Ignoring group memberships of 'usernameone'
> S-1-5-21-1832519723-2688400599-3493754984-1448: Unable to enumerate group
> memberships, (-1073741724
> ,No such user)
> ...
> =========================================
> For 300 users and systems.
>
> Out of approx 300 only 5 PDC users get listed after migration:
> =========================================
> # samba-tool user list
> Administrator
> dns-kwad
> usernameone
> usernametwo
> usernamethree
> krbtgt
> usernamefour
> Guest
> usernamefive
> root
> =========================================
>
> However the users and computers are listed as group members:
> =========================================
> # samba-tool group listmembers 'Domain Users' |wc -l
> 270
> # samba-tool group listmembers 'Domain Computers' |wc -l
> 35
> =========================================
>
> It's important that I keep the same SIDs, secrets, etc. when moving to
> the new AD structure from the old PDC structure.
> But either I'm doing something wrong or Samba is not cooperating.
>
> Thanks for your assistance.
>
> Chris

I wonder if it would work, if you add the users to the relevant Samba group not the mapped group ???

Rowland
On Fri, Mar 18, 2016 at 12:01 PM, Rowland penny <rpenny at samba.org> wrote:
> The Domain group is found and checked for users and none are found, could
> this be because the users are actually members of the Unix group that is
> mapped to the Samba group i.e the Samba group has no members.

Correct me if I'm wrong but in the old PDC world Samba users and groups were all members of the underlying Unix system. You couldn't add a user to Samba unless they existed as a Unix user. Similarly with groups. And groupmap mapped Samba groups to Unix groups. So in the case shown the domain group "Assistants" is mapped to the Unix group "asst". Perfectly normal. And adding any user using 'nix tools to the 'nix group makes them members of the mapped Samba Domain group as well - isn't this the point of group mapping?

In the original PDC the Samba Domain group "Assistants" clearly exists, as well as its mapped 'nix counterpart "asst". And every member of "asst" is automatically a member of "Assistants" due to the group mapping. And indeed on the PDC:
=========================================
# net rpc user info usernameX
Accounting
Assistants
Domain Users
Print Operators
Office
Projects
=========================================
clearly shows any usernameX as a member of their respective domain groups (due to group mapping).

So why does the migration report it ignores these groups? Yet they do actually exist after the migration. However, they have no members:
=========================================
# samba-tool group listmembers 'Assistants' |wc -l
0
=========================================
All of the ignored groups do get migrated, yet even though they all have members in the PDC none of them have any members after the migration.

BTW, I think that "samba-tool group listmembers NONEXISTENTGROUP" should output that the group doesn't exist.

And, as posted earlier, why do I appear to have all of the users in the "Domain Users" and "Domain Computers" groups:
=========================================
# samba-tool group listmembers 'Domain Users' |wc -l
270
# samba-tool group listmembers 'Domain Computers' |wc -l
35
=========================================
and yet only 5 shown (username*) using the following command.
=========================================
# samba-tool user list
Administrator
dns-kwad
usernameone
usernametwo
usernamethree
krbtgt
usernamefour
Guest
usernamefive
root
=========================================

What are the ramifications of the above? When is a user not a user? What does it mean to be a member of "Domain Users" yet not listed in the Samba user list after the migration? And most of all what is the fix or workaround?

Thanks again.

Chris
On Fri, 2016-03-18 at 10:31 -0400, Sonic wrote:
> On Mon, Mar 7, 2016 at 4:38 PM, Andrew Bartlett <abartlet at samba.org>
> wrote:
> > Also just check you have the unix users and groups that you are
> > trying
> > to upgrade.
>
> Do the mapped unix groups need to be added to the new host before
> attempting the upgrade? There is nothing in the docs regarding that.
> Am I mistaken in thinking that the AD does not rely on matching or
> mapped unix groups and users?

Yes. You are correct to understand that Samba AD does not rely on matching mapped unix groups, but the classicupgrade process relies on being able to find the information about the OLD unix groups, otherwise it can't upgrade them!

> Here's the first two "errors" on migration:
> =========================================
> Ignoring group 'Assistants'
> S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not
> found: Unable to enumerate group members, (-1073741722,No such group)
> Ignoring group 'Projects'
> S-1-5-21-1832519723-2688400599-3493754984-1092 listed but then not
> found: Unable to enumerate group members, (-1073741722,No such group)
> =========================================
>
> However the groups do exist on the original PDC host and mapped to
> unix groups:
> =========================================
> # net groupmap list
> Assistants (S-1-5-21-1832519723-2688400599-3493754984-1891) -> asst
> Projects (S-1-5-21-1832519723-2688400599-3493754984-1092) -> projects
> ...
> =========================================
>
> I do not have those unix groups on the new host (but also didn't
> think
> they were needed). And the migration did indeed create them in the AD
> as samba-tool shows:
> =========================================
> # samba-tool group list
> ...
> Assistants
> ...
> Projects
> ...
> =========================================
>
> And then the user "errors":
> =========================================
> Exporting users
> Ignoring group memberships of 'usernameone'
> S-1-5-21-1832519723-2688400599-3493754984-1448: Unable to enumerate
> group
> memberships, (-1073741724
> ,No such user)
> ...
> =========================================
> For 300 users and systems.

Exactly. Think about it a little - how can it determine the group membership, if the users/groups do not exist locally on the host doing the migration?

> Out of approx 300 only 5 PDC users get listed after migration:
> =========================================
> # samba-tool user list
> Administrator
> dns-kwad
> usernameone
> usernametwo
> usernamethree
> krbtgt
> usernamefour
> Guest
> usernamefive
> root
> =========================================
>
> However the users and computers are listed as group members:
> =========================================
> # samba-tool group listmembers 'Domain Users' |wc -l
> 270
> # samba-tool group listmembers 'Domain Computers' |wc -l
> 35
> =========================================

This is expected.

> It's important that I keep the same SIDs, secrets, etc. when moving to
> the new AD structure from the old PDC structure.
> But either I'm doing something wrong or Samba is not cooperating.
>
> Thanks for your assistance.

In short, Samba has many features, but not a crystal ball. The information to do the upgrade needs to be present to do the upgrade. Samba3 mapped groups are really that - mapped from the posix group information, so Samba's databases don't contain member info. That means we need the underlying unix info to be able to fill in those details.

You are welcome to do the upgrade on one host, and then backup the DB and restore it on another (with the same hostname), if you don't want to put the unix groups there for the duration of the upgrade.

The only exception here is upgrading sites with the passdb ldap backend. There we use a trick the passdb code already had (ldapsam:trusted=yes) to read the posix info over LDAP directly, to try and make this a little easier.

Perhaps work with Rowland to add some clarifying text to the wiki?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
On 18/03/16 18:39, Andrew Bartlett wrote:
> On Fri, 2016-03-18 at 10:31 -0400, Sonic wrote:
>> On Mon, Mar 7, 2016 at 4:38 PM, Andrew Bartlett <abartlet at samba.org>
>> wrote:
>>> Also just check you have the unix users and groups that you are
>>> trying
>>> to upgrade.
>> Do the mapped unix groups need to be added to the new host before
>> attempting the upgrade? There is nothing in the docs regarding that.
>> Am I mistaken in thinking that the AD does not rely on matching or
>> mapped unix groups and users?
> Yes. You are correct to understand that Samba AD does not rely on
> matching mapped unix groups, but the classicupgrade process relies on
> being able to find the information about the OLD unix groups, otherwise
> it can't upgrade them!
>
>> Here's the first two "errors" on migration:
>> =========================================
>> Ignoring group 'Assistants'
>> S-1-5-21-1832519723-2688400599-3493754984-1891 listed but then not
>> found: Unable to enumerate group members, (-1073741722,No such group)
>> Ignoring group 'Projects'
>> S-1-5-21-1832519723-2688400599-3493754984-1092 listed but then not
>> found: Unable to enumerate group members, (-1073741722,No such group)
>> =========================================
>>
>> However the groups do exist on the original PDC host and mapped to
>> unix groups:
>> =========================================
>> # net groupmap list
>> Assistants (S-1-5-21-1832519723-2688400599-3493754984-1891) -> asst
>> Projects (S-1-5-21-1832519723-2688400599-3493754984-1092) -> projects
>> ...
>> =========================================
>>
>> I do not have those unix groups on the new host (but also didn't
>> think
>> they were needed). And the migration did indeed create them in the AD
>> as samba-tool shows:
>> =========================================
>> # samba-tool group list
>> ...
>> Assistants
>> ...
>> Projects
>> ...
>> =========================================
>>
>> And then the user "errors":
>> =========================================
>> Exporting users
>> Ignoring group memberships of 'usernameone'
>> S-1-5-21-1832519723-2688400599-3493754984-1448: Unable to enumerate
>> group
>> memberships, (-1073741724
>> ,No such user)
>> ...
>> =========================================
>> For 300 users and systems.
> Exactly. Think about it a little - how can it determine the group
> membership, if the users/groups do not exist locally on the host doing
> the migration?
>
>> Out of approx 300 only 5 PDC users get listed after migration:
>> =========================================
>> # samba-tool user list
>> Administrator
>> dns-kwad
>> usernameone
>> usernametwo
>> usernamethree
>> krbtgt
>> usernamefour
>> Guest
>> usernamefive
>> root
>> =========================================
>>
>> However the users and computers are listed as group members:
>> =========================================
>> # samba-tool group listmembers 'Domain Users' |wc -l
>> 270
>> # samba-tool group listmembers 'Domain Computers' |wc -l
>> 35
>> =========================================
> This is expected.
>
>> It's important that I keep the same SIDs, secrets, etc. when moving to
>> the new AD structure from the old PDC structure.
>> But either I'm doing something wrong or Samba is not cooperating.
>>
>> Thanks for your assistance.
> In short, Samba has many features, but not a crystal ball. The
> information to do the upgrade needs to be present to do the upgrade.
> Samba3 mapped groups are really that - mapped from the posix group
> information, so Samba's databases don't contain member info. That
> means we need the underlying unix info to be able to fill in those
> details.
>
> You are welcome to do the upgrade on one host, and then backup the DB
> and restore it on another (with the same hostname), if you don't want
> to put the unix groups there for the duration of the upgrade.
>
> The only exception here is upgrading sites with the passdb ldap
> backend. There we use a trick the passdb code already had
> (ldapsam:trusted=yes) to read the posix info over LDAP directly, to try
> and make this a little easier.
>
> Perhaps work with Rowland to add some clarifying text to the wiki?
>
> Thanks,
>
> Andrew Bartlett
>

I have never had to run the classicupgrade, so I had to guess from the error messages, and it sounds like I sort of got it right: the upgrade has to be able to read all user and group databases.

Andrew, could the upgrade code be made to read copies of /etc/passwd & /etc/group from the original Samba machine, and if so, would it help in cases like this?

I am more than willing to help with updating the wiki.

Rowland
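Andrew's explanation (the host running classicupgrade must be able to resolve the old PDC's unix users and groups locally, or the migration reports "No such group" / "No such user" and drops the memberships) and Rowland's suggestion of copying /etc/passwd and /etc/group from the old machine both point to a pre-flight check. The script below is an added example, not code from this thread or from the Samba project: it reads the `net groupmap list` output captured on the old PDC (format as quoted above, `Name (SID) -> unixgroup`) and checks every mapped unix group, and every member of that group, against the group and passwd files on the host that will do the upgrade. The function names, file layout and sample data are assumptions; the sample mappings reuse the two groups quoted in the thread.

```shell
#!/bin/sh
# Pre-flight check before samba-tool domain classicupgrade (added example,
# not part of Samba). Every unix group named in the old PDC's
# `net groupmap list` output, and every member of that group, must exist
# in the group/passwd databases on the host doing the upgrade.

# check_groupmap GROUPMAP_FILE [GROUP_FILE] [PASSWD_FILE]
# Prints "ok group ..." / "MISSING group ..." / "MISSING user ..." lines.
# Returns 0 if everything resolves, 1 if anything is missing.
check_groupmap() {
    groupmap_file=$1
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}
    rc=0
    while IFS= read -r line; do
        # Skip blank lines and the "..." the thread used to elide output
        case $line in ''|'...') continue ;; esac
        # "Assistants (S-1-5-21-...-1891) -> asst" -> "Assistants" / "asst"
        samba_group=$(printf '%s\n' "$line" | sed 's/ (S-1-5-[0-9-]*) -> .*$//')
        unix_group=$(printf '%s\n' "$line" | sed 's/^.* -> //')
        # Exact match on the group name field of the group file
        entry=$(awk -F: -v g="$unix_group" '$1 == g {print; exit}' "$group_file")
        if [ -z "$entry" ]; then
            echo "MISSING group $samba_group -> $unix_group"
            rc=1
            continue
        fi
        echo "ok group $samba_group -> $unix_group"
        # Field 4 of a group entry is the comma-separated member list;
        # each member must exist as a unix user on this host too
        members=$(printf '%s\n' "$entry" | cut -d: -f4)
        old_ifs=$IFS
        IFS=,
        set -- $members
        IFS=$old_ifs
        for member in "$@"; do
            if ! awk -F: -v u="$member" '$1 == u {found=1} END {exit !found}' "$passwd_file"; then
                echo "MISSING user $member (member of $unix_group)"
                rc=1
            fi
        done
    done < "$groupmap_file"
    return $rc
}

# write_sample_data DIR: constructed sample files (not a real host's data).
# The "projects" group and the user "usernametwo" are deliberately absent
# so the check reports them.
write_sample_data() {
    dir=$1
    printf '%s\n' \
        'Assistants (S-1-5-21-1832519723-2688400599-3493754984-1891) -> asst' \
        'Projects (S-1-5-21-1832519723-2688400599-3493754984-1092) -> projects' \
        > "$dir/groupmap.txt"
    printf '%s\n' 'asst:x:10001:usernameone,usernametwo' > "$dir/group"
    printf '%s\n' 'usernameone:x:20001:10001::/home/usernameone:/bin/sh' > "$dir/passwd"
}

# Demonstration on the constructed sample; on a real migration pass
# groupmap.txt from the PDC and the new host's /etc/group and /etc/passwd.
sample_dir=$(mktemp -d)
write_sample_data "$sample_dir"
if check_groupmap "$sample_dir/groupmap.txt" "$sample_dir/group" "$sample_dir/passwd"; then
    echo "all mapped groups and their members resolve on this host"
else
    echo "create the MISSING groups/users on this host before running classicupgrade"
fi
rm -rf "$sample_dir"
```

Usage on a real migration: run `net groupmap list > groupmap.txt` on the old PDC, copy the file to the new host, and run `check_groupmap groupmap.txt /etc/group /etc/passwd` there (or point it at the copied /etc/group and /etc/passwd from the old machine to see what has to be recreated). On the sample data it prints `ok group Assistants -> asst`, `MISSING user usernametwo (member of asst)` and `MISSING group Projects -> projects` and returns 1; once every line is `ok` the upgrade host has the posix information Andrew says classicupgrade needs to fill in group membership.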
On Fri, Mar 18, 2016 at 2:39 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> Exactly. Think about it a little - how can it determine the group
> membership, if the users/groups do not exist locally on the host doing
> the migration?

To clarify then: Do I need both the users and groups on the new host as they are on the old host, or just the groups? Is there any constraint that the GIDs and/or UIDs need to be the same on the new host? Once the migration is done can I then remove the added 'nix groups and/or users with no ill effects?

Thank you,

Chris