On Fri, Mar 18, 2016 at 4:04 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> The upgrade code assumes you run on the same host. I realise now that
> folks doing an upgrade use that as an opportunity to upgrade hardware,
> and keep old systems as fallbacks, so the assumptions cause trouble.
>
> Make the new host identical in terms of the data needed to upgrade
> (users/groups/samba databases) upgrade and then remove the posix
> users/groups and use nss_winbind instead.

Some progress has been made.
After adding the groups and users to the new host I still received the
errors "Exporting groups" until I matched the GIDs. So that's a
necessity.

The problem I'm getting seems to revolve around the "Print Operators"
account and causes the migration to crash:
===========================
Importing idmap database
Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
Adding groups
Importing groups
Could not add group name=Print Operators ((68, "samldb: Account name (sAMAccountName) 'Print Operators' already in use!"))
Could not modify AD idmap entry for sid=S-1-5-21-1832519723-2688400599-3493754984-550, id=449, type=ID_TYPE_GID ((32, "Base-DN '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
Could not add posix attrs for AD entry for sid=S-1-5-21-1832519723-2688400599-3493754984-550, ((32, "Base-DN '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-514, groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-513, groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Group already exists sid=S-1-5-21-1832519723-2688400599-3493754984-515, groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
Committing 'add groups' transaction to disk
Adding users
Importing users
User root has been kept in the directory, it should be removed in favour of the Administrator user
Committing 'add users' transaction to disk
Adding users to groups
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: Could not add member 'S-1-5-21-1832519723-2688400599-3493754984-1000' to group 'S-1-5-21-1832519723-2688400599-3493754984-550' as either group or user record doesn't exist: Base-DN '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 1565, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py", line 824, in upgrade_from_samba3
    add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py", line 317, in add_users_to_group
    raise ProvisioningError("Could not add member '%s' to group '%s' as either group or user record doesn't exist: %s" % (member_sid, group.sid, emsg))
===========================

I don't think the missing idmap (simply don't have one) database is an issue.
But the 3 lines after "Importing groups" having to do with the "Print
Operators" group are possible issues.
And then the ERROR (uncaught exception) after an attempt to add a user
to said "Print Operators" group.

As "Print Operators" is listed as a BUILTIN in the AD scheme this may
have something to do with the problem.

Any ideas?

Thanks,

Chris

On 19/03/16 17:16, Sonic wrote:
> On Fri, Mar 18, 2016 at 4:04 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>> The upgrade code assumes you run on the same host. I realise now that
>> folks doing an upgrade use that as an opportunity to upgrade hardware,
>> and keep old systems as fallbacks, so the assumptions cause trouble.
>>
>> Make the new host identical in terms of the data needed to upgrade
>> (users/groups/samba databases) upgrade and then remove the posix
>> users/groups and use nss_winbind instead.
> Some progress has been made.
> After adding the groups and users to the new host I still received the
> errors "Exporting groups" until I matched the GIDs. So that's a
> necessity.
>
> The problem I'm getting seems to revolve around the "Print Operators"
> account and causes the migration to crash:
> ===========================
> Importing idmap database
> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
> Adding groups
> Importing groups
> Could not add group name=Print Operators ((68, "samldb: Account name
> (sAMAccountName) 'Print Operators' already in use!"))
> Could not modify AD idmap entry for
> sid=S-1-5-21-1832519723-2688400599-3493754984-550, id=449,
> type=ID_TYPE_GID ((32, "Base-DN
> '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
> Could not add posix attrs for AD entry for
> sid=S-1-5-21-1832519723-2688400599-3493754984-550, ((32, "Base-DN
> '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found"))
> Group already exists
> sid=S-1-5-21-1832519723-2688400599-3493754984-512, groupname=Domain
> Admins existing_groupname=Domain Admins, Ignoring.
> Group already exists
> sid=S-1-5-21-1832519723-2688400599-3493754984-514, groupname=Domain
> Guests existing_groupname=Domain Guests, Ignoring.
> Group already exists
> sid=S-1-5-21-1832519723-2688400599-3493754984-513, groupname=Domain
> Users existing_groupname=Domain Users, Ignoring.
> Group already exists
> sid=S-1-5-21-1832519723-2688400599-3493754984-515, groupname=Domain
> Computers existing_groupname=Domain Computers, Ignoring.
> Committing 'add groups' transaction to disk
> Adding users
> Importing users
> User root has been kept in the directory, it should be removed in
> favour of the Administrator user
> Committing 'add users' transaction to disk
> Adding users to groups
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
> - ProvisioningError: Could not add member
> 'S-1-5-21-1832519723-2688400599-3493754984-1000' to group
> 'S-1-5-21-1832519723-2688400599-3493754984-550' as either group or
> user record doesn't exist: Base-DN
> '<SID=S-1-5-21-1832519723-2688400599-3493754984-550>' not found
> File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 176, in _run
> return self.run(*args, **kwargs)
> File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
> line 1565, in run
> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
> File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py",
> line 824, in upgrade_from_samba3
> add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
> File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py",
> line 317, in add_users_to_group
> raise ProvisioningError("Could not add member '%s' to group '%s'
> as either group or user record doesn't exist: %s" % (member_sid,
> group.sid, emsg))
> ===========================
>
> I don't think the missing idmap (simply don't have one) database is an issue.
> But the 3 lines after "Importing groups" having to do with the "Print
> Operators" group are possible issues.
> And then the ERROR (uncaught exception) after an attempt to add a user
> to said "Print Operators" group.
>
> As "Print Operators" is listed as a BUILTIN in the AD scheme this may
> have something to do with the problem.
>
> Any ideas?
>
> Thanks,
>
> Chris

Do you have a group 'Print Operators' in your old system with the
SID-RID of 'S-1-5-21-1832519723-2688400599-3493754984-550' ?

If so, this could be your problem, in AD the SID-RID is 'S-1-5-32-550'

Rowland

On Sat, Mar 19, 2016 at 1:40 PM, Rowland penny <rpenny at samba.org> wrote:
> Do you have a group 'Print Operators' in your old system with the
> SID-RID of 'S-1-5-21-1832519723-2688400599-3493754984-550' ?

Yes.

> If so, this could be your problem, in AD the SID-RID is 'S-1-5-32-550'

Maybe I can delete that group and then bring the files over to the new
host. Although not sure of the impact on the in use host.

Chris

On Sat, 2016-03-19 at 13:16 -0400, Sonic wrote:
>
> As "Print Operators" is listed as a BUILTIN in the AD scheme this may
> have something to do with the problem.
>
> Any ideas?

Exactly. Anything already defined in AD needs to be skipped. Usually
the script does this, but sometimes the name is used in the upgraded
database, but with the wrong sid (typically RID > 1000), and so the
migration fails.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
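
A pre-flight check for the collision discussed in this thread, added here as an example; it is not code from any poster or from Samba's upgrade script. It assumes the old server's group mappings were saved in the `NT name (SID) -> unix group` form printed by `net groupmap list`; the function name and the sample input are constructed for illustration.

```python
import re

# Well-known BUILTIN aliases that an AD provision already creates under
# S-1-5-32 (names and RIDs are fixed by Windows, not by this domain).
BUILTIN_RIDS = {
    "administrators": 544, "users": 545, "guests": 546,
    "account operators": 548, "server operators": 549,
    "print operators": 550, "backup operators": 551, "replicator": 552,
}

# One mapping per line: NT name (SID) -> unix group
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-[\d-]+)\) -> (?P<unix>.+)$")


def find_builtin_conflicts(groupmap_text):
    """Return (name, sid, expected_sid) for every mapped group whose name is
    a BUILTIN alias in AD but whose SID is not the S-1-5-32 one."""
    conflicts = []
    for line in groupmap_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        rid = BUILTIN_RIDS.get(m.group("name").lower())
        if rid is None:
            continue  # not a name AD reserves for a builtin alias
        expected = "S-1-5-32-%d" % rid
        if m.group("sid") != expected:
            conflicts.append((m.group("name"), m.group("sid"), expected))
    return conflicts


# Constructed sample input. The domain SID is the one in the log above;
# the unix group names on the right are made up.
SAMPLE = """\
Domain Admins (S-1-5-21-1832519723-2688400599-3493754984-512) -> domadmins
Domain Users (S-1-5-21-1832519723-2688400599-3493754984-513) -> domusers
Print Operators (S-1-5-21-1832519723-2688400599-3493754984-550) -> lpadmin
Administrators (S-1-5-32-544) -> root
"""

if __name__ == "__main__":
    for name, sid, expected in find_builtin_conflicts(SAMPLE):
        print("%s: mapped to %s, AD has it at %s" % (name, sid, expected))
```

Any group it reports is one the import will reject with "already in use", after which membership additions against the old SID fail as in the traceback above.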