On Mon, 2016-11-28 at 14:03 +0000, Rowland Penny via samba wrote:
> On Mon, 28 Nov 2016 14:22:00 +0100
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> 
> > NT4-PDC:
> > 
> > # net groupmap list
> > Domain Users (S-1-5-21-2940660672-4062535256-4144655499-513) -> users
> > Domain-Admins (S-1-5-21-2940660672-4062535256-4144655499-512) -> root
> > Klienten (S-1-5-21-2940660672-4062535256-4144655499-1010) -> klienten
> > 
> > User pl13 is member of group "Domain Users":
> > 
> > # pdbedit -Lv pl13
> > Unix username: pl13
> > NT username:
> > Account Flags: [U ]
> > User SID: S-1-5-21-2940660672-4062535256-4144655499-2026
> > Primary Group SID: S-1-5-21-2940660672-4062535256-4144655499-513
> > 
> > This group seems not to be converted, see server after classic upgrade:
> > 
> > # net groupmap list
> > #
> > 
> > -> no groups
> > 
> > This puts all these users into some new group:
> 
> Yes, and the group is called 'Domain Users' ;-)
> 
> In AD, ALL users are members of 'Domain Users' but are not
> explicitly added to the 'Domain Users' object
> 
> > # pdbedit -L | grep pl
> > 
> > pl01:4294967295:
> > pl02:4294967295:
> > pl03:4294967295:
> > pl04:4294967295:
> > pl05:4294967295:
> > 
> > while on the old server this was:
> > 
> > # pdbedit -L | grep pl | sort
> > 
> > pl01:501:
> > pl02:502:
> > pl03:503:
> > pl04:504:
> > pl05:505:
> > 
> > Am I on the right track here?
> 
> Yes, you have found the reason why most of your users are being
> ignored ;-)
> 
> in the upgrade python code, there is this:
> 
>     if entry['rid'] < 1000:
>         logger.info("  Skipping wellknown rid=%d (for username=%s)", entry['rid'], username)
>         continue
> 
> Which basically means, if the 'RID' is less than '1000', ignore and move
> to next user. What I don't fully understand is why the users are
> getting the '4294967295' number.
> 
> The cure, change all users RIDs to be more than '1000' before the
> upgrade.

G'Day Rowland,

While your comments on the RID < 1000 issue are correct, your
interpretation of the pdbedit output is not correct. That value is not
the RID, but in deference to the smbpasswd file format from long before
you joined Samba, it is the unix UID value for the username specified.
That is probably also why the -1 / 4294967295 values show up, if the
user doesn't exist locally where the tool is being run.

Listing with --verbose will show the full SID, and so the applicable
RID.

Hopefully these are not below 1000, as changing the SID has annoying
implications for profiles and other things.

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
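A small pre-migration check written for this thread (an added example, not Samba's own code or anything posted by the participants) that separates the two things the pdbedit columns were confused about above: it parses constructed `pdbedit -L` and `pdbedit -L --verbose` output, flags accounts whose second field is 4294967295 (no matching local Unix user on the machine running the tool) and, separately, accounts whose User SID ends in a RID below 1000, which classicupgrade skips. The domain SID in the sample is the one from the thread; the usernames, UIDs and RIDs are constructed.

```python
import re

# Constructed sample output shaped like `pdbedit -L` (username:uid:fullname) and
# `pdbedit -L --verbose`; the usernames, UIDs and RIDs are made up, not from the thread.
SAMPLE_LIST = """pl01:4294967295:
pl02:502:
nobody:65534:
"""
SAMPLE_VERBOSE = """Unix username:        pl01
User SID:             S-1-5-21-2940660672-4062535256-4144655499-2002
Unix username:        pl02
User SID:             S-1-5-21-2940660672-4062535256-4144655499-2004
Unix username:        nobody
User SID:             S-1-5-21-2940660672-4062535256-4144655499-501
"""

UID_UNRESOLVED = 2**32 - 1    # -1 printed as unsigned: no local Unix user for the name
WELLKNOWN_RID_LIMIT = 1000    # classicupgrade skips entries with rid < 1000
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def parse_pdbedit_list(text):
    """Map username -> unix uid from `pdbedit -L` output (second colon field)."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1].isdigit():
            users[fields[0]] = int(fields[1])
    return users

def parse_pdbedit_verbose(text):
    """Map username -> RID from `pdbedit -L --verbose` output (last SID component)."""
    rids, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Unix username":
            current = value
        elif key == "User SID" and current:
            match = SID_RE.match(value)
            if match:
                rids[current] = int(match.group(1))
    return rids

def premigration_report(list_text, verbose_text):
    """Return (names with no local uid, names whose RID classicupgrade will skip)."""
    uids = parse_pdbedit_list(list_text)
    rids = parse_pdbedit_verbose(verbose_text)
    unresolved = sorted(u for u, uid in uids.items() if uid == UID_UNRESOLVED)
    skipped = sorted(u for u, rid in rids.items() if rid < WELLKNOWN_RID_LIMIT)
    return unresolved, skipped
```

Run it against real `pdbedit -L` and `pdbedit -L --verbose` output on the NT4-style DC itself, since on a fresh test machine every account without a local passwd entry will show up as unresolved.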
On 2016-11-29 at 09:56, Andrew Bartlett wrote:
> While your comments on the RID < 1000 issue are correct, your
> interpretation of the pdbedit output is not correct. That value is not
> the RID, but in deference to the smbpasswd file format from long before
> you joined Samba, it is the unix UID value for the username specified.
> That is probably also why the -1 / 4294967295 values show up, if the
> user doesn't exist locally where the tool is being run.
> 
> Listing with --verbose will show the full SID, and so the applicable
> RID.
> 
> Hopefully these are not below 1000, as changing the SID has annoying
> implications for profiles and other things.
> 
> I hope this helps,
> 
> Andrew Bartlett

thanks, Andrew

as it dawns on me it is the fact that some of the users there are very
very old. I think we started with samba-2.x there.

As I understand this you point me at:

# pdbedit -L --verbose pl04
Unix username: pl04
[..]
User SID: S-1-5-21-2940660672-4062535256-4144655499-2008
----------------------------------------------------------------^^^^ ?

When I run

# pdbedit -L --verbose | grep "User SID"

I only get one user with that part <1000, and that is "nobody".

-

I think that these "pl??" users there aren't used much anymore, maybe I
can get rid of most of them or simply recreate them after the conversion
(just some minor services related, I hope).

Thanks, Stefan, the "we never had this before" guy ;-)
On Tue, 29 Nov 2016 21:56:21 +1300 Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2016-11-28 at 14:03 +0000, Rowland Penny via samba wrote:
> > On Mon, 28 Nov 2016 14:22:00 +0100
> > "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
> > 
> > > NT4-PDC:
> > > 
> > > # net groupmap list
> > > Domain Users (S-1-5-21-2940660672-4062535256-4144655499-513) -> users
> > > Domain-Admins (S-1-5-21-2940660672-4062535256-4144655499-512) -> root
> > > Klienten (S-1-5-21-2940660672-4062535256-4144655499-1010) -> klienten
> > > 
> > > User pl13 is member of group "Domain Users":
> > > 
> > > # pdbedit -Lv pl13
> > > Unix username: pl13
> > > NT username:
> > > Account Flags: [U ]
> > > User SID: S-1-5-21-2940660672-4062535256-4144655499-2026
> > > Primary Group SID: S-1-5-21-2940660672-4062535256-4144655499-513
> > > 
> > > This group seems not to be converted, see server after classic upgrade:
> > > 
> > > # net groupmap list
> > > #
> > > 
> > > -> no groups
> > > 
> > > This puts all these users into some new group:
> > 
> > Yes, and the group is called 'Domain Users' ;-)
> > 
> > In AD, ALL users are members of 'Domain Users' but are not
> > explicitly added to the 'Domain Users' object
> > 
> > > # pdbedit -L | grep pl
> > > 
> > > pl01:4294967295:
> > > pl02:4294967295:
> > > pl03:4294967295:
> > > pl04:4294967295:
> > > pl05:4294967295:
> > > 
> > > while on the old server this was:
> > > 
> > > # pdbedit -L | grep pl | sort
> > > 
> > > pl01:501:
> > > pl02:502:
> > > pl03:503:
> > > pl04:504:
> > > pl05:505:
> > > 
> > > Am I on the right track here?
> > 
> > Yes, you have found the reason why most of your users are being
> > ignored ;-)
> > 
> > in the upgrade python code, there is this:
> > 
> >     if entry['rid'] < 1000:
> >         logger.info("  Skipping wellknown rid=%d (for username=%s)", entry['rid'], username)
> >         continue
> > 
> > Which basically means, if the 'RID' is less than '1000', ignore and move
> > to next user. What I don't fully understand is why the users are
> > getting the '4294967295' number.
> > 
> > The cure, change all users RIDs to be more than '1000' before the
> > upgrade.
> 
> G'Day Rowland,
> 
> While your comments on the RID < 1000 issue are correct, your
> interpretation of the pdbedit output is not correct. That value is
> not the RID, but in deference to the smbpasswd file format from long
> before you joined Samba, it is the unix UID value for the username
> specified. That is probably also why the -1 / 4294967295 values show
> up, if the user doesn't exist locally where the tool is being run.
> 
> Listing with --verbose will show the full SID, and so the applicable
> RID.
> 
> Hopefully these are not below 1000, as changing the SID has annoying
> implications for profiles and other things.
> 
> I hope this helps,
> 
> Andrew Bartlett

OK, thanks for explaining that, but the users are highly likely not to
exist locally, most people do as the wiki recommends and test the
upgrade on a new machine.

Rowland
On Tue, 2016-11-29 at 10:16 +0100, Stefan G. Weichinger wrote:
> On 2016-11-29 at 09:56, Andrew Bartlett wrote:
> > While your comments on the RID < 1000 issue are correct, your
> > interpretation of the pdbedit output is not correct. That value is not
> > the RID, but in deference to the smbpasswd file format from long before
> > you joined Samba, it is the unix UID value for the username specified.
> > That is probably also why the -1 / 4294967295 values show up, if the
> > user doesn't exist locally where the tool is being run.
> > 
> > Listing with --verbose will show the full SID, and so the applicable
> > RID.
> > 
> > Hopefully these are not below 1000, as changing the SID has annoying
> > implications for profiles and other things.
> > 
> > I hope this helps,
> > 
> > Andrew Bartlett
> 
> thanks, Andrew
> 
> as it dawns on me it is the fact that some of the users there are very
> very old. I think we started with samba-2.x there.
> 
> As I understand this you point me at:
> 
> # pdbedit -L --verbose pl04
> Unix username: pl04
> [..]
> User SID: S-1-5-21-2940660672-4062535256-4144655499-2008
> ----------------------------------------------------------------^^^^ ?
> 
> When I run
> 
> # pdbedit -L --verbose | grep "User SID"
> 
> I only get one user with that part <1000, and that is "nobody".

Good. That user will be replaced by the guest account in AD, so that
should be fine.

> -
> 
> I think that these "pl??" users there aren't used much anymore, maybe I
> can get rid of most of them or simply recreate them after the conversion
> (just some minor services related, I hope).
> 
> Thanks, Stefan, the "we never had this before" guy ;-)

I'll let you choose the way forward for your site, but if you can just
re-create what fails to convert because it is just a service account,
that seems quite reasonable.

In the days of passdb on the NT4-like domain controller, there wasn't
and still isn't any kind of fsck for the database. That means that all
manner of incorrect, odd or unexpected combinations of entries can
persist, without warning or notice. Duplicate SIDs, which is not an
issue you have faced thankfully, are quite common it seems.

I suspect Rowland jumped on the rid < 1000 suggestion quite reasonably
because we have seen that too, but usually just because of confusion
around the Administrator account. (Samba won't normally create such
sids).

When users are transferred to Samba's AD DC, they get put into a quite
strict database. The reason why we strictly suggest migration on an
isolated test network is that this almost never goes smoothly, and
manual intervention is almost always required.

I wish you all the best with your migration.

Andrew Bartlett
-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On 2016-11-29 at 12:10, Rowland Penny via samba wrote:
> OK, thanks for explaining that, but the users are highly likely not to
> exist locally, most people do as the wiki recommends and test the
> upgrade on a new machine.

just a small update:

I replayed the upgrade in my VM but additionally added the users/groups
to /etc/passwd and /etc/group (had them in an extra list anyway as I
migrated servers lately).

Now the classicupgrade runs through much better, only one "no such user"
left -> nice!

-

It fails at wins.dat:

Importing WINS database
ERROR(ldb): uncaught exception - Entry name=PRE01SRV,type=0x00 already exists

If I "grep PRE01SRV wins.dat" I get 2 lines:

"PRE01SRV#20" 1480493288 192.168.16.168 64R
"PRE01SRV#00" 1480493288 192.168.16.168 64R

should I edit this, remove one, if yes, which of them?