Srikar Somineni
2017-May-31 16:02 UTC
[Samba] Unable_to_migrate_shares_from_AD_to_file_server
Hi All,
I am trying to migrate shares from my Win2k12 R2 AD server (SJCLAB2.LOCAL) to an Ubuntu 16.04 Samba fileserver present in the same domain. The Samba version is 4.3.11-Ubuntu.
Before migrating shares I was able to successfully join the fileserver to Active Directory.
Below is my Samba server configuration.
#======================= Global Settings ======================
[global]
workgroup = SJCLAB2
security = ADS
realm = SJCLAB2.LOCAL
wins server = SJCLAB2.LOCAL
password server = SJCLAB2.LOCAL
server string = %h server (Samba, Ubuntu)
domain master = no
local master = no
preferred master = no
printcap name = /etc/printcap
load printers = no
dns proxy = no
interfaces = 127.0.0.0/8 ens4
bind interfaces only = yes
log file = /var/log/samba/log.%m
log level = 10
max log size = 1000
panic action = /usr/share/samba/panic-action %d
server role = member server
passdb backend = tdbsam
map untrusted to domain = Yes
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
############ Misc ############
template shell = /bin/bash
client use spnego = yes
client ntlmv2 auth = yes
encrypt passwords = yes
restrict anonymous = 2
idmap config *:backend = tdb
idmap config *:range = 10000-20000
winbind enum users = yes
winbind enum groups = yes
# This way users log in with username instead of username at example.org
winbind use default domain = yes
# Inherit groups in groups
winbind nested groups = yes
winbind refresh tickets = yes
winbind offline logon = true
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = no
[sjc_demouser2] --------------------> Share present on AD and created on file server
browseable = yes
users=@SJCLAB2/administrator
force unknown acl user = yes
writable = yes
create mask = 0700
directory mask = 0770
acl group control = yes
acl check permissions = True
nt acl support = yes
force directory security mode = 770
inherit permissions = yes
inherit acls = yes
inherit owner = no
map acl inherit = yes
path = /home/sjc_demouser2
dos filemode = yes
vfs objects = acl_xattr
After joining I tried to migrate the shares on my AD to the fileserver using "net rpc" while preserving ACLs, with the command below.
#net rpc share migrate shares sjc_demouser2 -U administrator -S sjclab2.local --destination=localhost --acls -v -d=10
After running the above command I got the error "WERR_ACCESS_DENIED".
Below is a snippet of the debug output that was generated.
rpc_api_pipe: host localhost
signed SMB2 message
rpc_read_send: data_to_read: 20
r: struct ncacn_packet
rpc_vers : 0x05 (5)
rpc_vers_minor : 0x00 (0)
ptype : DCERPC_PKT_RESPONSE (2)
pfc_flags : 0x03 (3)
1: DCERPC_PFC_FLAG_FIRST
1: DCERPC_PFC_FLAG_LAST
0: DCERPC_PFC_FLAG_PENDING_CANCEL_OR_HDR_SIGNING
0: DCERPC_PFC_FLAG_CONC_MPX
0: DCERPC_PFC_FLAG_DID_NOT_EXECUTE
0: DCERPC_PFC_FLAG_MAYBE
0: DCERPC_PFC_FLAG_OBJECT_UUID
drep: ARRAY(4)
[0] : 0x10 (16)
[1] : 0x00 (0)
[2] : 0x00 (0)
[3] : 0x00 (0)
frag_length : 0x0024 (36)
auth_length : 0x0000 (0)
call_id : 0x00000008 (8)
u : union dcerpc_payload(case 2)
response: struct dcerpc_response
alloc_hint : 0x0000000c (12)
context_id : 0x0000 (0)
cancel_count : 0x00 (0)
_pad : DATA_BLOB length=1
[0000] 00 .
stub_and_verifier : DATA_BLOB length=12
[0000] 1C 00 02 00 00 00 00 00 05 00 00 00 ........ ....
Got pdu len 36, data_len 12
rpc_api_pipe: got frag len of 36 at offset 0: NT_STATUS_OK
rpc_api_pipe: host localhost returned 12 bytes.
srvsvc_NetShareAdd: struct srvsvc_NetShareAdd
out: struct srvsvc_NetShareAdd
parm_error : *
parm_error : 0x00000000 (0)
result : WERR_ACCESS_DENIED
cannot add share: WERR_ACCESS_DENIED
signed SMB2 message
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
signed SMB2 message
return code = -1
Freeing parametrics:
Later I tried "net rpc share migrate files":
#net rpc share migrate files sjc_demouser2 -U administrator -S sjclab2.local destination=localhost --acls -v -d=10
I observed that I was able to migrate files from my AD share to the fileserver share, but when directories were migrated I got the error "NT_STATUS_REVISION_MISMATCH".
Below is a snippet of the debug output that was generated.
signed SMB2 message
signed SMB2 message
signed SMB2 message
signed SMB2 message
signed SMB2 message
got mask: \*, name: tst
got dir: tst
opening dir \tst on originating server
signed SMB2 message
creating dir \tst on the destination server
signed SMB2 message
signed SMB2 message
cannot check for directory \tst: NT_STATUS_REVISION_MISMATCH
signed SMB2 message
signed SMB2 message
listing \* failed with error: NT_STATUS_REVISION_MISMATCH
could not handle files for share: sjc_demouser2
rpc command function failed! (NT_STATUS_REVISION_MISMATCH)
signed SMB2 message
return code = -1
Freeing parametrics:
Can someone please tell me why I was unable to migrate shares using net rpc and got the error "WERR_ACCESS_DENIED"?
Also, please tell me why I got the error "NT_STATUS_REVISION_MISMATCH" when the migrate files command was run on a share containing directories?
Please excuse me for the lengthy text. Thanks in advance.
Regards,
S.Srikar.
Rowland Penny
2017-May-31 16:29 UTC
[Samba] Unable_to_migrate_shares_from_AD_to_file_server
On Wed, 31 May 2017 21:32:32 +0530 Srikar Somineni via samba <samba at lists.samba.org> wrote:
> [snip]

You seem to have several problems with your smb.conf.

You seem to be trying to put all your users and groups into the '*' domain; this is meant for the BUILTIN users etc.

You have 'unix password sync = yes', why? You cannot have users in /etc/passwd and AD, they have to be in AD, so this line is not required.

You have 'users=@SJCLAB2/administrator' in the share. Administrator is a Windows user and should be mapped to the Unix user 'root' by a user.map, by a line in the [global] part of smb.conf.

You would be better off setting the ACLs on the share from Windows; you wouldn't need all those extraneous lines.

Can I suggest that you spend some time reading the Samba wiki:
https://wiki.samba.org/index.php/Main_Page

Rowland
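The three changes Rowland describes, written out as a member-server smb.conf fragment. This is an added example, not a config from the thread or from the Samba project; the domain name comes from the post, while the idmap ranges and the /etc/samba/user.map path are assumptions.

```ini
# Added example: corrected [global] for the SJCLAB2 member server.
# Ranges and the user.map path are assumptions; adjust to your site.
[global]
    workgroup = SJCLAB2
    realm = SJCLAB2.LOCAL
    security = ADS
    server role = member server

    # Weak (the poster's config): every domain user forced into the '*' range.
    #   idmap config * : backend = tdb
    #   idmap config * : range = 10000-20000
    # Corrected: '*' is only for BUILTIN and other non-domain SIDs; the
    # domain gets its own, non-overlapping range from the rid backend.
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config SJCLAB2 : backend = rid
    idmap config SJCLAB2 : range = 10000-999999

    # Dropped: unix password sync, passwd program, passwd chat and
    # pam password change. Domain accounts live in AD, not /etc/passwd.

    # Map the Windows Administrator account to root once, globally, instead
    # of listing it per share with 'users=@SJCLAB2/administrator'.
    # Contents of /etc/samba/user.map (assumed path), one line; the leading
    # '!' stops any further mapping once it matches:
    #   !root = SJCLAB2\Administrator SJCLAB2\administrator
    username map = /etc/samba/user.map

    winbind use default domain = yes
    winbind refresh tickets = yes

    # Let Windows manage the share ACLs; these two settings are all the
    # filesystem needs to store them as extended attributes.
    vfs objects = acl_xattr
    map acl inherit = yes

# Share with the extraneous ACL/mask settings removed; set permissions
# from Windows (Security tab) after the first connection as Administrator.
[sjc_demouser2]
    path = /home/sjc_demouser2
    writable = yes
```

After restarting smbd and winbind, `getent passwd administrator` should resolve to a UID in the 10000+ rid range (10500 for RID 500); the username map applies only to SMB sessions, so that lookup will not show root.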