Hello,

I need to do a classic migration on a machine which has until now been running samba as an old NT4-style PDC. I made a copy of that machine in a VM to test the process. Until now, things don't work quite right. I was following the classic upgrade howto from wiki.samba.org. I was using the method with internal DNS. Classicupgrade itself ran without errors, I followed the steps after provisioning in the setup guide until the connection test with smbclient:

smbclient -L localhost -U%
session setup failed: NT_STATUS_INTERNAL_ERROR

With log level raised to 5, I can find in log.smbd:

[2017/11/25 16:41:48.248479, 1] ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session setup: NT_STATUS_INTERNAL_ERROR

Turning log level to 10 I get an awful lot of info, including several messages:

Duplicate base-DN matches found for <SID=1-5-11>

These errors also occur during the classicupgrade when run with log level 10. But I can't find anything useful in all these log messages.

I can post full logs if you want, but I'm not going to attach them here due to the size.

I am running Debian 9 with samba 4.5.12. Before you ask, no I cannot upgrade. This is what comes with debian and I will have to stick with it.

Thanks,

Andreas

-------------- next part --------------
[global]
    local master = yes
    domain master = yes
    preferred master = yes
    unix charset = iso8859-15
    workgroup = WG
    interfaces = lo, eth1
    bind interfaces only = yes
    obey pam restrictions = Yes
    passdb backend = tdbsam
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n
    unix password sync = Yes
    logging = syslog file
    log file = /var/log/samba/log.smbd
    max log size = 4000
    log level = 1
    printcap name = /dev/null
    add user script = /usr/sbin/adduser --quiet --disabled-password --force-badname %u
    delete user script = /usr/sbin/deluser --quiet --remove-home %u
    add group script = /usr/sbin/adduser --group --quiet %g
    delete group script = /usr/sbin/deluser --group --quiet %g
    add user to group script = /usr/sbin/adduser --quiet %u %g
    delete user from group script = /usr/sbin/deluser --quiet %u %g
    add machine script = /usr/sbin/adduser --quiet --ingroup machines --shell /bin/false --home /dev/null --no-create-home --disabled-password --force-badname %u
    logon script = netlogon.cmd
    domain logons = Yes
    os level = 65
    dns proxy = No
    wins support = Yes
    ldap ssl = no
    panic action = /usr/share/samba/panic-action %d
    create mask = 0770
    directory mask = 0770
    load printers = no
    printing = bsd
    show add printer wizard = no
    disable spoolss = yes
    usershare max shares = 0

On 25.11.2017 at 16:49, Andreas Heinlein via samba wrote:
> Hello,
>
> I need to do a classic migration on a machine which has until now been
> running samba as an old NT4-style PDC. I made a copy of that machine in
> a VM to test the process. Until now, things don't work quite right. I
> was following the classic upgrade howto from wiki.samba.org. I was using
> the method with internal DNS. Classicupgrade itself ran without errors,
> I followed the steps after provisioning in the setup guide until the
> connection test with smbclient:
>
> smbclient -L localhost -U%
> session setup failed: NT_STATUS_INTERNAL_ERROR
>
> With log level raised to 5, I can find in log.smbd:
>
> [2017/11/25 16:41:48.248479, 1]
> ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
> Failed to generate session_info (user and group token) for session
> setup: NT_STATUS_INTERNAL_ERROR
>
> Turning log level to 10 I get an awful lot of info, including several
> messages:
>
> Duplicate base-DN matches found for <SID=1-5-11>
>
> These errors also occur during the classicupgrade when run with log
> level 10. But I can't find anything useful in all these log messages.
>
> I can post full logs if you want, but I'm not going to attach them here
> due to the size.
>
> I am running Debian 9 with samba 4.5.12. Before you ask, no I cannot
> upgrade. This is what comes with debian and I will have to stick with it.
>
> Thanks,
>
> Andreas

I'd inspect the ldap dump file you use for the classic upgrade and remove the duplicate objects with SID=1-5-11 in that file before running classic upgrade.

On Sat, 25 Nov 2017 16:49:24 +0100 Andreas Heinlein via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I need to do a classic migration on a machine which has until now been
> running samba as an old NT4-style PDC. I made a copy of that machine
> in a VM to test the process. Until now, things don't work quite
> right. I was following the classic upgrade howto from wiki.samba.org.
> I was using the method with internal DNS. Classicupgrade itself ran
> without errors, I followed the steps after provisioning in the setup
> guide until the connection test with smbclient:
>
> smbclient -L localhost -U%
> session setup failed: NT_STATUS_INTERNAL_ERROR

I have just discovered there was a link error on the 'classic upgrade' page (now fixed), it took you to the entire page instead of the relevant section, so how much of the page did you follow?

>
> With log level raised to 5, I can find in log.smbd:
>
> [2017/11/25 16:41:48.248479, 1]
> ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
> Failed to generate session_info (user and group token) for session
> setup: NT_STATUS_INTERNAL_ERROR
>
> Turning log level to 10 I get an awful lot of info, including several
> messages:
>
> Duplicate base-DN matches found for <SID=1-5-11>

This is 'Authenticated Users' and is stored in AD as 'CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=samdom,DC=example,DC=com' and should only be found once.

Rowland
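
Added example, not part of the thread and not Samba's own code: one way to check the "should only be found once" condition above is to group the entries of an LDIF export by objectSid and report any SID held by more than one entry. It assumes the export writes objectSid either as a string or as base64 binary; the sample entries, including the second DN, are constructed.

```python
import base64
import struct
from collections import defaultdict

# Constructed sample LDIF (not from the thread): two entries carry S-1-5-11,
# one as a string SID and one as a base64 binary SID under a folded DN.
SAMPLE_LDIF = """\
dn: CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=samdom,DC=example,DC=com
objectSid: S-1-5-11

dn: CN=Authenticated Users,CN=ForeignSecurityPrincipals,DC=samdom,DC=exam
 ple,DC=com
objectSid:: AQEAAAAAAAULAAAA

dn: CN=S-1-5-9,CN=ForeignSecurityPrincipals,DC=samdom,DC=example,DC=com
objectSid: S-1-5-9
"""

def sid_to_str(raw):
    """Decode a binary SID: revision, count, 48-bit authority, LE sub-authorities."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def unfold(text):
    """Join LDIF continuation lines (one leading space) to the line they continue."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def duplicate_sids(ldif_text):
    """Return {sid: [dn, ...]} for every objectSid held by more than one entry."""
    owners, dn = defaultdict(list), None
    for line in unfold(ldif_text):
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("objectSid:: "):  # base64-encoded binary SID
            owners[sid_to_str(base64.b64decode(line[12:]))].append(dn)
        elif line.startswith("objectSid: "):   # string SID
            owners[line[11:].strip().upper()].append(dn)
    return {sid: dns for sid, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for sid, dns in duplicate_sids(SAMPLE_LDIF).items():
        print(f"{sid} is held by {len(dns)} entries:")
        for entry in dns:
            print("  " + entry)
```
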

Hello,

I just wanted to say that after some hours of digging, I found the problem. It turned out to be quite trivial...

The winbind package was missing on that machine. This is a separate package in Debian; after installing it everything seems to work.

There were two factors that led me to remove winbind at first:

1. The wiki says "Configuring Winbindd on a Samba AD DC - Only required if using the DC as a file server". That is misleading, obviously winbindd itself is actually required.

2. The Debian winbind package has a weird bug that causes it to unconditionally try to start winbindd as a standalone service even on a samba AD DC (https://bugs.debian.org/863285), which obviously fails. I came across that error, tried to start winbindd manually and got a message explaining "server role = 'active directory domain controller' not compatible with running the winbindd binary. You should start 'samba' instead, and it will control starting the internal AD DC winbindd implementation, which is not the same as this one." That too led me to the assumption that a separate winbind package is now no longer needed and I could remove it.

Only after looking through the logs again, I found the message that samba failed to start /usr/sbin/winbindd, which is in the winbind package.

So the actual problem is now gone, but maybe someone wants to look into these potentially misleading messages.

Thank you for your help!

Andreas

On Wed, 29 Nov 2017 18:57:53 +0100 Andreas Heinlein via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I just wanted to say that after some hours of digging, I found the
> problem. It turned out to be quite trivial...
>
> The winbind package was missing on that machine. This is a separate
> package in Debian; after installing it everything seems to work.

Debian used to install the winbind package when you installed the 'samba' package, you now need to install it separately.

>
> There were two factors that led me to remove winbind at first:
> 1. The wiki says "Configuring Winbindd on a Samba AD DC - Only
> required if using the DC as a file server". That is misleading,
> obviously winbindd itself is actually required.

You are confusing setting up 'winbindd' with installing the winbind package.

> 2. The Debian winbind package has a weird bug that causes it to
> unconditionally try to start winbindd as a standalone service even on
> a samba AD DC (https://bugs.debian.org/863285), which obviously
> fails. I came across that error, tried to start winbindd manually and
> got a message explaining "server role = 'active directory domain
> controller' not compatible with running the winbindd binary. You
> should start 'samba' instead, and it will control starting the
> internal AD DC winbindd implementation, which is not the same as this
> one." That too led me to the assumption that a separate winbind
> package is now no longer needed and I could remove it.

Debian needs to deal with its bug, it also needs to update that message, samba no longer starts its internal winbind (I think it has been removed), it starts the separate 'winbindd' daemon, this is why you need the winbind package.

>
> Only after looking through the logs again, I found the message that
> samba failed to start /usr/sbin/winbindd, which is in the winbind
> package.
>
> So the actual problem is now gone, but maybe someone wants to look
> into these potentially misleading messages.
>

The Samba wiki is mainly written around using a self compiled Samba and not on a package install, but you have made a few valid points, so I will look into updating the wiki.

Rowland