I am trying to do a classicupgrade. (This is not my 1st try; I went through it once already, then I deleted all data and am trying it again, with questions now.)

Command

samba-tool domain classicupgrade --dbdir=/etc/samba.PDC/ --realm=ad.nemuh.cz --dns-backend=BIND9_DLZ /etc/samba.PDC/smb.PDC.conf

Problem a)

...
init_sam_from_ldap: Entry found for user: pc0027$
init_sam_from_ldap: Failed to find Unix account for pc0027$
ldapsam_getsampwnam: init_sam_from_ldap failed for user 'pc0027$'!
ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user information for 'pc0027$', (-1073741724,The specified account does not exist.)
  File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 1636, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/upgrade.py", line 568, in upgrade_from_samba3
    user = s3db.getsampwnam(username)

The machine LDAP data:

# pc0027$, machines, nspuh.cz
dn: uid=pc0027$,ou=machines,dc=nspuh,dc=cz
uid: pc0027$
objectClass: account
objectClass: sambaSamAccount
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W ]
sambaPwdCanChange: 1158129830
sambaPwdLastSet: 1158129830
displayName: PC0027$
sambaSID: S-1-5-21-..numbers here...-45023

When I delete this machine from LDAP, the problem occurs with another computer, and with another... I finally deleted all machine/computer accounts from LDAP to be able to process users. What's wrong with the machine accounts?

b) After upgrade, a lot of imported users in AD have "account disabled". One of them, as far as I can remember, was user "anger":

dn: uid=anger,ou=People,dc=nspuh,dc=cz
objectClass: shadowAccount
objectClass: person
objectClass: inetOrgPerson
objectClass: OXUserObject
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
uid: anger
shadowMin: 0
shadowMax: 9999
shadowWarning: 7
shadowExpire: 0
cn: anger
preferredLanguage: EN
userCountry: Czech Republic
mailEnabled: OK
lnetMailAccess: TRUE
OXAppointmentDays: 5
OXGroupID: 500
OXTaskDays: 5
OXTimeZone:: RXVyb3BlL3ByYWd1ZSA
loginShell: /usr/bin/ksh
uidNumber: 270
gidNumber: 20
homeDirectory: /home/anger
sambaSID: S-1-5-21-......-1540
employeeNumber: 114
sambaPwdLastSet: 1344931739
mail: anger at nemuh.cz
mailDomain: nemuh.cz
o: UHN a.s.
description:: WmRlbsSbayBBbmdlcg=
givenName:: WmRlbsSbaw=
sn: ANGER
gecos: MUDr. Zdenek Anger
ou: -

Why is the imported/upgraded account locked?

c) After upgrade, national characters in (probably) user description and givenName are not correctly displayed - there are question marks in the names (in AD administration); every user (with national characters in their name) has the problem. Why?

Thanks,
Michal

On Wednesday, 4 July 2018, 08:55:19 CEST, Michal via samba wrote:
> I am trying to do a classicupgrade. (This is not 1st try, I went
> through it once time already; then I deleted all data and trying it
> again, with questions now.)

Long story. I will try to describe your problem as briefly as possible.

> Command
>
> samba-tool domain classicupgrade --dbdir=/etc/samba.PDC/
> --realm=ad.nemuh.cz --dns-backend=BIND9_DLZ
> /etc/samba.PDC/smb.PDC.conf
>
> Problem a)
> ...
> init_sam_from_ldap: Entry found for user: pc0027$
> init_sam_from_ldap: Failed to find Unix account for pc0027$

1. Error

> ldapsam_getsampwnam: init_sam_from_ldap failed for user 'pc0027$'!
> ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user
> information for 'pc0027$', (-1073741724,The specified account does
> not exist.)

"init_sam_from_ldap" is not able to find expected information for the object 'pc0027$'.

> File
> "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/__
> init__.py", line 176, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/
> domain.py", line 1636, in run
> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
> File
> "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/upgrade.py",
> line 568, in upgrade_from_samba3
> user = s3db.getsampwnam(username)
>
> The machine LDAP data:
> # pc0027$, machines, nspuh.cz
> dn: uid=pc0027$,ou=machines,dc=nspuh,dc=cz
> uid: pc0027$
> objectClass: account
> objectClass: sambaSamAccount
> sambaPwdMustChange: 2147483647
> sambaAcctFlags: [W ]
> sambaPwdCanChange: 1158129830
> sambaPwdLastSet: 1158129830
> displayName: PC0027$
> sambaSID: S-1-5-21-..numbers here...-45023

Objectclass is wrong!

"init_sam_from_ldap" searches for "objectClass: posixAccount"

Your problem is that you are *not* using "objectClass: posixAccount". So your machine objects have no posix attributes. I assume you store the posix stuff in /etc/passwd, shadow and group. This still works today, but has been deprecated for decades.

i.e.
# ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -W -b ou=machines,ou=accounts,dc=europa,dc=xx -s onelevel 'uid=ainf17$'
Enter LDAP Password:
dn: uid=ainf17$,ou=machines,ou=accounts,dc=europa,dc=xx
cn: ainf17$
uid: ainf17$
uidNumber: 10020
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: posixAccount
objectClass: account
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W ]
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-21040
sambaPrimaryGroupSID: S-1-5-21-3958726613-3318811842-4132420312-515
displayName: ainf17$
sambaDomainName: EUROPA
sambaNTPassword: 91883F44E044F4F12A683E4683B2CE9D
sambaPwdLastSet: 1387993516

These attributes must exist:
cn uid uidNumber gidNumber homeDirectory sambaSID

After you have modified your machine objects, you should clean up /etc/passwd. You should also reload all caching daemons.

net cache flush
nscd -i passwd
nscd -i group

Maybe you have more caching daemons, i.e. nslcd or sssd

> When I delete this machine from LDAP, the problem occurs with another
> computer.. and with another.. I finally deleted all machine/computer
> accounts from LDAP to be able to process users. What's wrong with the
> machine accounts?

> b) After upgrade, a lot of imported users in AD have "account
> disabled". One of them, as far as I can remember, was user "anger":
> dn: uid=anger,ou=People,dc=nspuh,dc=cz
> objectClass: shadowAccount
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: OXUserObject
> objectClass: posixAccount
> objectClass: top
> objectClass: sambaSamAccount
> uid: anger
> shadowMin: 0
> shadowMax: 9999
> shadowWarning: 7
> shadowExpire: 0
> cn: anger
> preferredLanguage: EN
> userCountry: Czech Republic
> mailEnabled: OK
> lnetMailAccess: TRUE
> OXAppointmentDays: 5
> OXGroupID: 500
> OXTaskDays: 5
> OXTimeZone:: RXVyb3BlL3ByYWd1ZSA
> loginShell: /usr/bin/ksh
> uidNumber: 270
> gidNumber: 20
> homeDirectory: /home/anger
> sambaSID: S-1-5-21-......-1540
> employeeNumber: 114
> sambaPwdLastSet: 1344931739
> mail: anger at nemuh.cz
> mailDomain: nemuh.cz

See inline comments:

On Tue, 10 Jul 2018 11:01:32 +0200 Harry Jede via samba <samba at lists.samba.org> wrote:
> On Wednesday, 4 July 2018, 08:55:19 CEST, Michal via samba wrote:
> > I am trying to do a classicupgrade. (This is not 1st try, I went
> > through it once time already; then I deleted all data and trying it
> > again, with questions now.)
> Long Story. I will try to describe your problem as short as possible
>
> > Command
> >
> > samba-tool domain classicupgrade --dbdir=/etc/samba.PDC/
> > --realm=ad.nemuh.cz --dns-backend=BIND9_DLZ
> > /etc/samba.PDC/smb.PDC.conf
> >
> > Problem a)
> > ...
> > init_sam_from_ldap: Entry found for user: pc0027$
> > init_sam_from_ldap: Failed to find Unix account for pc0027$
> 1. Error
>
> > ldapsam_getsampwnam: init_sam_from_ldap failed for user 'pc0027$'!
> > ERROR(<class 'passdb.error'>): uncaught exception - Unable to get
> > user information for 'pc0027$', (-1073741724,The specified account
> > does not exist.)
> "init_sam_from_ldap" is not able to find expected information for the
> object 'pc0027$'.
>
> > File
> > "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/__
> > init__.py", line 176, in _run
> > return self.run(*args, **kwargs)
> > File
> > "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/
> > domain.py", line 1636, in run
> > useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
> > File
> > "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/upgrade.py",
> > line 568, in upgrade_from_samba3
> > user = s3db.getsampwnam(username)
> >
> > The machine LDAP data:
> > # pc0027$, machines, nspuh.cz
> > dn: uid=pc0027$,ou=machines,dc=nspuh,dc=cz
> > uid: pc0027$
> > objectClass: account
> > objectClass: sambaSamAccount
> > sambaPwdMustChange: 2147483647
> > sambaAcctFlags: [W ]
> > sambaPwdCanChange: 1158129830
> > sambaPwdLastSet: 1158129830
> > displayName: PC0027$
> > sambaSID: S-1-5-21-..numbers here...-45023
> Objectclass is wrong!
>
> "init_sam_from_ldap" searches for "objectClass: posixAccount"
>
> Your problem is, that you are *not* using "objectClass: posixAccount".
> So your machine objects have no posix attributes. I assume you store
> the posix stuff in /etc/passwd shadow and group. This works until
> today, but is deprecated since decades.

Good point, as you say, he will need the 'posixaccount' objectclass and a 'uidNumber' attribute.

>
> i.e.
> # ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -W -b
> ou=machines,ou=accounts,dc=europa,dc=xx -s onelevel 'uid=ainf17$'
> Enter LDAP Password:
> dn: uid=ainf17$,ou=machines,ou=accounts,dc=europa,dc=xx
> cn: ainf17$
> uid: ainf17$
> uidNumber: 10020
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
> objectClass: posixAccount
> objectClass: account
> objectClass: sambaSamAccount
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaAcctFlags: [W ]
> sambaSID: S-1-5-21-3958726613-3318811842-4132420312-21040
> sambaPrimaryGroupSID:
> S-1-5-21-3958726613-3318811842-4132420312-515
> displayName: ainf17$
> sambaDomainName: EUROPA
> sambaNTPassword: 91883F44E044F4F12A683E4683B2CE9D
> sambaPwdLastSet: 1387993516
>
> These attributes must exist:
> cn uid uidNumber gidNumber homeDirectory sambaSID

Problem is, that is from LDAP; it would be helpful to see what he gets after the upgrade, if anything.

>
>
> After you have modified your machine objects, you should clean
> up /etc/passwd. You should also reload all caching daemons.
> net cache flush

Agreed

> nscd -i passwd
> nscd -i group

Not if 'winbind' is running.

Rowland

On Wednesday, 4 July 2018, 08:55:19 CEST, Michal via samba wrote:

My mailer (kmail) is broken...

> b) After upgrade, a lot of imported users in AD have "account
> disabled". One of them, as far as I can remember, was user "anger":
> dn: uid=anger,ou=People,dc=nspuh,dc=cz
> objectClass: shadowAccount
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: OXUserObject
> objectClass: posixAccount
> objectClass: top
> objectClass: sambaSamAccount
> uid: anger
> shadowMin: 0
> shadowMax: 9999
> shadowWarning: 7
> shadowExpire: 0
> cn: anger
> preferredLanguage: EN
> userCountry: Czech Republic
> mailEnabled: OK
> lnetMailAccess: TRUE
> OXAppointmentDays: 5
> OXGroupID: 500
> OXTaskDays: 5
> OXTimeZone:: RXVyb3BlL3ByYWd1ZSA
> loginShell: /usr/bin/ksh
> uidNumber: 270
> gidNumber: 20
> homeDirectory: /home/anger
> sambaSID: S-1-5-21-......-1540
> employeeNumber: 114
> sambaPwdLastSet: 1344931739
> mail: anger at nemuh.cz
> mailDomain: nemuh.cz
> o: UHN a.s.
> description:: WmRlbsSbayBBbmdlcg=
> givenName:: WmRlbsSbaw=
> sn: ANGER
> gecos: MUDr. Zdenek Anger
> ou: -
>
> Why is imported/upgraded account locked?

I do not know, maybe the "OX..." attributes, maybe the base64 encoded values, maybe something else.

> c) After upgrade, national characters in (probably) user description
> and givenName are not correctly displayed - there a question marks in
> the names (in AD administration), every user (with national
> characters in their names) has the problem.
> Why?

# echo -n WmRlbsSbaw== | base64 -d ;echo
Zdeněk

If an attribute contains non-ASCII characters, its value is base64 encoded.

The field separator in LDIF changes from colon to double colon. Maybe the migration was written by a native English (wo)man. They often do not think that "umlaute" and accents are used.

> Thanks, Michal

--
Regards,
Harry Jede

On Tue, 10 Jul 2018 12:14:15 +0200 Harry Jede via samba <samba at lists.samba.org> wrote:
> > c) After upgrade, national characters in (probably) user description
> > and givenName are not correctly displayed - there a question marks
> > in the names (in AD administration), every user (with national
> > characters in their names) has the problem.
> > Why?
> # echo -n WmRlbsSbaw== | base64 -d ;echo
> Zdeněk
>
> If an attribute contain non ascii characters its value is base64
> encoded.
>
> The field separator in LDIF changes from colon to double colon.
> Maybe the migration is written by a native english (wo)man.

It is my understanding that most of it was written by a native Australian.

> They
> often do not think that "umlaute" and accents are used.

Probably, because we never use them; we just look at the word, mentally remove the 'funny' marks and then pronounce it in English. This may sound nothing like the correct pronunciation ;-)

Rowland

---------- Original e-mail ----------

"
> Problem a)
> ...
> init_sam_from_ldap: Entry found for user: pc0027$
> init_sam_from_ldap: Failed to find Unix account for pc0027$

1. Error

> ldapsam_getsampwnam: init_sam_from_ldap failed for user 'pc0027$'!
> ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user
> information for 'pc0027$', (-1073741724,The specified account does
> not exist.)

"init_sam_from_ldap" is not able to find expected information for the object 'pc0027$'.

> File
> "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/__
> init__.py", line 176, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/
> domain.py", line 1636, in run
> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
> File
> "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/upgrade.py",
> line 568, in upgrade_from_samba3
> user = s3db.getsampwnam(username)
>
> The machine LDAP data:
> # pc0027$, machines, nspuh.cz
> dn: uid=pc0027$,ou=machines,dc=nspuh,dc=cz
> uid: pc0027$
> objectClass: account
> objectClass: sambaSamAccount
> sambaPwdMustChange: 2147483647
> sambaAcctFlags: [W ]
> sambaPwdCanChange: 1158129830
> sambaPwdLastSet: 1158129830
> displayName: PC0027$
> sambaSID: S-1-5-21-..numbers here...-45023

Objectclass is wrong!

"init_sam_from_ldap" searches for "objectClass: posixAccount"

Your problem is, that you are *not* using "objectClass: posixAccount". So your machine objects have no posix attributes. I assume you store the posix stuff in /etc/passwd shadow and group. This works until today, but is deprecated since decades.

i.e.
# ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -W -b ou=machines,ou=accounts,dc=europa,dc=xx -s onelevel 'uid=ainf17$'
Enter LDAP Password:
dn: uid=ainf17$,ou=machines,ou=accounts,dc=europa,dc=xx
cn: ainf17$
uid: ainf17$
uidNumber: 10020
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: posixAccount
objectClass: account
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W ]
sambaSID: S-1-5-21-3958726613-3318811842-4132420312-21040
sambaPrimaryGroupSID: S-1-5-21-3958726613-3318811842-4132420312-515
displayName: ainf17$
sambaDomainName: EUROPA
sambaNTPassword: 91883F44E044F4F12A683E4683B2CE9D
sambaPwdLastSet: 1387993516

These attributes must exist:
cn uid uidNumber gidNumber homeDirectory sambaSID
"

Yes, you're right, I (already) added the machines' posixAccount attribs into LDAP data and classicupgrade was satisfied.

"
> b) After upgrade, a lot of imported users in AD have "account
> disabled". One of them, as far as I can remember, was user "anger":
> dn: uid=anger,ou=People,dc=nspuh,dc=cz
> objectClass: shadowAccount
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: OXUserObject
> objectClass: posixAccount
> objectClass: top
> objectClass: sambaSamAccount
> uid: anger
> shadowMin: 0
> shadowMax: 9999
> shadowWarning: 7
> shadowExpire: 0
> cn: anger
> preferredLanguage: EN
> userCountry: Czech Republic
> mailEnabled: OK
> lnetMailAccess: TRUE
> OXAppointmentDays: 5
> OXGroupID: 500
> OXTaskDays: 5
> OXTimeZone:: RXVyb3BlL3ByYWd1ZSA
> loginShell: /usr/bin/ksh
> uidNumber: 270
> gidNumber: 20
> homeDirectory: /home/anger
> sambaSID: S-1-5-21-......-1540
> employeeNumber: 114
> sambaPwdLastSet: 1344931739
> mail: anger at nemuh.cz
> mailDomain: nemuh.cz
> o: UHN a.s.
> description:: WmRlbsSbayBBbmdlcg=
> givenName:: WmRlbsSbaw=
> sn: ANGER
> gecos: MUDr. Zdenek Anger
> ou: -
>
> Why is imported/upgraded account locked?

I do not know. Maybe the "OX..." attributes, maybe the base64 encoded attributes, maybe something else.
"

I stopped searching for this for now, as I ran into bigger problems elsewhere :-]

"
> c) After upgrade, national characters in (probably) user description
> and givenName are not correctly displayed - there a question marks in
> the names (in AD administration), every user (with national
> characters in their names) has the problem.
> Why?

Maybe the migration script does not handle base64 encoded strings correctly.

i.e.
givenName:: WmRlbsSbaw=
# echo -n WmRlbsSbaw== | base64 -d ;echo
Zdeněk

If a value is base64 encoded, then the field separator is a double colon.
"

Yes, this was because of running classicupgrade on a different (new) server with a different language encoding. After removing unix charset from the samba config the names are correct.

Thanks,
Michal
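
The two checks discussed in this thread (every sambaSamAccount entry needs objectClass posixAccount plus cn, uid, uidNumber, gidNumber, homeDirectory and sambaSID, and "attr:: value" lines carry base64-encoded UTF-8) can be run over an LDIF dump before classicupgrade. This is an added example, not code from the thread or from Samba; `parse_ldif`, `preflight` and the sample SIDs are assumptions made for illustration.

```python
import base64

# Attributes the thread says must exist on every account entry.
REQUIRED = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory", "sambaSID")

# Constructed sample modelled on the thread's entries; the SIDs are placeholders.
SAMPLE = """\
dn: uid=pc0027$,ou=machines,dc=nspuh,dc=cz
uid: pc0027$
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111-2222-3333-45023

dn: uid=anger,ou=People,dc=nspuh,dc=cz
objectClass: posixAccount
objectClass: sambaSamAccount
uid: anger
cn: anger
uidNumber: 270
gidNumber: 20
homeDirectory: /home/anger
sambaSID: S-1-5-21-1111-2222-3333-1540
givenName:: WmRlbsSbaw==
"""

def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):   # unfold lines, split entries
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            value = value.strip()
            if value.startswith(":"):                     # "attr:: value" is base64
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry.setdefault(attr.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def preflight(entries):
    """Return {uid: [problems]} for sambaSamAccount entries that are incomplete."""
    report = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "sambasamaccount" in classes:
            problems = [] if "posixaccount" in classes else ["objectClass posixAccount missing"]
            problems += [a + " missing" for a in REQUIRED if a.lower() not in e]
            if problems:
                report[e.get("uid", e.get("dn", ["?"]))[0]] = problems
    return report

if __name__ == "__main__":
    print(preflight(parse_ldif(SAMPLE)))
```

Feed it the output of an `ldapsearch -xLLL` dump of the accounts subtree in place of `SAMPLE`; an empty report means every Samba account carries the attributes listed above.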