Konstantin Boyandin (lists)
2018-Sep-03 04:27 UTC
[Samba] Migrating from Samba 3: no groups/users are imported ("listed, but then not found", "does not belong to our domain")
Hello,

Going further with migrating NT4 domain (Samba 3) to Samba 4. Thanks for the previous suggestions.

When doing

# samba-tool domain classicupgrade --dbdir=/usr/local/samba.LAN/ --realm=ad-lan.com --dns-backend=BIND9_DLZ /usr/local/samba.LAN/smb.conf --option="interfaces=lo ens3" --option="bind interfaces only=yes"

I see in stderr the below:

Ignoring group 'ossi' S-1-5-21-1411277624-4092985889-3405756581-3001 listed but then not found: Unable to enumerate group members, (-1073741722,The specified group does not exist.)

for every group from existing LDAP backend of Samba 3, and

sid S-1-5-21-1411277624-4092985889-3405756581-2062 does not belong to our domain

for every user ID.

After I start the upgraded domain:

# net getdomainsid
SID for domain AD-LAN is: S-1-5-21-2473926874-590573496-2946143095

and on original Samba 3 domain controller:

# net getdomainsid
SID for local machine PDCLAN is: S-1-5-21-1411277624-402985889-3405756581
SID for domain LAN is: S-1-5-21-1411277624-4092985889-3405756581

I.e., the domain SIDs are different (which is expected). How do I make the groups/users be imported?

The smb.conf used is below:

--------------------------------- smb.conf below
[global]
unix charset = UTF8
workgroup = AD-LAN
netbios name = DC
server max protocol = NT1
server string = AD-LAN.COM domain controller
passdb backend = ldapsam:"ldap://10.1.0.10"
username map = /etc/samba/smbusers
interfaces = ens3 lo
bind interfaces only = yes
enable privileges = yes
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 0
name resolve order = wins bcast host
time server = Yes
printcap name = CUPS
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -W '%u'
shutdown script = /var/lib/samba/scripts/shutdown.sh
abort shutdown script = /sbin/shutdown -c
logon script = %u.bat
logon drive = W:
logon home = \\%L\%u
logon path = \\%L\profiles\%u
domain logons = Yes
domain master = Yes
wins support = Yes
ldapsam:trusted = no
ldap ssl = off
ldap suffix = dc=company,dc=lan
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=company,dc=lan
idmap backend = ldap://10.1.0.10
idmap uid = 500-20000
idmap gid = 500-20000
printer admin = root
printing = cups
--------------------------------- smb.conf above

Sincerely,
Konstantin
Rowland Penny
2018-Sep-03 10:12 UTC
[Samba] Migrating from Samba 3: no groups/users are imported ("listed, but then not found", "does not belong to our domain")
On Mon, 03 Sep 2018 04:27:07 +0000 "Konstantin Boyandin \(lists\) via samba" <samba at lists.samba.org> wrote:

> Hello,
>
> Going further with migrating NT4 domain (Samba 3) to Samba 4. Thanks
> for the previous suggestions.
>
> When doing
>
> # samba-tool domain classicupgrade --dbdir=/usr/local/samba.LAN/
> --realm=ad-lan.com
> --dns-backend=BIND9_DLZ /usr/local/samba.LAN/smb.conf
> --option="interfaces=lo ens3" --option="bind interfaces only=yes"
>
> I see in stderr the below:
>
> Ignoring group 'ossi' S-1-5-21-1411277624-4092985889-3405756581-3001
> listed but then not found: Unable to enumerate group members,
> (-1073741722,The specified group does not exist.)
>
> for every group from existing LDAP backend of Samba 3, and
>
> sid S-1-5-21-1411277624-4092985889-3405756581-2062 does not belong to
> our domain
>

Okay, I take it your PDC was called pdclan and the domain was called 'LAN', I have no idea what the dns domain was.

You have now created a new AD DC using the dns domain 'ad-lan.com' and the new AD DC is called 'dc'

So from my reading there are three Samba workgroup names in play:

PDCLAN
LAN
AD-LAN

I think this, (along with using '--realm=ad-lan.com' instead of 'realm = ad-lan' in smb.conf) is your problem. You are trying to change the domain from 'LAN' to 'AD-LAN', Samba is undoubtedly treating this as a new domain and creating a new SID for it.

Rowland
Konstantin Boyandin
2018-Sep-04 03:26 UTC
[Samba] Migrating from Samba 3: no groups/users are imported ("listed, but then not found", "does not belong to our domain")
Rowland Penny via samba wrote 2018-09-03 17:12:

> On Mon, 03 Sep 2018 04:27:07 +0000
> "Konstantin Boyandin \(lists\) via samba" <samba at lists.samba.org>
> wrote:
>
>> Hello,
>>
>> Going further with migrating NT4 domain (Samba 3) to Samba 4. Thanks
>> for the previous suggestions.
>>
>> When doing
>>
>> # samba-tool domain classicupgrade --dbdir=/usr/local/samba.LAN/
>> --realm=ad-lan.com
>> --dns-backend=BIND9_DLZ /usr/local/samba.LAN/smb.conf
>> --option="interfaces=lo ens3" --option="bind interfaces only=yes"
>>
>> I see in stderr the below:
>>
>> Ignoring group 'ossi' S-1-5-21-1411277624-4092985889-3405756581-3001
>> listed but then not found: Unable to enumerate group members,
>> (-1073741722,The specified group does not exist.)
>>
>> for every group from existing LDAP backend of Samba 3, and
>>
>> sid S-1-5-21-1411277624-4092985889-3405756581-2062 does not belong to
>> our domain
>>
>
> Okay, I take it your PDC was called pdclan and the domain was called
> 'LAN', I have no idea what the dns domain was.
>
> You have now created a new AD DC using the dns domain 'ad-lan.com' and
> the new AD DC is called 'dc'
>
> So from my reading there are three Samba workgroup names in play:
>
> PDCLAN
> LAN
> AD-LAN
>
> I think this, (along with using '--realm=ad-lan.com' instead of 'realm
> = ad-lan' in smb.conf) is your problem. You are trying to change the
> domain from 'LAN' to 'AD-LAN', Samba is undoubtedly treating this as a
> new domain and creating a new SID for it.

That's intentional. LAN is the NT4 (Samba 3) domain, and I may not just upgrade it without thorough testing - too many resources are using it, and breaking down the network is not an option. So yes, I create a new domain, under a real-life domain name (I own ad-lan.com) and, after transferring everything into it and testing in a sandbox environment, I will begin transferring everything from Samba 3 into the Samba 4 domain (i.e., both LAN and AD-LAN will co-exist in the same network for some time).

So the question: how do I do the upgrade to Samba 4 while importing the users/groups from the Samba 3 domain in this case? Alternately, how can I import Samba 3 entities from the Samba 3 LDAP backend *after* creating a separate Samba 4 domain?

Also, what's wrong with '--realm=ad-lan.com' ?

Thanks.

Sincerely,
Konstantin
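A pre-flight check for the situation in this thread, added here as example code (not from the thread or the Samba project): it parses an LDIF dump of the Samba 3 ldapsam backend, looks up the sambaDomain entry for the workgroup named in the smb.conf handed to classicupgrade, and lists every user or group whose sambaSID is not under that domain SID, which is exactly what produces "does not belong to our domain". The LDIF below is constructed; the two domain SID prefixes are the ones quoted in the thread, while the DNs, account names and the RID 1001 are assumptions.

```python
# Constructed LDIF excerpt in the shape of a Samba 3 ldapsam backend; the two
# domain SID prefixes are those from the thread, the DNs, account names and
# the RID 1001 of the last entry are assumptions.
SAMPLE_LDIF = """\
dn: sambaDomainName=LAN,dc=company,dc=lan
sambaDomainName: LAN
sambaSID: S-1-5-21-1411277624-4092985889-3405756581

dn: uid=kboyandin,ou=Users,dc=company,dc=lan
sambaSID: S-1-5-21-1411277624-4092985889-3405756581-2062

dn: cn=ossi,ou=Groups,dc=company,dc=lan
sambaSID: S-1-5-21-1411277624-4092985889-3405756581-3001

dn: cn=stale,ou=Groups,dc=company,dc=lan
sambaSID: S-1-5-21-2473926874-590573496-2946143095-1001
"""

def parse_ldif(text):
    """Return entries as dicts of attribute -> [values]; handles folded lines."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr:  # LDIF continuation line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():  # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries

def domain_sid_for(entries, workgroup):
    """SID of the sambaDomain entry whose name matches the workgroup, else None."""
    for e in entries:
        if e.get("sambaDomainName", [""])[0].upper() == workgroup.upper():
            return e["sambaSID"][0]
    return None

def foreign_sids(entries, domain_sid):
    """(dn, sid) of users/groups whose SID does not sit under domain_sid."""
    return [(e["dn"][0], e["sambaSID"][0]) for e in entries
            if "sambaDomainName" not in e and "sambaSID" in e
            and e["sambaSID"][0].rsplit("-", 1)[0] != domain_sid]
```

With workgroup = AD-LAN there is no matching sambaDomain entry at all, so a fresh domain SID gets generated and every imported SID is foreign; with workgroup = LAN only objects carrying another domain's prefix are reported.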