Hello,

Indeed when I copied the result for the mailing I made a mistake. MY.DOMAIN is a dummy name. The result of the migration command is

Reading smb.conf
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Provisioning
Exporting account policy
Exporting groups
Severe DB error, sambaSamAccount can't miss the samba SIDattribute
Ignoring group 'Backup Operators' S-1-5-21-3199360825-2299538094-1836089394-551 listed but then not found: Unable to enumerate group members, (-1073741596,This error indicates that the requested operation cannot be completed due to a catastrophic media failure or an on-disk data structure corruption.)
Severe DB error, sambaSamAccount can't miss the samba SIDattribute
Ignoring group 'Domain Users' S-1-5-21-3199360825-2299538094-1836089394-513 listed but then not found: Unable to enumerate group members, (-1073741596,This error indicates that the requested operation cannot be completed due to a catastrophic media failure or an on-disk data structure corruption.)
Exporting users
sid S-1-5-21-629504534-1699756358-2856581066-3658 does not belong to our domain
sid S-1-5-21-629504534-1699756358-2856581066-3632 does not belong to our domain
Fixing account svimp02$ which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member
Skipping wellknown rid=501 (for username=nobody)
Next rid = 3867
krb5_init_context failed (Invalid argument)
smb_krb5_context_init_basic failed (Invalid argument)
Failed to connect to ldap URL 'ldap://ldap2.my.domain' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://ldap2.my.domain' with backend 'ldap': LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: Could not open ldb connection to ldap://ldap2.my.domain, the error message is: (1, 'LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1566, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 671, in upgrade_from_samba3
    raise ProvisioningError("Could not open ldb connection to %s, the error message is: %s" % (url, e))

From my new samba server I tried to make an LDAP request

# ldapsearch -h ldap2 -xb "ou=Groups,dc=domain,dc=fr" -W -D "cn=Manager,dc=domain,dc=fr" cn="Backup Operators"

# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=domain,dc=fr> with scope subtree
# filter: cn=Backup Operators
# requesting: ALL
#

*************
# Backup Operators, Groups, domain.fr
dn: cn=Backup Operators,ou=Groups,dc=domain,dc=fr
cn: Backup Operators
description: Domain Unix group
displayName: Backup Operators
gidNumber: 551
memberUid: backupmanager
memberUid: backuppc
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-551

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
*******************

I do not understand the NT_STATUS_BAD_NETWORK_NAME error because the server is accessible with its IP or by its DNS name (ldap2)

Philippe MALADJIAN
IT manager | system administrator
Direct line: +33 (0)4 72 14 50 66 | pmaladjian at hilaire.fr
HILAIRE s.a.s.
203 - 205 rue Jean Voillot, 69100 Villeurbanne - France
Tel.: +33 (0)4 72 37 58 23 - Fax: +33 (0)4 78 26 02 03
http://www.hilaire.fr

On 05/09/2018 at 13:02, Rowland Penny via samba wrote:
> On Wed, 5 Sep 2018 11:42:04 +0200
> Philippe Maladjian via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> I'm testing with this link but I have the same error.
>>
>> # samba-tool domain classicupgrade --dbdir=/root/samba3/dbdir/
>> --realm=dom.hilaire
>> --dns-backend=SAMBA_INTERNAL /root/samba3/etc/smb.conf
>>
> Okay, you have these in your smb.conf:
>
> workgroup = MY.DOMAIN
> passdb backend = ldapsam:ldap://ldap2.my.domain
>
> You have this error message:
>
> Failed to connect to ldap URL 'ldap://ldap2.MYDOMAIN' - LDAP client
> internal error: NT_STATUS_BAD_NETWORK_NAME
>
> Is this bad sanitisation?
>
> Does the workgroup 'MY.DOMAIN' actually have a dot in it?
> Why is the upgrade reading 'ldap2.my.domain' as 'ldap2.MYDOMAIN'?
> Is the old ldap server still running and accessible?
> Can you post the ldap object for 'Domain Users'?
> What is the DNS domain name of the computer you are running the upgrade
> on?
>
> Rowland
>

On Wed, 5 Sep 2018 16:53:50 +0200
Philippe Maladjian via samba <samba at lists.samba.org> wrote:

> Hello,
>
> Indeed when I copied the result for the mailing I made a mistake.
> MY.DOMAIN is a dummy name. The result of the migration command is
>
> Reading smb.conf
> WARNING: The "idmap backend" option is deprecated
> WARNING: The "idmap uid" option is deprecated
> WARNING: The "idmap gid" option is deprecated
> Provisioning
> Exporting account policy
> Exporting groups
> Severe DB error, sambaSamAccount can't miss the samba SIDattribute
> Ignoring group 'Backup Operators'
> S-1-5-21-3199360825-2299538094-1836089394-551 listed but then not
> found: Unable to enumerate group members, (-1073741596,This error
> indicates that the requested operation cannot be completed due to a
> catastrophic media failure or an on-disk data structure corruption.)
> Severe DB error, sambaSamAccount can't miss the samba SIDattribute
> Ignoring group 'Domain Users'
> S-1-5-21-3199360825-2299538094-1836089394-513 listed but then not
> found: Unable to enumerate group members, (-1073741596,This error
> indicates that the requested operation cannot be completed due to a
> catastrophic media failure or an on-disk data structure corruption.)
> Exporting users
> sid S-1-5-21-629504534-1699756358-2856581066-3658 does not belong to
> our domain
> sid S-1-5-21-629504534-1699756358-2856581066-3632 does not belong to
> our domain
> Fixing account svimp02$ which had both ACB_NORMAL (U) and
> ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e.
> as a domain member
> Skipping wellknown rid=501 (for username=nobody)
> Next rid = 3867
> krb5_init_context failed (Invalid argument)
> smb_krb5_context_init_basic failed (Invalid argument)
> Failed to connect to ldap URL 'ldap://ldap2.my.domain' - LDAP client
> internal error: NT_STATUS_BAD_NETWORK_NAME
> Failed to connect to 'ldap://ldap2.my.domain' with backend 'ldap':
> LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception - ProvisioningError: Could not open ldb connection to
> ldap://ldap2.my.domain, the error message is: (1, 'LDAP client
> internal error: NT_STATUS_BAD_NETWORK_NAME')
>
> From my new samba server I tried to make an LDAP request
>
> # ldapsearch -h ldap2 -xb "ou=Groups,dc=domain,dc=fr" -W -D
> "cn=Manager,dc=domain,dc=fr" cn="Backup Operators"

If you are going to sanitise an object, please use it everywhere.

The upgrade is trying to use ldap2.my.domain
in the ldapsearch you use 'dc=domain,dc=fr' from which I would have
expected 'ldap2.domain.fr'

>
> # extended LDIF
> #
> # LDAPv3
> # base <ou=Groups,dc=domain,dc=fr> with scope subtree
> # filter: cn=Backup Operators
> # requesting: ALL
> #
>
> *************
> # Backup Operators, Groups, domain.fr
> dn: cn=Backup Operators,ou=Groups,dc=domain,dc=fr
> cn: Backup Operators
> description: Domain Unix group
> displayName: Backup Operators
> gidNumber: 551
> memberUid: backupmanager
> memberUid: backuppc
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> sambaGroupType: 2
> sambaSID: S-1-5-21-3199360825-2299538094-1836089394-551
>

There doesn't seem to be anything wrong there

>
> *******************
>
>
> I do not understand the NT_STATUS_BAD_NETWORK_NAME error because the
> server is accessible with its IP or by its DNS name (ldap2)
>

Yes, but is it accessible by 'ldap2.domain.fr'?

Is a firewall running on the old PDC?

I would also like to point out that I think I have worked out what
'domain' is and you really shouldn't use this for an AD domain.

Rowland

On 05/09/2018 at 18:32, Rowland Penny via samba wrote:
> On Wed, 5 Sep 2018 16:53:50 +0200
> Philippe Maladjian via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> Indeed when I copied the result for the mailing I made a mistake.
>> MY.DOMAIN is a dummy name. The result of the migration command is
>>
>> Reading smb.conf
>> WARNING: The "idmap backend" option is deprecated
>> WARNING: The "idmap uid" option is deprecated
>> WARNING: The "idmap gid" option is deprecated
>> Provisioning
>> Exporting account policy
>> Exporting groups
>> Severe DB error, sambaSamAccount can't miss the samba SIDattribute
>> Ignoring group 'Backup Operators'
>> S-1-5-21-3199360825-2299538094-1836089394-551 listed but then not
>> found: Unable to enumerate group members, (-1073741596,This error
>> indicates that the requested operation cannot be completed due to a
>> catastrophic media failure or an on-disk data structure corruption.)
>> Severe DB error, sambaSamAccount can't miss the samba SIDattribute
>> Ignoring group 'Domain Users'
>> S-1-5-21-3199360825-2299538094-1836089394-513 listed but then not
>> found: Unable to enumerate group members, (-1073741596,This error
>> indicates that the requested operation cannot be completed due to a
>> catastrophic media failure or an on-disk data structure corruption.)
>> Exporting users
>> sid S-1-5-21-629504534-1699756358-2856581066-3658 does not belong to
>> our domain
>> sid S-1-5-21-629504534-1699756358-2856581066-3632 does not belong to
>> our domain
>> Fixing account svimp02$ which had both ACB_NORMAL (U) and
>> ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e.
>> as a domain member
>> Skipping wellknown rid=501 (for username=nobody)
>> Next rid = 3867
>> krb5_init_context failed (Invalid argument)
>> smb_krb5_context_init_basic failed (Invalid argument)
>> Failed to connect to ldap URL 'ldap://ldap2.my.domain' - LDAP client
>> internal error: NT_STATUS_BAD_NETWORK_NAME
>> Failed to connect to 'ldap://ldap2.my.domain' with backend 'ldap':
>> LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
>> exception - ProvisioningError: Could not open ldb connection to
>> ldap://ldap2.my.domain, the error message is: (1, 'LDAP client
>> internal error: NT_STATUS_BAD_NETWORK_NAME')
>>
>> From my new samba server I tried to make an LDAP request
>>
>> # ldapsearch -h ldap2 -xb "ou=Groups,dc=domain,dc=fr" -W -D
>> "cn=Manager,dc=domain,dc=fr" cn="Backup Operators"
> If you are going to sanitise an object, please use it everywhere.
>
> The upgrade is trying to use ldap2.my.domain
> in the ldapsearch you use 'dc=domain,dc=fr' from which I would have
> expected 'ldap2.domain.fr'

my.domain is the internal DNS domain name, it is also used by the current samba domain controller and windows station. domain.fr is the root name of the ldap directory.

It was not a good idea to have two different names and I think that taking advantage of the update to change domain.fr to my.domain is the right time.

>
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=Groups,dc=domain,dc=fr> with scope subtree
>> # filter: cn=Backup Operators
>> # requesting: ALL
>> #
>>
>> *************
>> # Backup Operators, Groups, domain.fr
>> dn: cn=Backup Operators,ou=Groups,dc=domain,dc=fr
>> cn: Backup Operators
>> description: Domain Unix group
>> displayName: Backup Operators
>> gidNumber: 551
>> memberUid: backupmanager
>> memberUid: backuppc
>> objectClass: top
>> objectClass: posixGroup
>> objectClass: sambaGroupMapping
>> sambaGroupType: 2
>> sambaSID: S-1-5-21-3199360825-2299538094-1836089394-551
>>
> There doesn't seem to be anything wrong there
>> *******************
>>
>>
>> I do not understand the NT_STATUS_BAD_NETWORK_NAME error because the
>> server is accessible with its IP or by its DNS name (ldap2)
>>
> Yes, but is it accessible by 'ldap2.domain.fr'?

# ping ldap2.my.domain (dns name)
OK

>
> Is a firewall running on the old PDC?

No

>
> I would also like to point out that I think I have worked out what
> 'domain' is and you really shouldn't use this for an AD domain.

Sorry, I did not understand?

>
> Rowland
>
>
>

Philippe.
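
The question raised in the thread, whether the LDAP server is reachable under the exact name written in smb.conf rather than the short name used with ldapsearch, can be checked before running classicupgrade. The following is an added example, not part of the thread and not Samba code: the smb.conf fragment is constructed from the sanitised names used above, and `ldapsam_targets` and `check_target` are hypothetical helper names.

```python
import re
import socket
from urllib.parse import urlparse

# Constructed smb.conf fragment using the sanitised names from the thread.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = MY.DOMAIN
    passdb backend = ldapsam:ldap://ldap2.my.domain
"""

def ldapsam_targets(conf_text):
    """Return (host, port) for the ldapsam URL in each 'passdb backend' line."""
    targets = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment or section header
        key, value = (part.strip() for part in line.split("=", 1))
        if " ".join(key.lower().split()) != "passdb backend":
            continue
        for url in re.findall(r'ldapsam:"?(ldaps?://[^\s"]+)', value):
            parsed = urlparse(url)
            default_port = 636 if parsed.scheme == "ldaps" else 389
            targets.append((parsed.hostname, parsed.port or default_port))
    return targets

def check_target(host, port, resolve=socket.getaddrinfo,
                 connect=socket.create_connection, timeout=3):
    """Test the exact name from smb.conf, not a short alias such as 'ldap2'."""
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("unresolvable", str(exc))
    last_error = "no addresses returned"
    for addr in sorted({info[4][0] for info in infos}):
        try:
            connect((addr, port), timeout=timeout).close()
            return ("reachable", addr)
        except OSError as exc:  # refused, filtered by a firewall, timed out
            last_error = f"{addr}:{port} {exc}"
    return ("unreachable", last_error)

if __name__ == "__main__":
    for host, port in ldapsam_targets(SAMPLE_SMB_CONF):
        print(host, port, *check_target(host, port))
```

Run it on the machine that performs the upgrade, feeding it the text of the smb.conf passed to samba-tool, so that the resolver and firewall path tested are the ones the upgrade itself will use.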