Konstantin Boyandin
2018-Sep-06 05:22 UTC
[Samba] Migrating from Samba 3: no groups/users are imported ("listed, but then not found", "does not belong to our domain")
Rowland Penny via samba wrote 2018-09-05 15:56:
> On Wed, 05 Sep 2018 15:26:30 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>>
>> Exactly that. I need to create a separate domain; after all the
>> checks are done that switching to it works, the computers will rejoin
>> the new domain. Our Samba 3 domain is used for years; since Windows 10
>> is unable to join it any more, we are finally migrating everything to
>> Samba 4.
>
> Then you might as well just provision a new domain, dump your users,
> groups etc to a file. Write a script to parse the file and then add
> them to your new AD.

Current approach does import users and groups; it only fails to assign users to groups properly. It can do already, but I would prefer less manual interaction.

>> Note: every user belongs to "Domain Users" group, other group
>> memberships are lost.
>
> Yes, every AD users primary group is Domain Users, your other problem
> is very probably being caused by the way you are trying to bend the
> classicupgrade upgrade script

I am not sure what I am "bending". The classic upgrade did fail in exactly the same way even when I tried to do it literally as the corresponding guide tells:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

(i.e. while keeping same workgroup name)

All I did was to ensure the new domain with unique SID is generated. From the viewpoint of LDAP database, domain SID matches groups/users SID, so

a) why the above problem
b) why classic upgrade *does* copy users/groups anyway?

Thanks.

Sincerely,
Konstantin
Rowland Penny
2018-Sep-06 07:37 UTC
[Samba] Migrating from Samba 3: no groups/users are imported ("listed, but then not found", "does not belong to our domain")
On Thu, 06 Sep 2018 12:22:11 +0700
Konstantin Boyandin via samba <samba at lists.samba.org> wrote:

> Rowland Penny via samba wrote 2018-09-05 15:56:
> > On Wed, 05 Sep 2018 15:26:30 +0700
> > Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
> >>
> >> Exactly that. I need to create a separate domain; after all the
> >> checks are done that switching to it works, the computers will
> >> rejoin the new domain. Our Samba 3 domain is used for years; since
> >> Windows 10 is unable to join it any more, we are finally migrating
> >> everything to Samba 4.
> >
> > Then you might as well just provision a new domain, dump your users,
> > groups etc to a file. Write a script to parse the file and then add
> > them to your new AD.
>
> Current approach does import users and groups; it only fails to
> assign users to groups properly. It can do already, but I would
> prefer less manual interaction.
>
> >> Note: every user belongs to "Domain Users" group, other group
> >> memberships are lost.
> >
> > Yes, every AD users primary group is Domain Users, your other
> > problem is very probably being caused by the way you are trying to
> > bend the classicupgrade upgrade script
>
> I am not sure what I am "bending".

The whole idea behind a classicupgrade is that you start with an NT4-style PDC and end up with an AD DC. Your users, groups, etc have the same RID's, the domain has the SID, all passwords are retained, all RFC2307 attributes are retained and finally, the clients do not notice.

>
> The classic upgrade did fail in exactly the same way even when I
> tried to do it literally as the corresponding guide tells:

Then there must be something wrong with your PDC, perhaps it was just too old.

Sorry

Rowland
Konstantin Boyandin
2018-Sep-06 09:03 UTC
[Samba] Migrating from Samba 3: no groups/users are imported ("listed, but then not found", "does not belong to our domain")
Rowland Penny via samba wrote 2018-09-06 14:37:
> On Thu, 06 Sep 2018 12:22:11 +0700
> Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>
>> Rowland Penny via samba wrote 2018-09-05 15:56:
>> > On Wed, 05 Sep 2018 15:26:30 +0700
>> > Konstantin Boyandin via samba <samba at lists.samba.org> wrote:
>> >>
>> >> Exactly that. I need to create a separate domain; after all the
>> >> checks are done that switching to it works, the computers will
>> >> rejoin the new domain. Our Samba 3 domain is used for years; since
>> >> Windows 10 is unable to join it any more, we are finally migrating
>> >> everything to Samba 4.
>> >
>> > Then you might as well just provision a new domain, dump your users,
>> > groups etc to a file. Write a script to parse the file and then add
>> > them to your new AD.
>>
>> Current approach does import users and groups; it only fails to
>> assign users to groups properly. It can do already, but I would
>> prefer less manual interaction.
>>
>> >> Note: every user belongs to "Domain Users" group, other group
>> >> memberships are lost.
>> >
>> > Yes, every AD users primary group is Domain Users, your other
>> > problem is very probably being caused by the way you are trying to
>> > bend the classicupgrade upgrade script
>>
>> I am not sure what I am "bending".
>
> The whole idea behind a classicupgrade is that you start with an
> NT4-style PDC and end up with an AD DC. Your users, groups, etc have
> the same RID's, the domain has the SID, all passwords are retained,
> all RFC2307 attributes are retained and finally, the clients do not
> notice.
>
>> The classic upgrade did fail in exactly the same way even when I
>> tried to do it literally as the corresponding guide tells:
>
> Then there must be something wrong with your PDC, perhaps it was just
> too old.

samba-3.6.23 based (CentOS 6).

In any case, re-adding users to groups manually is a lesser evil, it can be done in batch mode.

Sincerely,
Konstantin
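
The dump-and-script route discussed in this thread, as an added example that is not part of any poster's message: it reads a saved group dump and prints `samba-tool group addmembers` commands for review, refusing names that could smuggle shell syntax or options into those commands. The group(5) dump format (as `getent group` prints it) and all sample names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: turn a saved group dump into samba-tool commands for review.
# Assumed input: group(5) lines (name:passwd:gid:member,member), e.g. the
# output of `getent group` saved on the old PDC. Nothing is executed here.
LC_ALL=C

# Constructed sample dump, including entries that must not reach a shell.
SAMPLE_DUMP='Domain Users:*:513:alice,bob,carol
staff:*:1001:alice,bob
accounting:*:1002:carol
empty:*:1003:
bad;name:*:1004:alice
devs:*:1005:bob,$(reboot),carol'

# Allow only plain account names: no empty names, no leading "-" (would be
# read as an option), no spaces or shell metacharacters.
valid_name() {
    case $1 in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# stdin: dump; stdout: one command per group; stderr: entries left for a human.
gen_commands() {
    while IFS=: read -r group _pw _gid members; do
        # Every AD user already has Domain Users as primary group.
        if [ "$group" = "Domain Users" ]; then continue; fi
        if ! valid_name "$group"; then
            printf 'skipped group: %s\n' "$group" >&2
            continue
        fi
        good=
        old_ifs=$IFS; IFS=,; set -f      # split on commas, no globbing
        for m in $members; do
            if valid_name "$m"; then
                good=${good:+$good,}$m
            else
                printf 'skipped member of %s: %s\n' "$group" "$m" >&2
            fi
        done
        IFS=$old_ifs; set +f
        if [ -n "$good" ]; then
            printf 'samba-tool group addmembers %s %s\n' "$group" "$good"
        fi
    done
    return 0
}

printf '%s\n' "$SAMPLE_DUMP" | gen_commands
```

Names reported on stderr (for example group names with spaces, or machine accounts ending in `$`) are left out of the generated commands and need to be handled by hand.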