Hello,
I ran the test again, starting everything over from zero, with the following configuration,
and I arrive at the same result.
-------------------- smb.conf
[global]
netbios name = svdom
server string = Gestionnaire de domaine
workgroup = dom.domain
hosts allow = 192.168.15. 192.168.6. 10.0.7.
security = user
domain master = yes
domain logons = yes
prefered master = yes
local master = yes
os level = 252
log level = 1
encrypt passwords = yes
username map = /etc/samba/smbusers
passdb expand explicit = no
add machine script = /usr/sbin/smbldap-useradd -w '%u'
add user script = /usr/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/sbin/smbldap-userdel -r '%u'
add group script = /usr/sbin/smbldap-groupadd -g '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
ldap admin dn = cn=Manager,dc=dom,dc=domain
ldap suffix = dc=dom,dc=domain
ldap passwd sync = yes
ldap ssl = no
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
passdb backend = ldapsam:ldap://ldap2.dom.domain
idmap backend = ldapsam:ldap://ldap2.dom.domain
nt acl support = yes
map untrusted to domain = yes
wins support = yes
wins proxy = no
dns proxy = yes
name resolve order = wins lmhosts bcast
interfaces = eth* lo
bind interfaces only = yes
time server = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192
lock directory = /var/lib/samba
log file = /var/log/samba/users/log-%U.log
veto oplock files = /*.mdb/*.doc/*.xls/*.ppt/*.FIC/*.NDX/*.xlsx/
guest account = nobody
logon script = %G.bat
logon path = \\svdom\profiles\%U
load printers = no
printcap name = /dev/null
printcap cache time = 0
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no
[share...]
-------------------------------- samba-tool domain classicupgrade --dbdir=/root/samba3/dbdir/ --realm=dom.domain --dns-backend=SAMBA_INTERNAL /root/samba3/etc/smb.conf -d 10
INFO: Current debug levels:
all: 10
tdb: 10
printdrivers: 10
lanman: 10
smb: 10
rpc_parse: 10
rpc_srv: 10
rpc_cli: 10
passdb: 10
sam: 10
auth: 10
winbind: 10
vfs: 10
idmap: 10
quota: 10
acls: 10
locking: 10
msdfs: 10
dmapi: 10
registry: 10
scavenger: 10
dns: 10
ldb: 10
tevent: 10
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
WARNING: The "syslog" option is deprecated
Processing section "[homes]"
Processing section "[printers]"
Processing section "[print$]"
pm_process() returned Yes
Reading smb.conf
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
doing parameter netbios name = svct02
doing parameter server string = Gestionnaire de domaine
doing parameter workgroup = dom.domain
doing parameter hosts allow = 192.168.15. 192.168.6. 10.0.7.
doing parameter security = user
doing parameter domain master = yes
doing parameter domain logons = yes
doing parameter prefered master = yes
doing parameter local master = yes
doing parameter os level = 252
doing parameter log level = 1
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Provisioning
Exporting account policy
Exporting groups
Severe DB error, sambaSamAccount can't miss the samba SIDattribute
Ignoring group 'Backup Operators'
S-1-5-21-3199360825-2299538094-1836089394-551 listed but then not found: Unable to enumerate group members, (-1073741596,This error indicates that the requested operation cannot be completed due to a catastrophic media failure or an on-disk data structure corruption.)
Severe DB error, sambaSamAccount can't miss the samba SIDattribute
Ignoring group 'Domain Users'
S-1-5-21-3199360825-2299538094-1836089394-513 listed but then not found: Unable to enumerate group members, (-1073741596,This error indicates that the requested operation cannot be completed due to a catastrophic media failure or an on-disk data structure corruption.)
Exporting users
sid S-1-5-21-629504534-1699756358-2856581066-3658 does not belong to our domain
sid S-1-5-21-629504534-1699756358-2856581066-3632 does not belong to our domain
Fixing account svimp02$ which had both ACB_NORMAL (U) and ACB_WSTRUST (W) set. Account will be marked as ACB_WSTRUST (W), i.e. as a domain member
Skipping wellknown rid=501 (for username=nobody)
Next rid = 3867
Failed to connect to ldap URL 'ldap://ldap2.dom.domain' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://ldap2.dom.domain' with backend 'ldap': LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: Could not open ldb connection to ldap://ldap2.dom.domain, the error message is: (1, 'LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1566, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 671, in upgrade_from_samba3
    raise ProvisioningError("Could not open ldb connection to %s, the error message is: %s" % (url, e))
------------- ldapsearch -h ldap2.dom.domain -xb "ou=Groups,dc=dom,dc=domain" -W -D "cn=Manager,dc=dom,dc=domain" cn="Backup Operators"
# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=dom,dc=domain> with scope subtree
# filter: cn=Backup Operators
# requesting: ALL
#
# Backup Operators, Groups, dom.domain
dn: cn=Backup Operators,ou=Groups,dc=dom,dc=domain
cn: Backup Operators
description: Domain Unix group
displayName: Backup Operators
gidNumber: 551
memberUid: backupmanager
memberUid: backuppc
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-551
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
---------------- ldapsearch -h ldap2.dom.domain -xb "ou=Groups,dc=dom,dc=domain" -W -D "cn=Manager,dc=dom,dc=domain" cn="Domain Users"
# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=dom,dc=domain> with scope subtree
# filter: cn=Domain Users
# requesting: ALL
#
# Domain Users, Groups, dom.domain
dn: cn=Domain Users,ou=Groups,dc=dom,dc=domain
cn: Domain Users
description: Domain Unix group
displayName: Domain Users
gidNumber: 513
memberUid: [...]
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-513
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
ldap2 is a DNS alias of ns1.
------------------------------- ping ldap2.dom.domain
PING ns1.dom.domain (192.168.15.31) 56(84) bytes of data.
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=1 ttl=64 time=0.574 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=2 ttl=64 time=0.345 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=3 ttl=64 time=0.235 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=4 ttl=64 time=0.292 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=5 ttl=64 time=0.601 ms
--- ns1.dom.domain ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4056ms
rtt min/avg/max/mdev = 0.235/0.409/0.601/0.150 ms
------------------------------- ping ldap2
PING ns1.dom.domain (192.168.15.31) 56(84) bytes of data.
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=1 ttl=64 time=0.451 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=2 ttl=64 time=0.677 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=3 ttl=64 time=0.356 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=4 ttl=64 time=0.296 ms
64 bytes from ns1.dom.domain (192.168.15.31): icmp_seq=5 ttl=64 time=0.479 ms
--- ns1.dom.domain ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4068ms
rtt min/avg/max/mdev = 0.296/0.451/0.677/0.133 ms
I have exhausted all my resources and on the internet the error message
is quite generic or an unmanaged error.
Philippe MALADJIAN
IT manager | system administrator
On 06/09/2018 at 11:44, Rowland Penny via samba wrote:
> On Thu, 6 Sep 2018 11:08:21 +0200
> Philippe Maladjian via samba <samba at lists.samba.org> wrote:
>> Before the classicupdate on my ldap I can change the rootdn to match
>> my.domain and not domain.fr?
> I suppose you could try it, dump the entire ldap to an ldif, manually
> change all 'dc=domain,dc=fr' to 'dc=my,dc=domain'. You would then have
> to move the old ldap out of the way and add your new ldif to ldap.
> Change your smb.conf to match. This could sort your ldap problem
> (don't know, never tried it), not sure what you may have to do to
> Samba, or how you would do it, again because I have never tried to do
> this.
>
> Rowland
On Tue, 18 Sep 2018 11:30:04 +0200 Philippe Maladjian via samba <samba at lists.samba.org> wrote:
> [...]
I think this proves that the way you are trying to classicupgrade just doesn't work.
If I remember correctly you want to use a new SID instead of the old SID; a new SID equals a new, different domain.
Can I suggest you dump all the users into a file, then dump all the groups into another file, finally dump all the group memberships to another file.
Provision a new domain, this will get you a new valid SID.
Parse the three files for the Well Known SIDs and remove these.
Write a script to parse the users file extracting the users name and password etc and use this to create a new user with samba-tool.
Do the same for the groups and then the group memberships.
You should end up with a new fully functioning AD domain.
If you can share an ldif from your PDC ldap with me, I am prepared to help you with this.
Rowland
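Rowland's suggested route (dump users, groups and memberships; provision a fresh domain; drop the well-known SIDs; re-create the rest with samba-tool) as an added example that is not part of this thread or of Samba itself: a Python script that parses an ldapsam LDIF dump, reports the three defects the classicupgrade log above complains about (objects without sambaSID, SIDs from a foreign domain, group members with no usable user entry), and emits samba-tool commands for what remains. The sample LDIF is constructed in the shape of the ldapsearch output above; the samba-tool options used are assumed to match the local version, and passwords are reset rather than migrated.

```python
import re
import shlex

DOMAIN_SID = "S-1-5-21-3199360825-2299538094-1836089394"   # domain SID seen in the thread
WELLKNOWN_RID_MAX = 1000   # RIDs below this (501 Guest, 513 Domain Users, 551 Backup Operators...) already exist after provisioning
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
# Constructed sample in the shape of the thread's ldapsearch output: one user has no sambaSID, one has a foreign-domain SID.
SAMPLE_LDIF = """\
dn: cn=Backup Operators,ou=Groups,dc=dom,dc=domain
cn: Backup Operators
gidNumber: 551
memberUid: backupmanager
memberUid: backuppc
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-551

dn: uid=backupmanager,ou=Users,dc=dom,dc=domain
uid: backupmanager
uidNumber: 1200
objectClass: sambaSamAccount
sambaSID: S-1-5-21-3199360825-2299538094-1836089394-3401

dn: uid=backuppc,ou=Users,dc=dom,dc=domain
uid: backuppc
objectClass: sambaSamAccount

dn: uid=oldguy,ou=Users,dc=dom,dc=domain
uid: oldguy
objectClass: sambaSamAccount
sambaSID: S-1-5-21-629504534-1699756358-2856581066-3658
"""

def parse_ldif(text):
    """LDIF -> list of {attr: [values]}; handles '#' comments and folded lines ('::' base64 values are left undecoded)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]            # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, cur = [], {}
    for line in unfolded + [""]:               # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if line.strip():
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
        elif cur:                              # blank line ends a record
            entries.append(cur)
            cur = {}
    return entries

def split_sid(sid):
    """(domain_sid, rid) for an S-1-5-21 account SID, else None."""
    m = SID_RE.match(sid or "")
    return (m.group(1), int(m.group(2))) if m else None

def check_entries(entries, domain_sid):
    """Report what classicupgrade tripped over: no sambaSID, foreign-domain SID, memberUid with no usable user."""
    problems, good_uids = [], set()
    for e in entries:
        oc = e.get("objectClass", [])
        if "sambaSamAccount" not in oc and "sambaGroupMapping" not in oc:
            continue
        parsed = split_sid(e.get("sambaSID", [None])[0])
        if parsed is None:
            problems.append(f"{e['dn'][0]}: missing or malformed sambaSID")
        elif parsed[0] != domain_sid:
            problems.append(f"{e['dn'][0]}: sambaSID does not belong to {domain_sid}")
        elif "sambaSamAccount" in oc:
            good_uids.update(e.get("uid", []))
    for e in entries:
        for m in e.get("memberUid", []):       # only group entries carry memberUid
            if m not in good_uids:
                problems.append(f"{e['dn'][0]}: member {m} has no usable user entry")
    return problems

def plan_commands(entries, domain_sid):
    """samba-tool commands re-creating users, groups and memberships in a freshly provisioned domain."""
    users, groups = {}, []
    for e in entries:
        oc, parsed = e.get("objectClass", []), split_sid(e.get("sambaSID", [None])[0])
        if parsed is None or parsed[0] != domain_sid:
            continue                           # already reported by check_entries()
        if "sambaSamAccount" in oc:            # skip well-known RIDs (provisioned) and machine accounts (re-join)
            if parsed[1] >= WELLKNOWN_RID_MAX and not e["uid"][0].endswith("$"):
                users[e["uid"][0]] = e
        elif "sambaGroupMapping" in oc:
            groups.append((e["cn"][0], parsed[1], e))
    cmds = []
    for uid, e in users.items():               # assumption: NT hash not carried over, random password + forced change
        cmds.append(f"samba-tool user create {shlex.quote(uid)} --random-password --must-change-at-next-login --uid-number={e['uidNumber'][0]}")
    for cn, rid, e in groups:
        if rid >= WELLKNOWN_RID_MAX:           # well-known groups already exist in the new domain
            cmds.append(f"samba-tool group add {shlex.quote(cn)} --gid-number={e['gidNumber'][0]}")
        members = [m for m in e.get("memberUid", []) if m in users]
        if members and rid != 513:             # Domain Users is every user's default primary group
            cmds.append(f"samba-tool group addmembers {shlex.quote(cn)} {','.join(members)}")
    return cmds
```

Run check_entries() on the real dump first and fix what it reports; only when it returns an empty list do the commands from plan_commands() describe the whole directory.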
Hello,
On my current installation samba announces the domain dom.domain, Windows machines and users are registered on the domain dom.hilaire, and the root dn of my ldap is dc=domain,dc=fr.
At first I tested a migration by applying the VM of my samba3 server and my ldap. I migrated these VMs out of the production network and validated that with a PC from my production network (once the network settings were changed) I could connect to the test domain. Then I copied the smb.conf file and all the tdb to the new samba 4 server. I started the migration procedure via samba-tool and got the error on the groups Domain Users and Backup Operators as well as the login error with my ldap directory.
After some exchanges I exported my directory to an ldif to modify the root dn to dc=dom,dc=domain so that it corresponds to the Windows domain name. I re-imported everything into my directory. When I restart the migration procedure by samba-tool I have the same error.
As I have the same installation problem with the production version I do not see any relationship with the SID. The samba domain name does not change; it's only the root dn of my ldap directory that I change before the migration.
Philippe MALADJIAN
IT manager | system administrator
On 18/09/2018 at 12:15, Rowland Penny via samba wrote:
> [...]
> I think this proves that the way you are trying to classicupgrade just
> doesn't work.
>
> If I remember correctly you want to use a new SID instead of the old
> SID, a new SID equals a new, different domain.
>
> Can I suggest you dump all the users into a file, then dump all the
> groups into another file, finally dump all the group memberships to
> another file.
>
> Provision a new domain, this will get you a new valid SID.
>
> Parse the three files for the Well Known SIDs and remove these.
>
> Write a script to parse the users file extracting the users name and
> password etc and use this to create a new user with samba-tool.
>
> Do the same for the groups and then the group memberships.
>
> You should end up with a new fully functioning AD domain.
>
> If you can share an ldif from your PDC ldap with me, I am prepared to
> help you with this.
>
> Rowland