Ruisheng Peng
2019-May-14 07:44 UTC
[Samba] error adding users to Domain Admins group during classicupgrade
Hi,

I'm trying to migrate a NT4 domain under Samba3 to an AD DC under Samba4 on a separate server. During the classicupgrade, there were a number of warnings while importing groups:

WARNING 2019-05-13 15:09:56,728 pid:25284 /usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py #299: Could not add group name=Domain Admins ((68, 'Entry CN=Domain Admins,CN=Users,DC=ifa,DC=hawaii,DC=edu already exists'))

WARNING 2019-05-13 15:09:56,729 pid:25284 /usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py #161: Could not modify AD idmap entry for sid=S-1-5-21-280721883-191778108-123917971-512, id=512, type=ID_TYPE_GID ((32, "Base-DN '<SID=S-1-5-21-280721883-191778108-123917971-512>' not found"))

WARNING 2019-05-13 15:09:56,730 pid:25284 /usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py #130: Could not add posix attrs for AD entry for sid=S-1-5-21-280721883-191778108-123917971-512, ((32, "Base-DN '<SID=S-1-5-21-280721883-191778108-123917971-512>' not found"))

WARNING 2019-05-13 15:09:56,733 pid:25284 /usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py #299: Could not add group name=Domain Users ((68, 'Entry CN=Domain Users,CN=Users,DC=ifa,DC=hawaii,DC=edu already exists'))

WARNING 2019-05-13 15:09:56,734 pid:25284 /usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py #161: Could not modify AD idmap entry for sid=S-1-5-21-280721883-191778108-123917971-513, id=513, type=ID_TYPE_GID ((32, "Base-DN '<SID=S-1-5-21-280721883-191778108-123917971-513>' not found"))

WARNING 2019-05-13 15:09:56,735 pid:25284 /usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py #130: Could not add posix attrs for AD entry for sid=S-1-5-21-280721883-191778108-123917971-513, ((32, "Base-DN '<SID=S-1-5-21-280721883-191778108-123917971-513>' not found"))

WARNING 2019-05-13 15:09:56,738 pid:25284 /usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py #299: Could not add group name=Domain Guests ((68, 'Entry CN=Domain Guests,CN=Users,DC=ifa,DC=hawaii,DC=edu already exists'))

WARNING 2019-05-13 15:09:56,739 pid:25284 /usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py #161: Could not modify AD idmap entry for sid=S-1-5-21-280721883-191778108-123917971-514, id=65534, type=ID_TYPE_GID ((32, "Base-DN '<SID=S-1-5-21-280721883-191778108-123917971-514>' not found"))

WARNING 2019-05-13 15:09:56,740 pid:25284 /usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py #130: Could not add posix attrs for AD entry for sid=S-1-5-21-280721883-191778108-123917971-514, ((32, "Base-DN '<SID=S-1-5-21-280721883-191778108-123917971-514>' not found"))

Soon after when adding users to groups, the process bombed out with the following error:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: Could not add member 'S-1-5-21-2342696748-4272319941-312989834-1001' to group 'S-1-5-21-280721883-191778108-123917971-512' as either group or user record doesn't exist: Base-DN '<SID=S-1-5-21-280721883-191778108-123917971-512>' not found
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 1663, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py", line 822, in upgrade_from_samba3
    add_users_to_group(result.samdb, g, groupmembers[str(g.sid)], logger)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py", line 322, in add_users_to_group
    raise ProvisioningError("Could not add member '%s' to group '%s' as either group or user record doesn't exist: %s" % (member_sid, group.sid, emsg))

The user in question does exist and has been successfully imported. It's the group (Domain Admins) that didn't exist.

I'd appreciate your help in getting over this.

Thanks,
--Ruisheng Peng
Rowland penny
2019-May-14 08:12 UTC
[Samba] error adding users to Domain Admins group during classicupgrade
On 14/05/2019 08:44, Ruisheng Peng via samba wrote:
> Hi,
>
> I'm trying to migrate a NT4 domain under Samba3 to an AD DC under Samba4
> on a separate server. During the classicupgrade, there were a number
> warnings while importing groups:
>
> WARNING 2019-05-13 15:09:56,728 pid:25284
> /usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py #299: Could
> not add group name=Domain Admins ((68, 'Entry CN=Domain
> Admins,CN=Users,DC=ifa,DC=hawaii,DC=edu already exists'))
>
> WARNING 2019-05-13 15:09:56,729 pid:25284
> /usr/local/samba/lib64/python2.7/site-packages/samba/upgrade.py #161: Could
> not modify AD idmap entry for
> sid=S-1-5-21-280721883-191778108-123917971-512, id=512, type=ID_TYPE_GID
> ((32, "Base-DN '<SID=S-1-5-21-280721883-191778108-123917971-512>' not
> found"))

You will get errors like this because the groups will already have been created before the users and groups are migrated, you can ignore these.

> Soon after when adding users to groups, the process bombed out with
> the following error:
>
>
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: Could not add member
> 'S-1-5-21-2342696748-4272319941-312989834-1001' to group
> 'S-1-5-21-280721883-191778108-123917971-512' as either group or user record
> doesn't exist: Base-DN '<SID=S-1-5-21-280721883-191778108-123917971-512>'
> not found

Why does the user have a different SID to the group?

That would make them members of different domains.

Is it like this in your old domain?

Rowland
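The check described in the reply above, as an added example that is not part of the original thread or of Samba's code: it splits each SID into its domain SID and RID and reports membership failures where the member and the group come from different domains. The function names are hypothetical, and the second sample log line is constructed for contrast.

```python
import re
from collections import Counter

# Constructed sample: the first line is the error quoted in the thread,
# the second is a made-up line where member and group share one domain.
SAMPLE_LOG = (
    "ProvisioningError: Could not add member "
    "'S-1-5-21-2342696748-4272319941-312989834-1001' to group "
    "'S-1-5-21-280721883-191778108-123917971-512' as either group or user "
    "record doesn't exist\n"
    "ProvisioningError: Could not add member "
    "'S-1-5-21-280721883-191778108-123917971-1002' to group "
    "'S-1-5-21-280721883-191778108-123917971-513' as either group or user "
    "record doesn't exist\n"
)

SID = r"S-1-5-21(?:-\d+){4}"  # S-1-5-21-<three sub-authorities>-<RID>
MEMBER_RE = re.compile(r"Could not add member '(%s)' to group '(%s)'" % (SID, SID))

def split_sid(sid):
    """Split a domain-relative SID into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)

def domain_sids(log_text):
    """Count how often each domain SID appears anywhere in the log."""
    return Counter(split_sid(s)[0] for s in re.findall(SID, log_text))

def find_domain_mismatches(log_text):
    """Return membership failures whose member and group SIDs come from
    different domains, i.e. whose domain SID prefixes differ."""
    mismatches = []
    for member, group in MEMBER_RE.findall(log_text):
        member_dom, member_rid = split_sid(member)
        group_dom, group_rid = split_sid(group)
        if member_dom != group_dom:
            mismatches.append({
                "member_domain": member_dom, "member_rid": member_rid,
                "group_domain": group_dom, "group_rid": group_rid,
            })
    return mismatches

if __name__ == "__main__":
    for hit in find_domain_mismatches(SAMPLE_LOG):
        print("cross-domain membership:", hit)
    print("domain SIDs seen:", dict(domain_sids(SAMPLE_LOG)))
```

More than one domain SID in the output of `domain_sids` for a single classicupgrade run is the signal that the source databases and the target configuration disagree about the domain.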
Ruisheng Peng
2019-May-14 09:15 UTC
[Samba] error adding users to Domain Admins group during classicupgrade
Thanks for the quick reply Rowland!

I see what I did wrong: I edited the smb.PDC.conf on the AD DC server with a new domain name hoping both the AD DC and the existing NT4 PDC would be up and running so I could move clients over one at a time to minimize down time. So that's a no go.

Instead of classicupgrade, if I provision the new AD DC with a new domain name, would there be a way to import users and groups from the NT4 domain into the new AD domain so their profiles and files on existing samba shares could be readily used under AD DC? There's not a lot of users, I could move them one at a time manually if that's what it takes.

Thanks,
--Ruisheng