Hello.

I've still got a couple of NT domains and I'd like to upgrade them to AD. In these days I had a chance to try to migrate one of them, but I ran into trouble and had to go back. I don't know when I'll have the chance to try again (probably not before some months), but I need to understand what went wrong before that.

The starting situation: Samba 4.8 running as AD and fileserver on FreeBSD 11.2/amd64 (base) with smbpasswd backend.

Relevant smb.conf lines:
> [global]
>         workgroup = XXXXXXXXXXXX
>         server string = XXXX
>         security = user
>         encrypt passwords = yes
>         os level = 255
>         local master = yes
>         domain master = yes
>         preferred master = yes
>         domain logons = yes
>         wins support = yes
>         wins proxy = yes
>         dns proxy = yes
>         logon script=netlogon.cmd
>         unix password sync=no
>         time server = Yes
>         map archive = No
>         vfs objects=audit
>         audit:facility=LOCAL7
>         audit:priority=INFO
>         passdb backend=smbpasswd:/var/db/samba4/private/smbpasswd
>         lanman auth=yes

All users are listed in /etc/passwd (and of course in /var/db/samba4/private/smbpasswd).

Sample pdbedit -Lv:
> Unix username:        xxxxxxxx
> NT username:
> Account Flags:        [UX         ]
> User SID:             S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-3010
> Primary Group SID:    S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-513
> Full Name:            Xxxxxxxx
> Home Directory:       \\XXXX\xxxxxxxx
> HomeDir Drive:
> Logon Script:         netlogon.cmd
> Profile Path:         \\xxxx\xxxxxxxx\profile
> Domain:               XXXXXXXXXXXX
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          never
> Kickoff time:         never
> Password last set:    Mon, 22 Dec 2014 10:05:58 CET
> Password can change:  Mon, 22 Dec 2014 10:05:58 CET
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Notice a lot of non-domain users (like root, nobody, operator, etc...) are also listed.

The same user above in /etc/passwd:
> xxxxxxxx:*:1005:1001:Xxxxxxxx:/home/xxxxxxxx:/sbin/nologin

And in /var/db/samba4/private:
> xxxxxxxx:1005:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-5497DEF6:

Goal: I want to create a jail with Samba (still 4.8) which will operate solely as AD DC. Base's jail will be (for now) reconfigured as a domain member.
(I've done this more than once in other networks).

So I followed the "Migrating a Samba NT4 Domain to Samba AD (Classic Upgrade)" document.

Skipping the LDAP section, I checked and removed duplicate SIDs.
"net groupmap list" shows nothing.

The docs say to copy secrets.tdb, schannel_store.tdb, gencache_notrans.tdb, group_mapping.tdb and account_policy.tdb, which I did.
It also says to copy passdb.tdb, but I don't have this!!!
I copied smbpasswd instead: don't know if this was needed or useful.

In any case, I tried running:
samba-tool domain classicupgrade --dbdir=/root/olddb/ --realm=local.xxxxxxxxxxxxxxx.it --dns-backend=SAMBA_INTERNAL /usr/local/etc/smb.PDC.conf --option="vfs objects = acl_xattr" --option="acl_xattr:ignore system acls = yes"

> Reading smb.conf
> Provisioning
> Exporting account policy
> Exporting groups
> Exporting users
> Next rid = 1000
> Exporting posix attributes
> Reading WINS database
> Cannot open wins database, Ignoring: [Errno 2] No such file or directory: '/root/olddb/wins.dat'
> Looking up IPv4 addresses
> Looking up IPv6 addresses
> No IPv6 address will be assigned
> Setting up secrets.ldb
> Setting up the registry
> Setting up the privileges database
> Setting up idmap db
> Setting up SAM db
> Setting up sam.ldb partitions and settings
> Setting up sam.ldb rootDSE
> Pre-loading the Samba 4 and AD schema
> Unable to determine the DomainSID, can not enforce uniqueness constraint on local domainSIDs
>
> Adding DomainDN: DC=local,DC=xxxxxxxxxxxxxxx,DC=it
> Adding configuration container
> Setting up sam.ldb schema
> Setting up sam.ldb configuration data
> Setting up display specifiers
> Modifying display specifiers and extended rights
> Adding users container
> Modifying users container
> Adding computers container
> Modifying computers container
> Setting up sam.ldb data
> Setting up well known security principals
> Setting up sam.ldb users and groups
> Setting up self join
> Setting acl on sysvol skipped
> Adding DNS accounts
> Creating CN=MicrosoftDNS,CN=System,DC=local,DC=xxxxxxxxxxxxxxx,DC=it
> Creating DomainDnsZones and ForestDnsZones partitions
> Populating DomainDnsZones and ForestDnsZones partitions
> Setting up sam.ldb rootDSE marking as synchronized
> Fixing provision GUIDs
> A Kerberos configuration suitable for Samba AD has been generated at /var/db/samba4/private/krb5.conf
> Merge the contents of this file with your system krb5.conf or replace it with this one. Do not create a symlink!
> Setting up fake yp server settings
> Once the above files are installed, your Samba AD server will be ready to use
> Admin password:        xxxxxxxxxxxxxxxxxxxxxx
> Server Role:           active directory domain controller
> Hostname:              dc1
> NetBIOS Domain:        XXXXXXXXXXXX
> DNS Domain:            local.xxxxxxxxxxxxxxx.it
> DOMAIN SID:            S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXX
> Importing WINS database
> Importing Account policy
> Importing idmap database
> Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
> Adding groups
> Importing groups
> Committing 'add groups' transaction to disk
> Adding users
> Importing users
> Committing 'add users' transaction to disk
> Adding users to groups
> Committing 'add users to groups' transaction to disk

There are a couple of warnings here: I don't know how severe they are.

The thing is none of my NT domain users have been imported!!!
Has this something to do with missing passdb.tdb?

How should I solve this?

bye & Thanks
av.
On 26/06/2019 15:28, Andrea Venturoli via samba wrote:
> [...]
>
> The starting situation: Samba 4.8 running as AD and fileserver on
> FreeBSD 11.2/amd64 (base) with smbpasswd backend.
>
> [...]
>
> The docs say to copy secrets.tdb, schannel_store.tdb,
> gencache_notrans.tdb, group_mapping.tdb and account_policy.tdb, which
> I did.
> It also says to copy passdb.tdb, but I don't have this!!!
> I copied smbpasswd instead: don't know if this was needed or useful.
>
> [...]
>
> There are a couple of warnings here: I don't know how severe they are.
>
> The thing is none of my NT domain users have been imported!!!
> Has this something to do with missing passdb.tdb?

Very probably

> How should I solve this?

Run:

pdbedit -i smbpasswd:/var/db/samba4/private/smbpasswd -e tdbsam:/var/db/samba4/private/passdb.tdb

Change:

passdb backend=smbpasswd:/var/db/samba4/private/smbpasswd

To:

passdb backend = tdbsam:/var/db/samba4/private/passdb.tdb

And try again.

Though I am not sure whether running the DC in a jail is a good idea, also what filesystem are you running on freebsd ? There are problems with ZFS.

Rowland
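An added example, not from the thread: a small Python pre-migration audit of an smbpasswd file in the format quoted above, meant to be run before the pdbedit conversion Rowland gives. It parses each entry, decodes the LCT- timestamp, derives the RID that Samba's algorithmic uid-to-RID mapping assigns (uid 1005 gives the -3010 seen in the pdbedit output), and flags entries that classicupgrade would otherwise carry into AD but which are not real domain users (root, nobody), are disabled or passwordless, or share a uid and therefore a SID. The uid thresholds and all sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timezone
# Constructed sample in smbpasswd(5) format (name:uid:LM:NT:[flags]:LCT-hex:); "dup" reuses uid 1005
SAMPLE = """\
xxxxxxxx:1005:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-5497DEF6:
dup:1005:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-5497DEF6:
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-5497DEF6:
nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NUX        ]:LCT-00000000:
olduser:1010:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DUX        ]:LCT-5497DEF6:
pc1$:1100:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[WX         ]:LCT-5497DEF6:
"""
# Assumptions: real users have 1000 <= uid < 65534 (nobody); rid = 2*uid + RID_BASE is Samba's
# algorithmic mapping, which gives uid 1005 the RID 3010 seen in the pdbedit output above.
MIN_USER_UID, NOBODY_UID, RID_BASE = 1000, 65534, 1000
ENTRY = re.compile(r"^([^:]+):(\d+):([^:]*):([^:]*):\[([A-Z ]*)\]:LCT-([0-9A-Fa-f]+):")

def parse_smbpasswd(text):
    """Parse smbpasswd entries into dicts; raise ValueError on a malformed line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):  # blank and comment lines
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError("malformed entry: %r" % line)
        name, uid, _lm_hash, nt_hash, flags, lct = m.groups()
        entries.append({
            "name": name, "uid": int(uid), "rid": 2 * int(uid) + RID_BASE,
            "flags": set(flags.replace(" ", "")),  # U=user, D=disabled, N=no pw, W=workstation
            "no_password": "N" in flags or nt_hash.startswith("NO PASSWORD"),
            "last_set": datetime.fromtimestamp(int(lct, 16), tz=timezone.utc),
        })
    return entries

def audit(entries):
    """Map account name -> reasons a migrator should look at it before classicupgrade."""
    seen, findings = {}, {}
    for e in entries:
        checks = [
            (not e["name"].endswith("$") and not MIN_USER_UID <= e["uid"] < NOBODY_UID,
             "system account, not a domain user"),
            ("D" in e["flags"], "disabled"),
            (e["no_password"], "no password set"),
            ("W" in e["flags"], "machine (workstation trust) account"),
            (e["rid"] in seen, "RID %d collides with %s" % (e["rid"], seen.get(e["rid"]))),
        ]
        reasons = [msg for hit, msg in checks if hit]
        seen.setdefault(e["rid"], e["name"])  # first owner of each algorithmic RID/SID
        if reasons:
            findings[e["name"]] = reasons
    return findings
```

Accounts listed by audit() are the ones to disable, delete or renumber in smbpasswd before converting it to passdb.tdb, so that only genuine domain users and machine accounts reach the AD database.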
On 6/26/19 4:50 PM, Rowland penny via samba wrote:
> Run:
>
> pdbedit -i smbpasswd:/var/db/samba4/private/smbpasswd -e tdbsam:/var/db/samba4/private/passdb.tdb
>
> Change:
>
> passdb backend=smbpasswd:/var/db/samba4/private/smbpasswd
>
> To:
>
> passdb backend = tdbsam:/var/db/samba4/private/passdb.tdb
>
> And try again.

Thanks. Should I try this now (and continue running the actual NT domain) or after the old server is shut down, just for the conversion?

> Though I am not sure whether running the DC in a jail is a good idea,

Why not? I've had several jailed Samba AD instances working for years. What troubles should I expect?

> also what filesystem are you running on freebsd ?
>
> There are problems with ZFS.

In this particular case, it's UFS; in other (already running) cases it's either UFS or ZFS. I know the problems with ZFS and while I hope they'll be solved in the future, I currently can live with them.

bye & Thanks
av.
On 2019-06-26 16:50, Rowland penny via samba wrote:
> Run:
>
> pdbedit -i smbpasswd:/var/db/samba4/private/smbpasswd -e tdbsam:/var/db/samba4/private/passdb.tdb
>
> Change:
>
> passdb backend=smbpasswd:/var/db/samba4/private/smbpasswd
>
> To:
>
> passdb backend = tdbsam:/var/db/samba4/private/passdb.tdb
>
> And try again.

Just a note...
While the above works with the old NT domain, classicupgrade will still not find the users unless you remove the above "passdb backend" line from the old smb.conf. Somehow that line confuses the script.

bye & Thanks
av.