Rowland Penny via samba wrote:
> On Sun, 27 Aug 2023 12:56:28 +0200
> Peter Koch via samba<samba at lists.samba.org> wrote:
>
>> Dear Rowland:
>>
>> Thanks for the quick response
>>
>>> Can you please post the command that you used to carry out the
>>> classic
>> here's what I did:
>>
>> 1) Old WORKGROUP is NAV, old NETBIOS NAME is SERV00,
>> old fqdn is v480.naev.de, so I decided to use:
>> - new domain = NAV
>> - new realm = NAV.NAEV.DE
>> - new netbios name = NS1 (or SERV00)
>> - fqdn of new server = ns1.nav.naev.de (or serv00.nav.naev.de)
>>
>> 2) removed ISO-8859 special characters from users' full names
>>
>> 3) delete group mappings for windows standard groups (in particular
>> Domain Admins)
>>
>> 4) Copied smb.conf, secrets.tdb, schannel_store.tdb, passdb.tdb,
>> group_mapping.tdb,
>> account_policy.tdb, /etc/passwd, /etc/group from old server
>> to /var/samba/NT4-DC directory of new server
>>
>> 5) created all samba-related user-accounts, groups and groupmappings
>> with:
>> (awk -F: '$3>=200 && $3<60000{print "groupadd -g",$3,$1}' /var/samba/NT4-DC/group | sort
>> awk -F: '$3>=500 && $3<20000{g=$4;if(g==65534)g="nogroup"; print "useradd -u",$3,"-g",g,"\x27"$1"\x27"}' /var/samba/NT4-DC/passwd | sort
>> awk -F: '$3>=200 && $3<60000{split($4,a,",");for(i in a) print "usermod -aG",$1,a[i]}' /var/samba/NT4-DC/group
>> ) | sh
>>
>> 6) replaced SERV00 by the netbios name of the new server (i.e. NS1) in
>> /var/samba/NT4-DC/smb.conf
>>
>> 7) Started classic upgrade:
>> cd /var/samba
>> kill `cat /var/samba/run/samba.pid`
>> rm -rf private/* smb.conf log.* sysvol
>> /usr/samba/bin/samba-tool domain classicupgrade \
>> --dbdir=/var/samba/NT4-DC/ \
>> --realm=NAV.NAEV.DE \
>> --dns-backend=SAMBA_INTERNAL \
>> /var/samba/NT4-DC/smb.conf
>>
>> Here's the output:
>> INFO 2023-08-27 12:43:39,895 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/netcmd/domain.py #1666: Reading
smb.conf
>> lpcfg_do_global_parameter: WARNING: The "syslog" option is
deprecated
>> lpcfg_do_global_parameter: WARNING: The "domain logons"
option is deprecated
>> INFO 2023-08-27 12:43:39,898 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/netcmd/domain.py #1670:
Provisioning
>> INFO 2023-08-27 12:43:39,905 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #507: Exporting
account policy
>> INFO 2023-08-27 12:43:39,906 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #511: Exporting groups
>> WARNING 2023-08-27 12:43:39,926 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #534: Ignoring group
'notare' S-1-5-21-1415314133-2460755331-2761616138-21015 listed but then
not found: Unable to enumerate group members, (-1073741722,The specified group
does not exist.)
>> WARNING 2023-08-27 12:43:39,935 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #534: Ignoring group
'sap' S-1-5-21-1415314133-2460755331-2761616138-21061 listed but then
not found: Unable to enumerate group members, (-1073741722,The specified group
does not exist.)
>> WARNING 2023-08-27 12:43:39,935 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #534: Ignoring group
'control' S-1-5-21-1415314133-2460755331-2761616138-21045 listed but
then not found: Unable to enumerate group members, (-1073741722,The specified
group does not exist.)
>> INFO 2023-08-27 12:43:39,940 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #557: Exporting users
>> INFO 2023-08-27 12:43:40,231 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #567: Skipping
wellknown rid=501 (for username=nobody)
>> INFO 2023-08-27 12:43:41,842 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #638: Next rid = 31031
>> INFO 2023-08-27 12:43:41,847 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #681: Exporting posix
attributes
>> INFO 2023-08-27 12:43:42,344 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #716: Reading WINS
database
>> WARNING 2023-08-27 12:43:42,344 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #721: Cannot open wins
database, Ignoring: [Errno 2] No such file or directory:
'/var/samba/NT4-DC/wins.dat'
>> INFO 2023-08-27 12:43:42,347 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2108:
Looking up IPv4 addresses
>> INFO 2023-08-27 12:43:42,348 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2125:
Looking up IPv6 addresses
>> WARNING 2023-08-27 12:43:42,348 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2132: No
IPv6 address will be assigned
>> INFO 2023-08-27 12:43:43,048 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2274:
Setting up share.ldb
>> INFO 2023-08-27 12:43:43,252 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2278:
Setting up secrets.ldb
>> INFO 2023-08-27 12:43:43,396 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2283:
Setting up the registry
>> INFO 2023-08-27 12:43:44,594 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2286:
Setting up the privileges database
>> INFO 2023-08-27 12:43:44,984 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2289:
Setting up idmap db
>> INFO 2023-08-27 12:43:45,255 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2296:
Setting up SAM db
>> INFO 2023-08-27 12:43:45,300 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #880:
Setting up sam.ldb partitions and settings
>> INFO 2023-08-27 12:43:45,301 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #892:
Setting up sam.ldb rootDSE
>> INFO 2023-08-27 12:43:45,345 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1305:
Pre-loading the Samba 4 and AD schema
>> Unable to determine the DomainSID, can not enforce uniqueness
constraint on local domainSIDs
>> INFO 2023-08-27 12:43:45,544 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1383:
Adding DomainDN: DC=nav,DC=naev,DC=de
>> INFO 2023-08-27 12:43:45,612 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1415:
Adding configuration container
>> INFO 2023-08-27 12:43:45,679 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1430:
Setting up sam.ldb schema
>> INFO 2023-08-27 12:43:56,781 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1448:
Setting up sam.ldb configuration data
>> INFO 2023-08-27 12:43:57,175 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1489:
Setting up display specifiers
>> INFO 2023-08-27 12:44:04,609 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1497:
Modifying display specifiers and extended rights
>> INFO 2023-08-27 12:44:04,713 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1504:
Adding users container
>> INFO 2023-08-27 12:44:04,717 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1510:
Modifying users container
>> INFO 2023-08-27 12:44:04,719 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1513:
Adding computers container
>> INFO 2023-08-27 12:44:04,723 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1519:
Modifying computers container
>> INFO 2023-08-27 12:44:04,725 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1523:
Setting up sam.ldb data
>> INFO 2023-08-27 12:44:05,088 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1553:
Setting up well known security principals
>> INFO 2023-08-27 12:44:05,258 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1567:
Setting up sam.ldb users and groups
>> INFO 2023-08-27 12:44:05,968 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1575:
Setting up self join
>> Repacking database from v1 to v2 format (first record
CN=ms-DS-ManagedPasswordPreviousId,CN=Schema,CN=Configuration,DC=nav,DC=naev,DC=de)
>> Repack: re-packed 10000 records so far Repacking database from v1 to v2
format (first record
CN=sitesContainer-Display,CN=41F,CN=DisplaySpecifiers,CN=Configuration,DC=nav,DC=naev,DC=de)
>> Repacking database from v1 to v2 format (first record
CN=8ddf6913-1c7b-4c59-a5af-b9ca3b3d2c4c,CN=Operations,CN=DomainUpdates,CN=System,DC=nav,DC=naev,DC=de)
>> INFO 2023-08-27 12:44:08,346 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #1969:
Setting acl on sysvol skipped
>> INFO 2023-08-27 12:44:08,413 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py #1198:
Adding DNS accounts
>> INFO 2023-08-27 12:44:08,550 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py #1232:
Creating CN=MicrosoftDNS,CN=System,DC=nav,DC=naev,DC=de
>> INFO 2023-08-27 12:44:08,590 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py #1245:
Creating DomainDnsZones and ForestDnsZones partitions
>> INFO 2023-08-27 12:44:08,738 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py #1250:
Populating DomainDnsZones and ForestDnsZones partitions
>> Repacking database from v1 to v2 format (first record
DC=m.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=nav,DC=naev,DC=de)
>> Repacking database from v1 to v2 format (first record
DC=_kerberos._tcp.dc,DC=_msdcs.nav.naev.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=nav,DC=naev,DC=de)
>> INFO 2023-08-27 12:44:10,269 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2012:
Setting up sam.ldb rootDSE marking as synchronized
>> INFO 2023-08-27 12:44:10,401 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2017:
Fixing provision GUIDs
>> INFO 2023-08-27 12:44:12,992 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2348: A
Kerberos configuration suitable for Samba AD has been generated at
/var/samba/private/krb5.conf
>> INFO 2023-08-27 12:44:12,993 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2350:
Merge the contents of this file with your system krb5.conf or replace it with
this one. Do not create a symlink!
>> INFO 2023-08-27 12:44:13,405 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #2082:
Setting up fake yp server settings
>> INFO 2023-08-27 12:44:13,659 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #487: Once
the above files are installed, your Samba AD server will be ready to use
>> INFO 2023-08-27 12:44:13,660 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #492:
Server Role: active directory domain controller
>> INFO 2023-08-27 12:44:13,660 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #493:
Hostname: serv00
>> INFO 2023-08-27 12:44:13,660 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #494:
NetBIOS Domain: NAV
>> INFO 2023-08-27 12:44:13,660 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #495: DNS
Domain: nav.naev.de
>> INFO 2023-08-27 12:44:13,660 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py #496:
DOMAIN SID: S-1-5-352321536-3589954388-2200284306-183212708
>> INFO 2023-08-27 12:44:13,660 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #747: Importing WINS
database
>> INFO 2023-08-27 12:44:13,660 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #753: Importing
Account policy
>> INFO 2023-08-27 12:44:13,732 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #757: Importing idmap
database
>> WARNING 2023-08-27 12:44:13,732 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #218: Cannot open
idmap database, Ignoring: [Errno 2] No such file or directory
>> INFO 2023-08-27 12:44:14,144 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #773: Adding groups
>> INFO 2023-08-27 12:44:14,145 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #776: Importing groups
>> WARNING 2023-08-27 12:44:14,284 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #267: Group already
exists sid=S-1-5-32-550, groupname=Print Operators existing_groupname=Print
Operators, Ignoring.
>> INFO 2023-08-27 12:44:14,421 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #789: Committing
'add groups' transaction to disk
>> INFO 2023-08-27 12:44:14,838 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #792: Adding users
>> INFO 2023-08-27 12:44:14,839 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #795: Importing users
>> WARNING 2023-08-27 12:44:51,050 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #805: User root has
been kept in the directory, it should be removed in favour of the Administrator
user
>> INFO 2023-08-27 12:47:57,275 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #815: Adding users to
groups
>> INFO 2023-08-27 12:47:58,328 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #829: Committing
'add users to groups' transaction to disk
>> INFO 2023-08-27 12:47:58,524 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #834: Setting password
for administrator
>> INFO 2023-08-27 12:47:58,591 pid:14448
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #843: Administrator
password has been set to password of user 'root'
>>
>> One more thing: The new domain SID is different from the old one.
>> But it does not even start with S-1-5-21 !!!
>>
>> Peter
>>
> Can I please see the original smb.conf (the one from the old machine)
> and your new smb.conf (the one on your new DC)
old one:
# Global parameters
[global]
        unix charset = ISO-8859-1
        workgroup = NAV
        netbios name = SERV00
        server string = Fileserver der XXX
        interfaces = 10.64.2.20
        log level = 1
        syslog = 2
        max log size = 10000
        logon script = logon.bat %u %G %m
        logon path = \\%L\NT-Profiles\%U
        logon drive = h:
        domain logons = Yes
        os level = 34
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        admin users = root
        create mask = 0640
        directory mask = 0750
        map archive = No
        map readonly = No
        wide links = Yes
        unix extensions = No
        acl map full control = No
        force unknown acl user = Yes
        default case = lower
[netlogon]
        comment = Logon-Script Verzeichnis auf %L
        path = /home/nt-logon
        write list = @edvte
        root preexec = /home/nt-logon/root-preexec '%u' '%m'
...other shares
new one:
# Global parameters
[global]
        netbios name = SERV00
        realm = NAV.NAEV.DE
        server role = active directory domain controller
        workgroup = NAV
        idmap_ldb:use rfc2307 = yes
[sysvol]
        path = /var/samba/locks/sysvol
        read only = No
[netlogon]
        path = /var/samba/locks/sysvol/nav.naev.de/scripts
        read only = No

> Can you please confirm that your old machine had the FQDN
> 'serv00.v480.naev.de' and the new one is 'ns1.nav.naev.de'
The old machine had FQDN v480.naev.de and the new one is
ns1.nav.naev.de (or serv00.nav.naev.de, I tried both variants)
Peter
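
Added example, not part of the thread and not Samba's own code: a sanity check for the DOMAIN SID that classicupgrade prints, compared against the domain part of a group SID from the old database. The two SID strings are copied from the log above; the function names are hypothetical, and the byte-order test is a check chosen for this example, not something the participants ran.

```python
import re
import struct

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+){1,15})$")

def parse_sid(text):
    """Return (identifier_authority, [sub_authorities]) for a textual SID."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    subs = [int(s) for s in m.group(2).split("-")[1:]]
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits")
    return int(m.group(1)), subs

def is_domain_sid(text):
    """A domain SID is S-1-5-21 followed by exactly three sub-authorities."""
    auth, subs = parse_sid(text)
    return auth == 5 and len(subs) == 4 and subs[0] == 21

def swap32(value):
    """Reverse the byte order of one 32-bit sub-authority."""
    return struct.unpack("<I", struct.pack(">I", value))[0]

def byteswapped(text):
    """Return the SID with every sub-authority byte-swapped."""
    auth, subs = parse_sid(text)
    return "-".join(["S-1", str(auth)] + [str(swap32(s)) for s in subs])

def domain_of(account_sid):
    """Strip the trailing RID from an account or group SID."""
    return account_sid.rsplit("-", 1)[0]

def diagnose(new_domain_sid, old_account_sid):
    """Classify the new domain SID relative to the old domain's SID."""
    old_domain = domain_of(old_account_sid)
    if new_domain_sid == old_domain:
        return "preserved"
    if byteswapped(new_domain_sid) == old_domain:
        return "byte-swapped copy of old domain SID"
    if is_domain_sid(new_domain_sid):
        return "different but well-formed domain SID"
    return "malformed domain SID"

# Values copied from the classicupgrade log in the thread.
OLD_GROUP_SID = "S-1-5-21-1415314133-2460755331-2761616138-21015"
NEW_DOMAIN_SID = "S-1-5-352321536-3589954388-2200284306-183212708"

if __name__ == "__main__":
    print("well-formed:", is_domain_sid(NEW_DOMAIN_SID))
    print("diagnosis:", diagnose(NEW_DOMAIN_SID, OLD_GROUP_SID))
```

Running the same check on the SID reported by `samba-tool` after each upgrade attempt shows whether the domain SID was carried over unchanged before any clients are rejoined.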