thr3ads.net - samba - [Samba] Classic Upgrade changes domain SID [Aug 2023]

If this information is useful, please help other people find it:
Share via:

Rowland Penny

2023-Aug-27 13:09 UTC

[Samba] Classic Upgrade changes domain SID

On Sun, 27 Aug 2023 14:36:49 +0200
Peter Koch via samba <samba at lists.samba.org> wrote:
> >> here's what I did:
> >>
> >>
> >> 5) created all samba-related user-accounts, groups and
> >> groupmappings with:
> >> (awk -F: '$3>=200 && $3<60000{print
"groupadd
> >> -g",$3,$1}'/var/samba/NT4-DC/group | sort awk -F:
'$3>=500 &&
> >> $3<20000{g=$4;if(g==65534)g="nogroup"; print
"useradd
> >>
-u",$3,"-g",g,"\x27"$1"\x27"}'
/var/samba/NT4-DC/passwd | sort awk
> >> -F: '$3>=200 &&
$3<60000{split($4,a,",");for(i in a) print
> >> "usermod -aG",$1,a[i]}' /var/samba/NT4-DC/group ) |
sh
> >>
> >> 6) replaced SERV00 by the netbios name of the new server (i.e.
> >> NS1) in /var/samba/NT4-DC/smb.conf
> >>
>
I think your problems all stem from doing number 5 on your 'what I did'
list.

You do not want those users and groups in /etc/passwd and /etc/group,
they will all come from AD once it is working.

Also the 'netbios name' in smb.conf on your new DC must match the DCs
short hostname.

Have you read this:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

I suggest you try again.

Rowland

Peter Koch

2023-Aug-27 14:08 UTC

head link

[Samba] Classic Upgrade changes domain SID

Hi Rowland,

Seems like skipping step5 has no influence on the problem
> Also the 'netbios name' in smb.conf on your new DC must match the
DCs
> short hostname.It does. Either I change the netbios name in /var/samba/NT4-DC/smb.conf 
to the
shortname of the new server in uppercase. Or I'm using 
serv00.nav.naev.de as the
FDQN of the new AD-DC.
> Have you read this: 
>
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
> I suggest you try again.I'm sure I know this guide by heart :-)

I was under the impression that Samba4 does NOT need all those
user- and machine$-accounts in /etc/passwd, but the classic
upgrade script does in order to migrate groups, users and computers.

I just repeated the classic upgrade without step 5 and then
I get lots of complains about users and groups, but the domain
SID is still different from the old value:

I noticed that the SIDs of all groups that the upgrade script
complains about, start with S-1-5-21-1415314133-2460755331-2761616138
(that is the domain SID of the old server) while the SIDs of those user
and machine accounts that do not have groupmemberships all start
with S-1-5-352321536-3589954388-2200284306-183212708(that is the
domain SID of the new server).

The SID of user babo in the old server is
S-1-5-21-1415314133-2460755331-2761616138-1158 and the
primary group of user babo has SID
S-1-5-21-1415314133-2460755331-2761616138-21013 (from
pdbedit -vL babo output). So the upgrade script changed babo's
SID from S-1-5-21-1415314133-2460755331-2761616138-1158
to S-1-5-352321536-3589954388-2200284306-183212708-1158.

Here's the new output from classic upgrade script:

INFO 2023-08-27 15:21:22,994 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/netcmd/domain.py #1666: 
Reading smb.conf
INFO 2023-08-27 15:21:22,996 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/netcmd/domain.py #1670: 
Provisioning
INFO 2023-08-27 15:21:23,003 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #507: 
Exporting account policy
INFO 2023-08-27 15:21:23,003 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #511: 
Exporting groups
WARNING 2023-08-27 15:21:23,011 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #534: Ignoring 
group 'immo' S-1-5-21-1415314133-2460755331-2761616138-21039 listed but 
then not found: Unable to enumerate group members, (-1073741722,The 
specified group does not exist.)
WARNING 2023-08-27 15:21:23,012 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #534: Ignoring 
group 'azubi' S-1-5-21-1415314133-2460755331-2761616138-21033 listed but
then not found: Unable to enumerate group members, (-1073741722,The 
specified group does not exist.)
... last line repeated for 25 other groups

INFO 2023-08-27 15:21:23,020 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #557: 
Exporting users
WARNING 2023-08-27 15:21:23,145 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #635: Ignoring 
group memberships of 'babo' 
S-1-5-352321536-3589954388-2200284306-183212708-1158: Unable to 
enumerate group memberships, (-1073741724,The specified account does not 
exist.)
WARNING 2023-08-27 15:21:23,146 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #635: Ignoring 
group memberships of 'elzec' 
S-1-5-352321536-3589954388-2200284306-183212708-1036: Unable to 
enumerate group memberships, (-1073741724,The specified account does not 
exist.)
... last line repeated for 758 other user and machine$ accounts

INFO 2023-08-27 15:21:23,784 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #638: Next rid 
= 31031
INFO 2023-08-27 15:21:23,789 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #681: 
Exporting posix attributes
INFO 2023-08-27 15:21:23,914 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #716: Reading 
WINS database
WARNING 2023-08-27 15:21:23,915 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #721: Cannot 
open wins database, Ignoring: [Errno 2] No such file or directory: 
'/var/samba/NT4-DC/wins.dat'
INFO 2023-08-27 15:21:23,918 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#2108: Looking up IPv4 addresses
INFO 2023-08-27 15:21:23,918 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#2125: Looking up IPv6 addresses
WARNING 2023-08-27 15:21:23,919 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#2132: No IPv6 address will be assigned
INFO 2023-08-27 15:21:24,618 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#2274: Setting up share.ldb
INFO 2023-08-27 15:21:25,217 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#2278: Setting up secrets.ldb
INFO 2023-08-27 15:21:25,580 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#2283: Setting up the registry
INFO 2023-08-27 15:21:26,198 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#2286: Setting up the privileges database
INFO 2023-08-27 15:21:26,582 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#2289: Setting up idmap db
INFO 2023-08-27 15:21:26,865 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#2296: Setting up SAM db
INFO 2023-08-27 15:21:26,921 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#880: Setting up sam.ldb partitions and settings
INFO 2023-08-27 15:21:26,922 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#892: Setting up sam.ldb rootDSE
INFO 2023-08-27 15:21:26,955 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1305: Pre-loading the Samba 4 and AD schema
Unable to determine the DomainSID, can not enforce uniqueness constraint 
on local domainSIDs
INFO 2023-08-27 15:21:27,144 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1383: Adding DomainDN: DC=nav,DC=naev,DC=de
INFO 2023-08-27 15:21:27,211 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1415: Adding configuration container
INFO 2023-08-27 15:21:27,271 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1430: Setting up sam.ldb schema
INFO 2023-08-27 15:21:36,498 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1448: Setting up sam.ldb configuration data
INFO 2023-08-27 15:21:36,874 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1489: Setting up display specifiers
INFO 2023-08-27 15:21:43,082 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1497: Modifying display specifiers and extended rights
INFO 2023-08-27 15:21:43,174 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1504: Adding users container
INFO 2023-08-27 15:21:43,178 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1510: Modifying users container
INFO 2023-08-27 15:21:43,179 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1513: Adding computers container
INFO 2023-08-27 15:21:43,183 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1519: Modifying computers container
INFO 2023-08-27 15:21:43,184 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1523: Setting up sam.ldb data
INFO 2023-08-27 15:21:43,520 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1553: Setting up well known security principals
INFO 2023-08-27 15:21:43,660 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1567: Setting up sam.ldb users and groups
INFO 2023-08-27 15:21:44,322 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1575: Setting up self join
Repacking database from v1 to v2 format (first record 
CN=rpc-Ns-Group,CN=Schema,CN=Configuration,DC=nav,DC=naev,DC=de)
Repack: re-packed 10000 records so far
Repacking database from v1 to v2 format (first record 
CN=mSMQConfiguration-Display,CN=405,CN=DisplaySpecifiers,CN=Configuration,DC=nav,DC=naev,DC=de)
Repacking database from v1 to v2 format (first record 
CN=98de1d3e-6611-443b-8b4e-f4337f1ded0b,CN=Operations,CN=DomainUpdates,CN=System,DC=nav,DC=naev,DC=de)
INFO 2023-08-27 15:21:46,655 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#1969: Setting acl on sysvol skipped
INFO 2023-08-27 15:21:46,721 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py 
#1198: Adding DNS accounts
INFO 2023-08-27 15:21:46,865 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py 
#1232: Creating CN=MicrosoftDNS,CN=System,DC=nav,DC=naev,DC=de
INFO 2023-08-27 15:21:46,903 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py 
#1245: Creating DomainDnsZones and ForestDnsZones partitions
INFO 2023-08-27 15:21:47,043 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/sambadns.py 
#1250: Populating DomainDnsZones and ForestDnsZones partitions
Repacking database from v1 to v2 format (first record 
DC=a.root-servers.net,DC=RootDNSServers,CN=MicrosoftDNS,DC=DomainDnsZones,DC=nav,DC=naev,DC=de)
Repacking database from v1 to v2 format (first record 
DC=_kerberos._tcp.dc,DC=_msdcs.nav.naev.de,CN=MicrosoftDNS,DC=ForestDnsZones,DC=nav,DC=naev,DC=de)
INFO 2023-08-27 15:21:47,713 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#2012: Setting up sam.ldb rootDSE marking as synchronized
INFO 2023-08-27 15:21:47,744 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#2017: Fixing provision GUIDs
INFO 2023-08-27 15:21:49,801 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#2348: A Kerberos configuration suitable for Samba AD has been generated 
at /var/samba/private/krb5.conf
INFO 2023-08-27 15:21:49,801 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#2350: Merge the contents of this file with your system krb5.conf or 
replace it with this one. Do not create a symlink!
INFO 2023-08-27 15:21:50,549 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#2082: Setting up fake yp server settings
INFO 2023-08-27 15:21:51,078 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#487: Once the above files are installed, your Samba AD server will be 
ready to use
INFO 2023-08-27 15:21:51,079 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#492: Server Role:?????????? active directory domain controller
INFO 2023-08-27 15:21:51,079 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#493: Hostname:????????????? serv00
INFO 2023-08-27 15:21:51,079 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#494: NetBIOS Domain:??????? NAV
INFO 2023-08-27 15:21:51,079 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#495: DNS Domain:??????????? nav.naev.de
INFO 2023-08-27 15:21:51,079 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/provision/__init__.py 
#496: DOMAIN SID: S-1-5-352321536-3589954388-2200284306-183212708

Domain SID ist still different from the old one

INFO 2023-08-27 15:21:51,079 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #747: 
Importing WINS database
INFO 2023-08-27 15:21:51,079 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #753: 
Importing Account policy
INFO 2023-08-27 15:21:51,305 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #757: 
Importing idmap database
WARNING 2023-08-27 15:21:51,305 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #218: Cannot 
open idmap database, Ignoring: [Errno 2] No such file or directory
INFO 2023-08-27 15:21:51,722 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #773: Adding 
groups
INFO 2023-08-27 15:21:51,722 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #776: 
Importing groups
WARNING 2023-08-27 15:21:51,861 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #267: Group 
already exists sid=S-1-5-32-550, groupname=Print Operators 
existing_groupname=Print Operators, Ignoring.
INFO 2023-08-27 15:21:51,996 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #789: 
Committing 'add groups' transaction to disk
INFO 2023-08-27 15:21:52,092 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #792: Adding users
INFO 2023-08-27 15:21:52,093 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #795: 
Importing users
WARNING 2023-08-27 15:22:04,384 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #805: User 
root has been kept in the directory, it should be removed in favour of 
the Administrator user
INFO 2023-08-27 15:23:04,761 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #815: Adding 
users to groups
INFO 2023-08-27 15:23:04,763 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #829: 
Committing 'add users to groups' transaction to disk
INFO 2023-08-27 15:23:04,763 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #834: Setting 
password for administrator
INFO 2023-08-27 15:23:04,830 pid:27386 
/usr/samba/lib64/python3.9/site-packages/samba/upgrade.py #843: 
Administrator password has been set to password of user 'root'

Peter

samba - Aug 2023 - Classic Upgrade changes domain SID

[Samba] Classic Upgrade changes domain SID

[Samba] Classic Upgrade changes domain SID