Discussion:
[Samba] samba3 to samba4 // logon hours // server role secrets.tdb, secrets.ldb
Johannes Paechnatz
2012-10-15 09:52:59 UTC
Hello.

I tried the migration from samba3 domain master (pdc) to a samba4.

samba4 -V:
Version 4.1.0pre1-GIT-2c3a808

I used the wiki entry about samba3 migration as a guide, copied over
the data etc. but I have some questions left.

fyi - samba3 tdbsam backend. I removed/edited several user accounts
with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
until all user accounts got migrated.

1. machine accounts: some machine accounts don't have Logon hours
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, which seems to be a problem.
Could I manually change fields (which fields?) in the tdbsam dump? I
tried pdbedit -Z of the specific account, but that seems to change it
to an epoch style timestamp and migration fails again - so I removed
them in the tdbsam dump to get the migration working, after that
additional steps all user and machine accounts get migrated.

2. The server role of samba3 is ROLE_DOMAIN_PDC; after migration the
samba4 server is standalone and starting smbd works without error.
BUT if I change the server role to active directory domain controller
and try samba instead of smbd, I get an error: Failed to find record
for MYDOMAIN-HERE in /var/lib/samba/private/secrets.ldb: No such
object: Have you provisioned the MYDOMAIN-HERE domain? Provisioning a
new and empty ADS from scratch does work - but I need the migration
;-)
I tried to modify the secrets.tdb before I start the classicupgrade
without success.

This is a show-stopper ;-)

Could you provide me with a hint / solution to this?

Thanks.


cu Joh.Paechnatz
--
Johannes Paechnatz

--> googleplus: http://goo.gl/GVNoM
--> facebook: http://www.facebook.com/jpaechnatz
--> jabber/xmpp: jpaechnatz at gmail.com
--> icq: 22621122
--> skype: jpaechnatz
--> blog: http://simplyroot.blogspot.com/

amazon wishlist:
--> http://www.amazon.de/registry/wishlist/3L6U7SE47GQ1Z

Backup u. Sync sicher via Wuala:
http://www.wuala.com/referral/BBN3CFN4HKFF74HN3B7M

Encfs4win:
http://goo.gl/djpLB

Callsign: DO2PJ
Try JT65a: http://jt65.w6cqz.org/
Andrew Bartlett
2012-10-16 03:44:39 UTC
Post by Johannes Paechnatz
Hello.
I tried the migration from samba3 domain master (pdc) to a samba4.
Version 4.1.0pre1-GIT-2c3a808
I used the wiki entry about samba3 migration as a guide, copied over
the data etc. but I have some questions left.
fyi - samba3 tdbsam backend. I removed/edited several user accounts
with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
until all user accounts got migrated.
What was your 'unix charset'? (We may need to add a conversion here, as
we assume UTF8 at the ldb layer.)
Post by Johannes Paechnatz
1. machine accounts: some machine accounts don't have Logon hours
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, which seems to be a problem.
Could I manually change fields (which fields?) in the tdbsam dump? I
tried pdbedit -Z of the specific account, but that seems to change it
to an epoch style timestamp and migration fails again - so I removed
them in the tdbsam dump to get the migration working, after that
additional steps all user and machine accounts get migrated.
Can you give me some more detail about what is wrong here? We generally
do want to convert any valid samba3 account.
Post by Johannes Paechnatz
2. The server role of samba3 is ROLE_DOMAIN_PDC; after migration the
samba4 server is standalone and starting smbd works without error.
BUT if I change the server role to active directory domain controller
and try samba instead of smbd, I get an error: Failed to find record
for MYDOMAIN-HERE in /var/lib/samba/private/secrets.ldb: No such
object: Have you provisioned the MYDOMAIN-HERE domain? Provisioning a
new and empty ADS from scratch does work - but I need the migration
;-)
I tried to modify the secrets.tdb before I start the classicupgrade
without success.
This is a show-stopper ;-)
Exactly what command did you run?

We should upgrade a ROLE_DOMAIN_PDC into a 'server role = active
directory domain controller'. Are you sure you are using the smb.conf
produced by the upgrade?

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Johannes Paechnatz
2012-10-16 06:45:45 UTC
Post by Andrew Bartlett
Post by Johannes Paechnatz
fyi - samba3 tdbsam backend. I removed/edited several user accounts
with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
until all user accounts got migrated.
What was your 'unix charset'? (We may need to add a conversion here, as
we assume UTF8 at the ldb layer.)
old samba3 server:
LANG="de_DE"
LC_ALL="de_DE"

smb.conf:
display charset = ISO8859-1
unix charset = ISO8859-1
I remember the reason for this was a software that couldn't handle
UTF-8 (which is fixed meanwhile) - and I know that we need to convert
the whole content of the filesystem when we migrate...
Post by Andrew Bartlett
Post by Johannes Paechnatz
1. machine accounts: some machine accounts don't have Logon hours
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, which seems to be a problem.
Could I manually change fields (which fields?) in the tdbsam dump? I
tried pdbedit -Z of the specific account, but that seems to change it
to an epoch style timestamp and migration fails again - so I removed
them in the tdbsam dump to get the migration working, after that
additional steps all user and machine accounts get migrated.
Can you give me some more detail about what is wrong here? We generally
do want to convert any valid samba3 account.
old samba3 server:
add machine script = /usr/sbin/useradd -c Machine -d /dev/null -g 1000
-s /bin/false %u

all machine accounts are added via this entry - so I thought they are the same.

example:

Failed to modify account record
CN=w-2000-007,CN=Computers,DC=SAMBA4SRV to set user attributes:
objectclass_attrs: attribute 'logonHours' on entry
'CN=w-2000-007,CN=Computers,DC=SAMBA4SRV' contains at least one
invalid value!
ERROR(<class 'passdb.error'>): uncaught exception - Unable to add sam
account 'w-2000-007$', (-1073741811,Unexpected information received)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
1321, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 883,
in upgrade_from_samba3
s4_passdb.add_sam_account(userdata[username])

on samba3
pdbedit -Lv

Unix username: w-2000-007$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-2800255703-2035631742-3861056042-3132
Primary Group SID: S-1-5-21-2800255703-2035631742-3861056042-513
Full Name: W-2000-007$
Home Directory: \\filesrv\w-2000-007_
HomeDir Drive: L:
Logon Script: logon-users.bat
Profile Path: ""
Domain: BFE
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 9223372036854775807 seconds since the Epoch
Kickoff time: 9223372036854775807 seconds since the Epoch
Password last set: Mon, 19 Sep 2011 08:25:53 CEST
Password can change: Mon, 19 Sep 2011 08:25:53 CEST
Password must change: Sun, 18 Dec 2011 07:25:53 CET
Last bad password : 0
Bad password count : 0
Logon hours : 0000000000000000000000000000000030ACC81063

other successfully migrated account:

Unix username: W-4000-026$
NT username:
Account Flags: [W ]
User SID: S-1-5-21-2800255703-2035631742-3861056042-2219
Primary Group SID: S-1-5-21-2800255703-2035631742-3861056042-513
Full Name: W-4000-026$
Home Directory: \\filesrv\w-4000-026_
HomeDir Drive: L:
Logon Script: logon-joh.bat
Profile Path: ""
Domain: BFE
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 9223372036854775807 seconds since the Epoch
Kickoff time: 9223372036854775807 seconds since the Epoch
Password last set: Mon, 14 Mar 2011 08:54:54 CET
Password can change: Mon, 14 Mar 2011 08:54:54 CET
Password must change: Sun, 12 Jun 2011 09:54:54 CEST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

tdbdump of both (made on the samba4 machine, if tdbtools version matters?):

Post by Andrew Bartlett
Post by Johannes Paechnatz
2. The server role of samba3 is ROLE_DOMAIN_PDC; after migration the
samba4 server is standalone and starting smbd works without error.
BUT if I change the server role to active directory domain controller
and try samba instead of smbd, I get an error: Failed to find record
for MYDOMAIN-HERE in /var/lib/samba/private/secrets.ldb: No such
object: Have you provisioned the MYDOMAIN-HERE domain? Provisioning a
new and empty ADS from scratch does work - but I need the migration
;-)
I tried to modify the secrets.tdb before I start the classicupgrade
without success.
This is a show-stopper ;-)
Exactly what command did you run?
samba-tool domain classicupgrade --dbdir=/root/daten --use-xattrs=yes
--realm=BFETV.BFE-SYSTEMHAUS.DE /root/daten/smb.conf
Post by Andrew Bartlett
We should upgrade a ROLE_DOMAIN_PDC into a 'server role = active
directory domain controller'. Are you sure you are using the smb.conf
produced by the upgrade?
Yes. I made a small script that removes all old data before I try a
new migration run:

rm /etc/samba/smb.conf
rm /var/lib/samba/private/*.ldb
rm /var/lib/samba/private/*.tdb
rm /var/lib/samba/private/sam.ldb.d/*
samba-tool domain classicupgrade --dbdir=/root/daten --use-xattrs=yes
--realm=BFETV.BFE-SYSTEMHAUS.DE /root/daten/smb.conf

Please let me know if you need more data/information.

cu Joh.Paechnatz
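The two "Logon hours" values posted above differ only in the 21-byte bitmap, and the one that fails is the half-zero one. As an added example (not code from the thread or from Samba), here is a small pre-migration triage of `pdbedit -Lv` output that decodes that bitmap and flags values worth a look before running classicupgrade. It assumes the bit layout of the AD logonHours attribute (bit 0 of byte 0 is Sunday 00:00 UTC, least-significant bit first); the "suspect" rule is a heuristic, not a verdict.

```python
import re

# Constructed sample in the shape of `pdbedit -Lv` output; the two
# "Logon hours" values are the ones quoted in the thread above.
SAMPLE_PDBEDIT = """\
Unix username:        w-2000-007$
Logon hours         : 0000000000000000000000000000000030ACC81063
Unix username:        W-4000-026$
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
"""

HOURS_BYTES = 21   # 168 hours per week, one bit each
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]


def parse_pdbedit(text):
    """Map each 'Unix username' to the 'Logon hours' value that follows it."""
    accounts, current = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Unix username":
            current = value.strip()
        elif key.strip() == "Logon hours" and current is not None:
            accounts[current] = value.strip()
    return accounts


def decode_logon_hours(hexstr):
    """Return the (day, hour) slots in which logon is permitted.  Assumed
    layout, that of AD's logonHours: bit 0 of byte 0 is Sunday 00:00-01:00
    UTC, least-significant bit first within each byte."""
    if not re.fullmatch(r"[0-9A-Fa-f]{42}", hexstr):
        raise ValueError("logon hours must be 21 bytes (42 hex digits)")
    raw = bytes.fromhex(hexstr)
    return [(DAYS[i // 24], i % 24)
            for i in range(8 * HOURS_BYTES) if (raw[i // 8] >> (i % 8)) & 1]


def classify(hexstr):
    """Triage one value: 'all-hours' (the usual default), 'never' (no hour
    allowed), 'suspect' (16 zero bytes then stray bits, the shape of an
    uninitialised record), 'restricted' (any other schedule) or 'malformed'."""
    try:
        allowed = decode_logon_hours(hexstr)
    except ValueError:
        return "malformed"
    if len(allowed) == 8 * HOURS_BYTES:
        return "all-hours"
    if not allowed:
        return "never"
    if bytes.fromhex(hexstr)[:16] == bytes(16):   # heuristic, see docstring
        return "suspect"
    return "restricted"
```

Anything reported as "suspect" or "never" is a candidate for a rejoin of the machine rather than a hand edit of the tdbsam dump.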
Andrew Bartlett
2012-10-16 07:00:14 UTC
Post by Johannes Paechnatz
Post by Andrew Bartlett
Post by Johannes Paechnatz
fyi - samba3 tdbsam backend. I removed/edited several user accounts
with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
until all user accounts got migrated.
What was your 'unix charset'? (We may need to add a conversion here, as
we assume UTF8 at the ldb layer.)
LANG="de_DE"
LC_ALL="de_DE"
display charset = ISO8859-1
unix charset = ISO8859-1
I remember the reason for this was a software that couldn't handle
UTF-8 (which is fixed meanwhile) - and I know that we need to convert
the whole content of the filesystem when we migrate...
OK, that's certainly the issue here. Can you please file a bug, so we
can try and handle or at least detect it more clearly at classicupgrade
time?
Post by Johannes Paechnatz
Post by Andrew Bartlett
Post by Johannes Paechnatz
1. machine accounts: some machine accounts don't have Logon hours
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF, which seems to be a problem.
Could I manually change fields (which fields?) in the tdbsam dump? I
tried pdbedit -Z of the specific account, but that seems to change it
to an epoch style timestamp and migration fails again - so I removed
them in the tdbsam dump to get the migration working, after that
additional steps all user and machine accounts get migrated.
Can you give me some more detail about what is wrong here? We generally
do want to convert any valid samba3 account.
add machine script = /usr/sbin/useradd -c Machine -d /dev/null -g 1000
-s /bin/false %u
all machine accounts are added via this entry - so I thought they are the same.
Well, that doesn't control the samba passdb.tdb record, which is where
the failure is.
Post by Johannes Paechnatz
Failed to modify account record
objectclass_attrs: attribute 'logonHours' on entry
'CN=w-2000-007,CN=Computers,DC=SAMBA4SRV' contains at least one
invalid value!
ERROR(<class 'passdb.error'>): uncaught exception - Unable to add sam
account 'w-2000-007$', (-1073741811,Unexpected information received)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
1321, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 883,
in upgrade_from_samba3
s4_passdb.add_sam_account(userdata[username])
on samba3
pdbedit -Lv
Unix username: w-2000-007$
Account Flags: [W ]
User SID: S-1-5-21-2800255703-2035631742-3861056042-3132
Primary Group SID: S-1-5-21-2800255703-2035631742-3861056042-513
Full Name: W-2000-007$
Home Directory: \\filesrv\w-2000-007_
Logon Script: logon-users.bat
Profile Path: ""
Domain: BFE
Logon time: 0
Logoff time: 9223372036854775807 seconds since the Epoch
Kickoff time: 9223372036854775807 seconds since the Epoch
Password last set: Mon, 19 Sep 2011 08:25:53 CEST
Password can change: Mon, 19 Sep 2011 08:25:53 CEST
Password must change: Sun, 18 Dec 2011 07:25:53 CET
Last bad password : 0
Bad password count : 0
Logon hours : 0000000000000000000000000000000030ACC81063
That looks like an un-initialised value to me...
Post by Johannes Paechnatz
Unix username: W-4000-026$
Account Flags: [W ]
User SID: S-1-5-21-2800255703-2035631742-3861056042-2219
Primary Group SID: S-1-5-21-2800255703-2035631742-3861056042-513
Full Name: W-4000-026$
Home Directory: \\filesrv\w-4000-026_
Logon Script: logon-joh.bat
Profile Path: ""
Domain: BFE
Logon time: 0
Logoff time: 9223372036854775807 seconds since the Epoch
Kickoff time: 9223372036854775807 seconds since the Epoch
Password last set: Mon, 14 Mar 2011 08:54:54 CET
Password can change: Mon, 14 Mar 2011 08:54:54 CET
Password must change: Sun, 12 Jun 2011 09:54:54 CEST
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Please make sure you change the password on those accounts (rejoin) them
as you probably just exposed the machine account passwords there.

One thing we have found out with the classicupgrade script is that it is
the first consistency checker samba3 passdb backends have had, and so
the first time we really notice stuff like this.
Post by Johannes Paechnatz
Post by Andrew Bartlett
Post by Johannes Paechnatz
2. The server role of samba3 is ROLE_DOMAIN_PDC; after migration the
samba4 server is standalone and starting smbd works without error.
BUT if I change the server role to active directory domain controller
and try samba instead of smbd, I get an error: Failed to find record
for MYDOMAIN-HERE in /var/lib/samba/private/secrets.ldb: No such
object: Have you provisioned the MYDOMAIN-HERE domain? Provisioning a
new and empty ADS from scratch does work - but I need the migration
;-)
I tried to modify the secrets.tdb before I start the classicupgrade
without success.
This is a show-stopper ;-)
Exactly what command did you run?
samba-tool domain classicupgrade --dbdir=/root/daten --use-xattrs=yes
--realm=BFETV.BFE-SYSTEMHAUS.DE /root/daten/smb.conf
Post by Andrew Bartlett
We should upgrade a ROLE_DOMAIN_PDC into a 'server role = active
directory domain controller'. Are you sure you are using the smb.conf
produced by the upgrade?
Yes. I made a small script that removes all old data before I try a
rm /etc/samba/smb.conf
rm /var/lib/samba/private/*.ldb
rm /var/lib/samba/private/*.tdb
rm /var/lib/samba/private/sam.ldb.d/*
samba-tool domain classicupgrade --dbdir=/root/daten --use-xattrs=yes
--realm=BFETV.BFE-SYSTEMHAUS.DE /root/daten/smb.conf
Please let me know if you need more data/information.
Please show me the input and output smb.conf files.

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org