
Re: [Samba] Fwd: Migrating server

Hi Rob,

first things first. Thanks for the attached logs.txt!!!

> Hi Harry,
> Here are the outputs. I've attached them as logs with this email too.
> root@sam3dc:/tmp/ldifs-gr# ldapmodify -Y external -H ldapi:///  -f
> olcdbindex.ldif
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> modifying entry "olcDatabase={1}hdb,cn=config"
> root@sam3dc:/tmp/ldifs-gr# service slapd stop
>  * Stopping OpenLDAP slapd
>    [ OK ]
> root@sam3dc:/tmp/ldifs-gr# slapindex -v -n 1
> Runnig as root!
> There's a fair chance slapd will fail to start.
I overlooked this very important error message, sorry.

> Check file permissions!
We have run the slapindex command as root. So root becomes
 the owner of the files. That is surely wrong; openldap
 should be the owner.
This happens because of the not so sophisticated install
 scripts of Debian/Ubuntu. This is not easily fixable without
 breaking thousands of installations.

Do the following:
stop slapd

# chown -R openldap:openldap /etc/ldap/slapd.d/cn\=config/
# chown -R openldap:openldap /var/lib/ldap/ 

start slapd

> indexing id=00000001
> indexing id=00000002
> indexing id=00000003
> indexing id=00000004
> indexing id=00000005
> indexing id=00000006
> It goes on and completes the indexing

> root@sam3dc:/tmp/ldifs-gr# service slapd start
>  * Starting OpenLDAP slapd
>    [ OK ]
> net getdomainsid
> SID for local machine sam3dc is:
> S-1-5-21-286905455-3929894668-3957719032 SID for domain mydomain is:
> S-1-5-21-3936576374-1604348213-1812465911
And this is why I prefer this command!!!
You have different SIDs for PDC and DOMAIN and that is wrong!
> net getlocalsid
> SID for local machine sam3dc is:
> S-1-5-21-286905455-3929894668-3957719032
Nice command, but it did not help here. Just to show.

> getent passwd sadmin
> sadmin:x:1359:1359::/home/sadmin:/bin/sh
> getent passwd tadmin
> tadmin:x:1262:1150:Temp Admin,,,:/home/tadmin:/bin/bash
> root@sam3dc:/# getent group 512
> root@sam3dc:/#
> root@sam3dc:/# getent group 1359
> sadmin:x:1359:
getent group 1150

and let us look whether these groups are in LDAP

## a long one liner
# for g in 512 1359 1150; do ldapsearch -xLLL -b dc=mydomain "(&(objectclass=posixgroup)(gidnumber=$g))";done

> SYSLOG during the netdomainsid and getlocalsid

Until Tuesday I'm offline.


	Harry Jede
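The two checks below are an added example, not part of Harry's message and not code from the Samba or OpenLDAP projects. They cover the two problems the message walks through: index files left owned by root after running slapindex as root (slapd drops privileges to the service user and can then no longer open its own database), and the local-machine SID not matching the domain SID in `net getdomainsid` output. Assumed names: the Debian/Ubuntu service user `openldap`, the paths `/etc/ldap/slapd.d` and `/var/lib/ldap`, and the sample `net getdomainsid` output, which is constructed from the lines quoted in this thread. The repair function also shows the safer way to reindex next time: run slapindex as the service user so root never becomes the owner in the first place.

```shell
#!/bin/sh
# Added example; not from the list message or from Samba/OpenLDAP.
# Assumptions: service user "openldap", Debian paths /etc/ldap/slapd.d and
# /var/lib/ldap, and constructed "net getdomainsid" samples (see bottom).

# 1. Ownership check.  Lists every path under DIR not owned by USER.
#    Returns 0 when everything is owned by USER, 1 when something is not,
#    2 when USER does not exist on this host.
find_wrong_owner() {
    dir=$1; user=$2
    id "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 2; }
    bad=$(find "$dir" ! -user "$user" 2>/dev/null)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# 2. The repair from the message (stop, chown, start), with the reindex run
#    as the service user via su instead of as root.  Needs root; the test
#    below does not call it.
reindex_as_service_user() {
    user=${1:-openldap}
    service slapd stop
    chown -R "$user:$user" /etc/ldap/slapd.d /var/lib/ldap
    su -s /bin/sh -c 'slapindex -v -n 1' "$user"
    service slapd start
}

# 3. SID consistency.  Reads "net getdomainsid" output on stdin, pulls out
#    the two SIDs (local machine first, domain second, in print order) and
#    compares them.  On a Samba PDC they must be identical.
#    Prints "match" or "mismatch"; returns 1 on mismatch or parse failure.
check_domain_sid() {
    out=$(cat)
    # grep -o ignores the mailer's line wrapping: it only needs the tokens.
    sids=$(printf '%s\n' "$out" | grep -o 'S-1-5-21-[0-9-]*')
    local_sid=$(printf '%s\n' "$sids" | sed -n 1p)
    domain_sid=$(printf '%s\n' "$sids" | sed -n 2p)
    if [ -z "$local_sid" ] || [ -z "$domain_sid" ]; then
        echo "could not parse two SIDs" >&2
        return 1
    fi
    if [ "$local_sid" = "$domain_sid" ]; then
        echo match
        return 0
    fi
    echo "mismatch"
    echo "local:  $local_sid" >&2
    echo "domain: $domain_sid" >&2
    return 1
}

# Constructed sample: the output Rob quoted, with the mailer's line wrap
# kept as it appeared in the thread.
SAMPLE_MISMATCH='SID for local machine sam3dc is:
S-1-5-21-286905455-3929894668-3957719032 SID for domain mydomain is:
S-1-5-21-3936576374-1604348213-1812465911'

# Constructed sample of a healthy PDC for contrast (same SID twice).
SAMPLE_MATCH='SID for local machine sam3dc is: S-1-5-21-286905455-3929894668-3957719032
SID for domain mydomain is: S-1-5-21-286905455-3929894668-3957719032'
```

Usage on the server: `find_wrong_owner /var/lib/ldap openldap` after any slapindex run (non-zero exit means slapd will most likely fail to start), and `net getdomainsid | check_domain_sid` for the SID check. `reindex_as_service_user` needs root and stops slapd for the duration of the reindex.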
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba