
Re: [Samba] classicupgrade questions




---------- Original e-mail ----------

> Problem a)"

> ...

> init_sam_from_ldap: Entry found for user: pc0027$

> init_sam_from_ldap: Failed to find Unix account for pc0027$

1. Error

 
 
> ldapsam_getsampwnam: init_sam_from_ldap failed for user 'pc0027$'!

> ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user information for 'pc0027$', (-1073741724,The specified account does not exist.)

"init_sam_from_ldap" is not able to find expected information for the object
'pc0027$'.

 
 
>   File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 1636, in run
>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/local/samba.ad/lib64/python2.7/site-packages/samba/upgrade.py", line 568, in upgrade_from_samba3
>     user = s3db.getsampwnam(username)

> 

> The machine LDAP data:

> # pc0027$, machines, nspuh.cz

> dn: uid=pc0027$,ou=machines,dc=nspuh,dc=cz

> uid: pc0027$

> objectClass: account

> objectClass: sambaSamAccount

> sambaPwdMustChange: 2147483647

> sambaAcctFlags: [W          ]

> sambaPwdCanChange: 1158129830

> sambaPwdLastSet: 1158129830

> displayName: PC0027$

> sambaSID: S-1-5-21-..numbers here...-45023

Objectclass is wrong!

 
 
"init_sam_from_ldap" searches for "objectClass: posixAccount"

Your problem is that you are *not* using "objectClass: posixAccount". So 
your machine objects have no posix attributes. I assume you store the posix 
stuff in /etc/passwd, shadow and group. This still works today, but has been 
deprecated for decades.

 
 
i.e.

# ldapsearch -xLLL -D cn=admin,dc=europa,dc=xx -W -b ou=machines,ou=accounts,dc=europa,dc=xx -s onelevel 'uid=ainf17$'

Enter LDAP Password: 

dn: uid=ainf17$,ou=machines,ou=accounts,dc=europa,dc=xx

cn: ainf17$

uid: ainf17$

uidNumber: 10020

gidNumber: 515

homeDirectory: /dev/null

loginShell: /bin/false

description: Computer

gecos: Computer

objectClass: posixAccount

objectClass: account

objectClass: sambaSamAccount

sambaLogonTime: 0

sambaLogoffTime: 2147483647

sambaKickoffTime: 2147483647

sambaPwdCanChange: 0

sambaPwdMustChange: 2147483647

sambaAcctFlags: [W ]

sambaSID: S-1-5-21-3958726613-3318811842-4132420312-21040

sambaPrimaryGroupSID: S-1-5-21-3958726613-3318811842-4132420312-515

displayName: ainf17$

sambaDomainName: EUROPA

sambaNTPassword: 91883F44E044F4F12A683E4683B2CE9D

sambaPwdLastSet: 1387993516

 
 
These attributes must exist: 

cn uid uidNumber gidNumber homeDirectory sambaSID

 

"
  Yes, you're right, I (already) added machines posixAccount attribs into 
LDAP data and classicupgrade was satisfied.

 
"


 
 
 
 
 
 
 
> b) After upgrade, a lot of imported users in AD have "account

> disabled". One of them, as far as I can remember, was user "anger":

> dn: uid=anger,ou=People,dc=nspuh,dc=cz

> objectClass: shadowAccount

> objectClass: person

> objectClass: inetOrgPerson

> objectClass: OXUserObject

> objectClass: posixAccount

> objectClass: top

> objectClass: sambaSamAccount

> uid: anger

> shadowMin: 0

> shadowMax: 9999

> shadowWarning: 7

> shadowExpire: 0

> cn: anger

> preferredLanguage: EN

> userCountry: Czech Republic

> mailEnabled: OK

> lnetMailAccess: TRUE

> OXAppointmentDays: 5

> OXGroupID: 500

> OXTaskDays: 5

> OXTimeZone:: RXVyb3BlL3ByYWd1ZSA=

> loginShell: /usr/bin/ksh

> uidNumber: 270

> gidNumber: 20

> homeDirectory: /home/anger

> sambaSID: S-1-5-21-......-1540

> employeeNumber: 114

> sambaPwdLastSet: 1344931739

> mail: anger@xxxxxxxx

> mailDomain: nemuh.cz

> o: UHN a.s.

> description:: WmRlbsSbayBBbmdlcg==

> givenName:: WmRlbsSbaw==

> sn: ANGER

> gecos: MUDr. Zdenek Anger

> ou: -

> 

>   Why is imported/upgraded account locked?

I do not know. Maybe the "OX..." attributes, maybe the base64 encoded 
attributes, maybe something else.

"



  I stopped searching for this for now, as I went into bigger problems 
elsewhere :-]




"





> c) After upgrade, national characters in (probably) user description

> and givenName are not correctly displayed - there are question marks in

> the names (in AD administration), every user (with national

> characters in their names) has the problem.

>   Why?  
 
Maybe the migration script does not handle base64 encoded strings 
correctly.

i.e.

 
 
givenName:: WmRlbsSbaw==

 
 
# echo -n WmRlbsSbaw== | base64 -d ;echo

Zdeněk

 
 
If a value is base64 encoded, then the field separator is a double colon.

"



  Yes, this was because of running classicupgrade on a different (new) server 
with a different language encoding. After removing unix charset from the samba 
config the names are correct.




  Thanks, Michal