Web lists-archives.com

Re: [Samba] Migrating from Samba 3: no groups/users are imported ("listed, but then not found", "does not belong to our domain")




On Tue, 04 Sep 2018 10:26:38 +0700
Konstantin Boyandin via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Rowland Penny via samba писал 2018-09-03 17:12:
> > On Mon, 03 Sep 2018 04:27:07 +0000
> > "Konstantin Boyandin \(lists\) via samba" <samba@xxxxxxxxxxxxxxx> 
> > wrote:
> > 
> >> Hello,
> >> 
> >> Going further with migrating NT4 domain (Samba 3) to Samba 4.
> >> Thanks for the previous suggestions.
> >> 
> >> When doing
> >> 
> >> # samba-tool domain classicupgrade --dbdir=/usr/local/samba.LAN/
> >> --realm=ad-lan.com
> >> --dns-backend=BIND9_DLZ /usr/local/samba.LAN/smb.conf
> >> --option="interfaces=lo ens3" --option="bind interfaces only=yes"
> >> 
> >> I see in stderr the below:
> >> 
> >> Ignoring group 'ossi'
> >> S-1-5-21-1411277624-4092985889-3405756581-3001 listed but then not
> >> found: Unable to enumerate group members, (-1073741722,The
> >> specified group does not exist.)
> >> 
> >> for every group from existing LDAP backend of Samba 3, and
> >> 
> >> sid S-1-5-21-1411277624-4092985889-3405756581-2062 does not belong
> >> to our domain
> >> 
> > 
> > Okay, I take it your PDC was called pdclan and the domain was called
> > 'LAN', I have no idea what the dns domain was.
> > 
> > You have now created a new AD DC using the dns domain 'ad-lan.com'
> > and the new AD DC is called 'dc'
> > 
> > So from my reading there are three Samba workgroup names in play:
> > 
> > PDCLAN
> > LAN
> > AD-LAN
> > 
> > I think this, (along with using '--realm=ad-lan.com' instead of
> > 'realm = ad-lan' in smb.conf) is your problem. You are trying to
> > change the domain from 'LAN' to 'AD-LAN', Samba is undoubtedly
> > treating this as a new domain and creating a new SID for it.
> 
> That's intentional.
> 
> LAN is NT4 (Samba 3) domain, and I may not just upgrade it without 
> thorough testing - too many resources are using it, and breaking down 
> network is not an option.
> 
> So yes, I create a new domain, under real-life domain name (I own 
> ad-lan.com) and, after transferring everything into it, testing in 
> sandbox environment, I will begin transferring everything from Samba
> 3 into the Samba 4 domain (i.e., both LAN and AD-LAN will co-exist in
> the same network for some time).
> 
> So the question, how do I do the upgrade to Samba 4 while importing
> the users/groups from Samba 3 domain in this case? Alternately, how
> can I import Samba 3 entities from Samba 3LDAP backend *after*
> creating a separate Samba 4 domain?
> 
> Also, what's wrong with '--realm=ad-lan.com' ?

The main thing is that the upgrade code ignores it!

The classic upgrade is built upon doing just that, upgrading an
NT4-style domain to an AD domain using the same workgroup name.

You seem to be trying to do some hybrid method and might as well
create a new domain. You cannot have a domain called 'LAN' and a
domain called 'AD-LAN' with the same SID.

What most people do is to create a test domain in a sandbox, carry
out the upgrade multiple times, correcting errors, until they know
just what they have to do to get a new AD domain. Once they are sure
it will work, they do it for real. You should also be aware that once
your clients see your new AD domain, they will not go back to the
NT4-style domain.
If the upgrade is carried out correctly, your clients shouldn't
notice.

Your method (which is creating a new domain) will mean you will have
to rejoin the computers to the domain.
  
Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba