[Samba] classicupgrade from LDAP - failed to find Unix account for machine account

2013-04-04 Thread David Adam
Hi all,

We have a somewhat crufty Samba 3 PDC NT-style domain backed on to an 
OpenLDAP server that we use for both Linux and Windows 7 authentication, 
thanks to the magic of ldapsam and smbk5pwd.

I am investigating the feasibility of moving to Samba 4 and have tried 
upgrading with the classicupgrade tool in both the Samba 4.0.0 packages in 
Debian unstable and also with GIT v4-0-stable (b341371).

The current roadblock is that a machine account produces an error in the 
migration:

init_sam_from_ldap: Failed to find Unix account for CICHLID$
ldapsam_getsampwnam: init_sam_from_ldap failed for user 'CICHLID$'!
ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user 
information for 'CICHLID$', (-1073741724,No such user)

Notably all of our Linux machines joined to the domain have posixAccount 
credentials, but the Windows machines do not.

The LDAP entry for this machine is:
dn: uid=CICHLID$,ou=Computers,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
objectClass: sambaSamAccount
objectClass: account
displayName: CICHLID$
sambaAcctFlags: [W  ]
sambaNTPassword: {elided}
sambaPwdLastSet: 1364267120
sambaSID: S-1-5-21-3342141748-1574249315-1264630062-1075
uid: CICHLID$

The entries for all our Windows 7 machines look similar.

The Linux machines all also have a posixAccount objectClass with the 
appropriate attributes.

Importantly, we have ldapsam:trusted set in our Samba 3 config, and with 
the add machine script set to:
/usr/sbin/cpu -C /etc/cpu/cpu-samba.conf useradd -d /dev/null -o %u
(where cpu-samba.conf sets the default container to the Computers OU, 
disables the home directory and shell, and sets the GID to the computers 
group).

Any suggestions? I am particularly curious as to why the add machine 
script doesn't appear to be doing anything for Windows machines joined to 
the domain, and why the classicupgrade script is trying to look for user 
account details for machine accounts.

Thanks,

David Adam
zanc...@ucc.gu.uwa.edu.au
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] classicupgrade from LDAP - failed to find Unix account for machine account

2013-04-04 Thread Andrew Bartlett
On Thu, 2013-04-04 at 15:30 +0800, David Adam wrote:
> Hi all,
> 
> We have a somewhat crufty Samba 3 PDC NT-style domain backed on to an 
> OpenLDAP server that we use for both Linux and Windows 7 authentication, 
> thanks to the magic of ldapsam and smbk5pwd.
> 
> I am investigating the feasibility of moving to Samba 4 and have tried 
> upgrading with the classicupgrade tool in both the Samba 4.0.0 packages in 
> Debian unstable and also with GIT v4-0-stable (b341371).
> 
> The current roadblock is that a machine account produces an error in the 
> migration:
> 
> init_sam_from_ldap: Failed to find Unix account for CICHLID$
> ldapsam_getsampwnam: init_sam_from_ldap failed for user 'CICHLID$'!
> ERROR(<class 'passdb.error'>): uncaught exception - Unable to get user 
> information for 'CICHLID$', (-1073741724,No such user)
> 
> Notably all of our Linux machines joined to the domain have posixAccount 
> credentials, but the Windows machines do not.
> 
> The LDAP entry for this machine is:
> dn: uid=CICHLID$,ou=Computers,dc=ucc,dc=gu,dc=uwa,dc=edu,dc=au
> objectClass: sambaSamAccount
> objectClass: account
> displayName: CICHLID$
> sambaAcctFlags: [W  ]
> sambaNTPassword: {elided}
> sambaPwdLastSet: 1364267120
> sambaSID: S-1-5-21-3342141748-1574249315-1264630062-1075
> uid: CICHLID$
> 
> The entries for all our Windows 7 machines look similar.
> 
> The Linux machines all also have a posixAccount objectClass with the 
> appropriate attributes.
> 
> Importantly, we have ldapsam:trusted set in our Samba 3 config, and with 
> the add machine script set to:
> /usr/sbin/cpu -C /etc/cpu/cpu-samba.conf useradd -d /dev/null -o %u
> (where cpu-samba.conf sets the default container to the Computers OU, 
> disables the home directory and shell, and sets the GID to the computers 
> group).
> 
> Any suggestions? I am particularly curious as to why the add machine 
> script doesn't appear to be doing anything for Windows machines joined to 
> the domain, and why the classicupgrade script is trying to look for user 
> account details for machine accounts.

So, what has happened is that I've forced on the 'ldapsam:trusted' in
our classicupgrade script, as it makes it much, much easier to set up a
migration, as you don't have to set up nss_ldap and then tear it down
again.  

I had assumed that almost all installations of Samba as a DC on LDAP
would store the unix account with the Samba account. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org




Re: [Samba] classicupgrade from LDAP - failed to find Unix account for machine account

2013-04-04 Thread David Adam
On Thu, 4 Apr 2013, Andrew Bartlett wrote:
> On Thu, 2013-04-04 at 15:30 +0800, David Adam wrote:
> > Hi all,
> > 
> > We have a somewhat crufty Samba 3 PDC NT-style domain backed on to an 
> > OpenLDAP server that we use for both Linux and Windows 7 authentication, 
> > thanks to the magic of ldapsam and smbk5pwd.
> > 
> 
> So, what has happened is that I've forced on the 'ldapsam:trusted' in
> our classicupgrade script, as it makes it much, much easier to set up a
> migration, as you don't have to set up nss_ldap and then tear it down
> again.
> 
> I had assumed that almost all installations of Samba as a DC on LDAP
> would store the unix account with the Samba account.

Your psychic powers were accurate; for some reason we still have a few 
machine accounts in /etc/passwd on the PDC and not in LDAP, even though we 
have ldapsam:trusted set. (I'm surprised that works.)

Deleting the entries in /etc/passwd and rejoining the machines to the 
domain helps immensely.

Thanks

David
zanc...@ucc.gu.uwa.edu.au
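The thread boils down to two pre-upgrade checks: Andrew's point that classicupgrade forces ldapsam:trusted, so every sambaSamAccount entry (machine accounts included) needs posixAccount data in LDAP, and David's finding that some machine accounts lived only in /etc/passwd on the PDC. The script below is an added example, not code from the thread or from Samba's own tooling; it reads an LDIF dump (as slapcat or ldapsearch -LLL would produce) plus the PDC's /etc/passwd and lists both kinds of account that would trip "Failed to find Unix account". The entries, SIDs, uidNumbers and passwd lines are constructed sample data.

```python
"""Pre-classicupgrade audit for a Samba 3 ldapsam domain (added example).

classicupgrade forces ldapsam:trusted, so each sambaSamAccount entry must
carry posixAccount attributes itself, and machine accounts that exist only
in the PDC's /etc/passwd will not be found. Sample data below is constructed.
"""
import base64
from typing import Dict, List

# Constructed LDIF in slapcat style; SIDs and uidNumbers are invented.
SAMPLE_LDIF = """\
dn: uid=CICHLID$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
objectClass: account
displayName: CICHLID$
sambaAcctFlags: [W          ]
sambaSID: S-1-5-21-1-2-3-1075
uid: CICHLID$

dn: uid=TILAPIA$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
sambaAcctFlags: [W          ]
sambaSID: S-1-5-21-1-2-3-1076
uid: TILAPIA$
uidNumber: 20001
gidNumber: 515
homeDirectory: /dev/null

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
objectClass: posixAccount
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-1-2-3-1001
uid: alice
uidNumber: 10001
gidNumber: 100
homeDirectory: /home/alice
"""

# Constructed /etc/passwd from the PDC: CICHLID$ was created locally, not in LDAP.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:10001:100::/home/alice:/bin/bash
CICHLID$:x:20000:515::/dev/null:/bin/false
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: one dict of lower-cased attr -> values per entry.
    Unfolds continuation lines (leading space) and decodes 'attr:: base64'."""
    entries: List[Entry] = []
    pending: List[str] = []                 # unfolded lines of the current entry
    for raw in text.splitlines() + [""]:    # trailing "" flushes the last entry
        if raw.startswith(" ") and pending:
            pending[-1] += raw[1:]          # folded continuation line
            continue
        if raw != "":
            pending.append(raw)
            continue
        entry: Entry = {}
        for line in pending:
            if line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            value = value.lstrip()
            if value.startswith(":"):       # 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value)
        if entry:
            entries.append(entry)
        pending = []
    return entries


def object_classes(entry: Entry) -> set:
    return {c.lower() for c in entry.get("objectclass", [])}


def has_posix_account(entry: Entry) -> bool:
    """ldapsam:trusted needs posixAccount plus uidNumber/gidNumber on the entry."""
    return ("posixaccount" in object_classes(entry)
            and "uidnumber" in entry and "gidnumber" in entry)


def parse_passwd(text: str) -> Dict[str, int]:
    """Map account name -> uid from passwd(5) formatted text."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and not line.startswith("#"):
            users[fields[0]] = int(fields[2])
    return users


def audit(ldif_text: str, passwd_text: str) -> Dict[str, List[str]]:
    """List Samba accounts lacking posix data and machine accounts kept locally."""
    entries = parse_ldif(ldif_text)
    missing = sorted(e["uid"][0] for e in entries
                     if "sambasamaccount" in object_classes(e)
                     and not has_posix_account(e))
    local = sorted(n for n in parse_passwd(passwd_text) if n.endswith("$"))
    return {"missing_posix": missing, "local_machine_accounts": local}


if __name__ == "__main__":
    for kind, names in audit(SAMPLE_LDIF, SAMPLE_PASSWD).items():
        print(f"{kind}: {', '.join(names) or 'none'}")
```

Run it against the real slapcat output and the PDC's /etc/passwd before starting classicupgrade. Every name under missing_posix needs posixAccount attributes added to its LDAP entry (or, for a machine, the fix David used: delete the local entry and rejoin the machine so the add machine script recreates it in LDAP); a non-empty local_machine_accounts list means the PDC is still resolving some machines through local files despite ldapsam:trusted.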