Re: [Samba] samba3 to samba4 // logon hours // server role secrets.tdb, secrets.ldb

2012-10-16 Thread Andrew Bartlett
On Tue, 2012-10-16 at 08:45 +0200, Johannes Paechnatz wrote:
> >> fyi - samba3 tdbsam backend. I removed/edited several user accounts
> >> with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
> >> until all user accounts got migrated.
> >
> > What was your 'unix charset' (we may need to add a conversion here, as
> > we assume UTF8 at the ldb layer).
> 
> old samba3 server:
> LANG="de_DE"
> LC_ALL="de_DE"
> 
> smb.conf:
> display charset = ISO8859-1
> unix charset = ISO8859-1
> I remember the reason for this was a software that couldn't handle
> UTF-8 (which is fixed meanwhile) - and I know that we need to convert
> the whole content of the filesystem when we migrate...

OK, that's certainly the issue here.  Can you please file a bug, so we
can try and handle or at least detect it more clearly at classicupgrade
time?

> >> 1. machine accounts: some machine accounts don't have Logon hours
> >> FF, which seems to be a problem.
> >> Could I manually change fields (which fields?) in the tdbsam dump? I
> >> tried pdbedit  -Z of the specific account, but that seems to change it
> >> to an epoch style timestamp and migration fails again - so I removed
> >> them in the tdbsam dump to get the migration working, after that
> >> additional steps all user and machine accounts get migrated.
> >
> > Can you give me some more detail about what is wrong here?  We generally
> > do want to convert any valid samba3 account.
> 
> old samba3 server:
> add machine script = /usr/sbin/useradd -c Machine -d /dev/null -g 1000
> -s /bin/false %u
> 
> all machine accounts are added via this entry - so I thought they are the 
> same.

Well, that doesn't control the samba passdb.tdb record, which is where
the failure is.

> example:
> 
> Failed to modify account record
> CN=w-2000-007,CN=Computers,DC=SAMBA4SRV to set user attributes:
> objectclass_attrs: attribute 'logonHours' on entry
> 'CN=w-2000-007,CN=Computers,DC=SAMBA4SRV' contains at least one
> invalid value!
> ERROR(): uncaught exception - Unable to add sam
> account 'w-2000-007$', (-1073741811,Unexpected information received)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
> 1321, in run
> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>   File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 883,
> in upgrade_from_samba3
> s4_passdb.add_sam_account(userdata[username])
> 
> on samba3
> pdbedit -Lv
> 
> Unix username:w-2000-007$
> NT username:
> Account Flags:[W  ]
> User SID: S-1-5-21-2800255703-2035631742-3861056042-3132
> Primary Group SID:S-1-5-21-2800255703-2035631742-3861056042-513
> Full Name:W-2000-007$
> Home Directory:   \\filesrv\w-2000-007_
> HomeDir Drive:L:
> Logon Script: logon-users.bat
> Profile Path: ""
> Domain:   BFE
> Account desc:
> Workstations:
> Munged dial:
> Logon time:   0
> Logoff time:  9223372036854775807 seconds since the Epoch
> Kickoff time: 9223372036854775807 seconds since the Epoch
> Password last set:Mon, 19 Sep 2011 08:25:53 CEST
> Password can change:  Mon, 19 Sep 2011 08:25:53 CEST
> Password must change: Sun, 18 Dec 2011 07:25:53 CET
> Last bad password   : 0
> Bad password count  : 0
> Logon hours : 30ACC81063

That looks like an un-initialised value to me...

> other successful migrated account:
> 
> Unix username:W-4000-026$
> NT username:
> Account Flags:[W  ]
> User SID: S-1-5-21-2800255703-2035631742-3861056042-2219
> Primary Group SID:S-1-5-21-2800255703-2035631742-3861056042-513
> Full Name:W-4000-026$
> Home Directory:   \\filesrv\w-4000-026_
> HomeDir Drive:L:
> Logon Script: logon-joh.bat
> Profile Path: ""
> Domain:   BFE
> Account desc:
> Workstations:
> Munged dial:
> Logon time:   0
> Logoff time:  9223372036854775807 seconds since the Epoch
> Kickoff time: 9223372036854775807 seconds since the Epoch
> Password last set:Mon, 14 Mar 2011 08:54:54 CET
> Password can change:  Mon, 14 Mar 2011 08:54:54 CET
> Password must change: Sun, 12 Jun 2011 09:54:54 CEST
> Last bad password   : 0
> Bad password count  : 0
> Logon hours : FF
> 
> tdbdump of both (made on the samba4 machine, if tdbtools version matters?):
> 
> {
> key(17) = "USER_w-2000-007$\00"
> data(199) = 
> "\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00q\E0vN\8F\19zFq\87\EDN\0C\00\00\00w-2000-007$\00\04\00\00\00BFE\00\01\00\00\00\00\0C\00\00\00W-2000-007$\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00<\0C\00\00\01\02\00\00\00\00\00\00\10\00\00\

Re: [Samba] samba3 to samba4 // logon hours // server role secrets.tdb, secrets.ldb

2012-10-15 Thread Johannes Paechnatz
>> fyi - samba3 tdbsam backend. I removed/edited several user accounts
>> with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
>> until all user accounts got migrated.
>
> What was your 'unix charset' (we may need to add a conversion here, as
> we assume UTF8 at the ldb layer).

old samba3 server:
LANG="de_DE"
LC_ALL="de_DE"

smb.conf:
display charset = ISO8859-1
unix charset = ISO8859-1
I remember the reason for this was a software that couldn't handle
UTF-8 (which is fixed meanwhile) - and I know that we need to convert
the whole content of the filesystem when we migrate...

>> 1. machine accounts: some machine accounts don't have Logon hours
>> FF, which seems to be a problem.
>> Could I manually change fields (which fields?) in the tdbsam dump? I
>> tried pdbedit  -Z of the specific account, but that seems to change it
>> to an epoch style timestamp and migration fails again - so I removed
>> them in the tdbsam dump to get the migration working, after that
>> additional steps all user and machine accounts get migrated.
>
> Can you give me some more detail about what is wrong here?  We generally
> do want to convert any valid samba3 account.

old samba3 server:
add machine script = /usr/sbin/useradd -c Machine -d /dev/null -g 1000
-s /bin/false %u

all machine accounts are added via this entry - so I thought they are the same.

example:

Failed to modify account record
CN=w-2000-007,CN=Computers,DC=SAMBA4SRV to set user attributes:
objectclass_attrs: attribute 'logonHours' on entry
'CN=w-2000-007,CN=Computers,DC=SAMBA4SRV' contains at least one
invalid value!
ERROR(): uncaught exception - Unable to add sam
account 'w-2000-007$', (-1073741811,Unexpected information received)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
1321, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 883,
in upgrade_from_samba3
s4_passdb.add_sam_account(userdata[username])

on samba3
pdbedit -Lv

Unix username:w-2000-007$
NT username:
Account Flags:[W  ]
User SID: S-1-5-21-2800255703-2035631742-3861056042-3132
Primary Group SID:S-1-5-21-2800255703-2035631742-3861056042-513
Full Name:W-2000-007$
Home Directory:   \\filesrv\w-2000-007_
HomeDir Drive:L:
Logon Script: logon-users.bat
Profile Path: ""
Domain:   BFE
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  9223372036854775807 seconds since the Epoch
Kickoff time: 9223372036854775807 seconds since the Epoch
Password last set:Mon, 19 Sep 2011 08:25:53 CEST
Password can change:  Mon, 19 Sep 2011 08:25:53 CEST
Password must change: Sun, 18 Dec 2011 07:25:53 CET
Last bad password   : 0
Bad password count  : 0
Logon hours : 30ACC81063

other successful migrated account:

Unix username:W-4000-026$
NT username:
Account Flags:[W  ]
User SID: S-1-5-21-2800255703-2035631742-3861056042-2219
Primary Group SID:S-1-5-21-2800255703-2035631742-3861056042-513
Full Name:W-4000-026$
Home Directory:   \\filesrv\w-4000-026_
HomeDir Drive:L:
Logon Script: logon-joh.bat
Profile Path: ""
Domain:   BFE
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  9223372036854775807 seconds since the Epoch
Kickoff time: 9223372036854775807 seconds since the Epoch
Password last set:Mon, 14 Mar 2011 08:54:54 CET
Password can change:  Mon, 14 Mar 2011 08:54:54 CET
Password must change: Sun, 12 Jun 2011 09:54:54 CEST
Last bad password   : 0
Bad password count  : 0
Logon hours : FF

tdbdump of both (made on the samba4 machine, if tdbtools version matters?):

{
key(17) = "USER_w-2000-007$\00"
data(199) = 
"\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00q\E0vN\8F\19zFq\87\EDN\0C\00\00\00w-2000-007$\00\04\00\00\00BFE\00\01\00\00\00\00\0C\00\00\00W-2000-007$\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00<\0C\00\00\01\02\00\00\00\00\00\00\10\00\00\00\8C\9A\F1\16\AA@\90\1Ef\0E\95\B2\CAW\7F\97\00\00\00\00\80\00\00\00\00\00\00\00\00\00
\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\000\AC\C8\10c\7F\00\00\00\80\00\10\00\00\00\00\00\00\00\00\00\00\00\00"
}

{
key(13) = "RID_0c3c\00"
data(12) = "w-2000-007$\00"
}


{
key(17) = "USER_w-4000-026$\00"
data(199) = 
"\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00\CE\C9}M\00\00\00\00\CEp\F4M\0C\00\00\00W-4000-026$\00\04\00\00\00BFE\00\01\00\00\00\00\0C\00\00\00W-4000-026$\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00

Re: [Samba] samba3 to samba4 // logon hours // server role secrets.tdb, secrets.ldb

2012-10-15 Thread Andrew Bartlett
On Mon, 2012-10-15 at 11:52 +0200, Johannes Paechnatz wrote:
> Hello.
> 
> I tried the migration from samba3 domain master (pdc) to a samba4.
> 
> samba4 -V:
> Version 4.1.0pre1-GIT-2c3a808
> 
> I used the wiki entry about samba3 migration as a guide, copied over
> the data etc. but I have some questions left.
> 
> fyi - samba3 tdbsam backend. I removed/edited several user accounts
> with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
> until all user accounts got migrated.

What was your 'unix charset' (we may need to add a conversion here, as
we assume UTF8 at the ldb layer). 

> 1. machine accounts: some machine accounts don't have Logon hours
> FF, which seems to be a problem.
> Could I manually change fields (which fields?) in the tdbsam dump? I
> tried pdbedit  -Z of the specific account, but that seems to change it
> to an epoch style timestamp and migration fails again - so I removed
> them in the tdbsam dump to get the migration working, after that
> additional steps all user and machine accounts get migrated.

Can you give me some more detail about what is wrong here?  We generally
do want to convert any valid samba3 account.

> 2. The server role of samba3 is ROLE_DOMAIN_PDC after migration the
> samba4 server is stand alone and starting of smbd works without error.
> BUT if I change the server role to active directory domain controller
> and try samba instead of smbd, I get an error: Failed to find record
> for MYDOMAIN-HERE in /var/lib/samba/private/secrets.ldb: No such
> object: Have you provisioned the MYDOMAIN-HERE domain? Provisioning a
> new and empty ADS from scratch does work - but I need the migration
> ;-)
> I tried to modify the secrets.tdb before I start the classicupgrade
> without success.
> 
> This is a show-stopper ;-)

Exactly what command did you run? 

We should upgrade a ROLE_DOMAIN_PDC into a 'server role = active
directory domain controller'.  Are you sure you are using the smb.conf
produced by the upgrade?

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
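
A pre-migration check for the two problems raised in this thread (non-UTF-8 strings and odd 'Logon hours' values), as an added example that is not part of the original messages or of Samba's code. It is written for Python 3; the function names, the sample accounts and the 42-hex-digit 'Logon hours' format are assumptions.

```python
# Constructed sample of `pdbedit -Lv` output as raw bytes. Field names follow
# the output quoted in this thread; accounts and values are made up. Assumption:
# 'Logon hours' is shown as 42 hex digits (21 bytes); the thread abbreviates it.
SAMPLE = (
    b"---------------\n"
    b"Unix username:        pc-a$\n"
    b"Full Name:            PC-A$\n"
    b"Logon hours         : " + b"F" * 42 + b"\n"
    b"---------------\n"
    b"Unix username:        pc-b$\n"
    b"Full Name:            PC-B$\n"
    b"Logon hours         : 30ACC81063" + b"0" * 32 + b"\n"
    b"---------------\n"
    b"Unix username:        jmueller\n"
    b"Full Name:            J\xfcrgen M\xfcller\n"  # ISO8859-1 encoded umlauts
    b"Logon hours         : " + b"F" * 42 + b"\n"
)

def parse_records(raw):
    """Split pdbedit -Lv output into one {field: raw bytes} dict per account."""
    records = []
    for line in raw.splitlines():
        key, sep, value = line.partition(b":")
        key = key.strip().decode("ascii", "replace")
        if sep and key == "Unix username":
            records.append({})
        if sep and records:
            records[-1][key] = value.strip()
    return records

def preflight(raw, legacy="iso8859-1"):
    """List (account, field, problem) tuples to fix before classicupgrade."""
    findings = []
    for rec in parse_records(raw):
        name = rec["Unix username"].decode("ascii", "replace")
        for field, value in rec.items():
            try:
                value.decode("utf-8")  # what the ldb layer expects
            except UnicodeDecodeError:
                findings.append((name, field, "not UTF-8; %s reads: %s"
                                 % (legacy, value.decode(legacy))))
        hours = rec.get("Logon hours", b"").decode("ascii", "replace").upper()
        if hours and set(hours) != {"F"}:
            findings.append((name, "Logon hours", "not all FF: " + hours))
    return findings

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print(finding)
```

A user account flagged for 'Logon hours' may carry a deliberate restriction and only needs review; the check treats every value that is not all FF the same way.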


[Samba] samba3 to samba4 // logon hours // server role secrets.tdb, secrets.ldb

2012-10-15 Thread Johannes Paechnatz
Hello.

I tried the migration from samba3 domain master (pdc) to a samba4.

samba4 -V:
Version 4.1.0pre1-GIT-2c3a808

I used the wiki entry about samba3 migration as a guide, copied over
the data etc. but I have some questions left.

fyi - samba3 tdbsam backend. I removed/edited several user accounts
with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
until all user accounts got migrated.

1. machine accounts: some machine accounts don't have Logon hours
FF, which seems to be a problem.
Could I manually change fields (which fields?) in the tdbsam dump? I
tried pdbedit  -Z of the specific account, but that seems to change it
to an epoch style timestamp and migration fails again - so I removed
them in the tdbsam dump to get the migration working, after that
additional steps all user and machine accounts get migrated.

2. The server role of samba3 is ROLE_DOMAIN_PDC after migration the
samba4 server is stand alone and starting of smbd works without error.
BUT if I change the server role to active directory domain controller
and try samba instead of smbd, I get an error: Failed to find record
for MYDOMAIN-HERE in /var/lib/samba/private/secrets.ldb: No such
object: Have you provisioned the MYDOMAIN-HERE domain? Provisioning a
new and empty ADS from scratch does work - but I need the migration
;-)
I tried to modify the secrets.tdb before I start the classicupgrade
without success.

This is a show-stopper ;-)

Could you provide me a hint / solution to this?

Thanks.


cu Joh.Paechnatz

-- 
Johannes Paechnatz
