Re: [Samba] samba3 to samba4 // logon hours // server role secrets.tdb, secrets.ldb
On Tue, 2012-10-16 at 08:45 +0200, Johannes Paechnatz wrote:
> >> fyi - samba3 tdbsam backend. I removed/edited several user accounts
> >> with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
> >> until all user accounts got migrated.
> >
> > What was your 'unix charset' (we may need to add a conversion here, as
> > we assume UTF8 at the ldb layer).
>
> old samba3 server:
> LANG="de_DE"
> LC_ALL="de_DE"
>
> smb.conf:
> display charset = ISO8859-1
> unix charset = ISO8859-1
> I remember the reason for this was a software that couldn't handle
> UTF-8 (which is fixed meanwhile) - and I know that we need to convert
> the whole content of the filesystem when we migrate...

OK, that's certainly the issue here. Can you please file a bug, so we
can try and handle or at least detect it more clearly at classicupgrade
time?

> >> 1. machine accounts: some machine accounts don't have Logon hours
> >> FF what seem to be a problem.
> >> Could I manually change fields (which fields?) in the tdbsam dump? I
> >> tried pdbedit -Z of the specific account, but that seems to change it
> >> to an epoch style timestamp and migration fails again - so I removed
> >> them in the tdbsam dump to get the migration working, after that
> >> additional steps all user and machine accounts get migrated.
> >
> > Can you give me some more detail about what is wrong here? We generally
> > do want to convert any valid samba3 account.
>
> old samba3 server:
> add machine script = /usr/sbin/useradd -c Machine -d /dev/null -g 1000
> -s /bin/false %u
>
> all machine accounts are added via this entry - so I thought they are the
> same.

Well, that doesn't control the samba passdb.tdb record, which is where
the failure is.

> example:
>
> Failed to modify account record
> CN=w-2000-007,CN=Computers,DC=SAMBA4SRV to set user attributes:
> objectclass_attrs: attribute 'logonHours' on entry
> 'CN=w-2000-007,CN=Computers,DC=SAMBA4SRV' contains at least one
> invalid value!
> ERROR(): uncaught exception - Unable to add sam
> account 'w-2000-007$', (-1073741811,Unexpected information received)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
> 1321, in run
> useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
> File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 883,
> in upgrade_from_samba3
> s4_passdb.add_sam_account(userdata[username])
>
> on samba3
> pdbedit -Lv
>
> Unix username:w-2000-007$
> NT username:
> Account Flags:[W ]
> User SID: S-1-5-21-2800255703-2035631742-3861056042-3132
> Primary Group SID:S-1-5-21-2800255703-2035631742-3861056042-513
> Full Name:W-2000-007$
> Home Directory: \\filesrv\w-2000-007_
> HomeDir Drive:L:
> Logon Script: logon-users.bat
> Profile Path: ""
> Domain: BFE
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: 9223372036854775807 seconds since the Epoch
> Kickoff time: 9223372036854775807 seconds since the Epoch
> Password last set:Mon, 19 Sep 2011 08:25:53 CEST
> Password can change: Mon, 19 Sep 2011 08:25:53 CEST
> Password must change: Sun, 18 Dec 2011 07:25:53 CET
> Last bad password : 0
> Bad password count : 0
> Logon hours : 30ACC81063

That looks like an un-initialised value to me...

> other successful migrated account:
>
> Unix username:W-4000-026$
> NT username:
> Account Flags:[W ]
> User SID: S-1-5-21-2800255703-2035631742-3861056042-2219
> Primary Group SID:S-1-5-21-2800255703-2035631742-3861056042-513
> Full Name:W-4000-026$
> Home Directory: \\filesrv\w-4000-026_
> HomeDir Drive:L:
> Logon Script: logon-joh.bat
> Profile Path: ""
> Domain: BFE
> Account desc:
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: 9223372036854775807 seconds since the Epoch
> Kickoff time: 9223372036854775807 seconds since the Epoch
> Password last set:Mon, 14 Mar 2011 08:54:54 CET
> Password can change: Mon, 14 Mar 2011 08:54:54 CET
> Password must change: Sun, 12 Jun 2011 09:54:54 CEST
> Last bad password : 0
> Bad password count : 0
> Logon hours : FF
>
> tdbdump of both (made on the samba4 machine, if tdbtools version matters?):
>
> {
> key(17) = "USER_w-2000-007$\00"
> data(199) =
> "\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00q\E0vN\8F\19zFq\87\EDN\0C\00\00\00w-2000-007$\00\04\00\00\00BFE\00\01\00\00\00\00\0C\00\00\00W-2000-007$\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00<\0C\00\00\01\02\00\00\00\00\00\00\10\00\00\
Re: [Samba] samba3 to samba4 // logon hours // server role secrets.tdb, secrets.ldb
>> fyi - samba3 tdbsam backend. I removed/edited several user accounts
>> with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
>> until all user accounts got migrated.
>
> What was your 'unix charset' (we may need to add a conversion here, as
> we assume UTF8 at the ldb layer).

old samba3 server:
LANG="de_DE"
LC_ALL="de_DE"

smb.conf:
display charset = ISO8859-1
unix charset = ISO8859-1
I remember the reason for this was a software that couldn't handle
UTF-8 (which is fixed meanwhile) - and I know that we need to convert
the whole content of the filesystem when we migrate...

>> 1. machine accounts: some machine accounts don't have Logon hours
>> FF what seem to be a problem.
>> Could I manually change fields (which fields?) in the tdbsam dump? I
>> tried pdbedit -Z of the specific account, but that seems to change it
>> to an epoch style timestamp and migration fails again - so I removed
>> them in the tdbsam dump to get the migration working, after that
>> additional steps all user and machine accounts get migrated.
>
> Can you give me some more detail about what is wrong here? We generally
> do want to convert any valid samba3 account.

old samba3 server:
add machine script = /usr/sbin/useradd -c Machine -d /dev/null -g 1000
-s /bin/false %u

all machine accounts are added via this entry - so I thought they are the
same.

example:

Failed to modify account record
CN=w-2000-007,CN=Computers,DC=SAMBA4SRV to set user attributes:
objectclass_attrs: attribute 'logonHours' on entry
'CN=w-2000-007,CN=Computers,DC=SAMBA4SRV' contains at least one
invalid value!
ERROR(): uncaught exception - Unable to add sam
account 'w-2000-007$', (-1073741811,Unexpected information received)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line
1321, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 883,
in upgrade_from_samba3
s4_passdb.add_sam_account(userdata[username])

on samba3
pdbedit -Lv

Unix username:w-2000-007$
NT username:
Account Flags:[W ]
User SID: S-1-5-21-2800255703-2035631742-3861056042-3132
Primary Group SID:S-1-5-21-2800255703-2035631742-3861056042-513
Full Name:W-2000-007$
Home Directory: \\filesrv\w-2000-007_
HomeDir Drive:L:
Logon Script: logon-users.bat
Profile Path: ""
Domain: BFE
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 9223372036854775807 seconds since the Epoch
Kickoff time: 9223372036854775807 seconds since the Epoch
Password last set:Mon, 19 Sep 2011 08:25:53 CEST
Password can change: Mon, 19 Sep 2011 08:25:53 CEST
Password must change: Sun, 18 Dec 2011 07:25:53 CET
Last bad password : 0
Bad password count : 0
Logon hours : 30ACC81063

other successful migrated account:

Unix username:W-4000-026$
NT username:
Account Flags:[W ]
User SID: S-1-5-21-2800255703-2035631742-3861056042-2219
Primary Group SID:S-1-5-21-2800255703-2035631742-3861056042-513
Full Name:W-4000-026$
Home Directory: \\filesrv\w-4000-026_
HomeDir Drive:L:
Logon Script: logon-joh.bat
Profile Path: ""
Domain: BFE
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: 9223372036854775807 seconds since the Epoch
Kickoff time: 9223372036854775807 seconds since the Epoch
Password last set:Mon, 14 Mar 2011 08:54:54 CET
Password can change: Mon, 14 Mar 2011 08:54:54 CET
Password must change: Sun, 12 Jun 2011 09:54:54 CEST
Last bad password : 0
Bad password count : 0
Logon hours : FF

tdbdump of both (made on the samba4 machine, if tdbtools version matters?):

{
key(17) = "USER_w-2000-007$\00"
data(199) = "\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00q\E0vN\8F\19zFq\87\EDN\0C\00\00\00w-2000-007$\00\04\00\00\00BFE\00\01\00\00\00\00\0C\00\00\00W-2000-007$\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00\00\00\00<\0C\00\00\01\02\00\00\00\00\00\00\10\00\00\00\8C\9A\F1\16\AA@\90\1Ef\0E\95\B2\CAW\7F\97\00\00\00\00\80\00\00\00\00\00\00\00\00\00 \00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\000\AC\C8\10c\7F\00\00\00\80\00\10\00\00\00\00\00\00\00\00\00\00\00\00"
}
{
key(13) = "RID_0c3c\00"
data(12) = "w-2000-007$\00"
}
{
key(17) = "USER_w-4000-026$\00"
data(199) = "\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\00\CE\C9}M\00\00\00\00\CEp\F4M\0C\00\00\00W-4000-026$\00\04\00\00\00BFE\00\01\00\00\00\00\0C\00\00\00W-4000-026$\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\01\00
Re: [Samba] samba3 to samba4 // logon hours // server role secrets.tdb, secrets.ldb
On Mon, 2012-10-15 at 11:52 +0200, Johannes Paechnatz wrote:
> Hello.
>
> I tried the migration from samba3 domain master (pdc) to a samba4.
>
> samba4 -V:
> Version 4.1.0pre1-GIT-2c3a808
>
> I used the wiki entry about samba3 migration as a guide, copied over
> the data etc. but I have some questions left.
>
> fyi - samba3 tdbsam backend. I removed/edited several user accounts
> with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
> until all user accounts got migrated.

What was your 'unix charset' (we may need to add a conversion here, as
we assume UTF8 at the ldb layer).

> 1. machine accounts: some machine accounts don't have Logon hours
> FF what seem to be a problem.
> Could I manually change fields (which fields?) in the tdbsam dump? I
> tried pdbedit -Z of the specific account, but that seems to change it
> to an epoch style timestamp and migration fails again - so I removed
> them in the tdbsam dump to get the migration working, after that
> additional steps all user and machine accounts get migrated.

Can you give me some more detail about what is wrong here? We generally
do want to convert any valid samba3 account.

> 2. The server role of samba3 is ROLE_DOMAIN_PDC after migration the
> samba4 server is stand alone and starting of smbd works without error.
> BUT if I change the server role to active directory domain controller
> and try samba instead of smbd, I get an error: Failed to find record
> for MYDOMAIN-HERE in /var/lib/samba/private/secrets.ldb: No such
> object: Have you provisioned the MYDOMAIN-HERE domain? Provisioning a
> new and empty ADS from scratch does work - but I need the migration
> ;-)
> I tried to modify the secrets.tdb before I start the classicupgrade
> without success.
>
> This is a show-stopper ;-)

Exactly what command did you run? We should upgrade a ROLE_DOMAIN_PDC
into a 'server role = active directory domain controller'. Are you
sure you are using the smb.conf produced by the upgrade?

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
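
A pre-migration check for the two problems raised in this thread (text fields that are not UTF-8, and unexpected logon hours), as an added example that is not part of the original messages and not Samba code. The `audit` function, the sample records and the rule "anything other than all-FF logon hours is worth a look" are assumptions made for illustration; an account with deliberately restricted hours would also be listed.

```python
import re

# Constructed `pdbedit -Lv` output (bytes, ISO8859-1 as on the old server);
# account names are made up, 30ACC81063 is the value quoted in the thread.
SAMPLE = (
    b"---------------\n"
    b"Unix username:        w-0000-001$\n"
    b"Full Name:            W-0000-001$\n"
    b"Logon hours         : 30ACC81063\n"
    b"---------------\n"
    b"Unix username:        jmueller\n"
    b"Full Name:            J\xfcrgen M\xfcller\n"
    b"Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF\n"
)

ALL_FF = re.compile(rb"(?:FF)+", re.IGNORECASE)


def audit(raw, legacy_charset="iso8859-1"):
    """Return (username, field, problem) tuples for records to review."""
    findings, user = [], None
    for line in raw.splitlines():
        key, sep, value = line.partition(b":")
        if not sep:
            continue  # record separator or blank line
        field = key.strip().decode("ascii", "replace")
        value = value.strip()
        if field == "Unix username":
            user = value.decode(legacy_charset)
        try:
            value.decode("utf-8")
        except UnicodeDecodeError:
            # Bytes such as 0xFC (u-umlaut in ISO8859-1) are not valid UTF-8.
            fixed = value.decode(legacy_charset)
            findings.append((user, field, "not UTF-8, legacy text: " + fixed))
        # Heuristic (assumption): anything but all-FF logon hours is suspect.
        if field == "Logon hours" and not ALL_FF.fullmatch(value):
            hours = value.decode("ascii", "replace")
            findings.append((user, field, "not all FF: " + hours))
    return findings


if __name__ == "__main__":
    for user, field, problem in audit(SAMPLE):
        print("%s: %s: %s" % (user, field, problem))
```

Feed it the raw bytes of `pdbedit -Lv` from the old server (not a decoded string), so the charset check sees what the upgrade will read.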
[Samba] samba3 to samba4 // logon hours // server role secrets.tdb, secrets.ldb
Hello.

I tried the migration from samba3 domain master (pdc) to a samba4.

samba4 -V:
Version 4.1.0pre1-GIT-2c3a808

I used the wiki entry about samba3 migration as a guide, copied over
the data etc. but I have some questions left.

fyi - samba3 tdbsam backend. I removed/edited several user accounts
with Umlauts in Fullname/Displayname. (tdbdump/text editor/tdbrestore)
until all user accounts got migrated.

1. machine accounts: some machine accounts don't have Logon hours
FF what seem to be a problem.
Could I manually change fields (which fields?) in the tdbsam dump? I
tried pdbedit -Z of the specific account, but that seems to change it
to an epoch style timestamp and migration fails again - so I removed
them in the tdbsam dump to get the migration working, after that
additional steps all user and machine accounts get migrated.

2. The server role of samba3 is ROLE_DOMAIN_PDC after migration the
samba4 server is stand alone and starting of smbd works without error.
BUT if I change the server role to active directory domain controller
and try samba instead of smbd, I get an error: Failed to find record
for MYDOMAIN-HERE in /var/lib/samba/private/secrets.ldb: No such
object: Have you provisioned the MYDOMAIN-HERE domain? Provisioning a
new and empty ADS from scratch does work - but I need the migration
;-)
I tried to modify the secrets.tdb before I start the classicupgrade
without success.

This is a show-stopper ;-)

Could you provide me a hint / solution to this?

Thanks.

cu Joh.Paechnatz

--
Johannes Paechnatz
--> googleplus: http://goo.gl/GVNoM
--> facebook: http://www.facebook.com/jpaechnatz
--> jabber/xmpp: jpaechn...@gmail.com
--> icq: 22621122
--> skype: jpaechnatz
--> blog: http://simplyroot.blogspot.com/
amazon wishlist:
--> http://www.amazon.de/registry/wishlist/3L6U7SE47GQ1Z
Secure backup and sync via Wuala: http://www.wuala.com/referral/BBN3CFN4HKFF74HN3B7M
Encfs4win: http://goo.gl/djpLB
Callsign: DO2PJ
Try JT65a: http://jt65.w6cqz.org/