
[Samba] need help cleaning up my smb3 databases to complete smb4 classic upgrade


Adam Wojnarski

May 19, 2014, 5:00:03 AM
Hi,
Getting straight to the point:
/usr/local/samba/bin/samba-tool domain classicupgrade \
    --dbdir=/root/elara/samba/ --use-xattrs=yes \
    --realm=mycompanyname.com.pl /root/elara.smb.conf
After cleaning up all duplicate names and such I end up with:

ldb: ldb_trace_request: (tdb)->search
ldb: ldb_trace_response: ENTRY
dn: CN=CONFIG
cn: CONFIG
upperBound: 4000000
lowerBound: None
xidNumber: None
distinguishedName: CN=CONFIG



ldb: cancel ldb transaction (nesting: 0)
ldb: ldb_trace_request: (tdb)->del_transaction
idmapping sid_to_xid failed for id[0]=S-1-5-21-1275545348-4294519683-4007804651-512: NT_STATUS_NONE_MAPPED
ERROR(<class 'passdb.error'>): uncaught exception - Unable to get id for sid
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py", line 1448, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py", line 851, in upgrade_from_samba3
    result.names.domaindn, result.lp, use_ntvfs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1612, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
                 use_ntvfs, passdb=s4_passdb)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1517, in set_gpos_acl
    passdb=passdb)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1480, in set_dir_acl
    setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs,
             skip_invalid_chown=True, passdb=passdb, service=service)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/ntacls.py", line 104, in setntacl
    (owner_id, owner_type) = passdb.sid_to_id(sd.owner_sid)


I have a medium-size environment (~60 Windows PCs, ~60 users and ~200 registered
servers; many old ones were just disbanded and not removed from the domain,
about 1/3 are active), so it's not a big issue if I have to delete one of
them and re-register it or check

I already know that smb3 has no consistency checks or other sanity checks,
so I know why this is happening.

My issue is:
How do I find the offending SID in my old DBs and get rid of it?


I got my Samba 4 from git://git.samba.org/samba.git samba-master.
My smb3 server is an ancient Fedora build, samba-3.2.15-0.36.fc10.x86_64 -
am I right to think that upgrading it to a current 3.x line version might
help things, or will the DBs collect even more garbage with the upgrade? A
few people managed it before me, so I don't know its full history.

Any help will be greatly appreciated.


Best Regards
Adam
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Marc Muehlfeld

May 19, 2014, 3:40:02 PM
Hello Adam,

On 19.05.2014 10:53, Adam Wojnarski wrote:
> My issue is:
> How do I find the offending SID in my old DBs and get rid of it?

What kind of backend do you use on your classic domain?




> I got my Samba 4 from git://git.samba.org/samba.git samba-master.
> My smb3 server is an ancient Fedora build, samba-3.2.15-0.36.fc10.x86_64 -
> am I right to think that upgrading it to a current 3.x line version might
> help things, or will the DBs collect even more garbage with the upgrade? A
> few people managed it before me, so I don't know its full history.

If you have any concerns, you can simply update to 4.1.7 and if
everything works like it should, then do the classicupgrade to AD a few
days later.

But why do you want to use a developer/git version and not a released
one (4.1.7)? Releases are stable. I would not run a git version in
production.



Regards,
Marc

Adam Wojnarski

May 21, 2014, 5:10:01 AM
Hello Marc,
Thank you for your reply.
> Hello Adam,
>
> On 19.05.2014 10:53, Adam Wojnarski wrote:
>> My issue is:
>> How do I find the offending SID in my old DBs and get rid of it?
>
> What kind of backend do you use on your classic domain?
>
>

My smb3 config (excluding host shares) follows:

[global]
    workgroup = MyCOMPANYNAME
    server string = THISHOSTSNAME
    hosts allow = 192.168. 127.
    log file = /var/log/samba/%m.log
    max log size = 50
    log level = 10
    security = user
    passdb backend = tdbsam
    domain master = yes
    domain logons = yes
    logon drive = Q:
    logon home = \\%N\%U
    logon path = \\%N\%U\profile
    add machine script = /usr/sbin/useradd -d /var/lib/nobody -s /sbin/nologin "%u"
    local master = yes
    preferred master = yes
    wins support = yes
    load printers = no
    cups options = raw
    create mask = 0660
    directory mask = 0770
    unix extensions = no
    max open files = 100000

[homes]
    comment = Home Directories
    browseable = no
    writable = yes
    ; note: the parameter is set twice; in smb.conf the later value in a section wins
    valid users = %S
    valid users = MYCOMPANYNAME\%S

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = yes
    writable = no
    share modes = no


>
>
>> I got my Samba 4 from git://git.samba.org/samba.git samba-master.
>> My smb3 server is an ancient Fedora build, samba-3.2.15-0.36.fc10.x86_64 -
>> am I right to think that upgrading it to a current 3.x line version might
>> help things, or will the DBs collect even more garbage with the upgrade? A
>> few people managed it before me, so I don't know its full history.
>
> If you have any concerns, you can simply update to 4.1.7 and if
> everything works like it should, then do the classicupgrade to AD a few
> days later.
>
> But why do you want to use a developer/git version and not a released
> one (4.1.7)? Releases are stable. I would not run a git version in
> production.
>
Tried the current stable release - I have the exact same error. I
googled it multiple times and am sure that it's an issue with the old
Samba. I tried to locate the offending user/host using wbinfo or dumping
the winbindd_idmap.tdb file, but failed to find it there. I was trying
the one from git hoping that a fresher version would do better. From
what I learned, this has haunted users ever since classicupgrade became
available.

>
>
> Regards,
> Marc


P.S. Listing of all tdb databases I have in my old system:

# ls /var/lib/samba/
account_policy.tdb connections.tdb.bak
idmap_cache.tdb.bak mutex.tdb.bak notify.tdb.bak
ntprinters.tdb.bak scripts unexpected.tdb.bak
wins.dat
account_policy.tdb.bak gencache.tdb locking.tdb
namelist.debug ntdrivers.tdb perfmon
sessionid.tdb winbindd_cache.tdb wins.tdb
brlock.tdb gencache.tdb.bak locking.tdb.bak
netlogon ntdrivers.tdb.bak printing
sessionid.tdb.bak winbindd_cache.tdb.bak wins.tdb.bak
brlock.tdb.bak group_mapping.ldb messages.tdb
netsamlogon_cache.tdb ntforms.tdb private
share_info.tdb winbindd_idmap.tdb
browse.dat group_mapping.tdb.upgraded messages.tdb.bak
netsamlogon_cache.tdb.bak ntforms.tdb.bak registry.tdb
share_info.tdb.bak winbindd_idmap.tdb.bak
connections.tdb idmap_cache.tdb mutex.tdb
notify.tdb ntprinters.tdb registry.tdb.bak
unexpected.tdb winbindd_privileged

# ls /var/lib/samba/private/
passdb.tdb schannel_store.tdb secrets.tdb smbpasswd

Best Regards,
Adam

Adam Wojnarski

May 26, 2014, 4:40:03 AM
Since there is no response to my previous e-mail, I have an idea for a
different approach - perhaps I can use these commands:
net rpc samdump    Dump SAM data of remote NT PDC
net rpc vampire    Sync a remote NT PDC's data into local passdb
net rpc getsid     Fetch the domain sid into local secrets.tdb
to pump my domain data into a fresh tdb database and ensure consistency this way?

This way I would migrate old smb3 -> new smb3 (as secondary
DC) -> new smb4 (-> and then finally be able to build a trust with AD 2008,
but that's a different story).
Or will the invalid entries be copied as well? I prefer to ask prior
to doing something that will turn out to be a total waste of time. If
it is supposed to work as I wrote, which options should I use?


Or, coming back to my previous approach - perhaps I need to dump the DB
in a special way, or it's a SID not connected to users at all and I
need to check another tdb? I still think that identifying and deleting
the offending record is the best approach.

Maybe the classic upgrade has some kind of --force equivalent I could
use to try to migrate while overlooking erroneous entries in the tdbs?

I've been struggling for a few weeks now so any help will be welcome.

Best Regards,
Adam

Rowland Penny

May 26, 2014, 5:40:02 AM
Firstly, I am not an expert here, but from reading your first post it
would seem that the upgrade is trying to map the SID
'S-1-5-21-1275545348-4294519683-4007804651-512' (this is Domain Admins)
to a group in your tdbsam database and cannot find anything to map to.

What does 'net groupmap list' return?

Rowland
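As an added example (not part of this thread or of Samba itself), a small Python checker for the diagnosis Rowland suggests: it parses 'net groupmap list' output and reports which well-known domain groups (RIDs 512-514, the ones classicupgrade's sysvol ACL step resolves through passdb) have no mapping under the domain SID from Adam's error, plus any mappings that belong to a different domain SID. It assumes the Samba 3 output format "NT name (SID) -> unixgroup"; the sample output below is constructed, not taken from Adam's system.

```python
import re

# Constructed sample of `net groupmap list` output (assumed line format:
# "NT name (SID) -> unix group"). Domain Admins (RID 512) is deliberately
# absent, and one entry carries a foreign domain SID, to exercise both checks.
SAMPLE_GROUPMAP = """\
Domain Users (S-1-5-21-1275545348-4294519683-4007804651-513) -> users
Domain Guests (S-1-5-21-1275545348-4294519683-4007804651-514) -> nobody
Developers (S-1-5-21-1275545348-4294519683-4007804651-1005) -> devel
Old Admins (S-1-5-21-111-222-333-512) -> oldadmins
"""

# Domain SID taken from the failing sid_to_id call in the first post.
DOMAIN_SID = "S-1-5-21-1275545348-4294519683-4007804651"

# Well-known domain-relative RIDs the upgrade expects to be mappable.
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

# A domain SID has three sub-authorities after "21", then the RID: four numbers.
LINE_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-21(?:-\d+){4})\) -> (?P<unix>\S+)$")


def parse_groupmap(text):
    """Return {sid: (nt_name, unix_group)} for every parsable line."""
    mappings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mappings[m.group("sid")] = (m.group("name"), m.group("unix"))
    return mappings


def missing_well_known(domain_sid, mappings):
    """RIDs from WELL_KNOWN_RIDS with no group mapping under domain_sid."""
    return sorted(rid for rid in WELL_KNOWN_RIDS
                  if "%s-%d" % (domain_sid, rid) not in mappings)


def foreign_sids(domain_sid, mappings):
    """Mapped SIDs that do not belong to domain_sid (stale entries from an old SID)."""
    return sorted(sid for sid in mappings if not sid.startswith(domain_sid + "-"))


if __name__ == "__main__":
    maps = parse_groupmap(SAMPLE_GROUPMAP)
    for rid in missing_well_known(DOMAIN_SID, maps):
        print("no mapping for %s (RID %d)" % (WELL_KNOWN_RIDS[rid], rid))
    for sid in foreign_sids(DOMAIN_SID, maps):
        print("foreign-domain mapping: %s -> %s" % (sid, maps[sid]))
```

On a real system, feed it the actual output of 'net groupmap list' in place of the constructed sample.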