
[Samba] samba-tool domain classicupgrade with LDAP backend


Juan Asensio Sánchez

Jan 3, 2013, 5:10:02 AM
Hi

I am testing the migration from our actual Samba domain, based on Samba
3.3.8 and LDAP (389DS) to Samba 4. I have followed the Samba4 Howto, and I
have successfully compiled it. Now I am running the classicupgrade command,
but I am getting some errors.

First of them is that the script is ignoring the "ldap group suffix"
parameter in smb.conf, and is always searching in the "ldap suffix".
Because our LDAP database is very big, the script is getting a timeout as
all groups are not received in time. I have changed the timeout and
timelimit values in ldap.conf to 300, but they are also being ignored. This
is the output of the script:

[root@samba4 ~]# samba-tool domain classicupgrade ~/sambav3/smb.conf --dbdir ~/sambav3/private --realm XXXXXXXXXX.TEST
Reading smb.conf
Processing section "[netlogon]"
Processing section "[unixscripts]"
Provisioning
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXX.SACYL))]
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: XXXXXXXXXX$
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=XXXXXXXXXX.SACYL))]
smbldap_open_connection: connection opened
Exporting account policy
Exporting groups
ldapsam_setsamgrent: LDAP search failed: Timed out
ldapsam_enum_group_mapping: Unable to open passdb
ERROR(<class 'passdb.error'>): uncaught exception - Unable to enumerate group mappings, (-1073741790,Access denied)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line 635, in upgrade_from_samba3
    grouplist = s3db.enum_group_mapping()


And this is the LDAP access LOG:

[03/Jan/2013:10:58:01 +0100] conn=24304 op=13 SRCH base="dc=XXXXXXXXXX,dc=XX" scope=2 filter="(objectClass=sambaGroupMapping)" attrs="gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass"
[03/Jan/2013:10:58:16 +0100] conn=24304 op=14 UNBIND
[03/Jan/2013:10:58:16 +0100] conn=24304 op=14 fd=73 closed - U1

dc=XXXXXXXXXX,dc=XX is our "ldap suffix", not our "ldap group suffix", as
it should. Any ideas how to fix these problems and continue with the tests?

Regards and thanks in advance,

Juan Asensio Sánchez

Jan 3, 2013, 7:00:01 AM
Hi again

Well, finally I got it, adding "ldap timeout" to smb.conf. Now I am getting
another error when running the domain classicupgrade command of samba-tool:

...


init_sam_from_ldap: Entry found for user: XXXXXXXX
init_sam_from_ldap: Entry found for user: XXXXXXXX$
Next rid = 12801001
Failed to connect to ldap URL 'ldap://XXXXXXX.XXXXXXX.XX' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://XXXXXXX.XXXXXXX.XX' with backend 'ldap': (null)
Could not open ldb connection to ldap://XXXXXXX.XXXXXXX.XX, the error message is: (1, None)
Exporting posix attributes
ERROR(<type 'exceptions.UnboundLocalError'>): uncaught exception - local variable 'ldb_object' referenced before assignment
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line 800, in upgrade_from_samba3
    homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "homeDirectory")


I don't understand why the NT_STATUS_BAD_NETWORK_NAME error is thrown; I
can ping and telnet the server XXXXXXX.XXXXXXX.XX in port 389 (previously
it was on port 636 and ldaps, but changed to ldap and 389 to try to avoid
the error); indeed, the script has obtained all groups and users
previously...

Any ideas?


2013/1/3 Juan Asensio Sánchez <oke...@gmail.com>

Mario Codeniera

Jan 3, 2013, 8:30:01 PM
Can you connect to your ldap server locally?
*internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://XXXXXXX.XXXXXXX.XX' with backend 'ldap': (null)
Could not open ldb connection to ldap://XXXXXXX.XXXXXXX.XX, the erro*

If not, check the ldap.conf, nslcd.conf and the PAM, which is distro
specific.

Based on my experience I used to check using the commands below, and if they
display the user's passwords and the groups, you can successfully migrate
it
*$ getent passwd*
*$ getent group*

Andrew Bartlett

Jan 3, 2013, 11:50:01 PM
On Thu, 2013-01-03 at 12:52 +0100, Juan Asensio Sánchez wrote:
> Hi again
>
> Well, finally I got it, adding "ldap timeout" to smb.conf.

Good. The 'ldap suffix' is used because while we write new groups under
'ldap group suffix' we always search under 'ldap suffix' for all
objects. That is, it is a default, not a restriction.

This hasn't changed in a number of releases, and the 'passdb' code used
as the upgrade source is actually the same code that powers the classic
DC implementation.

In this second stage of the migration, we use the ldb API and ldb's
ildap driver (a new implementation of an LDAP client) to connect to the
server. We do this in the hope of migrating some extra information that
isn't available via passdb.

ldb and the ildap driver do not read ldap.conf, nslcd.conf or PAM as
Mario suggests, but I'm pretty sure it does use the 'name resolve order'
from smb.conf, so perhaps restore that to the default value and try
again.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Juan Asensio Sánchez

Jan 4, 2013, 3:00:02 AM
Hi

I forgot to explain my scenario... I have one Samba3 test-production with
LDAP backend (it's a test server, but used intensively), so to make the
tests I created a new virtual machine in a separated/isolated network. This
is a clean CentOS 6.3 machine; I just installed the compile dependencies and
then compiled and installed Samba; I didn't modify resolv.conf, nor
nscd.conf, so the name resolution is using an "official" DNS server. After
posting the message, I continued investigating and I found this message
https://lists.samba.org/archive/samba-technical/2012-September/086979.html,
where the user reports the same problem as me. The solution there is to
use the IP address instead of the DNS name, and he says that the problem
can be due to his configuration, but I have the same problem... so I could
think this is a bug, not a server configuration problem (I can connect
perfectly to the LDAP server, use the ldapsearch command, etc. Indeed, the
script retrieves the users correctly, but only fails when exporting the
Posix attributes).

The problem with us about "ldap group suffix" is that our LDAP has multiple
organizations, each one with their own users and groups:

dc=myorg,dc=es
- o=suborg1,dc=myorg,dc=es
- - ou=People,o=suborg1,dc=myorg,dc=es
- - ou=Groups,o=suborg1,dc=myorg,dc=es
- o=suborg2,dc=myorg,dc=es
- - ou=People,o=suborg2,dc=myorg,dc=es
- - ou=Groups,o=suborg2,dc=myorg,dc=es
...

So, in our Samba3 configuration we have "ldap suffix" to "dc=myorg,dc=es"
but "ldap group suffix" to "ou=Groups,o=suborg1" (for the Samba3 domain
controller for suborg1; each suborganization has its own domain under its
tree and its own domain controller using that domain). Then, all users
(from any suborganization) can login in any organization/domain/domain
controller (we have resolved the problem with SIDs from one domain to
another using a plugin in the 389DS LDAP server).

Our target (and here comes my big doubt) is to configure Samba4 to host
multiple domains under the same forest, replicating our current environment
and establishing trust relationships between the domains. Is this possible?
How should I do it?

Regards again, and thanks for your help.


2013/1/4 Andrew Bartlett <abar...@samba.org>

Andrew Bartlett

Jan 4, 2013, 3:40:02 AM
On Fri, 2013-01-04 at 08:57 +0100, Juan Asensio Sánchez wrote:
> Hi
>
>
> I forgot to explain my scenario... I have one Samba3 test-production
> with LDAP backend (it's a test server, but used intensively), so to
> make the tests I created a new virtual machine in a separated/isolated
> network. This is a clean CentOS 6.3 machine, just installed the
> compile dependencies and then compile and install Samba; I didn't
> modify resolv.conf, neither nscd.conf, so the name resolution is using
> an "official" DNS server. After posting the message, I continued
> investigating and I found this message
> https://lists.samba.org/archive/samba-technical/2012-September/086979.html, where the user reports the same problem than me. The solution there is to use the IP address instead of the DNS name, and he says that the problem can be due to his configuration, but I have the same problem... so I could think this is bug, not a server configuration problem I can connect perfectly to the LDAP server, use ldapsearch command, etc. Indeed, the script retrieves correctly the users, but only fails when exporting the Posix attributes).

What is your 'name resolve order' parameter set to?

> The problem with us about "ldap group suffix" is that our LDAP has
> multiple organizations, each one with their own users and groups:
>
>
> dc=myorg,dc=es
>
> - o=suborg1,dc=myorg,dc=es
>
> - - ou=People,o=suborg1,dc=myorg,dc=es
> - - ou=Groups,o=suborg1,dc=myorg,dc=es
> - o=suborg2,dc=myorg,dc=es
> - - ou=People,o=suborg2,dc=myorg,dc=es
> - - ou=Groups,o=suborg2,dc=myorg,dc=es
> ...
>
>
> So, in our Samba3 configuration we have "ldap suffix" to
> "dc=myorg,dc=es" but "ldap group suffix" to "ou=Groups,o=suborg1" (for
> the Samba3 domain controller for suborg1; each suborganization has its
> own domain under its tree and its own domain controller using that
> domain). Then, all users (from any suborganization) can login in any
> organization/domain/domain controller (we have resolved the problem
> with SIDs from one domain to another using a plugin in the 389DS LDAP
> server).

Why is your ldap suffix 'dc=myorg,dc=es' and not
'o=suborg1,dc=myorg,dc=es'?

Either way, the migration script expects a directory layout at least
somewhat near the typical described in our documentation and populated
with either the ldapsam:editposix tool or smbldap-tools. As you move
beyond that, the ability of a standardised script to cope drastically
decreases.

I'm very happy for the script to try and cope with more diverse
configurations, if you wish to propose patches however. I'm keen for it
to import any additional attributes for which we have matching schema,
for example (not just the posix attributes).

> Our target (is and here comes my big doubt) is to configure Samba4 to
> host multiple domains under the same forest, replicating our current
> environment and establishing trust relationships between the domains.
> Is this possible? How should I do it?

Samba as an AD DC does not support either being or hosting a subdomain,
nor the trust relationships needed between those domains. This remains
a future development task.

A small amount of support exists for inter-realm trusts, trusts with
Samba classic domains and kerberos trusts, but what little support
exists here is experimental and undocumented, existing mostly because it
fell out of other work.

Juan Asensio Sánchez

Jan 4, 2013, 4:20:02 AM
Hi


2013/1/4 Andrew Bartlett <abar...@samba.org>

> On Fri, 2013-01-04 at 08:57 +0100, Juan Asensio Sánchez wrote:
> > Hi
> >
> >
> > I forgot to explain my scenario... I have one Samba3 test-production
> > with LDAP backend (it's a test server, but used intensively), so to
> > make the tests I created a new virtual machine in a separated/isolated
> > network. This is a clean CentOS 6.3 machine, just installed the
> > compile dependencies and then compile and install Samba; I didn't
> > modify resolv.conf, neither nscd.conf, so the name resolution is using
> > an "official" DNS server. After posting the message, I continued
> > investigating and I found this message
> >
> https://lists.samba.org/archive/samba-technical/2012-September/086979.html,
> where the user reports the same problem than me. The solution there is to
> use the IP address instead of the DNS name, and he says that the problem
> can be due to his configuration, but I have the same problem... so I could
> think this is bug, not a server configuration problem I can connect
> perfectly to the LDAP server, use ldapsearch command, etc. Indeed, the
> script retrieves correctly the users, but only fails when exporting the
> Posix attributes).
>
> What is your 'name resolve order' parameter set to?
>
>

name resolve order = wins lmhosts hosts bcast

(Samba3 is not installed in the new virtual machine, just copied smb.conf
and tdb files; smb.conf is configured to make the server act as a PDC using
the LDAP server in other machine)

> > The problem with us about "ldap group suffix" is that our LDAP has
> > multiple organizations, each one with their own users and groups:
> >
> >
> > dc=myorg,dc=es
> >
> > - o=suborg1,dc=myorg,dc=es
> >
> > - - ou=People,o=suborg1,dc=myorg,dc=es
> > - - ou=Groups,o=suborg1,dc=myorg,dc=es
> > - o=suborg2,dc=myorg,dc=es
> > - - ou=People,o=suborg2,dc=myorg,dc=es
> > - - ou=Groups,o=suborg2,dc=myorg,dc=es
> > ...
> >
> >
> > So, in our Samba3 configuration we have "ldap suffix" to
> > "dc=myorg,dc=es" but "ldap group suffix" to "ou=Groups,o=suborg1" (for
> > the Samba3 domain controller for suborg1; each suborganization has its
> > own domain under its tree and its own domain controller using that
> > domain). Then, all users (from any suborganization) can login in any
> > organization/domain/domain controller (we have resolved the problem
> > with SIDs from one domain to another using a plugin in the 389DS LDAP
> > server).
>
> why is your ldap suffix 'dc=myorg,dc=es' and not
> 'o=suborg1,dc=myorg,dc=es'?
>

Because we want all users from the rest of the organizations to be able to
log in to any domain, the user search base is set to the entire
organization, but the group search base is set to the group from the
organization; so, the users are global to the organization (from the point
of view of Samba, as they really are in the
ou=People,o=XXXXX,dc=myorg,dc=es), but groups (and machines) are local to
the suborganization (users' SIDs are changed dynamically to match the
SambaSid of the domain where the user is logging in, although he belongs to
another domain; the path to 389DS LDAP Server I referred to previously).
This is a requisite of the client.


>
> Either way, the migration script expects a directory layout at least
> somewhat near the typical described in our documentation and populated
> with either the ldapsam:editposix tool or smbldap-tools. As you move
> beyond that, the ability of a standardised script to cope drastically
> decreases.
>
> I'm very happy for the script to try and cope with more diverse
> configurations, if you wish to propose patches however. I'm keen for it
> to import any additional attributes for which we have matching schema,
> for example (not just the posix attributes).
>
>

I know the particularities of our organization, so I don't expect the
script to match all our requisites. As you said, we have made a lot of
modifications in the source LDAP schema, so we would need to write
additional scripts to add the schema and re-sync the new object classes and
attributes to the users in Samba4.

> > Our target (is and here comes my big doubt) is to configure Samba4 to
> > host multiple domains under the same forest, replicating our current
> > environment and establishing trust relationships between the domains.
> > Is this possible? How should I do it?
>
> Samba as an AD DC does not support either being or hosting a subdomain,
> nor the trust relationships needed between those domains. This remains
> a future development task.
>
> A small amount of support exists for inter-realm trusts, trusts with
> Samba classic domains and kerberos trusts, but what little support
> exists here is experimental and undocumented, existing mostly because it
> fell out of other work.
>
> Andrew Bartlett
>
>

For now, we are just testing, because Samba4 is a big step, to unify all
services that AD provides (LDAP, domain, DNS, Kerberos) without patching a
lot of external services to make a Samba3 domain work correct but
defective. Perhaps we could ask the client to change the internal
organization, but it's not easy, due to the internal structure (38
sub-organizations, 60.000 users, 5.000 groups, 60 LDAP/Samba servers,
etc...).

I will continue testing and reporting the results... Now I have more
problems, but I will open a new thread to not mix different subjects.

Regards.

Andrew Bartlett

Jan 4, 2013, 5:00:01 AM
On Fri, 2013-01-04 at 10:18 +0100, Juan Asensio Sánchez wrote:
> Hi
>
>
> 2013/1/4 Andrew Bartlett <abar...@samba.org>
> On Fri, 2013-01-04 at 08:57 +0100, Juan Asensio Sánchez wrote:
> > Hi
> >
> >
>
> > I forgot to explain my scenario... I have one Samba3
> test-production
> > with LDAP backend (it's a test server, but used
> intensively), so to
> > make the tests I created a new virtual machine in a
> separated/isolated
> > network. This is a clean CentOS 6.3 machine, just installed
> the
> > compile dependencies and then compile and install Samba; I
> didn't
> > modify resolv.conf, neither nscd.conf, so the name
> resolution is using
> > an "official" DNS server. After posting the message, I
> continued
> > investigating and I found this message
> >
> https://lists.samba.org/archive/samba-technical/2012-September/086979.html, where the user reports the same problem than me. The solution there is to use the IP address instead of the DNS name, and he says that the problem can be due to his configuration, but I have the same problem... so I could think this is bug, not a server configuration problem I can connect perfectly to the LDAP server, use ldapsearch command, etc. Indeed, the script retrieves correctly the users, but only fails when exporting the Posix attributes).
>
>
> What is your 'name resolve order' parameter set to?
>
>
>
> name resolve order = wins lmhosts hosts bcast

Thanks, that is the clue I needed. The attached patch should help.

Andrew Bartlett
0001-s4-libcli-resolv-Add-alias-hosts-for-host-in-name-re.patch

Juan Asensio Sánchez

Jan 4, 2013, 7:00:02 AM
Hi Andrew

Unfortunately, after applying the patch, recompiling, uninstalling and
installing again, I am getting the same error:

# cd ~/samba-4.0.0
# patch -p1 < ~/0001-s4-libcli-resolv-Add-alias-hosts-for-host-in-name-re.patch
# make uninstall && rm -Rf /usr/local/samba/ && make clean && make && make install
# samba-tool domain classicupgrade --dbdir ~/sambav3 --realm SSCC.SACYL.TEST --use-xattrs=yes ~/sambav3/smb.conf -d9

...
init_sam_from_ldap: Entry found for user: XXXXXXX
init_sam_from_ldap: Entry found for user: XXXXXXX$
Next rid = 12801001
Failed to connect to ldap URL 'ldap://XXXXXX.XXXXX.es' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://XXXXXX.XXXXX.es' with backend 'ldap': (null)
Could not open ldb connection to ldap://XXXXXX.XXXXX.es, the error message is: (1, None)
Exporting posix attributes
ERROR(<type 'exceptions.UnboundLocalError'>): uncaught exception - local variable 'ldb_object' referenced before assignment
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line 800, in upgrade_from_samba3
    homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "homeDirectory")

Regards.

2013/1/4 Andrew Bartlett <abar...@samba.org>

Andrew Bartlett

Jan 8, 2013, 2:50:02 AM
On Tue, 2013-01-08 at 18:42 +1100, Andrew Bartlett wrote:
> On Fri, 2013-01-04 at 12:53 +0100, Juan Asensio Sánchez wrote:
> > Hi Andrew
> >
> >
> > Unfortunately, after applying the patch, recompile, uninstall and
> > install again, I am getting the same error:
> >
> > # cd ~/samba-4.0.0
> > # patch -p1 <
> > ~/0001-s4-libcli-resolv-Add-alias-hosts-for-host-in-name-re.patch
> > # make uninstall && rm -Rf /usr/local/samba/ && make clean && make &&
> > make install
> > # samba-tool domain classicupgrade --dbdir ~/sambav3 --realm
> > SSCC.SACYL.TEST --use-xattrs=yes ~/sambav3/smb.conf -d9
> >
> > ...
> > init_sam_from_ldap: Entry found for user: XXXXXXX
> > init_sam_from_ldap: Entry found for user: XXXXXXX$
> > Next rid = 12801001
> > Failed to connect to ldap URL 'ldap://XXXXXX.XXXXX.es' - LDAP client
> > internal error: NT_STATUS_BAD_NETWORK_NAME
> > Failed to connect to 'ldap://XXXXXX.XXXXX.es' with backend 'ldap':
> > (null)
> > Could not open ldb connection to ldap://XXXXXX.XXXXX.es, the error
> > message is: (1, None)
>
> Can you set 'log level = 10' in your smb.conf and try again, I'm very
> much lost as to what the error is if this doesn't fix it.
>
> Can you contact this host using ldbsearch? eg:
>
> ldbsearch -H ldap://XXXXXX.XXXXX.es
>
> Andrew Bartlett

Also, can you verify that this patch makes the classicupgrade fail right
after the failed connection, rather than hobbling on and failing due to
an un-set variable?

Thanks,
0001-samba-tool-domain-classicupgrade-Make-failure-to-con.patch

Andrew Bartlett

Jan 8, 2013, 2:50:02 AM
On Fri, 2013-01-04 at 12:53 +0100, Juan Asensio Sánchez wrote:
> Hi Andrew
>
>
> Unfortunately, after applying the patch, recompile, uninstall and
> install again, I am getting the same error:
>
> # cd ~/samba-4.0.0
> # patch -p1 <
> ~/0001-s4-libcli-resolv-Add-alias-hosts-for-host-in-name-re.patch
> # make uninstall && rm -Rf /usr/local/samba/ && make clean && make &&
> make install
> # samba-tool domain classicupgrade --dbdir ~/sambav3 --realm
> SSCC.SACYL.TEST --use-xattrs=yes ~/sambav3/smb.conf -d9
>
> ...
> init_sam_from_ldap: Entry found for user: XXXXXXX
> init_sam_from_ldap: Entry found for user: XXXXXXX$
> Next rid = 12801001
> Failed to connect to ldap URL 'ldap://XXXXXX.XXXXX.es' - LDAP client
> internal error: NT_STATUS_BAD_NETWORK_NAME
> Failed to connect to 'ldap://XXXXXX.XXXXX.es' with backend 'ldap':
> (null)
> Could not open ldb connection to ldap://XXXXXX.XXXXX.es, the error
> message is: (1, None)

Can you set 'log level = 10' in your smb.conf and try again, I'm very
much lost as to what the error is if this doesn't fix it.

Can you contact this host using ldbsearch? eg:

ldbsearch -H ldap://XXXXXX.XXXXX.es

Andrew Bartlett

Juan Asensio Sánchez

Jan 9, 2013, 4:40:02 AM
Hi Andrew

These are the new results. After running the classicupgrade with "log level
= 10" this is the output:

# cd ~/samba-4.0.0
# patch -p1 < ~/0001-s4-libcli-resolv-Add-alias-hosts-for-host-in-name-re.patch
# patch -p1 < ~/0001-samba-tool-domain-classicupgrade-Make-failure-to-con.patch
# make uninstall && rm -Rf /usr/local/samba/ && make clean && make && make install
# samba-tool domain classicupgrade --dbdir ~/sambav3 --realm MYSUBORG1.MYORG.TEST --use-xattrs=yes ~/sambav3/smb.conf

....
Looking up login cache for user somecomputeraccount$
No cache entry found
No cache entry, bad count = 0, bad time = 0
smbldap_search_ext: base => [o=mysuborg1,dc=myorg,dc=es], filter => [(&(sambaSid=S-1-5-21-2808594902-4197342290-404042715-31036)(|(objectClass=sambaGroupMapping)(objectClass=sambaSamAccount)))], scope => [2]
attribute sambaGroupType does not exist
Adding cache entry with key = IDMAP/SID2XID/S-1-5-21-5555555555-66666666666-777777777-31036 and timeout = Wed Jan 16 09:36:19 2013
(604800 seconds ahead)
Adding cache entry with key = IDMAP/UID2SID/15018 and timeout = Wed Jan 16 09:36:19 2013
(604800 seconds ahead)
smbldap_search_ext: base => [o=mysuborg1,dc=myorg,dc=es], filter => [(&(objectClass=posixGroup)(|(memberUid=somecomputeraccount$)(gidNumber=10003)))], scope => [2]
Next rid = 12801001
Failed to connect to ldap URL 'ldap://ldappruebas.myorg.es' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://ldappruebas.myorg.es' with backend 'ldap': (null)
Could not open ldb connection to ldap://ldappruebas.myorg.es, the error message is: (1, None)
Exporting posix attributes
smbldap_search_paged: base => [o=mysuborg1,dc=myorg,dc=es], filter => [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
smbldap_search_ext: base => [o=mysuborg1,dc=myorg,dc=es], filter => [(&(uid=*)(objectclass=sambaSamAccount))], scope => [2]
smbldap_search_paged: search was successful
"description" not found
"description" not found
[...lots of same line...]
"description" not found
"description" not found

ERROR(<type 'exceptions.UnboundLocalError'>): uncaught exception - local variable 'ldb_object' referenced before assignment
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line 800, in upgrade_from_samba3
    homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "homeDirectory")

The connection to the LDAP server was closed


I don't see any additional relevant information... The ldbsearch command
works fine:

# ldbsearch -b "dc=myorg,dc=es" -H ldap://ldappruebas.myorg.es --simple-bind-dn="cn=readonlyuser" --password=XXXXXXXX "(uid=someuser)" uid

# the results...


After applying the second patch, when the connection fails the exporting
posix attributes step doesn't start.

....
Next rid = 12801001
Failed to connect to ldap URL 'ldap://ldappruebas.myorg.es' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://ldappruebas.myorg.es' with backend 'ldap': (null)
ERROR(<type 'exceptions.TypeError'>): uncaught exception - __init__() takes exactly 2 arguments (4 given)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 1318, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line 790, in upgrade_from_samba3
    raise ProvisioningError("Could not open ldb connection to %s, the error message is: %s", url, e)
The connection to the LDAP server was closed


I don't know what more to test...

Regards and thanks again.


2013/1/8 Andrew Bartlett <abar...@samba.org>
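
Added example, not part of the thread and not Samba's code: a Python 3 reproduction of the two tracebacks posted above (the UnboundLocalError on 'ldb_object', then the TypeError raised while building ProvisioningError) next to a fail-fast form that formats the message before raising. The connect() function, BackendUnreachable, the export_* functions and the hostnames are constructed for illustration; ProvisioningError here is a stand-in with a one-argument constructor, inferred from the "takes exactly 2 arguments (4 given)" message.

```python
import logging

logger = logging.getLogger("classicupgrade-demo")


class ProvisioningError(Exception):
    """Stand-in (assumption): constructor takes a single message argument."""

    def __init__(self, value):
        super().__init__(value)
        self.value = value


class BackendUnreachable(Exception):
    """Constructed error raised by the fake connector below."""


def connect(url):
    """Fake LDAP connector (assumption): hostnames fail, IP literals succeed."""
    host = url.split("://", 1)[1]
    if not host.replace(".", "").isdigit():
        raise BackendUnreachable("NT_STATUS_BAD_NETWORK_NAME")
    return {"url": url}


def export_log_and_continue(url, users):
    """First traceback: the failure is only logged, so ldb_object stays unset."""
    try:
        ldb_object = connect(url)
    except BackendUnreachable as e:
        logger.error("Could not open ldb connection to %s, the error message is: %s", url, e)
    homes = {}
    for username in users:
        # On a failed connect this line raises UnboundLocalError, far from the cause.
        homes[username] = (ldb_object["url"], username)
    return homes


def export_raise_printf_style(url, users):
    """Second traceback: logging-style arguments handed to the exception constructor."""
    try:
        ldb_object = connect(url)
    except BackendUnreachable as e:
        # Three positional arguments plus self: the constructor rejects the call,
        # so a TypeError masks the real connection error.
        raise ProvisioningError(
            "Could not open ldb connection to %s, the error message is: %s", url, e)
    return {u: (ldb_object["url"], u) for u in users}


def export_fail_fast(url, users):
    """Fail-fast form: format first, raise once, keep the original error chained."""
    try:
        ldb_object = connect(url)
    except BackendUnreachable as e:
        raise ProvisioningError(
            "Could not open ldb connection to %s, the error message is: %s" % (url, e)
        ) from e
    return {u: (ldb_object["url"], u) for u in users}


def outcome(fn, url, users):
    """Return 'ok' or the name of the exception class that escaped fn."""
    try:
        fn(url, users)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Constructed inputs: a hostname the fake connector rejects and an IP it accepts.
    for fn in (export_log_and_continue, export_raise_printf_style, export_fail_fast):
        print(fn.__name__,
              outcome(fn, "ldap://ldap.example.test", ["alice"]),
              outcome(fn, "ldap://192.0.2.10", ["alice"]))
```

Under Python 3 the TypeError text differs from the Python 2.6 wording in the thread, but the cause is the same.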
