diff -Nuar samba-4.2.0~alpha1.orig/debian/patches/40_samba3upgrade.patch samba-4.2.0~alpha1/debian/patches/40_samba3upgrade.patch
--- samba-4.2.0~alpha1.orig/debian/patches/40_samba3upgrade.patch 1970-01-01 01:00:00.000000000 +0100
+++ samba-4.2.0~alpha1/debian/patches/40_samba3upgrade.patch 2014-08-13 23:50:39.000000000 +0200
@@ -0,0 +1,109 @@
+--- samba-4.2.0~alpha1.orig/python/samba/upgrade.py 2014-08-12 19:52:29.000000000 +0200
++++ samba-4.2.0~alpha1/python/samba/upgrade.py 2014-08-13 12:01:56.000000000 +0200
+@@ -74,7 +74,7 @@ def import_sam_policy(samdb, policy, log
+
+ if 'maximum password age' in policy:
+ max_pw_age_unix = policy['maximum password age']
+- if max_pw_age_unix == -1 or max_pw_age_unix == 0:
++ if max_pw_age_unix == -1 or max_pw_age_unix == 0 or max_pw_age_unix == 0xFFFFFFFF:
+ max_pw_age_nt = -0x8000000000000000
+ else:
+ max_pw_age_nt = int(-max_pw_age_unix * (1e7))
+@@ -262,12 +262,24 @@ def add_group_from_mapping_entry(samdb,
+ raise ldb.LdbError(ecode, emsg)
+
+ if found:
+- logger.warn('Group already exists sid=%s, groupname=%s existing_groupname=%s, Ignoring.',
++ if 'group' in msg[0]['objectClass']:
++ logger.warn('Group already exists sid=%s, groupname=%s existing_groupname=%s, Ignoring.',
+ str(groupmap.sid), groupmap.nt_name, msg[0]['sAMAccountName'][0])
++ elif 'foreignSecurityPrincipal' in msg[0]['objectClass']:
++ logger.warn('Group already exists as foreignSecurityPrincipal sid=%s, groupname=%s existing_groupname=%s, Ignoring.',
++ str(groupmap.sid), groupmap.nt_name, msg[0]['cn'][0])
++ else:
++ logger.warn('Group already exists as obectclass %s sid=%s, groupname=%s existing_groupname=%s, Ignoring.',
++ str(groupmap.sid), groupmap.nt_name, list(msg[0]['objectClass']))
++
+ else:
+ if groupmap.sid_name_use == lsa.SID_NAME_WKN_GRP:
+ # In a lot of Samba3 databases, aliases are marked as well known groups
+- (group_dom_sid, rid) = groupmap.sid.split()
++ try:
++ (group_dom_sid, rid) = groupmap.sid.split()
++ except:
++ logger.warn('Failed to split sid for %s' % groupmap.nt_name)
++ return
+ if (group_dom_sid != security.dom_sid(security.SID_BUILTIN)):
+ return
+
+@@ -430,7 +442,7 @@ def upgrade_from_samba3(samba3, logger,
+
+ domainname = samba3.lp.get("workgroup")
+ realm = samba3.lp.get("realm")
+- netbiosname = samba3.lp.get("netbios name")
++
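Review bot: In the hunk at -262,12, the new final `else:` warning has four `%s` placeholders but only three arguments, and the object-class list is passed last although its placeholder comes first, so the message cannot be formatted and the one case this branch exists to report is lost. Pass the arguments in placeholder order and drop the placeholder that has no value, e.g. `logger.warn('Group already exists as objectclass %s sid=%s, groupname=%s, Ignoring.', list(msg[0]['objectClass']), str(groupmap.sid), groupmap.nt_name)`. The bare `except:` around `groupmap.sid.split()` here, and again in the hunk at -506,10, also swallows KeyboardInterrupt and SystemExit and discards the reason; catching `Exception` and logging the error together with `groupmap.sid` would keep the upgrade log usable for diagnosing a malformed mapping. add_group_from_mapping_entry starts and ends outside the hunk.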
netbiosname = samba3.lp.get("netbios name").lower()
+
+ if samba3.lp.get("ldapsam:trusted") is None:
+ samba3.lp.set("ldapsam:trusted", "yes")
+@@ -464,7 +476,7 @@ def upgrade_from_samba3(samba3, logger,
+
+ if samba3.lp.get("passdb backend").split(":")[0].strip() == "ldapsam":
+ base_dn = samba3.lp.get("ldap suffix")
+- ldapuser = samba3.lp.get("ldap admin dn")
++ ldapuser = samba3.lp.get("ldap admin dn").strip('"')
+ ldappass = secrets_db.get_ldap_bind_pw(ldapuser)
+ if ldappass is None:
+ raise ProvisioningError("ldapsam passdb backend detected but no LDAP Bind PW found in secrets.tdb for user %s. Please point this tool at the secrets.tdb that was used by the previous installation.")
+@@ -506,10 +518,16 @@ def upgrade_from_samba3(samba3, logger,
+ grouplist = s3db.enum_group_mapping()
+ groupmembers = {}
+ for group in grouplist:
+- sid, rid = group.sid.split()
+- if sid == domainsid:
+- if rid >= next_rid:
+- next_rid = rid + 1
++ logger.warn("GROUP '%s'", group.nt_name)
++ logger.warn("GROUP SID '%s'", group.sid)
++ try:
++ sid, rid = group.sid.split()
++ if sid == domainsid:
++ if rid >= next_rid:
++ next_rid = rid + 1
++ except:
++ logger.warn("FAILED to get SID/rid")
++ continue
+
+ # Get members for each group/alias
+ if group.sid_name_use == lsa.SID_NAME_ALIAS:
+@@ -566,8 +584,8 @@ def upgrade_from_samba3(samba3, logger,
+ user = s3db.getsampwnam(username)
+ acct_type = (user.acct_ctrl & (samr.ACB_NORMAL|samr.ACB_WSTRUST|samr.ACB_SVRTRUST|samr.ACB_DOMTRUST))
+ if acct_type == samr.ACB_SVRTRUST:
+- logger.warn(" Demoting BDC account trust for %s, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'" % username[:-1])
+- user.acct_ctrl = (user.acct_ctrl & ~samr.ACB_SVRTRUST) | samr.ACB_WSTRUST
++ logger.warn(" Skipping BDC account for %s, this DC must be re-joined" % username[:-1])
++ continue
+
+ elif acct_type == samr.ACB_DOMTRUST:
+ logger.warn(" Skipping inter-domain trust from domain %s, this trust must be re-created as an AD trust" %
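Review bot: In the hunk at -506,10, the two unconditional `logger.warn("GROUP ...")` calls at the top of the loop look like leftover debugging and will emit two warnings per mapped group on every upgrade; `logger.debug` fits better. The `continue` in the new handler also skips the member collection that follows for that group, so the warning should say which group was dropped, e.g. `logger.warn("Skipping group %s: cannot split SID %s", group.nt_name, group.sid)`. The loop body continues past the end of the hunk, so any later use of the skipped group cannot be checked from here.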
username[:-1])
+@@ -664,9 +682,29 @@ Please fix this account before attemptin
+ urls = samba3.lp.get("passdb backend").split(":",1)[1].strip('"')
+ for url in urls.split():
+ try:
+- ldb_object = Ldb(url, credentials=creds)
++ ldb_object = Ldb(url, credentials=creds, lp=samba3.lp)
+ except ldb.LdbError, e:
+- raise ProvisioningError("Could not open ldb connection to %s, the error message is: %s" % (url, e))
++ logger.warn("Could not open ldb connection to %s, the error message is: %s\nTrying to dig.", url, e)
++ from urlparse import urlparse
++ import subprocess
++ url_hostname = urlparse(url).hostname
++ p1 = subprocess.Popen(["dig", "@localhost", url_hostname, "+short"], stdout=subprocess.PIPE)
++ (stdout, stderr) = p1.communicate()
++ if stdout:
++ stdout_line_list = stdout.split('\n')
++ if len(stdout_line_list) > 1:
++ logger.warn("Found %d addresses for %s" % (len(stdout_line_list), url_hostname))
++ for stdout_line in stdout_line_list:
++ logger.warn("Trying to connect to %s" % (stdout_line,))
++ try:
++ ldb_object = Ldb(url.replace(url_hostname, stdout_line), credentials=creds)
++ break
++ except ldb.LdbError, e:
++ logger.warn("Could not open ldb connection to %s, the error message is: %s" % (url.replace(url_hostname, stdout_line), e))
++ else:
++ raise ProvisioningError("Could not open ldb connection to %s, the error message is: %s" % (url, e))
++ else:
++ raise ProvisioningError("Could not open ldb connection to %s, the error message is: %s" % (url, e))
+ else:
+ break
+ logger.info("Exporting posix attributes")
diff -Nuar samba-4.2.0~alpha1.orig/debian/patches/series samba-4.2.0~alpha1/debian/patches/series
--- samba-4.2.0~alpha1.orig/debian/patches/series 2014-08-13 23:50:05.000000000 +0200
+++ samba-4.2.0~alpha1/debian/patches/series 2014-08-13 23:50:48.000000000 +0200
@@ -10000,0 +10000,1 @@
+40_samba3upgrade.patch
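Review bot: The retry path in the hunk at -664,9 binds with `creds` (built outside the hunk, presumably the LDAP admin bind identity) to whatever addresses `dig @localhost` returns for the URL's host, so the credentials follow a local resolver answer rather than the name the administrator configured; for an `ldaps://` URL, replacing the hostname with an address literal also means the server certificate can no longer be matched against the configured name. The retry call drops the `lp=samba3.lp` that this same hunk adds to the first attempt, so it should read `ldb_object = Ldb(url.replace(url_hostname, stdout_line), credentials=creds, lp=samba3.lp)`. `stdout.split('\n')` leaves an empty last element, which overstates the address count in the log and produces a final attempt against a URL with an empty host; `stdout.split()` avoids both. `urlparse(url).hostname` can be None for a URL without a host part and a missing `dig` binary raises OSError, and neither is turned into a ProvisioningError. Indentation is lost on this page and the enclosing function continues outside the hunk, so the nesting of the `for`/`else` branches is inferred.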