Univention Bugzilla – Bug 33338
In place upgrade of the Samba 3/NT4 to a Samba 4/AD domain - s4connector rejects and Tracebacks
Last modified: 2013-11-19 06:42:37 CET
UCS 3.2 with univention-samba, then "In place upgrade of the Samba 3/NT4 to a Samba 4/AD domain":

-> ucr set samba4/ignore/mixsetup=yes \
     samba4/ntacl/backend=native \
     samba/debug/level=1
-> univention-install univention-s4-connector

During the migration, "warnings" like this

GROUP 'NTLM Authentication' GROUP SID 'S-1-5-64-10'
Ignoring group 'NTLM Authentication' S-1-5-64-10 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
...
Could not modify AD idmap entry for sid=S-1-5-9, id=5017, type=ID_TYPE_GID ((32, "Duplicate base-DN matches found for '<SID=S-1-5-9>'"))
Could not add posix attrs for AD entry for sid=S-1-5-9, ((32, "Duplicate base-DN matches found for '<SID=S-1-5-9>'"))
Group already exists as foreignSecurityPrincipal sid=S-1-5-14, groupname=Remote Interactive Logon existing_groupname=Remote Interactive Logon, Ignoring.

were printed to the console, and after the migration univention-s4connector-list-rejected shows a lot of rejects and the connector log is full of:

12.11.2013 16:57:51,825 LDAP (PROCESS): sync to ucs: [ group] [ modify] cn=groupxp,cn=groups,dc=perf,dc=test
12.11.2013 16:57:51,873 LDAP (ERROR ): Unknown Exception during sync_to_ucs
12.11.2013 16:57:51,873 LDAP (ERROR ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 1320, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 1187, in modify_in_ucs
    return ucs_object.modify() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 344, in modify
    return self._modify(modify_childs,ignore_license=ignore_license)
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 727, in _modify
    self._ldap_pre_modify()
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/groups/group.py", line 525, in _ldap_pre_modify
    self.check_ad_group_type_change()
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/groups/group.py", line 999, in check_ad_group_type_change
    raise univention.admin.uexceptions.adGroupTypeChangeGlobalToDomainLocal
adGroupTypeChangeGlobalToDomainLocal

and

12.11.2013 16:56:55,150 LDAP (PROCESS): sync from ucs: [ group] [ add] CN=Computers,cn=groups,dc=perf,dc=test
12.11.2013 16:56:55,152 LDAP (ERROR ): sync_from_ucs: traceback during modify object: CN=Computers,cn=groups,dc=perf,dc=test
12.11.2013 16:56:55,152 LDAP (ERROR ): sync_from_ucs: traceback due to modlist: [(2, 'groupType', [u'-2147483646']), (1, 'description', None)]
12.11.2013 16:56:55,155 LDAP (WARNING): sync failed, saved as rejected /var/lib/univention-connector/s4/1384269958.657495
12.11.2013 16:56:55,156 LDAP (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 753, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old))):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/__init__.py", line 2435, in sync_from_ucs
    self.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), compatible_modlist(modlist), serverctrls=self.serverctrls_for_add_and_modify)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 808, in modify_ext_s
    return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 766, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 295, in modify_ext_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 422, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 426, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 432, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
UNWILLING_TO_PERFORM: {'info': '00002035: samldb: Change from security/distribution local group forbidden!', 'desc': 'Server is unwilling to perform'}
Created attachment 5613 [details] connector-s4.log
Created attachment 5614 [details] actualise.log
This was an environment with master, backup, slave and member, all UCS 3.2 and with univention-samba
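Added example (not part of the bug report, and not Univention or Samba code): decoding the groupType value from the rejected modlist in the connector log above and checking it against the scope conversions Active Directory accepts. The report does not show the groupType that CN=Computers already had on the Samba 4 side; the domain local value used here is an assumption, and all function names are hypothetical.

```python
# Added example: decode AD groupType values and test scope changes.
SECURITY_ENABLED = 0x80000000
SCOPE_BITS = {0x2: "global", 0x4: "domain local", 0x8: "universal"}
# Direct scope conversions Active Directory accepts (membership preconditions
# aside). Global <-> domain local is not among them; such a change has to
# pass through universal.
ALLOWED = {
    ("global", "universal"), ("universal", "global"),
    ("domain local", "universal"), ("universal", "domain local"),
}
MOD_REPLACE = 2  # numeric value of ldap.MOD_REPLACE in python-ldap


def decode_group_type(value):
    """Return (scope, kind) for a signed 32-bit groupType as stored in LDAP."""
    flags = int(value) & 0xFFFFFFFF
    scopes = [name for bit, name in SCOPE_BITS.items() if flags & bit]
    if len(scopes) != 1:
        raise ValueError("groupType %r does not carry exactly one scope bit" % (value,))
    kind = "security" if flags & SECURITY_ENABLED else "distribution"
    return scopes[0], kind


def scope_change_allowed(old_value, new_value):
    """True if old_value -> new_value keeps the scope or is an accepted conversion."""
    old_scope = decode_group_type(old_value)[0]
    new_scope = decode_group_type(new_value)[0]
    return old_scope == new_scope or (old_scope, new_scope) in ALLOWED


def refused_group_types(modlist, current_group_type):
    """Return groupType values in a python-ldap modlist that would be refused."""
    refused = []
    for op, attr, values in modlist:
        if op == MOD_REPLACE and attr == "groupType":
            refused += [v for v in values
                        if not scope_change_allowed(current_group_type, v)]
    return refused


# Modlist as logged by the connector for CN=Computers.
MODLIST = [(2, "groupType", ["-2147483646"]), (1, "description", None)]
# Assumption: the object already in Samba 4 is a domain local security group.
ASSUMED_CURRENT = -2147483644

if __name__ == "__main__":
    print(decode_group_type(MODLIST[0][2][0]))
    print(refused_group_types(MODLIST, ASSUMED_CURRENT))
```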
still does not work, even with connector/s4/mapping/group/grouptype=false

migration of DC master looks good, but migration/join of DC backup fails

-> univention-run-join-scripts --ask-pass

Partition[DC=perf,DC=test] objects[425/327] linked_values[40/0]
Failed to apply records: ../ldb_tdb/ldb_index.c:1216: Failed to re-index objectGUID in CN=Authenticated Users\0ACNF:6e857f16-2c03-4078-afb0-79c06ea5acd8,CN=Groups,DC=perf,DC=test - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectGUID in CN=Authenticated Users\0ACNF:6e857f16-2c03-4078-afb0-79c06ea5acd8,CN=Groups,DC=perf,DC=test: Entry already exists
Failed to commit objects: WERR_GENERAL_FAILURE
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to process chunk: NT_STATUS_UNSUCCESSFUL
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 560, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 1220, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 1102, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 842, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib/python2.6/dist-packages/samba/drs_utils.py", line 256, in replicate
    schema=schema, req_level=req_level, req=req)
Created attachment 5617 [details] join.log (backup)
Created attachment 5618 [details] actualise.log (backup)
The group type sync has to be disabled in any case:

connector/s4/mapping/group/grouptype=false

I've changed the wiki article. The group sync can be activated later via Bug #32863.

I've also added the dbcheck command on the first system after the migration.

The sambaGroupType rewrite has been removed from the classicupdate code in setup-s4.sh.
My tests were successful. I've added the bug number to the existing Samba 4.1 changelog entry.
OK
*** Bug 33345 has been marked as a duplicate of this bug. ***
The migration failed during the import of some pseudo groups

Importing group: Authenticated Users
Could not modify AD idmap entry for sid=S-1-5-11, id=5011, type=ID_TYPE_GID ((32, "Duplicate base-DN matches found for '<SID=S-1-5-11>'"))
Could not add posix attrs for AD entry for sid=S-1-5-11, ((32, "Duplicate base-DN matches found for '<SID=S-1-5-11>'"))
Importing group: World Authority
ERROR(runtime): uncaught exception - dom_sid_split_rid failed
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 1330, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs, no_upn=no_upn)
  File "/usr/lib/python2.6/dist-packages/samba/upgrade.py", line 955, in upgrade_from_samba3
    add_group_from_mapping_entry(result.samdb, g, logger)
  File "/usr/lib/python2.6/dist-packages/samba/upgrade.py", line 302, in add_group_from_mapping_entry
    (group_dom_sid, rid) = groupmap.sid.split()
root@master181:~

The classicupgrade now ignores these pseudo groups. Waiting for the samba build.
Samba has been built.
nop, another problem

samba4 demotes the other (samba3) dc's

Demoting BDC account trust for pbackup, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'
Demoting BDC account trust for pslave, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'

this leads to a password mismatch between ldap and machine.secret on the dc backup
The BDCs are now skipped while migrating. They will be re-added when the system is joined via samba-tool. This will lead to a new SID for the DC but that is OK.
OK, join of dc backup, slave into the samba4 domain works
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".