Bug 33338 – In place upgrade of the Samba 3/NT4 to a Samba 4/AD domain - s4connector rejects and Tracebacks

Bug 33338 - In place upgrade of the Samba 3/NT4 to a Samba 4/AD domain - s4connector rejects and Tracebacks


Summary:	In place upgrade of the Samba 3/NT4 to a Samba 4/AD domain - s4connector reje...

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Samba4
Version:	UNSTABLE
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 3.2
Assigned To:	Stefan Gohmann
QA Contact:	Felix Botner

URL:
Keywords:	interim-4

Duplicates:	33345 (view as bug list)
Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2013-11-12 17:01 CET by Felix Botner
Modified:	2013-11-19 06:42 CET (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
connector-s4.log (1.99 MB, text/x-log) 2013-11-12 17:02 CET, Felix Botner	Details
actualise.log (103.39 KB, text/x-log) 2013-11-12 17:02 CET, Felix Botner	Details
join.log (backup) (45.99 KB, text/x-log) 2013-11-12 17:57 CET, Felix Botner	Details
actualise.log (backup) (45.56 KB, text/x-log) 2013-11-12 17:58 CET, Felix Botner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Felix Botner

2013-11-12 17:01:44 CET

UCS 3.2 with univention-samba, then "In place upgrade of the Samba 3/NT4 to a Samba 4/AD domain ":

-> ucr set samba4/ignore/mixsetup=yes \
           samba4/ntacl/backend=native \
           samba/debug/level=1
-> univention-install univention-s4-connector

during the migration, "warnings" like this 

GROUP 'NTLM Authentication'
GROUP SID 'S-1-5-64-10'
Ignoring group 'NTLM Authentication' S-1-5-64-10 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
...
Could not modify AD idmap entry for sid=S-1-5-9, id=5017, type=ID_TYPE_GID ((32, "Duplicate base-DN matches found for '<SID=S-1-5-9>'"))
Could not add posix attrs for AD entry for sid=S-1-5-9, ((32, "Duplicate base-DN matches found for '<SID=S-1-5-9>'"))
Group already exists as foreignSecurityPrincipal sid=S-1-5-14, groupname=Remote Interactive Logon existing_groupname=Remote Interactive Logon, Ignoring.

were printed to the console, and after the migration univention-s4connector-list-rejected show a lot if rejects and the connector log is full of:

12.11.2013 16:57:51,825 LDAP        (PROCESS): sync to ucs:   [         group] [    modify] cn=groupxp,cn=groups,dc=perf,dc=test
12.11.2013 16:57:51,873 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
12.11.2013 16:57:51,873 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 1320, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 1187, in modify_in_ucs
    return ucs_object.modify() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 344, in modify
    return self._modify(modify_childs,ignore_license=ignore_license)
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 727, in _modify
    self._ldap_pre_modify()
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/groups/group.py", line 525, in _ldap_pre_modify
    self.check_ad_group_type_change()
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/groups/group.py", line 999, in check_ad_group_type_change
    raise univention.admin.uexceptions.adGroupTypeChangeGlobalToDomainLocal
adGroupTypeChangeGlobalToDomainLocal


and
12.11.2013 16:56:55,150 LDAP        (PROCESS): sync from ucs: [         group] [       add] CN=Computers,cn=groups,dc=perf,dc=test
12.11.2013 16:56:55,152 LDAP        (ERROR  ): sync_from_ucs: traceback during modify object: CN=Computers,cn=groups,dc=perf,dc=test
12.11.2013 16:56:55,152 LDAP        (ERROR  ): sync_from_ucs: traceback due to modlist: [(2, 'groupType', [u'-2147483646']), (1, 'description', None)]
12.11.2013 16:56:55,155 LDAP        (WARNING): sync failed, saved as rejected
        /var/lib/univention-connector/s4/1384269958.657495
12.11.2013 16:56:55,156 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 753, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old))):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/__init__.py", line 2435, in sync_from_ucs
    self.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), compatible_modlist(modlist), serverctrls=self.serverctrls_for_add_and_modify)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 808, in modify_ext_s
    return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 766, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 295, in modify_ext_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 422, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 426, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 432, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
UNWILLING_TO_PERFORM: {'info': '00002035: samldb: Change from security/distribution local group forbidden!', 'desc': 'Server is unwilling to perform'}

Comment 1 Felix Botner

2013-11-12 17:02:12 CET

Created attachment 5613 [details]
connector-s4.log

Comment 2 Felix Botner

2013-11-12 17:02:29 CET

Created attachment 5614 [details]
actualise.log

Comment 3 Felix Botner

2013-11-12 17:03:09 CET

This was an environment with master, backup, slave and member, all UCS 3.2 and with univention-samba

Comment 4 Felix Botner

2013-11-12 17:56:52 CET

still does not work, even with 
 connector/s4/mapping/group/grouptype=false

migration of DC master looks good, but migration/join of DC backup fails

-> univention-run-join-scripts --ask-pass
Partition[DC=perf,DC=test] objects[425/327] linked_values[40/0]
Failed to apply records: ../ldb_tdb/ldb_index.c:1216: Failed to re-index objectGUID in CN=Authenticated Users\0ACNF:6e857f16-2c03-4078-afb0-79c06ea5acd8,CN=Groups,DC=perf,DC=test - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectGUID in CN=Authenticated Users\0ACNF:6e857f16-2c03-4078-afb0-79c06ea5acd8,CN=Groups,DC=perf,DC=test: Entry already exists
Failed to commit objects: WERR_GENERAL_FAILURE
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to process chunk: NT_STATUS_UNSUCCESSFUL
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 560, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 1220, in join_DC
    ctx.do_join()
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 1102, in do_join
    ctx.join_replicate()
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 842, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/lib/python2.6/dist-packages/samba/drs_utils.py", line 256, in replicate
    schema=schema, req_level=req_level, req=req)

Comment 5 Felix Botner

2013-11-12 17:57:41 CET

Created attachment 5617 [details]
join.log (backup)

Comment 6 Felix Botner

2013-11-12 17:58:12 CET

Created attachment 5618 [details]
actualise.log (backup)

Comment 7 Stefan Gohmann

2013-11-12 18:48:35 CET

The group type sync has to be disabled in any case:
   connector/s4/mapping/group/grouptype=false

I've changed the wiki article. The group sync can be activated later via Bug #32863

I've also added the dbcheck command on the first system after the migration.

The sambaGroupType rewrite have been removed from the classicupdate code in setup-s4.sh.

Comment 8 Stefan Gohmann

2013-11-13 07:39:58 CET

My tests were successful. I've added the bug number to the existing Samba 4.1 changelog entry.

Comment 9 Felix Botner

2013-11-13 10:49:52 CET

OK

Comment 10 Stefan Gohmann

2013-11-13 12:01:40 CET

*** Bug 33345 has been marked as a duplicate of this bug. ***

Comment 11 Stefan Gohmann

2013-11-13 12:05:09 CET

The migration failed during the import of some pseudo groups

Importing group: Authenticated Users
Could not modify AD idmap entry for sid=S-1-5-11, id=5011, type=ID_TYPE_GID ((32, "Duplicate base-DN matches found for '<SID=S-1-5-11>'"))
Could not add posix attrs for AD entry for sid=S-1-5-11, ((32, "Duplicate base-DN matches found for '<SID=S-1-5-11>'"))
Importing group: World Authority
ERROR(runtime): uncaught exception - dom_sid_split_rid failed
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 1330, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs, no_upn=no_upn)
  File "/usr/lib/python2.6/dist-packages/samba/upgrade.py", line 955, in upgrade_from_samba3
    add_group_from_mapping_entry(result.samdb, g, logger)
  File "/usr/lib/python2.6/dist-packages/samba/upgrade.py", line 302, in add_group_from_mapping_entry
    (group_dom_sid, rid) = groupmap.sid.split()
root@master181:~

The classicupgrade now ignores these pseudo groups.

Waiting for the samba build.

Comment 12 Stefan Gohmann

2013-11-13 13:26:44 CET

Samba has been built.

Comment 13 Felix Botner

2013-11-13 14:06:24 CET

nop, another problem

samba4 demotes the other (samba3) dc's

  Demoting BDC account trust for pbackup, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'^M
  Demoting BDC account trust for pslave, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'^M

this leads to a password mismatch between ldap and machine.secret on the dc backup

Comment 14 Stefan Gohmann

2013-11-13 15:20:23 CET

The BDC are now skipping while migrating. They will be re-added when the systen is joined via samba-tool. This will lead to a new SID for the DC but that is OK.

Comment 15 Felix Botner

2013-11-13 16:49:14 CET

OK, join of dc backup, slave into the samba4 domain works

Comment 16 Stefan Gohmann

2013-11-19 06:42:37 CET

UCS 3.2 has been released:
 http://docs.univention.de/release-notes-3.2-en.html
 http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".