Bug 33338 - In place upgrade of the Samba 3/NT4 to a Samba 4/AD domain - s4connector rejects and Tracebacks
Product: UCS
Classification: Unclassified
Component: Samba4
Hardware/OS: Other Linux
Priority/Severity: P5 normal
UCS 3.2
Assigned To: Stefan Gohmann
Felix Botner
interim-4
Duplicates: 33345
Reported: 2013-11-12 17:01 CET by Felix Botner
Modified: 2013-11-19 06:42 CET


connector-s4.log (1.99 MB, text/x-log)
2013-11-12 17:02 CET, Felix Botner
actualise.log (103.39 KB, text/x-log)
2013-11-12 17:02 CET, Felix Botner
join.log (backup) (45.99 KB, text/x-log)
2013-11-12 17:57 CET, Felix Botner
actualise.log (backup) (45.56 KB, text/x-log)
2013-11-12 17:58 CET, Felix Botner

Description Felix Botner univentionstaff 2013-11-12 17:01:44 CET
UCS 3.2 with univention-samba, then "In place upgrade of the Samba 3/NT4 to a Samba 4/AD domain":

-> ucr set samba4/ignore/mixsetup=yes \
           samba4/ntacl/backend=native \
-> univention-install univention-s4-connector

during the migration, "warnings" like this 

GROUP 'NTLM Authentication'
GROUP SID 'S-1-5-64-10'
Ignoring group 'NTLM Authentication' S-1-5-64-10 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Could not modify AD idmap entry for sid=S-1-5-9, id=5017, type=ID_TYPE_GID ((32, "Duplicate base-DN matches found for '<SID=S-1-5-9>'"))
Could not add posix attrs for AD entry for sid=S-1-5-9, ((32, "Duplicate base-DN matches found for '<SID=S-1-5-9>'"))
Group already exists as foreignSecurityPrincipal sid=S-1-5-14, groupname=Remote Interactive Logon existing_groupname=Remote Interactive Logon, Ignoring.

were printed to the console, and after the migration univention-s4connector-list-rejected shows a lot of rejects and the connector log is full of:

12.11.2013 16:57:51,825 LDAP        (PROCESS): sync to ucs:   [         group] [    modify] cn=groupxp,cn=groups,dc=perf,dc=test
12.11.2013 16:57:51,873 LDAP        (ERROR  ): Unknown Exception during sync_to_ucs
12.11.2013 16:57:51,873 LDAP        (ERROR  ): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 1320, in sync_to_ucs
    result = self.modify_in_ucs(property_type, object, module, position)
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 1187, in modify_in_ucs
    return ucs_object.modify() and self.__modify_custom_attributes(property_type, object, ucs_object, module, position)
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 344, in modify
    return self._modify(modify_childs,ignore_license=ignore_license)
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/__init__.py", line 727, in _modify
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/groups/group.py", line 525, in _ldap_pre_modify
  File "/usr/lib/pymodules/python2.6/univention/admin/handlers/groups/group.py", line 999, in check_ad_group_type_change
    raise univention.admin.uexceptions.adGroupTypeChangeGlobalToDomainLocal

12.11.2013 16:56:55,150 LDAP        (PROCESS): sync from ucs: [         group] [       add] CN=Computers,cn=groups,dc=perf,dc=test
12.11.2013 16:56:55,152 LDAP        (ERROR  ): sync_from_ucs: traceback during modify object: CN=Computers,cn=groups,dc=perf,dc=test
12.11.2013 16:56:55,152 LDAP        (ERROR  ): sync_from_ucs: traceback due to modlist: [(2, 'groupType', [u'-2147483646']), (1, 'description', None)]
12.11.2013 16:56:55,155 LDAP        (WARNING): sync failed, saved as rejected
12.11.2013 16:56:55,156 LDAP        (WARNING): Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/__init__.py", line 753, in __sync_file_from_ucs
    or (not old_dn and not self.sync_from_ucs(key, object, premapped_ucs_dn, old_dn, old))):
  File "/usr/lib/pymodules/python2.6/univention/s4connector/s4/__init__.py", line 2435, in sync_from_ucs
    self.lo_s4.lo.modify_ext_s(compatible_modstring(object['dn']), compatible_modlist(modlist), serverctrls=self.serverctrls_for_add_and_modify)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 808, in modify_ext_s
    return self._apply_method_s(SimpleLDAPObject.modify_ext_s,*args,**kwargs)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 766, in _apply_method_s
    return func(self,*args,**kwargs)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 295, in modify_ext_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 422, in result
    res_type,res_data,res_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 426, in result2
    res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 432, in result3
    ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout)
  File "/usr/lib/python2.6/dist-packages/ldap/ldapobject.py", line 96, in _ldap_call
    result = func(*args,**kwargs)
UNWILLING_TO_PERFORM: {'info': '00002035: samldb: Change from security/distribution local group forbidden!', 'desc': 'Server is unwilling to perform'}
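The two failures quoted above are the same problem seen from both sides: the UDM group handler raises adGroupTypeChangeGlobalToDomainLocal, and samldb answers the modlist `(2, 'groupType', [u'-2147483646'])` with "Change from security/distribution local group forbidden!". The value -2147483646 is the signed 32-bit form of 0x80000002, a security-enabled global group, and AD only permits a group's scope to move global <-> universal or domain local <-> universal in one step, never global <-> domain local directly. The following script is an added example, not code from the bug report or from the UCS connector: it decodes groupType values with the MS-ADTS flag constants, checks whether a requested scope change is one AD accepts, and runs that check over the two connector log lines quoted above. The current groupType assumed for CN=Computers (security domain local) is a constructed value for the example; in practice it would be read from the Samba 4 directory.

```python
import re

# AD groupType flag values as documented in MS-ADTS (constants are not from the bug page).
GROUP_TYPE_BUILTIN_LOCAL = 0x00000001
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000

SCOPE_MASK = (GROUP_TYPE_BUILTIN_LOCAL | GROUP_TYPE_GLOBAL
              | GROUP_TYPE_DOMAIN_LOCAL | GROUP_TYPE_UNIVERSAL)
SCOPE_NAMES = {
    GROUP_TYPE_BUILTIN_LOCAL: "builtin local",
    GROUP_TYPE_GLOBAL: "global",
    GROUP_TYPE_DOMAIN_LOCAL: "domain local",
    GROUP_TYPE_UNIVERSAL: "universal",
}

# Scope conversions AD permits in a single modify; a global <-> domain local
# change is only reachable through universal, which is what samldb rejects here.
ALLOWED_SCOPE_CHANGES = {
    (GROUP_TYPE_GLOBAL, GROUP_TYPE_UNIVERSAL),
    (GROUP_TYPE_DOMAIN_LOCAL, GROUP_TYPE_UNIVERSAL),
    (GROUP_TYPE_UNIVERSAL, GROUP_TYPE_GLOBAL),
    (GROUP_TYPE_UNIVERSAL, GROUP_TYPE_DOMAIN_LOCAL),
}


def decode_group_type(value):
    """Return (scope_flag, security_enabled) for a groupType as LDAP carries it (signed 32-bit)."""
    bits = int(value) & 0xFFFFFFFF          # -2147483646 -> 0x80000002
    scope = bits & SCOPE_MASK
    if scope not in SCOPE_NAMES:
        raise ValueError("unknown groupType scope bits: 0x%x" % scope)
    return scope, bool(bits & GROUP_TYPE_SECURITY_ENABLED)


def describe_group_type(value):
    scope, security = decode_group_type(value)
    return ("security " if security else "distribution ") + SCOPE_NAMES[scope]


def scope_change_allowed(old_value, new_value):
    """True if AD accepts changing a group from old_value to new_value in one modify."""
    old_scope, _ = decode_group_type(old_value)
    new_scope, _ = decode_group_type(new_value)
    return old_scope == new_scope or (old_scope, new_scope) in ALLOWED_SCOPE_CHANGES


OBJECT_RE = re.compile(r"traceback during modify object: (.+)$")
MODLIST_RE = re.compile(r"traceback due to modlist: (\[.*\])$")
GROUPTYPE_RE = re.compile(r"\(2, 'groupType', \[u?'(-?\d+)'\]\)")


def audit_connector_log(lines, current_group_types):
    """Pair each 'modify object' line with the modlist line that follows it and
    report whether the requested groupType is a scope change AD would accept.
    current_group_types maps DN -> groupType currently stored in Samba 4."""
    findings = []
    dn = None
    for line in lines:
        m = OBJECT_RE.search(line)
        if m:
            dn = m.group(1).strip()
            continue
        m = MODLIST_RE.search(line)
        if not (m and dn):
            continue
        g = GROUPTYPE_RE.search(m.group(1))
        if g is None:
            continue
        requested = int(g.group(1))
        current = current_group_types.get(dn)
        findings.append({
            "dn": dn,
            "current": None if current is None else describe_group_type(current),
            "requested": describe_group_type(requested),
            "allowed": None if current is None else scope_change_allowed(current, requested),
        })
        dn = None
    return findings


# Two log lines quoted from the bug report; the current groupType of the group
# in Samba 4 is a constructed value (security domain local) for this example.
SAMPLE_LOG = [
    "12.11.2013 16:56:55,152 LDAP        (ERROR  ): sync_from_ucs: traceback during modify object: CN=Computers,cn=groups,dc=perf,dc=test",
    "12.11.2013 16:56:55,152 LDAP        (ERROR  ): sync_from_ucs: traceback due to modlist: [(2, 'groupType', [u'-2147483646']), (1, 'description', None)]",
]
SAMPLE_CURRENT = {"CN=Computers,cn=groups,dc=perf,dc=test": -2147483644}

if __name__ == "__main__":
    for f in audit_connector_log(SAMPLE_LOG, SAMPLE_CURRENT):
        print("%(dn)s: %(current)s -> %(requested)s, allowed=%(allowed)s" % f)
```

Run against a real connector log, the audit lists every rejected group whose requested groupType would be an illegal direct scope change, which is exactly the class of rejects that disabling the group type sync (as done in comment 7 below) makes go away.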
Comment 1 Felix Botner univentionstaff 2013-11-12 17:02:12 CET
Created attachment 5613
Comment 2 Felix Botner univentionstaff 2013-11-12 17:02:29 CET
Created attachment 5614
Comment 3 Felix Botner univentionstaff 2013-11-12 17:03:09 CET
This was an environment with master, backup, slave and member, all UCS 3.2 and with univention-samba
Comment 4 Felix Botner univentionstaff 2013-11-12 17:56:52 CET
still does not work, even with 

migration of DC master looks good, but migration/join of DC backup fails

-> univention-run-join-scripts --ask-pass
Partition[DC=perf,DC=test] objects[425/327] linked_values[40/0]
Failed to apply records: ../ldb_tdb/ldb_index.c:1216: Failed to re-index objectGUID in CN=Authenticated Users\0ACNF:6e857f16-2c03-4078-afb0-79c06ea5acd8,CN=Groups,DC=perf,DC=test - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectGUID in CN=Authenticated Users\0ACNF:6e857f16-2c03-4078-afb0-79c06ea5acd8,CN=Groups,DC=perf,DC=test: Entry already exists
Failed to commit objects: WERR_GENERAL_FAILURE
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to process chunk: NT_STATUS_UNSUCCESSFUL
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 560, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 1220, in join_DC
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 1102, in do_join
  File "/usr/lib/python2.6/dist-packages/samba/join.py", line 842, in join_replicate
  File "/usr/lib/python2.6/dist-packages/samba/drs_utils.py", line 256, in replicate
    schema=schema, req_level=req_level, req=req)
Comment 5 Felix Botner univentionstaff 2013-11-12 17:57:41 CET
Created attachment 5617
join.log (backup)
Comment 6 Felix Botner univentionstaff 2013-11-12 17:58:12 CET
Created attachment 5618
actualise.log (backup)
Comment 7 Stefan Gohmann univentionstaff 2013-11-12 18:48:35 CET
The group type sync has to be disabled in any case:

I've changed the wiki article. The group sync can be activated later via Bug #32863

I've also added the dbcheck command on the first system after the migration.

The sambaGroupType rewrite has been removed from the classicupdate code in setup-s4.sh.
Comment 8 Stefan Gohmann univentionstaff 2013-11-13 07:39:58 CET
My tests were successful. I've added the bug number to the existing Samba 4.1 changelog entry.
Comment 9 Felix Botner univentionstaff 2013-11-13 10:49:52 CET
Comment 10 Stefan Gohmann univentionstaff 2013-11-13 12:01:40 CET
*** Bug 33345 has been marked as a duplicate of this bug. ***
Comment 11 Stefan Gohmann univentionstaff 2013-11-13 12:05:09 CET
The migration failed during the import of some pseudo groups

Importing group: Authenticated Users
Could not modify AD idmap entry for sid=S-1-5-11, id=5011, type=ID_TYPE_GID ((32, "Duplicate base-DN matches found for '<SID=S-1-5-11>'"))
Could not add posix attrs for AD entry for sid=S-1-5-11, ((32, "Duplicate base-DN matches found for '<SID=S-1-5-11>'"))
Importing group: World Authority
ERROR(runtime): uncaught exception - dom_sid_split_rid failed
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 1330, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs, no_upn=no_upn)
  File "/usr/lib/python2.6/dist-packages/samba/upgrade.py", line 955, in upgrade_from_samba3
    add_group_from_mapping_entry(result.samdb, g, logger)
  File "/usr/lib/python2.6/dist-packages/samba/upgrade.py", line 302, in add_group_from_mapping_entry
    (group_dom_sid, rid) = groupmap.sid.split()

The classicupgrade now ignores these pseudo groups.

Waiting for the samba build.
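The traceback in the comment above ends in `groupmap.sid.split()`, the step that separates a group's SID into its domain part and RID. Two things make Samba 3 group map entries awkward for that step: a SID with no sub-authority at all cannot be split, and any SID outside the domain's own S-1-5-21 prefix (S-1-5-11 for Authenticated Users, S-1-5-64-10 for NTLM Authentication) is a well-known or pseudo group rather than a domain group. The script below is an added example, not part of the bug report or of Samba's upgrade code: it parses SIDs, mirrors the split into domain and RID, and triages a group map listing before the classicupgrade is run. The listing and the domain SID are constructed sample data in the style of `net groupmap list` output; which of these conditions the "World Authority" entry hit is not stated on the page.

```python
import re

# Constructed sample in the style of `net groupmap list` ("name (SID) -> unix group").
# The domain SID and the S-1-5-21 entries are illustrative, not from the bug report.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_GROUPMAP = """\
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> Domain Admins
groupxp (S-1-5-21-1111111111-2222222222-3333333333-5001) -> groupxp
Authenticated Users (S-1-5-11) -> Authenticated Users
World Authority (S-1-1) -> World Authority
NTLM Authentication (S-1-5-64-10) -> NTLM Authentication
"""

SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)*)$")
GROUPMAP_LINE_RE = re.compile(r"^(.*?) \((S-1-[\d-]+)\) -> (.*)$")


def parse_sid(text):
    """Return (identifier_authority, [sub_authorities]) for a textual SID."""
    m = SID_RE.match(text)
    if m is None:
        raise ValueError("not a SID: %r" % text)
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]] if m.group(2) else []
    return authority, subs


def split_rid(sid_text):
    """Split a SID into (domain_sid, rid); None when there is no sub-authority to split off."""
    authority, subs = parse_sid(sid_text)
    if not subs:
        return None
    domain = "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs[:-1]))
    return domain, subs[-1]


def classify_groupmap_entry(sid_text, domain_sid):
    """'domain' for groups of this domain, 'pseudo' for well-known/foreign SIDs,
    'unsplittable' for SIDs that have no RID at all."""
    split = split_rid(sid_text)
    if split is None:
        return "unsplittable"
    domain, _rid = split
    return "domain" if domain == domain_sid else "pseudo"


def triage_groupmap(text, domain_sid):
    """Parse a group map listing and classify every entry."""
    out = []
    for line in text.splitlines():
        m = GROUPMAP_LINE_RE.match(line)
        if m is None:
            continue
        name, sid, _unix_group = m.groups()
        out.append((name, sid, classify_groupmap_entry(sid, domain_sid)))
    return out


if __name__ == "__main__":
    for name, sid, cls in triage_groupmap(SAMPLE_GROUPMAP, DOMAIN_SID):
        print("%-20s %-45s %s" % (name, sid, cls))
```

Entries classified as pseudo or unsplittable are the ones the upgrade has no domain group to create for; the page records that the classicupgrade now skips them, and a triage like this shows ahead of time which entries that affects.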
Comment 12 Stefan Gohmann univentionstaff 2013-11-13 13:26:44 CET
Samba has been built.
Comment 13 Felix Botner univentionstaff 2013-11-13 14:06:24 CET
nop, another problem

samba4 demotes the other (samba3) DCs

  Demoting BDC account trust for pbackup, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'
  Demoting BDC account trust for pslave, this DC must be elevated to an AD DC using 'samba-tool domain dcpromo'

this leads to a password mismatch between ldap and machine.secret on the dc backup
Comment 14 Stefan Gohmann univentionstaff 2013-11-13 15:20:23 CET
The BDCs are now skipped while migrating. They will be re-added when the system is joined via samba-tool. This will lead to a new SID for the DC but that is OK.
Comment 15 Felix Botner univentionstaff 2013-11-13 16:49:14 CET
OK, join of dc backup, slave into the samba4 domain works
Comment 16 Stefan Gohmann univentionstaff 2013-11-19 06:42:37 CET
UCS 3.2 has been released:

If this error occurs again, please use "Clone This Bug".