Trouble during classicupgrade

Trouble during classicupgrade

Samba - General mailing list
Hello,

I need to do a classic migration on a machine which has until now been
running samba as an old NT4-style PDC. I made a copy of that machine in
a VM to test the process. Until now, things don't work quite right. I
was following the classic upgrade howto from wiki.samba.org. I was using
the method with internal DNS. Classicupgrade itself ran without errors,
I followed the steps after provisioning in the setup guide until the
connection test with smbclient:

smbclient -L localhost -U%
session setup failed: NT_STATUS_INTERNAL_ERROR

With log level raised to 5, I can find in log.smbd:

[2017/11/25 16:41:48.248479,  1]
../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
  Failed to generate session_info (user and group token) for session
setup: NT_STATUS_INTERNAL_ERROR

Turning log level to 10 I get an awful lot of info, including several
messages:

Duplicate base-DN matches found for <SID=1-5-11>

These errors also occur during the classicupgrade when run with log
level 10. But I can't find anything useful in all these log messages.

I can post full logs if you want, but I'm not going to attach them here
due to the size.

I am running Debian 9 with samba 4.5.12. Before you ask, no I cannot
upgrade. This is what comes with debian and I will have to stick with it.

Thanks,

Andreas


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

smb.conf.PDC (2K) Download Attachment
Re: Trouble during classicupgrade

Samba - General mailing list


On 25.11.2017 at 16:49, Andreas Heinlein via samba wrote:

> Hello,
>
> I need to do a classic migration on a machine which has until now been
> running samba as an old NT4-style PDC. I made a copy of that machine in
> a VM to test the process. Until now, things don't work quite right. I
> was following the classic upgrade howto from wiki.samba.org. I was using
> the method with internal DNS. Classicupgrade itself ran without errors,
> I followed the steps after provisioning in the setup guide until the
> connection test with smbclient:
>
> smbclient -L localhost -U%
> session setup failed: NT_STATUS_INTERNAL_ERROR
>
> With log level raised to 5, I can find in log.smbd:
>
> [2017/11/25 16:41:48.248479,  1]
> ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
>    Failed to generate session_info (user and group token) for session
> setup: NT_STATUS_INTERNAL_ERROR
>
> Turning log level to 10 I get an awful lot of info, including several
> messages:
>
> Duplicate base-DN matches found for <SID=1-5-11>
>
> These errors also occur during the classicupgrade when run with log
> level 10. But I can't find anything useful in all these log messages.
>
> I can post full logs if you want, but I'm not going to attach them here
> due to the size.
>
> I am running Debian 9 with samba 4.5.12. Before you ask, no I cannot
> upgrade. This is what comes with debian and I will have to stick with it.
>
> Thanks,
>
> Andreas
>
>
>

I'd inspect the ldap dump file you use for the classic upgrade and
remove the duplicate objects with SID=1-5-11 in that file before running
classic upgrade.

Re: Trouble during classicupgrade

Samba - General mailing list
On Sat, 25 Nov 2017 16:49:24 +0100
Andreas Heinlein via samba <[hidden email]> wrote:

> Hello,
>
> I need to do a classic migration on a machine which has until now been
> running samba as an old NT4-style PDC. I made a copy of that machine
> in a VM to test the process. Until now, things don't work quite
> right. I was following the classic upgrade howto from wiki.samba.org.
> I was using the method with internal DNS. Classicupgrade itself ran
> without errors, I followed the steps after provisioning in the setup
> guide until the connection test with smbclient:
>
> smbclient -L localhost -U%
> session setup failed: NT_STATUS_INTERNAL_ERROR

I have just discovered there was a link error on the 'classic upgrade'
page (now fixed), it took you to the entire page instead of the
relevant section, so how much of the page did you follow?

>
> With log level raised to 5, I can find in log.smbd:
>
> [2017/11/25 16:41:48.248479,  1]
> ../source3/smbd/sesssetup.c:290(reply_sesssetup_and_X_spnego)
>   Failed to generate session_info (user and group token) for session
> setup: NT_STATUS_INTERNAL_ERROR
>
> Turning log level to 10 I get an awful lot of info, including several
> messages:
>
> Duplicate base-DN matches found for <SID=1-5-11>

This is 'Authenticated Users' and is stored in AD as
'CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=samdom,DC=example,DC=com'
and should only be found once.

Rowland


Re: Trouble during classicupgrade

Samba - General mailing list
Hello,

I just wanted to say that after some hours of digging, I found the
problem. It turned out to be quite trivial...

The winbind package was missing on that machine. This is a separate
package in Debian; after installing it everything seems to work.

There were two factors that led me to remove winbind at first:
1. The wiki says "Configuring Winbindd on a Samba AD DC - Only required
if using the DC as a file server". That is misleading, obviously
winbindd itself is actually required.
2. The Debian winbind package has a weird bug that causes it to
unconditionally try to start winbindd as a standalone service even on a
samba AD DC (https://bugs.debian.org/863285), which obviously fails. I
came across that error, tried to start winbindd manually and got a
message explaining "server role = 'active directory domain controller'
not compatible with running the winbindd binary. You should start
'samba' instead, and it will control starting the internal AD DC
winbindd implementation, which is not the same as this one." That too
led me to the assumption that a separate winbind package is now no
longer needed and I could remove it.

Only after looking through the logs again, I found the message that
samba failed to start /usr/sbin/winbindd, which is in the winbind package.

So the actual problem is now gone, but maybe someone wants to look into
these potentially misleading messages.

Thank you for your help!

Andreas



Re: Trouble during classicupgrade

Samba - General mailing list
On Wed, 29 Nov 2017 18:57:53 +0100
Andreas Heinlein via samba <[hidden email]> wrote:

> Hello,
>
> I just wanted to say that after some hours of digging, I found the
> problem. It turned out to be quite trivial...
>
> The winbind package was missing on that machine. This is a separate
> package in Debian; after installing it everything seems to work.

Debian used to install the winbind package when you installed the
'samba' package, you now need to install it separately.
 
>
> There were two factors that led me to remove winbind at first:
> 1. The wiki says "Configuring Winbindd on a Samba AD DC - Only
> required if using the DC as a file server". That is misleading,
> obviously winbindd itself is actually required.

You are confusing setting up 'winbindd' with installing the winbind
package.

> 2. The Debian winbind package has a weird bug that causes it to
> unconditionally try to start winbindd as a standalone service even on
> a samba AD DC (https://bugs.debian.org/863285), which obviously
> fails. I came across that error, tried to start winbindd manually and
> got a message explaining "server role = 'active directory domain
> controller' not compatible with running the winbindd binary. You
> should start 'samba' instead, and it will control starting the
> internal AD DC winbindd implementation, which is not the same as this
> one." That too led me to the assumption that a separate winbind
> package is now no longer needed and I could remove it.

Debian needs to deal with its bug, it also needs to update that
message, samba no longer starts its internal winbind (I think it has
been removed), it starts the separate 'winbindd' daemon, this is why
you need the winbind package.
 
>
> Only after looking through the logs again, I found the message that
> samba failed to start /usr/sbin/winbindd, which is in the winbind
> package.
>
> So the actual problem is now gone, but maybe someone wants to look
> into these potentially misleading messages.
>
The Samba wiki is mainly written around using a self compiled Samba and
not on a package install, but you have made a few valid points, so I
will look into updating the wiki.

Rowland
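
The condition this thread ended on (smb.conf sets the AD DC server role, but /usr/sbin/winbindd is not installed) can be checked before running the smbclient test. The script below is an added example, not from the thread or the Samba project; the function names are made up here, only the role spelling quoted in the thread is matched, and /etc/samba/smb.conf in the usage comment is an assumed Debian path.

```shell
#!/bin/sh
# Added example: pre-flight check for the failure found in this thread.
# Usage (paths are assumptions for a Debian package install):
#   sh check_winbindd.sh /etc/samba/smb.conf /usr/sbin/winbindd

# Print the [global] "server role" value of an smb.conf, lower-cased.
# Prints an empty line when the parameter is not set in [global].
server_role() {
    awk '
        /^[ \t]*[#;]/ { next }                    # skip comment lines
        /^[ \t]*\[/   {                           # section header
            g = (tolower($0) ~ /^[ \t]*\[global\]/)
            next
        }
        g && tolower($0) ~ /^[ \t]*server[ \t]*role[ \t]*=/ {
            v = tolower($0)
            sub(/^[^=]*=[ \t]*/, "", v)           # drop "server role ="
            sub(/[ \t\r]+$/, "", v)               # drop trailing whitespace
            role = v                              # a later setting wins
        }
        END { print role }
    ' "$1"
}

# Return codes:
#   0 = AD DC role and winbindd binary present
#   1 = AD DC role but winbindd missing or not executable
#   2 = role is not the AD DC role (nothing to check)
check_winbindd() {
    conf=$1
    bin=$2
    role=$(server_role "$conf")
    # Only the spelling quoted in the thread is matched (assumption).
    [ "$role" = "active directory domain controller" ] || return 2
    if [ -x "$bin" ]; then
        return 0
    fi
    echo "AD DC role set in $conf but $bin is missing or not executable" >&2
    return 1
}

# Run the check only when both paths are given on the command line.
if [ $# -eq 2 ]; then
    check_winbindd "$1" "$2"
fi
```

A return code of 1 corresponds to the state described in the thread, where the fix was installing the Debian winbind package.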
