Discussion:
[Samba] Changing administrator password after Samba4 classic upgrade
Mario Codeniera
2012-12-20 10:00:01 UTC
I upgraded samba3 to samba4 and it was almost successful, with one problem:
administrator can't access. The administrator is, by default, the only
user account that is given full control over the system.

My query is how to change the administrator password? We have one account
which can join the samba 4 AD based on the migrated data, but the problem is
it can't change the administrator or alter the domain.

At first, I got a problem with group 'Everyone' and 'root', which I then deleted.

*[***@gaara ambot]# /usr/local/samba/bin/samba-tool domain classicupgrade
--dbdir=/srv/LiveData/var_lib_samba/samba --use-xattrs=yes
--dns-backend=SAMBA_INTERNAL --realm=kazekage.sura.sandbox.local
/srv/smb.conf
Reading smb.conf
WARNING: Ignoring invalid value 'cups' for parameter 'printing'
Provisioning
Exporting account policy
Exporting groups
Ignoring group 'Everyone' S-1-1-0 listed but then not found: Unable to
enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
Exporting users
Demoting BDC account trust for naruto-konoha11, this DC must be elevated
to an AD DC using 'samba-tool domain promote'
Demoting BDC account trust for naruto-kiri4y, this DC must be elevated to
an AD DC using 'samba-tool domain promote'
Ignoring group memberships of 'root'
S-1-5-21-1511653421-423844657-761698953-1000: Unable to enumerate group
memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
Skipping wellknown rid=501 (for username=nobody)
Demoting BDC account trust for naruto-kiri, this DC must be elevated to
an AD DC using 'samba-tool domain promote'
Next rid = 105011
- (just remove the description message)
-
Importing groups
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512,
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514,
groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515,
groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
Group already exists sid=S-1-5-32-544, groupname=Administrators
existing_groupname=Administrators, Ignoring.
Group already exists sid=S-1-5-32-546, groupname=Guests
existing_groupname=Guests, Ignoring.
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
line 1318, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 879, in upgrade_from_samba3
add_group_from_mapping_entry(result.samdb, g, logger)
File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 264, in add_group_from_mapping_entry
str(groupmap.sid), groupmap.nt_name, msg[0]['sAMAccountName'][0])*

After that I re-ran the classic upgrade, and found out that the administrator
SID was wrong, and modified it to xxx-500 where xxx is the domain SID, and
modified group Administrators because there are other domain SIDs.

*- (remove the description, displaying only the last part)
-
Importing idmap database
Importing groups
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512,
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514,
groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515,
groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
Group already exists sid=S-1-5-32-544, groupname=Administrators
existing_groupname=Administrators, Ignoring.
Group already exists sid=S-1-5-32-545, groupname=Users
existing_groupname=Users, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-513,
groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Importing users
User 'Administrator' in your existing directory has SID
S-1-5-21-1511653421-423844657-761698953-20001, expected it to be
S-1-5-21-1511653421-423844657-761698953-500
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: User 'Administrator' in your existing directory does not
have SID ending in -500
File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
line 1318, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 889, in upgrade_from_samba3
raise ProvisioningError("User 'Administrator' in your existing
directory does not have SID ending in -500")*


Finally got this with no errors, but again the administrator can't login
even using the kinit. As mentioned above I used to login other user in
Windows 7 and run the Windows Remote Administration Tools and able to check
the data is successfully migrated including administrator (but the problem
it was changed during upgrading) and I observed in the log see highlighted.
And every time I run the samba-tool domain classicupgrade, the Admin
password: (see other highlighted below) have different values (
0ngHrG~IIMHZ>DhNIP YOU<AKoN~+wPZ!Am * * SXJ96re1=zYO* *respectively).
*
[***@gaara ambot]# /usr/local/samba/bin/samba-tool domain classicupgrade
--dbdir=/srv/LiveData/var_lib_samba/samba --use-xattrs=yes
--dns-backend=SAMBA_INTERNAL --realm=kazekage.sura.sandbox.local
/srv/smb.conf
Reading smb.conf
WARNING: Ignoring invalid value 'cups' for parameter 'printing'
Provisioning
Exporting account policy
Exporting groups
Exporting users
Demoting BDC account trust for naruto-konoha1, this DC must be elevated
to an AD DC using 'samba-tool domain promote'
Skipping wellknown rid=500 (for username=administrator)
Demoting BDC account trust for naruto-kiri, this DC must be elevated to
an AD DC using 'samba-tool domain promote'
Next rid = 105011
Exporting posix attributes
Reading WINS database
Cannot open wins database, Ignoring: [Errno 2] No such file or directory:
'/srv/LiveData/var_lib_samba/samba/wins.dat'
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=kazekage,DC=sura,DC=sandbox,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting acl on sysvol skipped
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=kazekage,DC=sura,DC=sandbox,DC=local
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at
/usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Admin password: SXJ96re1=zYO
Server Role: active directory domain controller
Hostname: gaara
NetBIOS Domain: KAZEKAGE
DNS Domain: kazekage.sura.sandbox.local
DOMAIN SID: S-1-5-21-1511653421-423844657-761698953
Importing WINS database
Importing Account policy
Importing idmap database
Importing groups
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512,
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514,
groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515,
groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
Group already exists sid=S-1-5-32-545, groupname=Users
existing_groupname=Users, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-513,
groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Importing users
Adding users to groups*

Thank you, hope someone can give insights on it.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2012-12-22 02:00:01 UTC
Post by Mario Codeniera
I used to upgrade samba3 to samba4 with almost successful with one problem,
administrator can't access. As administrator, by default it is the only
user account that is given full control over the system.
My query is how to change the administrator password? we have one account
which can join to the samba 4 AD based on the migrated data but the problem
can't change the administrator or can't alter the domain.
After that re-run the classic upgrade, and found out that the administrator
SID was wrong and modified to xxx-500 where xxx domain SID and modified
group Administrators because there are other domain SIDs.
*- (remove the description, displaying only the last part)
-
Importing idmap database
Importing groups
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-512,
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-514,
groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-515,
groupname=Domain Computers existing_groupname=Domain Computers, Ignoring.
Group already exists sid=S-1-5-32-544, groupname=Administrators
existing_groupname=Administrators, Ignoring.
Group already exists sid=S-1-5-32-545, groupname=Users
existing_groupname=Users, Ignoring.
Group already exists sid=S-1-5-21-1511653421-423844657-761698953-513,
groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Importing users
User 'Administrator' in your existing directory has SID
S-1-5-21-1511653421-423844657-761698953-20001, expected it to be
S-1-5-21-1511653421-423844657-761698953-500
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: User 'Administrator' in your existing directory does not
have SID ending in -500
File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/domain.py",
line 1318, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
File "/usr/local/samba/lib64/python2.6/site-packages/samba/upgrade.py",
line 889, in upgrade_from_samba3
raise ProvisioningError("User 'Administrator' in your existing
directory does not have SID ending in -500")*
Finally got this with no errors, but again the administrator can't login
even using the kinit. As mentioned above I used to login other user in
Windows 7 and run the Windows Remote Administration Tools and able to check
the data is successfully migrated including administrator (but the problem
it was changed during upgrading) and I observed in the log see highlighted.
And every time I run the samba-tool domain classicupgrade, the Admin
password: (see other highlighted below) have different values (
0ngHrG~IIMHZ>DhNIP YOU<AKoN~+wPZ!Am * * SXJ96re1=zYO* *respectively).
This is interesting, as at one point we had logic to not show these
unused passwords.

I've attached a patch that should do this, let me know if it makes the
output (which I agree is very, very verbose) clearer.
Post by Mario Codeniera
*
--dbdir=/srv/LiveData/var_lib_samba/samba --use-xattrs=yes
--dns-backend=SAMBA_INTERNAL --realm=kazekage.sura.sandbox.local
/srv/smb.conf
Reading smb.conf
What it should have said was 'using the existing admin password of user
root/administrator'. So, try the old password, but if neither the old
password nor the generated one works, you can reset it using 'samba-tool
user setpassword administrator'
Post by Mario Codeniera
Thank you, hope someone can give insights on it.
Thanks for your patience with this.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Andrew Bartlett
2012-12-22 09:20:02 UTC
Post by Andrew Bartlett
This is interesting, as at one point we had logic to not show these
unused passwords.
I've attached a patch that should do this, let me know if it makes the
output (which I agree is very, very verbose) clearer.
The attached corrected patch should work better.

Sorry,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Mario Codeniera
2013-01-04 01:10:01 UTC
Thanks so much Andrew, it is working fine.

But when I try to reinstall and recompile without removing the 'root'
account from the OpenLDAP and it doesn't have an error (just for
curiosity), and the root account password is also the administrator
password after migration.

I am on the process of connecting it to the real machine which previously
connected with the DC-Samba3, seems some problem but I have
to re-investigate it the cause maybe a DNS et al. I don't want to
re-connect (re-establish) it to the Samba4, coz I retain the SID of Samba4
from Samba3.

I used to connect new machine but machines after migration (samba3
machines), at first able to connect because you able to login. But after it
you can't able to see it, I even try administration tools, again as said on
previous paragraph needs to check other causes.
Andrew Bartlett
2013-01-04 04:50:02 UTC
Post by Mario Codeniera
Thanks so much Andrew, it is working fine.
But when I try to reinstall and recompile without removing the 'root'
account from the OpenLDAP and it doesn't have an error (just for
curiosity), and the root account password is also the administrator
password after migration.
I am on the process of connecting it to the real machine which previously
connected with the DC-Samba3, seems some problem but I have
to re-investigate it the cause maybe a DNS et al. I don't want to
re-connect (re-establish) it to the Samba4, coz I retain the SID of Samba4
from Samba3.
I used to connect new machine but machines after migration (samba3
machines), at first able to connect because you able to login. But after it
you can't able to see it, I even try administration tools, again as said on
previous paragraph needs to check other causes.
Mario,

I'm really sorry, but I've tried a couple of times to make sense of what
you have written above, but I just can't.

Please can you clearly state:

For your testing domain or configuration:
- What was working
- What was not working
- What you changed
- What is now working

For your attempt to apply this to your production domain:
- What is working
- What is not working
- What was working but is now not working
- What you have attempted to do to fix it

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Mario Codeniera
2013-01-11 04:50:01 UTC
Hi Andrew,

Sorry for the late response took me a while to figure out the internal DNS.

For your queries these are the concern/issues

For your testing domain or configuration:
- What was working
I used to run smoothly the classic upgrade in a new Server (running a
Centos 6.3 using OpenLDAP 2.4 before migrating to Samba4 from CentOS 5.5
and Samba 3.3.10 with OpenLDAP 2.3.43 as backend)

Copy the backup ldif (from the production server) to the new server
(testing domain) and connecting to the new ldap server
$sudo slapadd -c -l thebackup.ldif
Meaning I have a fully running OpenLDAP 2.4 running, which I used to
configure some files like nslcd.conf, pam_ldap.conf, and ldap.conf
I used the following commands to check
$getent group
$getent passwd
If displays the groups and the users from the ldap database, I can
successfully migrated it to Samba4.
As based on my test if doesn't have output from the ldap, I can't proceed
to classicupgrade.

Hope someone give insights more? If no need to change the configurations
stated above, or maybe it is a shortcut of what I am doing. As for my
understanding "samba-tool domain classicupgrade" need to have LDAP running,
and those configurations needed in order to run it properly the LDAP.
That's why you need to run still the ldap when issuing the classicupgrade.

The patch you given was working fine and even without adding a patch,
probably I just got some mistakes before especially on the users and groups
in the database.

Then copied the tdb files to the new server and on my case generate error
on secrets.tdb, what I did issue the command
$sudo /usr/local/samba/bin/smbpasswd -w xxx -c
/tmp/livedata/samba/smb.conf
$cp /var/lib/samba/private/secrets.tdb /tmp/livedata/samba
assume xxx the password and /tmp/livedata/samba where your tdb
files also located

Then run the classicupgrade but modified/delete some users and groups that
the conflict or not recognised by the "samba-tool domain classicupgrade"
based on the display.


- What was not working
Some suggested, NO need to the configure the nslcd.conf, pam_ldap.conf, and
the ldap.conf (locally connected) to the LDAP server.
But on my case, it doesn't work if I will not change them, in short I can't
upgrade to Samba4, using classicupgrade command.

Not able to test client from the production that no need to re-authenticate
(re-connecting to the samba4 domain from samba3)


- What you changed
I used to retain the SID, meaning just copy the SID from the production
domain, my assumptions that the existing machines in the LDAP database,
will be automatically connected without re-authentication.
$set netlocalid zzz
where zzz is the SID

Modified users and groups in the LDAP Server
Deleted 'Everyone' group
Change SID of user uid=administrator from 20001 to 500
Deleted the Group list of "Administrators" and added from the list of
"Administrators" zzz-512
where zzz SID
Remove oneGroup, but uncommon group or custom made group


- What is now working
Work fine no yet problems encountered (coz not yet connected to the
production)



For your attempt to apply this to your production domain:
- What is working
So far as I mimicking the testing domain, no problems encountered in
migration or running the "classicupgrade" command

- What is not working
As I observed the internal DNS having the problem especially once change
with an IP address coz only using a DHCP.

Not authororitative for 'aaaa.bbbb', forwarding
RuntimeError: kinit for xxx$@yyy failed (Cannot contact any KDC for
requested realm)
../source4/dsdb/dns/dns_update.c294: Failed DNS update -
NT_STATUS_ACCESS_DENIED

- What was working but is now not working
Not yet so far

- What you have attempted to do to fix it
What I did as internal DNS having the probs, I used to re-run again
"samba-tool domain classicupgrade" from scratch which solved the problems
but so far on the trial of connecting to the 2 actual clients for testing
purposes (that no need to re-authenticate) if that will be the case lots of
work to do.


My question
How do able to change the internal DNS server ip? I think it is not using
localhost nor 127.0.0.1.

Cheers,

Mario Codeniera
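
An added example, not part of the original thread and not Samba code: a pre-flight check over an LDIF export of the Samba 3 LDAP backend that flags the three conditions reported in this thread before `samba-tool domain classicupgrade` is run (Administrator's SID not ending in -500, a group mapped to the well-known SID S-1-1-0, and group members from another domain SID). The sample LDIF is constructed; `parse_ldif`, `preflight` and the finding labels are hypothetical names, and the check assumes the Samba 3 LDAP schema attributes `sambaSID` and `sambaSIDList`.

```python
import re

# Domain SID as printed in the thread's classicupgrade output.
DOMAIN_SID = "S-1-5-21-1511653421-423844657-761698953"

# Constructed sample LDIF (not the poster's data), modelled on the
# conditions the thread reports. The last sambaSIDList value is folded
# onto a continuation line, as slapcat output often is.
SAMPLE_LDIF = """\
dn: uid=administrator,ou=People,dc=example,dc=local
objectClass: sambaSamAccount
uid: administrator
sambaSID: S-1-5-21-1511653421-423844657-761698953-20001

dn: cn=Everyone,ou=Group,dc=example,dc=local
objectClass: sambaGroupMapping
cn: Everyone
sambaSID: S-1-1-0

dn: cn=Administrators,ou=Group,dc=example,dc=local
objectClass: sambaGroupMapping
cn: Administrators
sambaSID: S-1-5-32-544
sambaSIDList: S-1-5-21-1511653421-423844657-761698953-512
sambaSIDList: S-1-5-21-1111111111-2222222222-3333333333-
 512

dn: uid=mario,ou=People,dc=example,dc=local
objectClass: sambaSamAccount
uid: mario
sambaSID: S-1-5-21-1511653421-423844657-761698953-3001
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercased attribute -> values."""
    # Unfold continuation lines: a line starting with one space continues
    # the previous line, and the space itself is dropped.
    unfolded = re.sub(r"\r?\n ", "", text)
    entries = []
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith((":", "<")):
                continue  # base64 or URL-valued attribute, not needed here
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def preflight(entries, domain_sid):
    """Return (label, dn, sid) tuples for entries likely to trip the upgrade."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        sids = e.get("sambasid", [])
        uids = [u.lower() for u in e.get("uid", [])]
        # The upgrade expects Administrator to carry RID 500 of the domain.
        if "administrator" in uids and sids and sids[0] != domain_sid + "-500":
            findings.append(("ADMIN_RID", dn, sids[0]))
        # 'Everyone' (S-1-1-0) is a well-known SID, not a domain group.
        if "S-1-1-0" in sids:
            findings.append(("WELLKNOWN_GROUP", dn, "S-1-1-0"))
        # Members whose SID belongs to a different domain than the one migrated.
        for member in e.get("sambasidlist", []):
            if member.startswith("S-1-5-21-") and not member.startswith(domain_sid + "-"):
                findings.append(("FOREIGN_MEMBER", dn, member))
    return findings


if __name__ == "__main__":
    for label, dn, sid in preflight(parse_ldif(SAMPLE_LDIF), DOMAIN_SID):
        print(f"{label:16} {dn}  ({sid})")
```
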