Bug 9181 - PDC migration fails on ACL issues (s3fs specific?)
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Other
Version: 4.0.0rc1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2012-09-19 22:24 UTC by Steinar H. Gunderson (dead mail address)
Modified: 2022-08-18 05:54 UTC
Description Steinar H. Gunderson (dead mail address) 2012-09-19 22:24:52 UTC
Hi,

We have a venerable Samba3 domain (it dates from before Samba 3, actually), and we're doing test migrations to Samba 4 on a private network. We are doing migrations with

eatmydata /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/var/lib/samba  --use-xattrs=yes  --realm=ad.samfundet.no /etc/samba/smb.conf

Near the end, it complains that

Adding users to groups
Setting password for administrator
Administrator password has been set to password of user 'root'
idmapping sid_to_xid failed for id[0]=S-1-5-32-549: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-18: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-18: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-11: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-11: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-32-545: NT_STATUS_NONE_MAPPED
enum_group_memberships failed for S-1-5-21-2179488501-3702089277-485037447-1000: NT_STATUS_NONE_MAPPED
Fall back to unix uid lookup

This happens several times. At the very end, however, it dies with

idmapping sid_to_xid failed for id[0]=S-1-5-32-545: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-32-549: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-18: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-18: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-11: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-11: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-21-2179488501-3702089277-485037447-520: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-21-2179488501-3702089277-485037447-520: NT_STATUS_NONE_MAPPED
create_canon_ace_lists: unable to map SID S-1-5-21-2179488501-3702089277-485037447-520 to uid or gid.
idmapping sid_to_xid failed for id[0]=S-1-5-21-2179488501-3702089277-485037447-512: NT_STATUS_NONE_MAPPED
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 168, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 1312, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line 908, in upgrade_from_samba3
    security.dom_sid(result.domainsid), result.names.dnsdomain, result.names.domaindn, result.lp, use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 1462, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 1401, in set_gpos_acl
    str(domainsid), use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 1368, in set_dir_acl
    setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.6/site-packages/samba/ntacls.py", line 108, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)

It appears this is the same error as before, except that exceptions are not caught. If I comment out the line in upgrade.py, the migration appears to finish (at least partially) successfully; clients can log in from machines on the domain, but we have other issues (see forthcoming bug reports :-) ).
Comment 1 Martijn Berger 2012-10-04 12:47:46 UTC
I am having, I think, the same issue with 4.0.0rc2; it seems to be unable to map "Group Policy Creator Owners" to a uid or gid.

create_canon_ace_lists: unable to map SID S-1-5-21-4112421354-4033912310-3560899222-520 to uid or gid.
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 168, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1312, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 908, in upgrade_from_samba3
    security.dom_sid(result.domainsid), result.names.dnsdomain, result.names.domaindn, result.lp, use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1462, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1401, in set_gpos_acl
    str(domainsid), use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1368, in set_dir_acl
    setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 108, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)




dn: CN=Group Policy Creator Owners,CN=Users,DC=denc,DC=nl
objectClass: top
objectClass: group
cn: Group Policy Creator Owners
description: Members in this group can modify group policy for the domain
member: CN=Administrator,CN=Users,DC=denc,DC=nl
instanceType: 4
whenCreated: 20121004124007.0Z
whenChanged: 20121004124007.0Z
uSNCreated: 3552
uSNChanged: 3552
name: Group Policy Creator Owners
objectGUID: 92bde578-f5f4-4650-b801-a684a7d4e35d
objectSid: S-1-5-21-4112421354-4033912310-3560899222-520
sAMAccountName: Group Policy Creator Owners
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=denc,DC=nl
isCriticalSystemObject: TRUE
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=denc,DC=nl
distinguishedName: CN=Group Policy Creator Owners,CN=Users,DC=denc,DC=nl
Comment 2 Andrew Bartlett 2012-11-16 02:12:50 UTC
Later versions of Samba 4.0 rc can paper over part of this issue, but the fact remains that we need to change the file owner of policies to be groups, and if the group is mapped only to a GID before the upgrade, we can't do that.
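A log-triage helper for the classicupgrade output quoted in this report, added here as an example and not part of the bug report or of Samba. It separates the SIDs that create_canon_ace_lists could not map from those that only logged idmapping failures, and captures the final fset_nt_acl status; the function names and the RID name table are assumptions of this example.

```python
import re
from collections import Counter

# Names for well-known SIDs and domain RIDs that appear in the logs on this page.
WELL_KNOWN = {
    "S-1-5-11": "Authenticated Users", "S-1-5-18": "Local System",
    "S-1-5-32-545": "BUILTIN\\Users", "S-1-5-32-549": "BUILTIN\\Server Operators",
}
DOMAIN_RIDS = {512: "Domain Admins", 520: "Group Policy Creator Owners"}

SID = r"(S-1-5(?:-\d+)+)"
IDMAP_RE = re.compile(r"idmapping sid_to_xid failed for id\[0\]=" + SID)
ACE_RE = re.compile(r"create_canon_ace_lists: unable to map SID " + SID)
STATUS_RE = re.compile(r"fset_nt_acl returned (NT_STATUS_\w+)")

def describe(sid):
    """Return a readable name for a SID, falling back to its domain RID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    m = re.fullmatch(r"S-1-5-21(?:-\d+){3}-(\d+)", sid)
    if not m:
        return "unknown"
    rid = int(m.group(1))
    return DOMAIN_RIDS.get(rid, "domain RID %d" % rid)

def triage(log_text):
    """Group SIDs by the message that reported them; keep the last ACL status."""
    idmap, ace, status = Counter(), [], None
    for line in log_text.splitlines():
        if m := IDMAP_RE.search(line):
            idmap[m.group(1)] += 1
        elif (m := ACE_RE.search(line)) and m.group(1) not in ace:
            ace.append(m.group(1))
        elif m := STATUS_RE.search(line):
            status = m.group(1)
    return {
        "ace_unmapped": [(s, describe(s)) for s in ace],
        "idmap_only": sorted((s, describe(s), n) for s, n in idmap.items() if s not in ace),
        "status": status,
    }

# Sample input: lines taken from the end of the log in the description above.
SAMPLE = """\
idmapping sid_to_xid failed for id[0]=S-1-5-32-545: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-21-2179488501-3702089277-485037447-520: NT_STATUS_NONE_MAPPED
create_canon_ace_lists: unable to map SID S-1-5-21-2179488501-3702089277-485037447-520 to uid or gid.
idmapping sid_to_xid failed for id[0]=S-1-5-21-2179488501-3702089277-485037447-512: NT_STATUS_NONE_MAPPED
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
"""
```

Calling triage() on a saved classicupgrade log returns the SIDs worth checking against the Samba 3 group mappings before the upgrade is re-run.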
Comment 3 Douglas Bagnall 2022-08-18 05:54:15 UTC
(In reply to Andrew Bartlett from comment #2)
"Papering over the issue" does seem to have made people stop reporting it, at least in this form, so I'm calling it fixed.

If people are still doing classicupgrades, they aren't hitting messages that bring them here. Nobody in the world mentions it.

cf. https://lists.samba.org/archive/samba/2012-October/169531.html