Hi,

We have a venerable Samba3 domain (it dates from before Samba 3, actually), and we're doing test migrations to Samba 4 on a private network. We are doing migrations with

  eatmydata /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/var/lib/samba --use-xattrs=yes --realm=ad.samfundet.no /etc/samba/smb.conf

Near the end, it complains that

  Adding users to groups
  Setting password for administrator
  Administrator password has been set to password of user 'root'
  idmapping sid_to_xid failed for id[0]=S-1-5-32-549: NT_STATUS_NONE_MAPPED
  idmapping sid_to_xid failed for id[0]=S-1-5-18: NT_STATUS_NONE_MAPPED
  idmapping sid_to_xid failed for id[0]=S-1-5-18: NT_STATUS_NONE_MAPPED
  idmapping sid_to_xid failed for id[0]=S-1-5-11: NT_STATUS_NONE_MAPPED
  idmapping sid_to_xid failed for id[0]=S-1-5-11: NT_STATUS_NONE_MAPPED
  idmapping sid_to_xid failed for id[0]=S-1-5-32-545: NT_STATUS_NONE_MAPPED
  enum_group_memberships failed for S-1-5-21-2179488501-3702089277-485037447-1000: NT_STATUS_NONE_MAPPED
  Fall back to unix uid lookup

This happens several times. At the very end, however, it dies with

  idmapping sid_to_xid failed for id[0]=S-1-5-32-545: NT_STATUS_NONE_MAPPED
  idmapping sid_to_xid failed for id[0]=S-1-5-32-549: NT_STATUS_NONE_MAPPED
  idmapping sid_to_xid failed for id[0]=S-1-5-18: NT_STATUS_NONE_MAPPED
  idmapping sid_to_xid failed for id[0]=S-1-5-18: NT_STATUS_NONE_MAPPED
  idmapping sid_to_xid failed for id[0]=S-1-5-11: NT_STATUS_NONE_MAPPED
  idmapping sid_to_xid failed for id[0]=S-1-5-11: NT_STATUS_NONE_MAPPED
  idmapping sid_to_xid failed for id[0]=S-1-5-21-2179488501-3702089277-485037447-520: NT_STATUS_NONE_MAPPED
  idmapping sid_to_xid failed for id[0]=S-1-5-21-2179488501-3702089277-485037447-520: NT_STATUS_NONE_MAPPED
  create_canon_ace_lists: unable to map SID S-1-5-21-2179488501-3702089277-485037447-520 to uid or gid.
  idmapping sid_to_xid failed for id[0]=S-1-5-21-2179488501-3702089277-485037447-512: NT_STATUS_NONE_MAPPED
  set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
  ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
    File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py", line 168, in _run
      return self.run(*args, **kwargs)
    File "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/domain.py", line 1312, in run
      useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
    File "/usr/local/samba/lib/python2.6/site-packages/samba/upgrade.py", line 908, in upgrade_from_samba3
      security.dom_sid(result.domainsid), result.names.dnsdomain, result.names.domaindn, result.lp, use_ntvfs)
    File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 1462, in setsysvolacl
      set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs)
    File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 1401, in set_gpos_acl
      str(domainsid), use_ntvfs)
    File "/usr/local/samba/lib/python2.6/site-packages/samba/provision/__init__.py", line 1368, in set_dir_acl
      setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
    File "/usr/local/samba/lib/python2.6/site-packages/samba/ntacls.py", line 108, in setntacl
      smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)

It appears this is the same error as before, except that exceptions are not caught. If I comment out the line in upgrade.py, the migration appears to finish (at least partially) successfully; clients can log in from machines on the domain, but we have other issues (see forthcoming bug reports :-) ).
I am having, I think, the same issue with 4.0.0rc2. It seems to be unable to map "Group Policy Creator Owners" to a uid or gid.

  create_canon_ace_lists: unable to map SID S-1-5-21-4112421354-4033912310-3560899222-520 to uid or gid.
  set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
  ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 168, in _run
      return self.run(*args, **kwargs)
    File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1312, in run
      useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
    File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 908, in upgrade_from_samba3
      security.dom_sid(result.domainsid), result.names.dnsdomain, result.names.domaindn, result.lp, use_ntvfs)
    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1462, in setsysvolacl
      set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs)
    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1401, in set_gpos_acl
      str(domainsid), use_ntvfs)
    File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1368, in set_dir_acl
      setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
    File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 108, in setntacl
      smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)

  dn: CN=Group Policy Creator Owners,CN=Users,DC=denc,DC=nl
  objectClass: top
  objectClass: group
  cn: Group Policy Creator Owners
  description: Members in this group can modify group policy for the domain
  member: CN=Administrator,CN=Users,DC=denc,DC=nl
  instanceType: 4
  whenCreated: 20121004124007.0Z
  whenChanged: 20121004124007.0Z
  uSNCreated: 3552
  uSNChanged: 3552
  name: Group Policy Creator Owners
  objectGUID: 92bde578-f5f4-4650-b801-a684a7d4e35d
  objectSid: S-1-5-21-4112421354-4033912310-3560899222-520
  sAMAccountName: Group Policy Creator Owners
  sAMAccountType: 268435456
  groupType: -2147483646
  objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=denc,DC=nl
  isCriticalSystemObject: TRUE
  memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=denc,DC=nl
  distinguishedName: CN=Group Policy Creator Owners,CN=Users,DC=denc,DC=nl
Later versions of Samba 4.0 rc can paper over part of this issue, but the fact remains that we need to change the file owner of policies to be groups, and if the group is mapped only to a GID before the upgrade, we can't do that.
(In reply to Andrew Bartlett from comment #2) "Papering over the issue" does seem to have made people stop reporting it, at least in this form, so I'm calling it fixed. If people are still doing classicupgrades, they aren't hitting messages that bring them here. Nobody in the world mentions it. c.f. https://lists.samba.org/archive/samba/2012-October/169531.html
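
An added example, not part of the bug report and not Samba code: a small triage script that reads classicupgrade output like the logs quoted above, names the SIDs that failed idmapping, and singles out the ones that blocked the sysvol ACL. The function names and the SID name tables are this example's own; the sample lines are copied from the first report.

```python
import re
from collections import Counter

# Standard Windows well-known SIDs and domain RIDs that appear in this report.
WELL_KNOWN = {
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-549": "BUILTIN\\Server Operators",
}
DOMAIN_RIDS = {512: "Domain Admins", 520: "Group Policy Creator Owners"}

IDMAP_RE = re.compile(r"idmapping sid_to_xid failed for id\[\d+\]=(S-[\d-]+): NT_STATUS_\w+")
ACE_RE = re.compile(r"create_canon_ace_lists: unable to map SID (S-[\d-]+) to uid or gid")

def sid_name(sid):
    """Name a SID from the tables above; domain SIDs are matched on their RID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if sid.startswith("S-1-5-21-") and len(parts) == 8:
        rid = int(parts[-1])
        return DOMAIN_RIDS.get(rid, "domain RID %d" % rid)
    return "unknown"

def triage(log_text):
    """Summarise idmap failures, the SIDs that blocked an ACL, and the fatal status."""
    return {
        "failures": Counter(IDMAP_RE.findall(log_text)),
        "acl_blockers": sorted(set(ACE_RE.findall(log_text))),
        "invalid_owner": "NT_STATUS_INVALID_OWNER" in log_text,
    }

# Sample input: lines copied from the first report on this page.
SAMPLE_LOG = """\
idmapping sid_to_xid failed for id[0]=S-1-5-32-545: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-18: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-21-2179488501-3702089277-485037447-520: NT_STATUS_NONE_MAPPED
idmapping sid_to_xid failed for id[0]=S-1-5-21-2179488501-3702089277-485037447-520: NT_STATUS_NONE_MAPPED
create_canon_ace_lists: unable to map SID S-1-5-21-2179488501-3702089277-485037447-520 to uid or gid.
idmapping sid_to_xid failed for id[0]=S-1-5-21-2179488501-3702089277-485037447-512: NT_STATUS_NONE_MAPPED
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for sid, count in result["failures"].most_common():
        flag = "  <-- blocked ACL" if sid in result["acl_blockers"] else ""
        print("%2d  %-50s %s%s" % (count, sid, sid_name(sid), flag))
    print("fatal NT_STATUS_INVALID_OWNER:", result["invalid_owner"])
```
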