Bug 9186 - 'samba-tool domain classicupgrade' fails with 'LDAP client internal error'
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0.0rc1
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2012-09-20 13:15 UTC by Torsten Kurbad
Modified: 2012-09-21 01:08 UTC

Attachments
Small patch to make migration of POSIX attrs optional (7.49 KB, patch)
2012-09-20 14:54 UTC, Torsten Kurbad
Small patch to make migration of POSIX attrs optional (refined) (7.61 KB, patch)
2012-09-20 15:32 UTC, Torsten Kurbad

Description Torsten Kurbad 2012-09-20 13:15:02 UTC
To migrate our existing samba3 + OpenLDAP based domain to samba4, I set up a new server, copied over the db and config files of the old server to /root/samba3 and ran:

samba-tool domain classicupgrade \
        --dbdir=/root/samba3/db/private/ \
        --targetdir=/root/samba4/ \
        --use-xattrs=yes \
        /root/samba3/conf/smb.conf

The result in beta3 was a working PDC. However, in 4.0.0rc1 I get:

Provisioning
Exporting account policy
Exporting groups
Exporting users
  Skipping wellknown rid=500 (for username=administrator)
Could not find uidNumber in uid=root,ou=People,o=IWM,dc=iwm-kmrc,dc=de
Ignoring group memberships of 'root' S-1-5-21-1690228159-1232189243-2108207755-1000: Unable to enumerate group memberships, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
  Demoting BDC account trust for kmrcserv, this DC must be elevated to an AD DC using 'samba-tool domain promote'
Next rid = 41390
Failed to connect to ldap URL 'ldap://ldapsrv.iwm-kmrc.de' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://ldapsrv.iwm-kmrc.de' with backend 'ldap': (null)
Could not open ldb connection to ldap://ldapsrv.iwm-kmrc.de, the error message is: (1, None)
Exporting posix attributes
ERROR(<type 'exceptions.UnboundLocalError'>): uncaught exception - local variable 'ldb_object' referenced before assignment
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 168, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 1312, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/lib64/python2.7/site-packages/samba/upgrade.py", line 795, in upgrade_from_samba3
    homes[username] = get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, "homeDirectory")

My classic smb.conf contains:

passdb backend = ldapsam:"ldap://ldapsrv.iwm-kmrc.de"

However, I suspect that the migration of posix attributes that was recently introduced to classicupgrade causes the issue.

Can someone confirm that?

Best,
Torsten
Comment 1 Torsten Kurbad 2012-09-20 14:54:31 UTC
Created attachment 7912
Small patch to make migration of POSIX attrs optional

The attached patch introduces a new commandline option

'--no-posix-attrs'

to samba-tool domain classicupgrade to entirely skip migrating posix attributes.

In addition, the patch introduces a check whether ldb_object is set, before calling 'get_posix_attr_from_ldap_backend'. This way, the old database can be migrated including posix attrs, even if they are not set for all users.
Comment 2 Torsten Kurbad 2012-09-20 15:32:28 UTC
Created attachment 7913
Small patch to make migration of POSIX attrs optional (refined)

The new patch prints warnings about all accounts whose posix attrs can't be read.
Comment 3 Torsten Kurbad 2012-09-21 01:08:55 UTC
As Andrew Bartlett pointed out on the samba-technical mailing list, the problem lies with the different types of name resolution used by different parts of the upgrade process. In my setup, for some (yet unknown) reason one of those fails, producing the error.

Thus, circumventing name resolution by putting the IP instead of the hostname into the 'passdb backend' line in my classic smb.conf worked out perfectly.

Closing as invalid.

Best,
Torsten
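
The failure mode in the traceback and the guard described in comment 1, as an added Python 3 illustration (it is not the attached patch and not Samba's code). Assumptions: connect(), BackendUnavailable, the dict-backed directory, the simplified body of get_posix_attr_from_ldap_backend and the no_posix_attrs parameter name are all hypothetical stand-ins.

```python
import logging

log = logging.getLogger("classicupgrade-example")

class BackendUnavailable(Exception):
    """Constructed stand-in for a failed connection to the passdb backend."""

def connect(url, directory):
    # Hypothetical helper: directory=None simulates the failed LDAP connect.
    if directory is None:
        raise BackendUnavailable(url)
    return directory

def get_posix_attr_from_ldap_backend(logger, ldb_object, base_dn, username, attr):
    # Simplified stand-in, not Samba's implementation: dict lookup, None if absent.
    return ldb_object.get(username, {}).get(attr)

def export_unguarded(url, directory, base_dn, usernames):
    """Pattern behind the traceback: ldb_object is bound only on success."""
    try:
        ldb_object = connect(url, directory)
    except BackendUnavailable as exc:
        log.warning("Could not open ldb connection to %s", exc)
    homes = {}
    for name in usernames:
        # Raises UnboundLocalError when the connect above failed.
        homes[name] = get_posix_attr_from_ldap_backend(log, ldb_object, base_dn, name, "homeDirectory")
    return homes

def export_guarded(url, directory, base_dn, usernames, no_posix_attrs=False):
    """Guarded form: returns (homes, skipped) and never touches an unset handle."""
    if no_posix_attrs:
        return {}, []
    ldb_object = None
    try:
        ldb_object = connect(url, directory)
    except BackendUnavailable as exc:
        log.warning("Could not open ldb connection to %s", exc)
    homes, skipped = {}, []
    for name in usernames:
        value = None
        if ldb_object is not None:
            value = get_posix_attr_from_ldap_backend(log, ldb_object, base_dn, name, "homeDirectory")
        if value is None:
            log.warning("No homeDirectory migrated for %s", name)
            skipped.append(name)
        else:
            homes[name] = value
    return homes, skipped
```

Binding ldb_object to None before the connection attempt turns the crash into a per-account warning list, so a failed backend connection is visible in the output instead of aborting the upgrade midway.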