26 May 2012 14:08
Re: errors/issues when trying to migrate
Marc Muehlfeld <Marc.Muehlfeld <at> medizinische-genetik.de>
2012-05-26 12:08:51 GMT
2012-05-26 12:08:51 GMT
Am 26.05.2012 07:41, schrieb Andrew Bartlett: >> 2.) Exporting groups >> Ignoring group 'Print Operators' S-1-5-32-550 listed but then not found: >> Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS) >> ... >> >> The script continues, but this groups are all ignored. Any idea why? > > A number of Samba3 databases appear to have aliases templates for these > well known groups, but if they are not mapped to system groups, then > this will happen. That's why we ignore the error, because clearly there > are no users in these groups. What is an alias template? In some of this groups I have users, like in "print operators". This is my LDAP export of one of these groups: dn: cn=Print Operators,ou=Groups,dc=mr,dc=lfmg,dc=de objectClass: posixGroup objectClass: sambaGroupMapping cn: Print Operators description: Netbios Domain Print Operators displayName: Print Operators gidNumber: 550 memberUid: technik memberUid: Administrator sambaGroupType: 5 sambaSID: S-1-5-32-550 >> Here the script crashes and stops. The only way to continue, is to delete >> wins.dat. Maybe the script can continue, if the WINS import failes. > > I need a sample of the failed wins.dat, so we can fix the parsing > script. Find the wins.dat attached. >> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - >> ProvisioningError: Could not add member >> 'S-1-5-21-1362721961-1801182073-732966438-2996' to group >> 'S-1-5-21-1362721961-1801182073-732966438-512' as either group or user record >> doesn't exist: Unable to find GUID for DN > > The issue would be that Administrator should have a SID ending in -500. > We already skip accounts "root" and "administrator" and map the password > on to the Administrator account we build at provision time. This does > however mean that we break when trying to import the incorrect > administrator as a group member. I'll fix the SID of this account. But should there be some code added around to skip this failure, if others having a wrong SID for 'administator' too? Or at least a message, what's wrong. Thanks for your information. Regards, Marc
RSS Feed