Samba Migration 3 > 4

Hi,

I attempted a migration from Samba 3 to Samba 4 on UCS 3.2.5, which unfortunately went completely wrong.

First I adjusted the SID:
/usr/share/univention-samba/set_domain_sid
/usr/share/univention-samba/change_sid

Then I imported the users and groups from an LDAP dump.
For that I used this script as a basis:
github.com/dansan/Samba3toUCS

In addition I added code so that the Samba RIDs are set correctly.
That part worked very well.

The installation of Samba 4 then went like this:

root@univention1:~# ucr get samba4/ignore/mixsetup 
yes
root@univention1:~# ucr get samba4/ntacl/backend 
native
root@univention1:~# ucr get samba/debug/level 
1
root@univention1:~# ucr get connector/s4/mapping/group/grouptype 
false
root@univention1:~# 
root@univention1:~# 
root@univention1:~# univention-install univention-s4-connector 
OK   http://updates.software-univention.de 3.0-0/all/ Release.gpg
Ign http://updates.software-univention.de/3.0/maintained/ 3.0-0/all/ Translation-de
[..]
OK   http://updates.software-univention.de 3.0-0/all/ Release
OK   http://updates.software-univention.de 3.0-0/amd64/ Release
[..]
Hole:11 http://updates.software-univention.de 3.2-5-errata/all/ Packages [10,3 kB]
Hole:12 http://updates.software-univention.de 3.2-5-errata/amd64/ Packages [19,6 kB]
Es wurden 65,5 kB in 1 s geholt (33,0 kB/s)
Paketlisten werden gelesen...
Paketlisten werden gelesen...
Abhängigkeitsbaum wird aufgebaut...
Statusinformationen werden eingelesen...
Die folgenden Pakete wurden automatisch installiert und werden nicht mehr benötigt:
  expect tcl8.5
Verwenden Sie »apt-get autoremove«, um sie zu entfernen.
Die folgenden zusätzlichen Pakete werden installiert:
  attr ldb-tools libdcerpc-server0 python-pysqlite2
  python-univention-connector-s4 samba-ad-dc samba-dsdb-modules samba4
  samba4-clients sqlite3 univention-samba4 univention-samba4-sysvol-sync
Vorgeschlagene Pakete:
  python-pysqlite2-doc python-pysqlite2-dbg samba-gtk swat2 sqlite3-doc
Die folgenden Pakete werden ENTFERNT:
  univention-samba
Die folgenden NEUEN Pakete werden installiert:
  attr ldb-tools libdcerpc-server0 python-pysqlite2
  python-univention-connector-s4 samba-ad-dc samba-dsdb-modules samba4
  samba4-clients sqlite3 univention-s4-connector univention-samba4
  univention-samba4-sysvol-sync
0 aktualisiert, 13 neu installiert, 1 zu entfernen und 38 nicht aktualisiert.
Es müssen 3328 kB an Archiven heruntergeladen werden.
Nach dieser Operation werden 16,6 MB Plattenplatz zusätzlich benutzt.
Möchten Sie fortfahren [J/n]? J
Hole:1 http://updates.software-univention.de/3.0/maintained/ 3.0-2/amd64/ attr 1:2.4.44-2.14.201207031515 [46,9 kB]
[..]
Hole:13 http://updates.software-univention.de/3.2/maintained/ 3.2-5/all/ univention-s4-connector 8.0.33-88.537.201412151702 [63,2 kB]
Vorkonfiguration der Pakete ...
Es wurden 3328 kB in 2 s geholt (1301 kB/s)
(Lese Datenbank ... 64874 Dateien und Verzeichnisse sind derzeit installiert.)
Entfernen von univention-samba ...
Multifile: /etc/samba/smb.conf
Unsetting security/packetfilter/package/univention-samba/tcp/137:139/all
Unsetting security/packetfilter/package/univention-samba/tcp/137:139/all/en
Unsetting security/packetfilter/package/univention-samba/udp/137:139/all
Unsetting security/packetfilter/package/univention-samba/udp/137:139/all/en
Unsetting security/packetfilter/package/univention-samba/udp/137/all
Unsetting security/packetfilter/package/univention-samba/tcp/445/all
Unsetting security/packetfilter/package/univention-samba/tcp/445/all/en
Unsetting security/packetfilter/package/univention-samba/udp/445/all
Unsetting security/packetfilter/package/univention-samba/udp/445/all/en
File: /etc/security/packetfilter.d/10_univention-firewall_start.sh
File: /etc/security/packetfilter.d/80_univention-firewall_policy.sh
Stopping Univention iptables configuration::.
Starting Univention iptables configuration::.
Unsetting samba/share/home
Unsetting samba/share/groups
Unsetting samba/adminusers
Unsetting samba/debug/level
Unsetting samba/os/level
Unsetting samba/profileserver
Unsetting samba/profilepath
Unsetting samba/homedirserver
Unsetting samba/homedirpath
Unsetting samba/homedirletter
Unsetting samba/script/adduser
Unsetting samba/script/deleteuser
Unsetting samba/script/addgroup
Unsetting samba/script/deletegroup
Unsetting samba/script/addusertogroup
Unsetting samba/script/deleteuserfromgroup
Unsetting samba/script/addmachine
Unsetting samba/script/setprimarygroup
Unsetting samba/script/postusermodify
Unsetting samba/winbind/nested/groups
Unsetting samba/encrypt_passwords
Unsetting samba/use_spnego
Unsetting samba/client_use_spnego
Unsetting samba/oplocks
Unsetting samba/kernel_oplocks
Unsetting samba/large_readwrite
Unsetting samba/deadtime
Unsetting samba/read_raw
Unsetting samba/write_raw
Unsetting samba/max_xmit
Unsetting samba/max_open_files
Unsetting samba/max/protocol
Unsetting samba/getwd_cache
Unsetting samba/store_dos_attributes
Unsetting samba/preserve_case
Unsetting samba/short_preserve_case
Unsetting samba/time_server
Unsetting samba/guest_account
Unsetting samba/map_to_guest
Unsetting samba/netlogon/sync
Unsetting samba/domain/logons
Unsetting samba/password/checkscript
Unsetting windows/wins-support
Unsetting samba/role
Restarting univention-directory-listener daemon.
ok: run: univention-directory-listener: (pid 2759) 0s, normally down
done.
Trigger für univention-config werden verarbeitet ...
Kein Paket gefunden, das auf ldapacl_66univention-appcenter_app.acl passt.
Vormals abgewähltes Paket attr wird gewählt.
(Lese Datenbank ... 64839 Dateien und Verzeichnisse sind derzeit installiert.)
Entpacken von attr (aus .../attr_1%3a2.4.44-2.14.201207031515_amd64.deb) ...
Vormals abgewähltes Paket ldb-tools wird gewählt.
Entpacken von ldb-tools (aus .../ldb-tools_1%3a1.1.16-1.44.201308081854_amd64.deb) ...
Vormals abgewähltes Paket libdcerpc-server0 wird gewählt.
Entpacken von libdcerpc-server0 (aus .../libdcerpc-server0_2%3a4.1.0-1.722.201502181223_amd64.deb) ...
Vormals abgewähltes Paket python-pysqlite2 wird gewählt.
Entpacken von python-pysqlite2 (aus .../python-pysqlite2_2.6.0-1.6.201201310837_amd64.deb) ...
Vormals abgewähltes Paket python-univention-connector-s4 wird gewählt.
Entpacken von python-univention-connector-s4 (aus .../python-univention-connector-s4_8.0.33-88.537.201412151702_all.deb) ...
Vormals abgewähltes Paket samba-dsdb-modules wird gewählt.
Entpacken von samba-dsdb-modules (aus .../samba-dsdb-modules_2%3a4.1.0-1.722.201502181223_amd64.deb) ...
Vormals abgewähltes Paket samba-ad-dc wird gewählt.
Entpacken von samba-ad-dc (aus .../samba-ad-dc_2%3a4.1.0-1.722.201502181223_amd64.deb) ...
Vormals abgewähltes Paket samba4 wird gewählt.
Entpacken von samba4 (aus .../samba4_2%3a4.1.0-1.722.201502181223_amd64.deb) ...
Vormals abgewähltes Paket samba4-clients wird gewählt.
Entpacken von samba4-clients (aus .../samba4-clients_2%3a4.1.0-1.722.201502181223_amd64.deb) ...
Vormals abgewähltes Paket sqlite3 wird gewählt.
Entpacken von sqlite3 (aus .../sqlite3_3.7.3-1.14.201201310833_amd64.deb) ...
Vormals abgewähltes Paket univention-samba4-sysvol-sync wird gewählt.
Entpacken von univention-samba4-sysvol-sync (aus .../univention-samba4-sysvol-sync_3.0.39-35.591.201408281245_all.deb) ...
Vormals abgewähltes Paket univention-samba4 wird gewählt.
Entpacken von univention-samba4 (aus .../univention-samba4_3.0.39-35.591.201408281245_amd64.deb) ...
Vormals abgewähltes Paket univention-s4-connector wird gewählt.
Entpacken von univention-s4-connector (aus .../univention-s4-connector_8.0.33-88.537.201412151702_all.deb) ...
Trigger für man-db werden verarbeitet ...
Trigger für univention-config werden verarbeitet ...
Kein Paket gefunden, das auf ldapacl_66univention-appcenter_app.acl passt.
attr (1:2.4.44-2.14.201207031515) wird eingerichtet ...
ldb-tools (1:1.1.16-1.44.201308081854) wird eingerichtet ...
libdcerpc-server0 (2:4.1.0-1.722.201502181223) wird eingerichtet ...
python-pysqlite2 (2.6.0-1.6.201201310837) wird eingerichtet ...
samba-dsdb-modules (2:4.1.0-1.722.201502181223) wird eingerichtet ...
samba-ad-dc (2:4.1.0-1.722.201502181223) wird eingerichtet ...
samba4 (2:4.1.0-1.722.201502181223) wird eingerichtet ...
samba4-clients (2:4.1.0-1.722.201502181223) wird eingerichtet ...
sqlite3 (3.7.3-1.14.201201310833) wird eingerichtet ...
univention-samba4-sysvol-sync (3.0.39-35.591.201408281245) wird eingerichtet ...
File: /etc/cron.d/sysvol-cleanup
File: /etc/cron.d/sysvol-sync
Create samba4/sysvol/cleanup/cron
File: /etc/cron.d/sysvol-cleanup
univention-samba4 (3.0.39-35.591.201408281245) wird eingerichtet ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/logrotate.d/winbind wird installiert ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/logrotate.d/samba wird installiert ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/pam.d/samba wird installiert ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc wird installiert ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/samba/smb.conf.d/51univention-samba_domain wird installiert ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/samba/smb.conf.d/31univention-samba_password wird installiert ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/samba/smb.conf.d/92univention-samba_shares wird installiert ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/samba/smb.conf.d/71univention-samba_users wird installiert ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/samba/smb.conf.d/41univention-samba_printing wird installiert ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/samba/smb.conf.d/91univention-samba_shares wird installiert ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/samba/smb.conf.d/99univention-samba_local_shares wird installiert ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/samba/smb.conf.d/21univention-samba_winbind wird installiert ...
Neue Version der Konfigurationsdatei /etc/univention/templates/files/etc/samba/base.conf wird installiert ...
File: /etc/logrotate.d/univention-samba4
File: /etc/pam.d/samba
File: /etc/cron.d/univention-samba4-backup
File: /etc/logrotate.d/winbind
File: /etc/logrotate.d/samba
File: /etc/samba/base.conf
Multifile: /etc/samba/smb.conf
dpkg-statoverride: Ein Override für »/var/log/samba« existiert bereits, Abbruch.
Create samba/share/home
Create samba/share/groups
Create samba/adminusers
Create samba/encrypt_passwords
Create samba/use_spnego
Create samba/oplocks
Create samba/kernel_oplocks
Create samba/large_readwrite
Create samba/deadtime
Create samba/read_raw
Create samba/write_raw
Create samba/max_xmit
Create samba/max_open_files
Create samba/getwd_cache
Create samba/store_dos_attributes
Create samba/preserve_case
Create samba/short_preserve_case
Create samba/guest_account
Create samba/map_to_guest
Create samba/max/protocol
Create samba/enable-msdfs
Not updating samba/acl/allow/execute/always
File: /etc/samba/base.conf
Multifile: /etc/samba/smb.conf
Create samba/profileserver
Create samba/profilepath
Create samba/homedirserver
Create samba/homedirpath
Create samba/homedirletter
Multifile: /etc/samba/smb.conf
Create samba/debug/level
Create samba4/sysvol/sync/jitter
Create samba4/service/smb
Create samba4/service/nmb
Not updating samba4/ntacl/backend
Create samba4/sysvol/sync/setfacl/AU
Create samba4/backup/cron
File: /etc/samba/base.conf
File: /etc/cron.d/sysvol-sync
File: /etc/cron.d/univention-samba4-backup
Multifile: /etc/samba/smb.conf
Create security/packetfilter/package/univention-samba4/tcp/389/all
Create security/packetfilter/package/univention-samba4/tcp/389/all/en
Create security/packetfilter/package/univention-samba4/udp/389/all
Create security/packetfilter/package/univention-samba4/udp/389/all/en
Create security/packetfilter/package/univention-samba4/tcp/636/all
Create security/packetfilter/package/univention-samba4/tcp/636/all/en
Create security/packetfilter/package/univention-samba4/tcp/53/all
Create security/packetfilter/package/univention-samba4/tcp/53/all/en
Create security/packetfilter/package/univention-samba4/udp/53/all
Create security/packetfilter/package/univention-samba4/udp/53/all/en
Create security/packetfilter/package/univention-samba4/udp/123/all
Create security/packetfilter/package/univention-samba4/udp/123/all/en
Create security/packetfilter/package/univention-samba4/tcp/135/all
Create security/packetfilter/package/univention-samba4/tcp/135/all/en
Create security/packetfilter/package/univention-samba4/tcp/137:139/all
Create security/packetfilter/package/univention-samba4/tcp/137:139/all/en
Create security/packetfilter/package/univention-samba4/udp/137:139/all
Create security/packetfilter/package/univention-samba4/udp/137:139/all/en
Create security/packetfilter/package/univention-samba4/tcp/445/all
Create security/packetfilter/package/univention-samba4/tcp/445/all/en
Create security/packetfilter/package/univention-samba4/udp/445/all
Create security/packetfilter/package/univention-samba4/udp/445/all/en
Create security/packetfilter/package/univention-samba4/tcp/1024/all
Create security/packetfilter/package/univention-samba4/tcp/1024/all/en
Create security/packetfilter/package/univention-samba4/tcp/3268/all
Create security/packetfilter/package/univention-samba4/tcp/3268/all/en
Create security/packetfilter/package/univention-samba4/tcp/3269/all
Create security/packetfilter/package/univention-samba4/tcp/3269/all/en
Create security/packetfilter/package/univention-samba4/tcp/88/all
Create security/packetfilter/package/univention-samba4/tcp/88/all/en
Create security/packetfilter/package/univention-samba4/udp/88/all
Create security/packetfilter/package/univention-samba4/udp/88/all/en
Create security/packetfilter/package/univention-samba4/tcp/464/all
Create security/packetfilter/package/univention-samba4/tcp/464/all/en
Create security/packetfilter/package/univention-samba4/udp/464/all
Create security/packetfilter/package/univention-samba4/udp/464/all/en
Create security/packetfilter/package/univention-samba4/tcp/749/all
Create security/packetfilter/package/univention-samba4/tcp/749/all/en
File: /etc/security/packetfilter.d/10_univention-firewall_start.sh
File: /etc/security/packetfilter.d/80_univention-firewall_policy.sh
Stopping Univention iptables configuration::.
Starting Univention iptables configuration::.
Create samba4/autostart
Multifile: /etc/samba/smb.conf
Create samba/domain/master
Multifile: /etc/samba/smb.conf
Stopping NTP server: ntpd.
Starting NTP server: ntpd.
Restarting univention-directory-listener daemon.
ok: run: univention-directory-listener: (pid 3523) 1s, normally down
done.
Calling joinscript 96univention-samba4.inst ...
WARNING: It is not possible to install a samba 4 domaincontroller 
         into a samba 3 environment. samba4/ignore/mixsetup is true.
         Continue as requested
Traceback (most recent call last):
  File "<string>", line 2, in <module>
ImportError: No module named univention.lib.admember
Create samba4/role
File: /etc/samba/base.conf
Multifile: /etc/samba/smb.conf
Multifile: /etc/samba/smb.conf
Setting samba/quota/command
Multifile: /etc/samba/smb.conf
Stopping Samba daemons: nmbd smbd.
Stopping Heimdal password server: kpasswdd.
Stopping Heimdal KDC: heimdal-kdc.
Setting samba/autostart
Create winbind/autostart
Setting kerberos/autostart
Multifile: /etc/samba/smb.conf
Setting samba4/autostart
Multifile: /etc/samba/smb.conf
Create samba4/ldap/base
Multifile: /etc/samba/smb.conf
Object created: cn=Builtin,dc=gfm,dc=local
Object created: cn=Authenticated Users,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Authenticated Users,cn=Builtin,dc=gfm,dc=local"

Object modified: cn=Authenticated Users,cn=Builtin,dc=gfm,dc=local
Object created: cn=World Authority,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=World Authority,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Everyone,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Everyone,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Null Authority,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Null Authority,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Nobody,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Nobody,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Enterprise Domain Controllers,cn=groups,dc=gfm,dc=local
modifying entry "cn=Enterprise Domain Controllers,cn=groups,dc=gfm,dc=local"

Object modified: cn=Enterprise Domain Controllers,cn=groups,dc=gfm,dc=local
Object created: cn=Remote Interactive Logon,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Remote Interactive Logon,cn=Builtin,dc=gfm,dc=local"

Object created: cn=SChannel Authentication,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=SChannel Authentication,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Digest Authentication,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Digest Authentication,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Terminal Server User,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Terminal Server User,cn=Builtin,dc=gfm,dc=local"

Object created: cn=NTLM Authentication,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=NTLM Authentication,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Other Organization,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Other Organization,cn=Builtin,dc=gfm,dc=local"

Object created: cn=This Organization,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=This Organization,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Anonymous Logon,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Anonymous Logon,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Network Service,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Network Service,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Creator Group,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Creator Group,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Creator Owner,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Creator Owner,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Local Service,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Local Service,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Owner Rights,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Owner Rights,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Interactive,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Interactive,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Restricted,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Restricted,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Network,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Network,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Service,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Service,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Dialup,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Dialup,cn=Builtin,dc=gfm,dc=local"

Object created: cn=System,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=System,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Batch,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Batch,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Proxy,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Proxy,cn=Builtin,dc=gfm,dc=local"

Object created: cn=IUSR,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=IUSR,cn=Builtin,dc=gfm,dc=local"

Object created: cn=Self,cn=Builtin,dc=gfm,dc=local
modifying entry "cn=Self,cn=Builtin,dc=gfm,dc=local"

Create samba/share/netlogon
File: /etc/samba/base.conf
Multifile: /etc/samba/smb.conf
Stopping Samba AD DC daemon: samba nmbd.
Create kerberos/kdc
Setting kerberos/kpasswdserver
File: /etc/krb5.conf
WARNING: The following Samba 3 domaincontroller have been found:
         univention1
         It is not possible to install a samba 4 domaincontroller 
         into a samba 3 environment.samba4/ignore/mixsetup is true.
         Continue as requested
Create samba4/function/level
Multifile: /etc/samba/smb.conf
Object modified: cn=Windows Hosts,cn=groups,dc=gfm,dc=local
Object modified: cn=DC Backup Hosts,cn=groups,dc=gfm,dc=local
Object modified: cn=DC Slave Hosts,cn=groups,dc=gfm,dc=local
Object modified: cn=Computers,cn=groups,dc=gfm,dc=local
E: DN is missing
UPN: None
Reading smb.conf
WARNING: The "idmap backend" option is deprecated
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
WARNING: The "use spnego" option is deprecated
lp_int(): value is NULL or empty!
lp_bool(): value is NULL or empty!
WARNING: No path in service IPC$ - making it unavailable!
NOTE: Service IPC$ is flagged unavailable.
Provisioning
Exporting account policy
Exporting groups
GROUP 'Domain Admins'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-512'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'Domain Admins' S-1-5-21-2657495056-2441450391-3094810640-512 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'Domain Users'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-513'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'Domain Users' S-1-5-21-2657495056-2441450391-3094810640-513 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'Domain Guests'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-514'
GROUP 'Windows Hosts'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-11011'
GROUP 'DC Backup Hosts'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-11012'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'DC Backup Hosts' S-1-5-21-2657495056-2441450391-3094810640-11012 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'DC Slave Hosts'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-11013'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'DC Slave Hosts' S-1-5-21-2657495056-2441450391-3094810640-11013 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'Computers'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-11015'
GROUP 'Printer-Admins'
GROUP SID 'S-1-5-32-550'
Ignoring group 'Printer-Admins' S-1-5-32-550 listed but then not found: Unable to enumerate members for alias, (-1073741487,NT_STATUS_NO_SUCH_ALIAS)
GROUP 'Backup Join'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-11017'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'Backup Join' S-1-5-21-2657495056-2441450391-3094810640-11017 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'Slave Join'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-11019'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'Slave Join' S-1-5-21-2657495056-2441450391-3094810640-11019 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'alenia'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-2001'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'alenia' S-1-5-21-2657495056-2441450391-3094810640-2001 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'av'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1311'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'av' S-1-5-21-2657495056-2441450391-3094810640-1311 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'bh'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1251'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'bh' S-1-5-21-2657495056-2441450391-3094810640-1251 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'edv'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1231'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'edv' S-1-5-21-2657495056-2441450391-3094810640-1231 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'ekf'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1291'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'ekf' S-1-5-21-2657495056-2441450391-3094810640-1291 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'emont'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1371'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'emont' S-1-5-21-2657495056-2441450391-3094810640-1371 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'emont_l'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1373'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'emont_l' S-1-5-21-2657495056-2441450391-3094810640-1373 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'gf'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1221'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'gf' S-1-5-21-2657495056-2441450391-3094810640-1221 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'kb'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1261'
Inconsistent SAM -- group member uid not in our domain
[..]
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1361'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'mont' S-1-5-21-2657495056-2441450391-3094810640-1361 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'pp'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1511'
GROUP 'pur'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1441'
GROUP 'sal'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1451'
GROUP 'tec'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1281'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'tec' S-1-5-21-2657495056-2441450391-3094810640-1281 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'users'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1201'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'users' S-1-5-21-2657495056-2441450391-3094810640-1201 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'vkf'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-1301'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'vkf' S-1-5-21-2657495056-2441450391-3094810640-1301 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'vkfl'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-3003'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'vkfl' S-1-5-21-2657495056-2441450391-3094810640-3003 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)
GROUP 'Authenticated Users'
GROUP SID 'S-1-5-11'
Ignoring 'well known' group 'Authenticated Users' (should already be in AD, and have no members)
GROUP 'World Authority'
GROUP SID 'S-1-1'
FAILED to get SID/rid
GROUP 'Everyone'
GROUP SID 'S-1-1-0'
Ignoring 'well known' group 'Everyone' (should already be in AD, and have no members)
GROUP 'Null Authority'
GROUP SID 'S-1-0'
FAILED to get SID/rid
GROUP 'Nobody'
GROUP SID 'S-1-0-0'
Ignoring 'well known' group 'Nobody' (should already be in AD, and have no members)
GROUP 'Enterprise Domain Controllers'
GROUP SID 'S-1-5-9'
Ignoring 'well known' group 'Enterprise Domain Controllers' (should already be in AD, and have no members)
GROUP 'Remote Interactive Logon'
GROUP SID 'S-1-5-14'
Ignoring 'well known' group 'Remote Interactive Logon' (should already be in AD, and have no members)
GROUP 'SChannel Authentication'
GROUP SID 'S-1-5-64-14'
Ignoring 'well known' group 'SChannel Authentication' (should already be in AD, and have no members)
GROUP 'Digest Authentication'
GROUP SID 'S-1-5-64-21'
Ignoring 'well known' group 'Digest Authentication' (should already be in AD, and have no members)
GROUP 'Terminal Server User'
GROUP SID 'S-1-5-13'
Ignoring 'well known' group 'Terminal Server User' (should already be in AD, and have no members)
GROUP 'NTLM Authentication'
GROUP SID 'S-1-5-64-10'
Ignoring 'well known' group 'NTLM Authentication' (should already be in AD, and have no members)
GROUP 'Other Organization'
GROUP SID 'S-1-5-1000'
Ignoring 'well known' group 'Other Organization' (should already be in AD, and have no members)
GROUP 'This Organization'
GROUP SID 'S-1-5-15'
Ignoring 'well known' group 'This Organization' (should already be in AD, and have no members)
GROUP 'Anonymous Logon'
GROUP SID 'S-1-5-7'
Ignoring 'well known' group 'Anonymous Logon' (should already be in AD, and have no members)
GROUP 'Network Service'
GROUP SID 'S-1-5-20'
Ignoring 'well known' group 'Network Service' (should already be in AD, and have no members)
GROUP 'Creator Group'
GROUP SID 'S-1-3-1'
Ignoring 'well known' group 'Creator Group' (should already be in AD, and have no members)
GROUP 'Creator Owner'
GROUP SID 'S-1-3-0'
Ignoring 'well known' group 'Creator Owner' (should already be in AD, and have no members)
GROUP 'Local Service'
GROUP SID 'S-1-5-19'
Ignoring 'well known' group 'Local Service' (should already be in AD, and have no members)
GROUP 'Owner Rights'
GROUP SID 'S-1-3-4'
Ignoring 'well known' group 'Owner Rights' (should already be in AD, and have no members)
GROUP 'Interactive'
GROUP SID 'S-1-5-4'
Ignoring 'well known' group 'Interactive' (should already be in AD, and have no members)
GROUP 'Restricted'
GROUP SID 'S-1-5-12'
Ignoring 'well known' group 'Restricted' (should already be in AD, and have no members)
GROUP 'Network'
GROUP SID 'S-1-5-2'
Ignoring 'well known' group 'Network' (should already be in AD, and have no members)
GROUP 'Service'
GROUP SID 'S-1-5-6'
Ignoring 'well known' group 'Service' (should already be in AD, and have no members)
GROUP 'Dialup'
GROUP SID 'S-1-5-1'
Ignoring 'well known' group 'Dialup' (should already be in AD, and have no members)
GROUP 'System'
GROUP SID 'S-1-5-18'
Ignoring 'well known' group 'System' (should already be in AD, and have no members)
GROUP 'Batch'
GROUP SID 'S-1-5-3'
Ignoring 'well known' group 'Batch' (should already be in AD, and have no members)
GROUP 'Proxy'
GROUP SID 'S-1-5-8'
Ignoring 'well known' group 'Proxy' (should already be in AD, and have no members)
GROUP 'IUSR'
GROUP SID 'S-1-5-17'
Ignoring 'well known' group 'IUSR' (should already be in AD, and have no members)
GROUP 'Self'
GROUP SID 'S-1-5-10'
Ignoring 'well known' group 'Self' (should already be in AD, and have no members)
Exporting users
sid S-1-5-21-2657495056-2441450391-3094810640-5002 does not belong to our domain
sid S-1-5-21-2657495056-2441450391-3094810640-500 does not belong to our domain
sid S-1-5-21-2657495056-2441450391-3094810640-5006 does not belong to our domain
[..]
sid S-1-5-21-2657495056-2441450391-3094810640-1896 does not belong to our domain
sid S-1-5-21-2657495056-2441450391-3094810640-1898 does not belong to our domain
sid S-1-5-21-2657495056-2441450391-3094810640-3070 does not belong to our domain
Next rid = 1000
Failed to connect to ldap URL 'ldap://univention1.gfm.local:7389' - LDAP client internal error: NT_STATUS_BAD_NETWORK_NAME
Failed to connect to 'ldap://univention1.gfm.local:7389' with backend 'ldap': (null)
Could not open ldb connection to ldap://univention1.gfm.local:7389, the error message is: (1, None)
Trying to dig.
ERROR(<type 'exceptions.NameError'>): uncaught exception - global name 'ProvisiongError' is not defined
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/domain.py", line 1399, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs, no_upn=no_upn)
  File "/usr/lib/python2.6/dist-packages/samba/upgrade.py", line 853, in upgrade_from_samba3
    raise ProvisiongError("Could not open ldb connection to %s, the error message is: %s" % (url, e))
ERR: (No such object) "ldb_wait: No such object (32)" on DN flatname=GFM,cn=Primary Domains at block before line 8
Modify failed after processing 0 records
ERROR: Failed to set password for user 'univention1$': (34, "ldb_search: invalid basedn '(null)'")
ERROR: Failed to set password for user 'Administrator': (34, "ldb_search: invalid basedn '(null)'")
cp: Aufruf von stat für „/var/lib/samba/private/phpldapadmin-config.php“ nicht möglich: Datei oder Verzeichnis nicht gefunden
Setting slapd/port
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Setting slapd/port/ldaps
File: /etc/init.d/slapd
Multifile: /etc/ldap/slapd.conf
Setting ldap/server/port
File: /etc/pam.d/smtp
Multifile: /etc/postfix/ldap.virtualwithcanonical
File: /etc/pam_ldap.conf
File: /etc/runit/univention-directory-listener/run
Multifile: /etc/postfix/ldap.virtual
Multifile: /etc/postfix/ldap.canonicalrecipient
Multifile: /etc/postfix/ldap.transport
File: /etc/libnss-ldap.conf
File: /etc/postgresql/pam_ldap.conf
Multifile: /etc/postfix/ldap.virtualdomains
Multifile: /etc/postfix/ldap.distlist
Multifile: /etc/postfix/ldap.groups
Multifile: /etc/postfix/ldap.sharedfolderlocal
Multifile: /etc/postfix/master.cf
Multifile: /etc/postfix/main.cf
Multifile: /etc/postfix/ldap.sharedfolderremote
Multifile: /etc/postfix/ldap.canonicalsender
File: /etc/ldap/ldap.conf
Setting ldap/master/port
File: /etc/ntp.conf
Multifile: /etc/ldap/slapd.conf
File: /etc/default/ntpdate
File: /etc/nagios/nrpe.cfg
Restarting ldap server(s).
Stopping ldap server(s): slapd ...done.
Check database: ...done.
Starting ldap server(s): slapd ...done.
Checking Schema ID: ...done.
Restarting univention-directory-listener daemon.
ok: run: univention-directory-listener: (pid 4951) 1s, normally down
done.
Restarting Univention Management Console Server.
done.
Create windows/wins-support
Not updating windows/wins-server
Multifile: /etc/samba/smb.conf
ERR: (No such object) "ldb_wait: No such object (32)" on DN flatname=GFM,cn=Primary Domains at block before line 5
Modify failed after processing 0 records
ERR: (No such object) "ldb_wait: No such object (32)" on DN flatname=GFM,cn=Primary Domains at block before line 5
Modify failed after processing 0 records
restore_rIDNextRID: Attribute rIDSetReferences not found
ERROR(runtime): uncaught exception - samdb_domain_sid failed
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.6/dist-packages/samba/netcmd/ntacl.py", line 189, in run
    domain_sid = security.dom_sid(samdb.domain_sid)
  File "/usr/lib/python2.6/dist-packages/samba/samdb.py", line 550, in get_domain_sid
    return dsdb._samdb_get_domain_sid(self)
Samba4 does not seem to be provisioned, exiting /usr/share/univention-samba4/scripts/setup-dns-in-ucsldap.sh
univention1.gfm.local port 7389 is not offering the Service 'Samba 4'
Information provided is not sufficient.
ERR: (No such object) "ldb_wait: No such object (32)" on DN CN=univention1,OU=Domain Controllers,DC=GFM,DC=LOCAL at block before line 7
Modify failed after processing 0 records
Starting Samba AD DC daemon: samba nmbd.
Create samba4/sysvol/sync/cron
File: /etc/cron.d/sysvol-sync
Multifile: /etc/samba/smb.conf
Object modified: zoneName=gfm.local,cn=dns,dc=gfm,dc=local
ERR: (No such object) "ldb_wait: No such object (32)" on DN flatname=GFM,cn=Primary Domains at block before line 5
Modify failed after processing 0 records
ERR: (No such object) "ldb_wait: No such object (32)" on DN flatname=GFM,cn=Primary Domains at block before line 5
Modify failed after processing 0 records
Object exists: cn=univention1.gfm.local,cn=shares,dc=gfm,dc=local
No modification: cn=univention1.gfm.local,cn=shares,dc=gfm,dc=local
Stopping Samba AD DC daemon: samba nmbd.
Starting Samba AD DC daemon: samba nmbd.
WARNING: Failed to search for S4 connector DC
Object exists: cn=services,cn=univention,dc=gfm,dc=local
Object created: cn=Samba 4,cn=services,cn=univention,dc=gfm,dc=local
Object modified: cn=univention1,cn=dc,cn=computers,dc=gfm,dc=local
Joinscript 96univention-samba4.inst finished with exitcode 0
Trigger für python-central werden verarbeitet ...
python-univention-connector-s4 (8.0.33-88.537.201412151702) wird eingerichtet ...
univention-s4-connector (8.0.33-88.537.201412151702) wird eingerichtet ...
File: /etc/logrotate.d/univention-s4-connector
Create connector/s4/listener/dir
Create connector/s4/poll/sleep
Create connector/s4/retryrejected
Create connector/s4/ldap/port
Create connector/s4/ldap/ssl
Create connector/debug/function
Create connector/debug/level
Create connector/ad/mapping/group/language
Create connector/s4/mapping/syncmode
Create connector/s4/mapping/sid
Create connector/s4/mapping/gpo
Create connector/s4/mapping/user/ignorelist
Not updating connector/s4/mapping/group/grouptype
Create connector/s4/mapping/group/ignorelist
Create connector/s4/mapping/group/table/Printer-Admins
Create connector/s4/mapping/container/ignorelist
Create connector/s4/mapping/dns/ignorelist
Restarting univention-directory-listener daemon.
ok: run: univention-directory-listener: (pid 5438) 0s, normally down
done.
Calling joinscript 97univention-s4-connector.inst ...
Traceback (most recent call last):
  File "<string>", line 2, in <module>
ImportError: No module named univention.lib.admember
Create connector/s4/ldap/host
Create connector/s4/ldap/base
Not updating connector/s4/ldap/ssl
Create connector/s4/mapping/group/language
Create connector/s4/ldap/protocol
Create connector/s4/ldap/socket
Object created: cn=gPLink,cn=custom attributes,cn=univention,dc=gfm,dc=local
Object exists: cn=Builtin,dc=gfm,dc=local
Object created: cn=System,dc=gfm,dc=local
Object created: cn=Policies,cn=System,dc=gfm,dc=local
Object created: ou=Domain Controllers,dc=gfm,dc=local
Object created: cn=WMIPolicy,cn=System,dc=gfm,dc=local
Object created: cn=SOM,cn=WMIPolicy,cn=System,dc=gfm,dc=local
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/pymodules/python2.6/univention/lib/ldap_extension.py", line 8, in <module>
    import univention.debug as ud
ImportError: No module named univention.debug
Joinscript 97univention-s4-connector.inst finished with exitcode 1
Stopping univention-s4-connector daemon.
failed.
Starting univention-s4-connector daemon.
done.
Trigger für python-support werden verarbeitet ...
Cannot find service-record of _pkgdb._tcp.
No DB-Server-Name found.
root@univention1:~# tail -f /var/log/univention/join.log 
ERROR
ucs_registerLDAPExtension: registraton of /usr/share/univention-s4-connector/ldap/msgpo.schema failed.
EXITCODE=1
RUNNING 98univention-samba4-dns.inst
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1

Fre Mai  8 09:19:29 CEST 2015
univention-run-join-scripts finished

^C
root@univention1:~# 
root@univention1:~# less /var/log/univention/join.log 
root@univention1:~# tail -f /var/log/univention/join.log 
ERROR
ucs_registerLDAPExtension: registraton of /usr/share/univention-s4-connector/ldap/msgpo.schema failed.
EXITCODE=1
RUNNING 98univention-samba4-dns.inst
Samba4 backend database not available yet, exiting joinscript 98univention-samba4-dns.
EXITCODE=1

Fre Mai  8 09:19:29 CEST 2015
univention-run-join-scripts finished


univention-run-join-scripts started
Fre Mai  8 10:36:59 CEST 2015

RUNNING 97univention-s4-connector.inst
Not updating connector/s4/ldap/host
Not updating connector/s4/ldap/base
Not updating connector/s4/ldap/ssl
Not updating connector/s4/mapping/group/language
Not updating connector/s4/ldap/protocol
Not updating connector/s4/ldap/socket
Object exists: cn=gPLink,cn=custom attributes,cn=univention,dc=gfm,dc=local
Object exists: cn=Builtin,dc=gfm,dc=local
Object exists: cn=System,dc=gfm,dc=local
Object exists: cn=Policies,cn=System,dc=gfm,dc=local
Object exists: ou=Domain Controllers,dc=gfm,dc=local
Object exists: cn=WMIPolicy,cn=System,dc=gfm,dc=local
Object exists: cn=SOM,cn=WMIPolicy,cn=System,dc=gfm,dc=local
Object exists: cn=ldapschema,cn=univention,dc=gfm,dc=local
INFO: No change of core data of object msgpo.
INFO: No change of core data of object mswmi.
Object exists: cn=udm_module,cn=univention,dc=gfm,dc=local
INFO: No change of core data of object container/msgpo.
No modification: cn=msgpo,cn=ldapschema,cn=univention,dc=gfm,dc=local

No modification: cn=mswmi,cn=ldapschema,cn=univention,dc=gfm,dc=local

No modification: cn=container/msgpo,cn=udm_module,cn=univention,dc=gfm,dc=local

Waiting for activation of the extension object msgpo:........................................................ERROR: Master did not mark the extension object active within 180 seconds.
ERROR
ucs_registerLDAPExtension: registraton of /usr/share/univention-s4-connector/ldap/msgpo.schema failed.
EXITCODE=1

Fre Mai  8 10:40:02 CEST 2015
univention-run-join-scripts finished

With that I have pretty much wrecked the UCS - the LDAP service no longer starts.

In general I can only advise you to make a backup before any further changes you make now, and perhaps to consider beforehand whether you should abort the attempt and restore the server from a backup. On the next migration attempt you could then choose the method with two separate servers, which is also described in the wiki.

Are you sure that the LDAP server no longer starts? During an update from Samba 3 to Samba 4, the UCS LDAP server is switched to listen on port 7389 instead of 389, because port 389 is then taken by the LDAP server built into Samba 4.

Do commands such as »univention-ldapsearch« or »univention-ldapsearch -p 7389 -h localhost« work? Does »lsof -Pni | grep 'slapd.*LISTEN'« show port 7389?

If not: try starting the LDAP server with »service slapd«. If that does not work, please look in /var/log/syslog for the error messages slapd produces there.

Furthermore, because of this switch, the other services that connect directly to the LDAP server naturally also need their configuration updated, first and foremost the bind nameserver. However, that does not seem to have happened; at least I see no indication in your log that files in /etc/bind were regenerated. You can trigger that for all configuration files with »ucr commit«. Afterwards the services also have to be restarted; a reboot would do as well, but I am not sure whether that would be wise at this point.

So if you generally want to keep trying, I would roughly proceed as follows:

1. Make sure the LDAP server really is running on port 7389
2. Have the configuration files rebuilt and restart the associated services, first and foremost the bind nameserver
3. Run the join scripts again
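Step 1 of the procedure above (confirm that slapd has moved to 7389 and that Samba 4 holds 389) can be checked mechanically. The following is an added example, not code from Univention or from anyone in this thread: it parses the output of the `lsof -Pni` command mentioned in the reply and compares the port owners against the layout the reply describes. The sample listings are constructed; `collect_listeners()` with no argument runs `lsof` live and assumes it is installed, as on the UCS host here.

```python
"""
Check which daemon listens on the LDAP ports after a UCS Samba 4 install.

Expected state after the migration (from the reply above): the UCS slapd
listens on 7389 and Samba 4's built-in LDAP server listens on 389.
"""
import subprocess

# Constructed sample of `lsof -Pni` output for the healthy post-migration state
SAMPLE_LSOF = """\
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
slapd    4951 openldap    8u  IPv4  31337      0t0  TCP *:7389 (LISTEN)
slapd    4951 openldap    9u  IPv6  31338      0t0  TCP [::]:7389 (LISTEN)
samba    5512     root   25u  IPv4  40001      0t0  TCP *:389 (LISTEN)
samba    5512     root   27u  IPv4  40003      0t0  TCP *:88 (LISTEN)
"""

# Constructed sample of the broken state: slapd never moved, nothing on 7389
SAMPLE_LSOF_STALE = """\
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
slapd    4951 openldap    8u  IPv4  31337      0t0  TCP *:389 (LISTEN)
"""

# port -> command name that should own it on a UCS DC running Samba 4
EXPECTED = {389: "samba", 7389: "slapd"}


def parse_lsof(text):
    """Map each TCP listening port to the set of command names holding it."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        # a listening TCP socket line ends with "... TCP <addr>:<port> (LISTEN)"
        if len(fields) < 10 or fields[-1] != "(LISTEN)" or fields[-3] != "TCP":
            continue
        port = int(fields[-2].rsplit(":", 1)[1])   # works for *:7389 and [::]:7389
        listeners.setdefault(port, set()).add(fields[0])
    return listeners


def collect_listeners(text=None):
    """Parse the given lsof output, or run `lsof -Pni` on this host if None."""
    if text is None:
        proc = subprocess.run(["lsof", "-Pni"], capture_output=True,
                              text=True, check=False)
        text = proc.stdout
    return parse_lsof(text)


def check_ldap_ports(listeners):
    """Return a list of problems; an empty list means the expected layout is in place."""
    problems = []
    for port, daemon in EXPECTED.items():
        holders = listeners.get(port, set())
        if not holders:
            problems.append(f"nothing listens on {port} (expected {daemon})")
        elif daemon not in holders:
            problems.append(f"port {port} is held by {', '.join(sorted(holders))}, "
                            f"expected {daemon}")
    return problems


if __name__ == "__main__":
    for label, sample in (("healthy", SAMPLE_LSOF), ("stale", SAMPLE_LSOF_STALE)):
        print(label, check_ldap_ports(collect_listeners(sample)) or "ok")
```

On the host itself, `check_ldap_ports(collect_listeners())` gives the live verdict; if it reports slapd still on 389, the `ucr commit` and service restarts from steps 2 and 3 have not taken effect yet.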

OK, sorry for my unclear wording.

This is a test system. It is not a disaster that it went wrong.
Returning to the original system is not a problem either - there is a snapshot.

I would just like to know what I can do so that it works next time.

I am fairly sure that slapd is not running:

root@univention1:~# /etc/init.d/slapd start
Check database: ...done.
Starting ldap server(s): slapd ...failed.
5550b52b /etc/ldap/slapd.conf: line 47: <suffix> invalid DN 21 (Invalid syntax) slapschema: bad configuration file!.
root@univention1:~# 
root@univention1:~# 
root@univention1:~# univention-ldapsearch 
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)
ldap_start_tls: Can't contact LDAP server (-1)

The problematic line 47 is:
suffix "dc=gfm,dc=local"

Here is the whole file:

root@univention1:~# cat /etc/ldap/slapd.conf 
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry überschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
# 
# 	/etc/univention/templates/files/etc/ldap/slapd.conf.d/10univention-ldap-server_schema
# 	/etc/univention/templates/files/etc/ldap/slapd.conf.d/13univention-virtual-machine-manager_schema
# 	/etc/univention/templates/files/etc/ldap/slapd.conf.d/25univention-ldap-server_local-schema
# 	/etc/univention/templates/files/etc/ldap/slapd.conf.d/30univention-ldap-server_head
# 	/etc/univention/templates/files/etc/ldap/slapd.conf.d/40univention-ldap-server_database
# 	/etc/univention/templates/files/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master
# 	/etc/univention/templates/files/etc/ldap/slapd.conf.d/63univention-ldap-server_acl-master-password
# 	/etc/univention/templates/files/etc/ldap/slapd.conf.d/64univention-ldap-server_acl-master-admin-settings
# 	/etc/univention/templates/files/etc/ldap/slapd.conf.d/66univention-appcenter_app.acl
# 	/etc/univention/templates/files/etc/ldap/slapd.conf.d/66univention-ldap-server_acl-master-uvmm
# 	/etc/univention/templates/files/etc/ldap/slapd.conf.d/70univention-ldap-server_acl-master-end
# 






pidfile			/var/run/slapd/slapd.pid
argsfile		/var/run/slapd/slapd.args
loglevel		0
allow			bind_v2 update_anon

TLSCertificateFile	/etc/univention/ssl/univention1.gfm.local/cert.pem
TLSCertificateKeyFile	/etc/univention/ssl/univention1.gfm.local/private.key
TLSCACertificateFile	/etc/univention/ssl/ucsCA/CAcert.pem

sizelimit		400000

idletimeout		360

attributeoptions "entry-"

# database definition
modulepath	/usr/lib/ldap
moduleload	back_bdb.so


database	bdb
suffix		"dc=gfm,dc=local"


cachesize   20000
idlcachesize   20000
threads		16

limits users time.soft=-1 time.hard=-1

directory	"/var/lib/univention-ldap/ldap"
lastmod		on

This is what appears in syslog when I enter service slapd start:

May 11 16:06:48 univention1 root: /etc/init.d/slapd start (pid: 31707, ppid:31614 bash)
May 11 16:06:48 univention1 slapd[31737]: @(#) $OpenLDAP: slapd  (Mar 17 2015 11:57:33) $#012#011root@ladda:/var/build/temp/tmp.VVRYI2rUhf/pbuilder/openldap-2.4.35/debian/build/servers/slapd

After a ucr commit and a reboot the LDAP daemon runs again.

The join script for 97univention-s4-connector apparently cannot activate the GPO object:

RUNNING 97univention-s4-connector.inst
Not updating connector/s4/ldap/host
Not updating connector/s4/ldap/base
Not updating connector/s4/ldap/ssl
Not updating connector/s4/mapping/group/language
Not updating connector/s4/ldap/protocol
Not updating connector/s4/ldap/socket
Object exists: cn=gPLink,cn=custom attributes,cn=univention,dc=gfm,dc=local
Object exists: cn=Builtin,dc=gfm,dc=local
Object exists: cn=System,dc=gfm,dc=local
Object exists: cn=Policies,cn=System,dc=gfm,dc=local
Object exists: ou=Domain Controllers,dc=gfm,dc=local
Object exists: cn=WMIPolicy,cn=System,dc=gfm,dc=local
Object exists: cn=SOM,cn=WMIPolicy,cn=System,dc=gfm,dc=local
Object exists: cn=ldapschema,cn=univention,dc=gfm,dc=local
INFO: No change of core data of object msgpo.
INFO: No change of core data of object mswmi.
Object exists: cn=udm_module,cn=univention,dc=gfm,dc=local
INFO: No change of core data of object container/msgpo.
No modification: cn=msgpo,cn=ldapschema,cn=univention,dc=gfm,dc=local

No modification: cn=mswmi,cn=ldapschema,cn=univention,dc=gfm,dc=local

No modification: cn=container/msgpo,cn=udm_module,cn=univention,dc=gfm,dc=local

Waiting for activation of the extension object msgpo:........................................................ERROR: Master did not mark the extension object active within 180 seconds.
ERROR
ucs_registerLDAPExtension: registraton of /usr/share/univention-s4-connector/ldap/msgpo.schema failed.
EXITCODE=1

Mon Mai 11 16:21:01 CEST 2015
univention-run-join-scripts finished

What do the log files in /var/log/univention and the Samba logs say when you run the join script again?

I have now gone back to the Samba 3 installation and worked through the best-practice article.
http://wiki.univention.de/index.php?title=Best_Practice_Samba_4_Migration

Kerberos and DNS domain match, and the Samba SIDs mostly match too - only Users had RID 1201 instead of 545.
I fixed that with ldapmodify.
The command:
/usr/share/univention-directory-manager-tools/proof_uniqueMembers
then removed all users from the groups

root@univention1:~# /usr/share/univention-directory-manager-tools/proof_uniqueMembers 
Checking if users are member of their primary group...
Checked 274 posixAccounts, fixed 0 issues.
Checking if group-members exist...
Warning: No member for DN 'uid=grladmin,cn=groups,dc=gfm,dc=local', will be removed
Warning: No member for DN 'uid=des005,cn=groups,dc=gfm,dc=local', will be removed
Warning: No member for DN 'uid=lab017,cn=groups,dc=gfm,dc=local', will be removed
Warning: No member for DN 'uid=mon398,cn=groups,dc=gfm,dc=local', will be removed
Warning: No member for DN 'uid=des002,cn=groups,dc=gfm,dc=local', will be removed
Warning: No member for DN 'uid=tec010,cn=groups,dc=gfm,dc=local', will be removed
Warning: No member for DN 'uid=des013,cn=groups,dc=gfm,dc=local', will be removed
Warning: No member for DN 'uid=vkf060,cn=groups,dc=gfm,dc=local', will be removed
Warning: No member for DN 'uid=hyd098,cn=groups,dc=gfm,dc=local', will be removed
Warning: No member for DN 'uid=kbs249,cn=groups,dc=gfm,dc=local', will be removed
[...]

After that, however, the Samba 4 migration runs roughly the same way as before.

Messages like these appear:

GROUP 'users'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-545'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'users' S-1-5-21-2657495056-2441450391-3094810640-545 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)

Back to the Samba 3 state again:
There, wbinfo -u and wbinfo -g list nothing.
The domain itself I can display.

root@univention1:~# wbinfo -m --trusted-domains
BUILTIN
GFM
BUILTIN
GFM
root@univention1:~# wbinfo -m --own-domain
BUILTIN
GFM
GFM
root@univention1:~# wbinfo -m --online-status
BUILTIN
GFM
BUILTIN : online
GFM : online


root@univention1:~# wbinfo -D=GFM
Name              : GFM
Alt_Name          : 
SID               : S-1-5-21-1279396558-1320036956-2672020403
Active Directory  : No
Native            : No
Primary           : Yes


root@univention1:~# wbinfo -D=BUILTIN
Name              : BUILTIN
Alt_Name          : 
SID               : S-1-5-32
Active Directory  : No
Native            : No
Primary           : No

I am somewhat at a loss.

Which log file in /var/log/univention besides join.log is relevant?

This is in log.samba:

[2015/05/12 11:49:28.148295,  0, pid=1381] ../source4/smbd/server.c:372(binary_smbd_main)
  samba version 4.1.0-Debian started.
  Copyright Andrew Tridgell and the Samba Team 1992-2013
[2015/05/12 11:49:28.256462,  0, pid=1382] ../source4/smbd/server.c:501(binary_smbd_main)
  samba: using 'standard' process model
[2015/05/12 11:49:28.260093,  1, pid=1401] ../source4/dsdb/common/util.c:1324(samdb_ntds_settings_dn)
  Searching for dsServiceName in rootDSE failed: NULL Base DN invalid for a base search
[2015/05/12 11:49:28.260184,  1, pid=1401] ../source4/dsdb/common/util.c:1344(samdb_ntds_settings_dn)
  Failed to find our own NTDS Settings DN in the ldb!
[2015/05/12 11:49:28.260239,  1, pid=1401] ../source4/dsdb/common/util.c:1501(samdb_ntds_objectGUID)
  Failed to find our own NTDS Settings objectGUID in the ldb!
[2015/05/12 11:49:28.260285,  1, pid=1401] ../source4/kdc/kdc.c:913(kdc_task_init)
  kdc_task_init: Cannot determine if we are an RODC: operations error at ../source4/dsdb/common/util.c:2984
[2015/05/12 11:49:28.260320,  0, pid=1401] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [kdc: krb5_init_context samdb RODC connect failed]
[2015/05/12 11:49:28.260346,  1, pid=1402] ../source4/dsdb/common/util.c:1324(samdb_ntds_settings_dn)
  Searching for dsServiceName in rootDSE failed: NULL Base DN invalid for a base search
[2015/05/12 11:49:28.260414,  1, pid=1402] ../source4/dsdb/common/util.c:1344(samdb_ntds_settings_dn)
  Failed to find our own NTDS Settings DN in the ldb!
[2015/05/12 11:49:28.260465,  1, pid=1402] ../source4/dsdb/common/util.c:1501(samdb_ntds_objectGUID)
  Failed to find our own NTDS Settings objectGUID in the ldb!
[2015/05/12 11:49:28.260511,  0, pid=1402] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [dreplsrv: Failed to connect to local samdb: WERR_DS_UNAVAILABLE
  ]
[2015/05/12 11:49:28.261678,  0, pid=1403] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [Cannot start Winbind (domain controller): Failed to find record for GFM in /var/lib/samba/private/secrets.ldb: No such object: (null): Have you provisioned the GFM domain?]
[2015/05/12 11:49:28.262003,  1, pid=1405] ../source4/dsdb/common/util.c:1324(samdb_ntds_settings_dn)
  Searching for dsServiceName in rootDSE failed: NULL Base DN invalid for a base search
[2015/05/12 11:49:28.262068,  1, pid=1405] ../source4/dsdb/common/util.c:1344(samdb_ntds_settings_dn)
  Failed to find our own NTDS Settings DN in the ldb!
[2015/05/12 11:49:28.262133,  1, pid=1405] ../source4/dsdb/common/util.c:1501(samdb_ntds_objectGUID)
  Failed to find our own NTDS Settings objectGUID in the ldb!
[2015/05/12 11:49:28.262179,  0, pid=1405] ../source4/smbd/service_task.c:35(task_server_terminate)
  task_server_terminate: [kccsrv: Failed to connect to local samdb: WERR_DS_UNAVAILABLE
  ]
[2015/05/12 11:49:28.281367,  0, pid=1382] ../source4/smbd/server.c:213(samba_terminate)
  samba_terminate: kccsrv: Failed to connect to local samdb: WERR_DS_UNAVAILABLE
  
[2015/05/12 11:49:28.943358,  1, pid=1399] ../source4/dsdb/common/util.c:1324(samdb_ntds_settings_dn)
  Searching for dsServiceName in rootDSE failed: NULL Base DN invalid for a base search
[2015/05/12 11:49:28.943411,  1, pid=1399] ../source4/dsdb/common/util.c:1344(samdb_ntds_settings_dn)
  Failed to find our own NTDS Settings DN in the ldb!
[2015/05/12 11:49:28.943448,  1, pid=1399] ../source4/dsdb/common/util.c:3119(samdb_ntds_options)
  Failed to find our own NTDS Settings options in the ldb!

I went back one step further.

This time I used my snapshot of the fresh UCS 3.2.5 installation as the base, in which only the base SID had been changed.
Then I created a single test user and then ran the Samba 4 migration.
It does not fail then, but it still shows unexpected error messages:

[...]
GROUP 'Domain Admins'
GROUP SID 'S-1-5-21-2657495056-2441450391-3094810640-512'
Inconsistent SAM -- group member uid not in our domain
Ignoring group 'Domain Admins' S-1-5-21-2657495056-2441450391-3094810640-512 listed but then not found: Unable to enumerate group members, (-1073741596,NT_STATUS_INTERNAL_DB_CORRUPTION)

[...]

Exporting users
sid S-1-5-21-2657495056-2441450391-3094810640-5002 does not belong to our domain
sid S-1-5-21-2657495056-2441450391-3094810640-500 does not belong to our domain
sid S-1-5-21-2657495056-2441450391-3094810640-5006 does not belong to our domain
sid S-1-5-21-2657495056-2441450391-3094810640-5008 does not belong to our domain
sid S-1-5-21-2657495056-2441450391-3094810640-5010 does not belong to our domain
Next rid = 1000

[...]

Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Admin password:        .xs[D6N-$v&Poo
Server Role:           active directory domain controller
Hostname:              univention1
NetBIOS Domain:        GFM
DNS Domain:            gfm.local
DOMAIN SID:            S-1-5-21-1279396558-1320036956-2672020403
Importing WINS database
[...]

So a new SID was created for my domain. That is exactly what I want to avoid - the one I specified should be used.
This SID then appears in LDAP in exactly these two places:

An entry for a temporary SID:

dn: cn=S-1-5-21-1279396558-1320036956-2672020403-5002,cn=sid,cn=temporary,cn=u
 nivention,dc=gfm,dc=local
objectClass: top
objectClass: lock
lockTime: 1427890025
cn: S-1-5-21-1279396558-1320036956-2672020403-5002
structuralObjectClass: lock
entryUUID: a899e610-6cb2-1034-935e-a3b5f97aa76f
creatorsName: cn=admin,dc=gfm,dc=local
createTimestamp: 20150401120205Z
entryCSN: 20150401120205.259071Z#000000#000#000000
modifiersName: cn=admin,dc=gfm,dc=local
modifyTimestamp: 20150401120205Z

And one for the domain:

dn: sambaDomainName=GFM,dc=gfm,dc=local
sambaDomainName: GFM
sambaSID: S-1-5-21-1279396558-1320036956-2672020403
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
structuralObjectClass: sambaDomain
entryUUID: 16feac92-8ce5-1034-8509-c797228dc2cc
creatorsName: cn=admin,dc=gfm,dc=local
createTimestamp: 20150512112342Z
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMinPwdAge: 0
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
sambaMinPwdLength: 8
sambaLockoutDuration: 0
sambaMaxPwdAge: 0
entryCSN: 20150512115706.808183Z#000000#000#000000
modifiersName: cn=admin,dc=gfm,dc=local
modifyTimestamp: 20150512115706Z

Otherwise the value S-1-5-21-1279396558-1320036956-2672020403 does not exist in LDAP. All other objects have the old SID, which I wanted to keep.

If I could get this far with my 270 users, which I have already imported in the other test environment, I would be happy - even though I would prefer that S4 also uses the old SID and not the newly created one:

root@univention1:~# univention-s4search cn=Gsell
# record 1
dn: CN=Gsell,CN=Users,DC=gfm,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Gsell
sn: Roland
instanceType: 4
whenCreated: 20150512115601.0Z
displayName: Roland
uSNCreated: 3853
name: Gsell
objectGUID: 29a9d78e-b859-4a6a-8b78-b066e4bdf239
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 513
objectSid: S-1-5-21-1279396558-1320036956-2672020403-1103
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Gsell
sAMAccountType: 805306368
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=gfm,DC=local
userAccountControl: 512
userPrincipalName: Gsell@GFM.LOCAL
pwdLastSet: 130759035030000000
whenChanged: 20150512115602.0Z
uSNChanged: 3855
distinguishedName: CN=Gsell,CN=Users,DC=gfm,DC=local

Is that possible at all?
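Two of the symptoms in this thread come from the Samba 3 directory itself rather than from the upgrade: the "sid ... does not belong to our domain" lines appear when an object's sambaSID does not share the domain part of the sambaDomain entry's sambaSID (the old domain SID on the objects versus the new one on sambaDomainName=GFM shown in the post above), and proof_uniqueMembers drops group members whose uniqueMember DN points at an entry that does not exist (the uid=...,cn=groups,... warnings in the earlier post). The following is an added example, not code from Univention, Samba or the poster: a checker that runs both tests over an LDIF export before a migration is attempted. The LDIF sample is constructed; only the two domain SIDs are taken from the thread.

```python
"""
Consistency check for a Samba 3 LDAP export before a Samba 4 migration.

Reports:
  * a sambaSID whose domain part differs from the sambaDomain entry's SID
    (the upgrade then prints "sid ... does not belong to our domain");
  * a group uniqueMember DN that matches no entry in the dump
    (proof_uniqueMembers would remove that member).
"""
import base64
import re
import sys

# The two domain SIDs quoted in the thread; the entries below are constructed
# sample data, not the poster's real directory.
OLD_DOMAIN_SID = "S-1-5-21-2657495056-2441450391-3094810640"
NEW_DOMAIN_SID = "S-1-5-21-1279396558-1320036956-2672020403"

SAMPLE_LDIF = f"""version: 1

dn: sambaDomainName=GFM,dc=gfm,dc=local
objectClass: sambaDomain
sambaDomainName: GFM
sambaSID: {NEW_DOMAIN_SID}
sambaAlgorithmicRidBase: 1000

dn: uid=Administrator,cn=users,dc=gfm,dc=local
objectClass: sambaSamAccount
uid: Administrator
sambaSID: {OLD_DOMAIN_SID}-500

dn: uid=gsell,cn=users,dc=gfm,dc=local
objectClass: sambaSamAccount
uid: gsell
sambaSID: {NEW_DOMAIN_SID}-1000

dn: cn=Domain Admins,cn=groups,dc=gfm,dc=l
 ocal
objectClass: sambaGroupMapping
cn: Domain Admins
sambaSID: {NEW_DOMAIN_SID}-512
uniqueMember: uid=Administrator,cn=users,dc=gfm,dc=local
uniqueMember: uid=grladmin,cn=groups,dc=gfm,dc=local
"""

# domain part and RID of an account or group SID
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def norm_dn(dn):
    """Lower-case a DN and drop whitespace around its comma-separated RDNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; handles folded lines and base64 values."""
    entries = []
    unfolded = re.sub(r"\n ", "", text)            # a leading space continues the previous line
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line[0] == "#" or line.startswith("version:"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):                # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def check_dump(text):
    """Return (domain_sid, findings); an empty findings list means the dump is consistent."""
    entries = parse_ldif(text)
    known_dns = {norm_dn(dn) for dn, _ in entries}
    domain_sid = None
    for dn, attrs in entries:
        if "sambadomain" in (oc.lower() for oc in attrs.get("objectclass", [])):
            domain_sid = attrs.get("sambasid", [None])[0]
            break
    findings = []
    if not domain_sid:
        findings.append("no sambaDomain entry with a sambaSID found")
        return domain_sid, findings
    for dn, attrs in entries:
        for sid in attrs.get("sambasid", []):
            if sid == domain_sid:
                continue                            # the domain entry itself
            m = SID_RE.match(sid)
            if m is None or m.group(1) != domain_sid:
                findings.append(f"foreign SID {sid} on {dn}")
        for member in attrs.get("uniquemember", []):
            if norm_dn(member) not in known_dns:
                findings.append(f"dangling member {member} in {dn}")
    return domain_sid, findings


if __name__ == "__main__":
    # usage: python check_samba3_dump.py export.ldif   (no argument: built-in sample)
    ldif = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    sid, problems = check_dump(ldif)
    print(f"domain SID: {sid}")
    for p in problems:
        print(f"  {p}")
```

Run against a real `slapcat` or `univention-ldapsearch -LLL` export, an empty findings list means every object carries the domain SID the sambaDomain entry declares and every group member DN resolves; anything listed is a candidate for ldapmodify before the Samba 4 join rather than after it.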

OK, the whole migration probably failed mainly because I had installed Python 2.7 on the system (my import script strictly required it) and Univention apparently makes heavy use of Python when installing Samba 4.
With Python 2.6 it already works much better.

The fact that a new SID is created and that the base SIDs in S4 and in the Univention LDAP are now different remains, however.
Whether that is a problem or not, the practical test at the customer's site will show.

In particular, the need to rejoin the clients should be avoided.

Regards,
Roland.
