Difference between revisions of "Migrating a Samba NT4 Domain to Samba AD (Classic Upgrade)"
Revision as of 11:55, 22 November 2014
- Introduction
- About classicupgrade
- Important notes before you start
- Server information used in this HowTo
- Preparations
- Installing Samba
- The classicupgrade process
- After the classicupgrade
- Continuing with the AD DC setup
- Improving classicupgrade
- classicupgrade FAQ
Doing a classicupgrade is possible from all passdb backends (smbpasswd, tdbsam and ldapsam).
Important notes before you start
The migration from an NT4-style domain to Active Directory is one-way! This means that once your clients contact your migrated AD Domain Controller, they will never be able to access the NT4-style domain again - even if you roll back your changes!
Server information used in this HowTo
Inside this HowTo, we will be using the following configuration/settings:
Upgrading on a new server
If the backend of your PDC is ldapsam, you have the choice of:
- LDAP export on the old host:
# slapcat > ldap.backup.ldif
- Copy the export file to your new server
- Install OpenLDAP (incl. headers and libraries) on the new host
- Stop the LDAP service on the new host
- Import the LDIF
# slapadd -l ldap.backup.ldif
- Check/adjust permissions on your LDAP database directory (distro specific)
# chown -R ldap:ldap /var/lib/ldap/
- Copy the slapd.conf from your old LDAP host to the new one
- Start the LDAP service
Avoiding common problems
Prevent failure due to duplicate SIDs
A common problem is duplicate SIDs in the backend. In a healthy environment, a SID is unique. But old Samba versions without sanity checks, wrong manual changes or other things could have led to duplicate SIDs in your environment. These need to be fixed/removed. Otherwise the classicupgrade is not possible!
To detect duplicate SIDs in an LDAP backend, you can use the following script on your LDAP server:
#!/usr/bin/python
# A quick and dirty python script that checks for duplicate SIDs using slapcat.
import os
# every "sambaSID: ..." line of the directory dump
data = os.popen("slapcat 2>&1 | grep sambaSID", 'r')
line = []
def anydup(thelist):
    # report each value that occurs more than once
    dups = list(set([x for x in thelist if thelist.count(x) > 1]))
    for i in dups:
        print("Duplicate id: ", i)
for each_line in data:
    line.append(each_line.strip())
anydup(line)
# pdbedit -Lv
# net groupmap list
To change SIDs for groups, remove the mapping and re-add it. A new SID with the next free RID is created and used.
# net groupmap delete ntgroup="demo group"
Successfully removed demo group from the mapping db
# net groupmap add ntgroup="Demo Group" unixgroup="demo group"
No rid or sid specified, choosing a RID
Got RID 1009
Successfully added group Demo Group to the mapping db as a domain group
For user and machine accounts, you have to manually assign a new RID:
Prevent failure due to common user/group names
If you have any usernames that are the same as a groupname, you will have to rename one of them. Otherwise the provisioning will fail („ProvisioningError: Please remove common user/group names before upgrade.“). Also, if you have unique groups that, for whatever historical reason, share the same displayName, they will have to be edited so that all the displayNames are different.
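The script above only greps for sambaSID values; the following added example (not from this HowTo or from the Samba project) goes a step further and checks a slapcat-style LDIF export of an ldapsam backend for everything this page lists as a provisioning stopper: duplicate sambaSID values (reporting the DNs that share them), a user uid that collides with a group cn, groups sharing a displayName, and an Administrator account whose RID is not the well-known 500 as described in the FAQ on this page. It assumes the standard Samba LDAP schema (objectClasses sambaSamAccount and sambaGroupMapping, attribute sambaSID); the directory entries, names and SIDs in SAMPLE_LDIF are constructed for the demo.

```python
# Added pre-flight check for a classicupgrade from ldapsam (example code, not
# the Samba project's). Assumes the standard Samba LDAP schema; sample data is constructed.
import base64
from collections import defaultdict

# Constructed slapcat-style export: "bob" is both a user and a group and the two
# share one sambaSID, two groups share a displayName, Administrator has RID 1002.
SAMPLE_LDIF = """\
dn: uid=bob,ou=users,dc=example,dc=com
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-4097619914-84555263-3210783664-1001

dn: uid=administrator,ou=users,dc=example,dc=com
objectClass: sambaSamAccount
uid: administrator
sambaSID: S-1-5-21-4097619914-84555263-3210783664-1002

dn: cn=bob,ou=groups,dc=example,dc=com
objectClass: sambaGroupMapping
cn: bob
displayName: Bob Team
sambaSID: S-1-5-21-4097619914-84555263-3210783664-1001

dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: sambaGroupMapping
cn: staff
displayName: Staff
sambaSID: S-1-5-21-4097619914-84555263-3210783664-1003

dn: cn=oldstaff,ou=groups,dc=example,dc=com
objectClass: sambaGroupMapping
cn: oldstaff
displayName: Staff
sambaSID: S-1-5-21-4097619914-84555263-3210783664-1004
"""


def parse_ldif(text):
    """Return one dict per entry: lowercased attribute name -> list of values."""
    logical = []
    for raw in text.splitlines():          # unfold: a leading space continues the previous line
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical + [""]:            # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):          # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current = current if current is not None else defaultdict(list)
        current[name.strip().lower()].append(value.strip())
    return entries


def has_class(entry, oc):
    return oc.lower() in (c.lower() for c in entry.get("objectclass", []))


def grouped_dns(entries, attr, only=None):
    """Map each value of attr to the DNs carrying it, keeping only values seen more than once."""
    seen = defaultdict(list)
    for e in entries:
        if only is None or has_class(e, only):
            for value in e.get(attr, []):
                seen[value].append(e.get("dn", ["?"])[0])
    return {v: dns for v, dns in seen.items() if len(dns) > 1}


def preflight(ldif_text):
    entries = parse_ldif(ldif_text)
    users = {u.lower() for e in entries if has_class(e, "sambaSamAccount") for u in e.get("uid", [])}
    groups = {g.lower() for e in entries if has_class(e, "sambaGroupMapping") for g in e.get("cn", [])}
    admin_sids = [s for e in entries if has_class(e, "sambaSamAccount")
                  and "administrator" in (u.lower() for u in e.get("uid", []))
                  for s in e.get("sambasid", [])]
    return {
        "duplicate_sids": grouped_dns(entries, "sambasid"),
        "common_names": sorted(users & groups),
        "duplicate_display_names": grouped_dns(entries, "displayname", only="sambaGroupMapping"),
        # the RID is the last SID component; no Administrator entry is fine, classicupgrade creates it
        "administrator_rid_ok": all(s.rsplit("-", 1)[-1] == "500" for s in admin_sids),
    }


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for check, result in preflight(source).items():
        print(check, "->", result)
```

Run it as `python3 preflight.py ldap.backup.ldif` against the export taken with slapcat; with no argument it runs on the constructed sample and reports all four problems. The parser handles folded continuation lines and base64 (`::`) values, which a plain grep for sambaSID misses, so a SID split across two lines in the dump is still compared.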
Note: The following is only relevant in passdb backend = ldapsam setups:
If you have many objects in your PDC LDAP, you should consider adding
Active Directory Domain Name
Note: Currently Samba does not provide capabilities to change the AD Domain Name afterwards!
Domain Controller name
If you need to change the Domain Controller name during the migration, simply edit the old PDC smb.conf file that the classicupgrade will use for doing the migration and set/change the netbios name:
netbios name = DC1
Different ways to install
You have a few options to install Samba:
- Build Samba yourself.
- Install binary distribution packages. Make sure that you use a recent Samba installation with Active Directory Domain Controller capabilities!
- Install from SerNet Enterprise Samba package.
See OS Requirements for dependencies and recommendations.
You can see what version of Samba, if any, is in your $PATH variable, by running:
# samba --version
The classicupgrade process
# mv /usr/local/samba/ /usr/local/samba.PDC/
It will also prevent problems that could happen, if your old Samba installation is started automatically at boot time again.
Rename your smb.conf to a name indicating that it's the one from your old PDC:
# mv /usr/local/samba.PDC/etc/smb.conf /usr/local/samba.PDC/etc/smb.PDC.conf
The classicupgrade will set up a database based on the Samba NT4-style domain SID. A default directory layout is created including accounts, groups, ACLs, etc. Imports of e. g. user and machine accounts are done.
The classicupgrade step must be run as user root. Otherwise you will get permission denied errors!
To start the classicupgrade with Internal DNS setup, run:
To start the classicupgrade with BIND_DLZ DNS setup, run:
The classicupgrade options:
- --dbdir= Path to the Samba classic DC directory, containing all databases required for the migration
- --use-xattrs=yes Use the native filesystem capabilities for storing the necessary extended attributes for Windows ACLs (required e. g. for the SysVol share)
- --realm= Set the realm name
- --dns-backend= Optional. Required if BIND9_DLZ should be used as DNS backend. Default is the internal DNS (SAMBA_INTERNAL)
Optional: If you have multiple NICs, classicupgrade auto-chooses the IPv4/v6 address of one NIC to set up the Domain Controller. To prevent this, add the following parameters to the classicupgrade command. This will bind Samba to the given interface (eth0) and localhost (Samba should always listen on localhost too):
--option="interfaces=lo eth0" --option="bind interfaces only=yes"
The following is a sample output of a successful classicupgrade. Depending on your database backend, Samba version and other factors, the output will differ:
Note: If you re-run the classicupgrade, you will need to remove the auto-generated smb.conf and the databases:
# rm -f /usr/local/samba/etc/smb.conf
# rm -rf /usr/local/samba/private/*
After the classicupgrade
- If your passdb backend was ldapsam, shut down your LDAP server. Samba Active Directory will start its own LDAP server that binds to the default ports 389/tcp (LDAP) and 636/tcp (LDAPS).
- Disable the automatic start of your Samba PDC and LDAP server (if any).
- Enable your Samba AD service to automatically start at boot time.
Continuing with the AD DC setup
The „classicupgrade“ process replaces the „provisioning“ step in the Samba AD DC HowTo. If the classicupgrade finished without problems, you have to continue with the Samba AD DC HowTo after the provisioning step.
What are the consequences of changing a SID/RID?
Warning: SIDs are the only thing that Windows uses in its backend to identify users, groups and machines. Changing a SID, without due consideration, may result in serious problems or damages!
Example 2: You have two machine accounts with the same SID. If you change the SID of one account, then this computer is not part of the domain any more and logins are not possible. If you have duplicate SIDs and at least one of them is on a machine account, the easiest way is to delete the machine account and rejoin the computer to the domain.
Error: User 'Administrator' in your existing directory has SID ..., expected it to be ...-500
The error says what's wrong: In your NT4-style domain backend, the RID of the domain administrator account isn't -500, which it should be (see Windows well-known security identifiers). Change it to 500 and start over. You can remove the account, too, as it will be automatically created during the AD provisioning. See: What are the consequences of changing a SID/RID?
Not all attributes were copied when migrating from passdb backend = ldapsam
Sadly classicupgrade currently does not migrate all attributes found in LDAP. You can follow bug report #9908 about the progress. But improvements would only take effect when doing the classicupgrade - not afterwards!
- Change the listen port of your NT4-style domain LDAP server to a different one than its default (389/tcp), if hosted on the same machine as your new Active Directory.
# ldbmodify -H path/to/sam.ldb LDIFfilename