Migrating a Samba NT4 Domain to Samba AD (Classic Upgrade)

From SambaWiki
Revision as of 21:03, 6 February 2012 by Bilbo (talk | contribs)

PRENOTE This guide is only for replacing the 4th step (Step 4: Provision Samba4) on the main Samba4/HOWTO wiki page. Please follow that page in full detail before attempting anything on this page.

This is a very early beginning of a HOWTO for the Samba3 to Samba4 upgrade process

Samba Tool

The Samba Tool (see: Samba-tool-external) is a collection of tools and scripts used to build, manage and debug a Samba4 instance.

samba3upgrade is a subcommand built into samba-tool. Its intent is to do a full replacement of an existing Samba3-backed domain. It is possible (at least in theory) to convert an existing Samba3 domain, shut down the old service and start the new Samba4 service, and the Windows users and member computers will simply connect to the new server without needing to re-join manually. Existing user domain profiles on member computers will appear exactly as they did on the old domain.

PLEASE NOTE: Make sure you thoroughly test your conversion and how your clients react before you activate your new server in your production environment! Once a Windows client finds and connects to the new server, it is not possible to go back! It is necessary to do testing on a separate network so that the old and new domain controllers don't clash.

The issues with having both domains 'live' at the same time are:

  • The databases are not synchronised after the initial migration
  • Even if no changes are made to the DB, clients which see an AD DC will no longer honour NT4 system policies
  • The new Samba4 PDC and the old DC will both claim to hold the #1b name as the netbios domain master

Notes about migrating from LDAP backend

Make sure you have the LDAP headers installed (apt-get install libldap2-dev on Debian-based distros). Double check that either:

  • A) you have 'ldapsam:trusted = yes' in the [global] section of your Samba3 config file or
  • B) you have nsswitch.conf configured with the correct ldap entries.

or both!

Otherwise certain parts of the migration process won't complete correctly. (I had specific problems with group migration.)

The following script checks for duplicate SIDs using slapcat. You will want to fix these manually before running the samba3upgrade command; otherwise the import will abort with the following error:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: Please remove duplicate user sid entries before upgrade.

# A quick and dirty python script that checks for duplicate SIDs using slapcat.
import os
# Dump the directory and keep only the sambaSID attribute lines
data = os.popen("slapcat | grep sambaSID", 'r')
line = []
def anydup(thelist):
    # Any SID value that occurs more than once in the dump is a duplicate
    dups = list(set([x for x in thelist if thelist.count(x) > 1]))
    for i in dups:
        print("Duplicate id: " + i)
for each_line in data:
    line.append(each_line.strip())
anydup(line)
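The grep pipeline above only tells you which SID value is duplicated, not which entries carry it, and it misses attribute values that slapcat has folded onto a continuation line. The script below is an added example (not from the Samba wiki or the samba-tool code): it parses the LDIF records, unfolds continuation lines and reports the DNs sharing each sambaSID. The LDIF it ships with is a constructed sample; run it with a file argument or let it call slapcat itself.

```python
"""Report duplicate sambaSID values in an LDIF dump together with the DNs that share them."""
import subprocess
import sys
from collections import defaultdict

# Constructed sample LDIF (not a real directory): alice and carol wrongly share RID 1001,
# and carol's DN is folded across two lines the way slapcat wraps long lines.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=org
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1001

dn: uid=bob,ou=Users,dc=example,dc=org
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1002

dn: uid=carol,ou=Users,dc=exam
 ple,dc=org
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1001
"""

def unfold(ldif_text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def find_duplicate_sids(ldif_text):
    """Return {sid: [dn, ...]} for every sambaSID carried by more than one entry."""
    by_sid = defaultdict(list)
    dn = None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = None                          # a blank line ends the current entry
        elif line.startswith("dn:"):           # a base64 "dn::" is reported still encoded
            dn = line.split(":", 1)[1].lstrip(": ")
        elif line.lower().startswith("sambasid:") and dn is not None:
            by_sid[line.split(":", 1)[1].strip()].append(dn)
    return {sid: dns for sid, dns in by_sid.items() if len(dns) > 1}

if __name__ == "__main__":
    # With a file argument read that LDIF; otherwise dump the live directory with slapcat.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else subprocess.check_output(["slapcat"], universal_newlines=True)
    for sid, dns in sorted(find_duplicate_sids(text).items()):
        print("Duplicate SID %s on: %s" % (sid, ", ".join(dns)))
```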

To move your LDAP directory over to the new server, first run this on your Samba3 machine:

 # slapcat > backup.ldif 

Then, on your Samba4 machine, install LDAP, stop slapd (typically /etc/init.d/slapd stop) and perform the following commands:

 # scp root@ip.to.samba3.machine:/path/to/backup.ldif /root
 # scp -r root@ip.to.samba3.machine:/etc/ldap /root
 # cd /etc && mv ldap ldap.orig && mv /root/ldap ./
 # slapadd -l /root/backup.ldif

Then restart slapd. It will likely not start right off the bat; chown openldap:openldap /var/lib/ldap -R and chown openldap:openldap /etc/ldap -R should take care of this. Remember this IS distro specific: your paths and OpenLDAP user may be different! Also, changing the ownership of ALL the files in those directories to the openldap user/group is probably very insecure, but slapd is only used briefly to do the import, after which it can be removed completely.

[NOTE: If you didn't have the libldap2-dev when you did your ./configure or ./configure.developer, you WILL need to redo those steps and redo the make and make install as well before you migrate or you will get errors about ldapsam.]

Upgrading on a New Server (testing before an in-place migration, PREFERRED)

It is possible to copy your domain information from the existing Samba3 domain to a new server and do your conversion there.

Download, build and install the Samba4 binaries, either from one of the Alpha releases or from "git". (see the Samba4/HOWTO page, follow the howto all the way to the provision step)

Copy your Samba3 database directory (the directory holding all your Samba3 tdb files; mine is /var/lib/samba) to the new server (e.g. scp -r /var/lib/samba ip.to.new.server:/home/user/samba3db), as well as the Samba3 config (mine is /etc/samba/smb.conf, so scp /etc/samba/smb.conf ip.to.new.server:/home/user/samba3.conf). [NOTE: Samba3 does not need to be installed on this machine, only the db and config files copied over; LDAP, however, does need to be installed if you are coming from that backend.]

If you wish to rename the new server, you can change the netbios name in the Samba3 conf file.

[NOTE: if you run the migration more than once, for example, in a testing environment, then make sure you remove the generated conf file in /usr/local/samba/etc directory. If the migration tool finds an existing smb.conf file, it will make use of the parameters there in its conversion.]

 # /usr/local/samba/bin/samba-tool domain samba3upgrade --dbdir=/home/user/samba3db  --use-xattrs=yes  --realm=myname.org /home/user/samba3.conf
 (this needs to be done with root permissions; add | tee /samba3upgrade.log to capture the output)

You can raise the Samba log level in samba3.conf to see extra output if you are having problems, but be aware that this may produce MASSIVE amounts of output.

  • use-xattrs: use the underlying file system support for extended attributes. This assumes that your host OS supports this.
  • realm: You can specify the realm on the command line if it is not already specified in the Samba3 smb.conf file.

Upgrading in Place

Only after you have done a successful upgrade on another machine should you do this step.

One way to create a new Samba4 server is to install the Samba4 binaries on a currently existing Samba3 server. This will replace the currently running system with a Samba4 instance, populated with the users, groups and machine accounts from the previous Samba3 service.

  • First: follow the first 3 steps from the Samba4/HOWTO page
  • Second: stop all existing Samba3 services (smbd, nmbd, winbindd) but leave slapd running if you are moving from an LDAP backend.
  • Third: perform the upgrade by running
  # /usr/local/samba/bin/samba-tool domain samba3upgrade --dbdir=/path/to/samba3/tdbfiles  --use-xattrs=yes  --realm=myname.org /path/to/samba3/smb.conf 
  (this needs to be done with root permissions)
  • Fourth: Stop slapd and start samba 4 (follow from step 5 on using the Samba4/HOWTO page)
  • Fifth: VERY IMPORTANT: make sure the Samba3 and LDAP services DO NOT autostart on the next boot. How to disable them is distro specific, so look around the internet for your distribution. This is also a good point to make sure that Samba4 DOES start on boot.

Migrating Groups

At this point, the samba3upgrade tool does NOT migrate groups and their members from the previous Samba3 instance. However, it is not too difficult to create a script to add these groups manually. Assuming you have copied the source /etc/group file to your target server, you can use the following filter:

 # rebuild the Windows groups from /etc/group, skipping system groups (gid <= 100)
 awk -F: '
 $3 > 100	{
 	printf("/usr/local/samba/bin/samba-tool group add %s\n", $1);
 	# field 4 is the comma-separated member list; only call addmembers when there is one
 	if ($4 != "")
 		printf("/usr/local/samba/bin/samba-tool group addmembers %s %s\n", $1, $4);
 }' /etc/group | /bin/sh

NOTE: Active Directory (and therefore Samba4) does not allow the usual Linux/Unix convention of creating private groups for users, with the same name as the user. This script does not check for these illegal group names. In this case, the samba-tool command will fail and skip over these groups, leaving you with the valid groups.
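As an added example (not the wiki's awk filter or any samba-tool code), the following Python script builds the same list of samba-tool commands but also skips the user-private groups the note above warns about, by checking group names against the login names in /etc/passwd, and emits addmembers only for groups that actually have members. The passwd and group data embedded in it are constructed samples; the samba-tool path is the one used throughout this page.

```python
"""Generate samba-tool commands that recreate Unix groups as AD groups."""
import shlex

SAMBA_TOOL = "/usr/local/samba/bin/samba-tool"   # install path used throughout the wiki page

# Constructed sample /etc/passwd and /etc/group, not copied from a real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
users:x:100:
alice:x:1000:
bob:x:1001:
accounting:x:1002:alice,bob
archive:x:1003:
"""

def user_names(passwd_text):
    """Set of login names in a passwd file; a group with one of these names is a user-private group."""
    return {l.split(":", 1)[0] for l in passwd_text.splitlines() if l and not l.startswith("#")}

def plan_group_commands(group_text, passwd_text, min_gid=100):
    """Return (commands, skipped): shell commands to run, and (group, reason) pairs left out."""
    users = user_names(passwd_text)
    commands, skipped = [], []
    for line in group_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        if int(gid) <= min_gid:                      # same rule as the awk filter's $3 > 100
            skipped.append((name, "system group (gid <= %d)" % min_gid))
        elif name in users:                          # AD rejects a group named like a user
            skipped.append((name, "user-private group, same name as a user"))
        else:
            commands.append("%s group add %s" % (SAMBA_TOOL, shlex.quote(name)))
            member_list = [m for m in members.split(",") if m]
            if member_list:                          # never call addmembers with an empty list
                commands.append("%s group addmembers %s %s"
                                % (SAMBA_TOOL, shlex.quote(name), shlex.quote(",".join(member_list))))
    return commands, skipped

if __name__ == "__main__":
    cmds, skipped = plan_group_commands(open("/etc/group").read(), open("/etc/passwd").read())
    print("\n".join(cmds))
    for name, why in skipped:
        print("# skipped %s: %s" % (name, why))
```

Review the printed plan first, then pipe the script's output to /bin/sh as the awk filter does; the skipped groups are listed as shell comments so they pass through harmlessly.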


Please share any notes about your migration here!

I kept getting messages about expired passwords. This was an early bug that has since been fixed, but if you need to extend your password times, do the following:

 # samba-tool domain passwordsettings set --max-pwd-age=999