Migrating a Samba NT4 Domain to Samba AD (Classic Upgrade)
Introduction
This guide is only relevant if you have a Samba NT4-style domain, that you want to upgrade to Samba Active Directory!
Many people find themselves in a situation where they have an existing Samba NT4-style domain, complete with an extensive set of domain users, groups and machines. The domain is functioning rather well, but they find themselves running into more and more dead ends. Things that a NT4-style domain just doesn't support.
Samba provides a way to migrate an existing NT4-style domain to a new Samba Active Directory. The following guide describes the upgrade szenario.
About classicupgrade
The classicupgrade is a function built into samba-tool. The intent of this function is to do a full replacement of an existing Samba NT4-style domain. It is possible to do the conversion and the users and machines will simply re-connect to the new Samba AD installation without needing to manually re-join.
Doing a classicupgrade is possible from all passwd backends (smbpasswd, tdbsam and ldapsam). But only ldapsam enables the automatic import of groups, as well. For the other backends this has to be done manually, what results in new SIDs for these groups. See: What are the consequences changing an SID/RID?
Important notes before you start
The migration from an NT4-style domain to Active Directory is a one way road! This means that when your clients are contacting the first time your migrated AD Domain Controller, then will never access the NT4-style domain any more - even if you rollback your changes!
It's highly recommended, that before you do the migration, you should test the upgrade process in a network, that is separated from your production! This enables you to avoid unnecessary downtimes through unpredictable problems and it won't have any effects to your existing network.
Server information used in this HowTo
Inside this HowTo, we will be using the following configuration/settings:
AD DC Installation Directory: /usr/local/samba/ AD DC Hostname: DC1 AD DNS Name: samdom.example.com Realm: samdom.example.com NT4 Domain Name: samdom IP Address: 192.168.1.1 Databases of the Samba NT4-domain: /usr/local/samba.PDC/private/ smb.conf of the Samba NT4-domain: /usr/local/samba.PDC/etc/smb.PDC.conf
Preparations
Avoiding common problems
Prevent duplicate SIDs abortions
A common problem are duplicate SIDs in the backend. In a healthy environment an SID is unique. But old Samba versions without sanity checks, wrong manual changes or other things could have lead to duplicate SIDs in your environment. These need to be fixed/removed. Otherwise the classicupgrade is not possible!
See: What are the consequences changing an SID/RID?
To detect duplicate SIDs in an LDAP backend, you can use the following script on your LDAP server:
#!/usr/bin/python # A quick and dirty python script that checks for duplicat SID's using slapcat. import os data = os.popen("slapcat 2>&1 | grep sambaSID", 'r') line = [] def anydup(thelist): dups = list(set([x for x in thelist if thelist.count(x) > 1])) for i in dups: print "Duplicate id: ", i for each_line in data: line.append(each_line.strip()) anydup(line)
To find duplicate SIDs on other passdb backends (smbpasswd, tdbsam), you have to script around the output of the following two commands:
# pdbedit -Lv # net groupmap list
To change SIDs for for groups, remove the mapping and re-add it. A new SID with the next free RID is created and used.
Note: This is is only relevant if you are using „passdb backend = ldapsam“. For other backends the groups are not imported and need to manually re-created in Active Directory. This automatically would lead into new SIDs.
# net groupmap delete ntgroup="demo group" Sucessfully removed demo group from the mapping db # net groupmap add ntgroup="Demo Group" unixgroup="demo group" No rid or sid specified, choosing a RID Got RID 1009 Successfully added group Demo Group to the mapping db as a domain group
For user and machine accounts, you have to manually assign a new RID:
# net maxrid Currently used maximum rid: 3001 # pdbedit -U 3002 -u demo1 ... User SID: S-1-5-21-4097619914-84555263-3210783664-3002
Prevent common user/group name abortions
If you are having any usernames, that are the same than a groupname, you have to rename one of them. Otherwise the provisioning will fail („ProvisioningError: Please remove common user/group names before upgrade.“).
Note: This is is only relevant if you are using „passdb backend = ldapsam“. For other backends the groups are not imported and need to manually re-created in Active Directory. This automatically would lead into new SIDs.
slapd.conf sizelimit
Note: The following is only relevant in passdb backend = ldapsam setups:
If you have many objects in your PDC LDAP, you should consider to add
sizelimit {<integer>|unlimited}
to your slapd.conf. This parameter specifies the maximum number of entries returned from a search operation. The default, if not set, is 500. This can cause problems, when having many objects in your LDAP directory and classicupgrade can't retrieve them all!
Active Directory Domain Name
Choose a meaningful and suitable Active Directory domain name / realm. See Domain Name best practice.
Note: Currently Samba does not provide capabilities to change the AD Domain Name afterwards!
Domain Controller name
If you consider to change the Domain Controller name during the migration, simply set/change the netbios name in your old PDC smb.conf file, that classicupgrade will use for doing the migration:
netbios name = DC1
Though it's possible to rename a DC afterwards, it is always additional work and can cause problems (forgotten configuration adaptations, etc.)
Installing Samba
Versions
This HowTo is frequently updated to reflect the latest changes. Please see the Samba Release Planning for more specifics.
Different ways to install
You have a few options to install Samba:
- Build Samba by yourself.
- Install binary distribution packages. Make sure, that you use a recent Samba installation with Active Directory Domain Controller capabilities!
- Install from SerNet Enterprise Samba package.
See OS Requirements for dependencies and recommendations.
Paths
Take care when running Samba commands, if you also have a previous version of Samba installed. To avoid inadvertently running the wrong version, you should consider putting the /usr/local/samba/bin/ and /usr/local/samba/sbin/ directories in the beginning of your $PATH variable!
You can see what version of Samba, if any, is in your $PATH variable, by running:
# samba --version
The classicupgrade process
Before you start, shutdown your Samba PDC services (smbd, nmbd, winbind), but leave your LDAP server running (if using passwd backend = ldapsam).
Rename your Samba PDC installation directory, or at least the folder containing the databases, to avoid mixing binaries/libraries/databases from the old and new installation:
# mv /usr/local/samba/ /usr/local/samba.PDC/
It will also prevent problems, like they will happen, when your old Samba installation is started automatically at boot time again.
Rename your smb.conf to a name indicating, that it's the one from your old PDC:
# mv /usr/local/samba.PDC/etc/smb.conf /usr/local/samba.PDC/etc/smb.PDC.conf
The classicupgrade setup a database based on the Samba NT4-style domain SID. A default directory layout is created including accounts, groups, ACLs, etc. Imports of e. g. user and machine accounts are done.
The classicupgrade step must be run as user root. Otherwise you're getting permission denied errors!
To start the classicupgrade with Internal DNS setup, run:
# samba-tool domain classicupgrade --dbdir=/usr/local/samba.PDC/private/ --use-xattrs=yes --realm=samdom.example.com --dns-backend=SAMBA_INTERNAL /usr/local/samba.PDC/etc/smb.PDC.conf
To start the classicupgrade with BIND_DLZ DNS setup, run:
# samba-tool domain classicupgrade --dbdir=/usr/local/samba.PDC/private/ --use-xattrs=yes --realm=samdom.example.com --dns-backend=BIND9_DLZ /usr/local/samba.PDC/etc/smb.PDC.conf
Parameter explanations:
--dbdir= Path to samba classic DC database directory --use-xattrs=yes Use the native filesystem capabilities for storing the neccessary extended attributes for Windows ACLs (required e. g. for the SysVol share) --realm= Set the realm name --dns-backend= Optional. Required if BIND9_DLZ should be used as DNS backend. Default is the internal DNS (SAMBA_INTERNAL) Optional: If you are having multiple NICs, classicupgrade auto-chooses the IPv4/v6 address of one NIC to setup the Domain Controller. To prevent this, add the following to parameters the the classicupgrade command. This would bind Samba to the given interface (eth0) and localhost (Samba should always listen on localhost, too). --option="interfaces=lo eth0" --option="bind interfaces only=yes"
The following is a sample output of a successfull classicupgrade. Depending on your database backend, Samba version and other factors, the output will differ:
Reading smb.conf Provisioning Exporting account policy Exporting groups Exporting users Next rid = 1010 Exporting posix attributes Reading WINS database Cannot open wins database, Ignoring: [Errno 2] No such file or directory: '/usr/local/samba.PDC/private/wins.dat' Looking up IPv4 addresses Looking up IPv6 addresses No IPv6 address will be assigned Setting up share.ldb Setting up secrets.ldb Setting up the registry Setting up the privileges database Setting up idmap db Setting up SAM db Setting up sam.ldb partitions and settings Setting up sam.ldb rootDSE Pre-loading the Samba 4 and AD schema Adding DomainDN: DC=samdom,DC=example,DC=com Adding configuration container Setting up sam.ldb schema Setting up sam.ldb configuration data Setting up display specifiers Modifying display specifiers Adding users container Modifying users container Adding computers container Modifying computers container Setting up sam.ldb data Setting up well known security principals Setting up sam.ldb users and groups Setting up self join Setting acl on sysvol skipped Adding DNS accounts Creating CN=MicrosoftDNS,CN=System,DC=samdom,DC=example,DC=com Creating DomainDnsZones and ForestDnsZones partitions Populating DomainDnsZones and ForestDnsZones partitions See /usr/local/samba/private/named.conf for an example configuration include file for BIND and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates Setting up sam.ldb rootDSE marking as synchronized Fixing provision GUIDs A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf Setting up fake yp server settings Once the above files are installed, your Samba4 server will be ready to use Server Role: active directory domain controller Hostname: DC1 NetBIOS Domain: SAMDOM DNS Domain: samdom.example.com DOMAIN SID: S-1-5-21-4097619914-84555263-3210783664 Importing WINS database Importing Account policy Importing idmap database Cannot open idmap database, Ignoring: [Errno 2] No such file or directory Adding groups Importing groups Commiting 'add groups' transaction to disk Adding users Importing users Commiting 'add users' transaction to disk Adding users to groups Commiting 'add users to groups' transaction to disk Setting password for administrator
Note: If you re-run the classicupgrade, you need to remove the auto-generated smb.conf and the databases:
# rm -f /usr/local/samba/etc/smb.conf # rm -rf /usr/local/samba/private/*
After the classicupgrade
- Shutdown your LDAP server, if your passdb backend was ldapsam. Samba Active Directory requires to start its own LDAP server, that binds to the default ports port 389/tcp (LDAP) and 636/tcp (LDAPS).
- Disable the automatic start of your Samba PDC and LDAP server (if any).
- Enable your Samba AD service to automatically start at boot time.
- If your passdb backend was smbpasswd or tdbsam, you have to manually import your groups.
Manual import of groups (only smbpasswd and tdbsam passdb backend)
When using the passdb backends smbpasswd or tdbsam, it is not possible to automatically import groups from /etc/group during the classicupgrade. This has to be done manually afterwards.
Important note: Please read What are the consequences changing an SID/RID?
The following small script create all groups from /etc/group with an GID > 1000 in Active Directory and add their members to it:
cat /etc/group | awk -F: '$3 > 1000 { printf("samba-tool group add \"%s\"\n", $1); printf("samba-tool group addmembers \"%s\" %s\n", $1, $4); }' | /bin/sh
Continuing with the AD DC setup
The „classicupdate“ process replaces the „provisioning“ step in the Samba AD DC HowTo. If you had finished the classicupgrade without problems, you have to continue with the Samba AD DC HowTo after the provisioning step.
Improving classicupgrade
Because of complexity and the various setups, the classicupgrade doesn't catch all exceptions with a meaningful message yet.
Please open a bug report for every uncaught exception error (please first search bugzilla, if it was already reported).
Of course all other bugs, feature enhancements, etc. should be reported, as well, to improve the migration process in future releases.
classicupgrade FAQ
What are the consequences changing an SID/RID?
Warning: Windows uses in it's backend only SIDs to identify users, groups and machines. Changing an SID without due consideration, may result in serious problems or damages!
Example 1: You have two accounts with the same SID. One of them is member of the local administrators group on a workstation. If you change the SID of this account, the group membership gets lost, because Windows had stored the account SID in the group and not the account name.
Example 2: You have two machine accounts with the same SID. If you change the SID of one account, then this computer is not part of the domain any more and logins are not possible. If you have duplicate SIDs and at least one of them is on a machine account, the easiest way is to delete the machine account and rejoin the computer to the domain.
Error: User 'Administrator' in your existing directory has SID ..., expected it to be ...-500
The error says what's wrong: In your NT4-style domain backend, the RID of the domain administrator account isn't -500, what it should be (see. Windows well-known security identifiers). Change it to 500 and start over. You can remove the account, too, as it will be automatically created during the AD provisioning. See: What are the consequences changing an SID/RID?
Not all attributes were copied when migrating from passwd backend = ldapsam
Sadly classicupdate currently does not migrate all attributes found in LDAP. You can follow bug report #9908 about the progress. But improvements would only take effect, when doing the classicupgrade - not afterwards!
Workaround:
- Change the listen port of your NT4-style domain LDAP server to a different one than its default (389/tcp), if hosted on the same machine than your new Active Directory.
- Write a small script, that walks trought all user accounts in your AD, then search the same user account in your old LDAP and retrieve the attributes you want to transfer. Add them to an LDIF file, which can be imported with
# ldbmodify -H path/to/sam.ldb LDIFfilename