[Samba] NT4-Samba Migration Test Results
Ganguly, Sapan
Sapan.Ganguly at thalesgroup.com
Thu Oct 9 09:00:58 GMT 2003
John,
Thank you very much, that has filled in a few gaps but I have one more
question. Once I've used pdbedit to migrate everything to an LDAP backend
how should the scripts part of my smb.conf look then?
You see, the way I did it was to set up my LDAP database first, then setup
Samba and put the scripts from smbldap-tools into my smb.conf. I then ran
'net rpc vampire' and that took everything across, all the users, groups,
and computers went into the database. The only problem was that the most
groups were empty, in fact the only group that is populated is Domain Users.
We have a lot of groups on our site, each time a new project is started we
create a new group and put the team members in it, we have hundreds!! I did
contemplate putting people back into their groups by hand and I'll have to
do it if that's the only way but I suspect I'm just using a script wrongly
or just not using the right script....is there even a script for this?
So before I start again and do it your way I'd just like to know the answer
to that last little bit because although your method will give me a complete
and correct initial database, when my administrators add users and groups to
the system via NT's UserManager I suspect I will have the same problem.
Oh, one more thing, the passwords don't seem to go across either, next to
sambaNTPassword and sambaLMPassword I get "XXX". This may be solved if I do
things your way too, but this may also be a problem for administrators when
adding users via UserManager when I convert back to an LDAP
backend....hmm...a few more questions have come up in my mind, but I'll save
them for later...after I have re-read the documentation. Anyway, in the
short term I can just add the hashes to an LDIF from a 'net rpc samdump'
right?
I really appreciate your help so far but I just have to iron these few
things out, I can't really present this solution to a technical director
just yet as I don't have it straight in my own head.
I promise I have read ALL of the relevant parts of the HOWTO collection but
for someone like me who is going straight from NT4 to Samba+LDAP you kind of
have to piece things together from different parts of the documentation
which is why I offered to write a complete HOWTO for this specific task, I
will have to document it all for people here anyway.
I'm going to stop now, I know I'm getting this product and support for it
free, I don't want to push my luck!
Thanks a lot,
Sapan
-----Original Message-----
From: John H Terpstra [mailto:jht at samba.org]
Sent: 09 October 2003 03:32
To: Ganguly, Sapan
Cc: 'samba at lists.samba.org'
Subject: RE: [Samba] NT4-Samba Migration Test Results
Sapan,
It is of course a pleasure to help you, but I did expect that my reply was
rather specific enough.
Have you read the Samba-HOWTO-Collection.pdf?
Chapter 31 covers the process (Section 31.1.1.2) covers this rather
completely.
Anyhow, here we go:
1. Configure smb.conf for BDC
[globals]
workgroup = NT4DOMAIN
netbios name = NEWSERVER
passdb backend = tdbsam
domain master = No
domain logons = Yes
os level = 33
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel %u
add group script = /usr/sbin/groupadd %g
add machine script =
/usr/sbin/useradd -d /dev/null -s /bin/false %u
wins server = x.x.x.x
2. Join the domain as a BDC server:
net rpc join -UAdministrator%passsword
3. Migrate accounts:
net rpc vampire -UAdministrator%password
4. Shutdown NT4 PDC
5. Convert Samba-3 BDC to PDC, and make it the WINS server:
[globals]
workgroup = NT4DOMAIN
netbios name = NEWSERVER
passdb backend = tdbsam
domain master = Yes
domain logons = Yes
os level = 33
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel %u
add group script = /usr/sbin/groupadd %g
add machine script =
/usr/sbin/useradd -d /dev/null -s /bin/false %u
wins support = Yes
6. Start Samba PDC.
If all worked correctly then your existing Windows NT4 Domain clients will
be able to log on just as with the original NT4 PDC.
Gotchas:
--------
The biggest problem will be the migration of NT4 Group accounts. You will
need to either:
a) convert all group names to all lower-case and less than 32 characters
_OR_
b) create your own replacement for the "groupadd" command on your system so
that it can add group names that have a space character in them, and that
can have an upper case character in them. You will also need to modify the
way that the NT Group name is passed to the script.
Here is a script that will do the trick, although it is NOT elegant nor does
it do any safety checks. You might call this script: smbaddgrp.sh Of course
it needs to be set to permissions to execute with:
chmod 755 smbgrpadd.sh
PS: That script is published on page 144 as Example 12.1 smbgrpadd.sh in the
Samba-HOWTO-Collection.pdf.
--------------------------------------------------
#!/bin/bash
# Add the group using normal system groupadd tool.
groupadd smbtmpgrp00
grpunconv
thegid='cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3'
# Now change the name to what we want for the MS Windows networking end cp
/etc/group /etc/group.bak cat /etc/group.bak | sed s/smbtmpgrp00/$1/g >
/etc/group grpconv
# Now return the GID as would normally happen.
echo $thegid
exit 0
---------------------------------------------------
You will need to change your smb.conf as follows:
add group script = /usr/sbin/smbgrpadd.sh "%g"
Finally, please note that you must NOT change the Domain Name (WORGROUP) or
the netbios name of the server. If you do, then the SID will change and your
clients will need to be re-joined to the domain.
Oh, and one more pointer (see page 122, Chapter 11.3.2 - The pdbedit
command) for information on how to migrate your account backend to another
backend format.
For example, if you have your migrated accounts in tdbsam (which stores the
accounts in a file called passdb.tdb) and you want to copy them to an
smbpasswd file you can do this as follows:
In smb.conf:
passdb backend = tdbsam, smbpasswd
Execute:
pdbedit -i tdbsam -e smbpasswd
If you have your accounts in smbpasswd and you want to migrate them to
tdbsam:
In smb.conf:
passdb backend = smbpasswd, tdbsam
Execute:
pdbedit -i smbpasswd -e tdbsam
And so on. After migration you can delete the backend that you no longer
need to use from the "passdb backend" parameter line.
Is there something I may have missed? I look forward to your HOWTO.
cheers,
John T.
On Tue, 7 Oct 2003, Ganguly, Sapan wrote:
>
> If someone answers my question I'll even write a howto!
>
> -----Original Message-----
> From: Ganguly, Sapan
> Sent: 06 October 2003 10:06
> To: 'samba at lists.samba.org'
> Cc: 'jht at samba.org'
> Subject: Re: [Samba] NT4-Samba Migration Test Results
>
>
>
> >Larry,
>
> >I have found that the easiest way to migrate from NT4 to SAmba3 is
> >to:
>
> >1. Use tdbsam as a medium for migration.
> >2. Before migrating accounts:
> > i. Make sure that you configure your smb.conf carefully
> > ii. Include all the "user/group/machine scripts"
> > iii. Do NOT run smbd before vampire is run.
> >3. Set up the smb.conf for a Samba-BDC
> >4. Join the domain before running vampire
> >5. Then finally run vampire.
> >
> >IF you want to use an LDAP or smbpasswd backend, use pdbedit to
> >migrate the database.
>
> >- John T.
>
>
> John,
>
> Would it be possible for you to show us a copy of your smb.conf for
> each stage of your migration? I'm also interested in how you use
> pbedit to migrate the database.
>
> Thanks,
> Sapan
>
--
John H Terpstra
Email: jht at samba.org
More information about the samba
mailing list