[Samba] Report: NT4PDC to Samba3beta3 working
Nick 'Zaf' Clifford
zaf at nrc.co.nz
Sat Aug 16 08:56:44 GMT 2003
-----BEGIN PGP SIGNED MESSAGE-----
I have posted here in the last few weeks with various questions regarding
samba 3, so I thought you'd all like to know, I've got it working.
The setup is:
Samba 3.0beta3 running on a Debian Woody box (with a few tools backported from
with an LDAP backend (OpenLDAP 2.1)
Samba is setup:
* with posix file attributes (see http://acl.bestbits.at)
* as a Primary Domain controller.
I pulled all the user accounts and group accounts across and kept the same
The only thing I couldn't do was carry the files across with the right acl
entries. (I tried with windows (using scopy), but got access denied
errors (?!), and couldn't find a linux tool for it).
I will try and produce a document discussing all the things I found later, but
for now, here is a brief overview of the procedure.
Compiled samba 3.0 using debian package scripts (bug: There is a makefile
patch that needs to be deleted first)
Backported OpenLDAP latest to woody.
Setup LDAP authentication (e.g. pulled all the user/groups into ldap using padl
tools, nsswitch, pam, etc).
Configured samba to use the ldap server (another bug I noticed further on was
a problem with 'ldap group suffix', it works better if you leave it blank).
During this whole time, I spent quite a bit of it with high debug levels, and
looking through logs; it's not for the faint of heart.
The biggest problem I had was the 'net' tool crashing, turned out (see
https://bugzilla.samba.org/show_bug.cgi?id=278) after a long time spent
learning the samba source, debugging, etc, that the 'ldap group suffix' needs
to be nothing.
I'm not sure why that was.
Anyway, after playing around a bit with some manually created accounts, I
setup the "add user script", "add group script", "add machine script", and
"add user to group script".
(I custom wrote those scripts, what most of them do is call adduser/addgroup
with sane settings).
(btw - I got a ldap enabled adduser for debian from someone whose name escapes
me.. if you hunt through Debian's BTS, you'll find someone talking about it,
he has it).
The "add group script" script was written in perl, and took the windows
requested group name (e.g. "My Users Group_This is the one!" (which unix would
throw a fit over if you tried to create a group with that name)), and "safed"
it (converted to lowercase, replaced spaces, underscores, etc, with dashes).
Once I had all the scripts working, and I could use Windows' usrmgr.exe
program to add/remove/alter users and groups without problem, I then had some
fun pulling the user/group lists from the old NT4PDC.
(another bug to note: For some reason, I can add and remove users from groups
in usrmgr.exe under the User properties, but if I bring up a group's
properties, and try to add/remove a user from the group, it fails. Never did
find out why, didn't really need to).
First, I added the samba server as a BDC,
then found the NT4's sid (as per the migration documentation), and then I
_ALTERED_ my samba's sid to be that. Rather crudely, I dumped the ldap
database to a ldif file, then sed 's/samba_sid/nts_sid/g' < ldap.ldif >
Hey, it worked. (I think I needed to redo smbpasswd -w <ldappass>).
Then I did the net vampire bit... Wow that was fun.....
Many errors came up, but after investigating each of them, I either determined
that they were harmless, or I fixed them.
(btw - I found its perfectly safe to vampire the user/groups over and over
again till you get it right).
After that, another dump of the ldif, and a quick fiddle with sed/perl/grep,
In the end, I got it working... finally.
Oh, and samba3 with posix acls works like a dream. Users can use the ACL lists
in windows with very few problems, and generally don't notice anything
different from NT4.
It took the better part of 2 weeks of work to get it fully working.
Admittedly, I have a rather custom setup, so that plays a part in it.
My experience before this trial: I am/was a coder, and have messed with large
programs before, debugged, etc, and consider myself pretty good at coding and
debugging. So if you can't code, I would advise caution before attempting
something like my experience. I frequently used the samba source to answer
questions where the documentation failed, or to figure out why samba was
reporting various things in the log.
If anyone would like any of the tools/scripts I mentioned, please feel free to
send me an email, however it will take a few days to get organized enough to
send the tools/scripts.
I will also CONSIDER posting my smb.conf and ldap server's .ldif dump, but they
will be heavily edited for security reasons.
If anyone has any questions of me, please remember a few things:
1) I'm not a samba developer, I don't even play one on TV.
2) Your questions will, I'm afraid, be a low priority for me. I have a very
busy work schedule, so you may not get responses back for awhile, however, I
will try my best, especially if you ask specific questions, and not hunt for
3) I will not "tell you how I did it".. I've already done that in this email.
If you want information on a particular area, I may be able to help, but
requests of "My samba server doesn't work, it crashes, or nt logins don't
work, please tell me how you did it", will go straight to /dev/null. Sorry.
4) I have a bad memory, so I've already forgotten lots of things I discovered.
Anyway, good luck all on your samba quests,
and thanks to the samba developers, despite my rocky road, you make a GREAT
product, and samba stable (2.2.*), is always rock solid and works well for
Nick 'Zaf' Clifford <zaf at nrc.co.nz> GnuPG: 0xA8D0F53D
In matters of style, swim with the current; in matters of
principle, stand like a rock - Thomas Jefferson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: public key: http://www.nrc.co.nz/Zaf/pubkey.txt
-----END PGP SIGNATURE-----
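The group-name "safing" step the post describes (lowercase the Windows name, turn spaces, underscores and the like into dashes, then hand it to adduser/addgroup), written out as an added example. This is not the author's Perl script and is not part of the original message. It assumes Samba's `add group script` is pointed at this file with the `%g` substitution as its only argument, that Debian's `addgroup` is used with its default NAME_REGEX (`^[a-z][-a-z0-9]*$`), and it adds checks the post does not mention: every run of non-alphanumeric characters (not just spaces and underscores) collapses to one dash, the name must start with a letter and fit the 32-character Linux limit, and the name reaches addgroup as an argv list rather than through a shell, since `%g` is whatever a domain admin typed into usrmgr.exe.

```python
#!/usr/bin/env python3
"""Hypothetical 'add group script' for Samba 3 (example code, not the
author's): derive a safe Unix group name from a Windows group name and
create it with Debian's addgroup.

Assumed smb.conf wiring:
    add group script = /usr/local/sbin/smb-addgroup "%g"
"""
import re
import subprocess
import sys

MAX_LEN = 32                                  # Linux group names are capped at 32 chars
NAME_RE = re.compile(r"^[a-z][-a-z0-9]*$")    # Debian adduser's default NAME_REGEX


def safe_group_name(win_name: str) -> str:
    """Map a Windows group name to a Unix-safe one.

    Rules from the post: lowercase, spaces/underscores/etc. become dashes.
    Added here: any run of characters outside [a-z0-9] collapses to a single
    dash, leading/trailing dashes are trimmed, the result must start with a
    letter, and it is cut to MAX_LEN and re-checked against NAME_RE.
    """
    name = win_name.lower()
    name = re.sub(r"[^a-z0-9]+", "-", name)   # ' ', '_', '!', ';', '/', quotes ... -> '-'
    name = name.strip("-")
    if not name or not name[0].isalpha():
        raise ValueError(f"cannot derive a Unix group name from {win_name!r}")
    name = name[:MAX_LEN].rstrip("-")
    if not NAME_RE.match(name):
        raise ValueError(f"unsafe group name {name!r}")
    return name


def addgroup_command(unix_name: str) -> list:
    """argv for creating the group. A list, never a shell string, so a hostile
    group name cannot smuggle shell metacharacters into the command."""
    return ["addgroup", "--quiet", unix_name]


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: smb-addgroup <windows group name>\n")
        return 2
    try:
        unix_name = safe_group_name(argv[1])
    except ValueError as exc:
        sys.stderr.write(f"smb-addgroup: {exc}\n")
        return 1
    # subprocess.run with a list does no shell interpretation of the name
    return subprocess.run(addgroup_command(unix_name), check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With this wiring, creating "My Users Group_This is the one!" from usrmgr.exe ends up as the Unix group `my-users-group-this-is-the-one`; a name that cannot be made safe (one with no leading letter, for instance) makes the script exit non-zero, which smbd reports as a failed group add rather than silently creating something odd.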