[Samba] Report: NT4PDC to Samba3beta3 working

Nick 'Zaf' Clifford zaf at nrc.co.nz
Sat Aug 16 08:56:44 GMT 2003


Heyya all.

I have posted here in the last few weeks with various questions regarding 
samba 3, so I thought you'd all like to know, I've got it working.
The setup is:
Samba 3.0beta3 running on a Debian Woody box (with a few tools backported from 
with an LDAP backend (OpenLDAP 2.1)
Samba is setup:
* with posix file attributes (see http://acl.bestbits.at)
* as a Primary Domain controller.

I pulled all the user accounts and group accounts across and kept the same 
password, etc.

The only thing I couldn't do was carry the files across with the right acl 
entries. (I tried with windows (using scopy), but got access denied 
errors (?!), and couldn't find a linux tool for it).

I will try and produce a document discussing all the things I found later, but 
for now, here is a brief overview of the procedure.

Compiled samba 3.0 using debian package scripts (bug: There is a makefile 
patch that needs to be deleted first)
Backported OpenLDAP latest to woody.
Setup LDAP authentication (eg pulled all the user/groups into ldap using padl 
tools, nsswitch, pam, etc).
Configured samba to use the ldap server (another bug I noticed further on was 
a problem with 'ldap group suffix', it works better if you leave it blank).
During this whole time, I spent quite a bit of it with high debug levels, and 
looking through logs, it's not for the faint of heart.
The biggest problem I had was the 'net' tool crashing, turned out (see 
https://bugzilla.samba.org/show_bug.cgi?id=278) after a long time spent 
learning the samba source, debugging, etc, that the 'ldap group suffix' needs 
to be nothing.
I'm not sure why that was.

Anyway, after playing around a bit with some manually created accounts, I 
setup the "add user script", "add group script", "add machine script", and 
"add user to group script".
(I custom wrote those scripts, what most of them do is call adduser/addgroup 
with sane settings).
(btw - I got a ldap enabled adduser for debian from someone whose name escapes 
me.. if you hunt through Debian's BTS, you'll find someone talking about it, 
he has it).

The "add group script" script was written in perl, and took the windows 
requested group name (eg "My Users Group_This is the one!" (which unix would 
throw a fit over if you tried to create a group with that name)), and "safed" 
it. (converted to lowercase, replaced spaces, underscores, etc, with dashes).

Once I had all the scripts working, and I could use windows's usrmgr.exe 
program to add/remove/alter users and groups without problem, then had some 
fun pulling the user/group lists from the old NT4PDC.
(another bug to note: For some reason, I can add and remove users from groups 
in usrmgr.exe under the User properties, but if I bring up a group's 
properties, and try to add/remove a user from the group, it fails. Never did 
find out why, didn't really need to).
First, I added the samba server as a BDC,
then found the NT4's sid (as per the migration documentation), and then I 
_ALTERED_ my samba's sid to be that. Rather crudely, I dumped the ldap 
database to a ldif file, then sed 's/samba_sid/nts_sid/g' < ldap.ldif > 
Hey, it worked. (I think I needed to redo smbpasswd -w <ldappass>).
Then I did the net vampire bit... Wow that was fun.....
Many errors came up, but after investigating each of them, I either determined 
that they were harmless, or I fixed them.
(btw - I found its perfectly safe to vampire the user/groups over and over 
again till you get it right).
After that, another dump of the ldif, and a quick fiddle with sed/perl/grep, 

In the end, I got it working... finally.
Oh, and samba3 with posix acls works like a dream. Users can use the ACL lists 
in windows with very few problems, and generally don't notice anything 
different from NT4.

It took the better part of 2 weeks of work to get it fully working.
Admittedly, I have a rather custom setup, so that plays a part in it.
My experience before this trial: I am/was a coder, and have messed with large 
programs before, debugged, etc, and consider myself pretty good at coding and 
debugging. So if you can't code, I would advise caution before attempting 
something like my experience. I frequently used the samba source to answer 
questions where the documentation failed, or to figure out why samba was 
reporting various things in the log.

If anyone would like any of the tools/scripts I mentioned, please feel free to 
send me an email, however it will take a few days to get organized enough to 
send the tools/scripts.
I will also CONSIDER posting my smb.conf and ldap servers .ldif dump, but they 
will be heavily edited for security reasons.

If anyone has any questions of me, please remember a few things:
1) I'm not a samba developer, I don't even play one on TV.
2) Your questions will, I'm afraid, be a low priority for me. I have a very 
busy work schedule, so you may not get responses back for awhile, however, I 
will try my best, especially if you ask specific questions, and not hunt for 
vague clues.
3) I will not "tell you how I did it".. I've already done that in this email. 
If you want information on a particular area, I may be able to help, but 
requests of "My samba server doesn't work, it crashes, or nt logins don't 
work, please tell me how you did it", will go straight to /dev/null. Sorry.
4) I have a bad memory, so I've already forgotten lots of things I discovered.

Anyway, good luck all on your samba quests,
and thanks to the samba developers, despite my rocky road, you make a GREAT 
product, and samba stable (2.2.*), is always rock solid and works well for 

-- 
Nick 'Zaf' Clifford <zaf at nrc.co.nz> GnuPG: 0xA8D0F53D
In matters of style, swim with the current; in matters of 
principle, stand like a rock - Thomas Jefferson
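The "add group script" described above, as an added example that is not the poster's Perl script: it maps a Windows group name such as "My Users Group_This is the one!" to a name Debian's addgroup will accept and then calls addgroup. It assumes addgroup's default name rule (lowercase letter first, then lowercase letters, digits and dashes) and the 32-character group name limit; `add_group` takes an injectable runner so the logic can be tested without root.

```python
"""Hypothetical Samba 'add group script' (added example): Windows group
name in, unix-safe group name out, then addgroup is invoked."""
import re
import subprocess
import sys

# Assumption: Debian addgroup's default NAME_REGEX is ^[a-z][-a-z0-9]*$
# and group names are capped at 32 characters (groupadd's limit).
MAX_LEN = 32
VALID_NAME = re.compile(r"^[a-z][-a-z0-9]*$")


def safe_group_name(win_name: str) -> str:
    """Lowercase the name, turn every run of spaces, underscores or other
    punctuation into one dash, drop dashes at the ends, force a letter
    first and cap the length. Raises ValueError if nothing usable is left."""
    name = win_name.lower()
    name = re.sub(r"[^a-z0-9]+", "-", name)  # anything not alnum -> dash
    name = name.strip("-")
    if not name:
        raise ValueError(f"cannot derive a unix group name from {win_name!r}")
    if not name[0].isalpha():
        name = "g" + name                    # e.g. "2nd floor" -> "g2nd-floor"
    name = name[:MAX_LEN].rstrip("-")        # cap, and never end on a dash
    if not VALID_NAME.match(name):
        raise ValueError(f"cannot derive a unix group name from {win_name!r}")
    return name


def add_group(win_name: str, runner=subprocess.run) -> str:
    """Create the group via addgroup; returns the unix name samba will see.
    `runner` defaults to subprocess.run and is injectable for testing."""
    unix_name = safe_group_name(win_name)
    runner(["addgroup", "--quiet", unix_name], check=True)
    return unix_name


if __name__ == "__main__":
    # smb.conf: add group script = /usr/local/sbin/add_group.py "%g"
    print(add_group(sys.argv[1]))
```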

