[Samba] NT4-Samba Migration Test Results

John H Terpstra jht at samba.org
Thu Oct 9 14:56:54 GMT 2003

On Thu, 9 Oct 2003, Ganguly, Sapan  wrote:

> John,
> Thank you very much, that has filled in a few gaps but I have one more
> question.  Once I've used pdbedit to migrate everything to an LDAP backend
> how should the scripts part of my smb.conf look then?

The scripts need to be appropriate for the backend database. The scripts
needed to support the Samba3 LDAP schema are included in the
~samba/examples/LDAP directory. You will most likely need to modify them
for your platform.

OS Platform vendors (eg: SuSE) ship their product with highly customized
scripts already in place. It may be worth considering use of a commercial
product so as to avoid the necessity of solving the problem of getting all
of this to work. On the other hand, making it work by yourself can be a
valuable learning experience.

> You see, the way I did it was to set up my LDAP database first, then setup
> Samba and put the scripts from smbldap-tools into my smb.conf.  I then ran

You should consider the complexity of what you are trying to do. I believe
in the KISS (Keep It Surprisingly Simple) approach to building a complex
network. You have created an environment in which you need to master
Samba-3, LDAP and the interaction of MS Windows protocols with them - all
in one big chunk. My approach is simply to make the migration to the least
complex environment possible.

Instead of migrating NT4 directly to Samba-3 and LDAP, why not migrate to
the tdbsam backend. Then when you have completed the migration and are
happy with the configuration migrate tdbsam to LDAP. That final migration
step is relatively simple, as shown by the use of pdbedit.

> 'net rpc vampire' and that took everything across, all the users, groups,
> and computers went into the database. The only problem was that the most
> groups were empty, in fact the only group that is populated is Domain Users.

That sounds to me as if your script for adding uses to groups was
defective. Note however, that Samba-3 does NOT support nested groups. That
is a feature we hope to add some time later.

> We have a lot of groups on our site, each time a new project is started we
> create a new group and put the team members in it, we have hundreds!!  I did
> contemplate putting people back into their groups by hand and I'll have to
> do it if that's the only way but I suspect I'm just using a script wrongly
> or just not using the right script....is there even a script for this?

You probably need to adjust and reconfigure your NT Group architecture
anyhow. Given that Samba-3 is not Windows NT4 or 200x, it is
understandable that trade-offs were made in the design. This means that to
some extent it is impossible to avoid manual reconfiguration.

> So before I start again and do it your way I'd just like to know the answer
> to that last little bit because although your method will give me a complete
> and correct initial database, when my administrators add users and groups to
> the system via NT's UserManager I suspect I will have the same problem.

Use of the NT4 Domain User Manager should work fine. If it does not then
your scripts are the logical suspects. You can use the debug level to
diagnose what instructions samba is receiving and how they are being

> Oh, one more thing, the passwords don't seem to go across either, next to
> sambaNTPassword and sambaLMPassword I get "XXX".  This may be solved if I do

Your scripts are suspect. I ran two workshops in Switzerland recently,
both migrated an NT4 server to Samba-3 with a tdbsam backend and both
migrated flawlessly with full recovery of the passwords.

> things your way too, but this may also be a problem for administrators when
> adding users via UserManager when I convert back to an LDAP
> backend....hmm...a few more questions have come up in my mind, but I'll save
> them for later...after I have re-read the documentation.  Anyway, in the
> short term I can just add the hashes to an LDIF from a 'net rpc samdump'
> right?

Why do it this way? Fix your scripts instead. That way you only need to
spend your energy once.

> I really appreciate your help so far but I just have to iron these few
> things out, I can't really present this solution to a technical director
> just yet as I don't have it straight in my own head.


> I promise I have read ALL of the relevant parts of the HOWTO collection but
> for someone like me who is going straight from NT4 to Samba+LDAP you kind of
> have to piece things together from different parts of the documentation
> which is why  I offered to write a complete HOWTO for this specific task, I
> will have to document it all for people here anyway.

Send me your HOWTO when it is done. I'll add it to the documentation.

> I'm going to stop now, I know I'm getting this product and support for it
> free, I don't want to push my luck!

No way! I am billing you for my time and effort. The price I am asking you
to pay is to deliver your HOWTO.

- John T.

> Thanks a lot,
> Sapan
> -----Original Message-----
> From: John H Terpstra [mailto:jht at samba.org]
> Sent: 09 October 2003 03:32
> To: Ganguly, Sapan
> Cc: 'samba at lists.samba.org'
> Subject: RE: [Samba] NT4-Samba Migration Test Results
> Sapan,
> It is of course a pleasure to help you, but I did expect that my reply was
> rather specific enough.
> Have you read the Samba-HOWTO-Collection.pdf?
> Chapter 31 covers the process (Section covers this rather
> completely.
> Anyhow, here we go:
> 1. Configure smb.conf for BDC
>    [globals]
> 	workgroup = NT4DOMAIN
> 	netbios name = NEWSERVER
> 	passdb backend = tdbsam
> 	domain master = No
> 	domain logons = Yes
> 	os level = 33
> 	add user script = /usr/sbin/useradd -m %u
> 	delete user script = /usr/sbin/userdel %u
> 	add group script = /usr/sbin/groupadd %g
> 	add machine script =
> 		/usr/sbin/useradd -d /dev/null -s /bin/false %u
> 	wins server = x.x.x.x
> 2. Join the domain as a BDC server:
> 	net rpc join -UAdministrator%passsword
> 3. Migrate accounts:
> 	net rpc vampire -UAdministrator%password
> 4. Shutdown NT4 PDC
> 5. Convert Samba-3 BDC to PDC, and make it the WINS server:
>    [globals]
>         workgroup = NT4DOMAIN
>         netbios name = NEWSERVER
> 	passdb backend = tdbsam
>         domain master = Yes
>         domain logons = Yes
>         os level = 33
>         add user script = /usr/sbin/useradd -m %u
>         delete user script = /usr/sbin/userdel %u
>         add group script = /usr/sbin/groupadd %g
>         add machine script =
>                 /usr/sbin/useradd -d /dev/null -s /bin/false %u
>         wins support = Yes
> 6. Start Samba PDC.
> If all worked correctly then your existing Windows NT4 Domain clients will
> be able to log on just as with the original NT4 PDC.
> Gotchas:
> --------
> The biggest problem will be the migration of NT4 Group accounts. You will
> need to either:
> a) convert all group names to all lower-case and less than 32 characters
> _OR_
> b) create your own replacement for the "groupadd" command on your system so
> that it can add group names that have a space character in them, and that
> can have an upper case character in them. You will also need to modify the
> way that the NT Group name is passed to the script.
> Here is a script that will do the trick, although it is NOT elegant nor does
> it do any safety checks. You might call this script: smbaddgrp.sh Of course
> it needs to be set to permissions to execute with:
> 	chmod 755 smbgrpadd.sh
> PS: That script is published on page 144 as Example 12.1 smbgrpadd.sh in the
> Samba-HOWTO-Collection.pdf.
> --------------------------------------------------
> #!/bin/bash
> # Add the group using normal system groupadd tool.
> groupadd smbtmpgrp00
> grpunconv
> thegid='cat /etc/group | grep smbtmpgrp00 | cut -d ":" -f3'
> # Now change the name to what we want for the MS Windows networking end cp
> /etc/group /etc/group.bak cat /etc/group.bak | sed s/smbtmpgrp00/$1/g >
> /etc/group grpconv
> # Now return the GID as would normally happen.
> echo $thegid
> exit 0
> ---------------------------------------------------
> You will need to change your smb.conf as follows:
> 	add group script = /usr/sbin/smbgrpadd.sh "%g"
> Finally, please note that you must NOT change the Domain Name (WORGROUP) or
> the netbios name of the server. If you do, then the SID will change and your
> clients will need to be re-joined to the domain.
> Oh, and one more pointer (see page 122, Chapter 11.3.2 - The pdbedit
> command) for information on how to migrate your account backend to another
> backend format.
> For example, if you have your migrated accounts in tdbsam (which stores the
> accounts in a file called passdb.tdb) and you want to copy them to an
> smbpasswd file you can do this as follows:
> 	In smb.conf:
> 		passdb backend = tdbsam, smbpasswd
> 	Execute:
> 		pdbedit -i tdbsam -e smbpasswd
> If you have your accounts in smbpasswd and you want to migrate them to
> tdbsam:
> 	In smb.conf:
> 		passdb backend = smbpasswd, tdbsam
> 	Execute:
> 		pdbedit -i smbpasswd -e tdbsam
> And so on. After migration you can delete the backend that you no longer
> need to use from the "passdb backend" parameter line.
> Is there something I may have missed? I look forward to your HOWTO.
> cheers,
> John T.
> On Tue, 7 Oct 2003, Ganguly, Sapan  wrote:
> >
> > If someone answers my question I'll even write a howto!
> >
> > -----Original Message-----
> > From: Ganguly, Sapan
> > Sent: 06 October 2003 10:06
> > To: 'samba at lists.samba.org'
> > Cc: 'jht at samba.org'
> > Subject: Re: [Samba] NT4-Samba Migration Test Results
> >
> >
> >
> > >Larry,
> >
> > >I have found that the easiest way to migrate from NT4 to SAmba3 is
> > >to:
> >
> > >1. Use tdbsam as a medium for migration.
> > >2. Before migrating accounts:
> > >	i. Make sure that you configure your smb.conf carefully
> > >	ii. Include all the "user/group/machine scripts"
> > >	iii. Do NOT run smbd before vampire is run.
> > >3. Set up the smb.conf for a Samba-BDC
> > >4. Join the domain before running vampire
> > >5. Then finally run vampire.
> > >
> > >IF you want to use an LDAP or smbpasswd backend, use pdbedit to
> > >migrate the database.
> >
> > >- John T.
> >
> >
> > John,
> >
> > Would it be possible for you to show us a copy of your smb.conf for
> > each stage of your migration?  I'm also interested in how you use
> > pbedit to migrate the database.
> >
> > Thanks,
> > Sapan
> >

John H Terpstra
Email: jht at samba.org

More information about the samba mailing list