[Samba] Migration NT4 PDC to Smb3/LDAP/TOOLS: A Success Procedure

Kang Sun ksun at abinitio.com
Mon Jul 26 19:35:09 GMT 2004


Greetings,

    After a few weeks of trying, I figured out how to migrate from NT4 PDC to
Samba-3/LDAP/SMBLDAP-TOOLS, at least in my case.
    I will just explain my setup and my understanding of why it works and why
it fails. I hope it is helpful to others who are in the same situation as I
was.

Basic Setup:
    OS: Fedora-2 (FC2)
    samba-3.0.3 that comes with FC2.
    openldap-2.1.29 that comes with FC2.
    smbldap-tools that comes with samba-3.0.3

Basic guide:
    Samba-3 by Examples Chapter 6 and Chapter 8

Steps:
    *** Using a faked domain for the testing so it won't interfere with the
normal network ****
    1. Follow Example 6.3.1 to configure /etc/openldap/slapd.conf
        Mine is the same except for the following specifics.
            suffix          "dc=ab,dc=com"
            rootdn          "cn=Manager,dc=ab,dc=com"
            rootpw          not24get
    2. Follow Example 6.3.2 to configure /etc/ldap.conf
        Here is my configuration for /etc/ldap.conf
                host 127.0.0.1
                base dc=ab,dc=com
                ssl no
                pam_password md5
       Note: I did not turn on any of the nss directives. I think the right
nss setting is used by default.
    3. PAM and NSS Client Configuration
        On FC2 you can simply run
            authconfig
        and choose Cache,
            [*] Cache Information   [*] Use LDAP
            [*] Use MD5 Passwords [*] Use Shadow Passwords
            [*] Use LDAP Authentication
         Note: This step tells the Unix system to use LDAP for all the
authentication.
                After you exit from authconfig, NSCD (NS cache daemon) will
start.
                /etc/nsswitch.conf is modified to have passwd/group resolved
by ldap.
                ** DO NOT LOG OUT BEFORE YOU HAVE STARTED OPENLDAP **
                or you might not be able to log in again since no LDAP
server is running.
    4. Samba-3 Configuration
            Make /etc/samba/smb.conf according to Examples 6.3.4 6.3.5
6.4.3, 6.4.4 and your organization's particular situation.
            A few entries are different in my /etc/samba/smb.conf
                [global]
                workgroup = ab
                netbios name = PDC
                passdb backend = ldapsam:ldap://127.0.0.1/
                admin users= @"Domain Admins"
                encrypt passwords = Yes
                obey pam restrictions = No
                ldap passwd sync = Yes
                socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
                mangling method = hash2
                domain master = Yes
                os level = 65
                ldap ssl = No
                # I am not sure if all the above are needed, but it worked for me
                ldap suffix = dc=ab,dc=com
                ldap machine suffix = ou=People
                ldap user suffix = ou=Users
                ...
    Note: I use People as the machine holder since I was told that samba
looks for machines in the People group.
                Users seems to hold users fine!
                Test and start samba as instructed.
    5. Configure the smbldap-tools.
        Configure and install smbldap-tools as in the guide; remember to
compile and install MKNTPWD.
        Since I use People as holder for computers, I need to make the
following changes in smbldap_conf.pm
            $computersou = q(People);
        Forget about the section on LDAP entries for now; they will be
created as the migration goes on.
    6. Populate the ldap database
        Start ldap by  /etc/init.d/ldap start
        ./smbldap-populate.pl
        Test it as suggested in the guide.
        Create a user and test it with 'id <username>'. If you see it belongs
to group "Domain Users", the pam/nss authorization is working.
        ** Configure auto start of ldap server by '(cd /etc/rc3.d; ln -s
../init.d/ldap S48ldap)' or something like it. **
        The above step is important to ensure you are able to log in after the
machine restarts.
        Restart sshd '/etc/init.d/sshd restart' to make it aware of the new
authentication scheme and ssh to see the new user you created in ldap
server.
    7. Start the samba server and hopefully your system is a PDC for a faked
domain.

****************** Now for the Migration ********************************************

1. Shutdown the ldap and samba daemon.
        /etc/init.d/ldap stop
        /etc/init.d/smb stop

2. Edit /etc/samba/smb.conf
        domain master = No
        workgroup = <REAL domain>
        add user script = /var/lib/samba/sbin/smbldap-useradd.pl -m "%u"
    Note: this ensures that samba will start as a BDC in the REAL domain.
        **** IMPORTANT: "add user script" should not create a Windows account
during migration.
            The migration process only expects a Posix account and will
create a Windows account as it migrates from the old NT4 domain.
            So remove the "-a" option from the smbldap-useradd.pl script.
Otherwise you will see "user exists" and passwords will not be migrated.
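A small pre-flight check for the smb.conf edits in this step, written here as an added example (it is not the poster's script and not part of smbldap-tools). It parses the [global] section of a constructed smb.conf, in which REALDOM stands in for the real NT4 domain name, and flags the three things this step says must hold before vampiring: domain master turned off, the workgroup set to the real domain, and an add user script that does not pass -a.

```python
"""Check that smb.conf is in the BDC/migration shape described in step 2.

Added example, not the poster's own script. It reads the [global] section
of a constructed smb.conf and reports settings that would make
`net rpc vampire` misbehave (domain master still Yes, wrong workgroup, or an
`add user script` that passes -a and so pre-creates the Windows account).
"""
import re
import shlex

# Constructed sample smb.conf; "REALDOM" is a placeholder for the real NT4 domain.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = REALDOM
    netbios name = PDC
    passdb backend = ldapsam:ldap://127.0.0.1/
    domain master = No
    add user script = /var/lib/samba/sbin/smbldap-useradd.pl -m "%u"
    ldap suffix = dc=ab,dc=com

[homes]
    comment = Home Directories
"""


def parse_global(text):
    """Return the [global] parameters as a dict keyed by lower-cased name.

    Samba compares parameter names case-insensitively and ignores the
    whitespace around '='; comment lines start with '#' or ';'.
    """
    section = None
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def check_migration_config(text, real_domain):
    """Return a list of problems; an empty list means the config matches step 2."""
    g = parse_global(text)
    problems = []
    if g.get("domain master", "").lower() not in ("no", "false", "0"):
        problems.append("domain master must be No so Samba comes up as a BDC")
    if g.get("workgroup", "").lower() != real_domain.lower():
        problems.append("workgroup must be the real NT4 domain (%s)" % real_domain)
    script = g.get("add user script", "")
    if not script:
        problems.append("add user script is missing, so vampire cannot create POSIX accounts")
    elif "-a" in shlex.split(script):
        problems.append("add user script passes -a; vampire creates the Windows account itself")
    return problems


if __name__ == "__main__":
    for msg in check_migration_config(SAMPLE_SMB_CONF, "REALDOM") or ["smb.conf looks ready"]:
        print(msg)
```

Run it against the real file with `check_migration_config(open("/etc/samba/smb.conf").read(), "<REAL domain>")` before step 3; the only parsing it does is the plain `key = value` form, which is all the [global] section in this post uses.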

3. Clean up all the previous ldap and samba entries.
        rm -rf /var/lib/ldap/*    # clean up the ldap database
        rm -f /var/cache/samba/*    # clean up the cached samba entries.
        rm -f /etc/samba/*.tdb        # clean up all existing tdb files
    Note: ** Cleaning up is needed whenever you change your configuration,
otherwise you will have unexpected results. **

4. Get your Domain SID as instructed
    net rpc getsid -S <PDC server> -W <Real domain>
    Also run "smbpasswd -w not24get"
    Run "tdbdump /etc/samba/secrets.tdb" to see what is in this tdb.

5. Preload the database
    Refer to Example 8.3.1
    After several trials I realized that I needed to preload a few more
entries to make the migration work!
    In addition to the entries suggested, I made the following entries.
    *** replace the domain part of the SID with the SID you obtained from the
above step ***

        dn: ou=Users,dc=ab,dc=com
        objectClass: top
        objectClass: organizationalUnit
        ou: Users
        structuralObjectClass: organizationalUnit
    Note: This is needed since we hold all users in the Users group

        dn: cn=Domain Admins,ou=Groups,dc=ab,dc=com
        objectClass: posixGroup
        objectClass: sambaGroupMapping
        cn: Domain Admins
        gidNumber: 512
        structuralObjectClass: posixGroup
        entryUUID: d5c6a642-736b-1028-828a-f4f139c67fb5
        sambaSID: S-1-5-21-72881033-379349262-1855928443-512
        sambaGroupType: 2
        displayName: Domain Admins
        description: Designated administrators of the domain
        entryCSN: 2004072616:23:12Z#0x0002#0#0000
    Note: smbldap-tools assumes the "Domain Admins" group is mapped to GID 512.
Without this entry, the migration will create a "Domain Admins" group with a
random GID.

        dn: cn=Domain Users,ou=Groups,dc=ab,dc=com
        objectClass: posixGroup
        objectClass: sambaGroupMapping
        cn: Domain Users
        gidNumber: 513
        structuralObjectClass: posixGroup
        entryUUID: d792f890-736b-1028-828b-f4f139c67fb5
        sambaSID: S-1-5-21-72881033-379349262-1855928443-513
        sambaGroupType: 2
        displayName: Domain Users
        description: All domain users
        entryCSN: 2004072616:23:15Z#0x0002#0#0000
    Note: smbldap-tools expects "Domain Users" to be mapped to GID 513.
        ** This entry is important, or you will get a "Group 513 does not
exist" error during migration. **

        dn: cn=Domain Guests,ou=Groups,dc=ab,dc=com
        objectClass: posixGroup
        objectClass: sambaGroupMapping
        cn: Domain Guests
        gidNumber: 514
        structuralObjectClass: posixGroup
        entryUUID: d95eacaa-736b-1028-828c-f4f139c67fb5
        creatorsName: cn=Manager,dc=ab,dc=com
        createTimestamp: 20040726162318Z
        sambaSID: S-1-5-21-72881033-379349262-1855928443-514
        sambaGroupType: 2
        displayName: Domain Guests
        description: All domain guests
        entryCSN: 2004072616:23:18Z#0x0002#0#0000
    Note: I am not sure how important this is.

        dn: uid=Administrator,ou=Users,dc=ab,dc=com
        objectClass: top
        objectClass: inetOrgPerson
        objectClass: posixAccount
        objectClass: sambaSamAccount
        cn: Administrator
        sn: Administrator
        uid: Administrator
        uidNumber: 0
        gidNumber: 512
        homeDirectory: /u/Administrator
        loginShell: /bin/tcsh
        gecos: System User
        structuralObjectClass: inetOrgPerson
        entryUUID: eb4d3030-736b-1028-8296-f4f139c67fb5
        sambaSID: S-1-5-21-72881033-379349262-1855928443-500
        sambaPrimaryGroupSID: S-1-5-21-72881033-379349262-1855928443-512
        description: Built-in account for administering the computer/domain
        sambaLogonTime: 1090857052
        sambaLogoffTime: 981830074
        sambaLMPassword: A97D5AFE0D3EF79944CBCFC86460DB9E
        sambaNTPassword: 015B5326F969E4741241A45F1C734BAD
        sambaPwdLastSet: 1052497723
        sambaAcctFlags: [UX         ]
        entryCSN: 2004072616:23:49Z#0x0001#0#0000
    Note: smbldap-tools expects the Administrator account to have UID 0 and
GID 512. Without this entry, the migration process will create an
unprivileged Administrator account.
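The preload entries above are easy to get wrong by hand, in particular the "replace the domain part of the SID" step. The following is an added example (not the poster's LDIF and not smbldap-tools code) that builds the same set of entries from the domain SID returned by `net rpc getsid`, and then checks an LDIF for the consistency the notes above call for: every SID under the right domain, the well-known groups at GID/RID 512, 513 and 514, and Administrator at RID 500 with uidNumber 0 and gidNumber 512. The suffix dc=ab,dc=com and the ou names follow the post; the SID, home directory and shell used below are constructed placeholders, and the operational attributes (entryUUID, entryCSN and so on) from the poster's slapcat dump are left out because slapd assigns them itself.

```python
"""Generate and sanity-check the step 5 preload LDIF.

Added example, not the poster's LDIF or any smbldap-tools code. Password
attributes are deliberately absent: net rpc vampire fills them in from the
NT4 SAM, as the post describes.
"""
import re

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

# Well-known RIDs; the post says smbldap-tools expects exactly these GIDs.
WELL_KNOWN_GROUPS = {
    "Domain Admins": (512, "Designated administrators of the domain"),
    "Domain Users": (513, "All domain users"),
    "Domain Guests": (514, "All domain guests"),
}
ADMIN_RID = 500

# Constructed domain SID; the real one comes from `net rpc getsid`.
SAMPLE_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def build_preload_ldif(domain_sid, suffix="dc=ab,dc=com", users_ou="Users", groups_ou="Groups"):
    """Return LDIF text for slapadd with the containers, groups and Administrator."""
    if not SID_RE.match(domain_sid):
        raise ValueError("not a domain SID: %s" % domain_sid)
    entries = [
        "dn: ou=%s,%s\nobjectClass: top\nobjectClass: organizationalUnit\nou: %s\n"
        % (users_ou, suffix, users_ou)
    ]
    for name, (gid, desc) in WELL_KNOWN_GROUPS.items():
        entries.append(
            "dn: cn=%s,ou=%s,%s\n" % (name, groups_ou, suffix)
            + "objectClass: posixGroup\nobjectClass: sambaGroupMapping\n"
            + "cn: %s\ngidNumber: %d\nsambaSID: %s-%d\n" % (name, gid, domain_sid, gid)
            + "sambaGroupType: 2\ndisplayName: %s\ndescription: %s\n" % (name, desc)
        )
    # uidNumber 0 follows the post (smbldap-tools expects it); note that this
    # makes the domain Administrator root on the Unix host as well.
    entries.append(
        "dn: uid=Administrator,ou=%s,%s\n" % (users_ou, suffix)
        + "objectClass: top\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\n"
        + "objectClass: sambaSamAccount\ncn: Administrator\nsn: Administrator\n"
        + "uid: Administrator\nuidNumber: 0\ngidNumber: 512\n"
        + "homeDirectory: /home/Administrator\nloginShell: /bin/false\n"  # placeholders
        + "sambaSID: %s-%d\nsambaPrimaryGroupSID: %s-512\n" % (domain_sid, ADMIN_RID, domain_sid)
        + "sambaAcctFlags: [UX         ]\n"
    )
    return "\n".join(entries)


def parse_ldif(text):
    """Minimal reader for the plain `attr: value` LDIF form used in the post.

    Returns one dict per entry mapping attribute -> list of values. Base64
    (`::`) values and continuation lines are not handled.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_preload(text, domain_sid):
    """Return problems found; an empty list means SIDs, RIDs and GIDs are consistent."""
    problems, seen = [], set()
    for e in parse_ldif(text):
        dn = e.get("dn", ["?"])[0]
        # Every SID in the file must carry the domain part from `net rpc getsid`.
        for sid in e.get("sambaSID", []) + e.get("sambaPrimaryGroupSID", []):
            if not sid.startswith(domain_sid + "-"):
                problems.append("%s: %s is not under domain %s" % (dn, sid, domain_sid))
        cn = e.get("cn", [""])[0]
        if cn in WELL_KNOWN_GROUPS and "posixGroup" in e.get("objectClass", []):
            seen.add(cn)
            want = WELL_KNOWN_GROUPS[cn][0]
            rid = e.get("sambaSID", [""])[0].rsplit("-", 1)[-1]
            if e.get("gidNumber") != [str(want)] or rid != str(want):
                problems.append("%s: expected gidNumber and RID %d" % (dn, want))
        if e.get("uid") == ["Administrator"]:
            seen.add("Administrator")
            rid = e.get("sambaSID", [""])[0].rsplit("-", 1)[-1]
            if e.get("uidNumber") != ["0"] or e.get("gidNumber") != ["512"] or rid != str(ADMIN_RID):
                problems.append("%s: expected uidNumber 0, gidNumber 512, RID %d" % (dn, ADMIN_RID))
    for name in list(WELL_KNOWN_GROUPS) + ["Administrator"]:
        if name not in seen:
            problems.append("missing entry for %s" % name)
    return problems


if __name__ == "__main__":
    ldif = build_preload_ldif(SAMPLE_DOMAIN_SID)
    print(ldif)
    print(check_preload(ldif, SAMPLE_DOMAIN_SID) or ["preload LDIF is consistent"])
```

Write the output of `build_preload_ldif(<your SID>)` to preload.LDIF and run `check_preload` on it with the same SID before the slapadd in step 6; running the check with a different SID shows the kind of mismatch the warning above is about, one problem per SID attribute that still carries the old domain part.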

6. Now run the preload
        slapadd -v -l preload.LDIF
    Note: ldap daemon should be up at this point.
        chown ldap:ldap /var/lib/ldap/*
    Note: This changes the owner and group to ldap.
        /etc/init.d/ldap start

7. Join your server into domain
        net rpc join BDC -S <PDC Server> -W <REAL domain> -U
Administrator%<admin passwd>
    Note: samba should not be running at this time. Otherwise you will get a
"Cannot Set Creds" error.

8. Vampiring ....
        net rpc vampire -S <PDC server> -U administrator%<admin passwd>
    Note: samba should not be running at this time. Otherwise you will get a
"Cannot Set Creds" error.

Let me know if I missed any step.

Good luck!

--- Kang Sun