[Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

GG jojomi at gmail.com
Fri Apr 2 09:01:48 MDT 2010


Hi all,

So I have
openldap2-2.1.12-74
samba-2.2.7a-72

I would like to migrate this existing PDC service to a new server and
to current production / stable releases (especially for windows 7
joining to the domain).

New server is Debian Lenny stable.

I have exported the domain SID, and ldap.ldif

Now let's get down to it :-)
Before importing should I do something about organizational units and so? How?

> Import only data to LDAP no configs (slapcat->slapadd)
 slapadd -c -l slapcat.ldif
I did this but attached errors showed up.

Error, entries missing!
  entry 3: dc=people,dc=ExampleDomain,dc=it
  entry 4: dc=groups,dc=people,dc=ExampleDomain,dc=it


I know nothing about ldap, but my ldap is probably missing some pre
required settings ? :-/

Cheers!
Giorgio

> Configs yes, live data no, but if you have ldap it *should* be enough to
> import ldif from old server, configure samba to use ldap and run smbpasswd
> -W to store ldap admin dn pass to secrets.tdb. After that you can test if
> samba see imported users in ldap (pdbedit -L).






On 3/27/10, Vladimir Psenicka <vladimir.psenicka at prodeco.cz> wrote:
> On Fri, 26 Mar 2010 15:32:50 +0100, GG <jojomi at gmail.com> wrote:
> > wow I made it!
> >
> > I copied net and all the libs it complained about from another suse
> > server which was not missing it :-)
> >
> > [2010/03/26 15:07:37, 0] param/loadparm.c:map_parameter(2435)
> >   Unknown parameter encountered: "domain admin group"
> > [2010/03/26 15:07:37, 0] param/loadparm.c:lp_do_parameter(3125)
> >   Ignoring unknown parameter "domain admin group"
> > SID for domain ThisIsLikeTheHostNameOrMaybeAtestDomain???
> >  is: S-1-5-21-1bla bla
> > SID for domain THISISMYDOMAIN is: S-1-5-other-bla bla
> >
> > Which shall I import?
> >
>
> Import both for sure:-). First is localsid, second is domainsid
>
> > So now back to mail number 2 :-)
> >
> > LDAP: I exported ldif :-) now
> > I copied /etc/groups passwd shadow aliases
> >
> > now on the new server:
> >
> > how do I import LDAP and all its configs,
> > samba and all its configs are only in smb.conf?
> >
> Import only data to LDAP no configs (slapcat->slapadd)
> Configs yes, live data no, but if you have ldap it *should* be enough to
> import ldif from old server, configure samba to use ldap and run smbpasswd
> -W to store ldap admin dn pass to secrets.tdb. After that you can test if
> samba see imported users in ldap (pdbedit -L).
>
> > :-)
> > Giorgio
> >
> >
> >
> > On 3/26/10, Vladimir Psenicka <vladimir.psenicka at prodeco.cz> wrote:
> >> Paste ldap admin dn or ldap suffix in your smb.conf
> >>
> >> On 26.3.2010 15:24, Vladimir Psenicka wrote:
> >> > try this:
> >> >
> >> > ldapsearch -x -h localhost -D "cn=Manager,dc=WORKGROUP,dc=it" -W -b
> >> > "sambaDomainName=WORKGROUP,dc=WORKGROUP,dc=it"
> >> >
> >> > On 26.3.2010 15:00, GG wrote:
> >> >> Hello!
> >> >>
> >> >> I'm stuck on getdomainsid: Net command is missing even though libs
> >> >> and smbclient are installed.
> >> >>
> >> >> I tried this:
> >> >> # ldapsearch -x -h localhost -D "cn=Manager,dc=domain,dc=it" -W -b
> >> >> "sambaDomainName=WORKGROUP,dc=domain,dc=it"
> >> >> Enter LDAP Password:
> >> >> # extended LDIF
> >> >> #
> >> >> # LDAPv3
> >> >> # base <sambaDomainName=WORKGROUP,dc=domain,dc=it> with scope sub
> >> >> # filter: (objectclass=*)
> >> >> # requesting: ALL
> >> >> #
> >> >>
> >> >> # search result
> >> >> search: 2
> >> >> result: 34 Invalid DN syntax
> >> >> text: invalid DN
> >> >>
> >> >> # numResponses: 1
> >> >>
> >> >> So: I'm not sure what is sambaDomainName=domain,dc=domain,dc=it...
> >> >> I used WORKGROUP as it is the domain we use on pcs and the only one
> >> >> defined in smb.conf
> >> >>
> >> >> I also tried using my pdc HOSTNAME
> >> >>
> >> >> and this was returned
> >> >> # LDAPv3
> >> >> # base <sambaDomainName=hostname,dc=domain,dc=it> with scope sub
> >> >> # filter: (objectclass=*)
> >> >> # requesting: ALL
> >> >> #
> >> >>
> >> >> # search result
> >> >> search: 2
> >> >> result: 34 Invalid DN syntax
> >> >> text: invalid DN
> >> >>
> >> >> # numResponses: 1
> >> >>
> >> >> Any way to get through this or how to use net command? Maybe
> >> >> updating samba-client?
> >> >>
> >> >> I tried rpm -i samba-client but it says
> >> >> file /usr/share/man/man1/smbclient.1.gz from install of
> >> >> samba-client-2.2.12-1.suse82 conflicts with file from package
> >> >> samba-client-2.2.7a-72 when trying to rpm -i
> >> >> samba-client-2.2.12-1.rpm
> >> >>
> >> >> I found also the original package but it says it is already
> >> >> installed.
> >> >>
> >> >> What happens if I remove samba-client and reinstall it soon after on
> >> >> the production pdc?
> >> >>
> >> >>
> >> >> Giorgio
> >> >>
> >> >> On 3/26/10, Vladimir Psenicka <vladimir.psenicka at prodeco.cz> wrote:
> >> >>> On 26.3.2010 13:50, GG wrote:
> >> >>>> Hello!
> >> >>>>
> >> >>>>>> Have you samba-client package installed?
> >> >>>>>>
> >> >>>>
> >> >>>> yes I do at least smbclient is there! but no net command :-/
> >> >>>>
> >> >>>>>> PAVOUK\psenicka at psenicka:~> rpm -qf `which net`
> >> >>>>>> samba-client-3.5.1-4.1.x86_64
> >> >>>>
> >> >>>> So here are the issues encountered...
> >> >>>> file /usr/share/man/man1/smbclient.1.gz from install of
> >> >>>> samba-client-2.2.12-1.suse82 conflicts with file from package
> >> >>>> samba-client-2.2.7a-72 when trying to rpm -i
> >> >>>> samba-client-2.2.12-1.rpm
> >> >>>> I found on net...
> >> >>>>
> >> >>>>>>
> >> >>>>>> or you can dig domainsid from ldap
> >> >>>>
> >> >>>> This sounds interesting! How do I do that?
> >> >>>>
> >> >>>
> >> >>> modify to your needs (domain):
> >> >>>
> >> >>> ldapsearch -x -h ldap -D "cn=admin,dc=domain,dc=cz" -W -b
> >> >>> "sambaDomainName=domain,dc=domain,dc=cz"
> >> >>>
> >> >>> sambaSID: is your domainsid
> >> >>>
> >> >>> or you can use phpldapadmin to manage your ldap from browser
> >> >>>
> >> >>>> Thanks very much!
> >> >>>> Giorgio
> >> >>>>
> >> >>>> On 3/26/10, GG <jojomi at gmail.com> wrote:
> >> >>>>> Hi!
> >> >>>>>
> >> >>>>> I'll be at it in a few minutes installing samba client / net
> >> >>>>> command :-)
> >> >>>>>
> >> >>>>> I have a question about the samba sernet repos:
> >> >>>>> Shall I apt-get remove samba and use
> >> >>>>> http://enterprisesamba.com/index.php?id=148 +
> >> >>>>> http://enterprisesamba.com/index.php?id=56
> >> >>>>>  instead from start?
> >> >>>>>
> >> >>>>> What is the real advantage of sernet? What about installing
> >> >>>>> official samba.org packages, are there differences with sernet
> >> >>>>> (stability?) or is it just a more liberal repository?
> >> >>>>>
> >> >>>>> Also I read
> >> >>>>>>>> Ensure that all local user and group accounts that are used by
> >> >>>>>>>> samba
> >> >>>>>>>> have the same uid/gid.
> >> >>>>>
> >> >>>>> Shall I copy /etc/shadow and /etc/passwd over? other files for
> >> >>>>> groups
> >> >>>>> and users?
> >> >>>>>
> >> >>>>> I use rsync --verbose  --progress --stats --compress --rsh=ssh \
> >> >>>>>      --recursive --times --perms --links  \
> >> >>>>>      --owner --group --devices --specials \
> >> >>>>>      --exclude-from '/root/exclude.txt (if any, not in this case as
> >> >>>>> I'm only syncing data dir)' \
> >> >>>>>      root@old_PDC:/DATA /DATA
> >> >>>>>
> >> >>>>> This should bring over every attribute set on files... correct?
> >> >>>>>
> >> >>>>> [[[did only partially in one case: I set up a twin install (fresh
> >> >>>>> install then live cd and full rsync and after that I kept mbr, but
> >> >>>>> changed /boot and the /etc/fstab settings) and the server started
> >> >>>>> etc.. LDAP did not work though: authentication was not available...
> >> >>>>> So I must be missing something or this rsync parameter set must be
> >> >>>>> missing something.. I had disconnected old PDC, set same IP and
> >> >>>>> hostname to the VM well this worked well for other virtualizations
> >> >>>>> and in this PDC I need to upgrade to win7 compatible samba version
> >> >>>>> anyway :-)
> >> >>>>> This was another story but just to share it as it is an excellent
> >> >>>>> way of migrating sometimes specially for machines you do not master
> >> >>>>> and this is my case very often.]]]
> >> >>>>>
> >> >>>>> Cheers,
> >> >>>>> Giorgio
> >> >>>>>
> >> >>>>> On Fri, Mar 26, 2010 at 9:14 AM, Vladimir Psenicka
> >> >>>>> <vladimir.psenicka at prodeco.cz> wrote:
> >> >>>>>> Hi
> >> >>>>>>
> >> >>>>>> On 25.3.2010 17:41, GG wrote:
> >> >>>>>>> Hello Vladimir, John and all the NG :-)
> >> >>>>>>> Thanks so much for answering. I really hoped someone would :-)
> >> >>>>>>>
> >> >>>>>>> So I installed Debian latest stable netinst on the future
> >> >>>>>>> production
> >> >>>>>>> server and here are my issues in the quotes :-( no net command
> >> >>>>>>> on my
> >> >>>>>>> suse 8.2
> >> >>>>>>>
> >> >>>>>>> Cheers :-)
> >> >>>>>>> Giorgio
> >> >>>>>>>
> >> >>>>>>>
> >> >>>>>>>> On Thu, Mar 25, 2010 at 14:00, John H Terpstra <*@samba.org>
> >> >>>>>>>> wrote:
> >> >>>>>>>>> On 03/25/2010 03:33 AM, Vladimir Psenicka wrote:
> >> >>>>>>>>> What about Debian Stable with Sernet samba repo, where you can
> >> >>>>>>>>> choose Samba 3.4.x or 3.5.x
> >> >>>>>>>>>
> >> >>>>>>>>> My hints on migrating to new server:
> >> >>>>>>>>>
> >> >>>>>>>>> 1. install new server (Samba,ldap etc.)
> >> >>>>>>>
> >> >>>>>>> done :-) Debian Stable netinst
> >> >>>>>>>
> >> >>>>>>>>> 2. set same hostname on new server
> >> >>>>>>> My ignorance comes out :-)
> >> >>>>>>> Must I set it different from the production server as FW points
> >> >>>>>>> production.domain.com - I have clients using DNS=oldPDC and PDC
> >> >>>>>>> forwards queries to FW. FW has pdc.domain.com defined to point
> >> >>>>>>> to lan
> >> >>>>>>> ip.
> >> >>>>>>>
> >> >>>>>>
> >> >>>>>> Ok, can be changed later
> >> >>>>>>
> >> >>>>>>>>> 3. export ldap data from old server and import them to new
> >> >>>>>>>>> server
> >> >>>>>>>
> >> >>>>>>> slapcat -f /etc/openldap/ldap.conf -l /ldap.ldif
> >> >>>>>>> OK
> >> >>>>>>>
> >> >>>>>>>> Ensure that all local user and group accounts that are used by
> >> >>>>>>>> samba
> >> >>>>>>>> have the same uid/gid.
> >> >>>>>>> my ignorance again... another hint?
> >> >>>>>>>>
> >> >>>>>>>>> 4. export SID (net getlocalsid) and set it on new server (net
> >> >>>>>>>>> setlocalsid oldsid)
> >> >>>>>>>>
> >> >>>>>>>> Note:
> >> >>>>>>>>  net getdomainsid (on old server)
> >> >>>>>>>>  net setdomainsid (on new server)
> >> >>>>>>> thanks :-)
> >> >>>>>>>
> >> >>>>>>> # net getdomainsid
> >> >>>>>>> -bash: net: command not found :-( and not found in yast
> >> >>>>>>>
> >> >>>>>>> I understand it has to do with extracting the sid from
> >> >>>>>>> /etc/samba/secrets.tdb but how do I install the command? suse
> >> >>>>>>> 8.2 yast
> >> >>>>>>> has now net package and googling net is.. well wow!
> >> >>>>>>>
> >> >>>>>>
> >> >>>>>> Have you samba-client package installed?
> >> >>>>>>
> >> >>>>>> PAVOUK\psenicka at psenicka:~> rpm -qf `which net`
> >> >>>>>> samba-client-3.5.1-4.1.x86_64
> >> >>>>>>
> >> >>>>>> or you can dig domainsid from ldap
> >> >>>>>>
> >> >>>>>>>>> 5. configure samba on new server as PDC with ldap and shares
> >> >>>>>>>>> in smb.conf
> >> >>>>>>>>> from old samba smb.conf (check with testparm)
> >> >>>>>>>
> >> >>>>>>> I see it only contains shares so I bet smb.conf would just keep
> >> >>>>>>> all the old settings right? /DATA will be rsynced
> >> >>>>>>>
> >> >>>>>>
> >> >>>>>> Maybe smb.conf from Samba2 is too different from Samba 3. I will
> >> >>>>>> keep
> >> >>>>>> current smb.conf on new server and add only shares from old
> >> >>>>>> smb.conf to
> >> >>>>>> new smb.conf.
> >> >>>>>>
> >> >>>>>>>>> 6. stop samba on old server
> >> >>>>>>>>> 7. copy all data (with perms) and netlogon share to new server
> >> >>>>>>>>> 8. stop old server
> >> >>>>>>>>> 9. start samba on new server and check everything is working
> >> >>>>>>>>> fine (domain logon from windows box, shares and perms)
> >> >>>>>>>>>
> >> >>>>>>>>> This can be done best when no users are logged in samba
> >> >>>>>>>>> (maybe at weekend?)
> >> >>>>>>>>>
> >> >>>>>>>>> P.S. We have ubuntu 8.04 as PDC and Windows 7 can't join to
> >> >>>>>>>>> domain
> >> >>>>>>>
> >> >>>>>>> thanks I move to Debian with ease :-) ubuntu is a great deb
> >> >>>>>>> derived right?
> >> >>>>>>>
> >> >>>>>> Ubuntu 8.04 LTS is now older than Debian Stable. When Ubuntu
> >> >>>>>> 10.04 LTS comes out this will no longer be true.
> >> >>>>>>
> >> >>>>>>>> Check http://wiki.samba.org for info regarding Windows 7.
> >> >>>>>>>>
> >> >>>>>>>> Cheers,
> >> >>>>>>>> John T.
> >> >>>>>>>>
> >> >>>>>>>>> On 25.3.2010 01:05, GG wrote:
> >> >>>>>>>>>> Hello Vladimir and hi all,
> >> >>>>>>>>>>
> >> >>>>>>>>>> Thanks very much for replying!
> >> >>>>>>>>>>
> >> >>>>>>>>>> Any suggested os? I'd go for debian or what advised, I just
> >> >>>>>>>>>> happen to
> >> >>>>>>>>>> know ubuntu more...
> >> >>>>>>>>>>
> >> >>>>>>>>>>
> >> >>>>>>>>>> Any strategy or hint on migrating from ancient ldap + samba
> >> >>>>>>>>>> to a new server?
> >> >>>>>>>>>> Already tried rsyncing (using all options to keep perms and
> >> >>>>>>>>>> attributes
> >> >>>>>>>>>> grp  own mod etc) on a twin v-machine but server starts and
> >> >>>>>>>>>> the ldap
> >> >>>>>>>>>> auth fails to work :-(
> >> >>>>>>>>>>
> >> >>>>>>>>>> I'm a bit stuck at the moment :-( and I have postponed the
> >> >>>>>>>>>> problem for too long grrr
> >> >>>>>>>>>>
> >> >>>>>>>>>> Giorgio
> >> >>>>>>>>>>
> >> >>>>>>>>>> On Wed, Mar 24, 2010 at 9:20 AM, Vladimir Psenicka
> >> >>>>>>>>>> <vladimir.psenicka at prodeco.cz> wrote:
> >> >>>>>>>>>>> On 23.3.2010 15:48, Giorgio wrote:
> >> >>>>>>>>>>>> Hello,
> >> >>>>>>>>>>>> Hopefully I'm in the right place asking for help :-)
> >> >>>>>>>>>>>>
> >> >>>>>>>>>>>> I need to move from an old physical Suse 8.2 - samba 2.2.7
> >> >>>>>>>>>>>> + ldap - to
> >> >>>>>>>>>>>> latest samba versions, I would like to use an ubuntu 8.04
> >> >>>>>>>>>>>> virtual machine.
> >> >>>>>>>>>>>>
> >> >>>>>>>>>>>> The domain is in production on the physical server, to be
> >> >>>>>>>>>>>> dismissed after
> >> >>>>>>>>>>>> migration. It is also the file server!!! so /DATA/ has all
> >> >>>>>>>>>>>> shared and
> >> >>>>>>>>>>>> permission driven file access..
> >> >>>>>>>>>>>>
> >> >>>>>>>>>>>> I was following
> >> >>>>>>>>>>>> https://help.ubuntu.com/8.10/serverguide/C/samba-dc.html
> >> >>>>>>>>>>>> but I realize I am in a different scenario...
> >> >>>>>>>>>>>>
> >> >>>>>>>>>>>> Production so no errors are admitted :-(, migration to new
> >> >>>>>>>>>>>> os and versions..
> >> >>>>>>>>>>>> all at once?
> >> >>>>>>>>>>>>
> >> >>>>>>>>>>>> I have a dump of the physical server (dd sda mbr and single
> >> >>>>>>>>>>>> partitions :)
> >> >>>>>>>>>>>> plus an rsync with all permissions daily backup, just to be
> >> >>>>>>>>>>>> safe ;)
> >> >>>>>>>>>>>>
> >> >>>>>>>>>>>>
> >> >>>>>>>>>>>> What would you gurus suggest as a strategy?
> >> >>>>>>>>>>>>
> >> >>>>>>>>>>>> Can I create a new server and add it as secondary domain
> >> >>>>>>>>>>>> controller and then
> >> >>>>>>>>>>>> once the replica is up? I'd feel quite comfortable with
> >> >>>>>>>>>>>> this method.
> >> >>>>>>>>>>>>
> >> >>>>>>>>>>>> BTW I need a new version of samba as they have already
> >> >>>>>>>>>>>> bought Windows 7
> >> >>>>>>>>>>>> boxes (without asking if they were supported arrgh).
> >> >>>>>>>>>>>>
> >> >>>>>>>>>>>> Thanks to all of you who read or answered :-)
> >> >>>>>>>>>>>>
> >> >>>>>>>>>>>> Gio
> >> >>>>>>>>>>>
> >> >>>>>>>>>>> Hi.
> >> >>>>>>>>>>>
> >> >>>>>>>>>>> Ubuntu 8.10 is bad idea if you will be connecting Windows 7
> >> >>>>>>>>>>> into domain,
> >> >>>>>>>>>>> because of old Samba version. Samba 3.4.x or 3.5.x is
> >> >>>>>>>>>>> recommended for
> >> >>>>>>>>>>> Win7. Wait for Ubuntu 10.04 LTS (next month) if you want
> >> >>>>>>>>>>> Ubuntu.
> >> >>>>>>>>>>>
> >> >>>>>>>>>>> --
> >> >>>>>>>>>>> Vladimir Psenicka
> >> >>>>>>>>>>> --
> >> >>>>>>>>>>> To unsubscribe from this list go to the following URL and
> >> >>>>>>>>>>> read the instructions: https://lists.samba.org/mailman/options/samba
> >> >>>>>>>>>>>
> >> >>>>>>>>>
> >> >>>>>>>>>
> >> >>>>>>>>
> >> >>>>>>
> >> >>>>>>
> >> >>>>>> --
> >> >>>>>> Vladimir Psenicka
> >> >>>>>> IT system engineer
> >> >>>>>> PRODECO, a.s.
> >> >>>>>> Tel.: 417 633 762
> >> >>>>>>
> >> >>>>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>> Vladimir Psenicka
> >> >>> IT system engineer
> >> >>> PRODECO, a.s.
> >> >>> Tel.: 417 633 762
> >> >>>
> >> >
> >> >
> >>
> >>
> >> --
> >> Vladimir Psenicka
> >> IT system engineer
> >> PRODECO, a.s.
> >> Tel.: 417 633 762
> >>
>
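
Added example (not part of the thread, and not Samba or OpenLDAP code): a pre-import check for the slapcat export, written in Python. The "entries missing" report in the message above names DNs that imported entries sit beneath but that the LDIF never supplied, so the check lists every entry whose parent DN is absent from the file and also pulls the sambaSID of any sambaDomain entry. The sample LDIF and its SID are constructed, and the function names and the comma-based DN handling are assumptions made for the example.

```python
import base64

# Constructed sample export: ou=groups lacks its parent ou=people entry,
# and the sambaDomain DN is folded across two lines as LDIF output may be.
SAMPLE_LDIF = """\
dn: dc=example,dc=it
objectClass: dcObject
dc: example

dn: ou=groups,ou=people,dc=example,dc=it
objectClass: organizationalUnit
ou: groups

dn: sambaDomainName=WORKGROUP,dc=exam
 ple,dc=it
objectClass: sambaDomain
sambaDomainName: WORKGROUP
sambaSID: S-1-5-21-1111111111-2222222222-3333333333
"""

def parse_ldif(text):
    """Return entries as dicts of lower-cased attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continue previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes last entry
        if not line.strip():
            if "dn" in cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def norm(dn):
    # Assumption: no escaped commas inside RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def missing_parents(entries, suffix):
    """List (dn, parent_dn) for entries whose parent is not in the LDIF."""
    present = {norm(e["dn"][0]) for e in entries}
    return [(e["dn"][0], norm(e["dn"][0]).partition(",")[2]) for e in entries
            if norm(e["dn"][0]) != norm(suffix)
            and norm(e["dn"][0]).partition(",")[2] not in present]

def domain_sids(entries):
    """Map sambaDomainName -> sambaSID for every sambaDomain entry found."""
    return {e["sambadomainname"][0]: e.get("sambasid", [None])[0] for e in entries
            if "sambadomain" in [oc.lower() for oc in e.get("objectclass", [])]}
```

Run against the real export, an empty result from missing_parents means every entry has its parent in the file; an empty result from domain_sids means the export holds no sambaDomain entry to read the SID from.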

