[Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

Vladimir Psenicka vladimir.psenicka at prodeco.cz
Tue Apr 6 00:50:22 MDT 2010


Hi Giorgio,

On 2.4.2010 17:01, GG wrote:
> Hi all,
> 
> So I have
> openldap2-2.1.12-74
> samba-2.2.7a-72
> 
> I would like to migrate this existing PDC service to a new server and
> to current production / stable releases (especially for windows 7
> joining to the domain).
> 
> New server is Debian Lenny stable.
> 
> I have exported the domain SID, and ldap.ldif
> 
> Now let's get down to it :-)
> Before importing should I do something about organizational units and so? How?
> 
>> Import only data to LDAP no configs (slapcat->slapadd)
>  slapadd -c -l slapcat.ldif
> I did this but attached errors showed up.
> 
> Error, entries missing!
>   entry 3: dc=people,dc=ExampleDomain,dc=it
>   entry 4: dc=groups,dc=people,dc=ExampleDomain,dc=it

Can you post the first 100 lines of the LDIF you are trying to import? You
are probably missing some base LDIF.

> 
> 
> I know nothing about ldap, but my ldap is probably missing some pre
> required settings ? :-/
> 

Can you post slapd.conf also?


> Cheers!
> Giorgio
> 
>> Configs yes, live data no, but if you have ldap it *should* be enough to
>> import ldif from old server, configure samba to use ldap and run smbpasswd
>> -W to store ldap admin dn pass to secrets.tdb. After that you can test if
>> samba see imported users in ldap (pdbedit -L).
> 
> 
> 
> 
> 
> 
> On 3/27/10, Vladimir Psenicka <vladimir.psenicka at prodeco.cz> wrote:
>> On Fri, 26 Mar 2010 15:32:50 +0100, GG <jojomi at gmail.com> wrote:
>>> wow I made it!
>>>
>>> I copied net and all the libs it complained about from another suse
>>> server which was not missing it :-)
>>>
>>> [2010/03/26 15:07:37, 0] param/loadparm.c:map_parameter(2435)
>>>   Unknown parameter encountered: "domain admin group"
>>> [2010/03/26 15:07:37, 0] param/loadparm.c:lp_do_parameter(3125)
>>>   Ignoring unknown parameter "domain admin group"
>>> SID for domain ThisIsLikeTheHostNameOrMaybeAtestDomain???
>>>  is: S-1-5-21-1bla bla
>>> SID for domain THISISMYDOMAIN is: S-1-5-other-bla bla
>>>
>>> Which shall I import?
>>>
>>
>> Import both for sure:-). First is localsid, second is domainsid
>>
>>> So now back to mail number 2 :-)
>>>
>>> LDAP: I exported ldif :-) now
>>> I copied /etc/groups passwd shadow aliases
>>>
>>> now on the new server:
>>>
>>> how do I import LDAP and all its configs,
>>> samba and all its configs are only in smb.conf?
>>>
>> Import only data to LDAP no configs (slapcat->slapadd)
>> Configs yes, live data no, but if you have ldap it *should* be enough to
>> import ldif from old server, configure samba to use ldap and run smbpasswd
>> -W to store ldap admin dn pass to secrets.tdb. After that you can test if
>> samba see imported users in ldap (pdbedit -L).
>>
>>> :-)
>>> Giorgio
>>>
>>>
>>>
>>> On 3/26/10, Vladimir Psenicka <vladimir.psenicka at prodeco.cz> wrote:
>>>> Paste ldap admin dn or ldap suffix in your smb.conf
>>>>
>>>> On 26.3.2010 15:24, Vladimir Psenicka wrote:
>>>>> try this:
>>>>>
>>>>> ldapsearch -x -h localhost -D "cn=Manager,dc=WORKGROUP,dc=it" -W -b
>>>>> "sambaDomainName=WORKGROUP,dc=WORKGROUP,dc=it"
>>>>>
>>>>> On 26.3.2010 15:00, GG wrote:
>>>>>> Hello!
>>>>>>
>>>>>> I'm stuck on getdomainsid: Net command is missing even though libs
>> and
>>>>>> smbclient are installed.
>>>>>>
>>>>>> I tried this:
>>>>>> # ldapsearch -x -h localhost -D "cn=Manager,dc=domain,dc=it" -W -b
>>>>>> "sambaDomainName=WORKGROUP,dc=domain,dc=it"
>>>>>> Enter LDAP Password:
>>>>>> # extended LDIF
>>>>>> #
>>>>>> # LDAPv3
>>>>>> # base <sambaDomainName=WORKGROUP,dc=domain,dc=it> with scope sub
>>>>>> # filter: (objectclass=*)
>>>>>> # requesting: ALL
>>>>>> #
>>>>>>
>>>>>> # search result
>>>>>> search: 2
>>>>>> result: 34 Invalid DN syntax
>>>>>> text: invalid DN
>>>>>>
>>>>>> # numResponses: 1
>>>>>>
>>>>>> So: I'm not sure what is sambaDomainName=domain,dc=domain,dc=it...
>>>>>> I used WORKGROUP as it is the domain we use on pcs and the only one
>>>>>> defined in smb.conf
>>>>>>
>>>>>> I also tried using my pdc HOSTNAME
>>>>>>
>>>>>> and this was returned
>>>>>> # LDAPv3
>>>>>> # base <sambaDomainName=hostname,dc=domain,dc=it> with scope sub
>>>>>> # filter: (objectclass=*)
>>>>>> # requesting: ALL
>>>>>> #
>>>>>>
>>>>>> # search result
>>>>>> search: 2
>>>>>> result: 34 Invalid DN syntax
>>>>>> text: invalid DN
>>>>>>
>>>>>> # numResponses: 1
>>>>>>
>>>>>> Any way to get through this or how to use net command? Maybe
>> updating
>>>>>> samba-client?
>>>>>>
>>>>>> I tried rpm -i samba-client but it says
>>>>>> file /usr/share/man/man1/smbclient.1.gz from install of
>>>>>> samba-client-2.2.12-1.suse82 conflicts with file from package
>>>>>> samba-client-2.2.7a-72 when trying to rpm -i
>> samba-client-2.2.12-1.rpm
>>>>>>
>>>>>> I found also the original package but it says it is already
>> installed.
>>>>>>
>>>>>> What happens if I remove samba-client and reinstall it soon after on
>>>>>> the production pdc?
>>>>>>
>>>>>>
>>>>>> Giorgio
>>>>>>
>>>>>> On 3/26/10, Vladimir Psenicka <vladimir.psenicka at prodeco.cz> wrote:
>>>>>>> On 26.3.2010 13:50, GG wrote:
>>>>>>>> Hello!
>>>>>>>>
>>>>>>>>>> Have you samba-client package installed?
>>>>>>>>>>
>>>>>>>>
>>>>>>>> yes I do at least smbclient is there! but no net command :-/
>>>>>>>>
>>>>>>>>>> PAVOUK\psenicka at psenicka:~> rpm -qf `which net`
>>>>>>>>>> samba-client-3.5.1-4.1.x86_64
>>>>>>>>
>>>>>>>> So here are the issues encountered...
>>>>>>>> file /usr/share/man/man1/smbclient.1.gz from install of
>>>>>>>> samba-client-2.2.12-1.suse82 conflicts with file from package
>>>>>>>> samba-client-2.2.7a-72 when trying to rpm -i
>>>>>>>> samba-client-2.2.12-1.rpm
>>>>>>>> I found on net...
>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> or you can dig domainsid from ldap
>>>>>>>>
>>>>>>>> This sounds interesting! How do I do that?
>>>>>>>>
>>>>>>>
>>>>>>> modify to your needs (domain):
>>>>>>>
>>>>>>> ldapsearch -x -h ldap -D "cn=admin,dc=domain,dc=cz" -W -b
>>>>>>> "sambaDomainName=domain,dc=domain,dc=cz"
>>>>>>>
>>>>>>> sambaSID: is your domainsid
>>>>>>>
>>>>>>> or you can use phpldapadmin to manage your ldap from a browser
>>>>>>>
>>>>>>>> Thanks very much!
>>>>>>>> Giorgio
>>>>>>>>
>>>>>>>> On 3/26/10, GG <jojomi at gmail.com> wrote:
>>>>>>>>> Hi!
>>>>>>>>>
>>>>>>>>> I'll be at it in a few minutes installing samba client / net
>>>>>>>>> command :-)
>>>>>>>>>
>>>>>>>>> I have a question about the samba sernet repos:
>>>>>>>>> Shall I apt-get remove samba and use
>>>>>>>>> http://enterprisesamba.com/index.php?id=148 +
>>>>>>>>> http://enterprisesamba.com/index.php?id=56
>>>>>>>>>  instead from start?
>>>>>>>>>
>>>>>>>>> What is the real advantage of sernet? What about installing
>>>>>>>>> official
>>>>>>>>> samba.org packages, are there differences with sernet
>> (stability?)
>>>>>>>>> or
>>>>>>>>> is it just a more liberal repository?
>>>>>>>>>
>>>>>>>>> Also I read
>>>>>>>>>>>> Ensure that all local user and group accounts that are used by
>>>>>>>>>>>> samba
>>>>>>>>>>>> have the same uid/gid.
>>>>>>>>>
>>>>>>>>> Shall I copy /etc/shadow and /etc/passwd over? other files for
>>>>>>>>> groups
>>>>>>>>> and users?
>>>>>>>>>
>>>>>>>>> I use rsync --verbose  --progress --stats --compress --rsh=ssh \
>>>>>>>>>      --recursive --times --perms --links  \
>>>>>>>>>      --owner --group --devices --specials \
>>>>>>>>>      --exclude-from '/root/exclude.txt (if any, not in this case
>> as
>>>>>>>>> I'm only syncing data dir)' \
>>>>>>>>>      root at old_PDC:/DATA /DATA
>>>>>>>>>
>>>>>>>>> This should bring over every attribute set on files... correct?
>>>>>>>>>
>>>>>>>>> [[[did only partially in one case: I set up a twin install (fresh
>>>>>>>>> install then live cd and full rsync and after that I kept mbr,
>> but
>>>>>>>>> changed /boot and the /etc/fstab settings) and the server started
>>>>>>>>> etc.. LDAP did not work though: authentication was not
>> available...
>>>>>>>>> So I must be missing something or this rsync parameter set must
>> be
>>>>>>>>> missing something.. I had disconnected old PDC, set same IP and
>>>>>>>>> hostname to the VM well this worked well for other
>> virtualizations
>>>>>>>>> and
>>>>>>>>> in this PDC I need to upgrade to win7 compatible samba version
>>>>>>>>> anyway
>>>>>>>>> :-)
>>>>>>>>> This was another story but just to share it as it is an excellent
>>>>>>>>> way
>>>>>>>>> of migrating sometimes specially for machines you do not master
>> and
>>>>>>>>> this is my case very often.]]]
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Giorgio
>>>>>>>>>
>>>>>>>>> On Fri, Mar 26, 2010 at 9:14 AM, Vladimir Psenicka
>>>>>>>>> <vladimir.psenicka at prodeco.cz> wrote:
>>>>>>>>>> Hi
>>>>>>>>>>
>>>>>>>>>> On 25.3.2010 17:41, GG wrote:
>>>>>>>>>>> Hello Vladimir, John and all the NG :-)
>>>>>>>>>>> Thanks so much for answering. I really hoped someone would :-)
>>>>>>>>>>>
>>>>>>>>>>> So I installed Debian latest stable netinst on the future
>>>>>>>>>>> production
>>>>>>>>>>> server and here are my issues in the quotes :-( no net command
>>>>>>>>>>> on my
>>>>>>>>>>> suse 8.2
>>>>>>>>>>>
>>>>>>>>>>> Cheers :-)
>>>>>>>>>>> Giorgio
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> On Thu, Mar 25, 2010 at 14:00, John H Terpstra <*@samba.org>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>> On 03/25/2010 03:33 AM, Vladimir Psenicka wrote:
>>>>>>>>>>>>> What about Debian Stable with Sernet samba repo, where you
>> can
>>>>>>>>>>>>> choose
>>>>>>>>>>>>> Samba 3.4.x or 3.5.x
>>>>>>>>>>>>>
>>>>>>>>>>>>> My hints on migrating to new server:
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1. install new server (Samba,ldap etc.)
>>>>>>>>>>>
>>>>>>>>>>> done :-) Debian Stable netinst
>>>>>>>>>>>
>>>>>>>>>>>>> 2. set same hostname on new server
>>>>>>>>>>> My ignorance comes out :-)
>>>>>>>>>>> Must I set it different from the production server as FW points
>>>>>>>>>>> production.domain.com - I have clients using DNS=oldPDC and PDC
>>>>>>>>>>> forwards queries to FW. FW has pdc.domain.com defined to point
>>>>>>>>>>> to lan
>>>>>>>>>>> ip.
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Ok, can be changed later
>>>>>>>>>>
>>>>>>>>>>>>> 3. export ldap data from old server and import them to new
>>>>>>>>>>>>> server
>>>>>>>>>>>
>>>>>>>>>>> slapcat -f /etc/openldap/ldap.conf -l /ldap.ldif
>>>>>>>>>>> OK
>>>>>>>>>>>
>>>>>>>>>>>> Ensure that all local user and group accounts that are used by
>>>>>>>>>>>> samba
>>>>>>>>>>>> have the same uid/gid.
>>>>>>>>>>> my ignorance again... another hint?
>>>>>>>>>>>>
>>>>>>>>>>>>> 4. export SID (net getlocalsid) and set it on new server (net
>>>>>>>>>>>>> setlocalsid oldsid)
>>>>>>>>>>>>
>>>>>>>>>>>> Note:
>>>>>>>>>>>>  net getdomainsid (on old server)
>>>>>>>>>>>>  net setdomainsid (on new server)
>>>>>>>>>>> thanks :-)
>>>>>>>>>>>
>>>>>>>>>>> # net getdomainsid
>>>>>>>>>>> -bash: net: command not found :-( and not found in yast
>>>>>>>>>>>
>>>>>>>>>>> I understand it has to do with extracting the sid from
>>>>>>>>>>> /etc/samba/secrets.tdb but how do I install the command? suse
>>>>>>>>>>> 8.2 yast
>>>>>>>>>>> has now net package and googling net is.. well wow!
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Have you samba-client package installed?
>>>>>>>>>>
>>>>>>>>>> PAVOUK\psenicka at psenicka:~> rpm -qf `which net`
>>>>>>>>>> samba-client-3.5.1-4.1.x86_64
>>>>>>>>>>
>>>>>>>>>> or you can dig domainsid from ldap
>>>>>>>>>>
>>>>>>>>>>>>> 5. configure samba on new server as PDC with ldap and shares
>>>>>>>>>>>>> in smb.conf
>>>>>>>>>>>>> from old samba smb.conf (check with testparm)
>>>>>>>>>>>
>>>>>>>>>>> I see it only contains shares so I bet smb.conf would just keep
>>>>>>>>>>> all
>>>>>>>>>>> the old settings right? /DATA will be rsynced
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Maybe smb.conf from Samba2 is too different from Samba 3. I will
>>>>>>>>>> keep
>>>>>>>>>> current smb.conf on new server and add only shares from old
>>>>>>>>>> smb.conf to
>>>>>>>>>> new smb.conf.
>>>>>>>>>>
>>>>>>>>>>>>> 6. stop samba on old server
>>>>>>>>>>>>> 7. copy all data (with perms) and netlogon share to new
>> server
>>>>>>>>>>>>> 8. stop old server
>>>>>>>>>>>>> 9. start samba on new server and check everything is working
>>>>>>>>>>>>> fine (domain
>>>>>>>>>>>>> logon from windows box, shares and perms)
>>>>>>>>>>>>>
>>>>>>>>>>>>> This can be done best when no users are logged in samba
>> (maybe
>>>>>>>>>>>>> at weekend?)
>>>>>>>>>>>>>
>>>>>>>>>>>>> P.S. We have ubuntu 8.04 as PDC and Windows 7 can't join to
>>>>>>>>>>>>> domain
>>>>>>>>>>>
>>>>>>>>>>> thanks I move to Debian with ease :-) ubuntu is a great deb
>>>>>>>>>>> derived right?
>>>>>>>>>>>
>>>>>>>>>> Ubuntu 8.04 LTS is now older than Debian Stable. When Ubuntu
>>>>>>>>>> 10.04 LTS
>>>>>>>>>> comes out this will no longer be true.
>>>>>>>>>>
>>>>>>>>>>>> Check http://wiki.samba.org for info regarding Windows 7.
>>>>>>>>>>>>
>>>>>>>>>>>> Cheers,
>>>>>>>>>>>> John T.
>>>>>>>>>>>>
>>>>>>>>>>>>> On 25.3.2010 01:05, GG wrote:
>>>>>>>>>>>>>> Hello Vladimir and hi all,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks very much for replying!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Any suggested os? I'd go for debian or what advised, I just
>>>>>>>>>>>>>> happen to
>>>>>>>>>>>>>> know ubuntu more...
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Any strategy or hint on migrating from ancient ldap + samba
>>>>>>>>>>>>>> to a new server?
>>>>>>>>>>>>>> Already tried rsyncing (using all options to keep perms and
>>>>>>>>>>>>>> attributes
>>>>>>>>>>>>>> grp  own mod etc) on a twin v-machine but server starts and
>>>>>>>>>>>>>> the ldap
>>>>>>>>>>>>>> auth fails to work :-(
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm a bit stuck at the moment :-( and I have postponed the
>>>>>>>>>>>>>> problem for
>>>>>>>>>>>>>> too long grrr
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Giorgio
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Wed, Mar 24, 2010 at 9:20 AM, Vladimir Psenicka
>>>>>>>>>>>>>> <vladimir.psenicka at prodeco.cz> wrote:
>>>>>>>>>>>>>>> On 23.3.2010 15:48, Giorgio wrote:
>>>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>>> Hopefully I'm in the right place asking for help :-)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I need to move from an old physical Suse 8.2 - samba 2.2.7
>>>>>>>>>>>>>>>> + ldap - to
>>>>>>>>>>>>>>>> latest samba versions, I would like to use an ubuntu 8.04
>>>>>>>>>>>>>>>> virtual machine.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The domain is in production on the physical server, to be
>>>>>>>>>>>>>>>> dismissed after
>>>>>>>>>>>>>>>> migration. It is also the file server!!! so /DATA/ has all
>>>>>>>>>>>>>>>> shared and
>>>>>>>>>>>>>>>> permission driven file access..
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I was following
>>>>>>>>>>>>>>>> https://help.ubuntu.com/8.10/serverguide/C/samba-dc.html
>> but
>>>>>>>>>>>>>>>> I realize I am in a different scenario...
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Production so no errors are admitted :-(, migration to new
>>>>>>>>>>>>>>>> os and versions..
>>>>>>>>>>>>>>>> all at once?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I have a dump of the physical server (dd sda mbr and
>> single
>>>>>>>>>>>>>>>> partitions :)
>>>>>>>>>>>>>>>> plus an rsync with all permissions daily backup, just to
>> be
>>>>>>>>>>>>>>>> safe ;)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> What would you guru's suggest as a strategy?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Can I create a new server and add it as secondary domain
>>>>>>>>>>>>>>>> controller and then
>>>>>>>>>>>>>>>> once the replica is up? I'd feel quite comfortable with
>>>>>>>>>>>>>>>> this method.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> BTW I need a new version of samba as they have already
>>>>>>>>>>>>>>>> bought Windows 7
>>>>>>>>>>>>>>>> boxes (without asking if they were supported arrgh).
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks to all of you who read or answered :-)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Gio
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Ubuntu 8.10 is bad idea if you will be connecting Windows 7
>>>>>>>>>>>>>>> into domain,
>>>>>>>>>>>>>>> because of old Samba version. Samba 3.4.x or 3.5.x is
>>>>>>>>>>>>>>> recommended for
>>>>>>>>>>>>>>> Win7. Wait for Ubuntu 10.04 LTS (next month) if you want
>>>>>>>>>>>>>>> Ubuntu.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Vladimir Psenicka
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> To unsubscribe from this list go to the following URL and
>>>>>>>>>>>>>>> read the
>>>>>>>>>>>>>>> instructions:
>> https://lists.samba.org/mailman/options/samba
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Vladimir Psenicka
>>>>>>>>>> IT system engineer
>>>>>>>>>> PRODECO, a.s.
>>>>>>>>>> Tel.: 417 633 762
>>>>>>>>>>
>>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Vladimir Psenicka
>>>>>>> IT system engineer
>>>>>>> PRODECO, a.s.
>>>>>>> Tel.: 417 633 762
>>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Vladimir Psenicka
>>>> IT system engineer
>>>> PRODECO, a.s.
>>>> Tel.: 417 633 762
>>>>
>>


-- 
Vladimir Psenicka
IT system engineer
PRODECO, a.s.
Tel.: 417 633 762
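
The slapadd output quoted above reports dc=people and dc=groups entries as missing, and the reply suspects a missing base LDIF. One way to check an export for such gaps before running slapadd is sketched below; it is an added example, not part of the original thread. The function names and the sample entries (uid=mario, cn=staff) are constructed for illustration; only the suffix dc=ExampleDomain,dc=it comes from the quoted error.

```python
import base64
import re


def ldif_dns(text):
    """Return the DN of every entry in an LDIF export, in file order."""
    # LDIF folds long lines: a continuation line starts with one space.
    unfolded = re.sub(r"\r?\n ", "", text)
    dns = []
    for line in unfolded.splitlines():
        if line.lower().startswith("dn::"):  # base64-encoded DN
            dns.append(base64.b64decode(line[4:].strip()).decode("utf-8"))
        elif line.lower().startswith("dn:"):
            dns.append(line[3:].strip())
    return dns


def split_dn(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [rdn.lstrip() for rdn in re.findall(r"(?:\\.|[^,\\])+", dn)]


def missing_parents(text, suffix):
    """List ancestor DNs under `suffix` that entries need but the LDIF lacks."""
    # Lower-casing treats RDN values as case-insensitive (true for dc/ou/cn/uid).
    def key(rdns): return ",".join(rdns).lower()
    present = {key(split_dn(dn)) for dn in ldif_dns(text)}
    base = key(split_dn(suffix))
    missing = {}
    for dn in ldif_dns(text):
        rdns = split_dn(dn)
        for i in range(1, len(rdns)):  # walk from the parent up to the suffix
            k = key(rdns[i:])
            if k != base and not k.endswith("," + base):
                break
            if k not in present:
                missing.setdefault(k, ",".join(rdns[i:]))
    # Parents first, so the result is also a valid creation order.
    return sorted(missing.values(), key=lambda d: (len(split_dn(d)), d))


# Constructed sample shaped like the export in the thread: the suffix entry
# is present, the containers dc=people and dc=groups are not.
_B64_DN = base64.b64encode(b"uid=mario,dc=people,dc=ExampleDomain,dc=it").decode()
SAMPLE = (
    "dn: dc=ExampleDomain,dc=it\ndc: ExampleDomain\n\n"
    f"dn:: {_B64_DN}\nuid: mario\n\n"
    "dn: cn=staff,dc=groups,dc=people,\n dc=ExampleDomain,dc=it\ncn: staff\n"
)

if __name__ == "__main__":
    for dn in missing_parents(SAMPLE, "dc=ExampleDomain,dc=it"):
        print("missing parent entry:", dn)
```

Each DN it reports needs its own entry in the LDIF, placed ahead of its children, before the import can load the entries beneath it.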

