[Samba] Upgrade Samba 3 -> Samba 4 AD DC (Debian Wheezy)

Peter Schaefer peter.schaefer at gmx.de
Sun Dec 29 14:28:37 MST 2013


I just upgraded from Samba 3.6.6 to the Sernet Samba 4.1.7 packages as AD DC following the Samba AD DC / classicupgrade 
HOWTO and thought to share the experience so other users might find it in the archives. I also have some questions later 
on. I'd be very happy if some brave soul can give some advice on these (will come with a later post).

The old Samba3 was running on an EXT4 filesystem with ACLs enabled and used TDB as config store. All SMB users were also 
local unix users, so ACLs weren't used and I handled permissions using "force group", "write list", group mappings and 
other ugly things. I hope to get this sorted with Samba4.

I made the upgrade in-place. Risky, but I had backups :-) ...

So, without further ado:

0) Stop your running Samba and do the checks covered with steps 6 - 8 using the old installation. Then you can skip 6 - 
8 later. I keep them listed for the poor soul that discovers problems when Samba3 is already removed (guess who that 
poor soul was...). Turn off all Windows clients and do not turn them back on before you are sure you are never ever going 
back to Samba3 again.

1) Uninstall all Samba 3.6.6 packages using aptitude, apt-get or dpkg. See "dpkg --list '*samba*' | grep ii" for installed 
packages. Be sure to NOT 'purge' but just 'remove' the packages.

2) Move everything in '/etc/samba/*' to '/var/lib/samba'.

3) Zip this directory together using 'tar cvzf samba3.tgz /var/lib/samba'

4) Install the 'sernet-samba-ad' packages and its dependencies.

5) If you have (very likely in case of Debian) your Samba3 users created as local Unix users and they all have an own 
user-private group with the same name as the user: Remove those user-private groups and add all Samba3 users to a common 
unix group ('users' or create 'smbusers' or similar). You might have to fix-up unix file owners/permissions on the 
shares afterwards (especially the home folders).

If you have done step 7 using the old installation, you can proceed with 10, otherwise:

6) Create a directory "/var/lib/samba/private" and copy the files "secrets.tdb" and "passdb.tdb" from "/var/lib/samba" 
into that directory. Copy your old "smb.conf" from "/var/lib/samba" to "/etc/samba" again. With those old files in the 
right places, you can now call "pdbedit", "net" and other tools from the new Samba4 installation to do some checks or 

7) Check that (if you have any) your group mappings for "Domain Admins" and "Domain Users" have the correct (MS 
specified) SID (e.g. they end with -512 and -513, respectively). Fix these like depicted in the following post: 
https://lists.samba.org/archive/samba/2013-August/175135.html. Note that you may have to check other group mappings, too.

8) If you had to make changes, move the *.tdb files from the "/var/lib/samba/private" again to "/var/lib/samba" and tar 
the directory up again (see step 3). Then delete "/etc/samba/smb.conf". Note: If you have to do further changes to the 
*.tdbs, you have to shuffle those files around, again.

10) Make a first attempt to run "samba-tool domain classicupgrade --dbdir=/var/lib/samba --use-xattrs=yes 
--realm=your.domain" (exchange the "your.domain" part, of course).

11) If it fails with some error: "rm -r -f /var/lib/samba" and "rm /etc/samba/smb.conf". Re-establish your old files 
with "tar xvzf samba3.tgz -C /". Fix the errors (if you can) and try again.

12) If "classicupgrade" succeeds, you have a basic "smb.conf" in "/etc/samba" and can start Samba4 for the first time. I 
suggest using the debug mode as written in the HOWTO: "samba -i -M single".

13) Test connectivity, configure DNS, Kerberos and NTP as written in the SAMBA AD DC HOWTO. I had to install the 
"heimdal-clients" package to get "kinit" & co.

14) At last, edit the "/etc/defaults/sernet-samba" file and set the mode to "ad". Then stop your "debug samba" and use 
the package init-scripts to enter production ("/etc/init.d/sernet-samba-ad start").

15) Move over your shares from your old "smb.conf" (still in /var/lib/samba) to "/etc/samba/smb.conf" using a text 
editor. The classicupgrade tool did not transfer the shares in my case. Go one-by-one and call "testparm" and - if no 
errors - "smbcontrol all reload-config" to activate the share. You might drop everything from the share definition 
except "path" and manage permissions and users from the Windows side using the "Active Directory Users and Computers" 
MMC snap-in that you get by installing the MS RSAT tools. Further reading from the wiki:

Last but not least (TL;DR):

Besides the issue with the wrong SIDs (and the fact that "classicupgrade" just barfs bones in case of this error) the 
upgrade went smoothly.

I have to say a BIG THANK YOU to all Samba4 developers for developing Samba4. Another BIG THANK YOU goes to Sernet for 
packaging, too. In addition, the Samba4 wiki pages mentioned above helped a lot. There's always room for improvement, 
but the documented steps lead in the right direction.

The only issue I'm still facing is managing permissions and dealing with the legacy maze of unix users, groups and 
permissions mixed with the new ACL based things.
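
The SID check from step 7 can be scripted. This is an added example, not part of the original post; it assumes "net groupmap list" prints lines of the form "NT name (SID) -> unix group", covers Domain Guests (-514) in addition to the two groups the post names, and runs on a constructed domain SID and group names.

```shell
#!/bin/sh
# Added example (not from the original post): step 7 as a scripted check.

# Expected RID for a well-known domain group; prints nothing for other groups.
expected_rid() {
    case "$1" in
        "Domain Admins") echo 512 ;;
        "Domain Users")  echo 513 ;;
        "Domain Guests") echo 514 ;;
    esac
}

# Reads "net groupmap list" lines on stdin, assumed to look like
#   Domain Admins (S-1-5-21-...-512) -> domadmins
# Prints one line per wrong mapping and returns 1 if any was found.
check_groupmap() {
    bad=0
    while IFS= read -r line; do
        name=${line%%" (S-"*}                 # NT group name
        [ "$name" = "$line" ] && continue     # not a mapping line
        sid=${line#"$name ("}
        sid=${sid%%")"*}                      # full SID
        rid=${sid##*-}                        # last sub-authority
        want=$(expected_rid "$name")
        [ -z "$want" ] && continue            # no fixed RID for this group
        if [ "$rid" != "$want" ]; then
            echo "MISMATCH: $name has SID $sid, expected RID $want"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample output; the domain SID and unix group names are made up.
sample_groupmap() {
    cat <<'EOF'
Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-3001) -> users
Staff (S-1-5-21-1111111111-2222222222-3333333333-3005) -> staff
EOF
}

# On the server: net groupmap list | check_groupmap
if ! sample_groupmap | check_groupmap; then
    echo "Fix the group mappings before running classicupgrade."
fi
```

Running the check both before and after fixing a mapping confirms the corrected SID is what classicupgrade will read.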

