Alex Ferrara alex at receptiveit.com.au
Wed May 1 01:24:00 MDT 2013

Hi guys,

I thought I should send a quick email through to report my experience upgrading a Samba3 + OpenLDAP site to Samba4.

I did lots of reading and had a bunch of howto documents, including the official one, at my disposal. 

I set up a shiny new Ubuntu 12.04 64bit virtual machine using OpenVZ and installed the samba4 packages out of http://ppa.launchpad.net/kernevil. I went through the samba-tool classic upgrade documented in the official howto several times in a test environment to beat our LDAP into shape, which was mostly usernames with the same name as a group, and a few duplicate SIDs, but all this was fairly painless. After the testing migration worked, the "for-real" migration worked first time. We used "ldapsam:trusted = yes" in the classic upgrade step as we did it on new hardware.

I modified our existing Bind DNS servers to look to the Samba 4 DNS server for the AD domain, and modified the /etc/resolv.conf to search the AD domain. We ended up using bind9-dlz on the Samba4 server as this gave us greater flexibility.

I installed the krb5-user package and copied /var/lib/samba/private/krb5.conf to /etc. This was the only thing I had to do to make the kerberos client work. A kinit root@FQDN.DOMAIN worked first time, and a klist confirmed the ticket.

I modified my existing DHCP server to serve out the new AD domain name to our clients, and removed the WINS stuff. Once this was done, our clients pretty much logged on and migrated to the new domain on their own, as per the Microsoft migration path. Most clients needed two reboots, and one client had a problem with the time skewing the kerberos ticket, but mostly it worked first time.

By this time, the whole migration had taken about 90 minutes and it was all working really well. I spent quite a bit of time testing everything and I even installed the Microsoft remote admin pack which worked just like we were running an AD server... Oh wait, we are!

In hindsight, the use of kernevil packages was a bad decision, as those packages don't include the winbind client tools or CUPS support. It worked flawlessly other than that, and upgrading those packages should be nice and easy. I have been told that the Debian packages out of squeeze-backports would have been a better choice, but I haven't looked at them as of yet.

This is day 3 of running Samba4 and after a few changes to make other things talk to AD Samba instead of NT4 Samba, things are really stable.

A big "thank-you" goes out to all the Samba developers. 

This is one of those situations where I took extreme caution just in case things broke, but they never did. Site #1 migrated to Samba4, and I have quite a few more to go. Exciting times.

Alex Ferrara
Receptive IT Solutions
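The two LDAP problems Alex describes cleaning up in the test environment (usernames that collide with a group name, and duplicate SIDs) are the sort of thing worth catching before running samba-tool classicupgrade against production. The check below is an added example, not code from the post or from Samba; it assumes an LDIF export of the Samba3 directory using the standard sambaSamAccount/sambaGroupMapping object classes, and the sample LDIF is constructed.

```python
# Pre-migration check for a Samba3/OpenLDAP export: flags users whose name
# matches a group and sambaSID values shared by more than one entry.
from collections import defaultdict

# Constructed sample LDIF: user "alice" clashes with group "alice", and
# user "bob" shares a SID with that group. LDIF continuation lines are not handled.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1-2-3-1000

dn: cn=alice,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
cn: alice
sambaSID: S-1-5-21-1-2-3-1001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-1-2-3-1001
"""

def parse_ldif(text):
    """Split LDIF into entries, each a dict of attribute -> list of values."""
    entries, entry = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():            # a blank line terminates an entry
            if entry:
                entries.append(entry)
                entry = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        entry[attr.strip()].append(value.strip())
    if entry:
        entries.append(entry)
    return entries

def find_problems(entries):
    """Return (sorted user/group name clashes, {sid: [dn, ...]} for duplicate SIDs)."""
    users = {e["uid"][0] for e in entries
             if "sambaSamAccount" in e["objectClass"] and e["uid"]}
    groups = {e["cn"][0] for e in entries
              if "sambaGroupMapping" in e["objectClass"] and e["cn"]}
    by_sid = defaultdict(list)
    for e in entries:
        for sid in e["sambaSID"]:
            by_sid[sid].append(e["dn"][0])
    dup_sids = {sid: dns for sid, dns in by_sid.items() if len(dns) > 1}
    return sorted(users & groups), dup_sids
```

Run it over the output of `slapcat` (or `ldapsearch -LLL`) from the old server; an empty result from both checks is the state to aim for before the real upgrade.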

