[Samba] Test successful migrate Samba3 to Samba4: keep existing servers and add a new AD DC
achen at harbourfrontcentre.com
Fri May 23 10:32:26 MDT 2014
I did a test migration from Samba3 to Samba4. So far everything works
fine. Great work! Thanks to the Samba team.
I want to share my experience with you and look for your comments.
My existing servers:
1. Samba 3.4.5 (compiled) server: domain logon + file sharing + printer
sharing (300 users + 200 Win7)
2. 5 Samba3 file servers (using the same LDAP backend, so uid and gid
are consistent on all servers)
3. OpenLDAP server: for the Samba3 backend and other applications
4. DHCP and DNS servers.
5. No Kerberos or winbind in the whole environment. *Any comments here?*
My objective is to keep the existing servers, with minor changes, while
implementing a Samba4 AD DC.
I have to keep my old LDAP server to authenticate other applications,
so the challenge is the synchronization between the old LDAP and the
new AD DC.
I plan to add some extra scripts to my existing LDAP management system.
In the test network:
I copied over all existing servers (all VMs),
created a new AD DC server (CentOS 6.2 32-bit) in the same subnet,
and compiled Samba 4.1.17 from the tar file.
I only copied schannel_store.tdb and secrets.tdb from the private folder
and smb.conf from Samba3 to the AD DC, into the folder /samba3db,
and then did the migration with this command on the AD DC:
/usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/samba3db
--use-xattrs=yes --realm=NT4domain.local /samba3db/smb.conf
My first try failed, so I added "sizelimit unlimited" to the LDAP
configuration, and I had to remove the "guest" account from the LDAP database.
After the migration is finished:
1. Stop the nmbd service on the Samba3 server.
2. Add a forwarder to DNS to point to the new AD DC for the domain.
3. Modify the DHCP service to not publish the WINS server, so Windows clients
do not know the Samba3 controller. *Any comments here?*
4. Start the samba service on the new AD DC. My XP and Win7 clients do not notice
the switchover, they just work! The mapped drives to Samba3 are still OK.
5. Join a window8R2 to the AD DC and take a look at the users and
groups; looks good.
6. On the AD DC server, wbinfo shows me that uid and gid are migrated.
So far I haven't tested any GPO stuff, because I don't have it in Samba3.
1. Logon is faster with the AD DC.
2. When joining a machine to the AD DC, I have to use the full domain name;
afterwards, I can use the short name "NT4domain" to log on. I think this
is normal, because "NT4domain.local" is the DNS domain.
3. Small changes to the logon script: I got lost with the "Home" share, so
I treat it as a mapped drive (still on Samba3).
4. smb.conf is much, much simpler on the AD DC; I don't modify anything,
because I don't share anything through the AD DC.
5. I have to keep users and groups synchronized by myself between the
new AD DC and the old LDAP.
Not a big deal, I manage my old LDAP accounts with scripts, so I can
do the same on the AD DC with its samba-tool.
I cannot let users change their password; this is the only drawback,
because I cannot capture the passwords.
Your inputs are welcome.
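An added example, not part of the original post or of Samba itself: a POSIX shell script for the LDAP-to-AD-DC account synchronization the post describes. It compares a constructed LDIF export of the old OpenLDAP with a constructed `samba-tool user list` output and prints, without running them, the `samba-tool user create` commands for accounts still missing on the AD DC, carrying over uidNumber/gidNumber so the file servers keep consistent ids; the `--uid-number`, `--gid-number` and `--random-password` options are assumed to exist in the deployed samba-tool version, and all names and ids are constructed.

```shell
#!/bin/sh
# Constructed sample: what `ldapsearch -LLL` on the old OpenLDAP prints for posixAccount entries.
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
uidNumber: 10001
gidNumber: 513

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
uidNumber: 10002
gidNumber: 513
'
# Constructed sample: output of `samba-tool user list` on the new AD DC.
SAMPLE_AD_USERS='Administrator
alice
'

# ldap_accounts: turn LDIF on stdin into one "uid uidNumber gidNumber" line per entry.
ldap_accounts() {
  awk '
    /^uid: /       { u = $2 }
    /^uidNumber: / { un = $2 }
    /^gidNumber: / { gn = $2 }
    /^$/           { if (u != "") print u, un, gn; u = un = gn = "" }
    END            { if (u != "") print u, un, gn }
  '
}

# missing_in_ad LDIF AD_LIST: accounts present in LDAP but absent from the AD DC.
missing_in_ad() {
  printf '%s' "$1" | ldap_accounts | while read -r u un gn; do
    if ! printf '%s\n' "$2" | grep -qxF "$u"; then
      printf '%s %s %s\n' "$u" "$un" "$gn"
    fi
  done
}

# plan_creates LDIF AD_LIST: print (do not execute) the samba-tool commands that would add the
# missing accounts. A random password is set on the AD side because, as the post notes, the LDAP
# password hashes cannot be reused. The option names are assumed, not taken from the post.
plan_creates() {
  missing_in_ad "$1" "$2" | while read -r u un gn; do
    printf 'samba-tool user create %s --random-password --uid-number=%s --gid-number=%s\n' "$u" "$un" "$gn"
  done
}

plan_creates "$SAMPLE_LDIF" "$SAMPLE_AD_USERS"
```

Run it against a real `ldapsearch` export and `samba-tool user list` output to review the planned commands before executing any of them.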