[Samba] Replace SBS2003 with Samba4

Kris Lou klou at themusiclink.net
Fri Aug 12 17:08:26 UTC 2016


This looks like an O'Reilly book waiting to happen.  Thanks for sharing.


Kris Lou
klou at themusiclink.net

On Thu, Aug 11, 2016 at 4:38 PM, Mark Foley via samba <samba at lists.samba.org> wrote:

> Anastasios,
>
> I've done exactly what you want to do, only starting from SBS2008.  Our office went down this road in 2014 when we investigated upgrading from SBS2008 only to find that MS replacement, Server Essentials, did not support Exchange.  We currently have a "no cloud" policy, so going to Office 365, as you have done, was not an option (and btw, have you not considered Server Essentials since you don't need Exchange?).
>
> We've been running Samba4 AD/DC as an SBS2008 replacement (DNS server, redirected folders, mail server, ...) for nearly 2 years with no problems whatsoever, and without the domain users noticing a single hiccup.
>
> I'll share the basics of what we did.  My internal documentation is 49 pages long, so this message will, of necessity, be abbreviated.
>
> After trying other distros I settled on Slackware64 14.1 where everything pretty much worked out of the box.  Your favorite distro should also work, but I'll stick with describing what I have hands-on knowledge about and you'll have to figure out the differences.
>
> What I cannot help you with is setting up a secondary DC (I've not done that, though it is clear from this list that others have), nor anything to do with DirSync - no experience with that at all. But first things first!
>
> I used the Samba wiki as my "bible" to get started: https://wiki.samba.org/index.php/User_Documentation, plus many other helpful sites.
>
> I started by creating an isolated test network with my future Samba4 AD/DC and 2 eventual domain member test workstations; one Windows 7, one XP (remember, this was 2 years ago. We still had XP workstations).
>
>
> I first configured the "server" for plain, vanilla DNS and DHCP serving. Samba4 AD/DC can do DNS and is apparently recommended, but I did not do that to start -- baby steps. Here are my non-DC named.conf and zone files. Sorry, they are a bit lengthy, but are very "standard". If you're familiar with named these might be helpful. If not, you'll need to do some research (or send me questions directly) as we'll not have space for a DNS tutorial.
>
> =============SNIP====================
> # /etc/named.conf:
> options {
>         directory "/var/named";
>
>         forwarders {    // These are the ISP provided name servers
>             66.193.88.3;
>             66.192.88.4;
>         };
>
>         allow-query {   // Permit querying by others in the domain
>             192.168.0.0/24;
>             127.0.0.1;
>         };
> };
>
> zone "localhost" IN {
>         type master;
>         file "db.local";
> };
>
> zone "127.in-addr.arpa" IN {
>         type master;
>         file "db.127";
> };
>
> zone "hprs.local" in {
>     type master;
>     allow-update { 192.168.0.2; 127.0.0.1; };         // local DHCP server
>     file "/etc/bind/db.hprs.local";
> };
>
> zone "0.168.192.in-addr.arpa" in {
>     type master;
>     allow-update { 192.168.0.2; 127.0.0.1; };         // local DHCP server
>     file "/etc/bind/db.192.168.0";
> };
>
> =============SNIP====================
> # /var/named/db.local
>
> ;
> ; BIND data file for local loopback interface
> ;
> $TTL    604800
> @       IN      SOA     localhost. root.localhost. (
>                               2         ; Serial
>                          604800         ; Refresh
>                           86400         ; Retry
>                         2419200         ; Expire
>                          604800 )       ; Negative Cache TTL
> ;
> @       IN      NS      localhost.
> @       IN      A       127.0.0.1
> @       IN      AAAA    ::1
>
> =============SNIP====================
> # /var/named/db.127
>
> ;
> ; BIND reverse data file for local loopback interface
> ;
> $TTL    604800
> @       IN      SOA     localhost. root.localhost. (
>                               1         ; Serial
>                          604800         ; Refresh
>                           86400         ; Retry
>                         2419200         ; Expire
>                          604800 )       ; Negative Cache TTL
> ;
> @       IN      NS      localhost.
> 1.0.0   IN      PTR     localhost.
>
>
> =============SNIP====================
> # /var/named/db.hprs.local:
>
> $ORIGIN .
> $TTL 4H
> hprs.local              IN SOA  mail.hprs.local. sysadmin.mail.ohprs.org. (
>                                 100     ; serial
>                                 3H      ; refresh (3 hours)
>                                 1H      ; retry (1 hour)
>                                 8H      ; expire (8 hours)
>                                 1H      ; minimum (1 hour)
>                                 )
>                         NS      mail.hprs.local.
> $ORIGIN hprs.local.
> $TTL 4H
> mail                    A       192.168.0.2
> richo                   A       192.168.0.20
>
>
> =============SNIP====================
> # /etc/bind/db.192.168.0:
>
> $ORIGIN .
> $TTL 4H
> 0.168.192.in-addr.arpa  IN SOA  mail.hprs.local. sysadmin.mail.ohprs.org. (
>                                 100     ; serial
>                                 3H      ; refresh (3 hours)
>                                 1H      ; retry (1 hour)
>                                 8H      ; expire (8 hours)
>                                 1H      ; minimum (1 hour)
>                                 )
>                         NS      mail.hprs.local.
>
> $ORIGIN 0.168.192.in-addr.arpa.
> $TTL 4H
> 2                       PTR     mail.hprs.local.
> 20                      PTR     richo.hprs.local.
> =============SNIP====================
>
> Another reason I've included these is that very few tweaks to these files are needed to get them working with Samba4.
>
> The DC requires ACL to be enabled. So, make sure you've formatted your drive with ext4, and add acl to your mount options in /etc/fstab. E.g.:
>
> /dev/md0        /                ext4        defaults,acl         1   1
>
> Now you're ready to provision the domain. I ran:
>
> /usr/local/samba/bin/samba-tool domain provision --use-rfc2307 \
>   --server-role='dc' --realm=hprs.local --domain=HPRS \
>   --adminpass='password' --dns-backend=BIND9_FLATFILE \
>   --option="interfaces=lo eth1" --option="bind interfaces only=yes"
>
> Of course, use your own realm and domain names.  I picked hprs.local because that was exactly how our SBS2008 had the name and I was afraid to mess with that.  It turns out having .local in your FQDN is not recommended and will cause future problems with the nsswitch.conf line:
>
> hosts:          files mdns4_minimal [NOTFOUND=return] dns
>
> which will have to be replaced with:
>
> hosts:          files dns
>
> I had to do this on an Ubuntu domain member workstation. See http://www.linuxquestions.org/questions/linux-networking-3/ping-does-not-resolve-name-while-nslookup-does-251446/ for a discussion. If you can make the realm something other than xyz.local, do so.
>
> I used --dns-backend=BIND9_FLATFILE, which will use named and the DNS config files I created. I did this for a couple of reasons.  For one thing, I wasn't able to get the Samba Internal DNS or BIND_DLZ working -- probably lack of experience on my part.  Secondly, I'm doing some special things with DNS and DHCP peculiar to our office and felt I had better control that way. See https://wiki.samba.org/index.php/DNS for more information on this. Using my existing (proven working!) bind9 settings was dead simple.
>
> My AD/DC has 2 network cards: one Internet facing (email) and one LAN facing. I had to specify --option="interfaces=lo eth1" to get it to pick the correct (LAN facing) interface.
>
> The provision command will output a lot of information. One line is:
>
>   A Kerberos configuration suitable for Samba 4 has been generated at
>   /etc/samba/private/krb5.conf
>
> You should copy or symlink that to /etc/krb5.conf.  You'll likely need this later if you have programs (mail MDA?) that want to do any local kerberos authentication.
>
> This may now have made it into the wiki docs, but change your /etc/nsswitch.conf to have the following:
>
> passwd:         compat winbind
> shadow:         compat winbind
> group:          compat winbind
>
> Adding the winbind method to these will permit local programs like sendmail to authenticate with AD authentication.
>
> Maybe things have changed now, but the default provisioning does not create suitable Group ID or starting User ID numbers. Correct initial values need to be set before adding domain users. To do this edit the sam.ldb database file:
>
> $ ldbedit -H /etc/samba/private/sam.ldb
>
> Search for "dn: cn=hprs,cn=ypservers".
>
> Scroll down to "msSFU30Domains:". Add the following lines under this (if they do not already exist):
>
> msSFU30MaxGidNumber: 10001
> msSFU30MaxUidNumber: 10001
>
> Close/Save.
>
> The "msSFU30MaxGidNumber: 10001" will be the starting User ID for domain users. The "msSFU30MaxUidNumber: 10001" will be the Group ID for all domain users. It is important that these values be set before adding new users to the domain!
>
> See: https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
> Now, to get DNS working with Samba4 ...
>
> In the named.conf file I listed above, remove the line "directory /var/named".
>
> Remove the local zone file definitions for e.g. hprs.local and 0.168.192.in-addr.arpa, keep the localhost and 127.in-addr.arpa zone file definitions.
>
> At the bottom of the named.conf, add the line:
>
> include "/etc/samba/private/named.conf";
>
> The provisioning step will have created this file. In /etc/samba/private/named.conf, make the following changes:
>
> ==================ADD/CHANGE=================
> zone "hprs.local." IN {
>   type master;
>   allow-update { 192.168.0.0/24; 127.0.0.1; };
>   file "/etc/samba/private/dns/hprs.local.zone";
>
> # comment out the following line:
> # include "/etc/samba/private/named.conf.update";
>
> /* we need to use check-names ignore so _msdcs A records can be created */
>   check-names ignore;
> };
> ==================SNIP=================
>
> The allow-updates line will permit the local DHCP server to update. Of course you are welcome to experiment with other methods such as using a gss key.
>
> The domain Windows workstations will want to update the zone files. If they cannot, you will continuously get the syslog message:
>
> syslog:Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied
>
> This can be fixed by permitting these updates; hence the addition of 192.168.0.0/24 to the allow-updates directive which will allow any workstation on the subnet to update.
>
> I've also configured the "optional" reverse zone file:
>
> ==================ADD=================
> zone "0.168.192.in-addr.arpa" in {
>     type master;
>     allow-update { 192.168.0.0/24; 127.0.0.1; };           // local DHCP server
>     file "/etc/samba/private/dns/db.192.168.0";
> };
> ==================SNIP=================
>
> The samba-tool provisioning step will also create a /etc/samba/private/dns/hprs.local.zone file.
>
> I'll not go into detail about the dhcpd.conf file, but the following were lines I needed to add:
>
> ddns-updates on;
> update-static-leases on;
> allow unknown-clients;
> ddns-update-style interim;
> zone hprs.local. { primary 192.168.0.2; }
> zone 0.168.192.in-addr.arpa. { primary 192.168.0.2; }
>
> subnet 192.168.0.0 netmask 255.255.255.0 {
>     option routers 192.168.0.2;
>     range 192.168.0.100 192.168.0.254;
>     option domain-name-servers 192.168.0.2, 66.193.88.3;
>     option domain-name "hprs.local";
>     ddns-domainname = "hprs.local.";
>     ddns-rev-domainname = "in-addr.arpa.";
> }
>
> btw - the local IP of my AD/DC is 192.168.0.2, probably should have mentioned that earlier.
>
> Now you're ready to fire up the AD/DC. You'll need an init script for your distro. I can send you the one I have for Slackware if you need a starting template. Basically, you just run the command `samba`.
>
> Reboot.
>
> Run `smbclient`, to check if Samba provides the AD DC default shares 'netlogon' and 'sysvol' created in your 'smb.conf' during provisioning/upgrading:
>
> $ smbclient -L localhost -U%
> Domain=[HPRS] OS=[Unix] Server=[Samba 4.1.11]
>
>         Sharename       Type      Comment
>         ---------       ----      -------
>         netlogon        Disk
>         sysvol          Disk
>         IPC$            IPC       IPC Service
> Domain=[HPRS] OS=[Unix] Server=[Samba 4.1.11]
>
>         Server               Comment
>         ---------            -------
>
>         Workgroup            Master
>         ---------            -------
>
> To test that authentication is working, you should try to connect to the netlogon share, using the Domain Administrator account, created during provisioning:
>
> $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
> Enter Administrator's password:
> Domain=[HPRS] OS=[Unix] Server=[Samba 4.1.11]
>   .                                   D        0  Fri Jun 27 13:43:19 2014
>   ..                                  D        0  Fri Jun 27 14:01:34 2014
>
>                 36003 blocks of size 2097152. 32095 blocks available
>
> There are various additional tests to perform, see:
> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
>
> Set Administrator Password to not Expire:
>
> $ samba-tool user setexpiry administrator --noexpiry
> Expiry for user 'administrator' disabled.
>
> Assuming your AD/DC is now working, you'll have to set things up for domain users. While samba-tool works ... ish, it's easier to use RSAT.
>
> https://wiki.samba.org/index.php/Installing_RSAT.
>
> Do you do Remote Desktop? Follow these instructions EXACTLY:
>
> http://www.dannyeckes.com/server-2012-enable-remote-desktop-rdp-group-policy-gpo/
>
> I use Remote Desktop to access workstations externally. Most people feel VPN is a better choice. If you want to use Remote Desktop let me know and I'll give you info on what I did to duplicate the functionality of Remote Web Workplace. If you have Mac workstations, Apple has a "Microsoft Remote Desktop" at the Apple App Store. I have 2 users accessing their Windows 7 desktop from their home Mac computer with that.
>
> Set up redirected folder:
>
> http://www.alexwyn.com/computer-tips/folder-redirection-samba4-active-directory-domain-controller
>
> If your users use MS Office you'll have to set up an MS Office 'Protected View' and 'Trust Center' GPO. Let me know if you need instructions on that.
>
> Note that on your backup, you'll want to save ACLs. I can show you what I did if you want to do the same.
>
> Now, add computers and workstations. For your "real" domain, you'll first want to remove each workstation from your existing domain. Of course, you'll need the workstation's machine admin ID and password to be able to log in once you're off the domain.
>
> Physically connect your new Samba4 AD/DC to the real office LAN and boot. One by one, join each workstation to the domain.
>
> IMPORTANT! time synchronization needs to be maintained between the AD/DC and workstations. Of course, make sure ntpd is running on the AD/DC. However, Windows does not play nicely with ntpd, see: https://www.meinbergglobal.com/english/info/ntp-w32time.htm
>
> To fix this, log into the workstation as the domain administrator, get to a command prompt, and enter the following commands:
>
> > w32tm /config /manualpeerlist:mail,0x8 /syncfromflags:MANUAL
> > w32tm /config /update
>
> Add Domain Users
>
> In RSAT, Active Directory Users and Computers, Add new user. Enter whatever you want for name, password, etc., but some particulars:
>
> If you want to permit Remote Desktop, add the user to that group you created (above) in 'Member Of'.
>
> Note! Do not add users to the "Administrators" Group! This will cause any files the user creates in MAIL:/redirectedFolders (Desktop) to be created with the Administrator's UID of 3000000, not with their own UID. This will then cause problems when opening documents such as "Opening in Protected View" or "This file came from the Internet ...".
>
> On the Unix Attributes tab, confirm that the user will be added with the next domain UID starting at 10001, and the group name is "Domain Users".  The NIS domain should be the domain you configured during provisioning.  Set the user's shell to e.g. /bin/bash, and the user's home directory to "/home/yourdomain/username", which should be defaulted and you shouldn't have to fill it in.
>
> You may have to update the group policies (gpupdate) to get this to take sooner rather than later.
>
> On the DC, check the user's info:
>
> $ wbinfo -i username
> HPRS\username:*:10001:10000:A Domain User:/home/HPRS/username:/bin/bash
>
> Probably, adding this user will cause a new folder to be created on the workstation in C:\Users when they log in the first time, e.g.  C:\Users\joe.0000 (versus just 'joe').  That means the user's desktop will be empty.  What I did was copy the user's Desktop, Documents, Favorites, Photos, Music, etc. while still connected to the old SBS2008.  I even snagged their Outlook autocomplete file.  Then, I copied the files to the users' redirected folders on the Samba4 server -- make sure to set the ownership correctly.  That worked for me. Do one user at a time, to verify.
>
> That should do it! There are certainly details you'll either need to figure out or post another message. All this worked for me pretty much without any real problem. And, as I've said, we've been running for 2 years trouble-free (and SBS free!).
>
> Good luck --Mark
>
> -----Original Message-----
> > From: Anastasios Papadopoulos <tpapad at gmail.com>
> > Date: Fri, 29 Jul 2016 18:20:14 +0300
> > To: samba at lists.samba.org
> > Subject: [Samba] Replace SBS2003 with Samba4
> >
> > Hello all,
> >
> > I'm currently investigating the option to completely replace an SBS2003 DC with a Samba4 DC. My research (mostly on samba.org guides) shows that it is feasible, however I'd like to get feedback from the community on my goals.
> >
> > Current status:
> > A Windows SBS 2003 is the PDC and a W2008 R2 server is acting as secondary DC. Domain operational level is 2003.
> > There are ~40-50 users/workstations using the SBS as file server.
> > Until recently, SBS was also the mail server (built-in Exchange 2003) but a couple of months ago we migrated to Office 365. The migration included the setup of DirSync so our AD syncs with O365 for users/groups/password etc.
> > Exchange is still running but w/o any mailbox or clients using it.
> >
> > My goals (please feel free to correct the order or comment on the feasibility of each step):
> >
> >    - Setup a new Samba4 DC
> >    - Join the Samba4 to the domain
> >    - Assume all roles from SBS2003 (FSMO)
> >    - Configure DirSync so that it still syncs AD changes to Office 365
> >    - Migrate all files from SBS to Samba4 (either to Samba PDC or a new Samba4 member server)
> >    - Demote the SBS2003 server (and eventually recycle it...)
> >    - Demote the W2008 R2 server (so it only serves as member server, i.e. SQL Server). A second Samba4 DC can be installed to achieve redundancy
> >    - (Optional) Continue using current ADUC console for user management etc
> >
> > I guess the really tricky part would be to maintain DirSync functionality while replacing the DCs.
> >
> > I'd like to hear your thoughts: Are those goals doable? What should I watch for or avoid?
> >
> > Thank you very much,
> >
> > --
> > Tasos
> > --
> > To unsubscribe from this list go to the following URL and read the instructions:  https://lists.samba.org/mailman/options/samba
> >
>
>
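The steps in Mark's message come down to a handful of configuration checks (the acl mount option, winbind in nsswitch.conf, the allow-update ACL on the AD zone) and one log line to watch for (named's "update denied"). The script below is an added example, not code from Mark's message or from the Samba project; it re-checks those pieces from a defender's side and triages "update denied" lines against the ACL that named is supposed to be running. All file contents, hostnames and syslog lines in it are constructed for illustration (modelled on the quoted files), and the mismatch labels it emits are this example's own naming. One point it makes explicit, which the message only hints at with "a gss key": an allow-update of 192.168.0.0/24 lets any host on that subnet rewrite the AD zone without authentication, so the check flags a subnet-wide ACL for review.

```python
import ipaddress
import re

# Constructed sample inputs, modelled on the files and the syslog line quoted
# in the message above; none of these values come from a live system.
SAMPLE_FSTAB = """/dev/md0        /                ext4        defaults,acl         1   1
/dev/md1        /home            ext4        defaults             1   2
"""

SAMPLE_NSSWITCH = """passwd:         compat winbind
shadow:         compat winbind
group:          compat
hosts:          files mdns4_minimal [NOTFOUND=return] dns
"""

SAMPLE_NAMED = """zone "hprs.local." IN {
  type master;
  allow-update { 192.168.0.0/24; 127.0.0.1; };
  file "/etc/samba/private/dns/hprs.local.zone";
  check-names ignore;
};
"""

SAMPLE_SYSLOG = [
    "Jul 30 20:35:20 mail named[792]: client 192.168.0.101#58026: update 'hprs.local/IN' denied",
    "Jul 30 20:36:02 mail named[792]: client 10.9.8.7#4444: update 'hprs.local/IN' denied",
    "Jul 30 20:36:10 mail named[792]: client 192.168.0.2#53: update 'other.example/IN' denied",
]


def root_has_acl(fstab_text):
    """True when the '/' entry in fstab carries the 'acl' mount option."""
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/":
            return "acl" in fields[3].split(",")
    return False


def nsswitch_issues(nss_text):
    """List the databases still missing winbind, plus the mdns4_minimal caveat."""
    issues = []
    for line in nss_text.splitlines():
        db, sep, sources = line.partition(":")
        if not sep:
            continue
        db, methods = db.strip(), sources.split()
        if db in ("passwd", "shadow", "group") and "winbind" not in methods:
            issues.append(f"{db}: add winbind")
        if db == "hosts" and "mdns4_minimal" in methods:
            issues.append("hosts: drop mdns4_minimal (breaks .local realms)")
    return issues


ZONE_RE = re.compile(r'zone\s+"(?P<name>[^"]+)"[^{]*\{(?P<body>.*?)\n\};', re.S)
ALLOW_RE = re.compile(r"allow-update\s*\{(?P<acl>[^}]*)\}")


def allow_update_acl(named_text, zone):
    """Parse one zone's allow-update ACL into ip_network objects ([] if absent)."""
    for m in ZONE_RE.finditer(named_text):
        if m.group("name").rstrip(".") != zone.rstrip("."):
            continue
        acl = ALLOW_RE.search(m.group("body"))
        if acl is None:
            return []
        return [ipaddress.ip_network(e.strip(), strict=False)
                for e in acl.group("acl").split(";") if e.strip()]
    return []


def acl_is_subnet_wide(acl):
    """True when a non-loopback entry is wider than one host, i.e. every
    machine on that subnet may rewrite the AD zone without a TSIG/GSS key."""
    return any(not n.is_loopback and n.prefixlen < n.max_prefixlen for n in acl)


DENIED_RE = re.compile(
    r"client (?P<ip>[0-9.]+)#\d+: update '(?P<zone>[^/']+)/IN' denied")


def classify_denials(log_lines, named_text):
    """Triage 'update denied' lines against the ACL that named should be running."""
    results = []
    for line in log_lines:
        m = DENIED_RE.search(line)
        if m is None:
            continue
        ip, zone = ipaddress.ip_address(m.group("ip")), m.group("zone")
        acl = allow_update_acl(named_text, zone)
        if not acl:
            label = "unknown-zone"            # no such zone (or no ACL) in this named.conf
        elif any(ip in net for net in acl):
            label = "acl-permits-but-denied"  # config not reloaded, or another file is live
        else:
            label = "outside-acl"             # a host off the LAN trying to update: look at it
        results.append((str(ip), zone, label))
    return results


if __name__ == "__main__":
    print("root has acl:", root_has_acl(SAMPLE_FSTAB))
    print("nsswitch:", nsswitch_issues(SAMPLE_NSSWITCH))
    acl = allow_update_acl(SAMPLE_NAMED, "hprs.local")
    print("allow-update:", [str(n) for n in acl], "subnet-wide:", acl_is_subnet_wide(acl))
    for item in classify_denials(SAMPLE_SYSLOG, SAMPLE_NAMED):
        print("denial:", item)
```

On a real DC you would read /etc/fstab, /etc/nsswitch.conf and /etc/samba/private/named.conf in place of the constructed strings and feed it the named lines from syslog. The "acl-permits-but-denied" label is the interesting one after an edit like the one above: it means the file you changed is not the configuration named is actually serving, so reload named (or check which named.conf is included) before widening the ACL any further.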

