[Samba] Questions regarding upgrading existing PDC to Active Directory

[Rowland Penny]

On Wed, 2 Jan 2019 19:44:56 +0000
Bruce Vrieling via samba <samba at lists.samba.org> wrote:

> Hi all,
> 
> 
> I have an existing CentOS server at my school running Samba 4.8.8 as
> a PDC and using the Tranquil RPM’s (so they support AD). Samba has
> worked great for me for more than a decade with the users stored now
> in tdbsam (have not used LDAP, hope not to). This summer I want up
> upgrade the domain to an AD, and have some questions I was hoping
> someone could answer:

If you are going to use Samba AD, you ARE going to use ldap ;-)
Are you absolutely wedded to Centos, there will never be OS Samba AD
packages, can I suggest Debian instead, you will get better support for
this OS

> 
>   1.  TWO SERVERS: At the moment I have a single server (called
> Bigfoot) which acts as the PDC, file server, print server, pretty
> much everything. Given that in an AD world a DC should not also be a
> fileserver (we use Unix ACL’s exclusively, not Windows ACL’s), I plan
> to create a new server to be the DC (called Heimdall)

Why call it Heimdall ? this will just be confusing, why to use
something like 'DC1'

> and then
> Bigfoot will just be a domain member “file and email server” (I
> assume many single-server PDC setups take a route something like this
> when upgrading to AD). 

One DC and a fileserver is a good idea, but two DC's and a fileserver
is better ;-)

>In order to kick this off, I plan to a)
> transplant my existing Samba PDC setup on Bigfoot to Heimdall, b)
> classicupgrade it to AD to be the new DC; and then c) create a new,
> virgin Samba config on Bigfoot before joining Bigfoot to the AD
> domain as a member server. There are a lot of specifics I am missing,
> but does this approach generally sound right? 

It sounds okay so far.

>2.  NSSWITCH.CONF: Our
> users will continue to need to scp and ssh into Bigfoot. In order to
> allow AD domain users to authenticate to Bigfoot as unix users, do I
> just have to play with /etc/nsswitch.conf (assuming a valid winbind
> configuration)?

Provided the correct packages are installed and AD is configured
correctly, then yes.

> Some sources say I also have to play with files
> in /etc/pam.d. Do I? 

NO

>3.  EXISTING UNIX INFORMATION: I understand that
> the DC on Heimdall will now contain all my Windows authentication
> information, and that if add RFC2307 extensions to the directory,
> will also be able to store unix UID and GID information. 

>Question: I have 500 existing users. Should I be stuffing their existing UID and
> GID information into the AD before I let them log into Bigfoot?

If you run the classicupgrade, this will be done for you, but more
later.

> Or when someone ssh’s into Bigfoot, and winbind sees that user already
> exists locally, would it stuff this information itself automatically
> if it doesn’t exist yet? 

They will not be able to login unless the exist in AD.

>4.  VALID UID’s: My existing unix uid’s on
> bigfoot start at 500 (that is how CentOS started numbering them many
> years ago). Is that a problem?

Could be, when you had users in /etc/passwd and Samba, this was
acceptable, but now all your users will be in AD, it isn't really a
good idea.

> I thought I saw somewhere that starting at 1000 is the new normal.

For normal Unix users it is. 

>5.  NEW USERS AND /ETC/PASSWD: Suppose I create a totally new user
>in the AD. Then they connect/authenticate to bigfoot for the first time. Do they get
> entries in /etc/passwd and others? If I am understanding the purpose
> of a directory properly, I am thinking *not*. 

Correct, your users & groups will never be in /etc/passwd or /etc/group.

>So, when do their uid and gid get stuffed into the AD? Will this happen automagically or do
> I have to do this manually?

When you add them.

> 6.  EXTENT OF NSSWITCH.CONF: Suppose I create a totally new Windows
> user in AD on my DC, they have not yet logged into Bigfoot, and an
> email arrives at Bigfoot addressed to them. Does the nsswitch.conf
> magic also ensure that sendmail/procmail/dovecot will realize that
> this email is for a real user and accept it?

Should do, as long as 'getent passwd username' shows them as users. I
would however suggest you consider using something like Kopana, this
will store the mailserver info in AD.
 
> I do plan to model this all in VM’s before I actually do this in
> production, but I am trying to understand the process as much as
> possible before I begin.

It might be a good idea to read the Samba wiki:

https://wiki.samba.org/index.php/Main_Page

Running a PDC is nothing like running an AD DC, in some ways it is
easier, but others, it is harder, but only because it does more ;-)

Rowland