[Samba] classic upgrade woes, ignores realm

Patrick von der Hagen patrick.vdhagen at wiso-tech.de
Sun Mar 31 12:37:44 UTC 2019


On 31.03.19 at 14:08, Rowland Penny via samba wrote:
> On Sun, 31 Mar 2019 13:37:44 +0200
> Patrick von der Hagen via samba <samba at lists.samba.org> wrote:
>
>> I am running samba as a fileserver, having some users (LDAP backend)
>> and lots of files. No machines ever joined this setup. Now I want to
>> join some clients, but want to upgrade to AD before I do that.
>> Configuration is quite old, but had no issues so far. I've been
>> following
>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>>
>> Since the LDAP backend runs on the old server and blocks ports
>> 389/636, I want to follow "Upgrading on a new server" and I want to
>> follow "Domain Controller name" because the new server has a
>> different name, which should be "DC1".
>>
>> The new server is running Ubuntu 18.10, which provides samba 4.8.4.
>> Provisioning a new domain works flawlessly, no issues there. But I
>> really want to perform an upgrade, migrating users and groups.
>>
>> In smb.conf, "netbios name = DC1" and "workgroup = WORKGROUP",
>> hostname returns "dc1", hostname -f returns "dc1.samdom.domain.de".
>>
>> I prepared a local slapd and copied the samba-databases.
>>
>> I start the process like this:
>>
>> samba-tool domain classicupgrade --dbdir=/root/samba/ --realm=samdom.domain.de --dns-backend=SAMBA_INTERNAL -d 2 /root/smb.conf
>>
>> Output:
>> ...
>> smbldap_search_domain_info: Searching
>> for:[(&(objectClass=sambaDomain)(sambaDomainName=DC1))]
>> ...
>> sid S-1-5-21-... does not belong to our domain
>> ...
>> Cannot open wins database, Ignoring: [Errno 2] No such file or
>> directory: '/root/samba/wins.dat'
>> ...
>> Adding DomainDN: DC=DC1
>> DN: DC=DC1 is a NC
>> ...
>> Admin password:        xxxxxxxxxxxxxxxxxxxxx
>> Server Role:           standalone server
>> Hostname:              dc1
>> NetBIOS Domain:        DC1
>> DNS Domain:            dc1
>> DOMAIN SID:            S-1-5-21-2467318493-10260708-2946515883
>> ...
>> Cannot open idmap database, Ignoring: [Errno 2] No such file or
>> directory ...
>>
>> Content of /etc/samba/smb.conf (complete!):
>> [global]
>>           log level = 2
>>           netbios name = DC1
>>           passdb backend = samba_dsdb
>>           realm = SAMDOM.DOMAIN.DE
>>           server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>           workgroup = WORKGROUP
>>           idmap_ldb:use rfc2307 = yes
>>
>> Obviously, smb.conf is not complete.
>>
>> My questions:
>>
>> Documentation says, to change "netbios name" before upgrade if you
>> want to change the domain controller name. But it is used in the ldap
>> query for sambaDomainName, so currently I have to change it to
>> WORKGROUP in order to import the LDAP data. How do I fix that?
>>
>> "DNS Domain" should be the realm I specified at the commandline? Why
>> is it ignored and why is sambaDomainName used instead?
>>
>> Is it normal to get a smb.conf file that does not work? Is it
>> intended as a starting point or should it convert my previous
>> configuration? At least "server role" is missing and "server
>> services" contains "dnsupdate" which it should not with
>> SAMBA_INTERNAL.
>>
>> Do I have to worry about wins.dat missing? I don't have such a file.
>>
>> Best regards
>> Patrick
>>
>>
> Let's start with the obvious questions:
>
> What is the original OS ?
> What OS are you moving to ?
> What version of Samba is on the original OS ?
> and finally and most importantly, What is in the original smb.conf ?

The old server runs Ubuntu 18.04 (LTS) and samba 4.7.6-Ubuntu. I'd stick
with LTS, but it has the same issues, so I upgraded the new server to
Ubuntu 18.10 and samba 4.8.4.

Configuration:

[global]
    security = user
    workgroup = WORKGROUP
    netbios name = DC1
    server string = %h server (Samba, Ubuntu)
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    panic action = /usr/share/samba/panic-action %d
    server role = standalone server
    passdb backend = ldapsam:ldap://localhost
    ldap suffix = dc=domain,dc=de
    ldap user suffix = ou=People
    ldap group suffix = ou=Group
    ldap machine suffix = ou=machines
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=admin,dc=domain,dc=de
    ldap ssl = off
    ldap passwd sync = yes
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user

and some shares, which should not matter.

Best regards
Patrick
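
A way to catch the mismatch described in this thread before any client is joined, as an added example that is not part of the original post or of Samba: it parses the summary block that `samba-tool domain classicupgrade` printed and compares it with the values the operator intended. The function names, the expected server-role string, and the rule that DNS Domain should equal the realm and NetBIOS Domain the workgroup are assumptions of this example.

```python
import re

# Constructed sample: summary lines copied from the classicupgrade output quoted in the post.
SAMPLE_OUTPUT = """\
Adding DomainDN: DC=DC1
DN: DC=DC1 is a NC
Server Role:           standalone server
Hostname:              dc1
NetBIOS Domain:        DC1
DNS Domain:            dc1
"""

FIELD = re.compile(r"^(Server Role|Hostname|NetBIOS Domain|DNS Domain):\s+(.*\S)\s*$")


def parse_summary(output):
    """Collect the 'Field: value' summary lines from the tool output."""
    fields = {}
    for line in output.splitlines():
        match = FIELD.match(line.strip())
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def check_summary(output, realm, workgroup, hostname,
                  role="active directory domain controller"):
    """Return (field, found, wanted) for every value that differs from the plan.

    Assumption of this example: the operator wants DNS Domain == realm,
    NetBIOS Domain == workgroup, and a domain controller server role.
    """
    found = parse_summary(output)
    wanted = {
        "Server Role": role,
        "Hostname": hostname,
        "NetBIOS Domain": workgroup,
        "DNS Domain": realm,
    }
    problems = []
    for field, want in wanted.items():
        got = found.get(field)  # None when the line is missing entirely
        if got is None or got.lower() != want.lower():
            problems.append((field, got, want))
    return problems


if __name__ == "__main__":
    for field, got, want in check_summary(
            SAMPLE_OUTPUT, "samdom.domain.de", "WORKGROUP", "dc1"):
        print(f"MISMATCH {field}: found {got!r}, wanted {want!r}")
```
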



