[Samba] Migrating Samba NT4 Domain to Samba AD

Rowland penny rpenny at samba.org
Mon Sep 16 17:43:51 UTC 2019


On 16/09/2019 17:26, Bartłomiej Solarz-Niesłuchowski wrote:
> W dniu 2019-09-16 o 16:30, Rowland penny via samba pisze:
>> On 16/09/2019 15:04, L.P.H. van Belle via samba wrote:
>>> Well it was worth checking.. We just don't know what you already 
>>> checked..
>
> now I setup the Ubuntu Server 18.04.3 LTS +
>
> http://apt.van-belle.nl/ + 
> https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt#L268
>
> + I changed krb (default is ... MIT!) to heimdal
>
> apt install heimdal-clients
>
>
>
> So now I have some success....
>
> 1. I add the second AD controller "themes" as stated in
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller 
>
>
> 2. bind is configured and it looks like it is working:
>
> root at themes:~# samba_dnsupdate --verbose --all-names
>
> ...
>
> update(nsupdate): SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl 
> themes.ad.wsisiz.edu.pl 389
> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl 
> themes.ad.wsisiz.edu.pl 389 (add)
> Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl 
> as THEMES$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl. 900 IN SRV 0 100 389 
> themes.ad.wsisiz.edu.pl.
>
> update(nsupdate): SRV 
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl 
> themes.ad.wsisiz.edu.pl 389
> Calling nsupdate for SRV 
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl 
> themes.ad.wsisiz.edu.pl 389 (add)
> Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl 
> as THEMES$
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl. 
> 900 IN SRV 0 100 389 themes.ad.wsisiz.edu.pl.
>
> 3. when I try to join another samba server (but as AD member!):
>
> [root at mask ~]# net ads join -U administrator
> Using short domain name -- WSISIZ.EDU.PL
> Joined 'MASK' to dns domain 'ad.wsisiz.edu.pl'
> DNS Update for mask.wsisiz.edu.pl failed: ERROR_DNS_GSS_ERROR
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> the message does not look good BUT the domain connection in fact works.....
>
> [root at mask ~]# wbinfo --ping-dc
> checking the NETLOGON for domain[WSISIZ.EDU.PL] dc connection to 
> "oceanic.ad.wsisiz.edu.pl" succeeded
>
>
> So how can I drop DC "oceanic" and reconnect whole network to DC 
> "themes"?
>
> (when I do it DC will be on server which has no shares (only netlogon 
> + sysvol?))

If 'oceanic' was the first AD DC you created, then it will hold the FSMO 
roles; you can check this with:

samba-tool fsmo show

If you see 'oceanic' amongst the output, then run this command on 'themes':

samba-tool fsmo transfer --role=all -U Administrator

You can then demote 'oceanic' by running this command on 'oceanic':

samba-tool domain demote -U Administrator

>
>
> And after disconnecting oceanic as DC - I want to do some cleaning of 
> ldap/AD ldap.

At this point you can just remove Samba entirely.

>
>
> I have workstations based both on Windows and Linux.
>
> Currently for Windows workstations the source of user data is Samba AD, 
> but for Linux workstations it is openldap.
>
> Problems are two:
>
> on Windows workstations we use "NThash", on Linux workstations we use 
> "SHA512" hash.
>
> So how can I arrange that if a user changes password via CTRL+ALT+DEL on 
> Windows, the password changing procedure in fact changes both hashes?

If you must keep your openldap machine (and you haven't actually told us 
what auths from it) you will need to script around this:

See here for an example (in French):

https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

However, if you are referring to Linux workstations running as Unix 
domain members, then you do not need to do anything, they and the users 
will auth directly from the Samba AD DC, provided that Samba is set up 
correctly. If you run:

getent passwd <a domain user> on a Unix domain member, you should get 
something like this:

rowland:*:10000:10000:Rowland Penny:/home/rowland:/bin/bash

>
> in the NT4 domain it was used
>
> pam password change = Yes
>
> which changes BOTH hashes.
>
>
> What do I need to do to preserve this feature?

I am not 100% convinced you need to do anything like this.

What do you use the openldap for?

A mailserver or something else?

You may be able to extend the AD schema with whatever it is you are 
using openldap for.

Rowland
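As an added example that is not part of this thread or of Samba itself: a POSIX sh helper that reads `samba-tool fsmo show` output and tells you whether the DC you are about to demote still holds any FSMO role, so the `fsmo transfer` step above is not skipped by mistake. The sample output below is constructed, and the script assumes the `<RoleName> owner: <NTDS Settings DN>` line format that `samba-tool fsmo show` prints.

```shell
#!/bin/sh
# Constructed sample of 'samba-tool fsmo show' output (not captured from
# the poster's domain): five roles still on OCEANIC, two already on THEMES.
SAMPLE_FSMO_OUTPUT='SchemaMasterRole owner: CN=NTDS Settings,CN=OCEANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=test
InfrastructureMasterRole owner: CN=NTDS Settings,CN=OCEANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=test
RidAllocationMasterRole owner: CN=NTDS Settings,CN=OCEANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=test
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=THEMES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=test
DomainNamingMasterRole owner: CN=NTDS Settings,CN=THEMES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=test
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=OCEANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=test
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=OCEANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=example,DC=test'

# roles_held_by <dc-hostname> <fsmo-show-output>
# Prints one role name per line for every role whose owner DN names the DC.
# The owner DN is "CN=NTDS Settings,CN=<DC>,CN=Servers,...", so the DC name
# is the second RDN; comparison is case-insensitive.
roles_held_by() {
    dc=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$2" | awk -v dc="$dc" '
        /^[A-Za-z]+Role owner: / {
            dn = $0; sub(/^[^:]*: /, "", dn)       # keep only the owner DN
            split(dn, rdn, ",")
            server = toupper(substr(rdn[2], 4))   # rdn[2] is "CN=<DC>"
            if (server == dc) print $1
        }'
}

# count_roles_held_by <dc-hostname> <fsmo-show-output>
# 0 means the DC owns no FSMO role and can be demoted without a transfer.
count_roles_held_by() {
    roles_held_by "$1" "$2" | wc -l | tr -d ' '
}

# plan_for_demotion <dc-hostname> <fsmo-show-output>
# Prints "transfer-first" when roles must be moved to the surviving DC
# (samba-tool fsmo transfer --role=all -U Administrator, run on that DC)
# before "samba-tool domain demote", otherwise "demote-ok".
plan_for_demotion() {
    if [ "$(count_roles_held_by "$1" "$2")" -gt 0 ]; then
        printf 'transfer-first\n'
    else
        printf 'demote-ok\n'
    fi
}

# On a live DC you would feed real output: plan_for_demotion oceanic "$(samba-tool fsmo show)"
plan_for_demotion oceanic "$SAMPLE_FSMO_OUTPUT"
```

Run it on the DC that will survive and, once it prints demote-ok for the old DC, proceed with the demote command on that old DC.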


