[Samba] Ubuntu 18.04 classicupgrade help

Carl Hunter cdhunter2 at yahoo.com
Wed Jul 15 19:13:13 UTC 2020


 On Wednesday, July 15, 2020, 02:50:09 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
 
 
 On 15/07/2020 19:26, Carl Hunter via samba wrote:
>  On Wednesday, July 15, 2020, 03:16:00 a.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>  
>  
>  On 15/07/2020 01:14, Carl Hunter via samba wrote:
>> I've currently got an Ubuntu 18.04 server running Samba 4.7.6 with an NT4 domain that I'd like to migrate to an AD.  I've found the following link but am struggling to match up the steps with the Ubuntu install.
>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>> I've also found this post that creates a Samba AD on Ubuntu 18.04 from scratch but doesn't have the upgrade steps.
>> https://blog.ricosharp.com/posts/2019/Samba-4-Active-Directory-Domain-Controller-on-Ubuntu-18-04-Server
> That howto isn't bad, he just got /etc/hosts wrong ;-)
>> Would someone be able to help with some questions?
>> In the first link, the "Server information used in this HowTo" section lists a bunch of settings.  I'm not sure how that matches up with Ubuntu.
> The paths refer to a self compiled Samba, Ubuntu uses different paths
> e.g. /var/lib/samba
>> I'm not using ldap, my smb.conf file has "passdb backend = tdbsam:/var/lib/samba/passdb.tdb" in it if that's any help.
> Just ignore anything to do with ldap
>> Under the "Domain controller name" section it talks about a "netbios name =" line in the smb.conf file.  I don't have that in mine but I do have a "workgroup =" line.  Is this the same thing?
> No and you only really need the line if you are changing the computers
> hostname during the upgrade.
>
>> Does the classicupgrade just "convert" a bunch of files like the passdb.tdb and smb.conf files?  And unless you actually replace the files and start the AD service nothing actually changes?
> Bit more involved than that, all the users and groups are obtained from
> the existing database (along with passwords and the domain SID). This
> information is then used to provision a new AD domain.
>> I think I should stop there.
>> Thanks in advance and hopefully this makes some sense.
> Yes, it did ;-)
>
> Rowland
>
> Thanks for the help.  I've got some more questions though about the following list.
> AD DC Installation Directory:       /usr/local/samba/
> AD DC Hostname:                     DC1
> AD DNS Name:                        samdom.example.com
> Realm:                              samdom.example.com
> NT4 Domain Name:                    samdom
> IP Address:                         192.168.1.1
> Databases of the Samba NT4-domain:  /usr/local/samba.PDC/dbdir/
> smb.conf of the Samba NT4-domain:   /usr/local/samba.PDC/etc/smb.PDC.conf
> So for Ubuntu the first line would be /var/lib/samba right?
Yes
> What would the last two lines in the list be for Ubuntu?
Replace '/usr/local/samba' with '/var/lib/samba'
> My NT4 domain is all uppercase.  Would it stay that way for the first part of the AD DNS Name and Realm lines?
Let's say your NT4 domain is SAMDOM.EXAMPLE.COM, you would use 
samdom.example.com for the dns name and SAMDOM.EXAMPLE.COM for the realm
> The section talking about moving the /usr/local/samba/ directory, does that still apply to the /var/lib/samba directory?
Yes
>  And is the /etc/samba/smb.conf file the one that needs to be moved like the /usr/local/samba.PDC/etc/smb.conf file?
Yes
> I'm assuming I need to install Kerberos since it's not currently installed on the system to get the classicupgrade to work?

There is an old saying 'assume makes an ass of u & me' ;-)

Or to put it another way, no, Samba uses its version of the Heimdal 
Kerberos, you just need to install the required Samba packages, on 
Ubuntu 18.04, these would be:

samba winbind libnss-winbind libpam-winbind libpam-krb5 ntp binutils 
ldb-tools krb5-user

You should test the upgrade in a different network, to iron out any 
problems.

How large is your domain ?

If it is small, you may be better off creating a new AD domain, that way 
you get full control. Upgrading an existing NT4-style domain carries 
over bad practices e.g. using the RID for Unix user & group IDs.

Rowland

So in the example on the classicupgrade wiki page my NT4 domain would be SAMDOM with nothing after it.  So would the realm be SAMDOM.example.com in that case?
On my server I'm currently missing libnss-winbind, libpam-winbind, libpam-krb5, ldb-tools and krb5-user.  Does this sound normal for an NT4 domain?
My domain would be about 200 users and 80 machines.  That's a guess.  I was able to clone the production server so I'm able to test things out first.  
Thanks
Carl  

