[Samba] Ubuntu 18.04 classicupgrade help
cdhunter2 at yahoo.com
Thu Jul 16 00:59:52 UTC 2020
On Wednesday, July 15, 2020, 05:03:52 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
On 15/07/2020 21:53, Carl Hunter via samba wrote:
> On Wednesday, July 15, 2020, 03:29:57 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
> On 15/07/2020 20:13, Carl Hunter via samba wrote:
>> On Wednesday, July 15, 2020, 02:50:09 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>> On 15/07/2020 19:26, Carl Hunter via samba wrote:
>>> On Wednesday, July 15, 2020, 03:16:00 a.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>>> On 15/07/2020 01:14, Carl Hunter via samba wrote:
>>>> I've currently got a Ubuntu 18.04 server running Samba 4.7.6 with an NT4 domain that I'd like to migrate to an AD. I've found the following link but am struggling to match up the steps with the Ubuntu install.
>>>> I've also found this post that creates a Samba AD on Ubuntu 18.04 from scratch but doesn't have the upgrade steps.
>>> That howto isn't bad, he just got /etc/hosts wrong ;-)
>>>> Would someone be able to help with some questions?
>>>> In the first link, the "Server information used in this HowTo" section lists a bunch of settings. I'm not sure how that matches up with Ubuntu.
>>> The paths refer to a self compiled Samba, Ubuntu uses different paths
>>> e.g. /var/lib/samba
>>>> I'm not using ldap, my smb.conf file has "passdb backend = tdbsam:/var/lib/samba/passdb.tdb" in it if that's any help.
>>> Just ignore anything to do with ldap
>>>> Under the "Domain controller name" section it talks about a "netbois name =" line in the smb.conf file. I don't have that in mine but I do have a "workgroup =" line. Is this the same thing?
>>> No and you only really need the line if you are changing the computers
>>> hostname during the upgrade.
>>>> Does the classicupgrade just "convert" a bunch of files like the passdb.tdb and smb.conf files? And unless you actually replace the files and start the AD service nothing actually changes?
>>> Bit more involved than that, all the users and groups are obtained from
>>> the existing database (along with passwords and the domain SID). This
>>> information is then used to provision a new AD domain.
>>>> I think I should stop there.
>>>> Thanks in advance and hopefully this makes some sense.
>>> Yes, it did ;-)
>>> Thanks for the help. I've got some more questions though about the following list.
>>> AD DC Installation Directory: /usr/local/samba/AD DC Hostname: DC1AD DNS Name: samdom.example.comRealm: samdom.example.comNT4 Domain Name: samdomIP Address: 192.168.1.1Databases of the Samba NT4-domain: /usr/local/samba.PDC/dbdir/smb.conf of the Samba NT4-domain: /usr/local/samba.PDC/etc/smb.PDC.conf
>>> So for Ubuntu the first line would be /var/lib/samba right?
>>> What would the last two lines in the list be for Ubuntu?
>> Replace '/usr/local/samba' with 'var/lib/samba'
>>> My NT4 domain is all uppercase. Would it stay that way for the first part of the AD DNS Name and Realm lines?
>> Lets say your NT4 domain is SAMDOM.EXAMPLE.COM , you would use
>> samdom.example.com for the dns name and SAMDOM.EXAMPLE.COM for the realm
>>> The section talking about moving the /usr/local/samba/ directory, does that still apply to the /var/lib/samba directory?
>>> And is the /etc/samba/smb.conf file the one that needs to be moved like the /usr/local/samba.PDC/etc/smb.conf file?
>>> I'm assuming I need to install Kerberos since it's not currently installed on the system to get the classicupgrade to work?
>> There is an old saying 'assume makes an ass of u & me' ;-)
>> Or to put it another way, no, Samba uses it version of the Heimdal
>> kerberos, you just need to install the required Samba packages, on
>> Ubuntu 18.04, these would be:
>> samba winbind libnss-winbind libpam-winbind libpam-krb5 ntp binutils
>> ldb-tools krb5-user
>> You should test the upgrade in a different network, to iron out any
>> How large is your domain ?
>> If it is small, you may be better off creating a new AD domain, that way
>> you get full control. Upgrading an existing NT4-style domain carries
>> over bad practises e.g. using the RID for Unix user & group ID's.
>> So in the example on the classicupgrade wiki page my NT4 domain would be SAMDOM with nothing after it. So would the realm be SAMDOM.example.com in that case?
> Ah, in AD there are two domains, the one you are referring to, which is
> actually the Netbios domain and the DNS domain. If you are upgrading,
> the Netbios domain will carry over, but you need to ensure you use a
> valid DNS domain, so you could use samdom.example.com, but if you did,
> the realm would be SAMDOM.EXAMPLE.COM (the realm is always in uppercase)
>> On my server I'm currently missing libnss-winbind, libpam-winbind, libpam-krb5, ldb-tools and krb5-user. Does this sound normal for an NT4 domain?
> Yes, because you are probably not using winbind and you will definitely
> not be using kerberos and ldb-tools is only used with AD.
>> My domain would be about 200 users and 80 machines. That's a guess. I was able to clone the production server so I'm able to test things out first.
> I suggest you go and play ;-)
> Then come back with the inevitable questions ;-)
> One more question before I go and play. :)
> I'm pretty sure I'll be running the following command taken from the wiki.
> samba-tool domain classicupgrade --dbdir=/usr/local/samba.PDC/dbdir/ \--realm=samdom.example.com --dns-backend=BIND9_DLZ /usr/local/samba.PDC/etc/smb.PDC.conf
> From you explanation above should the realm not be "--realm=SAMDOM.EXAMPLE.COM" ?
Yes, thanks for pointing this out, I have updated the wikipage ;-)
So I started in and here's my first inevitable question. :)
I can't seem to figure out the following lines from the wiki.
# cp -p /usr/local/samba.PDC/var/lock/gencache_notrans.tdb /usr/local/samba.PDC/dbdir/# cp -p /usr/local/samba.PDC/var/locks/group_mapping.tdb /usr/local/samba.PDC/dbdir/# cp -p /usr/local/samba.PDC/var/locks/account_policy.tdb /usr/local/samba.PDC/dbdir/
I don't seem to have a /var/lib/samba.PDC/var folder. I do see a group_mapping.tdb file and a account_policy.tdb file in my /var/lib/samba.PDC folder but not the gencache_notrans.tdb file. Are these the right ones to copy and the gencache_notrans.tdb is not needed?
More information about the samba