[Samba] Ubuntu 18.04 classicupgrade help

Carl Hunter cdhunter2 at yahoo.com
Fri Jul 17 18:17:01 UTC 2020

 On Friday, July 17, 2020, 12:43:33 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
 On 17/07/2020 17:20, Carl Hunter via samba wrote:
>  On Friday, July 17, 2020, 11:36:18 a.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>  On 17/07/2020 15:21, Rowland penny via samba wrote:
>> On 17/07/2020 15:05, Carl Hunter via samba wrote:
>>>    On Thursday, July 16, 2020, 07:34:26 a.m. EDT, Carl Hunter via
>>> samba <samba at lists.samba.org> wrote:
>>>         On Thursday, July 16, 2020, 03:30:36 a.m. EDT, Rowland penny
>>> via samba <samba at lists.samba.org> wrote:
>>>        On 16/07/2020 01:59, Carl Hunter via samba wrote:
>>>>     On Wednesday, July 15, 2020, 05:03:52 p.m. EDT, Rowland penny via
>>>> samba <samba at lists.samba.org> wrote:
>>>>           On 15/07/2020 21:53, Carl Hunter via samba wrote:
>>>>>       On Wednesday, July 15, 2020, 03:29:57 p.m. EDT, Rowland penny
>>>>> via samba <samba at lists.samba.org> wrote:
>>>>>                 On 15/07/2020 20:13, Carl Hunter via samba wrote:
>>>>>>         On Wednesday, July 15, 2020, 02:50:09 p.m. EDT, Rowland
>>>>>> penny via samba <samba at lists.samba.org> wrote:
>>>>>>                       On 15/07/2020 19:26, Carl Hunter via samba
>>>>>> wrote:
>>>>>>>           On Wednesday, July 15, 2020, 03:16:00 a.m. EDT, Rowland
>>>>>>> penny via samba <samba at lists.samba.org> wrote:
>>>>>>>                             On 15/07/2020 01:14, Carl Hunter via
>>>>>>> samba wrote:
>>>>>>>> I've currently got a Ubuntu 18.04 server running Samba 4.7.6
>>>>>>>> with an NT4 domain that I'd like to migrate to an AD.  I've
>>>>>>>> found the following link but am struggling to match up the steps
>>>>>>>> with the Ubuntu install.
>>>>>>>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>>>>>>>> I've also found this post that creates a Samba AD on Ubuntu
>>>>>>>> 18.04 from scratch but doesn't have the upgrade steps.
>>>>>>>> https://blog.ricosharp.com/posts/2019/Samba-4-Active-Directory-Domain-Controller-on-Ubuntu-18-04-Server
>>>>>>> That howto isn't bad, he just got /etc/hosts wrong ;-)
>>>>>>>> Would someone be able to help with some questions?
>>>>>>>> In the first link, the "Server information used in this HowTo"
>>>>>>>> section lists a bunch of settings.  I'm not sure how that
>>>>>>>> matches up with Ubuntu.
>>>>>>> The paths refer to a self compiled Samba, Ubuntu uses different
>>>>>>> paths
>>>>>>> e.g. /var/lib/samba
>>>>>>>> I'm not using ldap, my smb.conf file has "passdb backend =
>>>>>>>> tdbsam:/var/lib/samba/passdb.tdb" in it if that's any help.
>>>>>>> Just ignore anything to do with ldap
>>>>>>>> Under the "Domain controller name" section it talks about a
>>>>>>>> "netbois name =" line in the smb.conf file.  I don't have that
>>>>>>>> in mine but I do have a "workgroup =" line.  Is this the same
>>>>>>>> thing?
>>>>>>> No and you only really need the line if you are changing the
>>>>>>> computers
>>>>>>> hostname during the upgrade.
>>>>>>>> Does the classicupgrade just "convert" a bunch of files like the
>>>>>>>> passdb.tdb and smb.conf files?  And unless you actually replace
>>>>>>>> the files and start the AD service nothing actually changes?
>>>>>>> Bit more involved than that, all the users and groups are
>>>>>>> obtained from
>>>>>>> the existing database (along with passwords and the domain SID).
>>>>>>> This
>>>>>>> information is then used to provision a new AD domain.
>>>>>>>> I think I should stop there.
>>>>>>>> Thanks in advance and hopefully this makes some sense.
>>>>>>> Yes, it did ;-)
>>>>>>> Rowland
>>>>>>> Thanks for the help.  I've got some more questions though about
>>>>>>> the following list.
>>>>>>> AD DC Installation Directory:       /usr/local/samba/
>>>>>>> AD DC Hostname:                     DC1
>>>>>>> AD DNS Name:                        samdom.example.com
>>>>>>> Realm:                              samdom.example.com
>>>>>>> NT4 Domain Name:                    samdom
>>>>>>> IP Address:
>>>>>>> dbdir of the Samba NT4-domain:      /usr/local/samba.PDC/dbdir/
>>>>>>> smb.conf of the Samba NT4-domain:   /usr/local/samba.PDC/etc/smb.PDC.conf
>>>>>>> So for Ubuntu the first line would be /var/lib/samba right?
>>>>>> Yes
>>>>>>> What would the last two lines in the list be for Ubuntu?
>>>>>> Replace '/usr/local/samba' with '/var/lib/samba'
>>>>>>> My NT4 domain is all uppercase. Would it stay that way for the
>>>>>>> first part of the AD DNS Name and Realm lines?
>>>>>> Lets say your NT4 domain is SAMDOM.EXAMPLE.COM , you would use
>>>>>> samdom.example.com for the dns name and SAMDOM.EXAMPLE.COM for the
>>>>>> realm
>>>>>>> The section talking about moving the /usr/local/samba/ directory,
>>>>>>> does that still apply to the /var/lib/samba directory?
>>>>>> Yes
>>>>>>>           And is the /etc/samba/smb.conf file the one that needs
>>>>>>> to be moved like the /usr/local/samba.PDC/etc/smb.conf file?
>>>>>> Yes
>>>>>>> I'm assuming I need to install Kerberos since it's not currently
>>>>>>> installed on the system to get the classicupgrade to work?
>>>>>> There is an old saying 'assume makes an ass of u & me' ;-)
>>>>>> Or to put it another way, no, Samba uses its version of the Heimdal
>>>>>> kerberos, you just need to install the required Samba packages, on
>>>>>> Ubuntu 18.04, these would be:
>>>>>> samba winbind libnss-winbind libpam-winbind libpam-krb5 ntp binutils
>>>>>> ldb-tools krb5-user
>>>>>> You should test the upgrade in a different network, to iron out any
>>>>>> problems.
>>>>>> How large is your domain ?
>>>>>> If it is small, you may be better off creating a new AD domain,
>>>>>> that way
>>>>>> you get full control. Upgrading an existing NT4-style domain carries
>>>>>> over bad practices e.g. using the RID for Unix user & group IDs.
>>>>>> Rowland
>>>>>> So in the example on the classicupgrade wiki page my NT4 domain
>>>>>> would be SAMDOM with nothing after it.  So would the realm be
>>>>>> SAMDOM.example.com in that case?
>>>>> Ah, in AD there are two domains, the one you are referring to,
>>>>> which is
>>>>> actually the Netbios domain  and the DNS domain. If you are upgrading,
>>>>> the Netbios domain will carry over, but you need to ensure you use a
>>>>> valid DNS domain, so you could use samdom.example.com, but if you did,
>>>>> the realm would be SAMDOM.EXAMPLE.COM (the realm is always in
>>>>> uppercase)
>>>>>> On my server I'm currently missing libnss-winbind, libpam-winbind,
>>>>>> libpam-krb5, ldb-tools and krb5-user.  Does this sound normal for
>>>>>> an NT4 domain?
>>>>> Yes, because you are probably not using winbind and you will
>>>>> definitely
>>>>> not be using kerberos and ldb-tools is only used with AD.
>>>>>> My domain would be about 200 users and 80 machines.  That's a
>>>>>> guess.  I was able to clone the production server so I'm able to
>>>>>> test things out first.
>>>>>> Thanks
>>>>>> Carl
>>>>> I suggest you go and play ;-)
>>>>> Then come back with the inevitable questions ;-)
>>>>> Rowland
>>>>> One more question before I go and play.  :)
>>>>> I'm pretty sure I'll be running the following command taken from
>>>>> the wiki.
>>>>>       samba-tool domain classicupgrade --dbdir=/usr/local/samba.PDC/dbdir/ \
>>>>>           --realm=samdom.example.com --dns-backend=BIND9_DLZ \
>>>>>           /usr/local/samba.PDC/etc/smb.PDC.conf
>>>>>       From you explanation above should the realm not be
>>>>> "--realm=SAMDOM.EXAMPLE.COM" ?
>>>>> Thanks
>>>>> Carl
>>>> Yes, thanks for pointing this out, I have updated the wikipage ;-)
>>>> Rowland
>>>> So I started in and here's my first inevitable question. :)
>>>> I can't seem to figure out the following lines from the wiki.
>>>> # cp -p /usr/local/samba.PDC/var/lock/gencache_notrans.tdb /usr/local/samba.PDC/dbdir/
>>>> # cp -p /usr/local/samba.PDC/var/locks/group_mapping.tdb /usr/local/samba.PDC/dbdir/
>>>> # cp -p /usr/local/samba.PDC/var/locks/account_policy.tdb /usr/local/samba.PDC/dbdir/
>>>> I don't seem to have a /var/lib/samba.PDC/var folder.  I do see a
>>>> group_mapping.tdb file and a account_policy.tdb file in my
>>>> /var/lib/samba.PDC folder but not the gencache_notrans.tdb file.
>>>> Are these the right ones to copy and the gencache_notrans.tdb is not
>>>> needed?
>>>> Thanks
>>>> Carl
>>> If you compile Samba yourself, by default, everything ends up in
>>> /usr/local/samba. Distros split things up, so you just need to find the
>>> files on your system ;-)
>>> Rowland
>>> So I found the gencache_notrans.tdb file only in /run/samba and the
>>> other two were only in /var/lib/samba.PDC.  Are these all good to use
>>> since they're the only ones I could find?  And do I need to rename
>>> the /run/samba folder like I did with the /var/lib/samba folder?
>>> Thanks
>>> Carl
>>> I finally had the chance to run the command and got the following
>>> output.
>>> sudo samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir/ \
>>>     --realm=OSCLAN.OCSCHOOL.ORG --dns-backend=BIND9_DLZ /etc/samba/smb.PDC.conf
>>> Reading smb.conf
>>> Provisioning
>>> tdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
>>> tdbsam_getsampwnam: failed to open /var/lib/samba/passdb.tdb!
>>> Exporting account policy
>>> Exporting groups
>>> tdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
>>> tdbsam_getsampwnam: failed to open /var/lib/samba/passdb.tdb!
>>> ...
>>> tdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
>>> tdbsam_getsampwrid: failed to open /var/lib/samba/passdb.tdb!
>>> Exporting users
>>> tdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
>>> tdbsam_getsampwnam: failed to open /var/lib/samba/passdb.tdb!
>>> ERROR(<class 'passdb.error'>): uncaught exception - Unable to search users
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1589, in run
>>>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 554, in upgrade_from_samba3
>>>     userlist = s3db.search_users(0)
>>> I removed a bunch of duplicate log lines just to make it shorter.
>>> Any ideas?  It's like the tool knows something is supposed to be in
>>> /var/lib/samba on Ubuntu.  I moved the /var/lib/samba folder to
>>> /var/lib/samba.PCD before I ran the command like the wiki said.
>>> Thanks
>>> Carl
>> Keep this quiet, but I have never classicupgraded an NT4-style domain,
>> but I think I know what is going wrong here. That 'mv' should be a
>> 'cp', the upgrade is trying to create files in /var/lib/samba and it
>> no longer exists.
>> Rowland
> OK, after digging into the history of the classicupgrade wiki page, I
> have found that at one time, it was  thought that the upgrade would be
> carried out on a new PC, so the required files would be copied to the
> new PC with 'scp'. The page now is built around upgrading in place and
> 'mv' is definitely wrong.
> Looks like I am going to have to do a classicupgrade, before I can
> rewrite the page.
> Rowland
> I don't mind being the guinea pig if it helps.  :)

Too late, I was the guinea pig ;-)

I will be updating the wiki tomorrow.

> I was able to duplicate the /var/lib/samba folder and re-run the command and it worked.  I got basically the same output as the wiki.
> My next question is in the "After the classicupgrade" section.  With the following line.
> If your passdb backend was smbpasswd or tdbsam, remove the domain groups from /etc/group. All groups that had a groupmapping were imported, including their members. You should also remove any Samba users from /etc/passwd, they are now stored in AD.
> Is there a way to know what are considered domain groups in the /etc/group file?  Same question for /etc/passwd.  Is there a way to know what ones are Samba users?
> Thanks
> Carl

Run 'wbinfo -u' & 'wbinfo -g', these are the domain users & groups on my 
nice new shiny classicupgraded domain:

wbinfo -u

wbinfo -g
EXAMPLE\cert publishers
EXAMPLE\ras and ias servers
EXAMPLE\allowed rodc password replication group
EXAMPLE\denied rodc password replication group
EXAMPLE\enterprise read-only domain controllers
EXAMPLE\domain admins
EXAMPLE\domain users
EXAMPLE\domain guests
EXAMPLE\domain computers
EXAMPLE\domain controllers
EXAMPLE\schema admins
EXAMPLE\enterprise admins
EXAMPLE\group policy creator owners
EXAMPLE\read-only domain controllers

Your DOMAIN will be different, but if any of those are in /etc/passwd or 
/etc/group, then they should be removed from there. You should also check 
if any other users or groups shown by 'wbinfo -u' or 'wbinfo -g' are in 
/etc/passwd or /etc/group, most of these should be removed from 
/etc/passwd or /etc/group, but a few may need to be removed from AD, 
basically any that are in AD and have a Unix ID of 999 should be removed 
from AD.

Before I ran the classicupgrade command I had stopped smbd, nmbd and winbind.  I haven't started samba-ad-dc yet.  Looks like the wbinfo -u and wbinfo -g commands need winbind running.  Do I just temporarily start winbind to get my info and stop it again?  Or do I start samba-ad-dc before cleaning up the group and passwd files?  Just not sure about the order of things or if it matters.
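The cleanup step Rowland describes above (compare the names printed by 'wbinfo -u' and 'wbinfo -g' against /etc/passwd and /etc/group, then remove the local copies) is easy to get wrong by hand on a 200-user domain. The script below is an added example, not code from the thread or from the Samba project: it parses the DOMAIN\name lines wbinfo prints, strips the domain prefix, and reports every domain user or group that still has a local entry together with its local Unix ID, so the entries to delete are listed rather than guessed. The sample wbinfo output and passwd/group lines are constructed; the run_wbinfo helper is only for a live run and, as the thread notes, needs winbind running.

```python
"""Cross-check 'wbinfo -u' / 'wbinfo -g' output against /etc/passwd and /etc/group.

Added example for the samba list thread, not Samba project code.  The domain name,
user and group names and Unix IDs in the sample data below are constructed.
"""
import subprocess
from typing import Dict, List, Tuple


def parse_wbinfo(output: str) -> List[str]:
    """Return the bare, lower-cased names from wbinfo output ('DOMAIN\\name' -> 'name')."""
    names = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        # wbinfo prints DOMAIN\name with winbind's default separator '\'
        names.append(line.split("\\", 1)[-1].lower())
    return names


def parse_colon_file(text: str) -> Dict[str, int]:
    """Map name -> numeric ID for /etc/passwd or /etc/group style lines (field 3 is the ID)."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        entries[fields[0].lower()] = int(fields[2])
    return entries


def local_entries_for_domain(wbinfo_output: str, colon_file: str) -> List[Tuple[str, int]]:
    """Domain accounts that still have a local entry, as (name, local Unix ID), sorted by name."""
    local = parse_colon_file(colon_file)
    return sorted((n, local[n]) for n in set(parse_wbinfo(wbinfo_output)) if n in local)


def run_wbinfo(flag: str) -> str:
    """Live call for a real run: 'wbinfo -u' or 'wbinfo -g'; winbind must be running."""
    return subprocess.run(["wbinfo", flag], capture_output=True, text=True, check=True).stdout


# Constructed sample data in the shape the thread shows (EXAMPLE\name, one per line).
SAMPLE_WBINFO_G = "EXAMPLE\\domain admins\nEXAMPLE\\domain users\nEXAMPLE\\staff\n"
SAMPLE_GROUP = """root:x:0:
staff:x:1001:alice,bob
sudo:x:27:alice
"""
SAMPLE_WBINFO_U = "EXAMPLE\\alice\nEXAMPLE\\bob\n"
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
carl:x:1002:1002::/home/carl:/bin/bash
"""


def report(kind: str, wbinfo_output: str, colon_file: str) -> List[str]:
    """Human-readable lines naming each domain account that still exists locally."""
    return [f"{kind}: '{name}' is in AD and still in /etc/{kind} (local id {uid})"
            for name, uid in local_entries_for_domain(wbinfo_output, colon_file)]


if __name__ == "__main__":
    # For a live check replace the SAMPLE_* strings with run_wbinfo("-g"), run_wbinfo("-u")
    # and the contents of /etc/group and /etc/passwd.
    for line in report("group", SAMPLE_WBINFO_G, SAMPLE_GROUP) + report("passwd", SAMPLE_WBINFO_U, SAMPLE_PASSWD):
        print(line)
```

The match is on the account name only (case-insensitive, domain prefix removed), which is exactly what Rowland's advice keys on; an NT4 group mapping whose Unix group name differed from the NT group name will not pair up this way and still needs a look by eye. The script prints and never deletes, so the output can be reviewed before touching /etc/passwd or /etc/group.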
