[Samba] Ubuntu 18.04 classicupgrade help

Rowland penny rpenny at samba.org
Fri Jul 17 18:26:18 UTC 2020

On 17/07/2020 19:17, Carl Hunter via samba wrote:
>   On Friday, July 17, 2020, 12:43:33 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>   On 17/07/2020 17:20, Carl Hunter via samba wrote:
>>    On Friday, July 17, 2020, 11:36:18 a.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>>    On 17/07/2020 15:21, Rowland penny via samba wrote:
>>> On 17/07/2020 15:05, Carl Hunter via samba wrote:
>>>>      On Thursday, July 16, 2020, 07:34:26 a.m. EDT, Carl Hunter via
>>>> samba <samba at lists.samba.org> wrote:
>>>>           On Thursday, July 16, 2020, 03:30:36 a.m. EDT, Rowland penny
>>>> via samba <samba at lists.samba.org> wrote:
>>>>          On 16/07/2020 01:59, Carl Hunter via samba wrote:
>>>>>       On Wednesday, July 15, 2020, 05:03:52 p.m. EDT, Rowland penny via
>>>>> samba <samba at lists.samba.org> wrote:
>>>>>             On 15/07/2020 21:53, Carl Hunter via samba wrote:
>>>>>>         On Wednesday, July 15, 2020, 03:29:57 p.m. EDT, Rowland penny
>>>>>> via samba <samba at lists.samba.org> wrote:
>>>>>>                   On 15/07/2020 20:13, Carl Hunter via samba wrote:
>>>>>>>           On Wednesday, July 15, 2020, 02:50:09 p.m. EDT, Rowland
>>>>>>> penny via samba <samba at lists.samba.org> wrote:
>>>>>>>                         On 15/07/2020 19:26, Carl Hunter via samba
>>>>>>> wrote:
>>>>>>>>             On Wednesday, July 15, 2020, 03:16:00 a.m. EDT, Rowland
>>>>>>>> penny via samba <samba at lists.samba.org> wrote:
>>>>>>>>                               On 15/07/2020 01:14, Carl Hunter via
>>>>>>>> samba wrote:
>>>>>>>>> I've currently got a Ubuntu 18.04 server running Samba 4.7.6
>>>>>>>>> with an NT4 domain that I'd like to migrate to an AD.  I've
>>>>>>>>> found the following link but am struggling to match up the steps
>>>>>>>>> with the Ubuntu install.
>>>>>>>>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>>>>>>>>> I've also found this post that creates a Samba AD on Ubuntu
>>>>>>>>> 18.04 from scratch but doesn't have the upgrade steps.
>>>>>>>>> https://blog.ricosharp.com/posts/2019/Samba-4-Active-Directory-Domain-Controller-on-Ubuntu-18-04-Server
>>>>>>>> That howto isn't bad, he just got /etc/hosts wrong ;-)
>>>>>>>>> Would someone be able to help with some questions?
>>>>>>>>> In the first link, the "Server information used in this HowTo"
>>>>>>>>> section lists a bunch of settings.  I'm not sure how that
>>>>>>>>> matches up with Ubuntu.
>>>>>>>> The paths refer to a self compiled Samba, Ubuntu uses different
>>>>>>>> paths
>>>>>>>> e.g. /var/lib/samba
>>>>>>>>> I'm not using ldap, my smb.conf file has "passdb backend =
>>>>>>>>> tdbsam:/var/lib/samba/passdb.tdb" in it if that's any help.
>>>>>>>> Just ignore anything to do with ldap
>>>>>>>>> Under the "Domain controller name" section it talks about a
>>>>>>>>> "netbois name =" line in the smb.conf file.  I don't have that
>>>>>>>>> in mine but I do have a "workgroup =" line.  Is this the same
>>>>>>>>> thing?
>>>>>>>> No and you only really need the line if you are changing the
>>>>>>>> computers
>>>>>>>> hostname during the upgrade.
>>>>>>>>> Does the classicupgrade just "convert" a bunch of files like the
>>>>>>>>> passdb.tdb and smb.conf files?  And unless you actually replace
>>>>>>>>> the files and start the AD service nothing actually changes?
>>>>>>>> Bit more involved than that, all the users and groups are
>>>>>>>> obtained from
>>>>>>>> the existing database (along with passwords and the domain SID).
>>>>>>>> This
>>>>>>>> information is then used to provision a new AD domain.
>>>>>>>>> I think I should stop there.
>>>>>>>>> Thanks in advance and hopefully this makes some sense.
>>>>>>>> Yes, it did ;-)
>>>>>>>> Rowland
>>>>>>>> Thanks for the help.  I've got some more questions though about
>>>>>>>> the following list.
>>>>>>>> AD DC Installation Directory:       /usr/local/samba/AD DC
>>>>>>>> Hostname:                     DC1AD DNS Name:
>>>>>>>> samdom.example.comRealm:               samdom.example.comNT4
>>>>>>>> Domain Name:             samdomIP Address:
>>>>>>>> of the Samba NT4-domain: /usr/local/samba.PDC/dbdir/smb.conf of
>>>>>>>> the Samba NT4-domain:   /usr/local/samba.PDC/etc/smb.PDC.conf
>>>>>>>> So for Ubuntu the first line would be /var/lib/samba right?
>>>>>>> Yes
>>>>>>>> What would the last two lines in the list be for Ubuntu?
>>>>>>> Replace '/usr/local/samba' with 'var/lib/samba'
>>>>>>>> My NT4 domain is all uppercase. Would it stay that way for the
>>>>>>>> first part of the AD DNS Name and Realm lines?
>>>>>>> Lets say your NT4 domain is SAMDOM.EXAMPLE.COM , you would use
>>>>>>> samdom.example.com for the dns name and SAMDOM.EXAMPLE.COM for the
>>>>>>> realm
>>>>>>>> The section talking about moving the /usr/local/samba/ directory,
>>>>>>>> does that still apply to the /var/lib/samba directory?
>>>>>>> Yes
>>>>>>>>             And is the /etc/samba/smb.conf file the one that needs
>>>>>>>> to be moved like the /usr/local/samba.PDC/etc/smb.conf file?
>>>>>>> Yes
>>>>>>>> I'm assuming I need to install Kerberos since it's not currently
>>>>>>>> installed on the system to get the classicupgrade to work?
>>>>>>> There is an old saying 'assume makes an ass of u & me' ;-)
>>>>>>> Or to put it another way, no, Samba uses it version of the Heimdal
>>>>>>> kerberos, you just need to install the required Samba packages, on
>>>>>>> Ubuntu 18.04, these would be:
>>>>>>> samba winbind libnss-winbind libpam-winbind libpam-krb5 ntp binutils
>>>>>>> ldb-tools krb5-user
>>>>>>> You should test the upgrade in a different network, to iron out any
>>>>>>> problems.
>>>>>>> How large is your domain ?
>>>>>>> If it is small, you may be better off creating a new AD domain,
>>>>>>> that way
>>>>>>> you get full control. Upgrading an existing NT4-style domain carries
>>>>>>> over bad practises e.g. using the RID for Unix user & group ID's.
>>>>>>> Rowland
>>>>>>> So in the example on the classicupgrade wiki page my NT4 domain
>>>>>>> would be SAMDOM with nothing after it.  So would the realm be
>>>>>>> SAMDOM.example.com in that case?
>>>>>> Ah, in AD there are two domains, the one you are referring to,
>>>>>> which is
>>>>>> actually the Netbios domain  and the DNS domain. If you are upgrading,
>>>>>> the Netbios domain will carry over, but you need to ensure you use a
>>>>>> valid DNS domain, so you could use samdom.example.com, but if you did,
>>>>>> the realm would be SAMDOM.EXAMPLE.COM (the realm is always in
>>>>>> uppercase)
>>>>>>> On my server I'm currently missing libnss-winbind, libpam-winbind,
>>>>>>> libpam-krb5, ldb-tools and krb5-user.  Does this sound normal for
>>>>>>> an NT4 domain?
>>>>>> Yes, because you are probably not using winbind and you will
>>>>>> definitely
>>>>>> not be using kerberos and ldb-tools is only used with AD.
>>>>>>> My domain would be about 200 users and 80 machines.  That's a
>>>>>>> guess.  I was able to clone the production server so I'm able to
>>>>>>> test things out first.
>>>>>>> Thanks
>>>>>>> Carl
>>>>>> I suggest you go and play ;-)
>>>>>> Then come back with the inevitable questions ;-)
>>>>>> Rowland
>>>>>> One more question before I go and play.  :)
>>>>>> I'm pretty sure I'll be running the following command taken from
>>>>>> the wiki.
>>>>>>         samba-tool domain classicupgrade
>>>>>> --dbdir=/usr/local/samba.PDC/dbdir/ \--realm=samdom.example.com
>>>>>> --dns-backend=BIND9_DLZ /usr/local/samba.PDC/etc/smb.PDC.conf
>>>>>>         From you explanation above should the realm not be
>>>>>> "--realm=SAMDOM.EXAMPLE.COM" ?
>>>>>> Thanks
>>>>>> Carl
>>>>> Yes, thanks for pointing this out, I have updated the wikipage ;-)
>>>>> Rowland
>>>>> So I started in and here's my first inevitable question. :)
>>>>> I can't seem to figure out the following lines from the wiki.
>>>>> # cp -p /usr/local/samba.PDC/var/lock/gencache_notrans.tdb
>>>>> /usr/local/samba.PDC/dbdir/# cp -p
>>>>> /usr/local/samba.PDC/var/locks/group_mapping.tdb
>>>>> /usr/local/samba.PDC/dbdir/# cp -p
>>>>> /usr/local/samba.PDC/var/locks/account_policy.tdb
>>>>> /usr/local/samba.PDC/dbdir/
>>>>> I don't seem to have a /var/lib/samba.PDC/var folder.  I do see a
>>>>> group_mapping.tdb file and a account_policy.tdb file in my
>>>>> /var/lib/samba.PDC folder but not the gencache_notrans.tdb file.
>>>>> Are these the right ones to copy and the gencache_notrans.tdb is not
>>>>> needed?
>>>>> Thanks
>>>>> Carl
>>>> If you compile Samba yourself, by default, everything ends up in
>>>> /usr/local/samba. Distros split things up, so you just need to find the
>>>> files on your system ;-)
>>>> Rowland
>>>> So I found the gencache_notrans.tdb file only in /run/samba and the
>>>> other two were only in /var/lib/samba.PDC.  Are these all good to use
>>>> since they're the only ones I could find?  And do I need to rename
>>>> the /run/samba folder like I did with the /var/lib/samba folder?
>>>> Thanks
>>>> Carl
>>>> I finally had the chance to run the command and got the following
>>>> output.
>>>> sudo samba-tool domain classicupgrade
>>>> --dbdir=/var/lib/samba.PDC/dbdir/ --realm=OSCLAN.OCSCHOOL.ORG
>>>> --dns-backend=BIND9_DLZ /etc/samba/smb.PDC.conf
>>>> Reading smb.conf
>>>> Provisioningtdbsam_open: Failed to open/create TDB passwd
>>>> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open
>>>> /var/lib/samba/passdb.tdb!Exporting account policyExporting
>>>> groupstdbsam_open: Failed to open/create TDB passwd
>>>> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open
>>>> /var/lib/samba/passdb.tdb!
>>>> ...
>>>> dbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
>>>> tdbsam_getsampwrid: failed to open
>>>> /var/lib/samba/passdb.tdb!Exporting userstdbsam_open: Failed to
>>>> open/create TDB passwd [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam:
>>>> failed to open /var/lib/samba/passdb.tdb!ERROR(<class
>>>> 'passdb.error'>): uncaught exception - Unable to search users  File
>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
>>>> 176, in                                      _run    return
>>>> self.run(*args, **kwargs)  File
>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1589,
>>>> in                                  run    useeadb=eadb,
>>>> dns_backend=dns_backend, use_ntvfs=use_ntvfs)  File
>>>> "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 554, in
>>>> upgrade                                   _from_samba3    userlist =
>>>> s3db.search_users(0)
>>>> I removed a bunch of duplicate log lines just to make it shorter.
>>>> Any ideas?  It's like the tool knows something is supposed to be in
>>>> /var/lib/samba on Ubuntu.  I moved the /var/lib/samba folder to
>>>> /var/lib/samba.PCD before I ran the command like the wiki said.
>>>> Thanks
>>>> Carl
>>> Keep this quite, but I have never classicupgraded an NT4-style domain,
>>> but I think I know what is going wrong here. That 'mv' should be a
>>> 'cp', the upgrade is trying to create files in /var/lib/samba and it
>>> no longer exists.
>>> Rowland
>> OK, after digging into the history of the classicupgrade wiki page, I
>> have found that at one time, it was  thought that the upgrade would be
>> carried out on a new PC, so the required files would be copied to the
>> new PC with 'scp'. The page now is built around upgrading in place and
>> 'mv' is definitely wrong.
>> Looks like I am going to have to do a classicupgrade, before I can
>> rewrite the page.
>> Rowland
>> I don't mind being the guinea pig if it helps.  :)
> Too late, I was the guinea pig ;-)
> I will be updating the wiki tomorrow.
>> I was able to duplicate the /var/lib/samba folder and re-run the command and it worked.  I got basically the same output as the wiki.
>> My next question is in the "After the classicupgrade" section.  With the following line.
>> If your passdb backend was smbpasswd or tdbsam, remove the domain groups from /etc/group. All groups that had a groupmapping were imported, including their members. You should also remove any Samba users from /etc/passwd, they are now stored in AD.
>> Is there a way to know what are considered domain groups in the /etc/group file?  Same question for /etc/passwd.  Is there a way to know what ones are Samba users?
>> Thanks
>> Carl
> Run 'wbinfo -u' & 'wbinfo -g', these are the domain users & groups on my
> nice new shiny classicupgraded domain:
> wbinfo -u
> EXAMPLE\administrator
> EXAMPLE\guest
> EXAMPLE\krbtgt
> wbinfo -g
> EXAMPLE\cert publishers
> EXAMPLE\ras and ias servers
> EXAMPLE\allowed rodc password replication group
> EXAMPLE\denied rodc password replication group
> EXAMPLE\dnsadmins
> EXAMPLE\enterprise read-only domain controllers
> EXAMPLE\domain admins
> EXAMPLE\domain users
> EXAMPLE\domain guests
> EXAMPLE\domain computers
> EXAMPLE\domain controllers
> EXAMPLE\schema admins
> EXAMPLE\enterprise admins
> EXAMPLE\group policy creator owners
> EXAMPLE\read-only domain controllers
> EXAMPLE\dnsupdateproxy
> Your DOMAIN will be different, but if any of those are in /etc/passwd or
> /etc/group, then they should be remove from there. You should also check
> if any other users or groups shown by 'wbinfo -u ' or 'wbinfo -g' are in
> /etc/passwd or /etc/group, most of these should be removed from
> /etc/passwd or /etc/group, but a few may need to be removed from AD,
> basically any that are in AD and have a Unix ID of 999 should be removed
> from AD.
> Rowland
> Before I ran the classicupgrade command I had stopped smdb, nmdb and winbind.  I haven't started samba-ad-dc yet.  Looks like the wbinfo -u and wbinfo -g commands need winbind running.  Do I just temporarily start winbind to get my info and stop it again?  Or do I start samba-ad-dc before cleaning up the group and passwd files?  Just not sure about the order of things or if it matters.
> Thanks
> Carl

Start samba-ad-dc, this will start smbd and winbind. Don't do anything 
but check your users and groups, you can do this with a local user.


More information about the samba mailing list