[Samba] Ubuntu 18.04 classicupgrade help

Carl Hunter cdhunter2 at yahoo.com
Fri Jul 17 20:51:44 UTC 2020

 On Friday, July 17, 2020, 03:35:19 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
 On 17/07/2020 20:12, Carl Hunter via samba wrote:
>  On Friday, July 17, 2020, 02:26:53 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>  On 17/07/2020 19:17, Carl Hunter via samba wrote:
>>    On Friday, July 17, 2020, 12:43:33 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>>    On 17/07/2020 17:20, Carl Hunter via samba wrote:
>>>      On Friday, July 17, 2020, 11:36:18 a.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>      On 17/07/2020 15:21, Rowland penny via samba wrote:
>>>> On 17/07/2020 15:05, Carl Hunter via samba wrote:
>>>>>        On Thursday, July 16, 2020, 07:34:26 a.m. EDT, Carl Hunter via
>>>>> samba <samba at lists.samba.org> wrote:
>>>>>             On Thursday, July 16, 2020, 03:30:36 a.m. EDT, Rowland penny
>>>>> via samba <samba at lists.samba.org> wrote:
>>>>>            On 16/07/2020 01:59, Carl Hunter via samba wrote:
>>>>>>         On Wednesday, July 15, 2020, 05:03:52 p.m. EDT, Rowland penny via
>>>>>> samba <samba at lists.samba.org> wrote:
>>>>>>               On 15/07/2020 21:53, Carl Hunter via samba wrote:
>>>>>>>           On Wednesday, July 15, 2020, 03:29:57 p.m. EDT, Rowland penny
>>>>>>> via samba <samba at lists.samba.org> wrote:
>>>>>>>                     On 15/07/2020 20:13, Carl Hunter via samba wrote:
>>>>>>>>             On Wednesday, July 15, 2020, 02:50:09 p.m. EDT, Rowland
>>>>>>>> penny via samba <samba at lists.samba.org> wrote:
>>>>>>>>                           On 15/07/2020 19:26, Carl Hunter via samba
>>>>>>>> wrote:
>>>>>>>>>               On Wednesday, July 15, 2020, 03:16:00 a.m. EDT, Rowland
>>>>>>>>> penny via samba <samba at lists.samba.org> wrote:
>>>>>>>>>                                 On 15/07/2020 01:14, Carl Hunter via
>>>>>>>>> samba wrote:
>>>>>>>>>> I've currently got a Ubuntu 18.04 server running Samba 4.7.6
>>>>>>>>>> with an NT4 domain that I'd like to migrate to an AD.  I've
>>>>>>>>>> found the following link but am struggling to match up the steps
>>>>>>>>>> with the Ubuntu install.
>>>>>>>>>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>>>>>>>>>> I've also found this post that creates a Samba AD on Ubuntu
>>>>>>>>>> 18.04 from scratch but doesn't have the upgrade steps.
>>>>>>>>>> https://blog.ricosharp.com/posts/2019/Samba-4-Active-Directory-Domain-Controller-on-Ubuntu-18-04-Server
>>>>>>>>> That howto isn't bad, he just got /etc/hosts wrong ;-)
>>>>>>>>>> Would someone be able to help with some questions?
>>>>>>>>>> In the first link, the "Server information used in this HowTo"
>>>>>>>>>> section lists a bunch of settings.  I'm not sure how that
>>>>>>>>>> matches up with Ubuntu.
>>>>>>>>> The paths refer to a self compiled Samba, Ubuntu uses different
>>>>>>>>> paths
>>>>>>>>> e.g. /var/lib/samba
>>>>>>>>>> I'm not using ldap, my smb.conf file has "passdb backend =
>>>>>>>>>> tdbsam:/var/lib/samba/passdb.tdb" in it if that's any help.
>>>>>>>>> Just ignore anything to do with ldap
>>>>>>>>>> Under the "Domain controller name" section it talks about a
>>>>>>>>>> "netbois name =" line in the smb.conf file.  I don't have that
>>>>>>>>>> in mine but I do have a "workgroup =" line.  Is this the same
>>>>>>>>>> thing?
>>>>>>>>> No and you only really need the line if you are changing the
>>>>>>>>> computers
>>>>>>>>> hostname during the upgrade.
>>>>>>>>>> Does the classicupgrade just "convert" a bunch of files like the
>>>>>>>>>> passdb.tdb and smb.conf files?  And unless you actually replace
>>>>>>>>>> the files and start the AD service nothing actually changes?
>>>>>>>>> Bit more involved than that, all the users and groups are
>>>>>>>>> obtained from
>>>>>>>>> the existing database (along with passwords and the domain SID).
>>>>>>>>> This
>>>>>>>>> information is then used to provision a new AD domain.
>>>>>>>>>> I think I should stop there.
>>>>>>>>>> Thanks in advance and hopefully this makes some sense.
>>>>>>>>> Yes, it did ;-)
>>>>>>>>> Rowland
>>>>>>>>> Thanks for the help.  I've got some more questions though about
>>>>>>>>> the following list.
>>>>>>>>> AD DC Installation Directory:       /usr/local/samba/AD DC
>>>>>>>>> Hostname:                     DC1AD DNS Name:
>>>>>>>>> samdom.example.comRealm:               samdom.example.comNT4
>>>>>>>>> Domain Name:             samdomIP Address:
>>>>>>>>> of the Samba NT4-domain: /usr/local/samba.PDC/dbdir/smb.conf of
>>>>>>>>> the Samba NT4-domain:   /usr/local/samba.PDC/etc/smb.PDC.conf
>>>>>>>>> So for Ubuntu the first line would be /var/lib/samba right?
>>>>>>>> Yes
>>>>>>>>> What would the last two lines in the list be for Ubuntu?
>>>>>>>> Replace '/usr/local/samba' with 'var/lib/samba'
>>>>>>>>> My NT4 domain is all uppercase. Would it stay that way for the
>>>>>>>>> first part of the AD DNS Name and Realm lines?
>>>>>>>> Lets say your NT4 domain is SAMDOM.EXAMPLE.COM , you would use
>>>>>>>> samdom.example.com for the dns name and SAMDOM.EXAMPLE.COM for the
>>>>>>>> realm
>>>>>>>>> The section talking about moving the /usr/local/samba/ directory,
>>>>>>>>> does that still apply to the /var/lib/samba directory?
>>>>>>>> Yes
>>>>>>>>>               And is the /etc/samba/smb.conf file the one that needs
>>>>>>>>> to be moved like the /usr/local/samba.PDC/etc/smb.conf file?
>>>>>>>> Yes
>>>>>>>>> I'm assuming I need to install Kerberos since it's not currently
>>>>>>>>> installed on the system to get the classicupgrade to work?
>>>>>>>> There is an old saying 'assume makes an ass of u & me' ;-)
>>>>>>>> Or to put it another way, no, Samba uses it version of the Heimdal
>>>>>>>> kerberos, you just need to install the required Samba packages, on
>>>>>>>> Ubuntu 18.04, these would be:
>>>>>>>> samba winbind libnss-winbind libpam-winbind libpam-krb5 ntp binutils
>>>>>>>> ldb-tools krb5-user
>>>>>>>> You should test the upgrade in a different network, to iron out any
>>>>>>>> problems.
>>>>>>>> How large is your domain ?
>>>>>>>> If it is small, you may be better off creating a new AD domain,
>>>>>>>> that way
>>>>>>>> you get full control. Upgrading an existing NT4-style domain carries
>>>>>>>> over bad practises e.g. using the RID for Unix user & group ID's.
>>>>>>>> Rowland
>>>>>>>> So in the example on the classicupgrade wiki page my NT4 domain
>>>>>>>> would be SAMDOM with nothing after it.  So would the realm be
>>>>>>>> SAMDOM.example.com in that case?
>>>>>>> Ah, in AD there are two domains, the one you are referring to,
>>>>>>> which is
>>>>>>> actually the Netbios domain  and the DNS domain. If you are upgrading,
>>>>>>> the Netbios domain will carry over, but you need to ensure you use a
>>>>>>> valid DNS domain, so you could use samdom.example.com, but if you did,
>>>>>>> the realm would be SAMDOM.EXAMPLE.COM (the realm is always in
>>>>>>> uppercase)
>>>>>>>> On my server I'm currently missing libnss-winbind, libpam-winbind,
>>>>>>>> libpam-krb5, ldb-tools and krb5-user.  Does this sound normal for
>>>>>>>> an NT4 domain?
>>>>>>> Yes, because you are probably not using winbind and you will
>>>>>>> definitely
>>>>>>> not be using kerberos and ldb-tools is only used with AD.
>>>>>>>> My domain would be about 200 users and 80 machines.  That's a
>>>>>>>> guess.  I was able to clone the production server so I'm able to
>>>>>>>> test things out first.
>>>>>>>> Thanks
>>>>>>>> Carl
>>>>>>> I suggest you go and play ;-)
>>>>>>> Then come back with the inevitable questions ;-)
>>>>>>> Rowland
>>>>>>> One more question before I go and play.  :)
>>>>>>> I'm pretty sure I'll be running the following command taken from
>>>>>>> the wiki.
>>>>>>>           samba-tool domain classicupgrade
>>>>>>> --dbdir=/usr/local/samba.PDC/dbdir/ \--realm=samdom.example.com
>>>>>>> --dns-backend=BIND9_DLZ /usr/local/samba.PDC/etc/smb.PDC.conf
>>>>>>>           From you explanation above should the realm not be
>>>>>>> "--realm=SAMDOM.EXAMPLE.COM" ?
>>>>>>> Thanks
>>>>>>> Carl
>>>>>> Yes, thanks for pointing this out, I have updated the wikipage ;-)
>>>>>> Rowland
>>>>>> So I started in and here's my first inevitable question. :)
>>>>>> I can't seem to figure out the following lines from the wiki.
>>>>>> # cp -p /usr/local/samba.PDC/var/lock/gencache_notrans.tdb
>>>>>> /usr/local/samba.PDC/dbdir/# cp -p
>>>>>> /usr/local/samba.PDC/var/locks/group_mapping.tdb
>>>>>> /usr/local/samba.PDC/dbdir/# cp -p
>>>>>> /usr/local/samba.PDC/var/locks/account_policy.tdb
>>>>>> /usr/local/samba.PDC/dbdir/
>>>>>> I don't seem to have a /var/lib/samba.PDC/var folder.  I do see a
>>>>>> group_mapping.tdb file and a account_policy.tdb file in my
>>>>>> /var/lib/samba.PDC folder but not the gencache_notrans.tdb file.
>>>>>> Are these the right ones to copy and the gencache_notrans.tdb is not
>>>>>> needed?
>>>>>> Thanks
>>>>>> Carl
>>>>> If you compile Samba yourself, by default, everything ends up in
>>>>> /usr/local/samba. Distros split things up, so you just need to find the
>>>>> files on your system ;-)
>>>>> Rowland
>>>>> So I found the gencache_notrans.tdb file only in /run/samba and the
>>>>> other two were only in /var/lib/samba.PDC.  Are these all good to use
>>>>> since they're the only ones I could find?  And do I need to rename
>>>>> the /run/samba folder like I did with the /var/lib/samba folder?
>>>>> Thanks
>>>>> Carl
>>>>> I finally had the chance to run the command and got the following
>>>>> output.
>>>>> sudo samba-tool domain classicupgrade
>>>>> --dbdir=/var/lib/samba.PDC/dbdir/ --realm=OSCLAN.OCSCHOOL.ORG
>>>>> --dns-backend=BIND9_DLZ /etc/samba/smb.PDC.conf
>>>>> Reading smb.conf
>>>>> Provisioningtdbsam_open: Failed to open/create TDB passwd
>>>>> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open
>>>>> /var/lib/samba/passdb.tdb!Exporting account policyExporting
>>>>> groupstdbsam_open: Failed to open/create TDB passwd
>>>>> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open
>>>>> /var/lib/samba/passdb.tdb!
>>>>> ...
>>>>> dbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
>>>>> tdbsam_getsampwrid: failed to open
>>>>> /var/lib/samba/passdb.tdb!Exporting userstdbsam_open: Failed to
>>>>> open/create TDB passwd [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam:
>>>>> failed to open /var/lib/samba/passdb.tdb!ERROR(<class
>>>>> 'passdb.error'>): uncaught exception - Unable to search users  File
>>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
>>>>> 176, in                                      _run    return
>>>>> self.run(*args, **kwargs)  File
>>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1589,
>>>>> in                                  run    useeadb=eadb,
>>>>> dns_backend=dns_backend, use_ntvfs=use_ntvfs)  File
>>>>> "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 554, in
>>>>> upgrade                                   _from_samba3    userlist =
>>>>> s3db.search_users(0)
>>>>> I removed a bunch of duplicate log lines just to make it shorter.
>>>>> Any ideas?  It's like the tool knows something is supposed to be in
>>>>> /var/lib/samba on Ubuntu.  I moved the /var/lib/samba folder to
>>>>> /var/lib/samba.PCD before I ran the command like the wiki said.
>>>>> Thanks
>>>>> Carl
>>>> Keep this quite, but I have never classicupgraded an NT4-style domain,
>>>> but I think I know what is going wrong here. That 'mv' should be a
>>>> 'cp', the upgrade is trying to create files in /var/lib/samba and it
>>>> no longer exists.
>>>> Rowland
>>> OK, after digging into the history of the classicupgrade wiki page, I
>>> have found that at one time, it was  thought that the upgrade would be
>>> carried out on a new PC, so the required files would be copied to the
>>> new PC with 'scp'. The page now is built around upgrading in place and
>>> 'mv' is definitely wrong.
>>> Looks like I am going to have to do a classicupgrade, before I can
>>> rewrite the page.
>>> Rowland
>>> I don't mind being the guinea pig if it helps.  :)
>> Too late, I was the guinea pig ;-)
>> I will be updating the wiki tomorrow.
>>> I was able to duplicate the /var/lib/samba folder and re-run the command and it worked.  I got basically the same output as the wiki.
>>> My next question is in the "After the classicupgrade" section.  With the following line.
>>> If your passdb backend was smbpasswd or tdbsam, remove the domain groups from /etc/group. All groups that had a groupmapping were imported, including their members. You should also remove any Samba users from /etc/passwd, they are now stored in AD.
>>> Is there a way to know what are considered domain groups in the /etc/group file?  Same question for /etc/passwd.  Is there a way to know what ones are Samba users?
>>> Thanks
>>> Carl
>> Run 'wbinfo -u' & 'wbinfo -g', these are the domain users & groups on my
>> nice new shiny classicupgraded domain:
>> wbinfo -u
>> EXAMPLE\administrator
>> EXAMPLE\guest
>> EXAMPLE\krbtgt
>> wbinfo -g
>> EXAMPLE\cert publishers
>> EXAMPLE\ras and ias servers
>> EXAMPLE\allowed rodc password replication group
>> EXAMPLE\denied rodc password replication group
>> EXAMPLE\dnsadmins
>> EXAMPLE\enterprise read-only domain controllers
>> EXAMPLE\domain admins
>> EXAMPLE\domain users
>> EXAMPLE\domain guests
>> EXAMPLE\domain computers
>> EXAMPLE\domain controllers
>> EXAMPLE\schema admins
>> EXAMPLE\enterprise admins
>> EXAMPLE\group policy creator owners
>> EXAMPLE\read-only domain controllers
>> EXAMPLE\dnsupdateproxy
>> Your DOMAIN will be different, but if any of those are in /etc/passwd or
>> /etc/group, then they should be remove from there. You should also check
>> if any other users or groups shown by 'wbinfo -u ' or 'wbinfo -g' are in
>> /etc/passwd or /etc/group, most of these should be removed from
>> /etc/passwd or /etc/group, but a few may need to be removed from AD,
>> basically any that are in AD and have a Unix ID of 999 should be removed
>> from AD.
>> Rowland
>> Before I ran the classicupgrade command I had stopped smdb, nmdb and winbind.  I haven't started samba-ad-dc yet.  Looks like the wbinfo -u and wbinfo -g commands need winbind running.  Do I just temporarily start winbind to get my info and stop it again?  Or do I start samba-ad-dc before cleaning up the group and passwd files?  Just not sure about the order of things or if it matters.
>> Thanks
>> Carl
> Start samba-ad-dc, this will start smbd and winbind. Don't do anything
> but check your users and groups, you can do this with a local user.
> Rowland
> I was able to start samba-ad-dc and now those wbinfo commands work.  I see almost all the users and groups from the wbinfo commands in the group and passwd files.  This server is also the file server so each user has a home folder.  I'm not sure what that means for things.  I haven't gotten to the file server side of things yet but I don't have an option to split up the ad server and the file server.
> Thanks
> Carl

How many users ? we don't recommend using a DC as a fileserver, but it 
can work for a small number of users.

You will need to have libnss-winbind, libpam-winbind and libpam-krb5 
installed and add 'winbind' to the  'passwd' and 'group' lines in 
/etc/nsswitch.conf. You will also need to get PAM to create the users 
homedirectories as the log on, you can run 'pam-auth-update' on Debian 
10 to do this, you will also need to add a line to smb.conf 'template 
shell = /bin/bash' to allow logons

I just counted the wbinfo -u output and it's 264.  I read the recommendations about the fileserver but I don't have an option at this point.  It's a "get it working" type of thing.  :)
I already had installed those packages and my nsswitch.conf file was already correct.  I'm not exactly sure what you mean by the PAM comment.  I already have all the users created since this is a copy of a live system so they all have /home folders.  Or are you saying there's another step since it's now an AD domain?  
What section would I put the template shell line in the smb.conf file?  I see global, netlogon and sysvol.  I also don't see any of the share sections of the old smb.conf file in the new.  


More information about the samba mailing list