Peter Schaefer
2013-Dec-29 21:28 UTC
[Samba] Upgrade Samba 3 -> Samba 4 AD DC (Debian Wheezy)
Hi!

I just upgraded from Samba 3.6.6 to the Sernet Samba 4.1.7 packages as AD DC following the Samba AD DC / classicupgrade HOWTO and thought to share the experience so other users might find it in the archives. I also have some questions later on. I'd be very happy if some brave soul can give some advice on these (will come with a later post).

The old Samba3 was running on an EXT4 filesystem with ACLs enabled and used TDB as config store. All SMB users were also local unix users, so ACLs weren't used and I handled permissions using "force group", "write list", group mappings and other ugly things. I hope to get this sorted with Samba4.

I made the upgrade in-place. Risky, but I had backups :-) ... So, without further ado:

0) Stop your running Samba and do the checks covered with steps 6 - 8 using the old installation. Then you can skip 6 - 8 later. I keep them listed for the poor soul that discovers problems when Samba3 is already removed (guess who that poor soul was...). Turn off all Windows clients and do not turn them back on before you are sure you are never ever going back to Samba3 again.

1) Uninstall all Samba 3.6.6 packages using aptitude, apt-get or dpkg. See 'dpkg --list *samba* | grep ii' for installed packages. Be sure to NOT 'purge' but just 'remove' the packages.

2) Move everything in '/etc/samba/*' to '/var/lib/samba'.

3) Zip this directory together using 'tar cvzf samba3.tgz /var/lib/samba'

4) Install the 'sernet-samba-ad' packages and its dependencies.

5) If you have (very likely in case of Debian) your Samba3 users created as local Unix users and they all have their own user-private group with the same name as the user: Remove those user-private groups and add all Samba3 users to a common unix group ('users' or create 'smbusers' or similar). You might have to fix-up unix file owners/permissions on the shares afterwards (especially the home folders).

If you have done step 7 using the old installation, you can proceed with 10, otherwise:

6) Create a directory "/var/lib/samba/private" and copy the files "secrets.tdb" and "passdb.tdb" from "/var/lib/samba" into that directory. Copy your old "smb.conf" from "/var/lib/samba" to "/etc/samba" again. With those old files in the right places, you can now call "pdbedit", "net" and other tools from the new Samba4 installation to do some checks or modifications.

7) Check that (if you have any) your group mappings for "Domain Admins" and "Domain Users" have the correct (MS specified) SID (e.g. they end with -512 and -513, respectively). Fix these like depicted in the following post: https://lists.samba.org/archive/samba/2013-August/175135.html. Note that you may have to check other group mappings, too.

8) If you had to make changes, move the *.tdb files from "/var/lib/samba/private" again to "/var/lib/samba" and tar the directory up again (see step 3). Then delete "/etc/samba/smb.conf". Note: If you have to do further changes to the *.tdbs, you have to shuffle those files around, again.

10) Make a first attempt to run "samba-tool domain classicupgrade --dbdir=/var/lib/samba --use-xattrs=yes --realm=your.domain" (exchange the "your.domain" part, of course).

11) If it fails with some error: "rm -r -f /var/lib/samba" and "rm /etc/samba/smb.conf". Re-establish your old files with "tar xvzf samba3.tgz -C /". Fix the errors (if you can) and try again.

12) If "classicupgrade" succeeds, you have a basic "smb.conf" in "/etc/samba" and can start Samba4 for the first time. I suggest using the debug mode as written in the HOWTO: "samba -i -M single".

13) Test connectivity, configure DNS, Kerberos and NTP as written in the SAMBA AD DC HOWTO. I had to install the "heimdal-clients" package to get "kinit" & co.

14) At last, edit the "/etc/defaults/sernet-samba" file and set the mode to "ad". Then stop your "debug samba" and use the package init-scripts to enter production ("/etc/init.d/sernet-samba-ad start").

15) Move over your shares from your old "smb.conf" (still in /var/lib/samba) to "/etc/samba/smb.conf" using a text editor. The classicupgrade tool did not transfer the shares in my case. Go one-by-one and call "testparm" and - if no errors - "smbcontrol all reload-config" to activate the share. You might drop everything from the share definition except "path" and manage permissions and users from the Windows side using the "Active Directory Users and Computers" MMC snap-in that you get by installing the MS RSAT tools.

Further reading from the wiki:

http://wiki.samba.org/index.php/Samba_AD_management_from_windows
http://wiki.samba.org/index.php/Setting_up_a_home_share
http://wiki.samba.org/index.php/Setup_and_configure_file_shares
http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles

Last but not least (TL;DR): Besides the issue with the wrong SIDs (and the fact that "classicupgrade" just barfs bones in case of this error) the upgrade went smoothly.

I have to say a BIG THANK YOU to all Samba4 developers for developing Samba4. Another BIG THANK YOU goes to Sernet for packaging, too. In addition, the Samba4 wiki pages mentioned above helped a lot. There's always room for improvement, but the documented steps lead in the right direction.

The only issue I'm still facing is managing permissions and dealing with the legacy maze of unix users, groups and permissions mixed with the new ACL based things.

Regards,
Peter
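Added example (not part of the original post): a pre-flight check for step 7 that reads "net groupmap list" output and flags well-known groups whose SID does not end in the Microsoft-specified RID. The sample SIDs are constructed, the "Name (SID) -> unixgroup" line format is assumed, and the Domain Guests (-514) entry goes beyond the two groups the post names.

```shell
#!/bin/sh
# Assumed input: lines as printed by `net groupmap list`, e.g.
#   Domain Admins (S-1-5-21-a-b-c-512) -> domadmins

# RID that each well-known domain group must carry.
expected_rid() {
    case "$1" in
        "Domain Admins") echo 512 ;;
        "Domain Users")  echo 513 ;;
        "Domain Guests") echo 514 ;;   # generalization, not named in the post
        *) return 1 ;;
    esac
}

# Reads mapping lines on stdin, prints one line per wrong mapping.
# Returns 0 when every well-known group present has the right RID, else 1.
check_groupmap() {
    bad=0
    while IFS= read -r line; do
        name=${line%%" (S-"*}
        [ "$name" = "$line" ] && continue        # not a mapping line
        rest=${line#"$name ("}
        sid=${rest%%")"*}
        want=$(expected_rid "$name") || continue # not a well-known group
        rid=${sid##*-}
        if [ "$rid" != "$want" ]; then
            echo "MISMATCH: $name has SID $sid (RID $rid, expected $want)"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample: "Domain Admins" was mapped with an ordinary RID.
sample_groupmap() {
    cat <<'EOF'
Domain Admins (S-1-5-21-1111-2222-3333-1001) -> domadmins
Domain Users (S-1-5-21-1111-2222-3333-513) -> users
Staff (S-1-5-21-1111-2222-3333-3005) -> staff
EOF
}

# On the real system: net groupmap list | check_groupmap
sample_groupmap | check_groupmap || echo "Fix the mappings above before running classicupgrade."
```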
Marc Muehlfeld
2013-Dec-29 22:26 UTC
[Samba] Upgrade Samba 3 -> Samba 4 AD DC (Debian Wheezy)
Hello Peter,

On 29.12.2013 22:28, Peter Schaefer wrote:
> I just upgraded from Samba 3.6.6 to the Sernet Samba 4.1.7 packages as
> AD DC following the Samba AD DC / classicupgrade HOWTO and thought to
> share the experience so other users might find it in the archives.

Always good to hear stories of migrations to improve the documentation.

> I have to say a BIG THANK YOU to all Samba4 developers for developing
> Samba4. Another BIG THANK YOU goes to Sernet for packaging, too. In
> addition, the Samba4 wiki pages mentioned above helped a lot. There's
> always room for improvement, but the documented steps lead in the right
> direction.

I already have the detailed re-writing of the upgrading HowTo on my list for a longer time. But since I moved 2 months ago, I haven't got my internet connection and am online just with a limited and unstable UMTS connection :-( . But I'm collecting the problems/hints/wishes for later. So let me know what kind of improvements you are thinking about, and I'll try to add them.

Regards,
Marc