I have a Samba 3.6 PDC (ClearOS) that I want to migrate to Sernet Samba 4.2 AD on a Centos7-arm box.

So I am reading:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29

And trying to figure out what files I need. Note this is a totally NEW box, I need to copy over the needed files. So do I move all of the .tdb files? There are actually 2 secrets.tdb:

    /var/clearos/framework/tmp/secrets.tdb
    /var/lib/samba/private/secrets.tdb

Do I need to stop smb and nmb services on the old server before copying the files? Going to rsync the files over.

What about the conf files in /etc/samba? Do I need my old smb.conf?

Security on the old system is users (unix login, never really liked that). Can I change that and to what?

I assume I need to have BIND set up first. And DHCPD?

Definitely need to fix some things on the box before I try the upgrade.

And if I get it wrong the first time, that is not a problem. I will be trying this a number of times anyway, as Centos7-arm is not even up to beta yet. But the beta could go fast once they get the build process working.

Hi,

Here's what I noted for my migration 1 year ago:

Add the unix groups used in samba to the samba db in order to get them on the AD side:

    net groupmap add unixgroup

You'll have to fix wrongly encoded logins too:

    sudo pdbedit -L -b tdbsam:/path/to/passdb.tdb | perl -l -ne '/
      ^( ([\x00-\x7F])
       |([\xC2-\xDF][\x80-\xBF])
       |((([\xE0][\xA0-\xBF])|([\xED][\x80-\x9F])|([\xE1-\xEC\xEE-\xEF][\x80-\xBF]))([\x80-\xBF]))
       |((([\xF0][\x90-\xBF])|([\xF1-\xF3][\x80-\xBF])|([\xF4][\x80-\x8F]))([\x80-\xBF]{2}))
      )*$ /x or print'

Stop samba on the old DC.

Back up /etc/samba, /var/lib/samba/ & /var/run/samba.

Merge the old DC's /etc/passwd & /etc/group to get the samba-used users & groups.

On the new box:

    install samba
    stop samba
    stop winbind
    rm -r /var/lib/samba/private/*
    rm -f /etc/samba/*

Check acl & xattr support on the fs.

    cp old-dc/var/lib/samba/{account_policy.tdb,group_mapping.ldb,passdb.tdb,schannel_store.tdb,secrets.tdb} /root/samba3-files
    cp old-dc/var/run/samba/gencache_notrans.tdb /root/samba3-files
    cp old-dc/etc/samba/smb.conf /root/samba3-files

    samba-tool domain classicupgrade --verbose --use-xattrs=yes --dbdir=/root/samba3-files/ --realm=my.ad.realm --dns-backend=SAMBA_INTERNAL /root/samba3-files/smb.conf

Check that DNS is ok (you may need to give a delegation on the AD realm, depending on how your company DNS is set up. Here we have a dns for company.smth which gives a delegation for ad.company.smth to the DCs):

    dig -t SRV _ldap._tcp.dc._msdcs.my.ad.realm

Create a domain admin:

    samba-tool user add i-am-a-domain-admin
    samba-tool group addmembers "Domain Admins" i-am-a-domain-admin

Clean up /etc/{passwd,group} to remove samba groups & users.

Should be a good start :-)

Note that any shares will be removed from the newly generated smb.conf (you may re-add them even if some people tell you not to, never had any issue with that).

Regards

On 26/08/2015 22:56, Robert Moskowitz wrote:
> I have a Samba 3.6 PDC (ClearOS) that I want to migrate to Sernet
> Samba 4.2 AD on a Centos7-arm box.
>
> So I am reading:
>
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29
>
> And trying to figure out what files I need. Note this is a totally
> NEW box, I need to copy over the needed files. So do I move all of
> the .tdb files? There are actually 2 secrets.tdb:
>
> /var/clearos/framework/tmp/secrets.tdb
> /var/lib/samba/private/secrets.tdb
>
> Do I need to stop smb and nmb services on the old server before
> copying the files? Going to rsync the files over.
>
> What about the conf files in /etc/samba? Do I need my old smb.conf?
>
> Security on the old system is users (unix login, never really liked
> that). Can I change that and to what?
>
> I assume I need to have BIND set up first. And DHCPD?
>
> Definitely need to fix some things on the box before I try the upgrade.
>
> And if I get it wrong the first time, that is not a problem. I will
> be trying this a number of times anyway, as Centos7-arm is not even up
> to beta yet. But the beta could go fast once they get the build
> process working.

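As an added example (not part of the thread and not Samba's own tooling), the Python below runs two pre-flight checks on the staging directory described in the reply above: that every file named in its cp commands is present and non-empty, and that no line of `pdbedit -L` output contains invalid UTF-8, which is what the Perl one-liner tests. The function names, the `login:uid:full name` line layout and the Latin-1 reading of bad bytes are assumptions made for this illustration.

```python
# Added example (not from the thread): pre-flight checks before classicupgrade.
from pathlib import Path

# File names taken from the cp commands in the reply above.
REQUIRED = ["account_policy.tdb", "group_mapping.ldb", "passdb.tdb",
            "schannel_store.tdb", "secrets.tdb", "gencache_notrans.tdb",
            "smb.conf"]

def missing_files(staging_dir):
    """Return the required files that are absent or empty in staging_dir."""
    root = Path(staging_dir)
    return [name for name in REQUIRED
            if not (root / name).is_file() or (root / name).stat().st_size == 0]

def bad_logins(pdbedit_output: bytes):
    """Return (line_no, raw_line, latin1_reading) for lines that are not UTF-8.

    Takes the raw bytes of `pdbedit -L` output (assumed layout:
    login:uid:full name). Strict UTF-8 decoding rejects the same input as
    the Perl regex: stray continuation bytes, overlong forms, surrogates
    and code points above U+10FFFF.
    """
    findings = []
    for line_no, line in enumerate(pdbedit_output.splitlines(), 1):
        try:
            line.decode("utf-8")
        except UnicodeDecodeError:
            # Assumption: the entry was created by a Latin-1 client, so a
            # Latin-1 reading shows the operator the intended spelling.
            findings.append((line_no, line, line.decode("latin-1")))
    return findings

# Constructed sample: line 2 carries a Latin-1 e-acute (0xE9);
# line 3 spells the same letter as valid UTF-8 (0xC3 0xA9).
SAMPLE = b"alice:1001:Alice\nren\xe9:1002:Rene\nren\xc3\xa9e:1003:Renee\n"

if __name__ == "__main__":
    for line_no, raw, reading in bad_logins(SAMPLE):
        print(f"line {line_no}: {raw!r} is not UTF-8 (Latin-1: {reading})")
```
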
Hello Robert,

On 26.08.2015 at 22:56, Robert Moskowitz wrote:
> And trying to figure out what files I need.

You need the database files you're told to copy in the guide:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29#The_classicupgrade_process

> Note this is a totally NEW
> box, I need to copy over the needed files.

What does "totally new" mean? You mean it's a newly installed OS, without any running Samba installation? Then copy the files named in the guide.

> So do I move all of the .tdb files? There are actually 2 secrets.tdb:
>
> /var/clearos/framework/tmp/secrets.tdb
> /var/lib/samba/private/secrets.tdb

Then you have to find out which one samba uses. If this is on your old host, where Samba is still running, try

    # lsof | grep secrets.tdb

> Do I need to stop smb and nmb services on the old server before copying
> the files? Going to rsync the files over.

You should stop samba on the old host before. Otherwise it could happen that things inside the databases change (e.g. user or machine password changes, etc.) and you're doing the migration with an outdated database.

> What about the conf files in /etc/samba? Do I need my old smb.conf?

Yes. But with a different name. It's also described in the Wiki guide. Classicupgrade reads some information required for the migration out of it, like LDAP settings.

> Security on the old system is users (unix login, never really liked
> that). Can I change that and to what?

It was never required that users are able to log in locally to a PDC or member server. Nor is it on an AD DC. But this has nothing to do with 'security = user'.

> I assume I need to have BIND set up first. And DHCPD?

Just follow the guide. It was used on thousands of installations. It tells you what to do in which order, so that it's working ;-)

DHCP is not part of AD. If you want to use it, just set it up whenever you want.

> Definitely need to fix some things on the box before I try the upgrade.

Before doing a migration, it's always a good idea to do this on a separate test environment first.

Regards,
Marc