Charish Patel
2016-Sep-28  16:11 UTC
[Samba] Migrating, Upgrading & Testing Samba 4 PDC/BDC
Hi folks,
I've been tasked with a migration of our servers and, as the subject
implies, part of it involves a PDC and BDC that were set up before my time.
However, I'm trying to accomplish a little bit more to give myself, the
sysadmin, a little bit more automation capability:
- Migrate the PDC and BDC both to new servers (part of this I've
  already done with copying /etc/passwd, group, shadow, and gshadow along
  with smb.conf, secrets.tdb and passwd.tdb. There is no LDAP and/or
  Kerberos configuration).
- Upgrade the PDC and BDC to AD Controllers that will work in
  redundancy.
- Updating our netlogon script to mount Samba shares based on the user
  logging in.
  - Part of this is getting a non-.bat script to work with both Windows
    and Mac (it's mostly a Windows environment, but we have 12 Macs as
    well). I was thinking something along the lines of trying to detect
    the OS via a fastscan with nmap and, based on the OS, kick off
    logon.bat (Windows) or login.sh (for Macs) in order to mount the
    network shares as well as pushing out an agent that takes an
    inventory of the workstations logging in.
    - The Macs haven't been joined to the domain yet, but with the new
      Samba instances it's something I'm looking into doing.
- The part that has me nervous: actually testing all this out. My
  biggest concern is if I spin up the new Samba AD controllers, it will
  interfere with the existing ones and thereby cause hell for my users.
  Is there any way to isolate the set up for testing so that, if it's
  successful, it'd just be a matter of shutting down the old PDC and
  BDC, spinning up the new redundant AD controllers and having the users
  be able to continue working seamlessly?
This is my first time working with Samba to this extent and I've done some
reading based on the documentation for Samba (specifically,
https://www.samba.org/samba/docs/man/Samba-Guide/upgrades.html) and random
blogs, but wanted to see if someone could provide a more exact answer. I'm
not necessarily looking for the exact commands, just a guideline from some folks
who may have done something like this before. What I'm currently working
with:
Old setup
  PDC is running on Samba 4.1.17 on top of Debian 8 with bind9 acting as
  the DNS server
  BDC is running on Samba 3.6.6 on top of Debian 7 with bind9 running as
  well, but the configuration seems to be the default
New setup
  Debian 8.6 with Samba 4.2.10 for both servers that the soon-to-be
  redundant AD Controllers will be sitting on.
Please let me know if more information is needed and MUCH appreciated in advance
to those who can help!
Charish
Rowland Penny
2016-Sep-28  16:22 UTC
[Samba] Migrating, Upgrading & Testing Samba 4 PDC/BDC
On Wed, 28 Sep 2016 16:11:23 +0000
Charish Patel via samba <samba at lists.samba.org> wrote:
> Hi folks,
>
> I've been tasked with a migration of our servers and, as the subject
> implies, part of it involves a PDC and BDC that were set up before my
> time.
> [...]
> · Upgrade the PDC and BDC to AD Controllers that will work in
> redundancy.
> [...]
> Charish

Is there some reason why you aren't considering upgrading to AD ?

Rowland
Rowland Penny
2016-Sep-28  17:43 UTC
[Samba] Migrating, Upgrading & Testing Samba 4 PDC/BDC
On Wed, 28 Sep 2016 11:33:29 -0500
Bob of Donelson Trophy <bob at donelsontrophy.net> wrote:
> On 2016-09-28 11:22, Rowland Penny via samba wrote:
> > On Wed, 28 Sep 2016 16:11:23 +0000
> > Charish Patel via samba <samba at lists.samba.org> wrote:
> > [...]
> >> · Upgrade the PDC and BDC to AD Controllers that will work
> >> in redundancy.
> > [...]
> > Is there some reason why you aren't considering upgrading to AD ?
> >
> > Rowland
>
> Rowland, she said that she was. (highlighted above . . . sorry.)

Sorry, I just fixated on PDC and BDC.

I wouldn't use the 4.2.10 packages from debian, the 4.2.x series is now
EOL. There are 4.4.5 packages in sid and stretch, but then would you want
to run versions of debian in production that are also known as unstable
and testing?

I am rapidly coming to the opinion that it is probably best to compile
Samba yourself. This way, if you do hit a problem that is fixed in a
later version, or there is a patch to fix your problem, you can easily
compile samba again.

Rowland
Charish Patel
2016-Sep-29  13:57 UTC
[Samba] Migrating, Upgrading & Testing Samba 4 PDC/BDC
If you mean regular Microsoft AD, the reason is simple: cost. Management
sadly does not want to shell out the money for it. If you mean upgrading
the Samba PDC to AD, that is what I want to do but on the new servers as
opposed to the current set up.

Charish

-----Original Message-----
From: Rowland Penny [mailto:rpenny at samba.org]
Sent: Wednesday, September 28, 2016 12:23 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Migrating, Upgrading & Testing Samba 4 PDC/BDC

On Wed, 28 Sep 2016 16:11:23 +0000
Charish Patel via samba <samba at lists.samba.org> wrote:
> [...]

Is there some reason why you aren't considering upgrading to AD ?

Rowland
Andrew Bartlett
2016-Oct-02  01:46 UTC
[Samba] Migrating, Upgrading & Testing Samba 4 PDC/BDC
On Wed, 2016-09-28 at 16:11 +0000, Charish Patel via samba wrote:
> Hi folks,
> [...]
> · Updating our netlogon script to mount Samba shares based on
> the user logging in.
>
> o Part of this is getting a non-.bat script to work with both
> Windows and Mac (it's mostly a Windows environment, but we have 12
> Macs as well). I was thinking something along the lines of trying to
> detect the OS via a fastscan with nmap and, based on the OS, kick off
> logon.bat (Windows) or login.sh (for Macs) in order to mount the
> network shares as well as pushing out an agent for that takes an
> inventory of the workstations logging in.
>
> § The Macs haven't been joined to the domain yet, but with the new
> Samba instances it's something I'm looking into doing.

I don't think the macs even understand the logon script.

Also just note that the logon script from the smb.conf is not used any
more, it has to be set per-user in AD (eg with a script, or with ADUC
editing multiple users).

> · The part that has me nervous: actually testing all this
> out. My biggest concern is if I spin up the new Samba AD controllers,
> it will interfere with the existing ones and thereby causing hell for
> my users. Is there any way to isolate the set up for testing so that,
> if it's successful, it'd just be a matter of shutting down the old
> PDC and BDC, spin up the new redundant AD controllers and have the
> users be able to continue working seamlessly.

Isolated networks is what we suggest, and trial runs. If you get the
trials to the point where it is automatic, you may be able to do your
production deploy on the production network in downtime, otherwise
ideally your test LAN is isolated enough that it has the same IP address
space so you can slot it right in.

The big issue with clients not falling back came from NT4 system
policies, but I've not tested that for most of a decade, so no doubt it
is more these days.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
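Added example, not from Andrew's message or the Samba project: since the smb.conf logon script is ignored by an AD DC and the script must be set per user, this small POSIX shell script generates an LDIF that sets the AD scriptPath attribute for a list of users and loads it with ldbmodify on the DC. The base DN, the sam.ldb path and the CN=<user>,CN=Users object layout are assumptions to adjust for your own domain.

```shell
#!/bin/sh
# Set the per-user logon script (AD attribute scriptPath) for several
# users at once on a Samba AD DC. Run on the DC as root.
# Usage: apply_logon_ldif logon.bat alice bob carol

BASE_DN="DC=example,DC=com"                # assumption: your domain's base DN
SAM_LDB="/var/lib/samba/private/sam.ldb"   # assumption: Debian package path;
                                            # self-compiled: /usr/local/samba/private/sam.ldb

# logon_ldif SCRIPT USER...: print one LDIF modify record per user.
# SCRIPT is relative to the NETLOGON share (e.g. logon.bat).
# Assumes each account lives at CN=<sAMAccountName>,CN=Users,<base DN>;
# check with ldbsearch if users were created elsewhere.
logon_ldif() {
    script="$1"; shift
    for user in "$@"; do
        printf 'dn: CN=%s,CN=Users,%s\nchangetype: modify\nreplace: scriptPath\nscriptPath: %s\n\n' \
            "$user" "$BASE_DN" "$script"
    done
}

# apply_logon_ldif SCRIPT USER...: generate the LDIF and load it into sam.ldb.
# Review the output of logon_ldif first; ldbmodify applies it directly.
apply_logon_ldif() {
    logon_ldif "$@" | ldbmodify -H "$SAM_LDB"
}
```

Only Windows clients act on scriptPath; as noted above, the Macs will not run it, so they still need a separate mount mechanism.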