On 17/07/2020 15:05, Carl Hunter via samba wrote:> On Thursday, July 16, 2020, 07:34:26 a.m. EDT, Carl Hunter via samba <samba at lists.samba.org> wrote: > > > On Thursday, July 16, 2020, 03:30:36 a.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: > > > On 16/07/2020 01:59, Carl Hunter via samba wrote: >> ? On Wednesday, July 15, 2020, 05:03:52 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: >> >> >> ? On 15/07/2020 21:53, Carl Hunter via samba wrote: >>> ? ? On Wednesday, July 15, 2020, 03:29:57 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: >>> >>> >>> ? ? On 15/07/2020 20:13, Carl Hunter via samba wrote: >>>> ? ? ? On Wednesday, July 15, 2020, 02:50:09 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: >>>> >>>> >>>> ? ? ? On 15/07/2020 19:26, Carl Hunter via samba wrote: >>>>> ? ? ? ? On Wednesday, July 15, 2020, 03:16:00 a.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: >>>>> >>>>> >>>>> ? ? ? ? On 15/07/2020 01:14, Carl Hunter via samba wrote: >>>>>> I've currently got a Ubuntu 18.04 server running Samba?4.7.6 with an NT4 domain that I'd like to migrate to an AD.? I've found the following link but am struggling to match up the steps with the Ubuntu install. >>>>>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade) >>>>>> I've also found this post that creates a Samba AD on Ubuntu 18.04 from scratch but doesn't have the upgrade steps. >>>>>> https://blog.ricosharp.com/posts/2019/Samba-4-Active-Directory-Domain-Controller-on-Ubuntu-18-04-Server >>>>> That howto isn't bad, he just got /etc/hosts wrong ;-) >>>>>> Would someone be able to help with some questions? >>>>>> In the first link, the "Server information used in this HowTo" section lists a bunch of settings.? I'm not sure how that matches up with Ubuntu. >>>>> The paths refer to a self compiled Samba, Ubuntu uses different paths >>>>> e.g. /var/lib/samba >>>>>> I'm not using ldap, my smb.conf file has "passdb backend = tdbsam:/var/lib/samba/passdb.tdb" in it if that's any help. >>>>> Just ignore anything to do with ldap >>>>>> Under the "Domain controller name" section it talks about a "netbois name =" line in the smb.conf file.? I don't have that in mine but I do have a "workgroup =" line.? Is this the same thing? >>>>> No and you only really need the line if you are changing the computers >>>>> hostname during the upgrade. >>>>> >>>>>> Does the classicupgrade just "convert" a bunch of files like the passdb.tdb and smb.conf files?? And unless you actually replace the files and start the AD service nothing actually changes? >>>>> Bit more involved than that, all the users and groups are obtained from >>>>> the existing database (along with passwords and the domain SID). This >>>>> information is then used to provision a new AD domain. >>>>>> I think I should stop there. >>>>>> Thanks in advance and hopefully this makes some sense. >>>>> Yes, it did ;-) >>>>> >>>>> Rowland >>>>> >>>>> Thanks for the help.? I've got some more questions though about the following list. >>>>> AD DC Installation Directory:? ? ? ?/usr/local/samba/AD DC Hostname:? ? ? ? ? ? ? ? ? ? ?DC1AD DNS Name:? ? ? ? ? ? ? ? ? ? ? ? samdom.example.comRealm:? ? ? ? ? ? ? ? ? ? ? ? ? ? ? samdom.example.comNT4 Domain Name:? ? ? ? ? ? ? ? ? ? samdomIP Address:? ? ? ? ? ? ? ? ? ? ? ? ?192.168.1.1Databases of the Samba NT4-domain:? /usr/local/samba.PDC/dbdir/smb.conf of the Samba NT4-domain:? ?/usr/local/samba.PDC/etc/smb.PDC.conf >>>>> So for Ubuntu the first line would be /var/lib/samba right? >>>> Yes >>>>> What would the last two lines in the list be for Ubuntu? >>>> Replace '/usr/local/samba' with 'var/lib/samba' >>>>> My NT4 domain is all uppercase.? Would it stay that way for the first part of the AD DNS Name and Realm lines? >>>> Lets say your NT4 domain is SAMDOM.EXAMPLE.COM , you would use >>>> samdom.example.com for the dns name and SAMDOM.EXAMPLE.COM for the realm >>>>> The section talking about moving the /usr/local/samba/ directory, does that still apply to the /var/lib/samba directory? >>>> Yes >>>>> ? ? ? ? And is the /etc/samba/smb.conf file the one that needs to be moved like the /usr/local/samba.PDC/etc/smb.conf file? >>>> Yes >>>>> I'm assuming I need to install Kerberos since it's not currently installed on the system to get the classicupgrade to work? >>>> There is an old saying 'assume makes an ass of u & me' ;-) >>>> >>>> Or to put it another way, no, Samba uses it version of the Heimdal >>>> kerberos, you just need to install the required Samba packages, on >>>> Ubuntu 18.04, these would be: >>>> >>>> samba winbind libnss-winbind libpam-winbind libpam-krb5 ntp binutils >>>> ldb-tools krb5-user >>>> >>>> You should test the upgrade in a different network, to iron out any >>>> problems. >>>> >>>> How large is your domain ? >>>> >>>> If it is small, you may be better off creating a new AD domain, that way >>>> you get full control. Upgrading an existing NT4-style domain carries >>>> over bad practises e.g. using the RID for Unix user & group ID's. >>>> >>>> Rowland >>>> >>>> So in the example on the classicupgrade wiki page my NT4 domain would be SAMDOM with nothing after it.? So would the realm be SAMDOM.example.com in that case? >>> Ah, in AD there are two domains, the one you are referring to, which is >>> actually the Netbios domain? and the DNS domain. If you are upgrading, >>> the Netbios domain will carry over, but you need to ensure you use a >>> valid DNS domain, so you could use samdom.example.com, but if you did, >>> the realm would be SAMDOM.EXAMPLE.COM (the realm is always in uppercase) >>>> On my server I'm currently missing libnss-winbind, libpam-winbind, libpam-krb5, ldb-tools and krb5-user.? Does this sound normal for an NT4 domain? >>> Yes, because you are probably not using winbind and you will definitely >>> not be using kerberos and ldb-tools is only used with AD. >>>> My domain would be about 200 users and 80 machines.? That's a guess.? I was able to clone the production server so I'm able to test things out first. >>>> Thanks >>>> Carl >>> I suggest you go and play ;-) >>> >>> Then come back with the inevitable questions ;-) >>> >>> Rowland >>> One more question before I go and play.? :) >>> I'm pretty sure I'll be running the following command taken from the wiki. >>> ? ? samba-tool domain classicupgrade --dbdir=/usr/local/samba.PDC/dbdir/ \--realm=samdom.example.com --dns-backend=BIND9_DLZ /usr/local/samba.PDC/etc/smb.PDC.conf >>> ? ? From you explanation above should the realm not be "--realm=SAMDOM.EXAMPLE.COM" ? >>> Thanks >>> Carl >>> >>> >> Yes, thanks for pointing this out, I have updated the wikipage ;-) >> >> Rowland >> >> So I started in and here's my first inevitable question. :) >> I can't seem to figure out the following lines from the wiki. >> # cp -p /usr/local/samba.PDC/var/lock/gencache_notrans.tdb /usr/local/samba.PDC/dbdir/# cp -p /usr/local/samba.PDC/var/locks/group_mapping.tdb /usr/local/samba.PDC/dbdir/# cp -p /usr/local/samba.PDC/var/locks/account_policy.tdb /usr/local/samba.PDC/dbdir/ >> I don't seem to have a /var/lib/samba.PDC/var folder.? I do see a group_mapping.tdb file and a account_policy.tdb file in my /var/lib/samba.PDC folder but not the gencache_notrans.tdb file.? Are these the right ones to copy and the gencache_notrans.tdb is not needed? >> Thanks >> Carl > If you compile Samba yourself, by default, everything ends up in > /usr/local/samba. Distros split things up, so you just need to find the > files on your system ;-) > > Rowland > > So I found the gencache_notrans.tdb file only in /run/samba and the other two were only in /var/lib/samba.PDC.? Are these all good to use since they're the only ones I could find?? And do I need to rename the /run/samba folder like I did with the /var/lib/samba folder? > Thanks > Carl > > I finally had the chance to run the command and got the following output. > sudo samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir/ --realm=OSCLAN.OCSCHOOL.ORG --dns-backend=BIND9_DLZ /etc/samba/smb.PDC.conf > Reading smb.conf > Provisioningtdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open /var/lib/samba/passdb.tdb!Exporting account policyExporting groupstdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open /var/lib/samba/passdb.tdb! > ... > dbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb] > tdbsam_getsampwrid: failed to open /var/lib/samba/passdb.tdb!Exporting userstdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open /var/lib/samba/passdb.tdb!ERROR(<class 'passdb.error'>): uncaught exception - Unable to search users? File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?_run? ? return self.run(*args, **kwargs)? File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1589, in? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?run? ? useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)? File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 554, in upgrade? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? _from_samba3? ? userlist = s3db.search_users(0) > I removed a bunch of duplicate log lines just to make it shorter.? Any ideas?? It's like the tool knows something is supposed to be in /var/lib/samba on Ubuntu.? I moved the /var/lib/samba folder to /var/lib/samba.PCD before I ran the command like the wiki said. > Thanks > CarlKeep this quite, but I have never classicupgraded an NT4-style domain, but I think I know what is going wrong here. That 'mv' should be a 'cp', the upgrade is trying to create files in /var/lib/samba and it no longer exists. Rowland
On 17/07/2020 15:21, Rowland penny via samba wrote:> On 17/07/2020 15:05, Carl Hunter via samba wrote: >> ? On Thursday, July 16, 2020, 07:34:26 a.m. EDT, Carl Hunter via >> samba <samba at lists.samba.org> wrote: >> ? ? ?? On Thursday, July 16, 2020, 03:30:36 a.m. EDT, Rowland penny >> via samba <samba at lists.samba.org> wrote: >> ? ? ? On 16/07/2020 01:59, Carl Hunter via samba wrote: >>> ?? On Wednesday, July 15, 2020, 05:03:52 p.m. EDT, Rowland penny via >>> samba <samba at lists.samba.org> wrote: >>> ?? ?? ?? On 15/07/2020 21:53, Carl Hunter via samba wrote: >>>> ?? ? On Wednesday, July 15, 2020, 03:29:57 p.m. EDT, Rowland penny >>>> via samba <samba at lists.samba.org> wrote: >>>> ???? ???? ?? ? On 15/07/2020 20:13, Carl Hunter via samba wrote: >>>>> ?? ? ? On Wednesday, July 15, 2020, 02:50:09 p.m. EDT, Rowland >>>>> penny via samba <samba at lists.samba.org> wrote: >>>>> ?????? ?????? ?? ? ? On 15/07/2020 19:26, Carl Hunter via samba >>>>> wrote: >>>>>> ?? ? ? ? On Wednesday, July 15, 2020, 03:16:00 a.m. EDT, Rowland >>>>>> penny via samba <samba at lists.samba.org> wrote: >>>>>> ???????? ???????? ?? ? ? ? On 15/07/2020 01:14, Carl Hunter via >>>>>> samba wrote: >>>>>>> I've currently got a Ubuntu 18.04 server running Samba?4.7.6 >>>>>>> with an NT4 domain that I'd like to migrate to an AD.? I've >>>>>>> found the following link but am struggling to match up the steps >>>>>>> with the Ubuntu install. >>>>>>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade) >>>>>>> >>>>>>> I've also found this post that creates a Samba AD on Ubuntu >>>>>>> 18.04 from scratch but doesn't have the upgrade steps. >>>>>>> https://blog.ricosharp.com/posts/2019/Samba-4-Active-Directory-Domain-Controller-on-Ubuntu-18-04-Server >>>>>>> >>>>>> That howto isn't bad, he just got /etc/hosts wrong ;-) >>>>>>> Would someone be able to help with some questions? >>>>>>> In the first link, the "Server information used in this HowTo" >>>>>>> section lists a bunch of settings.? I'm not sure how that >>>>>>> matches up with Ubuntu. >>>>>> The paths refer to a self compiled Samba, Ubuntu uses different >>>>>> paths >>>>>> e.g. /var/lib/samba >>>>>>> I'm not using ldap, my smb.conf file has "passdb backend = >>>>>>> tdbsam:/var/lib/samba/passdb.tdb" in it if that's any help. >>>>>> Just ignore anything to do with ldap >>>>>>> Under the "Domain controller name" section it talks about a >>>>>>> "netbois name =" line in the smb.conf file.? I don't have that >>>>>>> in mine but I do have a "workgroup =" line.? Is this the same >>>>>>> thing? >>>>>> No and you only really need the line if you are changing the >>>>>> computers >>>>>> hostname during the upgrade. >>>>>> >>>>>>> Does the classicupgrade just "convert" a bunch of files like the >>>>>>> passdb.tdb and smb.conf files?? And unless you actually replace >>>>>>> the files and start the AD service nothing actually changes? >>>>>> Bit more involved than that, all the users and groups are >>>>>> obtained from >>>>>> the existing database (along with passwords and the domain SID). >>>>>> This >>>>>> information is then used to provision a new AD domain. >>>>>>> I think I should stop there. >>>>>>> Thanks in advance and hopefully this makes some sense. >>>>>> Yes, it did ;-) >>>>>> >>>>>> Rowland >>>>>> >>>>>> Thanks for the help.? I've got some more questions though about >>>>>> the following list. >>>>>> AD DC Installation Directory:? ? ? ?/usr/local/samba/AD DC >>>>>> Hostname:? ? ? ? ? ? ? ? ? ? ?DC1AD DNS Name: ? ? ? ? ? ? ? ? >>>>>> samdom.example.comRealm: ? ? ? ? ? ? ? samdom.example.comNT4 >>>>>> Domain Name: ? ? ? ? ? ? samdomIP Address: ?192.168.1.1Databases >>>>>> of the Samba NT4-domain: /usr/local/samba.PDC/dbdir/smb.conf of >>>>>> the Samba NT4-domain:? ?/usr/local/samba.PDC/etc/smb.PDC.conf >>>>>> So for Ubuntu the first line would be /var/lib/samba right? >>>>> Yes >>>>>> What would the last two lines in the list be for Ubuntu? >>>>> Replace '/usr/local/samba' with 'var/lib/samba' >>>>>> My NT4 domain is all uppercase. Would it stay that way for the >>>>>> first part of the AD DNS Name and Realm lines? >>>>> Lets say your NT4 domain is SAMDOM.EXAMPLE.COM , you would use >>>>> samdom.example.com for the dns name and SAMDOM.EXAMPLE.COM for the >>>>> realm >>>>>> The section talking about moving the /usr/local/samba/ directory, >>>>>> does that still apply to the /var/lib/samba directory? >>>>> Yes >>>>>> ?? ? ? ? And is the /etc/samba/smb.conf file the one that needs >>>>>> to be moved like the /usr/local/samba.PDC/etc/smb.conf file? >>>>> Yes >>>>>> I'm assuming I need to install Kerberos since it's not currently >>>>>> installed on the system to get the classicupgrade to work? >>>>> There is an old saying 'assume makes an ass of u & me' ;-) >>>>> >>>>> Or to put it another way, no, Samba uses it version of the Heimdal >>>>> kerberos, you just need to install the required Samba packages, on >>>>> Ubuntu 18.04, these would be: >>>>> >>>>> samba winbind libnss-winbind libpam-winbind libpam-krb5 ntp binutils >>>>> ldb-tools krb5-user >>>>> >>>>> You should test the upgrade in a different network, to iron out any >>>>> problems. >>>>> >>>>> How large is your domain ? >>>>> >>>>> If it is small, you may be better off creating a new AD domain, >>>>> that way >>>>> you get full control. Upgrading an existing NT4-style domain carries >>>>> over bad practises e.g. using the RID for Unix user & group ID's. >>>>> >>>>> Rowland >>>>> >>>>> So in the example on the classicupgrade wiki page my NT4 domain >>>>> would be SAMDOM with nothing after it.? So would the realm be >>>>> SAMDOM.example.com in that case? >>>> Ah, in AD there are two domains, the one you are referring to, >>>> which is >>>> actually the Netbios domain? and the DNS domain. If you are upgrading, >>>> the Netbios domain will carry over, but you need to ensure you use a >>>> valid DNS domain, so you could use samdom.example.com, but if you did, >>>> the realm would be SAMDOM.EXAMPLE.COM (the realm is always in >>>> uppercase) >>>>> On my server I'm currently missing libnss-winbind, libpam-winbind, >>>>> libpam-krb5, ldb-tools and krb5-user.? Does this sound normal for >>>>> an NT4 domain? >>>> Yes, because you are probably not using winbind and you will >>>> definitely >>>> not be using kerberos and ldb-tools is only used with AD. >>>>> My domain would be about 200 users and 80 machines.? That's a >>>>> guess.? I was able to clone the production server so I'm able to >>>>> test things out first. >>>>> Thanks >>>>> Carl >>>> I suggest you go and play ;-) >>>> >>>> Then come back with the inevitable questions ;-) >>>> >>>> Rowland >>>> One more question before I go and play.? :) >>>> I'm pretty sure I'll be running the following command taken from >>>> the wiki. >>>> ?? ? samba-tool domain classicupgrade >>>> --dbdir=/usr/local/samba.PDC/dbdir/ \--realm=samdom.example.com >>>> --dns-backend=BIND9_DLZ /usr/local/samba.PDC/etc/smb.PDC.conf >>>> ?? ? From you explanation above should the realm not be >>>> "--realm=SAMDOM.EXAMPLE.COM" ? >>>> Thanks >>>> Carl >>>> >>> Yes, thanks for pointing this out, I have updated the wikipage ;-) >>> >>> Rowland >>> >>> So I started in and here's my first inevitable question. :) >>> I can't seem to figure out the following lines from the wiki. >>> # cp -p /usr/local/samba.PDC/var/lock/gencache_notrans.tdb >>> /usr/local/samba.PDC/dbdir/# cp -p >>> /usr/local/samba.PDC/var/locks/group_mapping.tdb >>> /usr/local/samba.PDC/dbdir/# cp -p >>> /usr/local/samba.PDC/var/locks/account_policy.tdb >>> /usr/local/samba.PDC/dbdir/ >>> I don't seem to have a /var/lib/samba.PDC/var folder.? I do see a >>> group_mapping.tdb file and a account_policy.tdb file in my >>> /var/lib/samba.PDC folder but not the gencache_notrans.tdb file.? >>> Are these the right ones to copy and the gencache_notrans.tdb is not >>> needed? >>> Thanks >>> Carl >> If you compile Samba yourself, by default, everything ends up in >> /usr/local/samba. Distros split things up, so you just need to find the >> files on your system ;-) >> >> Rowland >> >> So I found the gencache_notrans.tdb file only in /run/samba and the >> other two were only in /var/lib/samba.PDC.? Are these all good to use >> since they're the only ones I could find?? And do I need to rename >> the /run/samba folder like I did with the /var/lib/samba folder? >> Thanks >> Carl >> >> I finally had the chance to run the command and got the following >> output. >> sudo samba-tool domain classicupgrade >> --dbdir=/var/lib/samba.PDC/dbdir/ --realm=OSCLAN.OCSCHOOL.ORG >> --dns-backend=BIND9_DLZ /etc/samba/smb.PDC.conf >> Reading smb.conf >> Provisioningtdbsam_open: Failed to open/create TDB passwd >> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open >> /var/lib/samba/passdb.tdb!Exporting account policyExporting >> groupstdbsam_open: Failed to open/create TDB passwd >> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open >> /var/lib/samba/passdb.tdb! >> ... >> dbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb] >> tdbsam_getsampwrid: failed to open >> /var/lib/samba/passdb.tdb!Exporting userstdbsam_open: Failed to >> open/create TDB passwd [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: >> failed to open /var/lib/samba/passdb.tdb!ERROR(<class >> 'passdb.error'>): uncaught exception - Unable to search users? File >> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line >> 176, in ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?_run? ? return >> self.run(*args, **kwargs)? File >> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1589, >> in ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?run? ? useeadb=eadb, >> dns_backend=dns_backend, use_ntvfs=use_ntvfs)? File >> "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 554, in >> upgrade ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? _from_samba3? ? userlist = >> s3db.search_users(0) >> I removed a bunch of duplicate log lines just to make it shorter.? >> Any ideas?? It's like the tool knows something is supposed to be in >> /var/lib/samba on Ubuntu.? I moved the /var/lib/samba folder to >> /var/lib/samba.PCD before I ran the command like the wiki said. >> Thanks >> Carl > > Keep this quite, but I have never classicupgraded an NT4-style domain, > but I think I know what is going wrong here. That 'mv' should be a > 'cp', the upgrade is trying to create files in /var/lib/samba and it > no longer exists. > > RowlandOK, after digging into the history of the classicupgrade wiki page, I have found that at one time, it was? thought that the upgrade would be carried out on a new PC, so the required files would be copied to the new PC with 'scp'. The page now is built around upgrading in place and 'mv' is definitely wrong. Looks like I am going to have to do a classicupgrade, before I can rewrite the page. Rowland
On Friday, July 17, 2020, 11:36:18 a.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: On 17/07/2020 15:21, Rowland penny via samba wrote:> On 17/07/2020 15:05, Carl Hunter via samba wrote: >> ? On Thursday, July 16, 2020, 07:34:26 a.m. EDT, Carl Hunter via >> samba <samba at lists.samba.org> wrote: >> ? ? ?? On Thursday, July 16, 2020, 03:30:36 a.m. EDT, Rowland penny >> via samba <samba at lists.samba.org> wrote: >> ? ? ? On 16/07/2020 01:59, Carl Hunter via samba wrote: >>> ?? On Wednesday, July 15, 2020, 05:03:52 p.m. EDT, Rowland penny via >>> samba <samba at lists.samba.org> wrote: >>> ?? ?? ?? On 15/07/2020 21:53, Carl Hunter via samba wrote: >>>> ?? ? On Wednesday, July 15, 2020, 03:29:57 p.m. EDT, Rowland penny >>>> via samba <samba at lists.samba.org> wrote: >>>> ???? ???? ?? ? On 15/07/2020 20:13, Carl Hunter via samba wrote: >>>>> ?? ? ? On Wednesday, July 15, 2020, 02:50:09 p.m. EDT, Rowland >>>>> penny via samba <samba at lists.samba.org> wrote: >>>>> ?????? ?????? ?? ? ? On 15/07/2020 19:26, Carl Hunter via samba >>>>> wrote: >>>>>> ?? ? ? ? On Wednesday, July 15, 2020, 03:16:00 a.m. EDT, Rowland >>>>>> penny via samba <samba at lists.samba.org> wrote: >>>>>> ???????? ???????? ?? ? ? ? On 15/07/2020 01:14, Carl Hunter via >>>>>> samba wrote: >>>>>>> I've currently got a Ubuntu 18.04 server running Samba?4.7.6 >>>>>>> with an NT4 domain that I'd like to migrate to an AD.? I've >>>>>>> found the following link but am struggling to match up the steps >>>>>>> with the Ubuntu install. >>>>>>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade) >>>>>>> >>>>>>> I've also found this post that creates a Samba AD on Ubuntu >>>>>>> 18.04 from scratch but doesn't have the upgrade steps. >>>>>>> https://blog.ricosharp.com/posts/2019/Samba-4-Active-Directory-Domain-Controller-on-Ubuntu-18-04-Server >>>>>>> >>>>>> That howto isn't bad, he just got /etc/hosts wrong ;-) >>>>>>> Would someone be able to help with some questions? >>>>>>> In the first link, the "Server information used in this HowTo" >>>>>>> section lists a bunch of settings.? I'm not sure how that >>>>>>> matches up with Ubuntu. >>>>>> The paths refer to a self compiled Samba, Ubuntu uses different >>>>>> paths >>>>>> e.g. /var/lib/samba >>>>>>> I'm not using ldap, my smb.conf file has "passdb backend = >>>>>>> tdbsam:/var/lib/samba/passdb.tdb" in it if that's any help. >>>>>> Just ignore anything to do with ldap >>>>>>> Under the "Domain controller name" section it talks about a >>>>>>> "netbois name =" line in the smb.conf file.? I don't have that >>>>>>> in mine but I do have a "workgroup =" line.? Is this the same >>>>>>> thing? >>>>>> No and you only really need the line if you are changing the >>>>>> computers >>>>>> hostname during the upgrade. >>>>>> >>>>>>> Does the classicupgrade just "convert" a bunch of files like the >>>>>>> passdb.tdb and smb.conf files?? And unless you actually replace >>>>>>> the files and start the AD service nothing actually changes? >>>>>> Bit more involved than that, all the users and groups are >>>>>> obtained from >>>>>> the existing database (along with passwords and the domain SID). >>>>>> This >>>>>> information is then used to provision a new AD domain. >>>>>>> I think I should stop there. >>>>>>> Thanks in advance and hopefully this makes some sense. >>>>>> Yes, it did ;-) >>>>>> >>>>>> Rowland >>>>>> >>>>>> Thanks for the help.? I've got some more questions though about >>>>>> the following list. >>>>>> AD DC Installation Directory:? ? ? ?/usr/local/samba/AD DC >>>>>> Hostname:? ? ? ? ? ? ? ? ? ? ?DC1AD DNS Name: ? ? ? ? ? ? ? ? >>>>>> samdom.example.comRealm: ? ? ? ? ? ? ? samdom.example.comNT4 >>>>>> Domain Name: ? ? ? ? ? ? samdomIP Address: ?192.168.1.1Databases >>>>>> of the Samba NT4-domain: /usr/local/samba.PDC/dbdir/smb.conf of >>>>>> the Samba NT4-domain:? ?/usr/local/samba.PDC/etc/smb.PDC.conf >>>>>> So for Ubuntu the first line would be /var/lib/samba right? >>>>> Yes >>>>>> What would the last two lines in the list be for Ubuntu? >>>>> Replace '/usr/local/samba' with 'var/lib/samba' >>>>>> My NT4 domain is all uppercase. Would it stay that way for the >>>>>> first part of the AD DNS Name and Realm lines? >>>>> Lets say your NT4 domain is SAMDOM.EXAMPLE.COM , you would use >>>>> samdom.example.com for the dns name and SAMDOM.EXAMPLE.COM for the >>>>> realm >>>>>> The section talking about moving the /usr/local/samba/ directory, >>>>>> does that still apply to the /var/lib/samba directory? >>>>> Yes >>>>>> ?? ? ? ? And is the /etc/samba/smb.conf file the one that needs >>>>>> to be moved like the /usr/local/samba.PDC/etc/smb.conf file? >>>>> Yes >>>>>> I'm assuming I need to install Kerberos since it's not currently >>>>>> installed on the system to get the classicupgrade to work? >>>>> There is an old saying 'assume makes an ass of u & me' ;-) >>>>> >>>>> Or to put it another way, no, Samba uses it version of the Heimdal >>>>> kerberos, you just need to install the required Samba packages, on >>>>> Ubuntu 18.04, these would be: >>>>> >>>>> samba winbind libnss-winbind libpam-winbind libpam-krb5 ntp binutils >>>>> ldb-tools krb5-user >>>>> >>>>> You should test the upgrade in a different network, to iron out any >>>>> problems. >>>>> >>>>> How large is your domain ? >>>>> >>>>> If it is small, you may be better off creating a new AD domain, >>>>> that way >>>>> you get full control. Upgrading an existing NT4-style domain carries >>>>> over bad practises e.g. using the RID for Unix user & group ID's. >>>>> >>>>> Rowland >>>>> >>>>> So in the example on the classicupgrade wiki page my NT4 domain >>>>> would be SAMDOM with nothing after it.? So would the realm be >>>>> SAMDOM.example.com in that case? >>>> Ah, in AD there are two domains, the one you are referring to, >>>> which is >>>> actually the Netbios domain? and the DNS domain. If you are upgrading, >>>> the Netbios domain will carry over, but you need to ensure you use a >>>> valid DNS domain, so you could use samdom.example.com, but if you did, >>>> the realm would be SAMDOM.EXAMPLE.COM (the realm is always in >>>> uppercase) >>>>> On my server I'm currently missing libnss-winbind, libpam-winbind, >>>>> libpam-krb5, ldb-tools and krb5-user.? Does this sound normal for >>>>> an NT4 domain? >>>> Yes, because you are probably not using winbind and you will >>>> definitely >>>> not be using kerberos and ldb-tools is only used with AD. >>>>> My domain would be about 200 users and 80 machines.? That's a >>>>> guess.? I was able to clone the production server so I'm able to >>>>> test things out first. >>>>> Thanks >>>>> Carl >>>> I suggest you go and play ;-) >>>> >>>> Then come back with the inevitable questions ;-) >>>> >>>> Rowland >>>> One more question before I go and play.? :) >>>> I'm pretty sure I'll be running the following command taken from >>>> the wiki. >>>> ?? ? samba-tool domain classicupgrade >>>> --dbdir=/usr/local/samba.PDC/dbdir/ \--realm=samdom.example.com >>>> --dns-backend=BIND9_DLZ /usr/local/samba.PDC/etc/smb.PDC.conf >>>> ?? ? From you explanation above should the realm not be >>>> "--realm=SAMDOM.EXAMPLE.COM" ? >>>> Thanks >>>> Carl >>>> >>> Yes, thanks for pointing this out, I have updated the wikipage ;-) >>> >>> Rowland >>> >>> So I started in and here's my first inevitable question. :) >>> I can't seem to figure out the following lines from the wiki. >>> # cp -p /usr/local/samba.PDC/var/lock/gencache_notrans.tdb >>> /usr/local/samba.PDC/dbdir/# cp -p >>> /usr/local/samba.PDC/var/locks/group_mapping.tdb >>> /usr/local/samba.PDC/dbdir/# cp -p >>> /usr/local/samba.PDC/var/locks/account_policy.tdb >>> /usr/local/samba.PDC/dbdir/ >>> I don't seem to have a /var/lib/samba.PDC/var folder.? I do see a >>> group_mapping.tdb file and a account_policy.tdb file in my >>> /var/lib/samba.PDC folder but not the gencache_notrans.tdb file.? >>> Are these the right ones to copy and the gencache_notrans.tdb is not >>> needed? >>> Thanks >>> Carl >> If you compile Samba yourself, by default, everything ends up in >> /usr/local/samba. Distros split things up, so you just need to find the >> files on your system ;-) >> >> Rowland >> >> So I found the gencache_notrans.tdb file only in /run/samba and the >> other two were only in /var/lib/samba.PDC.? Are these all good to use >> since they're the only ones I could find?? And do I need to rename >> the /run/samba folder like I did with the /var/lib/samba folder? >> Thanks >> Carl >> >> I finally had the chance to run the command and got the following >> output. >> sudo samba-tool domain classicupgrade >> --dbdir=/var/lib/samba.PDC/dbdir/ --realm=OSCLAN.OCSCHOOL.ORG >> --dns-backend=BIND9_DLZ /etc/samba/smb.PDC.conf >> Reading smb.conf >> Provisioningtdbsam_open: Failed to open/create TDB passwd >> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open >> /var/lib/samba/passdb.tdb!Exporting account policyExporting >> groupstdbsam_open: Failed to open/create TDB passwd >> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open >> /var/lib/samba/passdb.tdb! >> ... >> dbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb] >> tdbsam_getsampwrid: failed to open >> /var/lib/samba/passdb.tdb!Exporting userstdbsam_open: Failed to >> open/create TDB passwd [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: >> failed to open /var/lib/samba/passdb.tdb!ERROR(<class >> 'passdb.error'>): uncaught exception - Unable to search users? File >> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line >> 176, in ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?_run? ? return >> self.run(*args, **kwargs)? File >> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1589, >> in ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?run? ? useeadb=eadb, >> dns_backend=dns_backend, use_ntvfs=use_ntvfs)? File >> "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 554, in >> upgrade ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? _from_samba3? ? userlist = >> s3db.search_users(0) >> I removed a bunch of duplicate log lines just to make it shorter.? >> Any ideas?? It's like the tool knows something is supposed to be in >> /var/lib/samba on Ubuntu.? I moved the /var/lib/samba folder to >> /var/lib/samba.PCD before I ran the command like the wiki said. >> Thanks >> Carl > > Keep this quite, but I have never classicupgraded an NT4-style domain, > but I think I know what is going wrong here. That 'mv' should be a > 'cp', the upgrade is trying to create files in /var/lib/samba and it > no longer exists. > > RowlandOK, after digging into the history of the classicupgrade wiki page, I have found that at one time, it was? thought that the upgrade would be carried out on a new PC, so the required files would be copied to the new PC with 'scp'. The page now is built around upgrading in place and 'mv' is definitely wrong. Looks like I am going to have to do a classicupgrade, before I can rewrite the page. Rowland I don't mind being the guinea pig if it helps.? :)?? I was able to duplicate the /var/lib/samba folder and re-run the command and it worked.? I got basically the same output as the wiki.?? My next question is in the "After the classicupgrade" section.? With the following line. If your passdb backend was smbpasswd or tdbsam, remove the domain groups from /etc/group. All groups that had a groupmapping were imported, including their members. You should also remove any Samba users from /etc/passwd, they are now stored in AD. Is there a way to know what are considered domain groups in the /etc/group file?? Same question for /etc/passwd.? Is there a way to know what ones are Samba users? Thanks Carl