samba - Jul 2020 - Ubuntu 18.04 classicupgrade help

On Friday, July 17, 2020, 12:43:33 p.m. EDT, Rowland penny via samba <samba
at lists.samba.org> wrote:
 
 
 On 17/07/2020 17:20, Carl Hunter via samba wrote:
>? On Friday, July 17, 2020, 11:36:18 a.m. EDT, Rowland penny via samba
<samba at lists.samba.org> wrote:
>? 
>? 
>? On 17/07/2020 15:21, Rowland penny via samba wrote:
>> On 17/07/2020 15:05, Carl Hunter via samba wrote:
>>>? ? On Thursday, July 16, 2020, 07:34:26 a.m. EDT, Carl Hunter via
>>> samba <samba at lists.samba.org> wrote:
>>>? ? ? ?? On Thursday, July 16, 2020, 03:30:36 a.m. EDT, Rowland
penny
>>> via samba <samba at lists.samba.org> wrote:
>>>? ? ? ? On 16/07/2020 01:59, Carl Hunter via samba wrote:
>>>>? ?? On Wednesday, July 15, 2020, 05:03:52 p.m. EDT, Rowland
penny via
>>>> samba <samba at lists.samba.org> wrote:
>>>>? ?? ?? ?? On 15/07/2020 21:53, Carl Hunter via samba wrote:
>>>>>? ?? ? On Wednesday, July 15, 2020, 03:29:57 p.m. EDT,
Rowland penny
>>>>> via samba <samba at lists.samba.org> wrote:
>>>>>? ???? ???? ?? ? On 15/07/2020 20:13, Carl Hunter via samba
wrote:
>>>>>>? ?? ? ? On Wednesday, July 15, 2020, 02:50:09 p.m. EDT,
Rowland
>>>>>> penny via samba <samba at lists.samba.org> wrote:
>>>>>>? ?????? ?????? ?? ? ? On 15/07/2020 19:26, Carl Hunter
via samba
>>>>>> wrote:
>>>>>>>? ?? ? ? ? On Wednesday, July 15, 2020, 03:16:00
a.m. EDT, Rowland
>>>>>>> penny via samba <samba at lists.samba.org>
wrote:
>>>>>>>? ???????? ???????? ?? ? ? ? On 15/07/2020 01:14,
Carl Hunter via
>>>>>>> samba wrote:
>>>>>>>> I've currently got a Ubuntu 18.04 server
running Samba?4.7.6
>>>>>>>> with an NT4 domain that I'd like to migrate
to an AD.? I've
>>>>>>>> found the following link but am struggling to
match up the steps
>>>>>>>> with the Ubuntu install.
>>>>>>>>
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>>>>>>>>
>>>>>>>> I've also found this post that creates a
Samba AD on Ubuntu
>>>>>>>> 18.04 from scratch but doesn't have the
upgrade steps.
>>>>>>>>
https://blog.ricosharp.com/posts/2019/Samba-4-Active-Directory-Domain-Controller-on-Ubuntu-18-04-Server
>>>>>>>>
>>>>>>> That howto isn't bad, he just got /etc/hosts
wrong ;-)
>>>>>>>> Would someone be able to help with some
questions?
>>>>>>>> In the first link, the "Server information
used in this HowTo"
>>>>>>>> section lists a bunch of settings.? I'm not
sure how that
>>>>>>>> matches up with Ubuntu.
>>>>>>> The paths refer to a self compiled Samba, Ubuntu
uses different
>>>>>>> paths
>>>>>>> e.g. /var/lib/samba
>>>>>>>> I'm not using ldap, my smb.conf file has
"passdb backend >>>>>>>>
tdbsam:/var/lib/samba/passdb.tdb" in it if that's any help.
>>>>>>> Just ignore anything to do with ldap
>>>>>>>> Under the "Domain controller name"
section it talks about a
>>>>>>>> "netbois name =" line in the smb.conf
file.? I don't have that
>>>>>>>> in mine but I do have a "workgroup ="
line.? Is this the same
>>>>>>>> thing?
>>>>>>> No and you only really need the line if you are
changing the
>>>>>>> computers
>>>>>>> hostname during the upgrade.
>>>>>>>
>>>>>>>> Does the classicupgrade just
"convert" a bunch of files like the
>>>>>>>> passdb.tdb and smb.conf files?? And unless you
actually replace
>>>>>>>> the files and start the AD service nothing
actually changes?
>>>>>>> Bit more involved than that, all the users and
groups are
>>>>>>> obtained from
>>>>>>> the existing database (along with passwords and the
domain SID).
>>>>>>> This
>>>>>>> information is then used to provision a new AD
domain.
>>>>>>>> I think I should stop there.
>>>>>>>> Thanks in advance and hopefully this makes some
sense.
>>>>>>> Yes, it did ;-)
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>> Thanks for the help.? I've got some more
questions though about
>>>>>>> the following list.
>>>>>>> AD DC Installation Directory:? ? ?
?/usr/local/samba/AD DC
>>>>>>> Hostname:? ? ? ? ? ? ? ? ? ? ?DC1AD DNS Name:
>>>>>>> samdom.example.comRealm: ? ? ? ? ? ? ?
samdom.example.comNT4
>>>>>>> Domain Name: ? ? ? ? ? ? samdomIP Address:
?192.168.1.1Databases
>>>>>>> of the Samba NT4-domain:
/usr/local/samba.PDC/dbdir/smb.conf of
>>>>>>> the Samba NT4-domain:?
?/usr/local/samba.PDC/etc/smb.PDC.conf
>>>>>>> So for Ubuntu the first line would be
/var/lib/samba right?
>>>>>> Yes
>>>>>>> What would the last two lines in the list be for
Ubuntu?
>>>>>> Replace '/usr/local/samba' with
'var/lib/samba'
>>>>>>> My NT4 domain is all uppercase. Would it stay that
way for the
>>>>>>> first part of the AD DNS Name and Realm lines?
>>>>>> Lets say your NT4 domain is SAMDOM.EXAMPLE.COM , you
would use
>>>>>> samdom.example.com for the dns name and
SAMDOM.EXAMPLE.COM for the
>>>>>> realm
>>>>>>> The section talking about moving the
/usr/local/samba/ directory,
>>>>>>> does that still apply to the /var/lib/samba
directory?
>>>>>> Yes
>>>>>>>? ?? ? ? ? And is the /etc/samba/smb.conf file the
one that needs
>>>>>>> to be moved like the
/usr/local/samba.PDC/etc/smb.conf file?
>>>>>> Yes
>>>>>>> I'm assuming I need to install Kerberos since
it's not currently
>>>>>>> installed on the system to get the classicupgrade
to work?
>>>>>> There is an old saying 'assume makes an ass of u
& me' ;-)
>>>>>>
>>>>>> Or to put it another way, no, Samba uses it version of
the Heimdal
>>>>>> kerberos, you just need to install the required Samba
packages, on
>>>>>> Ubuntu 18.04, these would be:
>>>>>>
>>>>>> samba winbind libnss-winbind libpam-winbind libpam-krb5
ntp binutils
>>>>>> ldb-tools krb5-user
>>>>>>
>>>>>> You should test the upgrade in a different network, to
iron out any
>>>>>> problems.
>>>>>>
>>>>>> How large is your domain ?
>>>>>>
>>>>>> If it is small, you may be better off creating a new AD
domain,
>>>>>> that way
>>>>>> you get full control. Upgrading an existing NT4-style
domain carries
>>>>>> over bad practises e.g. using the RID for Unix user
& group ID's.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>> So in the example on the classicupgrade wiki page my
NT4 domain
>>>>>> would be SAMDOM with nothing after it.? So would the
realm be
>>>>>> SAMDOM.example.com in that case?
>>>>> Ah, in AD there are two domains, the one you are referring
to,
>>>>> which is
>>>>> actually the Netbios domain? and the DNS domain. If you are
upgrading,
>>>>> the Netbios domain will carry over, but you need to ensure
you use a
>>>>> valid DNS domain, so you could use samdom.example.com, but
if you did,
>>>>> the realm would be SAMDOM.EXAMPLE.COM (the realm is always
in
>>>>> uppercase)
>>>>>> On my server I'm currently missing libnss-winbind,
libpam-winbind,
>>>>>> libpam-krb5, ldb-tools and krb5-user.? Does this sound
normal for
>>>>>> an NT4 domain?
>>>>> Yes, because you are probably not using winbind and you
will
>>>>> definitely
>>>>> not be using kerberos and ldb-tools is only used with AD.
>>>>>> My domain would be about 200 users and 80 machines.?
That's a
>>>>>> guess.? I was able to clone the production server so
I'm able to
>>>>>> test things out first.
>>>>>> Thanks
>>>>>> Carl
>>>>> I suggest you go and play ;-)
>>>>>
>>>>> Then come back with the inevitable questions ;-)
>>>>>
>>>>> Rowland
>>>>> One more question before I go and play.? :)
>>>>> I'm pretty sure I'll be running the following
command taken from
>>>>> the wiki.
>>>>>? ?? ? samba-tool domain classicupgrade
>>>>> --dbdir=/usr/local/samba.PDC/dbdir/
\--realm=samdom.example.com
>>>>> --dns-backend=BIND9_DLZ
/usr/local/samba.PDC/etc/smb.PDC.conf
>>>>>? ?? ? From you explanation above should the realm not be
>>>>> "--realm=SAMDOM.EXAMPLE.COM" ?
>>>>> Thanks
>>>>> Carl
>>>>>
>>>> Yes, thanks for pointing this out, I have updated the wikipage
;-)
>>>>
>>>> Rowland
>>>>
>>>> So I started in and here's my first inevitable question. :)
>>>> I can't seem to figure out the following lines from the
wiki.
>>>> # cp -p /usr/local/samba.PDC/var/lock/gencache_notrans.tdb
>>>> /usr/local/samba.PDC/dbdir/# cp -p
>>>> /usr/local/samba.PDC/var/locks/group_mapping.tdb
>>>> /usr/local/samba.PDC/dbdir/# cp -p
>>>> /usr/local/samba.PDC/var/locks/account_policy.tdb
>>>> /usr/local/samba.PDC/dbdir/
>>>> I don't seem to have a /var/lib/samba.PDC/var folder.? I do
see a
>>>> group_mapping.tdb file and a account_policy.tdb file in my
>>>> /var/lib/samba.PDC folder but not the gencache_notrans.tdb
file.
>>>> Are these the right ones to copy and the gencache_notrans.tdb
is not
>>>> needed?
>>>> Thanks
>>>> Carl
>>> If you compile Samba yourself, by default, everything ends up in
>>> /usr/local/samba. Distros split things up, so you just need to find
the
>>> files on your system ;-)
>>>
>>> Rowland
>>>
>>> So I found the gencache_notrans.tdb file only in /run/samba and the
>>> other two were only in /var/lib/samba.PDC.? Are these all good to
use
>>> since they're the only ones I could find?? And do I need to
rename
>>> the /run/samba folder like I did with the /var/lib/samba folder?
>>> Thanks
>>> Carl
>>>
>>> I finally had the chance to run the command and got the following
>>> output.
>>> sudo samba-tool domain classicupgrade
>>> --dbdir=/var/lib/samba.PDC/dbdir/ --realm=OSCLAN.OCSCHOOL.ORG
>>> --dns-backend=BIND9_DLZ /etc/samba/smb.PDC.conf
>>> Reading smb.conf
>>> Provisioningtdbsam_open: Failed to open/create TDB passwd
>>> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open
>>> /var/lib/samba/passdb.tdb!Exporting account policyExporting
>>> groupstdbsam_open: Failed to open/create TDB passwd
>>> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open
>>> /var/lib/samba/passdb.tdb!
>>> ...
>>> dbsam_open: Failed to open/create TDB passwd
[/var/lib/samba/passdb.tdb]
>>> tdbsam_getsampwrid: failed to open
>>> /var/lib/samba/passdb.tdb!Exporting userstdbsam_open: Failed to
>>> open/create TDB passwd
[/var/lib/samba/passdb.tdb]tdbsam_getsampwnam:
>>> failed to open /var/lib/samba/passdb.tdb!ERROR(<class
>>> 'passdb.error'>): uncaught exception - Unable to search
users? File
>>>
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
>>> 176, in ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?_run? ? return
>>> self.run(*args, **kwargs)? File
>>>
"/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1589,
>>> in ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?run? ? useeadb=eadb,
>>> dns_backend=dns_backend, use_ntvfs=use_ntvfs)? File
>>> "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line
554, in
>>> upgrade ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? _from_samba3? ? userlist
>>> s3db.search_users(0)
>>> I removed a bunch of duplicate log lines just to make it shorter.
>>> Any ideas?? It's like the tool knows something is supposed to
be in
>>> /var/lib/samba on Ubuntu.? I moved the /var/lib/samba folder to
>>> /var/lib/samba.PCD before I ran the command like the wiki said.
>>> Thanks
>>> Carl
>> Keep this quite, but I have never classicupgraded an NT4-style domain,
>> but I think I know what is going wrong here. That 'mv' should
be a
>> 'cp', the upgrade is trying to create files in /var/lib/samba
and it
>> no longer exists.
>>
>> Rowland
> OK, after digging into the history of the classicupgrade wiki page, I
> have found that at one time, it was? thought that the upgrade would be
> carried out on a new PC, so the required files would be copied to the
> new PC with 'scp'. The page now is built around upgrading in place
and
> 'mv' is definitely wrong.
>
> Looks like I am going to have to do a classicupgrade, before I can
> rewrite the page.
>
> Rowland
>
> I don't mind being the guinea pig if it helps.? :)
Too late, I was the guinea pig ;-)

I will be updating the wiki tomorrow.
> I was able to duplicate the /var/lib/samba folder and re-run the command
and it worked.? I got basically the same output as the wiki.
> My next question is in the "After the classicupgrade" section.?
With the following line.
> If your passdb backend was smbpasswd or tdbsam, remove the domain groups
from /etc/group. All groups that had a groupmapping were imported, including
their members. You should also remove any Samba users from /etc/passwd, they are
now stored in AD.
>
> Is there a way to know what are considered domain groups in the /etc/group
file?? Same question for /etc/passwd.? Is there a way to know what ones are
Samba users?
> Thanks
> Carl
Run 'wbinfo -u' & 'wbinfo -g', these are the domain users
& groups on my
nice new shiny classicupgraded domain:

wbinfo -u
EXAMPLE\administrator
EXAMPLE\guest
EXAMPLE\krbtgt

wbinfo -g
EXAMPLE\cert publishers
EXAMPLE\ras and ias servers
EXAMPLE\allowed rodc password replication group
EXAMPLE\denied rodc password replication group
EXAMPLE\dnsadmins
EXAMPLE\enterprise read-only domain controllers
EXAMPLE\domain admins
EXAMPLE\domain users
EXAMPLE\domain guests
EXAMPLE\domain computers
EXAMPLE\domain controllers
EXAMPLE\schema admins
EXAMPLE\enterprise admins
EXAMPLE\group policy creator owners
EXAMPLE\read-only domain controllers
EXAMPLE\dnsupdateproxy

Your DOMAIN will be different, but if any of those are in /etc/passwd or 
/etc/group, then they should be remove from there. You should also check 
if any other users or groups shown by 'wbinfo -u ' or 'wbinfo
-g' are in
/etc/passwd or /etc/group, most of these should be removed from 
/etc/passwd or /etc/group, but a few may need to be removed from AD, 
basically any that are in AD and have a Unix ID of 999 should be removed 
from AD.

Rowland
Before I ran the classicupgrade command I had stopped smdb, nmdb and winbind.? I
haven't started samba-ad-dc yet.? Looks like the wbinfo -u and wbinfo -g
commands need winbind running.? Do I just temporarily start winbind to get my
info and stop it again?? Or do I start samba-ad-dc before cleaning up the group
and passwd files?? Just not sure about the order of things or if it matters.??
Thanks
Carl

On 17/07/2020 19:17, Carl Hunter via samba wrote:
>   On Friday, July 17, 2020, 12:43:33 p.m. EDT, Rowland penny via samba
<samba at lists.samba.org> wrote:
>   
>   
>   On 17/07/2020 17:20, Carl Hunter via samba wrote:
>>  ? On Friday, July 17, 2020, 11:36:18 a.m. EDT, Rowland penny via samba
<samba at lists.samba.org> wrote:
>>    
>>    
>>  ? On 17/07/2020 15:21, Rowland penny via samba wrote:
>>> On 17/07/2020 15:05, Carl Hunter via samba wrote:
>>>>  ? ? On Thursday, July 16, 2020, 07:34:26 a.m. EDT, Carl Hunter
via
>>>> samba <samba at lists.samba.org> wrote:
>>>>  ? ? ? ?? On Thursday, July 16, 2020, 03:30:36 a.m. EDT,
Rowland penny
>>>> via samba <samba at lists.samba.org> wrote:
>>>>  ? ? ? ? On 16/07/2020 01:59, Carl Hunter via samba wrote:
>>>>>  ? ?? On Wednesday, July 15, 2020, 05:03:52 p.m. EDT,
Rowland penny via
>>>>> samba <samba at lists.samba.org> wrote:
>>>>>  ? ?? ?? ?? On 15/07/2020 21:53, Carl Hunter via samba
wrote:
>>>>>>  ? ?? ? On Wednesday, July 15, 2020, 03:29:57 p.m. EDT,
Rowland penny
>>>>>> via samba <samba at lists.samba.org> wrote:
>>>>>>  ? ???? ???? ?? ? On 15/07/2020 20:13, Carl Hunter via
samba wrote:
>>>>>>>  ? ?? ? ? On Wednesday, July 15, 2020, 02:50:09
p.m. EDT, Rowland
>>>>>>> penny via samba <samba at lists.samba.org>
wrote:
>>>>>>>  ? ?????? ?????? ?? ? ? On 15/07/2020 19:26, Carl
Hunter via samba
>>>>>>> wrote:
>>>>>>>>  ? ?? ? ? ? On Wednesday, July 15, 2020,
03:16:00 a.m. EDT, Rowland
>>>>>>>> penny via samba <samba at
lists.samba.org> wrote:
>>>>>>>>  ? ???????? ???????? ?? ? ? ? On 15/07/2020
01:14, Carl Hunter via
>>>>>>>> samba wrote:
>>>>>>>>> I've currently got a Ubuntu 18.04
server running Samba?4.7.6
>>>>>>>>> with an NT4 domain that I'd like to
migrate to an AD.? I've
>>>>>>>>> found the following link but am struggling
to match up the steps
>>>>>>>>> with the Ubuntu install.
>>>>>>>>>
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>>>>>>>>>
>>>>>>>>> I've also found this post that creates
a Samba AD on Ubuntu
>>>>>>>>> 18.04 from scratch but doesn't have the
upgrade steps.
>>>>>>>>>
https://blog.ricosharp.com/posts/2019/Samba-4-Active-Directory-Domain-Controller-on-Ubuntu-18-04-Server
>>>>>>>>>
>>>>>>>> That howto isn't bad, he just got
/etc/hosts wrong ;-)
>>>>>>>>> Would someone be able to help with some
questions?
>>>>>>>>> In the first link, the "Server
information used in this HowTo"
>>>>>>>>> section lists a bunch of settings.? I'm
not sure how that
>>>>>>>>> matches up with Ubuntu.
>>>>>>>> The paths refer to a self compiled Samba,
Ubuntu uses different
>>>>>>>> paths
>>>>>>>> e.g. /var/lib/samba
>>>>>>>>> I'm not using ldap, my smb.conf file
has "passdb backend >>>>>>>>>
tdbsam:/var/lib/samba/passdb.tdb" in it if that's any help.
>>>>>>>> Just ignore anything to do with ldap
>>>>>>>>> Under the "Domain controller
name" section it talks about a
>>>>>>>>> "netbois name =" line in the
smb.conf file.? I don't have that
>>>>>>>>> in mine but I do have a "workgroup
=" line.? Is this the same
>>>>>>>>> thing?
>>>>>>>> No and you only really need the line if you are
changing the
>>>>>>>> computers
>>>>>>>> hostname during the upgrade.
>>>>>>>>
>>>>>>>>> Does the classicupgrade just
"convert" a bunch of files like the
>>>>>>>>> passdb.tdb and smb.conf files?? And unless
you actually replace
>>>>>>>>> the files and start the AD service nothing
actually changes?
>>>>>>>> Bit more involved than that, all the users and
groups are
>>>>>>>> obtained from
>>>>>>>> the existing database (along with passwords and
the domain SID).
>>>>>>>> This
>>>>>>>> information is then used to provision a new AD
domain.
>>>>>>>>> I think I should stop there.
>>>>>>>>> Thanks in advance and hopefully this makes
some sense.
>>>>>>>> Yes, it did ;-)
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>> Thanks for the help.? I've got some more
questions though about
>>>>>>>> the following list.
>>>>>>>> AD DC Installation Directory:? ? ?
?/usr/local/samba/AD DC
>>>>>>>> Hostname:? ? ? ? ? ? ? ? ? ? ?DC1AD DNS Name:
>>>>>>>> samdom.example.comRealm: ? ? ? ? ? ? ?
samdom.example.comNT4
>>>>>>>> Domain Name: ? ? ? ? ? ? samdomIP Address:
?192.168.1.1Databases
>>>>>>>> of the Samba NT4-domain:
/usr/local/samba.PDC/dbdir/smb.conf of
>>>>>>>> the Samba NT4-domain:?
?/usr/local/samba.PDC/etc/smb.PDC.conf
>>>>>>>> So for Ubuntu the first line would be
/var/lib/samba right?
>>>>>>> Yes
>>>>>>>> What would the last two lines in the list be
for Ubuntu?
>>>>>>> Replace '/usr/local/samba' with
'var/lib/samba'
>>>>>>>> My NT4 domain is all uppercase. Would it stay
that way for the
>>>>>>>> first part of the AD DNS Name and Realm lines?
>>>>>>> Lets say your NT4 domain is SAMDOM.EXAMPLE.COM ,
you would use
>>>>>>> samdom.example.com for the dns name and
SAMDOM.EXAMPLE.COM for the
>>>>>>> realm
>>>>>>>> The section talking about moving the
/usr/local/samba/ directory,
>>>>>>>> does that still apply to the /var/lib/samba
directory?
>>>>>>> Yes
>>>>>>>>  ? ?? ? ? ? And is the /etc/samba/smb.conf file
the one that needs
>>>>>>>> to be moved like the
/usr/local/samba.PDC/etc/smb.conf file?
>>>>>>> Yes
>>>>>>>> I'm assuming I need to install Kerberos
since it's not currently
>>>>>>>> installed on the system to get the
classicupgrade to work?
>>>>>>> There is an old saying 'assume makes an ass of
u & me' ;-)
>>>>>>>
>>>>>>> Or to put it another way, no, Samba uses it version
of the Heimdal
>>>>>>> kerberos, you just need to install the required
Samba packages, on
>>>>>>> Ubuntu 18.04, these would be:
>>>>>>>
>>>>>>> samba winbind libnss-winbind libpam-winbind
libpam-krb5 ntp binutils
>>>>>>> ldb-tools krb5-user
>>>>>>>
>>>>>>> You should test the upgrade in a different network,
to iron out any
>>>>>>> problems.
>>>>>>>
>>>>>>> How large is your domain ?
>>>>>>>
>>>>>>> If it is small, you may be better off creating a
new AD domain,
>>>>>>> that way
>>>>>>> you get full control. Upgrading an existing
NT4-style domain carries
>>>>>>> over bad practises e.g. using the RID for Unix user
& group ID's.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>> So in the example on the classicupgrade wiki page
my NT4 domain
>>>>>>> would be SAMDOM with nothing after it.? So would
the realm be
>>>>>>> SAMDOM.example.com in that case?
>>>>>> Ah, in AD there are two domains, the one you are
referring to,
>>>>>> which is
>>>>>> actually the Netbios domain? and the DNS domain. If you
are upgrading,
>>>>>> the Netbios domain will carry over, but you need to
ensure you use a
>>>>>> valid DNS domain, so you could use samdom.example.com,
but if you did,
>>>>>> the realm would be SAMDOM.EXAMPLE.COM (the realm is
always in
>>>>>> uppercase)
>>>>>>> On my server I'm currently missing
libnss-winbind, libpam-winbind,
>>>>>>> libpam-krb5, ldb-tools and krb5-user.? Does this
sound normal for
>>>>>>> an NT4 domain?
>>>>>> Yes, because you are probably not using winbind and you
will
>>>>>> definitely
>>>>>> not be using kerberos and ldb-tools is only used with
AD.
>>>>>>> My domain would be about 200 users and 80
machines.? That's a
>>>>>>> guess.? I was able to clone the production server
so I'm able to
>>>>>>> test things out first.
>>>>>>> Thanks
>>>>>>> Carl
>>>>>> I suggest you go and play ;-)
>>>>>>
>>>>>> Then come back with the inevitable questions ;-)
>>>>>>
>>>>>> Rowland
>>>>>> One more question before I go and play.? :)
>>>>>> I'm pretty sure I'll be running the following
command taken from
>>>>>> the wiki.
>>>>>>  ? ?? ? samba-tool domain classicupgrade
>>>>>> --dbdir=/usr/local/samba.PDC/dbdir/
\--realm=samdom.example.com
>>>>>> --dns-backend=BIND9_DLZ
/usr/local/samba.PDC/etc/smb.PDC.conf
>>>>>>  ? ?? ? From you explanation above should the realm not
be
>>>>>> "--realm=SAMDOM.EXAMPLE.COM" ?
>>>>>> Thanks
>>>>>> Carl
>>>>>>
>>>>> Yes, thanks for pointing this out, I have updated the
wikipage ;-)
>>>>>
>>>>> Rowland
>>>>>
>>>>> So I started in and here's my first inevitable
question. :)
>>>>> I can't seem to figure out the following lines from the
wiki.
>>>>> # cp -p /usr/local/samba.PDC/var/lock/gencache_notrans.tdb
>>>>> /usr/local/samba.PDC/dbdir/# cp -p
>>>>> /usr/local/samba.PDC/var/locks/group_mapping.tdb
>>>>> /usr/local/samba.PDC/dbdir/# cp -p
>>>>> /usr/local/samba.PDC/var/locks/account_policy.tdb
>>>>> /usr/local/samba.PDC/dbdir/
>>>>> I don't seem to have a /var/lib/samba.PDC/var folder.?
I do see a
>>>>> group_mapping.tdb file and a account_policy.tdb file in my
>>>>> /var/lib/samba.PDC folder but not the gencache_notrans.tdb
file.
>>>>> Are these the right ones to copy and the
gencache_notrans.tdb is not
>>>>> needed?
>>>>> Thanks
>>>>> Carl
>>>> If you compile Samba yourself, by default, everything ends up
in
>>>> /usr/local/samba. Distros split things up, so you just need to
find the
>>>> files on your system ;-)
>>>>
>>>> Rowland
>>>>
>>>> So I found the gencache_notrans.tdb file only in /run/samba and
the
>>>> other two were only in /var/lib/samba.PDC.? Are these all good
to use
>>>> since they're the only ones I could find?? And do I need to
rename
>>>> the /run/samba folder like I did with the /var/lib/samba
folder?
>>>> Thanks
>>>> Carl
>>>>
>>>> I finally had the chance to run the command and got the
following
>>>> output.
>>>> sudo samba-tool domain classicupgrade
>>>> --dbdir=/var/lib/samba.PDC/dbdir/ --realm=OSCLAN.OCSCHOOL.ORG
>>>> --dns-backend=BIND9_DLZ /etc/samba/smb.PDC.conf
>>>> Reading smb.conf
>>>> Provisioningtdbsam_open: Failed to open/create TDB passwd
>>>> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open
>>>> /var/lib/samba/passdb.tdb!Exporting account policyExporting
>>>> groupstdbsam_open: Failed to open/create TDB passwd
>>>> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open
>>>> /var/lib/samba/passdb.tdb!
>>>> ...
>>>> dbsam_open: Failed to open/create TDB passwd
[/var/lib/samba/passdb.tdb]
>>>> tdbsam_getsampwrid: failed to open
>>>> /var/lib/samba/passdb.tdb!Exporting userstdbsam_open: Failed to
>>>> open/create TDB passwd
[/var/lib/samba/passdb.tdb]tdbsam_getsampwnam:
>>>> failed to open /var/lib/samba/passdb.tdb!ERROR(<class
>>>> 'passdb.error'>): uncaught exception - Unable to
search users? File
>>>>
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
>>>> 176, in ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?_run? ? return
>>>> self.run(*args, **kwargs)? File
>>>>
"/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1589,
>>>> in ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?run? ? useeadb=eadb,
>>>> dns_backend=dns_backend, use_ntvfs=use_ntvfs)? File
>>>> "/usr/lib/python2.7/dist-packages/samba/upgrade.py",
line 554, in
>>>> upgrade ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? _from_samba3? ?
userlist >>>> s3db.search_users(0)
>>>> I removed a bunch of duplicate log lines just to make it
shorter.
>>>> Any ideas?? It's like the tool knows something is supposed
to be in
>>>> /var/lib/samba on Ubuntu.? I moved the /var/lib/samba folder to
>>>> /var/lib/samba.PCD before I ran the command like the wiki said.
>>>> Thanks
>>>> Carl
>>> Keep this quite, but I have never classicupgraded an NT4-style
domain,
>>> but I think I know what is going wrong here. That 'mv'
should be a
>>> 'cp', the upgrade is trying to create files in
/var/lib/samba and it
>>> no longer exists.
>>>
>>> Rowland
>> OK, after digging into the history of the classicupgrade wiki page, I
>> have found that at one time, it was? thought that the upgrade would be
>> carried out on a new PC, so the required files would be copied to the
>> new PC with 'scp'. The page now is built around upgrading in
place and
>> 'mv' is definitely wrong.
>>
>> Looks like I am going to have to do a classicupgrade, before I can
>> rewrite the page.
>>
>> Rowland
>>
>> I don't mind being the guinea pig if it helps.? :)
> Too late, I was the guinea pig ;-)
>
> I will be updating the wiki tomorrow.
>
>> I was able to duplicate the /var/lib/samba folder and re-run the
command and it worked.? I got basically the same output as the wiki.
>> My next question is in the "After the classicupgrade"
section.? With the following line.
>> If your passdb backend was smbpasswd or tdbsam, remove the domain
groups from /etc/group. All groups that had a groupmapping were imported,
including their members. You should also remove any Samba users from
/etc/passwd, they are now stored in AD.
>>
>> Is there a way to know what are considered domain groups in the
/etc/group file?? Same question for /etc/passwd.? Is there a way to know what
ones are Samba users?
>> Thanks
>> Carl
> Run 'wbinfo -u' & 'wbinfo -g', these are the domain
users & groups on my
> nice new shiny classicupgraded domain:
>
> wbinfo -u
> EXAMPLE\administrator
> EXAMPLE\guest
> EXAMPLE\krbtgt
>
> wbinfo -g
> EXAMPLE\cert publishers
> EXAMPLE\ras and ias servers
> EXAMPLE\allowed rodc password replication group
> EXAMPLE\denied rodc password replication group
> EXAMPLE\dnsadmins
> EXAMPLE\enterprise read-only domain controllers
> EXAMPLE\domain admins
> EXAMPLE\domain users
> EXAMPLE\domain guests
> EXAMPLE\domain computers
> EXAMPLE\domain controllers
> EXAMPLE\schema admins
> EXAMPLE\enterprise admins
> EXAMPLE\group policy creator owners
> EXAMPLE\read-only domain controllers
> EXAMPLE\dnsupdateproxy
>
> Your DOMAIN will be different, but if any of those are in /etc/passwd or
> /etc/group, then they should be remove from there. You should also check
> if any other users or groups shown by 'wbinfo -u ' or 'wbinfo
-g' are in
> /etc/passwd or /etc/group, most of these should be removed from
> /etc/passwd or /etc/group, but a few may need to be removed from AD,
> basically any that are in AD and have a Unix ID of 999 should be removed
> from AD.
>
> Rowland
> Before I ran the classicupgrade command I had stopped smdb, nmdb and
winbind.? I haven't started samba-ad-dc yet.? Looks like the wbinfo -u and
wbinfo -g commands need winbind running.? Do I just temporarily start winbind to
get my info and stop it again?? Or do I start samba-ad-dc before cleaning up the
group and passwd files?? Just not sure about the order of things or if it
matters.
> Thanks
> Carl
Start samba-ad-dc, this will start smbd and winbind. Don't do anything 
but check your users and groups, you can do this with a local user.

Rowland

On Friday, July 17, 2020, 02:26:53 p.m. EDT, Rowland penny via samba <samba
at lists.samba.org> wrote:
 
 
 On 17/07/2020 19:17, Carl Hunter via samba wrote:
>? On Friday, July 17, 2020, 12:43:33 p.m. EDT, Rowland penny via samba
<samba at lists.samba.org> wrote:
>? 
>? 
>? On 17/07/2020 17:20, Carl Hunter via samba wrote:
>>? ? On Friday, July 17, 2020, 11:36:18 a.m. EDT, Rowland penny via samba
<samba at lists.samba.org> wrote:
>>? ? 
>>? ? 
>>? ? On 17/07/2020 15:21, Rowland penny via samba wrote:
>>> On 17/07/2020 15:05, Carl Hunter via samba wrote:
>>>>? ? ? On Thursday, July 16, 2020, 07:34:26 a.m. EDT, Carl Hunter
via
>>>> samba <samba at lists.samba.org> wrote:
>>>>? ? ? ? ?? On Thursday, July 16, 2020, 03:30:36 a.m. EDT,
Rowland penny
>>>> via samba <samba at lists.samba.org> wrote:
>>>>? ? ? ? ? On 16/07/2020 01:59, Carl Hunter via samba wrote:
>>>>>? ? ?? On Wednesday, July 15, 2020, 05:03:52 p.m. EDT,
Rowland penny via
>>>>> samba <samba at lists.samba.org> wrote:
>>>>>? ? ?? ?? ?? On 15/07/2020 21:53, Carl Hunter via samba
wrote:
>>>>>>? ? ?? ? On Wednesday, July 15, 2020, 03:29:57 p.m. EDT,
Rowland penny
>>>>>> via samba <samba at lists.samba.org> wrote:
>>>>>>? ? ???? ???? ?? ? On 15/07/2020 20:13, Carl Hunter via
samba wrote:
>>>>>>>? ? ?? ? ? On Wednesday, July 15, 2020, 02:50:09
p.m. EDT, Rowland
>>>>>>> penny via samba <samba at lists.samba.org>
wrote:
>>>>>>>? ? ?????? ?????? ?? ? ? On 15/07/2020 19:26, Carl
Hunter via samba
>>>>>>> wrote:
>>>>>>>>? ? ?? ? ? ? On Wednesday, July 15, 2020,
03:16:00 a.m. EDT, Rowland
>>>>>>>> penny via samba <samba at
lists.samba.org> wrote:
>>>>>>>>? ? ???????? ???????? ?? ? ? ? On 15/07/2020
01:14, Carl Hunter via
>>>>>>>> samba wrote:
>>>>>>>>> I've currently got a Ubuntu 18.04
server running Samba?4.7.6
>>>>>>>>> with an NT4 domain that I'd like to
migrate to an AD.? I've
>>>>>>>>> found the following link but am struggling
to match up the steps
>>>>>>>>> with the Ubuntu install.
>>>>>>>>>
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>>>>>>>>>
>>>>>>>>> I've also found this post that creates
a Samba AD on Ubuntu
>>>>>>>>> 18.04 from scratch but doesn't have the
upgrade steps.
>>>>>>>>>
https://blog.ricosharp.com/posts/2019/Samba-4-Active-Directory-Domain-Controller-on-Ubuntu-18-04-Server
>>>>>>>>>
>>>>>>>> That howto isn't bad, he just got
/etc/hosts wrong ;-)
>>>>>>>>> Would someone be able to help with some
questions?
>>>>>>>>> In the first link, the "Server
information used in this HowTo"
>>>>>>>>> section lists a bunch of settings.? I'm
not sure how that
>>>>>>>>> matches up with Ubuntu.
>>>>>>>> The paths refer to a self compiled Samba,
Ubuntu uses different
>>>>>>>> paths
>>>>>>>> e.g. /var/lib/samba
>>>>>>>>> I'm not using ldap, my smb.conf file
has "passdb backend >>>>>>>>>
tdbsam:/var/lib/samba/passdb.tdb" in it if that's any help.
>>>>>>>> Just ignore anything to do with ldap
>>>>>>>>> Under the "Domain controller
name" section it talks about a
>>>>>>>>> "netbois name =" line in the
smb.conf file.? I don't have that
>>>>>>>>> in mine but I do have a "workgroup
=" line.? Is this the same
>>>>>>>>> thing?
>>>>>>>> No and you only really need the line if you are
changing the
>>>>>>>> computers
>>>>>>>> hostname during the upgrade.
>>>>>>>>
>>>>>>>>> Does the classicupgrade just
"convert" a bunch of files like the
>>>>>>>>> passdb.tdb and smb.conf files?? And unless
you actually replace
>>>>>>>>> the files and start the AD service nothing
actually changes?
>>>>>>>> Bit more involved than that, all the users and
groups are
>>>>>>>> obtained from
>>>>>>>> the existing database (along with passwords and
the domain SID).
>>>>>>>> This
>>>>>>>> information is then used to provision a new AD
domain.
>>>>>>>>> I think I should stop there.
>>>>>>>>> Thanks in advance and hopefully this makes
some sense.
>>>>>>>> Yes, it did ;-)
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>> Thanks for the help.? I've got some more
questions though about
>>>>>>>> the following list.
>>>>>>>> AD DC Installation Directory:? ? ?
?/usr/local/samba/AD DC
>>>>>>>> Hostname:? ? ? ? ? ? ? ? ? ? ?DC1AD DNS Name:
>>>>>>>> samdom.example.comRealm: ? ? ? ? ? ? ?
samdom.example.comNT4
>>>>>>>> Domain Name: ? ? ? ? ? ? samdomIP Address:
?192.168.1.1Databases
>>>>>>>> of the Samba NT4-domain:
/usr/local/samba.PDC/dbdir/smb.conf of
>>>>>>>> the Samba NT4-domain:?
?/usr/local/samba.PDC/etc/smb.PDC.conf
>>>>>>>> So for Ubuntu the first line would be
/var/lib/samba right?
>>>>>>> Yes
>>>>>>>> What would the last two lines in the list be
for Ubuntu?
>>>>>>> Replace '/usr/local/samba' with
'var/lib/samba'
>>>>>>>> My NT4 domain is all uppercase. Would it stay
that way for the
>>>>>>>> first part of the AD DNS Name and Realm lines?
>>>>>>> Lets say your NT4 domain is SAMDOM.EXAMPLE.COM ,
you would use
>>>>>>> samdom.example.com for the dns name and
SAMDOM.EXAMPLE.COM for the
>>>>>>> realm
>>>>>>>> The section talking about moving the
/usr/local/samba/ directory,
>>>>>>>> does that still apply to the /var/lib/samba
directory?
>>>>>>> Yes
>>>>>>>>? ? ?? ? ? ? And is the /etc/samba/smb.conf file
the one that needs
>>>>>>>> to be moved like the
/usr/local/samba.PDC/etc/smb.conf file?
>>>>>>> Yes
>>>>>>>> I'm assuming I need to install Kerberos
since it's not currently
>>>>>>>> installed on the system to get the
classicupgrade to work?
>>>>>>> There is an old saying 'assume makes an ass of
u & me' ;-)
>>>>>>>
>>>>>>> Or to put it another way, no, Samba uses it version
of the Heimdal
>>>>>>> kerberos, you just need to install the required
Samba packages, on
>>>>>>> Ubuntu 18.04, these would be:
>>>>>>>
>>>>>>> samba winbind libnss-winbind libpam-winbind
libpam-krb5 ntp binutils
>>>>>>> ldb-tools krb5-user
>>>>>>>
>>>>>>> You should test the upgrade in a different network,
to iron out any
>>>>>>> problems.
>>>>>>>
>>>>>>> How large is your domain ?
>>>>>>>
>>>>>>> If it is small, you may be better off creating a
new AD domain,
>>>>>>> that way
>>>>>>> you get full control. Upgrading an existing
NT4-style domain carries
>>>>>>> over bad practises e.g. using the RID for Unix user
& group ID's.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>> So in the example on the classicupgrade wiki page
my NT4 domain
>>>>>>> would be SAMDOM with nothing after it.? So would
the realm be
>>>>>>> SAMDOM.example.com in that case?
>>>>>> Ah, in AD there are two domains, the one you are
referring to,
>>>>>> which is
>>>>>> actually the Netbios domain? and the DNS domain. If you
are upgrading,
>>>>>> the Netbios domain will carry over, but you need to
ensure you use a
>>>>>> valid DNS domain, so you could use samdom.example.com,
but if you did,
>>>>>> the realm would be SAMDOM.EXAMPLE.COM (the realm is
always in
>>>>>> uppercase)
>>>>>>> On my server I'm currently missing
libnss-winbind, libpam-winbind,
>>>>>>> libpam-krb5, ldb-tools and krb5-user.? Does this
sound normal for
>>>>>>> an NT4 domain?
>>>>>> Yes, because you are probably not using winbind and you
will
>>>>>> definitely
>>>>>> not be using kerberos and ldb-tools is only used with
AD.
>>>>>>> My domain would be about 200 users and 80
machines.? That's a
>>>>>>> guess.? I was able to clone the production server
so I'm able to
>>>>>>> test things out first.
>>>>>>> Thanks
>>>>>>> Carl
>>>>>> I suggest you go and play ;-)
>>>>>>
>>>>>> Then come back with the inevitable questions ;-)
>>>>>>
>>>>>> Rowland
>>>>>> One more question before I go and play.? :)
>>>>>> I'm pretty sure I'll be running the following
command taken from
>>>>>> the wiki.
>>>>>>? ? ?? ? samba-tool domain classicupgrade
>>>>>> --dbdir=/usr/local/samba.PDC/dbdir/
\--realm=samdom.example.com
>>>>>> --dns-backend=BIND9_DLZ
/usr/local/samba.PDC/etc/smb.PDC.conf
>>>>>>? ? ?? ? From you explanation above should the realm not
be
>>>>>> "--realm=SAMDOM.EXAMPLE.COM" ?
>>>>>> Thanks
>>>>>> Carl
>>>>>>
>>>>> Yes, thanks for pointing this out, I have updated the
wikipage ;-)
>>>>>
>>>>> Rowland
>>>>>
>>>>> So I started in and here's my first inevitable
question. :)
>>>>> I can't seem to figure out the following lines from the
wiki.
>>>>> # cp -p /usr/local/samba.PDC/var/lock/gencache_notrans.tdb
>>>>> /usr/local/samba.PDC/dbdir/# cp -p
>>>>> /usr/local/samba.PDC/var/locks/group_mapping.tdb
>>>>> /usr/local/samba.PDC/dbdir/# cp -p
>>>>> /usr/local/samba.PDC/var/locks/account_policy.tdb
>>>>> /usr/local/samba.PDC/dbdir/
>>>>> I don't seem to have a /var/lib/samba.PDC/var folder.?
I do see a
>>>>> group_mapping.tdb file and a account_policy.tdb file in my
>>>>> /var/lib/samba.PDC folder but not the gencache_notrans.tdb
file.
>>>>> Are these the right ones to copy and the
gencache_notrans.tdb is not
>>>>> needed?
>>>>> Thanks
>>>>> Carl
>>>> If you compile Samba yourself, by default, everything ends up
in
>>>> /usr/local/samba. Distros split things up, so you just need to
find the
>>>> files on your system ;-)
>>>>
>>>> Rowland
>>>>
>>>> So I found the gencache_notrans.tdb file only in /run/samba and
the
>>>> other two were only in /var/lib/samba.PDC.? Are these all good
to use
>>>> since they're the only ones I could find?? And do I need to
rename
>>>> the /run/samba folder like I did with the /var/lib/samba
folder?
>>>> Thanks
>>>> Carl
>>>>
>>>> I finally had the chance to run the command and got the
following
>>>> output.
>>>> sudo samba-tool domain classicupgrade
>>>> --dbdir=/var/lib/samba.PDC/dbdir/ --realm=OSCLAN.OCSCHOOL.ORG
>>>> --dns-backend=BIND9_DLZ /etc/samba/smb.PDC.conf
>>>> Reading smb.conf
>>>> Provisioningtdbsam_open: Failed to open/create TDB passwd
>>>> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open
>>>> /var/lib/samba/passdb.tdb!Exporting account policyExporting
>>>> groupstdbsam_open: Failed to open/create TDB passwd
>>>> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open
>>>> /var/lib/samba/passdb.tdb!
>>>> ...
>>>> dbsam_open: Failed to open/create TDB passwd
[/var/lib/samba/passdb.tdb]
>>>> tdbsam_getsampwrid: failed to open
>>>> /var/lib/samba/passdb.tdb!Exporting userstdbsam_open: Failed to
>>>> open/create TDB passwd
[/var/lib/samba/passdb.tdb]tdbsam_getsampwnam:
>>>> failed to open /var/lib/samba/passdb.tdb!ERROR(<class
>>>> 'passdb.error'>): uncaught exception - Unable to
search users? File
>>>>
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
>>>> 176, in ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?_run? ? return
>>>> self.run(*args, **kwargs)? File
>>>>
"/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1589,
>>>> in ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?run? ? useeadb=eadb,
>>>> dns_backend=dns_backend, use_ntvfs=use_ntvfs)? File
>>>> "/usr/lib/python2.7/dist-packages/samba/upgrade.py",
line 554, in
>>>> upgrade ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? _from_samba3? ?
userlist >>>> s3db.search_users(0)
>>>> I removed a bunch of duplicate log lines just to make it
shorter.
>>>> Any ideas?? It's like the tool knows something is supposed
to be in
>>>> /var/lib/samba on Ubuntu.? I moved the /var/lib/samba folder to
>>>> /var/lib/samba.PCD before I ran the command like the wiki said.
>>>> Thanks
>>>> Carl
>>> Keep this quite, but I have never classicupgraded an NT4-style
domain,
>>> but I think I know what is going wrong here. That 'mv'
should be a
>>> 'cp', the upgrade is trying to create files in
/var/lib/samba and it
>>> no longer exists.
>>>
>>> Rowland
>> OK, after digging into the history of the classicupgrade wiki page, I
>> have found that at one time, it was? thought that the upgrade would be
>> carried out on a new PC, so the required files would be copied to the
>> new PC with 'scp'. The page now is built around upgrading in
place and
>> 'mv' is definitely wrong.
>>
>> Looks like I am going to have to do a classicupgrade, before I can
>> rewrite the page.
>>
>> Rowland
>>
>> I don't mind being the guinea pig if it helps.? :)
> Too late, I was the guinea pig ;-)
>
> I will be updating the wiki tomorrow.
>
>> I was able to duplicate the /var/lib/samba folder and re-run the
command and it worked.? I got basically the same output as the wiki.
>> My next question is in the "After the classicupgrade"
section.? With the following line.
>> If your passdb backend was smbpasswd or tdbsam, remove the domain
groups from /etc/group. All groups that had a groupmapping were imported,
including their members. You should also remove any Samba users from
/etc/passwd, they are now stored in AD.
>>
>> Is there a way to know what are considered domain groups in the
/etc/group file?? Same question for /etc/passwd.? Is there a way to know what
ones are Samba users?
>> Thanks
>> Carl
> Run 'wbinfo -u' & 'wbinfo -g', these are the domain
users & groups on my
> nice new shiny classicupgraded domain:
>
> wbinfo -u
> EXAMPLE\administrator
> EXAMPLE\guest
> EXAMPLE\krbtgt
>
> wbinfo -g
> EXAMPLE\cert publishers
> EXAMPLE\ras and ias servers
> EXAMPLE\allowed rodc password replication group
> EXAMPLE\denied rodc password replication group
> EXAMPLE\dnsadmins
> EXAMPLE\enterprise read-only domain controllers
> EXAMPLE\domain admins
> EXAMPLE\domain users
> EXAMPLE\domain guests
> EXAMPLE\domain computers
> EXAMPLE\domain controllers
> EXAMPLE\schema admins
> EXAMPLE\enterprise admins
> EXAMPLE\group policy creator owners
> EXAMPLE\read-only domain controllers
> EXAMPLE\dnsupdateproxy
>
> Your DOMAIN will be different, but if any of those are in /etc/passwd or
> /etc/group, then they should be remove from there. You should also check
> if any other users or groups shown by 'wbinfo -u ' or 'wbinfo
-g' are in
> /etc/passwd or /etc/group, most of these should be removed from
> /etc/passwd or /etc/group, but a few may need to be removed from AD,
> basically any that are in AD and have a Unix ID of 999 should be removed
> from AD.
>
> Rowland
> Before I ran the classicupgrade command I had stopped smdb, nmdb and
winbind.? I haven't started samba-ad-dc yet.? Looks like the wbinfo -u and
wbinfo -g commands need winbind running.? Do I just temporarily start winbind to
get my info and stop it again?? Or do I start samba-ad-dc before cleaning up the
group and passwd files?? Just not sure about the order of things or if it
matters.
> Thanks
> Carl
Start samba-ad-dc, this will start smbd and winbind. Don't do anything 
but check your users and groups, you can do this with a local user.

Rowland

I was able to start samba-ad-dc and now those wbinfo commands work.? I see
almost all the users and groups from the wbinfo commands in the group and passwd
files.? This server is also the file server so each user has a home folder.?
I'm not sure what that means for things.? I haven't gotten to the file
server side of things yet but I don't have an option to split up the ad
server and the file server.??
Thanks
Carl