On Friday, July 17, 2020, 02:26:53 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:

On 17/07/2020 19:17, Carl Hunter via samba wrote:
> On Friday, July 17, 2020, 12:43:33 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> On 17/07/2020 17:20, Carl Hunter via samba wrote:
>> On Friday, July 17, 2020, 11:36:18 a.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>>
>> On 17/07/2020 15:21, Rowland penny via samba wrote:
>>> On 17/07/2020 15:05, Carl Hunter via samba wrote:
>>>> On Thursday, July 16, 2020, 07:34:26 a.m. EDT, Carl Hunter via samba <samba at lists.samba.org> wrote:
>>>> On Thursday, July 16, 2020, 03:30:36 a.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>> On 16/07/2020 01:59, Carl Hunter via samba wrote:
>>>>> On Wednesday, July 15, 2020, 05:03:52 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>> On 15/07/2020 21:53, Carl Hunter via samba wrote:
>>>>>> On Wednesday, July 15, 2020, 03:29:57 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>> On 15/07/2020 20:13, Carl Hunter via samba wrote:
>>>>>>> On Wednesday, July 15, 2020, 02:50:09 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>>> On 15/07/2020 19:26, Carl Hunter via samba wrote:
>>>>>>>> On Wednesday, July 15, 2020, 03:16:00 a.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:
>>>>>>>> On 15/07/2020 01:14, Carl Hunter via samba wrote:
>>>>>>>>> I've currently got a Ubuntu 18.04 server running Samba 4.7.6
>>>>>>>>> with an NT4 domain that I'd like to migrate to an AD. I've
>>>>>>>>> found the following link but am struggling to match up the steps
>>>>>>>>> with the Ubuntu install.
>>>>>>>>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>>>>>>>>>
>>>>>>>>> I've also found this post that creates a Samba AD on Ubuntu
>>>>>>>>> 18.04 from scratch but doesn't have the upgrade steps.
>>>>>>>>> https://blog.ricosharp.com/posts/2019/Samba-4-Active-Directory-Domain-Controller-on-Ubuntu-18-04-Server
>>>>>>>>>
>>>>>>>> That howto isn't bad, he just got /etc/hosts wrong ;-)
>>>>>>>>> Would someone be able to help with some questions?
>>>>>>>>> In the first link, the "Server information used in this HowTo"
>>>>>>>>> section lists a bunch of settings. I'm not sure how that
>>>>>>>>> matches up with Ubuntu.
>>>>>>>> The paths refer to a self compiled Samba, Ubuntu uses different
>>>>>>>> paths
>>>>>>>> e.g. /var/lib/samba
>>>>>>>>> I'm not using ldap, my smb.conf file has "passdb backend
>>>>>>>>> tdbsam:/var/lib/samba/passdb.tdb" in it if that's any help.
>>>>>>>> Just ignore anything to do with ldap
>>>>>>>>> Under the "Domain controller name" section it talks about a
>>>>>>>>> "netbios name =" line in the smb.conf file. I don't have that
>>>>>>>>> in mine but I do have a "workgroup =" line. Is this the same
>>>>>>>>> thing?
>>>>>>>> No and you only really need the line if you are changing the
>>>>>>>> computers
>>>>>>>> hostname during the upgrade.
>>>>>>>>
>>>>>>>>> Does the classicupgrade just "convert" a bunch of files like the
>>>>>>>>> passdb.tdb and smb.conf files? And unless you actually replace
>>>>>>>>> the files and start the AD service nothing actually changes?
>>>>>>>> Bit more involved than that, all the users and groups are
>>>>>>>> obtained from
>>>>>>>> the existing database (along with passwords and the domain SID).
>>>>>>>> This
>>>>>>>> information is then used to provision a new AD domain.
>>>>>>>>> I think I should stop there.
>>>>>>>>> Thanks in advance and hopefully this makes some sense.
>>>>>>>> Yes, it did ;-)
>>>>>>>>
>>>>>>>> Rowland
>>>>>>>>
>>>>>>>> Thanks for the help. I've got some more questions though about
>>>>>>>> the following list.
>>>>>>>> AD DC Installation Directory: /usr/local/samba/
>>>>>>>> AD DC Hostname: DC1
>>>>>>>> AD DNS Name: samdom.example.com
>>>>>>>> Realm: samdom.example.com
>>>>>>>> NT4 Domain Name: samdom
>>>>>>>> IP Address: 192.168.1.1
>>>>>>>> Databases of the Samba NT4-domain: /usr/local/samba.PDC/dbdir/
>>>>>>>> smb.conf of the Samba NT4-domain: /usr/local/samba.PDC/etc/smb.PDC.conf
>>>>>>>> So for Ubuntu the first line would be /var/lib/samba right?
>>>>>>> Yes
>>>>>>>> What would the last two lines in the list be for Ubuntu?
>>>>>>> Replace '/usr/local/samba' with 'var/lib/samba'
>>>>>>>> My NT4 domain is all uppercase. Would it stay that way for the
>>>>>>>> first part of the AD DNS Name and Realm lines?
>>>>>>> Let's say your NT4 domain is SAMDOM.EXAMPLE.COM, you would use
>>>>>>> samdom.example.com for the dns name and SAMDOM.EXAMPLE.COM for the
>>>>>>> realm
>>>>>>>> The section talking about moving the /usr/local/samba/ directory,
>>>>>>>> does that still apply to the /var/lib/samba directory?
>>>>>>> Yes
>>>>>>>> And is the /etc/samba/smb.conf file the one that needs
>>>>>>>> to be moved like the /usr/local/samba.PDC/etc/smb.conf file?
>>>>>>> Yes
>>>>>>>> I'm assuming I need to install Kerberos since it's not currently
>>>>>>>> installed on the system to get the classicupgrade to work?
>>>>>>> There is an old saying 'assume makes an ass of u & me' ;-)
>>>>>>>
>>>>>>> Or to put it another way, no, Samba uses its version of the Heimdal
>>>>>>> kerberos, you just need to install the required Samba packages, on
>>>>>>> Ubuntu 18.04, these would be:
>>>>>>>
>>>>>>> samba winbind libnss-winbind libpam-winbind libpam-krb5 ntp binutils
>>>>>>> ldb-tools krb5-user
>>>>>>>
>>>>>>> You should test the upgrade in a different network, to iron out any
>>>>>>> problems.
>>>>>>>
>>>>>>> How large is your domain ?
>>>>>>>
>>>>>>> If it is small, you may be better off creating a new AD domain,
>>>>>>> that way
>>>>>>> you get full control. Upgrading an existing NT4-style domain carries
>>>>>>> over bad practises e.g. using the RID for Unix user & group ID's.
>>>>>>>
>>>>>>> Rowland
>>>>>>>
>>>>>>> So in the example on the classicupgrade wiki page my NT4 domain
>>>>>>> would be SAMDOM with nothing after it. So would the realm be
>>>>>>> SAMDOM.example.com in that case?
>>>>>> Ah, in AD there are two domains, the one you are referring to,
>>>>>> which is
>>>>>> actually the Netbios domain and the DNS domain. If you are upgrading,
>>>>>> the Netbios domain will carry over, but you need to ensure you use a
>>>>>> valid DNS domain, so you could use samdom.example.com, but if you did,
>>>>>> the realm would be SAMDOM.EXAMPLE.COM (the realm is always in
>>>>>> uppercase)
>>>>>>> On my server I'm currently missing libnss-winbind, libpam-winbind,
>>>>>>> libpam-krb5, ldb-tools and krb5-user. Does this sound normal for
>>>>>>> an NT4 domain?
>>>>>> Yes, because you are probably not using winbind and you will
>>>>>> definitely
>>>>>> not be using kerberos and ldb-tools is only used with AD.
>>>>>>> My domain would be about 200 users and 80 machines. That's a
>>>>>>> guess. I was able to clone the production server so I'm able to
>>>>>>> test things out first.
>>>>>>> Thanks
>>>>>>> Carl
>>>>>> I suggest you go and play ;-)
>>>>>>
>>>>>> Then come back with the inevitable questions ;-)
>>>>>>
>>>>>> Rowland
>>>>>> One more question before I go and play. :)
>>>>>> I'm pretty sure I'll be running the following command taken from
>>>>>> the wiki.
>>>>>> samba-tool domain classicupgrade --dbdir=/usr/local/samba.PDC/dbdir/ \
>>>>>>   --realm=samdom.example.com --dns-backend=BIND9_DLZ /usr/local/samba.PDC/etc/smb.PDC.conf
>>>>>> From your explanation above should the realm not be
>>>>>> "--realm=SAMDOM.EXAMPLE.COM" ?
>>>>>> Thanks
>>>>>> Carl
>>>>>>
>>>>> Yes, thanks for pointing this out, I have updated the wikipage ;-)
>>>>>
>>>>> Rowland
>>>>>
>>>>> So I started in and here's my first inevitable question. :)
>>>>> I can't seem to figure out the following lines from the wiki.
>>>>> # cp -p /usr/local/samba.PDC/var/lock/gencache_notrans.tdb /usr/local/samba.PDC/dbdir/
>>>>> # cp -p /usr/local/samba.PDC/var/locks/group_mapping.tdb /usr/local/samba.PDC/dbdir/
>>>>> # cp -p /usr/local/samba.PDC/var/locks/account_policy.tdb /usr/local/samba.PDC/dbdir/
>>>>> I don't seem to have a /var/lib/samba.PDC/var folder. I do see a
>>>>> group_mapping.tdb file and an account_policy.tdb file in my
>>>>> /var/lib/samba.PDC folder but not the gencache_notrans.tdb file.
>>>>> Are these the right ones to copy and the gencache_notrans.tdb is not
>>>>> needed?
>>>>> Thanks
>>>>> Carl
>>>> If you compile Samba yourself, by default, everything ends up in
>>>> /usr/local/samba. Distros split things up, so you just need to find the
>>>> files on your system ;-)
>>>>
>>>> Rowland
>>>>
>>>> So I found the gencache_notrans.tdb file only in /run/samba and the
>>>> other two were only in /var/lib/samba.PDC. Are these all good to use
>>>> since they're the only ones I could find? And do I need to rename
>>>> the /run/samba folder like I did with the /var/lib/samba folder?
>>>> Thanks
>>>> Carl
>>>>
>>>> I finally had the chance to run the command and got the following
>>>> output.
>>>> sudo samba-tool domain classicupgrade --dbdir=/var/lib/samba.PDC/dbdir/ --realm=OSCLAN.OCSCHOOL.ORG --dns-backend=BIND9_DLZ /etc/samba/smb.PDC.conf
>>>> Reading smb.conf
>>>> Provisioning
>>>> tdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
>>>> tdbsam_getsampwnam: failed to open /var/lib/samba/passdb.tdb!
>>>> Exporting account policy
>>>> Exporting groups
>>>> tdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
>>>> tdbsam_getsampwnam: failed to open /var/lib/samba/passdb.tdb!
>>>> ...
>>>> dbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
>>>> tdbsam_getsampwrid: failed to open /var/lib/samba/passdb.tdb!
>>>> Exporting users
>>>> tdbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb]
>>>> tdbsam_getsampwnam: failed to open /var/lib/samba/passdb.tdb!
>>>> ERROR(<class 'passdb.error'>): uncaught exception - Unable to search users
>>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>>>>     return self.run(*args, **kwargs)
>>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1589, in run
>>>>     useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
>>>>   File "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 554, in upgrade_from_samba3
>>>>     userlist s3db.search_users(0)
>>>> I removed a bunch of duplicate log lines just to make it shorter.
>>>> Any ideas? It's like the tool knows something is supposed to be in
>>>> /var/lib/samba on Ubuntu. I moved the /var/lib/samba folder to
>>>> /var/lib/samba.PCD before I ran the command like the wiki said.
>>>> Thanks
>>>> Carl
>>> Keep this quiet, but I have never classicupgraded an NT4-style domain,
>>> but I think I know what is going wrong here. That 'mv' should be a
>>> 'cp', the upgrade is trying to create files in /var/lib/samba and it
>>> no longer exists.
>>>
>>> Rowland
>> OK, after digging into the history of the classicupgrade wiki page, I
>> have found that at one time, it was thought that the upgrade would be
>> carried out on a new PC, so the required files would be copied to the
>> new PC with 'scp'. The page now is built around upgrading in place and
>> 'mv' is definitely wrong.
>>
>> Looks like I am going to have to do a classicupgrade, before I can
>> rewrite the page.
>>
>> Rowland
>>
>> I don't mind being the guinea pig if it helps. :)
> Too late, I was the guinea pig ;-)
>
> I will be updating the wiki tomorrow.
>
>> I was able to duplicate the /var/lib/samba folder and re-run the command and it worked. I got basically the same output as the wiki.
>> My next question is in the "After the classicupgrade" section. With the following line.
>> If your passdb backend was smbpasswd or tdbsam, remove the domain groups from /etc/group. All groups that had a groupmapping were imported, including their members. You should also remove any Samba users from /etc/passwd, they are now stored in AD.
>>
>> Is there a way to know what are considered domain groups in the /etc/group file? Same question for /etc/passwd. Is there a way to know what ones are Samba users?
>> Thanks
>> Carl
> Run 'wbinfo -u' & 'wbinfo -g', these are the domain users & groups on my
> nice new shiny classicupgraded domain:
>
> wbinfo -u
> EXAMPLE\administrator
> EXAMPLE\guest
> EXAMPLE\krbtgt
>
> wbinfo -g
> EXAMPLE\cert publishers
> EXAMPLE\ras and ias servers
> EXAMPLE\allowed rodc password replication group
> EXAMPLE\denied rodc password replication group
> EXAMPLE\dnsadmins
> EXAMPLE\enterprise read-only domain controllers
> EXAMPLE\domain admins
> EXAMPLE\domain users
> EXAMPLE\domain guests
> EXAMPLE\domain computers
> EXAMPLE\domain controllers
> EXAMPLE\schema admins
> EXAMPLE\enterprise admins
> EXAMPLE\group policy creator owners
> EXAMPLE\read-only domain controllers
> EXAMPLE\dnsupdateproxy
>
> Your DOMAIN will be different, but if any of those are in /etc/passwd or
> /etc/group, then they should be removed from there. You should also check
> if any other users or groups shown by 'wbinfo -u ' or 'wbinfo -g' are in
> /etc/passwd or /etc/group, most of these should be removed from
> /etc/passwd or /etc/group, but a few may need to be removed from AD,
> basically any that are in AD and have a Unix ID of 999 should be removed
> from AD.
>
> Rowland
> Before I ran the classicupgrade command I had stopped smbd, nmbd and winbind. I haven't started samba-ad-dc yet. Looks like the wbinfo -u and wbinfo -g commands need winbind running. Do I just temporarily start winbind to get my info and stop it again? Or do I start samba-ad-dc before cleaning up the group and passwd files? Just not sure about the order of things or if it matters.
> Thanks
> Carl

Start samba-ad-dc, this will start smbd and winbind. Don't do anything but check your users and groups, you can do this with a local user.

Rowland

I was able to start samba-ad-dc and now those wbinfo commands work. I see almost all the users and groups from the wbinfo commands in the group and passwd files. This server is also the file server so each user has a home folder. I'm not sure what that means for things. I haven't gotten to the file server side of things yet but I don't have an option to split up the ad server and the file server.

Thanks
Carl
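The comparison discussed above (names from 'wbinfo -u' and 'wbinfo -g' checked against /etc/passwd and /etc/group), as an added example that is not part of the original thread. The function names overlap and write_samples and all sample accounts are constructed for illustration; the script only reports matches and changes nothing.

```shell
#!/bin/sh
# Added example: report local accounts whose names also exist in the domain.
# Inputs are plain files so the logic can be checked offline; on the DC, save
# the output of `wbinfo -u` / `wbinfo -g` to files and pass /etc/passwd or
# /etc/group as the second argument.

# overlap WBINFO_FILE LOCAL_DB
# Prints "name:id" for every LOCAL_DB entry (passwd or group format) whose
# name matches a DOMAIN\name line in WBINFO_FILE, ignoring case.
overlap() {
    awk -F: '
        pass == 1 {
            # wbinfo line: strip everything up to the domain separator.
            name = $0
            i = index(name, "\\")
            if (i > 0) name = substr(name, i + 1)
            sub(/[ \t\r]+$/, "", name)
            if (name != "") domain[tolower(name)] = 1
            next
        }
        pass == 2 && $0 !~ /^#/ && NF >= 3 && (tolower($1) in domain) {
            print $1 ":" $3          # field 3 is the uid (passwd) or gid (group)
        }
    ' pass=1 "$1" pass=2 "$2"
}

# write_samples DIR: constructed sample data, not taken from the thread.
write_samples() {
cat > "$1/wbinfo-u.txt" <<'EOF'
EXAMPLE\administrator
EXAMPLE\guest
EXAMPLE\krbtgt
EXAMPLE\alice
EXAMPLE\Bob
EOF
cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
localadmin:x:1000:1000:Local admin:/home/localadmin:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
EOF
cat > "$1/wbinfo-g.txt" <<'EOF'
EXAMPLE\domain admins
EXAMPLE\domain users
EXAMPLE\teachers
EOF
cat > "$1/group" <<'EOF'
root:x:0:
sudo:x:27:localadmin
teachers:x:1100:alice,bob
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "Users present in both AD and the local passwd file (name:uid):"
overlap "$demo_dir/wbinfo-u.txt" "$demo_dir/passwd"
echo "Groups present in both AD and the local group file (name:gid):"
overlap "$demo_dir/wbinfo-g.txt" "$demo_dir/group"
rm -rf "$demo_dir"
```

Local-only accounts such as root and localadmin are not listed, so the output is the review list for the cleanup step quoted from the wiki.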
On 17/07/2020 20:12, Carl Hunter via samba wrote:
> I was able to start samba-ad-dc and now those wbinfo commands work. I see almost all the users and groups from the wbinfo commands in the group and passwd files. This server is also the file server so each user has a home folder. I'm not sure what that means for things. I haven't gotten to the file server side of things yet but I don't have an option to split up the ad server and the file server.
> Thanks
> Carl

How many users ? we don't recommend using a DC as a fileserver, but it can work for a small number of users. You will need to have libnss-winbind, libpam-winbind and libpam-krb5 installed and add 'winbind' to the 'passwd' and 'group' lines in /etc/nsswitch.conf. You will also need to get PAM to create the users home directories as they log on, you can run 'pam-auth-update' on Debian 10 to do this, you will also need to add a line to smb.conf 'template shell = /bin/bash' to allow logons

Rowland
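A read-only check for two of the settings named in the reply above ('winbind' on the passwd and group lines of nsswitch.conf, and 'template shell' in smb.conf), as an added example that is not part of the original thread. The function names and the before/after sample files are constructed for illustration; the PAM home-directory step is not covered.

```shell
#!/bin/sh
# Added example: verify the nsswitch.conf and smb.conf settings without
# modifying either file.

# nss_uses_winbind FILE DATABASE: exit 0 if DATABASE lists winbind as a source.
nss_uses_winbind() {
    awk -v db="$2" '
        {
            sub(/#.*/, "")                       # commented-out entries do not count
            n = index($0, ":"); if (n == 0) next
            key = substr($0, 1, n - 1); gsub(/[ \t]/, "", key)
            if (key != db) next
            m = split(substr($0, n + 1), src, /[ \t]+/)
            for (i = 1; i <= m; i++) if (src[i] == "winbind") found = 1
        }
        END { exit !found }
    ' "$1"
}

# smb_global_param FILE NAME: print the value of NAME from [global].
# smb.conf parameter names ignore case and embedded whitespace.
smb_global_param() {
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ {
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*/, "", sec)
            in_global = (norm(sec) == "global"); next
        }
        in_global {
            n = index($0, "="); if (n == 0) next
            if (norm(substr($0, 1, n - 1)) == norm(want)) {
                val = substr($0, n + 1)
                gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# check_dc_fileserver NSSWITCH SMBCONF: one line per missing setting,
# exit status 1 if anything is missing.
check_dc_fileserver() {
    rc=0
    for db in passwd group; do
        if ! nss_uses_winbind "$1" "$db"; then
            echo "nsswitch.conf: '$db' line does not list winbind"
            rc=1
        fi
    done
    # Without this parameter Samba falls back to its default, /bin/false.
    if [ -z "$(smb_global_param "$2" "template shell")" ]; then
        echo "smb.conf: 'template shell' is not set in [global]"
        rc=1
    fi
    return $rc
}

# write_fileserver_samples DIR: constructed before/after files.
write_fileserver_samples() {
cat > "$1/nsswitch.before" <<'EOF'
# passwd: files winbind
passwd:         compat systemd
group:          compat systemd
shadow:         compat
EOF
cat > "$1/nsswitch.after" <<'EOF'
passwd:         compat systemd winbind
group:          compat systemd winbind
shadow:         compat
EOF
cat > "$1/smb.before.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    server role = active directory domain controller
EOF
cat > "$1/smb.after.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    server role = active directory domain controller
    template shell = /bin/bash
EOF
}

demo_dir=$(mktemp -d)
write_fileserver_samples "$demo_dir"
echo "Before:"
check_dc_fileserver "$demo_dir/nsswitch.before" "$demo_dir/smb.before.conf" || true
echo "After:"
check_dc_fileserver "$demo_dir/nsswitch.after" "$demo_dir/smb.after.conf" && echo "all settings present"
rm -rf "$demo_dir"
```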
On Friday, July 17, 2020, 03:35:19 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote:

On 17/07/2020 20:12, Carl Hunter via samba wrote:
>>> Thanks
>>> Carl
>> Run 'wbinfo -u' & 'wbinfo -g', these are the domain users & groups on my
>> nice new shiny classicupgraded domain:
>>
>> wbinfo -u
>> EXAMPLE\administrator
>> EXAMPLE\guest
>> EXAMPLE\krbtgt
>>
>> wbinfo -g
>> EXAMPLE\cert publishers
>> EXAMPLE\ras and ias servers
>> EXAMPLE\allowed rodc password replication group
>> EXAMPLE\denied rodc password replication group
>> EXAMPLE\dnsadmins
>> EXAMPLE\enterprise read-only domain controllers
>> EXAMPLE\domain admins
>> EXAMPLE\domain users
>> EXAMPLE\domain guests
>> EXAMPLE\domain computers
>> EXAMPLE\domain controllers
>> EXAMPLE\schema admins
>> EXAMPLE\enterprise admins
>> EXAMPLE\group policy creator owners
>> EXAMPLE\read-only domain controllers
>> EXAMPLE\dnsupdateproxy
>>
>> Your DOMAIN will be different, but if any of those are in /etc/passwd or
>> /etc/group, then they should be removed from there. You should also check
>> if any other users or groups shown by 'wbinfo -u' or 'wbinfo -g' are in
>> /etc/passwd or /etc/group, most of these should be removed from
>> /etc/passwd or /etc/group, but a few may need to be removed from AD,
>> basically any that are in AD and have a Unix ID of 999 should be removed
>> from AD.
>>
>> Rowland
>>
>> Before I ran the classicupgrade command I had stopped smbd, nmbd and winbind. I haven't started samba-ad-dc yet. Looks like the wbinfo -u and wbinfo -g commands need winbind running. Do I just temporarily start winbind to get my info and stop it again? Or do I start samba-ad-dc before cleaning up the group and passwd files? Just not sure about the order of things or if it matters.
>> Thanks
>> Carl
> Start samba-ad-dc, this will start smbd and winbind. Don't do anything
> but check your users and groups, you can do this with a local user.
>
> Rowland
>
> I was able to start samba-ad-dc and now those wbinfo commands work. I see almost all the users and groups from the wbinfo commands in the group and passwd files.
> This server is also the file server so each user has a home folder. I'm not sure what that means for things. I haven't gotten to the file server side of things yet but I don't have an option to split up the ad server and the file server.
> Thanks
> Carl

How many users? We don't recommend using a DC as a fileserver, but it can work for a small number of users.

You will need to have libnss-winbind, libpam-winbind and libpam-krb5 installed and add 'winbind' to the 'passwd' and 'group' lines in /etc/nsswitch.conf. You will also need to get PAM to create the users' home directories as they log on, you can run 'pam-auth-update' on Debian 10 to do this, you will also need to add a line to smb.conf 'template shell = /bin/bash' to allow logons.

Rowland

I just counted the wbinfo -u output and it's 264. I read the recommendations about the fileserver but I don't have an option at this point. It's a "get it working" type of thing. :)

I already had installed those packages and my nsswitch.conf file was already correct. I'm not exactly sure what you mean by the PAM comment. I already have all the users created since this is a copy of a live system so they all have /home folders. Or are you saying there's another step since it's now an AD domain?

What section would I put the template shell line in the smb.conf file? I see global, netlogon and sysvol. I also don't see any of the share sections of the old smb.conf file in the new.

Thanks
Carl
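For the cleanup step discussed in this thread (finding which of the accounts reported by 'wbinfo -u' and 'wbinfo -g' are still present in /etc/passwd and /etc/group), the following is an added example, not part of any poster's message or of Samba itself. The function names, file names and sample data are assumptions constructed for illustration; on a DC the two input files would be saved 'wbinfo' output.

```shell
#!/bin/sh
# Added example (not from the thread): report local passwd/group entries whose
# names also exist in AD, so they can be reviewed after a classicupgrade.
# On the DC the inputs would come from: wbinfo -u > users.txt; wbinfo -g > groups.txt

# domain_names FILE: strip the "DOMAIN\" prefix from wbinfo output, lowercase it.
domain_names() {
    sed -e 's/^[^\\]*\\//' -e '/^$/d' "$1" | tr '[:upper:]' '[:lower:]'
}

# shadowed WBINFO_FILE LOCAL_FILE: print "name:id" for every entry of a
# passwd- or group-format file whose name is also a domain name.
# Field 3 is the UID in /etc/passwd and the GID in /etc/group.
shadowed() {
    domain_names "$1" | awk -F: '
        NR == FNR            { dom[$0] = 1; next }  # first input: domain names
        (tolower($1) in dom) { print $1 ":" $3 }    # second input: local entries
    ' - "$2"
}

# Constructed sample data, standing in for real wbinfo output and local files.
run_demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'EXAMPLE\administrator' 'EXAMPLE\guest' 'EXAMPLE\krbtgt' \
        'EXAMPLE\alice' 'EXAMPLE\bob' > "$tmp/users.txt"
    printf '%s\n' 'EXAMPLE\domain admins' 'EXAMPLE\domain users' \
        'EXAMPLE\teachers' > "$tmp/groups.txt"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'localadmin:x:1000:1000::/home/localadmin:/bin/bash' \
        'alice:x:1001:1001::/home/alice:/bin/bash' \
        'bob:x:1002:1002::/home/bob:/bin/bash' > "$tmp/passwd"
    printf '%s\n' 'root:x:0:' 'sudo:x:27:localadmin' \
        'teachers:x:1100:alice,bob' > "$tmp/group"
    echo "users in both AD and passwd:"
    shadowed "$tmp/users.txt" "$tmp/passwd"
    echo "groups in both AD and group:"
    shadowed "$tmp/groups.txt" "$tmp/group"
    rm -rf "$tmp"
}
run_demo
```

The script only reports overlaps and changes nothing; each hit is then handled by hand as Rowland describes, using the ID column to tell system accounts from migrated domain accounts.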