On Friday, July 17, 2020, 05:15:53 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: On 17/07/2020 21:51, Carl Hunter via samba wrote:>? On Friday, July 17, 2020, 03:35:19 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: >? >? >? On 17/07/2020 20:12, Carl Hunter via samba wrote: >>? ? On Friday, July 17, 2020, 02:26:53 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: >>? ? >>? ? >>? ? On 17/07/2020 19:17, Carl Hunter via samba wrote: >>>? ? ? On Friday, July 17, 2020, 12:43:33 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: >>>? ? ? >>>? ? ? >>>? ? ? On 17/07/2020 17:20, Carl Hunter via samba wrote: >>>>? ? ? ? On Friday, July 17, 2020, 11:36:18 a.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: >>>>? ? ? ? >>>>? ? ? ? >>>>? ? ? ? On 17/07/2020 15:21, Rowland penny via samba wrote: >>>>> On 17/07/2020 15:05, Carl Hunter via samba wrote: >>>>>>? ? ? ? ? On Thursday, July 16, 2020, 07:34:26 a.m. EDT, Carl Hunter via >>>>>> samba <samba at lists.samba.org> wrote: >>>>>>? ? ? ? ? ? ?? On Thursday, July 16, 2020, 03:30:36 a.m. EDT, Rowland penny >>>>>> via samba <samba at lists.samba.org> wrote: >>>>>>? ? ? ? ? ? ? On 16/07/2020 01:59, Carl Hunter via samba wrote: >>>>>>>? ? ? ? ?? On Wednesday, July 15, 2020, 05:03:52 p.m. EDT, Rowland penny via >>>>>>> samba <samba at lists.samba.org> wrote: >>>>>>>? ? ? ? ?? ?? ?? On 15/07/2020 21:53, Carl Hunter via samba wrote: >>>>>>>>? ? ? ? ?? ? On Wednesday, July 15, 2020, 03:29:57 p.m. EDT, Rowland penny >>>>>>>> via samba <samba at lists.samba.org> wrote: >>>>>>>>? ? ? ? ???? ???? ?? ? On 15/07/2020 20:13, Carl Hunter via samba wrote: >>>>>>>>>? ? ? ? ?? ? ? On Wednesday, July 15, 2020, 02:50:09 p.m. EDT, Rowland >>>>>>>>> penny via samba <samba at lists.samba.org> wrote: >>>>>>>>>? ? ? ? ?????? ?????? ?? ? ? On 15/07/2020 19:26, Carl Hunter via samba >>>>>>>>> wrote: >>>>>>>>>>? ? ? ? ?? ? ? ? On Wednesday, July 15, 2020, 03:16:00 a.m. EDT, Rowland >>>>>>>>>> penny via samba <samba at lists.samba.org> wrote: >>>>>>>>>>? ? ? ? ???????? ???????? ?? ? ? ? On 15/07/2020 01:14, Carl Hunter via >>>>>>>>>> samba wrote: >>>>>>>>>>> I've currently got a Ubuntu 18.04 server running Samba?4.7.6 >>>>>>>>>>> with an NT4 domain that I'd like to migrate to an AD.? I've >>>>>>>>>>> found the following link but am struggling to match up the steps >>>>>>>>>>> with the Ubuntu install. >>>>>>>>>>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade) >>>>>>>>>>> >>>>>>>>>>> I've also found this post that creates a Samba AD on Ubuntu >>>>>>>>>>> 18.04 from scratch but doesn't have the upgrade steps. >>>>>>>>>>> https://blog.ricosharp.com/posts/2019/Samba-4-Active-Directory-Domain-Controller-on-Ubuntu-18-04-Server >>>>>>>>>>> >>>>>>>>>> That howto isn't bad, he just got /etc/hosts wrong ;-) >>>>>>>>>>> Would someone be able to help with some questions? >>>>>>>>>>> In the first link, the "Server information used in this HowTo" >>>>>>>>>>> section lists a bunch of settings.? I'm not sure how that >>>>>>>>>>> matches up with Ubuntu. >>>>>>>>>> The paths refer to a self compiled Samba, Ubuntu uses different >>>>>>>>>> paths >>>>>>>>>> e.g. /var/lib/samba >>>>>>>>>>> I'm not using ldap, my smb.conf file has "passdb backend >>>>>>>>>>> tdbsam:/var/lib/samba/passdb.tdb" in it if that's any help. >>>>>>>>>> Just ignore anything to do with ldap >>>>>>>>>>> Under the "Domain controller name" section it talks about a >>>>>>>>>>> "netbois name =" line in the smb.conf file.? I don't have that >>>>>>>>>>> in mine but I do have a "workgroup =" line.? Is this the same >>>>>>>>>>> thing? >>>>>>>>>> No and you only really need the line if you are changing the >>>>>>>>>> computers >>>>>>>>>> hostname during the upgrade. >>>>>>>>>> >>>>>>>>>>> Does the classicupgrade just "convert" a bunch of files like the >>>>>>>>>>> passdb.tdb and smb.conf files?? And unless you actually replace >>>>>>>>>>> the files and start the AD service nothing actually changes? >>>>>>>>>> Bit more involved than that, all the users and groups are >>>>>>>>>> obtained from >>>>>>>>>> the existing database (along with passwords and the domain SID). >>>>>>>>>> This >>>>>>>>>> information is then used to provision a new AD domain. >>>>>>>>>>> I think I should stop there. >>>>>>>>>>> Thanks in advance and hopefully this makes some sense. >>>>>>>>>> Yes, it did ;-) >>>>>>>>>> >>>>>>>>>> Rowland >>>>>>>>>> >>>>>>>>>> Thanks for the help.? I've got some more questions though about >>>>>>>>>> the following list. >>>>>>>>>> AD DC Installation Directory:? ? ? ?/usr/local/samba/AD DC >>>>>>>>>> Hostname:? ? ? ? ? ? ? ? ? ? ?DC1AD DNS Name: >>>>>>>>>> samdom.example.comRealm: ? ? ? ? ? ? ? samdom.example.comNT4 >>>>>>>>>> Domain Name: ? ? ? ? ? ? samdomIP Address: ?192.168.1.1Databases >>>>>>>>>> of the Samba NT4-domain: /usr/local/samba.PDC/dbdir/smb.conf of >>>>>>>>>> the Samba NT4-domain:? ?/usr/local/samba.PDC/etc/smb.PDC.conf >>>>>>>>>> So for Ubuntu the first line would be /var/lib/samba right? >>>>>>>>> Yes >>>>>>>>>> What would the last two lines in the list be for Ubuntu? >>>>>>>>> Replace '/usr/local/samba' with 'var/lib/samba' >>>>>>>>>> My NT4 domain is all uppercase. Would it stay that way for the >>>>>>>>>> first part of the AD DNS Name and Realm lines? >>>>>>>>> Lets say your NT4 domain is SAMDOM.EXAMPLE.COM , you would use >>>>>>>>> samdom.example.com for the dns name and SAMDOM.EXAMPLE.COM for the >>>>>>>>> realm >>>>>>>>>> The section talking about moving the /usr/local/samba/ directory, >>>>>>>>>> does that still apply to the /var/lib/samba directory? >>>>>>>>> Yes >>>>>>>>>>? ? ? ? ?? ? ? ? And is the /etc/samba/smb.conf file the one that needs >>>>>>>>>> to be moved like the /usr/local/samba.PDC/etc/smb.conf file? >>>>>>>>> Yes >>>>>>>>>> I'm assuming I need to install Kerberos since it's not currently >>>>>>>>>> installed on the system to get the classicupgrade to work? >>>>>>>>> There is an old saying 'assume makes an ass of u & me' ;-) >>>>>>>>> >>>>>>>>> Or to put it another way, no, Samba uses it version of the Heimdal >>>>>>>>> kerberos, you just need to install the required Samba packages, on >>>>>>>>> Ubuntu 18.04, these would be: >>>>>>>>> >>>>>>>>> samba winbind libnss-winbind libpam-winbind libpam-krb5 ntp binutils >>>>>>>>> ldb-tools krb5-user >>>>>>>>> >>>>>>>>> You should test the upgrade in a different network, to iron out any >>>>>>>>> problems. >>>>>>>>> >>>>>>>>> How large is your domain ? >>>>>>>>> >>>>>>>>> If it is small, you may be better off creating a new AD domain, >>>>>>>>> that way >>>>>>>>> you get full control. Upgrading an existing NT4-style domain carries >>>>>>>>> over bad practises e.g. using the RID for Unix user & group ID's. >>>>>>>>> >>>>>>>>> Rowland >>>>>>>>> >>>>>>>>> So in the example on the classicupgrade wiki page my NT4 domain >>>>>>>>> would be SAMDOM with nothing after it.? So would the realm be >>>>>>>>> SAMDOM.example.com in that case? >>>>>>>> Ah, in AD there are two domains, the one you are referring to, >>>>>>>> which is >>>>>>>> actually the Netbios domain? and the DNS domain. If you are upgrading, >>>>>>>> the Netbios domain will carry over, but you need to ensure you use a >>>>>>>> valid DNS domain, so you could use samdom.example.com, but if you did, >>>>>>>> the realm would be SAMDOM.EXAMPLE.COM (the realm is always in >>>>>>>> uppercase) >>>>>>>>> On my server I'm currently missing libnss-winbind, libpam-winbind, >>>>>>>>> libpam-krb5, ldb-tools and krb5-user.? Does this sound normal for >>>>>>>>> an NT4 domain? >>>>>>>> Yes, because you are probably not using winbind and you will >>>>>>>> definitely >>>>>>>> not be using kerberos and ldb-tools is only used with AD. >>>>>>>>> My domain would be about 200 users and 80 machines.? That's a >>>>>>>>> guess.? I was able to clone the production server so I'm able to >>>>>>>>> test things out first. >>>>>>>>> Thanks >>>>>>>>> Carl >>>>>>>> I suggest you go and play ;-) >>>>>>>> >>>>>>>> Then come back with the inevitable questions ;-) >>>>>>>> >>>>>>>> Rowland >>>>>>>> One more question before I go and play.? :) >>>>>>>> I'm pretty sure I'll be running the following command taken from >>>>>>>> the wiki. >>>>>>>>? ? ? ? ?? ? samba-tool domain classicupgrade >>>>>>>> --dbdir=/usr/local/samba.PDC/dbdir/ \--realm=samdom.example.com >>>>>>>> --dns-backend=BIND9_DLZ /usr/local/samba.PDC/etc/smb.PDC.conf >>>>>>>>? ? ? ? ?? ? From you explanation above should the realm not be >>>>>>>> "--realm=SAMDOM.EXAMPLE.COM" ? >>>>>>>> Thanks >>>>>>>> Carl >>>>>>>> >>>>>>> Yes, thanks for pointing this out, I have updated the wikipage ;-) >>>>>>> >>>>>>> Rowland >>>>>>> >>>>>>> So I started in and here's my first inevitable question. :) >>>>>>> I can't seem to figure out the following lines from the wiki. >>>>>>> # cp -p /usr/local/samba.PDC/var/lock/gencache_notrans.tdb >>>>>>> /usr/local/samba.PDC/dbdir/# cp -p >>>>>>> /usr/local/samba.PDC/var/locks/group_mapping.tdb >>>>>>> /usr/local/samba.PDC/dbdir/# cp -p >>>>>>> /usr/local/samba.PDC/var/locks/account_policy.tdb >>>>>>> /usr/local/samba.PDC/dbdir/ >>>>>>> I don't seem to have a /var/lib/samba.PDC/var folder.? I do see a >>>>>>> group_mapping.tdb file and a account_policy.tdb file in my >>>>>>> /var/lib/samba.PDC folder but not the gencache_notrans.tdb file. >>>>>>> Are these the right ones to copy and the gencache_notrans.tdb is not >>>>>>> needed? >>>>>>> Thanks >>>>>>> Carl >>>>>> If you compile Samba yourself, by default, everything ends up in >>>>>> /usr/local/samba. Distros split things up, so you just need to find the >>>>>> files on your system ;-) >>>>>> >>>>>> Rowland >>>>>> >>>>>> So I found the gencache_notrans.tdb file only in /run/samba and the >>>>>> other two were only in /var/lib/samba.PDC.? Are these all good to use >>>>>> since they're the only ones I could find?? And do I need to rename >>>>>> the /run/samba folder like I did with the /var/lib/samba folder? >>>>>> Thanks >>>>>> Carl >>>>>> >>>>>> I finally had the chance to run the command and got the following >>>>>> output. >>>>>> sudo samba-tool domain classicupgrade >>>>>> --dbdir=/var/lib/samba.PDC/dbdir/ --realm=OSCLAN.OCSCHOOL.ORG >>>>>> --dns-backend=BIND9_DLZ /etc/samba/smb.PDC.conf >>>>>> Reading smb.conf >>>>>> Provisioningtdbsam_open: Failed to open/create TDB passwd >>>>>> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open >>>>>> /var/lib/samba/passdb.tdb!Exporting account policyExporting >>>>>> groupstdbsam_open: Failed to open/create TDB passwd >>>>>> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open >>>>>> /var/lib/samba/passdb.tdb! >>>>>> ... >>>>>> dbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb] >>>>>> tdbsam_getsampwrid: failed to open >>>>>> /var/lib/samba/passdb.tdb!Exporting userstdbsam_open: Failed to >>>>>> open/create TDB passwd [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: >>>>>> failed to open /var/lib/samba/passdb.tdb!ERROR(<class >>>>>> 'passdb.error'>): uncaught exception - Unable to search users? File >>>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line >>>>>> 176, in ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?_run? ? return >>>>>> self.run(*args, **kwargs)? File >>>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1589, >>>>>> in ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?run? ? useeadb=eadb, >>>>>> dns_backend=dns_backend, use_ntvfs=use_ntvfs)? File >>>>>> "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 554, in >>>>>> upgrade ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? _from_samba3? ? userlist >>>>>> s3db.search_users(0) >>>>>> I removed a bunch of duplicate log lines just to make it shorter. >>>>>> Any ideas?? It's like the tool knows something is supposed to be in >>>>>> /var/lib/samba on Ubuntu.? I moved the /var/lib/samba folder to >>>>>> /var/lib/samba.PCD before I ran the command like the wiki said. >>>>>> Thanks >>>>>> Carl >>>>> Keep this quite, but I have never classicupgraded an NT4-style domain, >>>>> but I think I know what is going wrong here. That 'mv' should be a >>>>> 'cp', the upgrade is trying to create files in /var/lib/samba and it >>>>> no longer exists. >>>>> >>>>> Rowland >>>> OK, after digging into the history of the classicupgrade wiki page, I >>>> have found that at one time, it was? thought that the upgrade would be >>>> carried out on a new PC, so the required files would be copied to the >>>> new PC with 'scp'. The page now is built around upgrading in place and >>>> 'mv' is definitely wrong. >>>> >>>> Looks like I am going to have to do a classicupgrade, before I can >>>> rewrite the page. >>>> >>>> Rowland >>>> >>>> I don't mind being the guinea pig if it helps.? :) >>> Too late, I was the guinea pig ;-) >>> >>> I will be updating the wiki tomorrow. >>> >>>> I was able to duplicate the /var/lib/samba folder and re-run the command and it worked.? I got basically the same output as the wiki. >>>> My next question is in the "After the classicupgrade" section.? With the following line. >>>> If your passdb backend was smbpasswd or tdbsam, remove the domain groups from /etc/group. All groups that had a groupmapping were imported, including their members. You should also remove any Samba users from /etc/passwd, they are now stored in AD. >>>> >>>> Is there a way to know what are considered domain groups in the /etc/group file?? Same question for /etc/passwd.? Is there a way to know what ones are Samba users? >>>> Thanks >>>> Carl >>> Run 'wbinfo -u' & 'wbinfo -g', these are the domain users & groups on my >>> nice new shiny classicupgraded domain: >>> >>> wbinfo -u >>> EXAMPLE\administrator >>> EXAMPLE\guest >>> EXAMPLE\krbtgt >>> >>> wbinfo -g >>> EXAMPLE\cert publishers >>> EXAMPLE\ras and ias servers >>> EXAMPLE\allowed rodc password replication group >>> EXAMPLE\denied rodc password replication group >>> EXAMPLE\dnsadmins >>> EXAMPLE\enterprise read-only domain controllers >>> EXAMPLE\domain admins >>> EXAMPLE\domain users >>> EXAMPLE\domain guests >>> EXAMPLE\domain computers >>> EXAMPLE\domain controllers >>> EXAMPLE\schema admins >>> EXAMPLE\enterprise admins >>> EXAMPLE\group policy creator owners >>> EXAMPLE\read-only domain controllers >>> EXAMPLE\dnsupdateproxy >>> >>> Your DOMAIN will be different, but if any of those are in /etc/passwd or >>> /etc/group, then they should be remove from there. You should also check >>> if any other users or groups shown by 'wbinfo -u ' or 'wbinfo -g' are in >>> /etc/passwd or /etc/group, most of these should be removed from >>> /etc/passwd or /etc/group, but a few may need to be removed from AD, >>> basically any that are in AD and have a Unix ID of 999 should be removed >>> from AD. >>> >>> Rowland >>> Before I ran the classicupgrade command I had stopped smdb, nmdb and winbind.? I haven't started samba-ad-dc yet.? Looks like the wbinfo -u and wbinfo -g commands need winbind running.? Do I just temporarily start winbind to get my info and stop it again?? Or do I start samba-ad-dc before cleaning up the group and passwd files?? Just not sure about the order of things or if it matters. >>> Thanks >>> Carl >> Start samba-ad-dc, this will start smbd and winbind. Don't do anything >> but check your users and groups, you can do this with a local user. >> >> Rowland >> >> I was able to start samba-ad-dc and now those wbinfo commands work.? I see almost all the users and groups from the wbinfo commands in the group and passwd files.? This server is also the file server so each user has a home folder.? I'm not sure what that means for things.? I haven't gotten to the file server side of things yet but I don't have an option to split up the ad server and the file server. >> Thanks >> Carl > How many users ? we don't recommend using a DC as a fileserver, but it > can work for a small number of users. > > You will need to have libnss-winbind, libpam-winbind and libpam-krb5 > installed and add 'winbind' to the? 'passwd' and 'group' lines in > /etc/nsswitch.conf. You will also need to get PAM to create the users > homedirectories as the log on, you can run 'pam-auth-update' on Debian > 10 to do this, you will also need to add a line to smb.conf 'template > shell = /bin/bash' to allow logons > > Rowland > I just counted the wbinfo -u output and it's 264.? I read the recommendations about the fileserver but I don't have an option at this point.? It's a "get it working" type of thing.? :)OK, just try it, but be prepared for possible problems> I already had installed those packages and my nsswitch.conf file was already correct.? I'm not exactly sure what you mean by the PAM comment.? I already have all the users created since this is a copy of a live system so they all have /home folders.? Or are you saying there's another step since it's now an AD domain?If the users do not have a home directory, then it will not be created unless you get PAM to do it for you, but yours all ready exist.> What section would I put the template shell line in the smb.conf file?? I see global, netlogon and sysvol.It goes into global, you may also need to add a 'template homedir', by default this will be /home/DOMAIN/username, you may wish to change this.>? ? I also don't see any of the share sections of the old smb.conf file in the new.You will have to manually copy them from the old smb.conf to your new one, but they must be in this format: [sharename] ??? path = /path/to/share_directory ??? read only = no Do not add anything like valid users, force user, etc , you MUST set the permissions from Windows, see here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs and for profiles (if you use them): https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles#Using_Windows_ACLs Looks like my old smb.conf file had a bunch of shares that I can use your format above with.? There's a bunch of mask and mode settings as well as browseable that I'm assuming go with your comment of removing them? It looks like someone attempted to try to use profiles but they aren't currently being used.?? There is a homes section like this.?? [homes]? ? ? ? comment = Home Directories? ? ? ? valid users = %S? ? ? ? read only = No? ? ? ? create mask = 0750? ? ? ? force create mode = 0750? ? ? ? directory mask = 0750? ? ? ? force directory mode = 0750? ? ? ? hide files = /Desktop.ini/desktop.ini/$RECYCLE.BIN/Thumbs.db/? ? ? ? browseable = No? ? ? ? browsable = No How would this be converted if at all??? Thanks Carl
On Friday, July 17, 2020, 05:53:06 p.m. EDT, Carl Hunter via samba <samba at lists.samba.org> wrote: On Friday, July 17, 2020, 05:15:53 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: On 17/07/2020 21:51, Carl Hunter via samba wrote:>? On Friday, July 17, 2020, 03:35:19 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: >? >? >? On 17/07/2020 20:12, Carl Hunter via samba wrote: >>? ? On Friday, July 17, 2020, 02:26:53 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: >>? ? >>? ? >>? ? On 17/07/2020 19:17, Carl Hunter via samba wrote: >>>? ? ? On Friday, July 17, 2020, 12:43:33 p.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: >>>? ? ? >>>? ? ? >>>? ? ? On 17/07/2020 17:20, Carl Hunter via samba wrote: >>>>? ? ? ? On Friday, July 17, 2020, 11:36:18 a.m. EDT, Rowland penny via samba <samba at lists.samba.org> wrote: >>>>? ? ? ? >>>>? ? ? ? >>>>? ? ? ? On 17/07/2020 15:21, Rowland penny via samba wrote: >>>>> On 17/07/2020 15:05, Carl Hunter via samba wrote: >>>>>>? ? ? ? ? On Thursday, July 16, 2020, 07:34:26 a.m. EDT, Carl Hunter via >>>>>> samba <samba at lists.samba.org> wrote: >>>>>>? ? ? ? ? ? ?? On Thursday, July 16, 2020, 03:30:36 a.m. EDT, Rowland penny >>>>>> via samba <samba at lists.samba.org> wrote: >>>>>>? ? ? ? ? ? ? On 16/07/2020 01:59, Carl Hunter via samba wrote: >>>>>>>? ? ? ? ?? On Wednesday, July 15, 2020, 05:03:52 p.m. EDT, Rowland penny via >>>>>>> samba <samba at lists.samba.org> wrote: >>>>>>>? ? ? ? ?? ?? ?? On 15/07/2020 21:53, Carl Hunter via samba wrote: >>>>>>>>? ? ? ? ?? ? On Wednesday, July 15, 2020, 03:29:57 p.m. EDT, Rowland penny >>>>>>>> via samba <samba at lists.samba.org> wrote: >>>>>>>>? ? ? ? ???? ???? ?? ? On 15/07/2020 20:13, Carl Hunter via samba wrote: >>>>>>>>>? ? ? ? ?? ? ? On Wednesday, July 15, 2020, 02:50:09 p.m. EDT, Rowland >>>>>>>>> penny via samba <samba at lists.samba.org> wrote: >>>>>>>>>? ? ? ? ?????? ?????? ?? ? ? On 15/07/2020 19:26, Carl Hunter via samba >>>>>>>>> wrote: >>>>>>>>>>? ? ? ? ?? ? ? ? On Wednesday, July 15, 2020, 03:16:00 a.m. EDT, Rowland >>>>>>>>>> penny via samba <samba at lists.samba.org> wrote: >>>>>>>>>>? ? ? ? ???????? ???????? ?? ? ? ? On 15/07/2020 01:14, Carl Hunter via >>>>>>>>>> samba wrote: >>>>>>>>>>> I've currently got a Ubuntu 18.04 server running Samba?4.7.6 >>>>>>>>>>> with an NT4 domain that I'd like to migrate to an AD.? I've >>>>>>>>>>> found the following link but am struggling to match up the steps >>>>>>>>>>> with the Ubuntu install. >>>>>>>>>>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade) >>>>>>>>>>> >>>>>>>>>>> I've also found this post that creates a Samba AD on Ubuntu >>>>>>>>>>> 18.04 from scratch but doesn't have the upgrade steps. >>>>>>>>>>> https://blog.ricosharp.com/posts/2019/Samba-4-Active-Directory-Domain-Controller-on-Ubuntu-18-04-Server >>>>>>>>>>> >>>>>>>>>> That howto isn't bad, he just got /etc/hosts wrong ;-) >>>>>>>>>>> Would someone be able to help with some questions? >>>>>>>>>>> In the first link, the "Server information used in this HowTo" >>>>>>>>>>> section lists a bunch of settings.? I'm not sure how that >>>>>>>>>>> matches up with Ubuntu. >>>>>>>>>> The paths refer to a self compiled Samba, Ubuntu uses different >>>>>>>>>> paths >>>>>>>>>> e.g. /var/lib/samba >>>>>>>>>>> I'm not using ldap, my smb.conf file has "passdb backend >>>>>>>>>>> tdbsam:/var/lib/samba/passdb.tdb" in it if that's any help. >>>>>>>>>> Just ignore anything to do with ldap >>>>>>>>>>> Under the "Domain controller name" section it talks about a >>>>>>>>>>> "netbois name =" line in the smb.conf file.? I don't have that >>>>>>>>>>> in mine but I do have a "workgroup =" line.? Is this the same >>>>>>>>>>> thing? >>>>>>>>>> No and you only really need the line if you are changing the >>>>>>>>>> computers >>>>>>>>>> hostname during the upgrade. >>>>>>>>>> >>>>>>>>>>> Does the classicupgrade just "convert" a bunch of files like the >>>>>>>>>>> passdb.tdb and smb.conf files?? And unless you actually replace >>>>>>>>>>> the files and start the AD service nothing actually changes? >>>>>>>>>> Bit more involved than that, all the users and groups are >>>>>>>>>> obtained from >>>>>>>>>> the existing database (along with passwords and the domain SID). >>>>>>>>>> This >>>>>>>>>> information is then used to provision a new AD domain. >>>>>>>>>>> I think I should stop there. >>>>>>>>>>> Thanks in advance and hopefully this makes some sense. >>>>>>>>>> Yes, it did ;-) >>>>>>>>>> >>>>>>>>>> Rowland >>>>>>>>>> >>>>>>>>>> Thanks for the help.? I've got some more questions though about >>>>>>>>>> the following list. >>>>>>>>>> AD DC Installation Directory:? ? ? ?/usr/local/samba/AD DC >>>>>>>>>> Hostname:? ? ? ? ? ? ? ? ? ? ?DC1AD DNS Name: >>>>>>>>>> samdom.example.comRealm: ? ? ? ? ? ? ? samdom.example.comNT4 >>>>>>>>>> Domain Name: ? ? ? ? ? ? samdomIP Address: ?192.168.1.1Databases >>>>>>>>>> of the Samba NT4-domain: /usr/local/samba.PDC/dbdir/smb.conf of >>>>>>>>>> the Samba NT4-domain:? ?/usr/local/samba.PDC/etc/smb.PDC.conf >>>>>>>>>> So for Ubuntu the first line would be /var/lib/samba right? >>>>>>>>> Yes >>>>>>>>>> What would the last two lines in the list be for Ubuntu? >>>>>>>>> Replace '/usr/local/samba' with 'var/lib/samba' >>>>>>>>>> My NT4 domain is all uppercase. Would it stay that way for the >>>>>>>>>> first part of the AD DNS Name and Realm lines? >>>>>>>>> Lets say your NT4 domain is SAMDOM.EXAMPLE.COM , you would use >>>>>>>>> samdom.example.com for the dns name and SAMDOM.EXAMPLE.COM for the >>>>>>>>> realm >>>>>>>>>> The section talking about moving the /usr/local/samba/ directory, >>>>>>>>>> does that still apply to the /var/lib/samba directory? >>>>>>>>> Yes >>>>>>>>>>? ? ? ? ?? ? ? ? And is the /etc/samba/smb.conf file the one that needs >>>>>>>>>> to be moved like the /usr/local/samba.PDC/etc/smb.conf file? >>>>>>>>> Yes >>>>>>>>>> I'm assuming I need to install Kerberos since it's not currently >>>>>>>>>> installed on the system to get the classicupgrade to work? >>>>>>>>> There is an old saying 'assume makes an ass of u & me' ;-) >>>>>>>>> >>>>>>>>> Or to put it another way, no, Samba uses it version of the Heimdal >>>>>>>>> kerberos, you just need to install the required Samba packages, on >>>>>>>>> Ubuntu 18.04, these would be: >>>>>>>>> >>>>>>>>> samba winbind libnss-winbind libpam-winbind libpam-krb5 ntp binutils >>>>>>>>> ldb-tools krb5-user >>>>>>>>> >>>>>>>>> You should test the upgrade in a different network, to iron out any >>>>>>>>> problems. >>>>>>>>> >>>>>>>>> How large is your domain ? >>>>>>>>> >>>>>>>>> If it is small, you may be better off creating a new AD domain, >>>>>>>>> that way >>>>>>>>> you get full control. Upgrading an existing NT4-style domain carries >>>>>>>>> over bad practises e.g. using the RID for Unix user & group ID's. >>>>>>>>> >>>>>>>>> Rowland >>>>>>>>> >>>>>>>>> So in the example on the classicupgrade wiki page my NT4 domain >>>>>>>>> would be SAMDOM with nothing after it.? So would the realm be >>>>>>>>> SAMDOM.example.com in that case? >>>>>>>> Ah, in AD there are two domains, the one you are referring to, >>>>>>>> which is >>>>>>>> actually the Netbios domain? and the DNS domain. If you are upgrading, >>>>>>>> the Netbios domain will carry over, but you need to ensure you use a >>>>>>>> valid DNS domain, so you could use samdom.example.com, but if you did, >>>>>>>> the realm would be SAMDOM.EXAMPLE.COM (the realm is always in >>>>>>>> uppercase) >>>>>>>>> On my server I'm currently missing libnss-winbind, libpam-winbind, >>>>>>>>> libpam-krb5, ldb-tools and krb5-user.? Does this sound normal for >>>>>>>>> an NT4 domain? >>>>>>>> Yes, because you are probably not using winbind and you will >>>>>>>> definitely >>>>>>>> not be using kerberos and ldb-tools is only used with AD. >>>>>>>>> My domain would be about 200 users and 80 machines.? That's a >>>>>>>>> guess.? I was able to clone the production server so I'm able to >>>>>>>>> test things out first. >>>>>>>>> Thanks >>>>>>>>> Carl >>>>>>>> I suggest you go and play ;-) >>>>>>>> >>>>>>>> Then come back with the inevitable questions ;-) >>>>>>>> >>>>>>>> Rowland >>>>>>>> One more question before I go and play.? :) >>>>>>>> I'm pretty sure I'll be running the following command taken from >>>>>>>> the wiki. >>>>>>>>? ? ? ? ?? ? samba-tool domain classicupgrade >>>>>>>> --dbdir=/usr/local/samba.PDC/dbdir/ \--realm=samdom.example.com >>>>>>>> --dns-backend=BIND9_DLZ /usr/local/samba.PDC/etc/smb.PDC.conf >>>>>>>>? ? ? ? ?? ? From you explanation above should the realm not be >>>>>>>> "--realm=SAMDOM.EXAMPLE.COM" ? >>>>>>>> Thanks >>>>>>>> Carl >>>>>>>> >>>>>>> Yes, thanks for pointing this out, I have updated the wikipage ;-) >>>>>>> >>>>>>> Rowland >>>>>>> >>>>>>> So I started in and here's my first inevitable question. :) >>>>>>> I can't seem to figure out the following lines from the wiki. >>>>>>> # cp -p /usr/local/samba.PDC/var/lock/gencache_notrans.tdb >>>>>>> /usr/local/samba.PDC/dbdir/# cp -p >>>>>>> /usr/local/samba.PDC/var/locks/group_mapping.tdb >>>>>>> /usr/local/samba.PDC/dbdir/# cp -p >>>>>>> /usr/local/samba.PDC/var/locks/account_policy.tdb >>>>>>> /usr/local/samba.PDC/dbdir/ >>>>>>> I don't seem to have a /var/lib/samba.PDC/var folder.? I do see a >>>>>>> group_mapping.tdb file and a account_policy.tdb file in my >>>>>>> /var/lib/samba.PDC folder but not the gencache_notrans.tdb file. >>>>>>> Are these the right ones to copy and the gencache_notrans.tdb is not >>>>>>> needed? >>>>>>> Thanks >>>>>>> Carl >>>>>> If you compile Samba yourself, by default, everything ends up in >>>>>> /usr/local/samba. Distros split things up, so you just need to find the >>>>>> files on your system ;-) >>>>>> >>>>>> Rowland >>>>>> >>>>>> So I found the gencache_notrans.tdb file only in /run/samba and the >>>>>> other two were only in /var/lib/samba.PDC.? Are these all good to use >>>>>> since they're the only ones I could find?? And do I need to rename >>>>>> the /run/samba folder like I did with the /var/lib/samba folder? >>>>>> Thanks >>>>>> Carl >>>>>> >>>>>> I finally had the chance to run the command and got the following >>>>>> output. >>>>>> sudo samba-tool domain classicupgrade >>>>>> --dbdir=/var/lib/samba.PDC/dbdir/ --realm=OSCLAN.OCSCHOOL.ORG >>>>>> --dns-backend=BIND9_DLZ /etc/samba/smb.PDC.conf >>>>>> Reading smb.conf >>>>>> Provisioningtdbsam_open: Failed to open/create TDB passwd >>>>>> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open >>>>>> /var/lib/samba/passdb.tdb!Exporting account policyExporting >>>>>> groupstdbsam_open: Failed to open/create TDB passwd >>>>>> [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: failed to open >>>>>> /var/lib/samba/passdb.tdb! >>>>>> ... >>>>>> dbsam_open: Failed to open/create TDB passwd [/var/lib/samba/passdb.tdb] >>>>>> tdbsam_getsampwrid: failed to open >>>>>> /var/lib/samba/passdb.tdb!Exporting userstdbsam_open: Failed to >>>>>> open/create TDB passwd [/var/lib/samba/passdb.tdb]tdbsam_getsampwnam: >>>>>> failed to open /var/lib/samba/passdb.tdb!ERROR(<class >>>>>> 'passdb.error'>): uncaught exception - Unable to search users? File >>>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line >>>>>> 176, in ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?_run? ? return >>>>>> self.run(*args, **kwargs)? File >>>>>> "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 1589, >>>>>> in ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?run? ? useeadb=eadb, >>>>>> dns_backend=dns_backend, use_ntvfs=use_ntvfs)? File >>>>>> "/usr/lib/python2.7/dist-packages/samba/upgrade.py", line 554, in >>>>>> upgrade ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? _from_samba3? ? userlist >>>>>> s3db.search_users(0) >>>>>> I removed a bunch of duplicate log lines just to make it shorter. >>>>>> Any ideas?? It's like the tool knows something is supposed to be in >>>>>> /var/lib/samba on Ubuntu.? I moved the /var/lib/samba folder to >>>>>> /var/lib/samba.PCD before I ran the command like the wiki said. >>>>>> Thanks >>>>>> Carl >>>>> Keep this quite, but I have never classicupgraded an NT4-style domain, >>>>> but I think I know what is going wrong here. That 'mv' should be a >>>>> 'cp', the upgrade is trying to create files in /var/lib/samba and it >>>>> no longer exists. >>>>> >>>>> Rowland >>>> OK, after digging into the history of the classicupgrade wiki page, I >>>> have found that at one time, it was? thought that the upgrade would be >>>> carried out on a new PC, so the required files would be copied to the >>>> new PC with 'scp'. The page now is built around upgrading in place and >>>> 'mv' is definitely wrong. >>>> >>>> Looks like I am going to have to do a classicupgrade, before I can >>>> rewrite the page. >>>> >>>> Rowland >>>> >>>> I don't mind being the guinea pig if it helps.? :) >>> Too late, I was the guinea pig ;-) >>> >>> I will be updating the wiki tomorrow. >>> >>>> I was able to duplicate the /var/lib/samba folder and re-run the command and it worked.? I got basically the same output as the wiki. >>>> My next question is in the "After the classicupgrade" section.? With the following line. >>>> If your passdb backend was smbpasswd or tdbsam, remove the domain groups from /etc/group. All groups that had a groupmapping were imported, including their members. You should also remove any Samba users from /etc/passwd, they are now stored in AD. >>>> >>>> Is there a way to know what are considered domain groups in the /etc/group file?? Same question for /etc/passwd.? Is there a way to know what ones are Samba users? >>>> Thanks >>>> Carl >>> Run 'wbinfo -u' & 'wbinfo -g', these are the domain users & groups on my >>> nice new shiny classicupgraded domain: >>> >>> wbinfo -u >>> EXAMPLE\administrator >>> EXAMPLE\guest >>> EXAMPLE\krbtgt >>> >>> wbinfo -g >>> EXAMPLE\cert publishers >>> EXAMPLE\ras and ias servers >>> EXAMPLE\allowed rodc password replication group >>> EXAMPLE\denied rodc password replication group >>> EXAMPLE\dnsadmins >>> EXAMPLE\enterprise read-only domain controllers >>> EXAMPLE\domain admins >>> EXAMPLE\domain users >>> EXAMPLE\domain guests >>> EXAMPLE\domain computers >>> EXAMPLE\domain controllers >>> EXAMPLE\schema admins >>> EXAMPLE\enterprise admins >>> EXAMPLE\group policy creator owners >>> EXAMPLE\read-only domain controllers >>> EXAMPLE\dnsupdateproxy >>> >>> Your DOMAIN will be different, but if any of those are in /etc/passwd or >>> /etc/group, then they should be remove from there. You should also check >>> if any other users or groups shown by 'wbinfo -u ' or 'wbinfo -g' are in >>> /etc/passwd or /etc/group, most of these should be removed from >>> /etc/passwd or /etc/group, but a few may need to be removed from AD, >>> basically any that are in AD and have a Unix ID of 999 should be removed >>> from AD. >>> >>> Rowland >>> Before I ran the classicupgrade command I had stopped smdb, nmdb and winbind.? I haven't started samba-ad-dc yet.? Looks like the wbinfo -u and wbinfo -g commands need winbind running.? Do I just temporarily start winbind to get my info and stop it again?? Or do I start samba-ad-dc before cleaning up the group and passwd files?? Just not sure about the order of things or if it matters. >>> Thanks >>> Carl >> Start samba-ad-dc, this will start smbd and winbind. Don't do anything >> but check your users and groups, you can do this with a local user. >> >> Rowland >> >> I was able to start samba-ad-dc and now those wbinfo commands work.? I see almost all the users and groups from the wbinfo commands in the group and passwd files.? This server is also the file server so each user has a home folder.? I'm not sure what that means for things.? I haven't gotten to the file server side of things yet but I don't have an option to split up the ad server and the file server. >> Thanks >> Carl > How many users ? we don't recommend using a DC as a fileserver, but it > can work for a small number of users. > > You will need to have libnss-winbind, libpam-winbind and libpam-krb5 > installed and add 'winbind' to the? 'passwd' and 'group' lines in > /etc/nsswitch.conf. You will also need to get PAM to create the users > homedirectories as the log on, you can run 'pam-auth-update' on Debian > 10 to do this, you will also need to add a line to smb.conf 'template > shell = /bin/bash' to allow logons > > Rowland > I just counted the wbinfo -u output and it's 264.? I read the recommendations about the fileserver but I don't have an option at this point.? It's a "get it working" type of thing.? :)OK, just try it, but be prepared for possible problems> I already had installed those packages and my nsswitch.conf file was already correct.? I'm not exactly sure what you mean by the PAM comment.? I already have all the users created since this is a copy of a live system so they all have /home folders.? Or are you saying there's another step since it's now an AD domain?If the users do not have a home directory, then it will not be created unless you get PAM to do it for you, but yours all ready exist.> What section would I put the template shell line in the smb.conf file?? I see global, netlogon and sysvol.It goes into global, you may also need to add a 'template homedir', by default this will be /home/DOMAIN/username, you may wish to change this.>? ? I also don't see any of the share sections of the old smb.conf file in the new.You will have to manually copy them from the old smb.conf to your new one, but they must be in this format: [sharename] ??? path = /path/to/share_directory ??? read only = no Do not add anything like valid users, force user, etc , you MUST set the permissions from Windows, see here: https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs and for profiles (if you use them): https://wiki.samba.org/index.php/Roaming_Windows_User_Profiles#Using_Windows_ACLs Looks like my old smb.conf file had a bunch of shares that I can use your format above with.? There's a bunch of mask and mode settings as well as browseable that I'm assuming go with your comment of removing them? It looks like someone attempted to try to use profiles but they aren't currently being used.?? There is a homes section like this.?? [homes]? ? ? ? comment = Home Directories? ? ? ? valid users = %S? ? ? ? read only = No? ? ? ? create mask = 0750? ? ? ? force create mode = 0750? ? ? ? directory mask = 0750? ? ? ? force directory mode = 0750? ? ? ? hide files = /Desktop.ini/desktop.ini/$RECYCLE.BIN/Thumbs.db/? ? ? ? browseable = No? ? ? ? browsable = No How would this be converted if at all??? Thanks Carl? Just got back from vacation.? I tried adding those shares and they seem to be working.? I went to the ACL link and followed the instructions to set the permissions in windows.? In the list of shares I see a couple I'm not sure of.? There's an IPC$, netlogon and sysvol share.? Do you know what these are for?? I see a netlogon section and sysvol section in the new smb.conf file.?? Thanks Carl
On 03/08/2020 00:29, Carl Hunter via samba wrote:> > > Just got back from vacation.? I tried adding those shares and they seem to be working.? I went to the ACL link and followed the instructions to set the permissions in windows.? In the list of shares I see a couple I'm not sure of.? There's an IPC$, netlogon and sysvol share.? Do you know what these are for?? I see a netlogon section and sysvol section in the new smb.conf file. > Thanks > CarlIPC$ is a special share that lists all other shares, 'netlogon' is a share normally used for scripts run when a user logs in, Sysvol is the share that stores GPO's. Rowland