Mike
2013-Jul-30 20:27 UTC
[Samba] Suggestions testing Samba 4 on same subnet as Standalone Samba 3 Server
My network currently has the following server running Samba 3 as a standalone server to 50 client boxes: Linux a1 2.6.35.7 #3 SMP Samba Version 3.5.6. Currently, no true NT Domain Controller, in Windows speak - it's a Workgroup only.

I have another server that I want to configure to use Samba 4 as an Active Directory Domain Controller and file server: Linux a10 3.7.10-gentoo-r1 #1 SMP Samba Version 4.0.4.

I only have one subnet and cannot disrupt the users, but have read the following concerns on the Samba wiki:

Make sure you thoroughly test your conversion and how your clients react before you activate your new server in your production environment! Once a Windows client finds and connects to the new server, it is not possible to go back!

Also, it is necessary to do testing on a separate network so that the old and new domain controllers don't clash. The issues with having both domains 'live' at the same time are:

The databases are not synchronised after the initial migration
Even if no changes are made to the DB, clients which see an AD DC will no longer honour NT4 system policies
The new Samba4 PDC and the old DC will both claim to hold the #1b name as the netbios domain master

The paths to certain files and directories for your Samba3 installation are often distribution specific (for example, /var/lib/samba vs. /etc/samba). Please be sure to verify and if necessary, modify paths used in examples appropriately.

- - - - - -

Has anyone dealt with only having one subnet upon which to configure and test a new Samba 4 server in the presence of a currently active Samba 3 server?

I was thinking maybe the simplest way would be to make an iptables firewall on the Samba 4 server -- allowing connections from only one particular address on the subnet and use that one address for a client box to test on.

Possible iptables rule (allowing one client address, blocking all others on subnet):

iptables -t filter -A INPUT -i eth0 -s 192.168.1.200 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i eth0 ! -s 192.168.1.200 -j DROP

Would this be adequate to separate the Samba 4 server from others on the LAN?
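A rule set that filters both directions, as an added example that is not part of the original post: the two rules above act only on the INPUT chain, so they do not touch packets the Samba 4 server itself sends out on the LAN, for instance any NetBIOS name broadcasts. The helper names (valid_ipv4, isolation_rules, egress_drops) are made up for this example; eth0 and 192.168.1.200 are taken from the post.

```shell
#!/bin/sh
# Added example: print iptables commands that isolate a test server in BOTH
# directions. Nothing is applied; review the output before running it as root.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print rules for interface $1 allowing only client $2. The OUTPUT drop also
# blocks the server's own DNS, NTP and update traffic through that interface.
isolation_rules() {
    iface=$1 client=$2
    case "$iface" in
        ''|*[!A-Za-z0-9._-]*) echo "invalid interface: $iface" >&2; return 1 ;;
    esac
    valid_ipv4 "$client" || { echo "invalid client: $client" >&2; return 1; }
    cat <<EOF
iptables -A INPUT  -i $iface -s $client -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT  -i $iface ! -s $client -j DROP
iptables -A OUTPUT -o $iface -d $client -j ACCEPT
iptables -A OUTPUT -o $iface ! -d $client -j DROP
EOF
}

# Count rules in a listing read from stdin that drop locally generated traffic.
egress_drops() {
    grep -c -e '-A OUTPUT .*-j DROP' || true
}

# Values from the post: interface eth0, test client 192.168.1.200.
isolation_rules eth0 192.168.1.200
```

Feeding the two rules from the post to egress_drops returns 0, which is the gap the OUTPUT pair closes.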
Gary Dale
2013-Jul-30 21:00 UTC
[Samba] Suggestions testing Samba 4 on same subnet as Standalone Samba 3 Server
On 30/07/13 04:27 PM, Mike wrote:

> My network currently has the following server running Samba 3 as a standalone server to 50 client boxes: Linux a1 2.6.35.7 #3 SMP Samba Version 3.5.6. Currently, no true NT Domain Controller, in Windows speak - it's a Workgroup only.
>
> I have another server that I want to configure to use Samba 4 as an Active Directory Domain Controller and file server: Linux a10 3.7.10-gentoo-r1 #1 SMP Samba Version 4.0.4.
>
> I only have one subnet and cannot disrupt the users, but have read the following concerns on the Samba wiki: Make sure you thoroughly test your conversion and how your clients react before you activate your new server in your production environment! Once a Windows client finds and connects to the new server, it is not possible to go back!
>
> Also, it is necessary to do testing on a separate network so that the old and new domain controllers don't clash. The issues with having both domains 'live' at the same time are:
>
> The databases are not synchronised after the initial migration
> Even if no changes are made to the DB, clients which see an AD DC will no longer honour NT4 system policies
> The new Samba4 PDC and the old DC will both claim to hold the #1b name as the netbios domain master
>
> The paths to certain files and directories for your Samba3 installation are often distribution specific (for example, /var/lib/samba vs. /etc/samba). Please be sure to verify and if necessary, modify paths used in examples appropriately.
>
> - - - - - -
>
> Has anyone dealt with only having one subnet upon which to configure and test a new Samba 4 server in the presence of a currently active Samba 3 server?
>
> I was thinking maybe the simplest way would be to make an iptables firewall on the Samba 4 server -- allowing connections from only one particular address on the subnet and use that one address for a client box to test on.
>
> Possible iptables rule (allowing one client address, blocking all others on subnet):
>
> iptables -t filter -A INPUT -i eth0 -s 192.168.1.200 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> iptables -t filter -A INPUT -i eth0 ! -s 192.168.1.200 -j DROP
>
> Would this be adequate to separate the Samba 4 server from others on the LAN?

You're way overthinking this. Just give the new server an IP address that is on a different subnet. e.g. if your current server is 192.168.1.10/24, give your new server 192.168.2.10/24.

Secondly, since you don't have an NT domain, the differences between it and AD are not relevant. What you will find is the difference between a workgroup and a domain. This involves the logins and roaming profiles. What really doesn't change much are the file shares, although you can now simplify them by setting sharing according to domain group rather than individual ids.

An even simpler way is to simply NOT use a separate subdomain. Set up the new server as the domain controller for the group. Leave the files & printers on the old server. Once all the clients have been switched from the workgroup to the domain, move the files and printers over to the new server, shut down the old one, then create an alias for the old server on the new one. This way, there are no more changes required on the clients. If a problem is identified, you can simply remove the alias and bring the old server back.

Of course, you can convert the individual workstations to use the new server name at your leisure so that you can eventually remove the alias. However this is not necessary. In fact, if you later replace the new server, the replacement can assume the old name so that the alias isn't needed any more.