Peter Schaefer
2013-Dec-29 21:28 UTC
[Samba] Upgrade Samba 3 -> Samba 4 AD DC (Debian Wheezy)
Hi!

I just upgraded from Samba 3.6.6 to the Sernet Samba 4.1.7 packages as AD DC following the Samba AD DC / classicupgrade HOWTO and thought to share the experience so other users might find it in the archives. I also have some questions later on. I'd be very happy if some brave soul can give some advice on these (will come with a later post).

The old Samba3 was running on an EXT4 filesystem with ACLs enabled and used TDB as config store. All SMB users were also local unix users, so ACLs weren't used and I handled permissions using "force group", "write list", group mappings and other ugly things. I hope to get this sorted with Samba4.

I made the upgrade in-place. Risky, but I had backups :-) ...

So, without further ado:

0) Stop your running Samba and do the checks covered in steps 6 - 8 using the old installation. Then you can skip 6 - 8 later. I keep them listed for the poor soul that discovers problems when Samba3 is already removed (guess who that poor soul was...). Turn off all Windows clients and do not turn them back on before you are sure you are never ever going back to Samba3 again.

1) Uninstall all Samba 3.6.6 packages using aptitude, apt-get or dpkg. See 'dpkg --list *samba* | grep ii' for installed packages. Be sure to NOT 'purge' but just 'remove' the packages.

2) Move everything in '/etc/samba/*' to '/var/lib/samba'.

3) Zip this directory together using 'tar cvzf samba3.tgz /var/lib/samba'

4) Install the 'sernet-samba-ad' packages and its dependencies.

5) If you have (very likely in case of Debian) your Samba3 users created as local Unix users and they all have their own user-private group with the same name as the user: Remove those user-private groups and add all Samba3 users to a common unix group ('users' or create 'smbusers' or similar). You might have to fix-up unix file owners/permissions on the shares afterwards (especially the home folders).

If you have done step 7 using the old installation, you can proceed with 10, otherwise:

6) Create a directory "/var/lib/samba/private" and copy the files "secrets.tdb" and "passdb.tdb" from "/var/lib/samba" into that directory. Copy your old "smb.conf" from "/var/lib/samba" to "/etc/samba" again. With those old files in the right places, you can now call "pdbedit", "net" and other tools from the new Samba4 installation to do some checks or modifications.

7) Check that (if you have any) your group mappings for "Domain Admins" and "Domain Users" have the correct (MS specified) SID (e.g. they end with -512 and -513, respectively). Fix these like depicted in the following post: https://lists.samba.org/archive/samba/2013-August/175135.html. Note that you may have to check other group mappings, too.

8) If you had to make changes, move the *.tdb files from the "/var/lib/samba/private" again to "/var/lib/samba" and tar the directory up again (see step 3). Then delete "/etc/samba/smb.conf". Note: If you have to do further changes to the *.tdbs, you have to shuffle those files around, again.

10) Make a first attempt to run "samba-tool domain classicupgrade --dbdir=/var/lib/samba --use-xattrs=yes --realm=your.domain" (exchange the "your.domain" part, of course).

11) If it fails with some error: "rm -r -f /var/lib/samba" and "rm /etc/samba/smb.conf". Re-establish your old files with "tar xvzf samba3.tgz -C /". Fix the errors (if you can) and try again.

12) If "classicupgrade" succeeds, you have a basic "smb.conf" in "/etc/samba" and can start Samba4 for the first time. I suggest using the debug mode as written in the HOWTO: "samba -i -M single".

13) Test connectivity, configure DNS, Kerberos and NTP as written in the SAMBA AD DC HOWTO. I had to install the "heimdal-clients" package to get "kinit" & co.

14) At last, edit the "/etc/defaults/sernet-samba" file and set the mode to "ad". Then stop your "debug samba" and use the package init-scripts to enter production ("/etc/init.d/sernet-samba-ad start").

15) Move over your shares from your old "smb.conf" (still in /var/lib/samba) to "/etc/samba/smb.conf" using a text editor. The classicupgrade tool did not transfer the shares in my case. Go one-by-one and call "testparm" and - if no errors - "smbcontrol all reload-config" to activate the share. You might drop everything from the share definition except "path" and manage permissions and users from the Windows side using the "Active Directory Users and Computers" MMC snap-in that you get by installing the MS RSAT tools. Further reading from the wiki:

http://wiki.samba.org/index.php/Samba_AD_management_from_windows
http://wiki.samba.org/index.php/Setting_up_a_home_share
http://wiki.samba.org/index.php/Setup_and_configure_file_shares
http://wiki.samba.org/index.php/Samba_%26_Windows_Profiles

Last but not least (TL;DR):

Besides the issue with the wrong SIDs (and the fact that "classicupgrade" just barfs bones in case of this error) the upgrade went smoothly.

I have to say a BIG THANK YOU to all Samba4 developers for developing Samba4. Another BIG THANK YOU goes to Sernet for packaging, too. In addition, the Samba4 wiki pages mentioned above helped a lot. There's always room for improvement, but the documented steps lead in the right direction.

The only issue I'm still facing is managing permissions and dealing with the legacy maze of unix users, groups and permissions mixed with the new ACL based things.

Regards,
Peter
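
Added example, not part of the original post or of the Samba tools: a small shell check for step 7 that reads "net groupmap list" output (lines of the form "NT Group (SID) -> unixgroup") and reports well-known domain groups whose SID does not end in the expected RID. The Domain Guests entry (514), the extra check for another group sitting on a reserved RID, and the sample input are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit `net groupmap list`
# output for the well-known domain group RIDs before classicupgrade.
# Expected line format:  NT Group Name (S-1-5-21-...-RID) -> unixgroup

check_groupmap() {
    # Reads the mapping list on stdin, prints one line per problem,
    # returns 0 if everything is consistent and 1 otherwise.
    awk '
    BEGIN {
        # Well-known RIDs defined by Microsoft for domain groups.
        want["Domain Admins"] = 512
        want["Domain Users"]  = 513
        want["Domain Guests"] = 514
    }
    {
        lp = index($0, " (S-")            # group names may contain spaces
        if (lp == 0) next
        name = substr($0, 1, lp - 1)
        sid  = substr($0, lp + 2)
        rp   = index(sid, ")")
        if (rp == 0) next
        sid  = substr(sid, 1, rp - 1)
        n    = split(sid, part, "-")
        rid  = part[n] + 0                # last SID component is the RID
        if (name in want) {
            if (rid != want[name]) {
                printf "MISMATCH: %s has RID %d, expected %d (%s)\n", name, rid, want[name], sid
                bad = 1
            }
        } else if (sid ~ /^S-1-5-21-/) {
            # A different group occupying a reserved RID also needs fixing.
            for (g in want) if (rid == want[g]) {
                printf "CONFLICT: %s uses RID %d reserved for %s\n", name, rid, g
                bad = 1
            }
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample input; on the server use: net groupmap list | check_groupmap
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-1001) -> domadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Staff (S-1-5-21-1111111111-2222222222-3333333333-512) -> staff'

printf '%s\n' "$SAMPLE_GROUPMAP" | check_groupmap ||
    echo "Fix the group mappings before running classicupgrade."
```
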
Marc Muehlfeld
2013-Dec-29 22:26 UTC
[Samba] Upgrade Samba 3 -> Samba 4 AD DC (Debian Wheezy)
Hello Peter,

On 29.12.2013 22:28, Peter Schaefer wrote:
> I just upgraded from Samba 3.6.6 to the Sernet Samba 4.1.7 packages as
> AD DC following the Samba AD DC / classicupgrade HOWTO and thought to
> share the experience so other users might find it in the archives.

Always good to hear stories of migrations to improve the documentation.

> I have to say a BIG THANK YOU to all Samba4 developers for developing
> Samba4. Another BIG THANK YOU goes to Sernet for packaging, too. In
> addition, the Samba4 wiki pages mentioned above helped a lot. There's
> always room for improvement, but the documented steps lead in the right
> direction.

I have already had the detailed re-writing of the upgrading HowTo on my list for a longer time. But since I moved 2 months ago, I haven't got my internet connection and am only online with a limited and unstable UMTS connection :-( . But I'm collecting the problems/hints/wishes for later. So let me know what kind of improvements you are thinking about, and I'll try to add them.

Regards,
Marc