samba - Jun 2014 - Easy conversion/import/use of old samba databases(passwords) to samba4?

Background: A server running samba 3.6.3 on ubuntu 12.04 had a raid
controller failure that also  corrupted the disks. I set up temporary
server by simply installing ubuntu 12.04 and copying over the
configuration(/etc/samba, /var/lib/samba passwd shadow groups gshadow)
from backup to a reserve workstation and it has worked fine as reserve
server.

Setup: uses a single server master domain controller with tdb backend.

Test: The replacement parts arrived and I installed ubuntu 14.04 on
the main server. However ubuntu 14.04 only comes with samba 4.1.6 and
there is no samba 3 package.

Copying over the files and trying it shows that samba 4.1.6 starts
fine with the old configuration and tdb files from the old samba, but
the passwords do not work for users and machines. If I reset the
password manually and rejoin the workstation to the domain things
seems to work.

I would prefer to have the downtime on the server as short as possible.

I tried looking at the samba 3 to 4 transition guides and they all
either seem to have instructions for in place upgrade(that would
require me to install samba3 first on the main server or samba4 on the
temporary server) or by adding an extra server to a domain using ldap.

Anyone have any ideas for how to transfer/set the passwords easiest?

Possible solutions that I see:

Reset all passwords and rejoin machines to the domain manually.
   Not preferred as people are mobile and not all on site in any
reasonable time.

Manually compile and install samba 3 on the server
   Not preferred as maintaining security fixes and such on manual
configs is more work.

Just install ubuntu 12.04 with samba 3.6.x again on the server and do
the ubuntu/samba 4 transition later.
   Probably easiest solution if there is no easy way to transfer the
passwords. Would allow things to work for few years without changes.

Do some sort of conversion so that the user/machine passwords are
moved from samba 3 to 4.
   Would likely be the best solution if there is a fairly easy way to do it.

Any suggestions/ideas/how to guides or such that would help me?

-- 
Vesa Roto

On Mon, 2014-06-23 at 13:42 +0300, Vesa Roto wrote:
> Background: A server running samba 3.6.3 on ubuntu 12.04 had a raid
> controller failure that also  corrupted the disks. I set up temporary
> server by simply installing ubuntu 12.04 and copying over the
> configuration(/etc/samba, /var/lib/samba passwd shadow groups gshadow)
> from backup to a reserve workstation and it has worked fine as reserve
> server.
> 
> Setup: uses a single server master domain controller with tdb backend.
> 
> Test: The replacement parts arrived and I installed ubuntu 14.04 on
> the main server. However ubuntu 14.04 only comes with samba 4.1.6 and
> there is no samba 3 package.
> 
> Copying over the files and trying it shows that samba 4.1.6 starts
> fine with the old configuration and tdb files from the old samba, but
> the passwords do not work for users and machines. If I reset the
> password manually and rejoin the workstation to the domain things
> seems to work.
I suspect you are not putting the tdb files in the right place.  Samba
3.x machines can upgrade to Samba 4.x without changing to being an AD
DC, but we did move some files around, and on a same-host situation that
would have been handled by the package scripts.  

Look at where passdb.tdb is created on your new host, and put the backup
file there.
> I would prefer to have the downtime on the server as short as possible.
> 
> I tried looking at the samba 3 to 4 transition guides and they all
> either seem to have instructions for in place upgrade(that would
> require me to install samba3 first on the main server or samba4 on the
> temporary server) or by adding an extra server to a domain using ldap.
If you wish to use this as an opportunity to become an AD DC, see the
--dbdir option to 'samba-tool domain classicupgrade', and put all your
tdb files there.  That script should take care of the rest. 

https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%
28NT4-style_domain_to_AD%29

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba