On 31.03.19 at 14:08, Rowland Penny via samba wrote:
> On Sun, 31 Mar 2019 13:37:44 +0200
> Patrick von der Hagen via samba <samba at lists.samba.org> wrote:
>
>> I am running samba as a fileserver, having some users (LDAP backend)
>> and lots of files. No machines ever joined this setup. Now I want to
>> join some clients, but want to upgrade to AD before I do that.
>> Configuration is quite old, but had no issues so far. I've been
>> following
>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>>
>> Since the LDAP backend runs on the old server and blocks ports
>> 389/636, I want to follow "Upgrading on a new server" and I want to
>> follow "Domain Controller name" because the new server has a
>> different name, which should be "DC1".
>>
>> The new server is running Ubuntu 18.10, which provides samba 4.8.4.
>> Provisioning a new domain works flawlessly, no issues there. But I
>> really want to perform an upgrade, migrating users and groups.
>>
>> In smb.conf, "netbios name = DC1" and "workgroup = WORKGROUP",
>> hostname returns "dc1", hostname -f returns "dc1.samdom.domain.de".
>>
>> I prepared a local slapd and copied the samba-databases.
>>
>> I start the process like this:
>>
>> samba-tool domain classicupgrade --dbdir=/root/samba/
>> --realm=samdom.domain.de --dns-backend=SAMBA_INTERNAL -d
>> 2 /root/smb.conf
>>
>> Output:
>> ...
>> smbldap_search_domain_info: Searching
>> for:[(&(objectClass=sambaDomain)(sambaDomainName=DC1))]
>> ...
>> sid S-1-5-21-... does not belong to our domain
>> ...
>> Cannot open wins database, Ignoring: [Errno 2] No such file or
>> directory: '/root/samba/wins.dat'
>> ...
>> Adding DomainDN: DC=DC1
>> DN: DC=DC1 is a NC
>> ...
>> Admin password: xxxxxxxxxxxxxxxxxxxxx
>> Server Role: standalone server
>> Hostname: dc1
>> NetBIOS Domain: DC1
>> DNS Domain: dc1
>> DOMAIN SID: S-1-5-21-2467318493-10260708-2946515883
>> ...
>> Cannot open idmap database, Ignoring: [Errno 2] No such file or
>> directory ...
>>
>> Content of /etc/samba/smb.conf (complete!):
>> [global]
>>     log level = 2
>>     netbios name = DC1
>>     passdb backend = samba_dsdb
>>     realm = SAMDOM.DOMAIN.DE
>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>     drepl, winbindd, ntp_signd, kcc, dnsupdate
>>     workgroup = WORKGROUP
>>     idmap_ldb:use rfc2307 = yes
>>
>> Obviously, smb.conf is not complete.
>>
>> My questions:
>>
>> Documentation says, to change "netbios name" before upgrade if you
>> want to change the domain controller name. But it is used in the ldap
>> query for sambaDomainName, so currently I have to change it to
>> WORKGROUP in order to import the LDAP data. How do I fix that?
>>
>> "DNS Domain" should be the realm I specified at the commandline? Why
>> is it ignored and why is sambaDomainName used instead?
>>
>> Is it normal to get a smb.conf file that does not work? Is it
>> intended as a starting point or should it convert my previous
>> configuration? At least "server role" is missing and "server
>> services" contains "dnsupdate" which it should not with
>> SAMBA_INTERNAL.
>>
>> Do I have to worry about wins.dat missing? I don't have such a file.
>>
>> Best regards
>> Patrick
>>
>>
> Let's start with the obvious questions:
>
> What is the original OS ?
> What OS are you moving to ?
> What version of Samba is on the original OS ?
> and finally and most importantly, What is in the original smb.conf ?

the old server runs Ubuntu 18.04 (LTS) and samba 4.7.6-Ubuntu.
I'd stick with LTS, but it has the same issues, so I upgraded the new
server to Ubuntu 18.10 and samba 4.8.4

Configuration:

[global]
    security = user
    workgroup = WORKGROUP
    netbios name = DC1
    server string = %h server (Samba, Ubuntu)
    dns proxy = no
    log file = /var/log/samba/log.%m
    max log size = 1000
    panic action = /usr/share/samba/panic-action %d
    server role = standalone server
    passdb backend = ldapsam:ldap://localhost
    ldap suffix = dc=domain,dc=de
    ldap user suffix = ou=People
    ldap group suffix = ou=Group
    ldap machine suffix = ou=machines
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=admin,dc=domain,dc=de
    ldap ssl = off
    ldap passwd sync = yes
    obey pam restrictions = yes
    unix password sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    map to guest = bad user

and some shares, which should not matter.

Best regards
Patrick

On Sun, 31 Mar 2019 14:37:44 +0200
Patrick von der Hagen <patrick.vdhagen at wiso-tech.de> wrote:

> On 31.03.19 at 14:08, Rowland Penny via samba wrote:
> > On Sun, 31 Mar 2019 13:37:44 +0200
> > Patrick von der Hagen via samba <samba at lists.samba.org> wrote:
> >
> >> I am running samba as a fileserver, having some users (LDAP
> >> backend) and lots of files. No machines ever joined this setup.
> >> Now I want to join some clients, but want to upgrade to AD before
> >> I do that. Configuration is quite old, but had no issues so far.
> >> I've been following
> >> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
> >>
> >> Since the LDAP backend runs on the old server and blocks ports
> >> 389/636, I want to follow "Upgrading on a new server" and I want to
> >> follow "Domain Controller name" because the new server has a
> >> different name, which should be "DC1".
> >>
> >> The new server is running Ubuntu 18.10, which provides samba
> >> 4.8.4. Provisioning a new domain works flawlessly, no issues there.
> >> But I really want to perform an upgrade, migrating users and
> >> groups.
> >>
> >> In smb.conf, "netbios name = DC1" and "workgroup = WORKGROUP",
> >> hostname returns "dc1", hostname -f returns "dc1.samdom.domain.de".
> >>
> >> I prepared a local slapd and copied the samba-databases.
> >>
> >> I start the process like this:
> >>
> >> samba-tool domain classicupgrade --dbdir=/root/samba/
> >> --realm=samdom.domain.de --dns-backend=SAMBA_INTERNAL -d
> >> 2 /root/smb.conf
> >>
> >> Output:
> >> ...
> >> smbldap_search_domain_info: Searching
> >> for:[(&(objectClass=sambaDomain)(sambaDomainName=DC1))]
> >> ...
> >> sid S-1-5-21-... does not belong to our domain
> >> ...
> >> Cannot open wins database, Ignoring: [Errno 2] No such file or
> >> directory: '/root/samba/wins.dat'
> >> ...
> >> Adding DomainDN: DC=DC1
> >> DN: DC=DC1 is a NC
> >> ...
> >> Admin password: xxxxxxxxxxxxxxxxxxxxx
> >> Server Role: standalone server
> >> Hostname: dc1
> >> NetBIOS Domain: DC1
> >> DNS Domain: dc1
> >> DOMAIN SID: S-1-5-21-2467318493-10260708-2946515883
> >> ...
> >> Cannot open idmap database, Ignoring: [Errno 2] No such file or
> >> directory ...
> >>
> >> Content of /etc/samba/smb.conf (complete!):
> >> [global]
> >>     log level = 2
> >>     netbios name = DC1
> >>     passdb backend = samba_dsdb
> >>     realm = SAMDOM.DOMAIN.DE
> >>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
> >>     kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >>     workgroup = WORKGROUP
> >>     idmap_ldb:use rfc2307 = yes
> >>
> >> Obviously, smb.conf is not complete.
> >>
> >> My questions:
> >>
> >> Documentation says, to change "netbios name" before upgrade if you
> >> want to change the domain controller name. But it is used in the
> >> ldap query for sambaDomainName, so currently I have to change it to
> >> WORKGROUP in order to import the LDAP data. How do I fix that?
> >>
> >> "DNS Domain" should be the realm I specified at the commandline?
> >> Why is it ignored and why is sambaDomainName used instead?
> >>
> >> Is it normal to get a smb.conf file that does not work? Is it
> >> intended as a starting point or should it convert my previous
> >> configuration? At least "server role" is missing and "server
> >> services" contains "dnsupdate" which it should not with
> >> SAMBA_INTERNAL.
> >>
> >> Do I have to worry about wins.dat missing? I don't have such a
> >> file.
> >>
> >> Best regards
> >> Patrick
> >>
> >>
> > Let's start with the obvious questions:
> >
> > What is the original OS ?
> > What OS are you moving to ?
> > What version of Samba is on the original OS ?
> > and finally and most importantly, What is in the original
> > smb.conf ?
>
> the old server runs Ubuntu 18.04 (LTS) and samba 4.7.6-Ubuntu. I'd
> stick with LTS, but it has the same issues, so I upgraded the new
> server to Ubuntu 18.10 and samba 4.8.4
>
> Configuration:
>
> [global]
>     security = user
>     workgroup = WORKGROUP
>     netbios name = DC1
>     server string = %h server (Samba, Ubuntu)
>     dns proxy = no
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     panic action = /usr/share/samba/panic-action %d
>     server role = standalone server

Thought so, did you miss this from:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

[quote]

This guide is only relevant if you have a Samba NT4-style domain, that
you want to upgrade to Samba Active Directory!

[/quote]

You do not have an NT4-style domain, you have a standalone server.

You could try changing it to be an actual PDC, the changes are minimal,
but depending on how many users you have, it might just be easier to
start with a new AD domain.

Rowland

On 31.03.19 at 14:51, Rowland Penny via samba wrote:
> Thought so, did you miss this from:
>
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>
> [quote]
>
> This guide is only relevant if you have a Samba NT4-style domain, that
> you want to upgrade to Samba Active Directory!
>
> [/quote]
>
> You do not have an NT4-style domain, you have a standalone server.
>
> You could try changing it to be an actual PDC, the changes are minimal,
> but depending on how many users you have, it might just be easier to
> start with a new AD domain.

I didn't actually miss it, I was simply convinced "yes, that's what I'm
doing". Wasn't aware that "standalone" implies "not NT4-style".

After some more fiddling around, it seems I simply need to add "domain
logons = yes" to my smb.conf and that's it, classic upgrade seems to
work nicely. Didn't do a proper check and will spend some more time with
the lab setup, but hostname, NetBIOS domain and DNS domain are correct
and users are transferred with their passwords, ldap binds and smbclient
work nicely.

Thanks a lot.

Best regards
Patrick
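
Added example (not part of any message in this thread, and not Samba's own code): a small check that reads the summary printed by the classicupgrade run and reports the symptoms discussed above, namely a "standalone server" role and NetBIOS/DNS domain values that differ from the intended workgroup and realm. The function names and the second sample are assumptions made for illustration.

```python
import re

# Summary fields as they appear in the classicupgrade output quoted in the thread.
FIELD_RE = re.compile(
    r"^\s*(Server Role|Hostname|NetBIOS Domain|DNS Domain|DOMAIN SID):\s*(.*?)\s*$")

# Output lines copied from the first message (the failed attempt).
FAILED_OUTPUT = """\
Admin password: xxxxxxxxxxxxxxxxxxxxx
Server Role: standalone server
Hostname: dc1
NetBIOS Domain: DC1
DNS Domain: dc1
DOMAIN SID: S-1-5-21-2467318493-10260708-2946515883
"""

# Constructed sample with the values the poster expected; the "Server Role"
# text here is an assumption, not taken from the thread.
EXPECTED_OUTPUT = """\
Server Role: active directory domain controller
Hostname: dc1
NetBIOS Domain: WORKGROUP
DNS Domain: samdom.domain.de
"""

def parse_summary(output):
    """Return {field: value} for the summary lines found in the tool output."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def check_summary(output, realm, workgroup, hostname):
    """List mismatches between the summary and the intended domain settings."""
    fields = parse_summary(output)
    problems = []
    wanted = (("Hostname", hostname), ("NetBIOS Domain", workgroup), ("DNS Domain", realm))
    for key, want in wanted:
        got = fields.get(key)
        if got is None:
            problems.append(f"{key}: not found in output")
        elif got.lower() != want.lower():
            problems.append(f"{key}: got {got!r}, expected {want!r}")
    role = fields.get("Server Role")
    if role is None:
        problems.append("Server Role: not found in output")
    elif "standalone" in role.lower():
        problems.append(f"Server Role: {role!r}, source is not an NT4-style domain")
    return problems

if __name__ == "__main__":
    for p in check_summary(FAILED_OUTPUT, "samdom.domain.de", "WORKGROUP", "dc1"):
        print("MISMATCH", p)
```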