Samba/Samba 4 Migration

This guide introduces the migration of Samba3 to Samba4 with LDAP on Gentoo boxes.

Prerequisites

 * A working Samba 3 NT PDC (it must be a PDC, as it will be promoted to AD)
 * Samba AD DNS planning
 * LDAP auth backend database (optional)
 * Python 2.7 as ABI

Samba DNS Planning

 * Moving from Samba 3 to Samba AD is not easy, because the underlying idea is not the same.
 * Samba AD requires you to have a resolvable DNS.
 * MS suggests using an FQDN for the AD server, as it is easily scalable in future.
 * There are some suggestions to use suffixes such as .local, .lan or .corp, but these are a bad idea, a very bad idea indeed. We cannot know which suffixes ICANN will use in future, and a DNS with such a suffix would then conflict with the external DNS.

We therefore hope that you use the following suggestion.

FQDN subdomain DNS setup
For example, you own "company.com" and it is hosted by your web hosting company.

Samba AD and internal subdomain DNS setup

In the above example:

NETBIOS NAME: HEADOFFICE

The most important settings are:

hostname = samba4-1.headoffice.company.com

AD = headoffice.company.com

REALM = HEADOFFICE.COMPANY.COM

DOMAINNAME (NT style) = COMPANY

Benefits
 * 1) A clear cut between internal and external DNS.
 * 2) There will not be any conflict between internal and external DNS.
 * 3) If there are branch sites, the branch AD FQDN can be another subdomain: samba4-2.branch_CA.company.com.
 * 4) We can also make the subdomain public if needed, which makes this design future-proof.

Python 2.7 ABI
Run the following command to check whether Python 2.7 is the ABI:

If the results are not the same, run the following command:

Checking SambaSID for duplication
We will now check for SambaSID duplication. You can use the following code, which is from the Samba ClassicUpgrade/HOWTO:

```python
#!/usr/bin/python
# A quick and dirty python script that checks for duplicate SIDs using slapcat.
import os
data = os.popen("slapcat
```

Checking Samba username and groupname for duplication
Unfortunately, there is no program for this. You will have to do it manually.

If you are using smbldap-tools, you can use the following command and manually compare the differences.
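Both checks above (duplicate SambaSIDs, and duplicate user and group names) can be run over a `slapcat` dump in one pass. The Python 3 script below is an added example, not the HOWTO script and not part of the original guide; it assumes users carry the `sambaSamAccount` object class and groups carry `sambaGroupMapping`, and that a name counts as duplicated when the same uid or cn appears on more than one such entry. The sample LDIF is constructed.

```python
import base64
import re
from collections import defaultdict

# Constructed sample in slapcat's LDIF output format (not data from the page).
SAMPLE = """\
dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: sambaSamAccount
uid: alice
sambaSID: S-1-5-21-1-2-3-1001

dn: uid=staff,ou=Users,dc=example,dc=com
objectClass: sambaSamAccount
uid: staff
sambaSID: S-1-5-21-1-2-3-
 1001

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: sambaGroupMapping
cn:: c3RhZmY=
sambaSID: S-1-5-21-1-2-3-2001
"""

def parse_ldif(text):
    # RFC 2849 folding: a line starting with one space continues the previous one.
    for block in text.replace("\n ", "").split("\n\n"):
        entry = defaultdict(list)
        for attr, b64, value in re.findall(r"^([A-Za-z][\w;-]*):(:?) *(.*)$", block, re.M):
            if b64:  # "attr:: value" carries a base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            entry[attr.lower()].append(value)
        if "dn" in entry:
            yield entry

def find_duplicates(ldif_text):
    """Return ({sid: [dns]}, {name: [dns]}) holding only colliding values."""
    by_sid, by_name = defaultdict(list), defaultdict(list)
    for e in parse_ldif(ldif_text):
        kinds = {c.lower() for c in e["objectclass"]}
        for sid in e["sambasid"]:
            by_sid[sid].append(e["dn"][0])
        # Assumption: users are named by uid, groups by cn.
        names = e["uid"] if "sambasamaccount" in kinds else e["cn"] if "sambagroupmapping" in kinds else []
        for name in names:
            by_name[name.lower()].append(e["dn"][0])
    return tuple({k: v for k, v in d.items() if len(v) > 1} for d in (by_sid, by_name))

if __name__ == "__main__":
    print(find_duplicates(SAMPLE))
```

To check a real directory, pass the text produced by `slapcat` to `find_duplicates()` and resolve every reported DN before starting the upgrade.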

Getting ready before Samba4
There are 2 options to get Samba 4 compiled; just choose the one that you prefer.

There isn't much difference in usage, only in the way of getting it.

Option 1: internal Heimdal (need to create a customized ebuild)
Samba4 is already in Portage; however, it is still masked and there are some bugs related to it.

A few of them affect us. Apply the patch and run your ebuild.
 * 1) mit-krb5 conflicts with Heimdal; resolve this by using the internal Heimdal library.

This bug is very important, as in most cases you might have difficulty removing the need for mit-krb5.

Please apply this patch and make your own ebuild.

Download the patch from Bug 490872 that fits your version, save it as a patch, and apply it any way you like.

Rebuild the ebuild Manifest; it will download the Samba source and check it.

Option 2: remove system-wide mit-krb5 and replace it with Heimdal
This might not be as challenging as option 1, but it brings some other challenges.

Remove mit-krb5 dependency
You will need to check which packages depend on mit-krb5.

Remove the kerberos USE flag and recompile these packages,

but leave virtual/krb5-0 untouched; we need that later.

Emerge your new packages with the mit-krb5 dependency removed.

Check that the kerberos USE flag has been removed.

Unmerge mit-krb5
We will now remove mit-krb5.

Emerge heimdal
We can now emerge app-crypt/heimdal Kerberos.

Now rebuild all packages which need a Kerberos library.

virtual/krb5-0 was built so that, if a package can compile with either of the Kerberos libraries, we can choose either one.

When done, we can continue to emerge Samba.

Emerge Samba
For more on Samba4 bugs, please have a look at the bug tracker below.

Samba4 unmask bug tracker.

= External Reference =