Samba/Samba 4 Migration

This guide Article description::introduces the migration of Samba 3 to Samba 4 with LDAP on Gentoo boxes.

Pre-requisites

 * A working samba 3.6.x NT PDC with LDAP backend(Must be PDC as it will be Promoted to AD)
 * Samba AD DNS Planning
 * Samba AD and DNS understanding
 * LDAP Auth Backend Database (Optional)
 * Python 2.7 as ABI
 * Access Control List (ACL) on file system
 * extended attributes (xattr) on file system

Samba DNS Planning

 * Moving from samba3 to samba AD is not easy due to the fact that the idea wasn't the same.
 * Samba AD requires you to have a resolvable DNS.
 * MS suggest using a FQDN as an AD Server as it is easily scalable in future.
 * There are some suggestions to use suffixes of .local, .lan .corp but these are bad idea, very bad idea indeed, as we have no understanding what suffixes ICANN will use in future. And having a DNS with that suffix will conflict with the external DNS.

Thus we would hope that you use the following suggestion.

FQDN subdomain DNS setup
Example you own "company.com" and it is hosting by your web hosting company.

Samba AD and internal subdomain DNS setup

in the above example:

NETBIOS NAME: HEADOFFICE

So the most important setup.

hostname = samba4-1.headoffice.company.com

AD = headoffice.company.com

REALM = HEADOFFICE.COMPANY.COM

DOMAINNAME ( NT Style ) COMPANY

Benefits
 * 1) A clear cut on internal and external DNS.
 * 2) There will not be any conflict between internal and external DNS.
 * 3) In case if there are Branch Site, the Branch AD FQDN can be another subdomain: samba4-2.branch_CA.company.com.
 * 4) We can also make the subdomain public if needed and that makes this design future proof.

Samba AD DNS setup
Samba AD requires DNS Server to work, so if you have an DNS server running on the same server before, you will need to change it to support Samba or replace it to Samba internal DNS. The choice is yours.

If you would like to run 2 DNS server separately, it will be slightly wasteful as samba's internal DNS provides a DNS forwarding feature, just you need some tweaks.

There are 2 Options in Samba DNS setup.
 * Samba Internal DNS : This is simplest and easier. Configuration using Microsoft DNS Management tools.
 * Bind 9.8/9.8 Server : This is another choice that Samba team provides. If you are currently running Bind DNS, you might prefer this method.

What is Samba AD
Samba AD has the following features
 * Samba file Sharing (the most important)
 * LDAP Server with MS Specified Schema which works as an Active Directory
 * DNS Server which work together with Active Directory
 * Kerberos Server

All 4 features need to run for a successfully deployed Active Directory. If you have been using LDAP Centralize Authentication and Management, you might want to run LDAP from a different virtual machine than current Samba AD until you have migrated all authentication to Samba AD.

Port Usage on the Samba AD

Have a look at the following documentation Samba/Active Directory Guide You can choose any of the following:
 * winbind from samba4
 * nslcd/nss-pam-ldapd (a replacement of nss-pam and nss-ldap)
 * sssd (must have mit-krb)

Checking SambaSID for duplication
We will now check for SambaSID duplication You can use the following code which is from the samba ClassUpgrade/HOWTO

Checking Samba username and groupname for duplication
Unfortunately, there are no program for this. You will have to do it manually.

if you are using smbldap-tools, you can use the following command and manually compare their differences.

Due to a bug in smbldap-tools, you probably need >=net-nds/smbldap-tools-0.9.9.

ACL and xattr support on your Files system
Samba 4 relies heavily on ACL and xattr because of the nature on how Windows controls the file sharing.

Running without these would be like running a windows share server on a FAT32 disk, where users other than owner and some file attributes would not be saved.

Due to the topic and it size, we will move it to another HOWTO. Filesystem/Access Control List Guide

Emerge Samba
For more on Samba 4 bugs please have a look on the bugs tracker below.

Samba 4 unmask bugs tracker.

Please wait and allow samba 4 to build.

When it is done we can continue configuration Samba 4.

Migration from Samba 3 to Samba 4 configuration
We will now prepared to do an classic upgrade from samba 3 to samba 4. Before that please run test-parm to make sure all configuration on the samba3 is correct. The migration will fail if it sees some outdated/obsolete config

Change or remove any WARNING configuration.

We assume that both old and new server are on the same host. Else you can copy them to another host.

Your New host should also have a basic configure like below. Samba-tools migratation requires talking to the ldap server to get your existing information.

If you wish to change the host name of the new server, you can change the netbios name in the Samba3 conf file that you have copied over.

Start migration
Now it is time to stop samba.

And run your migratation. Choose one of the following for different DNS configuration. You can change it later after running.

Samba 4 AD with Bind9 DLZ Module DLZ is for windows client to do dns update to bind9

Samba 4 AD with internal DNS Module

You should not see any error message from this command. If you do you will have to re-run the above command again.

Testing of Migration
As said above, Samba AD provides LDAP and DNS, so you have to turn off your slapd and also other DNS if you are using samba internal DNS.

Smbclient test

Internal Samba DNS setup
If you want to forward DNS to 8.8.8.8 (Google) for all PC clients to the Internet, please setup the following in your new /etc/samba/smb.conf

Also you should also allow dns update from Windows clients to samba DNS.

Bind DNS DLZ module setup
Having Bind DNZ DLZ working with Samba 4 AD is somewhat simple, but still we need to do the following.


 * 1) Change of Samba DLZ Module version.
 * 2) Change the permission on /var/lib/samba/private/ so that named can access
 * 3) Change /etc/bind/named.conf to include the files inside /var/lib/samba/private/

Change of /var/lib/samba/private/named.conf
Uncomment the proper bind module according to the bind version you have.

Getting permission on /var/lib/samba/private/
This is tricky but not hard to do, still doubt arises about its security where named needs to access samba private folder, which is default 400.

We will try to use ACL to make life simple (since it is required by default for samba4)

Change of /etc/bind/named.conf
We now need to make 2 changes in named.conf

1. Samba gssapi keytab If you follow BIND/Guide put it under "options section"

2. Samba4 AD DLZ If you follow BIND/Guide put it under "Internal view/External view"

According to your AD design.

You are now done; reload bind.

Sub function test
As said before, samba include DNS, ldap and kerberos in a full AD environment.

We will need to do a full test it now.

Before that we need to change our /etc/resolv.conf so that it is using samba DNS. Krb and ldap don't work fully without that.

Set nameserver ip to your new samba server ip. e.g 192.168.0.10.

DNS sub function test
Your result on the following dns query should be identical or very similar.

Kerberos Test
There shouldn't be any errors when you get the initial TGT (Ticket Granting Ticket).

Final setup
Finally we will need to make the following change

FAQ
1. Where are my shares after the new migration?

A: They will not be migrated. According to samba design you should have a clean DC (No user shares). You shares should be done by a domain member and you will have to manually move you old share over.

However, you should keep your configurable share as simple as possible and use xAttrs/ACLs to set appropriate permissions.

E.g.

2. My netlogon is not working...

A: Netlogon script setting from ldap is not being migrated when you move from samba3 PDC to Samba4.

Why? You are advised to use GPO Drive mapping, which in most cases makes the deployment simpler.

Some Examples:


 * Map Network Shared Drive in Group Policy


 * Using Group Policy Preferences to Map Drives Based on Group Membership


 * Windows XP Drive Maps GPO not working

But still if you still want to use netlogon script, you can copy all your existing scripts to the [netlogon] path above.

Open the AD Users profiles under setting and put the script file name in (without path).

e.g: netlog.bat

You can do it for all users by selecting them all together.

3. My [homes] is not accessible, and I have not changed anything.

A: a basic [homes] share can be as simple as below.

However something is missing, how would the system know your home path?

By default it uses path is read by /etc/nsswitch.conf but as you know our user information is in Samba AD so we can configure nss to winbind, nslcd or sssd.

We will use winbind in this example as it doesn't require an extra package or installation.

But strongly recommend that you have a look on nslcd setup on the link below if you don't have samba on your other linux systems.

Samba/Active Directory Guide

You would have to configure /etc/nsswitch.conf and add winbind to be like the following:

For more about PAM support winbind, please check on the docs below.

With this configuration the system will be able to know the user and group. Use these commands to verify:

You might see some strange entry on the password where the path are /home/COMPANY/username which is the cause of why your [homes] don't work. So just tweak smb.conf a bit on winbind under [global] but before any share

Restart Samba and run the above command again...