Samba/Samba 4 Migration

This guide introduces the migration of Samba3 to Samba4 with LDAP on Gentoo boxes.

Pre-requisite

 * A working samba 3.6.x NT PDC with LDAP backend(Must be PDC as it will be Promoted to AD)
 * Samba AD DNS Planning
 * Samba AD and DNS understanding
 * LDAP Auth Backend Database (Optional)
 * Python 2.7 as ABI
 * Access Control List (ACL) on file system
 * extended attributes (xattr) on file system

Samba DNS Planning

 * Moving from samba3 to samba AD is not easy due to the fact that the idea wasn't the same.
 * Samba AD requires you to have a resolvable DNS.
 * MS suggest using a FQDN as an AD Server as it is easily scalable in future.
 * There are some suggestions to use suffixes of .local, .lan .corp but these are bad idea, very bad idea indeed, as we have no understanding what suffixes ICANN will use in future. And having a DNS with that suffix will conflict with the external DNS.

Thus we would hope that you use the following suggestion.

FQDN subdomain DNS setup
Example you own "company.com" and it is hosting by your web hosting company.

Samba AD and internal subdomain DNS setup

in the above example:

NETBIOS NAME: HEADOFFICE

So the most important setup.

hostname = samba4-1.headoffice.company.com

AD = headoffice.company.com

REALM = HEADOFFICE.COMPANY.COM

DOMAINNAME ( NT Style ) COMPANY

Benefit
 * 1) A clear cut on internal and external DNS.
 * 2) There will not be any conflict between internal and external DNS.
 * 3) In case if there are Branch Site, the Branch AD FQDN can be another subdomain: samba4-2.branch_CA.company.com.
 * 4) We can also make the subdomain public if needed and that makes this design future proof.

Samba AD DNS setup
Samba AD requires DNS Server to work, so if you have an DNS server running on the same server before, you will need to change it to support Samba or replace it to Samba internal DNS. The choice is yours.

If you would like to run 2 DNS server separately, it will be slightly wasteful as samba's internal DNS provides a DNS forwarding feature, just you need some tweaks.

There are 2 Options in Samba DNS setup.
 * Samba Internal DNS : This is simplest and easier. Configuration using Microsoft DNS Management tools.
 * Bind 9.8/9.8 Server : This is another choice that Samba team provides. If you are currently running Bind DNS, you might prefer this method.

What is Samba AD
Samba AD has the following features
 * Samba file Sharing (the most important)
 * LDAP Server with MS Specified Schema which works as an Active Directory
 * DNS Server which work together with Active Directory
 * Kerberos Server

All 4 features need to run for a successfully deployed Active Directory. If you have been using LDAP Centralize Authentication and Management, you might want to run LDAP from a different virtual machine than current Samba AD until you have migrated all authentication to Samba AD.

Port Usage on the Samba AD Have a look at the following documentation Centralized authentication with Samba AD /HOWTO You can choose any of the following:
 * winbind from samba4
 * nslcd/nss-pam-ldapd (a replacement of nss-pam and nss-ldap)
 * sssd (must have mit-krb)

Python 2.7 ABI
Run the following command to check if python2.7 is ABI

If the python2.7 is not selected, run the following command

Checking SambaSID for duplication
We will now check for SambaSID duplication You can use the following code which is from the samba ClassUpgrade/HOWTO

Checking Samba username and groupname for duplication
Unfortunately, there are no program for this. You will have to do it manually.

if you are using smbldap-tools, you can use the following command and manually compare their differences.

ACL and xattr support on your Files system
Samba 4 relies heavily on ACL and xattr because of the nature on how Windows controls the file sharing.

Running without these would be like running a windows share server on a FAT32 disk, where users other than owner and some file attributes would not be saved.

Due to the topic and it size, we will move it to another HOWTO. Files System ACL/HOWTO

Getting ready before Samba4
There are 2 options to get samba 4 compiled; just choose the one that you preferred.

There isn't much different in usage, just the way of getting it.

Options 1, internal heimdal (Need to create customized ebuild)
Samba4 is already in portage, however it is still masked and there are some bugs related to it.

A few of them are affecting us. Make the patch in and run your ebuild.
 * 1)  Mit-krb5 conflict with hemidal issue, resolve using internal hemidal library.

This bugs are very important as you might have difficult on removing the need of mit-krb5 (in most case)

Please apply this patch and make your own ebuild.

download the patch from Bug 490872 that fits your version save it as patch. Apply the patch, any way you like.

rebuild ebuild Manifest, it will download samba source and checksum it.

Special Useflag
Please add this extra useflag

Continue to Emerge samba

Options 2, Remove system wide mit-krb5 and replace with heimdal
This might not be as challenge as compare to option 1 but there are some other challenge.

Remove mit-krb5 dependency
You will need to to check which packages are dependent on mit-krb5

Remove the kerberos useflag and recompile these packages

but leave virtual/krb5-0 untouched; we need that later.

Emerge your new package with mit-krb5 dependency removed.

Check if the kerberos useflag has be removed.

Unmerge mit-krb5
We will now remove mit-krb.

Emerge heimdal
Due to the new virtual-krb5 required new masked version of heimdal which is masked for amd64, you will need to make some changes. to portage.keyword

We can now emerge app-crypt/heimdal kerberos.

Now rebuild all package which need kerberos library.

virtual/krb5-0 was the build so that if a package can compile with either of the kerberos library, we can choose either one.

When done we can continue to Emerge samba.

Emerge Samba
For more on samba4 bugs please have a look on the bugs tracker below.

Samba4 unmask bugs tracker.

unmaks Samba
Before this let's unmask samba 4

Please wait and allow samba4 to build.

When it is done we can continue configuration samba4.

Migration samba 3 to samba 4 configuration
We will now prepared to do an classic upgrade from samba 3 to samba 4. Before that please run test-parm to make sure all configuration on the samba3 is correct. The migration will fail if it sees some outdated/obsolete config

Change or remove any WARNING configuration.

We assume that both old and new server are on the same host. Else you can copy them to another host.

Your New host should also have a basic configure like below. Samba-tools migratation requires talking to the ldap server to get your existing information.

If you wish to change the host name of the new server, you can change the netbios name in the Samba3 conf file that you have copied over.

Migration Start
Now it is time to stop samba.

And run your migratation. Choose one of the following for different DNS configuration. You can change it later after running.

Samba 4 AD with Bind9 DLZ Module DLZ is for windows client to do dns update to bind9

Samba 4 AD with internal DNS Module

You should not see any error message from this command. If you do you will have to re-run the above command again.

Testing of Migration
As said above, Samba AD provides LDAP and DNS, so you have to turn off your slapd and also other DNS if you are using samba internal DNS.

Smbclient test

Internal Samba DNS Setup
If you want to forward DNS to 8.8.8.8 (Google) for all PC clients to the Internet, please setup the following in your new /etc/samba/smb.conf

Also you should also allow dns update from Windows clients to samba DNS.

Bind DNS DLZ module Setup
Having Bind DNZ DLZ working with samba4 AD is somewhat simple, but still we need to do the following.


 * 1) Change of Samba DLZ Module version.
 * 2) Change the permission on /var/lib/samba/private/ so that named can access
 * 3) Change /etc/bind/named.conf to include the files inside /var/lib/samba/private/

Change of /var/lib/samba/private/named.conf
Uncomment the proper bind module according to the bind version you have.

Getting permission on /var/lib/samba/private/
This is tricky but not hard to do, still doubt arises about its security where named needs to access samba private folder, which is default 400.

We will try to use ACL to make life simple (since it is required by default for samba4)

Change of /etc/bind/named.conf
We now need to make 2 changes in named.conf

1. Samba gssapi keytab If you follow BIND/Tutorial put it under "options section"

2. Samba4 AD DLZ If you follow BIND/Tutorial put it under "Internal view/External view"

According to your AD design.

You are now done

reload bind.

Sub function test
As said before, samba include DNS, ldap and kerberos in a full AD environment.

We will need to do a full test it now.

Before that we need to change our /etc/resolv.conf so that it is using samba DNS. Krb and ldap don't work fully without that.

Set nameserver ip to your new samba server ip. e.g 192.168.0.10.

DNS sub function test
Your result on the following dns query should be identical or very similar.

Kerberos Test
There shouldn't be any errors when you get the initial TGT (Ticket Granting Ticket).

Final Setup
Finally we will need to make the following change

= FAQ = 1. Where are my shares after the new migration?

A: They will not be migrated. According to samba design you should have a clean DC (No user shares). You shares should be done by a domain member and you will have to manually move you old share over.

However, you should keep your configurable share as simple as possible and use xAttrs/ACLs to set appropriate permissions.

E.g.

2. My netlogon is not working...

A: Netlogon script setting from ldap is not being migrated when you move from samba3 PDC to Samba4.

Why? You are advised to use GPO Drive mapping, which in most cases makes the deployment simpler.

Some Examples:


 * Map Network Shared Drive in Group Policy


 * Using Group Policy Preferences to Map Drives Based on Group Membership


 * Windows XP Drive Maps GPO not working

But still if you still want to use netlogon script, you can copy all your existing scripts to the [netlogon] path above.

Open the AD Users profiles under setting and put the script file name in (without path).

e.g: netlog.bat

You can do it for all users by selecting them all together.

3. My [homes] is not accessible, and I have not changed anything.

A: a basic [homes] share can be as simple as below.

However something is missing, how would the system know your home path?

By default it uses path is read by /etc/nsswitch.conf but as you know our user information is in Samba AD so we can configure nss to winbind, nslcd or sssd.

We will use winbind in this example as it doesn't require an extra package or installation.

But strongly recommend that you have a look on nslcd setup on the link below if you don't have samba on your other linux systems.

Centralized authentication with Samba AD /HOWTO

You would have to configure /etc/nsswitch.conf and add winbind to be like the following

For more about PAM support winbind, please check on the docs below.

With this configuration the system will be able to know the user and group. Use these commands to verify:

You might see some strange entry on the password where the path are /home/COMPANY/username which is the cause of why your [homes] don't work. So just tweak smb.conf a bit on winbind under [global] but before any share

Restart Samba and run the above command again...

= Internal wiki Reference =
 * 1) Samba/Configuration
 * 2) Centralized authentication using OpenLDAP
 * 3) BIND/Tutorial
 * 4) Centralized authentication with Samba AD /HOWTO
 * 5) Files System ACL/HOWTO

= External Reference =