Samba/Samba 4 Migration

This guide introduces the migration from Samba 3 with an LDAP backend to Samba 4 (Active Directory) on Gentoo boxes.

Pre-requisite

 * A working Samba 3.6.x NT PDC with an LDAP backend (it must be the PDC, as it is the one that will be promoted to AD)
 * Samba AD DNS planning
 * An understanding of Samba AD and DNS
 * LDAP authentication backend database (optional)
 * Python 2.7 as the active Python ABI
 * Access Control List (ACL) support on the file system
 * Extended attribute (xattr) support on the file system

Samba DNS Planning

 * Moving from Samba 3 to Samba AD is not easy, because the two are built on different ideas.
 * Samba AD requires a resolvable DNS name.
 * Microsoft suggests using an FQDN for an AD server, as it scales easily in the future.
 * Some guides suggest suffixes such as .local, .lan or .corp, but these are a bad idea, a very bad idea indeed: nobody knows which suffixes ICANN will delegate in the future, and a DNS zone with such a suffix will then conflict with external DNS.

We therefore hope that you will follow the layout below.

FQDN subdomain DNS setup
For example, you own "company.com" and it is hosted by your web hosting company.

Samba AD and internal subdomain DNS setup

In the above example:

NETBIOS NAME: HEADOFFICE

These are the most important settings:

hostname = samba4-1.headoffice.company.com

AD = headoffice.company.com

REALM = HEADOFFICE.COMPANY.COM

DOMAINNAME (NT style) = COMPANY

Benefit
 * 1) A clear cut between internal and external DNS.
 * 2) There will be no conflict between internal and external DNS.
 * 3) If there are branch sites, each branch AD FQDN can be another subdomain, e.g. samba4-2.branch_CA.company.com.
 * 4) The subdomain can also be made public if needed, which makes this design future proof.

Samba AD DNS setup
Samba AD requires a DNS server to work, so if you already have a DNS server running on the same host you will need to either change it to support Samba or replace it with the Samba internal DNS. The choice is yours.

Running two separate DNS servers is wasteful, since the Samba internal DNS can also provide DNS forwarding; it just needs some tweaking.

There are 2 options for the Samba DNS setup.
 * Samba internal DNS: this is the simplest and easiest. It is configured using the Microsoft DNS management tools.
 * BIND 9.8/9.8 server: this is the other choice provided by the Samba team. If you are currently running BIND, you might prefer this method.

What is Samba AD
Samba AD consists of the following components:
 * Samba file sharing (the most important)
 * An LDAP server with the Microsoft-specified schema, which is what makes it an Active Directory
 * A DNS server that works together with the Active Directory
 * A Kerberos server

All 4 components need to run for a successful Active Directory deployment. If you have been using LDAP for centralized authentication and management, you might want to run that LDAP server on a different virtual machine from the Samba AD until you have migrated all authentication to Samba AD.

Port usage on the Samba AD
Have a look at the following documentation: Centralized authentication with Samba AD /HOWTO. You can choose any of the following:
 * winbind from Samba 4
 * nslcd/nss-pam-ldapd (a replacement for nss-pam and nss-ldap)
 * sssd (requires mit-krb5)

Python 2.7 ABI
Run the following command to check whether Python 2.7 is the active ABI.

If the result is not the same, run the following command.

Checking sambaSID for duplication
We will now check for sambaSID duplication. You can use the following script, which comes from the Samba ClassicUpgrade/HOWTO (only its first lines survive here; the complete script is in that HOWTO):

#!/usr/bin/python
# A quick and dirty python script that checks for duplicate SID's using slapcat.
import os
data = os.popen("slapcat

Checking Samba usernames and group names for duplication
Unfortunately, there is no program for this. You will have to do it manually.

If you are using smbldap-tools, you can use the following command and compare the differences manually.
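The two checks above (duplicate sambaSIDs, and user or group names that collide) can be run over a single slapcat dump. The script below is an added example and is not part of this wiki page or of the Samba ClassicUpgrade script; it assumes the standard Samba 3 LDAP schema (sambaSID on every account, posixAccount entries keyed by uid, posixGroup entries keyed by cn) and ships with a constructed sample dump so it runs without an LDAP server.

```shell
#!/bin/sh
# Added example, not from the wiki page or the Samba ClassicUpgrade script:
# duplicate checks over an LDIF dump such as `slapcat` produces on the Samba 3
# LDAP backend. Attribute and objectClass names are the standard Samba 3 schema.

# sambaSID values that occur more than once anywhere in the dump.
# Every user, group and machine entry must carry a unique SID.
dup_sids() {
    grep -i '^sambaSID:' | awk '{ print $2 }' | sort | uniq -d
}

# Print the value of attribute $2 for every entry of objectClass $1,
# lower-cased because Windows treats account names case-insensitively.
names_of() {
    awk -v oc="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        -v attr="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    BEGIN { RS = ""; FS = "\n" }            # one LDIF entry per record
    {
        hit = 0; val = ""
        for (i = 1; i <= NF; i++) {
            line = tolower($i)
            if (line == ("objectclass: " oc)) hit = 1
            if (index(line, attr ": ") == 1) val = substr(line, length(attr) + 3)
        }
        if (hit && val != "") print val
    }'
}

# Names used by more than one entry of the same kind (two users with one uid).
dup_names() {   # $1 = objectClass, $2 = attribute; LDIF on stdin
    names_of "$1" "$2" | sort | uniq -d
}

# Names shared between a user and a group: the classic upgrade cannot create
# both, so one side has to be renamed before migrating.
user_group_name_clashes() {   # $1 = path to the LDIF file
    users=$(mktemp); grps=$(mktemp)
    names_of posixAccount uid < "$1" | sort -u > "$users"
    names_of posixGroup cn < "$1" | sort -u > "$grps"
    comm -12 "$users" "$grps"
    rm -f "$users" "$grps"
}

# Constructed sample dump (not real data): bob and carol share a SID, and the
# user "staff" has the same name as the group "Staff".
write_sample_ldif() {   # $1 = destination path
    cat > "$1" <<'EOF'
dn: uid=alice,ou=Users,dc=company,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
cn: Alice Example
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000

dn: uid=bob,ou=Users,dc=company,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1002

dn: uid=carol,ou=Users,dc=company,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: carol
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1002

dn: uid=staff,ou=Users,dc=company,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: staff
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1004

dn: cn=Staff,ou=Groups,dc=company,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Staff
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-2001
EOF
}

# Usage: sh check_ldif.sh [dump.ldif]   (on the PDC: slapcat > dump.ldif)
# Without an argument the constructed sample above is checked.
ldif=${1:-}
if [ -z "$ldif" ]; then
    ldif=$(mktemp); write_sample_ldif "$ldif"
fi
echo "duplicate sambaSIDs:";      dup_sids < "$ldif"
echo "duplicate user names:";     dup_names posixAccount uid < "$ldif"
echo "duplicate group names:";    dup_names posixGroup cn < "$ldif"
echo "user/group name clashes:";  user_group_name_clashes "$ldif"
```

On the sample the SID check reports the SID ending in -1002 and the clash check reports staff. The functions only read plain `attr: value` lines; slapcat writes non-ASCII or leading-space values base64-encoded as `attr:: value`, so a dump with such names needs decoding first, and a clean run here is a precondition for the classic upgrade, not a guarantee that it succeeds.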

ACL and xattr support on your file system
Samba 4 relies heavily on ACLs and xattrs because of the way Windows controls file sharing.

Without them it would be like running a Windows file server on a FAT32 disk: what you can control on the shared files is limited.

Because of the size of this topic, it is covered in a separate HOWTO: Files System ACL/HOWTO

Getting ready before Samba 4
There are 2 options for getting Samba 4 compiled; choose the one you prefer.

There isn't much difference in usage, only in how you get it.

Option 1, internal Heimdal (requires a customized ebuild)
Samba 4 is already in Portage, but it is still masked and there are some bugs related to it.

A few of them affect us. Apply the patch and run your ebuild.
 * 1) mit-krb5 conflicts with Heimdal; resolved by using the internal Heimdal library.

This bug is important, as in most cases you will have difficulty removing the dependency on mit-krb5.

Please apply this patch and make your own ebuild.

Download the patch from Bug 490872 that fits your version, save it as a patch file and apply it any way you like.

Rebuild the ebuild Manifest; this will download the Samba source and verify it.

Special USE flag
Please add this extra USE flag.

Jump to Emerge Samba.

Option 2, remove the system-wide mit-krb5 and replace it with Heimdal
This is not as challenging as option 1, but it has some other challenges.

Remove the mit-krb5 dependency
You will need to check which packages depend on mit-krb5.

Remove the kerberos USE flag and recompile these packages,

but leave virtual/krb5-0 untouched; we need it later.

Emerge your packages again with the mit-krb5 dependency removed.

Check that the kerberos USE flag has been removed.

Unmerge mit-krb5
We will now remove mit-krb5.

Emerge Heimdal
We can now emerge app-crypt/heimdal.

Now rebuild all packages that need the Kerberos library.

virtual/krb5-0 was built so that if a package can compile with either Kerberos library, we can choose either one.

When done, we can continue with emerging Samba.
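The Option 2 steps above, as one reviewable script. This is an added example and not from the wiki page; it assumes gentoolkit's `equery depends` prints one "category/package-version ..." line per dependant, and the package.use file name is an assumption. The list-building helpers are pure text filters so the plan can be inspected before anything is emerged.

```shell
#!/bin/sh
# Added example, not from the wiki page: Option 2 (rebuild reverse dependencies
# without the kerberos USE flag, unmerge mit-krb5, emerge heimdal, rebuild).
# Assumed `equery depends` line format: "<category>/<pkg>-<version> ...".

MITKRB=app-crypt/mit-krb5
PACKAGE_USE_FILE=/etc/portage/package.use/no-mit-krb5   # assumed location

# Turn `equery depends` output into a sorted list of atoms to rebuild.
# mit-krb5 itself is skipped, and so is virtual/krb5: it must stay installed
# so that packages accepting either Kerberos implementation still resolve
# once heimdal has replaced mit-krb5 (the "leave virtual/krb5-0 untouched" step).
reverse_deps_to_rebuild() {
    sed -n 's|^\([a-z0-9-]*/[A-Za-z0-9_+-]*\)-[0-9].*|\1|p' \
        | grep -v -e '^app-crypt/mit-krb5$' -e '^virtual/krb5$' \
        | sort -u
}

# package.use lines that disable the kerberos USE flag for each atom on stdin.
package_use_lines() {
    awk 'NF { print $1 " -kerberos" }'
}

# Lines of `emerge -pv` where kerberos is still enabled (empty output == clean).
# An enabled flag is printed bare inside USE="..."; disabled ones carry a "-".
kerberos_still_enabled() {   # $@ = atoms
    emerge --pretend --verbose "$@" 2>/dev/null | grep -E '[" ]kerberos[ *%"]' || true
}

# The procedure itself: run only on a Gentoo box, after reading the plan.
swap_mit_krb5_for_heimdal() {
    pkgs=$(equery -q depends "$MITKRB" | reverse_deps_to_rebuild)
    echo "packages to rebuild without kerberos:"; echo "$pkgs"
    echo "$pkgs" | package_use_lines > "$PACKAGE_USE_FILE"
    emerge --ask --oneshot $pkgs                 # recompile with -kerberos
    if [ -n "$(kerberos_still_enabled $pkgs)" ]; then
        echo "kerberos USE flag still active, check $PACKAGE_USE_FILE" >&2
        return 1
    fi
    emerge --ask --unmerge "$MITKRB"             # Unmerge mit-krb5
    emerge --ask app-crypt/heimdal               # Emerge heimdal
    rm -f "$PACKAGE_USE_FILE"                    # kerberos may come back, via heimdal
    emerge --ask --oneshot $pkgs                 # rebuild against the heimdal library
}

# Usage: sh swap-krb5.sh --run   (no argument: only the functions are defined)
if [ "${1:-}" = "--run" ]; then
    swap_mit_krb5_for_heimdal
fi
```

The check after the first rebuild matters: if a package still shows kerberos enabled (for example because a profile or another package.use file forces it), unmerging mit-krb5 would leave it linked against a library that is gone.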

Emerge Samba
For more on Samba 4 bugs, please have a look at the bug tracker below.

Samba 4 unmask bug tracker.

Unmask Samba
Before building, let's unmask Samba 4.

Please wait and allow Samba 4 to build.

When it is done we can continue with configuring Samba 4.

Migrating the Samba 3 configuration to Samba 4
We will now prepare to do a classic upgrade from Samba 3 to Samba 4. Before that, please run testparm to make sure all of the Samba 3 configuration is correct. The migration will fail if it sees outdated or obsolete configuration.

Change or remove any configuration that testparm reports as a WARNING.

We assume that both the old and the new server are on the same host. Otherwise, copy the files to the other host.

If you wish to change the host name of the new server, you can change the netbios name in the Samba 3 configuration file that you copied over.

Migration start
Now it is time to stop Samba.

Then run your migration. Choose one of the following, depending on your DNS configuration; you can change it later after running.

Samba 4 AD with the BIND9 DLZ module (DLZ is what allows Windows clients to send DNS updates to BIND9)

Samba 4 AD with the internal DNS module

You should not see any error messages from this command. If you do, you will have to re-run the above command.

Testing the migration
As said before, Samba AD includes LDAP and DNS, so you have to turn off slapd and, if you are using the Samba internal DNS, any other DNS server as well.

smbclient test

Internal Samba DNS setup
If you want to allow DNS forwarding to 8.8.8.8 so that all client PCs can resolve Internet names, set up the following in your new /etc/samba/smb.conf

You should also allow DNS updates from Windows clients to the Samba DNS.

BIND DNS DLZ module setup
Getting BIND DNS DLZ working with Samba 4 AD is fairly simple.

We still need to do the following.
 * 1) Select the Samba DLZ module version.
 * 2) Change the permissions on /var/lib/samba/private/ so that named can access it.
 * 3) Change /etc/bind/named.conf to include the files inside /var/lib/samba/private/

Change of /var/lib/samba/private/named.conf
Uncomment the proper BIND module according to the BIND version you have.

Getting permission on /var/lib/samba/private/
This is tricky but not hard to do. Still, doubts arise about its security, since named needs to access Samba's private folder, which is mode 400 by default.

We will use ACLs to make life simpler (they are required by Samba 4 anyway).

Change of /etc/bind/named.conf
We now need to make 2 changes in named.conf.

1. Samba GSSAPI keytab. If you follow BIND/Tutorial, put it under the "options" section.

2. Samba 4 AD DLZ. If you follow BIND/Tutorial, put it under the internal view or external view,

according to your AD design.

You are now done.

Reload BIND.

Sub function test
As said before, Samba includes DNS, LDAP and Kerberos in a full AD environment.

We will now need to test all of them.

Before that we need to change our /etc/resolv.conf so that it uses the Samba DNS. Kerberos and LDAP don't work fully without that.

Set the nameserver IP to your current Samba server IP, e.g. 192.168.0.10.

DNS sub function test
Your results for the following DNS queries should be identical or very similar.

Kerberos Test
There shouldn't be any errors when you get the initial TGT (Ticket Granting Ticket).
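The DNS, Kerberos and smbclient checks above, collected into one script. This is an added example, not from the wiki page; it uses the names from the DNS design above (headoffice.company.com, samba4-1.headoffice.company.com, HEADOFFICE.COMPANY.COM), which can be overridden through the environment, and relies on host(1), kinit/klist and smbclient being installed on the DC with /etc/resolv.conf already pointing at it.

```shell
#!/bin/sh
# Added example, not from the wiki page: post-migration checks for the three
# Samba AD sub-services (DNS, Kerberos, file sharing). Names default to the
# page's DNS design and can be overridden via the environment.

AD_DOMAIN=${AD_DOMAIN:-headoffice.company.com}
DC_HOST=${DC_HOST:-samba4-1.headoffice.company.com}
REALM=${REALM:-HEADOFFICE.COMPANY.COM}

# Records a working Samba AD DNS must answer: the LDAP and Kerberos service
# locator records clients use to find the DC, plus the DC's own address record.
dns_checks() {   # $1 = AD domain, $2 = DC hostname
    printf '%s\n' "SRV _ldap._tcp.$1" "SRV _kerberos._udp.$1" "A $2"
}

# Query each record with host(1); returns 1 if any lookup yields no answer.
run_dns_checks() {   # $1 = AD domain, $2 = DC hostname
    status=0
    list=$(mktemp)
    dns_checks "$1" "$2" > "$list"
    while read -r type name; do
        if host -t "$type" "$name" | grep -q -e 'has SRV record' -e 'has address'; then
            echo "ok   $type $name"
        else
            echo "FAIL $type $name"; status=1
        fi
    done < "$list"
    rm -f "$list"
    return $status
}

# True when klist output (stdin) lists a TGT for realm $1.
has_tgt() {
    grep -q "krbtgt/$1@$1"
}

# Get an initial TGT for an administrative principal and confirm it is cached.
kerberos_check() {   # $1 = realm
    kinit "administrator@$1" && klist | has_tgt "$1"
}

# True when an `smbclient -L` listing (stdin) shows both shares that the
# provisioning creates on a DC: netlogon and sysvol.
has_ad_shares() {
    awk 'tolower($1) == "netlogon" { n = 1 }
         tolower($1) == "sysvol"   { s = 1 }
         END { exit !(n && s) }'
}

# Anonymous share listing against the local DC.
smbclient_check() {
    smbclient -L localhost -U% | has_ad_shares
}

# Usage: sh ad-subtests.sh --run   (no argument: only the functions are defined)
if [ "${1:-}" = "--run" ]; then
    run_dns_checks "$AD_DOMAIN" "$DC_HOST" \
        && kerberos_check "$REALM" \
        && smbclient_check \
        && echo "all sub-function tests passed"
fi
```

The order mirrors the dependency chain described above: Kerberos needs the SRV records to locate the KDC, and a missing netlogon or sysvol share usually means the provisioning step was re-run on a partially populated /var/lib/samba.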

Final setup
Finally we will need to make the following changes.

= FAQ =
1. Where are my shares after the new migration?

A: They will not be migrated. According to the Samba design you should have a clean DC (not shared with users). Shares should be served by a domain member, and you will have to move your old shares over manually.

However, you should keep your configured shares as simple as possible and use xattrs/ACLs to set the appropriate permissions.

E.g.
[netlogon]
path = /var/lib/samba/sysvol/headoffice.company.com/scripts
read only = No

2. My netlogon is not working...

A: The netlogon script setting from LDAP is not migrated when you move from a Samba 3 PDC to Samba 4.

Why? You are advised to use GPO drive mapping, which in most cases makes deployment simpler.

Some examples:
 * Map Network Shared Drive in Group Policy
 * Using Group Policy Preferences to Map Drives Based on Group Membership
 * Windows XP Drive Maps GPO not working

If you still want to use a netlogon script, you can copy all your existing scripts to the [netlogon] path above.

Open the AD user's profile under settings and put the script file name in (without path).

e.g.: netlog.bat

You can do it for all users by selecting them all together.

3. My [homes] is not accessible, I have not changed anything.

A: A basic [homes] share can be as simple as below.

[homes]
valid users = %S
read only = No
browseable = No

However something is missing: how would the system know your home path?

By default the user's home path is read through /etc/nsswitch.conf, but as you know our user information is in Samba AD, so we can configure NSS to use winbind, nslcd or sssd.

We will use winbind in this example as it doesn't require any extra package or installation.

But we strongly recommend that you look at the nslcd setup at the link below if your other Linux systems don't have Samba.

Centralized authentication with Samba AD /HOWTO

You will have to configure /etc/nsswitch.conf and add winbind as follows

/etc/nsswitch.conf

For more about PAM support for winbind, please check the docs below.

With this configuration the system will be able to resolve users and groups; use these commands to verify:

You will see some strange entries in the passwd output where the home path is /home/COMPANY/username, which is the cause of your [homes] share not working. So tweak smb.conf a bit: add the winbind settings under [global], before any share definitions, in /etc/samba/smb.conf

Restart Samba and run the above command again...

= Internal Wiki Reference =
 * 1) Samba/HOWTO
 * 2) Centralized authentication using OpenLDAP
 * 3) BIND/Tutorial
 * 4) Centralized authentication with Samba AD /HOWTO
 * 5) Files System ACL/HOWTO

= External Reference =