Samba/Samba 4 Migration

This guide introduces the migration of Samba3 to Samba4 with LDAP on Gentoo boxes.

Prerequisites

 * A working Samba 3 NT PDC (it must be a PDC, as it will be promoted to AD)
 * Samba AD DNS Planning
 * LDAP Auth Backend Database (Optional)
 * Python 2.7 as ABI

Samba DNS Planning

 * Moving from Samba 3 to Samba AD is not easy, because the underlying idea is not the same.
 * Samba AD requires you to have a resolvable DNS.
 * MS suggests using an FQDN for the AD server, as it scales easily in the future.
 * There are some suggestions to use suffixes such as .local, .lan or .corp, but these are a bad idea, a very bad idea indeed: we cannot know which suffixes ICANN will use in the future, and a DNS with such a suffix will conflict with the external DNS.

Thus we hope that you will use the following suggestion.

FQDN subdomain DNS setup
For example, you own "company.com" and it is hosted by your web hosting company.

Samba AD and internal subdomain DNS setup

In the above example:

NETBIOS NAME: HEADOFFICE

So the most important settings are:

hostname = samba4-1.headoffice.company.com

AD = headoffice.company.com

REALM = HEADOFFICE.COMPANY.COM

DOMAINNAME ( NT Style ) COMPANY

Benefits
 * 1) A clear cut between internal and external DNS.
 * 2) There will not be any conflict between internal and external DNS.
 * 3) If there are branch sites, the branch AD FQDN can be another subdomain: samba4-2.branch_CA.company.com.
 * 4) We can also make the subdomain public if needed, which makes this design future proof.

Python 2.7 ABI
Run the following command to check if python2.7 is ABI

If the results are not the same, run the following command

Checking SambaSID for duplication
We will now check for SambaSID duplication. You can use the following code, which is from the samba ClassUpgrade/HOWTO:

    #!/usr/bin/python
    # A quick and dirty python script that checks for duplicate SIDs using slapcat.
    import os
    data = os.popen("slapcat

Checking Samba username and groupname for duplication
Unfortunately, there is no program for this.

Option 1: internal Heimdal (need to create a new ebuild)
Samba4 is already in Portage; however, it is still masked and there are some bugs related to it.

A few of them affect us. Apply the patch and run your ebuild.
 * 1) mit-krb5 conflicts with Heimdal; resolved by using the internal Heimdal library.

The first bug is very important if you cannot remove the dependency on mit-krb5 (in most cases).

Please apply the patch and make your own ebuild.

For more on Samba4 bugs, please have a look at the bug tracker below.

Samba4 unmask bugs tracker.

Option 2: remove the system-wide mit-krb5 and replace it with Heimdal
This might not be as challenging as option 1, but it brings some other challenges.

Remove mit-krb5 dependency
You will need to check which packages depend on mit-krb5.

Remove the kerberos USE flag and recompile these packages,

but leave virtual/krb5-0 untouched; we need it later.

Emerge your new packages with the mit-krb5 dependency removed.

Check that the kerberos USE flag has been removed.

Unmerge mit-krb5
We will now remove mit-krb5.

Emerge heimdal
We can now emerge app-crypt/heimdal kerberos.

Now rebuild all packages which need the Kerberos library.

virtual/krb5-0 was built so that, if a package can compile with either of the Kerberos libraries, we can choose either one.

When done, we can continue to emerge Samba.