Samba/Samba 4 Migration

From Gentoo Wiki
< Samba
Jump to: navigation, search

This guide introduces the migration of Samba 3 to Samba 4 with LDAP on Gentoo boxes.

Pre-requisites

  • A working samba 3.6.x NT PDC with LDAP backend(Must be PDC as it will be Promoted to AD)
  • Samba AD DNS Planning
  • Samba AD and DNS understanding
  • LDAP Auth Backend Database (Optional)
  • Python 2.7 as ABI
  • Access Control List (ACL) on file system
  • extended attributes (xattr) on file system
Warning

Do not test migration in your production environment. Once a Windows client finds and connects to the new server, it is not possible to go back! the Windows client will never talk to your samba 3 server even if you remove/downgrade the samba 4 Server. So make sure you thoroughly test your migration on a virtual environment and how your clients react before you activate your new server in your production environment!

Samba DNS Planning

  • Moving from samba3 to samba AD is not easy due to the fact that the idea wasn't the same.
  • Samba AD requires you to have a resolvable DNS.
  • MS suggest using a FQDN as an AD Server as it is easily scalable in future.
  • There are some suggestions to use suffixes of .local, .lan .corp but these are bad idea, very bad idea indeed, as we have no understanding what suffixes ICANN will use in future. And having a DNS with that suffix will conflict with the external DNS.

Thus we would hope that you use the following suggestion.

FQDN subdomain DNS setup

Example you own "company.com" and it is hosting by your web hosting company.

FQDN Description
company.com. main internet address point to your web server.
www.company.com. points to webserver ( Public IP Address, by your web hosting company)
mail01.company.com. points to mail server 1 ( Public IP Address, by your web hosting company )
mail02.company.com. points to mail Server 2 ( Public IP Address, by your web hosting company )
smtp1.company.com. points to smtp server 1 ( Public IP Address, by your web hosting company )
smtp2.company.com. points to smtp server 2 ( Public IP Address, by your web hosting company )
smtp3.company.com. points to smtp server 3 ( Public IP Address, by your web hosting company )

Samba AD and internal subdomain DNS setup

FQDN Description
headoffice.location1.company.com. head office subdomain
samba4-1.headoffice.location1.company.com. Samba AD FQDN

in the above example:
NETBIOS NAME: HEADOFFICE

So the most important setup.

hostname = samba4-1.headoffice.company.com
AD = headoffice.company.com
REALM = HEADOFFICE.COMPANY.COM
DOMAINNAME ( NT Style ) COMPANY

Benefits

  1. A clear cut on internal and external DNS.
  2. There will not be any conflict between internal and external DNS.
  3. In case if there are Branch Site, the Branch AD FQDN can be another subdomain: samba4-2.branch_CA.company.com.
  4. We can also make the subdomain public if needed and that makes this design future proof.

Samba AD DNS setup

Samba AD requires DNS Server to work, so if you have an DNS server running on the same server before, you will need to change it to support Samba or replace it to Samba internal DNS. The choice is yours.

If you would like to run 2 DNS server separately, it will be slightly wasteful as samba's internal DNS provides a DNS forwarding feature, just you need some tweaks.

There are 2 Options in Samba DNS setup.

  • Samba Internal DNS : This is simplest and easier. Configuration using Microsoft DNS Management tools.
  • Bind 9.8/9.8 Server : This is another choice that Samba team provides. If you are currently running Bind DNS, you might prefer this method.

What is Samba AD

Samba AD has the following features

  • Samba file Sharing (the most important)
  • LDAP Server with MS Specified Schema which works as an Active Directory
  • DNS Server which work together with Active Directory
  • Kerberos Server

All 4 features need to run for a successfully deployed Active Directory. If you have been using LDAP Centralize Authentication and Management, you might want to run LDAP from a different virtual machine than current Samba AD until you have migrated all authentication to Samba AD.

Port Usage on the Samba AD[1] [2]

Port Type Description
53 TCP/UDP DNS Server(Bind/Samba) DNS Server port
88 TCP/UDP Kerberos krb5
135 TCP Client/Server Communication
137 UDP Browsing requests of NetBIOS over TCP/IP
138 UDP Browsing datagram responses of NetBIOS over TCP/IP
139,445
445
TCP
UDP
Common Internet File System (CIFS)
389 TCP/UDP LDAP
464 TCP/UDP Kerberos kpasswd
636 TCP/UDP LDAP (SSL)
1024-5000 TCP Dynamic RPC Ports
3268 TCP Global Cataloge
3269 TCP Global Cataloge (SSL)
5353 TCP/UDP Multicast DNS

Have a look at the following documentation Samba/Active Directory Guide You can choose any of the following:

  • winbind from samba4
  • nslcd/nss-pam-ldapd (a replacement of nss-pam and nss-ldap)
  • sssd (must have mit-krb)

Python 2.7 ABI

Run the following command to check if python2.7 is ABI

root #eselect python list
Available Python interpreters:
  [1]   python2.7 *
  [2]   python3.2

If the python2.7 is not selected, run the following command

root #eselect python set 1

Checking SambaSID for duplication

We will now check for SambaSID duplication You can use the following code which is from the samba ClassUpgrade/HOWTO[3]

CODE
#!/usr/bin/python
# A quick and dirty python script that checks for duplicat SID's using slapcat.
import os
 
data = os.popen("slapcat | grep sambaSID", 'r')
line = []
 
def anydup(thelist):
        dups = list(set([x for x in thelist if thelist.count(x) > 1]))
        for i in dups:
                print "Duplicate id: ", i
 
for each_line in data:
        line.append(each_line.strip())
 
anydup(line)

Checking Samba username and groupname for duplication

Unfortunately, there are no program for this. You will have to do it manually.

if you are using smbldap-tools, you can use the following command and manually compare their differences.

root #smbldap-grouplist
root #smbldap-userlist

Due to a bug in smbldap-tools, you probably need >=net-nds/smbldap-tools-0.9.9 [4].

Note
Please help write a python program for this

ACL and xattr support on your Files system

Samba 4 relies heavily on ACL and xattr because of the nature on how Windows controls the file sharing.
Running without these would be like running a windows share server on a FAT32 disk, where users other than owner and some file attributes would not be saved.

Due to the topic and it size, we will move it to another HOWTO. Filesystem/Access Control List Guide

Getting Samba 4

Getting ready before Samba 4

There are two options to get Samba 4 compiled; just choose the one that you preferred.
There isn't much different in usage, just the way of getting it.

Options 1, internal heimdal (Need to create customized ebuild)

Samba 4 is already in portage, however it is still masked and there are some bugs related to it.
A few of them are affecting us. Make the patch in and run your ebuild.

  1. bug #490872 Mit-krb5 conflict with hemidal issue, resolve using internal hemidal library.

This bugs are very important as you might have difficult on removing the need of mit-krb5 (in most case)
Please apply this patch and make your own ebuild.

Note
Unless if this bugs had been agreed and are check-in to gentoo main portage. You will need to maintain this extra ebuild until this bugs is fixed.
root #mkdir -p /usr/local/portage/net-fs/samba/
root #cd /usr/local/portage/net-fs/samba/
root #cp -avr /usr/portage/net-fs/samba/samba-4.1.2.*
root #cp -avr /usr/portage/net-fs/samba/files files/

download the patch from Bug 490872 that fits your version save it as patch. Apply the patch, any way you like.

root #patch -p patch

rebuild ebuild Manifest, it will download samba source and checksum it.

root #ebuild samba-4.1.2.ebuild Manifest
Special USE flag
USE flag Description
bi_heimdal Use Build in heimdal library

Please add this extra USE flag

FILE /etc/portage/package.useadd this extra useflag, for example
net-fs/samba bi_heimdal ads addns cluster winbind quota syslog fam

Continue to Emerge Samba

Options 2, Remove system wide mit-krb5 and replace with heimdal

This might not be as challenge as compare to option 1 but there are some other challenge.

Note
If you face the following:

kernel: traps: getent[3691] general protection ip:7fd9b7a229f8 sp:a7e5ddc470aa4ca0 error:0 in ld-2.16.so[7fd9b7a0c000+21000]
It Can only temporary fix it by removing all ldap in /etc/nsswitch.conf
This issue is fixed with the latest nss_ldap-265-r2
Please unmask it and emerge it manually or switch to nss-pam-ldapd which is preferred.

Remove mit-krb5 dependency

You will need to to check which packages are dependent on mit-krb5

root #equery d mit-krb5
 * These packages depend on mit-krb5:
dev-libs/openssl-1.0.1e-r1 (kerberos ? app-crypt/mit-krb5)
net-libs/c-client-2007f-r4 (kerberos ? app-crypt/mit-krb5)
virtual/krb5-0 (app-crypt/mit-krb5)

Remove the kerberos useflag and recompile these packages
but leave virtual/krb5-0 untouched; we need that later.

FILE /etc/portage/package.useExample adding openssl and c-client
dev-libs/openssl -kerberos
net-libs/c-client -kerberos

Emerge your new package with mit-krb5 dependency removed.

root #emerge --ask --newuse --verbose openssl c-client

Check if the kerberos USE flag has be removed.

Unmerge mit-krb5

We will now remove mit-krb.

Warning
if you skip the above steps, some systems will not be respond
root #emerge --ask --unmerge mit-krb5
Emerge heimdal

Due to the new virtual-krb5 required new masked version of heimdal which is masked for amd64, you will need to make some changes. to portage.keyword

FILE /etc/portage/package.keywordsadd heimdal version to unmask, for example
=app-crypt/heimdal-1.5.3-r2 ~amd64

We can now emerge app-crypt/heimdal kerberos.

root #emerge --ask app-crypt/heimdal

Now rebuild all package which need kerberos library.
virtual/krb5-0 was the build so that if a package can compile with either of the kerberos library, we can choose either one.

root #revdep-rebuild

When done we can continue to Emerge Samba.

Emerge Samba

For more on Samba 4 bugs please have a look on the bugs tracker below.

bug #489762 Samba 4 unmask bugs tracker.

Cannot load package information. Is the atom net-fs/samba correct?

Unmasking Samba 4

Before this let's unmask samba 4

FILE /etc/portage/package.unmaskadd this line in
=net-fs/samba-4.1.2
root #emerge --ask =net-fs/samba-4.1.2

Please wait and allow samba 4 to build.

When it is done we can continue configuration Samba 4.

Migration from Samba 3 to Samba 4 configuration

We will now prepared to do an classic upgrade from samba 3 to samba 4. Before that please run test-parm to make sure all configuration on the samba3 is correct. The migration will fail if it sees some outdated/obsolete config

Note
We assume that you are currently running samba 3.6.x as it compatibility to Samba 4 is better.
root #testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
WARNING: The "password level" option is deprecated
Processing section "[homes]"
WARNING: The "username" option is deprecated

Change or remove any WARNING configuration.
We assume that both old and new server are on the same host. Else you can copy them to another host.

root #scp -r /var/lib/samba/private/ /var/lib/samba/samba3tdb/
root #scp /etc/samba/smb.conf /var/lib/samba/samba3tdb/

Your New host should also have a basic configure like below. Samba-tools migratation requires talking to the ldap server to get your existing information.

FILE /etc/openldap/ldap.conf
BASE   dc=example,dc=com
URI     ldap://ldapServerIpAddress:389/

TLS_REQCERT     allow

If you wish to change the host name of the new server, you can change the netbios name in the Samba3 conf file that you have copied over.

Note

  • Changing netbios name might cause services using existing netbios name to fail. Its effect is huge if your existing infrastructure uses that name widely.
  • However, if your migration is a DC only setup, that means we wouldn't have any share on DC.
  • All shares should than be consolidate to a domain member. Then this member should inherit your existing netbios name.
  • So, you should always change your netbios name.
  • For some reason the Samba 4 classical upgrade tools will fail if you use hostname on the ldap entry. Please change your ldap domain name from dns to ip. Samba Bug 9186[5]

Start migration

Now it is time to stop samba.

root #/etc/init.d/samba stop

And run your migratation. Choose one of the following for different DNS configuration. You can change it later after running.

Samba 4 AD with Bind9 DLZ Module DLZ is for windows client to do dns update to bind9

root #samba-tool domain classicupgrade --dbdir=/var/lib/samba/samba3tdb/ --use-xattrs=yes --realm=headoffice.location1.company.com --dns-backend=BIND9_DLZ /var/lib/samba/samba3tdb/samba3.conf

Samba 4 AD with internal DNS Module

root #samba-tool domain classicupgrade --dbdir=/var/lib/samba/samba3tdb/ --use-xattrs=yes --realm=headoffice.location1.company.com /var/lib/samba/samba3tdb/samba3.conf

You should not see any error message from this command. If you do you will have to re-run the above command again.

Testing of Migration

As said above, Samba AD provides LDAP and DNS, so you have to turn off your slapd and also other DNS if you are using samba internal DNS.

root #samba -i -M single
Note
You might need to change your Administrator password using the following command
root #samba-tool user setpassword Administrator

Smbclient test

root #smbclient //localhost/netlogon -UAdministrator -c 'ls'
Domain=[SAMDOM] OS=[Unix] Server=[Samba 4.x.y]
  .                                   D        0  Tue Dec 11 20:00:00 2012
  ..                                  D        0  Tue Dec 11 20:00:00 2012

Internal Samba DNS setup

If you want to forward DNS to 8.8.8.8 (Google) for all PC clients to the Internet, please setup the following in your new /etc/samba/smb.conf
Also you should also allow dns update from Windows clients to samba DNS.

Note
I don't understand while the time I'm writing this, please add more info
FILE /etc/samba/smb.confadd this line to forward dns
#Samba Internal DNS options
        dns forwarder = 8.8.8.8
        allow dns updates = nonsecure

Bind DNS DLZ module setup

Having Bind DNZ DLZ working with Samba 4 AD is somewhat simple, but still we need to do the following.

  1. Change of Samba DLZ Module version.
  2. Change the permission on /var/lib/samba/private/ so that named can access
  3. Change /etc/bind/named.conf to include the files inside /var/lib/samba/private/

Change of /var/lib/samba/private/named.conf

Uncomment the proper bind module according to the bind version you have.

root #named -v
BIND 9.9.3-P2 (Extended Support Version)
FILE /var/lib/samba/private/named.conf
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/lib64/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    database "dlopen /usr/lib64/samba/bind9/dlz_bind9_9.so";
};

Getting permission on /var/lib/samba/private/

This is tricky but not hard to do, still doubt arises about its security where named needs to access samba private folder, which is default 400.
We will try to use ACL to make life simple (since it is required by default for samba4)

root #setfacl -m u:named:rx /var/lib/samba/private/
root #setfacl -m u:named:rx /var/lib/samba/private/named.*
root #setfacl -m u:named:rwx -R /var/lib/samba/private/dns
root #setfacl -m u:named:rx /var/lib/samba/private/dns*

Change of /etc/bind/named.conf

We now need to make 2 changes in named.conf

Note
You don't need to create any primary zone or reverse zone with your samba sub domain. That will be done automatically

1. Samba gssapi keytab If you follow BIND/Guide put it under "options section"

FILE /etc/bind/named.conf
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

2. Samba4 AD DLZ If you follow BIND/Guide put it under "Internal view/External view"
According to your AD design.

FILE /etc/bind/named.conf
include "/var/lib/samba/private/named.conf";

You are now done; reload bind.

Sub function test

As said before, samba include DNS, ldap and kerberos in a full AD environment.
We will need to do a full test it now.

Before that we need to change our /etc/resolv.conf so that it is using samba DNS. Krb and ldap don't work fully without that.
Set nameserver ip to your new samba server ip. e.g 192.168.0.10.

FILE /etc/resolv.confchange to the following line
search headoffice.company.com
nameserver 192.168.0.10

DNS sub function test

Your result on the following dns query should be identical or very similar.

root #host -t SRV _kerberos._udp.headoffice.company.com.
_kerberos._udp.headoffice.company.com has SRV record 0 100 88 samba4-1.headoffice.company.com.
root #host -t SRV _ldap._tcp.headoffice.company.com.
_ldap._tcp.headoffice.company.com has SRV record 0 100 389 samba4-1.headoffice.company.com.
root #host -t A samba4-1.headoffice.company.com.
samba4-1.headoffice.company.com has address 192.168.0.10

Kerberos Test

There shouldn't be any errors when you get the initial TGT (Ticket Granting Ticket).

root #kinit administrator@HEADOFFICE.COMPANY.COM
Password:
root #klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@HEADOFFICE.COMPANY.COM

Valid starting       Expires              Service principal
02/05/2014 03:15:46  02/05/2014 13:15:46  krbtgt/HEADOFFICE.COMPANY.COM@HEADOFFICE.COMPANY.COM
        renew until 02/06/2014 03:15:41

Final setup

Finally we will need to make the following change

FILE /etc/conf.d/sambaChanging to samba4 deamon
# Add "winbind" to the daemon_list if you also want winbind to start.
# Replace "smbd nmbd" by "samba4" if you want the active directory domain controller part or the ntvfs
# file server part or the rpc proxy to start.
# Note that samba4 controls 'smbd' by itself, thus it can't be started manually. You can, however,
# tweak the behaviour of a samba4-controlled smbd by modifying your '/etc/samba/smb.conf' file
# accordingly.
daemon_list="samba4"

FAQ

1. Where are my shares after the new migration?

A: They will not be migrated. According to samba design you should have a clean DC (No user shares). You shares should be done by a domain member and you will have to manually move you old share over.
However, you should keep your configurable share as simple as possible and use xAttrs/ACLs to set appropriate permissions.
E.g.

CODE
[netlogon]
        path = /var/lib/samba/sysvol/headoffice.company.com/scripts
        read only = No


2. My netlogon is not working...

A: Netlogon script setting from ldap is not being migrated when you move from samba3 PDC to Samba4.
Why? You are advised to use GPO Drive mapping, which in most cases makes the deployment simpler.
Some Examples:

  • Map Network Shared Drive in Group Policy[6]
  • Using Group Policy Preferences to Map Drives Based on Group Membership[7]
  • Windows XP Drive Maps GPO not working[8]

But still if you still want to use netlogon script, you can copy all your existing scripts to the [netlogon] path above.

Note
Make sure to change of your netbios name in your netlogon script if you have changed it during the migration.

Open the AD Users profiles under setting and put the script file name in (without path).

e.g: netlog.bat

You can do it for all users by selecting them all together.


3. My [homes] is not accessible, and I have not changed anything.

A: a basic [homes] share can be as simple as below.

CODE
[homes]
        valid users = %S
        read only = No
        browseable = No

However something is missing, how would the system know your home path?

By default it uses path is read by /etc/nsswitch.conf but as you know our user information is in Samba AD so we can configure nss to winbind, nslcd or sssd.

We will use winbind in this example as it doesn't require an extra package or installation.

But strongly recommend that you have a look on nslcd setup on the link below if you don't have samba on your other linux systems.

Samba/Active Directory Guide

You would have to configure /etc/nsswitch.conf and add winbind to be like the following:

FILE /etc/nsswitch.conf
passwd:      compat winbind
shadow:      compat 
group:       compat winbind
Note
shadow with winbind, that would be a nice to have. In this case we will not need to configure pam to use winbind since shadow information is already provided, but the provided AD can support shadow passwords.

For more about PAM support winbind, please check on the docs below. [9]

With this configuration the system will be able to know the user and group. Use these commands to verify:

root #getent passwd
root #getent group

You might see some strange entry on the password where the path are /home/COMPANY/username which is the cause of why your [homes] don't work. So just tweak smb.conf a bit on winbind under [global] but before any share

FILE /etc/samba/smb.conf
winbind use default domain = Yes
        template homedir = /home/%ACCOUNTNAME%
        template shell = /bin/bash

Restart Samba and run the above command again...

Warning
nscd have to be off when you use winbind, as winbind have it own cache and thus caused nscd to be even more delay

See also

  1. Samba/Guide
  2. Centralized authentication using OpenLDAP
  3. BIND/Guide
  4. Samba/Active Directory Guide
  5. Filesystem/Access Control List Guide

References

  1. Samba Port Usage
  2. Microsoft Port Assignments for Commonly-Used Services
  3. Samba classicupgrade/HOWTO
  4. Debian Bug #691329
  5. Samba Bug 9186
  6. Map Network Shared Drive in Group Policy
  7. Using Group Policy Preferences to Map Drives Based on Group Membership
  8. Windows XP Drive Maps GPO not working
  9. Samba4/Winbind