Samba/Samba 4 Migration

From Gentoo Wiki
< Samba
Jump to:navigation Jump to:search

This guide introduces the migration of Samba 3 to Samba 4 with LDAP on Gentoo boxes.


  • A working samba 3.6.x NT PDC with LDAP backend(Must be PDC as it will be Promoted to AD)
  • Samba AD DNS Planning
  • Samba AD and DNS understanding
  • LDAP Auth Backend Database (Optional)
  • Python 2.7 as ABI
  • Access Control List (ACL) on file system
  • extended attributes (xattr) on file system
Do not test migration in your production environment. Once a Windows client finds and connects to the new server, it is not possible to go back! the Windows client will never talk to your samba 3 server even if you remove/downgrade the samba 4 Server. So make sure you thoroughly test your migration on a virtual environment and how your clients react before you activate your new server in your production environment!

Samba DNS Planning

  • Moving from samba3 to samba AD is not easy due to the fact that the idea wasn't the same.
  • Samba AD requires you to have a resolvable DNS.
  • MS suggest using a FQDN as an AD Server as it is easily scalable in future.
  • There are some suggestions to use suffixes of .local, .lan .corp but these are bad idea, very bad idea indeed, as we have no understanding what suffixes ICANN will use in future. And having a DNS with that suffix will conflict with the external DNS.

Thus we would hope that you use the following suggestion.

FQDN subdomain DNS setup

Example you own "" and it is hosting by your web hosting company.

FQDN Description main internet address point to your web server. points to webserver ( Public IP Address, by your web hosting company) points to mail server 1 ( Public IP Address, by your web hosting company ) points to mail Server 2 ( Public IP Address, by your web hosting company ) points to smtp server 1 ( Public IP Address, by your web hosting company ) points to smtp server 2 ( Public IP Address, by your web hosting company ) points to smtp server 3 ( Public IP Address, by your web hosting company )

Samba AD and internal subdomain DNS setup

FQDN Description head office subdomain Samba AD FQDN

in the above example:

So the most important setup.

hostname =
AD =


  1. A clear cut on internal and external DNS.
  2. There will not be any conflict between internal and external DNS.
  3. In case if there are Branch Site, the Branch AD FQDN can be another subdomain:
  4. We can also make the subdomain public if needed and that makes this design future proof.

Samba AD DNS setup

Samba AD requires DNS Server to work, so if you have an DNS server running on the same server before, you will need to change it to support Samba or replace it to Samba internal DNS. The choice is yours.

If you would like to run 2 DNS server separately, it will be slightly wasteful as samba's internal DNS provides a DNS forwarding feature, just you need some tweaks.

There are 2 Options in Samba DNS setup.

  • Samba Internal DNS : This is simplest and easier. Configuration using Microsoft DNS Management tools.
  • Bind 9.8/9.8 Server : This is another choice that Samba team provides. If you are currently running Bind DNS, you might prefer this method.

What is Samba AD

Samba AD has the following features

  • Samba file Sharing (the most important)
  • LDAP Server with MS Specified Schema which works as an Active Directory
  • DNS Server which work together with Active Directory
  • Kerberos Server

All 4 features need to run for a successfully deployed Active Directory. If you have been using LDAP Centralize Authentication and Management, you might want to run LDAP from a different virtual machine than current Samba AD until you have migrated all authentication to Samba AD.

Port Usage on the Samba AD[1] [2]

Port Type Description
53 TCP/UDP DNS Server(Bind/Samba) DNS Server port
88 TCP/UDP Kerberos krb5
135 TCP Client/Server Communication
137 UDP Browsing requests of NetBIOS over TCP/IP
138 UDP Browsing datagram responses of NetBIOS over TCP/IP
Common Internet File System (CIFS)
464 TCP/UDP Kerberos kpasswd
1024-5000 TCP Dynamic RPC Ports
3268 TCP Global Cataloge
3269 TCP Global Cataloge (SSL)
5353 TCP/UDP Multicast DNS

Have a look at the following documentation Samba/Active Directory Guide You can choose any of the following:

  • winbind from samba4
  • nslcd/nss-pam-ldapd (a replacement of nss-pam and nss-ldap)
  • sssd (must have mit-krb)

Checking SambaSID for duplication

We will now check for SambaSID duplication You can use the following code which is from the samba ClassUpgrade/HOWTO[3]

# A quick and dirty python script that checks for duplicat SID's using slapcat.
import os
data = os.popen("slapcat | grep sambaSID", 'r')
line = []
def anydup(thelist):
        dups = list(set([x for x in thelist if thelist.count(x) > 1]))
        for i in dups:
                print "Duplicate id: ", i
for each_line in data:

Checking Samba username and groupname for duplication

Unfortunately, there are no program for this. You will have to do it manually.

if you are using smbldap-tools, you can use the following command and manually compare their differences.

root #smbldap-grouplist
root #smbldap-userlist

Due to a bug in smbldap-tools, you probably need >=net-nds/smbldap-tools-0.9.9 [4].

Please help write a python program for this

ACL and xattr support on your Files system

Samba 4 relies heavily on ACL and xattr because of the nature on how Windows controls the file sharing.
Running without these would be like running a windows share server on a FAT32 disk, where users other than owner and some file attributes would not be saved.

Due to the topic and it size, we will move it to another HOWTO. Filesystem/Access Control List Guide

Getting Samba 4

Getting ready before Samba 4

Emerge Samba

For more on Samba 4 bugs please have a look on the bugs tracker below.

bug #489762 Samba 4 unmask bugs tracker.

USE flags for net-fs/samba Samba Suite Version 4

acl Add support for Access Control Lists
addc Enable Active Directory Domain Controller support
ads Enable Active Directory support
ceph Enable support for Ceph distributed filesystem via sys-cluster/ceph
client Enables the client part
cluster Enable support for clustering
cups Add support for CUPS (Common Unix Printing System)
debug Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see
fam Enable FAM (File Alteration Monitor) support
glusterfs Enable support for Glusterfs filesystem via sys-cluster/glusterfs
gpg Use app-crypt/gpgme for AD DC
iprint Enabling iPrint technology by Novell
json Enable json audit support through dev-libs/jansson
ldap Add LDAP support (Lightweight Directory Access Protocol)
llvm-libunwind Use sys-libs/llvm-libunwind instead of sys-libs/libunwind
pam Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
profiling-data Enables support for collecting profiling data
python Add optional support/bindings for the Python language
quota Enables support for user quotas
regedit Enable support for regedit command-line tool
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
snapper Enable vfs_snapper module (requires sys-apps/dbus)
spotlight Enable support for spotlight backend
syslog Enable support for syslog
system-heimdal Use app-crypt/heimdal instead of bundled heimdal.
system-mitkrb5 Use app-crypt/mit-krb5 instead of app-crypt/heimdal.
systemd Enable use of systemd-specific libraries and features like socket activation or session tracking
test Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
unwind Enable libunwind usage for backtraces
winbind Enables support for the winbind auth daemon
zeroconf Support for DNS Service Discovery (DNS-SD)

root #emerge --ask =net-fs/samba-4.1.2

Please wait and allow samba 4 to build.

When it is done we can continue configuration Samba 4.

Migration from Samba 3 to Samba 4 configuration

We will now prepared to do an classic upgrade from samba 3 to samba 4. Before that please run test-parm to make sure all configuration on the samba3 is correct. The migration will fail if it sees some outdated/obsolete config

We assume that you are currently running samba 3.6.x as it compatibility to Samba 4 is better.
root #testparm /etc/samba/smb.conf
Load smb config files from /etc/samba/smb.conf
WARNING: The "password level" option is deprecated
Processing section "[homes]"
WARNING: The "username" option is deprecated

Change or remove any WARNING configuration.
We assume that both old and new server are on the same host. Else you can copy them to another host.

root #scp -r /var/lib/samba/private/ /var/lib/samba/samba3tdb/
root #scp /etc/samba/smb.conf /var/lib/samba/samba3tdb/

Your New host should also have a basic configure like below. Samba-tools migratation requires talking to the ldap server to get your existing information.

FILE /etc/openldap/ldap.conf
BASE   dc=example,dc=com
URI     ldap://ldapServerIpAddress:389/

TLS_REQCERT     allow

If you wish to change the host name of the new server, you can change the netbios name in the Samba3 conf file that you have copied over.


  • Changing netbios name might cause services using existing netbios name to fail. Its effect is huge if your existing infrastructure uses that name widely.
  • However, if your migration is a DC only setup, that means we wouldn't have any share on DC.
  • All shares should than be consolidate to a domain member. Then this member should inherit your existing netbios name.
  • So, you should always change your netbios name.
  • For some reason the Samba 4 classical upgrade tools will fail if you use hostname on the ldap entry. Please change your ldap domain name from dns to ip. Samba Bug 9186[5]

Start migration

Now it is time to stop samba.

root #/etc/init.d/samba stop

And run your migratation. Choose one of the following for different DNS configuration. You can change it later after running.

Samba 4 AD with Bind9 DLZ Module DLZ is for windows client to do dns update to bind9

root #samba-tool domain classicupgrade --dbdir=/var/lib/samba/samba3tdb/ --use-xattrs=yes --dns-backend=BIND9_DLZ /var/lib/samba/samba3tdb/samba3.conf

Samba 4 AD with internal DNS Module

root #samba-tool domain classicupgrade --dbdir=/var/lib/samba/samba3tdb/ --use-xattrs=yes /var/lib/samba/samba3tdb/samba3.conf

You should not see any error message from this command. If you do you will have to re-run the above command again.

Testing of Migration

As said above, Samba AD provides LDAP and DNS, so you have to turn off your slapd and also other DNS if you are using samba internal DNS.

root #samba -i -M single
You might need to change your Administrator password using the following command
root #samba-tool user setpassword Administrator

Smbclient test

root #smbclient //localhost/netlogon -UAdministrator -c 'ls'
Domain=[SAMDOM] OS=[Unix] Server=[Samba 4.x.y]
  .                                   D        0  Tue Dec 11 20:00:00 2012
  ..                                  D        0  Tue Dec 11 20:00:00 2012

Internal Samba DNS setup

If you want to forward DNS to (Google) for all PC clients to the Internet, please setup the following in your new /etc/samba/smb.conf
Also you should also allow dns update from Windows clients to samba DNS.

I don't understand while the time I'm writing this, please add more info
FILE /etc/samba/smb.confadd this line to forward dns
#Samba Internal DNS options
        dns forwarder =
        allow dns updates = nonsecure

Bind DNS DLZ module setup

Having Bind DNZ DLZ working with Samba 4 AD is somewhat simple, but still we need to do the following.

  1. Change of Samba DLZ Module version.
  2. Change the permission on /var/lib/samba/private/ so that named can access
  3. Change /etc/bind/named.conf to include the files inside /var/lib/samba/private/

Change of /var/lib/samba/private/named.conf

Uncomment the proper bind module according to the bind version you have.

root #named -v
BIND 9.9.3-P2 (Extended Support Version)
FILE /var/lib/samba/private/named.conf
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/lib64/samba/bind9/";

    # For BIND 9.9.0
    database "dlopen /usr/lib64/samba/bind9/";

Getting permission on /var/lib/samba/private/

This is tricky but not hard to do, still doubt arises about its security where named needs to access samba private folder, which is default 400.
We will try to use ACL to make life simple (since it is required by default for samba4)

root #setfacl -m u:named:rx /var/lib/samba/private/
root #setfacl -m u:named:rx /var/lib/samba/private/named.*
root #setfacl -m u:named:rwx -R /var/lib/samba/private/dns
root #setfacl -m u:named:rx /var/lib/samba/private/dns*

Change of /etc/bind/named.conf

We now need to make 2 changes in named.conf

You don't need to create any primary zone or reverse zone with your samba sub domain. That will be done automatically

1. Samba gssapi keytab If you follow BIND/Guide put it under "options section"

FILE /etc/bind/named.conf
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

2. Samba4 AD DLZ If you follow BIND/Guide put it under "Internal view/External view"
According to your AD design.

FILE /etc/bind/named.conf
include "/var/lib/samba/private/named.conf";

You are now done; reload bind.

Sub function test

As said before, samba include DNS, ldap and kerberos in a full AD environment.
We will need to do a full test it now.

Before that we need to change our /etc/resolv.conf so that it is using samba DNS. Krb and ldap don't work fully without that.
Set nameserver ip to your new samba server ip. e.g

FILE /etc/resolv.confchange to the following line

DNS sub function test

Your result on the following dns query should be identical or very similar.

root #host -t SRV has SRV record 0 100 88
root #host -t SRV has SRV record 0 100 389
root #host -t A has address

Kerberos Test

There shouldn't be any errors when you get the initial TGT (Ticket Granting Ticket).

root #kinit administrator@HEADOFFICE.COMPANY.COM
root #klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@HEADOFFICE.COMPANY.COM

Valid starting       Expires              Service principal
02/05/2014 03:15:46  02/05/2014 13:15:46  krbtgt/HEADOFFICE.COMPANY.COM@HEADOFFICE.COMPANY.COM
        renew until 02/06/2014 03:15:41

Final setup

Finally we will need to make the following change

FILE /etc/conf.d/sambaChanging to samba4 deamon
# Add "winbind" to the daemon_list if you also want winbind to start.
# Replace "smbd nmbd" by "samba4" if you want the active directory domain controller part or the ntvfs
# file server part or the rpc proxy to start.
# Note that samba4 controls 'smbd' by itself, thus it can't be started manually. You can, however,
# tweak the behaviour of a samba4-controlled smbd by modifying your '/etc/samba/smb.conf' file
# accordingly.


1. Where are my shares after the new migration?

A: They will not be migrated. According to samba design you should have a clean DC (No user shares). You shares should be done by a domain member and you will have to manually move you old share over.
However, you should keep your configurable share as simple as possible and use xAttrs/ACLs to set appropriate permissions.

        path = /var/lib/samba/sysvol/
        read only = No

2. My netlogon is not working...

A: Netlogon script setting from ldap is not being migrated when you move from samba3 PDC to Samba4.
Why? You are advised to use GPO Drive mapping, which in most cases makes the deployment simpler.
Some Examples:

  • Map Network Shared Drive in Group Policy[6]
  • Using Group Policy Preferences to Map Drives Based on Group Membership[7]
  • Windows XP Drive Maps GPO not working[8]

But still if you still want to use netlogon script, you can copy all your existing scripts to the [netlogon] path above.

Make sure to change of your netbios name in your netlogon script if you have changed it during the migration.

Open the AD Users profiles under setting and put the script file name in (without path).

e.g: netlog.bat

You can do it for all users by selecting them all together.

3. My [homes] is not accessible, and I have not changed anything.

A: a basic [homes] share can be as simple as below.

        valid users = %S
        read only = No
        browseable = No

However something is missing, how would the system know your home path?

By default it uses path is read by /etc/nsswitch.conf but as you know our user information is in Samba AD so we can configure nss to winbind, nslcd or sssd.

We will use winbind in this example as it doesn't require an extra package or installation.

But strongly recommend that you have a look on nslcd setup on the link below if you don't have samba on your other linux systems.

Samba/Active Directory Guide

You would have to configure /etc/nsswitch.conf and add winbind to be like the following:

FILE /etc/nsswitch.conf
passwd:      compat winbind
shadow:      compat 
group:       compat winbind
shadow with winbind, that would be a nice to have. In this case we will not need to configure pam to use winbind since shadow information is already provided, but the provided AD can support shadow passwords.

For more about PAM support winbind, please check on the docs below. [9]

With this configuration the system will be able to know the user and group. Use these commands to verify:

root #getent passwd
root #getent group

You might see some strange entry on the password where the path are /home/COMPANY/username which is the cause of why your [homes] don't work. So just tweak smb.conf a bit on winbind under [global] but before any share

FILE /etc/samba/smb.conf
winbind use default domain = Yes
        template homedir = /home/%ACCOUNTNAME%
        template shell = /bin/bash

Restart Samba and run the above command again...

nscd have to be off when you use winbind, as winbind have it own cache and thus caused nscd to be even more delay

See also

  1. Samba/Guide
  2. Centralized authentication using OpenLDAP
  3. BIND/Guide
  4. Samba/Active Directory Guide
  5. Filesystem/Access Control List Guide