Migrating from Samba3-NT4 to Samba-AD

This documentation describes how to migrate a Samba NT4-style PDC to a Samba Active Directory domain controller.

The NT4 domain type, also called classic in the Samba documentation, refers to the old operating mode that emulated a Windows NT4 domain controller.

A Samba 4.x server can also run in NT4 mode; the migration procedure is the same in that case.

Preparing Samba-AD Active Directory

Install the new machine with a basic Debian 64-bit system by following the Samba-AD installation documentation.

Note

In this documentation, it is assumed:

  • That the Samba3-NT4 domain controller uses OpenLDAP as backend.

  • That the existing Samba3-NT4 server is called samba3.

  • That the new Debian Stretch 64-bit server you just installed by following the Samba-AD installation documentation is called srvads, and that the target forest and domain functional level is 2008R2.

  • That the domain is called mydomain.lan.

In the instructions below, you will replace mydomain.lan with your own domain name and srvads with the machine name of your choice.

Installing additional software libraries for the migration

apt-get install python-ldap libldap2-dev

Migrating the Samba-NT4 user base

Transferring data from Samba3-NT4 to Samba-AD

  • Create the directory /root/samba3 on srvads:

    mkdir /root/samba3
    
  • Stop the samba service on samba3 and transfer the directory contents from samba3 to srvads:

    /etc/init.d/samba stop
    rsync -aP /var/lib/samba/private/secrets.tdb root@IPsrvads:/root/samba3/
    rsync -aP /etc/samba/smb.conf root@IPsrvads:/root/samba3/
    

    where IPsrvads is the IP address of your new Samba-AD server.

  • On srvads, edit the file /root/samba3/smb.conf and replace the server name if needed:

    netbios name = <srvads>
    

Migrating from Samba3-NT4 to Samba-AD

  • Import the machine accounts and user accounts:

    samba-tool domain samba3upgrade --dbdir=/root/samba3/ --realm=MYDOMAIN.LAN /root/samba3/smb.conf

Hint

Possible errors during the import:

  • Unable to connect to LDAP. In /root/samba3/smb.conf, if the LDAP connection points to 127.0.0.1 (which on srvads is no longer the OpenLDAP server), replace it with the IP address of samba3.

  • Duplicate SID.

  • Unable to retrieve the UID. Check that the user in question has its POSIX attributes and correct the entry if necessary (manually or by script).

  • Old reference to a BDC domain controller that no longer exists: delete the entry.

  • Groups and users with the same name: delete or rename one of the two.

Adjusting post-configuration

  • On srvads, add the DNS forwarder in the file /etc/samba/smb.conf:

    dns forwarder = 8.8.8.8
    
  • On srvads, delete the following line from /etc/samba/smb.conf:

    idmap_ldb:use rfc2307 = yes
    
  • When the packages are installed, the Samba service is started automatically as a plain file server. The easiest way to restart it in its new role as a domain controller is to reboot the server:

    reboot
    
  • Edit /etc/resolv.conf so that the server uses its own DNS service:

    search mydomain.lan
    nameserver 127.0.0.1
    
  • Check that the DNS entries are correct:

    dig @127.0.0.1 srvads.mydomain.lan
    dig -t SRV @127.0.0.1 _ldap._tcp.mydomain.lan # (must return the machine srvads.mydomain.lan)
    dig @127.0.0.1 google.fr
    
  • Then configure the NTP service.

  • Reconfigure /etc/nsswitch.conf on the servers that use nss_ldap so that they use nss_winbind instead.

  • Add the forward and reverse DNS entries of all the servers in the network.
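The smb.conf edits this procedure asks for by hand (the netbios name and the loopback LDAP address in the copied NT4 config, then the dns forwarder and the idmap_ldb:use rfc2307 line on srvads) are easy to get wrong on a long file. The following script, an added example that is not part of the original page or of the Samba project, applies and reports those edits; the two sample configs, the IP 192.0.2.10 and the function names are constructed for illustration.

```python
"""Apply the smb.conf edits called for by the Samba3-NT4 -> Samba-AD migration."""
import re

# Constructed sample: the NT4 smb.conf as copied from samba3 to /root/samba3/
NT4_CONF = """[global]
    workgroup = MYDOMAIN
    netbios name = SAMBA3
    passdb backend = ldapsam:ldap://127.0.0.1
    ldap suffix = dc=mydomain,dc=lan
"""
# Constructed sample: /etc/samba/smb.conf as samba3upgrade writes it on srvads
AD_CONF = """[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.LAN
    netbios name = SRVADS
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
"""
_PARAM = re.compile(r"^(\s*)([^=;#]+?)\s*=\s*(.*)$")  # "key = value" lines only
_LOOPBACK = re.compile(r"ldap://(127\.0\.0\.1|localhost)")

def fix_nt4_conf(text, samba3_ip, new_name):
    """Prepare the copied NT4 config: on srvads, 127.0.0.1 is no longer the
    OpenLDAP server, so point the backend at samba3; set the new netbios name."""
    out, notes = [], []
    for line in text.splitlines():
        m = _PARAM.match(line)
        if m:
            indent, key, val = m.group(1), m.group(2), m.group(3)
            if key.lower() == "passdb backend" and _LOOPBACK.search(val):
                val = _LOOPBACK.sub(f"ldap://{samba3_ip}", val)
                notes.append(f"passdb backend pointed at loopback; now uses {samba3_ip}")
            elif key.lower() == "netbios name" and val.upper() != new_name.upper():
                notes.append(f"netbios name {val} changed to {new_name}")
                val = new_name
            line = f"{indent}{key} = {val}"
        out.append(line)
    return "\n".join(out) + "\n", notes

def fix_ad_conf(text, forwarder):
    """Post-configuration on srvads: drop idmap_ldb:use rfc2307 and make sure
    exactly one dns forwarder is set under [global]."""
    out, has_forwarder = [], False
    for line in text.splitlines():
        m = _PARAM.match(line)
        key = m.group(2).lower() if m else None
        if key == "idmap_ldb:use rfc2307":
            continue                      # the line the page says to delete
        has_forwarder = has_forwarder or key == "dns forwarder"
        out.append(line)
    if not has_forwarder:
        idx = next(i for i, l in enumerate(out) if l.strip().lower() == "[global]")
        out.insert(idx + 1, f"    dns forwarder = {forwarder}")
    return "\n".join(out) + "\n"
```

Run fix_nt4_conf on /root/samba3/smb.conf before samba3upgrade and fix_ad_conf on /etc/samba/smb.conf before the reboot; the notes list tells you what was changed.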