Migrating a Samba3 NT4 Domain to Samba AD


Migrating a Samba NT4 domain to Samba Active Directory

Contents
  1 Summary
  2 Introduction
  3 Migration guide
    3.1 Previous steps
    3.2 About the infrastructure used in the migration
    3.3 Executing the migration
    3.4 Integrating AD into the existing infrastructure
      3.4.1 IP change
      3.4.2 DNS server integration
  4 Sources

Summary
Migration of an NT4 domain running on Samba3 to an AD domain on Samba4, and its integration into
the existing infrastructure so that the server change is transparent to the clients.

Introduction
Samba4 makes it possible to run an Active Directory domain on Linux servers. The most common
problem is migrating an existing NT4 domain with hundreds of joined clients to an AD domain as
transparently as possible for each client. With this guide you do not even have to change the DNS
server configured on each client. The keys are changing the server IP, so that the new DC takes
over the address of the old PDC, and integrating the DNS domain minsal.psalud.gob.sv as a
subdomain (a slave zone) within the psalud.gob.sv domain of the existing infrastructure.
Migration guide
Previous steps
- The system locale (charset) is configured correctly, which in practice means "whatever your
environment expects". In my case I configured es_SV.UTF-8, as explained here.

- Update the system before installing: aptitude on Debian Jessie resolves dependencies badly
when the system is out of date.

About the infrastructure used in the migration


Executing the migration
AD server

We create a directory on the AD server to hold the files that make up the Samba3 NT4 domain:

mkdir /var/lib/samba3tdb/

We transfer those files to the AD server. In the example the commands are run on the AD server,
pulling from the PDC:

scp -r [email protected]:/var/lib/samba/* /var/lib/samba3tdb/
scp -r [email protected]:/etc/samba/* /var/lib/samba3tdb/

Bear in mind that secrets.tdb, passdb.tdb (if used) and the other databases contain NT password
hashes and the domain's machine trust secrets. scp keeps them encrypted in transit, but keep the
copy readable only by root and delete it once the migration has been verified.

We install the packages we need:

aptitude install samba smbclient bind9 bind9-host krb5-user ntp

We make sure Samba is not running:

systemctl stop samba-ad-dc.service

Seriously, make sure no related service is running either (on Debian the samba package tries to
start as a Samba3-style file server, i.e. smbd and nmbd):

systemctl stop smbd.service
systemctl stop nmbd.service
systemctl disable nmbd.service
systemctl disable smbd.service

The installation created some files that we do not want in the form they were configured by
default:

rm /etc/samba/smb.conf
rm -r /var/lib/samba/private/*tdb

PDC server

On the old server we stop the Samba service and remove it from system startup, to be safe:

service samba stop
update-rc.d samba disable
AD server

Part of the configuration the domain needs is read from the /etc/samba/smb.conf we brought over
from the PDC (now at /var/lib/samba3tdb/smb.conf). Before running the upgrade, verify two things
in it:

- netbios name matches the host name of the AD server. In this case the server is called ad:

netbios name = ad

- passdb backend refers to an IP at which the PDC's LDAP server can be reached from the AD server.
Only Samba was stopped on the PDC; slapd must keep running, because classicupgrade reads the
users, groups and machine accounts from it:

passdb backend = ldapsam:ldap://10.30.20.49
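The checks above are easy to get wrong by eye in a long smb.conf, so here is an added pre-flight script (not part of the original guide) that parses the copied file, compares the netbios name with the host name, extracts the LDAP host from the passdb backend and checks that it accepts connections on 389, and confirms that no Samba service is still running. It assumes the config path is passed as the first argument, that nc (netcat) and systemctl are available, and that port 389 is the LDAP port in use; the sample smb.conf it can write is constructed for trying the parser out, not the PDC's real file.

```shell
#!/bin/sh
# Pre-flight checks on the Samba3 smb.conf before running classicupgrade.
# Added example, not from the original guide. Assumes: $1 is the copied
# smb.conf (the guide uses /var/lib/samba3tdb/smb.conf), nc and systemctl
# exist, and the PDC's LDAP server listens on TCP 389.

# Print the value of a [global] parameter. Keys are case-insensitive and
# internal whitespace is collapsed, so "NetBIOS  Name" finds "netbios name".
smbconf_value() {  # smbconf_value <smb.conf> <parameter>
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        BEGIN { gsub(/[ \t]+/, " ", want) }
        /^[ \t]*[;#]/ { next }                         # comment line
        /^[ \t]*\[/   { inglobal = ($0 ~ /^[ \t]*\[[Gg]lobal\][ \t]*$/); next }
        inglobal && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/[ \t]+/, " ", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == want) { print val; exit }
        }' "$1"
}

# Host part of an LDAP passdb backend such as "ldapsam:ldap://10.30.20.49"
# (the last URL if several are listed); empty if the backend is not LDAP.
ldap_host_from_backend() {  # ldap_host_from_backend <passdb backend value>
    printf '%s\n' "$1" | sed -n 's#.*ldaps\{0,1\}://\([^/:" ]*\).*#\1#p'
}

# 0 if the configured netbios name equals <hostname> (NetBIOS names are
# case-insensitive), 1 if it differs or is unset.
netbios_matches() {  # netbios_matches <smb.conf> <hostname>
    nb=$(smbconf_value "$1" "netbios name" | tr 'A-Z' 'a-z')
    hn=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$nb" ] && [ "$nb" = "$hn" ]
}

# 0 if TCP <port> on <host> accepts a connection within 3 seconds (uses nc).
tcp_reachable() {  # tcp_reachable <host> <port>
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Run every check against a copied smb.conf; returns the number of failures.
preflight() {  # preflight <smb.conf>
    conf=$1; fails=0
    if netbios_matches "$conf" "$(hostname -s)"; then
        echo "ok   netbios name matches $(hostname -s)"
    else
        echo "FAIL netbios name '$(smbconf_value "$conf" 'netbios name')' != $(hostname -s)"
        fails=$((fails + 1))
    fi
    backend=$(smbconf_value "$conf" "passdb backend")
    host=$(ldap_host_from_backend "$backend")
    if [ -n "$host" ]; then
        if tcp_reachable "$host" 389; then
            echo "ok   LDAP server $host:389 reachable"
        else
            echo "FAIL LDAP server $host:389 not reachable (is slapd still running on the PDC?)"
            fails=$((fails + 1))
        fi
    else
        echo "info passdb backend is '$backend' (not LDAP); the tdb files in --dbdir will be used"
    fi
    for svc in samba-ad-dc smbd nmbd winbind; do
        if systemctl is-active --quiet "$svc" 2>/dev/null; then
            echo "FAIL $svc is still running; stop it before classicupgrade"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample resembling the PDC's smb.conf, for trying the parser out.
write_sample_conf() {  # write_sample_conf <path>
    cat > "$1" <<'EOF'
[global]
   workgroup = PSALUD.GOB.SV
   ; the NetBIOS name must be the AD server's host name
   netbios name = ad
   passdb backend = ldapsam:ldap://10.30.20.49
   security = user
[netlogon]
   path = /var/lib/samba/netlogon
EOF
}

# Usage: sh preflight.sh /var/lib/samba3tdb/smb.conf   (exit status = failures)
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

To see it work without touching the real config, write the sample and point the script at it: `write_sample_conf` is there for that purpose, and the netbios check will fail on any host not called ad, which is exactly the mistake it is meant to catch.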

The migration command is:

samba-tool domain classicupgrade --dbdir=/var/lib/samba3tdb/ --use-xattrs=yes --realm=minsal.psalud.gob.sv --dns-backend=BIND9_DLZ /var/lib/samba3tdb/smb.conf --verbose

--use-xattrs=yes stores the NT ACLs of sysvol in extended attributes, so the filesystem holding
/var/lib/samba must support them (user_xattr, the default on ext4). In the more recent Debian
versions the command above has a bug: it writes winbindd instead of winbind in server services,
which has to be corrected by hand. In general the resulting configuration file is very short and
simple, something like the following:

# Global parameters
[global]
        workgroup = SALUD.GOB.SV
        realm = minsal.salud.gob.sv
        netbios name = AD
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/minsal.salud.gob.sv/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No
If you need to restart the process because of errors such as duplicate SIDs or duplicate
user/group names, remove what the aborted run left behind with:

rm -r /var/lib/samba/sysvol/*
rm -r /var/lib/samba/private/*ldb
rm -r /var/lib/samba/private/sam.ldb.d/*
rm -r /var/lib/samba/private/dns/sam.ldb.d/*
rm -r /var/lib/samba/private/smbd.tmp/*
rm /etc/samba/smb.conf

With --verbose we get an enormous amount of output that may be worth saving; however, buried in it
is a fragment with extremely sensitive information that is easy to overlook:

Admin password: 3g6cgvKP&WCM5gh
Server Role: active directory domain controller
Hostname: ad
NetBIOS Domain: PSALUD.GOB.SV
DNS Domain: minsal.psalud.gob.sv
DOMAIN SID: S-1-5-21-1048629412-387374047-4087719091

That is the password classicupgrade generated for the new domain Administrator account. If you
redirect the verbose output to a file, treat that file as a secret, and change the password once
the migration has been verified (samba-tool user setpassword Administrator). Note also that the
domain SID is the one from the NT4 domain: keeping it is what keeps the existing user and group
SIDs valid and makes the migration transparent to the clients.

We check the version of bind9 installed (9.9.5 on Debian Jessie) and verify that the matching
DLZ library is the one referenced in /var/lib/samba/private/named.conf:

database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

Then we configure bind9 with the following file; other changes you consider necessary are of
course possible. Two things to keep in mind: for the dynamic (DLZ) zone to work, BIND must run on
the same machine as Samba, and the queries Windows clients send for the AD records are
non-recursive, so the DNS server the clients use must answer for the zone authoritatively (which
is what the slave zone set up later provides).

cat << CONF > /etc/bind/named.conf
# Global Bind configuration options
include "/var/lib/samba/private/named.conf";
options {
        auth-nxdomain yes;
        directory "/var/lib/bind/";
        notify no;
        empty-zones-enable no;
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

        allow-query {
                127.0.0.1;
                192.168.2.0/24;
                # add the networks your clients and the secondary DNS server sit in
        };
        allow-recursion {
                192.168.2.0/24;
                # add other networks you want to allow to do recursive queries
        };

        forwarders {
                # upstream resolver of the existing infrastructure; replace with your own
                192.168.2.4;
        };

        allow-transfer {
                # this config is for a single master DNS server
                none;
        };
};

# Required localhost forward/reverse zones
zone "localhost" {
        type master;
        file "master/localhost.zone";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "master/0.0.127.zone";
};
CONF

We create the directory for the first zones:

mkdir /var/lib/bind/master

The localhost zone referenced in the file above. Because the heredoc delimiter is unquoted, the
shell would expand $TTL and $ORIGIN to nothing, so the dollar signs are escaped:

cat << CONF > /var/lib/bind/master/localhost.zone
\$TTL 3D
\$ORIGIN localhost.

@       1D      IN      SOA     @ root (
                        2013050101      ; serial
                        8H              ; refresh
                        2H              ; retry
                        4W              ; expiry
                        1D              ; minimum
                        )

@       IN      NS      @
        IN      A       127.0.0.1
CONF

The reverse zone for localhost:

cat << CONF > /var/lib/bind/master/0.0.127.zone
\$TTL 3D

@       IN      SOA     localhost. root.localhost (
                        2013050101      ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D              ; Minimum TTL
                        )

        IN      NS      localhost.

1       IN      PTR     localhost.
CONF

We normalize permissions and fetch the root hints file:

chown bind:bind /var/lib/bind/master/*zone
chmod 640 /var/lib/bind/master/*zone
wget -q -O /var/lib/bind/named.root http://www.internic.net/zones/named.root
chown bind:bind /var/lib/bind/named.root

Restart the service:

systemctl restart bind9.service

A healthy log looks like this:

Apr 21 12:46:05 directory named[1032]: generating session key for dynamic DNS
Apr 21 12:46:05 directory named[1032]: sizing zone task pool based on 2 zones
Apr 21 12:46:05 directory named[1032]: Loading 'AD DNS Zone' using driver dlopen
Apr 21 12:46:06 directory named[1032]: samba_dlz: started for DN DC=minsal,DC=psalud,DC=gob,DC=sv
Apr 21 12:46:06 directory named[1032]: samba_dlz: starting configure
Apr 21 12:46:06 directory named[1032]: samba_dlz: configured writeable zone 'minsal.psalud.gob.sv'
Apr 21 12:46:06 directory named[1032]: samba_dlz: configured writeable zone '_msdcs.minsal.psalud.gob.sv'
Apr 21 12:46:06 directory named[1032]: set up managed keys zone for view _default, file 'managed-keys.bind'
Apr 21 12:46:06 directory named[1032]: command channel listening on 127.0.0.1#953
Apr 21 12:46:06 directory named[1032]: command channel listening on ::1#953
With the DNS server working, the server must be configured to use itself as DNS server in
/etc/resolv.conf. Neglecting this is behind a good share of the headaches the internet forums are
full of (Cannot find KDC for realm "PSALUD.GOB.SV" while getting initial credentials is the most
common one).

To configure Kerberos with the file created by the migration, simply create a symbolic link:

ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf

At this point, restart Samba:

systemctl restart samba-ad-dc.service

A healthy log (apart from the CUPS complaint, harmless here because there is no print server)
looks like this:

Apr 21 12:47:20 directory samba[1105]: samba version 4.1.17-Debian started.
Apr 21 12:47:20 directory samba-ad-dc[1096]: Starting Samba AD DC daemon: samba.
Apr 21 12:47:21 directory samba[1106]: [2016/04/21 12:47:21.005728,  0] ../source4/smbd/server.c:488(binary_smbd_main)
Apr 21 12:47:21 directory samba[1106]:   samba: using 'standard' process model
Apr 21 12:47:21 directory samba[1106]: [2016/04/21 12:47:21.021866,  0] ../lib/util/become_daemon.c:136(daemon_ready)
Apr 21 12:47:21 directory smbd[1109]: [2016/04/21 12:47:21.947156,  0] ../lib/util/become_daemon.c:136(daemon_ready)
Apr 21 12:47:21 directory smbd[1123]: STATUS=daemon 'smbd' finished starting up and ready to serve connectionsUnable to connect to CUPS server localhost:631 - Bad file descriptor
Apr 21 12:47:21 directory smbd[1122]: STATUS=daemon 'smbd' finished starting up and ready to serve connectionsfailed to retrieve printer list: NT_STATUS_UNSUCCESSFUL

We check that our Kerberos realm is up, using the password collected above:

kinit [email protected]

If the command completes without complaint (it prints nothing on success; klist shows the ticket),
we can use the Samba4 tools to check the DNS records:

samba-tool dns query 127.0.0.1 minsal.psalud.gob.sv @ ALL

And a classic test could not be left out, because the classics never die:

smbclient //DIRECTORY/netlogon -U alortiz

At this point you have a fully functional Samba4 AD server. If you refer to it by its DNS name, all
the services that authenticate against the LDAP server can already have their configuration
changed to point at it.

Integrating AD into existing infrastructure


IP change

For the computers joined to the old Samba3 NT domain, if the new server takes over the IP of the
server being migrated, the transition is completely transparent. Bear in mind that this transition
is irreversible, which, although a good thing, forces us to test this guide first in an isolated
network environment.

PDC server

At this point Samba is already stopped. Now we have to say goodbye to the old Samba server for
good; rather than making a drama of it, just change its IP so that the old address can be used by
the new Samba server.

AD server

We add the old IP on the fly, as a temporary second address. We need the other IP to remain
available as well, because many operations are still carried out against it:

ip addr add 10.30.20.49/24 dev eth0

We update the DNS records to take the new IP into account:

samba_dnsupdate --verbose

The output is extremely long, but basically you have to look at each point where it says Failed:

Failed to find matching DNS entry A directory.minsal.psalud.gob.sv 10.30.20.49

For each of them, towards the end of the command's output, there should be something like this:

Calling nsupdate for A directory.minsal.psalud.gob.sv 10.30.20.49 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
directory.minsal.psalud.gob.sv. 900 IN A 10.30.20.49

The best proof that it worked is that when you run the command again there are no significant
changes and, towards the end of all the output, it reports:

No DNS updates needed

We stop Samba for a moment while we make the changes:

systemctl stop samba-ad-dc.service

We change the system's IP. On Debian it is enough to modify /etc/hosts and
/etc/network/interfaces. Finally, make sure that /etc/resolv.conf still points to this same
server as DNS.

We restart the network:

systemctl restart networking.service

If we were connected remotely, we check that we still have a connection to the system (reconnect
to the new IP).

We start Samba again with full confidence:

systemctl start samba-ad-dc.service

At this point we have successfully changed the IP address of Samba.

DNS server integration

This is a small trick. To join new computers to the domain it is enough to have a DNS server that
resolves all the entries needed for AD to operate. To save the step of having to reconfigure the
network (the DNS server) on every client, this is the procedure you may want to follow.

DNS server

In the file /etc/bind/named.conf.default-zones (or wherever zones are added in your DNS
configuration) we add a slave zone as follows:

zone "minsal.psalud.gob.sv" {
        type slave;
        file "/var/lib/bind/minsal.psalud.gob.sv.db";
        allow-transfer { 10.30.20.49/32; };
        masters { 10.30.20.49; };
};

The allow-transfer line restricts who may pull the zone from this secondary: a transfer of the AD
zone enumerates every DC, SRV record and host in the domain, so do not leave it open. If the
transfer from the DC is refused, check the transfer policy on the DC side (the options block of
the DC's named.conf above has allow-transfer { none; }); in this setup it completed, as the log
below shows.

We create the (empty) file /var/lib/bind/minsal.psalud.gob.sv.db and normalize permissions:

touch /var/lib/bind/minsal.psalud.gob.sv.db
chown bind:bind /var/lib/bind/minsal.psalud.gob.sv.db

We restart the BIND service:

systemctl restart bind9.service

The first two lines of the log below are BIND complaining about that empty file before
transferring the zone; they are harmless, and avoided altogether if you skip the touch and just
make sure /var/lib/bind is writable by the bind user.

A typical, working log looks like this:

Mar 15 14:29:22 dns named[30171]: zone minsal.psalud.gob.sv/IN: loading from master file /var/lib/bind/minsal.psalud.gob.sv.db failed: end of file
Mar 15 14:29:22 dns named[30171]: zone minsal.psalud.gob.sv/IN: unable to load from '/var/lib/bind/minsal.psalud.gob.sv.db'; renaming file to '/var/lib/bind/db-AVREcZAb' for failure analysis and retransferring.
Mar 15 14:29:22 dns named[30171]: zone localhost/IN: loaded serial 2
Mar 15 14:29:22 dns named[30171]: zone salud.gob.sv/IN: loaded serial 1408027834
Mar 15 14:29:22 dns named[30171]: all zones loaded
Mar 15 14:29:22 dns named[30171]: running
Mar 15 14:29:22 dns named[30171]: zone minsal.psalud.gob.sv/IN: Transfer started.
Mar 15 14:29:22 dns named[30171]: transfer of 'minsal.psalud.gob.sv/IN' from 10.30.20.49#53: connected using 192.168.2.4#45887
Mar 15 14:29:22 dns named[30171]: zone minsal.psalud.gob.sv/IN: transferred serial 1
Mar 15 14:29:22 dns named[30171]: transfer of 'minsal.psalud.gob.sv/IN' from 10.30.20.49#53: Transfer completed: 1 messages, 21 records, 1032 bytes, 0.012 secs (86000 bytes/sec)

We can test this configuration by running a non-recursive DNS query against that server; a
computer outside the DNS server itself is the best choice. With +norecurse the answer only comes
back if the server is authoritative for the zone, i.e. if the slave zone really loaded:

dig @10.30.20.4 -t SRV _kerberos._udp.minsal.psalud.gob.sv +short +norecurse
0 100 88 directory.minsal.psalud.gob.sv.
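The dig test above checks one record on one server. As an added example (not part of the original guide), the script below generalizes it to the set of SRV records an AD client uses to find a DC, KDC and password service, checks that each record's target also has an A record (the thing samba_dnsupdate had to fix after the IP change), and compares the SOA serial served by the DC with the one on the secondary, so a stale slave zone is caught. It assumes dig is installed and that the DC and secondary addresses are given on the command line; the SRV names other than _kerberos._udp are the standard AD ones, not taken from the page, and the sample answers embedded for the parsers are constructed (the SRV one is the answer shown above).

```shell
#!/bin/sh
# Check that a DNS server answers the AD records non-recursively and that a
# secondary carries the same zone serial as the DC. Added example, not from
# the original guide. Assumes dig is installed; server addresses come from
# the command line, the zone from $ZONE (default: the guide's domain).

ZONE="${ZONE:-minsal.psalud.gob.sv}"

# Constructed sample answers, in 'dig +short' form, for trying the parsers out.
SAMPLE_SRV='0 100 88 directory.minsal.psalud.gob.sv.'
SAMPLE_SOA='directory.minsal.psalud.gob.sv. hostmaster.minsal.psalud.gob.sv. 1 900 600 86400 3600'

# SRV names a client uses to locate a DC, KDC and password service
# (standard AD names; the guide itself tests only _kerberos._udp).
ad_srv_names() {  # ad_srv_names <zone>
    printf '%s\n' \
        "_ldap._tcp.$1" \
        "_kerberos._tcp.$1" \
        "_kerberos._udp.$1" \
        "_kpasswd._udp.$1" \
        "_ldap._tcp.dc._msdcs.$1" \
        "_ldap._tcp.pdc._msdcs.$1"
}

# Target host of a 'dig +short' SRV answer ("prio weight port target."),
# without the trailing dot; empty if the line is not a well-formed SRV answer.
srv_target() {  # srv_target "<dig +short line>"
    printf '%s\n' "$1" | awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4 }'
}

# Serial field of a 'dig +short SOA' answer
# ("mname rname serial refresh retry expire minimum"); empty otherwise.
soa_serial() {  # soa_serial "<dig +short line>"
    printf '%s\n' "$1" | awk 'NF == 7 && $3 ~ /^[0-9]+$/ { print $3 }'
}

# Non-recursive query; prints the +short answer (possibly several lines).
query() {  # query <server> <type> <name>
    dig "@$1" -t "$2" "$3" +short +norecurse +time=2 +tries=1 2>/dev/null
}

# Verify every SRV record on <server> and that each target resolves to an A
# record there. Returns the number of missing records.
check_ad_records() {  # check_ad_records <server> <zone>
    missing=0
    for name in $(ad_srv_names "$2"); do
        answer=$(query "$1" SRV "$name" | head -n 1)
        target=$(srv_target "$answer")
        if [ -z "$target" ]; then
            echo "MISSING $name on $1"; missing=$((missing + 1)); continue
        fi
        addr=$(query "$1" A "$target" | head -n 1)
        if [ -z "$addr" ]; then
            echo "MISSING A record for $target on $1"; missing=$((missing + 1))
        else
            echo "ok      $name -> $target ($addr)"
        fi
    done
    return "$missing"
}

# 0 if <secondary> serves the same SOA serial for <zone> as <primary>.
serials_match() {  # serials_match <primary> <secondary> <zone>
    p=$(soa_serial "$(query "$1" SOA "$3")")
    s=$(soa_serial "$(query "$2" SOA "$3")")
    [ -n "$p" ] && [ "$p" = "$s" ]
}

# Usage: sh check-ad-dns.sh <dc-ip> [secondary-ip]   (exit status = problems found)
if [ "$#" -gt 0 ]; then
    check_ad_records "$1" "$ZONE"; rc=$?
    if [ "$#" -gt 1 ]; then
        check_ad_records "$2" "$ZONE"; rc=$((rc + $?))
        if serials_match "$1" "$2" "$ZONE"; then
            echo "ok      zone serial identical on $1 and $2"
        else
            echo "WARNING $2 serves a different serial than $1 (stale or not authoritative)"
            rc=$((rc + 1))
        fi
    fi
    exit "$rc"
fi
```

Run it once against the DC and once more with the secondary as the second argument after every change to the DC's address or DNS records; a MISSING line on the secondary but not on the DC means the slave zone has not refreshed yet (the serial comparison will say the same), while a MISSING line on the DC itself means samba_dnsupdate still has work to do.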
Sources
- Migrating a Samba NT4 domain to a Samba AD domain (classic upgrade)
- Change IP address of a Samba AD DC
- Slave (Secondary) DNS Server
