Replace Your NT4 Domain Controller with Samba 3 (Part 2)
Linux/Windows Interoperability: The last time we visited this topic, we explained why you might want to lose that aging Windows NT server. This week, we offer a hands-on look at how to perform the migration.
Last week we provided an overview of why or why not to migrate a Windows NT4 domain controller to Samba. Today we'll dig into how to do it, step-by-step.
These are the steps to follow:
- Create a BDC (Backup Domain Controller) account in the old NT4 domain for the Samba server using NT Server Manager
- Configure Samba as a BDC
- Join the Samba BDC to your NT4 domain
- Migrate user and machine accounts
- Shut down the NT4 domain controller
- "Promote" Samba to a PDC
- Start up Samba and watch your users login and never know the difference
Step 1: Create a BDC account on NT4
Not much to do here — fire up Server Manager on your NT4 domain controller and create a BDC account for the Samba box.
Step 2: Configure A Samba Backup Domain Controller
This is an example of /etc/samba/smb.conf without any file or printer shares, configured as a BDC. This configuration uses the tdbsam database backend because it is the simplest for migration. However, you ought to consider using an LDAP backend for greater flexibility and growth potential. (See Resources for links to howtos for this.) The NetBIOS name for the Samba server can be anything. Do not change the domain name; use your old one! If you change it, the SID (Security ID) will change, and then you will have to rejoin all of your clients to the new domain, which is less fun than it sounds.
workgroup = [domainname]
netbios name = SAMBASERVER
passdb backend = tdbsam
domain master = No
domain logons = Yes
os level = 33
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
wins server = [IP of wins server]
Now run the testparm command to check for syntax errors and to report the Samba server role. It should report ROLE_DOMAIN_BDC.
All of the scripts named in smb.conf are the standard Linux Shadow Suite utilities for managing users, groups, and passwords. See their respective man pages for an explanation of the command options. The macros — like %u — are Samba macros. See man smb.conf for their definitions.
Step 3: Join the Samba BDC to the NT4 domain
Start up Samba and run this command from the Samba box to join the domain as a BDC server, using your NT Administrator login:
# /etc/init.d/samba start
# net rpc join -S [NT netbios name or IP] -UAdministrator%password
Joined domain DOMAINNAME.
Step 4: Migrate user and machine accounts
Now comes the fun part: this is where you get to vampire your accounts from the NT4 box to Samba. Don't type the brackets; they mean you must substitute your own values.
# net rpc vampire -S [NT netbios name or IP] -W [domainname] -UAdministrator%password
Fetching DOMAINNAME database
SAM_DELTA_DOMAINNAME_INFO not handled
Creating unix group: 'Domain Admins'
Creating unix group: 'Domain Users'
Creating unix group: 'Domain Guests'
Creating unix group: 'Web_team'
Creating unix group: 'Sysadmins'
Creating account: Administrator
Creating account: Guest
Creating account: NTSERVER$
Creating account: 'carla'
Creating account: 'dawnmarie'
Verify that your user accounts moved over with pdbedit. Only the root user can do this:
# pdbedit -L
Get detailed information such as home directory, logon script, password aging, and domain for individual users with this command:
# pdbedit -Lv user1
Unix username: user1
NT username: user1
Account Flags: [UX ]
User SID: S-1-2-21-3371872119-397798111-429892680-5775
Primary Group SID: S-1-2-21-3371872119-397798111-429892680-9521
Full Name: User One
Look in /var/lib/samba to find the password databases. Don't try to read or edit them directly; it's just nice to know where they are. Next, check that the groups migrated:
# net group -l -Uroot%not24get -S[Samba netbios name]
Group name   Comment
Web_team     Internal site team
Sysadmins    Heroes and deities
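As an added check that is not part of the article, the snippet below compares the accounts that the vampire run above reported creating with what pdbedit -L lists afterwards, so a user that silently failed to migrate is noticed before the NT4 box goes away. It assumes pdbedit -L prints one "username:uid:full name" line per account, and the log and listing it runs on are constructed samples.

```shell
# Added example (not from the article): compare the accounts "net rpc vampire"
# reported creating with what "pdbedit -L" now lists, so nothing silently failed
# to migrate. Assumes pdbedit -L prints one "username:uid:full name" line per account.

# Print the account names from a saved vampire log ($1); some lines quote the name.
vampire_accounts() {
  sed -n 's/^Creating account: //p' "$1" | tr -d "'"
}

# Print each vampired account (log $1) that has no username in the pdbedit listing ($2).
missing_accounts() {
  vampire_accounts "$1" | while IFS= read -r acct; do
    cut -d: -f1 "$2" | grep -qxF -- "$acct" || printf '%s\n' "$acct"
  done
}

# Constructed sample: a vampire log like the one above, and a pdbedit -L listing
# that is missing one of the users.
log=$(mktemp); sam=$(mktemp)
cat > "$log" <<'EOF'
Fetching DOMAINNAME database
SAM_DELTA_DOMAINNAME_INFO not handled
Creating unix group: 'Domain Users'
Creating account: Administrator
Creating account: NTSERVER$
Creating account: 'carla'
Creating account: 'dawnmarie'
EOF
cat > "$sam" <<'EOF'
Administrator:1000:Administrator
NTSERVER$:1001:
carla:1002:Carla
EOF
missing_accounts "$log" "$sam"    # prints dawnmarie
rm -f "$log" "$sam"
```

On the real server, save the vampire output to a file, run pdbedit -L into a second file, and pass both to missing_accounts.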
Step 5: Shut down the NT4 domain controller
Shut it down nicely — you may want it again.
Step 6: Promote Samba to a PDC
Promoting Samba to a Primary Domain Controller is done by editing /etc/samba/smb.conf. Make it the WINS server as well: set domain master to yes, and replace the wins server line with wins support = yes (nmbd will not start if both wins support and wins server are set). Then restart Samba:
domain master = yes
wins support = yes
# /etc/init.d/samba restart
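As an added example that is not from the article, here is a small sh/awk checker for the two smb.conf edits this walkthrough makes: it reads one parameter's value the way Samba does (last occurrence wins, case-insensitive keys), reports the role that the domain master and domain logons settings of Step 2 and Step 6 produce, and fails on the wins support/wins server combination that nmbd refuses. The config it runs on is a constructed sample, and it needs no Samba installed.

```shell
# Added example (not from the article): classify the role an smb.conf configures
# and catch the "wins support = yes" plus "wins server" combination nmbd aborts on.

# Print the last value of parameter $2 (lower case, single spaces) in smb.conf $1.
smb_param() {
  awk -F= -v key="$2" '
    /^[ \t]*[;#]/ || /^[ \t]*\[/ { next }          # comments and [section] headers
    NF >= 2 {
      k = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
      if (k == key) { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0 }
    }
    END { if (v != "") print v }' "$1"
}

# Print pdc, bdc or member for smb.conf $1; print conflict and fail when both
# "wins support = yes" and "wins server" are set.
smb_role() {
  logons=$(smb_param "$1" "domain logons" | tr 'A-Z' 'a-z')
  master=$(smb_param "$1" "domain master" | tr 'A-Z' 'a-z')
  wsupport=$(smb_param "$1" "wins support" | tr 'A-Z' 'a-z')
  wserver=$(smb_param "$1" "wins server")
  case "$wsupport" in
    yes|true|1) if [ -n "$wserver" ]; then echo conflict; return 1; fi ;;
  esac
  case "$logons" in yes|true|1) ;; *) echo member; return 0 ;; esac
  case "$master" in yes|true|1) echo pdc ;; *) echo bdc ;; esac
}

# Constructed sample: the BDC settings from Step 2, then the promotion edit done
# wrong (wins support appended without removing the wins server line).
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
workgroup = EXAMPLEDOM
netbios name = SAMBASERVER
domain master = No
domain logons = Yes
wins server = 192.0.2.10
EOF
smb_role "$cfg"                                            # prints bdc
printf 'domain master = yes\nwins support = yes\n' >> "$cfg"
smb_role "$cfg" || echo "fix: remove the wins server line"  # prints conflict
rm -f "$cfg"
```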
Run smbstatus to see if Samba is alive:
Samba version 3.0.9-Debian
PID     Username      Group         Machine
Service      pid     machine       Connected at
No locked files
It lives! It works! Now try logging in and out from client machines.
This is just the beginning of what you can do with Samba. For larger LANs, 50 users or more, you can add a secondary Samba domain controller to share the load. Since you will not be troubled by restrictive, expensive server and client access licenses, you can add as many as you need for the cost of the hardware.
If you need to merge accounts from several NT4 domain controllers, see the "Samba-3 by Example" book.
Dealing With Troubles
Your best help will be found in the Resources listed below, and in the Samba mailing list archives. Always search the archives before asking a question; there is nothing new under the Samba sun.
- The Official Samba-3 HOWTO and Reference Guide. You may also purchase this in a nice printed book.
- My very own book, the Linux Cookbook, has an excellent chapter on Samba. It covers file and printer sharing, building a Samba fileserver, and configuring Samba as a PDC. This will get new Samba users up and running quickly.
- Samba-3 by Example, chapter 8 covers migration in detail, including using an LDAP backend