Replace Your NT4 Domain Controller with Samba 3 (Part 2)

By Carla Schroder | Jan 11, 2005
http://www.enterprisenetworkingplanet.com/netos/article.php/3457461/Replace-Your-NT4-Domain-Controller-with-Samba-3-Part-2.htm

Last week we provided an overview of why or why not to migrate a Windows NT4 domain controller to Samba. Today we'll dig into how to do it, step-by-step.

As the Samba documentation wisely mentions, this is a good time to evaluate your network structure and services, and possibly make additional changes. Windows NT4 has been around since 1996, so this might be a good time to do some housecleaning and re-organization. At the least you should clean up your NT4 box by deleting obsolete accounts and files.

These are the steps to follow:

  1. Create a BDC (Backup Domain Controller) account in the old NT4 domain for the Samba server using NT Server Manager
  2. Configure Samba as a BDC
  3. Join the Samba BDC to your NT4 domain
  4. Migrate user and machine accounts
  5. Shut down the NT4 domain controller
  6. "Promote" Samba to a PDC
  7. Start up Samba and watch your users login and never know the difference

Step 1: Create a BDC account on NT4

Not much to do here — fire up Server Manager on your NT4 domain controller and create a BDC account for the Samba box.

Step 2: Configure a Samba Backup Domain Controller

This is an example of /etc/samba/smb.conf without any file or printer shares, configured as a BDC. This configuration uses the tdbsam database backend because it is the simplest for migration. However, you ought to consider using an LDAP backend for greater flexibility and growth potential. (See Resources for links to howtos for this.) The NetBIOS name for the Samba server can be anything. Do not change the domain name; use your old one! If you change it, the SID (Security ID) will change, and then you will have to rejoin all of your clients to the new domain, which is less fun than it sounds.

[global]
     workgroup = [domainname]
     netbios name = SAMBASERVER
     passdb backend = tdbsam
     domain master = No
     domain logons = Yes
     os level = 33
     add user script = /usr/sbin/useradd -m '%u'
     delete user script = /usr/sbin/userdel -r '%u'
     add group script = /usr/sbin/groupadd '%g'
     delete group script = /usr/sbin/groupdel '%g'
     add user to group script = /usr/sbin/usermod -G '%g' '%u'
     add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
     wins server = [IP of wins server]

Now run the testparm command to check for syntax errors and to report the Samba server role. It should report ROLE_DOMAIN_BDC.

All of the scripts named in smb.conf are the standard Linux Shadow Suite utilities for managing users, groups, and passwords. See their respective man pages for an explanation of the command options. The macros — like %u — are Samba macros. See man smb.conf for their definitions.

Step 3: Join the Samba BDC to the NT4 domain

Start up Samba and run this command from the Samba box to join the domain as a BDC server, using your NT Administrator login:

# /etc/init.d/samba start
# net rpc join -S [NT netbios name or IP] -UAdministrator%password

Joined domain DOMAINNAME.

Step 4: Migrate user and machine accounts

Now comes the fun part; this is where you get to vampire your accounts from the NT4 box to Samba. Don't type the brackets; they mean you must substitute your own values.

# net rpc vampire -S [NT netbios name or IP] -W [domainname] -UAdministrator%password
Fetching DOMAINNAME database
SAM_DELTA_DOMAINNAME_INFO not handled
Creating unix group: 'Domain Admins'
Creating unix group: 'Domain Users'
Creating unix group: 'Domain Guests'
Creating unix group: 'Web_team'
Creating unix group: 'Sysadmins'
...
Creating account: Administrator
Creating account: Guest
Creating account: NTSERVER$
Creating account: 'carla'
Creating account: 'dawnmarie'
...

Verify that your user accounts moved over with pdbedit. Only the root user can do this:

# pdbedit -L
user1:1001:
user2:1002:
user3:1003:
...
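Before shutting down the NT4 box, it is worth reconciling what net rpc vampire said it created against what pdbedit -L actually lists, so that an account that was silently dropped during the migration is caught while the original domain controller is still available. The script below is an added example, not part of the article or of Samba; both input files are constructed samples that mirror the output formats shown above, and the names in them are invented.

```shell
#!/bin/sh
# Added example: reconcile `net rpc vampire` output against a `pdbedit -L`
# listing. Not from the article or the Samba project; inputs are constructed.

# vampire_accounts LOG: account names from "Creating account:" lines, with the
# single quotes vampire prints around some names removed, sorted and unique.
vampire_accounts() {
    sed -n 's/^Creating account: *//p' "$1" | tr -d "'" | LC_ALL=C sort -u
}

# pdb_accounts LIST: first field of each `pdbedit -L` line (username:uid:name).
pdb_accounts() {
    cut -d: -f1 "$1" | LC_ALL=C sort -u
}

# missing_accounts LOG LIST: names vampire created that pdbedit does not list.
# Always exits 0 so it can be used inside $(...) under `set -e`.
missing_accounts() {
    tmp_a=$(mktemp); tmp_b=$(mktemp)
    vampire_accounts "$1" > "$tmp_a"
    pdb_accounts "$2" > "$tmp_b"
    LC_ALL=C comm -23 "$tmp_a" "$tmp_b"
    rm -f "$tmp_a" "$tmp_b"
}

# verify_migration LOG LIST: returns 0 if every vampired account is present in
# the passdb listing, otherwise prints the missing names and returns 1.
verify_migration() {
    missing=$(missing_accounts "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'Missing from passdb:\n%s\n' "$missing" >&2
        return 1
    fi
    echo "All $(vampire_accounts "$1" | wc -l | tr -d ' ') accounts present"
}

TMPD=$(mktemp -d)
# Constructed vampire output in the article's format (names invented).
cat > "$TMPD/vampire.log" <<'EOF'
Fetching EXAMPLEDOM database
Creating unix group: 'Domain Admins'
Creating unix group: 'Domain Users'
Creating account: Administrator
Creating account: Guest
Creating account: NTSERVER$
Creating account: 'carla'
Creating account: 'dawnmarie'
EOF
# Constructed `pdbedit -L` listing in which one user did not make it over.
cat > "$TMPD/pdbedit.txt" <<'EOF'
Administrator:0:Administrator
Guest:65534:Guest
NTSERVER$:1000:
carla:1001:Carla
EOF

verify_migration "$TMPD/vampire.log" "$TMPD/pdbedit.txt" || echo "migration check failed"
```

On a real server, save the vampire output with tee and feed it together with `pdbedit -L` output to verify_migration; machine accounts (the names ending in $) are compared just like users, so a workstation whose trust account did not migrate shows up here rather than as a mysterious logon failure later.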

Get detailed information such as home directory, logon script, password aging, and domain for individual users with this command:

# pdbedit -Lv user1
Unix username:     user1
NT username:     user1
Account Flags:     [UX ]
User SID:     S-1-2-21-3371872119-397798111-429892680-5775
Primary Group SID:     S-1-2-21-3371872119-397798111-429892680-9521
Full Name:     User One
...

Look in /var/lib/samba to find the password databases. Don't try to read or edit them directly; it's just nice to know where they are. Next, check that the groups migrated:

# net group -l -Uroot%not24get -S[Samba netbios name]
Group name       Comment
----------------------------------------
Web_team         Internal site team
Sysadmins        Heroes and deities
Backup_admins

Step 5: Shut down the NT4 domain controller

Shut it down nicely — you may want it again.

Step 6: Promote Samba to a PDC

Promoting Samba to a Primary Domain Controller is done by editing /etc/samba/smb.conf. Make it the WINS server as well by changing these two lines:

domain master = yes
wins support = yes
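The difference between the BDC configuration in Step 2 and the promoted PDC above comes down to two [global] parameters, and the domain SID survives only because the workgroup line is left alone. The following script is an added example, not part of the article or of Samba: it reads the [global] section of an smb.conf, classifies the role the way the article's two configurations do, and checks that the workgroup still matches the old domain name. On a real host testparm remains the authoritative check; this only makes explicit which settings drive the role it reports. The two configuration files are constructed samples, and OLDDOMAIN is an invented name.

```shell
#!/bin/sh
# Added example (not Samba's own code): read smb.conf [global] settings and
# classify the BDC/PDC role. testparm is the real check; this is illustrative.

# smb_get FILE PARAM: value of PARAM in the [global] section, matched
# case-insensitively, whitespace trimmed; prints nothing if unset.
smb_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*\[/ { insection = (tolower($0) ~ /^[ \t]*\[global\]/); next }
        insection && /=/ && !/^[ \t]*[#;]/ {
            split($0, kv, "=")
            key = tolower(kv[1]); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == want) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# smb_bool VALUE: normalise Samba's yes/true/1 and no/false/0 spellings.
# An unset parameter is treated as "no" here (a simplification).
smb_bool() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|1) echo yes ;;
        *) echo no ;;
    esac
}

# smb_role FILE: domain logons on + domain master off => BDC,
# both on => PDC, anything else => MEMBER (mirrors the article's two configs).
smb_role() {
    logons=$(smb_bool "$(smb_get "$1" 'domain logons')")
    master=$(smb_bool "$(smb_get "$1" 'domain master')")
    if [ "$logons" = yes ] && [ "$master" = yes ]; then echo PDC
    elif [ "$logons" = yes ]; then echo BDC
    else echo MEMBER
    fi
}

# smb_workgroup_matches FILE EXPECTED: 0 if the workgroup equals EXPECTED
# (NetBIOS names are case-insensitive). Keeping the old name keeps the SID.
smb_workgroup_matches() {
    have=$(smb_get "$1" workgroup | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$have" ] && [ "$have" = "$want" ]
}

TMPD=$(mktemp -d)
# Constructed BDC configuration, as in Step 2 (domain name invented).
cat > "$TMPD/bdc.conf" <<'EOF'
[global]
     workgroup = OLDDOMAIN
     netbios name = SAMBASERVER
     passdb backend = tdbsam
     domain master = No
     domain logons = Yes
     os level = 33
     wins server = 192.0.2.10
EOF
# Constructed promoted configuration, as in Step 6.
cat > "$TMPD/pdc.conf" <<'EOF'
[global]
     workgroup = OLDDOMAIN
     netbios name = SAMBASERVER
     passdb backend = tdbsam
     domain master = yes
     domain logons = yes
     os level = 33
     wins support = yes
EOF

for f in bdc pdc; do
    printf '%s: role %s, workgroup %s\n' "$f" "$(smb_role "$TMPD/$f.conf")" \
        "$(smb_get "$TMPD/$f.conf" workgroup)"
done
```

Note that the promoted sample drops the wins server line rather than keeping it next to wins support = yes: Samba does not accept both in the same configuration, and testparm reports that as an error, so when you make the Samba box the WINS server, remove the old wins server entry at the same time.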

Restart Samba:

# /etc/init.d/samba restart

Run smbstatus to see if Samba is alive:

# smbstatus
Samba version 3.0.9-Debian
PID     Username     Group     Machine
-------------------------------------------------------

Service     pid     machine     Connected at
-------------------------------------------------------

No locked files

It lives! It works! Now try logging in and out from client machines.

This is just the beginning of what you can do with Samba. For larger LANs, 50 users or more, you can add a secondary Samba domain controller to share the load. Since you will not be troubled by restrictive, expensive server and client access licenses, you can add as many as you need for the cost of the hardware.

If you need to merge accounts from several NT4 domain controllers, see the "Samba-3 by Example" book.

Dealing With Troubles

Your best help will be found in the Resources listed below, and in the Samba mailing list archives. Always search the archives before asking a question; there is nothing new under the Samba sun.

Resources