SAMBA classicupgrade experience on Debian 8

Prehistory


There is a small enterprise local area network in which, 10 years ago on Debian 5, a domain was set up with Samba 3 + LDAP + BIND (on the gateway). In fact, only user authentication and file shares were needed. Over the years the server was upgraded to new Debian releases without problems; it currently runs Debian 8 with Samba 4.2.

Since Windows 7, joining computers to the domain has failed without the well-known registry workaround (the DomainCompatibilityMode and DNSNameResolutionRequired values under the LanmanWorkstation parameters). The same workaround kept working on Windows 8 and on Windows 10 up to version 1803. Besides the inability to join computers to the domain, other problems had accumulated, so it was finally decided to do a classicupgrade. Given the simple structure of the LAN, the internal Samba DNS backend was chosen.

I want to say up front that this article is not an exact guide but rather an account of the experience. A test run is strongly recommended. In my case, images of the server were taken for testing and deployed as VirtualBox virtual machines. To check the behaviour of existing domain clients, Win XP SP3 and Win 10 1709 and 1803 client machines were also created.

I also want to note that several times errors were caused by plain typos. Be careful.

Environment description


OS: Debian 8
Domain: samdom.local
Server name: pdc
server ip: 10.10.1.220

Transition process


Upgrading packages to the latest versions and installing missing ones


In my case, after the upgrade, only krb5-user had to be installed additionally.

apt-get update
apt-get upgrade
apt-get install samba smbclient krb5-user winbind

When installing krb5-user, the system asks a few questions about the default realm and the Kerberos server names. Answer them with the data of your server.

Stop Samba


service samba-ad-dc stop
service smbd stop
service nmbd  stop
service winbind  stop

Moving the old databases and the samba config


mv /var/lib/samba /var/lib/samba.NT
mv /etc/samba/smb.conf /etc/samba/smb.conf.NT

I moved the old databases to /var/lib/samba.NT, so the /var/lib/samba directory has to be re-created:

mkdir /var/lib/samba

The documentation recommends collecting all the databases in one separate directory. In my case, only gencache_notrans.tdb lived elsewhere, so it was the only one I had to copy.

cp -p /run/samba/gencache_notrans.tdb /var/lib/samba.NT

The documentation also states that only six databases are needed:

secrets.tdb
schannel_store.tdb
passdb.tdb
gencache_notrans.tdb
group_mapping.tdb
account_policy.tdb

However, the presence of other files in the directory did not hinder the upgrade.
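As an added example (my script, not from the article or the Samba project), a small pre-flight check for the points above, run before samba-tool: it verifies that the directory to be passed as --dbdir holds the six required TDB files and the old smb.conf, and that the new /var/lib/samba and /etc/samba/smb.conf are still empty. Paths are passed as arguments (the defaults under --run are the ones used in this article), so the checks can be tried on a scratch directory first.

```bash
#!/bin/bash
# Added example (not from the article or the Samba project): pre-flight check
# to run before "samba-tool domain classicupgrade".

# The six databases the Samba wiki lists as required for a classic upgrade.
REQUIRED_TDBS="secrets.tdb schannel_store.tdb passdb.tdb gencache_notrans.tdb group_mapping.tdb account_policy.tdb"

# check_classic_dbdir DBDIR OLD_SMB_CONF
# Prints every missing or empty file to stderr; returns 0 only if none is missing.
check_classic_dbdir() {
    local dbdir="$1" conf="$2" missing=0 f
    if [ ! -d "$dbdir" ]; then
        echo "dbdir $dbdir does not exist" >&2
        return 1
    fi
    for f in $REQUIRED_TDBS; do
        if [ ! -s "$dbdir/$f" ]; then
            echo "missing or empty: $dbdir/$f" >&2
            missing=$((missing + 1))
        fi
    done
    if [ ! -r "$conf" ]; then
        echo "old smb.conf not readable: $conf" >&2
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# check_target_empty NEWDIR NEW_SMB_CONF
# The upgrade must start from an empty state directory and no new smb.conf;
# leftovers from a failed attempt are what the article says to delete first.
check_target_empty() {
    local newdir="$1" newconf="$2"
    [ ! -e "$newconf" ] && [ -d "$newdir" ] && [ -z "$(ls -A "$newdir")" ]
}

if [ "${1:-}" = "--run" ]; then
    check_classic_dbdir /var/lib/samba.NT /etc/samba/smb.conf.NT &&
        check_target_empty /var/lib/samba /etc/samba/smb.conf &&
        echo "ready for classicupgrade"
fi
```

Run it as `./preflight.sh --run` on the server; a non-zero exit with the offending path on stderr tells you what to fix before starting the upgrade.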

Starting the classicupgrade process


samba-tool domain classicupgrade --dbdir=/var/lib/samba.NT --realm=samdom.local --dns-backend=SAMBA_INTERNAL /etc/samba/smb.conf.NT

Note that the documentation advises against the .local top-level domain (it collides with multicast DNS), but in my case it is a historical given.

The output scrolling past on the screen contains the generated Administrator password; note it down if you want to keep it.

If there are problems, before any new attempt at classicupgrade remember to delete the database files and the smb.conf created during the failed run:

rm -f /etc/samba/smb.conf
rm -rf /var/lib/samba/*

If everything went well, you can proceed to the next step.

Check and edit server configs


/etc/resolv.conf should contain (if it was not created for you automatically):

domain samdom.local
nameserver 10.10.1.220

In /etc/hosts:

127.0.0.1   localhost localhost.localdomain
10.10.1.220 pdc.samdom.local pdc

The /etc/hostname file must contain the short host name only:

pdc

In /etc/network/interfaces:

dns-nameservers 10.10.1.220
dns-search samdom.local
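An added check (my script, not part of the article) that the three files above agree with each other for the values used here (short name pdc, FQDN pdc.samdom.local, address 10.10.1.220). It also catches the "127.0.1.1 <fqdn>" line that the Debian installer writes, which would make the DC register a loopback address in its own DNS. File paths are arguments, so it can be run against copies of the files.

```bash
#!/bin/bash
# Added example, not from the article: verifies that /etc/hostname, /etc/hosts
# and /etc/resolv.conf agree with each other before the DC is started.

# check_name_config HOSTNAME_FILE HOSTS_FILE RESOLV_FILE SHORT FQDN IP
# Prints each problem to stderr; returns 0 only when all three files are right.
check_name_config() {
    local hostname_file="$1" hosts_file="$2" resolv_file="$3"
    local short="$4" fqdn="$5" ip="$6" errors=0 first_ns

    # /etc/hostname must hold the short name only, not the FQDN.
    if [ "$(tr -d '[:space:]' < "$hostname_file")" != "$short" ]; then
        echo "$hostname_file should contain exactly '$short'" >&2
        errors=$((errors + 1))
    fi

    # /etc/hosts needs "IP FQDN SHORT" with the real address and the FQDN
    # first, because Samba derives the DC's own name and address from it.
    if ! awk -v ip="$ip" -v fqdn="$fqdn" -v short="$short" \
            '$1 == ip && $2 == fqdn && $3 == short { ok = 1 } END { exit !ok }' \
            "$hosts_file"; then
        echo "$hosts_file lacks the line: $ip $fqdn $short" >&2
        errors=$((errors + 1))
    fi

    # The Debian installer adds "127.0.1.1 <fqdn> <short>"; with that line the
    # DC would publish a loopback address, so reject any 127.x entry that
    # carries the FQDN.
    if awk -v fqdn="$fqdn" \
            '$1 ~ /^127\./ { for (i = 2; i <= NF; i++) if ($i == fqdn) bad = 1 } END { exit !bad }' \
            "$hosts_file"; then
        echo "$hosts_file maps $fqdn to a loopback address" >&2
        errors=$((errors + 1))
    fi

    # With the SAMBA_INTERNAL backend the DC must resolve through itself.
    first_ns=$(awk '$1 == "nameserver" { print $2; exit }' "$resolv_file")
    if [ "$first_ns" != "$ip" ]; then
        echo "$resolv_file: first nameserver is '${first_ns:-none}', expected $ip" >&2
        errors=$((errors + 1))
    fi

    [ "$errors" -eq 0 ]
}

if [ "${1:-}" = "--run" ]; then
    check_name_config /etc/hostname /etc/hosts /etc/resolv.conf \
        pdc pdc.samdom.local 10.10.1.220 && echo "name resolution config OK"
fi
```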

Forwarding DNS requests


If your server is to forward DNS requests to the Internet (and the SAMBA_INTERNAL DNS backend is used), add a line with your provider's DNS server IP to the [global] section of smb.conf:

dns forwarder = ip 

In Samba 4.2 only one IP can be specified; in later versions several can be listed, separated by spaces.
If outgoing traffic is filtered on your gateway, do not forget to allow UDP and TCP port 53 from the server.

Kerberos Setup


Bring /etc/krb5.conf to a form similar to this:

[libdefaults]
    default_realm = SAMDOM.LOCAL
    dns_lookup_realm = false
    dns_lookup_kdc = true
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    SAMDOM.LOCAL = {
        kdc = pdc
        admin_server = pdc
        default_domain = SAMDOM.LOCAL
    }

[domain_realm]
    .samdom.local = SAMDOM.LOCAL
    samdom.local = SAMDOM.LOCAL

Configure time synchronization


If the ntp package is not installed, install it:

apt-get install ntp

In my case the directory /var/lib/samba/ntp_signd/ did not exist; I created it by hand.

Then set its owner and permissions:

chown root:ntp /var/lib/samba/ntp_signd/
chmod 750 /var/lib/samba/ntp_signd/

Then bring /etc/ntp.conf to a form similar to this:

# Local clock (Note: This is not the localhost address!)
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# The source, where we are receiving the time from
server 0.pool.ntp.org iburst prefer
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp
ntpsigndsocket /var/lib/samba/ntp_signd/
# Access control
# Default restriction: Only allow querying time (incl. ms-sntp) from this machine
restrict default kod nomodify notrap nopeer mssntp
# Allow everything from localhost
restrict 127.0.0.1
# Allow that our time source can only provide time and do nothing else
restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery

Slapd removal and reboot


apt-get remove slapd
reboot

Testing


In the documentation, testing is done from the Administrator account. Historically in our domain administrative actions are done as domain_admin. The commands and their correct output are shown below.

Test Samba:

root@debian:/root# smbclient -L localhost -U%
Domain=[SAMDOM] OS=[Unix] Server=[Samba 4.1.17-Debian]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.17-Debian)
Domain=[SAMDOM] OS=[Unix] Server=[Samba 4.1.17-Debian]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

If you get this error here:
Connection to localhost failed (Error NT_STATUS_UNSUCCESSFUL)

check whether Samba is running. In one test run I forgot to remove (stop) slapd and saw this same error.

Another check:

$ smbclient //localhost/netlogon -Udomain_admin -c 'ls'
Enter domain_admin's password:
Domain=[SAMDOM] OS=[Unix] Server=[Samba x.y.z]
  .                                   D        0  Tue Nov  1 08:40:00 2016
  ..                                  D        0  Tue Nov  1 08:40:00 2016

                49386 blocks of size 524288. 42093 blocks available

Test DNS:

root@debian:/root# nslookup samdom.local
Server:         10.10.1.220
Address:        10.10.1.220#53

Name:   samdom.local
Address: 10.10.1.220

$ host -t SRV _ldap._tcp.samdom.local.
_ldap._tcp.samdom.local has SRV record 0 100 389 pdc.samdom.local.

$ host -t SRV _kerberos._udp.samdom.local.
_kerberos._udp.samdom.local has SRV record 0 100 88 pdc.samdom.local.

$ host -t A pdc.samdom.local.
pdc.samdom.local has address 10.10.1.220
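The same DNS tests in a form a script can evaluate, as an added example (not from the article). The parsers take host(1) output as text, so they can be tried on captured output; --run queries the live server with the names and address used in this article. The A-record check insists on the real address, which is the check that catches a stray 127.0.1.1 line in /etc/hosts.

```bash
#!/bin/bash
# Added example (not from the article): machine-checkable version of the
# "host -t SRV" and "host -t A" tests for a freshly upgraded DC.

# srv_points_at "HOST_OUTPUT" TARGET PORT
# 0 if any "... has SRV record PRIO WEIGHT PORT TARGET." line names TARGET:PORT.
srv_points_at() {
    printf '%s\n' "$1" | awk -v target="$2" -v port="$3" '
        / has SRV record / {
            t = $NF; sub(/\.$/, "", t)          # strip the trailing dot
            if ($(NF - 1) == port && t == target) found = 1
        }
        END { exit !found }'
}

# a_record_is "HOST_OUTPUT" FQDN IP
# 0 only if the A record for FQDN is exactly IP; a loopback answer or an
# NXDOMAIN line both fail.
a_record_is() {
    printf '%s\n' "$1" | awk -v fqdn="$2" -v ip="$3" '
        $1 == fqdn && $2 == "has" && $3 == "address" && $4 == ip { found = 1 }
        END { exit !found }'
}

# verify_dc_dns DOMAIN DC_FQDN DC_IP   (needs host(1) and a running DC)
verify_dc_dns() {
    local domain="$1" dc="$2" ip="$3" rc=0
    srv_points_at "$(host -t SRV "_ldap._tcp.$domain.")" "$dc" 389 ||
        { echo "no LDAP SRV record pointing at $dc:389" >&2; rc=1; }
    srv_points_at "$(host -t SRV "_kerberos._udp.$domain.")" "$dc" 88 ||
        { echo "no Kerberos SRV record pointing at $dc:88" >&2; rc=1; }
    a_record_is "$(host -t A "$dc.")" "$dc" "$ip" ||
        { echo "A record for $dc is not $ip (check /etc/hosts)" >&2; rc=1; }
    return "$rc"
}

if [ "${1:-}" = "--run" ]; then
    verify_dc_dns samdom.local pdc.samdom.local 10.10.1.220 && echo "DNS OK"
fi
```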

Test Kerberos:

root@debian:/root# kinit domain_admin@SAMDOM.LOCAL
Password for domain_admin@SAMDOM.LOCAL:
Warning: Your password will expire in 41 days on Fri 27 Nov 2015 14:34:46

root@debian:/root# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: domain_admin@SAMDOM.LOCAL

Valid starting       Expires              Service principal
16.10.2015 15:07:12  17.10.2015 01:07:12  krbtgt/SAMDOM.LOCAL@SAMDOM.LOCAL
        renew until 17.10.2015 15:07:07

Additional setting


For domain user and group names to appear in Linux instead of numeric IDs, /etc/nsswitch.conf needs a tweak.

The lines should look like this:
passwd: files winbind
group: files winbind

Note that winbind is added only to these two lines; see the documentation for details.
In my case, I also removed the mention of ldap from this file.

reboot

If, like me, your DNS server lived on another machine before the classicupgrade and you use a DHCP server, do not forget to change the DNS server address that DHCP hands out to clients.

Network share setup


The developers do not recommend using an AD domain controller as a file server. In my case, however, there were no other servers.

The setup is described very well in the Samba documentation, and that is where to look. In short:

Check that your Samba build has ACL support:

smbd -b | grep HAVE_LIBACL
   HAVE_LIBACL

Remember that the partition must be mounted with the user_xattr and acl options.

Only users and groups holding SeDiskOperatorPrivilege can configure share permissions.

For example, to grant that privilege to the Domain Admins group, run:
net rpc rights grant "Samdom\Domain Admins" SeDiskOperatorPrivilege -U "Samdom\domain_admin"

To add a share itself you need to:

Create the directory and assign the necessary rights:

# mkdir -p /srv/samba/Demo/
# chown root:"Domain Admins" /srv/samba/Demo/
# chmod 0770 /srv/samba/Demo/

Add to smb.conf:

[Demo]
       path = /srv/samba/Demo/
       read only = no

After this, reload the samba configs with the command:

smbcontrol all reload-config

As before, a share can be hidden by adding to its definition:

browseable = no
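The steps above as one idempotent shell function, added here as an example (my code, not the article's or Samba's). Re-running it after a typo does not add a second [Demo] stanza; chown and the config reload are only attempted when running as root with the group resolvable, so the function can be tried in a scratch directory with a temporary smb.conf. The share name, path and group are the article's.

```bash
#!/bin/bash
# Added example (not the article's own commands): create a share directory and
# add its section to smb.conf without ever producing a duplicate stanza.

# add_share NAME PATH SMB_CONF [GROUP]
add_share() {
    local name="$1" path="$2" conf="$3" group="${4:-Domain Admins}"

    mkdir -p "$path"
    chmod 0770 "$path"
    if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null; then
        chown "root:$group" "$path"
    else
        echo "not root or group '$group' unknown here: skipping chown" >&2
    fi

    # smb.conf section names are case-insensitive, so match [demo] as well.
    # NAME is used as a regex fragment: keep share names to plain words.
    if grep -Eiq "^[[:space:]]*\[$name\][[:space:]]*$" "$conf" 2>/dev/null; then
        echo "share [$name] already defined in $conf, leaving it alone" >&2
    else
        printf '\n[%s]\n\tpath = %s\n\tread only = no\n' "$name" "$path" >> "$conf"
    fi

    # Only a running DC can be told to reload; ignore failure when testing.
    if [ "$(id -u)" -eq 0 ] && command -v smbcontrol >/dev/null; then
        smbcontrol all reload-config || echo "reload-config failed" >&2
    fi
}

# share_count NAME SMB_CONF -> how many [NAME] headers the file has (want 1)
share_count() {
    grep -Eic "^[[:space:]]*\[$1\][[:space:]]*$" "$2" || true
}

if [ "${1:-}" = "--run" ]; then
    add_share Demo /srv/samba/Demo /etc/samba/smb.conf
fi
```

Windows ACLs on the directory are still assigned afterwards from a Windows machine, as described below; the function only prepares the POSIX side and the smb.conf entry.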

Permissions are then assigned from a Windows machine, under an account that holds SeDiskOperatorPrivilege. To do this, open "Computer Management", connect to the remote computer (the pdc domain controller in our case) and assign permissions via "Shared Folders" -> "Shares".

It is likely that when opening "Shared Folders" you will get the error "The procedure number is out of range (1745)". I ignore it: I found nothing intelligible about it on the Internet, and in testing and operation it causes no problems.

Problems are possible if you share the old network folders this way. Before the classicupgrade, share permissions were set via smb.conf, the Linux user/group/other bits and setfacl. After the classicupgrade, glitches gradually appeared with permissions to modify, rename and so on. A recursive setfacl did not help, since the problems were with inherited permissions.

Note that the documentation recommends assigning permissions remotely from a Windows machine.

As a result, given the modest amount of data, it was decided to copy the data to a Windows machine after hours, re-create the shares as the Samba developers recommend, and copy the files back.

Home folders of users on the server


The management of users' home folders has also changed.
The setup is also very well described in the documentation; I will describe only the key points for my case.

Previously, each user got their own share. Now only the common folder is shared, and users have access only to their own directory inside it.

The setup is done using the Microsoft Remote Server Administration Tools (RSAT). RSAT has an unpleasant feature: after upgrading Win 10 to a new version it must be reinstalled.

Home shares can be attached manually through the user's properties in the "Active Directory Users and Computers" snap-in, Profile tab: Drive U: \\pdc\user-shares\username

It is more convenient, however, to do this through a domain policy, which is described very clearly in the above documentation under "Using a Group Policy Preference".

Do not forget that the common share can be hidden by adding to its definition:

browseable = no

Domain functional level upgrade


The domain was raised to the 2008_R2 level with the following command:

samba-tool domain level raise --domain-level=2008_R2 --forest-level=2008_R2

The current level can be viewed with:

samba-tool domain level show

If smbd.log is flooded with CUPS errors


In my case this problem showed up:

Unable to connect to CUPS server localhost: 631

The fix is described in the short article listed in the sources (the usual approach is to disable printing support in the [global] section of smb.conf, since the DC has no CUPS server).

The problem with the subsequent upgrade to Debian 9 and its solution


On running

apt-get dist-upgrade

there was a problem: samba and winbind refused to upgrade because of a dependency conflict.

What helped was the approach from an article whose link I unfortunately did not save.
Here is a direct quote from it:

If Samba is in AD-DC mode, it and winbind fail. Do it now:

systemctl stop smbd nmbd winbind
systemctl disable smbd nmbd winbind
systemctl unmask samba-ad-dc
systemctl start samba-ad-dc


After updating the Samba version, it is recommended to run the "Samba AD DC database check":

# samba-tool dbcheck --cross-ncs

Since Debian 9 ships Samba 4.5, I got a bunch of "replPropertyMetaData" errors.
The fix is described in the documentation:

wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes

and comes down to running:

samba-tool dbcheck --cross-ncs --fix --yes

List of used sources


Samba documentation:

Migrating a Samba NT4 Domain to Samba AD (Classic Upgrade)
Setting up Samba as an Active Directory Domain Controller
Setting up a Share Using Windows ACLs
User Home Folders

An excellent article:
Domain controller on Debian 8 (which already ships Samba 4)
Samba error: Unable to connect to CUPS server localhost: 631
An article by an unknown English-language author describing how to solve the problem with upgrading to Debian 9
