Migrate Existing Samba 3 Installations to UCS 3 with Samba 3

From Univention Wiki


Existing Samba/LDAP environments can be migrated to UCS 3 with Samba 3 by script, without users noticing the migration. The following how-to shows the necessary steps. Please note that this how-to is not compatible with a direct migration to Samba 4: you first need to move your users to Samba 3 following this guide and then follow the guide Update to UCS 3.0 Samba 4. Please also note that this how-to might not fit every situation.

We also won't look in detail at the migration of user data, as this depends heavily on your old system.

Installation

During the installation of the UCS Master you should choose the same Windows domain name as you are currently using. It might also be advisable to use the current server name and IP address of your Samba PDC for the UCS Master. Please make sure that you are doing the installation in a separate network segment. Otherwise you might want to use a different IP and change it when moving the UCS system into productive use.

This is especially relevant if you are not using DHCP but have hard-coded fixed WINS and/or DNS servers into your clients. If you are not using the same name, you should also check whether your logon scripts contain a hard-coded server name or IP address.

Migration

All steps need to be executed on the UCS Domaincontroller Master.

  • First extract the current SID from your UCS system:
     udm settings/sambadomain list
    and find the entry SID. We will refer to this value as <oldSID>.
  • Next, find the SID of your old Samba system (<currentSID>). If you don't know the SID, you can find it on your Samba PDC using the following command:
     net sam show <windows domain>
  • Change the domain SID to that of your current system:
     /usr/share/univention-samba/set_domain_sid "<Windows Domainname>" "<currentSID>"
  • Also change the SID of all existing accounts:
     /usr/share/univention-samba/change_sid "<oldSID>" "<currentSID>"
  • Now import all users, groups and computers using the Univention Directory Manager. Use the username, POSIX ID and RID (the trailing group of the SID) from your current system. The Kerberos option should not be activated. A very simple udm call could look like the following:
     udm users/user create --position "cn=users,$(ucr get ldap/base)" --set username=<old username> --set lastname=<lastname> --set password="$(makepasswd)" \
       --set firstname=<firstname> --set sambaRID=<old rid> --set uidNumber=<old uid> \
       --option samba --option person --option posix --option mail
  • To copy the passwords, import the NT hash with ldapmodify into the attribute sambaNTPassword of the respective user. Once the hash has been set for all users, start the Kerberos key generation:
     /usr/share/univention-heimdal/kerberos_now
  • During the import, password policies are not considered. To enforce the password policies you can set the option in the UDM that forces a password change at the next login.
  • Migrate your data and printers to the new server. For the migration of the data, ensure that you transfer the ACLs as well. As Samba is backed by the POSIX usernames, it should be sufficient to transfer the POSIX rights. If you are relying on Samba's internal database, you will need to set the ACLs manually on the UCS system. Printers should be added using the UDM.
  • To go into production you must switch off your old Samba servers and reboot your Windows clients. Using NetBIOS they should detect the new servers and be able to authenticate against them.
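
The import steps above take two values per account from the old directory: the RID for --set sambaRID and the NT hash for sambaNTPassword. The following shell script is an added example, not part of the original how-to or of Univention's tooling. It assumes a whitespace-separated export "<uid> <sambaSID> <sambaNTPassword>", user DNs of the form uid=<username>,cn=users,<ldap base>, and hypothetical function names; the sample SID, names and hashes are constructed.

```shell
#!/bin/sh
# Added example, not Univention code. Input on stdin, one account per line
# (assumed format): "<uid> <sambaSID> <sambaNTPassword>".
# NT hashes are password-equivalent: keep the export and the LDIF readable
# by root only (umask 077) and delete both after the import.

# Print the RID if the SID ($1) lies directly under the domain SID ($2).
rid_of_sid() {
    [ "${1%-*}" = "$2" ] || return 1
    case ${1##*-} in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "${1##*-}"
}

# sambaNTPassword holds exactly 32 hex digits.
is_nt_hash() {
    [ "${#1}" -eq 32 ] || return 1
    case $1 in *[!0-9A-Fa-f]*) return 1 ;; esac
}

# Usage: nt_hash_ldif <currentSID> <LDAP base>
# Writes one LDIF modify record per valid user; reports the rest on stderr.
nt_hash_ldif() {
    while read -r uid sid hash; do
        [ -n "$uid" ] || continue
        case $uid in *[!A-Za-z0-9._-]*) echo "skipped (name): $uid" >&2; continue ;; esac
        if ! rid_of_sid "$sid" "$1" >/dev/null; then
            echo "skipped (SID outside domain): $uid" >&2; continue
        fi
        if ! is_nt_hash "$hash"; then
            echo "skipped (malformed hash): $uid" >&2; continue
        fi
        printf 'dn: uid=%s,cn=users,%s\nchangetype: modify\n' "$uid" "$2"
        printf 'replace: sambaNTPassword\nsambaNTPassword: %s\n\n' "$hash"
    done
}

# Constructed sample data: the SID, names and hashes are made up.
SAMPLE_SID="S-1-5-21-1111111111-2222222222-3333333333"
sample_export() {
    cat <<EOF
alice $SAMPLE_SID-1001 0123456789ABCDEF0123456789ABCDEF
bob S-1-5-21-9-9-9-1002 0123456789ABCDEF0123456789ABCDEF
carol $SAMPLE_SID-1003 not-a-hash
EOF
}

# On the UCS master the output would be piped into ldapmodify instead.
sample_export | nt_hash_ldif "$SAMPLE_SID" "dc=example,dc=com"
```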

Post Migration Tasks

After migrating your users, groups and computers to the new system, you will need to switch off your old Samba servers and move your UCS servers to the production IPs and network.

You will need to restart all Windows clients so that they complete their entries in the UCS LDAP. You should not migrate to Samba 4 before all Windows systems have been restarted and, ideally, all users have logged in once.

External Resources

These links are provided as additional information. Univention is not responsible for the content, please test for your own environment.
