Migrate Existing Samba 3 Installations to UCS 4 with Samba 3
From Univention Wiki
Existing Samba/LDAP environments can be transferred script-based to UCS 4 with Samba 3 without the user noticing the migration. The following how-to shows the steps necessary for success. Please note that this how-to is not compatible with a direct migration to Samba 4, you will need to move your users first to Samba 3 following this guide and then follow the guide Update to UCS 4.0 Samba 4 . Please also note, that this how-to might not be fit for any particular situation.
We also won't look in detail into the migration of the user data as this highly depends on your old system.
During the installation of the UCS Master, you should choose the same Windows domain name as you are currently using. Please do not install any additional software. All further software can later be added through the App Center.
It is also advisable to use the current server name and IP address of your Samba PDC for the UCS-Master. Please make sure, that you are doing the installation in a separate network segment. Else you might want to use a different IP and change it when moving the UCS system into productive use but before migrating to Samba 4.
Using the same name and IP becomes especially of concern if you are not using DHCP but coded fixed WINS or DNS Server into your Clients. If you are not using the same name, you should check your logon scripts whether it contains hardcoded a server name or IP address. Please note, that if you are moving to a multi-server Samba 4 installation, it might be a good time to replace hardcoded names and IPs with variables in any case.
All steps need to be executed on the UCS Domaincontroller Master.
- First install Samba 3 on the Current Master:
- Then extract the current SID from your UCS System:
univention-ldapsearch -LLL univentionObjectType=settings/sambadomain sambaSIDand find the entry sambaSID. We will refer to this entry with the tag <oldSID>
- Further you need to find the SID of your old Samba Systems (<currentSID>). If you don't know the SID you can find it on your Samba PDC using the following command:
net sam show <windows domain>
- Change the SID to the one of your current System
/usr/share/univention-samba/set_domain_sid "<Windows Domainname>" "<currentSID>"
- Also change the SID of all existing accounts:
/usr/share/univention-samba/change_sid "<oldSID>" "<currentSID>"
- Now import all users, groups and computers using the Univention Directory Manager. Thereby you should use the username, Posix-ID and RID, tailing group of the SID, from your current Systems. The Kerberos-Option should thereby not be activated. A very simple udm call could look like the following:
udm users/user create --position cn=users,$(ucr get ldap/base) --set username=<old username> --set lastname=<lastname> --set password=$(makepasswd) \ --set firstname=<firstname> --set sambaRID=<old rid> --set uidNumber=<old uid> \ --option samba --option person --option posix --option mail
- To copy the password import the NT Hash using an ldapmodify on the entry sambaNTPassword of the respective user. When having set the hash for all users start the Kerberos key generation:
- During the import password policies are not considered. To enforce the password policies you can set the option to force a password change at the next login in the UDM.
- Migrate your Data and Printers to the new server. For the migration of the data ensure that you transfer the ACLs as well. As Samba is backed up by the Posix usernames it should be sufficient to transfer its rights. If you are relying on Sambas internal database you will need to set the ACLs manually on the UCS System. Printers should be added using the UDM
- To go productive you must switch off your old Samba servers and reboot your windows clients. Using NETBIOS they should detect the new servers and be able to authenticate against them.
Post Migration Tasks
After migrating your users, groups and computers to the new system you will need to switch off your old Samba Servers and migrate your UCS Servers to the productive IPs and Network.
You will need to restart all Windows clients to have them complete their entries in the UCS LDAP. You should not migrate to Samba 4 before having restarted all Windows Systems and, in the best case, have all users logged in once.
These links are provided as additional information. Univention is not responsible for the content, please test for your own environment.
- Script to import Samba3 LDAP objects to UCS https://github.com/dansan/Samba3toUCS