How to migrate Zimbra Samba PDC to Samba 4 AD DC

Intro

I had to migrate an old CentOS 5 server running a Zimbra Samba PDC to a CentOS 7 server running a Samba 4 AD DC.

This how-to is closely tied to my specific source server configuration, but I hope it will help with migrating other Zimbra Samba PDCs.

Configuration

From Source Server (CentOS 5.11)

Server preparation

If you do not know the Samba LDAP admin password, reset it (note that the password is passed on the command line and will be recorded in the shell history)

root@host:~# smbpasswd -w SMBpass

Disable services

root@host:~# service iptables stop
root@host:~# /etc/init.d/smb stop

IP address modification

  • Change the records on your DNS server (here a BIND/named server)
  • root@host:~# sed -i 's/201/101/' /var/named/rev-192.168.10.hosts
    root@host:~# sed -i 's/192.168.10.201/192.168.10.101/' /var/named/shebangthedolphins.net.hosts
    root@host:~# /etc/init.d/named restart

    /etc/resolv.conf

    search shebangthedolphins.net
    nameserver 192.168.10.101
    domain shebangthedolphins.net
    

    Disable services

    root@host:~# service iptables stop
    root@host:~# /etc/init.d/smb stop

    /etc/sysconfig/network-scripts/ifcfg-eth0

  • Modify the IP address
  • IPADDR=192.168.10.101
    root@host:~# /etc/init.d/network restart

    /etc/hosts

    192.168.10.101          zimbra.shebangthedolphins.net zimbra
    root@host:~# reboot

    From Destination Server (CentOS 7)

    Server preparation

    Disable services

    root@host:~# systemctl stop firewalld.service; systemctl disable firewalld

    Install packages

    root@host:~# yum install vim screen ntp

    Network configuration

  • Edit /etc/sysconfig/network-scripts/ifcfg-ens160
  • root@host:~# TYPE="Ethernet"
    PROXY_METHOD="none"
    BROWSER_ONLY="no"
    BOOTPROTO="static"
    IPADDR=192.168.10.201
    NETMASK=255.255.255.0
    DEFROUTE="yes"
    IPV4_FAILURE_FATAL="no"
    IPV6INIT="yes"
    IPV6_AUTOCONF="yes"
    IPV6_DEFROUTE="yes"
    IPV6_FAILURE_FATAL="no"
    IPV6_ADDR_GEN_MODE="stable-privacy"
    NAME="ens160"
    UUID="45419305-2ae8-4963-af8f-899a86934156"
    DEVICE="ens160"
    ONBOOT="yes"
    GATEWAY=192.168.10.1
    DNS1=192.168.10.201
    DNS2=10.0.0.1
  • Restart network service
  • root@host:~# systemctl restart network.service

    Download and install Samba AD DC

    root@host:~# yum install perl gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils libxslt docbook-style-xsl openldap-devel pam-devel bzip2 vim wget -y
    root@host:~# wget https://download.samba.org/pub/samba/stable/samba-4.1.23.tar.gz
    root@host:~# tar xzvf samba-4.1.23.tar.gz
    root@host:~# ./configure --with-systemd
    root@host:~# make && make install
    

    Add the Samba programs to $PATH

    root@host:~# echo 'pathmunge /usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH' >> /etc/profile.d/samba.sh
    root@host:~# chmod +x /etc/profile.d/samba.sh
    root@host:~# . /etc/profile

    resolv.conf

    search shebangthedolphins.net
    nameserver 192.168.10.101
    nameserver 192.168.10.201

    /etc/hosts

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.10.201 samba4 samba4.shebangthedolphins.net
    192.168.10.101 zimbra.shebangthedolphins.net zimbra

    Copy the Samba files (the copies include /etc/shadow and secrets.tdb, so /home/user/dbdir/ should be readable by root only)

    root@host:~# scp -r 192.168.10.101:/var/lib/samba/wins.dat /home/user/dbdir/
    scp -r 192.168.10.101:/etc/passwd /home/user/dbdir/
    scp -r 192.168.10.101:/etc/shadow /home/user/dbdir/
    scp -r 192.168.10.101:/etc/samba/smb.conf /home/user/dbdir/
    scp -r 192.168.10.101:/var/lib/samba/secrets.tdb /home/user/dbdir/
    scp -r 192.168.10.101:/var/lib/samba/schannel_store.tdb /home/user/dbdir/
    scp -r 192.168.10.101:/var/lib/samba/passdb.tdb /home/user/dbdir/
    scp -r 192.168.10.101:/var/lib/samba/gencache_notrans.tdb /home/user/dbdir/
    scp -r 192.168.10.101:/var/lib/samba/group_mapping.ldb /home/user/dbdir/
    scp -r 192.168.10.101:/var/lib/samba/account_policy.tdb /home/user/dbdir/

    /home/user/dbdir/smb.conf

     netbios name = SAMBA4
     ldap admin dn = cn=config
     passdb backend = ldapsam:ldap://192.168.10.101/

    /etc/passwd and /etc/shadow

  • Add users and workstations to /etc/passwd and /etc/shadow
  • root@host:~# grep Work /home/user/dbdir/passwd >> /etc/passwd
    grep '$:' /home/user/dbdir/shadow >> /etc/shadow
    grep -v "Workstation" /home/user/dbdir/passwd | grep ".*\..*:x" >> /etc/passwd
    grep "^[a-z].*\..*[a-z]:" /home/user/dbdir/shadow >> /etc/shadow

    From Source Server (CentOS 5.11)

    Delete the computers that exist only in the LDAP database

  • Get the LDAP computer list
  • root@host:~# ldapsearch -h 192.168.10.101 -xWD 'uid=zimbra,cn=admins,cn=zimbra' | grep "ou=machines,dc=shebangthedolphins,dc=net" | sed 's/.*uid=\(.*\),ou.*/\1/' |tr '[:lower:]' '[:upper:]' | sort > /tmp/ldap
  • Get the /etc/passwd computer list
  • root@host:~# grep orks /etc/passwd | awk -F: '{print $1}' |tr '[:lower:]' '[:upper:]' | sort > /tmp/etc_passwd
  • Delete the computers that exist only in the LDAP database
  • root@host:~# for i in $(diff /tmp/ldap /tmp/etc_passwd | grep -v MACHINES | grep -E "^< " | sed 's/< //'); do echo dn: uid="$i",ou=machines,dc=shebangthedolphins,dc=net >> /tmp/ldap_supp.ldiff;  echo changetype: delete >> /tmp/ldap_supp.ldiff; echo >> /tmp/ldap_supp.ldiff; done
    root@host:~# ldapmodify -xWD 'uid=zimbra,cn=admins,cn=zimbra' -f /tmp/ldap_supp.ldiff

    From Destination Server (CentOS 7)

  • In /etc/krb5.conf, comment out the line:
  • #includedir /etc/krb5.conf.d/

    Start migration process

    root@host:~# /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/home/user/dbdir/ --use-xattrs=auto --realm=shebangthedolphins.net --dns-backend=SAMBA_INTERNAL /home/user/dbdir/smb.conf

    Edit /usr/local/samba/etc/smb.conf

    server role = active directory domain controller
    dns forwarder = 192.168.10.254
    # manage fr charset
    unix charset = ISO8859-1
    dos charset = 850
    # server name alias (if the old name still needs to be usable)
    netbios aliases = OLDNAME
    # folders are hidden if the user does not have rights on them
    access based share enum = Yes

    Copy krb5.conf

    cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

    From Source Server (CentOS 5.11)

    Stop the server

    root@host:~# poweroff

    From Destination Server (CentOS 7)

    /etc/hosts

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.10.201 samba4 samba4.shebangthedolphins.net

    Delete the migrated accounts and computers from /etc/passwd and /etc/shadow

    Start Samba

    root@host:~# samba

    Create a systemd unit

    root@host:~# touch /etc/systemd/system/samba-ad-dc.service
    [Unit]
    Description=Samba Active Directory Domain Controller
    After=network.target remote-fs.target nss-lookup.target
    
    [Service]
    Type=forking
    ExecStart=/usr/local/samba/sbin/samba -D
    PIDFile=/usr/local/samba/var/run/samba.pid
    ExecReload=/bin/kill -HUP $MAINPID
    
    [Install]
    WantedBy=multi-user.target
    root@host:~# systemctl daemon-reload
    root@host:~# systemctl enable samba-ad-dc

    Set the domain Administrator password

    root@host:~# samba-tool user setpassword administrator

    Check your Samba health

    root@host:~# smbclient -L localhost -U%
    root@host:~# smbclient //localhost/netlogon -UAdministrator -c 'ls'
    root@host:~# host -t SRV _ldap._tcp.shebangthedolphins.net. 127.0.0.1
    root@host:~# host -t SRV _kerberos._udp.shebangthedolphins.net. 127.0.0.1
    root@host:~# host -t A samba4.shebangthedolphins.net. 127.0.0.1
    root@host:~# reboot
    root@host:~# kinit administrator
    root@host:~# klist

    Database check

    root@host:~# samba-tool dbcheck --cross-ncs --fix

    Upgrade to 4.7.7

    root@host:~# wget https://download.samba.org/pub/samba/stable/samba-4.7.7.tar.gz
    root@host:~# systemctl stop samba-ad-dc
    root@host:~# ./configure --with-systemd
    root@host:~# make && make install
    root@host:~# systemctl start samba-ad-dc
    root@host:~# samba-tool dbcheck --cross-ncs --fix

    Allow the Linux system to resolve AD DC accounts

    root@host:~# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
    root@host:~# ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
    root@host:~# ldconfig
  • /etc/nsswitch.conf
  • passwd:     files sss winbind
    shadow:     files sss
    group:      files sss winbind
    root@host:~# net rpc rights grant "SHEBANGTHEDOLPHINS\Domain Admins" SeDiskOperatorPrivilege -U "SHEBANGTHEDOLPHINS\administrator"
    root@host:~# net rpc rights list privileges SeDiskOperatorPrivilege -U "SHEBANGTHEDOLPHINS\administrator"

    Set up the shares

    root@host:~# chown -R root:"Domain Users" /samba
    root@host:~# chmod -R 0770 /samba
    root@host:~# getfacl /samba
    root@host:~# grep -E "\[|path|read" /home/user/dbdir/smb.conf >> /usr/local/samba/etc/smb.conf
    root@host:~# for i in $(grep path /home/user/dbdir/smb.conf | grep -vE "^logon|netlogon|/var/spool/samba|disables" | sed 's/^M//' | awk '{ print $3 }'); do mkdir -v "$i" ; done
    root@host:~# smbcontrol all reload-config

    References

    Licence Creative Commons
    This website http://shebangthedolphins.net is licensed to the public under a licence Creative Commons Attribution licence.
    Contact :