
How to migrate Zimbra Samba PDC to Samba 4 AD DC

Intro

I had to migrate an old CentOS 5 with Zimbra Samba PDC to a CentOS 7 Samba 4 AD DC.

This how-to is closely tied to my specific source server configuration, but I hope it will help others migrate their own Zimbra Samba PDC.

Configuration

From Source Server (CentOS 5.11)

Server preparation

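If you don't have it, reset the Samba LDAP admin password (smbpasswd -w stores it in secrets.tdb; a password typed on the command line also ends up in the shell history, so clear that entry afterwards)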

root@host:~# smbpasswd -w SMBpass

Disable services

root@host:~# service iptables stop
root@host:~# /etc/init.d/smb stop

IP address modification

root@host:~# sed -i 's/201/101/' /var/named/rev-192.168.10.hosts
root@host:~# sed -i 's/192.168.10.201/192.168.10.101/' /var/named/shebangthedolphins.net.hosts
root@host:~# /etc/init.d/named restart

/etc/resolv.conf

search shebangthedolphins.net
nameserver 192.168.10.101
domain shebangthedolphins.net

/etc/sysconfig/network-scripts/ifcfg-eth0

IPADDR=192.168.10.101
root@host:~# /etc/init.d/network restart

/etc/hosts

192.168.10.101          zimbra.shebangthedolphins.net zimbra
root@host:~# reboot

From Destination Server (CentOS 7)

Server preparation

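Disable services (the firewall is switched off here to simplify the migration; once the domain controller works, re-enable it with only the AD DC ports opened)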

root@host:~# systemctl stop firewalld.service; systemctl disable firewalld

install packages

root@host:~# yum install vim screen ntp

Network configuration

/etc/sysconfig/network-scripts/ifcfg-ens160

TYPE="Ethernet"
PROXY_METHOD="none"
BROWSER_ONLY="no"
BOOTPROTO="static"
IPADDR=192.168.10.201
NETMASK=255.255.255.0
DEFROUTE="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens160"
UUID="45419305-2ae8-4963-af8f-899a86934156"
DEVICE="ens160"
ONBOOT="yes"
GATEWAY=192.168.10.1
DNS1=192.168.10.201
DNS2=10.0.0.1
root@host:~# systemctl restart network.service

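Download and install Samba AD DC

Before building, check the download against the detached GPG signature published next to it on download.samba.org (samba-4.1.23.tar.asc, made over the uncompressed .tar). Run ./configure and make from inside the extracted samba-4.1.23 directory.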

root@host:~# yum install perl gcc libacl-devel libblkid-devel gnutls-devel readline-devel python-devel gdb pkgconfig krb5-workstation zlib-devel setroubleshoot-server libaio-devel setroubleshoot-plugins policycoreutils-python libsemanage-python setools-libs-python setools-libs popt-devel libpcap-devel sqlite-devel libidn-devel libxml2-devel libacl-devel libsepol-devel libattr-devel keyutils-libs-devel cyrus-sasl-devel cups-devel bind-utils libxslt docbook-style-xsl openldap-devel pam-devel bzip2 vim wget -y
root@host:~# wget https://download.samba.org/pub/samba/stable/samba-4.1.23.tar.gz
root@host:~# tar xzvf samba-4.1.23.tar.gz
root@host:~# ./configure --with-systemd
root@host:~# make && make install

Add samba programs to $PATH

root@host:~# echo 'pathmunge /usr/local/samba/bin/:/usr/local/samba/sbin/:$PATH' >> /etc/profile.d/samba.sh
root@host:~# chmod +x /etc/profile.d/samba.sh
root@host:~# . /etc/profile

resolv.conf

search shebangthedolphins.net
nameserver 192.168.10.101
nameserver 192.168.10.201

/etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.201 samba4 samba4.shebangthedolphins.net
192.168.10.101 zimbra.shebangthedolphins.net zimbra

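Copy the Samba files (the target directory will hold password hashes and domain secrets such as shadow, secrets.tdb and passdb.tdb: keep /home/user/dbdir readable by root only and remove it once the migration is finished)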

root@host:~# scp -r 192.168.10.101:/var/lib/samba/wins.dat /home/user/dbdir/
root@host:~# scp -r 192.168.10.101:/etc/passwd /home/user/dbdir/
root@host:~# scp -r 192.168.10.101:/etc/shadow /home/user/dbdir/
root@host:~# scp -r 192.168.10.101:/etc/samba/smb.conf /home/user/dbdir/
root@host:~# scp -r 192.168.10.101:/var/lib/samba/secrets.tdb /home/user/dbdir/
root@host:~# scp -r 192.168.10.101:/var/lib/samba/schannel_store.tdb /home/user/dbdir/
root@host:~# scp -r 192.168.10.101:/var/lib/samba/passdb.tdb /home/user/dbdir/
root@host:~# scp -r 192.168.10.101:/var/lib/samba/gencache_notrans.tdb /home/user/dbdir/
root@host:~# scp -r 192.168.10.101:/var/lib/samba/group_mapping.ldb /home/user/dbdir/
root@host:~# scp -r 192.168.10.101:/var/lib/samba/account_policy.tdb /home/user/dbdir/

/home/user/dbdir/smb.conf

 netbios name = SAMBA4
 ldap admin dn = cn=config
 passdb backend = ldapsam:ldap://192.168.10.101/

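/etc/passwd and /etc/shadow (back up both files before appending to them; the entries added here are deleted again after the migration)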

root@host:~# grep Work /home/user/dbdir/passwd >> /etc/passwd
root@host:~# grep '$:' /home/user/dbdir/shadow >> /etc/shadow
root@host:~# grep -v "Workstation" /home/user/dbdir/passwd | grep ".*\..*:x" >> /etc/passwd
root@host:~# grep "^[a-z].*\..*[a-z]:" /home/user/dbdir/shadow >> /etc/shadow

From Source Server (CentOS 5.11)

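Delete the computer accounts that exist only in the LDAP database (review /tmp/ldap_supp.ldiff before running ldapmodify, since every entry listed in it is deleted)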

root@host:~# ldapsearch -h 192.168.10.101 -xWD 'uid=zimbra,cn=admins,cn=zimbra' | grep "ou=machines,dc=shebangthedolphins,dc=net" | sed 's/.*uid=\(.*\),ou.*/\1/' |tr '[:lower:]' '[:upper:]' | sort > /tmp/ldap
root@host:~# grep orks /etc/passwd | awk -F: '{print $1}' |tr '[:lower:]' '[:upper:]' | sort > /tmp/etc_passwd
root@host:~# for i in $(diff /tmp/ldap /tmp/etc_passwd | grep -v MACHINES | grep -E "^< " | sed 's/< //'); do echo dn: uid="$i",ou=machines,dc=shebangthedolphins,dc=net >> /tmp/ldap_supp.ldiff;  echo changetype: delete >> /tmp/ldap_supp.ldiff; echo >> /tmp/ldap_supp.ldiff; done
root@host:~# ldapmodify -xWD 'uid=zimbra,cn=admins,cn=zimbra' -f /tmp/ldap_supp.ldiff

From Destination Server (CentOS 7)

/etc/krb5.conf (comment out the includedir line)

#includedir /etc/krb5.conf.d/

Start migration process

root@host:~# /usr/local/samba/bin/samba-tool domain classicupgrade --dbdir=/home/user/dbdir/ --use-xattrs=auto --realm=shebangthedolphins.net --dns-backend=SAMBA_INTERNAL /home/user/dbdir/smb.conf

Edit /usr/local/samba/etc/smb.conf

server role = active directory domain controller
dns forwarder = 192.168.10.254
# manage fr charset
unix charset = ISO8859-1
dos charset = 850
# server name alias (if the oldname is needed to be used)
netbios aliases = OLDNAME
# folders are hidden if users don't have rights
access based share enum = Yes

Copy krb5.conf

cp /usr/local/samba/private/krb5.conf /etc/krb5.conf

From Source Server (CentOS 5.11)

Stop the server

root@host:~# poweroff

From Destination Server (CentOS 7)

/etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.10.201 samba4 samba4.shebangthedolphins.net

Delete the user and computer accounts that were added to /etc/passwd and /etc/shadow for the migration

start samba

root@host:~# samba

create a systemd entry

root@host:~# touch /etc/systemd/system/samba-ad-dc.service
[Unit]
Description=Samba Active Directory Domain Controller
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
ExecStart=/usr/local/samba/sbin/samba -D
PIDFile=/usr/local/samba/var/run/samba.pid
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target
root@host:~# systemctl daemon-reload
root@host:~# systemctl enable samba-ad-dc

Define administrator domain password

root@host:~# samba-tool user setpassword administrator

Check your samba health

root@host:~# smbclient -L localhost -U%
root@host:~# smbclient //localhost/netlogon -UAdministrator -c 'ls'
root@host:~# host -t SRV _ldap._tcp.shebangthedolphins.net. 127.0.0.1
root@host:~# host -t SRV _kerberos._udp.shebangthedolphins.net. 127.0.0.1
root@host:~# host -t A samba4.shebangthedolphins.net. 127.0.0.1
root@host:~# reboot
root@host:~# kinit administrator
root@host:~# klist

Database check

root@host:~# samba-tool dbcheck --cross-ncs --fix

Upgrade to 4.7.7 (extract the tarball and run the build from inside the extracted samba-4.7.7 directory)

root@host:~# wget https://download.samba.org/pub/samba/stable/samba-4.7.7.tar.gz
root@host:~# systemctl stop samba-ad-dc
root@host:~# ./configure --with-systemd
root@host:~# make && make install
root@host:~# systemctl start samba-ad-dc
root@host:~# samba-tool dbcheck --cross-ncs --fix

Allow the Linux server to resolve AD DC accounts (winbind NSS)

root@host:~# ln -s /usr/local/samba/lib/libnss_winbind.so.2 /lib64/
root@host:~# ln -s /lib64/libnss_winbind.so.2 /lib64/libnss_winbind.so
root@host:~# ldconfig
/etc/nsswitch.conf

passwd:     files sss winbind
shadow:     files sss
group:      files sss winbind
root@host:~# net rpc rights grant "SHEBANGTHEDOLPHINS\Domain Admins" SeDiskOperatorPrivilege -U "SHEBANGTHEDOLPHINS\administrator"
root@host:~# net rpc rights list privileges SeDiskOperatorPrivilege -U "SHEBANGTHEDOLPHINS\administrator"

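Set shares (chmod -R 0770 gives every member of Domain Users full read/write access to everything under /samba and marks all files executable; tighten the permissions per share afterwards if that is broader than intended)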

root@host:~# chown -R root:"Domain Users" /samba
root@host:~# chmod -R 0770 /samba
root@host:~# getfacl /samba
root@host:~# grep -E "\[|path|read" /home/user/dbdir/smb.conf >> /usr/local/samba/etc/smb.conf
root@host:~# for i in $(grep path /home/user/dbdir/smb.conf | grep -vE "^logon|netlogon|/var/spool/samba|disables" | sed 's/^M//' | awk '{ print $3 }'); do mkdir -v "$i" ; done
root@host:~# smbcontrol all reload-config

References

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
