Monthly Archives: November 2011

Samba domain migration (to a new machine)

This project involved migrating a Samba domain from an old server to a new server (different machine, different hardware). Versions are below:

RedHat ES 3 (old server)
Ubuntu 11.04 (new server)

Samba 3.0.9 (old version)
Samba 3.5.8 (new version)

Mostly I used these instructions:
http://www.samba.org/samba/docs/man/Samba-Guide/upgrades.html#id2600749
See the “Replacing a Domain Controller” section.

Get the SID (security identifier for the domain):

Get the SID from the old machine:
net getlocalsid > /etc/samba/my-local-SID

The contents of the file will look like this:
S-1-5-21-726309263-4128913605-1168186429

Restore the SID to the new machine:
net setlocalsid S-1-5-21-726309263-4128913605-1168186429

Files copied over from the old machine:
/etc/passwd
/etc/shadow
In the passwd and shadow files, make sure to get the user accounts and machine accounts; the machine accounts end with a $, e.g. “computername$”.
/etc/group – I don’t think this was necessary, but there may be groups you want to move

It isn’t necessary to use the entire files.
I copied the lines for users and machine accounts from old shadow and passwd and put them into the existing file on the new server. You may have to go to each workstation on the domain to get the machine names.
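The selective copy described above can be scripted so that a name or UID already present on the new server is flagged instead of being overwritten. This is an added example, not part of the original post; the function names, the sample files, and the UID 500 starting point for regular users on the old host are assumptions.

```shell
#!/bin/sh
# Added example. Assumptions: regular users on the old host start at UID 500,
# and machine accounts are recognised by the trailing "$" in the name.
umask 077   # the extracted shadow lines contain password hashes

# select_accounts OLD_PASSWD NEW_PASSWD [MIN_UID]
# Prints the account names to carry over. A name or UID that already exists
# on the new server is reported on stderr and skipped, never overwritten.
select_accounts() {
    awk -F: -v min="${3:-500}" '
        FILENAME == ARGV[1] { name[$1] = 1; uid[$3] = $1; next }  # new server
        $1 ~ /\$$/ || $3 >= min {
            if ($1 in name) { print "CONFLICT name " $1 > "/dev/stderr"; next }
            if ($3 in uid)  { print "CONFLICT uid " $3 " " $1 "/" uid[$3] > "/dev/stderr"; next }
            print $1
        }' "$2" "$1"
}

# lines_for FILE: read names on stdin, print FILE's lines for exactly those
# names. Field comparison is used because the "$" in "pc01$" is a regex anchor.
lines_for() {
    while IFS= read -r n; do
        awk -F: -v n="$n" '$1 == n' "$1"
    done
}

# Constructed sample files (not real accounts or hashes).
d=$(mktemp -d)
cat > "$d/old.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
admin:x:501:501::/home/admin:/bin/bash
pc01$:x:600:600::/dev/null:/bin/false
nfsnobody:x:65534:65534::/var/lib/nfs:/sbin/nologin
EOF
cat > "$d/old.shadow" <<'EOF'
root:$1$CONSTRUCTED$notarealhash0:15000:0:99999:7:::
alice:$1$CONSTRUCTED$notarealhash1:15000:0:99999:7:::
pc01$:!!:15000:0:99999:7:::
EOF
cat > "$d/new.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
nobody:x:65534:65534::/nonexistent:/bin/sh
EOF
select_accounts "$d/old.passwd" "$d/new.passwd" > "$d/names"
lines_for "$d/old.passwd" < "$d/names"   # review, then append to /etc/passwd
lines_for "$d/old.shadow" < "$d/names"   # review, then append to /etc/shadow
```

Resolve every CONFLICT line by hand before appending anything, and remove the temporary directory afterwards since it holds copies of shadow entries.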

Make sure the hostname of the new machine matches the old one. If you start getting weird errors after you change the hostname, check that there is a mapping for it in /etc/hosts.

The IP address doesn’t matter; it can be different.

Samba files that need to be copied over:
smb.conf – main Samba config file
secrets.tdb – stores machine account passwords
smbpasswd – stores user accounts and passwords, needs to be converted to tdbsam format “passdb.tdb”

I used pdbedit to convert the smbpasswd file to passdb.tdb (adjust your directories as needed):

pdbedit -i smbpasswd:/var/lib/samba/smbpasswd -e tdbsam:/var/lib/samba/passdb.tdb

To view which users and machine accounts made it into the new passdb.tdb file, you can run the command below. (The file is a database file and cannot be viewed directly.)
pdbedit -L

Errors you may get:

If you get these errors below:

idmap will be unable to map foreign SIDs: NT_STATUS_UNSUCCESSFUL

or

winbindd/idmap_tdb.c:341(idmap_tdb_alloc_init)
idmap will be unable to map foreign SIDs: NT_STATUS_UNSUCCESSFUL
winbindd/idmap.c:599(idmap_alloc_init)
ERROR: Initialization failed for alloc backend, deferred!
winbindd/idmap.c:201(smb_register_idmap_alloc)
idmap_alloc module tdb already registered!
winbindd/idmap.c:149(smb_register_idmap)
Idmap module passdb already registered!
winbindd/idmap.c:149(smb_register_idmap)
Idmap module nss already registered!
winbindd/idmap_tdb.c:214(idmap_tdb_load_ranges)
idmap uid missing

add:

idmap uid = 10000-15000
idmap gid = 10000-15000

to your smb.conf file and restart Samba.

I believe this sets the user and group ID mapping for machine IDs.

A problem I ran into:
The problem I ran into was finding the correct Samba files to move over. For some reason there were a couple of locations where the secrets.tdb and other files were, and I moved over the wrong files.