Topic: Proper way to migrate samba pdc from unslung NSLU to Sheeva?
odoll
« on: October 10, 2009, 05:59:52 AM »

Hi folks,

so far I use an unslung Linksys NSLU2.0 with a pen drive for the rootfs and an external HDD for my smb/cifs shares.

It acts as a file sharing device and as the primary domain controller to my handful of Windows XP Prof systems and to my family's and a few others' (<10) roaming accounts.

I now want to replace the NSLU (unslung 6.3, samba 3.2.15) with the Sheeva Plug (kernel 2.6.31.3, samba 3.3.2), but the more I read at the samba site or other forums the more confused I get about how to plan a proper migration.

Hopefully you can give me some suggestions. I'll try to give a brief insight into the current setup and the thoughts which make me struggle.

i) while I have to migrate anyway, would it be wise to move from PDC to AD (e.g. Vista/W7)?
  (or should I have this done in two steps (PDC_nslu -> PDC_sheeva -> AD_sheeva))
ii) Ubuntu uses shadow files (which the NSLU doesn't) - how do I migrate my users (and their pwds)?
iii) how should the "adduser" etc. scripts be adjusted
  (should I add the former gids and uids manually to the plug)
iv) can I work with "net rpc vampire"?
  (will it set the actual user pwds?)
v) should I expand the new smb.conf with the "pam" related stuff?
...

Here's what my current global section looks like
Code:
[global]
workgroup = MyDomain
server string = Linksys NSLU2.0
#new config should be: server string = SheevaPLug
interfaces = 127.0.0.1/24, a.b.c.d/24, ixp0, lo
#new config should be?: interfaces = eth0, lo
bind interfaces only = Yes
map to guest = Bad User
null passwords = Yes
smb passwd file = /opt/etc/samba/passdb.tdb
#new config should be: smb passwd file = /etc/samba/passdb.tdb
passdb backend = tdbsam
guest account = guest
username map = no
log level = 1
max log size = 10
name resolve order = wins bcast
socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=16384 SO_RCVBUF=16384
load printers = No
add user script = /opt/bin/adduser -H '%u'
#new config should be?: add user script = /usr/sbin/adduser '%u'
delete user script = /opt/bin/deluser '%u'
#new config should be?: delete user script = /usr/sbin/deluser '%u'
add group script = /opt/bin/addgroup '%g'
#new config should be?: add group script = /usr/sbin/addgroup '%g'
delete group script = /opt/bin/delgroup '%g'
#new config should be?: delete group script = /usr/sbin/delgroup '%g'
add user to group script = /opt/bin/addgroup '%g' '%u'
#new config should be?: add user to group script = /usr/sbin/addgroup '%g' '%u'
add machine script = /opt/bin/adduser -s /bin/false -h /dev/null '%u'
#new config should be?: add machine script = /usr/sbin/adduser -s /bin/false -h /dev/null '%u'
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
config file = /opt/etc/samba/smb.conf
#new config should be: config file = /etc/samba/smb.conf
create mask = 0775
force create mode = 0660
force directory mode = 0775
guest ok = Yes
hosts allow = 127.0.0.1, 192.168.
hosts deny = 0.0.0.0/0
default case = upper
case sensitive = No
map system = Yes
#should this below be added to the new smb.conf on the plug?
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
panic action = /usr/share/samba/panic-action %d

I noticed that my users' accounts are all in the same group gid 501 on the Slug, but that every machine has its own uid = gid!?
« Last Edit: October 10, 2009, 06:01:43 AM by odoll »

odoll
« Reply #1 on: October 12, 2009, 07:30:47 AM »

I tried to move from the NSLU to the Plug yesterday but without success.

I manually recreated all - except some empty "Schema Admin" etc. groups and users with adduser / addgroup on the Plug (same uid/gids).

Further I stopped samba on the slug and copied the files from PRIVATE_DIR: /opt/etc/samba and LOCKDIR: /opt/var/samba to the plug PRIVATE_DIR: /etc/samba and LOCKDIR: /var/run/samba.
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/install.html#tdbdocs

Though I could access the public shares I couldn't access e.g. my user's share even for read.

And I noticed that rather than seeing all user accounts I just find:

root@Share:~# pdbedit -Lv
---------------
Unix username:        nobody
[...]

still struggling ...

odoll
« Reply #2 on: October 12, 2009, 08:17:33 AM »

Oops, though I think this didn't cause the issue as I didn't reboot after copying over the files, yet.

But I noticed that per fstab /var/run is tmpfs:

varrun /var/run tmpfs rw,nosuid,mode=0755 0 0

Shouldn't I either

i) mount /var/run to the SD card
 or
ii) change the default LOCKDIR /var/run/samba compiled into the default Ubuntu Samba to another path on the SD
?!?

DamonHD
« Reply #3 on: October 12, 2009, 12:34:45 PM »

/var/run (and indeed /tmp) should be tmpfs for speed and to avoid wear on your flash/SD.

Rgds

Damon

odoll
« Reply #4 on: October 13, 2009, 04:49:27 AM »

OK, set
  lock directory = /etc/samba/locks
in smb.conf.

However, I'm still struggling, and curious why pdbedit -Lv just returns the info about the user nobody.

Created a new user to find out if i) he gets inserted and ii) which files are going to change.

As a result I found that the file sits in /var/lib/samba/passdb.tdb

though the following paths are specified

  smb passwd file = /etc/samba/passdb.tdb
  config file = /etc/samba/smb.conf

and "smbd -b | grep -i dir" says:

   SRCDIR:      /build/buildd/samba-3.3.2/source
   BUILDDIR:    /build/buildd/samba-3.3.2/source
   SBINDIR: /usr/sbin
   BINDIR: /usr/bin
   SWATDIR: /usr/share/samba/swat
   LIBDIR: /usr/lib/samba
   MODULESDIR: /usr/lib/samba
   LOCKDIR: /var/run/samba
   PIDDIR: /var/run/samba
   PRIVATE_DIR: /etc/samba

Lost! Am I using a wrong/outdated doc? (http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/install.html#tdbdocs) or are the paths returned by smbd wrong?

kilowatt
« Reply #5 on: October 13, 2009, 07:19:14 AM »

I had to run smbpasswd to get access working for my samba users.  Did you run that?

smbpasswd -a user


odoll
« Reply #6 on: October 14, 2009, 08:39:28 AM »

No I didn't.

Though I had been trapped by the /var/run vs /var/lib path issue I went ahead with another try and overcame the missing users issue, however got stuck with a logon issue.

But here's the story step by step.

After realizing that no *.tdb files should go into the path /var/run/samba on the Plug I updated my smb.conf (/etc/samba/smb.conf) as follows:

Code:
cat /etc/samba/smb.conf.new
[global]
        workgroup = MYDOMAIN
        netbios name = %h
#       server string = Linksys NSLU2.0
        server string = SheevaPlug
#       interfaces = 127.0.0.1/24, ixp0, lo
        interfaces = eth0, lo
        bind interfaces only = Yes
        map to guest = Bad User
        null passwords = Yes
#       smb passwd file = /opt/etc/samba/passdb.tdb
#       smb passwd file = /etc/samba/passdb.tdb
        passdb backend = tdbsam
        guest account = guest
        username map = no
        log level = 1
        max log size = 10
        name resolve order = wins bcast
        socket options = TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=16384 SO_RCVBUF=16384
        load printers = No
#       add user script = /opt/bin/adduser -H '%u'
#       delete user script = /opt/bin/deluser '%u'
#       add group script = /opt/bin/addgroup '%g'
#       delete group script = /opt/bin/delgroup '%g'
#       add user to group script = /opt/bin/addgroup '%g' '%u'
#       add machine script = /opt/bin/adduser -s /bin/false -h /dev/null '%u'
        add user script = /usr/sbin/useradd --create-home '%u'
        delete user script = /usr/sbin/userdel '%u'
        add group script = /usr/sbin/groupadd '%g'
        delete group script = /usr/sbin/groupdel '%g'
        add user to group script = /usr/sbin/useradd --gid '%g' '%u'
        add machine script = /usr/sbin/useradd --home /dev/null --shell /bin/false '%u'
# http://us1.samba.org/samba/docs/man/manpages-3/smb.conf.5.html
# http://www.comptechdoc.org/os/linux/manual4/smbconf.html
        domain logons = Yes
        os level = 33
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
#       config file = /opt/etc/samba/smb.conf
#       config file = /etc/samba/smb.conf
        create mask = 0775
        force create mode = 0660
        force directory mode = 0775
        guest ok = Yes
        hosts allow = 127.0.0.1, 192.168.
        hosts deny = 0.0.0.0/0
        default case = upper
        case sensitive = No
        map system = Yes
# new from here as not defined in the previous SLUGs config
        obey pam restrictions = Yes
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
        panic action = /usr/share/samba/panic-action %d
#       lock directory = /etc/samba/locks

#[ADMIN 1]
[Admin1]
        comment = access restricted
#       path = /share/hdd/data/
        path = /
        valid users = @administrators
        write list = @administrators

#[DISK 1]
#       comment = access restricted
#       path = /share/hdd/data/public/
#       valid users = @administrators
#       write list = @administrators

#[ADMIN 2]
[Admin2]
        comment = access restricted
#       path = /share/flash/data/
        path = /mnt/sda1/
        valid users = @administrators
        write list = @administrators

[Video]
        comment = public RO
#       path = /share/flash/data/video/
        path = /mnt/sda1/video/
        valid users = @administrators, @everyone
        write list = @administrators

[Music]
        comment = public RO
#       path = /share/flash/data/music/
        path = /mnt/sda1/music/
        valid users = @administrators, @everyone
        write list = @administrators

[Pictures]
        comment = public RO
#       path = /share/flash/data/pictures/
        path = /mnt/sda1/pictures/
        valid users = @administrators, @everyone
        write list = @administrators

#[DISK 2]
[Public]
        comment = public RW
#       path = /share/flash/data/public/
        path = /mnt/sda1/public/
        valid users = @administrators, @everyone
        write list = @administrators, @everyone

[Software]
        comment = public RO
#       path = /share/flash/data/software/
        path = /mnt/sda1/software/
        valid users = @administrators, @everyone
        write list = @administrators

[bd]
        comment = User bd
#       path = /share/flash/data/bd/
        path = /mnt/sda1/bd/
        valid users = @administrators, @bd
        write list = @administrators, @bd

[hw]
        comment = User hw
#       path = /share/flash/data/hw/
        path = /mnt/sda1/hw/
        valid users = @administrators, @hw, @wedo
        write list = @administrators, @hw, @wedo

[md]
        comment = User md
#       path = /share/flash/data/md/
        path = /mnt/sda1/md/
        valid users = @administrators, @md
        write list = @administrators, @md

[od]
        comment = User od
#       path = /share/flash/data/od/
        path = /mnt/sda1/od/
        valid users = @administrators, @od
        write list = @administrators, @od

[so]
        comment = User so
#       path = /share/flash/data/so/
        path = /mnt/sda1/so/
        valid users = @administrators, @so
        write list = @administrators, @so

[ssd]
        comment = User ssd
#       path = /share/flash/data/ssd/
        path = /mnt/sda1/ssd/
        valid users = @administrators, @ssd
        write list = @administrators, @ssd

[td]
        comment = User td
#       path = /share/flash/data/td/
        path = /mnt/sda1/td/
        valid users = @administrators, @td
        write list = @administrators, @td
Thus I shut down samba on the NSLU and copied the files to the Plug

  scp share:/opt/etc/samba/*.tdb /var/lib/samba/.
  scp share:/opt/var/samba/*.tdb /var/lib/samba/.

Replaced the smb.conf on the Plug

  cp /etc/samba/smb.conf.new /etc/samba/smb.conf

Shut down the NSLU and attached the external USB-HDD to the Plug

  mount /dev/sda1 /mnt/sda1

and started nmbd and smbd on the Plug.

Hurrah! I, as user od (also in group administrators), can access all shares as expected.

Woke up my daughter's PC from hibernation (she was logged in already) and yes, her drive Z: mapped to \\share\md is still there and accessible.

She can also see all other shares, but as expected she can only access the ones defined as such
 
Now the sad part starts: I logged her off, but when she rebooted and tried to log on again I got a message that some permissions may be wrong and that I should contact the admin (what the h**l, I'm the bloody admin and I have no clue ;-))

Nevertheless the logon continues and Z: is mapped as it should be, but as something isn't working as it should be I had to revert to the old setup and fire off the NSLU again ...

odoll
« Reply #7 on: October 14, 2009, 08:52:01 AM »

PS: BTW I also got the following error message:

root@Share:~# net rpc info
Domain Name: MYDOMAIN
Domain SID: S-1-5-352321536-2717123682-xxxx
Sequence number: 125xxxxx
Num users: 10
Num domain groups: 0
Num local groups: 0

root@Share:~# net rpc user
Connection to localhost failed (Error NT_STATUS_BAD_NETWORK_NAME)

??

I wasn't aware that it's such a hassle to migrate a PDC to another device and I'm nearly considering giving up and starting from scratch, meaning:

  returning to my pre migration attempts SD-card image (luckily I made one)

  leaving the existing domain with all PCs
  deleting all (roaming) profiles on all PCs

  just putting the adapted smb.conf in place on the plug
  attaching the usb-drive to the plug

  firing up samba on the plug
  joining all PCs to the domain again
  recreating the user accounts again

  hope that the users' profiles/config still stored on the usb-drive (/mnt/sda1/<user>/profile) will still work when the users log in the first time ...
 

odoll
« Reply #8 on: October 18, 2009, 06:41:06 AM »

While trying to add the former Windows domain groups as spelled before

  root@Share:~# groupadd "Domain Users"
  groupadd: Domain Users is not a valid group name

re the above error message I ran into the following hint http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/groupmapping.html

So I added a mapping

  root@Share:/var/lib# net groupmap add ntgroup="Domain Admins" unixgroup="Domain_Admins" rid=512 type=d
  Successfully added group Domain Admins to the mapping db as a domain group
  root@Share:/var/lib# net groupmap add ntgroup="Domain Users" unixgroup="Domain_Users" rid=513 type=d
  Successfully added group Domain Users to the mapping db as a domain group
  root@Share:/var/lib# net groupmap add ntgroup="Domain Guests" unixgroup="Domain_Guests" rid=514 type=d
  Successfully added group Domain Guests to the mapping db as a domain group
  root@Share:/var/lib# net groupmap add ntgroup="Domain Computers" unixgroup="Domain_Computers" rid=515 type=d
  Successfully added group Domain Computers to the mapping db as a domain group

  root@Share:/var/lib# net groupmap list
  Domain Users (S-1-5-352321536-2717123682-1120367698-xxxx-513) -> Domain_Users
  Domain Guests (S-1-5-352321536-2717123682-1120367698-xxxx-514) -> Domain_Guests
  Domain Computers (S-1-5-352321536-2717123682-1120367698-xxxx-515) -> Domain_Computers
  Domain Admins (S-1-5-352321536-2717123682-1120367698-xxxx-512) -> Domain_Admins

At least the info shows now

  root@Share:/var/lib# net rpc info
  Enter root's password:
  Domain Name: MYDOMAIN
  Domain SID: S-1-5-21-1644491937-1383384898-xxxx
  Sequence number: 125xxxxx
  Num users: 10
  Num domain groups: 9
  Num local groups: 3

I think a step into the right direction, but error

 "The roaming user profile was not loaded. You will be logged on with a local user profile. Changes to the profile will not be copied to the server after logoff. The profile was not loaded because an existing server copy of the profile folder does not have the correct security settings. Either the current user or the Administrators group must be the owner of this folder. Contact your network administrator."

persists. I'm also confused why the Domain SID differs from the one in my previous post, though all files have just been copied from the NSLU to the Plug?
« Last Edit: October 18, 2009, 06:44:45 AM by odoll »
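The two problems in this post, a Unix group name that groupadd rejects and a domain SID that no longer matches the old server, lend themselves to a small generator-and-check script. This is an added example, not code from the thread or from the Samba project: it derives the Unix group names and the `net groupmap add` commands for the four well-known domain RIDs (512 to 515, fixed by the NT domain model), prints them for review instead of running them, and compares the "Domain SID:" line of two `net rpc info` captures. The two captures and their SID values are constructed placeholders, not the thread's real SID.

```shell
#!/bin/sh
# Added example, not from the thread: generate well-known group mappings and
# check that old and new servers report the same domain SID.
# OLD_INFO / NEW_INFO are constructed captures with placeholder SIDs.

OLD_INFO='Domain Name: MYDOMAIN
Domain SID: S-1-5-21-111111111-222222222-333333333
Sequence number: 125000000
Num users: 10'

NEW_INFO='Domain Name: MYDOMAIN
Domain SID: S-1-5-21-444444444-555555555-666666666
Sequence number: 125000000
Num users: 10'

# Well-known RIDs of the built-in domain groups.
wellknown_rid() {
    case "$1" in
        'Domain Admins')    echo 512 ;;
        'Domain Users')     echo 513 ;;
        'Domain Guests')    echo 514 ;;
        'Domain Computers') echo 515 ;;
        *) return 1 ;;
    esac
}

# groupadd rejects spaces, so derive the Unix name by replacing them with "_".
unix_group_name() {
    printf '%s\n' "$1" | tr ' ' '_'
}

# Emit the `net groupmap add` command for one NT group.
groupmap_cmd() {
    rid=$(wellknown_rid "$1") || return 1
    printf 'net groupmap add ntgroup="%s" unixgroup="%s" rid=%s type=d\n' \
        "$1" "$(unix_group_name "$1")" "$rid"
}

# Emit a full script: create each Unix group if missing, then map it.
# Printed rather than executed, so it can be reviewed before running as root.
emit_groupmap_script() {
    for nt in 'Domain Admins' 'Domain Users' 'Domain Guests' 'Domain Computers'; do
        ug=$(unix_group_name "$nt")
        printf 'getent group %s >/dev/null || groupadd %s\n' "$ug" "$ug"
        groupmap_cmd "$nt"
    done
}

# Extract the "Domain SID:" value from `net rpc info` output passed as $1.
domain_sid() {
    printf '%s\n' "$1" | sed -n 's/^ *Domain SID: *//p'
}

# User, group and machine SIDs all hang off the domain SID, so a mismatch
# between old and new server invalidates every existing domain membership.
compare_domain_sids() {
    old=$(domain_sid "$1")
    new=$(domain_sid "$2")
    if [ -n "$old" ] && [ "$old" = "$new" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

emit_groupmap_script
echo "domain SID check: $(compare_domain_sids "$OLD_INFO" "$NEW_INFO")"
```

Run against the constructed captures the SID check reports MISMATCH, which is the state this post describes; the next post resolves it with `net rpc getsid`, after which both servers report the same SID and the check returns match. Running the comparison before any client logs on is the cheap way to catch the mismatch, since the symptom on the Windows side (the profile-ownership error quoted above) is far less specific.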

odoll
« Reply #9 on: October 18, 2009, 09:53:12 AM »

Success, I think I got it. At least no obvious errors. Users can log on & log off properly and much faster than with the NSLU.

I wanted to give up and planned to add all users' SIDs manually, but after I just ran

  net rpc getsid

suddenly the Domain's and all users' SID on the Plug match with the ones on the active NSLU

  root@Share:/etc/samba# net rpc info
  Enter root's password:
  Domain Name: MYDOMAIN
  Domain SID: S-1-5-21-1644491937-1383384898-xxxx
  Sequence number: 125xxxxx
  Num users: 10
  Num domain groups: 4
  Num local groups: 0

  root@Share:/etc/samba# net groupmap list
  Domain Guests (S-1-5-21-1644491937-1383384898-xxxx-514) -> Domain_Guests
  Domain Computers (S-1-5-21-1644491937-1383384898-xxxx8-515) -> Domain_Computers
  Domain Admins (S-1-5-21-1644491937-1383384898-xxxx-512) -> Domain_Admins
  Domain Users (S-1-5-21-1644491937-1383384898-xxxx-513) -> Domain_Users

As a final test I'll have to reboot the SheevaPlug to see if everything comes up by default. If so I'll make a snapshot of the SD card ;-)

odoll
« Reply #10 on: October 18, 2009, 12:02:06 PM »

Logging on & off with roaming profiles, and acting as a network file share, seem to work for existing machines and users.

However there's something odd still though I haven't figured where it might cause issues

  root@Share:~# net rpc info
  Unable to find a suitable server for domain MYDOMAIN

I added the Plug itself to the domain

  net rpc join -S Share

but this didn't make a difference, nor did increasing the

  os level = 65

from 33 in the smb.conf ...

odoll
« Reply #11 on: October 25, 2009, 12:14:37 AM »

I accidentally still had the pre-migration IP address in the cache file wins.dat. After deleting (renaming) the file the Plug comes up properly as the primary DC.
