Section 8.2. Upgrading from Samba 1.x and 2.x to Samba-3


8.2. Upgrading from Samba 1.x and 2.x to Samba-3

Sites that are being upgraded from Samba-2 (or earlier versions) to Samba-3 may experience little difficulty or may require a lot of effort, depending on the complexity of the configuration. Samba-1.9.x upgrades to Samba-3 will generally be simple and straightforward, although no upgrade should be attempted without proper planning and preparation.

There are two basic modes of use of Samba versions prior to Samba-3. The first does not use LDAP, the other does. Samba-1.9.x did not provide LDAP support. Samba-2.x could be compiled with LDAP support.

8.2.1. Samba 1.9.x and 2.x Versions Without LDAP

Where it is necessary to upgrade an old Samba installation to Samba-3, the following procedure can be followed:

UPGRADING FROM A PRE-SAMBA-3 VERSION

1.

Stop Samba. This can be done using the appropriate system tool that is particular for each operating system or by executing the kill command on smbd, nmbd, and winbindd.

2.

Find the location of the Samba smb.conf file and back it up to a safe location.

3.

Find the location of the smbpasswd file and back it up to a safe location.

4.

Find the location of the secrets.tdb file and back it up to a safe location.

5.

Find the location of the lock directory. This is the directory in which Samba stores all its tdb control files. The default location used by the Samba Team is in /usr/local/samba/var/locks directory, but on Linux systems the old location was under the /var/cache/samba directory. However, the Linux Standards Base specified location is now under the /var/lib/samba directory. Copy all the tdb files to a safe location.

6.

It is now safe to upgrade the Samba installation. On Linux systems it is not necessary to remove the Samba RPMs because a simple upgrade installation will automatically remove the old files. On systems that do not support a reliable package management system it is advisable either to delete the Samba old installation or to move it out of the way by renaming the directories that contain the Samba binary files.

7.

When the Samba upgrade has been installed, the first step that should be completed is to identify the new target locations for the control files. Follow the steps shown in Section 8.1.1.4 to locate the correct directories to which each control file must be moved.

8.

Do not change the hostname.

9.

Do not change the workgroup name.

10.

Execute the testparm to validate the smb.conf file. This process will flag any parameters that are no longer supported. It will also flag configuration settings that may be in conflict. One solution that may be used to clean up and to update the smb.conf file involves renaming it to smb.conf.master and then executing the following:

root#  cd /etc/samba root#  testparm -s smb.conf.master > smb.conf 

The resulting smb.conf file will be stripped of all comments and of all nonconforming configuration settings.

11.

It is now safe to start Samba using the appropriate system tool. Alternately, it is possible to just execute nmbd, smbd, and winbindd for the command line while logged in as the root user.

8.2.2. Applicable to All Samba 2.x to Samba-3 Upgrades

Samba 2.x servers that were running as a domain controller (PDC) require changes to the configuration of the scripting interface tools that Samba uses to perform OS updates for users, groups, and trust accounts (machines and interdomain).

The following parameters are new to Samba-3 and should be correctly configured. Please refer to Chapter 3, "Secure Office Networking" through Chapter 6, "A Distributed 2000-User Network" in this book for examples of use of the new parameters shown here:

add group script

add machine script

add user to group script

delete group script

delete user from group script

passdb backend

set primary group script

The add machine script functionality was previously handled by the add user script, which in Samba-3 is used exclusively to add user accounts.

Where the passdb backend used is either smbpasswd (the default) or the new tdbsam, the system interface scripts are typically used. These involve use of OS tools such as useradd, usermod, userdel, groupadd, groupmod, groupdel, and so on.

Where the passdb backend makes use of an LDAP directory, it is necessary either to use the smbldap-tools provided by Idealx or to use an alternate toolset provided by a third party or else home-crafted to manage the LDAP directory accounts.

8.2.3. Samba-2.x with LDAP Support

Samba version 2.x could be compiled for use either with or without LDAP. The LDAP control settings in the smb.conf file in this old version are completely different (and less complete) than they are with Samba-3. This means that after migrating the control files, it is necessary to reconfigure the LDAP settings entirely.

Follow the procedure outlined in Section 8.2.1 to affect a migration of all files to the correct locations.

The Samba SAM schema required for Samba-3 is significantly different from that used with Samba 2.x. This means that the LDAP directory must be updated using the procedure outlined in the Samba WHATSNEW.txt file that accompanies all releases of Samba-3. This information is repeated here directly from this file:

This is an extract from the Samba-3.0.x WHATSNEW.txt file: ========================================================== Changes in Behavior ------------------- The following issues are known changes in behavior between Samba 2.2 and Samba 3.0 that may affect certain installations of Samba.   1)  When operating as a member of a Windows domain, Samba 2.2 would       map any users authenticated by the remote DC to the 'guest account'       if a uid could not be obtained via the getpwnam() call. Samba 3.0       rejects the connection as NT_STATUS_LOGON_FAILURE. There is no       current work around to re-establish the 2.2 behavior.   2)  When adding machines to a Samba 2.2 controlled domain, the       'add user script' was used to create the UNIX identity of the       machine trust account.  Samba 3.0 introduces a new 'add machine       script' that must be specified for this purpose.  Samba 3.0 will       not fall back to using the 'add user script' in the absence of       an 'add machine script' ###################################################################### Passdb Backends and Authentication ################################## There have been a few new changes that Samba administrators should be aware of when moving to Samba 3.0.   1) encrypted passwords have been enabled by default in order to      inter-operate better with out-of-the-box Windows client      installations.  This does mean that either (a) a samba account      must be created for each user, or (b) 'encrypt passwords = no'      must be explicitly defined in smb.conf.   2) Inclusion of new 'security = ads' option for integration      with an Active Directory domain using the native Windows      Kerberos 5 and LDAP protocols.      MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption      type which is necessary for servers on which the      administrator password has not been changed, or kerberos-enabled      SMB connections to servers that require Kerberos SMB signing.      Besides this one difference, either MIT or Heimdal Kerberos      distributions are usable by Samba 3.0. Samba 3.0 also includes the possibility of setting up chains of authentication methods (auth methods) and account storage backends (passdb backend). Please refer to the smb.conf(5) man page for details.  While both parameters assume sane default values, it is likely that you will need to understand what the values actually mean in order to ensure Samba operates correctly. The recommended passdb backends at this time are   * smbpasswd - 2.2 compatible flat file format   * tdbsam - attribute rich database intended as an smbpasswd     replacement for stand alone servers   * ldapsam - attribute rich account storage and retrieval     backend utilizing an LDAP directory.   * ldapsam_compat - a 2.2 backward compatible LDAP account     backend Certain functions of the smbpasswd(8) tool have been split between the new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8) utility. See the respective man pages for details. ###################################################################### LDAP #### This section outlines the new features affecting Samba /LDAP integration. New Schema ---------- A new object class (sambaSamAccount) has been introduced to replace the old sambaAccount. This change aids us in the renaming of attributes to prevent clashes with attributes from other vendors. There is a conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF file to the new schema. Example:   $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif   $ convertSambaAccount --sid=<Domain SID> \     --input=sambaAcct.ldif --output=sambaSamAcct.ldif \     --changetype=[modify|add] The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>' on the Samba PDC as root.  The changetype determines the format of the generated LDIF output--either create new entries or modify existing entries. The old sambaAccount schema may still be used by specifying the "ldapsam_compat" passdb backend. However, the sambaAccount and associated attributes have been moved to the historical section of the schema file and must be uncommented before use if needed. The 2.2 object class declaration for a sambaAccount has not changed in the 3.0 samba.schema file. Other new object classes and their uses include:   * sambaDomain - domain information used to allocate rids     for users and groups as necessary. The attributes are added     in 'ldap suffix' directory entry automatically if     an idmap uid/gid range has been set and the 'ldapsam'     passdb backend has been selected.   * sambaGroupMapping - an object representing the     relationship between a posixGroup and a Windows     group/SID. These entries are stored in the 'ldap     group suffix' and managed by the 'net groupmap' command.   * sambaUnixIdPool - created in the 'ldap idmap suffix' entry     automatically and contains the next available 'idmap uid' and     'idmap gid'   * sambaIdmapEntry - object storing a mapping between a     SID and a UNIX uid/gid. These objects are created by the     idmap_ldap module as needed.   * sambaSidEntry - object representing a SID alone, as a Structural     class on which to build the sambaIdmapEntry. New Suffix for Searching ------------------------ The following new smb.conf parameters have been added to aid in directing certain LDAP queries when 'passdb backend = ldapsam://...' has been specified.   * ldap suffix         - used to search for user and computer accounts   * ldap user suffix    - used to store user accounts   * ldap machine suffix - used to store machine trust accounts   * ldap group suffix   - location of posixGroup/sambaGroupMapping entries   * ldap idmap suffix   - location of sambaIdmapEntry objects If an 'ldap suffix' is defined, it will be appended to all of the remaining sub-suffix parameters.  In this case, the order of the suffix listings in smb.conf is important.  Always place the 'ldap suffix' first in the list. Due to a limitation in Samba's smb.conf parsing, you should not surround the DN's with quotation marks. 



    Samba-3 by Example. Practical Exercises to Successful Deployment
    Samba-3 by Example: Practical Exercises to Successful Deployment (2nd Edition)
    ISBN: 013188221X
    EAN: 2147483647
    Year: 2005
    Pages: 142

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net