8.2. Upgrading from Samba 1.x and 2.x to Samba-3Sites that are being upgraded from Samba-2 (or earlier versions) to Samba-3 may experience little difficulty or may require a lot of effort, depending on the complexity of the configuration. Samba-1.9.x upgrades to Samba-3 will generally be simple and straightforward, although no upgrade should be attempted without proper planning and preparation. There are two basic modes of use of Samba versions prior to Samba-3. The first does not use LDAP, the other does. Samba-1.9.x did not provide LDAP support. Samba-2.x could be compiled with LDAP support. 8.2.1. Samba 1.9.x and 2.x Versions Without LDAPWhere it is necessary to upgrade an old Samba installation to Samba-3, the following procedure can be followed: UPGRADING FROM A PRE-SAMBA-3 VERSION
8.2.2. Applicable to All Samba 2.x to Samba-3 UpgradesSamba 2.x servers that were running as a domain controller (PDC) require changes to the configuration of the scripting interface tools that Samba uses to perform OS updates for users, groups, and trust accounts (machines and interdomain). The following parameters are new to Samba-3 and should be correctly configured. Please refer to Chapter 3, "Secure Office Networking" through Chapter 6, "A Distributed 2000-User Network" in this book for examples of use of the new parameters shown here:
The add machine script functionality was previously handled by the add user script, which in Samba-3 is used exclusively to add user accounts. Where the passdb backend used is either smbpasswd (the default) or the new tdbsam, the system interface scripts are typically used. These involve use of OS tools such as useradd, usermod, userdel, groupadd, groupmod, groupdel, and so on. Where the passdb backend makes use of an LDAP directory, it is necessary either to use the smbldap-tools provided by Idealx or to use an alternate toolset provided by a third party or else home-crafted to manage the LDAP directory accounts. 8.2.3. Samba-2.x with LDAP SupportSamba version 2.x could be compiled for use either with or without LDAP. The LDAP control settings in the smb.conf file in this old version are completely different (and less complete) than they are with Samba-3. This means that after migrating the control files, it is necessary to reconfigure the LDAP settings entirely. Follow the procedure outlined in Section 8.2.1 to affect a migration of all files to the correct locations. The Samba SAM schema required for Samba-3 is significantly different from that used with Samba 2.x. This means that the LDAP directory must be updated using the procedure outlined in the Samba WHATSNEW.txt file that accompanies all releases of Samba-3. This information is repeated here directly from this file: This is an extract from the Samba-3.0.x WHATSNEW.txt file: ========================================================== Changes in Behavior ------------------- The following issues are known changes in behavior between Samba 2.2 and Samba 3.0 that may affect certain installations of Samba. 1) When operating as a member of a Windows domain, Samba 2.2 would map any users authenticated by the remote DC to the 'guest account' if a uid could not be obtained via the getpwnam() call. Samba 3.0 rejects the connection as NT_STATUS_LOGON_FAILURE. There is no current work around to re-establish the 2.2 behavior. 2) When adding machines to a Samba 2.2 controlled domain, the 'add user script' was used to create the UNIX identity of the machine trust account. Samba 3.0 introduces a new 'add machine script' that must be specified for this purpose. Samba 3.0 will not fall back to using the 'add user script' in the absence of an 'add machine script' ###################################################################### Passdb Backends and Authentication ################################## There have been a few new changes that Samba administrators should be aware of when moving to Samba 3.0. 1) encrypted passwords have been enabled by default in order to inter-operate better with out-of-the-box Windows client installations. This does mean that either (a) a samba account must be created for each user, or (b) 'encrypt passwords = no' must be explicitly defined in smb.conf. 2) Inclusion of new 'security = ads' option for integration with an Active Directory domain using the native Windows Kerberos 5 and LDAP protocols. MIT kerberos 1.3.1 supports the ARCFOUR-HMAC-MD5 encryption type which is necessary for servers on which the administrator password has not been changed, or kerberos-enabled SMB connections to servers that require Kerberos SMB signing. Besides this one difference, either MIT or Heimdal Kerberos distributions are usable by Samba 3.0. Samba 3.0 also includes the possibility of setting up chains of authentication methods (auth methods) and account storage backends (passdb backend). Please refer to the smb.conf(5) man page for details. While both parameters assume sane default values, it is likely that you will need to understand what the values actually mean in order to ensure Samba operates correctly. The recommended passdb backends at this time are * smbpasswd - 2.2 compatible flat file format * tdbsam - attribute rich database intended as an smbpasswd replacement for stand alone servers * ldapsam - attribute rich account storage and retrieval backend utilizing an LDAP directory. * ldapsam_compat - a 2.2 backward compatible LDAP account backend Certain functions of the smbpasswd(8) tool have been split between the new smbpasswd(8) utility, the net(8) tool, and the new pdbedit(8) utility. See the respective man pages for details. ###################################################################### LDAP #### This section outlines the new features affecting Samba /LDAP integration. New Schema ---------- A new object class (sambaSamAccount) has been introduced to replace the old sambaAccount. This change aids us in the renaming of attributes to prevent clashes with attributes from other vendors. There is a conversion script (examples/LDAP/convertSambaAccount) to modify and LDIF file to the new schema. Example: $ ldapsearch .... -b "ou=people,dc=..." > sambaAcct.ldif $ convertSambaAccount --sid=<Domain SID> \ --input=sambaAcct.ldif --output=sambaSamAcct.ldif \ --changetype=[modify|add] The <DOM SID> can be obtained by running 'net getlocalsid <DOMAINNAME>' on the Samba PDC as root. The changetype determines the format of the generated LDIF output--either create new entries or modify existing entries. The old sambaAccount schema may still be used by specifying the "ldapsam_compat" passdb backend. However, the sambaAccount and associated attributes have been moved to the historical section of the schema file and must be uncommented before use if needed. The 2.2 object class declaration for a sambaAccount has not changed in the 3.0 samba.schema file. Other new object classes and their uses include: * sambaDomain - domain information used to allocate rids for users and groups as necessary. The attributes are added in 'ldap suffix' directory entry automatically if an idmap uid/gid range has been set and the 'ldapsam' passdb backend has been selected. * sambaGroupMapping - an object representing the relationship between a posixGroup and a Windows group/SID. These entries are stored in the 'ldap group suffix' and managed by the 'net groupmap' command. * sambaUnixIdPool - created in the 'ldap idmap suffix' entry automatically and contains the next available 'idmap uid' and 'idmap gid' * sambaIdmapEntry - object storing a mapping between a SID and a UNIX uid/gid. These objects are created by the idmap_ldap module as needed. * sambaSidEntry - object representing a SID alone, as a Structural class on which to build the sambaIdmapEntry. New Suffix for Searching ------------------------ The following new smb.conf parameters have been added to aid in directing certain LDAP queries when 'passdb backend = ldapsam://...' has been specified. * ldap suffix - used to search for user and computer accounts * ldap user suffix - used to store user accounts * ldap machine suffix - used to store machine trust accounts * ldap group suffix - location of posixGroup/sambaGroupMapping entries * ldap idmap suffix - location of sambaIdmapEntry objects If an 'ldap suffix' is defined, it will be appended to all of the remaining sub-suffix parameters. In this case, the order of the suffix listings in smb.conf is important. Always place the 'ldap suffix' first in the list. Due to a limitation in Samba's smb.conf parsing, you should not surround the DN's with quotation marks. |