Migrating a Windows NT4 PDC to Linux

Copyright 2010 by Stephen Vermeulen
Last updated: 2010 Sep 12
Vermeulen.ca

See also:

Various Samba Links

Migrating a Windows NT4 PDC to Linux (Debian Etch) and Samba 3.0

The following is a recipe for migrating a Windows NT4 PDC (Primary Domain Controller) to a simple install of Linux Debian 4.0R1 (Etch) running Samba 3.0.24. I worked through this install procedure a number of times until it finally worked correctly, as all of the examples I could find for this were in some way incomplete or flawed. If you have a small network with an old NT4 server that you have been using for domain login authentication or file serving, that you want to replace, and you are considering just getting a small Linux box to do the job, then this recipe may be useful to you.

Much of this procedure is based on Replace Your NT4 Domain Controller with Samba 3 (Part 2) By Carla Schroder, which is one of the few articles that almost worked. Of course samba.org is the main support site for all things relating to Samba, and the Official HOWTO has a whole chapter: Migration from NT4 PDC to Samba-3 PDC that documents this process too (but misses some essential steps, which might be obvious to an experienced Samba person but won't be done by the inexperienced as they are following a documented procedure).

Install Your Linux

I chose to use Debian 4.0R1 Etch, their "netinstaller" version for Debian Server. It's a smallish ISO download at 167MB because it does not include much desktop stuff.

Before starting the install you need to set your BIOS clock to GMT time, as the installer doesn't seem to accommodate local time in the BIOS.

Install Debian, just the standard packages and the file server packages (which I think gets you Samba).

Once installed and rebooted you'll probably want to add "ssh" to your system by doing an "apt-get install ssh".

At this point you've spent about 20 minutes and should have a functioning server that you can now boot without a monitor, keyboard and mouse attached and control via SSH. It will be running a minimal Samba at this time, but we'll shut that down shortly.

Create a BDC Server Machine Account

In order to migrate user account information from the old NT4 PDC you will need to configure your new Linux Samba for a short time as a BDC. To do this you must:
  1. stop the samba services by doing: /etc/init.d/samba stop
  2. login to the NT4 server, start up the "Server Manager" (it's in the Administrative Tools area of the Start menu) and then add the new machine as a BDC server. The detailed steps are:
    1. Menu: Computer / Add to Domain...
    2. Select: Windows NT Backup Domain Controller
    3. enter the computer name and then press "Add"
    4. then press "Close"
    5. Now you should see the new computer in the list and it should be identified as being "Windows NT Backup"
    6. close the server manager
  3. If you have any old machine or user accounts for machines that no longer exist, now would be a good time to remove them from the NT4 domain database.

Initially Configure Samba as a BDC

Now go to the Samba machine, login as root (if you're using Ubuntu you'll need to put "sudo" in front of most commands) and edit the file /etc/samba/smb.conf, which is the primary configuration file for Samba. Debian puts a sample file in place for you, which contains a lot of helpful comments, but it's got so much extra stuff in it you might just want to rename it out of the way and start with a fresh file. The following is what you need:
[global]
     workgroup = BUTLER
     netbios name = STAR6
     passdb backend = tdbsam
     domain master = No
     domain logons = Yes
     os level = 40
     add user script = /usr/sbin/useradd -m '%u'
     delete user script = /usr/sbin/userdel -r '%u'
     add group script = /usr/sbin/groupadd '%g'
     delete group script = /usr/sbin/groupdel '%g'
     add user to group script = /usr/sbin/usermod -G '%g' '%u'
     add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
#     username map = /etc/samba/smbusers
     logon path =
     logon home =
#     wins support = yes

[files]
        comment = SAMBA File Server
        path = /files
        read only = No
You can use this as-is; you need only replace "BUTLER" with the name of your NT domain and pick a name for your Linux server and put it in place of "STAR6".

Next you need to set the root account password into Samba. Do this by running "smbpasswd" and entering the password.

Now check that the smb.conf file is reasonable: run the command "testparm" and make sure it reports "Server role: ROLE_DOMAIN_BDC". If it does not, then there's something wrong with your smb.conf file.

Now find out what your Samba box's SID is currently set to: issue the command "net getlocalsid" and you'll get something like S-1-5-21-2906888183-500865873-4023403494. Make a note of it somewhere.

Get Domain Information

Start up the Linux Samba services with /etc/init.d/samba start

Then complete the process of adding your Samba box into the existing NT Domain with a command like: net rpc join -S nova -U administrator (replace nova with the name of your Windows Domain server machine, not the domain name).

Next get a copy of the account information by doing: net rpc vampire -S nova -w butler -U administrator (replace butler with your domain name). This command will print a lot of output, listing all the accounts and machines that are being transferred. It might also print some errors (especially on very old abandoned machines and accounts); you should probably check later to see if any of those errors are for things you actually need, so save a copy of the output.

The "net vampire" is described as acquiring the full account database and the other things needed for the Linux box to take over the full PDC role, but from the testing I did it appears that it does not acquire the SID for the domain. Because of this you will find that if you just follow the usual examples and enable the Samba server to take on the PDC role, not all things will work.

It appears you need to do one more step. First re-issue the net getlocalsid command and verify that the SID has not changed. Now issue the command net rpc getsid -S nova -U Administrator and note that its output:

Storing SID S-1-5-21-1965320917-1955335400-7473742 for Domain BUTLER in secrets.tdb
shows you a different SID, and it tells you that it has stored it in your local system. However, if you check with net getlocalsid again you will find the domain SID is still not there.

So you need to issue one more command like: net setlocalsid S-1-5-21-1965320917-1955335400-7473742 and then the Linux Samba server will really have the same SID as the old PDC (which is how Microsoft documents a BDC as functioning).
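The SID check described above, as a small shell script I added for this write-up (it is not from the original page or from Samba): it parses the output formats the page quotes, reports whether the local SID already matches the one fetched from the NT4 PDC, and tells you the net setlocalsid command to run if not. The "nova" server name and the exact wording of the net getlocalsid output line are assumptions; the sample outputs are constructed so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example: pre-promotion SID/role checks for the Samba BDC step.
# Not part of the original page; the sample outputs below are constructed.

# Print the first domain-style SID (S-1-5-21-...) found in a block of text.
extract_sid() {
    printf '%s\n' "$1" | sed -n 's/.*\(S-1-5-21-[0-9-]*\).*/\1/p' | head -n 1
}

# Return 0 when testparm output reports the given server role.
role_is() {
    printf '%s\n' "$1" | grep -q "Server role: $2"
}

# Compare the SID stored locally (net getlocalsid output) with the one the
# PDC reported (net rpc getsid output). 0 = already in sync, 1 = setlocalsid needed.
sid_synced() {
    l=$(extract_sid "$1")
    p=$(extract_sid "$2")
    [ -n "$l" ] && [ -n "$p" ] && [ "$l" = "$p" ]
}

# Live check on a real box (assumes the PDC is called "nova", as on the page).
live_check() {
    if ! role_is "$(testparm -s 2>/dev/null)" ROLE_DOMAIN_BDC; then
        echo "smb.conf is not configured as a BDC yet; fix that first"
        return 1
    fi
    local_out=$(net getlocalsid)
    pdc_out=$(net rpc getsid -S nova -U Administrator 2>&1)
    if sid_synced "$local_out" "$pdc_out"; then
        echo "local SID already matches the domain SID"
    else
        echo "SID mismatch: run: net setlocalsid $(extract_sid "$pdc_out")"
        return 1
    fi
}

# Constructed sample outputs shaped like the ones quoted on the page.
SAMPLE_TESTPARM='Load smb config files from /etc/samba/smb.conf
Server role: ROLE_DOMAIN_BDC'
SAMPLE_LOCAL='SID for domain STAR6 is: S-1-5-21-2906888183-500865873-4023403494'
SAMPLE_PDC='Storing SID S-1-5-21-1965320917-1955335400-7473742 for Domain BUTLER in secrets.tdb'
```

Run live_check as root on the Samba box after the vampire step; it exits non-zero until the local SID has been set to the domain SID.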

Shutdown the NT PDC

At this point your Samba server is pretty much ready to assume the full PDC role on your LAN. You must first shut down the old Windows domain server, so that when you promote your Samba BDC to PDC they don't get in a fight.

Now you need to stop Samba as well: /etc/init.d/samba stop.

Then edit your smb.conf file so that:

  domain master = Yes
  wins support = Yes
Finally, restart Samba with: /etc/init.d/samba start

Test Your Samba Server

You should do at least the following tests to convince yourself that this really did work (it might be a good idea to do this with a test Windows XP or 2000 machine that you can afford to rebuild if necessary):
  1. login/logout of a windows workstation using a domain account
  2. change the password on a domain account from within windows
  3. remove a windows box from the domain and put it back into the domain. On this one you will hit a small snag: it will probably refuse to add the machine when you use the domain Administrator account; you will need to use the Linux box's "root" for the user name and the root password. You can get around this by adding an "smbusers" file that contains the single line root = Administrator and uncommenting the username map line in the smb.conf file. But then all the files and directories that Administrator creates from within windows will show as root ownership.
  4. add some sub directories under /files and "chown" and "chgrp" them to a few different users, then verify that you can restrict access as to who can read and write those directories appropriately.
  5. check that printer sharing works (I never played with this, so it's not even in the smb.conf file)
  6. do a net groupmap list to see some of the group mapping
  7. do a pdbedit -Lv to see details on what the vampire fetched.

How to Return Things to How They Used to Be

In the event that some of your tests with the Samba server as PDC failed or were not working the way you wanted, you just need to put the lines:
  domain master = No
#  wins support = Yes
back into the smb.conf file and then do a /etc/init.d/samba restart; then it will be safe to restart the old Windows Domain server while you spend many hours searching for solutions.

About the worst that happened to me while I was testing and figuring this out was that on occasion when I went to login I would get the warning that the domain server could not be found and so it was going to use a roaming profile. Sometimes I had to set this back to a local profile by hand. Once I set the lines:

     logon path =
     logon home =
in smb.conf these problems went away.

Building a Replacement for a Windows NT4 Server with Linux (Old Version)

This is a section of working notes on my attempts (in about 2004) to replace an old Windows NT4 Server (which is a primary domain controller) with a Linux box.
  • Did a test install of Linux using the Knoppix 3.7 distribution. This was done to an empty 40GB IDE drive partitioned as an 8GB root partition, a 512MB swap partition and a 31.5GB data partition. The installation was done following the instructions of Hack#33 in Knoppix Hacks (see above for information) and went without any surprises.
  • Once the system was installed I could only see one partition, turns out the 31GB data partition was not mounted by default. To add this to the system I just needed to edit the /etc/fstab table to mount it at boot time and then make a directory in the root directory to mount it on and set the permissions on that directory. The fstab file looks like:
# /etc/fstab: filesystem table.
#
# filesystem mountpoint type options dump pass
/dev/hda1 / ext3 defaults,errors=remount-ro 0 1
/proc /proc proc defaults 0 0
/dev/fd0 /floppy vfat defaults,user,noauto,showexec,umask=022 0 0
usbdevfs /proc/bus/usb usbdevfs defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/cdrom /cdrom iso9660 defaults,ro,user,noexec,noauto 0 0
/dev/dvd /dvd iso9660 defaults,ro,user,noexec,noauto 0 0
/dev/cdaudio /cdaudio iso9660 defaults,ro,user,noexec,noauto 0 0
/dev/hda3 /files ext3 defaults,errors=remount-ro 0 1
# Added by KNOPPIX
/dev/hda2 none swap defaults 0 0
  • By default Knoppix had installed so that it used DHCP to configure the LAN. As I wanted the server to have a static IP address I had to manually configure the card; this I did using the Knoppix tool from the KNOPPIX menu, sub-menu: "Network/Internet", item: "Network Card Configuration", which then runs as root and prompts you for the necessary information.
  • Tested doing an image backup of the installed Linux, used Acronis version 8.0 and it did a full backup of the partitions (with a verify) to a shared drive across my 100baseT LAN in under 30 minutes. Still need to do a test of the restoration process to see if that also goes smoothly.
  • At this point I started playing with Samba, first I wanted to just get file sharing happening, to do this I created a new /etc/samba/smb.conf file:
[global]
workgroup = MIDEARTH
netbios name = TEST
security = share

[data]
comment = Data
path = /files/export
read only = Yes
guest ok = Yes

  • as per the example 2.1 in The Official SAMBA-3 Howto and Reference Guide. Since Knoppix does not start the Samba server at boot time I needed to add the following link:
cd /etc/rcS.d
ln -s ../init.d/samba S55samba

  • and then rebooted (this was only partially described in the Samba howto section 35.5.2). I also needed to add an smb password for my Windows box account with:
smbpasswd -a username

  • I also configured the inetd to start at boot time by adding the following link:
cd /etc/rcS.d
ln -s ../init.d/inetd S50inetd
  • to start apache manually:
su
/etc/init.d/apache start
  • apache log files are in /var/log/apache, config files are in /etc/apache,
  • to allow individual users to manage their own html files on the server you get the user to make a public_html directory in their home directory, then you add a symbolic link in the /var/www/users directory that points to the user's public_html directory. So if the user is called fred:
cd /home/fred
mkdir public_html
cp /some/appropriate/path/test.html public_html
cd /var/www/users
ln -s /home/fred/public_html fred
  • then when someone asks for the URL: http://server/users/fred/test.html they will be served this document from fred's own public_html directory
  • to start apache at boot time:
cd /etc/rcS.d
ln -s ../init.d/apache S60apache
  • to reboot right away:
su
shutdown -r now
  • todo:
    • test restore of acronis image
    • look for a Linux version of the DNS2Go client from Deerfield.com
    • sort out how to configure SAMBA as a PDC to replace the old NT4 server
A good writeup on configuring RealVNC to work with Knoppix 3.7. (This is another, similar, article, but it did not work.) I encountered much grief while trying to arrange for VNC to automatically start when needed from the inetd superserver. In the end this writeup was almost correct; the only two issues I had were:
  1. there were actually two Xaccess files on my system, one in /etc/X11/xdm and the other in /etc/kde3/kdm, I made the same change to both
  2. upon connecting, the VNC client prompted me for a password, and it did not accept any password I tried, so I added the "-securitytypes=none" parameter to the end of the command in the inetd.conf (this article suggests that there should be a "-" on the securitytypes parameter)
Once I had done these changes I got the X desktop login prompt and was able to login to the KDE desktop just fine.

I added the following lines to the /etc/inetd.conf file:

vnc stream tcp nowait nobody /usr/sbin/tcpd /usr/local/bin/Xvnc :1 -inetd -query localhost -geometry 1232x900 -depth 24 -once -securitytypes=none

vnca stream tcp wait svermeul /usr/sbin/tcpd /usr/local/bin/Xvnc -inetd -query localhost -geometry 1232x900 -depth 24 -once -passwordFile=/home/svermeul/.vnc/passwd

and the following lines to the /etc/services file:

vnc 5950/tcp vnc-raw # VNC Server Connection
vnc 5950/udp vnc-raw
vnca 5951/tcp vnc-server # VNC Server Connection
vnca 5951/udp vnc-server
