Migrating a Windows NT4 PDC to Linux
Last updated: 2010 Sep 12
Migrating a Windows NT4 PDC to Linux (Debian Etch) and Samba 3.0
The following is a recipe for migrating a Windows NT4 PDC (Primary Domain Controller) to a simple install of Linux Debian 4.0R1 (Etch) running Samba 3.0.24. I worked through this install procedure a number of times until it finally worked correctly, as all of the examples I could find for this were in some way incomplete or flawed. If you have a small network with an old NT4 server that you have been using for domain login authentication or file serving that you want to replace and are considering just getting a small Linux box to do the job, then this recipe may be useful to you.
Much of this procedure is based on Replace Your NT4 Domain Controller with Samba 3 (Part 2) By Carla Schroder, which is one of the few articles that almost worked. Of course samba.org is the main support site for all things relating to Samba, and the Official HOWTO has a whole chapter: Migration from NT4 PDC to Samba-3 PDC that documents this process too (but misses some essential steps, which might be obvious to an experienced Samba person but won't be done by the inexperienced as they are following a documented procedure).
Install Your Linux
I chose to use Debian 4.0R1 Etch, their "netinstaller" version for Debian Server. It's a smallish ISO download at 167MB because it does not include much desktop stuff.
Before starting the install you need to set your BIOS clock to GMT time as they don't seem to accommodate local time in the BIOS.
Install Debian, just the standard packages and the file server packages (which I think gets you Samba).
Once installed and rebooted you'll probably want to add "ssh" to your system by doing an "apt-get install ssh".
At this point you've spent about 20 minutes and should have a functioning server that you can now boot without a monitor, keyboard and mouse attached and control via SSH. It will be running a minimal Samba at this time, but we'll shut that down shortly.
Create a BDC Server Machine Account
In order to migrate user account information from the old NT4 PDC you will need to configure your new Linux Samba for a short time as a BDC. To do this you must:
Initially Configure Samba as a BDC
Now go to the Samba machine, log in as root (if you're using Ubuntu you'll need to put "sudo" in front of most commands) and edit the file /etc/samba/smb.conf, which is the primary configuration file for Samba. Debian puts a sample file in place for you, which contains a lot of helpful comments, but it's got so much extra stuff in it you might just want to rename it out of the way and start with a fresh file. The following is what you need:
[global]
workgroup = BUTLER
netbios name = STAR6
passdb backend = tdbsam
domain master = No
domain logons = Yes
os level = 40
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
add user to group script = /usr/sbin/usermod -G '%g' '%u'
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
# username map = /etc/samba/smbusers
logon path =
logon home =
# wins support = yes
[files]
comment = SAMBA File Server
path = /files
read only = No
You can use this as-is; you need only replace "BUTLER" with the name of your NT domain and pick a name for your Linux server and put it in place of "STAR6".
Next you need to set the root account password into Samba. Do this by running "smbpasswd" and entering the password.
Now check that the smb.conf file is reasonable, run the command "testparm" and make sure it reports: "Server role: ROLE_DOMAIN_BDC". If it does not, then there's something wrong with your smb.conf file.
Now find out what your Samba box's SID is currently set to, issue the command "net getlocalsid" and you'll get something like: S-1-5-21-2906888183-500865873-4023403494. Make a note of it somewhere.
Get Domain Information
Start up the Linux Samba services with:
/etc/init.d/samba start
Then complete the process of adding your Samba box into the existing NT Domain with a command like:
net rpc join -S nova -U administrator
Note that you should replace nova with the name of your Windows Domain server machine (not the domain name).
Next get a copy of the account information by doing:
net rpc vampire -S nova -w butler -U administrator
Note that you need to replace butler with your domain name. This command will print a lot of output, listing all the accounts and machines that are being transferred. It might also print some errors (especially on very old abandoned machines and accounts). You should probably check later to see if any of those errors are for things you actually need, so save a copy of the output.
The "net vampire" is described as acquiring the full account database and other things needed for the Linux box to take over the full PDC role, but from the testing I did it appears that it does not acquire the SID for the domain. Because of this you will find that, if you just follow the usual examples and enable the Samba server to take on the PDC role, not all things will work.
It appears you need to do one more step. First re-issue the net getlocalsid command and verify that the SID has not changed. Now issue the command:
net rpc getsid -S nova -U Administrator
and note that its output:
Storing SID S-1-5-21-1965320917-1955335400-7473742 for Domain BUTLER in secrets.tdb
shows you a different SID, and it tells you that it has stored it in your local system. However, if you check with net getlocalsid again you will find the domain SID is still not there.
So you need to issue one more command like:
net setlocalsid S-1-5-21-1965320917-1955335400-7473742
and then the Linux Samba server will really have the same SID as the old PDC (which is how Microsoft documents a BDC as functioning).
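The testparm role check and the SID comparison described above can be scripted as a gate before promotion. This is an added example, not part of the original recipe: the function names are hypothetical, and the sample outputs are constructed from the SIDs and names quoted in this article (the "SID for domain ... is:" line format for net getlocalsid is an assumption).

```shell
#!/bin/sh
# Added example (not from the original page): check captured command output
# before promoting the Samba BDC, so a SID mismatch is caught early.

# Print the first domain-style SID (S-1-5-21-x-y-z) found on stdin.
extract_sid() {
    grep -Eo 'S-1-5-21(-[0-9]+){3}' | head -n 1
}

# $1 = output of "net getlocalsid", $2 = output of "net rpc getsid".
# Succeeds only when both contain a SID and the two SIDs are identical.
sids_match() {
    local_sid=$(printf '%s\n' "$1" | extract_sid)
    domain_sid=$(printf '%s\n' "$2" | extract_sid)
    [ -n "$local_sid" ] && [ -n "$domain_sid" ] && [ "$local_sid" = "$domain_sid" ]
}

# $1 = output of "testparm", $2 = expected role, e.g. ROLE_DOMAIN_BDC.
role_is() {
    printf '%s\n' "$1" | grep -Eq "^Server role: $2[[:space:]]*\$"
}

# Combined gate: prints a verdict and returns 0 only if it is safe to promote.
ready_to_promote() {
    role_is "$1" ROLE_DOMAIN_BDC || { echo "FAIL: not a BDC"; return 1; }
    sids_match "$2" "$3" || { echo "FAIL: local SID differs from domain SID"; return 1; }
    echo "OK: BDC role and matching domain SID"
}

# Constructed sample output, using the SIDs and names quoted in the article.
TESTPARM='Server role: ROLE_DOMAIN_BDC'
LOCAL_BEFORE='SID for domain STAR6 is: S-1-5-21-2906888183-500865873-4023403494'
LOCAL_AFTER='SID for domain STAR6 is: S-1-5-21-1965320917-1955335400-7473742'
GETSID='Storing SID S-1-5-21-1965320917-1955335400-7473742 for Domain BUTLER in secrets.tdb'

ready_to_promote "$TESTPARM" "$LOCAL_BEFORE" "$GETSID" || true   # before net setlocalsid
ready_to_promote "$TESTPARM" "$LOCAL_AFTER"  "$GETSID"           # after net setlocalsid
```

On a live server the three arguments would be the captured output of testparm, net getlocalsid and net rpc getsid, in that order.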
Shutdown the NT PDC
At this point your Samba server is pretty much ready to assume the full PDC role on your LAN. You must first shut down the old Windows domain server, so that when you promote your Samba BDC to PDC they don't get in a fight.
Now you need to stop Samba as well: /etc/init.d/samba stop.
Then edit your smb.conf file so that:
domain master = Yes
wins support = Yes
And at last restart Samba with: /etc/init.d/samba start
Test Your Samba Server
You should do at least the following tests to convince yourself that this really did work (it might be a good idea to do this with a test Windows XP or 2000 machine that you can afford to rebuild if necessary):
How to Return Things to How They Used to Be
In the event that some of your tests with the Samba server as PDC failed or were not working the way you wanted, you just need to set the lines:
domain master = No
# wins support = Yes
back into the smb.conf file and then do a /etc/init.d/samba restart, then it will be safe to restart the old Windows Domain server while you spend many hours of searching for solutions.
About the worst that happened to me while I was testing and figuring this out was that on occasion when I went to log in I would get the warning that the domain server could not be found and so it was going to use a roaming profile. Sometimes I had to set this back to a local profile by hand. Once I set the lines:
logon path =
logon home =
in smb.conf these problems went away.
Building a Replacement for a Windows NT4 Server with Linux (Old Version)
This is a section of working notes on my attempts (in about 2004) to replace an old Windows NT4 Server (which is a primary domain controller) with a Linux box.
# filesystem mountpoint type options dump pass
/dev/hda1 / ext3 defaults,errors=remount-ro 0 1
/proc /proc proc defaults 0 0
/dev/fd0 /floppy vfat defaults,user,noauto,showexec,umask=022 0 0
usbdevfs /proc/bus/usb usbdevfs defaults 0 0
sysfs /sys sysfs defaults 0 0
/dev/cdrom /cdrom iso9660 defaults,ro,user,noexec,noauto 0 0
/dev/dvd /dvd iso9660 defaults,ro,user,noexec,noauto 0 0
/dev/cdaudio /cdaudio iso9660 defaults,ro,user,noexec,noauto 0 0
/dev/hda3 /files ext3 defaults,errors=remount-ro 0 1
# Added by KNOPPIX
/dev/hda2 none swap defaults 0 0
workgroup = MIDEARTH
netbios name = TEST
security = share
comment = Data
path = /files/export
read only = Yes
guest ok = Yes
ln -s ../init.d/samba S55samba
ln -s ../init.d/samba S50inetd
cp /some/appropriate/path/test.html public_html
ln -s /home/fred/public_html fred
ln -s ../init.d/apache S60apache
shutdown -r now
I added the following lines to the /etc/inetd.conf file:
vnc stream tcp nowait nobody /usr/sbin/tcpd /usr/local/bin/Xvnc :1 -inetd -query localhost -geometry 1232x900 -depth 24 -once -securitytypes=none
vnca stream tcp wait svermeul /usr/sbin/tcpd /usr/local/bin/Xvnc -inetd -query localhost -geometry 1232x900 -depth 24 -once -passwordFile=/home/svermeul/.vnc/passwd
and the following lines to the /etc/services file:
vnc 5950/tcp vnc-raw # VNC Server Connection
vnc 5950/udp vnc-raw
vnca 5951/tcp vnc-server # VNC Server Connection
vnca 5951/udp vnc-server