Transparent Samba PDC Migration

This was brought about by problems I encountered while working for Kangare Software Engineering in Kiribati. We had a number of Red Hat 7.3 machines operating as Primary Domain Controllers (PDC) for clients and wanted to migrate the servers to Debian. As some of the clients had over 40 workstations, we didn't want to have to re-join the domain for every workstation and required a way to transparently migrate to a new PDC.

If you use LDAP to store the Samba databases, you can avoid this hassle when migrating Samba PDCs. But if you're reading this, it's probably a bit late for that now...

Prerequisites

This assumes you have Samba set up as a PDC with machines joined to the domain and users logging on correctly. Information about joining Win2k and XP machines to a Samba domain is available elsewhere on the web.

Setup

The test setup consisted of the following machines:

I used Debian on both servers, but this should all be distro-independent anyway.

Steps

  1. Upgrade both the old and new servers to at least Samba 2.2.8. (The options for extracting and setting the SID in smbpasswd only appear from version 2.2.8). The Debian packages for 2.2.11 can be found here:

    http://us1.samba.org/samba/ftp/Binary_Packages/Debian/dists/stable/main/binary-i386/

  2. Extract the SID for the domain:

    srv1:~# smbpasswd -X TEST
    SID for domain TEST is: S-1-5-21-4114446979-1452487925-2869499296

    and store it somewhere safe.

  3. Merge the old and new passwd, shadow and group files. You'll need to copy both the user accounts and the machine accounts (the ones that end in a '$').

    So for example, I copied the following out of /etc/passwd:

    simon:x:1000:1000:simmo:/home/simon:/bin/bash
    test-xp$:x:1001:100::/home/test-xp:/bin/false
    quigon$:x:1002:100::/home/quigon$:/bin/false
    jack:x:1003:1003:Jack:/home/jack:/bin/bash

    The shadow and group files are similar.

  4. Copy over the home directories, and use chown to set the proper ownership.

  5. Copy the old server's smbpasswd and smb.conf files to /etc/samba on the new server.

  6. Store the SID that we got before:
    smbpasswd -W S-1-5-21-4114446979-1452487925-2869499296
  7. Start Samba:
    /etc/init.d/samba start
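
A consistency check for steps 3 and 5, added here as an example and not part of the original write-up: it confirms that every smbpasswd entry, including the machine accounts ending in '$', has a passwd entry with the same UID on the new server, and flags UIDs that collided during the merge. The function names, the localadm account and the sample data are constructed for illustration, and the smbpasswd field layout (name:uid:LM hash:NT hash:[flags]:LCT) is assumed to be the Samba 2.2 one.

```shell
#!/bin/sh
# Added example: sanity checks on the new server after steps 3 and 5.
# Assumes the Samba 2.2 smbpasswd layout name:uid:LM:NT:[flags]:LCT-...:

# check_accounts PASSWD SMBPASSWD: every smbpasswd entry (users and the
# machine accounts ending in '$') needs a passwd entry with the same UID.
check_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { uid[$1] = $3; next }   # passwd: name -> uid
        /^#/ || NF < 2      { next }                 # skip comments, blanks
        !($1 in uid)        { print "MISSING " $1; next }
        uid[$1] != $2       { print "UIDMISMATCH " $1 " passwd=" uid[$1] " smbpasswd=" $2 }
    ' "$1" "$2"
}

# dup_uids PASSWD: UIDs claimed by more than one name after the merge.
dup_uids() {
    awk -F: '{ n[$3]++; names[$3] = names[$3] " " $1 }
        END { for (u in n) if (n[u] > 1) print "DUPUID " u ":" names[u] }' "$1" | sort
}

# make_sample DIR: constructed test data (not real accounts or hashes).
make_sample() {
    h=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX   # placeholder, not a real hash
    cat > "$1/passwd" <<EOF
simon:x:1000:1000:simmo:/home/simon:/bin/bash
test-xp\$:x:1001:100::/home/test-xp:/bin/false
jack:x:1004:1003:Jack:/home/jack:/bin/bash
localadm:x:1004:1004::/home/localadm:/bin/bash
EOF
    cat > "$1/smbpasswd" <<EOF
simon:1000:$h:$h:[U          ]:LCT-00000000:
test-xp\$:1001:$h:$h:[W          ]:LCT-00000000:
quigon\$:1002:$h:$h:[W          ]:LCT-00000000:
jack:1003:$h:$h:[U          ]:LCT-00000000:
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_accounts "$tmp/passwd" "$tmp/smbpasswd"
dup_uids "$tmp/passwd"
rm -rf "$tmp"
```

On a real server, point the two check functions at the merged /etc/passwd and the copied /etc/samba/smbpasswd before starting Samba; no output means the files agree.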

Testing

Upon logging in on the Windows 2000 Desktop first, I got the following error:

Windows did not load your roaming profile and is attempting to log you in without your local profile...

A bit of Googling turned up this. As mentioned, adding

    profile acls = Yes

to the share that holds the profiles solved that problem (in this case [homes]).

Conclusions

Well, it seems to work. Both machines can log in again and profiles appear to be working. The Windows 2k machine has decided to stop logging out, but it was doing that intermittently before I started, so I don't think it's related.

Comments / Additions ? email nomis52 <AT> westnet.com.au