Re-Provisioning Samba4 on a DC Primary taken over from a German AD
This article applies only if you have a very old domain that was originally taken over from a German Microsoft AD.
Problem:
samba-tool domain level show
Domain and forest function level for domain 'DC=schein,DC=ig'
Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2003
It is not possible to raise the domain level as described in the raise-domain-functional-level article (see step 14), but you will still need some steps from that article.
Solution:
Re-provisioning is a supported way to raise the domain level.
Samba 4 can be re-provisioned from the existing OpenLDAP data.
The following steps describe the needed procedure:
Note:
Make sure that all of your groups and users have a sambaSID in OpenLDAP. Some older applications added groups in non-UCS ways, so a SID was created for the group in Samba but not in OpenLDAP. Re-provisioning uses OpenLDAP data only, so these SIDs would be lost and ACL problems (e.g. with share access) may occur that take immense effort to repair. The following search lists groups without a sambaSID:
univention-ldapsearch '(&(objectClass=univentionGroup)(!(sambaSID=*)))' 1.1
1. Stop Samba 4 on all connected systems in the environment
If there are other Samba 4 systems in the environment, Samba 4 has to be stopped on each of them:
/etc/init.d/samba stop
2. Sync time on DC Master:
rdate ptbtime1.ptb.de
3. Save RID pools on DC Master:
ldbsearch -H /var/lib/samba/private/sam.ldb CN="RID Set" \
-b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)" > /root/ridpool.ldif
4. Stop Samba 4 and S4-Connector on DC Master
/etc/init.d/samba stop
systemctl stop univention-s4-connector.service
5. Move/Delete Samba 4 and S4-Connector data on DC Master
find /etc/univention/connector/ \( -name "s4*.sqlite" -o -name "lockingdb.sqlite" \) -exec mv "{}" "{}.bak_$(date +%s)" \;
rm -rf /var/lib/univention-connector/s4/*
mv /var/lib/samba/private "/var/lib/samba/private.bak_$(date +%s)"
logrotate -f /etc/logrotate.d/univention-s4-connector
6. Preparation for renaming the German group names to English
Create a list (grouplist) with the English and German names that need to be renamed, e.g. with cat > grouplist:
Administrators:Administratoren
Backup Operators:Sicherungs-Operatoren
Cert Publishers:Zertifikatherausgeber
Distributed COM Users:Distributed COM-Benutzer
Domain Admins:Domänen-Admins
Domain Controllers:Domänencontroller
Domain Guests:Domänen-Gäste
Domain Users:Domänen-Benutzer
Guests:Gäste
Incoming Forest Trust Builders:Erstellungen eingehender Gesamtstrukturvertrauensstellung
Network Configuration Operators:Netzwerkkonfigurations-Operatoren
Performance Log Users:Leistungsprotokollbenutzer
Performance Monitor Users:Systemmonitorbenutzer
Pre-windows 2000 Compatible Access:Prä-Windows 2000 kompatibler Zugriff
Remote Desktop Users:Remotedesktopbenutzer
Replicator:Replikations-Operator
Server Operators:Server-Operatoren
Terminal Server License Servers:Terminalserver-Lizenzserver
Users:Benutzer
Windows Authorization Access Group:Windows-Autorisierungszugriffsgruppe
Account Operators:Konten-Operatoren
Enterprise Admins:Organisations-Admins
Group Policy Creator Owners:Richtlinien-Ersteller-Besitzer
Print Operators:Druck-Operatoren
RAS and IAS Servers:RAS- und IAS-Server
Schema Admins:Schema-Admins
Domain Computers:Domänencomputer
There may already be groups with English names; these have to be found:
while IFS=: read -r en de; do univention-ldapsearch -xLLL "(&(cn=$en)(objectClass=univentionGroup))"; done < grouplist
and renamed. If these groups already have group memberships, the members have to be synchronized into one group (please adjust the domain to yours).
e.g.
udm groups/group modify --dn="cn=Domain Computers,cn=groups,dc=schein,dc=ig" --set name="Domain Computers2"
Note: there is no sync example here yet.
7. Renaming the groups:
while IFS=: read -r en de; do dn=$(univention-ldapsearch -xLLL "(&(cn=$de)(objectClass=univentionGroup))" 1.1 | ldapsearch-decode64 | sed -n 's/^dn: //p'); [ -n "$dn" ] || continue; echo "$dn: renaming '$de' to '$en'"; udm groups/group modify --dn="$dn" --set name="$en"; done < grouplist
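As an added example (not part of the original article), the following script makes the check in step 6 explicit: it reads the grouplist and a file with the cn of every existing group (on a live DC Master produced with univention-ldapsearch as shown in the comment; here both files are constructed) and reports, per pair, whether the German group can be renamed directly, whether an English-named group already exists and must be renamed to "<name>2" and merged first, or whether neither exists.

```shell
#!/bin/bash
# Added example, not from the original article. plan_renames GROUPLIST EXISTING
# reads "English:German" lines from GROUPLIST and one group cn per line from
# EXISTING and prints the action needed for every pair. On a live DC Master
# EXISTING would be created with:
#   univention-ldapsearch -xLLL '(objectClass=univentionGroup)' cn \
#       | ldapsearch-decode64 | sed -n 's/^cn: //p' > existing
plan_renames() {
    local grouplist=$1 existing=$2 en de
    while IFS=: read -r en de; do
        [ -n "$en" ] && [ -n "$de" ] || continue     # skip blank or malformed lines
        if ! grep -qxF -- "$de" "$existing"; then
            echo "SKIP     '$de' does not exist in LDAP"
        elif grep -qxF -- "$en" "$existing"; then
            # Step 6 case: move the English group out of the way first, then
            # rename the German group and merge the members of '<name>2' into it.
            echo "CONFLICT '$en' already exists: rename it to '${en}2', rename '$de' -> '$en', merge members, delete '${en}2'"
        else
            echo "RENAME   '$de' -> '$en'"
        fi
    done < "$grouplist"
}

# Constructed sample data so the script runs offline.
demo() {
    local tmp; tmp=$(mktemp -d)
    printf '%s\n' 'Domain Users:Domänen-Benutzer' 'Domain Computers:Domänencomputer' \
        'Guests:Gäste' > "$tmp/grouplist"
    printf '%s\n' 'Domänen-Benutzer' 'Domain Computers' 'Domänencomputer' > "$tmp/existing"
    plan_renames "$tmp/grouplist" "$tmp/existing"
    rm -r "$tmp"
}
demo
```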
8. Set the new group names as default groups (please adjust the domain to yours)
ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret <<EOR
dn: cn=default,cn=univention,dc=schein,dc=ig
changetype: modify
replace: univentionDefaultGroup
univentionDefaultGroup: cn=Domain Users,cn=groups,dc=schein,dc=ig
-
replace: univentionDefaultComputerGroup
univentionDefaultComputerGroup: cn=Domain Computers,cn=groups,dc=schein,dc=ig
EOR
9. Remove Samba 4 and S4-Connector packages on DC Master
univention-remove univention-samba4 univention-s4-connector
10. Set needed UCR-Variables for re-provision on DC Master
ucr set connector/s4/mapping/group/grouptype='false' \
connector/s4/mapping/sid_to_s4='true' \
samba4/provision/primary='true'
11. Install Samba 4 and S4-Connector packages on DC Master
univention-install univention-s4-connector univention-samba4
Now wait until all objects have been synced via the S4-Connector. You can watch the process in /var/log/univention/connector-s4.log.
Also check for rejects before you proceed with the next steps. This may take some time, depending on the number of your LDAP objects.
12. Remove UCR variables which were set for re-provision on DC Master
ucr unset samba4/provision/primary \
connector/s4/mapping/sid_to_s4
13. Correct the newly created RID pool with the help of the saved data on DC Master
A new RID pool was created by re-provisioning; it has to be corrected with the help of the saved data (see step 3):
ldbedit -H /var/lib/samba/private/sam.ldb CN="RID Set" \
-b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)"
The following attributes have to be corrected:
rIDAllocationPool
rIDPreviousAllocationPool
rIDNextRID
Please also see the SDB article Samba 4 - RID Pool renewal.
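As an added example (not from the original article), these helpers decode the RID pool values in the ridpool.ldif saved in step 3 and generate an LDIF for ldbmodify that writes the saved values for the three attributes back into the new sam.ldb; it assumes that restoring the saved values is the correction you want, so review the generated LDIF against the RID Pool renewal article before applying it.

```shell
#!/bin/bash
# Added example, not from the original article. Helpers for step 13: decode the
# packed RID pool values from the ridpool.ldif saved in step 3 and generate an
# ldbmodify LDIF that writes the saved values back into the new sam.ldb.
# rIDAllocationPool and rIDPreviousAllocationPool are 64-bit integers: the low
# 32 bits hold the first RID of the pool, the high 32 bits the last one.

# rid_attr FILE ATTR -> first value of ATTR in FILE
rid_attr() { sed -n "s/^$2: //p" "$1" | head -n1; }

# rid_range PACKED -> "first-last"
rid_range() { echo "$(( $1 & 4294967295 ))-$(( $1 >> 32 ))"; }

# rid_show FILE -> human-readable summary of the RID Set stored in FILE
rid_show() {
    echo "dn:                        $(rid_attr "$1" dn)"
    echo "rIDAllocationPool:         $(rid_range "$(rid_attr "$1" rIDAllocationPool)")"
    echo "rIDPreviousAllocationPool: $(rid_range "$(rid_attr "$1" rIDPreviousAllocationPool)")"
    echo "rIDNextRID:                $(rid_attr "$1" rIDNextRID)"
}

# rid_restore_ldif SAVED -> input for: ldbmodify -H /var/lib/samba/private/sam.ldb restore.ldif
rid_restore_ldif() {
    local a
    printf 'dn: %s\nchangetype: modify\n' "$(rid_attr "$1" dn)"
    for a in rIDAllocationPool rIDPreviousAllocationPool rIDNextRID; do
        printf 'replace: %s\n%s: %s\n-\n' "$a" "$a" "$(rid_attr "$1" "$a")"
    done
}

# Constructed sample in the format ldbsearch writes (real values come from /root/ridpool.ldif).
demo() {
    local f; f=$(mktemp)
    printf '%s\n' '# record 1' \
        'dn: CN=RID Set,CN=dcmaster,OU=Domain Controllers,DC=example,DC=test' \
        'rIDAllocationPool: 6867652707404' 'rIDPreviousAllocationPool: 6867652707404' \
        'rIDNextRID: 1234' '' '# returned 1 records' > "$f"
    rid_show "$f"; echo; rid_restore_ldif "$f"
    rm -f "$f"
}
demo
```

Compare the output of rid_show for /root/ridpool.ldif with a fresh ldbsearch of the new sam.ldb before deciding which values to write back.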
14. In case you worked through this article to raise the domain level, you now need to raise the functional level (step 3), renew the Kerberos keys (step 4) and finally perform steps 5 and 6 of the raise-domain-functional-level article.
15. Check the Samba database:
samba-tool dbcheck --cross-ncs
This may show errors like:
ERROR: incorrect DN SID component for memberOf in object CN=Read-only Domain Controllers,CN=Groups,DC=schein,DC=ig - <GUID=ef92e00c-78d6-49bd-8e2c-88add222a76a>;<SID=S-1-5-21-1999524357-978345479-19512341-572>;CN=Denied RODC Password Replication Group,CN=Groups,DC=larbg,DC=verwalt-berlin,DC=de
Not fixing SID component mismatch
samba-tool dbcheck --cross-ncs --fix --yes
This should fix these issues:
Checking 5953 objects
Checked 5953 objects (0 errors)
16. After steps 1-13 (14) the (test) system should be rebooted and tested.
Remember the renamed objects possibly created in step 6: if everything went fine and the (in this case) new Domain Computers group is fine and holds all objects, you can remove Domain Computers2.
17. If there were other systems using Samba 4 in this environment, all of them have to be re-joined:
univention-join
18. Clean up to prevent system-diagnostics messages for well-known SIDs
The following UCR variables:
ucr search --brief groups/default
groups/default/.*: <empty>
groups/default/accountoperators: Konten-Operatoren
groups/default/administrators: Administratoren
groups/default/backupoperators: Sicherungs-Operatoren
groups/default/certpublishers: Zertifikatherausgeber
groups/default/distributedcomusers: Distributed COM-Benutzer
groups/default/enterpriseadmins: Organisations-Admins
groups/default/grouppolicycreatorowners: Richtlinien-Ersteller-Besitzer
groups/default/incomingforesttrustbuilders: Erstellungen eingehender Gesamtstrukturvertrauensstellung
groups/default/networkconfigurationoperators: Netzwerkkonfigurations-Operatoren
groups/default/performancelogusers: Leistungsprotokollbenutzer
groups/default/performancemonitorusers: Systemmonitorbenutzer
groups/default/printer-admins: Druck-Operatoren
groups/default/printoperators: Printer-Admins
groups/default/rasandiasservers: RAS- und IAS-Server
groups/default/remotedesktopusers: Remotedesktopbenutzer
groups/default/replicator: Reproduktions-Operator
groups/default/schemaadmins: Schema-Admins
groups/default/serveroperators: Server-Operatoren
groups/default/terminalserverlicenseservers: Terminalserver-Lizenzserver
groups/default/users: Benutzer
groups/default/windowsauthorizationaccessgroup: Windows-Autorisierungszugriffsgruppe
groups/default/windowshosts: Domänencomputer
can be cleaned up. These might come from a Univention Configuration Registry policy (default-settings).
You will need the default group for printer admins:
ucr set groups/default/printoperators=Printer-Admins