Re-Provisioning Samba4 on a DC Primary taken over from a german AD

This article applies only if you have a very old domain which was originally taken over from a German Microsoft AD.

Problem:

samba-tool domain level show
Domain and forest function level for domain 'DC=schein,DC=ig'

Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2003

It is not possible to raise the domain level as described in the raise-domain-functional-level article, but you will need some steps from that article later (see step 14).

Solution:

Re-provisioning is a supported way to raise the domain level.

Samba 4 can be re-provisioned from the existing OpenLDAP data.

The following steps describe the needed procedure.

Note:
Make sure that all of your groups and users have a sambaSID in OpenLDAP. No offense: some older apps added groups in non-UCS ways, so a SID was added to the group in Samba but not in OpenLDAP. Re-provisioning uses OpenLDAP data only, so such SIDs would be lost and ACL problems (e.g. with share access) may occur, requiring immense restoration effort. Groups without a sambaSID can be listed with:

univention-ldapsearch '(&(objectClass=univentionGroup)(!(sambaSID=*)))' 1.1

1. Stop Samba 4 on all connected systems in the environment

If there are other Samba 4 systems in the domain, Samba 4 has to be stopped on them:

/etc/init.d/samba stop

2. Sync time on DC Master:

rdate ptbtime1.ptb.de

3. Save RID pools on DC Master:

ldbsearch -H /var/lib/samba/private/sam.ldb CN="RID Set" \
-b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)" > /root/ridpool.ldif

4. Stop Samba 4 and S4-Connector on DC Master

/etc/init.d/samba stop
systemctl stop univention-s4-connector.service

5. Move/Delete Samba 4 and S4-Connector data on DC Master

find /etc/univention/connector/ \( -name "s4*.sqlite" -o -name "lockingdb.sqlite" \) -exec mv "{}" "{}.bak_$(date +%s)" \;

rm -rf /var/lib/univention-connector/s4/*
mv /var/lib/samba/private "/var/lib/samba/private.bak_$(date +%s)"

6. Preparation for renaming the German group names to English

Create a list (grouplist) with the English and German names that need to be renamed, one pair per line:

Administrators:Administratoren
Backup Operators:Sicherungs-Operatoren
Cert Publishers:Zertifikatherausgeber
Distributed COM Users:Distributed COM-Benutzer
Domain Admins:Domänen-Admins
Domain Controllers:Domänencontroller
Domain Guests:Domänen-Gäste
Domain Users:Domänen-Benutzer
Guests:Gäste
Incoming Forest Trust Builders:Erstellungen eingehender Gesamtstrukturvertrauensstellung
Network Configuration Operators:Netzwerkkonfigurations-Operatoren
Performance Log Users:Leistungsprotokollbenutzer
Performance Monitor Users:Systemmonitorbenutzer
Pre-windows 2000 Compatible Access:Prä-Windows 2000 kompatibler Zugriff
Remote Desktop Users:Remotedesktopbenutzer
Replicator:Replikations-Operator
Server Operators:Server-Operatoren
Terminal Server License Servers:Terminalserver-Lizenzserver
Users:Benutzer
Windows Authorization Access Group:Windows-Autorisierungszugriffsgruppe
Account Operators:Konten-Operatoren
Enterprise Admins:Organisations-Admins
Group Policy Creator Owners:Richtlinien-Ersteller-Besitzer
Print Operators:Druck-Operatoren
RAS and IAS Servers:RAS- und IAS-Server
Schema Admins:Schema-Admins
Domain Computers:Domänencomputer

There may already be groups with English names; these have to be found first:

while IFS=':' read -r en de; do
    univention-ldapsearch -xLLL "(&(cn=$en)(objectClass=univentionGroup))"
done < grouplist

and renamed. If such a group already has memberships, these members have to be synchronized into the one group that remains (please adjust the domain to yours), e.g.:

udm groups/group modify --dn="cn=Domain Computers,cn=groups,dc=schein,dc=ig" --set name="Domain Computers2"

Note: there is no example for synchronizing the memberships in this article yet.
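The article gives no example for merging the memberships of a pre-existing English-named group (such as the "Domain Computers2" created above) into the group that will carry the canonical name. The following script is an added example and not part of the original article: it reads the members of the source group from the output of `udm groups/group list` and appends them to the target group with `--append`, so existing members of the target are kept. It assumes the UDM CLI output format (a `DN:` line followed by indented `attr: value` lines) and the group properties `users`, `hosts` and `nestedGroup`; the udm output embedded in it is a constructed sample.

```shell
#!/bin/bash
# Added example (not from the original article): merge the members of one
# UCS group into another before the source group is removed.
# Assumptions: udm prints "DN: <dn>" followed by indented "attr: value"
# lines, and groups/group has the list properties users, hosts, nestedGroup.

# Read `udm groups/group list` output on stdin and print one
# "<property>TAB<member dn>" line per member (users, hosts, nested groups).
extract_members() {
    sed -n -E 's/^[[:space:]]+(users|hosts|nestedGroup): (.+)$/\1\t\2/p'
}

# Append every member of the group named $1 to the group with DN $2.
# --append keeps the members the target group already has.
merge_group_members() {
    local src_name="$1" dst_dn="$2" kind dn
    udm groups/group list --filter "cn=$src_name" | extract_members |
        while IFS="$(printf '\t')" read -r kind dn; do
            echo "adding $kind $dn to $dst_dn"
            udm groups/group modify --dn="$dst_dn" --append "$kind=$dn"
        done
}

# Constructed sample of udm output (no real environment behind it).
SAMPLE_UDM_OUTPUT='DN: cn=Domain Computers2,cn=groups,dc=schein,dc=ig
  name: Domain Computers2
  description: pre-existing English-named group
  hosts: cn=pc1,cn=computers,dc=schein,dc=ig
  hosts: cn=pc2,cn=computers,dc=schein,dc=ig
  users: uid=svc-backup,cn=users,dc=schein,dc=ig'

# Dry run on the sample: list what would be appended without touching udm.
demo_members() {
    printf '%s\n' "$SAMPLE_UDM_OUTPUT" | extract_members
}

# Real run, after the German group was renamed to "Domain Computers" in step 7:
#   merge_group_members "Domain Computers2" \
#       "cn=Domain Computers,cn=groups,$(ucr get ldap/base)"
```

Run `demo_members` first to see which DNs would be added; only then call `merge_group_members` against the live directory, and remove the source group (step 16) after verifying the target group holds all objects.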

7. Renaming the groups:

while IFS=':' read -r en de; do
    dn=$(univention-ldapsearch -xLLL "(&(cn=$de)(objectClass=univentionGroup))" 1.1 | ldapsearch-decode64 | sed -n 's/^dn: //p')
    [ -n "$dn" ] || { echo "no group named '$de' found, skipping"; continue; }
    echo "renaming $dn: '$de' to '$en'"
    udm groups/group modify --dn="$dn" --set name="$en"
done < grouplist

8. Setting the new group names as defaults (the DNs use your ldap/base via ucr):

root@ucs:~# ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret <<EOR
dn: cn=default,cn=univention,$(ucr get ldap/base)
changetype: modify
replace: univentionDefaultGroup
univentionDefaultGroup: cn=Domain Users,cn=groups,$(ucr get ldap/base)
-
replace: univentionDefaultComputerGroup
univentionDefaultComputerGroup: cn=Domain Computers,cn=groups,$(ucr get ldap/base)
EOR

9. Remove Samba 4 and S4-Connector packages on DC Master

univention-remove univention-samba4 univention-s4-connector

10. Set needed UCR-Variables for re-provision on DC Master

ucr set connector/s4/mapping/group/grouptype='false' \
connector/s4/mapping/sid_to_s4='true' \
samba4/provision/primary='true'

11. Install Samba 4 and S4-Connector packages on DC Master

univention-install univention-s4-connector univention-samba4

Now wait until all objects are synced via the S4 connector; you can watch the progress in /var/log/univention/connector-s4.log.
Also check for rejects (univention-s4connector-list-rejected) before you proceed with the next steps. This may take some time, depending on the number of your LDAP objects.

12. Remove UCR variables which were set for re-provision on DC Master

ucr unset samba4/provision/primary \
connector/s4/mapping/sid_to_s4

13. Correct the newly created RID pool with the help of the saved data on DC Master

The re-provision created a new RID pool; it has to be corrected with the data saved in step 3:

ldbedit -H /var/lib/samba/private/sam.ldb CN="RID Set" \
-b CN="$(ucr get hostname),OU=Domain Controllers,$(ucr get ldap/base)"

The following attributes have to be set to the values from /root/ridpool.ldif:

rIDAllocationPool
rIDPreviousAllocationPool
rIDNextRID

Please also see the SDB article "Samba 4 - RID Pool renewal".
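Instead of patching the three attributes by hand in ldbedit, the dump saved in step 3 can be turned into an LDIF for ldbmodify, which makes the change reviewable and repeatable. This is an added example, not part of the original article: it assumes /root/ridpool.ldif is the unmodified ldbsearch output from step 3 (one record, possibly with folded continuation lines) and that the RID Set DN is unchanged by the re-provision. The dump embedded below is a constructed sample with made-up values.

```shell
#!/bin/bash
# Added example (not from the original article): build an ldbmodify LDIF that
# copies rIDAllocationPool, rIDPreviousAllocationPool and rIDNextRID from the
# ldbsearch dump saved in step 3 into the freshly provisioned sam.ldb.
# Assumes the dump is plain ldbsearch output and the RID Set DN is unchanged.

# $1: path to the saved dump. Prints the modify LDIF on stdout.
rid_restore_ldif() {
    local saved="$1"
    # Unfold LDIF continuation lines (a line starting with a space continues
    # the previous one), then emit one replace per attribute we care about.
    sed -e ':a' -e 'N' -e '$!ba' -e 's/\n //g' "$saved" |
        awk -F': ' '
            $1 == "dn" { printf "dn: %s\nchangetype: modify\n", $2 }
            $1 == "rIDAllocationPool" ||
            $1 == "rIDPreviousAllocationPool" ||
            $1 == "rIDNextRID" { printf "replace: %s\n%s: %s\n-\n", $1, $1, $2 }'
}

# Sanity check before applying: the dump must contain all three attributes,
# otherwise the pool would be restored only partially. Returns 0 when complete.
rid_dump_complete() {
    local saved="$1" attr
    for attr in rIDAllocationPool rIDPreviousAllocationPool rIDNextRID; do
        grep -q "^$attr: " "$saved" || return 1
    done
}

# Constructed sample of a step-3 dump (values are made up, not from a real DC).
SAMPLE_RIDPOOL='# record 1
dn: CN=RID Set,CN=ucs,OU=Domain Controllers,DC=schein,DC=ig
objectClass: top
objectClass: rIDSet
cn: RID Set
rIDAllocationPool: 6867652707404
rIDPreviousAllocationPool: 6867652707404
rIDUsedPool: 0
rIDNextRID: 1234
distinguishedName: CN=RID Set,CN=ucs,OU=Domain Controllers,DC=schein,DC=ig

# returned 1 records
# 1 entries
# 0 referrals'

# Dry run on the sample: writes it to a temp file and prints the LDIF.
demo_restore() {
    local tmp
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RIDPOOL" > "$tmp"
    rid_restore_ldif "$tmp"
    rm -f "$tmp"
}

# Real run on the DC Master after step 12 (review the LDIF before applying):
#   rid_dump_complete /root/ridpool.ldif && \
#   rid_restore_ldif /root/ridpool.ldif > /root/ridpool-restore.ldif && \
#   ldbmodify -H /var/lib/samba/private/sam.ldb /root/ridpool-restore.ldif
```

Only the three attributes named in the article are replaced; rIDUsedPool and everything else in the dump are left untouched. Re-run the ldbsearch from step 3 afterwards to confirm the values match the saved ones.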

14. If you worked through this article to raise the domain level

You now need to raise the functional level (step 3), renew the Kerberos keys (step 4) and finally carry out step 5 from the raise-domain-functional-level article.

15. Check the Samba database

samba-tool dbcheck --cross-ncs
#→ may show errors like this:
ERROR: incorrect DN SID component for memberOf in object CN=Read-only Domain Controllers,CN=Groups,DC=schein,DC=ig - <GUID=ef92e00c-78d6-49bd-8e2c-88add222a76a>;<SID=S-1-5-21-1999524357-978345479-19512341-572>;CN=Denied RODC Password Replication Group,CN=Groups,DC=larbg,DC=verwalt-berlin,DC=de
Not fixing SID component mismatch

samba-tool dbcheck --cross-ncs --fix --yes
#→ should fix these issues:
Checking 5953 objects
Checked 5953 objects (0 errors)

16. After steps 1-13 (14) the (test) system should be rebooted and tested.

Remember the objects possibly renamed in step 6. If everything went fine and the (in this case) new Domain Computers group is fine and holds all objects, you can remove Domain Computers2.

17. If there were other systems using Samba 4 in this environment, all of them have to be re-joined:

univention-join