Koozali.org: home of the SME Server

PDC migration 5.5 to 6.0

Loek

PDC migration 5.5 to 6.0
« on: January 04, 2004, 08:59:46 PM »
Hi,

I'm planning to upgrade an SME 5.5 that functions as PDC in a W2K network to SME 6.0 but I have the following question:
I prefer to do a clean install (which is also advised in some forum posts) but for that I need to give the upgraded server the exact same IDs (at least the SID), otherwise the user profiles won't migrate.

Following the samba HowTo for PDC migration, I extracted the MACHINE.SID from the 5.5 server using the rpcclient command, but I can't find the file MACHINE.SID on either of the SME machines. According to the Samba HowTo I need to set the extracted SID in this file on the new machine.

The only thing I found on the SME servers is a command called 'setsid', but I don't know if this is related, or what the syntax is.

Help is appreciated.

Loek

ryan

Re: PDC migration 5.5 to 6.0
« Reply #1 on: January 07, 2004, 06:12:58 AM »
Read up before you upgrade. I screwed myself upgrading 5.1.2 to 5.6 in a pure XP environment. A different pure 2k environment with the same upgrade did not have any issues.

If you upgrade to 6.0, you will have to rejoin the clients to the domain.  Search this forum and look at the bugs section.  I set up a test environment with 1 2k box and 1 XP box.  I joined them to a 5.6 domain then upgraded to 6.0.  Both clients lost membership to the domain.

ryan

Loek

Re: PDC migration 5.5 to 6.0
« Reply #2 on: January 07, 2004, 01:28:27 PM »
Ryan,

Thanks for your answer. I'm having a similar problem. I can join the W2K boxes to the domain of the new 6.0 server (that part works fine) but the problem is that all users lose their (roaming) user profiles. I have set up a test environment under VMWare so I can experiment freely, but no success yet.

I recreated all users, copied all data (incl. profiles), and also set the SID of the 6.0 server to the SID of the former SME5.5 (using smbpasswd).
Still the W2K machines refuse to accept the profiles of the new server, so I must be missing something. I've been browsing through various samba howto's, but haven't found the answer to this one yet.

Any ideas?

Loek

ryan

Re: PDC migration 5.5 to 6.0
« Reply #3 on: January 07, 2004, 03:23:24 PM »
Loek,

When your systems lose contact with the PDC after the upgrade, have them join a workgroup, reboot, join the domain again, reboot, as local admin fix up the local groups again, then log in with a domain account.

I am not sure if the profiles from the old domain will be applied or if a new one will be created, but it will get your systems back on the 6.0 domain.

I only tested this with 3 systems...sme, 2k, and XP.  There could be other issues or problems here so I would do this in a test environment to make sure it works for you.

ryan

Loek

Re: PDC migration 5.5 to 6.0
« Reply #4 on: January 07, 2004, 06:44:39 PM »
Hi Ryan,

Thanks again. I succeeded in making the machines join the 6.0 domain, but whatever I do, the W2K machines always create new - empty - profiles for the domain users. The profiles contain so many settings (email accounts, printer settings, etc.) that I don't fancy having to fix all that for all users.

There must be a way to replace one samba server for another without any of the clients even noticing anything has changed.

The new server has the same server name, same IP, same SID, and contains all data including the user profiles in the right place. What more should be done?! (said I, already a little desperate)

Loek

PeterG

Re: PDC migration 5.5 to 6.0
« Reply #5 on: January 07, 2004, 06:50:16 PM »
This would be sooooo handy to know how to do. I bet the knowledge is out there somewhere....

I am currently stuck in the same position, trying to upgrade (completely new hardware, IDE -> SCSI) a 5.5 server to 6.0

I don't relish the thought of having to re-configure all the clients.

PeterG.

Alex

Re: PDC migration 5.5 to 6.0
« Reply #6 on: January 08, 2004, 12:09:16 PM »
Hi! I have the same problem. Migration from PDC 5.6 to PDC 5.6 to new hardware. Config files are completely synchronized, but SMB clients are not identified by the new server. The only option is to rejoin each workstation to the domain... But this is a huge quantity of work. I have 60 workstations.

PeterG

Re: PDC migration 5.5 to 6.0
« Reply #7 on: January 08, 2004, 02:44:22 PM »
From what I understand there are a number of issues regarding the move from 5.5/5.6 to 6.0 of SME that specifically affect XP and more general issues with windows clients as a whole.

With XP clients, Microsoft introduced a number of new registry settings regarding domain handshaking, these have already been documented in the forums and I believe there is a .reg? file included in the v6.0 distribution release to import straight into the XP clients using regedit. This resolves the problem of XP clients joining a domain but then not being able to log on to it.

The other is regarding complete moves of hardware rather than just upgrading components. I haven't yet looked but I am guessing that maybe there was a functionality change with the samba release that was issued with 5.5/5.6 and 6.0 that is complicating matters.

I have the option of restoring a complete 5.5 system onto a new hardware platform from tape, but the new platform will be SCSI rather than IDE and I do not want to clutter the system with modules that it does not need.

There must be a definitive method and list of directories/files that are required to move one server to another that will mean no impact on the client PCs. This is such a relatively common task that it must have been done before.

The search goes on...(probably on the samba website)


PeterG.

Alex

Re: PDC migration 5.5 to 6.0
« Reply #8 on: January 08, 2004, 03:08:58 PM »
I have found a way! Read the Samba how-to closely. Now secrets.tdb is used instead of MACHINE.SID and WORKGROUP.SID. Migration is carried out through rsync, search on the forum. And completely new hardware - IDE to SCSI - is OK!

ryan

Re: PDC migration 5.5 to 6.0
« Reply #9 on: January 08, 2004, 03:34:28 PM »
Could you list a link or possibly some more details....when you did it want what you did....that would be helpful.

Thanks,

ryan

PeterG

Re: PDC migration 5.5 to 6.0
« Reply #10 on: January 08, 2004, 03:41:16 PM »
A random thought....

If a 5.5 version of the server is running as a Primary Domain Controller (PDC) and we have a new bit of kit that we want to take over this server, would this work...

Install new server on network and configure it in the same workgroup, at this point is it running as a Backup Domain Controller (BDC)?

I have just tried this and the new server is in the same domain as the old server and after a brief hunt around the samba list archives I have found this little gem and tried it.

[root@oulton e-smith]# smbpasswd -S
Successfully set domain SID to S-1-5-21-2672183053-1999075282-1853768680.
[root@oulton e-smith]#

This is performed on the new machine and queries the old machine for its SID. It appears to have been successful.

I am guessing that the SID is something important (can you tell I am still learning) after this is it a case of copying over the various password and group files and presumably there are accounts for the client computers themselves somewhere?

PeterG.

Alex

Re: PDC migration 5.5 to 6.0
« Reply #11 on: January 08, 2004, 03:52:47 PM »
http://forums.contribs.org/index.php?topic=18005.msg70553#msg70553

I have added only /etc/samba for secrets.tdb

PeterG

Re: PDC migration 5.5 to 6.0
« Reply #12 on: January 08, 2004, 04:19:41 PM »
Found it...


http://tehvand.com/tehvand/index.cgi?opt=projex&project=rsyncmigrate



I just want to copy the users and the data though not an exact copy of the old server. New server is server new one will be server/gateway etc.


PeterG.

Alex

Re: PDC migration 5.5 to 6.0
« Reply #13 on: January 08, 2004, 05:24:08 PM »
Yes, you migrate user settings and data only.
And I am sorry - /etc/secrets.tdb, not /etc/samba/secrets.tdb

PeterG

Re: PDC migration 5.5 to 6.0
« Reply #14 on: January 08, 2004, 06:07:56 PM »
So to just get the windows domain section transferred this could be a solution?

Configure new server as required, presumably to any version?

make sure its in the same workgroup and then...

1. smbpasswd -S on the new server

2. a rsync of these files -

 /etc/group
 /etc/gshadow
 /etc/passwd
 /etc/shadow
 /etc/smbpasswd


3. Shutdown old server
 
4. /sbin/e-smith/signal-event post-upgrade

5. /sbin/e-smith/signal-event reboot

6. When it's back up tell it it's a domain controller


Too simple?



PeterG.

Alex

Re: PDC migration 5.5 to 6.0
« Reply #15 on: January 08, 2004, 06:24:24 PM »
No! smbpasswd -S only displays current SID!
You need to rsync /etc/secrets.tdb too.
Then
 /sbin/e-smith/signal-event post-upgrade

 /sbin/e-smith/signal-event reboot
That's all

Loek

Re: PDC migration 5.5 to 6.0
« Reply #16 on: January 08, 2004, 06:39:38 PM »
Alex,

I also found on one of the many posts on the samba lists that this secrets.tdb file replaces the former MACHINE.SID, I am about to test this and post my results here. Did your clients accept their profiles from the new server?

|  Peter wrote:
|  
|  1. smbpasswd -S on the new server
|  2. a rsync of these files -
|  /etc/group
|  /etc/gshadow
|  /etc/passwd
|  /etc/shadow
|  /etc/smbpasswd
|  3. Shutdown old server
|  4. /sbin/e-smith/signal-event post-upgrade
|  5. /sbin/e-smith/signal-event reboot

This may work if you stick to the same sme version, but still you have to copy the SID and the secrets.tdb (I tested without the secrets and that did not work, i.e., the server works but you'll have to redo all user profiles).

If you migrate to sme6.0 at the same time, then just copying the passwd files will seriously mess up your server. 6.0 uses a series of entries (at least in passwd, I think) that were not in 5.5 (I don't know about 5.6). So you'll have to paste your accounts into these files.

More to follow.

Loek

PeterG

Re: PDC migration 5.5 to 6.0
« Reply #17 on: January 08, 2004, 06:41:10 PM »
Hmmm, when I tried on my v6.0 server it tells me this -

[root@oulton e-smith]# smbpasswd -S
Successfully set domain SID to S-1-5-21-2672183053-1999075282-1853768680.
[root@oulton e-smith]#


and the man pages for smbpasswd tell me this -
"
-S     This option causes smbpasswd to query a domain controller of the domain specified by the work group parameter in smb.conf and store the domain SID in the secrets.tdb file as its own machine SID. This is only useful when configuring a Samba PDC and Samba BDC, or when migrating from a Windows PDC to a Samba PDC.
"

So probably the same thing only different 8-)


Presumably the rest of my mini how-to sounds ok?



PeterG.

PeterG

Re: PDC migration 5.5 to 6.0
« Reply #18 on: January 08, 2004, 06:55:09 PM »
Good info, thanks.


I have had a look on the 5.5 up6 server I have here and the same smbpasswd -S is documented as per the 6.0.

I will rebuild the new server as a 5.5 and then try the howto.

Fingers crossed.


PeterG.

ryan

Re: PDC migration 5.5 to 6.0
« Reply #19 on: January 08, 2004, 07:11:47 PM »
This discussion has been helpful for me to understand the problem.

If a simple upgrade from 5.6 to 6.0 keeping the same computer, what must I copy from the 5.6 prior to upgrading so I can copy it back?

ryan

PeterG

Re: PDC migration 5.5 to 6.0
« Reply #20 on: January 09, 2004, 12:17:34 AM »
Only had a chance to very quickly test this and i believe most of it worked, a client was able to login but it then failed when trying to write some sort of file during the login process. I hadn't created any home directories, etc!

Looks promising though, will try again tomorrow.

PeterG.

Alex

Re: PDC migration 5.5 to 6.0
« Reply #21 on: January 09, 2004, 10:31:41 AM »
I agree. In this case I was migrating from PDC to PDC. I executed smbpasswd -S and then copied secrets.tdb to the new machine. Yes, it was in that order. As a result I have an identical SID on both machines. But in this case it is not clear why the modification date of secrets.tdb in my case is not yesterday's date, but much earlier. I think that if smbpasswd is run on the PDC, nothing is written to secrets.tdb. It works only if the PDC is another machine. In my case the machines were not connected to the network simultaneously when executing smbpasswd -S.

PeterG

Re: PDC migration 5.5 to 6.0
« Reply #22 on: January 09, 2004, 10:38:55 AM »
What I failed to remember, is that sme holds user data in its own configuration. doh.

i.e. when looking in the users panel in server-manager, nothing appears even though there are users in the passwd file.

Anyone know what the path is for the e-smith configuration database thingy?

PeterG.

PeterG

Re: PDC migration 5.5 to 6.0
« Reply #23 on: January 09, 2004, 02:27:26 PM »
Right then,

making progress, I think 8-)

I used this to migrate the users

http://www.tech-geeks.org/contrib/loveless/batch_users/README-0.6.txt

There are entries in the e-smith accounts database for each machine but it is one field for each PC.
e.g.
pc8$=machine

I am struggling to get the format correct to get these entries into the database. Anyone help?

After this I think all it needs are the entries from each of the passwd and group (+shadows) files appended and then that might work...

PeterG.

Loek

Re: PDC migration 5.5 to 6.0
« Reply #24 on: January 10, 2004, 03:46:32 PM »
Hi,

I finally succeeded in getting the clients in my test environment to log in to the newly installed 6.0 server and keep their old user profiles. The clients don't even notice that the server has been replaced. The secret is indeed copying the secrets.tdb file in /etc (beware: on 6.0 it has to go in /etc/samba !)

You should also set the name and IP of the new server identical to the old one (although I have not tested if it would work if you don't).

If you had roaming profiles set to "No" under the workgroup settings using SME 5.5 or 5.6, then you were probably using roaming profiles for W2K/XP clients anyway because of a bug in those versions, see http://forums.contribs.org/index.php?topic=15867.msg61253#msg61253

For this situation, to keep the roaming profiles you should set Roaming Profiles to "Yes" and move each profile from
/home/e-smith/files/users/[username]/files/home/profiles/  to  /home/e-smith/files/samba/profiles/[username]/

To be sure to have all settings right, I created all users on 6.0 manually, then copied the data. Then I created the machine accounts using /sbin/e-smith/signal-event machine-account-create MachineName$
but this still required the machines to be added to /etc/samba/smbpasswd, with the same passwords as they had under 5.x (note: on 5.x smbpasswd is located in /etc, not in /etc/samba), but with the UID of the new machine accounts (check in e.g. /etc/passwd)

It works, but altogether it's a lengthy process. It's ok if you have about 10 users, but you don't want to be doing this for 100 users or more, there may be an easier way. It looks like 6.0 stores user data in LDAP, is this documented somewhere?

Peter, are you moving to 5.6 or also trying to use 6.0? E-smith 5.5 stored the user account in /home/e-smith/accounts. I think replicating a server used to work under these versions if you transferred your data, the password files in /etc and then the files /home/e-smith/accounts and /home/e-smith/configuration (plus of course optional custom templates, installed updates, extensions, etc.) For 6.0 this won't do, but I hope to find an easier procedure than what I have now and then document it.

That's it for now,
Cheers
Loek
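
The last manual step in the post above, carrying the machine-account hashes from the 5.x smbpasswd over under the UIDs the accounts received on 6.0, can be scripted. This is an added example and not part of the thread; the file names and sample entries are constructed, and it assumes the usual smbpasswd layout of name, UID, LM hash, NT hash, flags and last-change time.

```shell
#!/bin/sh
# Added example, not from the thread. Rewrites the machine-account lines
# (names ending in "$") of the old server's smbpasswd so that field 2 carries
# the UID the account has in the new server's /etc/passwd.
# Assumed smbpasswd layout: name:uid:LM hash:NT hash:[flags]:LCT-time:
remap_machine_accounts() {
    # $1 = smbpasswd copied from the old server, $2 = passwd of the new server
    awk -F: -v OFS=: '
        NR == FNR { uid[$1] = $3; next }       # first file: name -> new UID
        $1 !~ /\$$/ { next }                   # skip ordinary user accounts
        !($1 in uid) {                         # machine account not created yet
            print "no passwd entry for " $1 > "/dev/stderr"
            missing = 1
            next
        }
        { $2 = uid[$1]; print }                # keep the hashes, swap the UID
        END { exit (missing ? 2 : 0) }
    ' "$2" "$1"
}

# Constructed sample data (hashes are dummy values, not real credentials).
write_sample() {
    cat > "$1/smbpasswd.old" <<'EOF'
loek:5001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3FFD5E10:
pc8$:5010:11111111111111111111111111111111:22222222222222222222222222222222:[W          ]:LCT-3FFD5E20:
pc9$:5011:33333333333333333333333333333333:44444444444444444444444444444444:[W          ]:LCT-3FFD5E30:
EOF
    cat > "$1/passwd.new" <<'EOF'
loek:5000:5000:Loek:/home/e-smith/files/users/loek:/bin/false
pc8$:5003:5003:Hostname account for pc8$:/noexistingpath:/bin/false
EOF
}

umask 077      # the output holds password hashes; keep it owner-only
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
remap_machine_accounts "$demo_dir/smbpasswd.old" "$demo_dir/passwd.new" \
    > "$demo_dir/machines.smbpasswd" || echo "some machine accounts are missing"
cat "$demo_dir/machines.smbpasswd"
rm -rf "$demo_dir"
```

The printed lines are what would be appended to /etc/samba/smbpasswd on the 6.0 server; exit status 2 means at least one machine account has not been created there yet.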