Microsoft's support for Windows NT4 ended December 31, 2004. You have an NT4 domain controller or controllers, and are wondering what to do next—keep them? Upgrade to Windows 2003 with Active Directory, which is expensive, has a learning curve, and probably means buying new computers as well? Find something else entirely?
Find something else entirely—a nice Linux system running Samba 3 makes a dandy drop-in NT4 PDC replacement. Your users will never know the difference, except perhaps in better performance.
Follow these steps:
1. Do some housecleaning first—get rid of unused and duplicate accounts on the NT4 PDC.
2. Make a Backup Domain Controller (BDC) account for Samba using NT Server Manager.
3. Configure Samba.
4. Join the Samba BDC to your NT4 domain.
5. Migrate user and machine accounts.
6. Shut down the NT4 domain controller.
7. Promote Samba to a PDC.
This is a simple /etc/samba/smb.conf designed just for migration from NT4. The workgroup name is the existing domain name—do not change it! The netbios name can be anything you want, and you must use the real IP of your WINS server:
[global]
    workgroup = reddomain
    netbios name = samba11
    passdb backend = tdbsam
    security = user
    domain master = No
    domain logons = Yes
    os level = 33
    add user script = /usr/sbin/useradd -m '%u'
    delete user script = /usr/sbin/userdel -r '%u'
    add group script = /usr/sbin/groupadd '%g'
    delete group script = /usr/sbin/groupdel '%g'
    add user to group script = /usr/sbin/usermod -G '%g' '%u'
    add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null '%u'
    wins server = 192.168.1.30
Run testparm to check syntax:
$ testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_BDC
Press enter to see a dump of your service definitions
Start or restart Samba, then join it to the domain using the IP address or NetBIOS name of the NT4 PDC, and the NT4 Administrator login, or any NT4 user with administrative rights:
# net rpc join -S ntpdc -U Administrator%password
Joined domain REDDOMAIN.
Now comes the fun part; this is where you get to vampire your accounts from the NT4 box to Samba:
# net rpc vampire -S ntpdc -W reddomain -U Administrator%password
Fetching REDDOMAIN database
SAM_DELTA_REDDOMAIN_INFO not handled
Creating unix group: 'Domain Admins'
Creating unix group: 'Domain Users'
Creating unix group: 'Domain Guests'
Creating unix group: 'Web_team'
Creating unix group: 'Sysadmins'
...
Creating account: Administrator
Creating account: Guest
Creating account: NTSERVER$
Creating account: 'carla'
Creating account: 'foober'
...
Verify that your user accounts moved over by running pdbedit to show a list of migrated accounts:
# pdbedit -L
powerpc-w2k$:1010:POWERPC-W2K$
stinkpad$:1012:STINKPAD$
alrac:1013:
root:0:root
foober5:1007:
...
Finally, promote Samba to Primary Domain Controller by reworking /etc/samba/smb.conf to look just like the example in Recipe 11.4. Restart Samba, and your users should be able to log in without a hitch.
Shut down your old NT4 domain controller and find it another job, perhaps as a nice Samba file or printer server.
If you change the domain name you're committed to starting over, and will have to enter all user accounts manually, so don't.
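One way to automate the verification step, as an added example that is not part of the original recipe: the script compares a saved copy of the net rpc vampire output with a saved pdbedit -L listing and prints every account that was announced but is missing from the passdb. The file names, the sample data, and the case-insensitive comparison are assumptions; the line formats are the ones shown above.

```shell
#!/bin/sh
# Added example (not from the original recipe): compare a saved
# "net rpc vampire" log with "pdbedit -L" output after the migration.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Names from "Creating account: ..." lines, quotes stripped, lower-cased.
vampire_accounts() {
    sed -n "s/^Creating account: *//p" "$1" | tr -d "'" |
        tr '[:upper:]' '[:lower:]' | sort -u
}

# Names from pdbedit -L lines (name:uid:full name), lower-cased.
passdb_accounts() {
    awk -F: 'NF >= 3 { print tolower($1) }' "$1" | sort -u
}

# Accounts the vampire log announced but pdbedit does not list.
missing_accounts() {
    v=$(mktemp); p=$(mktemp)
    vampire_accounts "$1" > "$v"
    passdb_accounts "$2" > "$p"
    comm -23 "$v" "$p"
    rm -f "$v" "$p"
}

# Constructed sample data, in the format shown in the recipe.
write_samples() {
    cat > "$1/vampire.log" <<'EOF'
Fetching REDDOMAIN database
Creating unix group: 'Web_team'
Creating account: Administrator
Creating account: NTSERVER$
Creating account: 'carla'
Creating account: 'foober'
EOF
    cat > "$1/pdbedit.txt" <<'EOF'
ntserver$:1010:NTSERVER$
administrator:1011:
carla:1013:
root:0:root
EOF
}

if [ "$#" -eq 2 ]; then
    missing_accounts "$1" "$2"      # real files from your own migration
else
    d=$(mktemp -d); write_samples "$d"
    missing_accounts "$d/vampire.log" "$d/pdbedit.txt"   # prints: foober
    rm -rf "$d"
fi
```

Run it with the two saved files as arguments before shutting down the NT4 PDC; empty output means every account the vampire run reported is present in the Samba passdb.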
man 8 pdbedit
man 5 smb.conf
Chapter 8, "Managing Users and Groups," in Linux Cookbook, by Carla Schroder (O'Reilly)
Chapter 23, "File and Printer Sharing, and Domain Authentication with Samba," in Linux Cookbook