[Samba] File server and AD

[Elias Pereira via samba]

Hello guys,

I will migrate our nt4-style to AD. Today we have a samba with openldap as
backend. I'll get this openldap server and use to classic upgrade. I guess
is the best way, right?

And the samba server I'll use as a file server.

My question. As the old samba has everything (files, permissions, etc) of
the users, when I join this server as member of the AD, the users will be
able to access your own share and files?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

[Rowland Penny via samba]

On Wed, 21 Sep 2016 13:33:43 -0300
Elias Pereira via samba <sa...@lists.samba.org> wrote:

> Hello guys,
>
> I will migrate our nt4-style to AD. Today we have a samba with
> openldap as backend. I'll get this openldap server and use to classic
> upgrade. I guess is the best way, right?

It is probably the only way, but I would read this before you start:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29

>
> And the samba server I'll use as a file server.
>

Do you mean you will be using the DC as a fileserver ?

> My question. As the old samba has everything (files, permissions,
> etc) of the users, when I join this server as member of the AD, the
> users will be able to access your own share and files?

Provided everything goes corrrectly, then yes.

Rowland

[Elias Pereira via samba]

>
> It is probably the only way, but I would read this before you start:

Ok.

> Do you mean you will be using the DC as a fileserver ?

No. I was thinking of using the old samba server (NT4-style) as a file
server. AD stays separate.

--
Elias Pereira

[Rowland Penny via samba]

On Wed, 21 Sep 2016 17:58:22 -0300
Elias Pereira via samba <sa...@lists.samba.org> wrote:

>
> > Do you mean you will be using the DC as a fileserver ?
>
> No. I was thinking of using the old samba server (NT4-style) as a file
> server. AD stays separate.
>

I don't think that will work and if it does, it will mean keeping a
separate user & group database and keeping the passwords in sync.

I would suggest turning it into a domain member and then use this as a
fileserver, see here for more info:

https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
https://wiki.samba.org/index.php/Shares_with_Windows_ACLs

I would also, if possible, take the opportunity to upgrade the OS and
Samba.

[Elias Pereira via samba]

I get it! :D

The old Samba NT4 is in a freebsd. I would like to migrate to a new distro.
I will use debian8.

I have to copy the files and permissions from groups and users for this
new. I've been searching and with rsync maybe I could do this.
http://amar-linux.blogspot.com.br/2012/03/migrating-
samba-server-and-users-in.html?m=1

Have you done something like that?

--
Elias Pereira

[Rowland Penny via samba]

On Thu, 22 Sep 2016 14:38:57 -0300
Elias Pereira via samba <sa...@lists.samba.org> wrote:

> I get it! :D
>
> The old Samba NT4 is in a freebsd. I would like to migrate to a new
> distro. I will use debian8.
>
> I have to copy the files and permissions from groups and users for
> this new. I've been searching and with rsync maybe I could do this.
> http://amar-linux.blogspot.com.br/2012/03/migrating-
> samba-server-and-users-in.html?m=1
>
> Have you done something like that?
>

well no, I also think you shouldn't need to either.

If you classic upgrade your NT4-style PDC to an AD DC, your users and
groups should have the same IDs, so if you back up everything you need,
then reformat the hard drive and install the new OS and install Samba
and join it to the new domain, you should find all your users and
groups are available. Now restore your backup and all the data should
be back.

[Elias Pereira via samba]

Performing the backup, for example on an external hard drive and restoring
after all ok, the permissions will not be changed?

In NT4 use the "lam" for management. Can I use ldap account manager for
managing Samba4 ADDC or should only use the RSAT? Or is possible using both?

--
Elias Pereira

[Rowland Penny via samba]

On Fri, 23 Sep 2016 17:15:21 -0300
Elias Pereira via samba <sa...@lists.samba.org> wrote:

> Performing the backup, for example on an external hard drive and
> restoring after all ok, the permissions will not be changed?

It would be better if you could back everything up to another domain
member, such as the new DC, but you will have to set up nsswitch and
the required links i.e. whatever you use will have to know who your
users are.

>
> In NT4 use the "lam" for management. Can I use ldap account manager
> for managing Samba4 ADDC or should only use the RSAT? Or is possible
> using both?
>

Yes, you can use LAM, the only problem that I am aware of (if you can
call it a problem) it adds the totally un-required posix objectclasses.

[Roland Gruber via samba]

Hi Rowland,

On 23.09.2016 22:37, Rowland Penny via samba wrote:
>> In NT4 use the "lam" for management. Can I use ldap account manager
>> for managing Samba4 ADDC or should only use the RSAT? Or is possible
>> using both?
>>
>
> Yes, you can use LAM, the only problem that I am aware of (if you can
> call it a problem) it adds the totally un-required posix objectclasses.

there is an option to not add this object class in LAM. ;-) Please note
that there might be applications that require this object class.


--

Best regards

Roland

[Rowland Penny via samba]

If there are applications that rely on the posix objectclasses being in
AD, then they are broken, Windows ADUC never added them and now
Samba doesn't either.