
[Samba] LDAP/PDC migration to Samba4


Andrey Repin
Jul 17, 2014, 7:10:02 PM
Greetings, All!

I'm planning a migration to Samba 4 (for a long time, I admit, but I only
recently got a promise of funds for a new server... whew...), but I'm a little
in the dark on how to arrange the whole process.

Right now, the situation is imagined as follows:

Server A: LDAP/PDC/Samba3/NAT/DHCP/BIND/everything else.
Server B: New installation, x86_64, Samba4, would-be-replacement for Server A.
Local network: Win2k/WinXP/Win7 systems, with sparkles of iOS/Android/Win8.

Now, is there a way to transparently add the new server as a BDC, wait for
transfer, then flip a switch and make it primary controller?

If this process is already described somewhere, I would really appreciate
not-too-deep-and-sidestepped guidelines.

I'm eternally thankful to rickyjones from ubuntuforums for his comprehensive
guide to setting up an LDAP+Samba3 PDC; nothing I've seen on the internet on the
subject has matched the quality of his article.

But with the migration at hand right now, I'm in the dark... kind of.
I really don't want to recreate the domain from scratch. The number of users
that would need to be migrated/reconfigured/placated/fended off is just unbearable.


--
WBR,
Andrey Repin (anrd...@yandex.ru) 18.07.2014, <01:59>

Sorry for my terrible English...

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Andrey Repin
Jul 17, 2014, 8:30:02 PM
Greetings, All!

> I'm planning a migration to Samba 4 (for a long time, I admit, but I only
> recently got a promise of funds for a new server... whew...), but I'm a little
> in the dark on how to arrange the whole process.

I forgot to mention, I've found an article[1] on the Samba wiki, but it only
discusses upgrading an existing installation.

[1] https://wiki.samba.org/index.php/Samba_Classic_Upgrade_(NT4-style_domain_to_AD)


--
WBR,
Andrey Repin (anrd...@yandex.ru) 18.07.2014, <04:08>

steve
Jul 18, 2014, 4:20:02 AM
On Fri, 2014-07-18 at 02:12 +0400, Andrey Repin wrote:

>
> I'm eternally thankful to rickyjones from ubuntuforums for his comprehensive
> guide to setting up an LDAP+Samba3 PDC; nothing I've seen on the internet on the
> subject has matched the quality of his article.

The only guide which comes anywhere near is openSUSE. A beginner can be
up in around 10 minutes, NT domain, LDAP, TLS:
http://digiplan.eu.org/ldap-samba-howto-v4.html

Andrey Repin
Jul 19, 2014, 5:00:02 PM
Greetings, steve!

> The only guide which comes anywhere near is openSUSE. A beginner can be
> up in around 10 minutes, NT domain, LDAP, TLS:
> http://digiplan.eu.org/ldap-samba-howto-v4.html

That's for Samba3, and you picked the wrong part of my message to quote.


--
WBR,
Andrey Repin (anrd...@yandex.ru) 20.07.2014, <00:41>

Sorry for my terrible English...

Rowland Penny
Jul 19, 2014, 5:20:02 PM
On 19/07/14 21:41, Andrey Repin wrote:
> Greetings, steve!
>
>> The only guide which comes anywhere near is openSUSE. A beginner can be
>> up in around 10 minutes, NT domain, LDAP, TLS:
>> http://digiplan.eu.org/ldap-samba-howto-v4.html
> That's for Samba3, and you picked a wrong part of my message to quote.
>
>
> --
> WBR,
> Andrey Repin (anrd...@yandex.ru) 20.07.2014, <00:41>
>
> Sorry for my terrible english...
>
Well, yes, it is for Samba3, but anything Samba3 can do, Samba4 can do,
plus be an AD DC. You also posted that you wanted to upgrade from a
Samba3 PDC to a Samba4 PDC, i.e. like for like, or do you really want to
upgrade to an AD DC?

Rowland

Andrew Bartlett
Jul 19, 2014, 5:20:03 PM
On Fri, 2014-07-18 at 04:10 +0400, Andrey Repin wrote:
> Greetings, All!
>
> > I'm planning a migration to Samba 4 (for a long time, I admit, but I only
> > recently got a promise of funds for a new server... whew...), but I'm a little
> > in the dark on how to arrange the whole process.
>
> I forgot to mention, I've found an article[1] on the Samba wiki, but it only
> discusses upgrading an existing installation.
>
> [1] https://wiki.samba.org/index.php/Samba_Classic_Upgrade_(NT4-style_domain_to_AD)

Andrey,

The same guide applies if this is on a new server, but of course you
need to get the information about how to talk to your LDAP server
across.

If it helps, think of it as adding a new server to your existing domain,
then upgrading it.

This was expressed more clearly in the old HOWTO:

https://wiki.samba.org/index.php?title=Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29&oldid=8471

Marc,

Could you put back the information on migrating on a new server? This
is generally how folks do this migration (as they plan to trial on new
hardware and decommission old hardware), and we need this to be
clearer.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

Andrey Repin
Jul 19, 2014, 7:40:01 PM
Greetings, Andrew Bartlett!

>> > I'm planning a migration to Samba 4 (for a long time, I admit, but I only
>> > recently got a promise of funds for a new server... whew...), but I'm a little
>> > in the dark on how to arrange the whole process.
>>
>> I forgot to mention, I've found an article[1] on the Samba wiki, but it only
>> discusses upgrading an existing installation.
>>
>> [1] https://wiki.samba.org/index.php/Samba_Classic_Upgrade_(NT4-style_domain_to_AD)

> Andrey,

> The same guide applies if this is on a new server, but of course you
> need to get the information about how to talk to your LDAP server
> across.

> If it helps, think of it as adding a new server to your existing domain,
> then upgrading it.

I'm thinking about it exactly that way :) I just never did anything like that
before, and I'm a little nervous. Just a little...

> This was expressed more clearly in the old HOWTO:

> https://wiki.samba.org/index.php?title=Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29&oldid=8471

I'll check it out. Thank you.


--
WBR,
Andrey Repin (anrd...@yandex.ru) 20.07.2014, <03:30>

Sorry for my terrible English...

Andrey Repin
Jul 19, 2014, 7:40:02 PM
Greetings, Rowland Penny!

> you also posted that you wanted to upgrade from a
> samba3 PDC to a samba4 PDC i.e. like for like, or do you really want to
> upgrade to an AD DC?

Perhaps I wasn't exactly clear. Let me restate the issue.

I want to build a new server. Completely new.

The old hardware is getting really old; it's a Socket 478 Celeron without 64-bit
support, and I'm running out of free space on its 40 (forty, that is) Gb of storage.

And I really want to get a 64-bit system, to free my hands for future upgrades as
much as possible.

As you can see, a simple upgrade of the old system is not an option.

When the new server is up and running as a BDC, I want to move the rest of the old
server's functionality over, replacing it as PDC, gateway, accounting and file server.

When all that is done, I want to enable AD support. The ultimate goal is to have
selectable roaming user profiles and full support for Win7 in a domain
environment.

That's it, at least from the Samba side. There are also associated goals which are not
directly related to Samba.

P.S.
Please don't take "enable AD support" literally. If that comes naturally
as a result of the migration, I'm fine with it.


--
WBR,
Andrey Repin (anrd...@yandex.ru) 20.07.2014, <02:59>

Sorry for my terrible English...

Marc Muehlfeld
Jul 19, 2014, 8:10:02 PM
Hello Andrew,


Am 19.07.2014 23:11, schrieb Andrew Bartlett:
> Could you put back the information on migrating on a new server? This
> is generally how folks do this migration (as they plan to trial on new
> hardware and decommission old hardware), and we need this to be
> clearer.


You're right. This got lost.


I've added a note to the introduction and a new section under the
'preparation' area:
https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29#Upgrading_on_a_new_server

Regards,
Marc

Marc Muehlfeld
Jul 19, 2014, 8:40:02 PM
Am 20.07.2014 01:29, schrieb Andrey Repin:
> Perhaps I wasn't exactly clear. Let me restate the issue.
>
> I want to build a new server. Completely new.
>
> The old hardware is getting really old; it's a Socket 478 Celeron without 64-bit
> support, and I'm running out of free space on its 40 (forty, that is) Gb of storage.
>
> And I really want to get a 64-bit system, to free my hands for future upgrades as
> much as possible.
>
> As you can see, a simple upgrade of the old system is not an option.
>
> When the new server is up and running as a BDC, I want to move the rest of the old
> server's functionality over, replacing it as PDC, gateway, accounting and file server.


Installing an additional Samba NT4-style BDC is some work. But there is
a lot of documentation about that on the internet. Some of it you can find here
(I don't know whether it's outdated by now):
https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html

But maybe the following can be an easier way to bring your Samba to
64-bit: if I remember right, a PDC-BDC installation requires
LDAP. If you already have an LDAP backend, then most of your data is
already in a good place for a 32-/64-bit migration.

You could install a new machine with x86_64 and tell it to use your LDAP
again. If it was on the old 32-bit host, then export it (slapcat) and
import it on the new one (slapadd).

Depending on what else was in your 32-bit Samba installation, you may
not have to do much more. The TDBs on the new host will be recreated.
If your old Samba server wasn't acting as a print server with
preconfigured drivers, this shouldn't be a big problem, because in that
case the settings are stored in registry.tdb.

> When all that done, I want to enable AD support. Ultimate goal is to have
> selectable roaming user profiles and full support for Win7 in domain
> environment.

You can't simply "enable" AD support. You have to do a classicupgrade
and migrate your NT4-style domain to an AD domain.

But before you do all that work with a BDC and later a migration to
Samba AD: do you have the chance to migrate directly to Samba AD? You
could prepare everything on a new 64-bit host, copy everything you need
and do the migration.

Of course this needs intensive testing and maybe adapting other services
as well. But your BDC way also does.

So maybe it's worth copying your 40 GB HDD to a larger disk to play for
time and then do the step to AD next. It will allow managing Win7
clients with GPO and bring you many other benefits.

BTW: What Samba version do you run on your old host?

Regards,
Marc

Andrey Repin
Jul 19, 2014, 9:30:01 PM
Greetings, Marc Muehlfeld!

> Installing an additional Samba NT4-style BDC is some work. But there is
> a lot of documentation about that on the internet. Some of it you can find here
> (I don't know whether it's outdated by now):
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html

Bookmarked :) thanks.

> But maybe the following can be an easier way to bring your Samba to
> 64-bit: if I remember right, a PDC-BDC installation requires
> LDAP. If you already have an LDAP backend, then most of your data is
> already in a good place for a 32-/64-bit migration.

Yes, I'm running over an LDAP backend. (Made my life a lot easier, allowing me
transparent authentication in many places besides Samba!)

> You could install a new machine with x86_64 and tell it to use your LDAP
> again. If it was on the old 32-bit host, then export it (slapcat) and
> import it on the new one (slapadd).

> Depending on what else was in your 32-bit Samba installation, you may
> not have to do much more. The TDBs on the new host will be recreated.
> If your old Samba server wasn't acting as a print server with
> preconfigured drivers, this shouldn't be a big problem, because in that
> case the settings are stored in registry.tdb.

So, what you suggest is... dump the LDAP database, import it on the new server,
and just switch cases?
That won't work, I'm afraid. The server is constantly in use, including by remote
clients. I want the downtime to be as low as possible.


>> When all that done, I want to enable AD support. Ultimate goal is to have
>> selectable roaming user profiles and full support for Win7 in domain
>> environment.

> You can't simply "enable" AD support. You have to do a classicupgrade
> and migrate your NT4-style domain to an AD domain.

Thanks, that makes sense.

> But before you do all that work with a BDC and later a migration to
> Samba AD: do you have the chance to migrate directly to Samba AD? You could
> prepare everything on a new 64-bit host, copy everything you need and do the
> migration.

> Of course this needs intensive testing and maybe adapting other services
> as well. But your BDC way also does.

> So maybe it's worth copying your 40 GB HDD to a larger disk to play for
> time and then do the step to AD next. It will allow managing Win7
> clients with GPO and bring you many other benefits.

I already have a test copy of the network in VM's, so I'm prepared... kind of.
As I said, the server is in use most of the time, and when I need to
experiment, making changes on live server is not an option. :)
All preliminary testing is done in isolated environment.

> BTW: What Samba version do you run on your old host?

# smbd --version
Version 3.0.28a

....it's a REALLY old system.


--
WBR,
Andrey Repin (anrd...@yandex.ru) 20.07.2014, <04:56>

Sorry for my terrible English...

Marc Muehlfeld
Jul 19, 2014, 9:50:01 PM
Am 20.07.2014 03:05, schrieb Andrey Repin:
> Yes, I'm running over an LDAP backend. (Made my life a lot easier, allowing me
> transparent authentication in many places besides Samba!)
>
>> You could install a new machine with x86_64 and tell it to use your LDAP
>> again. If it was on the old 32-bit host, then export it (slapcat) and
>> import it on the new one (slapadd).
>
>> Depending on what else was in your 32-bit Samba installation, you maybe
>> don't have to do much more. The TDBs on the new host will be recreated.
>> If your old Samba server wasn't acting as a printserver with
>> preconfigured drivers, this shouldn't be a big problem. Because in that
>> case the settings are stored in the registry.tdb.
>
> So, what you suggest is... dump the LDAP database, import it on the new server,
> and just switch cases?
> That won't work, I'm afraid. The server is constantly in use, including by remote
> clients. I want the downtime to be as low as possible.

You could do a two-step switch:

1) Install Samba on the new 64-bit server, copy your configs and change
them to use the LDAP on your old host. Stop Samba on the old host and
start it on the new one. The Samba hostname (netbios name) must be the same.
The real hostname and IP can differ. This should be a minimal downtime
(but of course has to be tested beforehand).


2) Prepare an LDAP server on the new host. Export on the old, import on
the new. Adapt the LDAP server IP in smb.conf. This should also be a
short downtime.

But if the system is so highly critical that these two steps (I guess
max. 20 minutes if prepared and well tested beforehand) are too long, then
you shouldn't run with just a single PDC at all.

>> BTW: What Samba version do you run on your old host?
>
> # smbd --version
> Version 3.0.28a
>
> ....it's REALLY old system.

If switching from such an old installation, good testing is really
important. There were huge changes in the 6.5 years since that release.

Once you are using Samba AD you have the benefit that it's easy to
add more DCs. And all DCs do multi-master replication. You can
shut down a DC and upgrade it while the other(s) is/are up and serving.
This makes it easier to stay current (I know that it's not always possible
to stay up to date in production).

Regards,
Marc
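The two-step switch above, together with the slapcat/slapadd copy suggested earlier in the thread, can be rehearsed with a few checks before anything is stopped. The following is an added example in Python, not code from this thread or from the Samba project: it compares the old and new smb.conf for the parameters that define the domain's identity, flags an LDAP admin bind that would cross the network in the clear, rewrites the LDAP URL for step 2, and confirms that a slapcat export carries the domain SID. The smb.conf fragments, the LDIF, the hostnames (oldpdc.ccenter.lan), IPs and SID are constructed placeholders; only the suffix dc=ccenter,dc=lan comes from the thread's own log line.

```python
"""Pre-cutover checks for moving a Samba 3 PDC with an LDAP backend to a new host.

Added example, not code from this thread or the Samba project. Step 1 starts
smbd on the new host against the LDAP server still on the old host; step 2
repoints smb.conf at the LDAP server on the new host after a slapcat/slapadd
copy. All config text, hostnames, IPs and the SID below are constructed.
"""
import re

# Parameters that define the domain's identity: they must be the same on both
# hosts, or clients will see a different domain after the switch.
MUST_MATCH = ("workgroup", "netbios name", "ldap suffix", "ldap admin dn",
              "passdb backend")
LDAP_URL = re.compile(r"(ldaps?://)([^/:\s]+)(:\d+)?")
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_smb_conf(text):
    """Return {section: {key: value}} for smb.conf text, keys lower-cased.
    Only the first '=' separates key and value, because LDAP DNs contain '='."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf


def _normalize(key, value):
    """The LDAP server host may differ between hosts; backend type and scheme may not."""
    if key == "passdb backend" and value:
        return LDAP_URL.sub(lambda m: m.group(1) + "HOST", value)
    return value


def cutover_differences(old_text, new_text):
    """Step 1 check: (key, old, new) for every identity parameter that differs."""
    old = parse_smb_conf(old_text).get("global", {})
    new = parse_smb_conf(new_text).get("global", {})
    return [(k, old.get(k), new.get(k)) for k in MUST_MATCH
            if _normalize(k, old.get(k)) != _normalize(k, new.get(k))]


def transport_warnings(conf_text):
    """Warn when the LDAP admin bind would cross the network in the clear.
    127.0.0.1 on the old host is fine; in step 1 the new host binds to the old
    host over the wire, so it needs ldaps:// or 'ldap ssl = start tls'."""
    g = parse_smb_conf(conf_text).get("global", {})
    m = LDAP_URL.search(g.get("passdb backend", ""))
    if not m:
        return ["passdb backend is not an LDAP URL"]
    scheme, host = m.group(1), m.group(2)
    if host in LOCAL_HOSTS or scheme == "ldaps://":
        return []
    if g.get("ldap ssl", "").lower() == "start tls":
        return []
    return [f"LDAP bind to {host} over plain ldap:// without StartTLS"]


def repoint_ldap(conf_text, new_host):
    """Step 2: rewrite the host of every ldap:// or ldaps:// URL in smb.conf."""
    return LDAP_URL.sub(lambda m: m.group(1) + new_host + (m.group(3) or ""),
                        conf_text)


def domain_sid_from_ldif(ldif_text, domain):
    """Return the sambaSID of the sambaDomain entry for `domain` in a slapcat
    export, or None if the entry is missing from the export."""
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        lines = entry.splitlines()
        if "objectClass: sambaDomain" not in lines:
            continue
        attrs = dict(ln.split(": ", 1) for ln in lines if ": " in ln)
        if attrs.get("sambaDomainName", "").upper() == domain.upper():
            return attrs.get("sambaSID")
    return None


# Constructed smb.conf of the old 32-bit PDC (binds to its local LDAP server).
OLD_CONF = """
[global]
   workgroup = CCENTER
   netbios name = PDC
   server string = old 32-bit PDC
   interfaces = 192.0.2.10/24
   passdb backend = ldapsam:ldap://127.0.0.1
   ldap suffix = dc=ccenter,dc=lan
   ldap admin dn = cn=admin,dc=ccenter,dc=lan
   domain logons = yes
"""
# Step 1 config for the new host: same identity, different IP, LDAP still on
# the old host (placeholder name oldpdc.ccenter.lan), StartTLS for the bind.
NEW_CONF_STEP1 = (OLD_CONF.replace("old 32-bit PDC", "new x86_64 PDC")
                  .replace("192.0.2.10", "192.0.2.20")
                  .replace("ldap://127.0.0.1", "ldap://oldpdc.ccenter.lan")
                  + "   ldap ssl = start tls\n")
# Constructed slapcat output, trimmed to the entries that matter here.
OLD_LDIF = """dn: sambaDomainName=CCENTER,dc=ccenter,dc=lan
objectClass: sambaDomain
sambaDomainName: CCENTER
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=root,ou=Users,dc=ccenter,dc=lan
objectClass: sambaSamAccount
uid: root
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-500
"""

if __name__ == "__main__":
    print("step 1 identity differences:", cutover_differences(OLD_CONF, NEW_CONF_STEP1))
    print("step 1 transport warnings:", transport_warnings(NEW_CONF_STEP1))
    step2 = repoint_ldap(NEW_CONF_STEP1, "127.0.0.1")
    print("step 2 passdb backend:", parse_smb_conf(step2)["global"]["passdb backend"])
    print("domain SID in export:", domain_sid_from_ldif(OLD_LDIF, "CCENTER"))
```

The transport check is there because the old host bound to its own LDAP server on the loopback, while the step-1 host binds across the wire with the LDAP admin DN's password; `ldap ssl = start tls` is a real smb.conf parameter. Two things this script cannot see: Samba 3 keeps the LDAP admin password (set with `smbpasswd -w`) and the domain SID in secrets.tdb rather than in LDAP, so both have to be set on the new host as well, and `net getlocalsid` there should then report the same SID that `domain_sid_from_ldif` finds in the export.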

Davor Vusir
Jul 20, 2014, 12:50:02 AM
Or you could create a new Samba AD DC domain, exploit the trust
capabilities, and copy the user accounts' SIDs to the corresponding accounts'
SID history in the new domain. Create appropriate access groups and apply
them to the resources.

When all is tested and set, you migrate the computers.

No downtime.

Regards
Davor

Andrew Bartlett
Jul 20, 2014, 1:30:01 AM
With the only downside being that none of the above will work.

(sidHistory isn't supported in Samba, trusts are not supported, and
machines would have to be re-joined anyway).

Sorry,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba


Davor Vusir
Jul 20, 2014, 1:50:02 AM
SIDHistory in S3 not supported?

Not even one-way trust anymore in S4?

/Davor

Andrew Bartlett
Jul 20, 2014, 2:40:02 AM
The AD DC has no code to read or use the sIDHistory attribute (patches
welcome). Any trust support in the AD DC is essentially accidental at
this point, not tested and certainly not something I would recommend as
a migration option.

Davor Vusir
Jul 20, 2014, 3:00:02 AM
I see. That leaves you no other option but classic upgrade.

Thank you for the information.

Regards
Davor

Andrey Repin
Jul 21, 2014, 7:40:02 AM
Greetings, Andrew Bartlett!

>> Or you could create a new Samba AD DC domain, exploit the trust
>> capabilities, and copy the user accounts' SIDs to the corresponding accounts'
>> SID history in the new domain. Create appropriate access groups and apply
>> them to the resources.
>>
>> When all is tested and set you migrate the computers.

> With the only downside being that none of the above will work.

Thanks for the fair warning, Andrew :) That's one thing less to worry about.
I was skeptical about this trust thing the moment I read it, for my own
reasons. (If anyone is following the Cygwin mailing list, you know what I mean.)
But knowing that this is not possible leaves me with a clear set of options.
I hope I'll be able to write down my steps (should be no problem, unless money
is rushed on me and I have a system on my hands within a week's time), so other
people can benefit from my experience.

> (sidHistory isn't supported in Samba, trusts are not supported, and
> machines would have to be re-joined anyway).


--
WBR,
Andrey Repin (anrd...@yandex.ru) 21.07.2014, <15:00>

Sorry for my terrible English...

Andrey Repin
Nov 10, 2014, 5:30:03 PM
Greetings, All!

Greetings again, helpful people of the mailing list!
I'm looking for advice on the best course of action.

Right now, I've successfully run an upgrade of the test system to Ubuntu 12.04
with little to no issues in the relevant parts.
The system is currently running openldap-2.4.28 and Samba 3.6.3, with an
option to install Samba 4.0.

The logs show a number of error messages, such as
Nov 11 00:13:53 userl perl: pam_ldap: error trying to bind as user "uid=root,ou=Users,dc=ccenter,dc=lan" (Invalid credentials)
but they appear to be harmless…

Now, should I upgrade to 14.04 with a presumably newer Samba4 available from the
main repo, or attempt the Samba4 installation now and upgrade later?


--
WBR,
Andrey Repin (anrd...@yandex.ru) 11.11.2014, <00:47>
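The pam_ldap bind failures mentioned above are the kind of message worth triaging rather than just tolerating: a single DN failing repeatedly from one process usually means a stale password in a service's configuration, whereas many distinct DNs failing from one host within a short window deserves a look. The following is an added example in Python, not code from this thread or from the Samba or pam_ldap projects: it parses such syslog lines and sorts them into those two patterns. The first log line is the one from the post; the remaining lines (hosts, users, PIDs) are constructed.

```python
"""Triage pam_ldap bind-failure lines from syslog.

Added example, not from the thread. Extracts the failing DN, host and process
from each message and reports two patterns separately: one DN failing
repeatedly from one process, and many distinct DNs failing from one host
inside a short window. The sample log is constructed around the thread's line.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[^:\[]+)(?:\[\d+\])?: pam_ldap: error trying to bind "
    r'as user "(?P<dn>[^"]+)" \((?P<reason>[^)]+)\)$')


def parse_bind_failures(lines, year=2014):
    """Return one dict per pam_ldap bind-failure line; other lines are ignored.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "proc": m["proc"],
                       "dn": m["dn"], "reason": m["reason"]})
    return events


def triage(events, repeat_threshold=3, window_seconds=300, distinct_threshold=5):
    """Classify failures into:
      'repeated_dn': {(host, proc, dn): count} when the same DN fails at least
                     repeat_threshold times from the same process (typically a
                     stale credential in that service's configuration);
      'many_dns':    {host: set of DNs} when at least distinct_threshold
                     different DNs fail from one host within window_seconds."""
    per_key = defaultdict(int)
    for e in events:
        per_key[(e["host"], e["proc"], e["dn"])] += 1
    repeated = {k: n for k, n in per_key.items() if n >= repeat_threshold}

    many = {}
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            # every failure within the window that opens at this event
            dns = {e["dn"] for e in evs[i:]
                   if (e["ts"] - start["ts"]).total_seconds() <= window_seconds}
            if len(dns) >= distinct_threshold:
                many[host] = dns
                break
    return {"repeated_dn": repeated, "many_dns": many}


# Constructed sample: the first line is from the thread, the rest are made up.
SAMPLE_LOG = """\
Nov 11 00:13:53 userl perl: pam_ldap: error trying to bind as user "uid=root,ou=Users,dc=ccenter,dc=lan" (Invalid credentials)
Nov 11 00:18:53 userl perl: pam_ldap: error trying to bind as user "uid=root,ou=Users,dc=ccenter,dc=lan" (Invalid credentials)
Nov 11 00:23:53 userl perl: pam_ldap: error trying to bind as user "uid=root,ou=Users,dc=ccenter,dc=lan" (Invalid credentials)
Nov 11 00:24:10 userl sshd[2231]: Accepted publickey for backup from 192.0.2.15 port 51022 ssh2
Nov 11 01:02:01 userl sshd[2240]: pam_ldap: error trying to bind as user "uid=alice,ou=Users,dc=ccenter,dc=lan" (Invalid credentials)
Nov 11 01:02:04 userl sshd[2241]: pam_ldap: error trying to bind as user "uid=bob,ou=Users,dc=ccenter,dc=lan" (Invalid credentials)
Nov 11 01:02:07 userl sshd[2242]: pam_ldap: error trying to bind as user "uid=carol,ou=Users,dc=ccenter,dc=lan" (Invalid credentials)
Nov 11 01:02:09 userl sshd[2243]: pam_ldap: error trying to bind as user "uid=dave,ou=Users,dc=ccenter,dc=lan" (Invalid credentials)
Nov 11 01:02:12 userl sshd[2244]: pam_ldap: error trying to bind as user "uid=erin,ou=Users,dc=ccenter,dc=lan" (Invalid credentials)
"""

if __name__ == "__main__":
    result = triage(parse_bind_failures(SAMPLE_LOG.splitlines()))
    for key, count in result["repeated_dn"].items():
        print(f"repeated failures ({count}x) for {key[2]} via {key[1]} on {key[0]}")
    for host, dns in result["many_dns"].items():
        print(f"{len(dns)} distinct DNs failed on {host} within one window")
```

In the sample, the three `perl` failures for `uid=root` land in `repeated_dn` (the harmless-but-fixable case Andrey describes), while the burst of five different DNs from `sshd` lands in `many_dns`. The thresholds and window are parameters because sensible values depend on how many users and batch jobs authenticate against the LDAP server.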