Christian

Thanks for the information. Also thanks to mj.
That sounds promising.
How did you migrate your data?
Did you need to add any schema to samba4 ad?
We're in 5 cities and some of the Internet is not 100% reliable.
Will need samba4 in each office to make sure they can log in even if the Internet is down.
How reliable is the ad syncing?
Does it need a lot of bandwidth?
One of the offices with no windows computers has slow dsl.

We will have to reconfigure a lot of computers during conversion.
I'm thinking if the openldap is not on the same server as samba4 one could keep both running for a few days.
Do you think that's feasible?
I can see some possible issues but think they can be dealt with.

Again thanks for your input.

John

On 3/20/19 2:00 PM, Christian Naumer via samba wrote:
> We also moved from Samba3/ldap to AD. On the servers we also only use Linux. We had no problem with the move. Our mail server is also cyrus with postfix and also SOGo. Everything works, no problems at all. The migration needs to be planned carefully but it is worth the effort. You can still use lam with AD, we also use it.
>
> Regards
>
> Christian
>
> On 19 March 2019 21:41:43 CET, John McMonagle via samba <samba at lists.samba.org> wrote:
>> On 3/19/19 2:52 PM, Rowland Penny via samba wrote:
>>> On Tue, 19 Mar 2019 14:04:27 -0500
>>> John McMonagle <johnm at advocap.org> wrote:
>>>
>>>> I'm open to alternatives but need to be up and running 24/7 on the linux side.
>>>> My boss hates windows more than I do and will likely be looking for a new job if I use windows to administer the linux side.
>>>> We only use windows if there is no other way to do something.
>>>>
>>>> On 3/19/19 12:08 PM, Rowland Penny via samba wrote:
>>>>> On Tue, 19 Mar 2019 11:03:12 -0500
>>>>> John McMonagle via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> We are currently running samba3 nt4 domain controllers using smb-ldap-tools.
>>>>>> We want to convert to samba4 ad so we can run new versions of windows server.
>>>>>
>>>>> Why do you need a newer Windows version ?
>>>>
>>>> Running server 2008 and support is ending soon.
>>>>
>>>>> You state you have no Windows workstations.
>>>>> But you are correct, you need to upgrade, Samba3 is dead, but has later versions, smbldap-tools is totally dead, there doesn't seem to be a source website anymore, it just needs a Perl upgrade that breaks it and you are lost.
>>>>>
>>>>>> I know of:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>>>>>>
>>>>>> But that would break us by moving all ldap to the ad ldap.
>>>>>> We have lots of stuff in ldap.
>>>>>
>>>>> So what, most if not all of that could be moved to AD, though you may have to use later versions of your software or migrate to other, possibly better software.
>>>>>
>>>> At the moment the main thing I can think of is the mail server uses it for mailing lists and all authentication and authorization.
>>>
>>> What is your mail server ?
>>
>> Debian, cyrus imap, postfix, amavis, clamav, sogo ...
>>
>>>> All it takes is one crucial thing that ad will not do and it's eliminated as the only source of data.
>>>>
>>>>>> Currently administer using ldap account manager.
>>>>>> We are in 5 cities and about 95% linux.
>>>>>
>>>>> Looks like a probable good use of 'sites'
>>>>
>>>> What is sites?
>>>
>>> Try reading this:
>>>
>>> https://wiki.samba.org/index.php/Active_Directory_Sites
>>>
>>> Basically boils down to having a DC (at least) at each site and configuring AD to be in its own 'site' in AD.
>>
>> That takes care of part of the problem.
>>
>>>>>> Have 7 openldap servers controlling everything.
>>>>>> Have just 3 nt4 domain controllers and only 3 windows servers on the domain. We have no windows workstations on the domain.
>>>>>
>>>>> As I said above, why do you need the Windows servers, what do they do ?
>>>>
>>>> Accounting, anything that can not be done in linux.
>>>
>>> Is this a proprietary accounting package ?
>>
>> Yes
>> It's a non-profit charitable organization and we need a very flexible accounting system.
>> Besides the irs, everyone that gives us money wants to define how we do our accounting.
>>
>>>> All services are provided by linux.
>>>>
>>>>>> All workstations are linux ltsp and all windows is done via rdp.
>>>>>>
>>>>>> Getting rid of the openldap is too painful to contemplate.
>>>>>> Even if I was willing to move all the authentication and authorization stuff to ad would still need openldap.
>>>>>
>>>>> Why, what do you use openldap for ?
>>>>
>>>> Pretty much all authorization and authentication, groups, mailing lists for hundreds of computers at 5 locations.
>>>
>>> What you could do is, run the openldap servers as Unix domain members and sync user names and password from AD, probably the easiest way would be to investigate the Univention server:
>>> https://www.univention.com/
>>>
>> I'll check it out.
>>
>>> Rowland
>>>

--
John McMonagle
IT Manager
Advocap Inc.
Christian Naumer
2019-Mar-21 15:25 UTC
[Samba] Migration to samba4 ad and sync to openldap.
On 21.03.19 at 15:50, John McMonagle via samba wrote:
> That sounds promising
> How did you migrate your data?

We did the "classicupgrade" as described in the wiki.

> Did you need to add any schema to samba4 ad?

No. But this depends on what you have in ldap now. Do you have dhcp-data in there?

> We're in 5 cities and some of the Internet is not 100% reliable.
> Will need samba4 in each office to make sure they can log in even if the Internet is down.
> How reliable is the ad syncing?

We have 4 DCs and never really had a problem. However, reading this list, this is not always the case it seems.

> Does it need a lot of bandwidth?

I can't comment on that as our DCs are at one site.

> One of the offices with no windows computers has slow dsl.
>
> We will have to reconfigure a lot of computers during conversion.
> I'm thinking if the openldap is not on the same server as samba4 one could keep both running for a few days.

The windows machines can't go back if they once saw the AD. With the linux servers you probably could do it.

> Do you think that's feasible?

We planned very carefully. We did some test migrations of the data in closed off VMs. Tested each service that we thought could cause problems in that environment. Then we migrated 2-3 days before we planned the big switch. Stopped all password changes so that we didn't have old data. We made the rest of the switch in one day on a weekend. There were 5 Windows Server domain members. About 15 Linux servers with several different softwares (web app with php, cyrus, postfix, local auth of users, Samba member servers, Radius, dhcp, etc). Most of them we tested before as VMs in a closed off environment.

> I can see some possible issues but think they can be dealt with.

Planning is everything. And testing the whole thing too.

Regards

Christian

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator Bioprocess Engineering
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
fon +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Executive board: Dr. Juergen Eck (chairman), Manfred Bender, Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
I managed to do migration using "classicupgrade".
Doing tests with debian buster 2:4.9.4+dfsg-4.
For the moment using samba internal dns and sub-domain of ad.advocap.org.
Had issue forwarding dns if I used main domain.
When it comes to real production will use bind that I understand better but don't want to mess with my other dns servers now.
Had a w10 box join samba4 ad controller so it's a promising start :-)
From w10 all looks good.

There are a number of rough edges to work out.
It did not migrate a lot of attributes that are in active directory.
The most important one to us is "mail".
Others by ldap account manager names:
User name
First Name
Last Name
I'm sure there are others.
I did full dump of samba4 ldap with ldapsearch and the attributes do not exist.
They should have been migratable.
What do I do to migrate the other parameters?
Does the domain administrator account give me access to everything in ldap?

Lam sort of works.
I'm using the domain administrator account to authenticate.
Is that correct?
The lam site gives very little info on setup.
Followed what I could find.
At the moment just using the Windows module for Users and Groups.
Users:
LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
List attributes: #givenName;#sn;#mail
(None of these exist as migrated)
Groups:
LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
List attributes: #cn;#gidNumber;#memberUID;#description

Any assistance is appreciated.
There are a lot more questions to come :-(

John

--
John McMonagle
IT Manager
Advocap Inc.
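The message above reports that mail, givenName and sn did not survive the classicupgrade. As an added example (not from the thread or the Samba project), one way to backfill them: dump both trees with `ldapsearch -LLL`, match each AD user's sAMAccountName to the OpenLDAP uid, emit an LDIF that `ldapmodify` can apply to the DC, and report which attributes the old tree never had either (those need manual attention). The two sample dumps, the example.org suffixes and the user names are constructed for the demonstration.

```python
from collections import defaultdict

WANTED = ("mail", "givenName", "sn")   # attributes the thread found missing after classicupgrade

def parse_ldif(text):
    """LDIF (ldapsearch -LLL output) -> list of {lowercase attr: [values]}."""
    entries, cur = [], defaultdict(list)
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold; "" flushes last entry
        if line.strip():
            attr, _, value = line.partition(":")     # '::' (base64) values are kept verbatim
            cur[attr.strip().lower()].append(value.strip())
        elif cur:                                    # blank line ends an entry
            entries.append(cur)
            cur = defaultdict(list)
    return entries

def backfill_ldif(old_ldif, ad_ldif, wanted=WANTED):
    """Match AD users (sAMAccountName) to OpenLDAP entries (uid); return
    ({user: attrs absent in both trees}, 'changetype: modify' LDIF copying the rest)."""
    old = {e["uid"][0].lower(): e for e in parse_ldif(old_ldif) if "uid" in e}
    gaps, out = {}, []
    for e in parse_ldif(ad_ldif):
        if "samaccountname" not in e:
            continue                                 # groups, computers, containers
        name = e["samaccountname"][0]
        src = old.get(name.lower(), {})
        absent = [a for a in wanted if a.lower() not in e]
        adds = [a for a in absent if a.lower() in src]
        gaps[name] = [a for a in absent if a not in adds]
        if adds:                                     # one modify record per user
            mods = [f"add: {a}\n" + "".join(f"{a}: {v}\n" for v in src[a.lower()]) + "-" for a in adds]
            out.append(f"dn: {e['dn'][0]}\nchangetype: modify\n" + "\n".join(mods) + "\n")
    return gaps, "\n".join(out)

# Constructed sample dumps (not from the thread), as ldapsearch -LLL prints them.
OLD_LDIF = """dn: uid=jdoe,ou=People,dc=example,dc=org
uid: jdoe
givenName: Jane
mail: jdoe@example.org

dn: uid=bsmith,ou=People,dc=example,dc=org
uid: bsmith
sn: Smith"""
AD_LDIF = """dn: CN=Jane Doe,CN=Users,DC=ad,DC=example,
 DC=org
sAMAccountName: jdoe

dn: CN=Bob Smith,CN=Users,DC=ad,DC=example,DC=org
sAMAccountName: bsmith"""
```

Review the generated LDIF before feeding it to `ldapmodify` against the DC; the returned dict lists what still has to be filled in by hand.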