On 12/09/2019 20:37, Bartłomiej Solarz-Niesłuchowski via samba-technical wrote:
> Dear List,

Sorry, but this is the wrong list, it should have been the samba mailing list, not samba-technical. I have cc'ed the samba list, please reply there.

> I need to migrate my Samba NT4 domain (5000+ users, 600+ workstations, 50+ printers) urgently.
>
> The backend for samba is on a replicated openldap environment, which is mixed (both linux and windows); I use password aging on windows AND linux and use ldap with samba.schema and posix.schema.
>
> Please help me to find manuals for this migration.
>
> I found:
>
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

You have found it, that is where to start if you want to migrate to AD.

> and
>
> https://wiki.samba.org/index.php/Samba4/LDAP_Backend

For what you require, you can basically ignore that.

> Problems for which I have not found good links:
>
> how to replicate ldap (one ldap server for a network of my size is not enough)?

You migrate your NT4-style domain to AD and then just join additional DCs and replication is done for you, see here:

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

> how to use both samba.schema (windows user data) and posix.schema (unix user data) + password aging in both environments?

You don't.

> how to configure and use bind9 as dns backend for samba AD?

See here:

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server

> how to backup (daily) the contents of the samba data (e.g. slapcat)?

Nope, you would use the samba-tool backup commands, see here:

https://wiki.samba.org/index.php/Back_up_and_Restoring_a_Samba_AD_DC

> Migration will be attempted this Sunday so I am in a hurry......

I will be round on Monday to sweep up the pieces ;-) You need more time to test and fix problems before you do it for real, 3 days is nowhere near enough time.

> Please help me with this migration if you have links for good howtos.

See the above links and remember to reply to the samba mailing list: samba at lists.samba.org

Rowland
Bartłomiej Solarz-Niesłuchowski
2019-Sep-15 15:44 UTC
[Samba] Migrating Samba NT4 Domain to Samba AD
On 2019-09-12 at 22:17, Rowland penny via samba-technical wrote:
> On 12/09/2019 20:37, Bartłomiej Solarz-Niesłuchowski via samba-technical wrote:
>> Dear List,
> Sorry, but this is the wrong list, it should have been the samba mailing list, not samba-technical. I have cc'ed the samba list, please reply there.
>>
>> I need to migrate my Samba NT4 domain (5000+ users, 600+ workstations, 50+ printers) urgently.
>>
> You migrate your NT4-style domain to AD and then just join additional DCs and replication is done for you, see here:
>
> https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

Done, with some problems:

1. bugs reported here:

https://bugzilla.altlinux.org/show_bug.cgi?id=36496

and here

https://bugzilla.samba.org/show_bug.cgi?id=13060

affected me, but I made workarounds and the migration was done.

Basically AD samba works.

I have some questions:

I do not currently understand: must the bind9 connected to the AD server be used by the LAN workstations, or only via the AD server?

Currently the workstations are pointed to a different DNS server than AD; how must it be done correctly?

>> Migration will be attempted this Sunday so I am in a hurry......
>
> I will be round on Monday to sweep up the pieces ;-)

So I have current open problems:

1. share:

  [private]
  path = %H

does not work:

  smbd[42055]: make_connection_snum: canonicalize_connect_path failed for service private, path /%H

on the console cd ~user works correctly

2. How to connect to the internal AD LDAP server?

I tried with:

  oceanic:/etc/pki/ca-trust/extracted/pem# ldbsearch -H ldaps://oceanic.wsisiz.edu.pl
  search error - 00002020: Operation unavailable without authentication

I want to add the necessary attributes, e.g.:

  uidNumber: 10000
  gidNumber: 10000

when creating the account.

3. How about password aging? I need it not only on the Windows part; it is needed on the unix part too (unix has accounts/passwords/etc. via ldap).

I will be grateful for any help.

Best Regards
On 15/09/2019 16:44, Bartłomiej Solarz-Niesłuchowski wrote:
> Done, with some problems:
>
> 1. bugs reported here:
>
> https://bugzilla.altlinux.org/show_bug.cgi?id=36496
>
> and here
>
> https://bugzilla.samba.org/show_bug.cgi?id=13060
>
> affected me, but I made workarounds and the migration was done.
>
> Basically AD samba works.
>
> I have some questions:
>
> I do not currently understand: must the bind9 connected to the AD server be used by the LAN workstations, or only via the AD server?
>
> Currently the workstations are pointed to a different DNS server than AD; how must it be done correctly?

Your domain workstations must use the AD DC(s) as their nameserver, the DC(s) will forward anything outside the AD dns domain to an external dns server.

> So I have current open problems:
>
> 1. share:
>
>   [private]
>   path = %H
>
> does not work:
>
>   smbd[42055]: make_connection_snum: canonicalize_connect_path failed for service private, path /%H
>
> on the console cd ~user works correctly

If this share is on the DC, then it really shouldn't be, using a DC as a fileserver isn't recommended.

> 2. How to connect to the internal AD LDAP server?
>
> I tried with:
>
>   oceanic:/etc/pki/ca-trust/extracted/pem# ldbsearch -H ldaps://oceanic.wsisiz.edu.pl
>   search error - 00002020: Operation unavailable without authentication

I would have thought that was fairly obvious, you need to authenticate, try this instead (as root):

  kinit Administrator

Then:

  ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes

That way, your password never leaves the machine.

> I want to add the necessary attributes, e.g.:
>
>   uidNumber: 10000
>   gidNumber: 10000
>
> when creating the account.

'samba-tool user create --help' will show you how to do this.

> 3. How about password aging? I need it not only on the Windows part; it is needed on the unix part too (unix has accounts/passwords/etc. via ldap).

A Unix user in AD is just a Windows user with RFC2307 attributes, so they all get the same password rules.

BIG NOTE: I hope that 'via ldap' means users in AD.

'samba-tool domain passwordsettings show' will display the current settings, something like this:

  Password complexity: on
  Store plaintext passwords: off
  Password history length: 24
  Minimum password length: 7
  Minimum password age (days): 0
  Maximum password age (days): 42
  Account lockout duration (mins): 30
  Account lockout threshold (attempts): 0
  Reset account lockout after (mins): 30

Rowland
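As an added example (not code from this thread or from the Samba project): a small POSIX sh audit of the policy that 'samba-tool domain passwordsettings show' prints, using the values Rowland quoted above as a constructed sample and flagging the settings that matter for the password-aging question; the thresholds it applies and the remediation commands in the comments are assumptions, not anything the thread states.

```shell
#!/bin/sh
# Constructed sample: the settings Rowland quoted, not output from a live DC.
# On a real DC you would call: audit_pwd_settings "$(samba-tool domain passwordsettings show)"
SAMPLE_SETTINGS='Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30'

# pwd_setting SETTINGS LABEL: print the value after "LABEL: " (empty if absent).
# Parentheses in LABEL are literal in a POSIX basic regex, so no escaping is needed.
pwd_setting() {
    printf '%s\n' "$1" | sed -n "s/^$2: *//p"
}

# audit_pwd_settings SETTINGS: print one finding per line; the return value is
# the number of findings (0 = nothing flagged by the assumed checks below).
audit_pwd_settings() {
    findings=0
    # Aging: a maximum age of 0 means AD passwords never expire, which defeats
    # the aging the poster wants on both Windows and Unix.
    # Assumed fix: samba-tool domain passwordsettings set --max-pwd-age=<days>
    if [ "$(pwd_setting "$1" 'Maximum password age (days)')" = 0 ]; then
        echo "FINDING: passwords never expire (Maximum password age is 0)"
        findings=$((findings + 1))
    fi
    # Lockout: a threshold of 0 disables lockout, so online guessing is unthrottled.
    # Assumed fix: samba-tool domain passwordsettings set --account-lockout-threshold=<n>
    if [ "$(pwd_setting "$1" 'Account lockout threshold (attempts)')" = 0 ]; then
        echo "FINDING: account lockout disabled (threshold is 0)"
        findings=$((findings + 1))
    fi
    if [ "$(pwd_setting "$1" 'Password complexity')" != on ]; then
        echo "FINDING: password complexity is off"
        findings=$((findings + 1))
    fi
    if [ "$(pwd_setting "$1" 'Store plaintext passwords')" != off ]; then
        echo "FINDING: reversible (plaintext) password storage is enabled"
        findings=$((findings + 1))
    fi
    return "$findings"
}

audit_pwd_settings "$SAMPLE_SETTINGS"; echo "findings: $?"
```

Run against the sample it reports the single disabled-lockout finding; the same function works on the live 'show' output because the label text is identical.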