samba - Jul 2020 - Technical questions on AD and NT4

Could someone show me differences in both groups and users between a full NT4
LDAP schema and a full ActiveDirectory LDAP schema?
Is ActiveDirectory fully retrocompatible with NT4?

There are plans for supporting again an OpenLDAP backend when LDAPcon objectives
will be achieved?
https://ldapcon.org/2019/wp-content/events/presentations/ni_samba_backend.pdf

Why an user in old NT4 schema looks like this:
dn: uid=myuser,ou=People,dc=mydomain
while in AD LDAP schema looks like this
dn: CN=myuser,CN=Users,DC=mydomain ?

To what extent is LDB retrocompatible (with abstractions of course) with ldif
files made for OpenLDAP, could I import an ldif thought for old NT4 LDAP into
LDB?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: Firma digitale OpenPGP
URL:
<http://lists.samba.org/pipermail/samba/attachments/20200715/b18020df/attachment.sig>

On 15/07/2020 20:33, RhineDevil via samba wrote:
> Could someone show me differences in both groups and users between a full
NT4 LDAP schema and a full ActiveDirectory LDAP schema?
I could, but we would be here all night, the AD schema is much
larger.
> Is ActiveDirectory fully retrocompatible with NT4?
No
>
> There are plans for supporting again an OpenLDAP backend when LDAPcon
objectives will be achieved?
>
https://ldapcon.org/2019/wp-content/events/presentations/ni_samba_backend.pdf
That has been worked on for the last 8 years (at least) and it still 
doesn't work (not for want of trying)
>
> Why an user in old NT4 schema looks like this:
> dn: uid=myuser,ou=People,dc=mydomain
> while in AD LDAP schema looks like this
> dn: CN=myuser,CN=Users,DC=mydomain ?
Because Microsoft decided it had to be that way.
>
> To what extent is LDB retrocompatible (with abstractions of course) with
ldif files made for OpenLDAP, could I import an ldif thought for old NT4 LDAP
into LDB?
If you are asking if the AD schema can be extended, then the answer is 
very possibly yes, you just need the correct ldifs and to apply them in 
the right order. There are schemas available that work without 
modification, for others, Samba provides a script to modify a schema to 
an AD ldif. You should be aware that extending the AD schema is one way, 
you can extend it, but you cannot remove the schema extension, so you 
should test any extensions before extending a production domain.

Rowland

Wed, 15 Jul 2020 21:08:44 +0100 Rowland penny via samba <samba at
lists.samba.org>:
> On 15/07/2020 20:33, RhineDevil via samba wrote:
> > Could someone show me differences in both groups and users between a
full NT4 LDAP schema and a full ActiveDirectory LDAP schema?
> I could, but we would be here all night, the AD schema is much larger.
Just a brief explaination, I need to know what fields are different and how to
reproduce them if I choose to... let's SUPPOSE
Migrate data from /etc/passwd and /etc/group files
It would be nice knowing for ex if old sambaSID and new objectSID are the same
thing, because I already know (from smbldap tools) how to calculate
it
> > Is ActiveDirectory fully retrocompatible with NT4?
> No
So I guess I can't use an ldif file made for NT4 for populating an AD,
right?
> >
> > There are plans for supporting again an OpenLDAP backend when LDAPcon
objectives will be achieved?
> >
https://ldapcon.org/2019/wp-content/events/presentations/ni_samba_backend.pdf
> That has been worked on for the last 8 years (at least) and it still 
> doesn't work (not for want of trying)
How could I get an idea of what still needs to be done? AFAIK the project leader
for this thing is in vacation
> >
> > Why an user in old NT4 schema looks like this:
> > dn: uid=myuser,ou=People,dc=mydomain
> > while in AD LDAP schema looks like this
> > dn: CN=myuser,CN=Users,DC=mydomain ?
> Because Microsoft decided it had to be that way.
What I meant is would uid=myuser,ou=People,dc=mydomain still
work?
> >
> > To what extent is LDB retrocompatible (with abstractions of course)
with ldif files made for OpenLDAP, could I import an ldif thought for old NT4
LDAP into LDB?
> 
> If you are asking if the AD schema can be extended, then the answer is 
> very possibly yes, you just need the correct ldifs and to apply them in 
> the right order. There are schemas available that work without 
> modification, for others, Samba provides a script to modify a schema to 
> an AD ldif. You should be aware that extending the AD schema is one way, 
> you can extend it, but you cannot remove the schema extension, so you 
> should test any extensions before extending a production domain.
Thank you, what I meant is pretty much what I asked in "Is ActiveDirectory
fully retrocompatible with NT4?"
> 
> Rowland
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: Firma digitale OpenPGP
URL:
<http://lists.samba.org/pipermail/samba/attachments/20200715/74d26bc9/attachment.sig>