Hi all,

I'm planning to migrate an NT domain to an AD domain. Someone suggested that I create a new AD domain, then manually add users to AD with the same username and password as in the NT domain, and then join every PC to the new AD domain. This way the migration should be flawless, because in a Windows network a user can work on foreign resources (resources that are shared from servers joined to other domains) if he shares the same username and password. On my network that doesn't seem to work.

I have a samba3 (4.1.17-Debian) NT domain, I have a new AD domain (4.10.4) and I have a user in the AD domain with the same credentials as in the NT domain. I have joined a Windows PC to the AD domain and when the user logs on to the PC he can successfully work on all PC/server _windows_ shares joined to the NT domain but can't on _samba_ shares joined to the NT domain.

Please can someone help me to troubleshoot the problem?

Thank you very much

Piviul

On 24/08/2020 15:02, Piviul via samba wrote:
> Hi all, I'm planning to migrate a NT domain to a AD domain. Someone
> suggested me to create a new AD domain,

Who was this 'someone'?

I ask because the correct way of doing this is to run 'samba-tool domain classicupgrade', we even have a wikipage:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

> then add manually users to AD with the same username and password of
> the NT domain and then join every PC to the new AD domain. This way
> the migration should be flawlessly because in a windows network a user
> can works on foreign resources (resources that are shared from server
> joined to other domains) if he shares same username and password. On
> my network that's doesn't seems to works.

Your users and groups in your new AD domain are not the same users and groups as in your old NT4-style domain.

> I have a samba3 (4.1.17-Debian) NT domain, I have a new AD domain
> (4.10.4) and I have a user in AD domain with the same credentials in
> the NT domain. I have joined a windows PC to the AD domain and when
> the user logon to the PC he can successfully works on all pc/server
> _windows_ shares joined to NT domain but can't on _samba_ shares
> joined to the NT domain.

Just because they use the same password does not make them the same user.

> Please can someone help me to troubleshoot the problem?

Yes, stop listening to spurious people who have never done the upgrade and follow our documentation ;-)

Rowland

Hi,

Due to some changes somewhere.. Windows/samba, not sure where, I had to change something here also. "Sometimes" a Win 10 can't connect (with passthrough auth) to my old PDC. The (old) network drives stop working in that case. I added a simple script to fix it until my PDC is gone.

    @echo off
    rem Drop the stale mapping, then wait a few seconds before reconnecting
    net use g: /delete
    ping localhost -n 3 >nul
    rem Reconnect using the credentials of the logged-on user
    net use g: \\server.fqdn.tld\share /persistent:yes
    exit

And I do that for all drive letters having this problem.

So what I did change here. This line:

    net use g: \\server.fqdn.tld\share /persistent:yes

Was:

    net use g: \\server.fqdn.tld\share /persistent:yes /user:NT4DOM\%username%

I don't know why this is, but it happened of course after Windows 10 update(s).

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Piviul via samba
> Sent: Monday 24 August 2020 16:03
> To: samba at lists.samba.org
> Subject: [Samba] accessing foreign AD users to NT domain
>
> Hi all, I'm planning to migrate a NT domain to a AD domain. Someone
> suggested me to create a new AD domain, then add manually users to AD
> with the same username and password of the NT domain and then join every
> PC to the new AD domain. This way the migration should be flawlessly
> because in a windows network a user can works on foreign resources
> (resources that are shared from server joined to other domains) if he
> shares same username and password. On my network that's doesn't seems to
> works.
>
> I have a samba3 (4.1.17-Debian) NT domain, I have a new AD domain
> (4.10.4) and I have a user in AD domain with the same credentials in the
> NT domain. I have joined a windows PC to the AD domain and when the
> user logon to the PC he can successfully works on all pc/server
> _windows_ shares joined to NT domain but can't on _samba_ shares joined
> to the NT domain.
>
> Please can someone help me to troubleshoot the problem?
>
> Thank you very much
>
> Piviul

> > Please can someone help me to troubleshoot the problem?
>
> Yes, stop listening to spurious people who have never done the upgrade
> and follow our documentation ;-)
>
> Rowland

I'm spurious people? ;-)

But you're correct, I've never done that upgrade. I just started clean. And that setup, what I advised, to be able to slowly transition from NT4 to AD. That's running here for almost 5 years now. Only these last few months, my drive letters didn't want to connect anymore. ;-)

Greetz,

Louis

Hello! Rowland penny via samba
  On that day it was said...

> Who was this 'someone' ?

[...]

> Yes, stop listening to spurious people who have never done the upgrade and
> follow our documentation ;-)

I'm 'someone'! ;-)

And, as you know, I've correctly migrated/merged 4 NT domains into an AD domain some years ago, also following hints from this list. ;-)

> I ask because the correct way of doing this is to
> run 'samba-tool domain classicupgrade', we even have a wikipage:
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

As just discussed on this list, while 'classicupgrade' is clearly the main path for a migration, it poses some glitches.

- there's no 'merge' of multiple domains
- it is a go/no go tool, there's no way back.

So building a new domain is a, surely, longer path, but, at least for me, the smoothest one.

> Your users and groups in your new AD domain are not the same users and
> groups as in your old NT4-style domain.

[...]

> Just because they use the same password does not make them the same user.

Sure. But ACLs are evaluated 'locally' to the server we are connecting to, so we can build a totally different domain, with different groups and ACLs; this is not the point.

The point here is that, as Louis says, something changed in the samba/Windows client OS, and something that worked without trouble with Win7/samba4.5 two years ago seems not to work now.

I've also suggested to Paolo to:

+ enable on servers/domain members 'winbind use default domain = yes'
+ try to access shares with IP, to (try to) 'disable' kerberos auth

If it was Win10, surely SMB1 would also have to be enabled, but it seems that Win7 also does not work anymore... so we are asking here...

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797