Franta Hanzlik
2021-Aug-24 09:50 UTC
[Samba] how to populate Samba AD DC with groups and users?
Hi Samba experts,

I built a new Samba 4.16 AD DC and did the initial provisioning. Now I'm working on how best to deploy groups and users - when I have the old Samba 4.0 AD, where the same users and groups already exist (basically, this is a migration from the old server to the new one, but the domain/realm on old and new are different).

What is the best way to perform this migration? Exporting users and groups from the old server to ldif using ldbsearch is probably the first step, but what next?

TIA, Franta Hanzlik
Franta Hanzlík
2021-Aug-25 01:08 UTC
[Samba] how to populate Samba AD DC with groups and users?
On Tue, 24 Aug 2021 11:50:49 +0200 Franta Hanzlik via samba <samba at lists.samba.org> wrote:
> Hi Samba experts,
>
> I built a new Samba 4.16 AD DC and did the initial provisioning. Now I'm
> working on how best to deploy groups and users - when I have the old Samba
> 4.0 AD, where the same users and groups already exist (basically, this is a
> migration from the old server to the new one, but the domain/realm on old
> and new are different).
>
> What is the best way to perform this migration? Exporting users and groups
> from the old server to ldif using ldbsearch is probably the first step, but
> what next?
>
> TIA, Franta Hanzlik

No one can advise?

I can think of several options, but there seem to be ambiguities or negatives for each:

1) Assign the new controller to the existing domain with the old controller, and remove and reconfigure it after replication. This way is probably not recommended even for the same versions of Samba, and here the difference between 4.0.4 and 4.16.6 is huge.

2) Backup the old AD DC and restore to the new one. Firstly, according to the Samba Wiki, renaming is not (completely) supported, and also mainly samba-tool in version 4.0.4 does not support domain backup.

3) Use ldbsearch to dump the AD DC groups and users (except system/builtin) to an LDIF file from the old DC, exclude unnecessary attributes from them, and modify them for ldbadd and add them to the new one. This seems like a better way, but what attributes will be needed in the file to import into the new DC? And what about Unix attributes (home directory, UID / GID, etc.)?

4) Use group/user attributes (extracted from LDIF ldbsearch export from the old 4.0.4 DC) on the new 4.16.6 DC as parameters for 'samba-tool user add'/'samba-tool group add' (and maybe also 'samba-tool [user | group] addunixattrs'). Is this the best and safest (in terms of AD) way to add groups and users?
The Samba Wiki, a very good source of information, seems to consider/describe in this case only the interactive RSAT and the samba-tool only for adding Unix attributes. Or was I looking wrong and missed some important info? Thanks, Franta Hanzlik
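As an added example (not from the thread or from Samba itself) of how option 4 can be made reviewable: a small sh/awk script that reads an ldbsearch LDIF export of user objects (a constructed sample is embedded) and prints, rather than runs, the matching `samba-tool user create` commands. Only the account name, given name/surname and the RFC2307 attributes are carried over; objectSid, objectGUID and password hashes are deliberately left behind so the new DC generates its own, and each user gets a random password that must be changed at first logon.

```shell
#!/bin/sh
# Added example: turn an LDIF export of users from the old DC into
# "samba-tool user create" commands for review before running them.
# Only attributes listed in flush() are carried over; SIDs, GUIDs and
# password hashes are intentionally not migrated by this route.

# Constructed sample of what "ldbsearch -H old.ldb '(objectClass=user)' ..."
# could return for two users (not real data).
SAMPLE_LDIF='dn: CN=Jane Doe,CN=Users,DC=old,DC=example
objectClass: user
sAMAccountName: jdoe
givenName: Jane
sn: Doe
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/jdoe
loginShell: /bin/bash

dn: CN=Bob Roe,CN=Users,DC=old,DC=example
objectClass: user
sAMAccountName: broe
sn: Roe
uidNumber: 10002
gidNumber: 10000
'

# ldif_to_user_cmds: LDIF on stdin -> one samba-tool command per user on stdout.
# Folded continuation lines (leading space) are joined; base64 values ("attr:: ")
# are skipped rather than silently mangled.
ldif_to_user_cmds() {
  awk -v sq="'" '
    function q(s) { gsub(sq, sq "\\\\" sq sq, s); return sq s sq }   # shell-quote a value
    function flush(   cmd, k) {
      if ("sAMAccountName" in a) {
        cmd = "samba-tool user create " q(a["sAMAccountName"]) " --random-password --must-change-at-next-login"
        if ("givenName" in a)         cmd = cmd " --given-name=" q(a["givenName"])
        if ("sn" in a)                cmd = cmd " --surname=" q(a["sn"])
        if ("uidNumber" in a)         cmd = cmd " --uid-number=" q(a["uidNumber"])
        if ("gidNumber" in a)         cmd = cmd " --gid-number=" q(a["gidNumber"])
        if ("unixHomeDirectory" in a) cmd = cmd " --unix-home=" q(a["unixHomeDirectory"])
        if ("loginShell" in a)        cmd = cmd " --login-shell=" q(a["loginShell"])
        print cmd
      }
      for (k in a) delete a[k]
    }
    /^ /        { a[last] = a[last] substr($0, 2); next }
    /^$/        { flush(); next }
    /^[^:]+:: / { next }
    /^[^:]+: /  { i = index($0, ": "); last = substr($0, 1, i - 1); a[last] = substr($0, i + 2); next }
    END         { flush() }
  '
}

printf '%s' "$SAMPLE_LDIF" | ldif_to_user_cmds
```

Group objects can be handled the same way with `samba-tool group add` and `--gid-number`, followed by `samba-tool group addmembers` once both sides exist.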