samba - Jun 2022 - Migration 3.5 to 4.x, realm identical to domain

Le mardi 31 mai 2022 ? 16:45 +0100, Rowland Penny via samba a
?crit?:
> On Tue, 2022-05-31 at 16:17 +0200, Philippe Maladjian via samba
> wrote:
> > In order to comply with the recommendations, I thought of renaming
> > the
> > domain with my external domain (mondomaine.fr) and adding a prefix
> > for
> > the AD domain.
> > 
> > Currently the Samba 3 domain is: dom.mondomain
> > TLD after migration: mondomaine.fr
> 
> No, the TLD would be 'fr'. 'TLD' is short for 'Top
Level Domain'
> 
> > Realm: nomrue205.mondomaine.fr
> 
> No, that would be the dns domain name, the realm is that in uppercase
> 'NOMRUE205.MONODOMAINE.FR'
> 
> > AD domain: nomrue205
> 
> No, that would be the Netbios domain name (aka workgroup)
> 
> Sorry to be a bit pedantic about this, but it saves problems in the
> long term :-)
No problem, these are notions that I don't necessarily master well so I
have no problem being taken up on the subject ;)
> 
> > 
> > Can I do this through a classic update?
> 
> Again, no, you need to do all this before the classic upgrade, which
> is
> one of the reasons we suggest doing a trial upgrade before doing it
> for
> real, you find all the problems before destroying your production
> domain.
That's exactly what I do. I copied the VM from my samba 3.5 and created
a VM of a user station, all placed in a dedicated network that does not
communicate with the prod network. After adding the VM pc to the domain
at 3.5 test, I make several connection/disconnection attempts to make
sure that the rights management works correctly.

To perform the migration by changing the domain name I should follow
this procedure:
- take the test pc out of the domain;
- stop samba;
- change the workgroup name in smb.conf;
- modify LDAP data by replacing the old domain (dom.mondomain) with the
new one (nomrue205);
- restart samba;
- reintegrate the test pc.

Won't I encounter a problem with user and machine SIDs?
> 
> Rowland
> 
Philippe.
> 
>

On Wed, 2022-06-01 at 08:59 +0200, Philippe Maladjian
wrote:
> 
> That's exactly what I do. I copied the VM from my samba 3.5 and
> created a VM of a user station, all placed in a dedicated network
> that does not communicate with the prod network. After adding the VM
> pc to the domain at 3.5 test, I make several connection/disconnection
> attempts to make sure that the rights management works correctly.
> 
> To perform the migration by changing the domain name I should follow
> this procedure:
> - take the test pc out of the domain;
If by 'pc' you mean the Samba PDC, then yes, but I would 'clone'
it and
then place this on a separate subnet that isn't connected to your
production network.
> - stop samba;
> - change the workgroup name in smb.conf;
You will also need to change the dns domain
> - modify LDAP data by replacing the old domain (dom.mondomain) with
> the new one (nomrue205);
> - restart samba;
> - reintegrate the test pc.
No, not unless you want to destroy your production domain. Do all your
testing away from the production domain.
> 
> Won't I encounter a problem with user and machine SIDs?
No, because, provided you change all mention of the old
workgroup/Netbios domain name (DOM.MONDOMAIN) with the new one, the SID
will then point to the new Netbios domain name on the clone.

Rowland