contactdarin at posteo.net
2024-Jun-05 15:34 UTC
[Samba] Classicupgrade FL 2012_R2 NTLM/Kerberos logon
Hello Havany,

I am just going to jump into this discussion.

> We try 2 scenarios :
> - A "Big bang" migration to a new domain made from scratch : but we need to migrate all users, computers, laptops, filers without losing profiles, file server access... In a short time (1-2 weeks maximum)
> - A "classicupgrade" migration, but it needs several steps to improve security. And at the same time, we are afraid to import "silently" many misconfigurations from our old NT4 Domain that could have an impact in the future.

I would strongly avoid your "Big Bang" approach. What you're describing is going to most certainly backfire. It sounds like a fail forward vs fail backward. When something goes wrong you need to be able to go back to a working configuration. So I suppose the best option is to do a slow migration with the ability to quickly do and undo changes.

> around 400 Windows computers and 1500 active users.

Your deployment is not small or trivial. I would be very careful doing anything as you could create a significant IT trainwreck.

To help you I need some more information. Are you migrating from a Windows Server environment? If so, what version? I think a 2008_R2 domain level should not be much of an issue. From a security aspect you can do a few things like only using SMB3 and strong encryption.

https://wiki.samba.org/index.php/Hardening_Samba_as_an_AD_DC

Darin
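A small checker for the "SMB3 only and strong encryption" point above, as an added example (not code from the thread or the Samba project): it parses an smb.conf and reports the [global] settings that miss a hardening expectation. The parameter names are Samba's own; the set of acceptable values, the reporting of absent parameters as "unset", and the two sample configs are this example's assumptions.

```python
"""Audit an smb.conf for the SMB3-only / strong-encryption settings mentioned
above. Added example, not from the thread or the Samba project; the parameter
names are Samba's, the acceptable values are this checker's own assumptions,
and the two configs below are constructed samples."""
import configparser

# Hardening expectations (assumed, not a Samba-mandated list):
# parameter -> acceptable values, compared case-insensitively.
EXPECTED = {
    "server min protocol": {"smb3", "smb3_00", "smb3_02", "smb3_11"},
    "smb encrypt": {"required"},
    "ntlm auth": {"ntlmv2-only", "mschapv2-and-ntlmv2-only", "disabled"},
    "ldap server require strong auth": {"yes", "allow_sasl_over_tls"},
}

def parse_smb_conf(text):
    """Parse smb.conf text into {section: {param: value}} (lowercase keys)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s.lower(): dict(cp[s]) for s in cp.sections()}

def audit(text):
    """Return [(parameter, value)] for every expectation [global] misses.
    A parameter that is absent is reported as 'unset': its effective value
    then depends on the Samba version's default, so pin it explicitly."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []
    for param, ok in EXPECTED.items():
        value = glob.get(param, "unset").strip().lower()
        if value not in ok:
            findings.append((param, value))
    return findings

WEAK_CONF = """[global]
server role = active directory domain controller
ntlm auth = ntlmv1-permitted
"""

HARDENED_CONF = """[global]
server role = active directory domain controller
server min protocol = SMB3
smb encrypt = required
ntlm auth = mschapv2-and-ntlmv2-only
ldap server require strong auth = yes
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```

Newer Samba releases also accept the spelling `server smb encrypt` for the same parameter; add that key to EXPECTED if your configuration uses it.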
Hi Darin,

On 05/06/2024 at 17:34, Darin via samba wrote:
> Hello Havany,
> I am just going to jump into this discussion.

Welcome!

>> We try 2 scenarios :
>> - A "Big bang" migration to a new domain made from scratch : but we need to migrate all users, computers, laptops, filers without losing profiles, file server access... In a short time (1-2 weeks maximum)
>> - A "classicupgrade" migration, but it needs several steps to improve security. And at the same time, we are afraid to import "silently" many misconfigurations from our old NT4 Domain that could have an impact in the future.
>
> I would strongly avoid your "Big Bang" approach. What you're describing is going to most certainly backfire. It sounds like a fail forward vs fail backward. When something goes wrong you need to be able to go back to a working configuration. So I suppose the best option is to do a slow migration with the ability to quickly do and undo changes.

- Classicupgrade is destructive for the NT4 Domain, but we can keep data of the old NT4 Domain and we can roll back to this with our Ansible playbooks. We will lose all changes between migration and rollback and we will improve a possible long downtime.
- With the "Big Bang" approach we are able to keep our old NT4 Domain if we need to roll back to it. But in this case the problem is the access to the filers. I think that we can't have a file server that allows access at the same time to an NT4 Domain and a Samba 4 AD Domain (I will search information about that). The second problem for this approach is that we need to write a (maybe complex) logon script to be able to keep the user's local profile when a computer is moved to the new Domain.

>> around 400 Windows computers and 1500 active users.
>
> Your deployment is not small or trivial. I would be very careful doing anything as you could create a significant IT trainwreck.
>
> To help you I need some more information. Are you migrating from a Windows Server environment? If so, what version?

All is on FreeBSD iocage and ZFS filesystem.

Actual situation (NT4) :
* 1 PDC and 1 BDC
* 7 file server members
* 1 CUPS server member
* LDAP backend

What we want :
* 2-3 Samba 4 AD DCs
* all file servers and the CUPS server members of the new domain
* crontab synchronization of users and groups from the LDAP with LSC (successfully tested)
* our password manager system changes the user's password at the same time on the LDAP and Samba 4 (tested too)

> I think a 2008_R2 domain level should not be much of an issue. From a security aspect you can do a few things like only using SMB3 and strong encryption.

Given everything that has been said previously, I will wait before moving to FL 2012_R2 at least until Samba 4.20 is released on FreeBSD (currently only 4.19 is available), regardless of the migration method we choose. I will replay the classicupgrade today after adapting my Ansible playbooks accordingly.

> https://wiki.samba.org/index.php/Hardening_Samba_as_an_AD_DC
>
> Darin

Regards,