andreas
2012-Dec-13 15:54 UTC
[Samba] Migrate to samba 4 in ( relatively ) complex openLDAP environment
Hello,

we, a public hospital, would like to migrate to samba4 from our samba3.x environment. According to the documentation samba4 uses an internal LDAP server.

We use openLDAP as directory for
samba
horde
Oracle name resolution
zope user authentication
Checkpoint Firewall authentication (only few users)
squid proxy authentication
logon authentication to our linux servers
logon authentication to our enterasys switches via freeradius

The objectClasses we need are
objectClass: account
objectClass: dcObject
objectClass: device
objectClass: domain
objectClass: groupOfNames
objectClass: hordePerson
objectClass: hostObject
objectClass: inetOrgPerson
objectClass: ipHost
objectClass: ipNetwork
objectClass: orclNetService
objectClass: orcluser
objectClass: organizationalPerson
objectClass: organizationalUnit
objectClass: person
objectClass: posixAccount
objectClass: posixGroup
objectClass: radiusprofile
objectClass: sambaDomain
objectClass: sambaGroupMapping
objectClass: sambaSamAccount
objectClass: sambaTrustedDomainPassword
objectClass: sambaUnixIdPool
objectClass: shadowAccount
objectClass: SuSEeMailObject
objectClass: top

that are defined in these schema files
/etc/openldap/schema/core.schema
/etc/openldap/schema/cosine.schema
/etc/openldap/schema/freeradius.schema
/etc/openldap/schema/inetorgperson.schema
/etc/openldap/schema/horde.schema
/etc/openldap/schema/nis.schema
/etc/openldap/schema/oracle.schema
/etc/openldap/schema/oracle-neu.schema
/etc/openldap/schema/suse.schema
/etc/openldap/schema/samba.schema
/etc/openldap/schema/yast.schema

Below the attributes I got exporting to ldif and awk | sort -u

We have one master and two replicas (one-direction replication).

Is it possible to implement this with samba4?

Thanks
Andreas

Attributes
alias
c
cn
dc
departmentNumber
description
displayName
dn
employeeNumber
employeeType
facsimileTelephoneNumber
gecos
gidNumber
givenName
groupMemberShip
homeDirectory
homePhone
host
imapPort
imapServer
initials
ipHostNumber
ipNetmaskNumber
ipNetworkNumber
l
labeledURI
loginShell
mail
mailDomain
mailenabled
member
memberUid
mobile
o
objectClass
orclnetdescstring
orclpassword
ou
pager
postalCode
preferredLanguage
radiusFilterId
radiusTunnelMediumType
radiusTunnelPrivateGroupId
radiusTunnelType
sambaAcctFlags
sambaAlgorithmicRidBase
sambaClearTextPassword
sambaDomainName
sambaForceLogoff
sambaGroupType
sambaHomeDrive
sambaKickoffTime
sambaLMPassword
sambaLockoutDuration
sambaLockoutObservationWindow
sambaLockoutThreshold
sambaLogoffTime
sambaLogonHours
sambaLogonScript
sambaLogonTime
sambaLogonToChgPwd
sambaMaxPwdAge
sambaMinPwdAge
sambaMinPwdLength
sambaNextRid
sambaNextUserRid
sambaNTPassword
sambaPasswordHistory
sambaPreviousClearTextPassword
sambaPrimaryGroupSID
sambaProfilePath
sambaPwdCanChange
sambaPwdHistoryLength
sambaPwdLastSet
sambaPwdMustChange
sambaRefuseMachinePwdChange
sambaSID
shadowExpire
shadowInactive
shadowLastChange
shadowMax
shadowMin
shadowWarning
sn
st
street
telephoneNumber
title
uid
uidNumber
userPassword
Andrew Bartlett
2012-Dec-14 12:03 UTC
[Samba] Migrate to samba 4 in ( relatively ) complex openLDAP environment
On Thu, 2012-12-13 at 16:54 +0100, andreas wrote:
> Hello,
>
> we, a public hospital, would like to migrate to samba4 from our samba3.x
> environment. According to the documentation samba4 uses an internal LDAP
> server.
>
> We use openLDAP as directory for
> samba
> horde
> Oracle name resolution
> zope user authentication
> Checkpoint Firewall authentication (only few users)
> squid proxy authentication
> logon authentication to our linux servers
> logon authentication to our enterasys switches via freeradius

This will be a long process, and one that will probably benefit from the extension of some of our scripts, or the writing of additional scripts.

You can of course continue using the 'classic' domain you already have with Samba 4.0, but without the AD features, while you prepare the upgrade.

Specifically, the 'samba-tool domain classicupgrade' tool does not currently pick up the additional attributes, and doesn't know how to import the additional schema that may be required in any case. You will have to convert the schema to AD format, load it and then add the attributes back on to the users/groups/hosts. Other attributes don't make sense in an AD environment, where things like the shadowExpire attribute are instead handled by Samba's internal account expiry code.

I would like to work with you, not only if you do manage to improve our scripts, but also to share your experiences so that others in a similarly complex situation can get some guidance.

I'm sorry this isn't as simple as we would prefer, but I'm sure we can work something out.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
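Andrew's reply names a manual step that follows 'samba-tool domain classicupgrade': putting the per-user attributes from the old OpenLDAP directory back onto the AD users, while leaving out what AD handles on its own (shadow* expiry, samba* hashes and SIDs) and extending the AD schema first for anything that has no AD counterpart. The script below is an added example written for this thread; it is not code from the thread, from Samba or from the Samba upgrade scripts. It reads an OpenLDAP LDIF export and emits an ldapmodify-style LDIF for the posixAccount attributes, and it reports the attributes it cannot place. Everything in it is assumed for illustration: the sample export is constructed, the base DN DC=example,DC=com is invented, and the target DN CN=<uid>,CN=Users,<base> is a guess at where classicupgrade put each user that must be checked against the real directory (ldbsearch or samba-tool user show) before the output is applied. The attribute map relies on one fact about AD's RFC2307 schema: the Unix home path is unixHomeDirectory, because homeDirectory in AD already means the Windows home share. Depending on the Samba version, classicupgrade may already carry the RFC2307 attributes; the same approach applies to any attribute whose AD target exists after a schema extension, such as the radius* or horde attributes from the original list.

```python
"""Added example: re-attach OpenLDAP per-user attributes to AD users after a
classicupgrade, as an ldapmodify-style LDIF. Not Samba project code."""
import base64
from collections import OrderedDict

# Constructed sample export (not the hospital's data). The description is
# base64-encoded to exercise the '::' path; the group entry is not a posixAccount.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: jdoe
cn: Jane Doe
sn: Doe
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/jdoe
loginShell: /bin/bash
gecos: Jane Doe
shadowExpire: 19000
sambaSID: S-1-5-21-1-2-3-1001
sambaNTPassword: 00000000000000000000000000000000
radiusFilterId: Enterprise
description:: %s

dn: cn=radiology,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: radiology
gidNumber: 10000
memberUid: jdoe
""" % base64.b64encode("Röntgen-Abteilung".encode("utf-8")).decode("ascii")

# Source attribute -> AD (RFC2307) attribute. homeDirectory is renamed because
# AD's homeDirectory is the Windows home share; the Unix path is unixHomeDirectory.
# Any pair added here assumes the AD schema already defines the target.
ATTR_MAP = {"uidNumber": "uidNumber", "gidNumber": "gidNumber",
            "loginShell": "loginShell", "gecos": "gecos",
            "homeDirectory": "unixHomeDirectory", "description": "description"}
DROP_PREFIXES = ("shadow", "samba")   # AD implements these concepts itself
IDENTITY_ATTRS = {"dn", "objectClass", "uid", "cn", "sn"}  # user already has them
AD_BASE = "DC=example,DC=com"         # assumed base DN


def parse_ldif(text):
    """Minimal LDIF reader: folded lines, '::' base64 values, multi-valued attrs."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                   # trailing "" flushes the last entry
        if not line:
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = OrderedDict()
        current.setdefault(name, []).append(value)
    return entries


def ldif_value(attr, value):
    """Write 'attr: value', or 'attr:: base64' when the value is not LDIF-safe."""
    safe = (value.isascii() and value == value.strip()
            and not value.startswith(("<", ":")) and "\n" not in value)
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def plan_entry(entry, ad_base=AD_BASE):
    """For one posixAccount return (target_dn, {ad_attr: values}, skipped_attrs).

    None for non-posixAccount entries. The target DN assumes classicupgrade
    created CN=<uid>,CN=Users,<base>; confirm against the real AD first."""
    if "posixAccount" not in entry.get("objectClass", []):
        return None
    target_dn = "CN=%s,CN=Users,%s" % (entry["uid"][0], ad_base)
    changes, skipped = OrderedDict(), []
    for attr, values in entry.items():
        if attr in IDENTITY_ATTRS or attr.lower().startswith(DROP_PREFIXES):
            continue
        if attr in ATTR_MAP:
            changes[ATTR_MAP[attr]] = values
        else:
            skipped.append(attr)                # needs an AD schema extension first
    return target_dn, changes, skipped


def to_modify_ldif(text, ad_base=AD_BASE):
    """Convert an OpenLDAP export into (ldapmodify LDIF, {dn: skipped attrs})."""
    blocks, skipped_all = [], {}
    for entry in parse_ldif(text):
        plan = plan_entry(entry, ad_base)
        if plan is None:
            continue
        dn, changes, skipped = plan
        if skipped:
            skipped_all[dn] = skipped
        if not changes:
            continue
        block = ["dn: %s" % dn, "changetype: modify"]
        for attr, values in changes.items():
            block.append("replace: %s" % attr)  # idempotent, unlike 'add:'
            block.extend(ldif_value(attr, v) for v in values)
            block.append("-")
        blocks.append("\n".join(block))
    return "\n\n".join(blocks) + "\n", skipped_all


if __name__ == "__main__":
    ldif, skipped = to_modify_ldif(SAMPLE_LDIF)
    print(ldif)
    for dn, attrs in skipped.items():
        print("# %s: no AD schema target for %s" % (dn, ", ".join(attrs)))
```

The output is meant to be reviewed and then fed to ldbmodify or ldapmodify against the Samba AD DC; 'replace:' is used instead of 'add:' so the file can be re-run after a partial failure without "attribute exists" errors. The skipped list is the schema-conversion to-do list Andrew mentions: each attribute in it has to be defined in AD format and loaded before it can be mapped.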