Hubert, Laurent
2013-Nov-26 17:53 UTC
[Samba] How to keep idmapping when Samba servers become part of a Windows AD from a larger organisation.
Hi,

Since 2006, I have used in my department a Samba solution based on an NT4-style PDC, 2 BDCs and some file servers, serving one hundred people. The backends for passwords and IDs are a master and two slave OpenLDAP servers.

Now I have to integrate a much larger organisation, a University Hospital, running with Windows AD. For political reasons, I should not maintain DCs anymore, but I will still maintain Windows stations, Linux stations and Linux servers.

One point then is to see if there is a way to keep the idmapping of users and groups I already have, in order to reduce interventions on file servers and stations to a minimum while migrating. For now, I don't know how to do it. (Note: new users and groups may have any Linux "id" we want.)

One point here is that I succeeded in testing the integration of a Samba member into the AD with Samba 4.x, winbind and idmap config DOMAIN : backend = rid. Now I want to go further and look for a solution to this problem of keeping the idmaps of current users. Is it possible to have a coherent configuration together for /etc/ldap.conf, /etc/nsswitch.conf and /etc/samba/smb.conf for this solution?

Thanks for your help, and warm thanks for Samba.

Laurent

--
Laurent Hubert, PhD
Research professional
Linux systems administration, deployment of Open Source solutions
Centre d'imagerie moléculaire de Sherbrooke
Centre hospitalier universitaire de Sherbrooke
819 346 1110 x 11836
pager: 6475
http://www.cims.med.usherbrooke.ca
Denis Cardon
2013-Nov-26 18:55 UTC
[Samba] How to keep idmapping when Samba servers become part of a Windows AD from a larger organisation.
Hi Laurent,

> Since 2006, I have used in my department a Samba solution based on an NT4-style PDC, 2 BDCs and some file servers, serving one hundred people. The backends for passwords and IDs are a master and two slave OpenLDAP servers. Now I have to integrate a much larger organisation, a University Hospital, running with Windows AD. For political reasons, I should not maintain DCs anymore, but I will still maintain Windows stations, Linux stations and Linux servers. One point then is to see if there is a way to keep the idmapping of users and groups I already have, in order to reduce interventions on file servers and stations to a minimum while migrating. For now, I don't know how to do it. (Note: new users and groups may have any Linux "id" we want.)
>
> One point here is that I succeeded in testing the integration of a Samba member into the AD with Samba 4.x, winbind and idmap config DOMAIN : backend = rid. Now I want to go further and look for a solution to this problem of keeping the idmaps of current users. Is it possible to have a coherent configuration together for /etc/ldap.conf, /etc/nsswitch.conf and /etc/samba/smb.conf for this solution?

With rfc2307/SFU you should be able to do what you plan, provided that the OpenLDAP uid/gid numbers are not yet used in the target Active Directory. Using python-ldap and python-win32com, it should be quite easy to read the data in the old LDAP and recreate the uidNumber and gidNumber attributes in the Active Directory after creating the user. Actually, I have already done the reverse, i.e. populated uid/gid from the RID in a Samba4 directory after a migration from MSAD.

Once you have your uidNumber/gidNumber attributes set, then you just have to enable rfc2307 in your winbind or sssd and it should be fine; user uid and gid should map to the old values with nsswitch. However, I guess that in this case you'll have to recreate a new password for all the users and rejoin all the computers to the domain...

If you want to ease the transition, I think you could go the following path: upgrade the Samba3 PDC domain to Samba4, join an MSAD to the Samba4, demote the Samba4 and make an interdomain trust between the two MSAD domains. Then you'll buy some time to rejoin the computers to the new domain and migrate user accounts.

Hope this helps.

Denis

PS: it seems like you are fluent in French. I have a few tutorials in Frog tongue at the following address to help in doing a migration: http://dev.tranquil.it/index.php/Samba4

> Thanks for your help, and warm thanks for Samba.
> Laurent

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel: +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
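A worked example of the rfc2307 path Denis describes, added here as an illustration and not code from either poster or from the Samba project. It reads an LDIF dump of the old OpenLDAP posixAccount/posixGroup entries, refuses any uidNumber/gidNumber already present in an LDIF dump of the AD (the precondition Denis states), writes ldapmodify records that set the RFC 2307 attributes on the AD objects you have already created, and derives the idmap range that winbind's ad backend needs. The rid backend Laurent tested cannot preserve the old numbers because it computes the uid arithmetically from the RID; the ad backend with schema_mode = rfc2307 reads uidNumber/gidNumber from AD instead, but it only maps values that fall inside its configured range, so the range is derived from the data rather than typed by hand. The sample LDIF, the domain name CHUS, the DN layout (CN=<name> under CN=Users) and the ldapsearch/ldapmodify invocations in the usage note are constructed assumptions, not details from the thread.

```python
import base64

# Constructed sample of an `ldapsearch -LLL` dump of the old OpenLDAP
# (two users, one group); not real data from the thread.
OLD_LDAP_LDIF = """\
dn: uid=lhubert,ou=people,dc=cims,dc=local
objectClass: posixAccount
uid: lhubert
uidNumber: 10001
gidNumber: 10100
homeDirectory: /home/lhubert
loginShell: /bin/bash

dn: uid=jdoe,ou=people,dc=cims,dc=local
objectClass: posixAccount
uid: jdoe
uidNumber: 10002
gidNumber: 10100
homeDirectory: /home/jdoe
loginShell: /bin/sh

dn: cn=imaging,ou=groups,dc=cims,dc=local
objectClass: posixGroup
cn: imaging
gidNumber: 10100
"""

# Constructed sample of uidNumber/gidNumber values already present in the AD;
# 10002 deliberately collides with jdoe to exercise the precondition check.
AD_LDIF = """\
dn: CN=svc-backup,CN=Users,DC=chus,DC=local
uidNumber: 10002
gidNumber: 513
"""


def parse_ldif(text):
    """Minimal LDIF reader: records as {attr.lower(): [values]}; handles
    folded continuation lines, comments and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # fold continuation onto previous line
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:             # the sentinel flushes the last record
        if not line:
            if current:
                records.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):         # attr:: <base64>, used for non-ASCII
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.lower(), []).append(value.strip())
    return records


def _first_int(rec, attr):
    vals = rec.get(attr)
    return int(vals[0]) if vals else None


def format_modify(dn, mods):
    """One 'changetype: modify' record that replaces each (attr, value)."""
    out = [f"dn: {dn}", "changetype: modify"]
    for attr, value in mods:
        out += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(out) + "\n"


def plan_migration(old_ldif, ad_ldif, domain="CHUS",
                   users_base="CN=Users,DC=chus,DC=local",
                   groups_base="CN=Users,DC=chus,DC=local"):
    """Return ldapmodify LDIF, skipped conflicts and the matching idmap config."""
    ad_uids, ad_gids = set(), set()
    for rec in parse_ldif(ad_ldif):
        ad_uids.add(_first_int(rec, "uidnumber"))
        ad_gids.add(_first_int(rec, "gidnumber"))
    ad_uids.discard(None)
    ad_gids.discard(None)
    records, conflicts, ids = [], [], []
    for rec in parse_ldif(old_ldif):
        classes = {c.lower() for c in rec.get("objectclass", [])}
        if "posixaccount" in classes:
            name = rec["uid"][0]
            uid, gid = _first_int(rec, "uidnumber"), _first_int(rec, "gidnumber")
            if uid in ad_uids or gid in ad_gids:   # number already taken in AD
                conflicts.append((name, uid, gid))
                continue
            mods = [("uidNumber", uid), ("gidNumber", gid),
                    ("unixHomeDirectory", rec["homedirectory"][0]),
                    ("loginShell", rec["loginshell"][0])]
            records.append(format_modify(f"CN={name},{users_base}", mods))
            ids += [uid, gid]
        elif "posixgroup" in classes:
            name, gid = rec["cn"][0], _first_int(rec, "gidnumber")
            if gid in ad_gids:
                conflicts.append((name, None, gid))
                continue
            records.append(format_modify(f"CN={name},{groups_base}",
                                         [("gidNumber", gid)]))
            ids.append(gid)
    if not ids:
        raise ValueError("no posixAccount/posixGroup entries to migrate")
    lo, hi = min(ids), max(ids)
    # winbind's ad backend maps only numbers inside this range, and the
    # default (*) range must not overlap it.
    smb_conf = "\n".join([
        "idmap config * : backend = tdb",
        "idmap config * : range = 3000000-3999999",
        f"idmap config {domain} : backend = ad",
        f"idmap config {domain} : schema_mode = rfc2307",
        f"idmap config {domain} : range = {lo}-{hi}",
        "winbind nss info = rfc2307",
    ])
    return {"ldif": "\n".join(records), "conflicts": conflicts,
            "range": (lo, hi), "smb_conf": smb_conf}
```

Run `plan_migration(OLD_LDAP_LDIF, AD_LDIF)` and feed the returned `ldif` to something like `ldapmodify -H ldaps://dc.chus.local -Y GSSAPI -f out.ldif` (hypothetical host); the `conflicts` list is the set of accounts that need a new number before they can be migrated. Paste the `smb_conf` lines into the [global] section of each member server, set `passwd: files winbind` and `group: files winbind` in /etc/nsswitch.conf (the old /etc/ldap.conf is no longer needed once winbind answers NSS), then check a migrated user with `wbinfo -i lhubert` and `getent passwd lhubert` and confirm the uid matches the old value. Widening the derived range is fine as long as it stays clear of local accounts and of the `*` range; any AD account whose uidNumber is outside it will simply not resolve.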