samba - Dec 2014 - OpenLDAP proxy to samba4 AD

Hello Marc,

I appreciate your response, as well as the other members. Reading your
answer, I believe I found what I wanted. Option 3, the principle is what I
need right now. I'll try to explain.

Today in production, we have the samba3 + openldap. The samba3 is installed
on a freebsd, but has some problems that we can not detect. My boss does
not want to drop the openldap now. We have discussed about it, and he does
not want. :D

Let's get this straight. What you say under option 3, can I upgrade to
Samba4 and continue using openldap the same way we are using now, ie samba3
+ openldap. Then would be, Samba4 (without AD DC) + openldap. Would that be?

On Sat, Dec 6, 2014 at 11:56 AM, Marc Muehlfeld <mmuehlfeld at samba.org>
wrote:
> Hello Elias,
>
> Am 06.12.2014 um 14:44 schrieb Elias Pereira:
> > We already have a Openldap in production, with a samba3. What I am
> wanting
> > to do is install the Samba4, and still continue to use the
"openldap" for
> > authentication of users in various services that are operating.
> >
> > You think it's possible?
>
> Depends on what your exact plan on this is. You're still not very
> detailed. ;-)
>
>
>
> 1.) If you do the classicupgrade to Samba AD then all your workstations
> will use the Samba AD for authentication. You have to turn off your
> Samba PDC service then. Of course, you can keep the openLDAP to
> authenticate other services against. But this is a separate database and
> passwords won't change in openLDAP, if users do in AD.
>
> This would be a way for a slower migration to Samba AD and hooking up
> the other services to AD afterwards (with the disadvantage of e. g. the
> passwort situation).
>
>
>
> 2.) If you're having other services, that should not contact DCs
> directly (like hosts in DMZ), you can use the openLDAP proxy
> documentation from the Wiki.
>
>
>
> 3.) If you don't want/need to move to Samba AD, then simply upgrade as
> usual and continue running Samba as NT4 PDC. Samba 4 doesn't require to
> migrate to AD:
>
>
https://wiki.samba.org/index.php/Updating_Samba#Common_misconceptions_about_Samba_4
>
>
>
> If this doesn't answer you question, then please give a comprehensive
> overview about your current setup, the setup you plan to get and about
> your environment. This would make it easier to help, instead of
> guessing. ;-)
>
>
>
>
> Regards,
> Marc
>


-- 
Elias Pereira

Hello Elias,

Am 06.12.2014 um 15:32 schrieb Elias Pereira:
> Let's get this straight. What you say under option 3, can I upgrade to
> Samba4 and continue using openldap the same way we are using now, ie samba3
> + openldap. Then would be, Samba4 (without AD DC) + openldap. Would that
be?

Samba 4.0 is just the version following 3.6 - with additional features
(e. g. AD) - but contains everything that was inside in the past, too.

So you can update to 4.1.14 in the same way, like you did in the past
(3.x -> 3.y) without changing your environment to AD. There is no plan
to remove the NT4 domain support. And when ever you want to switch to
Samba AD, then follow the classicupgrade documentation in the Wiki.

Depending on the age of your current Samba version, you should need to
adapt your configs to changes that came up in the past, like the new
Idmap config syntax in 3.6 (or was it 3.5?). It's always a good idea to
read the release notes from the versions you will skip. :-)


Regards,
Marc

On 06/12/14 14:32, Elias Pereira wrote:
> Hello Marc,
>
> I appreciate your response, as well as the other members. Reading your
> answer, I believe I found what I wanted. Option 3, the principle is what I
> need right now. I'll try to explain.
>
> Today in production, we have the samba3 + openldap. The samba3 is installed
> on a freebsd, but has some problems that we can not detect. My boss does
> not want to drop the openldap now. We have discussed about it, and he does
> not want. :D
>
> Let's get this straight. What you say under option 3, can I upgrade to
> Samba4 and continue using openldap the same way we are using now, ie samba3
> + openldap. Then would be, Samba4 (without AD DC) + openldap. Would that
be?
>
> On Sat, Dec 6, 2014 at 11:56 AM, Marc Muehlfeld <mmuehlfeld at
samba.org>
> wrote:
>
>> Hello Elias,
>>
>> Am 06.12.2014 um 14:44 schrieb Elias Pereira:
>>> We already have a Openldap in production, with a samba3. What I am
>> wanting
>>> to do is install the Samba4, and still continue to use the
"openldap" for
>>> authentication of users in various services that are operating.
>>>
>>> You think it's possible?
>> Depends on what your exact plan on this is. You're still not very
>> detailed. ;-)
>>
>>
>>
>> 1.) If you do the classicupgrade to Samba AD then all your workstations
>> will use the Samba AD for authentication. You have to turn off your
>> Samba PDC service then. Of course, you can keep the openLDAP to
>> authenticate other services against. But this is a separate database
and
>> passwords won't change in openLDAP, if users do in AD.
>>
>> This would be a way for a slower migration to Samba AD and hooking up
>> the other services to AD afterwards (with the disadvantage of e. g. the
>> passwort situation).
>>
>>
>>
>> 2.) If you're having other services, that should not contact DCs
>> directly (like hosts in DMZ), you can use the openLDAP proxy
>> documentation from the Wiki.
>>
>>
>>
>> 3.) If you don't want/need to move to Samba AD, then simply upgrade
as
>> usual and continue running Samba as NT4 PDC. Samba 4 doesn't
require to
>> migrate to AD:
>>
>>
https://wiki.samba.org/index.php/Updating_Samba#Common_misconceptions_about_Samba_4
>>
>>
>>
>> If this doesn't answer you question, then please give a
comprehensive
>> overview about your current setup, the setup you plan to get and about
>> your environment. This would make it easier to help, instead of
>> guessing. ;-)
>>
>>
>>
>>
>> Regards,
>> Marc
>>
>
>
Hi, it might help if you read this: 
https://wiki.samba.org/index.php/Samba_Readme_First


Note to Marc, can we put a link to this on main wiki page ? the page 
seems to be protected.

Rowland

Hello Rowland,

Am 06.12.2014 um 15:49 schrieb Rowland Penny:
> Note to Marc, can we put a link to this on main wiki page ? the page
> seems to be protected.
Yes. I think, this is reasonable.

I haven't read in detail yet, but maybe some minor changes should be
done. What do you think?

* Title "Samba 4.x Readme First" is more suitable
* "Samba 4 is work in progress, use only the very latest version."
This
might sound like "unstable" or "not ready for production
use", to some
users. We should more clarify what was ment.
* vfs objects section: Is this a general behaviour or just something,
that came up with Samba 4 or Samba4 on a DC/Member/PDC and was different
on 3x?

I think, we should review and refresh he page a bit and then link it to
the front page. Let me have a look at it during the next days.


Regards,
Marc

I greatly appreciate the answers. Are of great value to me and to others
who like me do not have much experience.

Another question. :D

I believe that we will use debian as distribution for the new Samba4. What
I need to copy from the old to the new distro?

On Sat, Dec 6, 2014 at 12:49 PM, Rowland Penny <rowlandpenny at
googlemail.com>
wrote:
> On 06/12/14 14:32, Elias Pereira wrote:
>
>> Hello Marc,
>>
>> I appreciate your response, as well as the other members. Reading your
>> answer, I believe I found what I wanted. Option 3, the principle is
what I
>> need right now. I'll try to explain.
>>
>> Today in production, we have the samba3 + openldap. The samba3 is
>> installed
>> on a freebsd, but has some problems that we can not detect. My boss
does
>> not want to drop the openldap now. We have discussed about it, and he
does
>> not want. :D
>>
>> Let's get this straight. What you say under option 3, can I upgrade
to
>> Samba4 and continue using openldap the same way we are using now, ie
>> samba3
>> + openldap. Then would be, Samba4 (without AD DC) + openldap. Would
that
>> be?
>>
>> On Sat, Dec 6, 2014 at 11:56 AM, Marc Muehlfeld <mmuehlfeld at
samba.org>
>> wrote:
>>
>>  Hello Elias,
>>>
>>> Am 06.12.2014 um 14:44 schrieb Elias Pereira:
>>>
>>>> We already have a Openldap in production, with a samba3. What I
am
>>>>
>>> wanting
>>>
>>>> to do is install the Samba4, and still continue to use the
"openldap"
>>>> for
>>>> authentication of users in various services that are operating.
>>>>
>>>> You think it's possible?
>>>>
>>> Depends on what your exact plan on this is. You're still not
very
>>> detailed. ;-)
>>>
>>>
>>>
>>> 1.) If you do the classicupgrade to Samba AD then all your
workstations
>>> will use the Samba AD for authentication. You have to turn off your
>>> Samba PDC service then. Of course, you can keep the openLDAP to
>>> authenticate other services against. But this is a separate
database and
>>> passwords won't change in openLDAP, if users do in AD.
>>>
>>> This would be a way for a slower migration to Samba AD and hooking
up
>>> the other services to AD afterwards (with the disadvantage of e. g.
the
>>> passwort situation).
>>>
>>>
>>>
>>> 2.) If you're having other services, that should not contact
DCs
>>> directly (like hosts in DMZ), you can use the openLDAP proxy
>>> documentation from the Wiki.
>>>
>>>
>>>
>>> 3.) If you don't want/need to move to Samba AD, then simply
upgrade as
>>> usual and continue running Samba as NT4 PDC. Samba 4 doesn't
require to
>>> migrate to AD:
>>>
>>> https://wiki.samba.org/index.php/Updating_Samba#Common_
>>> misconceptions_about_Samba_4
>>>
>>>
>>>
>>> If this doesn't answer you question, then please give a
comprehensive
>>> overview about your current setup, the setup you plan to get and
about
>>> your environment. This would make it easier to help, instead of
>>> guessing. ;-)
>>>
>>>
>>>
>>>
>>> Regards,
>>> Marc
>>>
>>>
>>
>>
> Hi, it might help if you read this: https://wiki.samba.org/index.
> php/Samba_Readme_First
>
>
> Note to Marc, can we put a link to this on main wiki page ? the page seems
> to be protected.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>


-- 
Elias Pereira