Steffen
2015-Mar-17 08:15 UTC
[Samba] strategies to run two NT4 domains or merge them on one samba host
Hi,

we currently run one samba v3.0 domain "DOMAIN30" with WinXP domain members and Win7/8 accessing the file server without domain membership.

Then we run a second samba v3.5 domain "NEWDOMAIN" with WinXP/7/8 domain members, which was migrated from an NT4 PDC to samba 3.0 and to v3.5 eventually.

Neither domain has anything fancy about it: users and joined workstations, but no trusts, almost no groups (could be re-created manually easily).

a) I want to upgrade at least DOMAIN30 to samba v3.5, and preferably have one user base and one domain NEWDOMAIN.

https://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html

explains "If you want to merge multiple NT4 domain account databases into one Samba domain", that I can merge user and machine accounts from different domains into one, right?
But how can I make existing machines joined to DOMAIN30 contact NEWDOMAIN? Is it possible to merge two NT4 domains into one samba 3.5 and keep all joined members?
Can I run a second smbd on the same server with another domain name that forwards any auth request to NEWDOMAIN? Can I do something with aliases?

b) Would a migration of both NT4 domains to samba 4 help?
So I would merge the users only, create two NT4 domains in the AD and leave the machines in there?
New machines would join NEWDOMAIN only and eventually DOMAIN30 dies because of lack of members.
Is there documentation on how to migrate two or more NT4 domains to samba 4?

Kind regards,
--
Steffen
Rowland Penny
2015-Mar-17 09:41 UTC
[Samba] strategies to run two NT4 domains or merge them on one samba host
On 17/03/15 08:15, Steffen wrote:
> Hi,
>
> we currently run one samba v3.0 domain "DOMAIN30" with WinXP domain
> members and Win7/8 accessing the file server without domain membership.
>
> Then we run a second samba v3.5 domain "NEWDOMAIN" with WinXP/7/8
> domain members, which was migrated from an NT4 PDC to samba 3.0 and to
> v3.5 eventually.
>
> Neither domain has anything fancy about it: users and joined
> workstations, but no trusts, almost no groups (could be re-created
> manually easily).
>
> a) I want to upgrade at least DOMAIN30 to samba v3.5, and
> preferably have one user base and one domain NEWDOMAIN.
>
> https://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html
>
> explains "If you want to merge multiple NT4 domain account databases
> into one Samba domain", that I can merge user and machine accounts
> from different domains into one, right?
> But how can I make existing machines joined to DOMAIN30 contact
> NEWDOMAIN? Is it possible to merge two NT4 domains into one samba 3.5
> and keep all joined members?
> Can I run a second smbd on the same server with another domain name
> that forwards any auth request to NEWDOMAIN? Can I do something with
> aliases?
>
> b) Would a migration of both NT4 domains to samba 4 help?
> So I would merge the users only, create two NT4 domains in the AD and
> leave the machines in there?
> New machines would join NEWDOMAIN only and eventually DOMAIN30 dies
> because of lack of members.
> Is there documentation on how to migrate two or more NT4 domains to
> samba 4?
>
> Kind regards,
>

I don't think you can merge the domains together and keep all the computers joined (though undoubtedly someone will post if they have done this). You also cannot create NT4 domains in AD, they are very different.

Whilst you can migrate an NT4 style domain to a samba4 active directory domain, I am uncertain if you can combine two domains into one AD domain with the available samba tools, I think that you may have to write your own scripts to do this. The main problems are likely to be duplicate users & groups and different users with the same ID number.

I personally think that it would be easier to start from scratch, create a new samba4 AD domain and slowly start to migrate your users to this.

I feel I must also point out that samba 3.5 went EOL in 2013 and 3.6 went EOL earlier this month, so I would suggest that whatever you end up doing, you use the latest 4.2 version or the latest 4.1.x.

Rowland
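The reply above names duplicate users and different users sharing an ID number as the main obstacles to a merge. The following is an added example, not part of the original thread or of the Samba tools: a pre-merge check that compares two account listings in the `username:uid:full name` format printed by `pdbedit -L`. The account names, UIDs and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample listings in `pdbedit -L` format, one per domain.
DOMAIN30_DUMP = """\
alice:1001:Alice Example
bob:1002:Bob Example
carol:1003:Carol Example
ws-xp01$:2001:
"""
NEWDOMAIN_DUMP = """\
alice:1001:Alice Example
bob:1010:Robert Other
dave:1003:Dave Example
ws-w7-01$:2001:
"""

def parse_pdbedit(text):
    """Return {username: (uid, full_name)} parsed from `pdbedit -L` output."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)
        if len(parts) < 2 or not parts[1].isdigit():
            continue  # skip blank or malformed lines
        # Windows clients treat account names case-insensitively.
        name = parts[0].lower()
        accounts[name] = (int(parts[1]), parts[2] if len(parts) > 2 else "")
    return accounts

def find_conflicts(a, b):
    """Classify what would block a naive merge of account maps a and b."""
    # Same name in both domains: someone must decide whether it is one person.
    duplicate_names = [(n, a[n][0], b[n][0]) for n in sorted(set(a) & set(b))]
    # Same UID under different names: after a merge, one account would
    # inherit ownership of (and access to) the other account's files.
    by_uid = defaultdict(set)
    for accts in (a, b):
        for name, (uid, _) in accts.items():
            by_uid[uid].add(name)
    uid_collisions = {u: sorted(n) for u, n in by_uid.items() if len(n) > 1}
    return duplicate_names, uid_collisions

if __name__ == "__main__":
    dups, collisions = find_conflicts(parse_pdbedit(DOMAIN30_DUMP),
                                      parse_pdbedit(NEWDOMAIN_DUMP))
    for name, uid_a, uid_b in dups:
        print(f"duplicate name {name}: uid {uid_a} vs {uid_b}")
    for uid, names in sorted(collisions.items()):
        print(f"uid {uid} shared by {', '.join(names)}")
```

Machine accounts (names ending in `$`) are compared the same way as user accounts, so a UID reused by workstations in both domains is reported as well.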