BRIEC, Pierre
2015-Apr-08 15:25 UTC
[Samba] Migration of 2 samba3 PDC+OpenLDAP in one new Samba4 AD
Hello,

I have a question about samba3 migration.

I have 2 distinct sites with samba3 PDC+OpenLDAP running on each site.
On Site1, the machine accounts are specific, same for the Users and Groups, except 1 group that is common with Site2 (The Teachers).
Today, each site is independent.

Now, I would like to create a new Samba4 AD domain with all machines and users from site1 and site2 together.
Then, I would make a replication between the two sites, and add one RODC server on each site.

How can I proceed? The migration tool from samba3 is working fine on each site (tested on an isolated network).
Can someone give me some hints about this? I would be happy if the migration could be transparent for the machine accounts, as 90% of the Users are deleted in July (I'm IT manager in a school).

Can someone help me?

Thanks in advance,
Pierre
Marc Muehlfeld
2015-Apr-08 18:04 UTC
[Samba] Migration of 2 samba3 PDC+OpenLDAP in one new Samba4 AD
Hello Pierre,

On 08.04.2015 at 17:25, BRIEC, Pierre wrote:
> On Site1, the machine accounts are specific, same for the Users and
> Groups, except 1 group that is common with Site2 (The Teachers).
> Today, each site is independent.
>
> Now, I would like to create a new Samba4 AD domain with all machines and
> users from site1 and site2 together.
> Then, I would make a replication between the two sites, and add one RODC
> server on each site.

RODC support isn't completely working yet. You shouldn't use it atm.

> How can I proceed? The migration tool from samba3 is working fine on each
> site (tested on an isolated network).
> Can someone give me some hints about this? I would be happy if the
> migration could be transparent for the machine accounts, as 90% of the
> Users are deleted in July (I'm IT manager in a school).

AD trusts are currently not fully implemented. If they were, then you could do the classicupgrade on both domains, create a trust, move everything into one domain and demote the other.

Because you can't do it that way, you could upgrade the domain which has more objects (users, machines, groups) and join the workstations from the other site to it and recreate the users. You can write a script to export the users on the second site and create them with samba-tool.

What kind of ID mapping are you using on the member servers in the domains? If the member servers are pulling the UIDs/GIDs from LDAP and the ID ranges don't overlap with the other domain, then you could really recreate the users with a script running over an export. This prevents you from losing ownership on files.

For more details/ideas, you have to give some more information about the two backends.

Regards,
Marc
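The export-and-recreate script suggested in the message above could look like the following. This is an added example, not code from the thread or from the Samba project: the LDIF sample, the `dc=site2,dc=example` suffix and the function names are constructed, and only the existing `samba-tool user create` options `--random-password`, `--uid-number`, `--gid-number` and `--given-name` are used. It goes slightly beyond the message by also refusing names that could be read as command-line options, and it holds back any account whose uidNumber is already taken in the target domain, since reusing it would hand one user's files to another.

```python
import base64
import re
# Constructed sample export from the second site's OpenLDAP (not real data).
SITE2_LDIF = """\
dn: uid=jdupont,ou=Users,dc=site2,dc=example
uid: jdupont
uidNumber: 20001
gidNumber: 20513
givenName:: SmVhbg==

dn: uid=amartin,ou=Users,dc=site2,dc=example
uid: amartin
uidNumber: 10005
gidNumber: 20513

dn: uid=pc-lab01$,ou=Computers,dc=site2,dc=example
uid: pc-lab01$
uidNumber: 20900
"""
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")  # never starts with '-'

def parse_ldif(text):
    """Yield one dict per entry; unfolds lines and decodes base64 ('::') values."""
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry[attr.lower()] = value.strip()  # single-valued attrs only
        yield entry

def plan_user_creation(ldif_text, uids_in_use):
    """Return (argv lists to run, [(name, reason)] for entries needing review)."""
    commands, review = [], []
    for e in parse_ldif(ldif_text):
        name = e.get("uid", "")
        if "uidnumber" not in e or name.endswith("$"):
            continue  # not a user, or a machine account (re-joined instead)
        uid, gid = int(e["uidnumber"]), int(e["gidnumber"])
        if not SAFE_NAME.match(name):
            review.append((name, "unsafe name"))
        elif uid in uids_in_use:
            review.append((name, "uidNumber already used in target domain"))
        else:
            argv = ["samba-tool", "user", "create", name, "--random-password",
                    f"--uid-number={uid}", f"--gid-number={gid}"]
            argv += [f"--given-name={e['givenname']}"] if "givenname" in e else []
            commands.append(argv)  # pass to subprocess.run(argv), never a shell
    return commands, review
```

`uids_in_use` is the set of uidNumbers already present in the upgraded domain; entries returned in the review list need a manual decision before any files are touched.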
Denis Cardon
2015-Apr-09 13:37 UTC
[Samba] Migration of 2 samba3 PDC+OpenLDAP in one new Samba4 AD
Hi Marc,

> On 08.04.2015 at 17:25, BRIEC, Pierre wrote:
>> On Site1, the machine accounts are specific, same for the Users and
>> Groups, except 1 group that is common with Site2 (The Teachers).
>> Today, each site is independent.
>>
>> Now, I would like to create a new Samba4 AD domain with all machines and
>> users from site1 and site2 together.
>> Then, I would make a replication between the two sites, and add one RODC
>> server on each site.
>
> RODC support isn't completely working yet. You shouldn't use it atm.

Could you please develop on that RODC support? I am very curious to know what should be working and what should not.

Actually I've been using RODC with partial success: RODC join, user and machine account preload (with corresponding patch), DNS update through the netlogon service on the RWDC, connection when the RWDC is disconnected. It has been running in production in our datacenter for webapp authentication for months, albeit with some hiccups.

It has never been completely fine from a stability and reproducibility point of view, and I switched it back to RWDC earlier this week....

Thanks,
Denis

>> How can I proceed? The migration tool from samba3 is working fine on each
>> site (tested on an isolated network).
>> Can someone give me some hints about this? I would be happy if the
>> migration could be transparent for the machine accounts, as 90% of the
>> Users are deleted in July (I'm IT manager in a school).
>
> AD trusts are currently not fully implemented. If they were, then you
> could do the classicupgrade on both domains, create a trust, move
> everything into one domain and demote the other.
>
> Because you can't do it that way, you could upgrade the domain which has
> more objects (users, machines, groups) and join the workstations from the
> other site to it and recreate the users. You can write a script to
> export the users on the second site and create them with samba-tool.
>
> What kind of ID mapping are you using on the member servers in the
> domains? If the member servers are pulling the UIDs/GIDs from LDAP and
> the ID ranges don't overlap with the other domain, then you could really
> recreate the users with a script running over an export. This prevents
> you from losing ownership on files.
>
> For more details/ideas, you have to give some more information about the
> two backends.
>
> Regards,
> Marc

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
Marc Muehlfeld
2015-Apr-09 19:29 UTC
[Samba] Migration of 2 samba3 PDC+OpenLDAP in one new Samba4 AD
Hello Pierre,

On 09.04.2015 at 10:27, BRIEC, Pierre wrote:
> The current samba3 domains don't have the same name, is it a
> problem? Do you know when this functionality will be implemented?

It doesn't matter, because in my suggestion, one domain would die and you re-create all users in the other and join all machines to the new one.

> I'm not really familiar with AD stuff, so could you explain to me how the
> different sites could communicate with each other if AD Trust is not
> implemented? The Inter-Sites functionality is not working atm?

You need of course a connection between the two sites (LAN, VPN, etc.). Depending on the changes that happen in AD, a small bandwidth can be sufficient.

AD sites work great with Samba. In AD you set up sites and configure replication between them. I described it here:
https://wiki.samba.org/index.php/Active_Directory_Sites

> the main problem is not the Users, as I will delete them and only
> keep the Teachers after July.

About how many user accounts and groups are we talking in the smaller domain? And about how many workstations?

> I want to be sure that I can have the following functionalities with
> Samba4 AD:
> - intersite communications
> - DC replication between the two sites.
> - only one domain

This is all possible with Samba in its current state.

Regards,
Marc