Am 2016-03-23 um 20:12 schrieb Stefan G. Weichinger:>> If that doesn't help, then you need to upgrade to Samba as an AD DC. > > Now *that* sounds scary ;-)Is the step from NT4-based domain on 3.6.x to ADS-based domain on 4.x a very risky and complicated one or should it be rather standard procedure? Can it be tested and prepared in a way?
On 29/03/16 08:03, Stefan G. Weichinger wrote:> Am 2016-03-23 um 20:12 schrieb Stefan G. Weichinger: > >>> If that doesn't help, then you need to upgrade to Samba as an AD DC. >> Now *that* sounds scary ;-) > Is the step from NT4-based domain on 3.6.x to ADS-based domain on 4.x a > very risky and complicated one or should it be rather standard procedure? > > Can it be tested and prepared in a way? > > >Well, very little in life is without risk :-) There is however a tool to help you with this and a wiki page that describes how to use it: https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29 I would create a VM to test this in, rather than just ploughing in :-) There are a few gotchas, such as you will need to change any normal user & group SIDs that have RIDs less than 1000, note that I am not talking about users like 'Administrator' or groups like 'Domain Users', just normal users & groups. Try to use the latest supported version of Samba that you can. Any questions, problems etc, just ask. Rowland
Am 2016-03-29 um 10:44 schrieb Rowland penny:> Well, very little in life is without risk :-)oh, yes, how true> There is however a tool to help you with this and a wiki page that > describes how to use it: > > https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_%28classic_upgrade%29 > > > I would create a VM to test this in, rather than just ploughing in :-) > > There are a few gotchas, such as you will need to change any normal user > & group SIDs that have RIDs less than 1000, note that I am not talking > about users like 'Administrator' or groups like 'Domain Users', just > normal users & groups. > > Try to use the latest supported version of Samba that you can. > > Any questions, problems etc, just ask.thanks for the pointer and the URL, I had my try with that some months ago already ... and yes, in a test VM. I will maybe retry this soon and report/ask back here.
Am 2016-03-29 um 10:44 schrieb Rowland penny:> There are a few gotchas, such as you will need to change any normal user > & group SIDs that have RIDs less than 1000, note that I am not talking > about users like 'Administrator' or groups like 'Domain Users', just > normal users & groups. > > Try to use the latest supported version of Samba that you can.I am starting a new test of this in a current Debian-Jessie-VM. Took me some time to get the initial setup of "source" and "target" dirs correctly ... now the samba-tool runs through at last. a) question regarding the groups (seems the main problem here): I get something like this for one group Exporting groups Ignoring group 'mygroup' S-1-5-21-2940660672-4062535256-4144655499-1010 listed but then not found: Unable to enumerate group members, (-1073741722,No such group) and something like this for all users: Exporting users Ignoring group memberships of 'user' S-1-5-21-2940660672-4062535256-4144655499-1036: Unable to enumerate group memberships, (-1073741724,No such user) What does that mean? That the users and the group don't exist in /etc/passwd and /etc/group on the new server? I realize I could try as I write this ... no, does not change a thing. b) I want to change the stupid workgroup-name from OFFICE to something useful ... I assume that's problematic as the clients would have to be rejoined then? thanks, Stefan