Hi All,

As a result of a company restructure and name change we need to change our AD domain. I know that we can't change the AD domain name in Samba 4, so I'm looking at the smoothest way to migrate everything from one domain to another.

Is there any (properly working) way we can export users, groups and policies from one domain and import them into another? I've spent a few months getting everything just the way we want it and would greatly prefer not to have to start from scratch. Incidentally, I don't care about the computer accounts, as they will be dealt with by the normal unjoin/rejoin process.

Any tips, advice or warnings anyone cares to share about this process would be greatly appreciated.

Thanks,
John
We did that recently by building a new empty domain. Then we exported the user data in LDIF to get everything but passwords. We didn't bother with what follows because we were still in test and had only a few users/computers to re-join, and because users' passwords can be re-injected into AD from another LDAP tree.

Andrew wrote a patch to add a command "samba-tool domain clone", but I have no idea if it is already included in 4.4.5 nor how it really works; I haven't tested it.

Without changing the domain SID, users will be considered identical by Windows clients (they rely on the SID), and so you would avoid the need for profile migration. For computer accounts, re-using the SID may not be sufficient. Even if "samba-tool domain clone" extracts passwords in a form you can re-use, it is still possible that the Windows client's system is glued to the old domain name; it is possible that you really need to extract them from the old domain to join them to the new one.

For GPOs, they are hosted in the LDAP tree and in the SysVol share. For the files in the share, no issue. For the LDAP data you would have to extract the DB in LDIF to inject it. And that's a tricky point into which I haven't yet dug enough...

On 2016-08-24 05:40 GMT+02:00, John Gardeniers via samba wrote:
> Is there any (properly working) way we can export users, groups and
> policies from one domain and import them into another? [...]
On 24.08.2016 at 05:40 John Gardeniers via samba wrote:
> As a result of a company restructure and name change we need to change
> our AD domain. I know that we can't change the AD domain name in Samba
> 4, so I'm looking at the smoothest way to migrate everything from one
> domain to another.

Microsoft offers an Active Directory Migration Tool. Can this be used with Samba?
Hi Klaus,

I haven't used that tool for at least 13 years, but I do recall that, among other things, it read from the registry. Coupled with the fact that Samba 4 AD is not a complete implementation of AD, I can't imagine that it could possibly work. More to the point, I'd be seriously concerned about the results. This is not something I'm prepared to test in a production environment, and a test environment may not reveal all the problems, at least not within the time frame I need to deal with.

regards,
John

On 25/08/16 19:49, Klaus Hartnegg via samba wrote:
> Microsoft offers an Active Directory Migration Tool.
> Can this be used with Samba?
On Wed, 2016-08-24 at 13:40 +1000, John Gardeniers via samba wrote:
> Is there any (properly working) way we can export users, groups and
> policies from one domain and import them into another? [...]

This isn't something that Samba natively supports right now, and we don't even support doing it via the Windows tool, or export to Windows, because of various issues.

I would love to add it if I could find a funder (it is the level of work that would need that, or the patient work of a community member over quite some time), because it won't be trivial.

In the short term I would agree that preserving the domain GUID, SIDs and structure is the most critical part.

The things I would most worry about are the krb5 salts for passwords, as these won't show up in a search but might make keeping passwords more difficult (embedded in supplementalCredentials).

Finding out exactly what changes in a Windows AD domain when you rename it would be a good place to start. I honestly don't know how well it will go, but you could dump the whole thing to ldif with ldbdump on the backend files, and then do a pile of search and replace. That might at least help pinpoint what other issues to look for.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
In short: I don't have any process to follow, as I did it as it came without taking too many notes. The whole process took days; it is not exactly a trivial one.

I extracted user information using ldbsearch (or ldapsearch, no real matter I think). Here you get part of the user objects (the password, at least, is lost), and this must again be filtered (objectGUID must not be in the LDIF during injection, if my memory serves me well today, so you would remove it).

I extracted OUs too, as they must be created before they are filled with users, groups and computers.

Finally, extracting groups was the last point. I expect you will have to create all groups first, and then you will be able to add members to these groups. Creating all groups empty first is important to avoid sorting groups, i.e. to avoid trying to create a group with some member which is a not-yet-created group.

For GPOs, as they are spread across the LDAP tree (widely spread or only a little, no idea), I decided not to extract them but to recreate them. In fact we have two kinds of GPO: some which are unique, some which are the same on different containers. For unique GPOs the simplest was to recreate them manually. For duplicated GPOs (e.g. add gr_adm_01 to builtin\administrators on all machines in OU=computers_01, which can be repeated a lot of times) a script was written, mixing Linux scripting and PowerShell (dirty, isn't it? ;) Since then I have played more with PowerShell and I expect it comes with the necessary tools to create GPOs (unique or multiple) in a nice way.

Sorry not to be more help...

On 2016-08-29 11:48 GMT+02:00, Andrew Bartlett via samba wrote:
> In the short term I would agree that preserving the domain GUID, SIDs
> and structure is the most critical part.
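A worked version of the export/clean/reorder procedure that the two replies above describe (LDIF out of the old domain, objectGUID and friends stripped, OUs created before the objects in them, groups created empty and their members added last). This is an added example, not code from the thread or from Samba: the domain names, OU names and the sample dump are constructed, and the set of stripped attributes is my assumption of what a fresh DC will refuse or overwrite, not an exhaustive list. As the posters say, passwords are not carried.

```python
import base64

OLD_SUFFIX, NEW_SUFFIX = "DC=oldcorp,DC=example", "DC=newcorp,DC=example"  # hypothetical
# Generated by the DC; an add carrying them is rejected or mangled (objectGUID is the
# one the thread names; objectSid too, the new domain has its own domain SID).
STRIP = {"objectguid", "objectsid", "whencreated", "whenchanged", "usncreated", "usnchanged",
         "distinguishedname", "dscorepropagationdata", "instancetype", "objectcategory",
         "memberof", "primarygroupid", "samaccounttype", "name", "pwdlastset", "lastlogon"}

def parse_ldif(text):
    """Minimal LDIF reader: blank-line records, 'attr:: base64', space-continued
    lines, '#' comments (ldbsearch prints '# record N'). Not handled: 'dn::'."""
    records, dn, attrs = [], None, {}
    for line in text.replace("\n ", "").splitlines() + [""]:   # unfold wrapped lines
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if not line.strip():                      # blank line ends a record
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
        elif value.startswith(":"):               # 'attr:: <base64>'
            attrs.setdefault(name, []).append(base64.b64decode(value[1:].strip()).decode("utf-8"))
        elif name.lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name, []).append(value.strip())
    return records

def rewrite_dn(dn):
    # Move an object DN (or a member value) from the old naming context to the new one.
    if dn.lower().endswith(OLD_SUFFIX.lower()):
        return dn[:-len(OLD_SUFFIX)] + NEW_SUFFIX
    return dn

def plan(text):
    """(phase, dn, attrs) in import order: OUs parents first, groups without members,
    users (computers skipped), then member adds, so nothing refers to a missing object."""
    ous, groups, users, members = [], [], [], []
    for dn, attrs in parse_ldif(text):
        cls = {v.lower() for v in attrs.get("objectClass", [])}
        clean, mem = {}, []
        for k, vs in attrs.items():
            if k.lower() == "member":
                mem = [rewrite_dn(v) for v in vs]
            elif k.lower() not in STRIP:
                clean[k] = vs
        new_dn = rewrite_dn(dn)
        if "organizationalunit" in cls:
            ous.append(("ou", new_dn, clean))
        elif "group" in cls:
            groups.append(("group", new_dn, clean))
            if mem:
                members.append(("member", new_dn, {"member": mem}))
        elif "user" in cls and "computer" not in cls:
            users.append(("user", new_dn, clean))
    ous.sort(key=lambda r: r[1].count(","))   # parents first; assumes no escaped commas
    return ous + groups + users + members

def fmt(name, value):
    """One LDIF line; base64 where the value is not a SAFE-STRING (non-ASCII, edges)."""
    if value.isascii() and value == value.strip() and not value.startswith((":", "<")):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode()}"

def convert(text):
    """Render the plan as LDIF changetype records for ldbmodify or ldapmodify."""
    out = []
    for phase, dn, attrs in plan(text):
        rec = [fmt("dn", dn)]
        if phase == "member":
            rec += ["changetype: modify", "add: member"]
            rec += [fmt("member", m) for m in attrs["member"]] + ["-"]
        else:
            rec.append("changetype: add")
            for k, vs in attrs.items():
                rec += [fmt(k, v) for v in vs]
        out.append("\n".join(rec))
    return "\n\n".join(out) + "\n"

# Constructed sample (not real data): ldbsearch-style dump, wrong order, system attrs.
SAMPLE = """\
dn: CN=Jane Doe,OU=Finance,OU=Staff,DC=oldcorp,DC=example
objectClass: user
objectGUID: 3b2e6d4c-1f2a-4c3b-9e8d-7a6b5c4d3e2f
memberOf: CN=fin-admins,OU=Finance,OU=Staff,DC=oldcorp,DC=example
description:: WsO8cmljaCBvZmZpY2U=

dn: CN=fin-admins,OU=Finance,OU=Staff,DC=oldcorp,DC=example
objectClass: group
member: CN=Jane Doe,OU=Finance,OU=Staff,DC=oldcorp,DC=example

dn: OU=Finance,OU=Staff,DC=oldcorp,DC=example
objectClass: organizationalUnit

dn: CN=PC01,OU=Staff,DC=oldcorp,DC=example
objectClass: user
objectClass: computer

dn: OU=Staff,DC=oldcorp,DC=example
objectClass: organizationalUnit
"""
```

Typical use (paths and filter are mine, not from the thread): dump the old DC with `ldbsearch -H /var/lib/samba/private/sam.ldb '(|(objectClass=organizationalUnit)(objectClass=group)(objectClass=user))'`, run `convert()` over that text, and feed the result to `ldbmodify` against the new domain's sam.ldb. The member adds come out as a separate `changetype: modify` record per group, so a group referring to an object you chose not to migrate fails on its own line instead of blocking the group itself. Try it against a throwaway domain first; which attributes a given Samba version refuses on add is exactly the kind of thing the posters say they had to discover by trial.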
Hi Andrew,

I understand that Samba doesn't support domain renaming, which is why I'm looking for a way to export the data from one domain and import it into a new one. Passwords and machine accounts are not a problem and can be ignored for this exercise. The key things I need to copy across are user accounts and groups, as they would be an absolute pain in the rear end to redo from scratch. Machine accounts will be dealt with by the required unjoin/rejoin process. If a forced password change is the only thing users complain about I'll consider the migration a great success.

Getting from a Samba 3 NT domain to a Samba 4 AD domain was relatively simple and painless. Surely there's a way to go from one Samba 4 AD domain to another. Sure, it would be nice to have a domain rename supported natively, but of all the things that still need to be done in Samba 4's implementation of AD I don't believe it should be a high priority.

Domain renames are a fact of life in many organisations, so I figure somebody on this list has probably done it already and I would be grateful if they could share the details of how they went about it. I'm not looking for a magic wand, merely some guidance.

regards,
John

On 29/08/16 19:48, Andrew Bartlett via samba wrote:
> This isn't something that Samba natively supports right now, and we
> don't even support doing it via the Windows tool, or export to Windows,
> because of various issues.
Hai,

> I understand that Samba doesn't support domain renaming, which is why
> I'm looking for a way to export the data from one domain and import it
> into a new one.

Export your user/group data to CSV, it's not that hard.
https://www.manageengine.com/products/free-windows-active-directory-tools/free-active-directory-csv-generator-tool.html
Some things work, some don't.. try what you can use.

Or use CSVDE (which I prefer):
http://www.computerperformance.co.uk/Logon/Logon_CSVDE_Export.htm
I used it for exports to CSV only; for the import you use the regular tools on the Samba server.

Simple user export: just open CMD and type:

    CSVDE -f adusers.csv -r "(objectClass=user)"

And check your adusers.csv.

> Sure it would be nice to have a domain rename supported natively but of all the things that still need to be done in
> Samba 4's implementation of AD I don't believe it should be a high priority.
>
> Domain renames are a fact of life in many organisations, .....

Yes and no. After almost 15 years of field work, I only had one company that did this, and they ended up with lots of problems, which we all got fixed, but setting up a new domain and importing the users/groups is much quicker and results in a much cleaner AD.

This is how I imported my users from CSV; for the groups and DNS records it's about the same. (The variables change for you of course, since the layout can be different.)

    #!/bin/bash
    ## Shown in AD as, for example: Louis van Belle
    ## Pipe-separated CSV. Each field is read into its own variable and passed as a
    ## separate argument, so spaces or shell metacharacters in a field cannot break
    ## (or be interpreted by) the command line.
    while IFS='|' read -r dept _ sn gn user tel mail; do
        samba-tool user create "$user" --surname="$sn" --given-name="$gn" \
            --department="$dept" --mail-address="$mail" --telephone-number="$tel" \
            --random-password --userou=ou=SOMEOU
    done < users.csv

Or

    #!/bin/bash
    ## Shown in AD as, for example: L.P.H. van Belle
    ## Semicolon-separated CSV with a different column order.
    while IFS=';' read -r dept gn sn _ user tel mail; do
        /usr/bin/samba-tool user create "$user" --mail-address="$mail" \
            --given-name="$gn" --surname="$sn" --telephone-number="$tel" \
            --department="$dept" --description="$dept" \
            --random-password --userou=ou=SOMEOU
    done < users.csv

Good luck,

Greetz,

Louis
Hi Andrew,

> The things I would most worry about are the krb5 salts for passwords,
> as these won't show up in a search but might make keeping passwords
> more difficult (embedded in supplementalCredentials).

I have never tried to directly extract krb5 hashes, but it seems to me that "pdbedit --set-nt-hash" with the corresponding NTLM hash recreates the krb5 hash with RC4-HMAC the same way the classicupgrade does. It makes it very easy to recreate the credentials (thanks to all those legacy auth mechanisms :-)

Cheers,

Denis

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
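An added example, not code from the thread or from Samba, that shows in runnable Python why the two previous replies are both right. Denis's point: the arcfour-hmac Kerberos key (RFC 4757) is the NT hash itself, MD4 over the UTF-16LE password with no salt, so it can be rebuilt from the NT hash alone and is unaffected by the domain's name. Andrew's point: the AES keys (RFC 3962) are derived from the password plus a salt, and the default AD salt for a user principal (MS-KILE 3.1.1.2, the same convention Samba uses) is the uppercased realm name followed by the sAMAccountName, so every AES key in OLDCORP.EXAMPLE is useless in NEWCORP.EXAMPLE unless you still have the cleartext password or carry the old salt across. Realm and account names below are made up; MD4 is implemented inline because OpenSSL 3 builds of hashlib often do not ship it; the checks use the RFC 1320 and RFC 3962 test vectors.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def md4(data):
    """RFC 1320 MD4 in pure Python (hashlib may lack it on OpenSSL 3 builds)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (boolean function, additive constant, shifts, word order)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), list(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate registers: next step works on d
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)). RFC 4757 uses exactly this as the
    arcfour-hmac key, so there is no salt and nothing realm-specific in it."""
    return md4(password.encode("utf-16-le"))

def aes_salt(realm, sam_account_name):
    """Default AD salt for a user principal (MS-KILE 3.1.1.2): uppercased realm,
    then the sAMAccountName with its case preserved."""
    return realm.upper() + sam_account_name

def aes_string_to_key_stage(password, salt, iterations=4096, keylen=16):
    """First stage of RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the salted
    password (4096 iterations is the AD default). The final DK step (an AES-based
    n-fold) needs an AES primitive the standard library lacks and is omitted; the
    salt dependence is already fully visible at this stage."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, keylen)

def key_material(password, sam_account_name, realm):
    """What a DC derives for one user in one realm: the salt-free RC4 key and the
    salted AES key input. Compare two realms to see what a rename invalidates."""
    salt = aes_salt(realm, sam_account_name)
    return {"rc4": nt_hash(password).hex(), "aes_salt": salt,
            "aes_stage": aes_string_to_key_stage(password, salt).hex()}

if __name__ == "__main__":
    for realm in ("oldcorp.example", "newcorp.example"):   # hypothetical realms
        print(realm, key_material("password", "jdoe", realm))
```

The practical reading for this thread: carrying NT hashes over (pdbedit --set-nt-hash, or whatever samba-tool eventually grows) keeps users logging in only as long as clients and the DC are allowed to negotiate RC4; AES-only clients will fail until the user sets a new password in the new realm, and Samba records the salt it used inside supplementalCredentials precisely because the realm name alone is not always enough to reconstruct it.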