Hi Andrew,

I understand that Samba doesn't support domain renaming, which is why I'm looking for a way to export the data from one domain and import it into a new one. Passwords and machine accounts are not a problem and can be ignored for this exercise. The key things I need to copy across are user accounts and groups, as they would be an absolute pain in the rear end to redo from scratch.

Machine accounts will be dealt with by the required unjoin/rejoin process. If a forced password change is the only thing users complain about I'll consider the migration a great success.

Getting from a Samba 3 NT domain to a Samba 4 AD domain was relatively simple and painless. Surely there's a way to go from one Samba 4 AD domain to another. Sure, it would be nice to have a domain rename supported natively, but of all the things that still need to be done in Samba 4's implementation of AD I don't believe it should be a high priority.

Domain renames are a fact of life in many organisations, so I figure somebody on this list has probably done it already and I would be grateful if they could share the details of how they went about it. I'm not looking for a magic wand, merely some guidance.

regards,
John

On 29/08/16 19:48, Andrew Bartlett via samba wrote:
> On Wed, 2016-08-24 at 13:40 +1000, John Gardeniers via samba wrote:
>> Hi All,
>>
>> As a result of a company restructure and name change we need to change our AD domain. I know that we can't change the AD domain name in Samba 4, so I'm looking at the smoothest way to migrate everything from one domain to another.
>>
>> Is there any (properly working) way we can export users, groups and policies from one domain and import them into another? I've spent a few months getting everything just the way we want it and would greatly prefer not to have to start from scratch. Incidentally, I don't care about the computer accounts, as they will be dealt with by the normal unjoin/rejoin process.
>>
>> Any tips, advice or warnings anyone cares to share about this process would be greatly appreciated.
>
> This isn't something that Samba natively supports right now, and we don't even support doing it via the Windows tool, or export to Windows, because of various issues.
>
> I would love to add it if I could find a funder (it is the level of work that would need that, or the patient work of a community member over quite some time), because it won't be trivial.
>
> In the short term I would agree that preserving the domain GUID, SIDs and structure is the most critical part.
>
> The things I would most worry about are the krb5 salts for passwords, as these won't show up in a search but might make keeping passwords more difficult (embedded in supplementalCredentials).
>
> Finding out exactly what changes in a Windows AD domain when you rename it would be a good place to start. I honestly don't know how well it will go, but you could dump the whole thing to ldif with ldbdump on the backend files, and then do a pile of search and replace. That might at least help pinpoint what other issues to look for.
>
> I hope this helps,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Hi John,

> I understand that Samba doesn't support domain renaming, which is why I'm looking for a way to export the data from one domain and import it into a new one. Passwords and machine accounts are not a problem and can be ignored for this exercise. The key things I need to copy across are user accounts and groups, as they would be an absolute pain in the rear end to redo from scratch.

Samba may miss a few pieces, but its FOSS nature and the Python scripting libraries make it a wonderful tool for all AD automation. I'd say that it's more versatile than MSAD once you accept to look into the guts of the beast.

For our daily work, we have a bunch of in-house scripts for domain management, among others domain rename. For rename, one way of going about it is to create a new domain with the same domain SID, then recreate all the user/group/machine entries, pipe in the old object SID (so that user profiles are kept during migration), then pipe in the NT hash password with pdbedit --set-nt-hash.

We have done dozens of migrations/merges this year using this method among others, going from samba3 PDC, samba4 AD, and MSAD from 2003 up to 2012R2. It even works with a 2012R2 forest level using the clone-dc-database option to get all the data you need, then pipe all the data into the new s4 domain!

So yes, it can be done, you just have to roll up your sleeves, fire up your favorite editor and get your Python straight :-)

Cheers,

Denis

> Machine accounts will be dealt with by the required unjoin/rejoin process. If a forced password change is the only thing users complain about I'll consider the migration a great success.
>
> Getting from a Samba 3 NT domain to a Samba 4 AD domain was relatively simple and painless. Surely there's a way to go from one Samba 4 AD domain to another. Sure, it would be nice to have a domain rename supported natively, but of all the things that still need to be done in Samba 4's implementation of AD I don't believe it should be a high priority.
>
> Domain renames are a fact of life in many organisations, so I figure somebody on this list has probably done it already and I would be grateful if they could share the details of how they went about it. I'm not looking for a magic wand, merely some guidance.
>
> regards,
> John
>
> On 29/08/16 19:48, Andrew Bartlett via samba wrote:
>> On Wed, 2016-08-24 at 13:40 +1000, John Gardeniers via samba wrote:
>>> Hi All,
>>>
>>> As a result of a company restructure and name change we need to change our AD domain. I know that we can't change the AD domain name in Samba 4, so I'm looking at the smoothest way to migrate everything from one domain to another.
>>>
>>> Is there any (properly working) way we can export users, groups and policies from one domain and import them into another? I've spent a few months getting everything just the way we want it and would greatly prefer not to have to start from scratch. Incidentally, I don't care about the computer accounts, as they will be dealt with by the normal unjoin/rejoin process.
>>>
>>> Any tips, advice or warnings anyone cares to share about this process would be greatly appreciated.
>>
>> This isn't something that Samba natively supports right now, and we don't even support doing it via the Windows tool, or export to Windows, because of various issues.
>>
>> I would love to add it if I could find a funder (it is the level of work that would need that, or the patient work of a community member over quite some time), because it won't be trivial.
>>
>> In the short term I would agree that preserving the domain GUID, SIDs and structure is the most critical part.
>>
>> The things I would most worry about are the krb5 salts for passwords, as these won't show up in a search but might make keeping passwords more difficult (embedded in supplementalCredentials).
>>
>> Finding out exactly what changes in a Windows AD domain when you rename it would be a good place to start. I honestly don't know how well it will go, but you could dump the whole thing to ldif with ldbdump on the backend files, and then do a pile of search and replace. That might at least help pinpoint what other issues to look for.
>>
>> I hope this helps,
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett http://samba.org/~abartlet/
>> Authentication Developer, Samba Team http://samba.org
>> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
Hi Denis,

What tool do you use to export users including their nt-hash password? I'm still missing that...

On 30 Aug 2016 10:27, "Denis Cardon via samba" <samba at lists.samba.org> wrote:
> Hi John,
>
>> I understand that Samba doesn't support domain renaming, which is why I'm looking for a way to export the data from one domain and import it into a new one. Passwords and machine accounts are not a problem and can be ignored for this exercise. The key things I need to copy across are user accounts and groups, as they would be an absolute pain in the rear end to redo from scratch.
>
> Samba may miss a few pieces, but its FOSS nature and the Python scripting libraries make it a wonderful tool for all AD automation. I'd say that it's more versatile than MSAD once you accept to look into the guts of the beast.
>
> For our daily work, we have a bunch of in-house scripts for domain management, among others domain rename. For rename, one way of going about it is to create a new domain with the same domain SID, then recreate all the user/group/machine entries, pipe in the old object SID (so that user profiles are kept during migration), then pipe in the NT hash password with pdbedit --set-nt-hash.
>
> We have done dozens of migrations/merges this year using this method among others, going from samba3 PDC, samba4 AD, and MSAD from 2003 up to 2012R2. It even works with a 2012R2 forest level using the clone-dc-database option to get all the data you need, then pipe all the data into the new s4 domain!
>
> So yes, it can be done, you just have to roll up your sleeves, fire up your favorite editor and get your Python straight :-)
>
> Cheers,
>
> Denis
>
>> Machine accounts will be dealt with by the required unjoin/rejoin process. If a forced password change is the only thing users complain about I'll consider the migration a great success.
>>
>> Getting from a Samba 3 NT domain to a Samba 4 AD domain was relatively simple and painless. Surely there's a way to go from one Samba 4 AD domain to another. Sure, it would be nice to have a domain rename supported natively, but of all the things that still need to be done in Samba 4's implementation of AD I don't believe it should be a high priority.
>>
>> Domain renames are a fact of life in many organisations, so I figure somebody on this list has probably done it already and I would be grateful if they could share the details of how they went about it. I'm not looking for a magic wand, merely some guidance.
>>
>> regards,
>> John
>>
>> On 29/08/16 19:48, Andrew Bartlett via samba wrote:
>>> On Wed, 2016-08-24 at 13:40 +1000, John Gardeniers via samba wrote:
>>>> Hi All,
>>>>
>>>> As a result of a company restructure and name change we need to change our AD domain. I know that we can't change the AD domain name in Samba 4, so I'm looking at the smoothest way to migrate everything from one domain to another.
>>>>
>>>> Is there any (properly working) way we can export users, groups and policies from one domain and import them into another? I've spent a few months getting everything just the way we want it and would greatly prefer not to have to start from scratch. Incidentally, I don't care about the computer accounts, as they will be dealt with by the normal unjoin/rejoin process.
>>>>
>>>> Any tips, advice or warnings anyone cares to share about this process would be greatly appreciated.
>>>
>>> This isn't something that Samba natively supports right now, and we don't even support doing it via the Windows tool, or export to Windows, because of various issues.
>>>
>>> I would love to add it if I could find a funder (it is the level of work that would need that, or the patient work of a community member over quite some time), because it won't be trivial.
>>>
>>> In the short term I would agree that preserving the domain GUID, SIDs and structure is the most critical part.
>>>
>>> The things I would most worry about are the krb5 salts for passwords, as these won't show up in a search but might make keeping passwords more difficult (embedded in supplementalCredentials).
>>>
>>> Finding out exactly what changes in a Windows AD domain when you rename it would be a good place to start. I honestly don't know how well it will go, but you could dump the whole thing to ldif with ldbdump on the backend files, and then do a pile of search and replace. That might at least help pinpoint what other issues to look for.
>>>
>>> I hope this helps,
>>>
>>> Andrew Bartlett
>>>
>>> --
>>> Andrew Bartlett http://samba.org/~abartlet/
>>> Authentication Developer, Samba Team http://samba.org
>>> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
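Editor's note, not part of the thread: the procedure Denis outlines (new domain provisioned with the old domain SID, objects re-created with their old RIDs, NT hashes pushed in with pdbedit --set-nt-hash) and the "export users with their nt-hash" question both start from the same thing, an LDIF dump of the old sam.ldb, which is also what Andrew's ldbdump suggestion produces. The script below is an added example written for this page; it is neither Denis's in-house tooling nor anything shipped with Samba. It parses such a dump (handling both `ldbsearch`-style textual objectSid values and the base64 binary form `ldbdump` prints, plus LDIF line folding), keeps the old RID for every object, converts the 16-byte unicodePwd value to the hex that pdbedit expects, and emits the samba-tool / pdbedit command lines for the new domain. The domain SID, DNs, and hash in it are constructed test data. It assumes the new domain was provisioned with the same SID (samba-tool domain provision has a --domain-sid option for that); it only records the old RID of each object, because samba-tool cannot set objectSid on creation, so that step still needs scripting against the samdb Python API as Denis describes.

```python
"""Plan re-creating users and groups from an LDIF export of the old Samba AD
domain into a new domain provisioned with the same domain SID.  Added example,
not Denis Cardon's script nor a Samba tool; sample data is constructed and the
samba-tool/pdbedit commands are emitted as text, not executed."""
import base64
import re
import struct

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed

# Constructed export (ldbsearch/ldbdump style).  'bob' shows a base64 binary
# objectSid (RID 1107) as ldbdump prints it; unicodePwd is a dummy test hash.
SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=old,DC=example,DC=com
objectClass: user
sAMAccountName: alice
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
unicodePwd:: MdjYzlXExm8Wl0t1fngQig==

dn: CN=Bob Example,CN=Users,DC=old,DC=example,DC=com
objectClass: user
sAMAccountName: bob
objectSid:: AQUAAAAAAAUVAAAAxzU6Qo5rdIRVoa7GUwQAAA==
unicodePwd:: MdjYzlXExm8Wl0t1fngQig==

dn: CN=Finance,CN=Users,DC=old,DC=example,DC=com
objectClass: group
sAMAccountName: Finance
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1106
member: CN=Alice Example,CN=Users,DC=old,DC=example,DC=com
member: CN=Bob Example,CN=Users,DC=old,DC=example,DC=com
"""
_ATTR = re.compile(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Unfold continuation lines, decode '::' base64 values, and return one
    {attr: [bytes, ...]} dict per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                      # sentinel flushes last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, sep, val = _ATTR.match(line).groups()
            cur.setdefault(attr, []).append(
                base64.b64decode(val) if sep == "::" else val.encode())
    return entries


def sid_to_str(raw):
    """Text SID passes through; binary SID is rev(1) count(1) 48-bit big-endian
    authority, then `count` little-endian 32-bit sub-authorities."""
    if raw.startswith(b"S-"):
        return raw.decode()
    subs = struct.unpack("<%dI" % raw[1], raw[8:8 + 4 * raw[1]])
    return "S-%d-%d-%s" % (raw[0], int.from_bytes(raw[2:8], "big"),
                           "-".join(map(str, subs)))


def nt_hash_hex(entry):
    """unicodePwd in sam.ldb is the raw 16-byte NT hash; pdbedit wants hex."""
    vals = entry.get("unicodePwd")
    if vals and len(vals[0]) != 16:
        raise ValueError("unicodePwd is not a 16-byte NT hash")
    return vals[0].hex() if vals else None


def plan_migration(ldif_text, domain_sid=DOMAIN_SID):
    """Return (users, groups, commands).  Skips computers (they rejoin), SIDs
    outside the old domain (BUILTIN, foreign) and RIDs < 1000 (provisioned)."""
    entries = parse_ldif(ldif_text)
    dn_to_name = {e["dn"][0].decode(): e["sAMAccountName"][0].decode()
                  for e in entries if "sAMAccountName" in e}
    users, groups = [], []
    for e in entries:
        if "objectSid" not in e or "sAMAccountName" not in e:
            continue
        prefix, _, rid = sid_to_str(e["objectSid"][0]).rpartition("-")
        if prefix != domain_sid or int(rid) < 1000:
            continue
        name = e["sAMAccountName"][0].decode()
        classes = {c.decode().lower() for c in e.get("objectClass", [])}
        if "group" in classes:
            members = [dn_to_name[m.decode()] for m in e.get("member", [])
                       if m.decode() in dn_to_name]
            groups.append({"name": name, "rid": int(rid), "members": members})
        elif "user" in classes and "computer" not in classes:
            users.append({"name": name, "rid": int(rid), "nthash": nt_hash_hex(e)})
    cmds = []
    for u in users:   # create with a throwaway password, then restore the old hash
        cmds.append(f"samba-tool user create {u['name']} --random-password")
        if u["nthash"]:
            cmds.append(f"pdbedit -u {u['name']} --set-nt-hash={u['nthash']}")
    cmds += [f"samba-tool group add {g['name']}" for g in groups]   # all groups first
    cmds += [f"samba-tool group addmembers {g['name']} " + ",".join(g["members"])
             for g in groups if g["members"]]                      # then nesting
    return users, groups, cmds


if __name__ == "__main__":
    print("\n".join(plan_migration(SAMPLE_LDIF)[2]))
```

Two practical points. Groups are all created before any addmembers call so that nested groups resolve whatever order the export lists them in, and member DNs are mapped back to sAMAccountNames through the export itself, since the DNs change with the domain. Second, restoring only the NT hash is exactly the salt issue Andrew raises: the Kerberos AES keys in supplementalCredentials are salted with the realm, so they cannot be carried over and are regenerated only when the user next sets a password; until then Kerberos relies on the RC4 key, which is the NT hash, so the new domain must still allow arcfour-hmac for those accounts.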