Marco Gaiarin
2017-Aug-30 16:29 UTC
[Samba] Some hint on migration from a set of NT4 domains to an AD domain...
I've lurked (and posted) on this list for some months, getting much valuable information, but I still have many doubts.

Most of my doubts, I think, come from the fact that 'AD' (generally) is a very complex beast, and if samba in NT4 mode fits very well in a UNIX environment (and mind ;), samba in AD mode forced me to think in some ''microsoft way''. And I'm not used to it.

I'm an old (my daughters say that! ;) UNIX sysadmin, who manages a set of NT4 domains, built in branch offices when, here in Italy, connectivity was a chime, and so we never minded about ''account management''.
Many users now have accounts on every domain, and passwords to manage.

Every domain is LDAP-backed, and LDAP provides account and password info for other services, most notably email (every samba domain has a compelling email domain). I'm not using winbind (apart from native NTLM auth, freeradius and squid).

Initially my plan was to move every domain into its own AD domain, doing after that some sort of ''foresting''.

In this month, I've test-classicupgraded a domain (in a virtual environment) and started to play, most notably with schema extensions to keep all the email routing stuff.

But after reading here for some months, and most notably after understanding that:

a) it is better to have the AD DC role on a machine of its own.

b) all my UID/GID are ''wrong'' (low), and had better be remapped.

c) I can still use domains in an AD forest, but the simplest thing is to manage different OUs in a single domain

I'm really thinking of throwing away all my 4 domains, simply moving/importing users using sets of non-overlapping UID/GID, and moving users from old domains to OUs.

Clearly, I have to do some more work (eg, prepare a set of scripts to move file permissions/ACLs from old to new ACLs; rejoin all workstations; ...), but I hope the result can be better.

Has someone already done such a migration, or something like this?

Thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Denis Cardon
2017-Aug-31 19:26 UTC
[Samba] Some hint on migration from a set of NT4 domains to an AD domain...
Hi Marco,

> I've lurked (and posted) on that list by some month, getting many
> vaulable informations, but still i've many doubts.
>
> Most of my doubt i think came from the fact that 'AD' (generally) a is
> a very complex beast, and if samba in NT4 mode fit very well in a UNIX
> environment (and mind ;), samba in AD mode forced me to think in some
> ''microsoft way'. And i'm not used to.

Active Directory is not a simple beast, but the underlying tech and what it provides is not simple either. If you want to properly set up ldap, kerberos, dns in a multi-master replication scenario, it is not easy at all, and Samba AD makes it really simple IMHO... Nowadays, even for a full linux client setup I prefer to have Samba AD and SMB connectivity.

> I'm an old (my daughters say that! ;) UNIX sysadmin, that manage some
> set of NT4 domains, built in branch offices when, here in italy,
> connectivity was a chime, and so we never minded about ''account
> management''.
> Many users have now accounts on every domain, and password to manage.
>
> Every domain is LDAP-backed, and LDAP provide account and password info
> for other services, most notably email (every samba domain have a
> compelling email domain). I'm not using winbind (apart for native NTLM
> auth, freeradius and squid).
>
> Initially my plan was to move every domain in his AD domain, doing
> after that some sort of ''foresting''.

Domain trust relationships are not yet fully supported, so AD forests are not for tomorrow yet.

> In this month, i've test-classicupgraded a domain (in a virtual
> environment) and start to play, most notably with schema extensions to
> keep all the email routing stuff.
>
> But after reading here by some month, and most notably after
> understanding that:
>
> a) it is better to have the AD DC role in a machine on their own.

Yes, definitely.

> b) all my UID/GID are ''wrong'' (low), better have to be remapped.

Yes, get rid of everything below 1000.

> c) i can still use domains, in an AD forest, but the simpliest things
> is to manage different OU in a single domain

Yes, even in an MS AD scenario where forests are supported, it is recommended to consolidate your domains.

> I'm really thinking of throwing all my 4 domains, simply
> moving/importing users using sets of non-overlapping UID/GID, and
> moving users from old domains to OU.

If you have Windows workstations, the main PITA during migration is the user profile migration. If you change the user SID, then the user will get a shiny new clean profile after migration. So you can choose the domain with the largest number of users and keep that domain SID and the users' SIDs in the new domain. You should re-inject password hashes to avoid re-issuing credentials. All the other users will have new SIDs, so you'll have to migrate their profiles as well. Actually the server side migration part is the fastest and easiest (the Samba team is really doing a great job!). If you have a large number of users, your real pain will be on desktops and with business apps.

Cheers,

Denis

> Clearly, i've to do some more work (eg, prepare set of script to move
> files permission/ACL from old to new ACL; rejoin all workstation; ...),
> but i hope the result can be better.
>
> Someone have just done such a migration, or something like this?
>
> Thanks.

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
Marco Gaiarin
2017-Sep-01 15:33 UTC
[Samba] Some hint on migration from a set of NT4 domains to an AD domain...
Hi! On that day Denis Cardon via samba wrote...

> >Most of my doubt i think came from the fact that 'AD' (generally) a is
> >a very complex beast, and if samba in NT4 mode fit very well in a UNIX
> >environment (and mind ;), samba in AD mode forced me to think in some
> >''microsoft way'. And i'm not used to.
> Active Directory is not a simple beast, but the underlying tech and what it
> provides is not simple either. If you want to properly set up ldap,
> kerberos, dns in a multi-master replication scenario, it is not easy at all,
> and Samba AD make it really simple IMHO...

Sure. But it is not a simple matter of ''simplicity'': as a sysadmin I'm aware that, to prevent bad things from happening, I need to understand very well how things work. Samba 3 had excellent (and libre, indeed) documentation, and a more ''UNIX'' approach to things, so it was relatively easy to understand how it worked, also in correlation with ''microsoft stuff''. But there's no more time for crying... ;-)

> >Initially my plan was to move every domain in his AD domain, doing
> >after that some sort of ''foresting''.
> domain trust relationship is not yet fully supported, so AD forest are not
> yet for tomorrow.

Ah. Oh. I was not aware of that. Thanks.

> >I'm really thinking of throwing all my 4 domains, simply
> >moving/importing users using sets of non-overlapping UID/GID, and
> >moving users from old domains to OU.
> if you have windows workstation, the main PITA during migration is the user
> profile migration. If you change the user SID, then the user will get a new
> shiny clean profile after migration.

Ah. Right. I'd forgotten about that. Thanks. But probably this can be done also when migrating to Win10, which, as far as I've understood, uses another format for profiles (.V4?).

> also their profile. Actually the server side migration part is the fastest
> and easiest (Samba team is really doing a great job!). If you have a large
> number of user, your real pain will be on desktops and with business apps.

I think I'll need to set up some scripts. Has someone already done this? Or, is there a way to ''redirect'' the classicupgrade script's work to an ldif file, for 'post processing'?!

Thanks.

-- 
dott. Marco Gaiarin
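Two points in this thread lend themselves to a worked script: Denis's advice to get rid of every UID/GID below 1000 together with Marco's plan to import users with non-overlapping UID/GID sets per old domain, and Marco's question about post-processing an LDIF before import. The following is an added example written for this archive page; it is not code from the thread, from Samba, or from the classicupgrade tool. The LDIF sample, the domain names and the target ranges in `RANGES` are constructed, and the parser only handles the plain LDIF form shown (no line folding, no base64 values).

```python
"""Remap uidNumber/gidNumber values from several NT4-style LDAP domains
into non-overlapping, above-1000 ranges before importing into one AD domain.

Added example for this thread, not code from the list or from Samba's
classicupgrade.  The LDIF sample and the target ranges are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: two source domains with low (<1000) and overlapping
# ids, and one login name ("alice") that exists in both domains.
SAMPLE_LDIF = {
    "DOM_A": """\
dn: uid=alice,ou=People,dc=doma,dc=example
uid: alice
uidNumber: 500
gidNumber: 513

dn: uid=bob,ou=People,dc=doma,dc=example
uid: bob
uidNumber: 501
gidNumber: 513
""",
    "DOM_B": """\
dn: uid=carla,ou=People,dc=domb,dc=example
uid: carla
uidNumber: 500
gidNumber: 513

dn: uid=alice,ou=People,dc=domb,dc=example
uid: alice
uidNumber: 2000
gidNumber: 2000
""",
}

# Assumed target ranges: one disjoint block per source domain, all >= 1000.
RANGES = {"DOM_A": (10000, 19999), "DOM_B": (20000, 29999)}


def parse_ldif(text):
    """Parse minimal LDIF (no line folding, no base64) into a list of
    {attribute: [values]} dicts, one per entry."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def low_ids(entries, threshold=1000):
    """Return the set of uidNumber/gidNumber values below threshold."""
    return {int(e[a][0]) for e in entries for a in ("uidNumber", "gidNumber")
            if int(e[a][0]) < threshold}


def remap_domain(domain, entries):
    """Allocate fresh ids from the domain's range: one per distinct old
    uidNumber and one per distinct old gidNumber, so a group shared by
    several users keeps a single new gidNumber."""
    lo, hi = RANGES[domain]
    tables = {"uidNumber": {}, "gidNumber": {}}
    next_id = lo

    def alloc(attr, old):
        nonlocal next_id
        if old not in tables[attr]:
            if next_id > hi:
                raise ValueError(f"{domain}: range {lo}-{hi} exhausted")
            tables[attr][old] = next_id
            next_id += 1
        return tables[attr][old]

    out = []
    for e in entries:
        new = dict(e)
        for attr in tables:
            new[attr] = [str(alloc(attr, int(e[attr][0])))]
        out.append(new)
    return out, tables


def migrate(ldif_by_domain):
    """Remap every domain and report login names that collide across
    domains; those must be resolved by hand, since one AD domain has a
    single flat account-name namespace."""
    merged, seen = [], defaultdict(list)
    for domain, text in ldif_by_domain.items():
        remapped, _ = remap_domain(domain, parse_ldif(text))
        for e in remapped:
            seen[e["uid"][0]].append(domain)
            merged.append(e)
    conflicts = {name: doms for name, doms in seen.items() if len(doms) > 1}
    return merged, conflicts


def to_ldif(entries):
    """Serialise entries back to LDIF for post-processing or import."""
    return "\n".join("\n".join(f"{a}: {v}" for a, vals in e.items() for v in vals)
                     for e in entries) + "\n"


if __name__ == "__main__":
    merged, conflicts = migrate(SAMPLE_LDIF)
    print(to_ldif(merged))
    print("login-name conflicts:", conflicts)
```

The per-domain tables returned by `remap_domain` are the old-to-new id maps you would feed to the file-permission/ACL rewrite scripts mentioned earlier in the thread, and the `conflicts` dict flags the one thing a purely numeric remap cannot solve: the same login name in two old domains. SID preservation and profile migration, which Denis raises, are a separate concern not covered here.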