Guido Lorenzutti
2018-Feb-17 23:44 UTC
[Samba] migrate several samba3+openldap pdc to samba3
Hi there! I have one domain, shared between several samba3+openldap servers in different geographical locations. I want to migrate them to samba4.

The domain has approx. 4000 user accounts, 4000 workstations, and several groups.

I was able to successfully migrate the domain in a test environment. But I am faced with the problem that I will not be able to migrate the more than 20 locations in parallel at the same time. Most likely I have to do one per day, or one every other day. But during that time, users will continue to use the domain and change their passwords. The machine accounts will also continue to interact with the domain to update their credentials.

Any idea how to gradually migrate every location without having the problem that, since I made the first migration, there have probably been changes in passwords, creations of users, etc?

Thanks in advance.
Andrew Bartlett
2018-Feb-18 01:05 UTC
[Samba] migrate several samba3+openldap pdc to samba3
On Sat, 2018-02-17 at 20:44 -0300, Guido Lorenzutti via samba wrote:
> Hi there! I have one domain, shared between several samba3+openldap
> on different geographical locations. I want to migrate them to samba4.
>
> The domain has approx. 4000 user accounts, 4000 workstations, and
> several groups.
>
> I was able to successfully migrate the domain in a
> test environment. But I am faced with the problem that I will not be
> able to migrate in parallel the more than 20 locations at the same time.
> Most likely I have to do one per day, or one every other day. But during
> that time, users will continue to use the domain and change their
> passwords. As also the machine accounts will continue to interact with
> the domain to update their credentials.
>
> Any idea to gradually migrate
> every location without having the problem that since I made the first
> migration, there have probably been changes in passwords, creations of
> users, etc?

It certainly can and has been done. It is easier if you can assert that
no new users will be added during the migration. Password changes can
be forced though by exporting the password and forcing it into the AD
DC.

For a long time I've wanted to extend the classicupgrade tool to
operate in an incremental mode (watching the pwdLastSet to pick the
most recent password change) but for the moment you will need to write
your own scripts.

Others on the list who have done this in operational migrations will be
able to give more specific advice. In general ensure the two domains
can't see each other (not share the same netbios namespace) during the
migration to ensure a client can't attempt a domain login against one
and then the other.

I wish you all the best with the migration,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Guido Lorenzutti
2018-Feb-18 13:22 UTC
[Samba] migrate several samba3+openldap pdc to samba3
On Sun, 18 Feb 2018 14:05:38 +1300, Andrew Bartlett via samba wrote:
> On Sat, 2018-02-17 at 20:44 -0300, Guido Lorenzutti via samba wrote:
>> Hi there! I have one domain, shared between several samba3+openldap
>> on different geographical locations. I want to migrate them to samba4.
>> The domain has approx. 4000 user accounts, 4000 workstations, and
>> several groups. I was able to successfully migrate the domain in a
>> test environment. But I am faced with the problem that I will not be
>> able to migrate in parallel the more than 20 locations at the same time.
>> Most likely I have to do one per day, or one every other day. But during
>> that time, users will continue to use the domain and change their
>> passwords. As also the machine accounts will continue to interact with
>> the domain to update their credentials. Any idea to gradually migrate
>> every location without having the problem that since I made the first
>> migration, there have probably been changes in passwords, creations of
>> users, etc?
>
> It certainly can and has been done. It is easier if you can assert that
> no new users will be added during the migration. Password changes can
> be forced though by exporting the password and forcing it into the AD
> DC.
>
> For a long time I've wanted to extend the classicupgrade tool to
> operate in an incremental mode (watching the pwdLastSet to pick the
> most recent password change) but for the moment you will need to write
> your own scripts.
>
> Others on the list who have done this in operational migrations will be
> able to give more specific advice. In general ensure the two domains
> can't see each other (not share the same netbios namespace) during the
> migration to ensure a client can't attempt a domain login against one
> and then the other.
>
> I wish you all the best with the migration,

Thank you Andrew! How can I import the modified passwords into the AD? I can do a search in the LDAP to get the modified attributes and export them. But I didn't find a way to import these attributes into the Samba AD. Tnxs.
Hello! On that day Guido Lorenzutti via samba wrote:
> Hi there! I have one domain, shared between several samba3+openldap
> on different geographical locations. I want to migrate them to samba4.

The 'same' domain, or does every geographical location have a different domain, trusting each other? I'm in the same phase, but I have different domains for every site.

> I was able to successfully migrate the domain in a
> test environment.

Consider, as I'm doing now, not migrating the domains but instead building the new domain ''in parallel'' with the old. As just stated:

 + 'classicmigration' works, but leaves an IdMap that is ''dirty'', and with problematic low IDs
 + you still need to have, for every site, (at least) a domain controller and (at least) a domain member: it is theoretically doable, but it is preferable to split the DM/DC roles onto different boxes. Corollary: consider switching to virtualization, like Proxmox.

With the old and new domain in place, you can switch users/PCs from the old to the new also ''one by one''. If login and password are the same (see later) you can also access the old server from the new domain.

> Any idea to gradually migrate
> every location without having the problem that since I made the first
> migration, there have probably been changes in passwords, creations of
> users, etc?

a) plan and set up the new domain; test it. Start to use GPOs and those goodies.

b) build a script to ''suck'' users from the old OpenLDAP into the new AD; I've done one myself, I can contribute it, but it is really a matter of some LDAP queries...

c) build a wrapper around 'samba-tool user syncpasswords' (for samba AD) and the 'check password script' (for samba NT) to keep passwords in sync.

I hope I was useful.

--
dott. Marco Gaiarin                        GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
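The incremental sync that Andrew says "you will need to write your own scripts" for, and that Guido asks about (how to get the changed passwords into the AD), comes down to three steps: dump the samba3 accounts from OpenLDAP, compare each account's sambaPwdLastSet with the pwdLastSet of the copy already in the AD, and push only the accounts whose password changed after the cutover. The script below is an added example written for this thread; it is not code from any of the posters or from the Samba project. The LDIF export, the AD state dictionary, the DNs and the hashes are all constructed sample data. It also assumes (not stated anywhere in the thread) that the AD side is read with `ldbsearch -H /var/lib/samba/private/sam.ldb` and written with `ldbmodify` against the same local sam.ldb, and that a 16-byte `unicodePwd` written over that local path is taken as the NT hash, which is the route classicupgrade itself relies on; check that on your Samba version in the test environment before running it against the production DC.

```python
"""Incremental samba3 -> Samba AD password sync (added example, not from the thread).
Assumptions, none from the thread: input is an LDIF export of the samba3 OpenLDAP accounts;
AD_STATE is what `ldbsearch -H sam.ldb '(objectClass=user)' sAMAccountName pwdLastSet` reports;
output is fed to `ldbmodify -H /var/lib/samba/private/sam.ldb`, where a 16-byte unicodePwd is
assumed to be taken as the NT hash (the path classicupgrade uses; verify on your version)."""
import base64
import string

NT_EPOCH_DELTA = 11644473600  # seconds between 1601-01-01 and 1970-01-01


def nttime_to_unix(nttime):
    """AD pwdLastSet (100-ns ticks since 1601) -> Unix seconds; the 0/-1 markers map to 0."""
    return 0 if nttime <= 0 else nttime // 10_000_000 - NT_EPOCH_DELTA


def parse_ldif(text):
    """Small LDIF reader: unfolds continuation lines, decodes '::' base64 values, skips comments."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # a folded line continues the previous one
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name, []).append(value)  # every attribute stays multi-valued
    return entries


def select_updates(src, ad_state):
    """Accounts whose OpenLDAP password is newer than the copy in AD. Comparing per-account
    timestamps rather than one global cutover time keeps re-runs idempotent.
    Returns ([(account, AD dn, NT hash bytes, sambaPwdLastSet)], [notes])."""
    updates, notes = [], []
    for e in src:
        if "sambasamaccount" not in [c.lower() for c in e.get("objectClass", [])]:
            continue
        name = e["uid"][0]
        try:
            src_set = int(e["sambaPwdLastSet"][0])
        except (KeyError, ValueError):
            notes.append(f"{name}: no usable sambaPwdLastSet, skipped")
            continue
        hex_hash = e.get("sambaNTPassword", [""])[0]
        if len(hex_hash) != 32 or not all(c in string.hexdigits for c in hex_hash):
            notes.append(f"{name}: sambaNTPassword is not a 16-byte hash, skipped")  # e.g. 'NO PASSWORD...'
            continue
        target = ad_state.get(name)
        if target is None:
            notes.append(f"{name}: not in AD yet, create the account before syncing")
            continue
        if src_set <= nttime_to_unix(target["pwdLastSet"]):
            continue  # AD already holds this password or a newer one
        updates.append((name, target["dn"], bytes.fromhex(hex_hash), src_set))
    return updates, notes


def to_modify_ldif(updates):
    """One `changetype: modify` block per account, ready for ldbmodify."""
    return "\n".join(
        f"dn: {dn}\nchangetype: modify\nreplace: unicodePwd\n"
        f"unicodePwd:: {base64.b64encode(nt_hash).decode('ascii')}\n-\n"
        for _name, dn, nt_hash, _set in updates
    )


# Constructed sample, not a real export: alice changed her password after the cutover,
# workstation ws01$ did not, carol was created afterwards and is missing from AD.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: sambaSamAccount
uid: alice
sambaNTPassword: 0123456789abcdef0123456789abcdef
sambaPwdLastSet: 1519000000

dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: sambaSamAccount
uid: ws01$
sambaNTPassword: fedcba9876543210fedcba9876543210
sambaPwdLastSet: 1518500000

dn: uid=carol,ou=Users,dc=example,dc=com
objectClass: sambaSamAccount
uid: carol
sambaNTPassword: ffeeddccbbaa99887766554433221100
sambaPwdLastSet: 1519050000
"""
SAMPLE_AD_STATE = {  # pwdLastSet as ldbsearch prints it (NT time); Unix equivalent in the comment
    "alice": {"dn": "CN=alice,CN=Users,DC=example,DC=com", "pwdLastSet": 131624736000000000},  # 1518000000
    "ws01$": {"dn": "CN=WS01,CN=Computers,DC=example,DC=com", "pwdLastSet": 131629736000000000},  # 1518500000
}


def run_sample():
    updates, notes = select_updates(parse_ldif(SAMPLE_LDIF), SAMPLE_AD_STATE)
    return updates, notes, to_modify_ldif(updates)
```

Run per site on cutover day: dump that site's accounts from OpenLDAP, dump sAMAccountName and pwdLastSet from sam.ldb into the state dictionary, and pipe the output of `to_modify_ldif` into ldbmodify; the notes list tells you which accounts were created after the initial classicupgrade and still need to be added. Because the decision is made per account against the AD's own pwdLastSet, re-running after a partial failure pushes nothing twice, which is what makes the one-site-per-day schedule Guido describes workable.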