samba - Feb 2018 - migrate several samba3+openldap pdc to samba3

Hi there! I have one domain, shared between several samba3+openldap
on different geographical locations. I want to migrate them to samba4.


The domain has aprox 4000 users accounts, 4000 workstations, and
several groups. 

I was able to successfully migrate the domain in a
test environment. But I am faced with the problem that I will not be
able to migrate in parallel the more than 20 locations at the same time.
Most likely I have to do one per day, or one every other day. But during
that time, users will continue to use the domain and change their
passwords. As also the machine accounts will continue to interact with
the domain to update their credentials.

Any idea to gradually migrate
every location without having the problem that since I made the first
migration, there have probably been changes in passwords, creations of
users, etc?

Thanks in advance.

On Sat, 2018-02-17 at 20:44 -0300, Guido Lorenzutti via samba
wrote:
>   
> 
> Hi there! I have one domain, shared between several samba3+openldap
> on different geographical locations. I want to migrate them to samba4.
> 
> 
> The domain has aprox 4000 users accounts, 4000 workstations, and
> several groups. 
> 
> I was able to successfully migrate the domain in a
> test environment. But I am faced with the problem that I will not be
> able to migrate in parallel the more than 20 locations at the same time.
> Most likely I have to do one per day, or one every other day. But during
> that time, users will continue to use the domain and change their
> passwords. As also the machine accounts will continue to interact with
> the domain to update their credentials.
> 
> Any idea to gradually migrate
> every location without having the problem that since I made the first
> migration, there have probably been changes in passwords, creations of
> users, etc?
I certainly can and has been done.  It is easier if you can assert that
now new users will be added during the migration.  Password changes can
be forced though by exporting the password and forcing it in to the AD
DC.  

For a long time I've wanted to extend the classicupgrade tool to
operate in an incremental mode (watching the pwdLastSet to pick the
most recent password change) but for the moment you will need to write
your own scripts. 

Others on the list who have done this in operational migrations will be
able to give more specific advise.  In general ensure the two domains
can't see each other (not share the same netbios namespace) during the
migration to ensure a client can't attempt a domain login against one
and then the other. 

I wish you all the best with the migration,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On Sun, 18 Feb 2018 14:05:38 +1300, Andrew Bartlett via samba
wrote: 
> On Sat, 2018-02-17 at 20:44 -0300, Guido Lorenzutti via samba
wrote:
> 
>> Hi there! I have one domain, shared between several
samba3+openldap on different geographical locations. I want to migrate
them to samba4. The domain has aprox 4000 users accounts, 4000
workstations, and several groups. I was able to successfully migrate the
domain in a test environment. But I am faced with the problem that I
will not be able to migrate in parallel the more than 20 locations at
the same time. Most likely I have to do one per day, or one every other
day. But during that time, users will continue to use the domain and
change their passwords. As also the machine accounts will continue to
interact with the domain to update their credentials. Any idea to
gradually migrate every location without having the problem that since I
made the first migration, there have probably been changes in passwords,
creations of users, etc?
> 
> I certainly can and has been done. It is
easier if you can assert that
> now new users will be added during the
migration. Password changes can
> be forced though by exporting the
password and forcing it in to the AD
> DC. 
> 
> For a long time I've
wanted to extend the classicupgrade tool to
> operate in an incremental
mode (watching the pwdLastSet to pick the
> most recent password change)
but for the moment you will need to write
> your own scripts. 
> 
>
Others on the list who have done this in operational migrations will
be
> able to give more specific advise. In general ensure the two
domains
> can't see each other (not share the same netbios namespace)
during the
> migration to ensure a client can't attempt a domain login
against one
> and then the other. 
> 
> I wish you all the best with the
migration,

Thank you Andrew!

How can import the modified passwords to
the AD? I can do a search in the ldap to get the modified atributes and
export them. But I didnt find a way to import this atributes on the
samba AD.

Tnxs.

Mandi! Guido Lorenzutti via samba
  In chel di` si favelave...
> Hi there! I have one domain, shared between several samba3+openldap
> on different geographical locations. I want to migrate them to samba4.
'Same' domain, or every geographical location have different domains,
trusted each others?

I'm in the same phase, but i've different domains for every site.

> I was able to successfully migrate the domain in a
> test environment.
Consider, i'm doing now, not to migrate domains, but instead build the
new domain ''in parallel'' with the old.
As just stated:
 + 'classicmigration' works, but leave an IdMap
''dirty'', and with
   problematic low ID
 + you still need to have, for every site, (at least) a domain controller
   and (at least) a domain member: it is theoretically doable, but it
   is preferrable to split DM/DC role in different box.
   Corollary: consider to switch to virtualization, like Proxmox.

With old and new domain in place, you can switch users/PC from the old
to the new also ''one by one''.
If login and password are the same (see later) you can also access the
old server from the new domain.

> Any idea to gradually migrate
> every location without having the problem that since I made the first
> migration, there have probably been changes in passwords, creations of
> users, etc?
a) project and setup the new domain; test it. Start to use GPO and that
 goodies.

b) build a script su ''suck'' users from old OpenLDAP to new AD;
i've
 done one myself, i can contribute, but it is really a matter of some
 LDAP queries...

c) build a wrapper around the 'samba-tool user syncpasswords' (for
 samba AD) and the 'check password script' (for samba NT) to keep
password in sync.


I hope i was useful.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''         
http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)