I know these systems work with AD, the problem is the migration, I don't think it is easy to migrate 5000 accounts from current systems to new systems. I will need to learn the syntaxes of all these new systems and this would take a huge amount of time because I know nothing of samba4, or AD, or dovecot, or kerberos and the boss wants the emails for students for next month. We don't plan to change cyrus/postfix and horde, what's the problem with them? I already tried kopano and the users hated it. And like I said there are a lot of internal administrative systems that were programmed (not by me) to work with ldap only, including some that are not opensource. A while ago I did research on how to migrate my current domain to samba4 and from what I understand it would be almost impossible or too difficult for my scenario.

Quoting Rowland Penny <rpenny at samba.org>:

> On Mon, 02 Apr 2018 13:06:16 +0000
> Rodrigo Abrantes Antunes via samba <samba at lists.samba.org> wrote:
>
>> A lot of administrative systems made by the institution, current domain, fileservers, glpi, cyrus mail, horde, gosa, svn, freeradius, dotproject, vcenter. That's what I remember for now.
>
> OK, I just spent about 10 minutes searching the internet and found out this:
>
> current domain : can be replaced by Samba AD
> fileservers : As above
>
> glpi : will work with AD, see here: http://wiki.glpi-project.org/doku.php?id=en:ldap
>
> cyrus mail : This can probably be made to work with AD, but you would probably be better off moving to Postfix/Dovecot
>
> horde : This will work with AD, but you will probably need to move to Dovecot
>
> gosa : You would probably be better off using LAM, this is still being developed, unlike Gosa, which seems to have stalled.
>
> svn : will work with AD
>
> freeradius : This definitely works with AD, see here https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>
> dotproject : will work with AD
> vcenter : will work with AD
>
> What I am trying to say is, you will probably find it easier to make your infrastructure work with AD, rather than trying to keep Samba 3 working. You may find it easier to move some of your systems to other, newer packages, for instance, you could upgrade your email system to something like Kopano.
>
> You will certainly have something more secure than what you have at the moment, especially if you use kerberos.
>
> Rowland

-- 
Rodrigo Abrantes Antunes
Instituto Federal Sul-rio-grandense
There is a documented upgrade process:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

With 5000 users you probably want to create a test environment first. Moving from samba 3 to samba 4 but staying in a classic domain should not require a huge learning curve and you don't have to change the LDAP backend. Just don't count on domain trusts working.

You definitely want to document how the various other systems are configured for LDAP authentication or coordinate with whomever is managing those systems. I moved from a classic samba domain to an AD domain with "real" Windows 2012 domain controllers. (This was because we needed to support MS Exchange.) I had to tweak things like search base and naming attributes. Also, if you are using TLS encryption with LDAP, that may require some fiddling to get working. Also, depending on how you set up LDAP, your current setup MAY allow anonymous access to retrieve a list of users and groups (although not passwords.) With AD there is no anonymous access via LDAP.

It is a little scary to hear a system administrator say he knows nothing about AD. Kerberos can be quite a challenge though. It also seems like with 5000 accounts that the migration task is too much for one person to handle by himself. When I did a major step of the domain migration in my company (under 100 people) I had 3 extra people helping me over the weekend, with over 12 hours per person per day.

On 04/02/18 10:15, Rodrigo Abrantes Antunes via samba wrote:
> I know these systems work with AD, the problem is the migration, I don't think it is easy to migrate 5000 accounts from current systems to new systems. I will need to learn the syntaxes of all these new systems and this would take a huge amount of time because I know nothing of samba4, or AD, or dovecot, or kerberos and the boss wants the emails for students for next month. We don't plan to change cyrus/postfix and horde, what's the problem with them? I already tried kopano and the users hated it. And like I said there are a lot of internal administrative systems that were programmed (not by me) to work with ldap only, including some that are not opensource. A while ago I did research on how to migrate my current domain to samba4 and from what I understand it would be almost impossible or too difficult for my scenario.
>
> Quoting Rowland Penny <rpenny at samba.org>:
>
>> On Mon, 02 Apr 2018 13:06:16 +0000
>> Rodrigo Abrantes Antunes via samba <samba at lists.samba.org> wrote:
>>
>>> A lot of administrative systems made by the institution, current domain, fileservers, glpi, cyrus mail, horde, gosa, svn, freeradius, dotproject, vcenter. That's what I remember for now.
>>
>> OK, I just spent about 10 minutes searching the internet and found out this:
>>
>> current domain : can be replaced by Samba AD
>> fileservers : As above
>>
>> glpi : will work with AD, see here: http://wiki.glpi-project.org/doku.php?id=en:ldap
>>
>> cyrus mail : This can probably be made to work with AD, but you would probably be better off moving to Postfix/Dovecot
>>
>> horde : This will work with AD, but you will probably need to move to Dovecot
>>
>> gosa : You would probably be better off using LAM, this is still being developed, unlike Gosa, which seems to have stalled.
>>
>> svn : will work with AD
>>
>> freeradius : This definitely works with AD, see here https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>>
>> dotproject : will work with AD
>> vcenter : will work with AD
>>
>> What I am trying to say is, you will probably find it easier to make your infrastructure work with AD, rather than trying to keep Samba 3 working. You may find it easier to move some of your systems to other, newer packages, for instance, you could upgrade your email system to something like Kopano.
>>
>> You will certainly have something more secure than what you have at the moment, especially if you use kerberos.
>>
>> Rowland
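The point above about a classic LDAP backend possibly permitting anonymous access is something to verify before the migration rather than guess at. The following is an added example written for this thread, not code from the list or from the Samba project: a small audit script, standard library only, that hand-encodes an LDAP anonymous simple BindRequest (RFC 4511 BER framing) and decodes the BindResponse so you can see whether your own directory accepts unauthenticated sessions. The host name `ldap.example.org`, the `probe()` function and the two sample responses are assumptions constructed for the example; they were not captured from any real server.

```python
"""Audit helper: does an LDAP server accept an anonymous simple bind?
Added example (not from the samba list thread). Standard library only; the
BindRequest/BindResponse are BER-encoded by hand so the encoder and parser
can be exercised offline on constructed byte strings."""
import socket
import ssl


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int) -> bytes:
    """INTEGER element for a non-negative value (leading 0x00 if top bit set)."""
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def anonymous_bind_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind = tlv(0x60, ber_int(3) + tlv(0x04, b"") + tlv(0x80, b""))  # [APPLICATION 0]
    return tlv(0x30, ber_int(message_id) + bind)


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one element starting at pos; return (tag, value, end position)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def parse_bind_response(data: bytes) -> dict:
    """Extract messageID, resultCode and diagnosticMessage from a BindResponse."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:  # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(op)          # ENUMERATED resultCode
    _, _matched_dn, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big"),
            "result_code": int.from_bytes(code, "big"),
            "diagnostic": diag.decode("utf-8", "replace")}


def anonymous_bind_allowed(response: bytes) -> bool:
    """resultCode 0 (success) means the server accepted the anonymous bind."""
    return parse_bind_response(response)["result_code"] == 0


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or fail; recv() may return partial data."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def recv_message(sock) -> bytes:
    """Read one complete BER-framed LDAPMessage from the socket."""
    head = recv_exact(sock, 2)
    if head[1] & 0x80:
        n = head[1] & 0x7F
        head += recv_exact(sock, n)
        body_len = int.from_bytes(head[2:], "big")
    else:
        body_len = head[1]
    return head + recv_exact(sock, body_len)


def probe(host: str, port: int = 389, use_tls: bool = False, timeout: float = 5.0) -> dict:
    """Send an anonymous bind to your own directory and report the outcome (hypothetical helper)."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:  # ldaps://, normally port 636
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    try:
        sock.sendall(anonymous_bind_request())
        result = parse_bind_response(recv_message(sock))
    finally:
        sock.close()
    result["anonymous_bind_allowed"] = result["result_code"] == 0
    return result


# Constructed sample responses for offline checks: a success, and a refusal of the
# kind OpenLDAP returns with 'disallow bind_anon' (48 = inappropriateAuthentication).
SAMPLE_ACCEPT = bytes.fromhex("300c02010161070a010004000400")
SAMPLE_REJECT = tlv(0x30, ber_int(1) + tlv(0x61, tlv(0x0A, b"\x30") + tlv(0x04, b"")
                                                + tlv(0x04, b"anonymous bind disallowed")))

if __name__ == "__main__":
    print(probe("ldap.example.org"))  # assumed host; point it at your own server
```

A successful bind only shows that the server accepts unauthenticated sessions; what such a session may then read is governed by the server's access controls (a directory may accept the bind yet expose nothing beyond the rootDSE). On OpenLDAP the `disallow bind_anon` directive refuses the bind outright, which is the setting to compare against when deciding how much the classic setup relies on anonymous reads.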
On Mon, 02 Apr 2018 14:15:40 +0000
Rodrigo Abrantes Antunes <rodrigoantunes at pelotas.ifsul.edu.br> wrote:

> I know these systems work with AD, the problem is the migration, I don't think it is easy to migrate 5000 accounts from current systems to new systems. I will need to learn the syntaxes of all these new systems and this would take a huge amount of time because I know nothing of samba4, or AD, or dovecot, or kerberos and the boss wants the emails for students for next month. We don't plan to change cyrus/postfix and horde, what's the problem with them? I already tried kopano and the users hated it. And like I said there are a lot of internal administrative systems that were programmed (not by me) to work with ldap only, including some that are not opensource. A while ago I did research on how to migrate my current domain to samba4 and from what I understand it would be almost impossible or too difficult for my scenario.

I know that at least one of the other Samba-team members wants to retain the use of NT4-style domains, but Microsoft seems to be trying to ensure that they go away. Microsoft stopped supporting NT domains over 10 years ago and bit by bit they seem to be removing the ability to use windows with them. You might find that one day, after a windows update, your domain doesn't work with your windows machines any more and then what will you do?

Far better to migrate to Samba AD now, whilst you are not being forced to in a rush, but it is your decision and you will have to account for it, if/when it all goes wrong.

Rowland
I never worked with AD, I really know nothing about it. And yes it's about 5000 accounts that should be migrated. This structure was not created by me, it was already working when I arrived. I use SSL encryption with LDAP and it allows anonymous access.

Quoting Gaiseric Vandal via samba <samba at lists.samba.org>:

> There is a documented upgrade process:
>
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>
> With 5000 users you probably want to create a test environment first. Moving from samba 3 to samba 4 but staying in a classic domain should not require a huge learning curve and you don't have to change the LDAP backend. Just don't count on domain trusts working.
>
> You definitely want to document how the various other systems are configured for LDAP authentication or coordinate with whomever is managing those systems. I moved from a classic samba domain to an AD domain with "real" Windows 2012 domain controllers. (This was because we needed to support MS Exchange.) I had to tweak things like search base and naming attributes. Also, if you are using TLS encryption with LDAP, that may require some fiddling to get working. Also, depending on how you set up LDAP, your current setup MAY allow anonymous access to retrieve a list of users and groups (although not passwords.) With AD there is no anonymous access via LDAP.
>
> It is a little scary to hear a system administrator say he knows nothing about AD. Kerberos can be quite a challenge though. It also seems like with 5000 accounts that the migration task is too much for one person to handle by himself. When I did a major step of the domain migration in my company (under 100 people) I had 3 extra people helping me over the weekend, with over 12 hours per person per day.
>
> On 04/02/18 10:15, Rodrigo Abrantes Antunes via samba wrote:
>> I know these systems work with AD, the problem is the migration, I don't think it is easy to migrate 5000 accounts from current systems to new systems. I will need to learn the syntaxes of all these new systems and this would take a huge amount of time because I know nothing of samba4, or AD, or dovecot, or kerberos and the boss wants the emails for students for next month. We don't plan to change cyrus/postfix and horde, what's the problem with them? I already tried kopano and the users hated it. And like I said there are a lot of internal administrative systems that were programmed (not by me) to work with ldap only, including some that are not opensource. A while ago I did research on how to migrate my current domain to samba4 and from what I understand it would be almost impossible or too difficult for my scenario.
>>
>> Quoting Rowland Penny <rpenny at samba.org>:
>>
>>> On Mon, 02 Apr 2018 13:06:16 +0000
>>> Rodrigo Abrantes Antunes via samba <samba at lists.samba.org> wrote:
>>>
>>>> A lot of administrative systems made by the institution, current domain, fileservers, glpi, cyrus mail, horde, gosa, svn, freeradius, dotproject, vcenter. That's what I remember for now.
>>>
>>> OK, I just spent about 10 minutes searching the internet and found out this:
>>>
>>> current domain : can be replaced by Samba AD
>>> fileservers : As above
>>>
>>> glpi : will work with AD, see here: http://wiki.glpi-project.org/doku.php?id=en:ldap
>>>
>>> cyrus mail : This can probably be made to work with AD, but you would probably be better off moving to Postfix/Dovecot
>>>
>>> horde : This will work with AD, but you will probably need to move to Dovecot
>>>
>>> gosa : You would probably be better off using LAM, this is still being developed, unlike Gosa, which seems to have stalled.
>>>
>>> svn : will work with AD
>>>
>>> freeradius : This definitely works with AD, see here https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>>>
>>> dotproject : will work with AD
>>> vcenter : will work with AD
>>>
>>> What I am trying to say is, you will probably find it easier to make your infrastructure work with AD, rather than trying to keep Samba 3 working. You may find it easier to move some of your systems to other, newer packages, for instance, you could upgrade your email system to something like Kopano.
>>>
>>> You will certainly have something more secure than what you have at the moment, especially if you use kerberos.
>>>
>>> Rowland

-- 
Rodrigo Abrantes Antunes
Instituto Federal Sul-rio-grandense
I don't think microsoft plans to do this with Windows 7, and yes we don't have money to buy windows 10, that's Brazil guys.

Quoting Rowland Penny <rpenny at samba.org>:

> On Mon, 02 Apr 2018 14:15:40 +0000
> Rodrigo Abrantes Antunes <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
>
>> I know these systems work with AD, the problem is the migration, I don't think it is easy to migrate 5000 accounts from current systems to new systems. I will need to learn the syntaxes of all these new systems and this would take a huge amount of time because I know nothing of samba4, or AD, or dovecot, or kerberos and the boss wants the emails for students for next month. We don't plan to change cyrus/postfix and horde, what's the problem with them? I already tried kopano and the users hated it. And like I said there are a lot of internal administrative systems that were programmed (not by me) to work with ldap only, including some that are not opensource. A while ago I did research on how to migrate my current domain to samba4 and from what I understand it would be almost impossible or too difficult for my scenario.
>
> I know that at least one of the other Samba-team members wants to retain the use of NT4-style domains, but Microsoft seems to be trying to ensure that they go away. Microsoft stopped supporting NT domains over 10 years ago and bit by bit they seem to be removing the ability to use windows with them. You might find that one day, after a windows update, your domain doesn't work with your windows machines any more and then what will you do?
>
> Far better to migrate to Samba AD now, whilst you are not being forced to in a rush, but it is your decision and you will have to account for it, if/when it all goes wrong.
>
> Rowland

-- 
Rodrigo Abrantes Antunes
Instituto Federal Sul-rio-grandense
On Mon, Apr 02, 2018 at 03:42:39PM +0100, Rowland Penny via samba wrote:
> On Mon, 02 Apr 2018 14:15:40 +0000
> Rodrigo Abrantes Antunes <rodrigoantunes at pelotas.ifsul.edu.br> wrote:
>
> > I know these systems work with AD, the problem is the migration, I don't think it is easy to migrate 5000 accounts from current systems to new systems. I will need to learn the syntaxes of all these new systems and this would take a huge amount of time because I know nothing of samba4, or AD, or dovecot, or kerberos and the boss wants the emails for students for next month. We don't plan to change cyrus/postfix and horde, what's the problem with them? I already tried kopano and the users hated it. And like I said there are a lot of internal administrative systems that were programmed (not by me) to work with ldap only, including some that are not opensource. A while ago I did research on how to migrate my current domain to samba4 and from what I understand it would be almost impossible or too difficult for my scenario.
>
> I know that at least one of the other Samba-team members wants to retain the use of NT4-style domains, but Microsoft seems to be trying to ensure that they go away. Microsoft stopped supporting NT domains over 10 years ago and bit by bit they seem to be removing the ability to use windows with them. You might find that one day, after a windows update, your domain doesn't work with your windows machines any more and then what will you do?
>
> Far better to migrate to Samba AD now, whilst you are not being forced to in a rush, but it is your decision and you will have to account for it, if/when it all goes wrong.

+1 to this. Folks, the NT4-style domains are out of maintenance from Microsoft (can't blame them for this, we move code to out of maintenance status all the time).

Samba-AD is getting more scalable, more support and being adopted by some large organizations who will ensure support and continuation for many years to come. I really would listen to Rowland on this, he knows what he is talking about.

Jeremy.