I need LDAP for other uses, how could I have samba4 and ldap without having 2 bases?

Quoting Harry Jede via samba <samba at lists.samba.org>:

> On Tuesday, 27 March 2018, 21:58:22 CEST, Rowland Penny wrote:
>> On Tue, 27 Mar 2018 22:41:15 +0200
>> Harry Jede via samba <samba at lists.samba.org> wrote:
>> On Tuesday, 27 March 2018, 14:25:47 CEST, Rodrigo Abrantes Antunes via samba wrote:
>>> I forgot to mention, I'm using samba 3.
>>
>> OK. Quite old thingy :-(
>>
>> you should read really old docs:
>> https://www.samba.org/samba/docs/old/Samba3-HOWTO/InterdomainTrusts.html
>>
>> chapter : Interdomain Trust Facilities
>>
>> Have fun
>>
>> Please don't give the OP ideas,
>
> Why not? Are you my master of any kind?
>
>> Samba 3 is dead
>
> Yes
>
>> and shouldn't be used
>
> Yes
>
>> to set up anything new.
>
> Hmmh, I thought the op uses two samba3 (NT) style domains with thousands of users.
>
>> I can understand maintaining an existing
>> NT4-style domain, but not setting up a new one.
>>
>> It gets harder and harder to keep windows machines working with an
>> NT4-style domain,
>
> No and no,
> M$ tries to set up new windows client installations to not work with NT-Domains. And yes, that is ok if security is the thing what one prefers.
>
> But sometimes sysadmins have other reasons to use old software and wish support.
>
>> it doesn't make sense to set up a new one, not when
>> it is easier to set up and maintain an AD domain.
>
> Yes
>
> @ Rodrigo Abrantes Antunes
> An idea to get things to work:
>
> Set up a testbed with current samba version.
> There are too many changes from old samba3 to current release. You should not expect that old config statements will work with newer releases of samba. So try to find out which server statements in smb.conf map to your old behaviour.
>
> If this is OK for you, try the domain join. But do not expect that the join command works as described in the old docs. You are using much newer software.
>
> PS
> And yes, NT style domains are insecure from the first day I have seen them. Are AD domains secure???
>
>> Rowland
>
> --
> Regards
> Harry Jede
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

--
Rodrigo Abrantes Antunes
Instituto Federal Sul-rio-grandense

On Mon, 02 Apr 2018 12:09:39 +0000
Rodrigo Abrantes Antunes via samba <samba at lists.samba.org> wrote:

> I need LDAP for other uses, how could I have samba4 and ldap
> without having 2 bases?

Samba 4 when running as a DC has a version of LDAP built-in and this can usually be used very much in the same way as an openldap server.

What do you need LDAP for ? just what programs do you need to connect to ldap ?

Rowland

I moved from Samba 3 to Samba 4, with samba domain controllers and remaining in a classic domain several years ago without too much trouble.

Obviously back up your /etc/samba and /var/lib/samba (or similar) directories. Default settings will change between versions so you do have to plan for some troubleshooting.

The safer approach may be to set up a new domain controller as a BDC and see how that works out.

With classic domains, trusts are completely unreliable. With Samba AD domains, I believe trusts are not completely implemented. In short, don't plan for using trusts with samba domains. And a lot of what you use trusts for can be done with OUs instead.

I have to say I am a little surprised anyone can make Samba 3 work any more (unless they are NOT patching all their windows systems.)

On 04/02/18 08:09, Rodrigo Abrantes Antunes via samba wrote:

> I need LDAP for other uses, how could I have samba4 and ldap without having 2 bases?
>
> Quoting Harry Jede via samba <samba at lists.samba.org>:
>
>> On Tuesday, 27 March 2018, 21:58:22 CEST, Rowland Penny wrote:
>>> On Tue, 27 Mar 2018 22:41:15 +0200
>>> Harry Jede via samba <samba at lists.samba.org> wrote:
>>> On Tuesday, 27 March 2018, 14:25:47 CEST, Rodrigo Abrantes Antunes via samba wrote:
>>>> I forgot to mention, I'm using samba 3.
>>>
>>> OK. Quite old thingy :-(
>>>
>>> you should read really old docs:
>>> https://www.samba.org/samba/docs/old/Samba3-HOWTO/InterdomainTrusts.html
>>>
>>> chapter : Interdomain Trust Facilities
>>>
>>> Have fun
>>>
>>> Please don't give the OP ideas,
>>
>> Why not? Are you my master of any kind?
>>
>>> Samba 3 is dead
>>
>> Yes
>>
>>> and shouldn't be used
>>
>> Yes
>>
>>> to set up anything new.
>>
>> Hmmh, I thought the op uses two samba3 (NT) style domains with thousands of users.
>>
>>> I can understand maintaining an existing
>>> NT4-style domain, but not setting up a new one.
>>>
>>> It gets harder and harder to keep windows machines working with an
>>> NT4-style domain,
>>
>> No and no,
>> M$ tries to set up new windows client installations to not work with NT-Domains. And yes, that is ok if security is the thing what one prefers.
>>
>> But sometimes sysadmins have other reasons to use old software and wish support.
>>
>>> it doesn't make sense to set up a new one, not when
>>> it is easier to set up and maintain an AD domain.
>>
>> Yes
>>
>> @ Rodrigo Abrantes Antunes
>> An idea to get things to work:
>>
>> Set up a testbed with current samba version.
>> There are too many changes from old samba3 to current release. You should not expect that old config statements will work with newer releases of samba. So try to find out which server statements in smb.conf map to your old behaviour.
>>
>> If this is OK for you, try the domain join. But do not expect that the join command works as described in the old docs. You are using much newer software.
>>
>> PS
>> And yes, NT style domains are insecure from the first day I have seen them. Are AD domains secure???
>>
>>> Rowland
>>
>> --
>> Regards
>> Harry Jede

A lot of administrative systems made by the institution, current domain, fileservers, glpi, cyrus mail, horde, gosa, svn, freeradius, dotproject, vcenter. That's what I remember for now.

Quoting Rowland Penny via samba <samba at lists.samba.org>:

> On Mon, 02 Apr 2018 12:09:39 +0000
> Rodrigo Abrantes Antunes via samba <samba at lists.samba.org> wrote:
>
>> I need LDAP for other uses, how could I have samba4 and ldap
>> without having 2 bases?
>
> Samba 4 when running as a DC has a version of LDAP built-in and this can usually be used very much in the same way as an openldap server.
>
> What do you need LDAP for ? just what programs do you need to connect to ldap ?
>
> Rowland

--
Rodrigo Abrantes Antunes
Instituto Federal Sul-rio-grandense

Hi Rodrigo,

despite all the things we have heard now about AD, let us talk about your needs.

> I need LDAP for other uses, how could I have samba4 and ldap
> without having 2 bases?

I do not understand your question? I can guess something:

1. You have one central ldap store
2. you need a new classic samba domain called: Administrative
3. your Students and your Administrative should use same ldap backend
4. Students domain should trust Administrative domain
5. Administrative domain should not trust Students domain

Is this what you want?

--
Regards
Harry Jede

Thanks for the help, I ended up doing something different. I value the things you said about Samba4 and AD but like I said, I don't have the required time to do that by now, and I thought I wouldn't need to explain this here.

What I ended up doing was put student machines in the same domain as the other users, added the students to group students and via logon script denied login for this group in the administrative network. Now maybe I have some time to research on Samba4..

Quoting Harry Jede <walk2sun at arcor.de>:

> Hi Rodrigo,
>
> despite all the things we have heard now about AD, let us talk about your needs.
>
>> I need LDAP for other uses, how could I have samba4 and ldap
>> without having 2 bases?
>
> I do not understand your question? I can guess something:
>
> 1. You have one central ldap store
> 2. you need a new classic samba domain called: Administrative
> 3. your Students and your Administrative should use same ldap backend
> 4. Students domain should trust Administrative domain
> 5. Administrative domain should not trust Students domain
>
> Is this what you want?
>
> --
> Regards
> Harry Jede

--
Rodrigo Abrantes Antunes
Instituto Federal Sul-rio-grandense