Michal67M at seznam.cz
2018-Jun-27 09:04 UTC
[Samba] v3 to AD migration: home folders, quotas, users..
Hi,
we want to migrate from samba3 NT4 domain (we were using it for a long time) to Samba4 AD. A lot of questions.

a) user homes mapping
From our v3 smb.conf

    logon drive = S:
    [homes]
        comment = Home Directories
        path = /home/%u
        read only = No
        create mask = 0700
        directory mask = 0700
        inherit acls = Yes
        browseable = No
        root preexec = /usr/local/bin/RPE4 '%u' 'HOMESHARE' '%m' '%a'

I tried -according to samba wiki- to map home folders through group policy. It worked, but it only maps network drive S: and it does NOT set it as user home folder; home folder remains mapped to c:\users\username. Should I use samba v3 style? Other way?

b) In /usr/local/bin/RPE4 (which is run every time user tries to use the share) we do a lot of actions, e.g.
- creating user home folder, if it does not exist
- creating user profile folder, if it does not exist
- setting user quota (via setquota command) according to user name (we have about 10 different quota groups) (there is a default quota, but some user groups have different user quotas)

What is the best way to do this in samba AD? Note that we use the home folders not only for users, which are logged into windows (into domain from windows logon screen), we map the home folders via "net use.." for non-domain users too.

c) We use openldap and both linux/unix and windows/samba authentication against it (samba has ldap backend configured, linuxes use sssd). We use not very handy mechanism of setting sambaNTpasswd and userPassword (crypted, set from HPUX) via ldapmodify. This is not standard and acceptable solution for future. How to do it in samba AD? We have 1000+ users, all with both samba SIDs and unix user attribs and we need to migrate them from openldap to samba AD.

Next questions, eh, challenges, will come soon.

Thanks,
Michal
Rowland Penny
2018-Jun-27 09:40 UTC
[Samba] v3 to AD migration: home folders, quotas, users..
On Wed, 27 Jun 2018 11:04:53 +0200 (CEST) Michal via samba <samba at lists.samba.org> wrote:

> Hi,
> we want to migrate from samba3 NT4 domain (we were using it for a
> long time) to Samba4 AD. A lot of questions.
> a) user homes mapping
> From our v3 smb.conf
> logon drive = S:
> [homes]
> comment = Home Directories
> path = /home/%u
> read only = No
> create mask = 0700
> directory mask = 0700
> inherit acls = Yes
> browseable = No
> root preexec = /usr/local/bin/RPE4 '%u' 'HOMESHARE' '%m' '%a'
> I tried -according to samba wiki- to map home folders through
> group policy. It worked, but it only maps network drive S: and it
> does NOT set it as user home folder; home folder remains mapped to
> c:\users\username. Should I use samba v3 style? Other way?

You can set various attributes in AD, amongst which is one called 'homeDrive', this is the AD equivalent of 'logon drive' and allows you to set different drive letters per user.

>
> b) In /usr/local/bin/RPE4 (which is run every time user tries to use
> the share) we do a lot of actions, e.g.
> - creating user home folder, if it does not exist
> - creating user profile folder, if it does not exist
> - setting user quota (via setquota command) according to user
> name (we have about 10 different quota groups) (there is a default
> quota, but some user groups have different user quotas)

Probably very similarly to what you are doing now, except that you can use PAM to create the user's home directory (pam_mkhomedir).

>
> What is the best way to do this in samba AD? Note that we use
> the home folders not only for users, which are logged into windows
> (into domain from windows logon screen), we map the home folders via
> "net use.." for non-domain users too.
>
> c) We use openldap and both linux/unix and windows/samba
> authentication against it (samba has ldap backend configured, linuxes
> use sssd).

You do not use the ldap backend on Unix domain members and you do not need sssd, Samba can do virtually all that sssd can do.
Try reading this:
https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

You can still use ldap against Samba AD, but there are possibly better ways of doing things, depending on just what you are trying to authenticate against AD.

> We use not very handy mechanism of setting sambaNTpasswd
> and userPassword (crypted, set from HPUX) via ldapmodify. This is not
> standard and acceptable solution for future.

You do not use either of those, you just use the AD password.

> How to do it in samba
> AD? We have 1000+ users, all with both samba SIDs and unix user
> attribs and we need to migrate them from openldap to samba AD.

Try reading this:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

I would however recommend changing the IDs (if possible) before the migration, they will undoubtedly be based on the RIDs i.e. very low numbers such as '1000' and these will interfere with the local Unix users.

>
> Next questions, eh, challenges, will come soon.

I am sure they will ;-)

Rowland
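
Added example, not part of the thread and not the poster's RPE4 script: a sketch of a 'root preexec' helper of the kind discussed in (b), which validates the '%u' value before using it as root, creates the home directory with mode 0700 and applies a per-group quota with setquota. The group names, the limits and the HOME_BASE variable are hypothetical, and HOME_BASE is assumed to be the mount point of the quota-enabled filesystem.

```shell
#!/bin/sh
# Added example: sketch of a "root preexec" helper like the RPE4 script in the
# thread. Group names, limits and HOME_BASE are hypothetical placeholders.
HOME_BASE=${HOME_BASE:-/home}

# Accept only plain account names: %u arrives from the client and this script
# runs as root, so reject anything that could alter the path or an option list.
valid_user() {
    case $1 in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Map a space-separated group list to "soft hard" block limits in KiB.
# First matching group wins; all other users get the default.
# Assumes group names contain no spaces.
quota_for_groups() {
    for g in $1; do
        case $g in
            staff)    echo "10485760 11534336"; return ;;
            students) echo "1048576 1153434"; return ;;
        esac
    done
    echo "2097152 2306867"
}

# Create the home directory if it is missing (mode 0700, owned by the user),
# then apply the group-based quota.
prepare_home() {
    user=$1
    valid_user "$user" || { echo "rejected user name" >&2; return 1; }
    id "$user" >/dev/null 2>&1 || { echo "unknown user" >&2; return 1; }
    dir=$HOME_BASE/$user
    if [ ! -d "$dir" ]; then
        mkdir -m 0700 "$dir" && chown "$user": "$dir" || return 1
    fi
    set -- $(quota_for_groups "$(id -Gn "$user")")
    setquota -u "$user" "$1" "$2" 0 0 "$HOME_BASE"
}

# Called by Samba as: root preexec = /path/to/this/script '%u'
if [ $# -gt 0 ]; then
    prepare_home "$1"
fi
```
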