We are currently running samba3 nt4 domain controllers using smb-ldap-tools. We want to convert to samba4 ad so we can run new versions of windows server.

I know of:
https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

But that would break us by moving all ldap to the ad ldap.
We have lots of stuff in ldap.
Currently administer using ldap account manager.
We are in 5 cities and about 95% linux.
Have 7 openldap servers controlling everything.
Have just 3 nt4 domain controllers and only 3 windows servers on the domain. We have no windows workstations on the domain.
All workstations are linux ltsp and all windows is done via rdp.

Getting rid of the openldap is too painful to contemplate.
Even if I was willing to move all the authentication and authorization stuff to ad would still need openldap.

Seen references to solutions to sync ad to openldap like:
https://lsc-project.org/documentation/howto/activedirectory

Suspect there are other ways to attack the problem.
I'm willing to live with the issue of not being able to sync passwords from kerberos -> ldap.
May switch to kerberos for authentication at some point.

I have set up a lab environment to test migration.
I have not seen any cook book solutions.
Ready to test migration but not sure what to do next.

Any suggestions are appreciated.

John

-- 
John McMonagle
IT Manager
Advocap Inc.
On Tue, 19 Mar 2019 11:03:12 -0500
John McMonagle via samba <samba at lists.samba.org> wrote:

> We are currently running samba3 nt4 domain controllers using
> smb-ldap-tools. We want to convert to samba4 ad so we can run new
> versions of windows server.

Why do you need a newer Windows version? You state you have no Windows workstations.
But you are correct, you need to upgrade. Samba3 is dead, but has later versions; smbldap-tools is totally dead, there doesn't seem to be a source website anymore, it just needs a Perl upgrade that breaks it and you are lost.

> 
> I know of:
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
> 
> But that would break us by moving all ldap to the ad ldap.
> We have lots of stuff in ldap.

So what, most if not all of that could be moved to AD, though you may have to use later versions of your software or migrate to other, possibly better software.

> Currently administer using ldap account manager.
> We are in 5 cities and about 95% linux.

Looks like a probable good use of 'sites'.

> Have 7 openldap servers controlling everything.
> Have just 3 nt4 domain controllers and only 3 windows servers on the
> domain. We have no windows workstations on the domain.

As I said above, why do you need the Windows servers, what do they do?

> All workstations are linux ltsp and all windows is done via rdp.
> 
> Getting rid of the openldap is too painful to contemplate.
> Even if I was willing to move all the authentication and
> authorization stuff to ad would still need openldap.

Why, what do you use openldap for?

> 
> Seen references to solutions to sync ad to openldap like:
> https://lsc-project.org/documentation/howto/activedirectory
> 
> Suspect there are other ways to attack the problem.
> I'm willing to live with the issue of not being able to sync
> passwords from kerberos -> ldap.
> May switch to kerberos for authentication at some point.

Kerberos is undoubtedly the most secure.

Rowland
I'm open to alternatives but need to be up and running 24/7 on the linux side.
My boss hates windows more than I do and will likely be looking for a new job if I use windows to administer the linux side.
We only use windows if there is no other way to do something.

On 3/19/19 12:08 PM, Rowland Penny via samba wrote:
> On Tue, 19 Mar 2019 11:03:12 -0500
> John McMonagle via samba <samba at lists.samba.org> wrote:
> 
>> We are currently running samba3 nt4 domain controllers using
>> smb-ldap-tools. We want to convert to samba4 ad so we can run new
>> versions of windows server.
> 
> Why do you need a newer Windows version?

Running server 2008 and support is ending soon.

> You state you have no Windows workstations.
> But you are correct, you need to upgrade, Samba3 is dead, but has later
> versions, smbldap-tools is totally dead, there doesn't seem to be a
> source website anymore, it just needs a Perl upgrade that breaks it and
> you are lost.
> 
>> 
>> I know of:
>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>> 
>> But that would break us by moving all ldap to the ad ldap.
>> We have lots of stuff in ldap.
> 
> So what, most if not all of that could be moved to AD, though you may
> have to use later versions of your software or migrate to other,
> possibly better software.
> 

At the moment the main thing I can think of is the mail server uses it for mailing lists and all authentication and authorization.
All it takes is one crucial thing that ad will not do and it's eliminated as the only source of data.

>> Currently administer using ldap account manager.
>> We are in 5 cities and about 95% linux.
> 
> Looks like a probable good use of 'sites'

What is sites?

> 
>> Have 7 openldap servers controlling everything.
>> Have just 3 nt4 domain controllers and only 3 windows servers on the
>> domain. We have no windows workstations on the domain.
> 
> As I said above, why do you need the Windows servers, what do they do?

Accounting, anything that can not be done in linux.
All services are provided by linux.

> 
>> All workstations are linux ltsp and all windows is done via rdp.
>> 
>> Getting rid of the openldap is too painful to contemplate.
>> Even if I was willing to move all the authentication and
>> authorization stuff to ad would still need openldap.
> 
> Why, what do you use openldap for?

Pretty much all authorization and authentication, groups, mailing lists for hundreds of computers at 5 locations.

> 
>> 
>> Seen references to solutions to sync ad to openldap like:
>> https://lsc-project.org/documentation/howto/activedirectory
>> 
>> Suspect there are other ways to attack the problem.
>> I'm willing to live with the issue of not being able to sync
>> passwords from kerberos -> ldap.
>> May switch to kerberos for authentication at some point.
> 
> Kerberos is undoubtedly the most secure.
> 
> Rowland
> 
> 

-- 
John McMonagle
IT Manager
Advocap Inc.
Hi,

Just some small remarks:

On 3/19/19 5:03 PM, John McMonagle via samba wrote:
> But that would break us by moving all ldap to the ad ldap.
> We have lots of stuff in ldap.
> Currently administer using ldap account manager.
> We are in 5 cities and about 95% linux.
> Have 7 openldap servers controlling everything.

Perhaps you need to change your view upon AD. We were like you: we had everything in openldap/samba3. We migrated to AD a couple of years back, and now we have everything in AD (ldap), just like in the old days with openldap.
Even though we at this moment don't, you also can still use LAM to manage your samba AD.
Not so much will change. Just many configurations to edit, so do proper testing. :-)

> Getting rid of the openldap is too painful to contemplate.

Perhaps it is, perhaps it is not. In our case, it was not, even though I feared it would be.

> Even if I was willing to move all the authentication and authorization
> stuff to ad would still need openldap.

Perhaps you do have stuff in openldap that cannot be moved over, but I would not write off that option too easily.
We have generally been happy after our move away from openldap.

MJ