Hi there

On 12/04/2019 at 09:57, Marco Gaiarin via samba wrote:
> Hello, Vex Mage via samba,
> who wrote on that day...
>
>> I've spun up a Samba4 server and set it up as an active directory domain
>> controller and I can definitely see that this is a very robust system and
>> is working well however; I don't see a management solution to
>> synchronization between the campus LDAP server and Samba4 AD/DC.
> You can sync users simply by wrapping some 'ldapsearch' on the 'old' LDAP server
> and some 'samba-tool user create' on AD.
> I've set up some scripts, but they are probably so tightly bound to my setup
> that they would be of little or no help generally.
>
> To sync passwords, you can instead wrap 'check password script' in the old
> samba with 'samba-tool user syncpassword' in the new samba/AD, look at:
>
> https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP
>
> Supposing a frequent password change (3 months?) you can wait a bit to
> have passwords in sync, and then use both domains in 'parallel'.

I agree with Marco, I'm actually working on migrating a samba3 domain to a samba4 domain (with a different name).
A POC environment is set up on a separate network.
I populated Samba4/AD from samba3 with this very useful tool:
https://lsc-project.org/documentation/tutorial/openldaptoactivedirectory

Keep in mind you will have to map attributes from one to the other, and don't forget to synchronize uid/gid as Unix attributes in Samba4, so that your migrated users can still have access to their samba shares or whatever you had in your old samba3 domain.

And keep passwords synchronized between the two domains with this (it works as a trigger: once a password is updated on the samba4 server, it keeps it synchronized to your old ldap server):
https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

But there's a trick: you'll have to modify the script to update both the userPassword *AND* sambaNTPassword fields (the script only updates userPassword), so you can access your former samba resources.

@Rowland:

| See the answer above, plus there is a very big hole in your proposed
| set up, if your clients see the AD DC, they will not contact the NT4
| PDC again.

I've seen some setups where a company had a (real) AD domain and a samba3 domain working together on the same subnets with win7 or win10 workstations which could join one or the other domain without trouble.
What you mean is: if the samba4 domain has the same name as the samba3 domain, workstations won't be able to see the old one anymore once joined to the new one?
Or does it mean that whatever the name of the new samba4 domain is, if a workstation joins it, it won't be able to join the old domain anymore? (never tried it)

As my POC seems to work well, I intend to install it in production soon.
Is it recommended to set up the new samba4 domain in production on a different subnet or not?

Julien
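The "wrap ldapsearch on the old server with samba-tool user create on AD" approach from Marco's reply, and Julien's warning to carry uid/gid across as Unix attributes, as an added example (not the posters' own scripts, which were not shared). It reads an `ldapsearch -LLL` dump of the old OpenLDAP, skips entries that are not complete posixAccounts, and produces one `samba-tool user create` invocation per user with `--uid-number`/`--gid-number` (and `--unix-home`/`--login-shell`/`--nis-domain` when the source has them). The attribute names (uid, uidNumber, gidNumber, homeDirectory, loginShell, givenName, sn, mail), the base DN and the NIS domain name are assumptions about the old directory; the LDIF sample is constructed.

```python
"""Plan or run `samba-tool user create` for every posixAccount in an LDIF dump of
the old OpenLDAP, mapping RFC2307 attributes so migrated users keep their Unix
identity on shares.  Added example; assumes the old directory uses the standard
posixAccount/inetOrgPerson attributes named below (not confirmed by the thread)."""
import base64
import shlex
import subprocess
from typing import Dict, Iterator, List

# Constructed sample of `ldapsearch -x -LLL -b ou=People,dc=campus,dc=example
# '(objectClass=posixAccount)'` output: one base64 value, one entry with no uid.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=campus,dc=example
uid: jdoe
givenName: Jane
sn: Doe
mail: jdoe@campus.example
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/jdoe
loginShell: /bin/bash

dn: uid=bsmith,ou=People,dc=campus,dc=example
uid: bsmith
givenName:: Qm9i
sn: Smith
uidNumber: 10002
gidNumber: 10000
homeDirectory: /home/bsmith
loginShell: /bin/sh

dn: cn=svc-backup,ou=Services,dc=campus,dc=example
cn: svc-backup
uidNumber: 999
"""


def parse_ldif(text: str) -> Iterator[Dict[str, List[str]]]:
    """Minimal LDIF reader: `attr: value`, base64 `attr:: value`, folded
    continuation lines (leading space) and blank-line separated entries."""
    entry: Dict[str, List[str]] = {}
    pending = None  # (attr, raw_value, is_base64) of the line being assembled

    def flush() -> None:
        nonlocal pending
        if pending:
            attr, raw, is_b64 = pending
            value = base64.b64decode(raw).decode("utf-8") if is_b64 else raw
            entry.setdefault(attr, []).append(value)
            pending = None

    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith(" ") and pending:          # folded continuation
            attr, raw, is_b64 = pending
            pending = (attr, raw + line[1:], is_b64)
            continue
        flush()
        if not line.strip():                          # entry separator
            if entry:
                yield entry
                entry = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                      # `attr:: base64`
            pending = (attr.strip(), rest[1:].strip(), True)
        else:
            pending = (attr.strip(), rest.strip(), False)
    flush()
    if entry:
        yield entry


def samba_tool_create_argv(e: Dict[str, List[str]], nis_domain: str) -> List[str]:
    """Map one old-LDAP entry onto samba-tool options.  The account gets a random
    password here; the real one arrives later through the password-sync hook."""
    argv = ["samba-tool", "user", "create", e["uid"][0], "--random-password",
            "--uid-number", e["uidNumber"][0], "--gid-number", e["gidNumber"][0]]
    for attr, opt in (("givenName", "--given-name"), ("sn", "--surname"),
                      ("mail", "--mail-address"), ("homeDirectory", "--unix-home"),
                      ("loginShell", "--login-shell")):
        if e.get(attr):
            argv += [opt, e[attr][0]]
    # samba-tool expects the full RFC2307 set once --nis-domain is given, so only
    # add it when home directory and shell are also known.
    if e.get("homeDirectory") and e.get("loginShell"):
        argv += ["--nis-domain", nis_domain]
    return argv


def plan_migration(ldif_text: str, nis_domain: str) -> List[List[str]]:
    """Return one argv per complete posixAccount; incomplete entries are skipped."""
    return [samba_tool_create_argv(e, nis_domain) for e in parse_ldif(ldif_text)
            if e.get("uid") and e.get("uidNumber") and e.get("gidNumber")]


def run_plan(plans: List[List[str]], execute: bool = False) -> None:
    """Print each command; only call samba-tool when execute=True (on the AD DC)."""
    for argv in plans:
        print(shlex.join(argv))
        if execute:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    run_plan(plan_migration(SAMPLE_LDIF, "campus"))
```

Run it once in dry-run mode and diff the output against the old directory before passing `execute=True`; `samba-tool user create` fails on an account that already exists, so a re-runnable sync should first check with `samba-tool user show` (or switch to `samba-tool user edit`) for users it has already created.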
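Julien's trick above (the Samba4 to OpenLDAP hook must write sambaNTPassword as well as userPassword, or the old samba3 PDC will not accept the new password for NTLM logons) as an added example. This is not the tranquil.it script from the thread; it only shows the LDAP modify such a hook has to produce. Assumptions: the old directory uses the stock samba.schema attributes (sambaNTPassword, sambaPwdLastSet) and {SSHA} for userPassword; how the cleartext reaches this code (the `check password script` stdin, or the `--script` hook of what current Samba spells `samba-tool user syncpasswords`) is left to the caller. The DN and password in the usage are made up.

```python
"""Build the LDAP modify a Samba4 -> OpenLDAP password hook must send: userPassword
for LDAP-bound services AND sambaNTPassword for the samba3 PDC.  Added example
(not the thread's script).  Assumes samba.schema attribute names in the old DIT."""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional


def md4_pure(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python, for hosts whose OpenSSL build disables MD4."""
    mask = 0xFFFFFFFF

    def rotl(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & mask

    rounds = (  # (mixing function, additive constant, X[k] order, shift schedule)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = bytearray(data) + b"\x80"                       # pad to 56 mod 64, then
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # 64-bit LE bit length
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        r = list(state)
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4          # register updated this step: a, d, c, b, a, ...
                u, v, w = r[(t + 1) % 4], r[(t + 2) % 4], r[(t + 3) % 4]
                r[t] = rotl((r[t] + fn(u, v, w) + x[k] + const) & mask, shifts[i % 4])
        state = [(s + v) & mask for s, v in zip(state, r)]
    return struct.pack("<4I", *state)


def md4(data: bytes) -> bytes:
    """Prefer OpenSSL's MD4; OpenSSL 3 keeps it in the legacy provider, so fall back."""
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return md4_pure(data)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE password; samba stores it as upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def ssha(password: str, salt: Optional[bytes] = None) -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext against a stored {SSHA} value (for testing the hook)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def password_modify_ldif(dn: str, password: str, now: Optional[int] = None) -> str:
    """LDIF for `ldapmodify` that replaces BOTH hashes plus sambaPwdLastSet, so the
    samba3 side does not treat the entry as an expired/stale password.  The
    cleartext is never written anywhere; only the two hashes leave this function."""
    now = int(time.time()) if now is None else now
    lines = [f"dn: {dn}", "changetype: modify",
             "replace: userPassword", f"userPassword: {ssha(password)}", "-",
             "replace: sambaNTPassword", f"sambaNTPassword: {nt_hash(password)}", "-",
             "replace: sambaPwdLastSet", f"sambaPwdLastSet: {now}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Hypothetical user and password; feed the output to `ldapmodify -x -D ... -W`.
    print(password_modify_ldif("uid=jdoe,ou=People,dc=campus,dc=example", "password"))
```

Pipe the output into `ldapmodify` over LDAPS or ldapi only, bind with an identity that may write exactly these three attributes, and keep the hook from logging its stdin: the cleartext of every user in the domain passes through it. sambaLMPassword is deliberately left untouched; nothing still needs the LM hash.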
On Fri, 12 Apr 2019 12:06:14 +0200 Julien TEHERY via samba <samba at lists.samba.org> wrote:
> @Rowland:
>
> | See the answer above, plus there is a very big hole in your proposed
> | set up, if your clients see the AD DC, they will not contact the NT4
> | PDC again.
>
> I've seen some setups where a company had a (real) AD domain and a
> samba3 domain working together on the same subnets with win7 or win10
> workstations which could join one or the other domain without trouble.
> What you mean is: if the samba4 domain has the same name as the samba3 domain,
> workstations won't be able to see the old one anymore once joined to
> the new one? Or does it mean that whatever the name of the new samba4
> domain is, if a workstation joins it, it won't be able to join the
> old domain anymore? (never tried it)
>
> As my POC seems to work well, I intend to install it in production
> soon. Is it recommended to set up the new samba4 domain in production
> on a different subnet or not?

From my understanding, if you classicupgrade an NT4-style domain to an AD domain, once your clients see the new AD DC, they will not reconnect to the old PDC. The classicupgrade reuses the domain name, SID, etc, this is what matters.

Rowland
On 12/04/2019 at 12:44, Rowland Penny via samba wrote:
> On Fri, 12 Apr 2019 12:06:14 +0200
> Julien TEHERY via samba <samba at lists.samba.org> wrote:
> [...]
> From my understanding, if you classicupgrade an NT4-style domain to an
> AD domain, once your clients see the new AD DC, they will not reconnect
> to the old PDC. The classicupgrade reuses the domain name, SID, etc,
> this is what matters.
>
> Rowland

Ok, in my case I'm migrating from one to another and was wondering if this kind of trouble could happen or not.
Also wanted to share some interesting tools with Christian :)

Julien
Hello, Julien TEHERY via samba,
who wrote on that day...
> As my POC seems to work well, I intend to install it in production soon.
> Is it recommended to set up the new samba4 domain in production on a different subnet or not?

I've kept the old and new domain on the same subnet/IP space for months, and (provided that usernames and passwords are the same) accessed both without trouble.

Only a note: I've kept the WINS server of the old domain up & running, and pointed the new AD servers (but also the windows clients, via DHCP) to that WINS server, so the old domain sees the new server and vice versa.

--
dott. Marco Gaiarin   GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''   http://www.lanostrafamiglia.it/
On 12/04/2019 at 14:06, Marco Gaiarin via samba wrote:
> Hello, Julien TEHERY via samba,
> who wrote on that day...
>
>> As my POC seems to work well, I intend to install it in production soon.
>> Is it recommended to set up the new samba4 domain in production on a different subnet or not?
> I've kept the old and new domain on the same subnet/IP space for months,
> and (provided that usernames and passwords are the same) accessed both
> without trouble.
>
> Only a note: I've kept the WINS server of the old domain up & running,
> and pointed the new AD servers (but also the windows clients, via DHCP) to that
> WINS server, so the old domain sees the new server and vice versa.

Thanks Marco, good to know! :)
For the WINS server, it's also an interesting piece of information.
Julien,

Thank you, I hadn't even considered Samba4 updating the existing LDAP server. I think since the central campus LDAP will be authoritative, I'll allow it to override Samba4 and not have Samba4 push upstream.

What you described is how a group of our IT staff here are going to solve this problem. They've already created a proof of concept. In fact the reason I've taken this case is because I couldn't believe that Samba4 would require such a finessed solution to solve this problem; however, I'm starting to believe that it may be one of the ways we'll have to move forward.

Thank you!

On Fri, Apr 12, 2019 at 3:27 AM Julien TEHERY via samba <samba at lists.samba.org> wrote:
> I agree with Marco, I'm actually working on migrating a samba3 domain to
> a samba4 domain (with a different name).
> [...]
> Julien

--
Vex