Wed, 15 Jul 2020 21:08:44 +0100 Rowland penny via samba <samba at lists.samba.org>:

> On 15/07/2020 20:33, RhineDevil via samba wrote:
> > Could someone show me differences in both groups and users between a full NT4 LDAP schema and a full ActiveDirectory LDAP schema?
> I could, but we would be here all night, the AD schema is much larger.

Just a brief explanation, I need to know what fields are different and how to reproduce them if I choose to... let's SUPPOSE
Migrate data from /etc/passwd and /etc/group files
It would be nice knowing for ex if old sambaSID and new objectSID are the same thing, because I already know (from smbldap tools) how to calculate it

> > Is ActiveDirectory fully retrocompatible with NT4?
> No

So I guess I can't use an ldif file made for NT4 for populating an AD, right?

> >
> > There are plans for supporting again an OpenLDAP backend when LDAPcon objectives will be achieved?
> > https://ldapcon.org/2019/wp-content/events/presentations/ni_samba_backend.pdf
> That has been worked on for the last 8 years (at least) and it still
> doesn't work (not for want of trying)

How could I get an idea of what still needs to be done? AFAIK the project leader for this thing is on vacation

> >
> > Why a user in old NT4 schema looks like this:
> > dn: uid=myuser,ou=People,dc=mydomain
> > while in AD LDAP schema looks like this
> > dn: CN=myuser,CN=Users,DC=mydomain ?
> Because Microsoft decided it had to be that way.

What I meant is would uid=myuser,ou=People,dc=mydomain still work?

> >
> > To what extent is LDB retrocompatible (with abstractions of course) with ldif files made for OpenLDAP, could I import an ldif thought for old NT4 LDAP into LDB?
> If you are asking if the AD schema can be extended, then the answer is
> very possibly yes, you just need the correct ldifs and to apply them in
> the right order. There are schemas available that work without
> modification, for others, Samba provides a script to modify a schema to
> an AD ldif. You should be aware that extending the AD schema is one way,
> you can extend it, but you cannot remove the schema extension, so you
> should test any extensions before extending a production domain.

Thank you, what I meant is pretty much what I asked in "Is ActiveDirectory fully retrocompatible with NT4?"

> Rowland
On 15/07/2020 21:30, RhineDevil wrote:
> Wed, 15 Jul 2020 21:08:44 +0100 Rowland penny via samba <samba at lists.samba.org>:
>
> Just a brief explanation, I need to know what fields are different and how to reproduce them if I choose to... let's SUPPOSE
> Migrate data from /etc/passwd and /etc/group files
> It would be nice knowing for ex if old sambaSID and new objectSID are the same thing, because I already know (from smbldap tools) how to calculate it

Well, a SID is just a SID, but you do not calculate an objectSID, AD does this for you from the domain SID and the next available RID

>>> Is ActiveDirectory fully retrocompatible with NT4?
>> No
> So I guess I can't use an ldif file made for NT4 for populating an AD, right?

No, definitely not, to populate a new Samba AD domain, you would use 'samba-tool domain provision .........'

>>> There are plans for supporting again an OpenLDAP backend when LDAPcon objectives will be achieved?
>>> https://ldapcon.org/2019/wp-content/events/presentations/ni_samba_backend.pdf
>> That has been worked on for the last 8 years (at least) and it still
>> doesn't work (not for want of trying)
> How could I get an idea of what still needs to be done? AFAIK the project leader for this thing is on vacation

It is (as far as I am aware) a team of one and whilst it may one day come to fruition, I am not holding my breath. If it does, it will look nothing like an NT4-style domain, it will look like the present Samba AD, but sat on openldap.

>>> Why a user in old NT4 schema looks like this:
>>> dn: uid=myuser,ou=People,dc=mydomain
>>> while in AD LDAP schema looks like this
>>> dn: CN=myuser,CN=Users,DC=mydomain ?
>> Because Microsoft decided it had to be that way.
> What I meant is would uid=myuser,ou=People,dc=mydomain still work?

No, because it wouldn't be compatible with Microsoft AD.

>>> To what extent is LDB retrocompatible (with abstractions of course) with ldif files made for OpenLDAP, could I import an ldif thought for old NT4 LDAP into LDB?
>> If you are asking if the AD schema can be extended, then the answer is
>> very possibly yes, you just need the correct ldifs and to apply them in
>> the right order. There are schemas available that work without
>> modification, for others, Samba provides a script to modify a schema to
>> an AD ldif. You should be aware that extending the AD schema is one way,
>> you can extend it, but you cannot remove the schema extension, so you
>> should test any extensions before extending a production domain.
> Thank you, what I meant is pretty much what I asked in "Is ActiveDirectory fully retrocompatible with NT4?"

In that case, no, the Active Directory schema is totally different from the old NT4-style Samba schema.

Active Directory is totally different from the old NT4-style domains, it uses DNS and kerberos for a start.

Rowland
Wed, 15 Jul 2020 21:49:12 +0100 Rowland penny via samba <samba at lists.samba.org>:

> On 15/07/2020 21:30, RhineDevil wrote:
> > Wed, 15 Jul 2020 21:08:44 +0100 Rowland penny via samba <samba at lists.samba.org>:
> >
> > Just a brief explanation, I need to know what fields are different and how to reproduce them if I choose to... let's SUPPOSE
> > Migrate data from /etc/passwd and /etc/group files
> > It would be nice knowing for ex if old sambaSID and new objectSID are the same thing, because I already know (from smbldap tools) how to calculate it
> Well, a SID is just a SID, but you do not calculate an objectSID, AD
> does this for you from the domain SID and the next available RID

Dave, I'm afraid I can't do that. Since it would be an import from /etc flat files it won't be just as easy as typing `samba-tool user create $user`, transferring rfc2037 NIS data (including loginShell, uidNumber, gidNumber, homeDirectory etc) will be needed as well

> >>> Is ActiveDirectory fully retrocompatible with NT4?
> >> No
> > So I guess I can't use an ldif file made for NT4 for populating an AD, right?
> No, definitely not, to populate a new Samba AD domain, you would use
> 'samba-tool domain provision .........'
> >>> There are plans for supporting again an OpenLDAP backend when LDAPcon objectives will be achieved?
> >>> https://ldapcon.org/2019/wp-content/events/presentations/ni_samba_backend.pdf
> >> That has been worked on for the last 8 years (at least) and it still
> >> doesn't work (not for want of trying)
> > How could I get an idea of what still needs to be done? AFAIK the project leader for this thing is on vacation
> It is (as far as I am aware) a team of one and whilst it may one day
> come to fruition, I am not holding my breath. If it does, it will look
> nothing like an NT4-style domain, it will look like the present Samba
> AD, but sat on openldap.
> >>> Why a user in old NT4 schema looks like this:
> >>> dn: uid=myuser,ou=People,dc=mydomain
> >>> while in AD LDAP schema looks like this
> >>> dn: CN=myuser,CN=Users,DC=mydomain ?
> >> Because Microsoft decided it had to be that way.
> > What I meant is would uid=myuser,ou=People,dc=mydomain still work?
> No, because it wouldn't be compatible with Microsoft AD.
> >>> To what extent is LDB retrocompatible (with abstractions of course) with ldif files made for OpenLDAP, could I import an ldif thought for old NT4 LDAP into LDB?
> >> If you are asking if the AD schema can be extended, then the answer is
> >> very possibly yes, you just need the correct ldifs and to apply them in
> >> the right order. There are schemas available that work without
> >> modification, for others, Samba provides a script to modify a schema to
> >> an AD ldif. You should be aware that extending the AD schema is one way,
> >> you can extend it, but you cannot remove the schema extension, so you
> >> should test any extensions before extending a production domain.
> > Thank you, what I meant is pretty much what I asked in "Is ActiveDirectory fully retrocompatible with NT4?"
>
> In that case, no, the Active Directory schema is totally different from
> the old NT4-style Samba schema.
>
> Active Directory is totally different from the old NT4-style domains, it
> uses DNS and kerberos for a start.
>
> Rowland
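The migration RhineDevil describes (creating AD users from /etc/passwd while carrying the RFC 2307 attributes across) can be scripted around samba-tool rather than hand-written LDIF. This is an added example, not code from the thread or from Samba; it turns constructed passwd lines into `samba-tool user create` invocations using the RFC 2307 options that command accepts (`--nis-domain`, `--uid-number`, `--gid-number`, `--unix-home`, `--login-shell`, `--gecos`), and assumes those options are all supplied together, as recent Samba versions require before they will set the NIS attributes. Unix crypt hashes cannot be turned into AD password hashes, so every account gets a random password and users must reset it.

```python
import shlex
from dataclasses import dataclass

# Constructed sample /etc/passwd lines (not real accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
svc-backup:x:998:998::/var/lib/backup:/usr/sbin/nologin
"""


@dataclass
class PosixUser:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text, min_uid=1000):
    """Return a PosixUser for every non-system account (uid >= min_uid)."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, gid, gecos, home, shell = fields
        if int(uid) < min_uid:
            continue  # system accounts stay local; they do not belong in AD
        users.append(PosixUser(name, int(uid), int(gid), gecos, home, shell))
    return users


def samba_tool_command(user, nis_domain):
    """Build the samba-tool command that creates the AD user with RFC 2307 data."""
    # Assumption: samba-tool only sets the NIS attributes when all five
    # NIS-related options are given together, so always emit all of them.
    argv = [
        "samba-tool", "user", "create", user.name, "--random-password",
        "--nis-domain=" + nis_domain,
        "--uid-number=%d" % user.uid,
        "--gid-number=%d" % user.gid,
        "--unix-home=" + user.home,
        "--login-shell=" + user.shell,
    ]
    if user.gecos:
        argv.append("--gecos=" + user.gecos)
    return shlex.join(argv)  # shell-quoted, safe to paste or pipe to sh
```

Run `parse_passwd` over the real file and feed each command to a shell on the DC; the gidNumber values must already exist on AD groups (`samba-tool group add --gid-number ... --nis-domain ...`) for the primary group mapping to resolve.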