samba - Feb 2021 - Migrating MIT Kerberos based AD DC to Heimdal based AD DC

We operate a MIT Kerberos based single Samba 4.8.6 AD DC on Gentoo Linux
(BIND DLZ). I know, I know: very outdated!
The "setup" and LAN? is completely decoupled from the internet, with a
few Windows 10 members only.
It is not clear to me, what is the current status of the Kerberos based
AD DC
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
was last updated on March 2019.

Because it is getting harder to keep the Gentoo Linux up-to-date with
masking the current stable samba versions
and it's dependencies, I guess we have two options:
#1 update samba to the current stable of the gentoo portage tree: as I
told you, I am not sure that this is possible without any
issue.... Shall I update? We can live with the limitations of the MIT
Kerberos based AD DC.
#2 migrate to a Heimdal based AD DC. But how? Is there an offline way?
Or add a second, Heimdal based AD DC, demote the
Kerberos based (to much work)...?

Thank you for your support
Tibor





--------------------------------------------------
DSI Aerospace Technologie GmbH

Sitz der Gesellschaft: Otto-Lilienthal-Str. 1, D-28199 Bremen, Germany
Web: http://www.dsi-as.de

Geschaeftsfuehrer: Dr.-Ing. Christian Dierker
                   M. Sc. Elias Hashem

HRB 17726, Amtsgericht Bremen
USt-IdNr.: DE 192 681 774
--------------------------------------------------

On 03/02/2021 14:23, MATYAS, Tibor via samba wrote:
> We operate a MIT Kerberos based single Samba 4.8.6 AD DC on Gentoo Linux
> (BIND DLZ). I know, I know: very outdated!

I would be more concerned that you seem to be using an 'experimental' 
MIT Samba DC in production.

> The "setup" and LAN? is completely decoupled from the internet,
with a
> few Windows 10 members only.
> It is not clear to me, what is the current status of the Kerberos based
> AD DC
>
https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
> was last updated on March 2019.

It is still experimental and should only be used for testing purposes.

> Because it is getting harder to keep the Gentoo Linux up-to-date with
> masking the current stable samba versions
> and it's dependencies, I guess we have two options:
> #1 update samba to the current stable of the gentoo portage tree: as I
> told you, I am not sure that this is possible without any
> issue.... Shall I update? We can live with the limitations of the MIT
> Kerberos based AD DC.

Why would you want to ?

> #2 migrate to a Heimdal based AD DC. But how? Is there an offline way?
> Or add a second, Heimdal based AD DC, demote the
> Kerberos based (to much work)...?

The last method is the correct one to get a fully production supported 
Samba AD DC, Add a Samba AD DC using the Heimdal built into the Samba 
source, transfer all the FSMO roles to the new DC and then demote the 
original DC.

Rowland

On 2/3/21 10:23 AM, MATYAS, Tibor via samba wrote:
> Shall I update? We can live with the limitations of the MIT
> Kerberos based AD DC.
When I started migrating customers (small businesses) using NT 4 style 
domains to Samba AD. I tried a Samba AD linked with MIT Kerberos. 
Testing on a lab, it worked fine. So I decided to switch the smallest of 
the domains to it, and then started to experience bugs that only happen 
on the experimental MIT Kerberos based Samba, for example machine based 
GPOs not applying.

So all other domains where moved directly to Samba linked to Heimdal. 
That particular test domain, was moved to Heimdal only replacing the 
Samba binaries. All the Samba data files at $prefix/var remained the 
same and it was an easy migration without the need to join another DC 
with the new Samba and later demote the old one.

I remember I did that because I saw an old post of someone asking about 
that kind of MIT to Heimdal migration, and the response was that there 
aren't specific files based on the Kerberos implementation and that it 
should work, but there aren't guarantees of it working. It worked for 
this case, of a very small domain at that time.