Robert Marcano
2021-Feb-03 16:45 UTC
[Samba] Migrating MIT Kerberos based AD DC to Heimdal based AD DC
On 2/3/21 10:23 AM, MATYAS, Tibor via samba wrote:
> Shall I update? We can live with the limitations of the MIT
> Kerberos based AD DC.

When I started migrating customers (small businesses) using NT 4 style domains to Samba AD, I tried a Samba AD linked with MIT Kerberos. Testing in a lab, it worked fine. So I decided to switch the smallest of the domains to it, and then started to experience bugs that only happen on the experimental MIT Kerberos based Samba, for example machine based GPOs not applying.

So all other domains were moved directly to Samba linked to Heimdal. That particular test domain was moved to Heimdal only replacing the Samba binaries. All the Samba data files at $prefix/var remained the same and it was an easy migration without the need to join another DC with the new Samba and later demote the old one.

I remember I did that because I saw an old post of someone asking about that kind of MIT to Heimdal migration, and the response was that there aren't specific files based on the Kerberos implementation and that it should work, but there aren't guarantees of it working. It worked for this case, of a very small domain at that time.
Rowland Penny
2021-Feb-03 16:51 UTC
[Samba] Migrating MIT Kerberos based AD DC to Heimdal based AD DC
On 03/02/2021 16:45, Robert Marcano via samba wrote:
> On 2/3/21 10:23 AM, MATYAS, Tibor via samba wrote:
>> Shall I update? We can live with the limitations of the MIT
>> Kerberos based AD DC.
>
> When I started migrating customers (small businesses) using NT 4 style
> domains to Samba AD, I tried a Samba AD linked with MIT Kerberos.
> Testing in a lab, it worked fine. So I decided to switch the smallest
> of the domains to it, and then started to experience bugs that only
> happen on the experimental MIT Kerberos based Samba, for example
> machine based GPOs not applying.
>
> So all other domains were moved directly to Samba linked to Heimdal.
> That particular test domain was moved to Heimdal only replacing the
> Samba binaries. All the Samba data files at $prefix/var remained the
> same and it was an easy migration without the need to join another DC
> with the new Samba and later demote the old one.
>
> I remember I did that because I saw an old post of someone asking
> about that kind of MIT to Heimdal migration, and the response was that
> there aren't specific files based on the Kerberos implementation and
> that it should work, but there aren't guarantees of it working. It
> worked for this case, of a very small domain at that time.
>

That may have worked for you, but what if it doesn't for the OP? They could lose everything; joining a new DC is a lot safer.

Rowland