Samba 3 to Samba 4 Migration.
esiotrot at gmail.com
Fri Oct 29 01:43:51 MDT 2010
On 29 October 2010 03:23, William E Jojo <w.jojo at hvcc.edu> wrote:
> Hello all!
> Does the update_from_s3 migrate the users, passwords and SIDs from Samba3 into Samba 4 with LDB so that it is ready to be an active directory server? Or does it just become a Samba4 server that is NT 4 compatible?
Samba 4 acts as an AD domain controller, not an NT 4 PDC/BDC.
Lukasz Zalewski has recently migrated from s3 to s4.
Metze posted a script called myldap-pub.py that he had started on and
Luk has posted some patches. The script has not yet been imported
into the GIT repository and will be renamed before that happens.
> Our user database is in LDAP and we are testing migrating our users to AD and want to know if this is the right way to do it and the notes read:
I have not run an s3 PDC before, but I suspect myldap-pub.py is the
best way to go at the moment.
> We have to recommend against upgrading production servers
> from Samba 3 to Samba 4 at this stage, because there may be the features
> on which you may rely that are not present, or the mapping of
> your configuration and user database may not be complete.
> Which is fine since we are testing. It's the "user database may not be complete" that has me puzzled. We are attempting to avoid trying to migrate with ADMT into 2008 forcing us to re-password 60,000 users. Besides, we would like to continue to use Samba and I'm happy to test a more complicated setup with 60K+ entries in LDAP.
That sounds like it should work, but as mentioned, I've not tried it.
> Could someone provide the gory details of what may happen on the upgrade path when the users are in LDAP? We do not need to stay with OpenLDAP as the backend, this is strictly an exercise in user/password/SID migration.
At the moment the OpenLDAP backend is not working properly (unless
something's changed recently), so LDB is definitely the way to go.
> Any additional technical details would be greatly appreciated such as:
> * can new schemas be put into LDB or is it preferred to use referrals to another tree with that data?
AFAIK, you can't use custom schemas (schemata? :) with LDB yet.
> * will nis.schema attributes by migrated/mapped to SFU-like attributes in Samba 4 ?
I don't know.
> * can we extend LDB with something like the FreeRADIUS schema?
I don't think so.
> * can we dump the AD tree to a flat file for disaster recovery like we could with something like slapcat in OpenLDAP?
Perhaps ldbsearch will do what you want? See also tdbbackup and tdbdump.
> As always, we really appreciate your hard work and effort on such a fine product.
Michael Wood <esiotrot at gmail.com>
More information about the samba-technical