Samba3 / Samba4 migration -- question

Zombie Ryushu zombie_ryushu at
Tue Oct 18 23:16:07 MDT 2011

On 10/19/2011 12:42 AM, Zombie Ryushu wrote:
> On 10/18/2011 11:42 PM, Andrew Bartlett wrote:
>> On Tue, 2011-10-18 at 19:58 -0400, Zombie Ryushu wrote:
>>> I have a question here. This may be relevant. I thought that when
>>> migrating from S3 to S4, the key was to import S3's old Schema
>>> attributes normally used in OpenLDAP, and use S3's ldapsam backend to
>>> keep the S3 servers up to date with what is in S4's directory services.
>> No, this is not how Samba3 -> Samba4 migrations will happen.  As Samba3
>> and Samba4 do not share a common schema, it is not possible to keep s3
>> servers alive once the domain has been cut over.  Samba4 similarly
>> cannot operate against an OpenLDAP backend, it must use the internal
>> LDB.
>> The migration script will copy over all the samba-known attributes, but
>> will not migrate custom schema.  We can either extend the script to
>> handle some common cases here, or simply suggest that administrators run
>> a second python script to move objects to their desired final locations
>> and add any additional attributes or schema.
>> I hope this clarifies the options available for migration,
>> Andrew Bartlett
> This goes back to a problem that I have had. I understand that S4 will 
> make OpenLDAP and Heimdal Kerberos completely obsolete. Samba 4 
> provides the services they did as an LDAP server and Kerberos KDC.
> I experimented with this a few months back with S4 A15. (I am unable 
> to compile anything past A15 due to linking errors.)
> I have a fair number of OpenLDAP schemas that I use to control things 
> like FreeRADIUS, Postfix, eGroupware and sudoers. Samba 3 ldapsam
> attributes are among these. Samba 3's schema is the only one that
> wouldn't crash the migration tool on import on Alpha 15, or crash
> Samba 4 with a 'Constraint Violation.'
> I was fully expecting to be able to simply import the schemas of all 
> my OpenLDAP oriented applications including Samba 3 into Samba 4 for 
> compatibility purposes.
> The point is there are all these services that were built up and 
> integrated around the OpenLDAP database paradigm.
> I guess what I am getting at is that probably 80% of the time we're not
> talking about a migration from Samba 3 to Samba 4. We are talking
> about a migration from OpenLDAP, Heimdal Kerberos, and Samba 3 to
> Samba 4 alone.
> But OpenLDAP stores all these database attributes that have nothing to 
> do with Samba that all these other applications rely on? What if an 
> infrastructure keeps Samba 3 servers in place in some locations for
> compatibility reasons? The scary part is OpenLDAP going away.

More information about the samba-technical mailing list