Samba3 / Samba4 migration -- question

Gémes Géza geza at kzsdabas.hu
Wed Oct 19 07:24:38 MDT 2011


On 2011-10-19 07:16, Zombie Ryushu wrote:
> On 10/19/2011 12:42 AM, Zombie Ryushu wrote:
>> On 10/18/2011 11:42 PM, Andrew Bartlett wrote:
>>> On Tue, 2011-10-18 at 19:58 -0400, Zombie Ryushu wrote:
>>>
>>>> I have a question here. This may be relevant. I thought that when
>>>> migrating from S3 to S4, the key was to import S3's old Schema
>>>> attributes normally used in OpenLDAP, and use S3's ldapsam backend to
>>>> keep the S3 servers up to date with what is in S4's directory
>>>> services.
>>> No, this is not how samba3 ->  Samba4 migrations will happen.  As
>>> Samba3
>>> and Samba4 do not share a common schema, it is not possible to keep s3
>>> servers alive once the domain has been cut over.  Samba4 similarly
>>> cannot operate against an OpenLDAP backend, it must use the internal
>>> LDB.
>>>
>>> The migration script will copy over all the samba-known attributes, but
>>> will not migrate custom schema.  We can either extend the script to
>>> handle some common cases here, or simply suggest that administrators
>>> run
>>> a second python script to move objects to their desired final locations
>>> and add any additional attributes or schema.
>>>
>>> I hope this clarifies the options available for migration,
>>>
>>> Andrew Bartlett
>>>
>> This goes back to a problem that I have had. I understand that S4
>> will make OpenLDAP and Heimdal Kerberos completely obsolete. Samba 4
>> provides the services they did as an LDAP server and Kerberos KDC.
>>
>> I experimented with this a few months back with S4 A15. (I am unable
>> to compile anything past A15 due to linking errors.)
>>
>> I have a fair number of OpenLDAP schemas that I use to control things
>> like FreeRadius, PostFix, eGroupware and sudoers. Samba 3 ldapsam
>> attributes are among these. Samba 3's schema is the only one that
>> wouldn't crash the migration tool on import on Alpha 15, OR Crash
>> Samba 4 with a 'Constraint Violation.'
>>
>> I was fully expecting to be able to simply import the schemas of all
>> my OpenLDAP oriented applications including Samba 3 into Samba 4 for
>> compatibility purposes.
>>
>> The point is there are all these services that were built up and
>> integrated around the OpenLDAP database paradigm.
>>
>> I guess what I am getting at that probably 80% of the time we're not
>> talking about a migration from Samba 3, to Samba 4. We are talking
>> about a Migration from OpenLDAP, Heimdal Kerberos, and Samba 3, to
>> Samba 4 alone.
>>
>> But OpenLDAP stores all these database attributes that have nothing
>> to do with Samba that all these other applications rely on? What if
>> an infrastructure keeps Samba 3 Servers in place in some locations
>> for compatibility reasons? The scary part is OpenLDAP going away.
>
Hi,

I'm currently experimenting a similar upgrade scenario, where an
OpenLDAP+Heimdal+Samba3 controlled domain would get upgraded to Samba4.
My Heimdal+OpenLDAP critical apps are:
OpenAFS
SSH
Apache+mod_krb5
PowerDNS (ldap module)
ISC DHCPD (with an ldap database)
Sudoers

In my test setup (using a recent git clone) I was able to create an
OpenAFS cell using Samba4 as the KDC. IMHO the Heimdal part (OpenAFS, SSH,
mod_krb5) seems to be working. From PowerDNS I will need to migrate to
Bind-dlz (bind >=9.8.0 has a dlz dlopen module for which samba4
provisioned with --dns_backend=BIND9_DLZ is able to store the DNS
records in AD in the same manner as Windows200x does); I've already
started to work on zone2ad migration scripts. About DHCPD and Sudoers my
hope is in the oLschema2ldif tool, which is specifically written to convert
OpenLDAP schema files into AD schema ldif.

As we are in the same boat I'm happy to share my experience.


Cheers

Geza
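The conversion Géza is pinning his hopes on (OpenLDAP schema files into AD-style attributeSchema LDIF) is illustrated below as an added example. It is not Samba's oLschema2ldif source and not part of this thread; it is a small stand-alone Python script that parses `attributetype` definitions, maps the OpenLDAP syntax OID to AD's `attributeSyntax`/`oMSyntax` pair (values per MS-ADTS), and fails closed on syntaxes it cannot map, so that a custom attribute is never imported as the wrong type. The sample schema text, its `1.3.6.1.4.1.99999.*` OIDs and the attribute names are constructed for the example, and the schema container DN is assumed.

```python
"""Render OpenLDAP 'attributetype' definitions as AD attributeSchema LDIF.

Added illustration of what a schema converter has to do; this is NOT the
oLschema2ldif tool shipped with Samba, and the sample schema below is
constructed (fictitious OIDs under 1.3.6.1.4.1.99999).
"""
import base64
import re
import uuid

# OpenLDAP syntax OID -> (AD attributeSyntax, oMSyntax). Values from MS-ADTS.
# Note: AD has no per-attribute EQUALITY matching rule; case handling is
# implied by the syntax, so caseExactIA5Match vs caseIgnoreIA5Match is lost.
SYNTAX_MAP = {
    "1.3.6.1.4.1.1466.115.121.1.26": ("2.5.5.5", 22),   # IA5 String
    "1.3.6.1.4.1.1466.115.121.1.15": ("2.5.5.12", 64),  # Directory String
    "1.3.6.1.4.1.1466.115.121.1.27": ("2.5.5.9", 2),    # Integer
    "1.3.6.1.4.1.1466.115.121.1.7": ("2.5.5.8", 1),     # Boolean
    "1.3.6.1.4.1.1466.115.121.1.12": ("2.5.5.1", 127),  # DN
    "1.3.6.1.4.1.1466.115.121.1.40": ("2.5.5.10", 4),   # Octet String
}

# Matches one attributetype ( OID NAME 'x' ... ) block; DESC must not contain ')'.
ATTR_RE = re.compile(
    r"attributetype\s*\(\s*(?P<oid>[\d.]+)\s+NAME\s+(?P<name>'[^']*'|\([^)]*\))"
    r"(?P<body>.*?)\s*\)",
    re.DOTALL | re.IGNORECASE,
)


def parse_attributetypes(schema_text):
    """Return a list of dicts (oid, name, syntax, single_valued), one per definition."""
    attrs = []
    for m in ATTR_RE.finditer(schema_text):
        # NAME may be 'x' or ( 'x' 'alias' ); AD gets only the first name.
        name = m.group("name").strip("()' ").split("'")[0].strip()
        body = m.group("body")
        syn = re.search(r"SYNTAX\s+([\d.]+)", body)  # ignores a {len} suffix
        attrs.append({
            "oid": m.group("oid"),
            "name": name,
            "syntax": syn.group(1) if syn else None,
            "single_valued": bool(re.search(r"\bSINGLE-VALUE\b", body)),
        })
    return attrs


def to_ad_ldif(attr, schema_dn):
    """Render one parsed attribute as an attributeSchema LDIF entry.

    Raises ValueError when the syntax has no known AD equivalent: a schema
    extension in AD cannot be undone, so an unmapped type must be noticed
    rather than guessed.
    """
    if attr["syntax"] not in SYNTAX_MAP:
        raise ValueError(f"{attr['name']}: no AD mapping for syntax {attr['syntax']}")
    attr_syntax, om_syntax = SYNTAX_MAP[attr["syntax"]]
    # AD requires a unique schemaIDGUID; it is binary, so LDIF base64-encodes it.
    guid_b64 = base64.b64encode(uuid.uuid4().bytes_le).decode()
    lines = [
        f"dn: CN={attr['name']},{schema_dn}",
        "objectClass: top",
        "objectClass: attributeSchema",
        f"cn: {attr['name']}",
        f"lDAPDisplayName: {attr['name']}",
        f"attributeID: {attr['oid']}",
        f"attributeSyntax: {attr_syntax}",
        f"oMSyntax: {om_syntax}",
        f"isSingleValued: {'TRUE' if attr['single_valued'] else 'FALSE'}",
        f"schemaIDGUID:: {guid_b64}",
    ]
    return "\n".join(lines) + "\n"


def convert_schema(schema_text, schema_dn):
    """Convert every attributetype; return (ldif_text, names_skipped)."""
    out, skipped = [], []
    for attr in parse_attributetypes(schema_text):
        try:
            out.append(to_ad_ldif(attr, schema_dn))
        except ValueError:
            skipped.append(attr["name"])
    return "\n".join(out), skipped


# Constructed sample schema (shape of a sudoers-style schema, fictitious OIDs).
SAMPLE_SCHEMA = """
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleUser'
    DESC 'Users who may run commands'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'exampleOrder'
    DESC 'an integer to order entries'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.99999.1.3 NAME 'exampleBlob'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.99 )
"""

if __name__ == "__main__":
    # Assumed schema container DN for an example.com domain.
    ldif, skipped = convert_schema(SAMPLE_SCHEMA, "CN=Schema,CN=Configuration,DC=example,DC=com")
    print(ldif)
    print("skipped (unmapped syntax):", skipped)
```

The third attribute deliberately uses a syntax OID the map does not know and ends up in the skipped list instead of the LDIF; that is the case that produced the 'Constraint Violation' style failures the thread describes, and it is far better to see it before the LDIF reaches the schema partition than after. objectClass definitions, which AD models as classSchema entries with mustContain/mayContain, are not covered here.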