Migrating s3+ldap integrated solution (SambaEdu3) to s4 ?

denis bonnenfant denis.bonnenfant at diderot.org
Wed Apr 25 05:03:49 MDT 2012


I'm one of the maintainers of SambaEdu3 
http://wwdeb.crdp.ac-caen.fr/mediase3/index.php/Accueil, a French 
all-in-one solution for schools, based on Samba3, ldap, and a custom 
logon hack to allow .pol policies to be used as "pseudo-GPOs", dhcp 
reservations, application deployment with wpkg, automated cloning and 
unattended installs...

As Samba4 is getting more and more mature, I'm trying to figure out the 
migration path from our solution to a Samba4 one. It's a long-term goal, 
but as correct Seven integration in our domains raises some new issues, 
I'm wondering if it is worth solving them, or if starting to work on the 
s4 switch would be better.

- Directory and domain migration: we are using the standard samba3 
openldap schema, so the migration to the s4 builtin directory should work 
with migration scripts? The AD tree is quite "flat"; how to migrate 
existing branches?

- File and print server: an s3 server is still required; can it be 
located on the same machine? Are there any important issues in this area?

- GPO: As far as I understand, s4 serves standard policies generated 
with Windows tools. So the user must use Windows to generate them. Are 
there samba4-specific tools or libs allowing Linux-side GPO generation, 
typically a web python or php frontend allowing .admx/.adml parsing and 
.pol generation in conformance with the AD structure? We already have a 
python generator for .pol and a php frontend, but it uses a mysql 
database, not admx/adml.

- DNS/dhcp: I saw many messages about it on the list: can bind9 and 
dhcp integration be considered production-ready?

- Web frontend: we have our own ldap frontend. Switching it to the AD 
schema is not difficult, but it is time-consuming work. User experiences?

- DC replication: samba4 allows automatic DC replication. Is it 
production-ready?

- File server clustering / load balancing: are there any changes in 
this area with samba4? As the file server is still samba3 I guess not, 
but maybe I missed something...

The strength of the SE3 project is that it allows the user to manage a 
domain completely from a single web interface, GPO included, but the 
weakness is the hacky nature of our "pseudo GPO" system and the s3 domain 
controller.

So finally, the only missing thing will be a web frontend for GPO 
editing. Is this analysis true?

Thanks in advance for your advice, and maybe for sharing similar experiences.

Denis Bonnenfant
