Trust and migration from Samba Classic domains

Andrew Bartlett abartlet at
Fri Jun 1 18:17:50 UTC 2018

On Fri, 2018-06-01 at 10:10 +0200, ein via samba-technical wrote:
> Maybe because Samba AD did never received working trust relationship with Samba NT domain?
> Or maybe because migration process eats most of the LDAP tree data?


Just stepping back to the base assumption for a moment, I would like to
say that the parts of trusts between a Samba Classic (NT) domain and
Samba's AD DC are there.  The same code that allowed that between Samba
classic domains is still there (the most important part is winbindd)
and the rest falls mostly into place with the inter-forest trust
changes, particularly those now in 4.8.

Now, this isn't currently tested in Samba's make test, so I can't say
it is all working and there isn't some annoying blocker in the way, but
if this is the biggest issue your network faces, then at least give it
a try in the lab.  Once you know what works and what doesn't, you may
wish to work with a Samba developer to complete this feature, and
ensure it stays working by  putting it into our 'make test'.

The same can be said around the migration process.  The current
classicupgrade tool was always meant to be a starting point.  I had
imagined that folks would extend the tool to migrate other data (I
certainly designed that to be possible).  

Sadly the economics for patching the classicupgrade tool just don't add
up.  Each site is only ever migrated once, meaning that it is always
easier to write a local custom, site-specific script to go along after
classicupgrade than it is to patch and submit changes to the upstream
tool.  Even organisations that do these migrations professionally seem
to prefer this approach.

We would still appreciate contributions naturally. 

Finally, I would say that it we have seen time and time again the
migration is possible, even in live environments.  There is a fair bit
of experience on the list here, and companies that can help.

Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT

More information about the samba-technical mailing list