Trust and migration from Samba Classic domains

Andrew Bartlett abartlet at samba.org
Fri Jun 1 18:17:50 UTC 2018 

On Fri, 2018-06-01 at 10:10 +0200, ein via samba-technical wrote:
> Maybe because Samba AD did never received working trust relationship with Samba NT domain?
> Or maybe because migration process eats most of the LDAP tree data?

G'Day,

Just stepping back to the base assumption for a moment, I would like to
say that the parts of trusts between a Samba Classic (NT) domain and
Samba's AD DC are there.  The same code that allowed that between Samba
classic domains is still there (the most important part is winbindd)
and the rest falls mostly into place with the inter-forest trust
changes, particularly those now in 4.8.

Now, this isn't currently tested in Samba's make test, so I can't say
it is all working and there isn't some annoying blocker in the way, but
if this is the biggest issue your network faces, then at least give it
a try in the lab.  Once you know what works and what doesn't, you may
wish to work with a Samba developer to complete this feature, and
ensure it stays working by  putting it into our 'make test'.

The same can be said around the migration process.  The current
classicupgrade tool was always meant to be a starting point.  I had
imagined that folks would extend the tool to migrate other data (I
certainly designed that to be possible).  

Sadly the economics for patching the classicupgrade tool just don't add
up.  Each site is only ever migrated once, meaning that it is always
easier to write a local custom, site-specific script to go along after
classicupgrade than it is to patch and submit changes to the upstream
tool.  Even organisations that do these migrations professionally seem
to prefer this approach.

We would still appreciate contributions naturally. 

Finally, I would say that it we have seen time and time again the
migration is possible, even in live environments.  There is a fair bit
of experience on the list here, and companies that can help.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list