Trust and migration from Samba Classic domains

ein at
Fri Jun 1 19:39:43 UTC 2018

On 06/01/2018 08:17 PM, Andrew Bartlett wrote:
> On Fri, 2018-06-01 at 10:10 +0200, ein via samba-technical wrote:
>> Maybe because Samba AD never received a working trust relationship with a Samba NT domain?
>> Or maybe because migration process eats most of the LDAP tree data?
> G'Day,

Good morning.

Firstly, I'd like to apologize for my tone; it's frustration only.

> Just stepping back to the base assumption for a moment, I would like to
> say that the parts of trusts between a Samba Classic (NT) domain and
> Samba's AD DC are there.  The same code that allowed that between Samba
> classic domains is still there (the most important part is winbindd)
> and the rest falls mostly into place with the inter-forest trust
> changes, particularly those now in 4.8.
> Now, this isn't currently tested in Samba's make test, so I can't say
> it is all working and there isn't some annoying blocker in the way, but
> if this is the biggest issue your network faces, then at least give it
> a try in the lab.  Once you know what works and what doesn't, you may
> wish to work with a Samba developer to complete this feature, and
> ensure it stays working by putting it into our 'make test'.

Samba developer, namely?

Well, I wish I knew this after my 3rd rename. I think I'll try the classic
upgrade approach first. Thanks for pointing that out.

> The same can be said around the migration process.  The current
> classicupgrade tool was always meant to be a starting point.  I had
> imagined that folks would extend the tool to migrate other data (I
> certainly designed that to be possible).  

That's currently the idea: to script the export/import of custom attributes
from the old DC and to ldif it to the new one.

> Sadly the economics for patching the classicupgrade tool just don't add
> up.  Each site is only ever migrated once, meaning that it is always
> easier to write a local custom, site-specific script to go along after
> classicupgrade than it is to patch and submit changes to the upstream
> tool.  Even organisations that do these migrations professionally seem
> to prefer this approach.
> [...]

It's understandable, too much complexity and variability.

> Finally, I would say that we have seen time and time again the
> migration is possible, even in live environments.  There is a fair bit
> of experience on the list here, and companies that can help.

It's not that simple in my environment, we cannot just hire someone
because of the information confidentiality, therefore I can't even
use my own name.

Lastly, Andrew, thank you for the time. At least you gave me some
new options I didn't know about.

> Andrew Bartlett

PGP Public Key (RSA/4096b):
ID: 0xF2C6EA10
SHA-1: 51DA 40EE 832A 0572 5AD8 B3C0 7AFF 69E1 F2C6 EA10
