Trust and migration from Samba Classic domains
ein.net at gmail.com
Fri Jun 1 19:39:43 UTC 2018
On 06/01/2018 08:17 PM, Andrew Bartlett wrote:
> On Fri, 2018-06-01 at 10:10 +0200, ein via samba-technical wrote:
>> Maybe because Samba AD never received a working trust relationship with a Samba NT domain?
>> Or maybe because migration process eats most of the LDAP tree data?
Firstly, I'd like to apologize for my tone, it's frustration only.
> Just stepping back to the base assumption for a moment, I would like to
> say that the parts of trusts between a Samba Classic (NT) domain and
> Samba's AD DC are there. The same code that allowed that between Samba
> classic domains is still there (the most important part is winbindd)
> and the rest falls mostly into place with the inter-forest trust
> changes, particularly those now in 4.8.
> Now, this isn't currently tested in Samba's make test, so I can't say
> it is all working and there isn't some annoying blocker in the way, but
> if this is the biggest issue your network faces, then at least give it
> a try in the lab. Once you know what works and what doesn't, you may
> wish to work with a Samba developer to complete this feature, and
> ensure it stays working by putting it into our 'make test'.
Samba developer, namely?
Well, I wish I knew this after my 3rd rename. I think I'll try the classic
upgrade approach first. Thanks for pointing that out.
> The same can be said around the migration process. The current
> classicupgrade tool was always meant to be a starting point. I had
> imagined that folks would extend the tool to migrate other data (I
> certainly designed that to be possible).
That's currently the idea, to script export/import of custom attributes
from the old DC and to ldif it to the new one.
> Sadly the economics for patching the classicupgrade tool just don't add
> up. Each site is only ever migrated once, meaning that it is always
> easier to write a local custom, site-specific script to go along after
> classicupgrade than it is to patch and submit changes to the upstream
> tool. Even organisations that do these migrations professionally seem
> to prefer this approach.
It's understandable, too much complexity and variability.
> Finally, I would say that we have seen time and time again the
> migration is possible, even in live environments. There is a fair bit
> of experience on the list here, and companies that can help.
It's not that simple in my environment, we cannot just hire someone
because of the information confidentiality, therefore I can't even
use my own name.
Lastly, Andrew, thank you for the time. At least you gave me some
new options I didn't know about.
> Andrew Bartlett
PGP Public Key (RSA/4096b):
SHA-1: 51DA 40EE 832A 0572 5AD8 B3C0 7AFF 69E1 F2C6 EA10