Trust and migration from Samba Classic domains
abartlet at samba.org
Sun Jun 3 04:08:23 UTC 2018
On Fri, 2018-06-01 at 21:39 +0200, ein wrote:
> On 06/01/2018 08:17 PM, Andrew Bartlett wrote:
> > On Fri, 2018-06-01 at 10:10 +0200, ein via samba-technical wrote:
> > > Maybe because Samba AD did never received working trust relationship with Samba NT domain?
> > > Or maybe because migration process eats most of the LDAP tree data?
> > G'Day,
> Good morning.
> Firstly, I'd like to apologize for my tone, it's frustration only.
It certainly sounds like you are managing a complex situation. I'm
sorry if Samba has made it any more frustrating than it naturally is.
> > Just stepping back to the base assumption for a moment, I would like to
> > say that the parts of trusts between a Samba Classic (NT) domain and
> > Samba's AD DC are there. The same code that allowed that between Samba
> > classic domains is still there (the most important part is winbindd)
> > and the rest falls mostly into place with the inter-forest trust
> > changes, particularly those now in 4.8.
> > Now, this isn't currently tested in Samba's make test, so I can't say
> > it is all working and there isn't some annoying blocker in the way, but
> > if this is the biggest issue your network faces, then at least give it
> > a try in the lab. Once you know what works and what doesn't, you may
> > wish to work with a Samba developer to complete this feature, and
> > ensure it stays working by putting it into our 'make test'.
> Samba developer, namely?
We hang out here, and are listed, along with some of the companies we
work for here:
> Well, I wish I knew this after my 3rd rename. I think I'll try classic
> upgrade approach first. Thanks for pointing that out.
This is the approach most organisations use. Some do it site-by-site,
which is possible with some care.
> > The same can be said around the migration process. The current
> > classicupgrade tool was always meant to be a starting point. I had
> > imagined that folks would extend the tool to migrate other data (I
> > certainly designed that to be possible).
> That's currently the idea, to script export/import of custom attributes
> from old DC and to ldif it to new one.
> > Sadly the economics for patching the classicupgrade tool just don't add
> > up. Each site is only ever migrated once, meaning that it is always
> > easier to write a local custom, site-specific script to go along after
> > classicupgrade than it is to patch and submit changes to the upstream
> > tool. Even organisations that do these migrations professionally seem
> > to prefer this approach.
> > [...]
> It's understandable, too much complexity and variability.
> > Finally, I would say that we have seen time and time again that the
> > migration is possible, even in live environments. There is a fair bit
> > of experience on the list here, and companies that can help.
> It's not that simple in my environment, we cannot just hire someone
> because of the information confidentiality, therefore I can't even
> use my own name.
This sounds tricky. However, I hope you can get some help; even without
seeing the information, Samba can be improved and good advice given to make
it easier for you.
> Lastly, Andrew, thank you for the time. At least you gave me some
> new options I didn't know about.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
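The thread's suggested approach (run classicupgrade, then a local site-specific script that carries custom attributes from the old LDAP tree into the new AD DC via LDIF) could look like the following. This is an added example, not code from the list or from Samba; the attribute list, the CN=Users placement of migrated accounts, the domain suffixes and the sample LDIF are all constructed assumptions.

```python
"""Post-classicupgrade helper (hypothetical): read an LDIF dump of the old
Samba Classic LDAP tree and emit a 'changetype: modify' LDIF that re-applies
selected custom attributes to the matching accounts on the new AD DC."""
import base64

# Constructed sample dump of two accounts from the old domain (not real data).
SAMPLE_OLD_LDIF = """\
dn: uid=jdoe,ou=People,dc=old,dc=example
objectClass: sambaSamAccount
uid: jdoe
sambaSID: S-1-5-21-1111-2222-3333-1105
employeeNumber: 4711
description: Accounting,
  building B
description: second value

dn: uid=svc_backup,ou=People,dc=old,dc=example
uid: svc_backup
employeeNumber: 9001
"""

CARRY = ("employeeNumber", "description")   # assumed custom attributes to migrate
NEW_BASE = "CN=Users,DC=ad,DC=example"       # assumed: classicupgrade puts users under CN=Users


def unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, multi-valued attrs, base64 '::' values."""
    entries, cur = [], {}
    for line in unfold(text) + [""]:
        if not line:
            if cur:
                entries.append(cur)
            cur = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode()
        cur.setdefault(name, []).append(value.strip())
    return entries


def to_modify_ldif(entries, carry=CARRY, new_base=NEW_BASE):
    """Build one modify record per account, keyed on uid -> CN under the new base."""
    records = []
    for entry in entries:
        uid = entry.get("uid", [None])[0]
        mods = [(a, entry[a]) for a in carry if a in entry]
        if not uid or not mods:
            continue                            # nothing to carry for this account
        rec = [f"dn: CN={uid},{new_base}", "changetype: modify"]
        for attr, values in mods:
            rec.append(f"replace: {attr}")
            rec.extend(f"{attr}: {v}" for v in values)
            rec.append("-")
        records.append("\n".join(rec))
    return "\n\n".join(records) + "\n"
```

The output is meant to be reviewed and then fed to `ldbmodify` or `ldapmodify` against the new DC, so a dry run against a lab DC first is the natural check.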