Trust and migration from Samba Classic domains

Andrew Bartlett abartlet at
Sun Jun 3 04:08:23 UTC 2018

On Fri, 2018-06-01 at 21:39 +0200, ein wrote:
> On 06/01/2018 08:17 PM, Andrew Bartlett wrote:
> > On Fri, 2018-06-01 at 10:10 +0200, ein via samba-technical wrote:
> > > Maybe because Samba AD never received a working trust relationship with a Samba NT domain?
> > > Or maybe because migration process eats most of the LDAP tree data?
> > 
> > G'Day,
> Good morning.
> Firstly, I'd like to apologize for my tone, it's frustration only.

It certainly sounds like you are managing a complex situation.  I'm
sorry if Samba has made it any more frustrating than it naturally is.

> > Just stepping back to the base assumption for a moment, I would like to
> > say that the parts of trusts between a Samba Classic (NT) domain and
> > Samba's AD DC are there.  The same code that allowed that between Samba
> > classic domains is still there (the most important part is winbindd)
> > and the rest falls mostly into place with the inter-forest trust
> > changes, particularly those now in 4.8.
> > 
> > Now, this isn't currently tested in Samba's make test, so I can't say
> > it is all working and there isn't some annoying blocker in the way, but
> > if this is the biggest issue your network faces, then at least give it
> > a try in the lab.  Once you know what works and what doesn't, you may
> > wish to work with a Samba developer to complete this feature, and
> > ensure it stays working by putting it into our 'make test'.
> Samba developer, namely?

We hang out here, and are listed, along with some of the companies we
work for here:

> Well, I wish I knew this after my 3rd rename. I think I'll try classic
> upgrade approach first. Thanks for pointing that out.

This is the approach most organisations use.  Some do it site-by-site,
which is possible with some care.

> > The same can be said around the migration process.  The current
> > classicupgrade tool was always meant to be a starting point.  I had
> > imagined that folks would extend the tool to migrate other data (I
> > certainly designed that to be possible).
> That's currently the idea, to script export/import of custom attributes
> from old DC and to ldif it to new one.
> > Sadly the economics for patching the classicupgrade tool just don't add
> > up.  Each site is only ever migrated once, meaning that it is always
> > easier to write a local custom, site-specific script to go along after
> > classicupgrade than it is to patch and submit changes to the upstream
> > tool.  Even organisations that do these migrations professionally seem
> > to prefer this approach.
> > [...]
> It's understandable, too much complexity and variability.
> > Finally, I would say that it we have seen time and time again the
> > migration is possible, even in live environments.  There is a fair bit
> > of experience on the list here, and companies that can help.
> It's not that simple in my environment, we cannot just hire someone
> because of the information confidentiality, therefore I can't even
> use my own name.

This sounds tricky.  However, I hope you can get some help; even without
seeing information, Samba can be improved and good advice given to make
it easier for you.

> Lastly, Andrew, thank you for the time. At least you gave me some
> new options I didn't know about.

No worries!

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
