[Samba] how to migrate to samba-ldap transparently?
craigwhite at azapple.com
Fri Nov 11 14:28:51 GMT 2005
On Fri, 2005-11-11 at 07:46 -0500, Pablo Chamorro C. wrote:
> >> Does anybody know if this process can be done transparently without
> >> rejoining every PC to the domain? How? We have disabled the roaming profiles
> >> option. We have some 100 clients/users.
> > ----
> > Nowhere do you say what type of system is currently the PDC and that
> > probably matters.
> It is a samba 3.0.5-2 one under RH 9.0. This domain was built from scratch,
> without any NT to Samba migration. Now we are changing the local
> authentication for one based on openldap.
> The person who is leading the migration says that when a windows machine
> is joined a password in the field "sambaNTPassword" is created and the
> rejoin process is required in order to register that password in openldap.
> That's what I understand.
> But, e.g. we have another PDC with FC4 and samba 3.0.15, so the question
> was in general, but if there is a specific answer it is worthwhile for us.
> I tried to post this query to the openldap list but the administrator
> classified my email as 'off topic'!
Actually, the passdb you use is not of consequence to this issue. A
machine account on a Windows domain is somewhat like a user account in
that there is an SID and a password that are readily understood by both
the machine joined to the domain and the domain controller(s). That
password is going to be stored on the domain controller in whichever
form of passdb a samba DC is using.
Each domain would necessarily have a different SID and that SID affects
all systems and users.
If you have 2 domains and a number of Windows computers attached to both
domains and you want to consolidate into one domain, there really is
little choice but to join the Windows computers to the one remaining
domain as there is no simpler way to change the SID of the machine to
If you have user profiles that need to be saved/migrated from one domain
to the other, see the samba documentation for a comprehensive discussion
on migrating user profiles.
Thus, this never was an LDAP question but if you are talking about the
openldap mail list, they are very provincial in that the discussions on
that list are specifically about their software and not about
integration. If you want mailing lists where ldap integration is
appropriate, you might want to check ldap at umich.edu and ldap-interop at fini.net
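One way to confirm, before telling users that no rejoin is needed, that the machine trust accounts and their passwords really came across when the passdb backend was switched as described above. This is an added example, not code from the thread; it assumes both backends were dumped with `pdbedit -Lw` (smbpasswd format), and the sample dumps, names and hashes below are constructed.

```python
"""Check that Samba machine (workstation trust) accounts survived a passdb migration.
Added example, not code from the thread. Assumed workflow: dump the old backend
(tdbsam) and the new one (ldapsam) with `pdbedit -Lw`, whose smbpasswd-format lines
read  name:uid:LMHASH:NTHASH:[flags]:LCT-hex:  A machine account ends in '$', carries
the 'W' flag, and its NT hash is the trust password the PC presents (sambaNTPassword
once the backend is LDAP).
"""

def parse_smbpasswd(text):
    """Return {name: (nt_hash, flags)} for every account line in a dump."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            raise ValueError(f"malformed smbpasswd line: {line!r}")
        name, _uid, _lm, nt, flags = fields[:5]
        accounts[name] = (nt.upper(), flags.strip("[] "))
    return accounts

def is_machine_account(name, flags):
    return name.endswith("$") and "W" in flags

def check_machine_accounts(old_dump, new_dump):
    """List (name, reason) for each machine account that did not migrate intact."""
    old, new = parse_smbpasswd(old_dump), parse_smbpasswd(new_dump)
    problems = []
    for name, (nt, flags) in old.items():
        if not is_machine_account(name, flags):
            continue
        if name not in new:
            problems.append((name, "missing from new passdb; this PC would need a rejoin"))
        elif new[name][0] != nt:
            problems.append((name, "NT hash differs; the trust password no longer matches"))
        elif "W" not in new[name][1]:
            problems.append((name, "lost the workstation 'W' flag"))
    return problems

# Constructed sample dumps; the hashes are placeholders, not real values.
OLD_TDBSAM = """\
pc01$:1101:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:11111111111111111111111111111111:[W          ]:LCT-4373ED2F:
pc02$:1102:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:22222222222222222222222222222222:[W          ]:LCT-4373ED2F:
pc03$:1103:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:33333333333333333333333333333333:[W          ]:LCT-4373ED2F:
"""
NEW_LDAPSAM = """\
pc01$:1101:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:11111111111111111111111111111111:[W          ]:LCT-4373ED2F:
pc02$:1102:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:DEADBEEFDEADBEEFDEADBEEFDEADBEEF:[W          ]:LCT-4373ED2F:
"""
```

Run against the two constructed dumps, pc01$ passes, pc02$ is reported with a changed hash and pc03$ as missing; only those two PCs would need attention.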