[Samba] S4 - Upgrade options from S3

Andrew Bartlett abartlet at samba.org
Fri Sep 9 07:38:47 MDT 2011

On Fri, 2011-09-09 at 14:44 +0200, Matthieu Patou wrote:
> Hi Thys,
> > We've been running samba3 with an ldap backend for several years now in our
> > company. We use a separate exchange server for email, requiring users to
> > keep two separate passwords - one for the domain (samba) and one for
> > exchange.
> >
> > I've been looking at samba4 for a while and am running a test server with
> > it, built from the latest git source as per the howto description. We would
> > be quite happy to use the current s4 in production if we could migrate the
> > user and computer accounts seamlessly (more or less).
> >
> > I know the upgrade from s3 to s4 is one of the priorities for S4, but
> > looking through the lists it seems there already are possible usable upgrade
> > scripts available. It is however not clear exactly what the capabilities or
> > options are.
> >
> > Can someone please answer the following questions:
> >
> > 1. From what I see it looks like the upgrade script upgrades an existing s3
> > installation (on the same machine) to s4. Does it also migrate password
> > info, i.e. is it possible to do a seamless transition without having to
> > modify passwords individually?

That's exactly what it was written to achieve. 

> > 2. Can the current upgrade script convert s3 user and machine accounts to s4
> > where s3 uses an ldap backend?


> > 3. If yes, please point me in the right direction re. parameters etc. Can I
> > export the ldif database and use this as input to the upgrade script? This
> > would be helpful in that I can leave the production server running
> > (unmodified) and test the s4 database on a separate test machine.
> I copy the technical list for this S4 related question, I guess Amitay 
> and Andrew that are taking care of this script will be ready to help

No, the upgrade script requires runtime access to the old database.  It
does not (intentionally) modify the DB, but it must read it at runtime,
not via an LDIF file. 

Be very careful to note that once a Windows client finds a domain has
been upgraded to AD, some NT4 features like poledit style NT4 system
policy will no longer work, even if the AD servers are turned off.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
