[Samba] Migrate to samba 4 in ( relatively ) complex openLDAP environment

Andrew Bartlett abartlet at samba.org
Fri Dec 14 05:03:35 MST 2012

On Thu, 2012-12-13 at 16:54 +0100, andreas wrote:
> Hello,
> we, a public hospital, would like to migrate to samba4 from our samba3.x 
> environment. According to the documentation samba4 does use an internal ldap 
> server.
> We use openLDAP as directory for 
> samba
> horde
> Oracle name resolution
> zope user authentication, 
> Checkpoint Firewall authentication (only few users ), 
> squid proxy authentication,
> logon authentication to our linux servers, 
> logon authentication to our enterasys switches via freeradius

This will be a long process, and one that will probably benefit from the
extension of some of our scripts, or the writing of additional scripts.

You can of course continue using the 'classic' domain you already have
with Samba 4.0, but without the AD features, while you prepare the

Specifically, the 'samba-tool domain classicupgrade' tool does not
currently pick up the additional attributes, and doesn't know how to
import the additional schema that may be required in any case.  You will
have to convert the schema to AD format, load it and then add the
attributes back on to the users/groups/hosts.

Other attributes don't make sense in an AD environment, where things
like the shadowExpires attributes are instead handled by Samba's
internal account expiry code. 

I would like to work with you, not only if you do manage to improve our
scripts, but also to share your experiences so that others in a
similarly complex situation can get some guidance. 

I'm sorry this isn't as simple as we would prefer, but I'm sure we can
work something out. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
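As an added illustration of the "add the attributes back" step described in the reply above (this is example code, not a Samba Team script or part of the original mail): a small Python helper that parses an OpenLDAP LDIF export and emits LDIF `changetype: modify` records to restore selected per-user attributes on the corresponding AD entries. The AD container, the `CN=<uid>` DN shape, the attribute list and the sample export are all assumptions.

```python
# Added example (not from the post): after 'samba-tool domain classicupgrade',
# re-add per-user attributes it did not carry over. Parses a constructed
# OpenLDAP LDIF export and emits LDIF 'changetype: modify' records for the
# matching AD entries. Container, DN shape and attribute list are assumptions.
AD_USERS_BASE = "CN=Users,DC=example,DC=com"          # assumed AD container
CARRY_OVER = ("mail", "loginShell", "homeDirectory")  # assumed extras to keep
# shadowExpire etc. are deliberately not listed: Samba handles expiry itself.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
mail: alice@example.com
loginShell: /bin/bash
homeDirectory: /home/alice
shadowExpire: 16000

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
shadowLastChange: 15000
"""  # constructed sample export, not real data

def parse_ldif(text):
    """Minimal LDIF parser -> [(dn, {attr: [values]})]; no base64 or folded lines."""
    entries, attrs, dn = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():                 # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
            continue
        name, _, value = line.partition(":")
        if name == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name, []).append(value.strip())
    return entries

def modify_ldif(entries):
    """One 'changetype: modify' record per user that has attributes to restore."""
    records = []
    for _dn, attrs in entries:
        kept = [(a, attrs[a]) for a in CARRY_OVER if a in attrs]
        if not kept:                         # e.g. bob: nothing to carry over
            continue
        rec = [f"dn: CN={attrs['uid'][0]},{AD_USERS_BASE}", "changetype: modify"]
        for attr, values in kept:
            rec.append(f"replace: {attr}")
            rec.extend(f"{attr}: {v}" for v in values)
            rec.append("-")
        records.append("\n".join(rec))
    return "\n\n".join(records) + "\n"
```

Feed the output to `ldbmodify` against the Samba AD database only after the converted schema has been loaded, otherwise the unknown attributes will be rejected.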
