[Samba] [samba] OpenLDAP proxy to samba4 AD

Rowland Penny rowlandpenny at googlemail.com
Sat Dec 6 10:08:10 MST 2014


On 06/12/14 16:44, Elias Pereira wrote:
> Rowland,
>
> The *openldap* will be the same that is already working on our campus 
> (technological courses).
>
> I have samba3 on a freebsd, but the samba4 I will switch to Debian.
>
> I believe that in addition to the *smb.conf*, I have to also copy the 
> following folders:
>
> */etc/samba/*
> */var/lib/samba/*
>
> Proceeds?

It has been some time since I did any of this, but if your samba users 
and their passwords are stored in ldap, then you don't really need 
anything else because if everything else is set up correctly, then samba 
will create new files. The only thing that I did forget: your users will 
also have to be Unix users as well, so you need to migrate the Unix 
users & groups as well, along with their passwords.

Anybody else have anything to add?

Rowland

>
> On Sat, Dec 6, 2014 at 2:23 PM, Rowland Penny 
> <rowlandpenny at googlemail.com> wrote:
>
>     On 06/12/14 16:12, Elias Pereira wrote:
>>     I greatly appreciate the answers. They are of great value to me and to
>>     others who, like me, do not have much experience.
>>
>>     Another question. :D
>>
>>     I believe that we will use Debian as the distribution for the new
>>     Samba4. What do I need to copy from the old to the new distro?
>>
>>     On Sat, Dec 6, 2014 at 12:49 PM, Rowland Penny
>>     <rowlandpenny at googlemail.com> wrote:
>>
>>         On 06/12/14 14:32, Elias Pereira wrote:
>>
>>             Hello Marc,
>>
>>             I appreciate your response, as well as the other members.
>>             Reading your answer, I believe I found what I wanted.
>>             Option 3, the principle is what I need right now. I'll try
>>             to explain.
>>
>>             Today in production, we have the samba3 + openldap. The
>>             samba3 is installed on a freebsd, but has some problems
>>             that we cannot detect. My boss does not want to drop the
>>             openldap now. We have discussed it, and he does not want
>>             to. :D
>>
>>             Let's get this straight. What you say under option 3, can
>>             I upgrade to Samba4 and continue using openldap the same
>>             way we are using now, i.e. samba3 + openldap? Then it would
>>             be Samba4 (without AD DC) + openldap. Would that be it?
>>
>>             On Sat, Dec 6, 2014 at 11:56 AM, Marc Muehlfeld
>>             <mmuehlfeld at samba.org> wrote:
>>
>>                 Hello Elias,
>>
>>                 Am 06.12.2014 um 14:44 schrieb Elias Pereira:
>>
>>                     We already have an Openldap in production, with a
>>                     samba3. What I am wanting to do is install the
>>                     Samba4, and still continue to use the "openldap" for
>>                     authentication of users in various services that
>>                     are operating.
>>
>>                     You think it's possible?
>>
>>                 Depends on what your exact plan on this is. You're
>>                 still not very detailed. ;-)
>>
>>
>>
>>                 1.) If you do the classicupgrade to Samba AD then all
>>                 your workstations will use the Samba AD for
>>                 authentication. You have to turn off your Samba PDC
>>                 service then. Of course, you can keep the openLDAP to
>>                 authenticate other services against. But this is a
>>                 separate database and passwords won't change in
>>                 openLDAP, if users do in AD.
>>
>>                 This would be a way for a slower migration to Samba
>>                 AD and hooking up the other services to AD afterwards
>>                 (with the disadvantage of e.g. the password situation).
>>
>>
>>
>>                 2.) If you're having other services, that should not
>>                 contact DCs directly (like hosts in DMZ), you can use
>>                 the openLDAP proxy documentation from the Wiki.
>>
>>
>>
>>                 3.) If you don't want/need to move to Samba AD, then
>>                 simply upgrade as usual and continue running Samba as
>>                 NT4 PDC. Samba 4 doesn't require you to migrate to AD:
>>
>>                 https://wiki.samba.org/index.php/Updating_Samba#Common_misconceptions_about_Samba_4
>>
>>
>>
>>                 If this doesn't answer your question, then please give
>>                 a comprehensive overview about your current setup, the
>>                 setup you plan to get and about your environment. This
>>                 would make it easier to help, instead of guessing. ;-)
>>
>>
>>
>>
>>                 Regards,
>>                 Marc
>>
>>
>>
>>
>>         Hi, it might help if you read this:
>>         https://wiki.samba.org/index.php/Samba_Readme_First
>>
>>
>>         Note to Marc, can we put a link to this on main wiki page ?
>>         the page seems to be protected.
>>
>>         Rowland
>>
>>
>>
>>
>>
>>     -- 
>>     Elias Pereira
>
>     If you are going to just update like for like on a new machine i.e.
>     run samba4 in classic mode with OpenLDAP, then you will only
>     really need the smb.conf (though this may require tweaking) and an
>     ldif dump from your old ldap. Set up your new machine, set up
>     samba, set up OpenLDAP and import your ldif and you should be good
>     to go. However if your old machine is a PDC, then you will
>     probably be better setting your new machine up as a BDC, then
>     remove the PDC and make the BDC the PDC when everything is running ok.
>
>     Rowland
>
>
>
>
> -- 
> Elias Pereira
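
An added example, not part of the original thread and not Samba project code: a pre-import check for the ldif dump mentioned above, flagging Samba users that would arrive on the new machine without the Unix account data Rowland says they also need. The names `EXPECTED`, `SAMPLE`, `parse_ldif` and `audit` are hypothetical, and the attribute list is an assumption to adjust to your own schema.

```python
import base64
# Attributes this audit expects per object class (an assumption, not a Samba rule).
EXPECTED = {
    "posixAccount": ("uidNumber", "gidNumber", "homeDirectory", "userPassword"),
    "sambaSamAccount": ("sambaSID", "sambaNTPassword"),
}
# Constructed sample dump, not data from the thread.
SAMPLE = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/alice
userPassword:: Y29uc3RydWN0ZWQ=
sambaSID: S-1-5-21-1-2-3-3002
sambaNTPassword: 00000000000000000000000000000000

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-3004
"""

def parse_ldif(text):
    """Return one {attribute_lowercase: [values]} dict per LDIF entry.
    Folded lines (newline + one space) are joined before parsing."""
    entries, entry = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line.strip():  # a blank line ends the current entry
            if entry: entries.append(entry)
            entry = {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: value" is base64-encoded
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
    return entries

def audit(text):
    """Map DN -> problems for every entry that is a sambaSamAccount."""
    report = {}
    for e in parse_ldif(text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "sambasamaccount" not in classes:
            continue
        problems = [f"missing objectClass {c}" for c in EXPECTED if c.lower() not in classes]
        problems += [f"missing {a}" for attrs in EXPECTED.values() for a in attrs if a.lower() not in e]
        if problems:
            report[e["dn"][0]] = problems
    return report
```

Run `audit()` on the text of the dump before importing it; an empty result means every Samba user entry also carries the expected Unix account and password attributes.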


