[Samba] strategies to run two NT4 domains or merge them on one samba host

Rowland Penny rowlandpenny at googlemail.com
Tue Mar 17 03:41:27 MDT 2015 

On 17/03/15 08:15, Steffen wrote:
> Hi,
>
> we currently run one samba v3.0 domain "DOMAIN30" with WinXP domain 
> members and Win7/8 accessing the file server without domain membership.
>
> Then we run a second samba v3.5 domain "NEWDOMAIN" with WinXP/7/8 
> domain members. Which was migrated from a NT4 PDC to samba 3.0 and to 
> v3.5 eventually.
>
> Neither domain has anything fancy about it: users and joined 
> workstations, but no trusts, almost no groups (could be re-created 
> manually easily).
>
> a) I want to upgrade at least DOMAIN30 to a samba v3.5. And 
> preferrably have one user base and one domain NEWDOMAIN.
>
> https://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html
>
> explains "If you want to merge multiple NT4 domain account databases 
> into one Samba domain", that I can merge user and machine accounts 
> from different domains into one, right?
> But how can I make existing machine joined to DOMAIN30 to contact 
> NEWDOMAIN? Is is possible to merge two NT4 domains into one samba 3.5 
> and keep all joined members?
> Can I run a second smbd on the same server with another domain name 
> that forwards any auth request to NEWDOMAIN? Can I do something with 
> aliases?
>
> b) Would a migration of both NT4 domains to samba 4 help?
> So I would merge the users only, create two NT4 domains in the AD and 
> leave the machines in there?
> New machines would joine NEWDOMAIN only and eventually DOMAIN30 dies 
> because of lack of members.
> Is there a documentation how to migrate two or more NT4 domains to 
> smaba 4?
>
> Kind regards,
>

I don't think you can merge the domains together and keep all the 
computers joined (though undoubtedly someone will post if they have done 
this). You also cannot create NT4 domains in AD, they are very different.

Whilst you can migrate an NT4 style domain to a samba4 active directory 
domain, I am uncertain if you can combine two domains into one AD domain 
with the available samba tools, I think that you may have to write your 
own scripts to do this. The main problems are likely to be duplicate 
users & groups and different users with the same ID number.

I personally think that it would be easier to start from scratch, create 
a new samba4 AD domain and slowly start to migrate your users to this. I 
feel I must also point out that samba 3.5 went EOL in 2013 and 3.6 went 
EOL earlier this month, so I would suggest that whatever you end up 
doing, you use the latest 4.2 version or the latest 4.1.x

Rowland

More information about the samba mailing list