[Samba] We need to change our AD domain

mathias dufresne infractory at gmail.com
Tue Aug 30 11:39:46 UTC 2016


Hi Denis,

What tool do you use to export users including their nt-hash password? I'm
still missing that...

On 30 Aug 2016 10:27, "Denis Cardon via samba" <samba at lists.samba.org>
wrote:

> Hi John,
>
> I understand that Samba doesn't support domain renaming, which is why
>> I'm looking for a way to export the data from one domain and import it
>> into a new one. Passwords and machine accounts are not a problem and can
>> be ignored for this exercise. The key things I need to copy across are
>> user accounts and groups, as they would be an absolute pain in the rear
>> end to redo from scratch.
>>
>
> Samba may miss a few pieces, but its FOSS nature and the python scripting
> libraries make it a wonderful tool for all AD automation. I'd say that it is
> more versatile than MSAD once you accept to look into the guts of the beast.
>
> For our daily work, we have a bunch of in-house scripts for domain
> management, among others domain rename. For rename, one way of going is to
> create a new domain with the same domain SID, then recreate all the
> user/group/machines entries, pipe in the old object SID (so that user
> profiles are kept during migration), then pipe in the nt hash password with
> pdbedit --set-nt-hash.
>
> We have done dozens of migrations/merges this year using this method among
> others, going from samba3 PDC, samba4 AD, and MSAD from 2003 up to 2012R2.
> It even works with a 2012R2 forest level using clone-dc-database option to
> get all the data you need, then pipe all the data in the new s4 domain!
>
> So yes, it can be done, you just have to roll up the sleeves, fire up your
> favorite editor and get your python straight :-)
>
> Cheers,
>
> Denis
>
> Machine accounts will be dealt with by the required unjoin/rejoin
>> process. If a forced password change is the only thing users complain
>> about I'll consider the migration a great success.
>>
>> Getting from a Samba 3 NT domain to a Samba 4 AD domain was relatively
>> simple and painless. Surely there's a way to go from one Samba 4 AD
>> domain to another. Sure it would be nice to have a domain rename
>> supported natively but of all the things that still need to be done in
>> Samba 4's implementation of AD I don't believe it should be a high
>> priority.
>>
>> Domain renames are a fact of life in many organisations, so I figure
>> somebody on this list has probably done it already and I would be
>> grateful if they could share the details of how they went about it. I'm
>> not looking for a magic wand, merely some guidance.
>>
>> regards,
>> John
>>
>>
>> On 29/08/16 19:48, Andrew Bartlett via samba wrote:
>>
>>> On Wed, 2016-08-24 at 13:40 +1000, John Gardeniers via samba wrote:
>>>
>>>> Hi All,
>>>>
>>>> As a result of a company restructure and name change we need to change
>>>> our AD domain. I know that we can't change the AD domain name in Samba
>>>> 4, so I'm looking at the smoothest way to migrate everything from one
>>>> domain to another.
>>>>
>>>> Is there any (properly working) way we can export users, groups and
>>>> policies from one domain and import them into another? I've spent a few
>>>> months getting everything just the way we want it and would greatly
>>>> prefer not to have to start from scratch. Incidentally, I don't care
>>>> about the computer accounts, as they will be dealt with by the normal
>>>> unjoin/rejoin process.
>>>>
>>>> Any tips, advice or warnings anyone cares to share about this process
>>>> would be greatly appreciated.
>>>>
>>> This isn't something that Samba natively supports right now, and we
>>> don't even support doing it via the Windows tool, or export to Windows,
>>> because of various issues.
>>>
>>> I would love to add it if I could find a funder (it is the level of
>>> work that would need that, or the patient work of a community member
>>> over quite some time), because it won't be trivial.
>>>
>>> In the short term I would agree that preserving the domain GUID, SIDs
>>> and structure is the most critical part.
>>>
>>> The things I would most worry about are the krb5 salts for passwords,
>>> as these won't show up in a search but might make keeping passwords
>>> more difficult (embedded in supplementalCredentials).
>>>
>>> Finding out exactly what changes in a Windows AD domain when you rename
>>> it would be a good place to start.  I honestly don't know how well it
>>> will go, but you could dump the whole thing to ldif with ldbdump on the
>>> backend files, and then do a pile of search and replace.  That might at
>>> least help pinpoint what other issues to look for.
>>>
>>> I hope this helps,
>>>
>>> Andrew Bartlett
>>>
>>> --
>>> Andrew Bartlett                       http://samba.org/~abartlet/
>>> Authentication Developer, Samba Team  http://samba.org
>>> Samba Developer, Catalyst IT
>>> http://catalyst.net.nz/services/samba
>>>
>>>
>>>
>>
>>
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint Sébastien sur Loire
> tel : +33 (0) 2.40.97.57.55
> http://www.tranquil-it-systems.fr
>
>
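The two approaches in the thread (Denis: recreate objects in a new domain with the same domain SID, carrying objectSid and NT hash across; Andrew: dump the backend to LDIF with ldbdump and do a "pile of search and replace", watching out for the krb5 salts in supplementalCredentials) can be sketched in one script. The following is an added example, not code from this thread or from the Samba project. It assumes an ldbdump-style LDIF as input, uses standard AD/Samba attribute names, and the sample entries, SIDs and hash values are constructed for the example; what the real keys in supplementalCredentials look like is not modelled, the attribute is simply dropped and reported because those keys are salted with the old realm.

```python
"""Rewrite an ldbdump-style LDIF from one AD domain name to another, keeping
realm-independent binary values, rewriting textual ones, and reporting what
must be regenerated. Added example; not Samba code. Sample data is constructed."""
import base64
import re
from typing import Dict, List, Tuple

Attr = Tuple[str, str, bool]  # (name, value, value_is_base64)

# Carried over unchanged: objectSid keeps profiles/ACLs valid (requires the new
# domain to share the old domain SID), objectGUID keeps links, and unicodePwd is
# the NT hash (unsalted MD4 of the password), which does not depend on the realm.
PRESERVE = {"objectsid", "objectguid", "unicodepwd"}
# Cannot be fixed by substitution: Samba stores the Kerberos keys here and they
# are salted with the realm name, so they have to be regenerated in the new domain.
REGENERATE = {"supplementalcredentials"}


def sid_bytes(*subauths: int) -> bytes:
    """Binary form of S-1-5-<subauths...> (revision 1, NT authority 5)."""
    head = bytes([1, len(subauths)]) + (5).to_bytes(6, "big")
    return head + b"".join(s.to_bytes(4, "little") for s in subauths)


def sid_to_string(raw: bytes) -> str:
    revision, count, authority = raw[0], raw[1], int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))


def dn_suffix(dns_name: str) -> str:
    """'oldcorp.example' -> 'DC=oldcorp,DC=example'"""
    return ",".join("DC=" + label for label in dns_name.split("."))


def parse_ldif(text: str) -> List[List[Attr]]:
    """Split LDIF into entries; a line starting with a space continues the previous one."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: List[List[Attr]] = []
    current: List[Attr] = []
    for line in unfolded + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = []
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            is_b64 = value.startswith(":")  # 'attr:: <base64>' form
            current.append((name, (value[1:] if is_b64 else value).strip(), is_b64))
    return entries


def format_ldif(entries: List[List[Attr]]) -> str:
    return "\n\n".join("\n".join(f"{n}{':: ' if b else ': '}{v}" for n, v, b in e)
                       for e in entries) + "\n"


def rewrite_ldif(text: str, old_dns: str, new_dns: str) -> Tuple[str, Dict]:
    suffix_re = re.compile(re.escape(dn_suffix(old_dns)), re.IGNORECASE)
    realm_re = re.compile(re.escape(old_dns), re.IGNORECASE)
    # The Kerberos realm is the DNS name upper-cased, so keep the case of the match.
    realm_sub = lambda m: new_dns.upper() if m.group(0).isupper() else new_dns
    report: Dict = {"rewritten": 0, "preserved": 0, "regenerate": []}
    result: List[List[Attr]] = []
    for entry in parse_ldif(text):
        dn = next((v for n, v, _ in entry if n.lower() == "dn"), "?")
        kept: List[Attr] = []
        for name, value, is_b64 in entry:
            key = name.lower()
            if key in REGENERATE:
                report["regenerate"].append(f"{dn}: {name}")
                continue  # dropped: set a password in the new domain instead
            if key in PRESERVE or is_b64:
                report["preserved"] += 1
                kept.append((name, value, is_b64))
                continue
            new_value = realm_re.sub(realm_sub, suffix_re.sub(dn_suffix(new_dns), value))
            report["rewritten"] += int(new_value != value)
            kept.append((name, new_value, False))
        result.append(kept)
    return format_ldif(result), report


def check_domain_sid(text: str, expected_domain_sid: str) -> List[str]:
    """DNs whose objectSid is not under the expected domain SID. If the new domain
    was not created with the old domain SID, every preserved SID is foreign."""
    bad = []
    for entry in parse_ldif(text):
        dn = next((v for n, v, _ in entry if n.lower() == "dn"), "?")
        for name, value, is_b64 in entry:
            if name.lower() == "objectsid" and is_b64:
                sid = sid_to_string(base64.b64decode(value))
                if sid.rsplit("-", 1)[0] != expected_domain_sid:  # strip the RID
                    bad.append(dn)
    return bad


# Constructed sample in the shape of a trimmed ldbdump of sam.ldb (fake values).
_USER_SID = base64.b64encode(sid_bytes(21, 1, 2, 3, 1104)).decode()
_GROUP_SID = base64.b64encode(sid_bytes(21, 1, 2, 3, 513)).decode()
SAMPLE_LDIF = f"""\
dn: CN=jsmith,CN=Users,DC=oldcorp,DC=example
objectClass: user
sAMAccountName: jsmith
userPrincipalName: jsmith@oldcorp.example
servicePrincipalName: HOST/jsmith-ws.oldcorp.example
objectSid:: {_USER_SID}
unicodePwd:: {base64.b64encode(b"0123456789abcdef").decode()}
supplementalCredentials:: {base64.b64encode(b"constructed placeholder").decode()}
memberOf: CN=Domain Users,CN=Users,DC=oldcorp,DC=example
memberOf: CN=Long Group Name,OU=Depart
 ment,DC=oldcorp,DC=example

dn: CN=Domain Users,CN=Users,DC=oldcorp,DC=example
objectClass: group
objectSid:: {_GROUP_SID}
"""

if __name__ == "__main__":
    new_text, rep = rewrite_ldif(SAMPLE_LDIF, "oldcorp.example", "newcorp.example")
    print(new_text)
    print(rep, check_domain_sid(new_text, "S-1-5-21-1-2-3"))
```

The report's `regenerate` list is the part to act on after the import: those accounts get their NT hash back via the preserved `unicodePwd`, but their Kerberos keys only reappear once a password is set in the new realm, which is the reason a migration done this way still ends in a password change for every user.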
