[Samba] Samba on Debian 8; NT4 domain, win10
Stefan G. Weichinger
lists at xunil.at
Tue Nov 29 18:26:30 UTC 2016
On 2016-11-29 at 19:12, Andrew Bartlett wrote:
> I'll let you choose the way forward for your site, but if you can just
> re-create what fails to convert because it is just a service account,
> that seems quite reasonable.
>
> In the days of passdb on the NT4-like domain controller, there wasn't
> and still isn't any kind of fsck for the database. That means that all
> manner of incorrect, odd or unexpected combinations of entries can
> persist, without warning or notice. Duplicate SIDs, which is not an
> issue you have faced thankfully, are quite common it seems.
>
> I suspect Rowland jumped on the rid < 1000 suggestion quite reasonably
> because we have seen that too, but usually just because of confusion
> around the Administrator account. (Samba won't normally create such
> sids).
>
> When users are transferred to Samba's AD DC, they get put into a quite
> strict database. The reason why we strictly suggest migration on an
> isolated test network is that this almost never goes smoothly, and
> manual intervention is almost always required.
>
> I wish you all the best with your migration.
Thanks a lot for your wishes and the explanations.
Is there any good list of what to check in the test network before
deciding to go productive?
I would think of:
* try to logon to a member-PC with an old domain-user
* create new user, try logon
* try to add a new member pc ... then logins ...
* test login-scripts
Any killer-test to get a really good feeling? ;-)
For the real switch: turn off all PCs, turn down old samba-config,
switch on ADS-PDC, join file server, switch on test PC ... ?
-
One reason for me keeping this NT4-based for so long is the fact that I
now need an additional machine for the PDC: you samba-guys recommend to
run the PDC separated from the file server. So I have to deal with that
without having to buy new hardware (the customer stopped understanding
all the work around swapping server-hardware weeks ago). We talk small
office here: ~25-30 PCs.
I consider placing the PDC-part on the existing backup server (gentoo
linux, running Amanda backup suite), I assume this might do the trick?
Although this introduces the possibility of mismatches between the
samba-release gentoo provides as stable vs. the one in Debian (current
file server).
Way too many moving parts, and I have to decide and proceed soon: -> I
have problems with 2 existing Win10-Clients, one can't be joined
anymore, another doesn't let domain users login ....
Thankfully the rest works fine so far.
Stefan
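
Added example, not part of the original message or of Samba: a pre-migration audit for the two passdb problems named in the quoted reply, duplicate SIDs and RIDs below 1000. It assumes the record layout printed by `pdbedit -L -v` ("Unix username:" and "User SID:" lines); the sample accounts and SIDs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed `pdbedit -L -v` layout (not data from the thread).
SAMPLE = """\
---------------
Unix username:        alice
Account Flags:        [U          ]
User SID:             S-1-5-21-1111-2222-3333-1001
Primary Group SID:    S-1-5-21-1111-2222-3333-513
---------------
Unix username:        svc_scan
Account Flags:        [U          ]
User SID:             S-1-5-21-1111-2222-3333-1001
Primary Group SID:    S-1-5-21-1111-2222-3333-513
---------------
Unix username:        oldadmin
Account Flags:        [U          ]
User SID:             S-1-5-21-1111-2222-3333-998
Primary Group SID:    S-1-5-21-1111-2222-3333-512
"""

# Only these two fields matter; "Primary Group SID:" does not match the anchor.
FIELD = re.compile(r"^(Unix username|User SID):\s*(\S+)\s*$")

def parse_accounts(text):
    """Return one (username, user_sid) pair per passdb record."""
    accounts, user = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        if m.group(1) == "Unix username":
            user = m.group(2)
        elif user is not None:
            accounts.append((user, m.group(2)))
            user = None
    return accounts

def audit(text, min_rid=1000):
    """Return (duplicate SIDs -> usernames, usernames whose RID < min_rid)."""
    by_sid, low = defaultdict(list), []
    for user, sid in parse_accounts(text):
        by_sid[sid].append(user)
        rid = sid.rsplit("-", 1)[-1]
        if rid.isdigit() and int(rid) < min_rid:
            low.append(user)  # review by hand; built-in accounts also land here
    dupes = {s: u for s, u in by_sid.items() if len(u) > 1}
    return dupes, sorted(low)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the real domain controller, the text passed to `audit()` would be the saved output of `pdbedit -L -v` taken before the migration attempt on the isolated test network.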