[Samba] Samba on Debian 8; NT4 domain, win10

Rowland Penny rpenny at samba.org
Tue Nov 29 18:55:12 UTC 2016

On Tue, 29 Nov 2016 19:26:30 +0100
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Am 2016-11-29 um 19:12 schrieb Andrew Bartlett:
> > I'll let you choose the way forward for your site, but if you can
> > just re-create what fails to convert because it is just a service
> > account, that seems quite reasonable. 
> > 
> > In the days of passdb on the NT4-like domain controller, there
> > wasn't and still isn't any kind of fsck for the database.  That
> > means that all manner of incorrect, odd or unexpected combinations
> > of entries can persist, without warning or notice.  Duplicate SIDs,
> > which is not an issue you have faced thankfully, are quite common
> > it seems. 
> > 
> > I suspect Rowland jumped on the rid < 1000 suggestion quite
> > reasonably because we have seen that too, but usually just because
> > of confusion around the Administrator account.  (Samba won't
> > normally create such sids).
> > 
> > When users are transferred to Samba's AD DC, they get put into a
> > quite strict database.  The reason why we strictly suggest
> > migration on an isolated test network is that this almost never
> > goes smoothly, and manual intervention is almost always required. 
> > 
> > I wish you all the best with your migration.
> Thanks a lot for your wishes and the explanations.
> Is there any good list of what to check in the test network before
> deciding to go productive?
> I would think of:
> * try to logon to a member-PC with an old domain-user
> * create new user, try logon
> * try to add a new member pc ... then logins ...
> * test login-scripts
> Any killer-test to get a really good feeling ? ;-)
> For the real switch: turn off all PCs, turn down old samba-config,
> switch on ADS-PDC, join file server, switch on test PC ... ?
> -
> One reason for me keeping this NT4-based for so long is the fact that
> I now need an additional machine for the PDC: you samba-guys
> recommend to run the PDC separated from the file server. 

You can use the DC as a fileserver, it is only for minor technical
reasons that it isn't recommended, amongst which is that you have to use
Windows ACLs.
> So I have to
> deal with that without having to buy new hardware (the customer
> stopped understanding all the work around swapping server-hardware
> weeks ago). We talk small office here: ~25-30 PCs.

Your DC should be able to easily deal with that amount of PCs (provided
it is a reasonable spec and not out of the ark ;-) 
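Added example, not code from this thread or from the Samba project: Andrew's point above is that passdb has no fsck, so duplicate SIDs and RIDs below 1000 go unnoticed until classicupgrade rejects them. The script below runs the two checks the thread names over the verbose listing from `pdbedit -L -v` (the "Unix username:" and "User SID:" field labels are assumed to match that output; the accounts in SAMPLE are constructed, not real data), so you can review them on the test network before deciding what to re-create.

```python
"""Pre-migration sanity check for an NT4-style Samba passdb.

Added example; not from the samba list thread or the Samba project.
Reads `pdbedit -L -v` output on stdin (or the constructed SAMPLE when run
interactively) and reports duplicate SIDs and RIDs below 1000, the two
passdb oddities the thread says classicupgrade will trip over.
"""
import re
import sys
from collections import defaultdict

# Constructed sample of `pdbedit -L -v` output. The field labels are an
# assumption about pdbedit's verbose format; the accounts are invented.
SAMPLE = """\
---------------
Unix username:        administrator
NT username:          administrator
Account Flags:        [U          ]
User SID:             S-1-5-21-111111111-222222222-333333333-500
Primary Group SID:    S-1-5-21-111111111-222222222-333333333-512
---------------
Unix username:        alice
NT username:          alice
Account Flags:        [U          ]
User SID:             S-1-5-21-111111111-222222222-333333333-1001
Primary Group SID:    S-1-5-21-111111111-222222222-333333333-513
---------------
Unix username:        svc-backup
NT username:          svc-backup
Account Flags:        [U          ]
User SID:             S-1-5-21-111111111-222222222-333333333-1001
Primary Group SID:    S-1-5-21-111111111-222222222-333333333-513
---------------
Unix username:        svc-print
NT username:          svc-print
Account Flags:        [U          ]
User SID:             S-1-5-21-111111111-222222222-333333333-999
Primary Group SID:    S-1-5-21-111111111-222222222-333333333-513
"""

# Domain SID: S-1-5-21-<three sub-authorities>-<RID>; capture the RID.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

# RIDs below 1000 that a domain legitimately has; anything else below
# 1000 is the "confusion around the Administrator account" case to review.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}


def parse_pdbedit(text):
    """Return [(unix_username, user_sid), ...] from verbose pdbedit output."""
    accounts = []
    name = None
    for line in text.splitlines():
        if line.startswith("Unix username:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("User SID:") and name is not None:
            accounts.append((name, line.split(":", 1)[1].strip()))
            name = None
    return accounts


def check_passdb(accounts, rid_floor=1000):
    """Return the two findings classicupgrade is strict about.

    duplicate_sids: {sid: [names]} for every SID held by more than one account.
    low_rids: [(name, rid_or_None, well_known_label_or_None)] for every
              account whose RID is below rid_floor or whose SID is not a
              domain SID at all (rid None); the label marks built-ins.
    """
    by_sid = defaultdict(list)
    for name, sid in accounts:
        by_sid[sid].append(name)
    duplicates = {sid: names for sid, names in by_sid.items() if len(names) > 1}

    low = []
    for name, sid in accounts:
        m = SID_RE.match(sid)
        rid = int(m.group(1)) if m else None
        if rid is None or rid < rid_floor:
            low.append((name, rid, WELL_KNOWN_RIDS.get(rid)))
    return {"duplicate_sids": duplicates, "low_rids": low}


def main():
    # Usage: pdbedit -L -v | python3 check_passdb.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    report = check_passdb(parse_pdbedit(text))
    for sid, names in report["duplicate_sids"].items():
        print("DUPLICATE SID %s: %s" % (sid, ", ".join(names)))
    for name, rid, label in report["low_rids"]:
        note = "well-known %s" % label if label else "review before migrating"
        print("LOW RID %s: %s (%s)" % (rid, name, note))
    return 1 if report["duplicate_sids"] else 0


if __name__ == "__main__":
    sys.exit(main())
```

On the constructed sample this reports alice and svc-backup sharing RID 1001 (the duplicate-SID case Andrew says is common) and two sub-1000 RIDs, one of them the legitimate Administrator at 500; the exit status is non-zero only for duplicates, since a well-known RID is not by itself a problem.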

