[Samba] Share users across domains

Gaiseric Vandal gaiseric.vandal at gmail.com
Mon Apr 2 14:33:52 UTC 2018

There is a documented upgrade process.

With 5000 users you probably want to create a test environment 
first. Moving from samba 3 to samba 4 but staying in a classic 
domain should not require a huge learning curve and you don't have to 
change the LDAP backend. Just don't count on domain trusts working.

You definitely want to document how the various other systems are 
configured for LDAP authentication or coordinate with whoever is 
managing those systems. I moved from a classic samba domain to an AD 
domain with "real" Windows 2012 domain controllers. (This was because 
we needed to support MS Exchange.) I had to tweak things like 
search base and naming attributes. Also, if you are using TLS 
encryption with LDAP, that may require some fiddling to get 
working. Also, depending on how you set up LDAP, your current 
setup MAY allow anonymous access to retrieve a list of users and groups 
(although not passwords). With AD there is no anonymous access via LDAP.

It is a little scary to hear a system administrator say he knows nothing 
about AD. Kerberos can be quite a challenge though. It 
also seems like with 5000 accounts that the migration task is too much 
for one person to handle by himself. When I did a major step of the 
domain migration in my company (under 100 people) I had 3 extra people 
helping me over the weekend, with over 12 hours per person per day.

On 04/02/18 10:15, Rodrigo Abrantes Antunes via samba wrote:
> I know these systems work with AD, the problem is the migration, I 
> don't think it is easy to migrate 5000 accounts from current systems to 
> new systems. I will need to learn the syntaxes of all these new 
> systems and this would take huge time because I know nothing of 
> samba4, or AD, or dovecot, or kerberos and the boss wants the emails 
> for students for next month. We don't plan to change cyrus/postfix and 
> horde, what's the problem with them? I already tried kopano and the 
> users hated it. And like I said there are a lot of internal 
> administrative systems that were programmed (not by me) to work with 
> ldap only, including some that are not open source. A while ago I did 
> research on how to migrate my current domain to samba4 and from what I 
> understand it would be almost impossible or too difficult for my scenario.
> Citando Rowland Penny <rpenny at samba.org>:
>> On Mon, 02 Apr 2018 13:06:16 +0000
>> Rodrigo Abrantes Antunes via samba <samba at lists.samba.org> wrote:
>>> A lot of administrative systems made by the institution, current
>>> domain, fileservers, glpi, cyrus mail, horde, gosa, svn, freeradius,
>>> dotproject, vcenter. That's what I remember for now.
>> OK, I just spent about 10 minutes searching the internet and found out
>> this:
>> current domain : can be replaced by Samba AD
>> fileservers    : As above
>> glpi           : will work with AD, see here:
>>                 http://wiki.glpi-project.org/doku.php?id=en:ldap
>> cyrus mail     : This can probably be made to work with AD, but you
>> would probably be better off moving to Postfix/Dovecot
>> horde          : This will work with AD, but you will probably need to
>>                 move to Dovecot
>> gosa           : You would probably be better off using LAM, this is
>>                 still being developed, unlike Gosa, which seems to
>>                 have stalled.
>> svn            : will work with AD
>> freeradius     : This definitely works with AD, see here
>> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>> dotproject     : will work with AD
>> vcenter        : will work with AD
>> What I am trying to say is, you will probably find it easier to make
>> your infrastructure work with AD, rather than trying to keep Samba 3
>> working. You may find it easier to move some of your systems to other,
>> newer packages, for instance, you could upgrade your email system to
>> something like Kopano.
>> You will certainly have something more secure than what you have at the
>> moment, especially if you use kerberos.
>> Rowland
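The anonymous-LDAP point raised above is easy to check before a migration. As an added example (not code from this thread or from the Samba project), the script below parses the LDIF that an anonymous `ldapsearch -x` against a Samba 3 LDAP backend returns, counts the user and group entries exposed, and flags any password-hash attributes (userPassword, sambaNTPassword, sambaLMPassword) that an unauthenticated bind could read; the embedded LDIF, the hostname and the hash value are constructed stand-ins.

```python
import base64
import re

# Constructed LDIF standing in for the output of an anonymous search such as
#   ldapsearch -x -H ldap://ldap.example.org -b dc=example,dc=org   (no -D: anonymous bind)
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
sambaNTPassword: 00000000000000000000000000000000

dn: cn=staff,ou=Groups,dc=example,dc=org
objectClass: posixGroup

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
gecos:: Qm9iIEV4YW1wbGU=

search: 2
result: 0 Success
"""
SECRET_ATTRS = {"userpassword", "sambantpassword", "sambalmpassword"}

def parse_ldif(text):  # minimal LDIF parser: unfolds lines, decodes base64 (::) values
    text = re.sub(r"\n ", "", text)  # a line starting with a space continues the previous one
    entries = []
    for block in re.split(r"\n{2,}", text.strip()):  # entries are separated by blank lines
        entry = {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
            if m:  # skips '#' comment lines and anything else that is not attr: value
                attr, sep, val = m.group(1).lower(), m.group(2), m.group(3)
                if sep == "::":  # base64-encoded value
                    val = base64.b64decode(val).decode("utf-8", "replace")
                entry.setdefault(attr, []).append(val)
        if entry:
            entries.append(entry)
    return entries

def audit_anonymous_exposure(ldif_text):  # what an unauthenticated bind can enumerate
    report = {"users": 0, "groups": 0, "secrets_exposed": []}
    for e in parse_ldif(ldif_text):
        if "dn" not in e:  # the search:/result: trailer is not a directory entry
            continue
        classes = {c.lower() for c in e.get("objectclass", [])}
        if classes & {"posixaccount", "sambasamaccount"}:
            report["users"] += 1
        if "posixgroup" in classes:
            report["groups"] += 1
        for attr in sorted(SECRET_ATTRS & e.keys()):  # hashes readable anonymously
            report["secrets_exposed"].append((e["dn"][0], attr))
    return report
```

Any non-empty `secrets_exposed` list means the LDAP ACLs let anonymous binds read password hashes, which should be fixed on the current directory regardless of when the AD migration happens.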
