[Samba] Share users across domains

Rodrigo Abrantes Antunes rodrigoantunes at pelotas.ifsul.edu.br
Mon Apr 2 14:43:21 UTC 2018

I never worked with AD, I really know nothing about it. And yes, it's
about 5000 accounts that should be migrated. This structure was not
created by me; it was already working when I arrived. I use SSL
encryption with LDAP and it allows anonymous access.

Quoting Gaiseric Vandal via samba <samba at lists.samba.org>:

> There is a documented upgrade process
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
> With 5000 users you probably want to create a test environment
> first. Moving from samba 3 to samba 4 but staying in a classic
> domain should not require a huge learning curve and you don't have
> to change the LDAP backend. Just don't count on domain trusts
> working.
>
> You definitely want to document how the various other systems are
> configured for LDAP authentication or coordinate with whoever is
> managing those systems. I moved from a classic samba domain to an
> AD domain with "real" Windows 2012 domain controllers. (This was
> because we needed to support MS Exchange.) I had to tweak things
> like search base and naming attributes. Also, if you are using TLS
> encryption with LDAP, that may require some fiddling to get
> working. Also, depending on how you set up LDAP, your current setup
> MAY allow anonymous access to retrieve a list of users and groups
> (although not passwords.) With AD there is no anonymous access via
> LDAP.
>
> It is a little scary to hear a system administrator say he knows
> nothing about AD. Kerberos can be quite a challenge though. It also
> seems like with 5000 accounts that the migration task is too much
> for one person to handle by himself. When I did a major step of the
> domain migration in my company (under 100 people) I had 3 extra
> people helping me over the weekend, with over 12 hours per person
> per day.
> On 04/02/18 10:15, Rodrigo Abrantes Antunes via samba wrote:
>> I know these systems work with AD; the problem is the migration. I
>> don't think it is easy to migrate 5000 accounts from current systems
>> to new systems. I will need to learn the syntaxes of all these new
>> systems and this would take a huge amount of time because I know
>> nothing of samba4, or AD, or dovecot, or kerberos, and the boss
>> wants the emails for students for next month. We don't plan to
>> change cyrus/postfix and horde; what's the problem with them? I
>> already tried kopano and the users hated it. And like I said there
>> are a lot of internal administrative systems that were programmed
>> (not by me) to work with ldap only, including some that are not
>> open source. A while ago I did research on how to migrate my
>> current domain to samba4 and from what I understand it would be
>> almost impossible or too difficult for my scenario.
>> Quoting Rowland Penny <rpenny at samba.org>:
>>> On Mon, 02 Apr 2018 13:06:16 +0000
>>> Rodrigo Abrantes Antunes via samba <samba at lists.samba.org> wrote:
>>>> A lot of administrative systems made by the institution, current
>>>> domain, fileservers, glpi, cyrus mail, horde, gosa, svn, freeradius,
>>>> dotproject, vcenter. That's what I remember for now.
>>> OK, I just spent about 10 minutes searching the internet and found out
>>> this:
>>> current domain : can be replaced by Samba AD
>>> fileservers    : As above
>>> glpi           : will work with AD, see here:
>>>                 http://wiki.glpi-project.org/doku.php?id=en:ldap
>>> cyrus mail     : This can probably be made to work with AD, but you
>>>                 would probably be better off moving to Postfix/Dovecot
>>> horde          : This will work with AD, but you will probably need to
>>>                 move to Dovecot
>>> gosa           : You would probably be better off using LAM, this is
>>>                 still being developed, unlike Gosa, which seems to
>>>                 have stalled.
>>> svn            : will work with AD
>>> freeradius     : This definitely works with AD, see here
>>>                 https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>>> dotproject     : will work with AD
>>> vcenter        : will work with AD
>>> What I am trying to say is, you will probably find it easier to make
>>> your infrastructure work with AD, rather than trying to keep Samba 3
>>> working. You may find it easier to move some of your systems to other,
>>> newer packages, for instance, you could upgrade your email system to
>>> something like Kopano.
>>> You will certainly have something more secure than what you have at the
>>> moment, especially if you use kerberos.
>>> Rowland
Rodrigo Abrantes Antunes
Instituto Federal Sul-rio-grandense
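Gaiseric's caveat about anonymous LDAP access is worth measuring before a migration, since every system that depends on it will break once AD refuses anonymous binds. The script below is an added example, not code from this thread or from Samba: it parses what an anonymous simple bind (`ldapsearch -x` with no `-D`) returns from a Samba 3 / OpenLDAP backend, counts the posixAccount entries that can be enumerated, and flags any password attributes that came back (which should never happen). The ldapsearch invocation, host, base DN and the sample directory contents are assumptions; the thread names none of them.

```python
import base64
import re
SENSITIVE = {"userpassword", "sambantpassword", "sambalmpassword"}  # never anonymous-readable

def parse_ldif(text):
    """Parse ldapsearch -LLL output into dicts (lowercased attr -> [values]),
    handling RFC 2849 folded lines (leading space) and '::' base64 values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        block = re.sub(r"\n ", "", block)  # join folded continuation lines
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def audit_anonymous(ldif_text):
    """Count enumerable accounts and flag any secret attributes that came back."""
    entries = parse_ldif(ldif_text)
    accounts = [e for e in entries
                if "posixaccount" in {v.lower() for v in e.get("objectclass", [])}]
    return {"accounts": len(accounts),
            "uids": [e["uid"][0] for e in accounts if "uid" in e],
            "leaked_attrs": sorted({a for e in entries for a in e if a in SENSITIVE})}

# Constructed sample of a permissive Samba 3 directory, as returned by:
# ldapsearch -x -LLL -H ldaps://HOST -b dc=example,dc=edu '(objectClass=*)'
SAMPLE_LDIF = """dn: uid=alice,ou=People,dc=example,dc=edu
objectClass: posixAccount
uid: alice
gecos: Alice Example, lab
 oratory account

dn: uid=bob,ou=People,dc=example,dc=edu
objectClass: posixAccount
uid: bob
userPassword:: e0NSWVBUfXg=

dn: cn=students,ou=Groups,dc=example,dc=edu
objectClass: posixGroup
memberUid: alice
"""
```

Feed the real `ldapsearch` output to `audit_anonymous`; a non-empty `leaked_attrs` means the directory's ACLs expose hashes to unauthenticated clients and needs fixing regardless of the migration, while a non-zero `accounts` count is the list of what AD will stop serving anonymously.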
