[Samba] Share users across domains
Rodrigo Abrantes Antunes
rodrigoantunes at pelotas.ifsul.edu.br
Mon Apr 2 14:43:21 UTC 2018
I have never worked with AD; I really know nothing about it. And yes, it's
about 5000 accounts that should be migrated. This structure was not
created by me, it was already working when I arrived. I use SSL
encryption with LDAP and it allows anonymous access.

Quoting Gaiseric Vandal via samba <samba at lists.samba.org>:
> There is a documented upgrade process
>
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>
> With 5000 users you probably want to create a test environment
> first. Moving from samba 3 to samba 4 but staying in a
> classic domain should not require a huge learning curve and you
> don't have to change the LDAP backend. Just don't count on
> domain trusts working.
>
> You definitely want to document how the various other systems are
> configured for LDAP authentication or coordinate with whomever is
> managing those systems. I moved from a classic samba domain to an
> AD domain with "real" Windows 2012 domain controllers. (This was
> because we needed to support MS Exchange.) I had to tweak
> things like search base and naming attributes. Also, if you are
> using TLS encryption with LDAP, that may require some fiddling to
> get working. Also, depending on how you set up LDAP, your
> current setup MAY allow anonymous access to retrieve a list of users
> and groups (although not passwords). With AD there is no
> anonymous access via LDAP.
>
> It is a little scary to hear a system administrator say he knows
> nothing about AD. Kerberos can be quite a challenge
> though. It also seems like with 5000 accounts that the migration
> task is too much for one person to handle by himself. When I did
> a major step of the domain migration in my company (under 100
> people) I had 3 extra people helping me over the weekend, with over
> 12 hours per person per day.
>
> On 04/02/18 10:15, Rodrigo Abrantes Antunes via samba wrote:
>> I know these systems work with AD, the problem is the migration, I
>> don't think it is easy to migrate 5000 accounts from current systems
>> to new systems. I will need to learn the syntaxes of all these new
>> systems and this would take huge time because I know nothing of
>> samba4, or AD, or dovecot, or kerberos and the boss wants the
>> emails for students for next month. We don't plan to change
>> cyrus/postfix and horde, what's the problem with them? I already
>> tried kopano and the users hated it. And like I said there are a
>> lot of internal administrative systems that were programmed (not by
>> me) to work with ldap only, including some that are not open source.
>> A while ago I did research on how to migrate my current domain to
>> samba4 and from what I understand it would be almost impossible or
>> too difficult for my scenario.
>>
>> Quoting Rowland Penny <rpenny at samba.org>:
>>
>>> On Mon, 02 Apr 2018 13:06:16 +0000
>>> Rodrigo Abrantes Antunes via samba <samba at lists.samba.org> wrote:
>>>
>>>> A lot of administrative systems made by the institution, current
>>>> domain, fileservers, glpi, cyrus mail, horde, gosa, svn, freeradius,
>>>> dotproject, vcenter. That's what I remember for now.
>>>
>>> OK, I just spent about 10 minutes searching the internet and found out
>>> this:
>>>
>>> current domain : can be replaced by Samba AD
>>> fileservers : As above
>>>
>>> glpi : will work with AD, see here:
>>> http://wiki.glpi-project.org/doku.php?id=en:ldap
>>>
>>> cyrus mail : This can probably be made to work with AD, but you
>>> would probably be better off moving to Postfix/Dovecot
>>>
>>> horde : This will work with AD, but you will probably need to
>>> move to Dovecot
>>>
>>> gosa : You would probably be better off using LAM, this is
>>> still being developed, unlike Gosa, which seems to
>>> have stalled.
>>>
>>> svn : will work with AD
>>>
>>> freeradius : This definitely works with AD, see here
>>> https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory
>>>
>>> dotproject : will work with AD
>>>
>>> vcenter : will work with AD
>>>
>>> What I am trying to say is, you will probably find it easier to make
>>> your infrastructure work with AD, rather than trying to keep Samba 3
>>> working. You may find it easier to move some of your systems to other,
>>> newer packages, for instance, you could upgrade your email system to
>>> something like Kopano.
>>>
>>> You will certainly have something more secure than what you have at the
>>> moment, especially if you use kerberos.
>>> Rowland
--
Rodrigo Abrantes Antunes
Instituto Federal Sul-rio-grandense
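Gaiseric's point above that a classic Samba/LDAP setup may answer anonymous queries for users and groups while AD does not is worth checking before a migration, because any internal system that silently relies on anonymous reads will break afterwards. The script below is an added example for this thread, not something posted by any of its participants. It assumes the OpenLDAP client tool `ldapsearch` is installed and takes a placeholder URI and base DN; `-x` with no `-D`/`-w` performs an anonymous simple bind. It counts the user and group entries the directory hands out anonymously and flags the far worse case of password hash attributes (`userPassword`, `sambaNTPassword`, `sambaLMPassword`) being readable without a bind.

```shell
#!/bin/sh
# Added example (not from the thread): audit what an LDAP directory returns to an
# anonymous simple bind before migrating to AD, where anonymous reads stop working.
# Assumes OpenLDAP's ldapsearch; URI and base DN are placeholders supplied by the caller.

# Count directory entries in LDIF read from stdin (each entry starts with a "dn:" line).
ldif_entry_count() {
    grep -c '^dn:' || true
}

# Print "leak" if the LDIF on stdin exposes password hash attributes, else "ok".
# An anonymous user list is common in classic setups; readable hashes are not.
ldif_password_exposure() {
    if grep -qiE '^(userPassword|sambaNTPassword|sambaLMPassword):'; then
        echo leak
    else
        echo ok
    fi
}

# Anonymous search: -x selects a simple bind and the absence of -D/-w makes it anonymous.
# -LLL strips LDIF version and comment lines so only entries reach stdout.
anon_search() {
    uri="$1"; base="$2"; filter="$3"
    ldapsearch -LLL -x -H "$uri" -b "$base" "$filter" \
        dn uid cn userPassword sambaNTPassword sambaLMPassword 2>/dev/null
}

# Summarise how much an unauthenticated client can read from the directory.
audit_anonymous_access() {
    uri="$1"; base="$2"
    users=$(anon_search "$uri" "$base" '(objectClass=posixAccount)') || users=""
    groups=$(anon_search "$uri" "$base" '(objectClass=posixGroup)') || groups=""
    printf 'anonymous user entries:  %s\n' "$(printf '%s\n' "$users" | ldif_entry_count)"
    printf 'anonymous group entries: %s\n' "$(printf '%s\n' "$groups" | ldif_entry_count)"
    printf 'password attributes:     %s\n' "$(printf '%s\n' "$users" | ldif_password_exposure)"
}

# Usage with placeholder values (replace with your own directory):
#   audit_anonymous_access ldaps://ldap.example.org dc=example,dc=org
```

Run it against the current directory and record the counts; a non-zero user or group count names exactly the data the systems Rodrigo mentions (GLPI, Horde, FreeRADIUS and the in-house applications) may be fetching without a bind today, and each of those will need a bind account once the directory is AD.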