[Samba] Migration Of Records From Old Samba Domain To New One

Matthew Delfino mdelfino.list.samba at KNOCKinc.com
Sun Feb 11 17:01:08 UTC 2018

Hello from Sunny and frigidly cold Minneapolis, MN, USA!

I have a SAMBA domain with three DCs running v4.4.16 on Ubuntu Server 14.04.5 LTS (BIND9 DLZ Backend). I need to move all my records to a new domain (from DOMAIN.LOC to SAMDOM.DOMAIN.NET).

I know that it's not possible to change domains on a samba install, so I've created three new DCs running v4.7.4 on Ubuntu Server 16.04.3 LTS (also with a BIND9 DLZ backend). They've got a minimal install's worth of records in them, but now I'd like to export my accounts from my old domain and import them into the new one.

My idea was to use ldapsearch (or maybe ldbsearch would be better?) to create a huge dump of records from my old domain and then edit the resulting ldif file with some slick find-and-replace-fu so that the records can easily slide into the new domain I've set up (dn, userPrincipalName, msSFU30NisDomain stand out as good ideas to alter).

Then, I was going to turn off my new DCs and import the ldif file with ldbadd to pull in all the ldif records.

My question to the team of experts is this:
 1) Is there a better way and, if so, what might it be?
 2) If this is a fine approach, are there some parameters I would be wise to exclude from the import (like, all the timestamps, objectGUID and objectSid, for example)?

I believe that my worst-case scenario is that I'll need to create a shell script filled with "samba-tool" commands for each user and group, then (gulp) re-add all my users to the groups they belonged to.

Matthew Delfino
VP Information Technology
KNOCK, inc.
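
The LDIF rewrite the message describes, as an added example (not part of the original post and not Samba project code). It unfolds wrapped lines, decodes base64 values, swaps the domain suffix in dn, DN-valued attributes and userPrincipalName, and drops the attributes named in question 2. The DN forms of the two domains, the NIS domain value and the exact drop list are assumptions.

```python
import base64
import re

# Assumed values, not from the post: DN forms of both domains, the NIS name,
# and whenCreated/whenChanged standing in for "all the timestamps".
OLD_DN, NEW_DN = "DC=domain,DC=loc", "DC=samdom,DC=domain,DC=net"
OLD_REALM, NEW_REALM, NEW_NIS = "domain.loc", "samdom.domain.net", "samdom"
DROP = {"objectguid", "objectsid", "whencreated", "whenchanged"}

def rewrite(name, value):
    if name == "mssfu30nisdomain":
        return NEW_NIS
    if name == "userprincipalname":
        return re.sub("@" + re.escape(OLD_REALM) + "$", "@" + NEW_REALM,
                      value, flags=re.I)
    # dn and DN-valued attributes (member, manager, ...): swap the suffix only
    return re.sub("(^|,)" + re.escape(OLD_DN) + "$",
                  lambda m: m.group(1) + NEW_DN, value, flags=re.I)

def migrate_ldif(text):
    text = re.sub(r"\r?\n ", "", text)        # undo LDIF line folding first
    out = []
    for line in text.splitlines():
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            out.append(line)                  # blank lines, comments
            continue
        if attr.lower() in DROP:
            continue                          # DC-generated, not imported
        if rest.startswith(":"):              # "attr:: <base64>"
            raw = base64.b64decode(rest[1:].strip())
            try:
                new = rewrite(attr.lower(), raw.decode("utf-8")).encode("utf-8")
            except UnicodeDecodeError:
                new = raw                     # binary value, left untouched
            out.append(attr + ":: " + base64.b64encode(new).decode("ascii"))
        else:
            out.append(attr + ": " + rewrite(attr.lower(), rest.strip()))
    return "\n".join(out) + "\n"

# Constructed sample entry (folded DN, binary SID), not real directory data.
SAMPLE = """dn: CN=Jane Doe,CN=Users,DC=domain,
 DC=loc
userPrincipalName: jdoe@domain.loc
msSFU30NisDomain: domain
objectSid:: AQUAAAAAAAUVAAAA
whenCreated: 20170101000000.0Z
"""
if __name__ == "__main__": print(migrate_ldif(SAMPLE), end="")
```

Only a trailing domain suffix is rewritten, so free-text values that merely mention the old DN are left alone.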

