[Samba] migrate several samba3+openldap pdc to samba3

Guido Lorenzutti guido at lorenzutti.com.ar
Sun Feb 18 13:22:17 UTC 2018


  

On Sun, 18 Feb 2018 14:05:38 +1300, Andrew Bartlett via samba
wrote: 

> On Sat, 2018-02-17 at 20:44 -0300, Guido Lorenzutti via samba
wrote:
> 
>> Hi there! I have one domain, shared between several
samba3+openldap on different geographical locations. I want to migrate
them to samba4. The domain has aprox 4000 users accounts, 4000
workstations, and several groups. I was able to successfully migrate the
domain in a test environment. But I am faced with the problem that I
will not be able to migrate in parallel the more than 20 locations at
the same time. Most likely I have to do one per day, or one every other
day. But during that time, users will continue to use the domain and
change their passwords. As also the machine accounts will continue to
interact with the domain to update their credentials. Any idea to
gradually migrate every location without having the problem that since I
made the first migration, there have probably been changes in passwords,
creations of users, etc?
> 
> I certainly can and has been done. It is
easier if you can assert that
> now new users will be added during the
migration. Password changes can
> be forced though by exporting the
password and forcing it in to the AD
> DC. 
> 
> For a long time I've
wanted to extend the classicupgrade tool to
> operate in an incremental
mode (watching the pwdLastSet to pick the
> most recent password change)
but for the moment you will need to write
> your own scripts. 
> 
>
Others on the list who have done this in operational migrations will
be
> able to give more specific advise. In general ensure the two
domains
> can't see each other (not share the same netbios namespace)
during the
> migration to ensure a client can't attempt a domain login
against one
> and then the other. 
> 
> I wish you all the best with the
migration,

Thank you Andrew!

How can import the modified passwords to
the AD? I can do a search in the ldap to get the modified atributes and
export them. But I didnt find a way to import this atributes on the
samba AD.

Tnxs.

  


More information about the samba mailing list