[Samba] Demote a samba DC and rejoin as member

[Denis Cardon]

Hi Andreas,

>> Yes, when switching, it is much safer to clean up your /var/lib/samba.
>> Be sure to recreate the /var/lib/samba/private folder after cleanup,
>> that folder is not recreated automatically most of the time.
>>
>> There is nothing very complicated in what you wanted to do. Just be
>> sure to double check the replication before demoting, be sure to
>> demote to remove all the old DNS entries pointing to your old server,
>> check your DNS config on servers and desktops.
>>
>> I do that regularly, kind of business as usual, but the other way
>> around, from MS-AD to Samba AD... By the way Samba-AD is much more
>> easy to maintain if you are familiar with AD and at easy with command
>> line / scripting. Unless you have a business/corporate requirement
>> expressly needing a MS-AD, I'd say it would be better to stick with
>> Samba-AD.
> Hello,
>
> thanks for your help.
>
> For the reasons to do that: until now, I had the impression it was the
> other way round, MS-AD looked easier to maintain, at least as long as
> everything works... Part of the problem may be that I am bound to use
> the samba packages shipped with Debian stable, which is 4.5.12 at the
> moment. I already encountered several points which were already fixed in
> newer versions, but I would have to wait for Debian 10 to get these.
> But I am more familiar with Linux and the command line, so I am
> considering your words and staying with samba. What is absolutely
> required is to have domain members running Windows 10 and Server 2016,
> and I am unsure whether this works with this rather old version of samba.

As far as packaging is concerned, you are right in saying that distro 
version are too outdated for production Samba-AD. For file servers it 
might be OK depending on your requirements, but for AD it is better to 
mostly follow new version. Samba-AD is a fast moving target with a lot 
of improvement/bug fixes at each version. Currently you can go with 
Samba 4.7.4.

You can check LPH van Belle packages or the one we bakes at my office 
[1]. You should also be sure to use Bind DLZ for DNS (Samba internal DNS 
does not do caching currently, so it forwards all the queries which are 
not pointing to its own zones).

By the way, one thing that you started to do your migration process, 
splitting AD server and fileserver, is a good thing to do in any cases. 
Winbind process behaves differently on AD and fileserver, and it is much 
better for maintenance to split those two roles. And from a 
cyber-security point of view, it is advised, be it MS or Samba, to put 
as few stuff as possible on AD since it is a very critical machine from 
a security stand point.

Once Samba-AD is properly setup, it does run smoothly. We've got 
hundreds of them humming happily at clients. And you can have win10 and 
win2k16 member servers without problems. There are cases where MS-AD is 
the only options, mainly if you need 2k12 schema support (currently 
being implemented) or 2k12 security features like FAST or silos, or a 
tight SIEM integration (logging framework needs to be improved), 
inter-domain trusts, or third party software requirements.

Cheers,

Denis

[1] https://dev.tranquil.it

>
> Bye,
> Andreas
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr