[Samba] Migration to samba4 ad and sync to openldap.

John McMonagle johnm at advocap.org
Thu Apr 4 19:09:18 UTC 2019


I managed to do migration using "classicupgrade".
Doing tests with debian buster 2:4.9.4+dfsg-4.
For the moment using samba internal dns and sub-domain of ad.advocap.org.
Had issue forwarding dns if I used main domain.
When it comes to real production will use bind that I understand better 
but don't want to mess with my other dns servers now.

Had a w10 box  join samba4 ad controller so it's a promising start :-)
From w10 all looks good.
There are a number of rough edges to work out.

It did not migrate a lot of attributes that are in active directory.
The most important one to us is "mail"
Others by ldap account manager names:
User name
First Name
Last Name
I'm sure there are others.

I did full dump of samba4 ldap with ldapsearch and the attributes do not 
exist.

They should have been migratable.
What do I do to migrate the other parameters?

Does the domain administrator account give me access to everything in ldap?

LAM sort of works.
I'm using the domain administrator account to authenticate.
Is that correct?

The LAM site gives very little info on setup.
Followed what I could find.
At the moment just using the Windows module for Users and Groups
Users:
LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
List attributes:  #givenName;#sn;#mail   (None of these exist as migrated)
Groups:
LDAP suffix:CN=Users,DC=ad,DC=advocap,DC=org
List attributes:#cn;#gidNumber;#memberUID;#description

Any assistance is appreciated.
There are a lot more questions to come :-(

John



On 3/21/19 10:25 AM, Christian Naumer via samba wrote:
> On 21.03.19 at 15:50, John McMonagle via samba wrote:
> 
>> That sounds promising
>> How did you migrate your data?
> 
> We did the "classicupgrade" as described in the wiki.
> 
>> Did you need to add any schema to samba4 ad?
> 
> No. But this depends on what you have in ldap now. Do you have dhcp-data
> in there?
> 
>>
>> We're in 5 cities and some of the Internet is not 100% reliable.
>> Will need samba4 in each office to make sure they can log in even if the
>> Internet is down.
>> How reliable is the ad syncing?
> 
> We have 4 DCs and never really had a problem. However, reading this list,
> this is not always the case it seems.
> 
> 
>> Does it need a lot of bandwidth?
> 
> I can't comment on that as our DCs are at one site.
> 
> 
>> One of the offices with no windows computers has slow dsl.
>>
>> We will have to reconfigure a lot of computers during conversion.
>> I'm thinking if the openldap is not on the same server as samba4 one
>> could keep both running for a few days.
> 
> The windows machines can't go back if they once saw the AD. With the
> linux servers you probably could do it.
> 
> 
>> Do you think that's feasible?
> 
> We planned very carefully. We did some test migrations of the data in
> closed-off VMs. Tested each service that we thought could cause problems
> in that environment.
> Then we migrated 2-3 days before we planned the big switch. Stopped all
> password changes so that we didn't have old data. We made the rest of
> the switch in one day on a weekend. There were 5 Windows Server
> domain members. About 15 Linux servers with several different software
> packages (web app with php, cyrus, postfix, local auth of users, Samba member
> servers, Radius, dhcp, etc). Most of them we tested before as VMs in a
> closed-off environment.
> 
> 
>> I can see some possible issues but think they
>> can be dealt with.
> 
> Planning is everything. And testing the whole thing too.
> 
> Regards
> 
> Christian
> 


-- 
John McMonagle
IT Manager
Advocap Inc.
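Added example (mine, not code from the thread, Samba or LAM): one way to find which accounts came through classicupgrade without the attributes the post lists, by parsing an ldapsearch LDIF dump of the Users container; the DC hostname and bind account in the comment are assumptions.

```shell
# Added example, not from the thread: audit an ldapsearch LDIF dump of the
# Samba AD Users container for accounts lacking the attributes the poster
# found missing after classicupgrade (givenName, sn, mail).
# A dump can be produced with a command like this (host and bind DN are
# assumed; use ldaps:// because Samba's default 'ldap server require strong
# auth = yes' rejects a simple bind over plain ldap://):
#   ldapsearch -LLL -H ldaps://dc1.ad.advocap.org \
#     -D 'Administrator@ad.advocap.org' -W \
#     -b 'CN=Users,DC=ad,DC=advocap,DC=org' '(objectClass=user)' \
#     dn givenName sn mail > users.ldif

# Read LDIF on stdin; print "<dn> missing a,b" for each entry that lacks any
# of the attribute names given as arguments.
missing_attrs() {
    awk -v want="$*" '
    BEGIN { n = split(want, req, " ") }
    function flush(   i, k, miss) {
        if (dn == "") return
        miss = ""
        for (i = 1; i <= n; i++)
            if (!(req[i] in seen)) miss = miss (miss == "" ? "" : ",") req[i]
        if (miss != "") print dn " missing " miss
        dn = ""
        for (k in seen) delete seen[k]
    }
    /^ /   { next }                     # folded line: attribute already counted
    /^$/   { flush(); next }            # blank line ends an entry
    /^dn:/ { flush(); dn = $0; sub(/^dn::? */, "", dn); next }
    /^[A-Za-z][A-Za-z0-9-]*::? / { split($0, kv, ":"); seen[kv[1]] = 1 }
    END    { flush() }'
}

# Constructed sample dump: one complete user and two as classicupgrade left them.
SAMPLE_LDIF='dn: CN=jdoe,CN=Users,DC=ad,DC=advocap,DC=org
givenName: John
sn: Doe
mail: jdoe@example.org

dn: CN=asmith,CN=Users,DC=ad,DC=advocap,DC=org
sn: Smith

dn: CN=bjones,CN=Users,DC=ad,DC=advocap,DC=org
sAMAccountName: bjones
'

# Run the audit over the sample; real use: missing_attrs givenName sn mail < users.ldif
audit_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | missing_attrs givenName sn mail
}
audit_sample
```

Accounts listed here are the ones that need their attributes re-populated (for example from the old OpenLDAP tree) before LAM's givenName/sn/mail columns will show anything.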
