[Samba] Migration to samba4 ad and sync to openldap.

John McMonagle johnm at advocap.org
Sat Apr 6 13:07:20 UTC 2019

On 4/4/19 3:18 PM, Rowland Penny via samba wrote:
> On Thu, 4 Apr 2019 14:09:18 -0500
> John McMonagle via samba <samba at lists.samba.org> wrote:
>> I managed to do migration using "classicupgrade".
>> Doing tests with debian buster 2:4.9.4+dfsg-4.
>> For the moment using samba internal dns and sub-domain of
>> ad.advocap.org. Had issue forwarding dns if I used main domain.
> Please define 'forwarding'. Your DC needs to be authoritative for its
> dns domain, so all that it should forward is anything outside its own
> dns domain.
For this test the samba4 ad controller is ad.advocap.org.
Everything else is advocap.org.
put this in smb.conf pointing to one of our internal dns controllers.
dns forwarder =

I assume if I have bind use samba I can have bind push out the samba 
created records to the other dns servers.

At that point all the dns servers have the same information and they are 
all authoritative for the domain.

At as this is just a testing phase I doesn't want to tamper with my 
other dns servers.
At the moment mostly concerned with the ldap and kerberos parts and how 
to get that working with the linux parts.

In the end all the internal dns may be on samba4 ad directory boxes but 
that will take a long time.

>> It did not migrate a lot of attributes that are in active directory.
>> The most important one to us is "mail"
>> Others by ldap account manager names:
>> User name
>> First Name
>> Last Name
>> I'm sure there are others.
> The upgrade only migrates the attributes really required by AD, you
> will have to script any others you require.
>> Does the domain administrator account give me access to everything in
>> ldap?
> Yes
>> Lam sort of works.
>> I'm using the domain administrator account to authenticate.
>> Is that the correct?
> You can also use users that are members of 'Administrators', 'Domain
> Admins' or any other group you have delegated privileges to.
>> The lam site gives very little info on setup.
> You need 'Windows (windowsUser)(*)' & 'Unix (posixAccount)' for users,
> 'Windows(windowsGroup)(*)' & Unix (windowsPosixGroup) for groups
> on the Accounts type tab you need:
> #sAMAccountName;#givenName;#sn;#uidNumber;#gidNumber for users
> #cn;#gidNumber;#member;#description for groups
> Rowland

John McMonagle
IT Manager
Advocap Inc.

More information about the samba mailing list