[Samba] Migration to samba4 ad and sync to openldap.
johnm at advocap.org
Sat Apr 6 13:07:20 UTC 2019
On 4/4/19 3:18 PM, Rowland Penny via samba wrote:
> On Thu, 4 Apr 2019 14:09:18 -0500
> John McMonagle via samba <samba at lists.samba.org> wrote:
>> I managed to do migration using "classicupgrade".
>> Doing tests with debian buster 2:4.9.4+dfsg-4.
>> For the moment using samba internal dns and sub-domain of
>> ad.advocap.org. Had issue forwarding dns if I used main domain.
> Please define 'forwarding'. Your DC needs to be authoritative for its
> dns domain, so all that it should forward is anything outside its own
> dns domain.
For this test the samba4 ad controller is ad.advocap.org.
Everything else is advocap.org.
Put this in smb.conf, pointing to one of our internal dns controllers:
dns forwarder = 192.168.2.1
I assume if I have bind use samba I can have bind push out the samba
created records to the other dns servers.
At that point all the dns servers have the same information and they are
all authoritative for the domain.
As this is just a testing phase I don't want to tamper with my
other dns servers.
At the moment mostly concerned with the ldap and kerberos parts and how
to get that working with the linux parts.
In the end all the internal dns may be on samba4 ad directory boxes but
that will take a long time.
>> It did not migrate a lot of attributes that are in active directory.
>> The most important one to us is "mail"
>> Others by ldap account manager names:
>> User name
>> First Name
>> Last Name
>> I'm sure there are others.
> The upgrade only migrates the attributes really required by AD, you
> will have to script any others you require.
>> Does the domain administrator account give me access to everything in
>> Lam sort of works.
>> I'm using the domain administrator account to authenticate.
>> Is that correct?
> You can also use users that are members of 'Administrators', 'Domain
> Admins' or any other group you have delegated privileges to.
>> The lam site gives very little info on setup.
> You need 'Windows (windowsUser)(*)' & 'Unix (posixAccount)' for users,
> 'Windows(windowsGroup)(*)' & Unix (windowsPosixGroup) for groups
> on the Accounts type tab you need:
> #sAMAccountName;#givenName;#sn;#uidNumber;#gidNumber for users
> #cn;#gidNumber;#member;#description for groups
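
The reply quoted above notes that attributes such as "mail" are not carried over by classicupgrade and have to be scripted. One way to do that, as an added example that is not part of the original thread or of Samba: build a modify LDIF from an OpenLDAP export, matched against account DNs read from the AD DC. The function names and the sample entries are constructed, and the script assumes the OpenLDAP `uid` equals the AD `sAMAccountName`.

```python
import base64

WANTED = ("mail", "givenName", "sn")  # attributes the thread reports as not migrated
OPENLDAP_SAMPLE = """dn: uid=jdoe,ou=People,dc=advocap,dc=org
uid: jdoe
sn:: RMO2ZQ==
mail: jdoe@example.org

dn: uid=olduser,ou=People,dc=advocap,dc=org
uid: olduser
"""  # constructed sample: OpenLDAP export
AD_SAMPLE = """dn: CN=jdoe,CN=Users,DC=ad,DC=advocap,DC=org
sAMAccountName: jdoe
"""  # constructed sample: ldbsearch-style output from the AD DC

def parse_ldif(text):
    """Parse simple LDIF into {lowercased attr: [values]} dicts, decoding 'attr:: <base64>'."""
    entries, cur = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # unfold; "" flushes last
        if not line.strip():
            entries += [cur] if cur else []
            cur = {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            value = base64.b64decode(rest[1:]).decode() if rest[:1] == ":" else rest.strip()
            cur.setdefault(name.lower(), []).append(value)
    return entries

def ldif_value(attr, value):
    """Format one attribute line, base64-encoding values LDIF cannot carry raw."""
    if value.isascii() and value.isprintable() and not value.startswith((" ", ":", "<")):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def build_modify_ldif(openldap_export, ad_export):
    """Return (modify LDIF, uids without an AD account), matching uid to sAMAccountName."""
    dn_by_account = {e["samaccountname"][0].lower(): e["dn"][0]
                     for e in parse_ldif(ad_export) if "samaccountname" in e}
    records, skipped = [], []
    for entry in parse_ldif(openldap_export):
        uid = entry.get("uid", [""])[0]
        dn = dn_by_account.get(uid.lower())
        if dn is None:
            skipped.append(uid)  # never guess a DN for an unmatched account
            continue
        lines = [ldif_value("dn", dn), "changetype: modify"]
        for attr in (a for a in WANTED if a.lower() in entry):  # single-valued in AD
            lines += [f"replace: {attr}", ldif_value(attr, entry[attr.lower()][0]), "-"]
        records += ["\n".join(lines)] if len(lines) > 2 else []
    return "\n\n".join(records) + "\n", skipped
```

Review the generated LDIF and the skipped list before applying it to the test DC with a tool such as ldbmodify.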