[Samba] Migration to samba4 ad and sync to openldap.

Rowland Penny rpenny at samba.org
Sat Apr 6 13:23:32 UTC 2019 

On Sat, 6 Apr 2019 08:07:20 -0500
John McMonagle <johnm at advocap.org> wrote:

> On 4/4/19 3:18 PM, Rowland Penny via samba wrote:
> > On Thu, 4 Apr 2019 14:09:18 -0500
> > John McMonagle via samba <samba at lists.samba.org> wrote:
> >   
> >> I managed to do migration using "classicupgrade".
> >> Doing tests with debian buster 2:4.9.4+dfsg-4.
> >> For the moment using samba internal dns and sub-domain of
> >> ad.advocap.org. Had issue forwarding dns if I used main domain.  
> > 
> > Please define 'forwarding'. Your DC needs to be authoritative for
> > its dns domain, so all that it should forward is anything outside
> > its own dns domain.  
> For this test the samba4 ad controller is ad.advocap.org.
> Everything else is advocap.org.

So 'ad.advocap.org' is a subdomain of 'advocap.org', so far so good.

> put this in smb.conf pointing to one of our internal dns controllers.
> dns forwarder = 192.168.2.1

Again good.

> 
> I assume if I have bind use samba I can have bind push out the samba 
> created records to the other dns servers.

Bad idea.

> 
> At that point all the dns servers have the same information and they
> are all authoritative for the domain.

Wrong, only the Samba AD DC's should be authoritative for the domain
and hold the records.

> 
> At as this is just a testing phase I doesn't want to tamper with my 
> other dns servers.

You never need to. You just make the domain members use the Samba DC's
as their nameservers. When they ask them for info about another domain
member, the DC should return it, but if the domain member asks for info
about an address outside the domain (www.samba.org for instance), the
DC will not know this and should ask its forwarder(s), who, if they
know it, will return the info, otherwise, they will ask their
forwarder(s).

> At the moment mostly concerned with the ldap and kerberos parts and
> how to get that working with the linux parts.

Try asking.

> 
> In the end all the internal dns may be on samba4 ad directory boxes
> but that will take a long time.

No, you need to get this correct from the start, AD lives and dies on
DNS.

Rowland

More information about the samba mailing list