[Samba] External Authentication
Julien TEHERY
julien.tehery at openevents.fr
Fri Apr 12 10:06:14 UTC 2019
Hi there
Le 12/04/2019 à 09:57, Marco Gaiarin via samba a écrit :
> Mandi! Vex Mage via samba
> In chel di` si favelave...
>
>> I've spun up a Samba4 server and set it up as an active directory domain
>> controller and I can definitely see that this is a very robust system and
>> is working well however; I don't see a management solution to
>> synchronization between the campus LDAP server and Samba4 AD/DC.
> You can sync users simply wrapping some 'ldapserch' on 'old' LDAP server
> and some 'samba-tool user create' on AD.
> I've setup some scripts, but probably are soo tightned to my setup to
> be littleor no help generally.
>
> To sync password, you can instead wrap 'check password script' in old
> samba with 'samba-tool user syncpassword' in new samba/AD, look at:
>
> https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP
>
> Supposing a frequent password change (3 months?) you can wait a bit to
> have password in sync, and then use both the domain in 'parallel'.
>
I agree with marco, I'm actually working on migrating a samba3 domain to
a samba4 domain (with different name).
A POC environment is setup in a separate network
I popuplated Samba4/AD from samba3 with this very usefull tool
https://lsc-project.org/documentation/tutorial/openldaptoactivedirectory
Keep in mind you will have to map attributes from one to another, and
don't forget to synchronize uid/gid as unix attributes in Samba4, so
that your migrated users can still have access to their samba shares or
whatever you had in your old samba3 domain.
And keep password synchronized between the two domains with (works as a
trigger, once a password is updated on samb4 server, et keeps it
synchronized to your old ldap server
https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP
But there's a trick, you'll have to modifiy the script to update both
userpassword _*AND *_sambantpassword fields (the script only updates
userpassword), so you can access to your former samba resources.
@Rowland :
|See the answer above, plus there is a very big hole in your proposed
|set up, if your clients see the AD DC, they will not contact the NT4
|PDC again.
I've seen some setups where a company had a (real) AD domain and a samba3 domain working together on the same subnets with win7 or win10 workstations who could join one or another domain without troubles.
What you mean is if samba4 domain has the same name as samba3 domain, workstations won't be able so see the oldest anymore once joined to the new one?
Or does it mean that whatever the name of the new samba4 domain is, if a workstation joins it, it won't be able to join the old domain anymore? (never tried it)
As my POC seems to work well, I intend ton install it in production soon.
Is it recommended to set the new samba4 domain in production up on a different subnet or not?
Julien
More information about the samba
mailing list