[Samba] External Authentication

Julien TEHERY julien.tehery at openevents.fr
Fri Apr 12 10:06:14 UTC 2019

Hi there

Le 12/04/2019 à 09:57, Marco Gaiarin via samba a écrit :
> Mandi! Vex Mage via samba
>    In chel di` si favelave...
>> I've spun up a Samba4 server and set it up as an active directory domain
>> controller and I can definitely see that this is a very robust system and
>> is working well however; I don't see a management solution to
>> synchronization between the campus LDAP server and Samba4 AD/DC.
> You can sync users simply wrapping some 'ldapserch' on 'old' LDAP server
> and some 'samba-tool user create' on AD.
> I've setup some scripts, but probably are soo tightned to my setup to
> be littleor no help generally.
> To sync password, you can instead wrap 'check password script' in old
> samba with 'samba-tool user syncpassword' in new samba/AD, look at:
> 	https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP
> Supposing a frequent password change (3 months?) you can wait a bit to
> have password in sync, and then use both the domain in 'parallel'.
I agree with marco, I'm actually working on migrating a samba3 domain to 
a samba4 domain (with different name).
A POC environment is setup in a separate network
I popuplated Samba4/AD  from samba3 with this very usefull tool


Keep in mind you will have to map attributes from one to another, and 
don't forget to synchronize uid/gid as unix attributes in Samba4, so 
that your migrated users can still have access to their samba shares or 
whatever you had in your old samba3 domain.

And keep password synchronized between the two domains with (works as a 
trigger, once a password is updated on samb4 server, et keeps it 
synchronized to your old ldap server


But there's a trick, you'll have to modifiy the script to update both 
userpassword _*AND *_sambantpassword fields (the script only updates 
userpassword), so you can access to your former samba resources.

@Rowland :

|See the answer above, plus there is a very big hole in your proposed
|set up, if your clients see the AD DC, they will not contact the NT4
|PDC again.

I've seen some setups where a company had a (real) AD domain and a samba3 domain working together on the same subnets with win7 or win10 workstations who could join one or another domain without troubles.
What you mean is if samba4 domain has the same name as samba3 domain, workstations won't be able so see the oldest anymore once joined to the new one?
Or does it mean that whatever the name of the new samba4 domain is, if a workstation joins it, it won't be able to join the old domain anymore? (never tried it)

As my POC seems to work well, I intend ton install it in production soon.
Is it recommended to set the new samba4 domain in production up on a different subnet or not?


More information about the samba mailing list