[Samba] External Authentication

Vex Mage dosmage at gmail.com
Fri Apr 12 17:15:51 UTC 2019


Julien,

Thank you, I hadn't even considered Samba4 updating the existing LDAP
server. I think since the central campus LDAP will be authoritative I'll
allow it to override Samba4 and not have Samba4 push upstream.

What you described is how a group of our IT staff here are going to solve
this problem. They've already created a proof of concept. In fact, the
reason I've taken this case is because I couldn't believe that Samba4 would
require such a finessed solution to solve this problem; however, I'm
starting to believe that it may be one of the ways we'll have to move
forward.

Thank you!

On Fri, Apr 12, 2019 at 3:27 AM Julien TEHERY via samba <samba at lists.samba.org> wrote:

> Hi there
>
> On 12/04/2019 at 09:57, Marco Gaiarin via samba wrote:
> > Hello! Vex Mage via samba
> >    On that day it was said...
> >
> >> I've spun up a Samba4 server and set it up as an Active Directory domain
> >> controller and I can definitely see that this is a very robust system and
> >> is working well; however, I don't see a management solution to
> >> synchronization between the campus LDAP server and Samba4 AD/DC.
> > You can sync users simply by wrapping some 'ldapsearch' on the 'old' LDAP server
> > and some 'samba-tool user create' on AD.
> > I've set up some scripts, but they are probably so tightly tied to my setup
> > that they would be of little or no help generally.
> >
> > To sync passwords, you can instead wrap the 'check password script' in the old
> > samba with 'samba-tool user syncpassword' in the new samba/AD; look at:
> >
> >
> https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP
> >
> > Supposing a frequent password change (3 months?) you can wait a bit to
> > have the passwords in sync, and then use both domains in 'parallel'.
> >
> I agree with Marco; I'm actually working on migrating a samba3 domain to
> a samba4 domain (with a different name).
> A POC environment is set up in a separate network.
> I populated Samba4/AD from samba3 with this very useful tool:
>
> https://lsc-project.org/documentation/tutorial/openldaptoactivedirectory
>
> Keep in mind you will have to map attributes from one to another, and
> don't forget to synchronize uid/gid as unix attributes in Samba4, so
> that your migrated users can still have access to their samba shares or
> whatever you had in your old samba3 domain.
>
> And keep passwords synchronized between the two domains with this (it works as a
> trigger: once a password is updated on the Samba4 server, it keeps it
> synchronized to your old LDAP server):
>
>
> https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP
>
>
> But there's a trick: you'll have to modify the script to update both the
> userpassword AND sambantpassword fields (the script only updates
> userpassword), so you can access your former samba resources.
>
> @Rowland :
>
> |See the answer above, plus there is a very big hole in your proposed
> |set up, if your clients see the AD DC, they will not contact the NT4
> |PDC again.
>
> I've seen some setups where a company had a (real) AD domain and a samba3
> domain working together on the same subnets with win7 or win10 workstations
> which could join one or the other domain without trouble.
> Do you mean that if the samba4 domain has the same name as the samba3 domain,
> workstations won't be able to see the old one anymore once joined to the new
> one?
> Or does it mean that whatever the name of the new samba4 domain is, if a
> workstation joins it, it won't be able to join the old domain anymore?
> (never tried it)
>
> As my POC seems to work well, I intend to install it in production soon.
> Is it recommended to set up the new samba4 domain in production on a
> different subnet or not?
>
>
>
> Julien
>


-- 
Vex
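Marco's suggestion above, wrapping an ldapsearch of the old LDAP server with samba-tool user create on the AD side, as an added example that is not part of the thread or of Samba itself. It assumes posixAccount entries carrying uid, uidNumber and gidNumber and an ldapsearch run with `-o ldif-wrap=no`; the LDIF below is constructed to stand in for that output.

```shell
#!/bin/sh
# Added example (not from the thread): turn `ldapsearch -LLL` LDIF from the old campus
# LDAP into one `samba-tool user create` per posixAccount, carrying uidNumber/gidNumber,
# home and shell across. Values come from a foreign directory, so they are validated
# and shell-quoted. Passwords cannot be read from LDAP: --random-password here, the
# check-password / syncpasswords hook from the thread brings the real ones over later.

# Constructed sample standing in for `ldapsearch -LLL ... -o ldif-wrap=no` output;
# the second entry has shell metacharacters in its uid and must be rejected.
SAMPLE_LDIF='dn: uid=alice,ou=people,dc=campus,dc=example
uid: alice
givenName: Alice
sn: O'\''Brien
uidNumber: 10001
gidNumber: 5000
homeDirectory: /home/alice
loginShell: /bin/bash

dn: uid=bob,ou=people,dc=campus,dc=example
uid: bob$(id)
uidNumber: 10002
gidNumber: 5000
'
AWK_PROG=$(cat <<'EOF'
function sq(s,  n, q, out, i) {           # POSIX single-quoting: ' becomes '\''
    n = split(s, q, "'"); out = q[1]
    for (i = 2; i <= n; i++) out = out "'\\''" q[i]
    return "'" out "'"
}
BEGIN { RS = ""; FS = "\n" }               # blank-line separated records, one line per field
{
    split("", a)
    for (i = 1; i <= NF; i++) {            # "attr: value"; comments and folded lines skipped
        if ($i ~ /^[# ]/) continue
        p = index($i, ": "); if (p == 0) continue
        a[substr($i, 1, p - 1)] = substr($i, p + 2)
    }
    if (!("uid" in a)) next
    if (a["uid"] !~ /^[A-Za-z0-9._-]+$/ || a["uidNumber"] !~ /^[0-9]+$/ || a["gidNumber"] !~ /^[0-9]+$/) {
        printf "skipping %s: unsafe or missing uid/uidNumber/gidNumber\n", a["dn"] > "/dev/stderr"; next
    }
    cmd = "samba-tool user create " sq(a["uid"]) " --random-password --uid-number=" a["uidNumber"] " --gid-number=" a["gidNumber"]
    n = split("homeDirectory=--unix-home loginShell=--login-shell givenName=--given-name sn=--surname mail=--mail-address", m, " ")
    for (i = 1; i <= n; i++) { split(m[i], kv, "="); if (kv[1] in a) cmd = cmd " " kv[2] "=" sq(a[kv[1]]) }
    print cmd
}
EOF
)
ldif_to_samba_tool() { awk "$AWK_PROG"; }  # LDIF on stdin -> commands; review them, then pipe to sh on the DC
printf '%s' "$SAMPLE_LDIF" | ldif_to_samba_tool   # demo on the constructed sample
```

Against a real directory, `ldapsearch -LLL -x -o ldif-wrap=no -H ldap://<old-ldap-host> -b <people-base-dn> '(objectClass=posixAccount)' | ldif_to_samba_tool > create-users.sh` gives a script to read before it is run as a domain administrator on the DC.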