[Samba] Migration to samba4 ad and sync to openldap.

Rowland Penny rpenny at samba.org
Tue Mar 19 17:08:25 UTC 2019

On Tue, 19 Mar 2019 11:03:12 -0500
John McMonagle via samba <samba at lists.samba.org> wrote:

> We are currently running samba3 nt4 domain controllers using
> smb-ldap-tools. We want to convert to samba4 ad so we can run new
> versions of windows server.

Why do you need a newer Windows version?
You state you have no Windows workstations.
But you are correct, you need to upgrade, Samba3 is dead, but has later
versions, smbldap-tools is totally dead, there doesn't seem to be a
source website anymore, it just needs a Perl upgrade that breaks it and
you are lost.

> I know of:
> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
> But that would break us by moving all ldap to the ad ldap.
> We have lots of stuff in ldap.

So what, most if not all of that could be moved to AD, though you may
have to use later versions of your software or migrate to other,
possibly better software.

> Currently administer using ldap account manager.
> We are in 5 cities and about 95% linux.

Looks like a probable good use of 'sites'

> Have 7 openldap servers controlling everything.
> Have just 3 nt4 domain controllers and only 3 windows servers on the
> domain. We have no windows workstations on the domain.

As I said above, why do you need the Windows servers, what do they do?

> All workstations are linux ltsp and all windows is done via rdp.
> Getting rid of the openldap is too painful to contemplate.
> Even if I was willing to move all the authentication and
> authorization stuff to ad would still need openldap.

Why, what do you use openldap for?

> Seen references to solutions to sync ad to openldap like:
> https://lsc-project.org/documentation/howto/activedirectory
> Suspect there are other ways to attack the problem.
> I'm willing to live with the issue of not being able to sync
> passwords from kerberos ->  ldap.
> May switch to kerberos for authentication at some point.

Kerberos is undoubtedly the most secure.

