[Samba] Migration to samba4 ad and sync to openldap.

John McMonagle johnm at advocap.org
Tue Mar 19 20:41:43 UTC 2019

On 3/19/19 2:52 PM, Rowland Penny via samba wrote:
> On Tue, 19 Mar 2019 14:04:27 -0500
> John McMonagle <johnm at advocap.org> wrote:
>> I'm open to alternatives but need to be up and running 24/7 on the
>> linux side.
>> My boss hates windows more than I do and will likely be looking for a
>> new job if I use windows to administer the linux side.
>> We only use windows if there is no other way to do something.
>> On 3/19/19 12:08 PM, Rowland Penny via samba wrote:
>>> On Tue, 19 Mar 2019 11:03:12 -0500
>>> John McMonagle via samba <samba at lists.samba.org> wrote:
>>>> We are currently running samba3 nt4 domain controllers using
>>>> smb-ldap-tools. We want to convert to samba4 ad so we can run new
>>>> versions of windows server.
>>> Why do you need a newer Windows version ?
>> Running server 2008 and support is ending soon.
>>> You state you have no Windows workstations.
>>> But you are correct, you need to upgrade, Samba3 is dead, but has
>>> later versions, smbldap-tools is totally dead, there doesn't seem
>>> to be a source website anymore, it just needs a Perl upgrade that
>>> breaks it and you are lost.
>>>> I know of:
>>>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)
>>>> But that would break us by moving all ldap to the ad ldap.
>>>> We have lots of stuff in ldap.
>>> So what, most if not all of that could be moved to AD, though you
>>> may have to use later versions of your software or migrate to other,
>>> possibly better software.
>> At the moment the main thing I can think of is the mail server uses
>> it for mailing lists and all authentication and authorization.
> What is your mail server ?
Debian, cyrus imap postfix, amavis, clamav, sogo ...

>> All it takes is one crucial thing that ad will not do and it's
>> eliminated as the only source of data.
>>>> Currently administer using ldap account manager.
>>>> We are in 5 cities and about 95% linux.
>>> Looks like a probable good use of 'sites'
>> What is sites?
> Try reading this:
> https://wiki.samba.org/index.php/Active_Directory_Sites
> Basically boils down to having a DC (at least) at each site and
> configuring AD to be in its own 'site' in AD.
That takes care of part of the problem.
>>>> Have 7 openldap servers controlling everything.
>>>> Have just 3 nt4 domain controllers and only 3 windows servers on
>>>> the domain. We have no windows workstations on the domain.
>>> As I said above, why do you need the Windows servers, what do they
>>> do ?
>> Accounting, anything that can not be done in linux.
> Is this a proprietary accounting package ?
It's a non-profit charitable organization and we need a very flexible
accounting system.
Besides the IRS, everyone that gives us money wants to define how we do
our accounting.
>> All services are provided by linux.
>>>> All workstations are linux ltsp and all windows is done via rdp.
>>>> Getting rid of the openldap is too painful to contemplate.
>>>> Even if I was willing to move all the authentication and
>>>> authorization stuff to ad would still need openldap.
>>> Why, what do you use openldap for ?
>> Pretty much all authorization and authentication, groups, mailing
>> lists for hundreds of computers at 5 locations.
> What you could do is, run the openldap servers as Unix domain members
> and sync user names and password from AD, probably the easiest way
> would be to investigate the Univention server:
> https://www.univention.com/
I'll check it out.

> Rowland

John McMonagle
IT Manager
Advocap Inc.
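The 'sites' suggestion above (one DC per location, each location its own AD site) is usually expressed as a site plus the subnet that belongs to it, so that clients in that subnet locate their local DC. The script below is an added illustration, not something from this thread or from the Samba project: it turns a constructed five-location plan (the office names and subnets are placeholders) into the `samba-tool sites create` / `samba-tool sites subnet create` invocations an administrator would review and then run on a DC.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Site names and subnets are constructed placeholders; replace them with
# the real offices and their routed subnets before applying anything.
SITE_PLAN="
HeadOffice 10.10.0.0/16
Branch1 10.20.0.0/16
Branch2 10.30.0.0/16
Branch3 10.40.0.0/16
Branch4 10.50.0.0/16
"

# Emit one samba-tool command per line without executing anything.
# First the site itself, then the subnet that maps clients to that site.
plan_site_commands() {
    printf '%s\n' "$SITE_PLAN" | while read -r site subnet; do
        [ -z "$site" ] && continue
        printf 'samba-tool sites create %s\n' "$site"
        printf 'samba-tool sites subnet create %s %s\n' "$subnet" "$site"
    done
}

# Review the plan; on a DC it could then be applied with:
#   plan_site_commands | sh
plan_site_commands
```

Keeping the plan as data and the command generation separate makes it easy to diff the intended site layout against what `samba-tool sites list` reports afterwards, and the same plan can be re-run when an office or subnet changes. A DC still has to be moved into its site separately; the subnet mapping only tells clients which site they are in.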
