[Samba] Migrating Samba NT4 Domain to Samba AD

Rowland penny rpenny at samba.org
Sun Sep 15 16:32:40 UTC 2019


On 15/09/2019 16:44, Bartłomiej Solarz-Niesłuchowski wrote:
>
>> Done with some problems:
>
> 1. bugs reported here:
>
> https://bugzilla.altlinux.org/show_bug.cgi?id=36496
>
> and here
>
> https://bugzilla.samba.org/show_bug.cgi?id=13060
>
> involved me - but and make workarounds and migration was done.
>
>
> Basically AD samba works.
>
>
> I have some questions:
>
> I not currently understood - bind9 connected to AD server must be used 
> by the LAN workstations - or only via AD server?
>
> currently workstations are pointed to the another DNS server than AD - 
> how must be it done correctly?
>
Your domain workstations must use the AD DC(s) as their nameserver, the 
DC(s) will forward anything outside the AD dns domain to an external dns 
server.
>
> So i have, current open problems:
>
> 1. share:
>
> [private]
>
> path = %H
>
> does not work:
>
>  smbd[42055]:   make_connection_snum: canonicalize_connect_path failed 
> for service private, path /%H
>
> on console cd ~user works correctly
>
If this share is on the DC, then it really shouldn't be, using a DC as a 
fileserver isn't recommended.
>
> 2. How to connect internal AD LDAP server?
>
> I tried with:
>
> oceanic:/etc/pki/ca-trust/extracted/pem# ldbsearch -H 
> ldaps://oceanic.wsisiz.edu.pl
> search error - 00002020: Operation unavailable without authentication
>
I would have thought that was fairly obvious, you need to authenticate, 
try this instead (as root):

kinit Administrator

Then:

ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes

That way, your password never leaves the machine.

> I want to add necessary attributes e.g.:
>
> uidNumber: 10000
> gidNumber: 10000
>
> when creating the account.
>
'samba-tool user create --help' will show you how to do this.
>
> 3. How about password aging - i need it not only on Windows part but 
> on unix part it is needed too (unix have acounts/password/etc. via ldap)?
>
A Unix user in AD is just a Windows user with RFC2307 attributes, so 
they all get the same password rules

BIG NOTE: I hope that 'via ldap' means users in AD

'samba-tool domain passwordsettings show' will display the current 
settings, something like this:

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30

Rowland
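Added example (not part of Rowland's reply or of Samba itself): a small POSIX sh script that takes the output of 'samba-tool domain passwordsettings show', parses the labelled lines, and flags values worth reviewing after a migration. The sample text below is constructed from the settings quoted in the reply above; the thresholds (14-character minimum, lockout after at most 5 attempts, a non-zero maximum age) are assumed local policy, not Samba defaults, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the Samba project or the mailing-list post.
# Checks a 'samba-tool domain passwordsettings show' dump against a few
# review thresholds. Run against a live DC with:
#   pw_check "$(samba-tool domain passwordsettings show)"

# Constructed sample: the settings quoted in the reply above.
SAMPLE_SETTINGS='Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 0
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30'

# Constructed sample of a policy that passes every check below.
HARDENED_SETTINGS='Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 14
Minimum password age (days): 1
Maximum password age (days): 90
Account lockout duration (mins): 30
Account lockout threshold (attempts): 5
Reset account lockout after (mins): 30'

# Review thresholds (assumed local policy, adjust to taste).
MIN_PW_LENGTH=14
MAX_LOCKOUT_ATTEMPTS=5

# pw_setting LABEL TEXT: print the value following "LABEL: " in TEXT.
# Labels contain parentheses, which are literal in a basic regex.
pw_setting() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p"
}

# pw_check TEXT: print one FINDING line per problem, return 0 when the
# policy meets every threshold and 1 otherwise.
pw_check() {
    pw_text=$1
    pw_fail=0
    pw_len=$(pw_setting "Minimum password length" "$pw_text")
    pw_lock=$(pw_setting "Account lockout threshold (attempts)" "$pw_text")
    pw_max=$(pw_setting "Maximum password age (days)" "$pw_text")
    pw_plain=$(pw_setting "Store plaintext passwords" "$pw_text")
    pw_cplx=$(pw_setting "Password complexity" "$pw_text")

    if [ "${pw_len:-0}" -lt "$MIN_PW_LENGTH" ]; then
        echo "FINDING: minimum password length ${pw_len:-unset} is below $MIN_PW_LENGTH"
        pw_fail=1
    fi
    # A threshold of 0 means lockout is disabled entirely.
    if [ "${pw_lock:-0}" -eq 0 ] || [ "$pw_lock" -gt "$MAX_LOCKOUT_ATTEMPTS" ]; then
        echo "FINDING: account lockout threshold ${pw_lock:-unset} (0 = lockout disabled)"
        pw_fail=1
    fi
    # A maximum age of 0 means passwords never expire.
    if [ "${pw_max:-0}" -eq 0 ]; then
        echo "FINDING: maximum password age is 0, passwords never expire"
        pw_fail=1
    fi
    if [ "$pw_plain" != "off" ]; then
        echo "FINDING: plaintext password storage is '${pw_plain:-unset}', expected off"
        pw_fail=1
    fi
    if [ "$pw_cplx" != "on" ]; then
        echo "FINDING: password complexity is '${pw_cplx:-unset}', expected on"
        pw_fail=1
    fi
    return $pw_fail
}

if pw_check "$SAMPLE_SETTINGS"; then
    echo "sample policy: OK"
else
    echo "sample policy: needs review"
fi
```

Against the quoted settings the script reports two findings: the 7-character minimum and the lockout threshold of 0, which leaves every account open to unlimited guessing. Because the RFC2307 users share the same policy as the Windows ones, as Rowland notes, fixing it once with 'samba-tool domain passwordsettings set' covers the Unix side too.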
