[Samba] Migrating Samba NT4 Domain to Samba AD
rpenny at samba.org
Sun Sep 15 18:38:02 UTC 2019
On 15/09/2019 19:08, Bartłomiej Solarz-Niesłuchowski wrote:
> W dniu 2019-09-15 o 18:32, Rowland penny via samba pisze:
>> On 15/09/2019 16:44, Bartłomiej Solarz-Niesłuchowski wrote:
>>> I have some questions:
>>> I do not currently understand - does the bind9 connected to the AD server have
>>> to be used by the LAN workstations - or only via the AD server?
>>> currently the workstations are pointed to another DNS server than the AD
>>> - how must it be done correctly?
>> Your domain workstations must use the AD DC(s) as their nameserver,
>> the DC(s) will forward anything outside the AD dns domain to an
>> external dns server.
> so I need only forward queries from my common DNS server to
> ad.wsisiz.edu.pl? (AD.WSISIZ.EDU.PL is my samba AD)?
From any domain joined computers, yes. They would ask the DC for any
dns info they require; if it is something inside the AD domain, the DC
will return the data; if it is something outside the AD domain, e.g.
google.com, the DC would ask its forwarder and then return whatever the
>>> So I have these current open problems:
>>> 1. share:
>>> path = %H
>>> does not work:
>>> smbd: make_connection_snum: canonicalize_connect_path
>>> failed for service private, path /%H
>>> on console cd ~user works correctly
>> If this share is on the DC, then it really shouldn't be, using a DC
>> as a fileserver isn't recommended.
> yes, understood - I am trying to set up a second AD server on which I use only
> the domain part of samba, and on my major server I start to use only
I take it that you are referring to a Unix domain member being used as a
> But my current problem is:
> dynamic updates are not working in bind/internal_dns...
> Can you help me?
> (dns updates are needed e.g. for joining into this AD new samba
> servers as domain members....)
Try adding this to the DC smb.conf:
dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>>> 2. How do I connect to the internal AD LDAP server?
>>> I tried with:
>>> oceanic:/etc/pki/ca-trust/extracted/pem# ldbsearch -H
>>> search error - 00002020: Operation unavailable without authentication
>> I would have thought that was fairly obvious, you need to
>> authenticate, try this instead (as root):
>> kinit Administrator
>> ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes
>> That way, your password never leaves the machine.
> it does not work:
> oceanic:/var/lib/samba/bind-dns# ldbsearch -H
> ldap://oceanic.wsisiz.edu.pl -k yes
> Invalid option -k: unknown option
When I run it, I get this:
ldbsearch -H ldap://dc4.samdom.example.com -k yes
# record 1
# record 457
dn: CN=RID Set,CN=DC4,OU=Domain Controllers,DC=samdom,DC=example,DC=com
cn: RID Set
name: RID Set
distinguishedName: CN=RID Set,CN=DC4,OU=Domain
# returned 460 records
# 457 entries
# 3 referrals
What OS is this and what Samba packages did you install?
>>> 3. How about password aging - I need it not only on the Windows part but
>>> on the unix part it is needed too (unix has accounts/password/etc. via
>> A Unix user in AD is just a Windows user with RFC2307 attributes, so
>> they all get the same password rules
>> BIG NOTE: I hope that 'via ldap' means users in AD
> khhm.. currently on the linux workstations I use openldap; for linux
> password aging I use shadow attributes stored in ldap
I think you will find that it is now 'I used openldap'.
You can sync passwords etc. between AD and openldap, but you will
probably find that it is easier to migrate whatever you have in openldap to
AD and then have just one point of maintenance.
So, what do you have in openldap?
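An added example, not from this thread or from Samba itself: a small POSIX shell audit of a DC's smb.conf against the three points raised in this reply (a forwarder so the DC can answer queries outside the AD domain, the dns update command, and no file shares on the DC). SAMPLE_CONF is a constructed smb.conf; the parameter names dns forwarder, dns update command and server role are real smb.conf parameters.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Samba AD DC's smb.conf for the
# three points above (DNS forwarder set, dns update command present, no file
# shares on the DC). SAMPLE_CONF is a constructed smb.conf, not a real one.
SAMPLE_CONF='[global]
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    dns forwarder = 192.0.2.53
[sysvol]
    path = /var/lib/samba/sysvol
[netlogon]
    path = /var/lib/samba/sysvol/samdom.example.com/scripts
[private]
    path = %H
'

# Print the value of one [global] parameter ($1) from the smb.conf text ($2).
global_param() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global][ \t]*$/) }
        in_global && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit }'
}

# List share names other than sysvol and netlogon; a DC should have none.
extra_shares() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\[/ { sub(/^[ \t]*\[/, ""); sub(/].*$/, "")
            if ($0 != "global" && $0 != "sysvol" && $0 != "netlogon") print }'
}

# Report problems found in the smb.conf text ($1); exit status = problem count.
audit_dc_conf() {
    conf="$1"; problems=0
    [ -n "$(global_param 'dns forwarder' "$conf")" ] ||
        { echo "no dns forwarder: DC cannot answer names outside the AD domain"; problems=$((problems + 1)); }
    [ -n "$(global_param 'dns update command' "$conf")" ] ||
        { echo "no dns update command (suggested: dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool)"; problems=$((problems + 1)); }
    for s in $(extra_shares "$conf"); do
        echo "share [$s] on the DC: serve it from a domain member instead"
        problems=$((problems + 1))
    done
    echo "$problems problem(s)"
    return "$problems"
}

audit_dc_conf "$SAMPLE_CONF" || echo "audit exit status: $?"
```

Run it against a real DC with `audit_dc_conf "$(cat /etc/samba/smb.conf)"`; a zero exit status means none of the three issues was found.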