[Samba] Migrating Samba NT4 Domain to Samba AD

Rowland penny rpenny at samba.org
Sun Sep 15 18:38:02 UTC 2019

On 15/09/2019 19:08, Bartłomiej Solarz-Niesłuchowski wrote:
> On 2019-09-15 at 18:32, Rowland penny via samba wrote:
>> On 15/09/2019 16:44, Bartłomiej Solarz-Niesłuchowski wrote:
>>> I have some questions:
>>> I do not currently understand - must bind9 connected to the AD server 
>>> be used by the LAN workstations, or only via the AD server?
>>> Currently the workstations are pointed to a different DNS server than the AD 
>>> - how must this be done correctly?
>> Your domain workstations must use the AD DC(s) as their nameserver, 
>> the DC(s) will forward anything outside the AD dns domain to an 
>> external dns server.
> so I only need to forward queries from my common DNS server to 
> ad.wsisiz.edu.pl? (AD.WSISIZ.EDU.PL is my Samba AD)?
 From any domain joined computers, yes. They would ask the DC for any 
dns info they require, if it is something inside the AD domain, the DC 
will return the data, if it is something outside the AD domain e.g. 
google.com, the DC would ask its forwarder and then return whatever the 
forwarder returns.
>>> So I have the following current open problems:
>>> 1. share:
>>> [private]
>>> path = %H
>>> does not work:
>>>  smbd[42055]:   make_connection_snum: canonicalize_connect_path 
>>> failed for service private, path /%H
>>> on console cd ~user works correctly
>> If this share is on the DC, then it really shouldn't be, using a DC 
>> as a fileserver isn't recommended.
> Yes, understood - I am trying to set up a second AD server on which I use only 
> the domain part of Samba, and on my major server I start to use only 
> smbd/nmbd/winbindd.

I take it that you are referring to a Unix domain member being used as a 

> But my current problem is:
> dynamic updates are not working in bind/internal_dns...
> Can you help me?
> (DNS updates are needed e.g. for joining new Samba 
> servers into this AD as domain members....)

Try adding this to the DC smb.conf:

dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

>>> 2. How to connect internal AD LDAP server?
>>> I tried with:
>>> oceanic:/etc/pki/ca-trust/extracted/pem# ldbsearch -H 
>>> ldaps://oceanic.wsisiz.edu.pl
>>> search error - 00002020: Operation unavailable without authentication
>> I would have thought that was fairly obvious, you need to 
>> authenticate, try this instead (as root):
>> kinit Administrator
>> Then:
>> ldbsearch -H ldap://oceanic.wsisiz.edu.pl -k yes
>> That way, your password never leaves the machine.
> does not work:
> oceanic:/var/lib/samba/bind-dns# ldbsearch -H 
> ldap://oceanic.wsisiz.edu.pl -k yes
> Invalid option -k: unknown option

When I run it, I get this:

ldbsearch -H ldap://dc4.samdom.example.com -k yes

# record 1
dn: CN=W10PRO,CN=Computers,DC=samdom,DC=example,DC=com
cn: W10PRO
instanceType: 4
whenCreated: 20190704082927.0Z
uSNCreated: 555788




# record 457
dn: CN=RID Set,CN=DC4,OU=Domain Controllers,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: rIDSet
cn: RID Set
instanceType: 4
whenCreated: 20180324201834.0Z
whenChanged: 20180324201834.0Z
uSNCreated: 4097
uSNChanged: 4097
showInAdvancedViewOnly: TRUE
name: RID Set
objectGUID: 2ac1e0a9-4e65-4681-9592-0ee6a87ed379
rIDAllocationPool: 5100-5599
rIDUsedPool: 0
rIDPreviousAllocationPool: 5100-5599
rIDNextRID: 5176
distinguishedName: CN=RID Set,CN=DC4,OU=Domain 

# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# returned 460 records
# 457 entries
# 3 referrals

What OS is this and what Samba packages did you install ?

>>> 3. How about password aging - I need it not only on the Windows part, but 
>>> it is needed on the Unix part too (Unix has accounts/passwords/etc. via 
>>> LDAP)?
>> A Unix user in AD is just a Windows user with RFC2307 attributes, so 
>> they all get the same password rules
>> BIG NOTE: I hope that 'via ldap' means users in AD
> Khhm.. currently on the Linux workstations I use OpenLDAP; for Linux 
> password aging I use shadow attributes stored in LDAP

I think you will find that it is now 'I used openldap'

You can sync passwords etc between AD and openldap, but you will 
probably find it easier to migrate whatever you have in openldap to 
AD and then have just one point of maintenance.

So, what do you have in openldap ?
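As an added illustration of the ldbsearch output format shown above (this is not code from the original thread or from Samba itself): the script below parses the LDIF that ldbsearch prints into records and referrals, checks that the trailing "# returned / entries / referrals" summary matches what was actually parsed, and reads the pool usage out of the "RID Set" record. The sample text is a constructed, shortened excerpt modelled on the output in the post; the interpretation of rIDNextRID as the next RID to be handed out is an assumption made for the arithmetic.

```python
"""Parse ldbsearch LDIF output and summarise it.

Added example, not part of the original mailing-list post or of Samba.
SAMPLE is a constructed excerpt modelled on the output in the post;
attributes and counts have been shortened.
"""
import re

SAMPLE = """\
# record 1
dn: CN=W10PRO,CN=Computers,DC=samdom,DC=example,DC=com
cn: W10PRO
instanceType: 4
whenCreated: 20190704082927.0Z
uSNCreated: 555788

# record 2
dn: CN=RID Set,CN=DC4,OU=Domain Controllers,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: rIDSet
cn: RID Set
rIDAllocationPool: 5100-5599
rIDUsedPool: 0
rIDPreviousAllocationPool: 5100-5599
rIDNextRID: 5176

# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# returned 4 records
# 2 entries
# 2 referrals
"""

SUMMARY_RE = re.compile(r"#\s*(?:returned\s+)?(\d+)\s+(records|entries|referrals)")


def parse_ldif(text):
    """Split ldbsearch output into (records, referrals, summary).

    records   - list of dicts: attribute name -> list of values (LDIF is multi-valued)
    referrals - list of 'ref:' URLs from '# Referral' blocks
    summary   - counts parsed from the trailing '# ...' comment lines
    """
    records, referrals, summary = [], [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs, last = {}, None
        for line in block.splitlines():
            if line.startswith("#"):
                m = SUMMARY_RE.match(line)
                if m:
                    summary[m.group(2)] = int(m.group(1))
                continue  # '# record N' / '# Referral' carry no data
            if line.startswith(" ") and last:
                attrs[last][-1] += line[1:]  # LDIF continuation line
                continue
            name, sep, value = line.partition(": ")
            if not sep:
                continue  # ignore malformed lines rather than fail
            attrs.setdefault(name, []).append(value)
            last = name
        if "ref" in attrs:
            referrals.extend(attrs["ref"])
        elif "dn" in attrs:
            records.append(attrs)
    return records, referrals, summary


def consistent(records, referrals, summary):
    """True if the trailing summary agrees with what was actually parsed."""
    return (summary.get("entries") == len(records)
            and summary.get("referrals") == len(referrals)
            and summary.get("records") == len(records) + len(referrals))


def rid_sets(records):
    """Return the records whose objectClass includes rIDSet."""
    return [r for r in records if "rIDSet" in r.get("objectClass", [])]


def rid_pool_usage(record):
    """Return (used, remaining) for a rIDSet record.

    rIDAllocationPool is shown as 'low-high' (inclusive). Assumption for
    this example: rIDNextRID is the next RID that will be handed out.
    """
    low, high = (int(x) for x in record["rIDAllocationPool"][0].split("-"))
    next_rid = int(record["rIDNextRID"][0])
    return next_rid - low, high - next_rid + 1


if __name__ == "__main__":
    recs, refs, summ = parse_ldif(SAMPLE)
    print(f"{len(recs)} entries, {len(refs)} referrals, summary ok: "
          f"{consistent(recs, refs, summ)}")
    for rs in rid_sets(recs):
        used, left = rid_pool_usage(rs)
        print(f"{rs['dn'][0]}: {used} RIDs used, {left} remaining")
```

Run it against real output by piping `ldbsearch -H ldap://dc.example.com -k yes` into a file and passing that text to parse_ldif instead of SAMPLE; a summary that does not match the parsed counts usually means the output was truncated or interleaved with stderr.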
