[Samba] Migrating Samba NT4 Domain to Samba AD

Bartłomiej Solarz-Niesłuchowski Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
Mon Sep 16 16:26:50 UTC 2019


On 2019-09-16 at 16:30, Rowland penny via samba wrote:
> On 16/09/2019 15:04, L.P.H. van Belle via samba wrote:
>> Well, it was worth checking. We just don't know what you already 
>> checked.

Now I have set up Ubuntu Server 18.04.3 LTS +

http://apt.van-belle.nl/ + 
https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt#L268

+ I changed krb (the default is ... MIT!) to Heimdal:

apt install heimdal-clients



So now I have some success....

1. I added the second AD controller "themes" as stated in

https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller

2. BIND is configured and it looks like it is working:

root at themes:~# samba_dnsupdate --verbose --all-names

...

update(nsupdate): SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl 
themes.ad.wsisiz.edu.pl 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl 
themes.ad.wsisiz.edu.pl 389 (add)
Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl as 
THEMES$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl. 900 IN SRV 0 100 389 
themes.ad.wsisiz.edu.pl.

update(nsupdate): SRV 
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl 
themes.ad.wsisiz.edu.pl 389
Calling nsupdate for SRV 
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl 
themes.ad.wsisiz.edu.pl 389 (add)
Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl as 
THEMES$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl. 
900 IN SRV 0 100 389 themes.ad.wsisiz.edu.pl.

3. When I try to join another Samba server (but as an AD member!):

[root at mask ~]# net ads join -U administrator
Using short domain name -- WSISIZ.EDU.PL
Joined 'MASK' to dns domain 'ad.wsisiz.edu.pl'
DNS Update for mask.wsisiz.edu.pl failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

The message does not look good, BUT the domain connection in fact works.....

[root at mask ~]# wbinfo --ping-dc
checking the NETLOGON for domain[WSISIZ.EDU.PL] dc connection to 
"oceanic.ad.wsisiz.edu.pl" succeeded


So how can I drop DC "oceanic" and reconnect the whole network to DC "themes"?

(When I do it, the DC will be on a server which has no shares (only netlogon + 
sysvol?).)


And after disconnecting oceanic as a DC, I want to clean up 
ldap/AD ldap.


I have workstations based on both Windows and Linux.

Currently, for Windows workstations the source of user data is Samba AD, but 
for Linux workstations it is OpenLDAP.

There are two problems:

On Windows workstations we use the "NThash"; on Linux workstations we use the 
"SHA512" hash.

So how can I arrange that if a user changes their password via CTRL+ALT+DEL on 
Windows, the password-changing procedure in fact changes both hashes?

In the NT4 domain we used

pam password change = Yes

which changes BOTH hashes.


What do I need to do to preserve this feature?


Best Regards


-- 
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep in it