[Samba] Migrating Samba NT4 Domain to Samba AD
Bartłomiej Solarz-Niesłuchowski
Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
Mon Sep 16 16:26:50 UTC 2019
On 2019-09-16 at 16:30, Rowland penny via samba wrote:
> On 16/09/2019 15:04, L.P.H. van Belle via samba wrote:
>> Well it was worth checking.. We just dont know what you already
>> checked..
Now I have set up Ubuntu Server 18.04.3 LTS +
http://apt.van-belle.nl/ +
https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt#L268
+ I changed krb (default is ... MIT!) to heimdal
apt install heimdal-clients
So now I have some success....
1. I added the second AD controller "themes" as stated in
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory#Joining_the_Active_Directory_as_a_Domain_Controller
2. bind configured and it looks like it is working:
root at themes:~# samba_dnsupdate --verbose --all-names
...
update(nsupdate): SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl
themes.ad.wsisiz.edu.pl 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl
themes.ad.wsisiz.edu.pl 389 (add)
Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl as
THEMES$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.ad.wsisiz.edu.pl. 900 IN SRV 0 100 389
themes.ad.wsisiz.edu.pl.
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl
themes.ad.wsisiz.edu.pl 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl
themes.ad.wsisiz.edu.pl 389 (add)
Successfully obtained Kerberos ticket to DNS/themes.ad.wsisiz.edu.pl as
THEMES$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.ad.wsisiz.edu.pl.
900 IN SRV 0 100 389 themes.ad.wsisiz.edu.pl.
3. when I try to join another Samba server (but as AD member!):
[root at mask ~]# net ads join -U administrator
Using short domain name -- WSISIZ.EDU.PL
Joined 'MASK' to dns domain 'ad.wsisiz.edu.pl'
DNS Update for mask.wsisiz.edu.pl failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL
The message does not look good BUT the domain connection in fact works.....
[root at mask ~]# wbinfo --ping-dc
checking the NETLOGON for domain[WSISIZ.EDU.PL] dc connection to
"oceanic.ad.wsisiz.edu.pl" succeeded
So how can I drop DC "oceanic" and reconnect the whole network to DC "themes"?
(when I do it, the DC will be on a server which has no shares (only netlogon +
sysvol?))
And after disconnecting oceanic as DC - I want to do a cleanup of
ldap/AD ldap.
I have workstations based on both Windows and Linux.
Currently for Windows workstations the source of user data is Samba AD, but
for Linux workstations it is OpenLDAP.
There are two problems:
on Windows workstations we use the "NThash", on Linux workstations we use the
"SHA512" hash.
So how can I arrange that if a user changes the password via CTRL+ALT+DEL on
Windows, the password changing procedure in fact changes both hashes?
In the NT4 domain we used
pam password change = Yes
which changes BOTH hashes.
What do I need to do to preserve this feature?
Best Regards
--
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, room 421, Mon.-Fri. 8-16
Motto - As you make your bed, so you will sleep in it
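On the first question (dropping "oceanic" as a DC and leaving "themes" as the only DC): the usual order is to move all FSMO roles to the DC that stays, confirm replication is clean, and only then demote the old one. The script below is an added example written for this page; it is not from the mail above and not a Samba project script. It parses the text that `samba-tool fsmo show` prints (one "<Role> owner: CN=NTDS Settings,CN=<DC>,..." line per role) and refuses to proceed until all seven roles sit on the target DC. The two samples embedded in it are constructed for the example and are not output captured from the poster's servers; the DC names THEMES/OCEANIC and the AD DN are taken from the mail.

```shell
#!/bin/sh
# Added example (not from the original mail, not a Samba project script):
# check that every FSMO role lives on the DC that will remain before the
# other DC is demoted.

# Constructed sample of `samba-tool fsmo show` output (not real captured data):
# two roles still sit on OCEANIC, the rest already on THEMES.
S="CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=wsisiz,DC=edu,DC=pl"
SAMPLE_BEFORE="SchemaMasterRole owner: CN=NTDS Settings,CN=THEMES,$S
InfrastructureMasterRole owner: CN=NTDS Settings,CN=THEMES,$S
RidAllocationMasterRole owner: CN=NTDS Settings,CN=OCEANIC,$S
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=OCEANIC,$S
DomainNamingMasterRole owner: CN=NTDS Settings,CN=THEMES,$S
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=THEMES,$S
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=THEMES,$S"
# Same sample after `samba-tool fsmo transfer --role=all` was run on THEMES.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed 's/CN=OCEANIC,/CN=THEMES,/')

# Print "<Role> <DC>" for each role line in the fsmo-show text given as $1;
# the DC name is the second RDN of the NTDS Settings DN.
fsmo_owners() {
    printf '%s\n' "$1" \
    | sed -n 's/^\([A-Za-z]*Role\) owner: CN=NTDS Settings,CN=\([^,]*\),.*$/\1 \2/p'
}

# Print the roles NOT hosted on DC $1 (case-insensitive), text in $2.
fsmo_roles_not_on() {
    fsmo_owners "$2" | awk -v t="$1" 'toupper($2) != toupper(t) { print $1, $2 }'
}

# Exit status 0 only when all seven roles are on DC $1; details go to stderr.
fsmo_check() {
    n=$(fsmo_owners "$2" | grep -c .)
    if [ "$n" -ne 7 ]; then
        echo "parsed $n FSMO role lines, expected 7; refusing to continue" >&2
        return 1
    fi
    left=$(fsmo_roles_not_on "$1" "$2")
    if [ -n "$left" ]; then
        printf 'roles still not on %s:\n%s\n' "$1" "$left" >&2
        return 1
    fi
    return 0
}

# Rehearsal against the constructed samples. On a real DC replace the sample
# with "$(samba-tool fsmo show)". Sequence: on the DC that stays run
#   samba-tool fsmo transfer --role=all
# then, once fsmo_check passes and `samba-tool drs showrepl` shows no errors,
# on the DC being removed run
#   samba-tool domain demote -U administrator
fsmo_check THEMES "$SAMPLE_BEFORE" || echo "before transfer: not safe to demote OCEANIC"
fsmo_check THEMES "$SAMPLE_AFTER"  && echo "after transfer: safe to demote OCEANIC"
```

The role count check matters: if the sed pattern stops matching because a future samba-tool changes its output wording, the script fails closed instead of reporting "all roles transferred" on an empty list.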
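On the second question (keeping a SHA512 crypt hash for the Linux workstations in step with the NT hash when a user changes the password on Windows): the Samba AD DC has no equivalent of `pam password change`, but since Samba 4.7 it can store an extra crypt(3) hash next to the NT hash when `password hash userPassword schemes = CryptSHA512` is set in smb.conf, and `samba-tool` exposes that hash as the virtual attribute `virtualCryptSHA512`. The script below is an added example written for this page, not from the mail and not the Samba project's own code. It is meant as the external command that `samba-tool user syncpasswords` runs for each changed password (the invocation in the comments follows the samba-tool man page as I recall it; check it against your version): it reads the LDIF Samba hands it on stdin and emits an LDIF modify that replaces `userPassword` in OpenLDAP. The OpenLDAP tree layout (`uid=<sAMAccountName>,ou=People,...`), the user `jkowalski` and the hash value in the sample input are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original mail, not a Samba project script).
# Forward the SHA512-crypt hash Samba AD keeps for a changed password to the
# OpenLDAP server that the Linux workstations authenticate against.
#
# Assumed DC-side setup (smb.conf on the Samba AD DC, Samba 4.7 or later):
#   [global]
#       password hash userPassword schemes = CryptSHA512
# Then, on one DC (syntax as recalled from the samba-tool man page; verify):
#   samba-tool user syncpasswords --cache-ldb-initialize \
#       --attributes=sAMAccountName,virtualCryptSHA512 \
#       --sync-command=/usr/local/sbin/ad2ldap-pw
#   samba-tool user syncpasswords --daemon
# This file is /usr/local/sbin/ad2ldap-pw; ldapmodify is only invoked when
# LDAP_URI is exported, so the functions can be exercised offline.

# Constructed sample of what the sync command receives on stdin (not real data).
SAMPLE_INPUT='dn: CN=Jan Kowalski,CN=Users,DC=ad,DC=wsisiz,DC=edu,DC=pl
sAMAccountName: jkowalski
virtualCryptSHA512: {CRYPT}$6$Sz9TbEJ2Hq0dP8fK$exampleHashValueOnlyForIllustration0123456789'

# Assumed layout of the OpenLDAP tree used by the Linux workstations.
LDAP_PEOPLE_BASE=${LDAP_PEOPLE_BASE:-ou=People,dc=wsisiz,dc=edu,dc=pl}

# First value of attribute $1 in the LDIF text $2 (empty if absent).
ldif_attr() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p" | head -n 1
}

# Build the LDIF that replaces userPassword for the matching OpenLDAP entry.
# Only a SHA512-crypt hash ($6$...) is accepted: the NT hash is never
# forwarded, and a missing or differently formatted value aborts the sync.
ad_to_openldap_ldif() {
    uid=$(ldif_attr sAMAccountName "$1")
    hash=$(ldif_attr virtualCryptSHA512 "$1" | sed 's/^{CRYPT}//')
    if [ -z "$uid" ]; then
        echo "no sAMAccountName in input, nothing synced" >&2
        return 1
    fi
    case $hash in
        \$6\$*) ;;
        *) echo "refusing to sync non-SHA512-crypt hash for $uid" >&2; return 1 ;;
    esac
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: userPassword\nuserPassword: {CRYPT}%s\n' \
        "$uid" "$LDAP_PEOPLE_BASE" "$hash"
}

# Entry point when run by samba-tool: LDIF on stdin, password for the bind DN
# read from a root-only file (LDAP_URI, LDAP_BINDDN, LDAP_PWFILE are assumed
# to be exported by the unit or wrapper that starts the syncpasswords daemon).
if [ -n "${LDAP_URI:-}" ]; then
    ad_to_openldap_ldif "$(cat)" \
    | ldapmodify -H "$LDAP_URI" -x -D "$LDAP_BINDDN" -y "$LDAP_PWFILE"
fi
```

Two caveats worth knowing before relying on this: the extra hash is only computed when a password is set or changed after the option is enabled, so existing users get it on their next change, not retroactively; and `samba-tool user getpassword USER --attributes=virtualCryptSHA512` (run as root on the DC) is the quick way to confirm the DC really is storing it before wiring up the daemon.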