[Samba] Migrating Samba NT4 Domain to Samba AD

Bartłomiej Solarz-Niesłuchowski Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
Mon Sep 16 19:39:56 UTC 2019

On 2019-09-16 at 19:43, Rowland penny via samba wrote:
> On 16/09/2019 17:26, Bartłomiej Solarz-Niesłuchowski wrote:
>> So how can I drop DC "oceanic" and reconnect whole network to DC 
>> "themes"?
>> (when I do it DC will be on server which has no shares (only netlogon 
>> + sysvol?))
> If 'oceanic' was the first AD DC you created, then it will hold the 
> FSMO roles, you can check this with:
> samba-tool fsmo show
> If you see 'oceanic' amongst the output, then run this command on 
> 'themes':
> samba-tool fsmo transfer --role=all -U Administrator
> You can then demote 'oceanic' by running this command on 'oceanic':
> samba-tool domain demote -U Administrator
DONE - only online demoting was unsuccessful - I used offline demoting 

How many AD DC servers are recommended for a network my size (600+ 
workstations)? 2? 3? More?

>> And after disconnecting oceanic as DC - I want to do some cleaning of 
>> ldap/AD ldap.
> At this point you can just remove Samba entirely
snip... - removed and added as domain member - %H works
>> I have workstations based both on Windows and Linux.
>> Currently for Windows workstations the source of user data is Samba AD, 
>> but for Linux workstations it is openldap.
>> There are two problems:
>> on Windows workstations we use the "NThash", on Linux workstations we use 
>> the "SHA512" hash.
>> So how can I arrange that if a user changes their password via CTRL+ALT+DEL 
>> on Windows, the password changing procedure in fact changes both hashes?
> If you must keep your openldap machine (and you haven't actually told 
> us what auths from it) you will need to script around this:
> See here for an example (in French):
> https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP 
It looks like this synchronizes a password change on the Windows side to 
the openldap one... - so I must check it...
> However, if you are referring to Linux workstations running as Unix 
> domain members, then you do not need to do anything, they and the 
> users will auth directly from the Samba AD DC, provided that Samba is 
> set up correctly. If you run:

Linux workstations aren't Samba domain members... they use ldap as the source 
for passwd and authentication - through e.g. nslcd

> I am not 100% convinced you need to do anything like this.
> What do you use the openldap for ?
> A mailserver or something else ?
mailserver, ssh, as a source of authentication for users for e.g. apache, 
the email aliases database for postfix
> You may be able to extend the AD schema with whatever it is you are 
> using openldap for.

May I please have some link on how to extend the AD schema (I did it on openldap, 
but on Samba ldap I have no idea how to add a custom schema)?

Best Regards

Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, pokój 404, pon.-pt. 8-16
Motto - As you make your bed, so you must lie in it
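As an added example (not from the thread, nor from Samba itself), a small POSIX shell pre-check for the demotion step Rowland describes above: it parses the output of `samba-tool fsmo show` and refuses to go ahead while the DC about to be demoted still owns any FSMO role. The DC names 'oceanic' and 'themes' come from the thread; the sample output and the DC=example,DC=com suffix are constructed.

```shell
#!/bin/sh
# Pre-demotion FSMO check (added example, not Samba's own tooling).
# Idea: never run 'samba-tool domain demote' on a DC that still owns
# FSMO roles; transfer them first with 'samba-tool fsmo transfer --role=all'.

# Constructed sample of 'samba-tool fsmo show' output: OCEANIC still holds
# two roles, THEMES holds the other five. DN suffix is a placeholder.
SAMPLE_FSMO='SchemaMasterRole owner: CN=NTDS Settings,CN=OCEANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
InfrastructureMasterRole owner: CN=NTDS Settings,CN=THEMES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
RidAllocationMasterRole owner: CN=NTDS Settings,CN=THEMES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
PdcEmulationMasterRole owner: CN=NTDS Settings,CN=THEMES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainNamingMasterRole owner: CN=NTDS Settings,CN=OCEANIC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
DomainDnsZonesMasterRole owner: CN=NTDS Settings,CN=THEMES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
ForestDnsZonesMasterRole owner: CN=NTDS Settings,CN=THEMES,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com'

# roles_held_by DC_NAME  (fsmo output on stdin)
# Prints the role names whose owner DN contains ",CN=<DC_NAME>," (case-insensitive).
roles_held_by() {
    dc=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    awk -v dc="$dc" -F' owner: ' 'index(toupper($2), ",CN=" dc ",") { print $1 }'
}

# count_roles_held_by DC_NAME  (fsmo output on stdin): prints the number of roles
count_roles_held_by() {
    roles_held_by "$1" | wc -l | tr -d ' '
}

# demote_precheck DC_NAME  (fsmo output on stdin)
# Returns 0 when the DC owns no FSMO role, 1 (with advice) otherwise.
demote_precheck() {
    held=$(count_roles_held_by "$1")
    if [ "$held" -gt 0 ]; then
        echo "$1 still holds $held FSMO role(s); on the DC that stays, run:" >&2
        echo "  samba-tool fsmo transfer --role=all -U Administrator" >&2
        return 1
    fi
    echo "$1 holds no FSMO roles; 'samba-tool domain demote' can be run on it" >&2
    return 0
}

# Stand-alone demonstration on the constructed sample (live use would be:
#   samba-tool fsmo show | demote_precheck oceanic).
printf '%s\n' "$SAMPLE_FSMO" | demote_precheck oceanic || true
```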
