[Samba] Migrating Samba NT4 Domain to Samba AD
Bartłomiej Solarz-Niesłuchowski
Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
Mon Sep 16 19:39:56 UTC 2019
W dniu 2019-09-16 o 19:43, Rowland penny via samba pisze:
> On 16/09/2019 17:26, Bartłomiej Solarz-Niesłuchowski wrote:
>> So how can I drop DC "oceanic" and reconnect whole network to DC
>> "themes"?
>>
>> (when I do it DC will be on server which has no shares (only netlogon
>> + sysvol?))
>
> If 'oceanic' was the first AD DC you created, then it will hold the
> FSMO roles, you can check this with:
>
> samba-tool fsmo show
>
> If you see 'oceanic' amongst the output, then run this command on
> 'themes''
>
> samba-tool fsmo transfer --role=all -U Administrator
>
> You can then demote 'oceanic' by running this command on 'oceanic':
>
> samba-tool domain demote -U Administrator
>
DONE - only online demoting was unsuccessful - i use offline demoting
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
How many AD DC servers are recommended for network my size (600+
workstations?) 2? 3? more?
>>
>>
>> And after disconnecting oceanic as DC - i want to make cleaning with
>> ldap/AD ldap.
> At this point you can just remove Samba entirely
snip... -removed and added as domain member - %H works
>>
>>
>> I have workstation based both on windows and linux.
>>
>> Currently for windows workstations source of user data is Samba AD ,
>> but for linux workstations is openldap.
>>
>> Problems are two:
>>
>> on windows worstation we use "NThash" on linux workstations we use
>> "SHA512" hash.
>>
>> So how can i arrange that if user change password via CTRL+ALT+DEL
>> via windows if fact pasword changing procedure changes both hash?
>
> If you must keep your openldap machine (and you haven't actually told
> us what auths from it) you will need to script around this:
>
> See here for an example (in French):
>
> https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP
>
it looks like this synchronizes change of password for windows side to
openldap one... - so i must check it...
>
> However, if you are referring to Linux workstations running as Unix
> domain members, then you do not need to do anything, they and the
> users will auth directly from the Samba AD DC, provided that Samba is
> set up correctly. If you run:
linux workstation aren't samba domain member... they use ldap as source
for passwd and authentication - thru e.g. nslcd
> I am not 100% convinced you need to do anything like this.
>
> What do you use the openldap for ?
>
> A mailserver or something else ?
mailserver, ssh, as source of authentication for users for e.g. apache,
email aliases database for postfix
>
> You may be able to extend the AD schema with whatever it is you are
> using openldap for.
May I please ssome link how to extend AD schema (I made it on openldap
but on samba ldap I have no idea how add custom schema)?
Best Regards
--
Bartłomiej Solarz-Niesłuchowski, Administrator WSISiZ
e-mail: Bartlomiej.Solarz-Niesluchowski at wit.edu.pl
tel. 223486547, fax 223486501
JID: solarz at jabber.wit.edu.pl
01-447 Warszawa, ul. Newelska 6, pokój 404, pon.-pt. 8-16
Motto - Jak sobie pościelisz tak sie wyśpisz
More information about the samba
mailing list