[Samba] Technical questions on AD and NT4

RhineDevil tanyadegurechaff at disroot.org
Wed Jul 15 20:30:22 UTC 2020

Wed, 15 Jul 2020 21:08:44 +0100 Rowland penny via samba <samba at lists.samba.org>:
> On 15/07/2020 20:33, RhineDevil via samba wrote:
> > Could someone show me differences in both groups and users between a full NT4 LDAP schema and a full ActiveDirectory LDAP schema?
> I could, but we would be here all night, the AD schema is much larger.
Just a brief explanation, I need to know what fields are different and how to reproduce them if I choose to... let's SUPPOSE
Migrate data from /etc/passwd and /etc/group files
It would be nice knowing for example if old sambaSID and new objectSID are the same thing, because I already know (from smbldap tools) how to calculate it
> > Is ActiveDirectory fully retrocompatible with NT4?
> No
So I guess I can't use an ldif file made for NT4 for populating an AD, right?
> >
> > There are plans for supporting again an OpenLDAP backend when LDAPcon objectives will be achieved?
> > https://ldapcon.org/2019/wp-content/events/presentations/ni_samba_backend.pdf
> That has been worked on for the last 8 years (at least) and it still 
> doesn't work (not for want of trying)
How could I get an idea of what still needs to be done? AFAIK the project leader for this thing is on vacation
> >
> > Why does a user in the old NT4 schema look like this:
> > dn: uid=myuser,ou=People,dc=mydomain
> > while in AD LDAP schema looks like this
> > dn: CN=myuser,CN=Users,DC=mydomain ?
> Because Microsoft decided it had to be that way.
What I meant is would uid=myuser,ou=People,dc=mydomain still work?
> >
> > To what extent is LDB retrocompatible (with abstractions of course) with ldif files made for OpenLDAP, could I import an ldif intended for old NT4 LDAP into LDB?
> If you are asking if the AD schema can be extended, then the answer is 
> very possibly yes, you just need the correct ldifs and to apply them in 
> the right order. There are schemas available that work without 
> modification, for others, Samba provides a script to modify a schema to 
> an AD ldif. You should be aware that extending the AD schema is one way, 
> you can extend it, but you cannot remove the schema extension, so you 
> should test any extensions before extending a production domain.
Thank you, what I meant is pretty much what I asked in "Is ActiveDirectory fully retrocompatible with NT4?"
> Rowland
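The sambaSID/objectSID question and the /etc/passwd migration idea in the thread can be made concrete with a small script. The following is an added example, not code from the thread or from the Samba project: it turns /etc/passwd lines into an NT4-style sambaSamAccount LDIF entry and an AD-style user entry, derives RIDs with the algorithmic rule smbldap-tools uses by default (rid = 2*uid + base for users, 2*gid + base + 1 for groups, base 1000), and shows the two SID representations side by side. In the NT4 schema sambaSID is a plain string attribute the administrator writes; in AD objectSid holds the same kind of SID in binary form and is assigned by the DC, so the AD entry below carries no SID at all and puts the POSIX fields into the RFC2307 attributes the AD schema already has. The domain SID, base DNs and passwd lines are constructed sample values.

```python
import struct

# Constructed sample values (not from the thread); replace with your own domain's.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
BASE_DN_NT4 = "dc=mydomain"   # NT4-style tree, as in the thread
BASE_DN_AD = "DC=mydomain"    # AD-style tree, as in the thread
RID_BASE = 1000               # smbldap-tools default sambaAlgorithmicRidBase

# Constructed sample input: a couple of /etc/passwd lines.
PASSWD_LINES = [
    "myuser:x:1001:1001:My User:/home/myuser:/bin/bash",
    "alice:x:1002:1001:Alice Example:/home/alice:/bin/sh",
]


def user_rid(uid: int, base: int = RID_BASE) -> int:
    """Algorithmic user RID as smbldap-tools computes it: 2*uid + base (even)."""
    return 2 * uid + base


def group_rid(gid: int, base: int = RID_BASE) -> int:
    """Algorithmic group RID: 2*gid + base + 1 (odd RIDs are groups)."""
    return 2 * gid + base + 1


def sid_to_bytes(sid: str) -> bytes:
    """Encode a textual SID into the binary layout AD stores in objectSid:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then each sub-authority as a little-endian uint32."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % sid)
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw: bytes) -> str:
    """Decode the binary objectSid form back into the S-1-5-... string."""
    revision, count = struct.unpack("<BB", raw[:2])
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def parse_passwd(line: str) -> dict:
    """Split one /etc/passwd line into its seven fields."""
    name, _pw, uid, gid, gecos, home, shell = line.split(":")
    return {"name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}


def nt4_user_ldif(u: dict) -> str:
    """sambaSamAccount entry: the SID is a string attribute the admin sets."""
    return "\n".join([
        "dn: uid=%s,ou=People,%s" % (u["name"], BASE_DN_NT4),
        "objectClass: top",
        "objectClass: posixAccount",
        "objectClass: sambaSamAccount",
        "uid: %s" % u["name"],
        "cn: %s" % (u["gecos"] or u["name"]),
        "uidNumber: %d" % u["uid"],
        "gidNumber: %d" % u["gid"],
        "homeDirectory: %s" % u["home"],
        "loginShell: %s" % u["shell"],
        "sambaSID: %s-%d" % (DOMAIN_SID, user_rid(u["uid"])),
        "sambaPrimaryGroupSID: %s-%d" % (DOMAIN_SID, group_rid(u["gid"])),
        "",
    ])


def ad_user_ldif(u: dict) -> str:
    """AD user entry: no SID attribute, the DC assigns objectSid itself; the
    POSIX fields go into the RFC2307 attributes present in the AD schema."""
    return "\n".join([
        "dn: CN=%s,CN=Users,%s" % (u["name"], BASE_DN_AD),
        "objectClass: user",
        "sAMAccountName: %s" % u["name"],
        "displayName: %s" % (u["gecos"] or u["name"]),
        "uidNumber: %d" % u["uid"],
        "gidNumber: %d" % u["gid"],
        "unixHomeDirectory: %s" % u["home"],
        "loginShell: %s" % u["shell"],
        "",
    ])


if __name__ == "__main__":
    for line in PASSWD_LINES:
        user = parse_passwd(line)
        print(nt4_user_ldif(user))
        print(ad_user_ldif(user))
    sid = "%s-%d" % (DOMAIN_SID, user_rid(1001))
    print("text SID:  ", sid)
    print("binary SID:", sid_to_bytes(sid).hex())
```

The point of keeping both generators next to each other is that the data migrates cleanly (uidNumber, gidNumber, home, shell all have AD attributes) while the DN shape and the SID handling do not: the NT4 LDIF cannot be fed to an AD DC unchanged, and any RID you precomputed for sambaSID is not what the AD DC will hand out as objectSid, so anything that depends on stable SIDs (ACLs on file shares, profiles) needs to be accounted for separately.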