[Samba] Technical questions on AD and NT4

Rowland penny rpenny at samba.org
Wed Jul 15 20:49:12 UTC 2020

On 15/07/2020 21:30, RhineDevil wrote:
> Wed, 15 Jul 2020 21:08:44 +0100 Rowland penny via samba <samba at lists.samba.org>:
> Just a brief explanation, I need to know what fields are different and how to reproduce them if I choose to... let's SUPPOSE
> Migrate data from /etc/passwd and /etc/group files
> It would be nice knowing, for example, if the old sambaSID and the new objectSID are the same thing, because I already know (from smbldap tools) how to calculate it
Well, a SID is just a SID, but you do not calculate an objectSID; AD 
does this for you from the domain SID and the next available RID
>>> Is ActiveDirectory fully retrocompatible with NT4?
>> No
> So I guess I can't use an ldif file made for NT4 for populating an AD, right?
No, definitely not, to populate a new Samba AD domain, you would use 
'samba-tool domain provision .........'
>>> Are there plans to support an OpenLDAP backend again when the LDAPcon objectives are achieved?
>>> https://ldapcon.org/2019/wp-content/events/presentations/ni_samba_backend.pdf
>> That has been worked on for the last 8 years (at least) and it still
>> doesn't work (not for want of trying)
> How could I get an idea of what still needs to be done? AFAIK the project leader for this thing is on vacation
It is (as far as I am aware) a team of one and whilst it may one day 
come to fruition, I am not holding my breath. If it does, it will look 
nothing like an NT4-style domain, it will look like the present Samba 
AD, but sat on openldap.
>>> Why does a user in the old NT4 schema look like this:
>>> dn: uid=myuser,ou=People,dc=mydomain
>>> while in the AD LDAP schema it looks like this:
>>> dn: CN=myuser,CN=Users,DC=mydomain ?
>> Because Microsoft decided it had to be that way.
> What I meant is would uid=myuser,ou=People,dc=mydomain still work?
No, because it wouldn't be compatible with Microsoft AD.
>>> To what extent is LDB retrocompatible (with abstractions, of course) with ldif files made for OpenLDAP? Could I import an ldif intended for the old NT4 LDAP into LDB?
>> If you are asking if the AD schema can be extended, then the answer is
>> very possibly yes, you just need the correct ldifs and to apply them in
>> the right order. There are schemas available that work without
>> modification, for others, Samba provides a script to modify a schema to
>> an AD ldif. You should be aware that extending the AD schema is one way,
>> you can extend it, but you cannot remove the schema extension, so you
>> should test any extensions before extending a production domain.
> Thank you, what I meant is pretty much what I asked in "Is ActiveDirectory fully retrocompatible with NT4?"

In that case, no, the Active Directory schema is totally different from 
the old NT4-style Samba schema.

Active Directory is totally different from the old NT4-style domains, it 
uses DNS and kerberos for a start.
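An added illustration of the SID point made above (this is example code written for this page, not code from the thread or from the Samba project): an NT4-style sambaSID is a SID string, an AD objectSID is the same SID stored in the standard binary SID layout (revision byte, sub-authority count, 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities), and an account SID is simply the domain SID with one trailing RID. The RidAllocator class is a hypothetical, simplified model of "next available RID" drawn from one contiguous pool; it is not how Samba's RID manager is implemented. The sample SIDs are constructed and belong to no real domain.

```python
"""SIDs as strings (NT4-style sambaSID) and as binary blobs (AD objectSID)."""
import struct

SID_REVISION = 1
MAX_SUB_AUTHORITIES = 15


def parse_sid(text):
    """Split 'S-1-5-21-...' into (revision, identifier_authority, [sub_authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != SID_REVISION or len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError(f"unsupported SID: {text!r}")
    if authority >= 1 << 48 or any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError(f"field out of range: {text!r}")
    return revision, authority, subs


def format_sid(revision, authority, subs):
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def sid_to_bytes(text):
    """Encode as the binary form AD stores in objectSID (Windows SID layout):
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then each sub-authority as a little-endian uint32."""
    revision, authority, subs = parse_sid(text)
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(blob):
    """Decode an objectSID blob back to its string form, rejecting malformed input
    (wrong revision, too many sub-authorities, or a count that does not match the length)."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if revision != SID_REVISION or count > MAX_SUB_AUTHORITIES or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = list(struct.unpack(f"<{count}I", blob[8:]))
    return format_sid(revision, authority, subs)


def split_domain_and_rid(text):
    """An account or group SID is the domain SID plus one trailing RID."""
    revision, authority, subs = parse_sid(text)
    if len(subs) < 2:
        raise ValueError(f"no RID component in {text!r}")
    return format_sid(revision, authority, subs[:-1]), subs[-1]


class RidAllocator:
    """Hypothetical model of 'next available RID' (not Samba's own code):
    hands out RIDs sequentially from one contiguous pool and never reuses
    or exceeds it, the way a DC draws RIDs from its allocated pool."""

    def __init__(self, domain_sid, pool_start, pool_end):
        parse_sid(domain_sid)  # validate before accepting it
        self.domain_sid = domain_sid
        self.next_rid, self.pool_end = pool_start, pool_end

    def new_object_sid(self):
        if self.next_rid > self.pool_end:
            raise RuntimeError("RID pool exhausted; a new pool must be requested")
        rid, self.next_rid = self.next_rid, self.next_rid + 1
        return f"{self.domain_sid}-{rid}"


# Constructed sample data (not from any real domain): an NT4-style entry's
# sambaSID string and the same SID as AD would store it in objectSID.
NT4_SAMBA_SID = "S-1-5-21-1004336348-1177238915-682003330-1104"
AD_OBJECT_SID_BLOB = sid_to_bytes(NT4_SAMBA_SID)


def sids_match(samba_sid, object_sid_blob):
    """True when an NT4 sambaSID string and an AD objectSID blob name the same SID."""
    return sid_from_bytes(object_sid_blob) == samba_sid


if __name__ == "__main__":
    domain, rid = split_domain_and_rid(NT4_SAMBA_SID)
    print("domain SID:", domain, "RID:", rid)
    print("objectSID hex:", AD_OBJECT_SID_BLOB.hex())
    alloc = RidAllocator(domain, 1000, 1499)
    print("next SIDs:", alloc.new_object_sid(), alloc.new_object_sid())
```

The round trip through sid_to_bytes and sid_from_bytes is the whole of the "same thing" question: the string and the blob carry identical fields. The length check in sid_from_bytes matters when reading objectSID values out of an LDB or LDIF export, since a truncated or padded blob would otherwise decode silently to a different SID.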

