[Samba] Technical questions on AD and NT4

RhineDevil tanyadegurechaff at disroot.org
Wed Jul 15 21:17:40 UTC 2020


Wed, 15 Jul 2020 21:49:12 +0100 Rowland penny via samba <samba at lists.samba.org>:
> On 15/07/2020 21:30, RhineDevil wrote:
> > Wed, 15 Jul 2020 21:08:44 +0100 Rowland penny via samba <samba at lists.samba.org>:
> >
> > Just a brief explanation: I need to know what fields are different and how to reproduce them if I choose to... let's SUPPOSE
> > Migrate data from /etc/passwd and /etc/group files
> > It would be nice knowing for ex if old sambaSID and new objectSID are the same thing, because I already know (from smbldap tools) how to calculate it
> Well, a SID is just a SID, but you do not calculate an objectSID, AD 
> does this for you from the domain SID and the next available RID
Dave, I'm afraid I can't do that. Since it would be an import from /etc flat files, it won't be just as easy as typing `samba-tool user create $user`; transferring rfc2037 NIS data (including loginShell, uidNumber, gidNumber, homeDirectory etc.) will be needed as well
> >>> Is ActiveDirectory fully retrocompatible with NT4?
> >> No
> > So I guess I can't use an ldif file made for NT4 for populating an AD, right?
> No, definitely not, to populate a new Samba AD domain, you would use 
> 'samba-tool domain provision .........'
> >>> Are there plans for supporting again an OpenLDAP backend when the LDAPcon objectives are achieved?
> >>> https://ldapcon.org/2019/wp-content/events/presentations/ni_samba_backend.pdf
> >> That has been worked on for the last 8 years (at least) and it still
> >> doesn't work (not for want of trying)
> > How could I get an idea of what still needs to be done? AFAIK the project leader for this thing is on vacation
> It is (as far as I am aware) a team of one and whilst it may one day 
> come to fruition, I am not holding my breath. If it does, it will look 
> nothing like an NT4-style domain, it will look like the present Samba 
> AD, but sat on openldap.
> >>> Why does a user in the old NT4 schema look like this:
> >>> dn: uid=myuser,ou=People,dc=mydomain
> >>> while in the AD LDAP schema it looks like this
> >>> dn: CN=myuser,CN=Users,DC=mydomain ?
> >> Because Microsoft decided it had to be that way.
> > What I meant is would uid=myuser,ou=People,dc=mydomain still work?
> No, because it wouldn't be compatible with Microsoft AD.
> >>> To what extent is LDB retrocompatible (with abstractions of course) with ldif files made for OpenLDAP, could I import an ldif thought for old NT4 LDAP into LDB?
> >> If you are asking if the AD schema can be extended, then the answer is
> >> very possibly yes, you just need the correct ldifs and to apply them in
> >> the right order. There are schemas available that work without
> >> modification, for others, Samba provides a script to modify a schema to
> >> an AD ldif. You should be aware that extending the AD schema is one way,
> >> you can extend it, but you cannot remove the schema extension, so you
> >> should test any extensions before extending a production domain.
> > Thank you, what I meant is pretty much what I asked in "Is ActiveDirectory fully retrocompatible with NT4?"
> 
> In that case, no, the Active Directory schema is totally different from 
> the old NT4-style Samba schema.
> 
> Active Directory is totally different from the old NT4-style domains, it 
> uses DNS and kerberos for a start.
> 
> Rowland
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: Firma digitale OpenPGP
URL: <http://lists.samba.org/pipermail/samba/attachments/20200715/b78ac685/attachment.sig>
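Two of Rowland's points above are easier to see in code: an /etc/passwd and /etc/group import into Samba AD is driven through `samba-tool` with the RFC 2307 attributes passed as options, and an objectSID is the domain SID plus a RID that AD allocates at creation time, so it is read back rather than pre-computed. The following is an added example, not code from the thread or from the Samba project; the passwd/group lines and the SID are constructed sample data, and `MIN_ID` and `NIS_DOMAIN` are placeholder assumptions. The `samba-tool` options used (`--uid-number`, `--gid-number`, `--unix-home`, `--login-shell`, `--gecos`, `--nis-domain`, `--uid`, `--random-password`) exist in current Samba releases.

```python
"""Added example (not from the thread, not Samba's own code).

1. Turn passwd(5)/group(5) lines into samba-tool commands carrying the
   RFC 2307 attributes (uidNumber, gidNumber, loginShell, unixHomeDirectory).
2. objectSID = <domain SID>-<RID>, assigned by AD: a string/binary codec
   for inspecting what AD returns, and a helper that splits off the RID.
All sample data below is constructed.
"""
import shlex
import struct

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1001:Bob Example:/home/bob:/bin/zsh
"""
GROUP = """\
root:x:0:
staff:x:1001:alice,bob
"""
MIN_ID = 1000           # assumption: ids below this are local system accounts
NIS_DOMAIN = "example"  # assumption: placeholder NIS domain for --nis-domain


def parse_passwd(text):
    """Yield one dict per passwd(5) line; blanks and comments are skipped."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, uid, gid, gecos, home, shell = line.split(":", 6)
            yield dict(name=name, uid=int(uid), gid=int(gid),
                       gecos=gecos, home=home, shell=shell)


def parse_group(text):
    """Yield one dict per group(5) line with the member list split."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, gid, members = line.split(":", 3)
            yield dict(name=name, gid=int(gid),
                       members=[m for m in members.split(",") if m])


def samba_tool_commands(passwd_text=PASSWD, group_text=GROUP,
                        min_id=MIN_ID, nis_domain=NIS_DOMAIN):
    """Return the samba-tool invocations that recreate the accounts in AD.

    Groups first, then users, then memberships. System accounts stay local.
    /etc/shadow hashes cannot be imported, so users get a random password
    and must reset it. The Unix primary group is recorded only as gidNumber;
    AD's primaryGroupID stays Domain Users.
    """
    q = shlex.quote
    cmds, memberships = [], []
    for g in parse_group(group_text):
        if g["gid"] < min_id:
            continue
        cmds.append(f"samba-tool group add {q(g['name'])} "
                    f"--gid-number={g['gid']} --nis-domain={q(nis_domain)}")
        if g["members"]:
            memberships.append(f"samba-tool group addmembers {q(g['name'])} "
                               f"{q(','.join(g['members']))}")
    for u in parse_passwd(passwd_text):
        if u["uid"] < min_id:
            continue
        cmds.append(f"samba-tool user create {q(u['name'])} --random-password "
                    f"--uid={q(u['name'])} --uid-number={u['uid']} "
                    f"--gid-number={u['gid']} --gecos={q(u['gecos'])} "
                    f"--unix-home={q(u['home'])} --login-shell={q(u['shell'])} "
                    f"--nis-domain={q(nis_domain)}")
    return cmds + memberships  # members are added once the users exist


def sid_to_bytes(sid):
    """Encode 'S-R-A-s1-...' as the binary objectSID layout: revision (1 byte),
    sub-authority count (1 byte), 48-bit authority big-endian, then each
    sub-authority as a little-endian uint32."""
    f = sid.split("-")
    if f[0] != "S" or len(f) < 3:
        raise ValueError("not a SID string: %r" % sid)
    subs = [int(x) for x in f[3:]]
    return (struct.pack("<BB", int(f[1]), len(subs)) + int(f[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(raw):
    """Inverse of sid_to_bytes: how an objectSID read from AD is displayed."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    if len(raw) != 8 + 4 * count:
        raise ValueError("truncated SID blob")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d-%s" % (revision, int.from_bytes(raw[2:8], "big"),
                           "-".join(map(str, subs)))


def split_object_sid(sid):
    """The RID is the last sub-authority; AD picks it from its RID pool at
    object creation, so only the domain SID part is known in advance."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)
```

Run `samba_tool_commands()` against real files (filtering out service accounts yourself if their ids are above `MIN_ID`) and review the printed commands before executing them on a provisioned domain; after creation, read each user's `objectSID` back with `samba-tool` or `ldbsearch` and compare it against the old `sambaSID` with `split_object_sid` if you need a mapping table.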