[Samba] How to convert stand-alone samba servers to join existing Windows Active Directory domain

Robert Marcano robert at marcanoonline.com
Fri Sep 11 18:23:33 UTC 2020

On 9/10/20 3:28 PM, Ted Buchanan via samba wrote:
> We have multiple stand-alone samba (4.2.10 and 4.10.4) file sharing
> servers with hundreds of local users on each server (not the same on all
> samba servers) in a CentOS/Oracle Linux (6 and 7) network.  We would like
> to convert these stand-alone servers to join an existing Windows based AD
> domain without losing data or ownership/permission metadata on these
> servers.  Is there a guide for doing so or can someone give the steps
> necessary to accomplish this task?  I see in the samba wiki how to set up
> samba as a domain controller or stand-alone server but nothing really on
> how to convert from stand-alone to domain member.  I am not really familiar
> with the Active Directory side of things so perhaps I'm not asking the
> right questions or looking in the right places.  Thank you in advance.

Samba id mapping strategies are pluggable, one of those is the winbind
tdb id mapping. So in theory you could collect all users from one of
those servers, annotate their user, group and ids, and create a new tdb
file with the corresponding mapping from the AD domain to the local id,
and then configure winbind to use that tdb mapping.

You will have to generate a new idmap tdb file for each server because
when running each one as a standalone server, there is no relationship
on the mapping between the servers.

If you plan on sharing or syncing content between these servers, you
will need to use tools that sync permissions and POSIX acls, by name and
not by id, but you will have problems with Windows ACLs because these
are stored in a Samba-specific way many tools can't process. So be careful.

This could be a temporary strategy, so you can then migrate it to a new 
server gradually that doesn't use that tdb mapping strategy.
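Added example, not part of the original thread: a POSIX shell script that builds the per-server idmap file the reply describes, from the server's local passwd/group entries and an admin-written name-to-SID table, in the text format `net idmap dump` writes and `net idmap restore` reads. The account names, ids and domain SID are constructed placeholders, and the use of `getent`, `wbinfo -n` and `net idmap restore` is an assumption about the workflow, not something the post states.

```shell
# Build an idmap_tdb dump-format file for one stand-alone server. All sample
# data is constructed; on a real server feed `getent passwd`/`getent group`
# output and SIDs from `wbinfo -n 'DOMAIN\name'` once the box is joined.

# Local accounts as they exist on this server (constructed sample).
LOCAL_PASSWD='alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash'
LOCAL_GROUP='staff:x:2001:alice,bob
alice:x:1001:
bob:x:1002:'
# Admin-written table: local name, u|g, AD SID (placeholder domain SID).
SID_TABLE='alice u S-1-5-21-111-222-333-1105
bob u S-1-5-21-111-222-333-1106
staff g S-1-5-21-111-222-333-2103'

# build_idmap_dump PASSWD GROUP SIDTABLE: prints "UID|GID <id> <SID>" lines
# plus USER/GROUP HWM lines, the format `net idmap dump` writes and
# `net idmap restore` reads. Local accounts without a SIDTABLE row are
# reported on stderr; their ids stay local-only and must not be handed to
# winbind, so the high water marks are taken over ALL local ids.
build_idmap_dump() {
  printf '%s\n' "$3" | awk -v passwd="$1" -v group="$2" '
    function load(text, ids,   n, i, l, f, hwm) {
      hwm = 0; n = split(text, l, "\n")
      for (i = 1; i <= n; i++) {
        split(l[i], f, ":"); if (f[1] == "") continue
        ids[f[1]] = f[3]; if (f[3] + 0 >= hwm) hwm = f[3] + 1
      }
      return hwm
    }
    BEGIN { uhwm = load(passwd, uid); ghwm = load(group, gid) }
    $2 == "u" && ($1 in uid) { print "UID " uid[$1] " " $3; mu[$1] = 1; next }
    $2 == "g" && ($1 in gid) { print "GID " gid[$1] " " $3; mg[$1] = 1; next }
    NF { print "WARNING: " $1 " is not a local " ($2 == "u" ? "user" : "group") > "/dev/stderr" }
    END {
      for (x in uid) if (!(x in mu)) print "WARNING: local user " x " (uid " uid[x] ") has no AD mapping" > "/dev/stderr"
      for (x in gid) if (!(x in mg)) print "WARNING: local group " x " (gid " gid[x] ") has no AD mapping" > "/dev/stderr"
      print "USER HWM " uhwm; print "GROUP HWM " ghwm
    }'
}

# Write the file, load it on the joined server with `net idmap restore <file>`
# (file name is a placeholder) and check that `idmap config * : range` in
# smb.conf covers these ids.
build_idmap_dump "$LOCAL_PASSWD" "$LOCAL_GROUP" "$SID_TABLE"
```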
