[Samba] How to convert stand-alone samba servers to join existing Windows Active Directory domain
rpenny at samba.org
Fri Sep 11 18:40:22 UTC 2020
On 11/09/2020 19:23, Robert Marcano via samba wrote:
> On 9/10/20 3:28 PM, Ted Buchanan via samba wrote:
>> We have multiple stand-alone samba (4.2.10 and 4.10.4) file sharing
>> servers with hundreds of local users on each server (not the same on all
>> samba servers) in a CentOS/Oracle Linux (6 and 7) network. We would like
>> to convert these stand-alone servers to join an existing Windows based AD
>> domain without losing data or ownership/permission metadata on these
>> servers. Is there a guide for doing so or can someone give the steps
>> necessary to accomplish this task? I see in the samba wiki how to set up
>> samba as a domain controller or stand-alone server but nothing really on
>> how to convert from stand-alone to domain member. I am not real
>> with the Active Directory side of things so perhaps I'm not asking the
>> right questions or looking in the right places. Thank you in advance.
> Samba id mapping strategies are pluggable, one of those is the winbind
> tdb id mapping. So in theory you could collect all users from one of
> those servers, annotate their user, group and ids, and create a new
> tdb file with the corresponding mapping from the AD domain to the
> local id, and then configure winbind to use that tdb mapping.
>
> You will have to generate a new idmap tdb file for each server because
> when running each one as a standalone server, there is no
> relationship on the mapping between the servers.
>
> If you plan on sharing or syncing content between these servers, you
> will need to use tools that sync permissions and POSIX acls, by name
> and not by id, but you will have problems with Windows ACLs because
> these are stored in a Samba-specific way many tools can't process. So
> be careful.
>
> This could be a temporary strategy, so you can then migrate it to a
> new server gradually that doesn't use that tdb mapping strategy.

The 'tdb' backend is an allocating backend, so I don't think that method
is going to work, but I am open to persuasion ;-)

Yes, some method will have to be found to identify the file & directory
ownership before the join and then change them to the new IDs after the
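
The inventory-then-remap step mentioned at the end of the reply above could look like the following. This is an added example, not part of the thread or of Samba; the function names and the sample IDs are constructed, and the old-to-new ID maps are assumed to be built by the administrator by matching each local account to its ID on the joined member.

```python
import os
import stat
import sys

def inventory(root):
    """Record (path, uid, gid, mode) for root and everything below it.
    lstat() is used so symlinks are recorded themselves, not their targets."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    rows = []
    for path in paths:
        st = os.lstat(path)
        rows.append((path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return rows

def plan_remap(rows, uid_map, gid_map):
    """Turn a pre-join inventory into chown operations.
    Returns (changes, unmapped_uids, unmapped_gids); -1 means 'leave as is'.
    Working from the saved inventory, not the live tree, keeps a file from
    being mapped twice when a new ID equals some other account's old ID."""
    changes, unmapped_uids, unmapped_gids = [], set(), set()
    for path, uid, gid, mode in rows:
        new_uid = uid_map.get(uid, -1)
        new_gid = gid_map.get(gid, -1)
        if new_uid == -1:
            unmapped_uids.add(uid)
        if new_gid == -1:
            unmapped_gids.add(gid)
        if (new_uid, new_gid) != (-1, -1):
            changes.append((path, new_uid, new_gid, mode))
    return changes, unmapped_uids, unmapped_gids

def apply_remap(changes):
    """Run as root after the join. Only owner and group are rewritten;
    ACL entries that carry IDs are not touched by this sketch."""
    for path, new_uid, new_gid, mode in changes:
        os.lchown(path, new_uid, new_gid)
        if not os.path.islink(path):
            os.chmod(path, mode)  # chown can clear setuid/setgid bits

if __name__ == "__main__":
    # Dry run with constructed example IDs: old local uid/gid 1001 -> 1101105.
    rows = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    changes, no_uid, no_gid = plan_remap(rows, {1001: 1101105}, {1001: 1101105})
    print(len(changes), "paths to change; unmapped uids:", sorted(no_uid),
          "unmapped gids:", sorted(no_gid))
```

The unmapped sets list every old owner or group that has no entry in the maps, so they can be reviewed before `apply_remap` is run.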