[Samba] How to convert stand-alone samba servers to join existing Windows Active Directory domain

Rowland penny rpenny at samba.org
Fri Sep 11 18:40:22 UTC 2020

On 11/09/2020 19:23, Robert Marcano via samba wrote:
> On 9/10/20 3:28 PM, Ted Buchanan via samba wrote:
>> We have multiple stand-alone samba (4.2.10 and 4.10.4) file sharing
>> servers with hundreds of local users on each server (not the same on all
>> samba servers) in a CentOS/Oracle Linux (6 and 7) network.  We would 
>> like
>> to convert these stand-alone servers to join an existing Windows 
>> based AD
>> domain without losing data or ownership/permission metadata on these
>> servers.  Is there a guide for doing so or can someone give the steps
>> necessary to accomplish this task?  I see in the samba wiki how to 
>> set up
>> samba as a domain controller or stand-alone server but nothing really on
>> how to convert from stand-alone to domain member.  I am not real 
>> familiar
>> with the Active Directory side of things so perhaps I'm not asking the
>> right questions or looking in the right places.  Thank you in advance.
> Samba id mapping strategies are plugable, one of those is the winbind 
> tdb id mapping. So in theory you could collect all users from one of 
> those servers, annotate their user, group and ids, and create a new 
> tdb file with the corresponding mapping from the AD domain to the 
> local id, and then configure winbind to use that tdb mapping.
> You will have to generate a new idmap tdb file for each server because 
> when running each one as an standalone server, there is no 
> relationship on the mapping between the servers.
> If you plan on sharing or syncing content between these servers, you 
> will need to use tools that sync permissions and POSIX acls, by name 
> and not by id, but you will have problems with Windows ACLs because 
> these are stored on a Samba specific way many tools can't process. So 
> be careful.
> This could be a temporary strategy, so you can then migrate it to a 
> new server gradually that doesn't use that tdb mapping strategy.
the 'tdb' backend is an allocating backend, so I don't think that method 
is going to work, but I am open to persuasion ;-)

Yes, some method will have to be found to identify the file & directory 
ownership before the join and then change them to the new ID's after the 


More information about the samba mailing list