[Samba] How to convert stand-alone samba servers to join existing Windows Active Directory domain

Robert Marcano robert at marcanoonline.com
Fri Sep 11 18:59:59 UTC 2020

On 9/11/20 2:40 PM, Rowland penny via samba wrote:
> On 11/09/2020 19:23, Robert Marcano via samba wrote:
>> On 9/10/20 3:28 PM, Ted Buchanan via samba wrote:
>>> We have multiple stand-alone samba (4.2.10 and 4.10.4) file sharing
>>> servers with hundreds of local users on each server (not the same on all
>>> samba servers) in a CentOS/Oracle Linux (6 and 7) network.  We would like
>>> to convert these stand-alone servers to join an existing Windows based AD
>>> domain without losing data or ownership/permission metadata on these
>>> servers.  Is there a guide for doing so or can someone give the steps
>>> necessary to accomplish this task?  I see in the samba wiki how to set up
>>> samba as a domain controller or stand-alone server but nothing really on
>>> how to convert from stand-alone to domain member.  I am not real familiar
>>> with the Active Directory side of things so perhaps I'm not asking the
>>> right questions or looking in the right places.  Thank you in advance.
>> Samba id mapping strategies are pluggable; one of those is the winbind 
>> tdb id mapping. So in theory you could collect all users from one of 
>> those servers, annotate their user, group and ids, and create a new 
>> tdb file with the corresponding mapping from the AD domain to the 
>> local id, and then configure winbind to use that tdb mapping.
>> You will have to generate a new idmap tdb file for each server because 
>> when running each one as a standalone server, there is no 
>> relationship on the mapping between the servers.
>> If you plan on sharing or syncing content between these servers, you 
>> will need to use tools that sync permissions and POSIX acls, by name 
>> and not by id, but you will have problems with Windows ACLs because 
>> these are stored in a Samba-specific way many tools can't process. So 
>> be careful.
>> This could be a temporary strategy, so you can then migrate it to a 
>> new server gradually that doesn't use that tdb mapping strategy.
> the 'tdb' backend is an allocating backend, so I don't think that method 
> is going to work, but I am open to persuasion ;-)

Sure, but with some scripting, for the currently allocated local users and 
groups, the initial database could be preallocated. But to be honest, if 
you can create a script to generate that database, you could write one 
that changes all file permissions and Windows ACLs too.

Choosing one or the other method depends on whether you really will be affected 
by a large downtime doing the latter option (script changing permissions 
and ACLs).

> Yes, some method will have to be found to identify the file & directory 
> ownership before the join and then change them to the new IDs after the 
> join.
> Rowland
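As an added illustration of the approach the thread converges on (record file and directory ownership by name before the join, then re-apply it with the new IDs winbind hands out after the join), the following script is example code written for this page, not code from either poster or from the Samba project. It assumes that after the join winbind's NSS module resolves names in the form `EXAMPLE\alice` (the `EXAMPLE` domain is a placeholder) and that the post-join uids/gids shown in the demo are made up. It covers only POSIX owner and group; POSIX ACLs and the Samba-specific NT ACL storage Robert mentions would need their own handling.

```python
# Added example (not from the original posters): snapshot POSIX ownership by *name*
# before joining an AD domain, then plan/apply the chown to the ids winbind assigns
# after the join. Owner/group only; POSIX ACLs and Samba NT ACL xattrs are not touched.
import json
import os
import tempfile
from pathlib import Path

# Constructed sample of a pre-join /etc/passwd and /etc/group (local users).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
"""
SAMPLE_GROUP = """root:x:0:
alice:x:1001:
staff:x:2000:alice,bob
"""


def parse_id_table(text):
    """Map numeric id -> name from passwd- or group-style lines (name:x:id:...)."""
    table = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            table[int(fields[2])] = fields[0]
    return table


def snapshot_ownership(root, uid_to_name, gid_to_name):
    """Walk root and record each entry's owner and group *by name*.

    Ids with no local name are kept as the number's string so nothing is lost.
    lstat is used so symlinks are recorded, not followed."""
    root = Path(root)
    manifest = {}
    for path in [root, *root.rglob("*")]:
        st = path.lstat()
        rel = str(path.relative_to(root))
        manifest[rel] = {
            "owner": uid_to_name.get(st.st_uid, str(st.st_uid)),
            "group": gid_to_name.get(st.st_gid, str(st.st_gid)),
        }
    return manifest


def lookup_post_join_ids(names, groups):
    """After the join, ask NSS (winbind) for the new ids. Names NSS cannot
    resolve are simply absent from the result, so they are reported, not guessed."""
    import grp
    import pwd
    uids, gids = {}, {}
    for n in names:
        try:
            uids[n] = pwd.getpwnam(n).pw_uid
        except KeyError:
            pass
    for g in groups:
        try:
            gids[g] = grp.getgrnam(g).gr_gid
        except KeyError:
            pass
    return uids, gids


def plan_restore(manifest, name_to_uid, name_to_gid, rename=None):
    """Resolve each recorded name to its post-join id.

    rename maps a local name to its AD name, e.g. "alice" -> "EXAMPLE\\alice"
    (assumed winbind naming). Entries whose owner or group cannot be resolved
    go to the unresolved list and are left untouched. Returns (changes, unresolved)."""
    rename = rename or {}
    changes, unresolved = {}, []
    for rel, who in manifest.items():
        uid = name_to_uid.get(rename.get(who["owner"], who["owner"]))
        gid = name_to_gid.get(rename.get(who["group"], who["group"]))
        if uid is None or gid is None:
            unresolved.append(rel)
            continue
        changes[rel] = (uid, gid)
    return changes, unresolved


def apply_restore(root, changes, dry_run=True):
    """Apply the planned chowns (lchown, so symlinks themselves are changed).
    With dry_run=True nothing is modified; the count of planned changes is returned."""
    root = Path(root)
    for rel, (uid, gid) in changes.items():
        if not dry_run:
            os.lchown(root / rel, uid, gid)
    return len(changes)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        Path(d, "report.txt").write_text("x")
        st = os.lstat(Path(d, "report.txt"))
        # Pretend the current process uid/gid are local "alice" / "staff".
        manifest = snapshot_ownership(d, {st.st_uid: "alice"}, {st.st_gid: "staff"})
        print(json.dumps(manifest, indent=2))  # this is what you would save pre-join
        # Post-join ids are made up here; in practice use lookup_post_join_ids().
        rename = {"alice": "EXAMPLE\\alice", "staff": "EXAMPLE\\staff"}
        changes, missing = plan_restore(manifest, {"EXAMPLE\\alice": 3000001},
                                        {"EXAMPLE\\staff": 3000010}, rename)
        print("planned:", changes, "unresolved:", missing)
        print("would change", apply_restore(d, changes, dry_run=True), "entries")
```

Run the snapshot on each server before the join and keep the JSON per server, since, as noted above, the local id spaces of standalone servers are unrelated; after the join, build the name tables with `lookup_post_join_ids` and review the unresolved list before running `apply_restore` with `dry_run=False`.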
