[Samba] Migrate Samba AD to Windows AD for M365

Andrew Bartlett abartlet at samba.org
Fri Apr 16 20:19:26 UTC 2021

G'Day Max,

I'm sorry to hear you need to move on from Samba.

The Office 365 situation frustrates me greatly.  A number of
organisations have approached us here at Samba and my team at Catalyst
looking to a fully supported synchronisation between Samba and Office

As I've written before, sadly, in the face of a fast-moving set of
requirements from the tools (there seems to be quite a number of
different agent versions and cloud-based options) and the small-to-
medium sized scale of the affected operations, funding fixes in the
traditional development model has been quite difficult. 

I've written before on this, and have appreciated the suggestions.
Samba donations remain critical to funding our increasing CI bill, but
don't fund ongoing development (the scale would need to be 10x higher),
and even if they did it would build 'Samba, Inc.'.  This would be a big
change that we remain quite hesitant to take, so for now this is all
left to commercial arrangements between interested users and interested
Samba commercial support/development providers.

(And if you think funding a fully supported, just work solution here is
hard, imagine how hard it is to get funding for our security release

Anyway, you didn't ask any of that.

To answer what you actually asked:

You could 'just' migrate to Windows by joining Windows to the Samba
domain, demoting Samba and going on your way.  This is the simplest
option with the least disruption.

You may need to go via an old version of Windows, or upgrade your
schema first and run our adprep, depending on when you started with
Samba.  We now ship with the Windows 2012 schema on by default, but
previously shipped an old one and even missed some bits.  Ouch.

Otherwise, if you want to be really sure your environment is free of
any differences between our Samba provision compared with Windows you
might rebuild.  It is possible to re-inject users with the same SID
(preserving file ownership) and passwords with some skill and care, if
that matters.

Finally, you could rebuild everything, reset all the file ownership and
passwords as you suggest.  An inter-forest trust might help keep some
things working in the transition.

While we don't desire to see you locked in, none of the options are
trivial, I'm sorry.

Andrew Bartlett

On Fri, 2021-04-16 at 10:56 -0600, Max Olivas via samba wrote:
> Hello,
> We are being forced into a situation where we must abandon Samba AD
> and move to a "supported" environment using MS AD with M365.  So,
> what is the best path towards moving to a full MS AD?  I have a
> Windows Server 2016 DC in my environment now with 2 Ubuntu 20.04
> Samba 4.11.6 DC's. 
> - Can I simply add another Windows DC and demote/deactivate my Samba
> DCs and move forward without problems?
> - Should I spin up a new Windows AD domain/forest and do the Trust
> relationship thing to transfer over users/computers?
> - Create a new MS AD and recreate everything?
> - Other options or experiences?
> Thanks in advance for any responses.
> Thanks,
> Max
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
