[Samba] how to populate Samba AD DC with groups and users?

Franta Hanzlík franta at hanzlici.cz
Wed Aug 25 01:08:56 UTC 2021

On Tue, 24 Aug 2021 11:50:49 +0200
Franta Hanzlik via samba <samba at lists.samba.org> wrote:

> Hi Samba experts,
> I built a new Samba 4.16 AD DC and did the initial provisioning. Now I'm 
> working on how best to deploy groups and users - when I have the old Samba 
> 4.0 AD, where the same users and groups already exist (basically, this is a 
> migration from the old server to the new one, but the domain/realm on old 
> and new are different).
> What is the best way to perform this migration? Exporting users and groups 
> from the old server to ldif using ldbsearch is probably the first step, but 
> what next?
> TIA, Franta Hanzlik

No one can advise?
I can think of several options, but there seem to be ambiguities or
negatives for each:

1) Assign the new controller to the existing domain with the old controller,
and remove and reconfigure it after replication.
This way is probably not recommended even for the same versions of Samba,
and here the difference between 4.0.4 and 4.16.6 is huge.

2) Back up the old AD DC and restore to the new one.
Firstly, according to the Samba Wiki, renaming is not (completely) supported,
and also mainly samba-tool in version 4.0.4 does not support domain backup.

3) Use ldbsearch to dump the AD DC groups and users (except system/builtin)
to an LDIF file from the old DC, exclude unnecessary attributes from them,
and modify them for ldbadd and add them to the new one.
This seems like a better way, but what attributes will be needed in
the file to import into the new DC?
And what about Unix attributes (home directory, UID / GID, etc.)?

4) Use group/user attributes (extracted from LDIF ldbsearch export from
the old 4.0.4 DC) on the new 4.16.6 DC as parameters for
'samba-tool user add'/'samba-tool group add' (and maybe also
'samba-tool [user | group] addunixattrs').
Is this the best and safest (in terms of AD) way to add groups and users?

The Samba Wiki, a very good source of information, seems to consider/describe
in this case only the interactive RSAT and the samba-tool only for adding
Unix attributes. Or was I looking wrong and missed some important information?

Thanks, Franta Hanzlik
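
Option 4 above, sketched as an added example (not part of the original post and not Samba project code): it parses an ldbsearch LDIF export, skips built-in and machine accounts, and builds `samba-tool user create` argument lists (`user create` is the newer name for the `user add` subcommand). The sample LDIF, the attribute-to-option mapping and the account-name filter are assumptions of this example.

```python
import base64
import re
# Constructed sample shaped like ldbsearch LDIF output (not real data).
SAMPLE_LDIF = """\
# record 1
dn: CN=Alice Example,CN=Users,DC=old,DC=example
objectClass: user
sAMAccountName: alice
sn:: w4l4YW1wbGU=
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/al
 ice

dn: CN=Administrator,CN=Users,DC=old,DC=example
objectClass: user
sAMAccountName: Administrator
isCriticalSystemObject: TRUE
"""
OPTION_FOR = {"sn": "--surname", "givenName": "--given-name",  # LDAP attr -> CLI option
              "uidNumber": "--uid-number", "gidNumber": "--gid-number",
              "unixHomeDirectory": "--unix-home", "loginShell": "--login-shell"}
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,19}")  # also rejects machine accounts (name$)

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record."""
    records = []
    for block in re.split(r"\n\s*\n", text.replace("\n ", "")):  # undo line folding
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" marks an encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            rec.setdefault(attr, []).append(value.strip())
        if "dn" in rec:
            records.append(rec)
    return records

def user_create_argv(rec):
    """Return argv (a list, never a shell string) for one user, or None to skip it."""
    name = rec.get("sAMAccountName", [""])[0]
    builtin = rec.get("isCriticalSystemObject") == ["TRUE"]  # e.g. Administrator
    if builtin or "user" not in rec.get("objectClass", []) or not SAFE_NAME.fullmatch(name):
        return None
    argv = ["samba-tool", "user", "create", name, "--random-password"]  # passwords are not migrated
    argv += [f"{opt}={rec[a][0]}" for a, opt in OPTION_FOR.items() if a in rec]
    return argv
```

Passing each list to `subprocess.run(argv, check=True)` on the new DC keeps directory values out of shell parsing, and the `--option=value` form stops a value that begins with `-` from being read as an option.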
