[Samba] how to populate Samba AD DC with groups and users?

Rowland Penny rpenny at samba.org
Wed Aug 25 06:47:37 UTC 2021

On Wed, 2021-08-25 at 03:08 +0200, Franta Hanzlík via samba wrote:
> No one can advise?
> I can think of several options, but there seem to be ambiguities or
> negatives for each:
> 1) Assign the new controller to the existing domain with the old
> controller,
> and remove and reconfigure it after replication.

You would have to re-configure the computer holding the DC to have the
same dns domain and join it to the domain, this would totally overwrite
sam.ldb and you would lose your users and groups.

> This way is probably not recommended even for the same versions of
> Samba,
> and here the difference between 4.0.4 and 4.16.6 is huge.

And this is why you should update Samba regularly, not wait approx 6
years before considering it.

> 2) Backup the old AD DC and restore to the new one.
> Firstly, according to the Samba Wiki, renaming is not (completely)
> supported,
> and also mainly samba-tool in version 4.0.4 does not support domain
> backup.

Not going to work, there are too many differences, not least the dns
domain name.

> 3) Use ldbsearch to dump the AD DC groups and users (except
> system/builtin)
> to an LDIF file from the old DC, exclude unnecessary attributes from
> them,
> and modify them for ldbadd and add them to the new one.
> This seems like a better way, but what attributes will be needed in
> the file to import into the new DC?
> And what about Unix attributes (home directory, UID / GID, etc.)?

A method based on the above is probably the best way to go, but beware,
you will not be able to extract any passwords.

> 4) Use group/user attributes (extracted from LDIF ldbsearch export
> from
> the old 4.0.4 DC) on the new 4.16.6 DC as parameters for
> 'samba-tool user add'/'samba-tool group add' (and maybe also
> 'samba-tool [user | group] addunixattrs').
> Is this the best and safest (in terms of AD) way to add groups and
> users?

This will also work, because it is a variant of the method above.

> The Samba Wiki, a very good source of information, seems to
> consider/describe
> in this case only the interactive RSAT and the samba-tool only for
> adding
> Unix attributes. Or was I looking wrong and missed some important
> infos?

There are other ways of maintaining Samba AD, but RSAT and samba-tool
are the only Samba supported methods, the others are supported by their
