[Samba] Migrating MIT Kerberos based AD DC to Heimdal based AD DC
Rowland penny
rpenny at samba.org
Wed Feb 3 14:57:34 UTC 2021
On 03/02/2021 14:23, MATYAS, Tibor via samba wrote:
> We operate a MIT Kerberos based single Samba 4.8.6 AD DC on Gentoo Linux
> (BIND DLZ). I know, I know: very outdated!
I would be more concerned that you seem to be using an 'experimental'
MIT Samba DC in production.
> The "setup" and LAN is completely decoupled from the internet, with a
> few Windows 10 members only.
> It is not clear to me, what is the current status of the Kerberos based
> AD DC
> https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
> was last updated on March 2019.
It is still experimental and should only be used for testing purposes.
> Because it is getting harder to keep the Gentoo Linux up-to-date with
> masking the current stable samba versions
> and it's dependencies, I guess we have two options:
> #1 update samba to the current stable of the gentoo portage tree: as I
> told you, I am not sure that this is possible without any
> issue.... Shall I update? We can live with the limitations of the MIT
> Kerberos based AD DC.
Why would you want to ?
> #2 migrate to a Heimdal based AD DC. But how? Is there an offline way?
> Or add a second, Heimdal based AD DC, demote the
> Kerberos based (to much work)...?
The last method is the correct one to get a fully production supported
Samba AD DC, Add a Samba AD DC using the Heimdal built into the Samba
source, transfer all the FSMO roles to the new DC and then demote the
original DC.
Rowland
More information about the samba
mailing list