[Samba] Migrating MIT Kerberos based AD DC to Heimdal based AD DC
Robert Marcano
robert at marcanoonline.com
Wed Feb 3 16:45:30 UTC 2021
On 2/3/21 10:23 AM, MATYAS, Tibor via samba wrote:
> Shall I update? We can live with the limitations of the MIT
> Kerberos based AD DC.
When I started migrating customers (small businesses) using NT 4 style
domains to Samba AD. I tried a Samba AD linked with MIT Kerberos.
Testing on a lab, it worked fine. So I decided to switch the smallest of
the domains to it, and then started to experience bugs that only happen
on the experimental MIT Kerberos based Samba, for example machine based
GPOs not applying.
So all other domains where moved directly to Samba linked to Heimdal.
That particular test domain, was moved to Heimdal only replacing the
Samba binaries. All the Samba data files at $prefix/var remained the
same and it was an easy migration without the need to join another DC
with the new Samba and later demote the old one.
I remember I did that because I saw an old post of someone asking about
that kind of MIT to Heimdal migration, and the response was that there
aren't specific files based on the Kerberos implementation and that it
should work, but there aren't guarantees of it working. It worked for
this case, of a very small domain at that time.
More information about the samba
mailing list