[Samba] Migrating MIT Kerberos based AD DC to Heimdal based AD DC

Robert Marcano robert at marcanoonline.com
Wed Feb 3 16:45:30 UTC 2021

On 2/3/21 10:23 AM, MATYAS, Tibor via samba wrote:
> Shall I update? We can live with the limitations of the MIT
> Kerberos based AD DC.

When I started migrating customers (small businesses) using NT 4 style 
domains to Samba AD, I tried a Samba AD linked with MIT Kerberos. 
Testing in a lab, it worked fine. So I decided to switch the smallest of 
the domains to it, and then started to experience bugs that only happen 
on the experimental MIT Kerberos based Samba, for example machine based 
GPOs not applying.

So all other domains were moved directly to Samba linked to Heimdal. 
That particular test domain was moved to Heimdal only replacing the 
Samba binaries. All the Samba data files at $prefix/var remained the 
same and it was an easy migration without the need to join another DC 
with the new Samba and later demote the old one.

I remember I did that because I saw an old post of someone asking about 
that kind of MIT to Heimdal migration, and the response was that there 
aren't specific files based on the Kerberos implementation and that it 
should work, but there aren't guarantees of it working. It worked for 
this case, of a very small domain at that time.
