[Samba] Migrating MIT Kerberos based AD DC to Heimdal based AD DC
Rowland penny
rpenny at samba.org
Wed Feb 3 16:51:44 UTC 2021
On 03/02/2021 16:45, Robert Marcano via samba wrote:
> On 2/3/21 10:23 AM, MATYAS, Tibor via samba wrote:
>> Shall I update? We can live with the limitations of the MIT
>> Kerberos based AD DC.
>
> When I started migrating customers (small businesses) using NT 4 style
> domains to Samba AD. I tried a Samba AD linked with MIT Kerberos.
> Testing on a lab, it worked fine. So I decided to switch the smallest
> of the domains to it, and then started to experience bugs that only
> happen on the experimental MIT Kerberos based Samba, for example
> machine based GPOs not applying.
>
> So all other domains where moved directly to Samba linked to Heimdal.
> That particular test domain, was moved to Heimdal only replacing the
> Samba binaries. All the Samba data files at $prefix/var remained the
> same and it was an easy migration without the need to join another DC
> with the new Samba and later demote the old one.
>
> I remember I did that because I saw an old post of someone asking
> about that kind of MIT to Heimdal migration, and the response was that
> there aren't specific files based on the Kerberos implementation and
> that it should work, but there aren't guarantees of it working. It
> worked for this case, of a very small domain at that time.
>
That may have worked for you, but what if it doesn't for the OP, they
could lose everything, joining a new DC is a lot safer.
Rowland
More information about the samba
mailing list