[Samba] Migrating MIT Kerberos based AD DC to Heimdal based AD DC

Rowland penny rpenny at samba.org
Wed Feb 3 16:51:44 UTC 2021

On 03/02/2021 16:45, Robert Marcano via samba wrote:
> On 2/3/21 10:23 AM, MATYAS, Tibor via samba wrote:
>> Shall I update? We can live with the limitations of the MIT
>> Kerberos based AD DC.
> When I started migrating customers (small businesses) using NT 4 style 
> domains to Samba AD. I tried a Samba AD linked with MIT Kerberos. 
> Testing on a lab, it worked fine. So I decided to switch the smallest 
> of the domains to it, and then started to experience bugs that only 
> happen on the experimental MIT Kerberos based Samba, for example 
> machine based GPOs not applying.
> So all other domains where moved directly to Samba linked to Heimdal. 
> That particular test domain, was moved to Heimdal only replacing the 
> Samba binaries. All the Samba data files at $prefix/var remained the 
> same and it was an easy migration without the need to join another DC 
> with the new Samba and later demote the old one.
> I remember I did that because I saw an old post of someone asking 
> about that kind of MIT to Heimdal migration, and the response was that 
> there aren't specific files based on the Kerberos implementation and 
> that it should work, but there aren't guarantees of it working. It 
> worked for this case, of a very small domain at that time.

That may have worked for you, but what if it doesn't for the OP, they 
could lose everything, joining a new DC is a lot safer.


More information about the samba mailing list