[Samba] Migrating MIT Kerberos based AD DC to Heimdal based AD DC
Robert Marcano
robert at marcanoonline.com
Thu Feb 4 13:33:23 UTC 2021
On 2/3/21 12:51 PM, Rowland penny via samba wrote:
> On 03/02/2021 16:45, Robert Marcano via samba wrote:
>> On 2/3/21 10:23 AM, MATYAS, Tibor via samba wrote:
>>> Shall I update? We can live with the limitations of the MIT
>>> Kerberos based AD DC.
>>
>> When I started migrating customers (small businesses) using NT 4
>> style domains to Samba AD. I tried a Samba AD linked with MIT
>> Kerberos. Testing on a lab, it worked fine. So I decided to switch
>> the smallest of the domains to it, and then started to experience
>> bugs that only happen on the experimental MIT Kerberos based Samba,
>> for example machine based GPOs not applying.
>>
>> So all other domains where moved directly to Samba linked to Heimdal.
>> That particular test domain, was moved to Heimdal only replacing the
>> Samba binaries. All the Samba data files at $prefix/var remained the
>> same and it was an easy migration without the need to join another DC
>> with the new Samba and later demote the old one.
>>
>> I remember I did that because I saw an old post of someone asking
>> about that kind of MIT to Heimdal migration, and the response was
>> that there aren't specific files based on the Kerberos implementation
>> and that it should work, but there aren't guarantees of it working.
>> It worked for this case, of a very small domain at that time.
>>
>
> That may have worked for you, but what if it doesn't for the OP, they
> could lose everything, joining a new DC is a lot safer.
>
> Rowland
>
Quoting myself:
"but there aren't guarantees of it working"
More information about the samba
mailing list