[Samba] Migrating MIT Kerberos based AD DC to Heimdal based AD DC

Robert Marcano robert at marcanoonline.com
Thu Feb 4 13:33:23 UTC 2021

On 2/3/21 12:51 PM, Rowland penny via samba wrote:
> On 03/02/2021 16:45, Robert Marcano via samba wrote:
>> On 2/3/21 10:23 AM, MATYAS, Tibor via samba wrote:
>>> Shall I update? We can live with the limitations of the MIT
>>> Kerberos based AD DC.
>> When I started migrating customers (small businesses) using NT 4 
>> style domains to Samba AD. I tried a Samba AD linked with MIT 
>> Kerberos. Testing on a lab, it worked fine. So I decided to switch 
>> the smallest of the domains to it, and then started to experience 
>> bugs that only happen on the experimental MIT Kerberos based Samba, 
>> for example machine based GPOs not applying.
>> So all other domains where moved directly to Samba linked to Heimdal. 
>> That particular test domain, was moved to Heimdal only replacing the 
>> Samba binaries. All the Samba data files at $prefix/var remained the 
>> same and it was an easy migration without the need to join another DC 
>> with the new Samba and later demote the old one.
>> I remember I did that because I saw an old post of someone asking 
>> about that kind of MIT to Heimdal migration, and the response was 
>> that there aren't specific files based on the Kerberos implementation 
>> and that it should work, but there aren't guarantees of it working. 
>> It worked for this case, of a very small domain at that time.
> That may have worked for you, but what if it doesn't for the OP, they 
> could lose everything, joining a new DC is a lot safer.
> Rowland
Quoting myself:

  "but there aren't guarantees of it working"

More information about the samba mailing list