[Samba] Classicupgrade FL 2012_R2 NTLM/Kerberos logon

Havany havany at asalluhi.fr
Thu Jun 6 11:33:04 UTC 2024


Hi Darin,



Le 05/06/2024 à 17:34, Darin via samba a écrit :
>   
> 
> Hello Havany,
> I am just going to jump into this discussion.
> 
Welcome!

>> We try 2 scenarios:
>> - A "Big bang" migration to a new domain made from scratch: but we need to migrate all users, computers, laptops, filers without losing profiles, file server access... in a short time (1-2 weeks maximum).
>> - A "classicupgrade" migration, but it needs several steps to improve security. And at the same time, we are afraid to import "silently" many misconfigurations from our old NT4 Domain that could have an impact in the future.
> 
> I would strongly avoid your "Big Bang" approach. What you're describing is
> going to most certainly backfire. It sounds like a fail forward vs fail
> backward. When something goes wrong you need to be able to go back to a
> working configuration. So I suppose the best option is to do a slow
> migration with the ability to quickly do and undo changes.

- Classicupgrade is destructive for the NT4 Domain, but we can keep data 
of the old NT4 Domain and we can roll back to this with our Ansible 
playbooks. We will lose all changes between migration and rollback and 
we will improve a possible long downtime.

- With the "Big Bang" approach we are able to keep our old NT4 Domain if we 
need to roll back to it. But in this case the problem is the access to 
the filers. I think that we can't have a file server that allows access 
at the same time to an NT4 Domain and a Samba 4 AD Domain (I will search 
for information about that). The second problem for this approach is that we 
need to write a (maybe complex) logon script to be able to keep the user's 
local profile when a computer is moved to the new Domain.

> 
>> around 400 Windows computers and 1500 active users.
> 
> Your deployment is not small or trivial. I would be very careful doing
> anything as you could create a significant IT trainwreck.
> 
> To help you I need some more information. Are you migrating from a
> Windows Server environment? If so, what version. 

All is on FreeBSD iocage and ZFS filesystem.
Current situation (NT4):
* 1 PDC and 1 BDC
* 7 file server members
* 1 CUPS server member
* LDAP backend

What we want:
* 2-3 Samba 4 AD DCs
* all file servers and the CUPS server as members of the new domain
* crontab synchronization of users and groups from the LDAP with LSC 
(successfully tested)
* our password manager system changes the user's password at the same 
time on the LDAP and Samba 4 (tested too)

> I think a 2008_R2
> domain level should not be much of an issue. From a security aspect you
> can do a few things like only using SMB3 and strong encryption.

Given everything that has been said previously, I will wait before 
moving to FL 2012_R2 at least until Samba 4.20 is released on FreeBSD 
(currently only 4.19 is available), regardless of the migration method 
we choose. I will replay the classicupgrade today after adapting my 
Ansible playbooks accordingly.

> 
> https://wiki.samba.org/index.php/Hardening_Samba_as_an_AD_DC
> 
> Darin
>   

Regards,
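As an added illustration of the "only using SMB3 and strong encryption" hardening Darin refers to, here is the kind of smb.conf global fragment that enforces it. This is not configuration from either message or from the poster's Ansible playbooks; the option names are the current Samba global parameters (the `server smb encrypt` name exists since Samba 4.15, so it applies to the 4.19 and 4.20 builds mentioned in the thread) and the values chosen are an assumption about the desired policy.

```ini
# Added example, not from the thread: minimal smb.conf hardening fragment
# for an AD DC or a domain member file server.
[global]
    # Refuse SMB1 and SMB2 dialects: clients must negotiate SMB 3.0 or later
    server min protocol = SMB3_00
    # Apply the same floor when this host acts as a client (winbind, smbclient)
    client min protocol = SMB3_00
    # Require SMB3 transport encryption on every share; unencrypted
    # sessions are rejected rather than silently allowed
    server smb encrypt = required
    # Require SMB signing in both directions (already the default on an AD DC)
    server signing = mandatory
    client signing = mandatory
```

Validate the file with `testparm -s` before restarting smbd. Note that `server smb encrypt = required` locks out any client that cannot do SMB3 encryption (older Windows releases, some embedded devices and printers), so it should be rolled out to the file servers one at a time, which fits the "quickly do and undo" approach Darin recommends, rather than as part of the domain migration itself.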


