[Samba] Classicupgrade FL 2012_R2 NTLM/Kerberos logon
Havany
havany at asalluhi.fr
Thu Jun 6 11:33:04 UTC 2024
Hi Darin,
On 05/06/2024 at 17:34, Darin via samba wrote:
>
>
> Hello Havany,
> I am just going to jump into this discussion.
>
Welcome!
>> We are trying 2 scenarios:
>> - A "Big bang" migration to a new domain made from scratch: but we need to migrate all users, computers, laptops and filers without losing profiles, file server access... in a short time (1-2 weeks maximum).
>> - A "classicupgrade" migration, but it needs several steps to improve security. At the same time, we are afraid to "silently" import many misconfigurations from our old NT4 Domain that could have an impact in the future.
>
> I would strongly avoid your "Big Bang" approach. What you're describing is
> going to most certainly backfire. It sounds like a fail forward vs fail
> backward. When something goes wrong you need to be able to go back to a
> working configuration. So I suppose the best option is to do a slow
> migration with the ability to quickly do and undo changes.
- Classicupgrade is destructive for the NT4 Domain, but we can keep the data
of the old NT4 Domain and we can roll back to it with our Ansible
playbooks. We would lose all changes made between migration and rollback, and
we would face a possibly long downtime.
- With the "Big Bang" approach we are able to keep our old NT4 Domain if we
need to roll back to it. But in this case the problem is access to
the filers. I think that we can't have a file server that allows access
at the same time to an NT4 Domain and a Samba 4 AD Domain (I will search for
information about that). The second problem with this approach is that we
need to write a (maybe complex) logon script to be able to keep the user's
local profile when a computer is moved to the new Domain.
>
>> around 400 Windows computers and 1500 active users.
>
> Your deployment is not small or trivial. I would be very careful doing
> anything as you could create a significant IT trainwreck.
>
> To help you I need some more information. Are you migrating from a
> Windows Server environment? If so, what version.
Everything is on FreeBSD with iocage and the ZFS filesystem.
Current situation (NT4):
* 1 PDC and 1 BDC
* 7 file server members
* 1 CUPS server member
* LDAP backend
What we want:
* 2-3 Samba 4 AD DCs
* all file servers and the CUPS server as members of the new domain
* crontab synchronization of users and groups from the LDAP with LSC
(successfully tested)
* our password manager system changes the user's password at the same
time in the LDAP and in Samba 4 (tested too)
> I think a 2008_R2
> domain level should not be much of an issue. From a security aspect you
> can do a few things like only using SMB3 and strong encryption.
Given everything that has been said previously, I will wait before
moving to FL 2012_R2 at least until Samba 4.20 is released on FreeBSD
(currently only 4.19 is available), regardless of the migration method
we choose. I will replay the classicupgrade today after adapting my
Ansible playbooks accordingly.
>
> https://wiki.samba.org/index.php/Hardening_Samba_as_an_AD_DC
>
> Darin
>
Regards,