
Re: [Samba] Demote a samba DC and rejoin as member

Hi Andreas,

Yes, when switching, it is much safer to clean up your /var/lib/samba.
Be sure to recreate the /var/lib/samba/private folder after the cleanup;
most of the time that folder is not recreated automatically.

There is nothing very complicated in what you want to do. Just be
sure to double-check replication before demoting, demote properly so
that all the old DNS entries pointing to your old server are removed,
and check your DNS configuration on servers and desktops.

I do that regularly, kind of business as usual, but the other way
around, from MS-AD to Samba AD... By the way, Samba-AD is much easier
to maintain if you are familiar with AD and at ease with the command
line / scripting. Unless you have a business/corporate requirement
expressly needing an MS-AD, I'd say it would be better to stick with
Samba-AD.

Hello,

thanks for your help.

As for my reasons for doing that: until now, I had the impression it
was the other way round; MS-AD looked easier to maintain, at least as
long as everything works... Part of the problem may be that I am bound
to use the samba packages shipped with Debian stable, which is 4.5.12 at
the moment. I have already encountered several points that were already
fixed in newer versions, but I would have to wait for Debian 10 to get
these. But I am more familiar with Linux and the command line, so I am
considering your words and staying with samba. What is absolutely
required is to have domain members running Windows 10 and Server 2016,
and I am unsure whether this works with this rather old version of samba.

As far as packaging is concerned, you are right in saying that distro versions are too outdated for a production Samba-AD. For file servers it might be OK depending on your requirements, but for AD it is better to mostly follow the new versions. Samba-AD is a fast-moving target with a lot of improvements/bug fixes in each version. Currently you can go with Samba 4.7.4.

You can check LPH van Belle's packages or the ones we bake at my office [1]. You should also be sure to use Bind DLZ for DNS (Samba's internal DNS does not do caching currently, so it forwards all the queries that are not for its own zones).

By the way, one thing that you started to do in your migration process, splitting the AD server and the file server, is a good thing to do in any case. The winbind process behaves differently on an AD DC and on a file server, and it is much better for maintenance to split those two roles. And from a cyber-security point of view, it is advised, be it MS or Samba, to put as little as possible on the AD DC since it is a very critical machine from a security standpoint.

Once Samba-AD is properly set up, it does run smoothly. We've got hundreds of them humming happily at clients. And you can have win10 and win2k16 member servers without problems. There are cases where MS-AD is the only option, mainly if you need 2k12 schema support (currently being implemented) or 2k12 security features like FAST or silos, or a tight SIEM integration (the logging framework needs to be improved), inter-domain trusts, or third-party software requirements.

Cheers,

Denis

[1] https://dev.tranquil.it


Bye,
Andreas


--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
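An added example of the demote-and-rejoin procedure discussed in this thread, written for this page and not taken from the list messages or from the Samba project. It parses the output of samba-tool drs showrepl for the replication check Denis asks for, refuses to demote while any partition still reports failures, then demotes, moves /var/lib/samba aside, recreates the private folder and joins the box back as a member. The DC names (dc1 surviving, dc2 being demoted), the IP 192.0.2.10, the realm SAMDOM.EXAMPLE.COM, the minimal smb.conf, the Debian service names and the showrepl sample are assumptions or constructed input, not anything stated in the thread.

```shell
#!/bin/sh
# Added example, not from the list thread or the Samba project: demote a
# Samba AD DC and rejoin the same box as a domain member, with the
# replication check the reply above insists on. Hypothetical names: the DC
# being demoted is dc2, the surviving DC is dc1 (IP 192.0.2.10), realm
# SAMDOM.EXAMPLE.COM, workgroup SAMDOM. Service names are Debian's.
set -eu

# Constructed sample of `samba-tool drs showrepl` output so the parser can
# be exercised offline. Real output has the same line shapes (tab-indented).
SAMPLE_SHOWREPL='Default-First-Site-Name\DC2
DSA Options: 0x00000001

==== INBOUND NEIGHBORS ====

DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Tue Feb  6 10:02:11 2018 CET was successful
        0 consecutive failure(s).
        Last success @ Tue Feb  6 10:02:11 2018 CET

CN=Configuration,DC=samdom,DC=example,DC=com
    Default-First-Site-Name\DC1 via RPC
        Last attempt @ Tue Feb  6 10:02:11 2018 CET failed, result 8453 (WERR_DS_DRA_ACCESS_DENIED)
        3 consecutive failure(s).
        Last success @ Mon Feb  5 18:40:02 2018 CET

==== OUTBOUND NEIGHBORS ====
'

# Sum every "N consecutive failure(s)" counter on stdin and print the total.
count_repl_failures() {
    awk '/consecutive failure\(s\)/ { total += $1 } END { print total + 0 }'
}

# Succeeds only when no partition on any neighbor reports a failure.
replication_clean() {
    [ "$(count_repl_failures)" -eq 0 ]
}

# The switch itself. Order matters: check replication first, demote (which
# removes this DC's objects and its DNS records from the domain), then move
# the old DC state aside before joining as a member.
demote_and_rejoin() {
    dc=${1:?surviving DC short name}     # dc1
    dc_ip=${2:?surviving DC IP}          # 192.0.2.10
    realm=${3:?realm}                    # SAMDOM.EXAMPLE.COM
    workgroup=${4:?workgroup}            # SAMDOM
    admin=${5:-Administrator}
    zone=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')

    # 1. Refuse to demote while any partition still shows failures.
    samba-tool drs showrepl | replication_clean || {
        echo "replication is not clean; fix it before demoting" >&2
        return 1
    }

    # 2. Demote against the surviving DC.
    samba-tool domain demote -U"$admin" --server="$dc"

    # 3. Stop the DC, keep the old state as a rollback copy, and recreate
    #    the private folder, which is not recreated automatically.
    systemctl stop samba-ad-dc
    systemctl disable samba-ad-dc
    mv /var/lib/samba "/var/lib/samba.dc-$(date +%Y%m%d)"
    mkdir -p /var/lib/samba/private

    # 4. Minimal member-server smb.conf (assumed; merge with your shares).
    cat > /etc/samba/smb.conf <<EOF
[global]
    security = ads
    realm = $realm
    workgroup = $workgroup
    idmap config * : backend = tdb
    idmap config * : range = 3000-7999
    idmap config $workgroup : backend = rid
    idmap config $workgroup : range = 10000-999999
    kerberos method = secrets and keytab
EOF

    # 5. This host must no longer resolve through itself: point it at the
    #    surviving DC (adjust if resolv.conf is managed for you), then join.
    printf 'search %s\nnameserver %s\n' "$zone" "$dc_ip" > /etc/resolv.conf
    net ads join -U"$admin"
    systemctl start smbd nmbd winbind

    # 6. Verify the join and look for stale DC records naming this host.
    net ads testjoin
    wbinfo --ping-dc
    if samba-tool dns query "$dc" "$zone" _ldap._tcp SRV -U"$admin" \
            | grep -qi "$(hostname -s)"; then
        echo "WARNING: a _ldap._tcp SRV record still names this host" >&2
    fi
}

# Only run the destructive part when asked for explicitly.
if [ "${1:-}" = "--run" ]; then
    shift
    demote_and_rejoin "$@"
fi
```

Run it on the DC being demoted as: sh demote-rejoin.sh --run dc1 192.0.2.10 SAMDOM.EXAMPLE.COM SAMDOM. Without --run it only defines the functions. The replication check sums the consecutive-failure counters over every partition and neighbor, so one failing partition (as in the constructed sample, where the Configuration partition reports 3 failures) is enough to block the demote; clean output, with every counter at 0, lets it proceed.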

