
Re: [Samba] Migration Of Records From Old Samba Domain To New One
On Sun, 11 Feb 2018 11:01:08 -0600
Matthew Delfino via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello from Sunny and frigidly cold Minneapolis, MN, USA!
> 
> I have a Samba domain with three DCs running v4.4.16 on Ubuntu Server
> 14.04.5 LTS (BIND9 DLZ Backend). I need to move all my records to a
> new domain (from DOMAIN.LOC to SAMDOM.DOMAIN.NET).
> 
> I know that it's not possible to change domains on a samba install,
> so I've created three new DCs running v4.7.4 on Ubuntu Server 16.04.3
> LTS (also with a BIND9 DLZ backend). They've got a minimal install's
> worth of records in them, but now I'd like to export my accounts from
> my old domain and import them into the new one.
> 
> My idea was to use ldapsearch (or maybe ldbsearch would be better?)
> to create a huge dump of records from my old domain and then edit the
> resulting ldif file with some slick find-and-replace-fu so that the
> records can easily slide into the new domain I've set up (dn,
> userPrincipalName, msSFU30NisDomain stand out as good ideas to alter).
> 
> Then, I was going to turn off my new DCs and import the ldif file
> with ldbadd to pull in all the ldif records.
> 
> My question to the team of experts is this:
>  1) Is there a better way and, if so, what might it be?
>  2) If this is a fine approach, are there some parameters I would be
> wise to exclude from the import (like all the timestamps, objectGUID
> and objectSid, for example)?
> 
> I believe that my worst-case scenario is that I'll need to create a
> shell script filled with "samba-tool" commands for each user and
> group, then (gulp) re-add all my users to the groups they belonged to.
> 

Sorry, but personally, I do not think this is going to work; AD is a
lot more complex than an LDAP-based domain. Each 'object' has its own
GUID and objectSid, the SID part of 'objectSid' identifies the domain,
and there are other problems as well. Whatever you do, you will have to
join your clients to the new domain.

I think the best you can do is to dump your users and groups, then use
this info to create them again in the new AD, along with their group
memberships. You will probably need to give your users new passwords
and force them to change at next login.

You can certainly try what you are proposing, even though I don't think
it will work, but ensure you test it thoroughly before putting it into
production.

Rowland
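The two approaches discussed in this thread, the "dump, find-and-replace, import" idea in the question and the "dump users and groups, recreate them with samba-tool" approach in the reply, can be sketched in one script. The following is an added example, not code from the thread or from the Samba project: it parses a constructed LDIF dump (folded lines and base64 `::` values included), strips the attributes that are bound to the old forest (objectGUID, objectSid, USN and timestamp metadata, password blobs), rewrites the DN suffix and userPrincipalName realm as the question proposes, and then emits `samba-tool user create` / `group add` / `group addmembers` command lines that recreate the accounts with random passwords that must be changed at next login. The attribute list `DOMAIN_BOUND`, the sample LDIF and the domain names are assumptions for the example; the samba-tool subcommands and options used are the standard ones.

```python
"""Turn an LDIF dump of an old Samba AD domain into samba-tool commands for a new one.
Added example for the thread above; the sample data below is constructed, not real."""
import base64
import re
import shlex

# Assumed values for the migration discussed in the thread.
OLD_SUFFIX, NEW_SUFFIX = "DC=domain,DC=loc", "DC=samdom,DC=domain,DC=net"
OLD_REALM, NEW_REALM = "domain.loc", "samdom.domain.net"

# Attributes bound to the old forest or DC (assumed list; extend as needed):
# identity, replication metadata and password blobs must never be imported.
DOMAIN_BOUND = {
    "objectguid", "objectsid", "whencreated", "whenchanged", "usncreated",
    "usnchanged", "dscorepropagationdata", "lastlogon", "lastlogontimestamp",
    "pwdlastset", "unicodepwd", "supplementalcredentials", "ntpwdhistory",
    "lmpwdhistory", "primarygroupid", "objectcategory",
}

SAMPLE_LDIF = """\
# constructed sample dump of the old domain (not real data)
dn: CN=Alice Example,CN=Users,DC=domain,DC=loc
objectClass: top
objectClass: user
sn: Example
givenName: Alice
sAMAccountName: alice
userPrincipalName: alice@domain.loc
mail: alice@domain.loc
objectGUID:: 8cqk4bMPf0WnSHZYEHpIQQ==
objectSid:: AQUAAAAAAAUVAAAAAQIDBAUGBwgJCgsMUQQAAA==
whenCreated: 20150101120000.0Z
description: a folded
  attribute value

dn: CN=bob,CN=Users,DC=domain,DC=loc
objectClass: top
objectClass: user
sAMAccountName: bob
userPrincipalName: bob@domain.loc
objectSid:: AQUAAAAAAAUVAAAAAQIDBAUGBwgJCgsMUgQAAA==

dn: CN=Finance,CN=Users,DC=domain,DC=loc
objectClass: top
objectClass: group
sAMAccountName: Finance
member: CN=Alice Example,CN=Users,DC=domain,DC=loc
member: CN=bob,CN=Users,DC=domain,DC=loc
objectSid:: AQUAAAAAAAUVAAAAAQIDBAUGBwgJCgsMUwQAAA==
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attr: [values]} dicts (attrs lower-cased).
    Folded continuation lines are joined; '::' values are base64-decoded to bytes
    so binary attributes such as objectSid can be told apart from strings."""
    entries, cur = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        elif rest.startswith("<"):
            continue  # URL-valued attribute: not relevant for this migration
        else:
            value = rest.strip()
        cur.setdefault(attr.strip().lower(), []).append(value)
    if cur:
        entries.append(cur)
    return entries


def scrub_entry(entry, old_suffix, new_suffix, old_realm, new_realm):
    """Return (cleaned entry, sorted list of dropped attrs): the find-and-replace
    step of the question, with the domain-bound attributes excluded."""
    cleaned, dropped = {}, []
    for attr, values in entry.items():
        if attr in DOMAIN_BOUND:
            dropped.append(attr)
            continue
        if attr in ("dn", "member", "memberof"):
            values = [re.sub(re.escape(old_suffix) + "$", new_suffix, v, flags=re.I)
                      for v in values]
        elif attr == "userprincipalname":
            values = [re.sub("@" + re.escape(old_realm) + "$", "@" + new_realm, v, flags=re.I)
                      for v in values]
        cleaned[attr] = values
    return cleaned, sorted(dropped)


def samba_tool_commands(entries):
    """Build samba-tool command lines recreating users, groups and memberships
    (the approach recommended in the reply): users get a random password and
    must change it at next login; computers are left out, they must be re-joined."""
    users, groups, by_dn = [], [], {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        sam = e.get("samaccountname", [None])[0]
        if not sam:
            continue
        by_dn[e["dn"][0].lower()] = sam
        if "group" in classes:
            groups.append(e)
        elif "user" in classes and "computer" not in classes:
            users.append(e)
    cmds = []
    for u in users:
        cmd = ["samba-tool", "user", "create", u["samaccountname"][0],
               "--random-password", "--must-change-at-next-login"]
        for opt, attr in (("--given-name", "givenname"), ("--surname", "sn"),
                          ("--mail-address", "mail")):
            if attr in u:
                cmd.append(f"{opt}={u[attr][0]}")
        cmds.append(" ".join(shlex.quote(c) for c in cmd))
    for g in groups:
        name = g["samaccountname"][0]
        cmds.append(f"samba-tool group add {shlex.quote(name)}")
        members = [by_dn[m.lower()] for m in g.get("member", []) if m.lower() in by_dn]
        if members:  # member DNs are resolved to sAMAccountNames via the dump itself
            cmds.append(f"samba-tool group addmembers {shlex.quote(name)} "
                        f"{shlex.quote(','.join(members))}")
    return cmds


def migrate(ldif_text):
    """Full pipeline: parse, scrub, then emit the samba-tool script lines."""
    cleaned = [scrub_entry(e, OLD_SUFFIX, NEW_SUFFIX, OLD_REALM, NEW_REALM)[0]
               for e in parse_ldif(ldif_text)]
    return samba_tool_commands(cleaned)


if __name__ == "__main__":
    print("\n".join(migrate(SAMPLE_LDIF)))
```

Run against a real `ldbsearch -H /var/lib/samba/private/sam.ldb` dump, the generated lines are what the "worst-case" shell script in the question would contain; reviewing the `dropped` list from `scrub_entry` for each entry is a quick way to see which attributes (objectSid and friends) would otherwise have leaked the old domain's identity into the import.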

