Re: [Samba] migrate several samba3+openldap pdc to samba3

Mandi! Guido Lorenzutti via samba
  In chel di` si favelave...

> Hi there! I have one domain, shared between several samba3+openldap
> on different geographical locations. I want to migrate them to samba4.

'Same' domain, or every geographical location have different domains,
trusted each others?

I'm in the same phase, but i've different domains for every site.

> I was able to successfully migrate the domain in a
> test environment.

Consider, i'm doing now, not to migrate domains, but instead build the
new domain ''in parallel'' with the old.
As just stated:
 + 'classicmigration' works, but leave an IdMap ''dirty'', and with
   problematic low ID
 + you still need to have, for every site, (at least) a domain controller
   and (at least) a domain member: it is theoretically doable, but it
   is preferrable to split DM/DC role in different box.
   Corollary: consider to switch to virtualization, like Proxmox.

With old and new domain in place, you can switch users/PC from the old
to the new also ''one by one''.
If login and password are the same (see later) you can also access the
old server from the new domain.

> Any idea to gradually migrate
> every location without having the problem that since I made the first
> migration, there have probably been changes in passwords, creations of
> users, etc?

a) project and setup the new domain; test it. Start to use GPO and that

b) build a script su ''suck'' users from old OpenLDAP to new AD; i've
 done one myself, i can contribute, but it is really a matter of some
 LDAP queries...

c) build a wrapper around the 'samba-tool user syncpasswords' (for
 samba AD) and the 'check password script' (for samba NT) to keep
password in sync.

I hope i was useful.

