Web lists-archives.com

Re: [Samba] Share users across domains




There is a documented upgrade process

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)



With 5000 users you probably want to create a test environment first.        Moving from samba 3 to samba 4 but staying in a classic domain should not require a huge learning curve and you don't have to change the LDAP backend.      Just don't count on domain trusts working.


You definitely want to document how the various other systems are configured for LDAP authentication or coordinate with whomever is managing those systems.   I moved from a classic samba domain to a AD domain with "real" Windows 2012 domain controllers.   (This was because we needed to support MS Exchange.)       I had to tweek things like search base and naming attributes.  Also, if you are using TLS encryption with LDAP, that may require some fiddling to get working.        Also, depending on how you set up LDAP,  your current setup MAY allow anonymous access to retrieve a list of users and groups  (although not passwords.)   With AD there is no anonymous access via LDAP.



It is a little scary to hear a system administrator say he knows nothing about AD.            Kerberos can be quite a challenge though.     It also seems like with 5000 accounts that the migration task is too much for one person to handle by himself.    When I did a major step of the domain migration in my company (under 100 people) I had 3 extra people helping me over the weekend, with over 12 hours per person per day.





On 04/02/18 10:15, Rodrigo Abrantes Antunes via samba wrote:
 I know these systems work with AD, the problem is the migration, I don't think is easy to migrate 5000 accounts from current systems to new systems. I will need to learn the sintaxes of all these new systems and this would take huge time because I know nothing of samba4, or AD, or dovecot, or kerberos and the boss whants the emails for students for next month. We don't plan to change cyrus/postfix and horde, whats the problem with them? I already tried kopano and the users hated it. And like I said there are a lot of internal administrative systems that were programmed (not by me) to work with ldap only, including some that are not opensource. A while ago I did research on how to migrate my current domain to samba4 and from what I understand it would be almost impossible or too difficult for my scenario

Citando Rowland Penny <rpenny@xxxxxxxxx>:

On Mon, 02 Apr 2018 13:06:16 +0000
Rodrigo Abrantes Antunes via samba <samba@xxxxxxxxxxxxxxx> wrote:

A lot of administrative systems made by the institution, current
domain, fileservers, glpi, cyrus mail, horde, gosa, svn, freeradius,
dotproject, vcenter. Thats what I remebmber for now.

OK, I just spent about 10 minutes searching the internet and found out
this:

current domain : can be replaced by Sanba AD
fileservers    : As above

glpi           : will work with AD, see here:
                http://wiki.glpi-project.org/doku.php?id=en:ldap

cyrus mail     : This can probably be made to work with AD, but you
would probably be better off moving to Postfix/Dovecot

horde          : This will work with AD, but you will probably need to
                move to Dovecot

gosa           : You would probably be better off using LAM, this is
                still being developed, unlike Gosa, which seems to
                have stalled.

svn            : will work with AD

freeradius     : This definitely works with AD, see here
https://wiki.samba.org/index.php/Authenticating_Freeradius_against_Active_Directory

dotproject     : will work with AD
vcenter        : will work with AD

What I am trying to say is, you will probably find it easier to make
your infrastructure work with AD, rather than trying to keep Samba 3
working. You may find it easier to move some of your systems to other,
newer packages, for instance, you could upgrade your email system to
something like Kopano.

You will certainly have something more secure than what you have at the
moment, especially if you use kerberos.
Rowland



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba