Web lists-archives.com

Re: [Samba] Samba 3 domain to AD domain migration.




On 6/1/18 9:36 AM, Rowland Penny via samba wrote:
> On Fri, 1 Jun 2018 08:56:18 -0400
> Nathan Lager via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Good Morning Samba list,
>>
>> I know I don't post here often (or.. maybe ever) but i've been
>> watching along for years.
>>
>> We're in a situation where we have an aging samba 3 domain.  It acts
>> like an old NT domain, samba folks should understand that.  Its just
>> where the capabilities of samba3 landed us. 
>>
>> For many reasons we want to get off of this domain, and on to
>> something more modern, and we've decided that a true windows AD is
>> the place to go.  We have a lot of the migration worked out, but
>> we're down to one last caveat.  Passwords.  We don't want to force a
>> password reset for all of our users.  At least not within the
>> timeframe of this migration. So we're trying to find migration
>> options that will take the existing samba passwords and migrate them
>> over to AD.  The passwords are currently stored in NT4 hashes (one of
>> the reasons we want to get off of this domain). 
>>
>> So, all that background to ask my question.  Samba 3 to Samba4
>> migration MIGHT be an option. 
>> https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade) 
>>
>>
>> I'm an accomplished nix admin, so i'm not afraid to try that upgrade,
>> we didnt want to take the time to do that step if we could avoid it. 
>> However, since we're stuck on these passwords, i'm wondering if it's
>> back on the table.  The problem is, the document doesn't seem to
>> directly address passwords.  It doesn't say that it does convert the
>> passwords, it also doesn't say that it doesn't.  At least not that
>> i've found in the doc. 
>>
>> My goal would be to use the samba4 migration as a go-between from
>> smb3/nt to Windows AD.  Would migrating to samba4 migrate passwords,
>> AND set me up such that I can then use a domain trust, or a windows DC
>> joined to the samba4 domain, to replicate passwords over to Windows
>> AD?
>>
>>
>> Sorry for being long-winded, let me know if you need more info.
>> Thanks!
>>
> I will be brief:
> Yes and Yes, but why migrate to a Windows DC, think of the cost of all
> those CALS, not to mention the cost of the DCs, but it is your
> decision.
>
> Rowland
>   
>
The answer is also long, so i'll be brief.  It's not completely my
decision, and the team has decided Windows AD is the right choice. 
Moving to smb4/AD was my gameplan, but im not the only one living with
the decision.

So, if we do the smb4 migration, we should end up with passwords
migrated, and we should be able to then migrate those accounts to a
windows domain.  That's great news.  Thanks!

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Nathan Lager, RHCSA, RHCE, RHCVA (#110-011-426) 
Sr. System Administrator
1 South 3rd St.
4th Floor
Easton, PA 18042


Attachment: signature.asc
Description: OpenPGP digital signature

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba