
Re: [Samba] v3 to AD migration: home folders, quotas, users..




On Wed, 27 Jun 2018 11:04:53 +0200 (CEST)
Michal via samba <samba@xxxxxxxxxxxxxxx> wrote:

>  Hi,
>   we want to migrate from samba3 NT4 domain (we were using it for a
> long time) to Samba4 AD. A lot of questions.
>   a) user homes mapping
>     From our v3 smb.conf
>       logon drive = S:
>   [homes]
>         comment = Home Directories
>         path = /home/%u
>         read only = No
>         create mask = 0700
>         directory mask = 0700
>         inherit acls = Yes
>         browseable = No
>         root preexec = /usr/local/bin/RPE4 '%u' 'HOMESHARE' '%m' '%a'
>     I tried -according to samba wiki- to map home folders through
> group policy. It worked, but it only maps network drive S: and it
> does NOT set it as user home folder; home folder remains mapped to
> c:\users\username. Should I use samba v3 style? Other way?

You can set various attributes in AD, amongst which is one called
'homeDrive', this is the AD equivalent of 'logon drive' and allows
you to set different drive letters per user.
   
>   
>   b) In /usr/local/bin/RPE4 (which is run every time a user tries to
> use the share) we do a lot of actions, e.g.
>      - creating user home folder, if it does not exist
>      - creating user profile folder, if it does not exist
>      - setting user quota (via setquota command) according to user
> name (we have about 10 different quota groups) (there is a default
> quota, but some user groups have different user quotas)

Probably very similarly to what you are doing now, except that you can
use PAM to create the user's home directory (pam_mkhomedir).

>      
>      What is the best way to do this in samba AD? Note that we use
> the home folders not only for users, which are logged into windows
> (into domain from windows logon screen), we map the home folders via
> "net use.." for not domain users too.
>        
>   c) We use openldap and both linux/unix and windows/samba
> authentication against it (samba has ldap backend configured, linuxes
> use sssd).

You do not use the ldap backend on Unix domain members and you do not
need sssd, Samba can do virtually all that sssd can do. Try reading
this:

https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

You can still use ldap against Samba AD, but there are possibly better
ways of doing things, depending on just what you are trying to
authenticate against AD.

> We use a not very handy mechanism of setting sambaNTpasswd
> and userPassword (crypted, set from HPUX) via ldapmodify. This is not
> a standard and acceptable solution for the future.

You do not use either of those, you just use the AD password.

> How to do it in samba
> AD? We have 1000+ users, all with both samba SIDs and unix user
> attribs and we need to migrate them from openldap to samba AD.

Try reading this:

https://wiki.samba.org/index.php/Migrating_a_Samba_NT4_Domain_to_Samba_AD_(Classic_Upgrade)

I would however recommend changing the IDs (if possible) before the
migration; they will undoubtedly be based on the RIDs, i.e. very low
numbers such as '1000', and these will interfere with the local Unix
users.
 
>   
>   Next questions, eh, challenges, will come soon.

I am sure they will ;-)

Rowland
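
The ID overlap mentioned in the reply above can be checked before the classic upgrade. The following is an added example, not part of the original thread and not Samba code: it compares passwd(5)-format text with an LDIF export of the OpenLDAP users and reports every uidNumber that is already owned by a different local account. The sample data, the function names and the assumption that each entry carries `uid` and `uidNumber` are constructed for illustration.

```python
# Constructed sample data (not from the thread): local passwd file and OpenLDAP export.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
backup:x:1000:1000:local backup account:/home/backup:/bin/bash
"""
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
uidNumber: 1000

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
uidNumber: 20003
"""


def parse_passwd(text):
    """Return {uid: name} from passwd(5)-format text, skipping comment lines."""
    local = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2].isdigit() and line[0] != "#":
            local.setdefault(int(fields[2]), fields[0])
    return local


def parse_ldif_users(text):
    """Return [(uid, uidNumber)] from unfolded, non-base64 LDIF."""
    users = []
    for entry in text.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs.setdefault(key.lower(), value.strip())
        if "uid" in attrs and attrs.get("uidnumber", "").isdigit():
            users.append((attrs["uid"], int(attrs["uidnumber"])))
    return users


def find_collisions(passwd_text, ldif_text):
    """Return (directory user, ID, local account) where one ID has two owners."""
    local = parse_passwd(passwd_text)
    return [(name, num, local[num]) for name, num in parse_ldif_users(ldif_text)
            if num in local and local[num] != name]


if __name__ == "__main__":
    for name, num, owner in find_collisions(SAMPLE_PASSWD, SAMPLE_LDIF):
        print(f"{name}: uidNumber {num} already belongs to local account '{owner}'")
```

A collision means files created by the domain user would be owned, as far as the Unix host is concerned, by the local account with the same number, so each reported ID should be renumbered (and the files re-owned) before migrating.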


