Re: [Samba] Questions regarding upgrading existing PDC to Active Directory
- Date: Wed, 2 Jan 2019 21:32:01 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Questions regarding upgrading existing PDC to Active Directory
On Wed, 2 Jan 2019 19:44:56 +0000
Bruce Vrieling via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Hi all,
> I have an existing CentOS server at my school running Samba 4.8.8 as
> a PDC and using the Tranquil RPM’s (so they support AD). Samba has
> worked great for me for more than a decade with the users stored now
> in tdbsam (have not used LDAP, hope not to). This summer I want up
> upgrade the domain to an AD, and have some questions I was hoping
> someone could answer:
If you are going to use Samba AD, you ARE going to use ldap ;-)
Are you absolutely wedded to Centos, there will never be OS Samba AD
packages, can I suggest Debian instead, you will get better support for
> 1. TWO SERVERS: At the moment I have a single server (called
> Bigfoot) which acts as the PDC, file server, print server, pretty
> much everything. Given that in an AD world a DC should not also be a
> fileserver (we use Unix ACL’s exclusively, not Windows ACL’s), I plan
> to create a new server to be the DC (called Heimdall)
Why call it Heimdall ? this will just be confusing, why to use
something like 'DC1'
> and then
> Bigfoot will just be a domain member “file and email server” (I
> assume many single-server PDC setups take a route something like this
> when upgrading to AD).
One DC and a fileserver is a good idea, but two DC's and a fileserver
is better ;-)
>In order to kick this off, I plan to a)
> transplant my existing Samba PDC setup on Bigfoot to Heimdall, b)
> classicupgrade it to AD to be the new DC; and then c) create a new,
> virgin Samba config on Bigfoot before joining Bigfoot to the AD
> domain as a member server. There are a lot of specifics I am missing,
> but does this approach generally sound right?
It sounds okay so far.
>2. NSSWITCH.CONF: Our
> users will continue to need to scp and ssh into Bigfoot. In order to
> allow AD domain users to authenticate to Bigfoot as unix users, do I
> just have to play with /etc/nsswitch.conf (assuming a valid winbind
Provided the correct packages are installed and AD is configured
correctly, then yes.
> Some sources say I also have to play with files
> in /etc/pam.d. Do I?
>3. EXISTING UNIX INFORMATION: I understand that
> the DC on Heimdall will now contain all my Windows authentication
> information, and that if add RFC2307 extensions to the directory,
> will also be able to store unix UID and GID information.
>Question: I have 500 existing users. Should I be stuffing their existing UID and
> GID information into the AD before I let them log into Bigfoot?
If you run the classicupgrade, this will be done for you, but more
> Or when someone ssh’s into Bigfoot, and winbind sees that user already
> exists locally, would it stuff this information itself automatically
> if it doesn’t exist yet?
They will not be able to login unless the exist in AD.
>4. VALID UID’s: My existing unix uid’s on
> bigfoot start at 500 (that is how CentOS started numbering them many
> years ago). Is that a problem?
Could be, when you had users in /etc/passwd and Samba, this was
acceptable, but now all your users will be in AD, it isn't really a
> I thought I saw somewhere that starting at 1000 is the new normal.
For normal Unix users it is.
>5. NEW USERS AND /ETC/PASSWD: Suppose I create a totally new user
>in the AD. Then they connect/authenticate to bigfoot for the first time. Do they get
> entries in /etc/passwd and others? If I am understanding the purpose
> of a directory properly, I am thinking *not*.
Correct, your users & groups will never be in /etc/passwd or /etc/group.
>So, when do their uid and gid get stuffed into the AD? Will this happen automagically or do
> I have to do this manually?
When you add them.
> 6. EXTENT OF NSSWITCH.CONF: Suppose I create a totally new Windows
> user in AD on my DC, they have not yet logged into Bigfoot, and an
> email arrives at Bigfoot addressed to them. Does the nsswitch.conf
> magic also ensure that sendmail/procmail/dovecot will realize that
> this email is for a real user and accept it?
Should do, as long as 'getent passwd username' shows them as users. I
would however suggest you consider using something like Kopana, this
will store the mailserver info in AD.
> I do plan to model this all in VM’s before I actually do this in
> production, but I am trying to understand the process as much as
> possible before I begin.
It might be a good idea to read the Samba wiki:
Running a PDC is nothing like running an AD DC, in some ways it is
easier, but others, it is harder, but only because it does more ;-)
To unsubscribe from this list go to the following URL and read the