Re: [Samba] Migration to samba4 ad and sync to openldap.
- Date: Tue, 19 Mar 2019 15:41:43 -0500
- From: John McMonagle via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Migration to samba4 ad and sync to openldap.
On 3/19/19 2:52 PM, Rowland Penny via samba wrote:
On Tue, 19 Mar 2019 14:04:27 -0500
John McMonagle <johnm@xxxxxxxxxxx> wrote:
I'm open to alternatives but need to be up and running 24/7 on the
My boss hates windows more than I do and will likely be looking for a
new job if I use windows to administer the linux side.
We only use windows if there is no other way to do something.
On 3/19/19 12:08 PM, Rowland Penny via samba wrote:
On Tue, 19 Mar 2019 11:03:12 -0500
John McMonagle via samba <samba@xxxxxxxxxxxxxxx> wrote:
We are currently running samba3 nt4 domain controllers using
smb-ldap-tools. We want to convert to samba4 ad so we can run new
versions of windows server.
Why do you need a newer Windows version ?
Running server 2008 and support is ending soon.
You state you have no Windows workstations.
But you are correct, you need to upgrade, Samba3 is dead, but has
later versions, smbldap-tools is totally dead, there doesn't seem
to be a source website anymore, it just needs a Perl upgrade that
breaks it and you are lost.
I know of:
But that would break us by moving all ldap to the ad ldap.
We have lots of stuff in ldap.
So what, most if not all of that could be moved to AD, though you
may have to use later versions of your software or migrate to other,
possibly better software.
At the moment the main thing I can think of is the mail server uses
it for mailing lists and all authentication and authorization.
What is your mail server ?
Debian, cyrus imap postfix, amavis, clamav, sogo ...
All it takes is one crucial thing that ad will not do and it's
eliminated as the only source of data.
Currently administer using ldap account manager.
We are in 5 cities and about 95% linux.
Looks like a probable good use of 'sites'
What is sites?
Try reading this:
Basically boils down to having a DC (at least) at each site and
configuring AD to be in its own 'site' in AD.
That takes care of part of the problem.
Have 7 openldap servers controlling everything.
Have just 3 nt4 domain controllers and only 3 windows servers on
the domain. We have no windows workstations on the domain.
As I said above, why do you need the Windows servers, what do they
Accounting, anything that can not be done in linux.
Is this a proprietary accounting package ?
It's a non-profit charitable organization and we need a very flexible
Besides the irs, everyone that gives us money wants to define how we do
All services are provided by linux.
All workstations are linux ltsp and all windows is done via rdp.
Getting rid of the openldap is too painful to contemplate.
Even if I was willing to move all the authentication and
authorization stuff to ad would still need openldap.
Why, what do you use openldap for ?
Pretty much all authorization and authentication, groups, mailing
lists for hundreds of computers at 5 locations.
What you could do is, run the openldap servers as Unix domain members
and sync user names and password from AD, probably the easiest way
would be to investigate the Univention server:
I'll check it out.