
Re: [Samba] Migration to samba4 ad and sync to openldap.




On 4/4/19 3:18 PM, Rowland Penny via samba wrote:
On Thu, 4 Apr 2019 14:09:18 -0500
John McMonagle via samba <samba@xxxxxxxxxxxxxxx> wrote:

I managed to do migration using "classicupgrade".
Doing tests with debian buster 2:4.9.4+dfsg-4.
For the moment using samba internal dns and sub-domain of
ad.advocap.org. Had issue forwarding dns if I used main domain.

Please define 'forwarding'. Your DC needs to be authoritative for its
dns domain, so all that it should forward is anything outside its own
dns domain.
For this test the samba4 ad controller is ad.advocap.org.
Everything else is advocap.org.
Put this in smb.conf pointing to one of our internal dns controllers.
dns forwarder = 192.168.2.1

I assume if I have bind use samba I can have bind push out the samba created records to the other dns servers.

At that point all the dns servers have the same information and they are all authoritative for the domain.

As this is just a testing phase I don't want to tamper with my other dns servers. At the moment mostly concerned with the ldap and kerberos parts and how to get that working with the linux parts.

In the end all the internal dns may be on samba4 ad directory boxes but that will take a long time.


It did not migrate a lot of attributes that are in active directory.
The most important one to us is "mail"
Others by ldap account manager names:
User name
First Name
Last Name
I'm sure there are others.

The upgrade only migrates the attributes really required by AD, you
will have to script any others you require.
Does the domain administrator account give me access to everything in
ldap?

Yes

LAM sort of works.
I'm using the domain administrator account to authenticate.
Is that correct?

You can also use users that are members of 'Administrators', 'Domain
Admins' or any other group you have delegated privileges to.


The LAM site gives very little info on setup.

You need 'Windows (windowsUser)(*)' & 'Unix (posixAccount)' for users,
'Windows (windowsGroup)(*)' & 'Unix (windowsPosixGroup)' for groups

on the Accounts type tab you need:

#sAMAccountName;#givenName;#sn;#uidNumber;#gidNumber for users

#cn;#gidNumber;#member;#description for groups

Rowland



--
John McMonagle
IT Manager
Advocap Inc.
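
One way to script the attributes that classicupgrade leaves behind, as an added example that is not code from this thread or from the Samba project: it reads an LDIF export of the old OpenLDAP accounts and writes a modify LDIF for the matching AD accounts. The function names, the sample data and the sAMAccountName-to-DN map (assumed to have been collected from the new DC beforehand) are hypothetical.

```python
import base64

COPY_ATTRS = ("mail", "givenName", "sn")  # attributes named in the thread

def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attr: [values]} dicts."""
    entries = []
    for block in text.replace("\r\n", "\n").replace("\n ", "").split("\n\n"):  # unfold
        entry = {}
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if sep and not line.startswith("#"):
                value = rest.strip()
                if rest.startswith(":"):  # "attr:: ..." carries base64
                    value = base64.b64decode(rest[1:].strip()).decode("utf-8")
                entry.setdefault(attr.lower(), []).append(value)
        if entry:
            entries.append(entry)
    return entries

def ldif_line(attr, value):
    """Format one LDIF line, base64-encoding values that are not a SAFE-STRING."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in ("", " ", ":", "<") and not value.endswith(" "))
    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}: {value}" if safe else f"{attr}:: {b64}"

def build_modify_ldif(openldap_ldif, ad_dn_by_account):
    """Return (modify LDIF, uids that have no AD account)."""
    records, missing = [], []
    for entry in (e for e in parse_ldif(openldap_ldif) if e.get("uid")):
        uid = entry["uid"][0]
        dn = ad_dn_by_account.get(uid.lower())
        if dn is None:
            missing.append(uid)
            continue
        rec = [ldif_line("dn", dn), "changetype: modify"]
        for attr in COPY_ATTRS:
            values = entry.get(attr.lower()) or [""]
            if values[0]:  # single-valued in AD, so copy only the first value
                rec += [f"replace: {attr}", ldif_line(attr, values[0]), "-"]
        if len(rec) > 2:
            records.append("\n".join(rec))
    return "\n\n".join(records) + "\n", missing

# Constructed sample data: OpenLDAP export and sAMAccountName -> DN map from the DC.
SAMPLE_AD_DNS = {"jdoe": "CN=jdoe,CN=Users,DC=ad,DC=example,DC=org"}
SAMPLE_OPENLDAP = ("dn: uid=jdoe,ou=people,dc=example,dc=org\nuid: jdoe\n"
                   "givenName: John\nsn:: RMO2ZQ==\nmail: jdoe@example.org\n\n"
                   "dn: uid=olduser,ou=people,dc=example,dc=org\nuid: olduser\n")
```

Calling build_modify_ldif(SAMPLE_OPENLDAP, SAMPLE_AD_DNS) returns the modify LDIF for jdoe and reports olduser as having no AD account. Review the LDIF before applying it with an LDIF tool such as ldbmodify or ldapmodify.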

