Re: [Samba] External Authentication

Hi there

On 12/04/2019 at 09:57, Marco Gaiarin via samba wrote:
Greetings! Vex Mage via samba
   On that day it was said...

I've spun up a Samba4 server and set it up as an active directory domain
controller and I can definitely see that this is a very robust system and
is working well however; I don't see a management solution to
synchronization between the campus LDAP server and Samba4 AD/DC.
You can sync users simply by wrapping some 'ldapsearch' on the 'old' LDAP server
and some 'samba-tool user create' on the AD.
I've set up some scripts, but they are probably so tightly tied to my setup as to
be of little or no help generally.

To sync passwords, you can instead wrap the 'check password script' in the old
Samba with 'samba-tool user syncpassword' in the new Samba/AD; look at:

	https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP

Supposing a frequent password change (3 months?), you can wait a bit to
have the passwords in sync, and then use both domains in 'parallel'.

I agree with Marco; I'm actually working on migrating a samba3 domain to a samba4 domain (with a different name).
A POC environment is set up in a separate network.
I populated Samba4/AD from samba3 with this very useful tool:

https://lsc-project.org/documentation/tutorial/openldaptoactivedirectory

Keep in mind you will have to map attributes from one to another, and don't forget to synchronize uid/gid as unix attributes in Samba4, so that your migrated users can still have access to their samba shares or whatever you had in your old samba3 domain.

And keep passwords synchronized between the two domains with this (it works as a trigger: once a password is updated on the samba4 server, it keeps it synchronized to your old LDAP server):

https://dev.tranquil.it/wiki/SAMBA_-_Synchronisation_des_mots_de_passe_entre_un_Samba4_et_une_OpenLDAP


But there's a trick: you'll have to modify the script to update both the userpassword AND sambantpassword fields (the script only updates userpassword), so you can access your former samba resources.

@Rowland :

|See the answer above, plus there is a very big hole in your proposed
|set up, if your clients see the AD DC, they will not contact the NT4
|PDC again.

I've seen some setups where a company had a (real) AD domain and a samba3 domain working together on the same subnets, with Win7 or Win10 workstations that could join one or the other domain without trouble.
What you mean is, if the samba4 domain has the same name as the samba3 domain, workstations won't be able to see the old one anymore once joined to the new one?
Or does it mean that, whatever the name of the new samba4 domain is, if a workstation joins it, it won't be able to join the old domain anymore? (never tried it)

As my POC seems to work well, I intend to install it in production soon.
Is it recommended to set the new samba4 domain in production up on a different subnet or not?

Julien
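Marco's user-sync approach above (wrap 'ldapsearch' on the old server and 'samba-tool user create' on the AD) together with Julien's reminder to carry uid/gid over as unix attributes, as an added Python example that is neither the thread's own scripts nor Samba code: it parses a constructed ldapsearch export and builds the create commands, keeping the old password hashes off the command line (they are carried over by the password hook instead). The samba-tool option names (--random-password, --uid-number, --gid-number, --unix-home, --login-shell) are assumptions; check them against your samba-tool version.

```python
import shlex
# Constructed sample of 'ldapsearch -x -LLL ... (objectClass=posixAccount)' output; fake hashes.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
uidNumber: 10001
gidNumber: 5000
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword: {SSHA}PLACEHOLDERPLACEHOLDER
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF

dn: uid=bob,ou=People,dc=example,dc=org
uid: bob
uidNumber: 10002
gidNumber: 5000
homeDirectory: /home/bob
loginShell: /bin/sh
description: account migr
 ated from samba3
"""
# Never let these reach a command line: argv shows up in 'ps' and shell history.
SECRET_ATTRS = {"userPassword", "sambaNTPassword", "sambaLMPassword"}

def parse_ldif(text):
    """One {attr: [values]} dict per entry; folded lines (leading space) are rejoined."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and last:
            cur[last][-1] += raw[1:]
        elif raw == "":
            if cur:
                entries.append(cur)
            cur, last = {}, None
        else:
            last, _, val = raw.partition(":")
            cur.setdefault(last, []).append(val.lstrip(" "))
    return entries

def samba_tool_create(entry):
    """argv for one user; the RFC2307 flags (names assumed) carry uid/gid/home/shell over."""
    g = lambda a: entry[a][0]
    argv = ["samba-tool", "user", "create", g("uid"), "--random-password",
            "--uid-number=" + g("uidNumber"), "--gid-number=" + g("gidNumber"),
            "--unix-home=" + g("homeDirectory"), "--login-shell=" + g("loginShell")]
    # Hashes stay out of argv; the real password arrives later through the password hook.
    assert not any(v in argv for a in SECRET_ATTRS for v in entry.get(a, []))
    return argv

def migration_commands(ldif_text):
    return [shlex.join(samba_tool_create(e)) for e in parse_ldif(ldif_text)]
```

Feed it the real export from the old server and review the generated commands before running them on the DC.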


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba