Warning: Constant ABSPATH already defined in /mnt/web/blog.justaguy.ca/wp-config.php on line 21
The Blog of Greg » 2012 » June » 8

samba4 here we come!

Uncategorized No Comments

Recently I’ve gotten to try out samba4 at 2 different clients. Here were the scenarios:

client1: wants to migrate from a Windows 2003 SBS AD to something more open (ie: not windows). I initially thought of just bringing everything into OpenLDAP but samba4 looked like it would be less disruptive while still meeting the goals. This was my first try setting up samba4. In this scenario I just built a samba4 alpha, joined is at a DC to the domain, transferred all the roles to it and then demoted the old windows DC and removed it. Although I did try the bind DLZ and the internal DNS servers, for thgis client the best solution was to consolidate DNS on an existing bind server so I moved the zone there and let the DCs update it.This transition went very well aside from some delays figuring out how AD works exactly. There is one issue in this case however, and that is UID mappings. Because Win2003 did not have any RFC2307 schema attributes there is no where to store these in the active directory. Would have either needed to add  SFU before the migration (too much windows!) or extend/migrate the schema after the fact (will try this one).

client2: wants to migrate from an LDAP backed  Samba 3.x hosted domain to a Windows AD infrastructure. As there is no obvious way I know of to import all the LDAP data into a windows AD, I thought it would be good to just run the builtin upgrade procedure to migrate from samba3 to samba4 (using samba-tool domain   samba3upgrade), then join a windows AD DC to that realm and demote the samba4 server leaving just the desired windows infrastructure. This went fairly well, I just followed the wiki article (http://wiki.samba.org/index.php/Samba4/samba3upgrade/HOWTO) and the only real problem was some accounts that the migration script did not handle so I removed those and eventually it want through. There was one other little problem. If you get:

Failed to modify account record CN=auser,CN=Users,DC=domain,DC=local to
set user attributes: Unsupported critical extension 1.3.6.1.4.1.7165.4.3.20

To fix this I had to patch the source code. The other issue is that UID/GID mappings are not migrated by the upgrade process so I had to write a script to grab them from the old LDAP and update them in the new AD. Because it’s a base 2008 schema the attributes are there but need to be populated.

 

Overall my first experience with samba4 was great!