Discussion:
[Samba] Upgrading Samba 3 to Samba 4 with Active Directory at many sites
Luke Barone
2016-05-25 20:28:54 UTC
First, background information. We are a large (geographically local)
organization with 50 sites, including our HQ. Each site has a Debian Server
running Samba in NT-Domain Controller mode. Each site is independent of the
next, but are all named <SITE>.example.com. The workstations are connected,
and working fine in our sites with the single servers.

We had a recent network upgrade that now has every site with a 10.X.Y.Z
address. X is the site code, so each site is in the same 10.0.0.0/8 subnet,
and we can see the networks from each site. Now is the time to setup Active
Directory, right?

My goal is to create a forest, starting at the HQ (HQ.example.com) level,
and working down to each site (SITEA.example.com, SITEB.example.com, etc).
Our goal is to upgrade to Active Directory at each location, so as to not
lose any of the user data (username/passwords, group memberships, etc), and
then merge the AD Domains into a hierarchical forest, with each of the techs
responsible for the domain at their sites. We are hoping that it will also
allow us to have a user's primary DC (I know that term isn't used, but let's
say it's the site's main one) down, but still authenticate to another
trusted domain controller.

Will Samba 4 allow us to do this? If so, is it simply a process of 1)
Upgrade role to Active Directory Domain Controller, 2) Use Active Directory
Sites and Services to link each of the 50 domains together? Or is there
more to it that we need to work on first?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
mathias dufresne
2016-05-30 16:01:59 UTC
Hi Luke,

What you want to do is several AD domains, one per geographical site, with
trust relationship between them?

Two things regarding that:
1° Samba 4 as AD is not yet able to perform trust relationships except for
full, bi-directional and transitive relationships. At least that is how I
understood the changelog from 4.3.0 and the following ones (where I see no
updates regarding trusts since 4.3.0; I could have missed some).
2° Microsoft itself advises not to use trust relationships as they are...
what they are. And of course they advise not to use trust relationships for
purely MS AD domains, as they speak only about MS stuff, not about Samba
stuff.

According to that (and assuming I was right about 1°) I would avoid trust
relationships, just not using them.

So how would I do it?
This means you change the domain SID; I believe you can't re-use one because
you have several domains trusting each other, so several domain SIDs.
A - create an AD domain with Samba 4
B - Import everything from old domain to the new AD domain.
C - check all went well
D - prepare AD sites (one per geographical site)
E - add computers into the new AD domain

Now all machines re-joined to the new domain should be able to use your new
AD.

But what about applications which use the old DNS names SITEA.your.domain.tld or
filesrv.SITEC.your.domain.tld?

I would just recreate them in the AD DNS database, to keep compatibility with
applications whose code you can't change (in companies there are always apps with
hardcoded stuff, so we have something to complain about, perhaps).

Not changing the domain SID (starting from one big domain)
A - create an AD domain with Samba 4 with the old SID and
B - Import everything from the old domain to the new AD domain. Be careful: you
will have to re-inject all user passwords, including computers' passwords
(for clients, so as not to re-join them)
C - check all went well -> changing DNS on some client you have a chance it
works: the computer's registry contains the right SID, rights on files are good
(SID does not change), the machine can log on to the domain (if you have
imported the computer's password well, there's a slight chance it works...)
D - prepare AD sites (one per geographical site)

All that on a new domain, so as not to take risks on the working one...

Hoping this helps, cheers,

mathias
Post by Luke Barone
Just wondering if anyone is able to give some advice with this?
Luke Barone
2016-07-05 22:27:13 UTC
Final question regarding this... Do I just join each "site" Samba server as
a Samba Client to provide file sharing? Or will I need two Samba DCs at
each site (one for authenticating, one for file sharing)? I just want to
try to get it right for when I do my testing.
Regarding speeding up auth using a local DC: that's the whole point of AD Sites.
Have a look at them, declare one or more CIDR network addresses for them, and you
get your sped-up auth stuff.
Cheers
Post by mathias dufresne
So how would I do?
This means you change domain SID, I believe you can't re-use one because
you have several domains trusting each others, so several domain SIDs.
A - create an AD domain with Samba 4
B - Import everything from old domain to the new AD domain.
C - check all went well
D - prepare AD sites (one per geographical site)
E - add computers into the new AD domain
So, with the current versions of Samba, I should not need to create Trust
Relationships, as it's not possible in Samba right now anyways, correct?
Thinking about this a little more, I'm wondering if it's even required,
if we are all going to be on a big LAN in the end anyways... I was hoping
though for fast authentication when users are at a different site, and
speed after logging in can be slower if needed.
I'll be getting some Raspberry Pis to duplicate our current setup, then
put them in the setup we are working towards, and test it out. As for
connecting the AD servers together, is it enough to just "add" the server
to the domain, or will each server be its own entity still, pulling/pushing
updates to a master server at the head office?
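Mathias's step D (one AD site per geographical site) and his remark above about declaring CIDR networks for the sites, as an added example that is not from the thread: it maps Luke's 10.X.Y.Z addressing (X = site code) to one site and one 10.X.0.0/16 subnet each, with the samba-tool commands a DC admin would run after the classic upgrade. The site names, the site-code table and the /16 split are assumptions; DRY_RUN=1 (the default) prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: AD sites/subnets for a 10.X.0.0/8 network where X is the
# site code. Site names and codes below are constructed for the example.
# DRY_RUN=1 prints the samba-tool commands; DRY_RUN=0 executes them on a DC.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 10.X.Y.Z with X = site code -> the site's subnet is 10.X.0.0/16
# (assumed split; returns 1 for anything that is not a valid octet)
site_cidr() {
    code="$1"
    case "$code" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$code" -le 255 ] || return 1
    printf '10.%s.0.0/16\n' "$code"
}

# Create the AD site and attach its subnet so clients in that network
# prefer the DC(s) placed in that site (this is what speeds up local auth).
site_cmds() {
    name="$1"; code="$2"
    cidr=$(site_cidr "$code") || { echo "bad site code: $code" >&2; return 1; }
    run samba-tool sites create "$name"
    run samba-tool sites subnet create "$cidr" "$name"
}

# constructed site table: <site name> <site code>, one per line
SITES='HQ 0
SITEA 1
SITEB 2'

main() {
    printf '%s\n' "$SITES" | while read -r name code; do
        site_cmds "$name" "$code" || exit 1
    done
    # once each site's DC has been joined, confirm replication and the
    # directory database are healthy before moving clients over
    run samba-tool drs showrepl
    run samba-tool dbcheck --cross-ncs
}
main
```

A DC is moved into its site afterwards with `samba-tool sites` or ADUC; the subnet-to-site mapping is what the DC locator uses, so an unmapped client network silently falls back to any DC.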
Data Control Systems - Mike Elkevizth
2016-07-05 23:05:18 UTC
The Samba wiki suggests that you don't use a domain controller for file
serving. My experience says that it can be done, but there are a number of
hacks that need to be used in order to get the desired results. So, if you
have the resources, I would strongly suggest one DC and a separate file
server per site.

Mike E.