[Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbacked PDC and MS Exchange 5.5 still

2011-10-28 Thread Derek Werthmuller
Looking to make some changes to an old but working LAN, that has about 10
samba servers serving printers and network shares and a NT 4 PDC server with
Exchange 5.5 on it.  The samba servers are members of the nt4 domain, XP
systems are members of the nt 4 domain also.  Samba servers are ldapbacked.
We use the ldap component directly to login to the Linux servers.

I'd like to be able to support windows 7 clients as domain members, right
now the clients are all XP.  The plan I'm considering is building a new
domain with the latest version of samba 3.x stable series for my RHEL6
servers, join my new windows clients to that domain and create a trust
relationship to the NT 4 domain.  The existing samba servers can be joined
to the new domain so that only the email server will be in the old domain.
The idea behind the trust relationship is so that entering email for my
users can be just a click and won't have to login again.  We'd want to
keep the ldap backend capability too.

Keeping the exchange is really a stop gap till we can move that function to
the cloud.

Have others done similar upgrades successfully?  Does this sound reasonable?

Is the trust relationship overkill and likely to cause problems? (tell users
to cache the outlook login and be done)

Thanks
Derek

Derek Werthmuller
Director of Technology Innovation and Services
Center for Technology in Government
518.442.3892
www.ctg.albany.edu

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbacked PDC and MS Exchange 5.5 still

2011-10-28 Thread Derek Werthmuller
> I have a client in a similar situation. NT4 PDC w/Exchange 5.5 and Samba
> member servers. Main problem is that they're running an old custom
> Outlook/Exchange workflow app which locks them in until it can be replaced.

Similar situation - though we've been able to replicate it fairly easily in
google apps.

> As you're aware newer than XP cannot join an NT4 domain but can join a
> Samba domain - and they will eventually need some new desktops. So my
> thoughts have been running along the lines of demoting the NT4 PDC and
> having a Samba server take over those duties. Problems are the NT4 PDC is
> not a supported task, and even if a registry hack can accomplish it
> (according to an old post by Minasi it should) but the effect on Exchange
> after this is apparently unknown. Also a test attempt to vampire the PDC
> did not work due to capitalization problems (if the vampire script did a
> lower case conversion this might have been a big start).

I did consider this, though the issue is what do I do with the existing NT4
PDC - I can demote this to BDC but from the samba docs samba PDC and Windows
BDC is not supported.  And I don't think it can demote the PDC to server
role.
I'm also trying to be very careful not to make substantial changes to the
exchange host - I need that working for a short while longer.

Thanks
Derek


-Original Message-
From: Chris Smith [mailto:smb...@chrissmith.org] 
Sent: Friday, October 28, 2011 12:07 PM
To: Derek Werthmuller
Cc: samba@lists.samba.org
Subject: Re: [Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x
ldapbacked PDC and MS Exchange 5.5 still

On Fri, Oct 28, 2011 at 10:34 AM, Derek Werthmuller
dwert...@ctg.albany.edu wrote:
> Looking to make some changes to an old but working LAN, that has about
> 10 samba servers serving printers and network shares and a NT 4 PDC
> server with Exchange 5.5 on it.  The samba servers are members of the
> nt4 domain, XP systems are members of the nt 4 domain also.
>
> I'd like to be able to support windows 7 clients as domain members,
> right now the clients are all XP.
>
> Keeping the exchange is really a stop gap till we can move that
> function to the cloud.
>
> Have others done similar upgrades successfully?  Does this sound
> reasonable?



All services except for PDC, WINS and Exchange have been moved from the NT4
box. Outside email is handled by Google Apps. DNS, NTP, file and print
services, etc. all handled by Linux servers, firewall is OpenBSD/PF. Also to
protect from failure of the old hardware the PDC has been virtualized and
running under VirtualBox where regular snapshots can be taken.

The virtualization of the NT4 PDC also provides an opportunity to experiment
with copies/snapshots so I hope to tackle this a bit more in depth when time
permits. Of course any clues, hints, experience to be shared in this area
are very welcome. I will gladly provide anything I find out that may be
useful.

Chris


Re: [Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x ldapbacked PDC and MS Exchange 5.5 still

2011-10-28 Thread Derek Werthmuller
Thanks for the advice - Good to know not to go down the trust relationship
path.  A separate domain does sound like a good path.  Leave the existing
nt/exchange setup as just an email platform.  Users are likely to need to
login again once we move that email/calendar/contacts function to the cloud
anyway.

Gives a nice clean migration path - here is your new win7 pc and your new
login for it.

Though I've also considered not making the new win7 domain members anyway.
They are all going laptops and staff are somewhat mobile to highly mobile.
When the domain is not available because of poor network link quality or no
network at all laptop performance suffers.  I know this to be the case with
XP, I have no indication that it's any different with Win7.

Thanks
Derek

-Original Message-
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On Behalf Of Gaiseric Vandal
Sent: Friday, October 28, 2011 11:05 AM
To: samba@lists.samba.org
Subject: Re: [Samba] NT4 SP3 PDC with MS Exchange 5.5 to Samba 3.x
ldapbacked PDC and MS Exchange 5.5 still

If you are getting rid of the exchange server it seems a lot of work to do
the trusts thing.  Having outlook remember your password isn't a major
problem.  Except of course then people are pretty likely to have forgotten
their e-mail password if they ever use another PC.


I have found Samba trusts to be fairly painful.  I had a Samba 3.0.x PDC
(LDAP backend) which I tried having a trust with a Windows 2003
domain.  In order for trusts to work, the Samba machine uses Idmap to
create a range of unix uid's and gid's for the trusted Windows users.
With Samba 3.0.x, these idmap entries were created but would stop
working after the cache period expired.  I don't know why.  When I
moved to Samba 3.4.x, the expiration issue went away but then idmap
entries were not automatically.  We didn't have many people in the
Windows 2003 domain so I can manually create idmap entries as needed.

My gut feeling is that any changes you make to support Windows 7 machines
will break compatibility with legacy machines (e.g. NT4) or the domain
trusts - although installing the latest NT4 SP pack (6a?) may help.

Could you migrate the PDC role from your NT server to a samba 3.4.x
or 3.5.x server?  I don't think Exchange 5.5 has to be on the domain
controller.

At my work we have a Samba domain for most of the users and computers.
We also have a separate untrusted Win 2008 domain just to support our
Exchange 2007 server.  It would be nice if we could consolidate to a
single domain (or at least a single Active Directory tree) but for the
moment people have to maintain separate e-mail accounts.

FYI - I had a look at the latest version of Zimbra - it looks like a pretty
nice product for a small business, if you decide not to go with
the hosting route.  I do like Exchange 2007 but it can be a big
challenge to set up and maintain, and you really have to have a
background with Active Directory and Exchange.  Not what I would use
for a really small site.





On 10/28/2011 10:34 AM, Derek Werthmuller wrote:
> Looking to make some changes to an old but working LAN, that has about 10
> samba servers serving printers and network shares and a NT 4 PDC server with
> Exchange 5.5 on it.  The samba servers are members of the nt4 domain, XP
> systems are members of the nt 4 domain also.  Samba servers are ldapbacked.
> We use the ldap component directly to login to the Linux servers.
>
> I'd like to be able to support windows 7 clients as domain members, right
> now the clients are all XP.  The plan I'm considering is building a new
> domain with the latest version of samba 3.x stable series for my RHEL6
> servers, join my new windows clients to that domain and create a trust
> relationship to the NT 4 domain.  The existing samba servers can be joined
> to the new domain so that only the email server will be in the old domain.
> The idea behind the trust relationship is so that entering email for my
> users can be just a click and won't have to login again.  We'd want to
> keep the ldap backend capability too.
>
> Keeping the exchange is really a stop gap till we can move that function to
> the cloud.
>
> Have others done similar upgrades successfully?  Does this sound reasonable?
>
> Is the trust relationship overkill and likely to cause problems? (tell users
> to cache the outlook login and be done)
>
> Thanks
> Derek
>
> Derek Werthmuller
> Director of Technology Innovation and Services
> Center for Technology in Government
> 518.442.3892
> www.ctg.albany.edu










[Samba] gidNumber's and ldap backed samba PDC

2009-03-24 Thread Derek Werthmuller
In the planning process for migrating from NT4 PDC, and external ldap
directory to samba 3.2.8 PDC. The external existing openldap directory is
used currently to support the local uid mapping for the Linux logins and
samba file servers that are members of the current NT4 PDC.

While looking at the existing openldap UIDs and GIDs in use and what the
samba PDC wants to use I see some uid/gid collisions.  For example I see
that the Domain Admins uses gid 512, just so happens to be the same as a
file system group (in the ldap directory).

Is it better to change the users group gid and leave the samba domain admins
and such the way they are? 

I suspect a small shell script can crawl the file system and replace one gid
for another if I were to change the users GID.

Thanks
Derek


RE: [Samba] gidNumber's and ldap backed samba PDC

2009-03-24 Thread Derek Werthmuller
Ok I see it appears that the ldap entries that samba needs in the directory
are under a different O. ou=groups,o=smb,dc=unav,dc=es for example.
dn: cn=Domain Admins,ou=groups,o=smb,dc=unav,dc=es
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins 

Where my user/file system groups would be under traditional ldap entries
like:
dn: cn=usrgrp,ou=Group,dc=ct,dc=unav,dc=es
objectClass: posixGroup
objectClass: top
cn: usrgrp
userPassword:: e2NyexB0fX9g=
gidNumber: 512
creatorsName: cn=Manager, dc=ct,dc=unav,dc=es
createTimestamp: 20021007160601Z
modifiersName: cn=Manager,dc=ct,dc=unav,dc=es
modifyTimestamp: 20081205192619Z

This right?

Thanks
Derek

-Original Message-
From: samba-bounces+dwerthmu=ctg.albany@lists.samba.org
[mailto:samba-bounces+dwerthmu=ctg.albany@lists.samba.org] On Behalf Of
Adam Tauno Williams
Sent: Tuesday, March 24, 2009 1:38 PM
To: 'samba@lists.samba.org'
Subject: Re: [Samba] gidNumber's and ldap backed samba PDC

On Tue, 2009-03-24 at 12:10 -0500, Derek Werthmuller wrote:
> In the planning process for migrating from NT4 PDC, and external ldap
> directory to samba 3.2.8 PDC. The external existing openldap directory
> is used currently to support the local uid mapping for the Linux
> logins and samba file servers that are members of the current NT4 PDC.
> While looking at the existing openldap UIDs and GIDs in use and what
> the samba PDC wants to use I see some uid/gid collisions.  For example
> I see that the Domain Admins uses gid 512, just so happens to be the
> same as a file system group(in the ldap directory).

No, it doesn't.  RID != GID.  A RID is a component of the SID and SIDs are
mapped to UIDs & GIDs.

> Is it better to change the users group gid and leave the samba domain
> admins and such the way they are?

Not necessary.

> I suspect a small shell script can crawl the file system and replace
> one gid for another if I were to change the users GID.


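The gidNumber overlap shown in the LDIF above, and the winbind idmap ranges that Gaiseric describes for trusted-domain users in the earlier thread, are the same class of problem: two sources handing out the same unix id, which silently merges file-system permissions. The script below is an added example (not code from this thread or from the Samba project) that audits both before a migration. Its LDIF entries, smb.conf lines, domain names (NEWDOM, OLDNT4), the DNs under dc=example,dc=org and the SIDs are constructed samples; the `idmap config DOMAIN : range` lines use Samba 3.x winbind syntax. It also lists each Samba group's RID next to its gidNumber, which is the distinction Adam draws: the RID is the last component of the SID, and the gid is whatever the posixGroup entry says.

```python
# Added example (not code from the thread or from Samba); every LDIF entry,
# smb.conf line, domain name and SID below is a constructed sample.
import re
from collections import defaultdict

# Two groups that both own gidNumber 512 (one under o=smb, one under ou=Group),
# plus a user whose uidNumber falls inside the default idmap range configured below.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=groups,o=smb,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Admins
gidNumber: 512
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512

dn: cn=developers,ou=groups,o=smb,dc=example,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: developers
gidNumber: 2000
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1005

dn: cn=usrgrp,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: usrgrp
gidNumber: 512

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uidNumber: 10005
"""

# Samba 3.x winbind per-domain idmap syntax; NEWDOM and OLDNT4 are placeholder names.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = NEWDOM
   idmap config * : backend = tdb
   idmap config * : range = 10000-19999
   idmap config OLDNT4 : backend = rid
   idmap config OLDNT4 : range = 20000-29999
"""

def parse_ldif(text):
    """Minimal LDIF parser -> list of {attr: [values]} (no line folding, no '::' base64)."""
    entries, current = [], None
    for line in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr.strip()].append(value.strip())
    return entries

def find_id_collisions(entries, attr, object_class):
    """{id: [dn, ...]} for every id owned by more than one entry of object_class."""
    owners = defaultdict(list)
    for e in entries:
        if object_class in e.get("objectClass", []) and attr in e:
            owners[int(e[attr][0])].append(e["dn"][0])
    return {i: dns for i, dns in owners.items() if len(dns) > 1}

IDMAP_RANGE_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I)

def parse_idmap_ranges(conf):
    """{domain: (low, high)} from 'idmap config DOMAIN : range = LOW-HIGH' lines."""
    found = (IDMAP_RANGE_RE.match(line) for line in conf.splitlines())
    return {m.group(1): (int(m.group(2)), int(m.group(3))) for m in found if m}

def ranges_overlapping_ids(ranges, ids):
    """{domain: [existing posix ids that sit inside that domain's winbind range]}."""
    hits = {d: sorted(i for i in ids if lo <= i <= hi) for d, (lo, hi) in ranges.items()}
    return {d: v for d, v in hits.items() if v}

def rid_of(sid):
    """The RID is the last sub-authority of a SID; it is not a posix id."""
    return int(sid.rsplit("-", 1)[1])

def audit(ldif_text, smb_conf_text):
    """Run the checks over an LDIF export and an smb.conf and return one report dict."""
    entries = parse_ldif(ldif_text)
    posix_ids = {int(v) for e in entries for a in ("uidNumber", "gidNumber") for v in e.get(a, [])}
    return {
        "gid_collisions": find_id_collisions(entries, "gidNumber", "posixGroup"),
        "idmap_overlaps": ranges_overlapping_ids(parse_idmap_ranges(smb_conf_text), posix_ids),
        # (cn, RID, gidNumber): RID and gid are independent even where they happen to coincide
        "rid_vs_gid": [(e["cn"][0], rid_of(e["sambaSID"][0]), int(e["gidNumber"][0]))
                       for e in entries if "sambaGroupMapping" in e.get("objectClass", [])],
    }

if __name__ == "__main__":
    for key, val in audit(SAMPLE_LDIF, SAMPLE_SMB_CONF).items():
        print(f"{key}: {val}")
```

Run as-is it reports gidNumber 512 owned by both cn=Domain Admins and cn=usrgrp, uid 10005 lying inside the `*` idmap range (so winbind could allocate the same number to a trusted-domain user), and developers as RID 1005 / gid 2000, which makes the 512/512 pair on Domain Admins a coincidence of how the group was populated rather than a mapping rule. Feed it an unfolded LDIF export of your own directory and your smb.conf to get the same report for a real migration.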


[Samba] Is the net rpc vampire at all destructive to a NT4 PDC?

2009-03-24 Thread Derek Werthmuller
Reading through the Samba3 By Example guide and I'm confused with the
statement in section 9.2
http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html#id2594565
about accessing the SAM and Security sections of the registry will render
the PDC non operable.
It's clear from the text if you go and edit the registry (regedit etc.) so
you can read the entries your PDC will not work.

What's not exactly clear is if any of the tools like net rpc vampire or
getsid tools change the operation of the PDC in this way or any other way
for that matter.  The net rpc tools don't access the registry in this
destructive way do they?
Like:
# net rpc vampire -S TRANSGRESSION -U Administrator%not24get > /tmp/vampire.log 2>&1

Is it safe to run the net rpc vampire command on a PDC as many times as you
want in an effort to test the NT4 -> samba PDC?  While keeping the NT4 PDC in
production mode?
With the goal of testing the full operation of the migrated PDC on a separate
network.

Thanks  
Derek