Windows to Samba migration

I’m wanting to replace a Windows Server 2003 with OpenSuSE and Samba. The Windows server is doing two things: providing client authentication via Active Directory, and hosting one network share. I want to migrate the Domain to Samba keeping all the current users and current Domain so no changes need to be made on the workstations. Then I want to retire the Windows server so that the OpenSuSE box (VM) is running everything and the users never see anything different. We’re only talking less than 20 users.

So, first question: can it be done?

Second question is how? I’m finding docs on making Samba a new PDC, but not for migrating an existing Domain. I’m new to Samba and I’m finding the docs to be less than helpful. I have used Yast and set up Samba as best as I know how, and I did find the Samba machine show up in the Computers list when I use the Active Directory Users and Computers tool on the 2003 server. However, it does not show up under the Domain Controllers list.

I’m looking for help or pointers to docs on how to accomplish this, preferably OpenSuSE / Yast specific: how to set up Samba, Kerberos, and any other bits that are part of the puzzle.

I was working through this: https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory

But when I got to the step: kinit administrator

I get the following error: Preauthentication failed while getting initial credentials

Which did not help me in any way other than to tell me that something’s wrong with my Kerberos.

-Farren

Hello,

AFAIK it is not possible in OpenSuse to install Samba as an Active Directory server.
The problem is that Samba in OpenSuse works with MIT Kerberos, while Samba from the Samba site uses Heimdal Kerberos.
The consequence is that OpenSuse delivers Samba without the capability to be an Active Directory server, and the samba_tool package is not present :(
See
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller
https://doc.opensuse.org/documentation/leap/reference/html/book.opensuse.reference/cha.samba.html
and
https://forums.opensuse.org/showthread.php/514259-Configuring-Samba-4-as-Active-Directory-Domain-Controller

As far as I understand, you can only set up the Samba server as a member of a Windows AD in standard OpenSuse.
Recompiling Samba with MIT Kerberos does not seem to work (see the Samba site):
https://wiki.samba.org/index.php/MIT_Build

Regards
Philippe

Well, perhaps it’s not very polite to ask this in the OpenSuSE forum, but what’s the best distro to run Samba on that’ll give me all the tools I need to migrate my AD and run just Samba as the AD server?

I tried the Turnkey Linux Domain Controller VM/distro, and got nowhere. It seemed to me to be broken. (https://www.turnkeylinux.org/domain-controller)

-Farren

Hello,

Good question; see this reference (Arch Linux):
https://wiki.archlinux.org/index.php/Samba/Active_Directory_domain_controller
Take into account some other problems:

  • BIND must be installed on the same machine as the Samba AD domain controller (DC).
  • BIND must not run in a changed root environment (jail).
  • Zones are stored and replicated within the directory.
  • For BIND you must use a specific version: BIND9_DLZ.

The setting of the ntpd is also important.
If you have Windows 10 clients, these will likely bring more problems.

See also, for the use of MIT Kerberos:
https://sambaxp.org/archive_data/SambaXP2016-SLIDES/thu/track2/sambaxp2016-thu-track2-Alexander_Bokovoy-Andreas_Schneider-SambaAndFreeIPAAnUpdateOnActiveDirectoryIntegration.pdf

I never tried these settings.
Many references that I found just add a Samba AD controller to an existing primary (Windows) AD controller, and this is not always well reported.
So good luck

Philippe
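The points raised in this thread (the realm kinit is asked to use, clock sync with the DC, and BIND not running chrooted when the BIND9_DLZ back end is used) can be checked before retrying the join. The following is an added shell example, not something posted in the thread or shipped by openSUSE or the Samba project; the realm EXAMPLE.COM, the DC_EPOCH variable and the sample file contents are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for a box about to be joined to an existing AD domain as a
# Samba DC. Added example, not from the thread, openSUSE or the Samba project.
# Every check takes its input file as an argument so it can be run on copies.

# The realm in krb5.conf must be the AD DNS domain in UPPER CASE; a wrong or
# lower-case realm makes kinit fail before the password is even looked at.
check_krb5_realm() {        # $1 = krb5.conf path, $2 = expected realm
    [ -r "$1" ] || { echo "$1: not readable"; return 1; }
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$realm" ] || { echo "$1: no default_realm set"; return 1; }
    [ "$realm" = "$2" ] || { echo "$1: default_realm is '$realm', expected '$2'"; return 1; }
    case "$realm" in
        *[a-z]*) echo "$1: realm '$realm' must be upper case"; return 1 ;;
    esac
}

# MIT and Heimdal KDCs reject requests when the clock skew exceeds 300 s,
# which is why ntpd matters. Compare two epoch timestamps (local vs DC).
check_clock_skew() {        # $1 = local epoch seconds, $2 = DC epoch seconds
    skew=$(( $1 - $2 ))
    [ "$skew" -lt 0 ] && skew=$(( 0 - skew ))
    [ "$skew" -le 300 ]
}

# BIND9_DLZ loads Samba's DLZ module into named on the same host, so named
# cannot live in a chroot. openSUSE turns the chroot on in /etc/sysconfig/named.
check_named_not_chrooted() { # $1 = /etc/sysconfig/named path
    [ -r "$1" ] || { echo "$1: not readable"; return 1; }
    if grep -Eq '^[[:space:]]*NAMED_RUN_CHROOTED="?yes"?' "$1"; then
        echo "$1: NAMED_RUN_CHROOTED=yes, BIND9_DLZ will not work"; return 1
    fi
}

# When run directly, check the live system. REALM is an assumed placeholder;
# DC_EPOCH is the DC's clock as epoch seconds (e.g. from `net time -S <dc>`
# converted with date), defaulting to the local clock when not supplied.
REALM=${REALM:-EXAMPLE.COM}
for check in "check_krb5_realm /etc/krb5.conf $REALM" \
             "check_named_not_chrooted /etc/sysconfig/named" \
             "check_clock_skew $(date +%s) ${DC_EPOCH:-$(date +%s)}"; do
    if $check; then echo "ok:   $check"; else echo "FAIL: $check"; fi
done
```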

It’s actually possible to compile Samba with AD support on SUSE; interested by this thread, I did it using Samba 4.6.1.

It needed a few alterations to the default spec file, allowing bundling of tdb and heimdal (heimdal to get ad support and tdb because the system version was too old and I didn’t want to replace it with my own).

I can put it up on the OBS (openSUSE Build Service) so you can try it out on a fresh box, but I must remind you that I haven’t been able to test it in live production yet, and as such it should only be used in a lab test setup.