On 30/07/13 04:27 PM, Mike wrote:
My network currently has the following server running Samba 3 as a
standalone server to 50 client boxes: Linux a1 2.6.35.7 #3 SMP Samba
Version 3.5.6. Currently, no true NT Domain Controller, in Windows speak -
it's a Workgroup only.
I have another server that I want to configure to use Samba 4 as an Active
Directory Domain Controller and file server: Linux a10 3.7.10-gentoo-r1 #1
SMP Samba Version 4.0.4.
I only have one subnet and cannot disrupt the users, but have read the
following concerns on the Samba wiki: Make sure you thoroughly test your
conversion and how your clients react before you activate your new server
in your production environment! Once a Windows client finds and connects to
the new server, it is not possible to go back!
Also, it is necessary to do testing on a separate network so that the old
and new domain controllers don't clash. The issues with having both domains
'live' at the same time are:
- The databases are not synchronised after the initial migration
- Even if no changes are made to the DB, clients which see an AD DC will no
  longer honour NT4 system policies
- The new Samba4 PDC and the old DC will both claim to hold the #1b name as
  the netbios domain master
The paths to certain files and directories for your Samba3 installation are
often distribution specific (for example, /var/lib/samba vs. /etc/samba).
Please be sure to verify and if necessary, modify paths used in examples
appropriately.
- - - - - -
Has anyone dealt with only having one subnet upon which to configure and
test a new Samba 4 server in the presence of a currently active Samba 3
server?
I was thinking maybe the simplest way would be to make an iptables firewall
on the Samba 4 server -- allowing connections from only one particular
address on the subnet and use that one address for a client box to test on.
Possible iptables rule (allowing one client address, blocking all others on
subnet):
iptables -t filter -A INPUT -i eth0 -s 192.168.1.200 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i eth0 ! -s 192.168.1.200 -j DROP
Would this be adequate to separate the Samba 4 server from others on the
LAN?

You're way overthinking this. Just give the new server an IP address
that is on a different subnet. e.g. if your current server is
192.168.1.10/24, give your new server 192.168.2.10/24.
Secondly, since you don't have an NT domain, the differences between it
and AD are not relevant. What you will find is the difference between a
workgroup and a domain. This involves the logins and roaming profiles.
What really doesn't change much are the file shares, although you can
now simplify them by setting sharing according to domain group rather
than individual ids.
An even simpler way is to simply NOT use a separate subdomain. Set up
the new server as the domain controller for the group. Leave the files &
printers on the old server. Once all the clients have been switched from
the workgroup to the domain, move the files and printers over to the new
server, shut down the old one, then create an alias for the old server
on the new one. This way, there are no more changes required on the
clients. If a problem is identified, you can simply remove the alias and
bring the old server back.
Of course, you can convert the individual workstations to use the new
server name at your leisure so that you can eventually remove the alias.
However this is not necessary. In fact, if you later replace the new
server, the replacement can assume the old name so that the alias isn't
needed any more.
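
Added example, not part of either poster's message: the two rules in the question filter only the INPUT chain, so traffic the new server itself sends, including NetBIOS broadcasts, still reaches the LAN. The sketch below emits an `iptables-restore` ruleset that restricts both directions to the one test client; `eth0` and `192.168.1.200` are taken from the question, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. eth0 and 192.168.1.200 are the values
# used in the question; the function names are hypothetical.

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Prints an iptables-restore ruleset that lets the server talk to one client
# only, in both directions. Returns 1 and prints nothing on bad arguments.
isolation_rules() {
    iface=$1
    client=$2
    case "$iface" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    valid_ipv4 "$client" || return 1
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $iface -s $client -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $iface -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $iface -d $client -j ACCEPT
-A OUTPUT -o $iface -j DROP
COMMIT
EOF
}

# Print the ruleset for review. To check it without loading it (as root):
#   isolation_rules eth0 192.168.1.200 | iptables-restore --test
# Loading it without --test replaces the whole filter table.
isolation_rules eth0 192.168.1.200
```

With these rules loaded the server is reachable only from the test client and the local console, so administer it from one of those.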