Old 03-02-2010, 07:08 AM   #1
zokken
ssh + Samba + AD = ?


We have a large website that we're migrating to a new machine. The current server uses Samba with the 'Server' security mode (deprecated), and it's also an NIS client for ssh/sftp logins.

The new server is Redhat EL 5.4 with Samba 3.0.33. We're planning to get rid of the NIS server and authenticate ssh/sftp logins against AD. From what I've read, this can be done with Samba, using the 'ADS' security mode, and Kerberos. Since Samba's 'Server' security mode is deprecated, it makes sense to switch to ADS anyway.

Here's the challenge. We have a very large number of files/directories uploaded by users that are owned by local accounts/groups. When we switch to Samba with ADS and join the new server to our AD domain, we'll need to get rid of all local accounts. This means that all of the current user/group ownerships will no longer be valid.

One possible solution is to write a script to grab the current user/group ownerships and then modify them on the new server. There are a lot of potential 'gotchas' though, and we have very little time to do this (this sprang up suddenly). Is there a way to have local accounts, set up ssh/sftp to authenticate logins against AD, yet use local account/group permissions?

If not, any other suggestions?
 
Old 03-03-2010, 03:33 AM   #2
leslieviljoen
I would write scripts and try and get another machine with which to do trial runs, i.e. duplicate the relevant portion of the hard drive on that other machine and run the scripts on there.

Then I could iron out the gotchas before doing the final run.

In any event if you do this kind of thing too quickly you end up taking more time in the long run as you rebuild huge disasters by hand.
 
Old 03-03-2010, 06:50 AM   #3
beadyallen
I agree that you'd be better off thoroughly testing some scripts to do the migration. However, there's no reason why you can't (AFAIK) just have ssh/sftp authenticating against the AD. Just set up PAM to use Kerberos, and point it to the AD server. You may well have to do a bit of messing around with usernames, but it should work (famous last words). Of course, since you'd be using two different sets of passwords (samba and AD), they could get out of sync, but as a temporary measure it might be good enough until you properly convert to AD throughout.

Good luck.

Out of interest, why the rush? This sort of thing really does require thorough testing before 'going live'.
 
Old 03-04-2010, 10:46 AM   #4
zokken
Thanks for the replies.

Quote:
Originally Posted by beadyallen:
"Out of interest, why the rush? This sort of thing really does require thorough testing before 'going live'."
I know! Unfortunately, planning and testing don't seem to interest 'higher ups'.
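
The ownership-remapping script discussed in posts #1 to #3, sketched here as an added example that is not from any poster in the thread: it snapshots ownership in one pass, reports IDs that have no mapping, flags setuid/setgid files for manual review, and defaults to a dry run so it can be checked on a trial copy first. The function names and the 501 to 10001 mapping are assumptions made for illustration.

```python
import os
import stat

def plan_chown(root, uid_map, gid_map):
    """Snapshot ownership under root and return (plan, unmapped).

    plan: (path, new_uid, new_gid, st_mode) per entry; -1 means "leave as is".
    unmapped: IDs found on disk that have no entry in the maps.
    """
    paths = [root]
    # followlinks=False: never descend through a symlink out of the tree.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    plan, unmapped = [], set()
    for path in paths:
        st = os.lstat(path)  # lstat: describe the link itself, not its target
        uid = uid_map.get(st.st_uid, -1)
        gid = gid_map.get(st.st_gid, -1)
        if uid == -1:
            unmapped.add(("uid", st.st_uid))
        if gid == -1:
            unmapped.add(("gid", st.st_gid))
        if uid != -1 or gid != -1:
            plan.append((path, uid, gid, st.st_mode))
    return plan, sorted(unmapped)

def review_setid(plan):
    """Regular files carrying setuid/setgid: check these by hand, since a
    change of owner changes whose privileges the bit grants."""
    bits = stat.S_ISUID | stat.S_ISGID
    return [p for p, _, _, mode in plan if stat.S_ISREG(mode) and mode & bits]

def apply_plan(plan, dry_run=True):
    """Return the list of operations; perform them only if dry_run is False."""
    done = []
    for path, uid, gid, _ in plan:
        done.append(f"lchown {uid}:{gid} {path}")
        if not dry_run:
            os.lchown(path, uid, gid)  # never follows symlinks
    return done

if __name__ == "__main__":
    # Constructed mapping: local UID/GID 501 -> hypothetical AD-derived 10001.
    plan, unmapped = plan_chown(".", {501: 10001}, {501: 10001})
    print("\n".join(apply_plan(plan)), unmapped, review_setid(plan), sep="\n")
```

Because the whole plan is computed from one snapshot before anything is changed, an ID that appears both as an old and as a new value is not remapped twice.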
 
  

