NT users integration
Anders Östling
anders.ostling at neurope.ikea.com
Wed Jun 9 07:56:47 GMT 1999
Ok, quite a few of you people on the list were interested in how I integrated my NT user database into Linux, so here is a summary of the steps, and the script that did the final conversion.
1. I obtained an eval version of XLNT from www.advsyscon.com. Using the DCL emulator on NT, I wrote a small script that extracted two fields from the NT SAM into a comma-separated textfile. The two items were USERNAME and REAL NAME. I am sorry, but I can't find this script right now :-(, but some reading of the docs should give enough hints. Maybe someone else on the list can re-create the needed script.
2. I ftp'd the textfile to Linux and executed the following script:
#!/bin/bash
# Called whenever a step fails. Exit non-zero so a caller notices.
scram ()
{
    echo We did ALMOST make it
    echo Pls check /etc/passwd aliases and group
    echo I recommend to restore the files again
    exit 1
}
# ALLUSERS.TXT is the file created on NT using XLNT's scripting language
# It contains all user accounts AND the user's real names (2 columns),
# one USERNAME:REALNAME record per line.
UFILE=/home/ftp/pub/ALLUSERS.TXT
if [ ! -f "$UFILE" ]; then
    echo User database $UFILE missing
    exit 1
fi
# Save the user database files before starting. If something goes wrong, restore them before restarting
for db in passwd aliases group
do
    cp /etc/$db /etc/$db.orig.$$ || scram
done
#
# Add all NT users from the NT domain to the local passwd file and
# send them a welcome message
#
while read record
do
    username=`echo "$record" | awk -F":" '{print $1}'`
    fullname=`echo "$record" | awk -F":" '{print $2}'`
    # Skip empty or malformed records instead of handing them to adduser
    [ -n "$username" ] || continue
    # stdin is redirected so adduser can never eat the rest of $UFILE
    adduser "$username" < /dev/null || scram
    rm -f /var/spool/mail/$username
    mail -s "Hello $fullname" $username << EOF
This is an automatic message from FOO. Welcome as a mail user
in the neurope domain.
Your admin
EOF
done < $UFILE
# Replace the "empty pwd" marker with an asterisk (only in the password field)
echo Cleaning up password fields
sed -e 's/^\([^:]*\):!!:/\1:*:/' < /etc/passwd > /etc/passwd.new || scram
mv -f /etc/passwd.new /etc/passwd || scram
# Create sendmail aliases for all users so they can
# use their "NT Full names" as mail accounts. Make
# sure that local characters are mapped to 7 bits.
# If this looks funny with your char set, I am replacing swedish
# characters in names with non-umlaut ones.
TEMPFILE=/tmp/ntnames.$$
>$TEMPFILE
echo Building temporary alias file
while read RECORD
do
    xUSER=`echo "$RECORD" | awk -F":" '{print $1}'`
    aNAME=`echo "$RECORD" | awk -F":" '{print $2}'`
    # All six substitutions in one sed pass
    gNAME=`echo "$aNAME" | sed -e 's/Ö/O/g' -e 's/Å/A/g' -e 's/Ä/A/g' \
                               -e 's/ö/o/g' -e 's/å/a/g' -e 's/ä/a/g'`
    FNAME=`echo "$gNAME" | awk '{print $1}'`
    LNAME=`echo "$gNAME" | awk '{print $2}'`
    echo User $xUSER named $FNAME.$LNAME at neurope.ikea.com
    echo "$FNAME.$LNAME: $xUSER" >> $TEMPFILE
done < $UFILE
# Create a new /etc/aliases for SENDMAIL
echo Merging new and old aliases
cat $TEMPFILE >> /etc/aliases
echo Creating alias database
/usr/bin/newaliases || scram
# Since we have so many users, they have been grouped in
# /home/a/axxx, /home/b/byyy etc. This means we have to
# edit the /etc/passwd to accommodate for this.
# Every record whose login starts with a letter and whose home is
# under /home gets /home/<initial>/ in front of the user part; all
# other records are copied unchanged, so the file is rewritten
# (not appended to, which would leave every user in twice).
NEWPW=/tmp/passwd.homes.$$
echo Fixing home directory paths
awk -F":" -v OFS=":" '
    $1 ~ /^[a-z]/ && $6 ~ /^\/home\// {
        sub(/^\/home\//, "/home/" substr($1, 1, 1) "/", $6)
    }
    { print }' /etc/passwd > $NEWPW || scram
# Replace the /etc/passwd with our new file
mv -f $NEWPW /etc/passwd || scram
TEMP=/tmp/$$.users
PWFILE=/tmp/passwd.$$
cp /etc/passwd $PWFILE || scram
# All sys* logins ("sysxxx" is the system account belonging to user "xxx")
awk -F":" '$1 ~ /^sys/ {print $1}' $PWFILE > $TEMP
while read record
do
    # Extract all characters from the 4'th position in the username
    # and store in "ruser". Also extract the first letter of the new
    # username in order to locate the correct subdirectory in /home
    ruser=`echo "$record" | cut -b4-10`
    initial=`echo "$ruser" | cut -b1-1`
    # Never go on with an empty ruser: the rm -rf below would hit /home/s/
    [ -n "$ruser" ] || continue
    # Save the real user's UID and GID. Only the uid/gid fields of the
    # sys* record are replaced, matched on the exact login name (a global
    # search-and-replace of the number would also hit other records).
    uid=`awk -F":" -v u="$ruser" '$1 == u {print $3; exit}' /etc/passwd`
    gid=`awk -F":" -v u="$ruser" '$1 == u {print $4; exit}' /etc/passwd`
    xuid=`awk -F":" -v u="$record" '$1 == u {print $3; exit}' $PWFILE`
    if [ -z "$uid" ]; then
        echo No real user $ruser found for $record, skipping
        continue
    fi
    echo -n Replacing $xuid with $uid
    awk -F":" -v OFS=":" -v u="$record" -v uid="$uid" -v gid="$gid" \
        '$1 == u { $3 = uid; $4 = gid } { print }' $PWFILE > $PWFILE.new && \
    mv -f $PWFILE.new $PWFILE
    echo " done."
    # Remove old sys* directory tree and symlink to the real user's
    # directory. Also change ownership on the new symlink from root
    # to the real user.
    BASEDIR=/home/s/$record
    rm -rf "$BASEDIR" || continue
    ln -sf /home/$initial/$ruser "$BASEDIR"
    chown -h $ruser:$ruser "$BASEDIR" > /dev/null 2>&1 || \
        echo Failed to chown $ruser for $BASEDIR
done < $TEMP
cp /etc/passwd /root/passwd.orig && mv -f $PWFILE /etc/passwd
# Implement disk quotas as last step
echo Editing user quotas in /home
for prefix in a b c d e f g h i j k l m n o p q r s t u v w x y z
do
    cd /home/$prefix || continue
    for u in *
    do
        # Copy the quota of the template user "anos" to every account
        edquota -p anos -u $u > /dev/null 2>&1
    done
done
# Finally, restart the SMB daemon.
/etc/rc.d/init.d/smb restart
# What we have after this is
#
# All NT users have a mail account w NT synced passwords
# All NT accounts have a real name alias (i.e. ANOS = Anders.Ostling)
# All users have a file share (for manual mail file manipulation)
# called \\foo\<username>.
# All sysxxx accounts are tweaked (UID changed to xxx and directory
# for sysxxx is symlinked to xxx).
# Choice of POP or IMAP mail support
# WEB managed SMTP mail server
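An added example that is not part of the original post: a pre-check for the USERNAME:REALNAME export before it is fed to an import like the script above. It rejects login names that are unsafe to hand to adduser or to write into /etc/passwd, and it flags real names that fold to the same First.Last alias, which the script above would append to /etc/aliases twice without noticing. The sample export, the file names under TMPDIR and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Checks an NT export in
# USERNAME:REALNAME form before any account is created: unsafe login names
# are rejected and First.Last aliases shared by two users are reported.
# All sample data below is constructed.

# Lowercase, starts with a letter or '_', at most 32 chars; no ':', ';', '/', spaces.
valid_username() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Same 7-bit mapping of Swedish letters as the import script, then First.Last.
mail_alias() {
    printf '%s\n' "$1" \
      | sed -e 's/Ö/O/g' -e 's/Å/A/g' -e 's/Ä/A/g' \
            -e 's/ö/o/g' -e 's/å/a/g' -e 's/ä/a/g' \
      | awk '{ print $1 "." $2 }'
}

# Writes "<alias>: <user>" lines to <file>.aliases, reports rejected records
# on stderr and returns 1 if any alias is claimed by more than one user.
check_export() {
    # tr strips the CR of CRLF line ends that a text file from NT may carry
    tr -d '\r' < "$1" | while IFS=: read -r user name; do
        if ! valid_username "$user"; then
            echo "rejecting record for '$user': unsafe login name" >&2
            continue
        fi
        [ -n "$name" ] || continue
        printf '%s: %s\n' "$(mail_alias "$name")" "$user"
    done | LC_ALL=C sort > "$1.aliases"
    dups=$(cut -d: -f1 "$1.aliases" | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate aliases, resolve by hand: $dups" >&2
        return 1
    fi
    return 0
}

# Constructed sample: two users get the same alias after transliteration,
# and one record carries a login name the import must never see.
SAMPLE=${TMPDIR:-/tmp}/allusers.sample.$$
cat > "$SAMPLE" <<'EOF'
anos:Anders Östling
bsva:Bo Svärd
bsvb:Bo Svard
root;x:Not A User
EOF

check_export "$SAMPLE" || echo "fix the export before running the import" >&2
```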
When I had created the new database files, I installed PAM_SMB by compiling the sources. I edited the resulting files
/etc/pam_smb.conf
<domainname>
<logon server 1>
<logon server 2>
/etc/pam.d/samba
auth required /lib/security/pam_smb_auth.so
account required /lib/security/pam_pwdb.so
/etc/pam.d/imap
(same as samba)
/etc/pam.d/login
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_smb_auth.so
...
(rest of lines as default)
/etc/pam.d/ftp
(also added smb as second auth method after pam_listfile.so)
That was all I did to have all 3500 user accounts copied to the Linux system. Any password changes the users make on NT are reflected on the Linux system since all validation goes back to NT, both for mail access, login and ftp. Works great. The users can now send mail using their real names, as well as the login names. I also enforced quotas on their home directories (50 MB for my template directory, anos). See online help for EDQUOTA.
/Anders
PS. If you have big time troubles creating the user file from NT, there were some suggestions that other tools could be used for extracting the needed account information. I have not tried that way, so I can't say if it works or not. Be creative...