NT users integration

Anders Östling anders.ostling at neurope.ikea.com
Wed Jun 9 07:56:47 GMT 1999


Ok, quite a few of you people on the list were interested in how I integrated my NT user database into Linux, so here is a summary of the steps, and the script that did the final conversion.

1. I obtained an eval version of XLNT from www.advsyscon.com. Using the DCL emulator on NT, I wrote a small script that extracted two fields from the NT SAM into a comma-separated textfile. The two items were USERNAME and REAL NAME. I am sorry, but I can't find this script right now :-(, but some reading of the docs should give enough hints. Maybe someone else on the list can re-create the needed script.

2. I ftp'd the textfile to Linux and executed the following script:

#!/bin/bash

scram ()
{
    echo We did ALMOST make it
    echo Pls check /etc/passwd aliases and group
    echo I recommend to restore the files again
    exit 1
}

# ALLUSERS.TXT is the file created on NT using XLNT's scripting language
# It contains all user accounts AND the user's real names (2 columns,
# separated by ":").

UFILE=/home/ftp/pub/ALLUSERS.TXT
if [ ! -f "$UFILE" ]; then
    echo User database $UFILE missing
    exit 1
fi

# Save the user database files before starting. If something goes wrong, restore them before restarting

for db in passwd aliases group
do
    cp /etc/$db /etc/$db.orig.$$
done

#
# Add all NT users from the NT domain to the local passwd file and
# send them a welcome message
#

while read record
do
    username=`echo "$record" | awk -F":" '{print $1}'`
    fullname=`echo "$record" | awk -F":" '{print $2}'`
    [ -n "$username" ] || continue
    adduser "$username" || scram
    rm -f /var/spool/mail/$username
    mail -s "Hello $fullname" "$username" << EOF

This is an automatic message from FOO. Welcome as a mail user
in the neurope domain.

Your admin
EOF
done < $UFILE

# Replace the "empty pwd" marker with an asterisk, so nobody can log in
# with an empty local password (validation goes to NT via PAM_SMB anyway)

echo Cleaning up password fields
sed -e 's/!!/*/g' < /etc/passwd > /etc/passwd.new || scram
mv -f /etc/passwd.new /etc/passwd || scram

# Create sendmail aliases for all users so they can
# use their "NT Full names" as mail accounts. Make
# sure that local characters are mapped to 7 bits.
# If this looks funny with your char set, I am replacing swedish
# characters in names with non-umlaut ones.

TEMPFILE=/tmp/ntnames.$$
>$TEMPFILE
echo Building temporary alias file
while read RECORD
do
    xUSER=`echo "$RECORD" | awk -F":" '{print $1}'`
    aNAME=`echo "$RECORD" | awk -F":" '{print $2}' | \
           sed -e 's/Ö/O/g' -e 's/Å/A/g' -e 's/Ä/A/g' \
               -e 's/ö/o/g' -e 's/å/a/g' -e 's/ä/a/g'`

    FNAME=`echo "$aNAME" | awk -F" " '{print $1}'`
    LNAME=`echo "$aNAME" | awk -F" " '{print $2}'`

    echo User $xUSER named $FNAME.$LNAME at neurope.ikea.com
    echo "$FNAME.$LNAME: $xUSER" >> $TEMPFILE
done < $UFILE

# Create a new /etc/aliases for SENDMAIL

echo Merging new and old aliases
cat $TEMPFILE >> /etc/aliases
rm -f $TEMPFILE
echo Creating alias database
/usr/bin/newaliases

# Since we have so many users, they have been grouped in
# /home/a/axxx, /home/b/byyy etc. This means we have to
# edit the /etc/passwd to accommodate for this. Only the home
# directory field of the entries whose username starts with that
# letter is rewritten; root, daemon etc. are left alone.

NEWPW=/tmp/passwd.homes.$$
cp /etc/passwd $NEWPW
for a in a b c d e f g h i j k l m n o p q r s t u v w x y z
do
    echo Fixing accounts starting with $a
    sed -e "/^$a[^:]*:/s#:/home/#:/home/$a/#" $NEWPW > $NEWPW.new || scram
    mv -f $NEWPW.new $NEWPW
done

# Replace the /etc/passwd with our new file

cp $NEWPW /etc/passwd || scram
rm -f $NEWPW

TEMP=/tmp/$$.users
PWFILE=/tmp/passwd.$$
cp /etc/passwd $PWFILE
grep ^sys $PWFILE | awk -F":" '{print $1}' > $TEMP
while read record
do
# Extract all characters from the 4'th position in the username
# and store in "ruser". Also extract the first letter of the new
# username in order to locate the correct subdirectory in /home

    ruser=`echo $record | cut -b4-`
    initial=`echo $ruser | cut -b1-1`
    [ -n "$ruser" ] || continue

# Save the real user's UID and GID. We replace the uid/gid fields
# of the sys* user record (and only those, on that one line) with
# these two values. The greps are anchored on "name:" so that e.g.
# "ab" does not match the record of "abc".

    uid=`grep "^$ruser:" /etc/passwd | awk -F":" '{print $3}'`
    gid=`grep "^$ruser:" /etc/passwd | awk -F":" '{print $4}'`
    xuid=`grep "^$record:" $PWFILE | awk -F":" '{print $3}'`
    if [ -z "$uid" ]; then
        echo No real user $ruser for $record, skipping
        continue
    fi

    echo -n Replacing $xuid with $uid for $record

    sed -e "s/^\($record:[^:]*:\)[^:]*:[^:]*:/\1$uid:$gid:/" $PWFILE > $PWFILE.new && \
    mv -f $PWFILE.new $PWFILE

    echo " done."

# Remove old sys* directory tree and symlink to the real user's
# directory. Also change ownership on the new symlink itself (-h,
# not the directory it points to) from root to the real user.

    BASEDIR=/home/s/$record
    rm -rf "$BASEDIR" || continue
    ln -sf /home/$initial/$ruser $BASEDIR
    chown -h $ruser:$ruser $BASEDIR > /dev/null 2>&1 || \
    echo Failed to chown $ruser for $BASEDIR
done < $TEMP
rm -f $TEMP
cp /etc/passwd /root/passwd.orig && mv -f $PWFILE /etc/passwd

# Implement disk quotas as last step

echo Editing user quotas in /home
for prefix in a b c d e f g h i j k l m n o p q r s t u v w x y z
do
    cd /home/$prefix || continue
    for u in *
    do
        [ -d "$u" ] || continue
        edquota -p anos -u $u > /dev/null 2>&1
    done
done

# Finally, restart the SMB daemon.

/etc/rc.d/init.d/smb restart

# What we have after this is
#
# All NT users have a mail account w NT synced passwords
# All NT accounts have a real name alias (i.e ANOS = Anders.Ostling)
# All users have a file share (for manual mail file manipulation)
# called \\foo\<username>.
# All sysxxx accounts are tweaked (UID changed to xxx and directory
# for sysxxx is symlinked to xxx).
# Choice of POP or IMAP mail support
# WEB managed SMTP mail server


When I had created the new database files, I installed PAM_SMB by compiling the sources. I edited the resulting files 

/etc/pam_smb.conf
<domainname>
<logon server 1>
<logon server 2>

/etc/pam.d/samba

auth    required    /lib/security/pam_smb_auth.so
account required    /lib/security/pam_pwdb.so

/etc/pam.d/imap

(same as samba)

/etc/pam.d/login

auth    required    /lib/security/pam_securetty.so
auth    required    /lib/security/pam_smb_auth.so
...
(rest of lines as default)

/etc/pam.d/ftp

(also added smb as second auth method after pam_listfile.so)

That was all I did to have all 3500 user accounts copied to the Linux system. Any password changes the users make on NT are reflected on the Linux system since all validation goes back to NT, both for mail access, login and ftp. Works great. The users can now send mail using their real names, as well as the login names. I also enforced quotas on their home directories (50 MB for my template directory, anos). See online help for EDQUOTA.

/Anders

PS. If you have big time troubles creating the user file from NT, there were some suggestions that other tools could be used for extracting the needed account information. I have not tried that way, so I can't say if it works or not. Be creative...




More information about the samba-ntdom mailing list