NT users integration

Anders Östling anders.ostling at neurope.ikea.com
Fri Jun 11 15:47:12 GMT 1999

Here we go again, now from NETSCAPE instead of MSOutlook...

Ok, quite a few of you people on the list were interested in how I
integrated my NT user database into Linux, so here is a summary of the
steps, and the script that did the final conversion.

1. I obtained an eval version of XLNT from www.advsyscon.com. Using the DCL
emulator on NT, I wrote a small script that extracted two fields from
the NT SAM into a comma-separated textfile. The two items were USERNAME and
REAL NAME. I am sorry, but I can't find this script right now :-(, but
some reading of the docs should give enough hints. Maybe someone else on the
list can re-create the needed script.

2. I ftp'd the textfile to Linux and executed the following script:


#!/bin/sh
#
# Work files. Their definitions were lost from the posted copy; the
# directory and names below are assumed (a private directory instead
# of /tmp, so nobody else can pre-create or replace the files).
WORK=/root/ntsync.$$
mkdir -m 700 $WORK || exit 1
UFILE=ALLUSERS.TXT            # NT export, one "username:realname" per line
TEMPFILE=$WORK/aliases        # new sendmail aliases
tmpfile=$WORK/homes.sed       # sed script for the /home/<initial> rewrite
PWFILE=$WORK/passwd           # working copy of /etc/passwd
TEMP=$WORK/sysusers           # list of sys* logins

scram ()
{
    echo We did ALMOST make it
    echo Pls check /etc/passwd aliases and group
    echo I recommend to restore the files again
    exit 0
}

# ALLUSERS.TXT is the file created on NT using XLNT's scripting language
# It contains all user accounts AND the user's real names (2 columns).

if [ ! -f "$UFILE" ]; then
    echo User database $UFILE missing
    exit 1
fi

# Save the user database files before starting. If something goes wrong,
# restore them before restarting

for db in passwd aliases group
do
    cp /etc/$db /etc/$db.orig.$$ || exit 1
done

# Add all NT users from the NT domain to the local passwd file and
# send them a welcome message

while read record
do
    username=`echo "$record" | awk -F: '{print $1}'`
    fullname=`echo "$record" | awk -F: '{print $2}'`
    # adduser gets /dev/null as stdin so it cannot eat the rest of $UFILE
    adduser $username < /dev/null || scram
    rm -f /var/spool/mail/$username
    mail -s "Hello $fullname" $username << EOF

This is an automatic message from FOO. Welcome as a mail user
in the neurope domain.

Your admin
EOF
done < $UFILE

# Replace the "empty pwd" marker with an asterisk. Only the password
# field is touched (the posted s/!!/*/g also hit every other field), and
# the new file is written where the mv expects it.

echo Cleaning up password fields
sed -e 's/^\([^:]*\):!!:/\1:*:/' < /etc/passwd > /etc/passwd.new || scram
mv -f /etc/passwd.new /etc/passwd || scram

# Create sendmail aliases for all users so they can
# use their "NT Full names" as mail accounts. Make
# sure that local characters are mapped to 7 bits.
# If this looks funny with your char set, I am replacing swedish
# characters in names with non-umlaut ones.

echo Building temporary alias file
: > $TEMPFILE
while read RECORD
do
    xUSER=`echo "$RECORD" | awk -F: '{print $1}'`
    aNAME=`echo "$RECORD" | awk -F: '{print $2}'`
    gNAME=`echo "$aNAME" | sed -e 's/Ö/O/g' -e 's/Å/A/g' -e 's/Ä/A/g' \
                               -e 's/ö/o/g' -e 's/å/a/g' -e 's/ä/a/g'`

    FNAME=`echo $gNAME | awk '{print $1}'`
    LNAME=`echo $gNAME | awk '{print $2}'`

    echo User $xUSER named $FNAME.$LNAME at neurope.ikea.com
    echo "$FNAME.$LNAME: $xUSER" >> $TEMPFILE
done < $UFILE

# Create a new /etc/aliases for SENDMAIL

echo Merging new and old aliases
cat $TEMPFILE >> /etc/aliases || scram
echo Creating alias database
newaliases || scram             # the rebuild command itself was missing

# Since we have so many users, they have been grouped in
# /home/a/axxx, /home/b/byyy etc. This means we have to
# edit the /etc/passwd to accommodate for this.
# Each line is rewritten once; the posted version appended the edited
# lines to /etc/passwd and left the originals in place.

: > $tmpfile
for a in a b c d e f g h i j k l m n o p q r s t u v w x y z
do
    echo Fixing accounts starting with $a
    # for logins starting with $a: :/home/<dir>: becomes :/home/$a/<dir>:
    echo "/^$a[^:]*:/ s#:/home/\\([^/:]*\\):#:/home/$a/\\1:#" >> $tmpfile
done

# Replace the /etc/passwd with our new file

sed -f $tmpfile /etc/passwd > /etc/passwd.new || scram
mv -f /etc/passwd.new /etc/passwd || scram

cp /etc/passwd $PWFILE
grep ^sys $PWFILE | awk -F: '{print $1}' > $TEMP
while read record
do
# Extract all characters from the 4'th position in the username
# and store in "ruser". Also extract the first letter of the new
# username in order to locate the correct subdirectory in /home

    ruser=`echo $record | cut -b4-10`
    initial=`echo $ruser | cut -b1-1`

# Save the real user's UID and GID. We will replace the
# sys* user record's uid/gid with these two values.

    uid=`grep "^$ruser:" /etc/passwd | awk -F: '{print $3}'`
    gid=`grep "^$ruser:" /etc/passwd | awk -F: '{print $4}'`
    xuid=`grep "^$record:" $PWFILE | awk -F: '{print $3}'`
    if [ -z "$uid" ]; then
        echo No real user $ruser for $record, skipping
        continue
    fi

    echo -n Replacing $xuid with $uid

    # Only the uid/gid fields of the $record line change. The posted
    # s/$xuid/$uid/g over the whole file would also have rewritten any
    # other uid, gid or name that happened to contain that number.
    awk -F: -v OFS=: -v u="$record" -v id="$uid" -v g="$gid" \
        '$1 == u { $3 = id; $4 = g } { print }' $PWFILE > $PWFILE.new && \
    mv -f $PWFILE.new $PWFILE

    echo " done."

# Remove old sys* directory tree and symlink to the real user's
# directory. Also change ownership on the new symlink from root
# to the real user.

    # home dir of the sys* account as recorded in the passwd file
    BASEDIR=`grep "^$record:" $PWFILE | awk -F: '{print $6}'`
    case "$BASEDIR" in /home/*) ;; *) continue ;; esac   # never rm outside /home
    rm -rf $BASEDIR || continue
    ln -sf /home/$initial/$ruser $BASEDIR
    chown -h $ruser:$ruser $BASEDIR > /dev/null 2>&1 || \
    echo Failed to chown $ruser for $BASEDIR
done < $TEMP
cp /etc/passwd /root/passwd.orig && mv -f $PWFILE /etc/passwd

# Implement disk quotas as last step

echo Editing user quotas in /home
for prefix in a b c d e f g h i j k l m n o p q r s t u v w x y z
do
    [ -d /home/$prefix ] || continue
    for u in /home/$prefix/*
    do
        edquota -p anos -u `basename $u` > /dev/null 2>&1
    done
done

# Finally, restart the SMB daemon.

/etc/rc.d/init.d/smb restart
rm -rf $WORK

# What we have after this is
# All NT users have a mail account w NT synced passwords
# All NT accounts have a real-name alias (i.e ANOS = Anders.Ostling)
# All users have a file share (for manual mail file manipulation)
# called \\foo\<username>.
# All sysxxx accounts are tweaked (UID changed to xxx and directory
# for sysxxx is symlinked to xxx).
# Choice of POP or IMAP mail support
# WEB managed SMTP mail server
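A post-migration check for the /etc/passwd the script leaves behind, added here as an example and not part of the original post. It assumes the conventions the script establishes (password field locked with "*" because validation goes to NT, homes grouped as /home/<initial>/<login>, sys<login> sharing <login>'s UID) and runs over a constructed sample; SYSTEM_ACCOUNTS is an assumed list.

```python
from collections import defaultdict
SYSTEM_ACCOUNTS = ("root", "bin", "daemon", "mail", "nobody")  # assumed, untouched by the migration
FIELDS = ("login", "pw", "uid", "gid", "gecos", "home", "shell")

def parse_passwd(text):
    """Split passwd text into 7-field records; report malformed lines."""
    records, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            errors.append(f"line {n}: expected 7 fields, got {len(fields)}")
            continue
        records.append(dict(zip(FIELDS, fields)))
    return records, errors

def check_passwd(text):
    """Return findings that violate the script's conventions; [] is clean."""
    records, findings = parse_passwd(text)
    logins = {r["login"] for r in records}
    by_uid = defaultdict(list)
    for r in records:
        by_uid[r["uid"]].append(r["login"])
        if r["login"] in SYSTEM_ACCOUNTS:
            continue
        # The script turns "!!" into "*" so no local password can match;
        # an empty field would let anyone in without a password at all.
        if r["pw"] in ("", "!!"):
            findings.append(f'{r["login"]}: password field "{r["pw"]}", expected "*"')
        if r["login"].startswith("sys") and r["login"][3:] in logins:
            continue  # sys<name> keeps its own home, symlinked to <name>'s
        expected = f'/home/{r["login"][0]}/{r["login"]}'
        if r["home"] != expected:
            findings.append(f'{r["login"]}: home {r["home"]} != {expected}')
    for uid, names in by_uid.items():
        # A shared UID is only legitimate for a sys<name> -> <name> pair.
        real = [n for n in names if not (n.startswith("sys") and n[3:] in names)]
        if len(real) > 1:
            findings.append(f"uid {uid} shared by {', '.join(sorted(real))}")
    return findings

# Constructed sample: a good sys pair, a stray "!!", an empty password,
# an ungrouped home directory and an accidental UID clash.
SAMPLE = """root:x:0:0:root:/root:/bin/bash
anos:*:501:501:Anders Ostling:/home/a/anos:/bin/bash
sysanos:*:501:501:sys account:/home/sysanos:/bin/bash
bfoo:!!:502:502:B Foo:/home/bfoo:/bin/bash
cbar::503:503:C Bar:/home/c/cbar:/bin/bash
dbaz:*:503:503:D Baz:/home/d/dbaz:/bin/bash
"""
```

Running `check_passwd(SAMPLE)` reports four findings: bfoo's "!!" field and ungrouped home, cbar's empty field, and UID 503 shared by cbar and dbaz; the anos/sysanos pair is accepted.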

When I had created the new database files, I installed PAM_SMB by compiling
the sources. I edited the resulting files

<logon server 1>
<logon server 2>


auth    required    /lib/security/pam_smb_auth.so
account required /lib/security/pam_pwdb.so


(same as samba)


auth    required    /lib/security/pam_securetty.so
auth    required    /lib/security/pam_smb_auth.so
(rest of lines as default)


(also added smb as second auth method after pam_listfile.so)

That was all I did to have all 3500 user accounts copied to the Linux
system. Any password changes the users make on NT are reflected on the Linux
system, since all validation goes back to NT, for mail access, login and
ftp. Works great. The users can now send mail using their real names, as
well as the login names. I also enforced quotas on their home directories
(50 MB for my template directory, anos). See the
online help for EDQUOTA.


PS. If you have big-time troubles creating the user file from NT, there were
some suggestions that other tools could be used for extracting
the needed account information. I have not tried that way, so I can't say if
it works or not. Be creative...

Anders Östling
IKEA Corporate Technology Group
Email: anders dot ostling AT neurope dot ikea dot com
Phone: +46-42-25 73 45
Fax  : +46-42-25 73 70
Mobil: +46-70-753 70 39

More information about the samba-ntdom mailing list