lukas at dcs.qmul.ac.uk
Thu Aug 19 02:59:27 MDT 2010
On 08/18/2010 05:03 PM, Lukasz Zalewski wrote:
> Hi Metze, all
> Attached is a first iteration patch to myldap-pub.py that extends and
> hopefully generalises its functionality.
> Without any options it should behave exactly the same as original, by
> allowing to import the whole domain.
> Additional options allow to fine tune various bits'n'bobs of the import.
> At the moment the ldap connection is performed using only simple bind.
> Also the trust import is still TODO. After a brief conversation with gd
> on IRC it seems that the incoming trust will be represented as a
> computer account (with only [ I ] acctFlag set), but outgoing trust will
> be represented differently, using a different objectClass - from samba3x
> schema there are two objectClasses: sambaTrustedDomainPassword and
> sambaTrustPassword. Which one should we check for? Which trusts should
> be imported? What would be the s4 objectClass for them?
> I have also noticed that the computer account import also imports
> machine accounts with [ I ] flag - is this intended behaviour? Should we
> condition the import on the presence of [ W ] flag?
> Any info and comments appreciated
I have noticed that when NTpassword is missing the new unicodePwd
element is set to None. However, the account is not disabled, but it does
not have an empty password either. So does the ldbadd process generate some
random password value if that attribute is missing? Should the account
be disabled during the import if password information is missing?