Usage of myldap-pub.py

Lukasz Zalewski lukas at eecs.qmul.ac.uk
Fri Nov 12 08:16:46 MST 2010


On 11/12/2010 02:46 PM, Charles Tryon wrote:
> Greetings!
>
>    Mark Rutherford was so kind as to send me his copy of the myldap-pub.py
> script, so I have a working copy of the script. (I found a copy in a list
> archive, but the indenting was foobared, which really confused Python!)
>   However, with my still limited knowledge of Samba4 and Python, I'm having a
> lot of difficulty figuring out how to use it to migrate users out of my
> existing Samba3/Fedora389 setup into a new Samba4 domain I am trying to
> build.
>
>    I am currently running S4 from the git repository (last pull on 11/11).  I
> used the HOWTO at http://wiki.samba.org/index.php/Samba4/HOWTO to set up the
> domain.  I have Dynamic DNS working with DHCP, and I believe Kerberos is
> working correctly.  I can add users through the "samba-tool", and join both
> XP and Windows7 machines to the domain.  I even have the Microsoft AD
> administrative tools talking to the domain to add or manage users.
>
>    My problem is that I would like to migrate over a large number of existing
> users and machines to the domain such that if I shut down the old domain and
> connect the new one, the users and machines won't know the difference.
>
>    What I have done is to provision a clean domain:
>
>      sudo /usr/local/samba/sbin/provision --realm=bbaggins.net \
>                      --domain=ARDA \
>                      --domain-sid=S-1-5-21-1104678897-1477468196-890409133 \
>                      --adminpass=Xxxxxxx \
>                      --server-role='domain controller'
>
>    I then tried to run the migrate script, trying to guess at the parameters:
>
>      ./myldap-pub.py      \
>          --ldap_uri=ldap://weathertop.bbaggins.net \     URI of existing LDAP?
>          --ldap_binddn="CN=Directory Manager"     \      binddn    "
>          --ldap_bindpwd="Yyyyyyy"      \                 passwd   "
>          --output_basedn="dc=bbaggins,dc=net"     \
>          --input_domain_name=SHIRE        \
>          --input_basedn="dc=bbaggins,dc=net"      \
>          --import_accounts=Users        \
>          --output_users_ou="ou=People"
>
>    The response I get is:
>
> Traceback (most recent call last):
>    File "./myldap-pub.py", line 1934, in <module>
>      ldap_cmd.run()
>    File "./myldap-pub.py", line 1927, in run
>      user_principal_name=options.user_principal_name)
>    File "./myldap-pub.py", line 449, in __init__
>      computer_replace_attrs=computer_replace_attrs)
>    File "./myldap-pub.py", line 1713, in convertObjects
>      disable_if_no_unicodePwd=True)
>    File "./myldap-pub.py", line 1371, in convert_sambaSamAccount
>      assert keep != remove, 'keep[%s] remove[%s] error attr[%s] in: %s\n' % (str(keep), str(remove), attr, str(old))
> AssertionError: keep[False] remove[False] error attr[ntUserDomainId] in:
> {'cn': ['Sam Tryon'], 'objectClass': ['top', 'person', 'account',
> 'organizationalPerson', 'inetorgperson', 'ntuser', 'posixAccount',
> 'sambaSamAccount'], 'uidNumber': ['11008'], 'sambaAcctFlags': ['[U
>   ]'], 'sambaPrimaryGroupSID':
> ['S-1-5-21-1104678897-1477468196-890409133-513'], 'uid': ['sam'],
> 'sambaHomePath': ['\\\\weathertop\\homes\\'], 'userPassword': ['{crypt}'],
> 'sambaProfilePath': ['\\\\weathertop\\profiles\\sam'], 'sambaPwdMustChange':
> ['7776000'], 'mail': ['laadass at gmail.com'], 'sambaLogonScript':
> ['OMLOGON.CMD'], 'loginShell': ['/bin/bash'], 'gidNumber': ['5004'],
> 'sambaPwdLastSet': ['1288209778'], 'sambaNTPassword':
> ['FAE44DBF10C32BEB313D3DDF1235280D'], 'ntUserDomainId': ['Sam.Tryon'],
> 'homePhone': ['770-631-3448', '770-851-2879'], 'telephoneNumber': ['5207'],
> 'sambaHomeDrive': ['N:'], 'sambaSID':
> ['S-1-5-21-1104678897-1477468196-890409133-11008'], 'gecos': ['Sam Tryon'],
> 'sn': ['Tryon'], 'homeDirectory': ['/home/sam'], 'givenName': ['Sam']}
>
>    Any hints on what is going on here?
>

Hi Charles,
It seems like you use a custom schema which contains the ntUserDomainId 
attribute - for those you have to explicitly reject (or remove) them 
using the --remove_input_attributes switch. Every time an attribute is found 
that is not on the keep or remove list the assertion will be triggered, i.e.
AssertionError: keep[False] remove[False] error attr[ntUserDomainId]

For example, our incantation for that switch looks like
--remove_input_attributes 
'eduPersonPrimaryAffiliation,shadowMin,shadowMax,eduPersonAffiliation,shadowExpire,shadowFlag,shadowWarning,shadowInactive,qmulStudentType,qmulStudentDevYear,departmentNumber,qmulStudentDeptCode,qmulStudentID'

Metze,
should we by default add automatic removal of shadow-related attributes 
(for completeness), as shadowLastChange is already in the remove list 
(but the others have to be explicitly rejected)?

Regards

Luk
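The rule behind the assertion Luk describes, turned into a pre-flight audit you can run over a whole export before starting the real migration. This is an added example, not code from myldap-pub.py or from either poster: it only reproduces what the posted traceback reveals (every input attribute must be on exactly one of the keep list and the remove list), reports every attribute that would fail that test in one pass instead of one AssertionError per run, and builds the --remove_input_attributes value to pass. KEEP and BUILTIN_REMOVE are assumed stand-ins for the script's real lists; the sample entries are constructed (the posted account trimmed, with the NT hash replaced by a placeholder, plus a second account carrying shadow* attributes).

```python
"""Pre-flight audit for an LDAP-to-Samba4 account migration.

Added example, not code from myldap-pub.py. The rule checked is the one
the thread's traceback shows: `assert keep != remove` per attribute.
KEEP and BUILTIN_REMOVE are ASSUMPTIONS standing in for the real lists.
"""

# Assumed: attributes the migration knows how to convert (not the script's list).
KEEP = {
    "objectClass", "cn", "sn", "givenName", "uid", "mail", "gecos",
    "telephoneNumber", "homePhone", "userPassword", "uidNumber", "gidNumber",
    "homeDirectory", "loginShell", "sambaSID", "sambaPrimaryGroupSID",
    "sambaAcctFlags", "sambaNTPassword", "sambaPwdLastSet", "sambaPwdMustChange",
    "sambaHomePath", "sambaHomeDrive", "sambaProfilePath", "sambaLogonScript",
}

# Assumed: the built-in reject list. The reply states shadowLastChange is on it.
BUILTIN_REMOVE = {"shadowLastChange"}


def parse_remove_switch(value):
    """Split a --remove_input_attributes value ('a,b,c') into a set of names."""
    return {name.strip() for name in value.split(",") if name.strip()}


def check_attribute(attr, keep, remove):
    """Decide one attribute the way the posted assertion does.

    `keep != remove` fails when the attribute is on neither list AND when it
    is on both, so a misconfigured keep list trips it just like a custom schema.
    """
    on_keep, on_remove = attr in keep, attr in remove
    if on_keep == on_remove:
        raise AssertionError("keep[%s] remove[%s] error attr[%s]"
                             % (on_keep, on_remove, attr))
    return "keep" if on_keep else "remove"


def convert_entry(entry, keep=KEEP, remove=BUILTIN_REMOVE):
    """Return the attributes that would be carried over, or raise like the script."""
    return {attr: values for attr, values in entry.items()
            if check_attribute(attr, keep, remove) == "keep"}


def audit(entries, remove_switch="", keep=KEEP, builtin_remove=BUILTIN_REMOVE):
    """Map each attribute that would trip the assertion to the uids carrying it."""
    remove = builtin_remove | parse_remove_switch(remove_switch)
    offending = {}
    for entry in entries:
        uid = entry["uid"][0]
        for attr in entry:
            if (attr in keep) == (attr in remove):
                offending.setdefault(attr, []).append(uid)
    return offending


def suggest_remove_switch(entries, remove_switch="", keep=KEEP,
                          builtin_remove=BUILTIN_REMOVE):
    """Build the --remove_input_attributes value that clears every neither-list case.

    Attributes on both lists are deliberately left out: rejecting them would not
    help, the keep list itself needs fixing for those.
    """
    names = parse_remove_switch(remove_switch)
    names |= {attr for attr in audit(entries, remove_switch, keep, builtin_remove)
              if attr not in keep}
    return ",".join(sorted(names))


# Constructed sample export: a trimmed copy of the posted entry (hash replaced
# by a placeholder) plus a second account with shadow* attributes.
SAM = {
    "objectClass": ["top", "person", "posixAccount", "sambaSamAccount", "ntuser"],
    "cn": ["Sam Tryon"], "sn": ["Tryon"], "givenName": ["Sam"], "uid": ["sam"],
    "uidNumber": ["11008"], "gidNumber": ["5004"], "homeDirectory": ["/home/sam"],
    "loginShell": ["/bin/bash"], "sambaAcctFlags": ["[U          ]"],
    "sambaSID": ["S-1-5-21-1104678897-1477468196-890409133-11008"],
    "sambaNTPassword": ["00000000000000000000000000000000"],
    "ntUserDomainId": ["Sam.Tryon"],
}
BILBO = {
    "objectClass": ["top", "person", "posixAccount", "sambaSamAccount", "shadowAccount"],
    "cn": ["Bilbo Baggins"], "sn": ["Baggins"], "uid": ["bilbo"],
    "uidNumber": ["11009"], "gidNumber": ["5004"], "homeDirectory": ["/home/bilbo"],
    "shadowLastChange": ["14900"], "shadowMin": ["0"], "shadowMax": ["99999"],
    "ntUserDomainId": ["Bilbo.Baggins"],
}
EXPORT = [SAM, BILBO]


if __name__ == "__main__":
    for attr, uids in sorted(audit(EXPORT).items()):
        print("%s: %d entries (e.g. %s)" % (attr, len(uids), uids[0]))
    print("--remove_input_attributes '%s'" % suggest_remove_switch(EXPORT))
```

Running it against the constructed export lists ntUserDomainId, shadowMax and shadowMin as the attributes that would fail, and prints the switch value to pass; re-running the audit with that value reports nothing. Two things worth keeping in mind when doing this for real: the posted assertion also fires for an attribute that appears on both lists, which no --remove_input_attributes value can fix, and the attributes you reject are dropped from the migrated accounts, so anything your Samba3 clients or PAM stack still depends on (shadow expiry policy, for instance) has to be re-expressed on the Samba4 side rather than silently lost.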
