Usage of myldap-pub.py

Charles Tryon charles.tryon at gmail.com
Fri Nov 12 20:34:57 MST 2010


OK, that got me a couple of steps closer!  I now have:

    --remove_input_attributes 'homePhone,ntUserDomainId'

...which isn't so bad.  Now I have a new error.  For a generated entry like
this:

# op[add]: 2
dn: CN=sue,ou=People,dc=bbaggins,dc=net
changetype: add
uid: sue
objectClass: user
uidNumber: 11006
unicodePwd:: IeAEvjoztqjfTslVeIi3oQ==
objectSid: S-1-5-21-1104678897-1477468196-890409133-11006
scriptPath: OMLOGON.CMD
mail: tryonszy at yahoo.com
pwdLastSet: 129326833780000000
sAMAccountName: sue
loginShell: /bin/bash
unixHomeDirectory: /home/sue
gidNumber: 5003
unixUserPassword: {crypt}
profilePath: \\weathertop\profiles\sue
ntPwdHistory:: IeAEvjoztqjfTslVeIi3oQ==
homeDrive: N:
userAccountControl: 512
gecos: Sue Tryon
sn: Tryon
homeDirectory: \\weathertop\homes\
givenName: Sue

I get the error:

<samba4:dev>? ldapmodify -a -D
"CN=Administrator,CN=Users,DC=bbaggins,DC=net" -w Xxxxxxxx -f add.ldif
adding new entry "CN=sue,ou=People,dc=bbaggins,dc=net"
ldap_add: Server is unwilling to perform (53)
additional info: error in module password_hash: Unwilling to perform (53)


On Fri, Nov 12, 2010 at 10:16 AM, Lukasz Zalewski <lukas at eecs.qmul.ac.uk> wrote:

> On 11/12/2010 02:46 PM, Charles Tryon wrote:
>
>> Greetings!
>>
>>   Mark Rutherford was so kind as to send me his copy of the myldap-pub.py
>> script, so I have a working copy of the script. (I found a copy in a list
>> archive, but the indenting was foobared, which really confused Python!)
>>  However, with my still limited knowledge of Samba4 and Python, I'm having
>> a
>> lot of difficulty figuring out how to use it to migrate users out of my
>> existing Samba3/Fedora389 setup into a new Samba4 domain I am trying to
>> build.
>>
>>   I am currently running S4 from the git repository (last pull on 11/11).
>>  I
>> used the HOWTO at http://wiki.samba.org/index.php/Samba4/HOWTO to set up
>> the
>> domain.  I have Dynamic DNS working with DHCP, and I believe Kerberos is
>> working correctly.  I can add users through the "samba-tool", and join
>> both
>> XP and Windows7 machines to the domain.  I even have the Microsoft AD
>> administrative tools talking to the domain to add or manage users.
>>
>>   My problem is that I would like to migrate over a large number of
>> existing
>> users and machines to the domain such that if I shut down the old domain
>> and
>> connect the new one, the users and machines won't know the difference.
>>
>>   What I have done is to provision a clean domain:
>>
>>     sudo /usr/local/samba/sbin/provision --realm=bbaggins.net \
>>                     --domain=ARDA \
>>                     --domain-sid=S-1-5-21-1104678897-1477468196-890409133
>> \
>>                     --adminpass=Xxxxxxx \
>>                     --server-role='domain controller'
>>
>>   I then tried to run the migrate script, trying to guess at the
>> parameters:
>>
>>     ./myldap-pub.py      \
>>         --ldap_uri=ldap://weathertop.bbaggins.net \     URI of existing
>> LDAP?
>>         --ldap_binddn="CN=Directory Manager"     \      binddn    "
>>         --ldap_bindpwd="Yyyyyyy"      \                 passwd   "
>>         --output_basedn="dc=bbaggins,dc=net"     \
>>         --input_domain_name=SHIRE        \
>>         --input_basedn="dc=bbaggins,dc=net"      \
>>         --import_accounts=Users        \
>>         --output_users_ou="ou=People"
>>
>>   The response I get is:
>>
>> Traceback (most recent call last):
>>   File "./myldap-pub.py", line 1934, in<module>
>>     ldap_cmd.run()
>>   File "./myldap-pub.py", line 1927, in run
>>     user_principal_name=options.user_principal_name)
>>   File "./myldap-pub.py", line 449, in __init__
>>     computer_replace_attrs=computer_replace_attrs)
>>   File "./myldap-pub.py", line 1713, in convertObjects
>>     disable_if_no_unicodePwd=True)
>>   File "./myldap-pub.py", line 1371, in convert_sambaSamAccount
>>     assert keep != remove, 'keep[%s] remove[%s] error attr[%s] in: %s\n' %
>> (str(keep), str(remove), attr, str(old))
>> AssertionError: keep[False] remove[False] error attr[ntUserDomainId] in:
>> {'cn': ['Sam Tryon'], 'objectClass': ['top', 'person', 'account',
>> 'organizationalPerson', 'inetorgperson', 'ntuser', 'posixAccount',
>> 'sambaSamAccount'], 'uidNumber': ['11008'], 'sambaAcctFlags': ['[U
>>  ]'], 'sambaPrimaryGroupSID':
>> ['S-1-5-21-1104678897-1477468196-890409133-513'], 'uid': ['sam'],
>> 'sambaHomePath': ['\\\\weathertop\\homes\\'], 'userPassword': ['{crypt}'],
>> 'sambaProfilePath': ['\\\\weathertop\\profiles\\sam'],
>> 'sambaPwdMustChange':
>> ['7776000'], 'mail': ['laadass at gmail.com'], 'sambaLogonScript':
>> ['OMLOGON.CMD'], 'loginShell': ['/bin/bash'], 'gidNumber': ['5004'],
>> 'sambaPwdLastSet': ['1288209778'], 'sambaNTPassword':
>> ['FAE44DBF10C32BEB313D3DDF1235280D'], 'ntUserDomainId': ['Sam.Tryon'],
>> 'homePhone': ['770-631-3448', '770-851-2879'], 'telephoneNumber':
>> ['5207'],
>> 'sambaHomeDrive': ['N:'], 'sambaSID':
>> ['S-1-5-21-1104678897-1477468196-890409133-11008'], 'gecos': ['Sam
>> Tryon'],
>> 'sn': ['Tryon'], 'homeDirectory': ['/home/sam'], 'givenName': ['Sam']}
>>
>>   Any hints on what is going on here?
>>
>>
> Hi Charles,
> It seems like you use custom schema which contains ntUserDomainId attribute
> - for those you have to explicitly reject (or remove them) using
> --remove_input_attributes switch. Every time an attribute is found that is
> not on the keep or remove list the assertion will be triggered, i.e.
>
> AssertionError: keep[False] remove[False] error attr[ntUserDomainId]
>
> for example our incantation for that switch looks like
> --remove_input_attributes
> 'eduPersonPrimaryAffiliation,shadowMin,shadowMax,eduPersonAffiliation,shadowExpire,shadowFlag,shadowWarning,shadowInactive,qmulStudentType,qmulStudentDevYear,departmentNumber,qmulStudentDeptCode,qmulStudentID'
>
> Metze,
> should we by default add automatic removal of shadow related attributes
> (for completeness) as shadowLastChange is already in the remove list (but
> other have to be explicitly rejected)
>
> Regards
>
> Luk
>



-- 
    Charles Tryon
_________________________________________________________________________
      "It's the job that's never started that takes longest to finish."
                                 -- Samwise Gamgee
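A pre-flight check for the keep/remove assertion discussed in this thread, added here as an example and not part of myldap-pub.py: it lists every attribute of a Samba3 entry that is on neither list, so the `--remove_input_attributes` value can be built before the conversion aborts. The `KEEP` and `BUILTIN_REMOVE` sets are assumptions modelled on the attributes visible in the thread, not the script's real lists, and the `auto_remove_prefixes` option models Luk's proposal of dropping shadow* attributes by default.

```python
# Attributes the converter maps into the Samba4 entry (assumed from the
# generated LDIF above: uid -> sAMAccountName, sambaSID -> objectSid, ...).
KEEP = {
    "uid", "uidNumber", "gidNumber", "loginShell", "homeDirectory", "gecos",
    "sn", "givenName", "mail", "cn", "objectClass", "sambaSID",
    "sambaNTPassword", "sambaPwdLastSet", "sambaAcctFlags", "sambaHomePath",
    "sambaProfilePath", "sambaLogonScript", "sambaHomeDrive",
    "sambaPrimaryGroupSID", "userPassword",
}

# Attributes silently dropped by the converter (assumed; the thread only
# confirms that shadowLastChange is on the script's built-in remove list).
BUILTIN_REMOVE = {"shadowLastChange", "sambaPwdMustChange", "telephoneNumber"}


def parse_remove_switch(value):
    """Parse the comma-separated value given to --remove_input_attributes."""
    return {a.strip() for a in value.split(",") if a.strip()}


def unclassified_attributes(entry, remove_input_attributes="",
                            auto_remove_prefixes=()):
    """Return the attributes of ``entry`` that would trip the
    'keep[False] remove[False]' assertion, sorted by name.

    LDAP attribute names are case-insensitive, so names are folded here
    (the script itself may compare them literally)."""
    keep = {a.lower() for a in KEEP}
    remove = {a.lower() for a in BUILTIN_REMOVE}
    remove |= {a.lower() for a in parse_remove_switch(remove_input_attributes)}
    prefixes = tuple(p.lower() for p in auto_remove_prefixes)
    bad = []
    for attr in entry:
        name = attr.lower()
        if name in keep or name in remove or name.startswith(prefixes):
            continue
        bad.append(attr)
    return sorted(bad)


# Constructed copy of the entry from the traceback above (hash, phone and
# mail values replaced with placeholders).
SAM = {
    "cn": ["Sam Tryon"], "objectClass": ["top", "posixAccount", "sambaSamAccount"],
    "uid": ["sam"], "uidNumber": ["11008"], "gidNumber": ["5004"],
    "sambaSID": ["S-1-5-21-1104678897-1477468196-890409133-11008"],
    "sambaNTPassword": ["<hash omitted>"], "sambaPwdLastSet": ["1288209778"],
    "ntUserDomainId": ["Sam.Tryon"], "homePhone": ["000-000-0000"],
    "telephoneNumber": ["5207"], "mail": ["sam@example.invalid"],
}

if __name__ == "__main__":
    print("needs --remove_input_attributes:", unclassified_attributes(SAM))
```

Run it against the output of `ldapsearch` on the old directory, once per objectClass, before invoking the migration so every unclassified attribute is rejected explicitly.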

