Usage of myldap-pub.py

Lukasz Zalewski lukas at eecs.qmul.ac.uk
Sat Nov 13 04:12:01 MST 2010


On 13/11/2010 03:34, Charles Tryon wrote:
> OK, that got me a couple of steps closer!  I now have:
>
>      --remove_input_attributes 'homePhone,ntUserDomainId'
>
> ...which isn't so bad.  Now I have a new error.  For a generated entry
> like this:
>
> # op[add]: 2
> dn: CN=sue,ou=People,dc=bbaggins,dc=net
> changetype: add
> uid: sue
> objectClass: user
> uidNumber: 11006
> unicodePwd:: IeAEvjoztqjfTslVeIi3oQ==
> objectSid: S-1-5-21-1104678897-1477468196-890409133-11006
> scriptPath: OMLOGON.CMD
> mail: tryonszy at yahoo.com
> pwdLastSet: 129326833780000000
> sAMAccountName: sue
> loginShell: /bin/bash
> unixHomeDirectory: /home/sue
> gidNumber: 5003
> unixUserPassword: {crypt}
> profilePath: \\weathertop\profiles\sue
> ntPwdHistory:: IeAEvjoztqjfTslVeIi3oQ==
> homeDrive: N:
> userAccountControl: 512
> gecos: Sue Tryon
> sn: Tryon
> homeDirectory: \\weathertop\homes\
> givenName: Sue
>
> I get the error:
>
> <samba4:dev>? ldapmodify -a -D "CN=Administrator,CN=Users,DC=bbaggins,DC=net" -w Xxxxxxxx -f add.ldif
> adding new entry "CN=sue,ou=People,dc=bbaggins,dc=net"
> ldap_add: Server is unwilling to perform (53)
>         additional info: error in module password_hash: Unwilling to perform (53)
>
You are very close. In order to add the accounts you must use s4's
ldbadd utility with appropriate modifiers:

bin/ldbadd -H private/sam.ldb --nosync --verbose --controls=relax:0 \
    --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0 \
    --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 add.ldif

HTH

Luk
>
> On Fri, Nov 12, 2010 at 10:16 AM, Lukasz Zalewski <lukas at eecs.qmul.ac.uk> wrote:
>
>     On 11/12/2010 02:46 PM, Charles Tryon wrote:
>
>         Greetings!
>
>            Mark Rutherford was so kind as to send me his copy of the
>         myldap-pub.py script, so I have a working copy of the script. (I
>         found a copy in a list archive, but the indenting was foobared,
>         which really confused Python!)  However, with my still limited
>         knowledge of Samba4 and Python, I'm having a lot of difficulty
>         figuring out how to use it to migrate users out of my existing
>         Samba3/Fedora389 setup into a new Samba4 domain I am trying to
>         build.
>
>            I am currently running S4 from the git repository (last pull on
>         11/11).  I used the HOWTO at http://wiki.samba.org/index.php/Samba4/HOWTO
>         to set up the domain.  I have Dynamic DNS working with DHCP, and I
>         believe Kerberos is working correctly.  I can add users through the
>         "samba-tool", and join both XP and Windows7 machines to the domain.
>         I even have the Microsoft AD administrative tools talking to the
>         domain to add or manage users.
>
>            My problem is that I would like to migrate over a large number of
>         existing users and machines to the domain such that if I shut down
>         the old domain and connect the new one, the users and machines won't
>         know the difference.
>
>            What I have done is to provision a clean domain:
>
>              sudo /usr/local/samba/sbin/provision --realm=bbaggins.net \
>                              --domain=ARDA \
>                              --domain-sid=S-1-5-21-1104678897-1477468196-890409133 \
>                              --adminpass=Xxxxxxx \
>                              --server-role='domain controller'
>
>            I then tried to run the migrate script, trying to guess at the
>         parameters:
>
>              ./myldap-pub.py      \
>                  --ldap_uri=ldap://weathertop.bbaggins.net \     URI of existing LDAP?
>                  --ldap_binddn="CN=Directory Manager"     \      binddn "
>                  --ldap_bindpwd="Yyyyyyy"      \                 passwd "
>                  --output_basedn="dc=bbaggins,dc=net"     \
>                  --input_domain_name=SHIRE        \
>                  --input_basedn="dc=bbaggins,dc=net"      \
>                  --import_accounts=Users        \
>                  --output_users_ou="ou=People"
>
>            The response I get is:
>
>         Traceback (most recent call last):
>           File "./myldap-pub.py", line 1934, in <module>
>             ldap_cmd.run()
>           File "./myldap-pub.py", line 1927, in run
>             user_principal_name=options.user_principal_name)
>           File "./myldap-pub.py", line 449, in __init__
>             computer_replace_attrs=computer_replace_attrs)
>           File "./myldap-pub.py", line 1713, in convertObjects
>             disable_if_no_unicodePwd=True)
>           File "./myldap-pub.py", line 1371, in convert_sambaSamAccount
>             assert keep != remove, 'keep[%s] remove[%s] error attr[%s] in: %s\n' % (str(keep), str(remove), attr, str(old))
>         AssertionError: keep[False] remove[False] error attr[ntUserDomainId] in:
>         {'cn': ['Sam Tryon'],
>          'objectClass': ['top', 'person', 'account', 'organizationalPerson',
>                          'inetorgperson', 'ntuser', 'posixAccount', 'sambaSamAccount'],
>          'uidNumber': ['11008'], 'sambaAcctFlags': ['[U          ]'],
>          'sambaPrimaryGroupSID': ['S-1-5-21-1104678897-1477468196-890409133-513'],
>          'uid': ['sam'], 'sambaHomePath': ['\\\\weathertop\\homes\\'],
>          'userPassword': ['{crypt}'],
>          'sambaProfilePath': ['\\\\weathertop\\profiles\\sam'],
>          'sambaPwdMustChange': ['7776000'], 'mail': ['laadass at gmail.com'],
>          'sambaLogonScript': ['OMLOGON.CMD'], 'loginShell': ['/bin/bash'],
>          'gidNumber': ['5004'], 'sambaPwdLastSet': ['1288209778'],
>          'sambaNTPassword': ['FAE44DBF10C32BEB313D3DDF1235280D'],
>          'ntUserDomainId': ['Sam.Tryon'],
>          'homePhone': ['770-631-3448', '770-851-2879'],
>          'telephoneNumber': ['5207'], 'sambaHomeDrive': ['N:'],
>          'sambaSID': ['S-1-5-21-1104678897-1477468196-890409133-11008'],
>          'gecos': ['Sam Tryon'], 'sn': ['Tryon'], 'homeDirectory': ['/home/sam'],
>          'givenName': ['Sam']}
>
>            Any hints on what is going on here?
>
>
>     Hi Charles,
>     It seems like you use a custom schema which contains the ntUserDomainId
>     attribute - for those you have to explicitly reject (or remove) them
>     using the --remove_input_attributes switch. Every time an attribute is
>     found that is not on the keep or remove list the assertion will be
>     triggered, i.e.
>
>     AssertionError: keep[False] remove[False] error attr[ntUserDomainId]
>
>     for example our incantation for that switch looks like
>     --remove_input_attributes
>     'eduPersonPrimaryAffiliation,shadowMin,shadowMax,eduPersonAffiliation,shadowExpire,shadowFlag,shadowWarning,shadowInactive,qmulStudentType,qmulStudentDevYear,departmentNumber,qmulStudentDeptCode,qmulStudentID'
>
>     Metze,
>     should we by default add automatic removal of shadow-related
>     attributes (for completeness), as shadowLastChange is already in the
>     remove list (but the others have to be explicitly rejected)?
>
>     Regards
>
>     Luk
>
>
>
>
> --
>      Charles Tryon
> _________________________________________________________________________
> "It's the job that's never started that takes longest to finish."
>                                   -- Samwise Gamgee
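
The keep/remove attribute policy Luk describes (an input attribute on neither list aborts the run until it is named in --remove_input_attributes) and the sambaSamAccount-to-AD mapping implied by the generated entry quoted above, as an added worked example. This is not the myldap-pub.py script and not Samba project code: the KEEP/REMOVE/RENAME tables, the function names and the sample record are this example's own assumptions, chosen to reproduce the quoted input and output. The conversions it performs are the ones the thread's data supports: sambaSID becomes objectSid, the hex sambaNTPassword becomes a raw 16-byte unicodePwd (base64 in LDIF), sambaPwdLastSet 1288209778 becomes pwdLastSet 129326833780000000 via the Unix-to-NT epoch shift, and sambaAcctFlags becomes userAccountControl (512 for a normal enabled account, plus 2 when disabled or when no NT hash is available, mirroring the disable_if_no_unicodePwd=True call in the traceback).

```python
# Added example, not the myldap-pub.py script: a toy model of its keep/remove
# attribute policy and of the Samba3 -> AD field mapping the quoted output
# implies. KEEP/REMOVE/RENAME, the function names and SAMPLE are assumptions.
import base64
import binascii

KEEP = {"uid", "uidNumber", "gidNumber", "loginShell", "gecos", "sn", "mail",
        "givenName", "homeDirectory", "userPassword", "objectClass", "sambaSID",
        "sambaNTPassword", "sambaPwdLastSet", "sambaLogonScript", "sambaHomePath",
        "sambaProfilePath", "sambaHomeDrive", "sambaAcctFlags"}
REMOVE = {"cn", "sambaPrimaryGroupSID", "sambaPwdMustChange", "telephoneNumber",
          "shadowLastChange"}          # dropped silently (assumed list)
RENAME = {"sambaSID": "objectSid", "sambaLogonScript": "scriptPath",
          "sambaProfilePath": "profilePath", "sambaHomePath": "homeDirectory",
          "sambaHomeDrive": "homeDrive", "homeDirectory": "unixHomeDirectory",
          "userPassword": "unixUserPassword"}
UF_ACCOUNTDISABLE, UF_NORMAL_ACCOUNT = 0x0002, 0x0200   # userAccountControl bits


def unix_to_nt_time(seconds):
    """Unix epoch seconds -> AD pwdLastSet (100 ns ticks since 1601-01-01)."""
    return (int(seconds) + 11644473600) * 10_000_000


def acct_flags_to_uac(flags, has_nt_hash, disable_if_no_unicodePwd=True):
    """sambaAcctFlags such as '[U ]' or '[UD ]' -> userAccountControl value."""
    uac = UF_NORMAL_ACCOUNT
    if "D" in flags or (disable_if_no_unicodePwd and not has_nt_hash):
        uac |= UF_ACCOUNTDISABLE
    return uac


def convert_sambaSamAccount(old, basedn, users_ou="ou=People",
                            remove_input_attributes=()):
    """Return (dn, AD attribute dict). Any input attribute on neither list
    raises AssertionError, which is what --remove_input_attributes silences."""
    remove = REMOVE | set(remove_input_attributes)
    new = {}
    for attr, values in old.items():
        keep, drop = attr in KEEP, attr in remove
        assert keep != drop, "keep[%s] remove[%s] error attr[%s]" % (keep, drop, attr)
        if drop or attr == "sambaAcctFlags":   # flags are folded in below
            continue
        if attr in RENAME:
            new[RENAME[attr]] = values
        elif attr == "objectClass":
            new["objectClass"] = ["user"]
        elif attr == "sambaNTPassword":        # hex NT hash -> 16 raw bytes
            new["unicodePwd"] = new["ntPwdHistory"] = [binascii.unhexlify(values[0])]
        elif attr == "sambaPwdLastSet":
            new["pwdLastSet"] = [str(unix_to_nt_time(values[0]))]
        else:
            new[attr] = values
    new["sAMAccountName"] = old["uid"]
    flags = old.get("sambaAcctFlags", ["[U ]"])[0]
    new["userAccountControl"] = [str(acct_flags_to_uac(flags, "sambaNTPassword" in old))]
    return "CN=%s,%s,%s" % (old["uid"][0], users_ou, basedn), new


def to_ldif(dn, attrs):
    """Render an LDIF add record; bytes values are base64-encoded with '::'."""
    lines = ["dn: " + dn, "changetype: add"]
    for attr, values in attrs.items():
        for v in values:
            if isinstance(v, bytes):
                lines.append("%s:: %s" % (attr, base64.b64encode(v).decode()))
            else:
                lines.append("%s: %s" % (attr, v))
    return "\n".join(lines) + "\n"


# Constructed sample record mirroring the one in the quoted traceback.
SAMPLE = {
    "cn": ["Sam Tryon"], "uid": ["sam"], "uidNumber": ["11008"], "gidNumber": ["5004"],
    "objectClass": ["top", "person", "posixAccount", "sambaSamAccount"],
    "sambaAcctFlags": ["[U          ]"], "sambaPwdMustChange": ["7776000"],
    "sambaPrimaryGroupSID": ["S-1-5-21-1104678897-1477468196-890409133-513"],
    "sambaSID": ["S-1-5-21-1104678897-1477468196-890409133-11008"],
    "sambaNTPassword": ["FAE44DBF10C32BEB313D3DDF1235280D"],
    "sambaPwdLastSet": ["1288209778"], "sambaLogonScript": ["OMLOGON.CMD"],
    "sambaHomePath": ["\\\\weathertop\\homes\\"], "sambaHomeDrive": ["N:"],
    "sambaProfilePath": ["\\\\weathertop\\profiles\\sam"],
    "userPassword": ["{crypt}"], "homeDirectory": ["/home/sam"],
    "loginShell": ["/bin/bash"], "gecos": ["Sam Tryon"], "sn": ["Tryon"],
    "givenName": ["Sam"], "mail": ["sam at example.net"],
    "ntUserDomainId": ["Sam.Tryon"], "telephoneNumber": ["5207"],
    "homePhone": ["770-631-3448", "770-851-2879"],
}

if __name__ == "__main__":
    try:                               # reproduces the assertion from the thread
        convert_sambaSamAccount(SAMPLE, "dc=bbaggins,dc=net")
    except AssertionError as e:
        print("without --remove_input_attributes:", e)
    dn, attrs = convert_sambaSamAccount(SAMPLE, "dc=bbaggins,dc=net",
                                        remove_input_attributes=["homePhone", "ntUserDomainId"])
    print(to_ldif(dn, attrs))
```

Run as is, the first call fails on ntUserDomainId exactly as in the quoted traceback, and the second produces an add record of the same shape as the "sue" entry above. Note that the record still carries a pre-computed unicodePwd, so it has to be loaded the way Luk shows, with ldbadd and the relax and local_oid controls against private/sam.ldb; fed to plain ldapmodify it is refused with the error 53 from the password_hash module quoted in the thread.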



More information about the samba-technical mailing list