s3 - s4 conversion

Aaron E. ssureshot at gmail.com
Tue Apr 12 14:32:01 MDT 2011



On 04/12/2011 10:57 AM, Aaron E. wrote:
>
>
> On 04/11/2011 04:48 PM, Lukasz Zalewski wrote:
>> On 11/04/2011 19:28, Lukasz Zalewski wrote:
>>> On 11/04/2011 19:02, Aaron E. wrote:
>>>>
>>>>
>>>> On 04/11/2011 12:58 PM, Lukasz Zalewski wrote:
>>>>> On 11/04/11 17:30, Aaron E. wrote:
>>>>>> I'm trying to convert a dump of my openldap database to samba4 using the
>>>>>> myldap-pub.py script. I keep getting the same error. I'm not sure what
>>>>>> I'm missing here. I've scrubbed my ldap.dump and all looks good. I've
>>>>>> hit a wall and can't seem to get past this.
>>>>>>
>>>>>> Where is this error derived from? Is it an error with my database or
>>>>>> the
>>>>>> script I'm using? I don't see an option to specify sid in the help
>>>>>> options.
>>>>>>
>>>>>> Any and all input I greatly appreciate. Thank you all
>>>>>>
>>>>>>
>>>>>> I believe I have the latest version of the script, thanks to Lukasz.
>>>>>>
>>>>>> Below is the conversion command I'm using:
>>>>>>
>>>>>> "/myldap-pub.py --input_ldif=ldap.dump.ldif
>>>>>> --input_domain_name=CONVERT
>>>>>> --input_basedn=dc=convert,dc=com --output_basedn=DC=convert,DC=com
>>>>>> --remove_input_attributes
>>>>>> 'phpgwAccountExpires,phpgwAccount,phpgwAccountType'"
>>>>>>
>>>>>> The error I receive:
>>>>>>
>>>>>> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-512 =>
>>>>>> <SID=S-1-5-21-496710657-683828429-1874078741-512>
>>>>>>
>>>>>> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-514 =>
>>>>>> <SID=S-1-5-21-496710657-683828429-1874078741-514>
>>>>>>
>>>>>> Traceback (most recent call last):
>>>>>> File "./myldap-pub.py", line 1934, in <module>
>>>>>> ldap_cmd.run()
>>>>>> File "./myldap-pub.py", line 1927, in run
>>>>>> user_principal_name=options.user_principal_name)
>>>>>> File "./myldap-pub.py", line 449, in __init__
>>>>>> computer_replace_attrs=computer_replace_attrs)
>>>>>> File "./myldap-pub.py", line 1654, in convertObjects
>>>>>> output_display=bool(import_type & IMPORT_TYPE_GROUPS))
>>>>>> File "./myldap-pub.py", line 1507, in convert_sambaGroupMapping
>>>>>> "sid[%s] doesn't belong to domain[%s]" % (sid, domain_sid)
>>>>>> NameError: global name 'sid' is not defined
>>>>>>
>>>>>
>>>>> Hi Aaron,
>>>>> I am looking into this issue but need to create appropriate test data
>>>>> to be able to replicate this.
>>>>> From the error message it seems your groups contain a sid that is not
>>>>> part of the domain - however the final error message is obscured by a
>>>>> bug in the code.
>>>>> Can you edit the script and on line 1507 replace:
>>>>> "sid[%s] doesn't belong to domain[%s]" % (sid, domain_sid)
>>>>> with
>>>>> "sid[%s] doesn't belong to domain[%s]" % (objectSid, domain_sid)
>>>>>
>>>>> and tell us the mismatched sids?
>>>>>
>>>>> HTH
>>>>>
>>>>> Luk
>>>>>
>>>> Progress !!! Hope this information helps ...
>>>>
>>>> I filtered through my groups and removed 5 groups that did not have a
>>>> sambaSid attached to them. They were not needed and left over through
>>>> the years so no big deal.....
>>>>
>>>> I am getting farther and it seems to complete with the groups; now it's
>>>> possibly erring out with the Computers?
>>>>
>>>> ./myldap-pub.py --input_ldif=ldap.dump.ldif --input_domain_name=CONVERT
>>>> --input_basedn=dc=CONVERT,dc=com --output_basedn=DC=CONVERT,DC=com
>>>> --remove_input_attributes=phpgwAccountExpires,phpgwAccount,phpgwAccountType
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-512 =>
>>>> <SID=S-1-5-21-496710657-683828429-1874078741-512>
>>>>
>>>> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-514 =>
>>>> <SID=S-1-5-21-496710657-683828429-1874078741-514>
>>>>
>>>> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-513 =>
>>>> <SID=S-1-5-21-496710657-683828429-1874078741-513>
>>>>
>>>> Traceback (most recent call last):
>>>> File "./myldap-pub.py", line 1934, in <module>
>>>> ldap_cmd.run()
>>>> File "./myldap-pub.py", line 1927, in run
>>>> user_principal_name=options.user_principal_name)
>>>> File "./myldap-pub.py", line 449, in __init__
>>>> computer_replace_attrs=computer_replace_attrs)
>>>> File "./myldap-pub.py", line 1680, in convertObjects
>>>> self.computers.filterstr)
>>>> File "./myldap-pub.py", line 248, in search
>>>> return self.ldif.search(base, scope, filterstr, attrlist, attrsonly)
>>>> File "./myldap-pub.py", line 225, in search
>>>> filter = self.parse_filter(filterstr)
>>>> File "./myldap-pub.py", line 92, in parse_filter
>>>> raise "not ("
>>>> TypeError: exceptions must be old-style classes or derived from
>>>> BaseException, not str
>>>>
>>
>> Hi Aaron, all
>> Please find attached a new version of the script. This corrects some of
>> the string based exception throws by wrapping them in an Exception
>> class. However some of the more complex try/except constructs are still
>> outstanding.
>>
>> The above error was caused by a bad default search filter (strangely
>> only being triggered in the ldif based conversion) which should now be
>> corrected.
>>
>> Regards
>>
>> Luk
>
> I'm trying to drill down on the Groups, Users, Computers separately; it
> looks as though Groups/Users have almost the same error and Computers have
> a different one.
>
> Groups
> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-512 =>
> <SID=S-1-5-21-496710657-683828429-1874078741-512>
>
> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-514 =>
> <SID=S-1-5-21-496710657-683828429-1874078741-514>
>
> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-513 =>
> <SID=S-1-5-21-496710657-683828429-1874078741-513>
>
> Traceback (most recent call last):
> File "./myldap-pub.v2.py", line 1934, in <module>
> ldap_cmd.run()
> File "./myldap-pub.v2.py", line 1927, in run
> user_principal_name=options.user_principal_name)
> File "./myldap-pub.v2.py", line 449, in __init__
> computer_replace_attrs=computer_replace_attrs)
> File "./myldap-pub.v2.py", line 1713, in convertObjects
> disable_if_no_unicodePwd=True)
> File "./myldap-pub.v2.py", line 1412, in convert_sambaSamAccount
> self.insert_objectSid(objectSid, dn, domain=True)
> File "./myldap-pub.v2.py", line 1083, in insert_objectSid
> assert rid >= 1000, "sid[%s] rid < 1000" % (sid)
> AssertionError: sid[S-1-5-21-496710657-683828429-1874078741-500] rid < 1000
>
> Users,
> Traceback (most recent call last):
> File "./myldap-pub.v2.py", line 1934, in <module>
> ldap_cmd.run()
> File "./myldap-pub.v2.py", line 1927, in run
> user_principal_name=options.user_principal_name)
> File "./myldap-pub.v2.py", line 449, in __init__
> computer_replace_attrs=computer_replace_attrs)
> File "./myldap-pub.v2.py", line 1713, in convertObjects
> disable_if_no_unicodePwd=True)
> File "./myldap-pub.v2.py", line 1412, in convert_sambaSamAccount
> self.insert_objectSid(objectSid, dn, domain=True)
> File "./myldap-pub.v2.py", line 1083, in insert_objectSid
> assert rid >= 1000, "sid[%s] rid < 1000" % (sid)
> AssertionError: sid[S-1-5-21-496710657-683828429-1874078741-500] rid < 1000
>
> Computers
> # fix SID[S-1-5-21-496710657-683828429-1874078741-500 =>
> S-1-5-21-496710657-683828429-1874078741-140000] for
> DN[CN=ADMINISTRATOR,OU=Imported Computers,DC=convert,DC=com]
>
> Traceback (most recent call last):
> File "./myldap-pub.v2.py", line 1934, in <module>
> ldap_cmd.run()
> File "./myldap-pub.v2.py", line 1927, in run
> user_principal_name=options.user_principal_name)
> File "./myldap-pub.v2.py", line 449, in __init__
> computer_replace_attrs=computer_replace_attrs)
> File "./myldap-pub.v2.py", line 1694, in convertObjects
> replace_attrs=computer_replace_attrs)
> File "./myldap-pub.v2.py", line 1411, in convert_sambaSamAccount
> self.insert_sAMAccountName(sAMAccountName, dn)
> File "./myldap-pub.v2.py", line 1044, in insert_sAMAccountName
> % (name, self.new_sAMAccountNames[name_lower])
> AssertionError: sAMAccountName[NCMAREA$] already exists as
> CN=NCMAREA,OU=Imported Computers,DC=convert,DC=com
>
>
>
>
I was able to get the script to run on the Users. I had to change line
1083 to read
assert rid >= 500, "sid[%s] rid < 1000" % (sid)
instead of
assert rid >= 1000, "sid[%s] rid < 1000" % (sid)

Computers/Groups still do not work. If I come up with anything I'll let
you know.

I was not able to import the users.ldif using the following command:
./ldbmodify -H ldap://172.20.1.15 --user=CONVERT/administrator%xxxxxxxx /root/users.ldif

It gave me this error for all 408 users...
ERR: (Unwilling to perform) "LDAP error 53 LDAP_UNWILLING_TO_PERFORM - 
<00002035: Unwilling to perform - The primary group isn't settable on 
add operations!> <>" on DN CN=aaron.e,OU=Imported Users,dc=convert,dc=com
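
A pre-flight check for the failure modes that surface in this thread (groups with no sambaSID or a SID outside the domain, account RIDs below 1000, case-insensitive account-name collisions), as an added example that is not part of the original posts or of myldap-pub.py. It assumes a Samba 3 style LDIF dump with sambaSamAccount/sambaGroupMapping object classes and sambaSID/uid attributes; the function names and all sample entries are constructed, only the domain SID is taken from the thread.

```python
def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, skips comments; no base64 decoding."""
    entries = []
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return [e for e in entries if "dn" in e]

def preflight(text, domain_sid):
    """Return (dn, finding) pairs for the failure modes seen in the thread."""
    findings, names = [], {}
    for e in parse_ldif(text):
        dn = e["dn"][0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        account = "sambasamaccount" in classes
        sids = e.get("sambasid", [])
        if "sambagroupmapping" in classes and not sids:
            findings.append((dn, "group without sambaSID"))
        for sid in sids:
            prefix, _, rid = sid.rpartition("-")
            if prefix != domain_sid:
                findings.append((dn, "SID outside domain"))
            elif account and rid.isdigit() and int(rid) < 1000:
                findings.append((dn, "RID %s < 1000" % rid))
        for uid in (e.get("uid", []) if account else []):
            first = names.setdefault(uid.lower(), dn)  # names compare case-insensitively
            if first != dn:
                findings.append((dn, "name collides with " + first))
    return findings

# Constructed sample dump; only the domain SID is taken from the thread.
DOMAIN_SID = "S-1-5-21-496710657-683828429-1874078741"
SAMPLE = "\n\n".join("dn: %s\nobjectClass: %s\n%s" % row for row in [
    ("uid=administrator,ou=People,dc=convert,dc=com", "sambaSamAccount",
     "uid: administrator\nsambaSID: %s-500" % DOMAIN_SID),
    ("cn=leftover,ou=Groups,dc=convert,dc=com", "sambaGroupMapping", "cn: leftover"),
    ("cn=foreign,ou=Groups,dc=convert,dc=com", "sambaGroupMapping",
     "sambaSID: S-1-5-32-544"),
    ("uid=ncmarea$,ou=Computers,dc=convert,dc=com", "sambaSamAccount",
     "uid: ncmarea$\nsambaSID: %s-3001" % DOMAIN_SID),
    ("uid=NCMAREA$,ou=Hosts,dc=convert,dc=com", "sambaSamAccount",
     "uid: NCMAREA$\nsambaSID: %s-3002" % DOMAIN_SID),
])

for dn, finding in preflight(SAMPLE, DOMAIN_SID):
    print(dn, "->", finding)
```

RID 500 is the well-known RID of the built-in Administrator account, and RIDs below 1000 are reserved for built-in accounts and groups, so findings of that kind are worth reviewing entry by entry before an import.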



More information about the samba-technical mailing list