s3 - s4 conversion

Lukasz Zalewski lukas at eecs.qmul.ac.uk
Tue Apr 12 15:36:37 MDT 2011


On 12/04/2011 21:32, Aaron E. wrote:
>
>
> On 04/12/2011 10:57 AM, Aaron E. wrote:
>>
>>
>> On 04/11/2011 04:48 PM, Lukasz Zalewski wrote:
>>> On 11/04/2011 19:28, Lukasz Zalewski wrote:
>>>> On 11/04/2011 19:02, Aaron E. wrote:
>>>>>
>>>>>
>>>>> On 04/11/2011 12:58 PM, Lukasz Zalewski wrote:
>>>>>> On 11/04/11 17:30, Aaron E. wrote:
>>>>>>> I'm trying to convert a dump of my openldap database to samba4 using
>>>>>>> the
>>>>>>> myldap-pub.py script. I keep getting the same error. I'm not sure
>>>>>>> what
>>>>>>> I'm missing here. I've scrubbed my ldap.dump and all looks good.
>>>>>>> I've
>>>>>>> hit a wall and can't seem to get past this.
>>>>>>>
>>>>>>> Where is this error derived from? Is it an error with my database or
>>>>>>> the
>>>>>>> script I'm using? I don't see an option to specify sid in the help
>>>>>>> options.
>>>>>>>
>>>>>>> Any and all input I greatly appreciate. Thank you all
>>>>>>>
>>>>>>>
>>>>>>> I believe I have the latest version of the script Thanks to Lukasz.
>>>>>>>
>>>>>>> Below is the conversion command I'm using:
>>>>>>>
>>>>>>> /myldap-pub.py --input_ldif=ldap.dump.ldif --input_domain_name=CONVERT --input_basedn=dc=convert,dc=com --output_basedn=DC=convert,DC=com --remove_input_attributes 'phpgwAccountExpires,phpgwAccount,phpgwAccountType'
>>>>>>>
>>>>>>> The error I receive:
>>>>>>>
>>>>>>> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-512 =>
>>>>>>> <SID=S-1-5-21-496710657-683828429-1874078741-512>
>>>>>>>
>>>>>>> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-514 =>
>>>>>>> <SID=S-1-5-21-496710657-683828429-1874078741-514>
>>>>>>>
>>>>>>> Traceback (most recent call last):
>>>>>>> File "./myldap-pub.py", line 1934, in <module>
>>>>>>> ldap_cmd.run()
>>>>>>> File "./myldap-pub.py", line 1927, in run
>>>>>>> user_principal_name=options.user_principal_name)
>>>>>>> File "./myldap-pub.py", line 449, in __init__
>>>>>>> computer_replace_attrs=computer_replace_attrs)
>>>>>>> File "./myldap-pub.py", line 1654, in convertObjects
>>>>>>> output_display=bool(import_type & IMPORT_TYPE_GROUPS))
>>>>>>> File "./myldap-pub.py", line 1507, in convert_sambaGroupMapping
>>>>>>> "sid[%s] doesn't belong to domain[%s]" % (sid, domain_sid)
>>>>>>> NameError: global name 'sid' is not defined
>>>>>>>
>>>>>>
>>>>>> Hi Aaron,
>>>>>> I am looking into this issue but need to create appropriate test data
>>>>>> to be able to replicate this.
>>>>>> From the error message it seems your groups contain a SID that is not
>>>>>> part of the domain - however the final error message is obscured by a
>>>>>> bug in the code.
>>>>>> Can you edit the script and on line 1507 replace:
>>>>>> "sid[%s] doesn't belong to domain[%s]" % (sid, domain_sid)
>>>>>> with
>>>>>> "sid[%s] doesn't belong to domain[%s]" % (objectSid, domain_sid)
>>>>>>
>>>>>> and tell us the mismatched SIDs?
>>>>>>
>>>>>> HTH
>>>>>>
>>>>>> Luk
>>>>>>
>>>>> Progress !!! Hope this information helps ...
>>>>>
>>>>> I filtered through my groups and removed 5 groups that did not have a
>>>>> sambaSid attached to them. They were not needed and left over through
>>>>> the years so no big deal.....
>>>>>
>>>>> I am getting farther and it seems to complete with the groups now it's
>>>>> possibly erring out with the Computers?
>>>>>
>>>>> ./myldap-pub.py --input_ldif=ldap.dump.ldif
>>>>> --input_domain_name=CONVERT
>>>>> --input_basedn=dc=CONVERT,dc=com --output_basedn=DC=CONVERT,DC=com
>>>>> --remove_input_attributes=phpgwAccountExpires,phpgwAccount,phpgwAccountType
>>>>>
>>>>> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-512 =>
>>>>> <SID=S-1-5-21-496710657-683828429-1874078741-512>
>>>>>
>>>>> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-514 =>
>>>>> <SID=S-1-5-21-496710657-683828429-1874078741-514>
>>>>>
>>>>> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-513 =>
>>>>> <SID=S-1-5-21-496710657-683828429-1874078741-513>
>>>>>
>>>>> Traceback (most recent call last):
>>>>> File "./myldap-pub.py", line 1934, in <module>
>>>>> ldap_cmd.run()
>>>>> File "./myldap-pub.py", line 1927, in run
>>>>> user_principal_name=options.user_principal_name)
>>>>> File "./myldap-pub.py", line 449, in __init__
>>>>> computer_replace_attrs=computer_replace_attrs)
>>>>> File "./myldap-pub.py", line 1680, in convertObjects
>>>>> self.computers.filterstr)
>>>>> File "./myldap-pub.py", line 248, in search
>>>>> return self.ldif.search(base, scope, filterstr, attrlist, attrsonly)
>>>>> File "./myldap-pub.py", line 225, in search
>>>>> filter = self.parse_filter(filterstr)
>>>>> File "./myldap-pub.py", line 92, in parse_filter
>>>>> raise "not ("
>>>>> TypeError: exceptions must be old-style classes or derived from BaseException, not str
>>>>>
>>>
>>> Hi Aaron, all
>>> Please find attached a new version of the script. This corrects some of
>>> the string-based exception throws by wrapping them in an Exception
>>> class. However, some of the more complex try/except constructs are still
>>> outstanding.
>>>
>>> The above error was caused by a bad default search filter (strangely
>>> only being triggered in the LDIF-based conversion), which should now be
>>> corrected.
>>>
>>> Regards
>>>
>>> Luk
>>
>> I'm trying to drill down on the Groups, Users and Computers separately; it
>> looks as though Groups/Users have almost the same error and Computers have
>> a different one.
>>
>> Groups
>> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-512 =>
>> <SID=S-1-5-21-496710657-683828429-1874078741-512>
>>
>> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-514 =>
>> <SID=S-1-5-21-496710657-683828429-1874078741-514>
>>
>> # wellknown SID: S-1-5-21-496710657-683828429-1874078741-513 =>
>> <SID=S-1-5-21-496710657-683828429-1874078741-513>
>>
>> Traceback (most recent call last):
>> File "./myldap-pub.v2.py", line 1934, in <module>
>> ldap_cmd.run()
>> File "./myldap-pub.v2.py", line 1927, in run
>> user_principal_name=options.user_principal_name)
>> File "./myldap-pub.v2.py", line 449, in __init__
>> computer_replace_attrs=computer_replace_attrs)
>> File "./myldap-pub.v2.py", line 1713, in convertObjects
>> disable_if_no_unicodePwd=True)
>> File "./myldap-pub.v2.py", line 1412, in convert_sambaSamAccount
>> self.insert_objectSid(objectSid, dn, domain=True)
>> File "./myldap-pub.v2.py", line 1083, in insert_objectSid
>> assert rid >= 1000, "sid[%s] rid < 1000" % (sid)
>> AssertionError: sid[S-1-5-21-496710657-683828429-1874078741-500] rid < 1000
>>
>> Users,
>> Traceback (most recent call last):
>> File "./myldap-pub.v2.py", line 1934, in <module>
>> ldap_cmd.run()
>> File "./myldap-pub.v2.py", line 1927, in run
>> user_principal_name=options.user_principal_name)
>> File "./myldap-pub.v2.py", line 449, in __init__
>> computer_replace_attrs=computer_replace_attrs)
>> File "./myldap-pub.v2.py", line 1713, in convertObjects
>> disable_if_no_unicodePwd=True)
>> File "./myldap-pub.v2.py", line 1412, in convert_sambaSamAccount
>> self.insert_objectSid(objectSid, dn, domain=True)
>> File "./myldap-pub.v2.py", line 1083, in insert_objectSid
>> assert rid >= 1000, "sid[%s] rid < 1000" % (sid)
>> AssertionError: sid[S-1-5-21-496710657-683828429-1874078741-500] rid < 1000
>>
>> Computers
>> # fix SID[S-1-5-21-496710657-683828429-1874078741-500 =>
>> S-1-5-21-496710657-683828429-1874078741-140000] for
>> DN[CN=ADMINISTRATOR,OU=Imported Computers,DC=convert,DC=com]
>>
>> Traceback (most recent call last):
>> File "./myldap-pub.v2.py", line 1934, in <module>
>> ldap_cmd.run()
>> File "./myldap-pub.v2.py", line 1927, in run
>> user_principal_name=options.user_principal_name)
>> File "./myldap-pub.v2.py", line 449, in __init__
>> computer_replace_attrs=computer_replace_attrs)
>> File "./myldap-pub.v2.py", line 1694, in convertObjects
>> replace_attrs=computer_replace_attrs)
>> File "./myldap-pub.v2.py", line 1411, in convert_sambaSamAccount
>> self.insert_sAMAccountName(sAMAccountName, dn)
>> File "./myldap-pub.v2.py", line 1044, in insert_sAMAccountName
>> % (name, self.new_sAMAccountNames[name_lower])
>> AssertionError: sAMAccountName[NCMAREA$] already exists as
>> CN=NCMAREA,OU=Imported Computers,DC=convert,DC=com
>>
>>
> I was able to get the script to run on the Users; I had to change line
> 1083 to read
> assert rid >= 500, "sid[%s] rid < 1000" % (sid) instead of
> assert rid >= 1000, "sid[%s] rid < 1000" % (sid).
This is not a good idea. You should not bypass this check - the imported
account's SID will conflict with the existing Administrator account in Samba4.
>
> Computer/Groups still does not work. If I come up with anything I'll let
> you know.
>
> I was not able to import the users.ldif using the following command..
> ./ldbmodify -H ldap://172.20.1.15 --user=CONVERT/administrator%xxxxxxxx
> /root/users.ldif
To import accounts use:
$targetdir/bin/ldbadd -H $targetdir/private/sam.ldb --nosync --verbose --controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 users.ldif
where targetdir=/usr/local/samba.
I do not think the accounts can be imported through the LDAP interface this
way (definitely not hashed passwords).
>
> It gave me this error for all 408 users...
> ERR: (Unwilling to perform) "LDAP error 53 LDAP_UNWILLING_TO_PERFORM -
> <00002035: Unwilling to perform - The primary group isn't settable on
> add operations!> <>" on DN CN=aaron.e,OU=Imported Users,dc=convert,dc=com
>
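The three stops in the thread (a group with no sambaSID, an account whose SID carries a reserved RID such as -500, and two entries colliding on sAMAccountName) are all data problems that can be found in the LDIF before the converter is run. The following pre-flight checker is an added example and is not code from myldap-pub.py or from Samba; the sample LDIF is constructed for it (only the domain SID is the one from the thread), and it assumes, as in the Samba3 LDAP schema, that sAMAccountName is derived from uid.

```python
"""Pre-flight checks on a Samba3 LDAP dump before running a Samba4 converter.
Added example, not code from myldap-pub.py; the LDIF is constructed (only the
domain SID comes from the thread).  Flags what the converter's assertions
otherwise stop on one at a time: groups without sambaSID, SIDs outside the
domain, account SIDs with a reserved RID (< 1000, e.g. -500 Administrator),
and uids that collide case-insensitively as sAMAccountName."""
import re

DOMAIN_SID = "S-1-5-21-496710657-683828429-1874078741"
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")   # domain-relative SID

SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=Groups,dc=convert,dc=com
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-496710657-683828429-1874078741-512

dn: cn=legacy,ou=Groups,dc=convert,dc=com
objectClass: posixGroup

dn: cn=oldhost,ou=Groups,dc=convert,dc=com
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-11111-22222-33333-1001

dn: uid=root,ou=Users,dc=convert,dc=com
objectClass: sambaSamAccount
uid: root
sambaSID: S-1-5-21-496710657-683828429-1874078741-500

dn: uid=ncmarea$,ou=Computers,dc=convert,dc=com
objectClass: sambaSamAccount
uid: ncmarea$
sambaSID: S-1-5-21-496710657-683828429-1874078741-3002

dn: uid=NCMAREA$,ou=Hosts,dc=convert,dc=com
objectClass: sambaSamAccount
uid: NCMAREA$
sambaSID: S-1-5-21-496710657-683828429-1874078741-3004
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr: [values]}).  Unfolds
    continuation lines; base64 ('::') and URL (':<') values are not decoded."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def split_sid(sid):
    """Return (domain_sid, rid) for a domain-relative SID, else None."""
    m = SID_RE.match(sid)
    return None if m is None else (sid.rsplit("-", 1)[0], int(m.group(1)))


def check_dump(text, domain_sid):
    """Return (dn, problem) pairs for entries the converter will reject.
    sAMAccountName is assumed to come from uid, as in the Samba3 LDAP schema."""
    problems, seen = [], {}                     # seen: lower-cased uid -> dn
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        is_group = bool(classes & {"sambagroupmapping", "posixgroup"})
        is_account = "sambasamaccount" in classes
        if not (is_group or is_account):
            continue
        sids = attrs.get("sambaSID", [])
        if not sids:
            problems.append((dn, "missing sambaSID"))
        for sid in sids:
            parts = split_sid(sid)
            if parts is None:
                problems.append((dn, "malformed sambaSID %s" % sid))
            elif parts[0] != domain_sid:
                problems.append((dn, "sid[%s] doesn't belong to domain[%s]"
                                 % (sid, domain_sid)))
            elif is_account and parts[1] < 1000:
                problems.append((dn, "sid[%s] rid < 1000" % sid))
        for name in (attrs.get("uid", []) if is_account else []):
            if name.lower() in seen:
                problems.append((dn, "sAMAccountName[%s] already exists as %s"
                                 % (name, seen[name.lower()])))
            else:
                seen[name.lower()] = dn
    return problems


if __name__ == "__main__":
    for dn, problem in check_dump(SAMPLE_LDIF, DOMAIN_SID):
        print("%s: %s" % (dn, problem))
```

Run it as-is to see the four findings on the sample, or call check_dump() on the contents of a real ldap.dump.ldif. The RID check deliberately mirrors the converter's own assertion: an imported account at -500 would collide with the Samba4 Administrator SID, so the fix is to drop or re-RID that entry in the dump rather than to lower the threshold in the script.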


