s3 - s4 conversion

Aaron E. ssureshot at gmail.com
Wed Apr 13 11:12:13 MDT 2011 

>> I was able to get the script to run on the Users I had to change Line #
>> 1083 to read,
>> assert rid >= 500, "sid[%s] rid < 1000" % (sid) instead of
>> assert rid >= 1000, "sid[%s] rid < 1000" % (sid)..
> This is not a good idea. You should not bypass this check - the imported
> account's sid will conflict with existing Administrator account in samba4
>>
>> Computer/Groups still does not work.. If I come up with anything Ill let
>> you know.
>>
>> I was not able to import the users.ldif using the following command..
>> ./ldbmodify -H ldap://172.20.1.15 --user=CONVERT/administrator%xxxxxxxx
>> /root/users.ldif
> To import accounts use:
> $targetdir/bin/ldbadd -H $targetdir/private/sam.ldb --nosync --verbose
> --controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0
> --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 users.ldif
> where targetdir=/usr/local/samba
> I do not think the accounts can be imported through ldap interface this
> way (defenately not hashed passwords)
>>
>> It gave me this error for all 408 users...
>> ERR: (Unwilling to perform) "LDAP error 53 LDAP_UNWILLING_TO_PERFORM -
>> <00002035: Unwilling to perform - The primary group isn't settable on
>> add operations!> <>" on DN CN=aaron.e,OU=Imported Users,dc=convert,dc=com
>>
>
>


Luke,

Would I import the Groups and Computers with the same command? It is not 
importing the computers or groups exports I have created using the 
script.  The grouptype attribute in my export is as follows.. 
groupType: 2147483650  ...I get the following error.

ERR: Invalid attribute syntax : "objectclass_attrs: attribute 
'groupType' on entry 'CN=Quality,OU=Imported Groups,DC=convert,DC=com' 
contains at least one invalid value!" on DN CN=Quality,OU=Imported 
Groups,dc=convert,dc=com


Also, I'm trying to decipher why it is splitting my computer accounts 
into user accounts.. It is only doing this for certain accounts. They 
all have the W flag set for sambaAcctFlags so I'm not sure why they 
aren't working. If this is they attribute that is being looked at to filter?

I think thats all I have.. for now,, I had to clean up my ldap dump 
error by error to get the script to work. But those were all 
discrepancies from the 15 years of data there..

As always  thank you for your assistance, I know you don't have to do 
it... sorry to be a bother to you..

More information about the samba-technical mailing list