s3 - s4 conversion
Lukasz Zalewski
lukas at eecs.qmul.ac.uk
Wed Apr 13 14:00:32 MDT 2011
On 13/04/2011 18:12, Aaron E. wrote:
>
>>> I was able to get the script to run on the Users I had to change Line #
>>> 1083 to read,
>>> assert rid >= 500, "sid[%s] rid < 1000" % (sid) instead of
>>> assert rid >= 1000, "sid[%s] rid < 1000" % (sid)..
>> This is not a good idea. You should not bypass this check - the imported
>> account's sid will conflict with existing Administrator account in samba4
>>>
>>> Computer/Groups still does not work.. If I come up with anything Ill let
>>> you know.
>>>
>>> I was not able to import the users.ldif using the following command..
>>> ./ldbmodify -H ldap://172.20.1.15 --user=CONVERT/administrator%xxxxxxxx
>>> /root/users.ldif
>> To import accounts use:
>> $targetdir/bin/ldbadd -H $targetdir/private/sam.ldb --nosync --verbose
>> --controls=relax:0 --controls=local_oid:1.3.6.1.4.1.7165.4.3.7:0
>> --controls=local_oid:1.3.6.1.4.1.7165.4.3.12:0 users.ldif
>> where targetdir=/usr/local/samba
>> I do not think the accounts can be imported through ldap interface this
>> way (defenately not hashed passwords)
>>>
>>> It gave me this error for all 408 users...
>>> ERR: (Unwilling to perform) "LDAP error 53 LDAP_UNWILLING_TO_PERFORM -
>>> <00002035: Unwilling to perform - The primary group isn't settable on
>>> add operations!> <>" on DN CN=aaron.e,OU=Imported
>>> Users,dc=convert,dc=com
>>>
>>
>>
>
Hi Aaron,
>
> Luke,
>
> Would I import the Groups and Computers with the same command?
Yes
It is not
> importing the computers or groups exports I have created using the
> script. The grouptype attribute in my export is as follows.. groupType:
> 2147483650 ...I get the following error.
>
> ERR: Invalid attribute syntax : "objectclass_attrs: attribute
> 'groupType' on entry 'CN=Quality,OU=Imported Groups,DC=convert,DC=com'
> contains at least one invalid value!" on DN CN=Quality,OU=Imported
> Groups,dc=convert,dc=com
>
What is the sambaGroupType on the s3 ldap entry?
>
> Also, I'm trying to decipher why it is splitting my computer accounts
> into user accounts.. It is only doing this for certain accounts. They
> all have the W flag set for sambaAcctFlags so I'm not sure why they
> aren't working. If this is they attribute that is being looked at to
> filter?
I'm assuming there is no errors regarding those accounts during the
conversion. Could you give us an example of a workstation account that
after conversion becomes a user account (i.e. before and after)?
Samba account flags are converted, and during the import of computers an
explicit flag is used to assign the appropriate primary group membership
(Domain Computers).
>
> I think thats all I have.. for now,, I had to clean up my ldap dump
> error by error to get the script to work. But those were all
> discrepancies from the 15 years of data there..
Yup the beauty of this script is that it thoroughly checks all of the
data prior to import and will not allow imports of the broken data (this
could be painful on large and somehow broken ldap trees)
>
> As always thank you for your assistance, I know you don't have to do
> it... sorry to be a bother to you..
>
Pleasure :)
Luk
More information about the samba-technical
mailing list