ldap base transfer (not samba3 + ldap) in samba4

Matthieu Patou mat at samba.org
Mon Apr 29 22:20:20 MDT 2013

On 04/26/2013 07:23 AM, Alexandr Kuznecov wrote:
> ldap base transfer (not samba3 + ldap) in samba4
> Good afternoon, dear team of the SAMBA developers. I need your help. I have
> an LDAP server on which the Linux user accounts are stored, not by samba3.
> The structure is like this:
> dn: UID=test, OU=progs, DC=exam, DC=tt
> uid: test
> cn: test
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> shadowLastChange: 14872
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 1009
> homeDirectory: /home/test
> gecos: test
> gidNumber: 1003
> userPassword: {SSHA}YpmjVOVuGQhYTjl7pSv1id0+PMJpemhFQ2RCQ2JuV0o=
> or like this:
> dn: UID=test1, OU=progs, DC=exam, DC=tt
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: posixAccount
> sn: test1
> givenName: test1
> homeDirectory: /home/test1
> loginShell: /bin/bash
> uid: test1
> cn: test1
> uidNumber: 1901
> gidNumber: 1003
> userPassword: {SSHA}YpmjVOVuGQhYTjl7pSv1id0+PMJpemhFQ2RCQ2JuV0o=

> I want to transfer these users to samba4 and subsequently use these accounts
> with an ldap-client on Linux systems. The transfer completes without errors
> using .ldif files and programs that can export/import to LDAP. But there is
> a problem: at login the system tells me that the password isn't right.
> getent passwd shows the list of users, so the system recognizes them.

> If I change the password by means of the Microsoft control panel on the
> Active Directory controller, the user can log in and work. I would also
> accept such an option,
I'm not sure I understand this question.

Would it be OK if during the transfer all the users are marked as
expired and forced to change their password, with a default password
based on their login plus something like their birthdate?

If so we can find a trick to make it work.

> BUT! I have 695 users, and changing everyone's password and then
> reconfiguring all connections will take a lot of time and cause heavy
> losses because users will be unable to perform their work. As I understand
> it, the problem in this case is that the KDC doesn't know how the password
> is ciphered, but I may be mistaken. I know that on the old LDAP server the
> users' passwords are stored in "userPassword:". So I also ask for your help
> to transfer all users from the LDAP server to samba4 so that they can work
> without changing passwords. SAMBA4 acts as AD DC.
> Thanks for your time and I hope for your help.
In theory we can import passwords, but it highly depends on how they were
stored in your current LDAP server; can you tell us a bit more?

From a 10,000 feet view it looks like your passwords are stored in the
form of SHA1, which is useless for a migration to Samba 4 AD DC.
If you can force the expiration on the current LDAP, the following thing
can be tested: start to store the MD4 of the password in another
attribute (i.e. unicodePwd) and force the password expiration. Then,
after all the users have changed their password, you can migrate them to
Samba 4 DC using the same trick that we use to migrate from Samba 3 to
Samba 4.

You might need some guidance for this so feel free to ask more questions.


Matthieu Patou
Samba Team
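To make concrete why the quoted {SSHA} userPassword values cannot be reused and what the suggested extra attribute has to hold, here is an added example (not from this thread and not Samba's code): it verifies a cleartext against an OpenLDAP-style {SSHA} value, which is all a salted SHA1 digest permits, and derives the MD4-over-UTF-16LE (NT) hash from the cleartext, which is only available at bind or password-change time. The sample password and salt are constructed; the pure-Python MD4 is included because hashlib's md4 is often disabled under OpenSSL 3.

```python
import base64, hashlib, hmac, os, struct

def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    M = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    k2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]   # round-2 word order
    k3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]   # round-3 word order
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:    # round 1: F(b,c,d), no constant
                f, k, s, t = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2: G(b,c,d) = majority
                f, k, s, t = (b & c) | (b & d) | (c & d), k2[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:         # round 3: H(b,c,d) = xor
                f, k, s, t = b ^ c ^ d, k3[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a, b, c, d = d, rotl((a + f + x[k] + t) & M, s), b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def ssha_hash(password: str, salt=None) -> str:
    """OpenLDAP {SSHA} userPassword: base64(sha1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password: str, stored: str) -> bool:
    """Verify-only: the salt is whatever follows the 20-byte digest; the digest itself is one-way."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)

def nt_hash(password: str) -> bytes:
    return _md4(password.encode("utf-16-le"))   # MD4 of UTF-16LE: the value the AD KDC needs

def capture_nt_hash(cleartext: str, stored_ssha: str):
    """Models the password-change/bind hook: with the cleartext in hand and checked against
    the existing {SSHA}, emit the hex NT hash to store in the extra attribute; else None."""
    if not ssha_verify(cleartext, stored_ssha):
        return None
    return nt_hash(cleartext).hex()

if __name__ == "__main__":   # constructed sample with a fixed salt so the output is reproducible
    entry = ssha_hash("Winter2013!", salt=b"\x01\x02\x03\x04")
    print(entry, capture_nt_hash("Winter2013!", entry), capture_nt_hash("wrong", entry))
```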
