[Samba] NT domain migration to LDAP/SAMBA

Mike Brodbelt m.brodbelt at acu.ac.uk
Fri Jul 23 16:51:44 GMT 2004


Hi,

I'm attempting to migrate an NT4 domain to Samba3, and getting quite
frustrated with stuff that seems not to work as advertised. I'd
appreciate any help.

I've set up an OpenLDAP server, and Samba 3, configured it as a BDC, and
tried running "net rpc vampire". This all works, and Samba does the
appropriate stuff to try and populate the LDAP database. The scripts
I've got configured are:-


add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/local/sbin/smbldap-userdel '%u'
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'

All the scripts are from the IdealX tools, version 0.8.5. I've set up
the directory, and run smbldap-populate against it first, to check all
is OK. When I symlink all the smbldap scripts to a test rig that just
prints how it was called to a log file, and then run vampire, I get this:-


Command line: /usr/local/sbin/smbldap-groupadd.pl -p Domain Admins
Command line: /usr/local/sbin/smbldap-groupadd.pl -p Domain Users
Command line: /usr/local/sbin/smbldap-groupadd.pl -p Domain Guests
Command line: /usr/local/sbin/smbldap-groupadd.pl -p Wizards
Command line: /usr/local/sbin/smbldap-groupadd.pl -p Watchmen
Command line: /usr/local/sbin/smbldap-useradd.pl -a -m Administrator
Command line: /usr/local/sbin/smbldap-useradd.pl -a -m Guest
Command line: /usr/local/sbin/smbldap-useradd.pl -w WYRMBERG$
Command line: /usr/local/sbin/smbldap-useradd.pl -a -m rwind
Command line: /usr/local/sbin/smbldap-useradd.pl -a -m nogg
Command line: /usr/local/sbin/smbldap-useradd.pl -a -m gwax
Command line: /usr/local/sbin/smbldap-useradd.pl -a -m carrott
Command line: /usr/local/sbin/smbldap-useradd.pl -a -m detritus
Command line: /usr/local/sbin/smbldap-useradd.pl -a -m tfairy
Command line: /usr/local/sbin/smbldap-useradd.pl -w UBERWALD$
Command line: /usr/local/sbin/smbldap-useradd.pl -w quirm$
Command line: /usr/local/sbin/smbldap-useradd.pl -w TALITHA$
Command line: /usr/local/sbin/smbldap-groupadd.pl -p Account Operators
Command line: /usr/local/sbin/smbldap-groupadd.pl -p Administrators
Command line: /usr/local/sbin/smbldap-groupadd.pl -p Backup Operators
Command line: /usr/local/sbin/smbldap-groupadd.pl -p Guests
Command line: /usr/local/sbin/smbldap-groupadd.pl -p Print Operators
Command line: /usr/local/sbin/smbldap-groupadd.pl -p Replicator
Command line: /usr/local/sbin/smbldap-groupadd.pl -p Server Operators
Command line: /usr/local/sbin/smbldap-groupadd.pl -p Users


This is all being done on a test domain, with fake users at the moment,
before I try a real environment.

From the command line, I can add users and groups using the commands
above, and all seems to work. Yet, when I actually try the vampire with
the real scripts in place, I get errors like this:-

Creating unix group: 'Wizards'
Creating unix group: 'Watchmen'
Creating account: Administrator
/usr/local/sbin/smbldap-useradd: user Administrator exists
Could not create posix account info for 'Administrator'
Creating account: Guest
Could not create posix account info for 'Guest'
Creating account: WYRMBERG$
Could not create posix account info for 'WYRMBERG$'
Creating account: rwind
Could not create posix account info for 'rwind'

Why do I get this "Could not create posix account info" message, and
what does it mean?

Also, running "pdbedit -Lw" after vampiring generates:-


Administrator:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
Guest:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:
rwind:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:
nogg:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:
gwax:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:
carrott:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:
detritus:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:
tfairy:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:


For some reason, all the NT password information completely fails to
migrate. Why? I've installed the Crypt::SmbHash module so perl can find
it, which is what I thought the tools used.

Is anyone else having these problems? I've been through every piece of
documentation that I can find thus far, and although I believe I know
what to do, no combination of steps actually seems to work properly.
I've read the Samba 3 by example book, the idealx HOWTO, the Samba HOWTO
collection, and am coming to the conclusion that it'd just be easier to
dump my user data with the old windows samdump utility, and just build
my own ldap directory from scratch.....

Any information/ideas very much appreciated.

Mike.

P.S. Here's a sample created account entry, if that helps any:-

dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSAMAccount
cn: rwind
sn: rwind
uid: rwind
uidNumber: 1006
gidNumber: 513
homeDirectory: /home/rwind
loginShell: /bin/bash
gecos: System User
description: System User
userPassword:: e2NyeXB0fXg=
structuralObjectClass: inetOrgPerson
entryUUID: a3d3720c-7111-1028-96d6-80de4c82e4f8
creatorsName: cn=admin,dc=acu,dc=ac,dc=uk
createTimestamp: 20040723163232Z
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: System User
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-2704678572-2069052080-1039482078-3012
sambaLMPassword: XXX
sambaPrimaryGroupSID: S-1-5-21-2704678572-2069052080-1039482078-513
sambaProfilePath: \\TALITHA\profiles\rwind
sambaHomePath: \\TALITHA\home\rwind
sambaHomeDrive: M:
sambaNTPassword: XXX
entryCSN: 2004072316:32:32Z#0x0004#0#0000
modifiersName: cn=admin,dc=acu,dc=ac,dc=uk
modifyTimestamp: 20040723163232Z


