[Samba] Re: NT domain migration to LDAP/SAMBA

Kang Sun ksun at abinitio.com
Fri Jul 23 18:39:10 GMT 2004


Hello Mike,

I did similar things and have similar problems.
I looked at the ldap database; the migration did nothing but get all the
names of users and machines.
If the smbldap-* scripts are the only things the vampire process is calling, I
don't see how it would get anything else.

After vampiring,

1. All the computer accounts and user accounts (posixAccount as well) are
created just as if they had been created by smbldap-useradd, with the default
parameters as defined in smbldap.conf or smbldap_config.pm, e.g.,
profiles, logon scripts, user name, etc.
2. Users lost their domain membership. All user accounts now belong
to the "Domain Users" group. No one is in the "Domain Admins" group except
Administrator.

The migration process must have done more than just calling these
smbldap-tools scripts, but I just don't see the effect.

What do you see if you do
smbldap-usershow <userid> or <machinename>$  ?
or smbldap-groupshow <groupid>  ?

-- Kang Sun


"Mike Brodbelt" <m.brodbelt at acu.ac.uk> wrote in message
news:41014220.7090509 at acu.ac.uk...
> Hi,
>
> I'm attempting to migrate an NT4 domain to Samba3, and getting quite
> frustrated with stuff that seems not to work as advertised. I'd
> appreciate any help.
>
> I've set up an OpenLDAP server, and Samba 3, configured it as a BDC, and
> tried running "net rpc vampire". This all works, and Samba does the
> appropriate stuff to try and populate the LDAP database. The scripts
> I've got configured are:-
>
>
> add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'
> delete user script = /usr/local/sbin/smbldap-userdel '%u'
> add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/local/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
> set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
>
> All the scripts are from the IdealX tools, version 0.8.5. I've set up
> the directory, and run smbldap-populate against it first, to check all
> is OK. When I symlink all the smbldap scripts to a test rig that just
> prints how it was called to a log file, and then run vampire, I get this:-
>
>
> Command line: /usr/local/sbin/smbldap-groupadd.pl -p Domain Admins
> Command line: /usr/local/sbin/smbldap-groupadd.pl -p Domain Users
> Command line: /usr/local/sbin/smbldap-groupadd.pl -p Domain Guests
> Command line: /usr/local/sbin/smbldap-groupadd.pl -p Wizards
> Command line: /usr/local/sbin/smbldap-groupadd.pl -p Watchmen
> Command line: /usr/local/sbin/smbldap-useradd.pl -a -m Administrator
> Command line: /usr/local/sbin/smbldap-useradd.pl -a -m Guest
> Command line: /usr/local/sbin/smbldap-useradd.pl -w WYRMBERG$
> Command line: /usr/local/sbin/smbldap-useradd.pl -a -m rwind
> Command line: /usr/local/sbin/smbldap-useradd.pl -a -m nogg
> Command line: /usr/local/sbin/smbldap-useradd.pl -a -m gwax
> Command line: /usr/local/sbin/smbldap-useradd.pl -a -m carrott
> Command line: /usr/local/sbin/smbldap-useradd.pl -a -m detritus
> Command line: /usr/local/sbin/smbldap-useradd.pl -a -m tfairy
> Command line: /usr/local/sbin/smbldap-useradd.pl -w UBERWALD$
> Command line: /usr/local/sbin/smbldap-useradd.pl -w quirm$
> Command line: /usr/local/sbin/smbldap-useradd.pl -w TALITHA$
> Command line: /usr/local/sbin/smbldap-groupadd.pl -p Account Operators
> Command line: /usr/local/sbin/smbldap-groupadd.pl -p Administrators
> Command line: /usr/local/sbin/smbldap-groupadd.pl -p Backup Operators
> Command line: /usr/local/sbin/smbldap-groupadd.pl -p Guests
> Command line: /usr/local/sbin/smbldap-groupadd.pl -p Print Operators
> Command line: /usr/local/sbin/smbldap-groupadd.pl -p Replicator
> Command line: /usr/local/sbin/smbldap-groupadd.pl -p Server Operators
> Command line: /usr/local/sbin/smbldap-groupadd.pl -p Users
>
>
> This is all being done on a test domain, with fake users at the moment,
> before I try a real environment.
>
> From the command line, I can add users and groups using the commands
> above, and all seems to work. Yet, when I actually try the vampire with
> the real scripts in place, I get errors like this:-
>
> Creating unix group: 'Wizards'
> Creating unix group: 'Watchmen'
> Creating account: Administrator
> /usr/local/sbin/smbldap-useradd: user Administrator exists
> Could not create posix account info for 'Administrator'
> Creating account: Guest
> Could not create posix account info for 'Guest'
> Creating account: WYRMBERG$
> Could not create posix account info for 'WYRMBERG$'
> Creating account: rwind
> Could not create posix account info for 'rwind'
>
> Why do I get this "Could not create posix account info" message, and
> what does it mean?
>
> Also, running "pdbedit -Lw" after vampiring generates:-
>
>
>
> Administrator:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
> nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
> Guest:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:
> rwind:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:
> nogg:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:
> gwax:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:
> carrott:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:
> detritus:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:
> tfairy:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UX         ]:LCT-00000000:
>
>
> For some reason, all the NT password information completely fails to
> migrate. Why? I've installed the Crypt::SmbHash module so perl can find
> it, which is what I thought the tools used.
>
> Is anyone else having these problems? I've been through every piece of
> documentation that I can find thus far, and although I believe I know
> what to do, no combination of steps actually seems to work properly.
> I've read the Samba 3 by example book, the idealx HOWTO, the Samba HOWTO
> collection, and am coming to the conclusion that it'd just be easier to
> dump my user data with the old windows samdump utility, and just build
> my own ldap directory from scratch.....
>
> Any information/ideas very much appreciated.
>
> Mike.
>
> P.S. Here's a sample created account entry, if that helps any:-
>
> dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSAMAccount
> cn: rwind
> sn: rwind
> uid: rwind
> uidNumber: 1006
> gidNumber: 513
> homeDirectory: /home/rwind
> loginShell: /bin/bash
> gecos: System User
> description: System User
> userPassword:: e2NyeXB0fXg=
> structuralObjectClass: inetOrgPerson
> entryUUID: a3d3720c-7111-1028-96d6-80de4c82e4f8
> creatorsName: cn=admin,dc=acu,dc=ac,dc=uk
> createTimestamp: 20040723163232Z
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> displayName: System User
> sambaAcctFlags: [UX]
> sambaSID: S-1-5-21-2704678572-2069052080-1039482078-3012
> sambaLMPassword: XXX
> sambaPrimaryGroupSID: S-1-5-21-2704678572-2069052080-1039482078-513
> sambaProfilePath: \\TALITHA\profiles\rwind
> sambaHomePath: \\TALITHA\home\rwind
> sambaHomeDrive: M:
> sambaNTPassword: XXX
> entryCSN: 2004072316:32:32Z#0x0004#0#0000
> modifiersName: cn=admin,dc=acu,dc=ac,dc=uk
> modifyTimestamp: 20040723163232Z
>
>
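Added example (not part of the original posts, and not Samba or smbldap-tools code): a small Python check for smbpasswd-format output such as the "pdbedit -Lw" listing quoted above, reporting accounts whose uid is 4294967295 or whose NT hash field holds no hash. The function names, the sample records and the account "alice" are constructed for illustration; reading a uid of 4294967295 as "no POSIX uid resolved" is an assumption.

```python
import re

# smbpasswd-style record as printed by "pdbedit -Lw":
#   name:uid:LM hash:NT hash:[flags]:LCT-hex:
LINE = re.compile(
    r"^([^:]+):(\d+):([^:]{32}):([^:]{32}):\[([^\]]*)\]:LCT-([0-9A-Fa-f]{8}):")
NO_UID = 0xFFFFFFFF  # 4294967295, the 32-bit value of -1

def hash_state(field):
    """Classify a 32-character LM/NT hash field (see smbpasswd(5))."""
    if field == "X" * 32:
        return "blank"      # no usable hash stored
    if field.startswith("NO PASSWORD"):
        return "null"       # account has a null password
    if re.fullmatch(r"[0-9A-Fa-f]{32}", field):
        return "present"
    return "malformed"

def audit(text):
    """Return {account: [findings]} for records that look incomplete."""
    report = {}
    for raw in text.splitlines():
        # tolerate "> " quoting so mail excerpts can be pasted in directly
        m = LINE.match(raw.lstrip("> ").strip())
        if not m:
            continue
        name, uid, _lm, nt, _flags, lct = m.groups()
        findings = []
        if int(uid) == NO_UID:
            # assumption: this value means no POSIX uid was found
            findings.append("uid is 4294967295 (no POSIX uid resolved)")
        if hash_state(nt) != "present":
            findings.append("NT hash " + hash_state(nt))
        if int(lct, 16) == 0:
            findings.append("last-change time is zero")
        if findings:
            report[name] = findings
    return report

# Constructed sample: two records shaped like the post's, one healthy record.
X32, NOPW = "X" * 32, "NO PASSWORD" + "X" * 21
SAMPLE = "\n".join([
    f"> Administrator:4294967295:{X32}:{X32}:[U          ]:LCT-00000000:",
    f"> nobody:65534:{NOPW}:{NOPW}:[NU         ]:LCT-00000000:",
    "alice:1006:" + "0123456789ABCDEF" * 2 + ":" + "FEDCBA9876543210" * 2
    + ":[U          ]:LCT-40FE0000:",
])

if __name__ == "__main__":
    for account, findings in audit(SAMPLE).items():
        print(account + ": " + "; ".join(findings))
```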




