[Samba] Re: NT domain migration to LDAP/SAMBA

Mike Brodbelt m.brodbelt at acu.ac.uk
Mon Jul 26 10:12:39 GMT 2004


Kang Sun wrote:

>> Hello Mike,
>>
>> I did similar things and have similar problems.
>> I looked at the ldap database, the migration did nothing but get all
>> the names of users and machines.
>> If the smbldap-* scripts are the only things vampire process is
>> calling, I don't see how it would get anything else.


Agreed, although when migrating with a tdbsam backend, the vampire
process will populate the tdbsam with NT passwords and suchlike, but
also runs the useradd scripts to add the posix users, so I thought that
there may be some other data that Samba puts into LDAP directly, not via
invoking the scripts.

The documentation from John Terpstra's book (available online at
http://de.samba.org/samba/docs/man/Samba-Guide/migration.html#id2549828)
suggests that the process should work with an LDAP backend, but I'm
currently at a loss to see how, and I'm unable to replicate this, even
on a test network, with various versions of the Idealx smbldap-tools. It
doesn't appear to work as advertised at the moment.


>> After vampiring,
>>
>> 1. All the computer accounts and user accounts (posixAccount as well)
>> are created just like being created by smbldap-useradd, with the
>> default parameters as defined in the smbldap.conf or
>> smbldap_config.pm, eg, profiles, logon scripts, etc, user name, etc.


Yes, this seems to work when run from the command line. Vampiring seems
to throw up some errors that I've not tracked down yet though.


>> 2. Users lost their domain membership. All user accounts now
>> belong to the "Domain Users" group. No one is in the "Domain Admins" group
>> except Administrator.
>>
>> The migration process must have done more than just calling these
>> smbldap-tools scripts, but I just don't see the effect.
>>
>> What do you see if you do
>> smbldap-usershow <userid> or <machinename>$  ?


# smbldap-usershow detritus
dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
cn: rwind
sn: rwind
uid: rwind
uidNumber: 1006
gidNumber: 513
homeDirectory: /home/rwind
loginShell: /bin/bash
gecos: System User
description: System User
userPassword: {crypt}x
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: System User
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-2704678572-2069052080-1039482078-3012
sambaLMPassword: XXX
sambaPrimaryGroupSID: S-1-5-21-2704678572-2069052080-1039482078-513
sambaProfilePath: \\TALITHA\profiles\rwind
sambaHomePath: \\TALITHA\home\rwind
sambaHomeDrive: M:
sambaNTPassword: XXX

# smbldap-usershow "quirm$"
dn: uid=quirm$,ou=Computers,dc=acu,dc=ac,dc=uk
objectClass: top,inetOrgPerson,posixAccount
cn: quirm$
sn: quirm$
uid: quirm$
uidNumber: 1013
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer


>> or smbldap-groupshow <groupid>  ?


# smbldap-groupshow "Domain Admins"
dn: cn=Domain Admins,ou=Groups,dc=acu,dc=ac,dc=uk
objectClass: posixGroup,sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
description: Netbios Domain Administrators
sambaSID: S-1-5-21-2704678572-2069052080-1039482078-512
sambaGroupType: 2
displayName: Domain Admins


So all that seems to have worked. It's just that some of the information
hasn't migrated across, and in the context of a transparent migration
off the NT4 server, the information that hasn't propagated is a
showstopper. Despite reading all the docs I can lay hands on, I still
can't see why, and the vampire process is not transparent to me - the
docs just assume it'll work completely or not at all - there's nothing
to tell one how to try and troubleshoot it if it half works, which is
what's happening for me.

Mike.
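
Added example, not part of the original message and not code from Samba or smbldap-tools: one way to see where a half-finished migration stopped is to scan entries in the format smbldap-usershow prints above and list what each one lacks. The REQUIRED attribute list is an assumption about what a complete Samba account entry carries, and SAMPLE is constructed from the two entries shown in the message.

```python
# Added example: audit entries printed in the smbldap-usershow format.
# REQUIRED is an assumption; SAMPLE is constructed from the message's output.
REQUIRED = ("sambaSID", "sambaNTPassword", "sambaAcctFlags")

SAMPLE = """\
dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
uid: rwind
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-2704678572-2069052080-1039482078-3012
sambaNTPassword: XXX

dn: uid=quirm$,ou=Computers,dc=acu,dc=ac,dc=uk
objectClass: top,inetOrgPerson,posixAccount
uid: quirm$
"""

def parse_entries(text):
    """Split 'attr: value' text into one dict per entry (new entry at each dn:)."""
    entries, current = [], None
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        # Skip blank lines, pasted shell prompts ('# ...') and colon-less lines.
        if not sep or line.startswith("#"):
            continue
        attr, value = attr.strip(), value.strip()
        if attr == "dn":
            current = {"dn": [value]}
            entries.append(current)
        elif current is not None:
            # smbldap-usershow joins multi-valued objectClass with commas
            values = value.split(",") if attr == "objectClass" else [value]
            current.setdefault(attr, []).extend(values)
    return entries

def audit(entries):
    """Return {dn: [problems]} for entries that are not complete Samba accounts."""
    report = {}
    for e in entries:
        problems = []
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "sambasamaccount" not in classes:
            problems.append("no sambaSAMAccount objectClass")
        problems += [f"missing {a}" for a in REQUIRED if a not in e]
        if problems:
            report[e["dn"][0]] = problems
    return report

if __name__ == "__main__":
    print(audit(parse_entries(SAMPLE)))
```

The check only tests that an attribute is present, so a redacted or placeholder value such as XXX still counts as set.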

