[Samba] Re: NT domain migration to LDAP/SAMBA (password migration)

Kang Sun ksun at abinitio.com
Mon Jul 26 16:55:54 GMT 2004


The previous question was regarding the passwords not being migrated ...

Well, I found one error, at least that was what happened to me.

In the smb.conf file, I had
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m "%u"
while it should have been
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -m "%u"

The add user script is only supposed to add a posix account. The windows
account is migrated and mapped to that posix account.
With the "-a" option on, a windows account is also created together with the
Posix account. The migration failed because a windows account, with all the
default attributes from smbldap.conf, already exists.

I hope this helps others with similar problems.


-- Kang

"Mike Brodbelt" <m.brodbelt at acu.ac.uk> wrote in message
news:4104D917.7070602 at acu.ac.uk...
> Kang Sun wrote:
>
> >> Hello Mike,
> >>
> >> I did similar things and have similar problems.
> >> I looked at the ldap database, the migration did nothing but get all
> >> the names of users and machines.
> >> If the smbldap-* scripts are the only things the vampire process is
> >> calling, I don't see how it would get anything else.
>
>
> Agreed, although when migrating with a tdbsam backend, the vampire
> process will populate the tdbsam with NT passwords and suchlike, but
> also runs the useradd scripts to add the posix users, so I thought that
> there may be some other data that Samba puts into LDAP directly, not via
> invoking the scripts.
>
> The documentation from John Terpstra's book (available online at
> http://de.samba.org/samba/docs/man/Samba-Guide/migration.html#id2549828)
> suggests that the process should work with an LDAP backend, but I'm
> currently at a loss to see how, and I'm unable to replicate this, even
> on a test network, with various versions of the Idealx smbldap-tools. It
> doesn't appear to work as advertised at the moment.
>
>
> >> After vampiring,
> >>
> >> 1. All the computer accounts and user accounts (posixAccount as well)
> >> are created just like being created by smbldap-useradd, with the
> >> default parameters as defined in the smbldap.conf or
> >> smbldap_config.pm, eg, profiles, logon scripts, etc, user name, etc.
>
>
> Yes, this seems to work when run from the command line. Vampiring seems
> to throw up some errors that I've not tracked down yet though.
>
>
> >> 2. Users lost their domain membership. All user accounts now
> >> belong to the "Domain Users" group. No one is in the "Domain Admins"
> >> group except Administrator.
> >>
> >> The migration process must have done more than just calling these
> >> smbldap-tools scripts, but I just don't see the effect.
> >>
> >> What do you see if you do
> >> smbldap-usershow <userid> or <machinename>$  ?
>
>
> # smbldap-usershow detritus
> dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
> objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
> cn: rwind
> sn: rwind
> uid: rwind
> uidNumber: 1006
> gidNumber: 513
> homeDirectory: /home/rwind
> loginShell: /bin/bash
> gecos: System User
> description: System User
> userPassword: {crypt}x
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> displayName: System User
> sambaAcctFlags: [UX]
> sambaSID: S-1-5-21-2704678572-2069052080-1039482078-3012
> sambaLMPassword: XXX
> sambaPrimaryGroupSID: S-1-5-21-2704678572-2069052080-1039482078-513
> sambaProfilePath: \\TALITHA\profiles\rwind
> sambaHomePath: \\TALITHA\home\rwind
> sambaHomeDrive: M:
> sambaNTPassword: XXX
>
> # smbldap-usershow "quirm$"
> dn: uid=quirm$,ou=Computers,dc=acu,dc=ac,dc=uk
> objectClass: top,inetOrgPerson,posixAccount
> cn: quirm$
> sn: quirm$
> uid: quirm$
> uidNumber: 1013
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
>
>
> >> or smbldap-groupshow <groupid>  ?
>
>
> # smbldap-groupshow "Domain Admins"
> dn: cn=Domain Admins,ou=Groups,dc=acu,dc=ac,dc=uk
> objectClass: posixGroup,sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
> memberUid: Administrator
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-2704678572-2069052080-1039482078-512
> sambaGroupType: 2
> displayName: Domain Admins
>
>
> So all that seems to have worked. It's just that some of the information
> hasn't migrated across, and in the context of a transparent migration
> off the NT4 server, the information that hasn't propagated is a
> showstopper. Despite reading all the docs I can lay hands on, I still
> can't see why, and the vampire process is not transparent to me - the
> docs just assume it'll work completely or not at all - there's nothing
> to tell one how to try and troubleshoot it if it half works, which is
> what's happening for me.
>
> Mike.
>
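
The two symptoms this thread describes, checked in Python as an added example (not code from either poster, Samba or smbldap-tools): whether `add user script` in smb.conf passes `-a`, and which entries in `smbldap-usershow` output carry `sambaSAMAccount` with `sambaPwdLastSet: 0`. Treating that zero as the sign of a placeholder account is an assumption drawn from the output quoted above; the function names and the "alice" entry are constructed.

```python
import shlex

# Constructed smb.conf fragment; the script path and options are the post's.
CONF = '''[global]
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m "%u"
'''

# Trimmed from the thread's output; "alice" is a constructed migrated user.
SHOWN = '''dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
uid: rwind
sambaPwdLastSet: 0
dn: uid=quirm$,ou=Computers,dc=acu,dc=ac,dc=uk
objectClass: top,inetOrgPerson,posixAccount
dn: uid=alice,ou=People,dc=acu,dc=ac,dc=uk
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
uid: alice
sambaPwdLastSet: 1090857354
'''

def add_user_script(conf):
    """Return the last 'add user script' value in smb.conf text, or None."""
    value = None
    for line in conf.splitlines():
        name, sep, val = line.strip().partition("=")
        # smb.conf ignores case and whitespace in parameter names.
        if sep and "".join(name.split()).lower() == "adduserscript":
            value = val.strip()
    return value

def has_dash_a(script):
    """True if -a is passed as its own argument to the add user script."""
    return "-a" in shlex.split(script or "")[1:]

def placeholder_accounts(shown):
    """uids with sambaSAMAccount and sambaPwdLastSet: 0 (assumed marker)."""
    entries = []
    for line in shown.splitlines():
        key, sep, val = line.partition(":")
        if sep and key == "dn":
            entries.append({})
        if sep and entries:
            entries[-1][key] = val.strip()
    return [e.get("uid") for e in entries
            if "sambaSAMAccount" in e.get("objectClass", "").split(",")
            and e.get("sambaPwdLastSet") == "0"]

if __name__ == "__main__":
    print(has_dash_a(add_user_script(CONF)), placeholder_accounts(SHOWN))
```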