[Samba] Upgrading LDAP entries from 2.2.7 for Samba 3 not happening

Andrew Bartlett abartlet at samba.org
Sat Mar 27 00:54:52 GMT 2004


On Sat, 2004-03-27 at 08:47, jamie wrote:
> I know I'm not the only person to upgrade from 2.2.7 to 3.0. Someone PLEASE
> chime in. I have 600+ users coming back from spring break Monday!
> 
> PLEASE PLEASE PLEASE HELP!
> 
> jamie 
> 
> On 3/25/04 4:44 PM, "jamie" <mcparlandj at newberg.k12.or.us> wrote:
> 
> > We have been using samba 2.2.7 for awhile now with ldap no problem. We are
> > ready to move to Samba 3 though, and this is where the trouble begins.
> > We do not have a domain set up. We have a few samba boxes and they just use
> > the ldap servers to get their passwords from. (no roaming desktops or
> > anything like that.)
> > 
> > I did a bit of reading up and see that I need to run the convertSambaAccount
> > script against an ldif export.
> > 
> > So here's what I did
> > 
> > ldapsearch -LL -x -h localhost -D
> > "uid=root,ou=People,dc=newberg,dc=k12,dc=or,dc=us" -b
> > "ou=People,dc=newberg,dc=k12,dc=or,dc=us" -w > old.ldif
> > 
> > I got an ldif no problem. I don't really know what a SID is or what's it
> > for. Something to do with having a domain (which we don't)
> > 
> > So I try this 
> > 
> > [root at ldap /]# net getlocalsid
> > bash: net: command not found
> > 
> > So I can't get the SID from this machine.
> > 
> > I decide to just make one up and try that.
> > 
> > /convertSambaAccount --input=old.ldif --output new.ldif --changetype=modify
> > --sid=S-1-0-0

That is a *really* bad idea.  There is a SID, and you can find it out.
Use the 'net' command from 3.0; it does not exist in 2.2.  There is also
an smbpasswd option I think.

If you want to keep your existing Samba 2.2 schema in LDAP, that is
supported.  Simply use ldapsam_compat, or configure --with-ldapsam
(which enables the compatibility modes by default).

If you want to move to the 3.0 schema, you will find that there is a
one-domain per LDAP subtree restriction, that is, all the machines
talking to those entries in LDAP must agree to be part of a single
domain.

Simply nominate a master box as PDC, and the rest as   There is no need
to have actual clients in the domain.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
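The point of the reply is that a sambaSamAccount's sambaSID is the real domain SID with the user's RID appended, so a made-up value such as S-1-0-0 (the well-known null SID) produces entries no Samba 3 server will recognise as its own. The script below is an added illustration of that conversion, written for this page; it is not the thread's output and not the convertSambaAccount script shipped with Samba 3. The sample LDIF and the domain SID it uses are constructed, and the 2.2-to-3.0 attribute mapping is written from memory of the two schemas, so verify it against the convertSambaAccount script before running anything like it against a real directory. Use the SID reported by `net getlocalsid` on a Samba 3 host as the domain SID.

```python
import base64
import re

# A Samba/Windows domain SID has the shape S-1-5-21-<a>-<b>-<c>; anything
# else (S-1-0-0, S-1-5-32-..., a typo) must not be used as a domain SID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

# Samba 2.2 sambaAccount attribute -> Samba 3 sambaSamAccount attribute
# (mapping as recalled from the two schemas; verify against convertSambaAccount).
ATTR_MAP = {
    "lmPassword": "sambaLMPassword",
    "ntPassword": "sambaNTPassword",
    "pwdLastSet": "sambaPwdLastSet",
    "pwdCanChange": "sambaPwdCanChange",
    "pwdMustChange": "sambaPwdMustChange",
    "logonTime": "sambaLogonTime",
    "logoffTime": "sambaLogoffTime",
    "kickoffTime": "sambaKickoffTime",
    "acctFlags": "sambaAcctFlags",
    "smbHome": "sambaHomePath",
    "homeDrive": "sambaHomeDrive",
    "scriptPath": "sambaLogonScript",
    "profilePath": "sambaProfilePath",
    "userWorkstations": "sambaUserWorkstations",
    "domain": "sambaDomainName",
}

# Constructed sample export (two entries, only the first is a sambaAccount).
# The LM/NT hashes are the well-known hashes of the empty password.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaAccount
uid: jdoe
uidNumber: 1000
rid: 3000
primaryGroupID: 513
lmPassword: AAD3B435B51404EEAAD3B435B51404EE
ntPassword: 31D6CFE0D16AE931B73C59D7E0C089C0
acctFlags: [U          ]
domain: EXAMPLE

dn: uid=svc,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: svc
"""


def check_domain_sid(sid):
    """Refuse anything that is not a real domain SID (S-1-0-0 included)."""
    if not DOMAIN_SID_RE.match(sid):
        raise ValueError("not a domain SID (use the value from 'net getlocalsid'): %r" % sid)
    return sid


def _lines_to_entry(lines):
    entry = {}
    for line in lines:
        attr, _, val = line.partition(":")
        if val.startswith(":"):          # '::' marks a base64 value
            val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
        else:
            val = val.strip()
        entry.setdefault(attr, []).append(val)
    return entry


def parse_ldif(text):
    """Minimal LDIF reader: list of entries, each attr -> list of values.
    Handles comments, folded lines and base64 values; nothing fancier."""
    entries, lines = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]         # unfold continuation line
        elif raw == "":
            if lines:
                entries.append(_lines_to_entry(lines))
                lines = []
        else:
            lines.append(raw)
    if lines:
        entries.append(_lines_to_entry(lines))
    return entries


def convert_entry(entry, domain_sid):
    """Return a 'changetype: modify' LDIF record adding the Samba 3
    attributes to one 2.2 sambaAccount entry, or None for other entries."""
    if "sambaAccount" not in entry.get("objectClass", []):
        return None
    check_domain_sid(domain_sid)
    mods = [("objectClass", ["sambaSamAccount"]),
            ("sambaSID", ["%s-%s" % (domain_sid, entry["rid"][0])])]
    if "primaryGroupID" in entry:
        mods.append(("sambaPrimaryGroupSID",
                     ["%s-%s" % (domain_sid, entry["primaryGroupID"][0])]))
    for old, new in ATTR_MAP.items():
        if old in entry:
            mods.append((new, entry[old]))
    out = ["dn: %s" % entry["dn"][0], "changetype: modify"]
    for attr, values in mods:
        out.append("add: " + attr)
        out.extend("%s: %s" % (attr, v) for v in values)
        out.append("-")
    return "\n".join(out) + "\n"


def convert_ldif(text, domain_sid):
    """Convert every sambaAccount entry in an LDIF export."""
    records = [convert_entry(e, domain_sid) for e in parse_ldif(text)]
    return [r for r in records if r is not None]


if __name__ == "__main__":
    print("".join(convert_ldif(SAMPLE_LDIF, "S-1-5-21-1234567890-987654321-123456789")))
```

Feed the resulting modify records to `ldapmodify` only after checking that the SID you passed is the one the Samba 3 PDC reports; the check at the top is there precisely so that S-1-0-0 never gets into the directory.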