[Samba] Migrating NT4 Domain with Idealx tools
Paul Coray
paul.coray at unibas.ch
Tue Nov 9 16:57:33 GMT 2004
Hi all
For several days I've been doing tests for our upcoming migration from
an NT domain to Samba PDC with ldapsam. We have ~200 clients, mostly NT4
and some Win2k. We want all of our users eventually switch from Windows
to KDE on Linux with thin clients through NX :-)
I managed to net rpc vampire all user and machine accounts into LDAP,
but then I realized some problems:
- The migrated machine accounts have no samba attributes. I can
reproduce this behavior adding a machine account doing smbldap-useradd
-w [machinename], just as in the 'add machine script' line in smb.conf
suggested by Idealx. The machine account machinename$ will exist then,
but without sambaSAMAccount object class nor any other samba attribute.
Only after adding these by hand and joning the machine to my samba
domain, users can login. I tried also using smbldap-useradd with
multiple options, -w for workstation account and -a for samba
attributes, but no luck. I wish I shouldn't add 200 machines to an
already existing domain after the migration...
- Users, once logged in to Linux, cannot change their password with
smbldap-passwd. They get 'user [username] doesn't exist.' Well, I'm
talking about a logged in user...
This is how Samba, OpenLDAP and the Idealx-Tools are configured:
# egrep -v '^$|^#' smb.conf
[global]
netbios name = SARGE-TS
workgroup = UB
security = User
server string = %h server (Samba %v)
wins support = yes
preferred master = yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
encrypt passwords = true
domain logons = yes
domain master = yes
logon drive = H:
logon home = \\%L\%U
ldap passwd sync = Yes
os level = 65
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=manager,dc=ub,dc=unibas,dc=ch
ldap suffix = dc=ub,dc=unibas,dc=ch
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
short preserve case = yes
case sensitive = no
map to guest = Bad User
guest account = nobody
invalid users = root
ldap password sync = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[homes]
comment = Home Directory for %U
browseable = no
writable = yes
create mask = 0700
directory mask = 0700
[netlogon]
path = /export/home/samba/netlogon/
# browseable = No
# locking = No
read only = yes
[profiles]
path = /export/home/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
force user = %U
valid users = %U "Domain Admins"
# egrep -v '^$|^#' slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/solaris-nis.schema
include /etc/ldap/schema/solaris.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/phpgwaccount.schema
include /etc/ldap/schema/phpgwcontact.schema
modulepath /usr/lib/ldap
moduleload back_ldbm
backend ldbm
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
password-hash {MD5}
replogfile /var/lib/ldap/replog
loglevel 256
database ldbm
suffix "dc=ub,dc=unibas,dc=ch"
rootdn "cn=manager,dc=ub,dc=unibas,dc=ch"
rootpw {MD5}XXXXXXXXXXXXXXXXXXXXXX==
directory "/var/lib/ldap/ub"
lastmod on
cachesize 40000
dbcachesize 60000000
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq
index default sub
index phpgwContactOwner pres,eq,sub
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by dn="cn=manager,dc=ub,dc=unibas,dc=ch" write
by dn="cn=nss,dc=ub,dc=unibas,dc=ch" read
by * auth
# egrep -v '^$|^#' smbldap_bind.conf
slaveDN="cn=manager,dc=ub,dc=unibas,dc=ch"
slavePw="XXXXXXX"
masterDN="cn=manager,dc=ub,dc=unibas,dc=ch"
masterPw="XXXXXX"
# egrep -v '^$|^#' smbldap.conf
SID="S-1-5-21-98201057-1281969052-1085559986"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
suffix="dc=ub,dc=unibas,dc=ch"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
scope="sub"
hash_encrypt="MD5"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="UB Domain User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
userSmbHome="\\sarge-ts\%U"
userProfile="\\sarge-ts\%U\winprofile"
userHomeDrive="H:"
mailDomain="unibas.ch"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
Thanks for any suggestions!
Paul
--
Paul Coray
Administrator Server und Netzwerk
Oeffentliche Bibliothek der Universitaet Basel
EDV-Abteilung
Schoenbeinstrasse 18-20
CH-4056 Basel
Tel: +41 61 267 05 13
Fax: +41 61 267 31 03
mailto:paul.coray at unibas.ch
http://www.ub.unibas.ch
More information about the samba
mailing list