[Samba] Samba 3.0.9 ==> 3.0.14a migration LDIF problem

Craig White craigwhite at azapple.com
Fri Dec 2 14:56:19 GMT 2005


On Fri, 2005-12-02 at 08:22 -0500, Collins, Kevin wrote:
> (This time to the list)
> 
> Andrew and Craig:  Thank you both for replying.
> 
> Following Andrew's advice, I set out to add the line
> 
> "objectClass: account"
> 
> to all of my computer accounts in the LDIF.  (None of them had this declaration)
> 
> After that was accomplished, I tried to re-import the LDIF.  The process got much farther than before, but it again failed a computer account.  A little closer investigation revealed a difference in these accounts.  And it appears to be coincidental to a certain point in time.  All of the older accounts are one way and the newer accounts are a different way.  Now, I'm wondering which is the "proper" way for me moving forward.  Here are the examples:
> 
> "Old" computer account
> ===============================================================================
> dn: uid=nei-10$,ou=Computers,dc=nesbitt,dc=local
> uidNumber: 1008
> gidNumber: 553
> homeDirectory: /dev/null
> loginShell: /bin/false
> objectClass: top
> objectClass: posixAccount
> objectClass: sambaSamAccount
> objectClass: account
> uid: nei-10$
> displayName: NEI-10$
> cn: NEI-10$
> description: Computer
> sambaSID: S-1-5-21-3325760187-3909277049-4208064797-3016
> sambaPrimaryGroupSID: S-1-5-21-3325760187-3909277049-4208064797-2107
> sambaAcctFlags: [W          ]
> sambaLogonTime: 0
> sambaLogoffTime: 0
> sambaKickoffTime: 0
> sambaPwdMustChange: 2147483647
> sambaPwdCanChange: 1130941262
> sambaNTPassword: 3520D823FF3A3EA0D246ACF5D99F5061
> sambaPwdLastSet: 1130941262
> modifiersName: cn=Manager,dc=nesbitt,dc=local
> modifyTimestamp: 20051102142102Z
> ===============================================================================
> 
> 
> "New" computer account:
> ===============================================================================
> dn: uid=stargazer$,ou=Computers,dc=nesbitt,dc=local
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: sambaSamAccount
> objectClass: account
> cn: stargazer$
> sn: stargazer$
> uid: stargazer$
> uidNumber: 1081
> gidNumber: 553
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> creatorsName: cn=Manager,dc=nesbitt,dc=local
> createTimestamp: 20040309024546Z
> sambaSID: S-1-5-21-3325760187-3909277049-4208064797-3162
> sambaPrimaryGroupSID: S-1-5-21-3325760187-3909277049-4208064797-2107
> displayName: stargazer$
> sambaPwdMustChange: 2147483647
> sambaAcctFlags: [W          ]
> sambaPwdCanChange: 1078869765
> sambaLMPassword: F8490F746485FE71A1E92A4788FB2592
> sambaNTPassword: F8490F746485FE71A1E92A4788FB2592
> sambaPwdLastSet: 1078869765
> modifiersName: cn=Manager,dc=nesbitt,dc=local
> modifyTimestamp: 20040309220245Z
> ===============================================================================
> 
> When I run the LDIF import, I get this error:
> 
> slapadd: dn="uid=stargazer$,ou=Computers,dc=nesbitt,dc=local" (line=2415): (65) invalid structural object class chain (inetOrgPerson/account)
> 
> My "gut" tells me the "new" definition minus the "objectClass: account" is the way to go, but before I do anything else, I'd like to know.
> 
> John T: If you're reading this, it might not be a bad idea to show the "proper" basic requirements for each of the account types in LDIF format somewhere in one of your books.  I searched through both of them looking for the answer to this and couldn't find it.  Maybe it would help someone in the future.
> 
----
My domain workstations only have the account and sambaSamAccount
objectclasses but when I looked at yours, I didn't know that
sambaSamAccount had specific requirements beyond uid and sambaSID but
got the impression from Andrew's response that you must have the account
objectclass and thought that your usage of posixAccount was enough.

thus one of my workstations would end up with this...

# win-workstation$, People, azapple.com
dn: uid=win-workstation$,ou=Computers,ou=Accounts,dc=azapple,dc=com
uid: win-workstation$
sambaSID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXXX-XXXXXXXXXX-2006
objectClass: sambaSamAccount
objectClass: account
displayName: WIN-WORKSTATION$
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W          ]
sambaPrimaryGroupSID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXXX-XXXXXXXXXX-553
sambaPwdCanChange: 1132660033
sambaNTPassword: removed
sambaPwdLastSet: 1132660033

and thus, I don't have to deal with all the other attributes required by
the posixAccount and inetOrgPerson objectclasses and the structural
problems of all those, though it would seem that having to top
structural object should put them in order...it may be as simple as the
order of the objectclasses as they are presented within your ldif file.

I would suggest that you consider...

copying the ldif file and sectioning it to import all the easy stuff
first and perhaps move the computer accounts to a separate section
(file) to deal with separately. This way, you could try adding one
computer account at a time to simplify troubleshooting

use slapadd instead of ldapadd (you didn't specify which you are using)

Craig
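
The slapadd error quoted in this thread comes from an entry carrying two structural object classes (inetOrgPerson and account) that do not sit on one inheritance chain. The following Python script is an added example, not part of the original post and not Samba or OpenLDAP code; it flags such entries in an LDIF before import. The schema table is an assumption based on the stock OpenLDAP schemas, and the sample entries are constructed.

```python
# Structural classes -> structural superclass (None = directly under top), as
# assumed from stock OpenLDAP schemas; posixAccount/sambaSamAccount are auxiliary.
STRUCTURAL_PARENT = {"person": None, "organizationalperson": "person",
                     "inetorgperson": "organizationalperson", "account": None}

def chain(cls):
    """Return cls and its structural ancestors, lower-cased."""
    out, cur = [], cls.lower()
    while cur is not None:
        out.append(cur)
        cur = STRUCTURAL_PARENT[cur]
    return out

def parse_ldif(text):
    """Yield (dn, objectClass values) per entry; plain 'dn:' values only."""
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split
        dn, classes = None, []
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if key.lower() == "dn":
                dn = value.strip()
            elif key.lower() == "objectclass":
                classes.append(value.strip())
        if dn:
            yield dn, classes

def structural_problem(classes):
    """Return None for a single structural chain, else a description."""
    structural = [c for c in classes if c.lower() in STRUCTURAL_PARENT]
    if not structural:
        return "no structural object class"
    for cand in structural:  # fine if one class's chain covers the others
        if all(o.lower() in chain(cand) for o in structural):
            return None
    return "unrelated structural classes: " + "/".join(structural)

def check(text):
    """Map the dn of each problem entry to its description."""
    found = {dn: structural_problem(c) for dn, c in parse_ldif(text)}
    return {dn: why for dn, why in found.items() if why}

# Constructed sample: the "new" and "old" shapes from the thread.
AUX = "objectClass: posixAccount\nobjectClass: sambaSamAccount\n"
SAMPLE = ("dn: uid=new$,dc=example,dc=com\nobjectClass: inetOrgPerson\n" + AUX +
          "objectClass: account\n\n"
          "dn: uid=old$,dc=example,dc=com\n" + AUX + "objectClass: account\n")
print(check(SAMPLE))
```

Only the entries the script reports need hand editing; the rest can go into the first, "easy" import file.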


