[Samba] Does or doesn't vampiring users add them into multiple groups at the same time?
Geoff Scott
geoffs at guestshire.com
Wed May 11 02:48:16 GMT 2005
Geoff Scott wrote:
> John H Terpstra wrote:
>> On Tuesday 10 May 2005 01:33, Geoff Scott wrote:
>>> Hi all,
>>>
>>> The new NT migration chapter of Samba guide seems to indicate in the
>>> migration Log Validation (section 9.3.1.1) that users get added to
>>> all the same groups that they were in under the NT4 domain. However
>>> I am not seeing this despite having had a seemingly successful
>>> migration. All my users get added into the Domain User group but
>>> not into any other group. Is the text below now wrong or right????
>>
>> If you use version 3.0.12 or later, for most migrations the
>> multi-group info should transfer OK. I am now aware that if the NT4
>> domain is post SP5 on some migrations multi-group info is not
>> transferred and some account (both user and machine) password
>> entries are not transferred either.
>>
>> Maybe Andrew Bartlett will chime in on this?
>
> OK. After testing this out on a vanilla system that I built to test
> out the changes to chapter 9 for you John, it appears that on a
> system configured like this:
> Ubuntu Hoary
> All ldap, nss_ldap, etc obtained from Ubuntu sources
> Samba 3.0.13 Debian stable from samba.planetmirror.com
> smbldap-tools-0.8.7.tgz
> Users in ou=People,dc=guestshire,dc=com etc
> And the adduser script like this:
> add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'
> NT4 server system SP6a
>
> vampiring users works 100%, there are absolutely no errors in the
> error log, and the vampire log shows the users being added to the
> multiple groups successfully. The users all have sambaLMPassword &
> sambaNTPassword set properly and *all* old settings are brought
> across.
>
> So what is the difference between the 2 servers? The differences are
> these:
>
> The "add user script =" has "smbldap-useradd -a -m '%u'". I added a
> "-a" after looking at the output of "smbldap-useradd -?" as that
> coupled with the *OLD* version of the NT migration chapter (I thought
> that the omission of that in the NEW sample chapter 9 smb.conf was a
> typo) seemed to indicate that only POSIX attributes would be added if
> the "-a" was left out.
> However, adding the "-a" to the smbldap-useradd script in the
> smb.conf results in errors along the lines of "user already exists
> with samba attributes" in the vampire error log and no multiple group
> membership, no passwords, no sambaHomeDrive, no sambaMungedDial and
> so on.
>
> My users are in
> ou=Users,ou=OxObjects,dc=guestsfurniturehire,dc=com,dc=au to fit in
> with OpenExchange.
>
> I am using samba 3.0.14a
>
> I am using smbldap-tools-0.8.8.tgz (which as you mentioned to me
> recently appear to be broken)
>
> The questions I now ask are these:
> Is the subtraction of "-a" for the smbldap-useradd script only for
> the migration? Does it need to be added back in later?
> Can the smbldap-tools cope with an extra "ou" ?
> If after testing some of my findings on the non-vanilla server and
> finding them to work can I set the NetBIOS aliases to include the old
> server name as the sambaHomeDrive directive in LDAP after vampiring
> lists the path as \\oldserver\username. How can I work around old
> settings such as these?
>
> I will now go and test against the non-vanilla server.
>
The other thing that I forgot to ask was this. I understand for reasons of
efficiency and simplicity why it is that we generally put the machine
accounts into ou=People,dc=domain,dc=com. But on both systems after
vampiring the computers end up with an entry in ldap of gidNumber: 513 and
a sambaPrimaryGroupSID: that ends in -513; this is even though I have
defaultComputerGid="515" set in smbldap.conf. Can I provide any further
info to help figure out what is going on?

Regards,
Geoff Scott
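
The machine-account symptom described in the message above can be checked across a whole directory export; the following is an added example, not part of the original post and not Samba or smbldap-tools code. It assumes an LDIF dump of the accounts container (the sample DNs and domain SID are constructed), and takes 515 from the defaultComputerGid quoted in the post and the well-known Domain Computers RID.

```python
EXPECTED_GID = "515"  # defaultComputerGid value quoted in the post
EXPECTED_RID = "515"  # well-known RID of the Domain Computers group
# Constructed sample export; the DNs and the domain SID are made up.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=People,dc=example,dc=com
uid: ws01$
gidNumber: 513
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: uid=ws02$,ou=People,dc=example,dc=com
uid: ws02$
gidNumber: 515
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-515

dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
gidNumber: 513
"""

def parse_ldif(text):
    """Split LDIF into {attr: [values]} dicts; skips comment, folded and base64 lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or line.startswith(("#", " ")) or value.startswith(":"):
                continue
            entry.setdefault(attr.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit_machine_accounts(entries):
    """Return (uid, problems) for machine accounts outside the computers group."""
    findings = []
    for e in entries:
        uid = e.get("uid", [""])[0]
        if not uid.endswith("$"):  # Samba machine account names end in '$'
            continue
        gid = e.get("gidnumber", [""])[0]
        rid = e.get("sambaprimarygroupsid", [""])[0].rsplit("-", 1)[-1]
        checks = [("gidNumber", gid, EXPECTED_GID), ("primary group RID", rid, EXPECTED_RID)]
        problems = [f"{name}={got}" for name, got, want in checks if got != want]
        if problems:
            findings.append((uid, problems))
    return findings

if __name__ == "__main__":
    print(audit_machine_accounts(parse_ldif(SAMPLE_LDIF)))
```

Run against a real export, each finding names a machine account whose POSIX group or Samba primary group SID still points at the users group, which is the set to compare before and after any change to the add-machine configuration.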