[Samba] Does or doesn't vampiring users add them into multiple groups at the same time?

Geoff Scott geoffs at guestshire.com
Wed May 11 02:48:16 GMT 2005

Geoff Scott wrote:
> John H Terpstra wrote:
>> On Tuesday 10 May 2005 01:33, Geoff Scott wrote:
>>> Hi all,
>>> The new NT migration chapter of Samba guide seems to indicate in the
>>> migration Log Validation (section that users get added to
>>> all the same groups that they were in under the NT4 domain.  However
>>> I am not seeing this despite having had a seemingly successful
>>> migration. All my users get added into the Domain User group but
>>> not into any other group. Is the text below now wrong or right????
>> If you use version 3.0.12 or later, for most migrations the
>> multi-group info should transfer OK. I am now aware that if the NT4
>> domain is post SP5 on some migrations multi-group info is not
>> transferred and some account (both user and machine) password
>> entries are not transferred either. 
>> Maybe Andrew Bartlett will chime in on this?
> OK. After testing this out on a vanilla system that I built to test
> out the changes to chapter 9 for you John, it appears that on a
> system configured like this:  
> Ubuntu Hoary
> All ldap, nss_ldap, etc obtained from Ubuntu sources
> Samba 3.0.13 Debian stable from samba.planetmirror.com
> smbldap-tools-0.8.7.tgz
> Users in ou=People,dc=guestshire,dc=com  etc
> And the adduser script like this:
> add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'
> NT4 server system SP6a
> vampiring users works %100, there are absolutely no errors in the
> error log, and the vampire log shows the users being added to the
> multiple groups successfully. The users all have  sambaLMPassword &
> sambaNTPassword set properly and *all* old settings are brought
> across.    
> So what is the difference between the 2 servers? The differences are
> these: 
> The "add user script =" has "smbldap-useradd -a -m '%u'"  I added a
> "-a" 
> after looking at the output of "smbldap-useradd -?" as that coupled
> with the *OLD* version of the NT migration chapter (I thought that
> the omission of that in the NEW sample chapter 9 smb.conf was a typo)
> seemed to indicate that only POSIX attributes would be added if the
> "-a" was left out.   
> However, adding the "-a" to the smbldap-useradd script in the
> smb.conf results in errors along the lines of "user already exists
> with samba attributes" in the vampire error log and no multiple group
> membership, no passwords, no sambaHomeDrive, no sambaMungedDial and
> so on.    
> My users are in
> ou=Users,ou=OxObjects,dc=guestsfurniturehire,dc=com,dc=au to fit in
> with OpenExchange.  
> I am using samba 3.0.14a
> I am using smbldap-tools-0.8.8.tgz (which as you mentioned to me
> recently appear to be broken) 
> The questions I now ask are these:
> Is the subtraction of "-a" for the smbldap-useradd script only for
> the migration?  Does it need to be added back in later? 
> Can the smbldap-tools cope with  an extra "ou" ?
> If after testing some of my findings on the non-vanilla server and
> finding them to work can I set the NetBIOS aliases to include the old
> server name as the sambaHomeDrive directive in LDAP after vampiring
> lists the path as \\oldserver\username .  How can I work around old
> settings such as these?    
> I will now go and test against the non-vanilla server.

The other thing that I forgot to ask was this.  I understand for reasons of
efficiency and simplicity why it is that we generally put the machine
accounts into ou=People,dc=domain,dc=com.  But on both systems after
vampiring the computers end up with an entry in ldap of gidNumber: 513  and
a sambaPrimaryGroupSID: that ends in -513. This is even though I have
defaultComputerGid="515" set in smbldap.conf.  Can I provide any further
info to help figure out what is going on?

Regards Geoff Scott
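
The two checks raised in this message (users ending up only in Domain Users, and machine accounts carrying gidNumber 513 and a primary group SID ending in -513 instead of 515) can be run against an LDIF export of the directory after vampiring. The script below is an added example, not part of the original post or of Samba or smbldap-tools; the sample LDIF, the example.com DNs and the function names are constructed for illustration, and it assumes group membership is stored as memberUid on posixGroup entries.

```python
from collections import defaultdict

# Constructed sample LDIF (names and SIDs are made up), shaped like ldapsearch output.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: ws01$
gidNumber: 513
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-513

dn: cn=Domain Users,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Domain Users
memberUid: alice
memberUid: bob

dn: cn=Accounts,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Accounts
memberUid: alice
"""

def parse_ldif(text):
    """Yield entries as {lower-cased attribute: [values]}; base64 (attr::) values are skipped."""
    for block in text.replace("\n ", "").strip().split("\n\n"):  # unfold, then split entries
        entry = defaultdict(list)
        for line in block.splitlines():
            attr, sep, value = line.partition(": ")
            if sep and not attr.startswith("#") and not attr.endswith(":"):
                entry[attr.lower()].append(value)
        if entry:
            yield entry

def audit(text, computer_gid="515", computer_rid="515"):
    """Return (groups per user, users in fewer than two groups, mis-grouped machine accounts).

    computer_gid is assumed to match defaultComputerGid in smbldap.conf;
    515 is also the well-known Domain Computers RID.
    """
    groups, machines = defaultdict(set), []
    for e in parse_ldif(text):
        if "posixgroup" in (c.lower() for c in e["objectclass"]):
            for member in e["memberuid"]:
                groups[member].add(e["cn"][0])
        for uid in e["uid"]:
            if uid.endswith("$"):  # Samba machine accounts end in "$"
                gid = (e["gidnumber"] or [None])[0]
                rid = (e["sambaprimarygroupsid"] or [""])[0].rsplit("-", 1)[-1] or None
                if gid != computer_gid or rid != computer_rid:
                    machines.append((uid, gid, rid))
    single = sorted(u for u, g in groups.items() if len(g) < 2)
    return {u: sorted(g) for u, g in groups.items()}, single, machines
```

Feeding it the output of an ldapsearch over the whole suffix gives a list of users to compare against the NT4 group memberships and a list of machine accounts whose primary group needs correcting.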

