[Samba] How to migrate samba 2.x account to ldap backend
Ben Tisdall
ben at redcircleit.com
Wed Aug 1 15:26:27 GMT 2007
GreeG wrote:
> Hi there,
>
> Has anybody ever done this: migrate samba 2.x users (and their unix
> accounts) to an openldap? I've found plenty of how-tos for building a
> blank samba/ldap authentication system, but nothing for migrating existing
> samba 2.x accounts (but samba 3.x)... smbldap-tools are useful for
> creating groups etc., migratetools are useful for unix accounts, but what
> about samba 2.x?

I'm in the midst of such a migration & agree the information out there
is surprisingly sparse. **I should point out that I was already on
Samba 3 so apologies if this doesn't apply here - test in a safe manner**

I'm assuming you've already got all your posix accounts & groups in
place - if you've used the PADL scripts to migrate these you'll have to
modify some entries so that your machine accounts are under ou=computers
rather than ou=users or ou=people.

Having laid the ground, I would firstly copy your smb.conf to something
like migrate.smb.conf & put all the stuff in the copy to allow it to
talk to your LDAP server, **but not including the ldapsam backend
directive**, eg:

    ldap ssl = [off|on|start_tls]
    ldap admin dn = uid=admin,dc=example,dc=com
    ldap suffix = dc=example,dc=com
    ldap group suffix = ou=groups
    ldap user suffix = ou=users
    ldap machine suffix = ou=computers

Put the ldap admin user in secrets.tdb by doing:

    smbpasswd -w adminpass

Copy your smbpasswd file to an alternate location to avoid accidentally
clobbering the real one with a typo.

Now you can use pdbedit to export users, letting it use the new conf
file by specifying it with '-s':

    pdbedit -s /path/to/migrate.smb.conf -e \
    ldapsam:ldap://ldap.example.com[:port]

Also group mappings:

    pdbedit -s /path/to/migrate.smb.conf -g -e \
    ldapsam:ldap://ldap.example.com[:port]

Obviously you'll need to point samba to the new backend once it's ready.

HTH
--
Ben Tisdall
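
A post-export check for the procedure in the message above, added here as an example and not part of the original post or of Samba: it compares the copied smbpasswd file with an LDIF dump of the directory and reports accounts that are missing, sit under the wrong OU (machine accounts outside ou=computers), or whose NT hash or account flags differ. The function names, sample accounts and placeholder hashes are constructed; it assumes unfolded, non-base64 LDIF that includes uid, sambaNTPassword and sambaAcctFlags.

```python
import re

USER_OU, MACHINE_OU = "ou=users", "ou=computers"  # suffixes from the post's smb.conf

def parse_smbpasswd(text):
    """{name: (nt_hash, flags)} from lines of name:uid:LM:NT:[flags]:LCT-..:"""
    out = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _uid, _lm, nt, flags = line.split(":")[:5]
            out[name.lower()] = (nt.upper(), flags.strip("[] "))
    return out

def parse_ldif(text):
    """{uid: (dn, nt_hash, flags)} from simple LDIF (no folded or base64 lines)."""
    out = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        a = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if "uid" in a:
            out[a["uid"].lower()] = (a.get("dn", "").lower(),
                                     a.get("sambaNTPassword", "").upper(),
                                     a.get("sambaAcctFlags", "").strip("[] "))
    return out

def audit(smbpasswd_text, ldif_text):
    """Return a list of accounts that are missing, misplaced or altered in LDAP."""
    ldap, problems = parse_ldif(ldif_text), []
    for name, (nt, flags) in sorted(parse_smbpasswd(smbpasswd_text).items()):
        if name not in ldap:
            problems.append(f"{name}: not in LDAP")
            continue
        dn, ldap_nt, ldap_flags = ldap[name]
        want = MACHINE_OU if name.endswith("$") else USER_OU  # trailing $ = machine
        if f",{want}," not in dn:
            problems.append(f"{name}: expected under {want}, found {dn}")
        if ldap_nt != nt:
            problems.append(f"{name}: sambaNTPassword missing or different")
        if ldap_flags != flags:
            problems.append(f"{name}: flags {ldap_flags!r}, expected {flags!r}")
    return problems

# Constructed sample data (placeholder hashes, not real credentials).
LM, F = "X" * 32, "          ]:LCT-00000000:"  # F completes the "[U" / "[W" flag field
SMBPASSWD = (f"alice:1001:{LM}:{'A' * 32}:[U{F}\n"
             f"bob:1002:{LM}:{'B' * 32}:[U{F}\n"
             f"ws01$:2001:{LM}:{'C' * 32}:[W{F}\n")
LDIF = ("dn: uid=alice,ou=users,dc=example,dc=com\nuid: alice\n"
        f"sambaNTPassword: {'A' * 32}\nsambaAcctFlags: [U          ]\n\n"
        "dn: uid=ws01$,ou=users,dc=example,dc=com\nuid: ws01$\n"
        f"sambaNTPassword: {'C' * 32}\nsambaAcctFlags: [W          ]\n")

if __name__ == "__main__":
    print("\n".join(audit(SMBPASSWD, LDIF)) or "all accounts match")
```

Both inputs contain password-equivalent NT hashes, so the smbpasswd copy and the LDIF dump need the same file permissions as the original smbpasswd file and should be deleted once the check passes.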