[Samba] Samba and Migration to an existing LDAP backend

John H Terpstra - Samba Team jht at samba.org
Wed May 20 00:37:39 GMT 2009

John Goubeaux wrote:
>> John,
>> You can migrate all your /etc/passwd, /etc/shadow, /etc/group entries to
>> LDAP using the PADL Migration Tools. See:
>> http://www.padl.com/OSS/MigrationTools.html
>> After the UNIX system accounts have been migrated to LDAP, just execute:
>>     pdbedit -i smbpasswd -e ldapsam
>>     pdbedit -i smbpasswd -e ldapsam -g
>> The first migrates user SambaSAM account info, the second your group
>> configuration.
>> PS: If your samba account info is in tdb files (ie: tdbsam) then execute:
>>     pdbedit -i tdbsam -e ldapsam
>>     pdbedit -i tdbsam -e ldapsam -g
>> - John T.
>> -- 
>> John H Terpstra
>> "If at first you don't succeed, don't go sky-diving!"
> Thanks John,
> What if the user's passwd in /etc/shadow is not the same as in their
> existing directory entry ?

Well, then you will have some resolution work ahead of you!

> Meaning, user  <bob>  has an /etc/passwd entry ( crypt) for the old
> samba server but ALSO has a directory entry uid=bob,  but with a passwd 
> (SSSH ) that is different ?

So you set up a new LDAP directory and now you have a problem? You could
dump your current directory, then migrate the existing /etc/passwd   and
/etc/shadow info into your LDAP directory, then dump that LDAP directory
contents, then perform a merge of the two directory dumps and then reload.

slapcat and slapadd are you friend - check the man pages.

> I do not see a way to populate their directory entry AND sync up their
> entry without running pdbedit -a bob   and entering their Directory
> passwd in clear txt as am prompted.

Why? Why?  The use of pbdedit -i source -e ldapsam, where source is
either 'smbpasswd' or 'tdbsam' - is your friend also.  This will import
all the SambaSAM info (including Windows passwords) into the LDAP
directory.  What part of this does not compute?

> Meaning I am trying to avoid having all the users have to re-enter a
> passwd but maybe this is not possible ?

Sorry, I must have missed something here - the advice I gave was exactly
intent on avoiding the need for users to reenter their passwords.

Please read the man page for pdbedit and take note of the command line
parameters I pointed out to you.

John T.

More information about the samba mailing list