[Samba] How to change objectSid?

Diego Woitasen diego at woitasen.com.ar
Wed Feb 5 18:57:23 MST 2014


On Wed, Feb 5, 2014 at 10:12 PM, Diego Woitasen <diego at woitasen.com.ar> wrote:
> On Wed, Feb 5, 2014 at 6:17 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>> On Wed, 2014-02-05 at 16:46 -0300, Diego Woitasen wrote:
>>> On Wed, Feb 5, 2014 at 3:43 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>>> > On Wed, 2014-02-05 at 09:18 -0300, Diego Woitasen wrote:
>>> >> I'm migrating from Samba3 to Samba4 in an environment where I have a
>>> >> central location and branches. Every branch with its own Samba3, using
>>> >> OpenLDAP.
>>> >
>>> > In each of these locations, did Samba have its own domain, or was this
>>> > one big domain?
>>>
>>> One big domain.
>>>
>>> >
>>> >> I can't migrate all the locations at the same time. I'm
>>> >> going to migrate the central site and then one site per week
>>> >> (around 10 locations).
>>> >
>>> > OK.
>>> >
>>> >> In the meantime, users and groups will be created in Samba3, so I was
>>> >> thinking about injecting the new users and groups in the Samba4 until
>>> >> we eliminate Samba3 definitely.
>>> >
>>> > Could you create them into Samba4, and instead back-populate them into
>>> > Samba3?
>>>
>>> Yes, I like that solution. I'm going to do it in that way.
>>>
>>> The only remaining issue is the new workstations. I'll need to copy
>>> the new machines from S3 to S4. If we don't do it, it's not a serious
>>> issue, but it would be great. I think our client is not going to buy a
>>> lot of machines in the middle of the migration :)
>>
>> It should be pretty easy to rejoin those machines, if that helps avoid
>> another special case to handle.
>
> By rejoin, you mean that I can rejoin the machines without going one
> by one typing user and password? Could you explain this better?
>
>>
>>> My modified classicupgrade works to copy wks, but I'd prefer
>>> something more simple. I'll open another thread about a script that
>>> I've tried to do without success.
>>
>> OK.  I would like to understand how to make this tool and Samba in
>> general more helpful for those doing complex migrations, particularly
>> those for whom a once-over cut just isn't practical.
>
> Something like this?
>
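> s3db = get_s3_db()        # passdb handle for the old Samba3 domain
> s4_passdb = get_s4_db()   # passdb handle for the new Samba4 domain
>
> wkslist = s3db.search_users(0)
> for entry in wkslist:
>     machine_name = entry['account_name']
>     machine = s3db.getsampwnam(machine_name)
>     acct_type = get_account_type(machine)
>     # Only workstation trust accounts (machine names end in '$')
>     if acct_type == samr.ACB_WSTRUST and machine_name[-1] == '$':
>         try:
>             # Already present in Samba4: nothing to do
>             userentry = s4_passdb.getsampwnam(machine_name)
>         except passdb.error:
>             # Missing in Samba4: add the account read from Samba3
>             s4_passdb.add_sam_account(machine)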
>
> For some reason I can't connect to s3 and s4 like classicupgrade does,
> I'll post about this tomorrow. Anyway, we need something simple like
> that to inject workstations created in the middle of the migration
> process.
>

Here is the code snippet that I'm using to connect passdb to s3 and s4:

from samba.samba3 import param as s3param
from samba.samba3 import passdb
from samba.samba3 import Samba3

# Samba4: load its smb.conf and open the configured passdb backend
s4conf = s3param.get_context()
s4conf.load('/usr/local/samba/etc/smb.conf')
s4db = passdb.PDB(s4conf.get("passdb backend"))

print(s4db.getsampwnam("dwoitasen").username)

# Samba3: separate smb.conf and private dir, then open its passdb backend
smbconf = '/root/etc/samba/smb.conf'
s3conf = s3param.get_context()
s3conf.set("private dir", "/root/var/lib/samba")
s3conf.load(smbconf)
samba3 = Samba3(smbconf, s3conf)
s3db = passdb.PDB(s3conf.get("passdb backend"))

print(s3db.getsampwnam("dwoitasen").username)

This code works, but only for the samba4 setup; samba3 fails with this error:

  File "passdb-example.py", line 20, in <module>
    s3db = passdb.PDB(s3conf.get("passdb backend"))
passdb.error: Cannot load backend methods for 'samba_dsdb' backend
(-1073741823,Undetermined error)

If I switch the lines setting up Samba3 before Samba4, Samba4
connection fails with the same error:

   File "passdb-example.py", line 20, in <module>
    s4db = passdb.PDB(s4conf.get("passdb backend"))
passdb.error: Cannot load backend methods for 'samba_dsdb' backend
(-1073741823,Undetermined error)

I copied the code from classicupgrade; it is very similar. I don't
understand where the difference is that makes this fail.

If this works, we'll be able to add new wks from the old domain.

Regards,
  Diego

-- 
Diego Woitasen
Linux and Open Source solutions architect at www.vhgroup.net

