[Samba] How to change objectSid?

Diego Woitasen diego at woitasen.com.ar
Sun Feb 9 16:42:14 MST 2014


On Fri, Feb 7, 2014 at 6:14 AM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Fri, 2014-02-07 at 16:51 +1300, Andrew Bartlett wrote:
>> On Wed, 2014-02-05 at 22:57 -0300, Diego Woitasen wrote:
>> > On Wed, Feb 5, 2014 at 10:12 PM, Diego Woitasen <diego at woitasen.com.ar> wrote:
>> > > On Wed, Feb 5, 2014 at 6:17 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>> > >> On Wed, 2014-02-05 at 16:46 -0300, Diego Woitasen wrote:
>> > >>> On Wed, Feb 5, 2014 at 3:43 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>> > >>> > On Wed, 2014-02-05 at 09:18 -0300, Diego Woitasen wrote:
>> > >>> >> I'm migrating from Samba3 to Samba4 in an environment where I have a
>> > >>> >> central location and branches. Every branch with its own Samba3, using
>> > >>> >> OpenLDAP.
>> > >>> >
>> > >>> > In each of these locations, did Samba have its own domain, or was this
>> > >>> > one big domain?
>> > >>>
>> > >>> One big domain.
>> > >>>
>> > >>> >
>> > >>> >> I can't migrate all the locations at the same time. I'm
>> > >>> >> going to migrate the central site and then I'm one site per week
>> > >>> >> (around 10 locations).
>> > >>> >
>> > >>> > OK.
>> > >>> >
>> > >>> >> In the meantime, users and groups will be created in Samba3, so I was
>> > >>> >> thinking about injecting the new users and groups in the Samba4 until
>> > >>> >> we eliminate Samba3 definitely.
>> > >>> >
>> > >>> > Could you create them into Samba4, and instead back-populate them into
>> > >>> > Samba3?
>> > >>>
>> > >>> Yes, I like that solution. I'm going to do it in that way.
>> > >>>
>> > >>> The only remaining issue are the new workstations. I'll need to copy
>> > >>> the new machines from S3 to S4. If we don't do it, it's not a serious
>> > >>> issue, but it would be great. I think our client is not going to buy a
>> > >>> lot of machines in the middle of the migration :)
>> > >>
>> > >> It should be pretty easy to rejoin those machines, if that helps avoid
>> > >> another special case to handle.
>> > >
>> > > By rejoin, you mean that I can rejoin the machines without going one
>> > > by one typing user and password? Could you explain this better?
>> > >
>> > >>
>> > >>> My modified classicupgrade works to copy wks, but I'd prefer
>> > >>> something more simple. I'll open another thread about a script that
>> > >>> I've tried to do without success.
>> > >>
>> > >> OK.  I would like to understand how to make this tool and Samba in
>> > >> general more helpful for those doing complex migrations, particularly
>> > >> those for whom a once-over cut just isn't practical.
>> > >
>> > > Something like this?
>> > >
>> > > s3_passdb = get_s3_db()
>> > > s4_passdb = get_s4_db()
>> > >
>> > > wkslist = s3_passdb.search_users(0)
>> > > for entry in wkslist:
>> > >     machine_name = entry['account_name']
>> > >     machine = s3_passdb.getsampwnam(machine_name)
>> > >     acct_type = get_account_type(machine)
>> > >     if acct_type == samr.ACB_WSTRUST and machine_name[-1] == '$':
>> > >         try:
>> > >             userentry = s4_passdb.getsampwnam(machine_name)
>> > >         except passdb.error:
>> > >             s4_passdb.add_sam_account(machine)
>> > >
>> > > For some reason I can't connect to s3 and s4 like classicupgrade does,
>> > > I'll post about this tomorrow. Anyway, we need something simple like
>> > > that to inject workstations created in the middle of the migration
>> > > process.
>> > >
>> >
>> > Here is the code snippet that I'm using to connect passdb to s3 and s4:
>> >
>> > from samba.samba3 import param as s3param
>> > from samba.samba3 import passdb
>> > from samba.samba3 import Samba3
>> >
>> > s4conf = s3param.get_context()
>> > s4conf.load('/usr/local/samba/etc/smb.conf')
>> > s4db = passdb.PDB(s4conf.get("passdb backend"))
>> >
>> > print s4db.getsampwnam("dwoitasen").username
>> >
>> > smbconf = '/root/etc/samba/smb.conf'
>> > s3conf = s3param.get_context()
>> > s3conf.set("private dir", "/root/var/lib/samba")
>> > s3conf.load(smbconf)
>> > samba3 = Samba3(smbconf, s3conf)
>> > s3db = passdb.PDB(s3conf.get("passdb backend"))
>> >
>> > print s3db.getsampwnam("dwoitasen").username
>> >
>> > This code works, but only for samba4 setup, samba3 fails with this error:
>> >
>> >   File "passdb-example.py", line 20, in <module>
>> >     s3db = passdb.PDB(s3conf.get("passdb backend"))
>> > passdb.error: Cannot load backend methods for 'samba_dsdb' backend
>> > (-1073741823,Undetermined error)
>> >
>> > If I switch the lines setting up Samba3 before Samba4, Samba4
>> > connection fails with the same error:
>> >
>> >    File "passdb-example.py", line 20, in <module>
>> >     s4db = passdb.PDB(s4conf.get("passdb backend"))
>> > passdb.error: Cannot load backend methods for 'samba_dsdb' backend
>> > (-1073741823,Undetermined error)
>> >
>> > I copied the code from classicupgrade, it is very similar; I don't
>> > understand where the difference is that makes this fail.
>>
>> The interactions between the s3conf.load calls are very subtle.  In
>> short, the clue you don't know is that there is really only one global
>> variable behind the s3param code.  What I suggest doing is hard-coding
>> in the path to your 'samba3' backend, and only loading an smb.conf
>> once.
>>
>> Don't despair, we should be able to work something out here.
>
> There are two different ways we should fix this in the long term.
> Either have a --update and --update-newer-passwords mode to
> classicupgrade, or add a --update-newer-passwords mode to pdbedit.
>
> pdbedit was the original 'migrate between databases' tool, and upgrades
> from smbpasswd to tdbsam used pdbedit -i smbpasswd:/etc/smbpasswd -e
> tdbsam:/etc/samba/passdb.tdb, and classicupgrade is deliberately reusing
> much of the same backend logic.
>
> An operation on the AD database would use something like pdbedit -i
> tdbsam:/etc/samba/passdb.tdb -e
> samba_dsdb:/var/lib/samba/private/sam.ldb (I think).  Run it with the DC
> smb.conf file.
>
> Having the operation based on comparing the password change time would
> make this kind of migration much easier, as while user modification can
> be tracked or administratively forbidden, password changes are really
> hard to handle.
>
> Do you want to have a go at hacking pdbedit or the classicupgrade
> script?  pdbedit is C, but not a very complex program.  You want to call
> pdb_get_pass_last_set_time and then only copy across the NT, LM
> passwords and password last set time if it has changed more recently in
> the import.
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>

Right now I have a deadline for this migration, but I'll keep the
testing environment running to add that feature.

I'll have a look at the code and I'll ask you a few things for sure :)



-- 
Diego Woitasen
Linux and Open Source solutions architect at www.vhgroup.net
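A plain-Python model of the --update-newer-passwords merge Andrew describes above (only copy NT/LM hashes and the last-set time when the import's password is newer, add accounts that are missing, keep the workstation test from Diego's sketch), added here as an example and not code from the thread or from Samba. It stands in for the passdb bindings with dicts, so the field names, the sample accounts and the hash strings are constructed assumptions; only the ACB_WSTRUST flag value and the "newer pass_last_set wins" rule come from Samba and the thread.

```python
# Added example: merge of a Samba3 passdb (source) into a Samba4 one (target)
# that only overwrites passwords that changed more recently in the import.
# The dict fields (account_name, acct_ctrl, nt_hash, lm_hash, pass_last_set)
# are assumed stand-ins for the passdb attributes; values below are constructed.
ACB_WSTRUST = 0x0080  # samr flag for a workstation trust account

PASSWORD_FIELDS = ("nt_hash", "lm_hash", "pass_last_set")


def is_workstation(entry):
    """Workstation accounts carry ACB_WSTRUST and a trailing '$' (the thread's test)."""
    return bool(entry["acct_ctrl"] & ACB_WSTRUST) and entry["account_name"].endswith("$")


def merge_newer_passwords(source, target, include_machines=True):
    """Merge source entries into target in place and return what was done.

    - an account missing in target is added whole;
    - an existing account only gets NT/LM hashes and pass_last_set copied when
      the source's pass_last_set is strictly newer (pdb_get_pass_last_set_time rule);
    - anything else is left alone, so edits made on the Samba4 side survive.
    """
    summary = {"added": [], "updated": [], "skipped": []}
    for name, src in source.items():
        if not include_machines and is_workstation(src):
            summary["skipped"].append(name)
            continue
        dst = target.get(name)
        if dst is None:
            target[name] = dict(src)
            summary["added"].append(name)
        elif src["pass_last_set"] > dst["pass_last_set"]:
            for field in PASSWORD_FIELDS:
                dst[field] = src[field]
            summary["updated"].append(name)
        else:
            summary["skipped"].append(name)
    return summary


def run_sample():
    """Constructed data: alice changed her password on Samba3 after the cut-over,
    bob changed his on Samba4, pc17$ was joined to Samba3 during the migration."""
    s3 = {
        "alice": {"account_name": "alice", "acct_ctrl": 0x0010, "nt_hash": "nt-alice-new",
                  "lm_hash": None, "pass_last_set": 1391700000},
        "bob": {"account_name": "bob", "acct_ctrl": 0x0010, "nt_hash": "nt-bob-old",
                "lm_hash": None, "pass_last_set": 1391600000},
        "pc17$": {"account_name": "pc17$", "acct_ctrl": ACB_WSTRUST, "nt_hash": "nt-pc17",
                  "lm_hash": None, "pass_last_set": 1391680000},
    }
    s4 = {
        "alice": {"account_name": "alice", "acct_ctrl": 0x0010, "nt_hash": "nt-alice-old",
                  "lm_hash": None, "pass_last_set": 1391500000},
        "bob": {"account_name": "bob", "acct_ctrl": 0x0010, "nt_hash": "nt-bob-new",
                "lm_hash": None, "pass_last_set": 1391650000},
    }
    return merge_newer_passwords(s3, s4), s4
```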

