[Samba] classic upgrade with rfc2307bis

Dr. Hansjoerg Maurer hansjoerg.maurer at itsd.de
Tue Oct 18 10:34:13 UTC 2016

Hi Christian

We did something similar some months ago and I only found a rather complicated way.

1) We extracted the normal passwd and group information

getent passwd > /root/passwd.out
getent group > /root/group.out

deleted system user and password, converted to ASCII and sorted computers out of passwd.out

grep '\$' /root/passwd.out.ascii  > /root/computer.out.ascii
grep -v '\$' /root/passwd.out.ascii  > /root/user.out.ascii

2) we transferred the ldapsam information to tdbsam

pdbedit -i ldapsam -e tdbsam 
pdbedit -g -i ldapsam -e tdbsam

3) then we started openldap with 2307 (without bis) and no data and added an empty ldif with just the OUs

4) then we added posix accounts and groups again in ldap, using the files from above

/usr/share/doc/smbldap-tools-0.9.10/migration_scripts/smbldap-migrate-unix-accounts_work -v -P /root/user.out.ascii 
/usr/share/doc/smbldap-tools-0.9.10/migration_scripts/smbldap-migrate-unix-computers -v -P /root/computer.out.ascii 
/usr/share/doc/smbldap-tools-0.9.10/migration_scripts/smbldap-migrate-unix-groups -v -G /root/group.out.ascii 

5) then we filled the samba attributes migration back from tdb to ldap

pdbedit -e ldapsam -i tdbsam
pdbedit -e ldapsam -i tdbsam -g

With these steps we could migrate towards AD

Most parts and the consolidation steps (duplicated SIDs) we were able to script in a test setup...


Hansjörg Maurer



itsystems Deutschland AG -- Carefree and quiet. That's how IT works


-----Original Message-----
From: Christian Naumer via samba <samba at lists.samba.org>
Sent: Tue 18 October 2016 11:44
To: samba at lists.samba.org
Subject: [Samba] classic upgrade with rfc2307bis

We are in the process of testing an upgrade of our NT-style domain on samba 3.6 and ldap backend to
an AD on samba 4.4. The classic upgrade works fine so far the only problem we have is that all our
groups are migrated without members. I think this is because we use rfc2307bis in our schema which
uses "uniqueMember" instead of "memberUid" to link groups to users. Is there an option to the
classic upgrade script to tell it to use uniqueMember?
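
An added illustration, not part of the thread and not code from Samba or smbldap-tools: the question above is about rfc2307bis groups that list members as `uniqueMember` DNs rather than `memberUid` names. This Python example turns a constructed LDIF export into group(5)-style lines of the same shape as the `getent group` output from step 1, and reports member DNs it cannot map. It assumes every user DN begins with a `uid=` RDN; the sample entries and the function names are made up for the illustration.

```python
import base64
import re

# Constructed sample export of two rfc2307bis groups (not data from the thread).
_CAROL = base64.b64encode(b"uid=carol,ou=People,dc=example,dc=com").decode()
SAMPLE_LDIF = f"""\
dn: cn=staff,ou=Groups,dc=example,dc=com
cn: staff
gidNumber: 5001
uniqueMember: uid=alice,ou=People,dc=exam
 ple,dc=com
uniqueMember:: {_CAROL}

dn: cn=printers,ou=Groups,dc=example,dc=com
cn: printers
gidNumber: 5002
uniqueMember: cn=service,ou=Roles,dc=example,dc=com
"""
UID_RDN = re.compile(r"uid=([^,+\\:]+)(?:[,+]|$)", re.IGNORECASE)

def parse_groups(ldif):
    """Return {cn: entry} where entry holds cn, gidnumber and member DNs."""
    groups = {}
    for block in re.split(r"\n\s*\n", ldif.replace("\n ", "").strip()):  # unfold first
        entry = {"members": []}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: value" is base64-encoded
                value = base64.b64decode(value[1:]).decode("utf-8")
            key, value = attr.lower(), value.strip()
            if key in ("cn", "gidnumber"):
                entry[key] = value
            elif key == "uniquemember":
                entry["members"].append(value)
        groups[entry["cn"]] = entry
    return groups

def to_group_lines(groups):
    """group(5) lines from uniqueMember DNs; assumes users are named uid=..."""
    lines, unresolved = [], []
    for cn, entry in groups.items():
        uids = []
        for dn in entry["members"]:
            m = UID_RDN.match(dn)
            if m:
                uids.append(m.group(1))
            else:
                unresolved.append((cn, dn))  # review these by hand
        lines.append(f"{cn}:x:{entry['gidnumber']}:{','.join(uids)}")
    return lines, unresolved
```

Members whose DN does not start with a plain `uid=` value (nested groups, role entries, escaped characters) end up in the unresolved list instead of being silently dropped from the group.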


