[Samba] Standalone Server User Import / Export

Rowland penny rpenny at samba.org
Thu Aug 8 20:23:25 UTC 2019


On 08/08/2019 21:10, David Ayers wrote:
> On Thursday, 08.08.2019 at 20:52 +0100, Rowland penny via samba wrote:
>> On 08/08/2019 20:42, David Ayers via samba wrote:
>>> On Friday, 09.08.2019 at 07:08 +1200, Andrew Bartlett wrote:
>>>> On Thu, 2019-08-08 at 17:04 +0200, David Ayers via samba wrote:
>>>>> Hello!
>>>>>
>>>>> when using Samba [4.5.16-Debian] as standalone server in Windows
>>>>> environment to allow certain users to access shares, we are
>>>>> currently using the default tdbsam backend with a bunch of users.
>>>>>
>>>>> We now want to migrate the users from one standalone server to a
>>>>> replacement server.  To migrate the users I expected to be able to
>>>>> export the users (incl. passwords) into a file on one server, copy
>>>>> the file over to the new server and import the users there.
>>>>> Specifically I expected using:
>>>>>
>>>>> old: pdbedit -e tdbsam:/root/samba.user.tdbexp
>>>>> new: pdbedit -I tdbsam:/root/samba.user.tdbexp
>>>>>
>>>>> would do the trick.  A file is created during the export.  The
>>>>> import does not complain and has a return value indicating
>>>>> success.  But pdbedit -L (-v) does not list any of the imported
>>>>> users.
>>>> Just copy (use tdbbackup for safety if you can't stop Samba) all the
>>>> tdb files and put them in the same spot on the new server.  That is
>>>> the easiest way to do this.
>>>>
>>>> My guess is that the domain sid has been re-randomised on the new
>>>> server.  Dump that with 'net' (I forget the subcommand) and force it
>>>> in again (it is stored in a host-name specific key in secrets.tdb).
>>> I am not very familiar with the concept of a "domain" in the case of a
>>> standalone server.
>> What I was asking was, what are you connecting from?
> I was logged into the Debian server and executed the command as root
> (via sudo).
>
>> If they are members of an Active Directory domain, you would probably
>> be better off changing your standalone server into a Unix domain
>> member, that way you can set permissions from Windows.
> There was no AD involved when the user was created.  Some of the clients
> that will be connected may be and others won't be part of an AD [mostly
> standalone quasi embedded manufacturing CNC-type controller systems,
> which probably won't be added to AD in the near future picking up
> definition files] but they are all currently not using AD to
> authenticate to the standalone server.
>
> In fact I'm currently unsure whether there is an AD at all but I'll
> suggest it to the administrators there whether they would consider it.
> But currently we just want to transfer the same setup.

It was just an idea, it sounds like the rest of the machines are running 
in a workgroup and another name for 'standalone server' is 'workgroup 
member'.

The benefits of a domain are that you administrate all the users, groups 
and computers in just one place, but I don't think this would work in 
your network.

>
>
>>> The new server is indeed simply a new installation with the smb.conf
>>> edited to match the old one.  My goal is to transfer the users
>>> including the passwords (which I have no knowledge of) from the old
>>> server to the new server.
>>>
>>> From your comment I deduce that this may not be possible without
>>> actually copying all tdb files directly.  Is that truly the case?
>> You should be able to export your database, but it isn't working for
>> you, so it looks like Andrew's idea is the best option.
> Thank you for verifying that it should work as I had imagined.  I guess
> I'll first try copying the tdb files tomorrow when I have a maintenance
> window.  If that works, I guess I'll be fine until/if they set up an AD.
>
> Thank you very much!
> David
>
Good luck and just remember what I said about the 'username' parameter ;-)

Rowland
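
The SID mismatch guessed at in the quoted text can be checked before any import; the script below is an added example, not part of the original thread. It assumes `pdbedit -L -v` output from the old server and `net getlocalsid` output from the new one were saved to files (the file names, function names and sample values are constructed for illustration).

```shell
#!/bin/sh
# Added example: do the old server's account SIDs belong to the new
# server's local SID? Works on saved command output (hypothetical files):
#   old server:  pdbedit -L -v   > old-users.txt
#   new server:  net getlocalsid > new-sid.txt

# Print the first S-1-5-21-... machine SID found on stdin.
local_sid() {
    grep -Eo 'S-1-5-21(-[0-9]+){3}' | head -n 1
}

# Print every "User SID:" value from pdbedit -L -v output on stdin.
user_sids() {
    sed -n 's/^User SID:[[:space:]]*\(S-[0-9-]*\)[[:space:]]*$/\1/p'
}

# Drop the trailing RID, leaving the domain part of an account SID.
sid_domain() {
    printf '%s\n' "${1%-*}"
}

# Read account SIDs on stdin; print those outside domain $1, return 1 if any.
foreign_sids() {
    want=$1 rc=0
    while read -r sid; do
        [ "$(sid_domain "$sid")" = "$want" ] && continue
        printf '%s\n' "$sid"
        rc=1
    done
    return "$rc"
}

# Constructed sample data standing in for the two saved files.
OLD_USERS='Unix username:        cnc01
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1001
Unix username:        cnc02
User SID:             S-1-5-21-1111111111-2222222222-3333333333-1002'
NEW_SID_LINE='SID for domain NEWSRV is: S-1-5-21-1234567890-2345678901-3456789012'

new_sid=$(printf '%s\n' "$NEW_SID_LINE" | local_sid)
if mismatched=$(printf '%s\n' "$OLD_USERS" | user_sids | foreign_sids "$new_sid"); then
    echo "account SIDs match local SID $new_sid"
else
    echo "local SID is $new_sid, but these accounts carry another domain SID:"
    printf '%s\n' "$mismatched"
fi
```

With real data, replace the two sample variables with `cat old-users.txt` and `cat new-sid.txt`; any SID printed belongs to an account created under a different machine SID than the new server's.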




