[Samba] how to populate Samba AD DC with groups and users?

Rowland Penny rpenny at samba.org
Wed Aug 25 09:06:03 UTC 2021

On Wed, 2021-08-25 at 10:16 +0200, Franta Hanzlik wrote:
> Hi Rowland,
> Thanks for your valuable advice!
> If you still can, please:
> Dne 2021-08-25 08:47, Rowland Penny via samba napsal:
> > On Wed, 2021-08-25 at 03:08 +0200, Franta Hanzlík via samba wrote:
> ...
> > > 3) Use ldbsearch to dump the AD DC groups and users (except
> > > system/builtin)
> > > to an LDIF file from the old DC, exclude unnecessary attributes
> > > from
> > > them,
> > > and modify them for ldbadd and add them to the new one.
> > > This seems like a better way, but what attributes will be needed
> > > in
> > > the file to import into the new DC?
> > > And what about Unix attributes (home directory, UID / GID, etc.)?
> > 
> > A method based on the above is probably the best way to go, but
> > beware,
> > you will not be able to extract any passwords.
> Passwords are not possible to extract?
> When I did a dump from the old 4.0.4 DC as:
> ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=OURAD\,DC\=SKOLA\,DC\=CZ.ldb '(sAMAccountType=805306368)'
> (it seems that sAMAccountType=805306368 returns user accounts,
> sAMAccountType=268435456 group objects, 536870912 special/builtin
> groups, and 805306369 computer accounts)
> I also got the attribute 'unicodePwd:: iJhulVWNcy4NiOaOPOoO6g=='

You are lucky: if you dump the AD database, you now do not get the
unicodePwd attribute. You can get the password, but only ON a Samba DC
and by explicitly asking for it; you can then set it after creating or
modifying a user.

>   - and I was hoping that these attributes would also be written to the new
> AD using ldbadd and that it would behave like user passwords (or maybe more
> like their hashes - after base64 decoding I get a 16-byte binary value).
> Do you think that this conversion and writing of the password/hash is not
> possible?

It is. To encode the password to add to AD, you would use this:

UNICODEPW=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)
This would provide the password, which you could then set with this LDIF:

dn: cn=username,cn=Users,dc=samdom,dc=example,dc=com
changetype: modify
replace: unicodePwd
unicodePwd:: $UNICODEPW

> I don't mind using samba-tool, on the contrary, I welcome it if it can
> write valid user or group data. I was rather surprised that I didn't find
> any examples of how to set up groups and users, and maybe some advice and
> tricks around it. But maybe I was just looking wrong, my English is lousy.

There is no difference in how to set up users & groups on Samba AD versus
Windows AD, and there is lots of documentation out there about Windows