[Samba] Importing standalone users into Active Directory

Rowland Penny rpenny at samba.org
Thu Jul 29 19:52:14 UTC 2021


On Thu, 2021-07-29 at 12:18 -0700, David Brodbeck via samba wrote:
> I've done a lot of Googling but haven't found the answer to this yet.
> 
> I have a standalone Samba server I want to add to my Samba4 Active
> Directory domain. However, the standalone server has about 300 Samba
> user accounts in its local tdbsam database that I need to retain. As I
> see it, there are two possibilities:
> 
> 1. Import the tdbsam accounts into Active Directory. This would be my
>    first choice.
>    - I've found information on importing tdb files from NT4-style
>      domains to new AD domains using samba-tool, but nothing about
>      taking users from a standalone server and inserting them into an
>      existing AD.
>    - I looked into pdbedit but it doesn't seem to have AD as one of its
>      backend options (or maybe I'm just missing it.)
> 
> 2. Have Samba authenticate against the TDB file when it can't find an
>    AD account for a user.
>    - Researching this led me to references to the command "auth
>      method", which looked promising, but it was removed in 2017.
> 
> Has anyone faced this problem, and found a good solution? I really
> don't want to have to continue to maintain this server as a standalone
> one, but getting 300 people to all set new passwords simultaneously is
> not going to happen.
> 

You can output the samba database with:

pdbedit -L -w

This will produce output like this:

sorce:500:508818B733CE64BEAAD3B435B51404EE:
            D2A2418EFC466A8A0F6B1DBB5C3DB80C:
            [UX         ]:LCT-00000000:
samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:
            BC281CE3F53B6A5146629CD4751D3490:
            [UX         ]:LCT-3BFA1E8D:

See 'man pdbedit' for more information

You can then parse that for the data you require and use it to create
your users in AD, though you will have to 'crack' the NT hash

Rowland
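
The parsing step mentioned in the reply above, as an added example that is not part of the original message: a Python parser for the colon-separated lines that pdbedit -L -w prints (one account per line). The function names are hypothetical, the flag letters are read as described in smbpasswd(5), and the sample input is constructed.

```python
from __future__ import annotations
import string
from dataclasses import dataclass

# Constructed sample: the two accounts shown above, one line each, plus a
# made-up disabled user and a made-up machine account (placeholder hashes).
SAMPLE = """\
sorce:500:508818B733CE64BEAAD3B435B51404EE:D2A2418EFC466A8A0F6B1DBB5C3DB80C:[UX         ]:LCT-00000000:
samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:BC281CE3F53B6A5146629CD4751D3490:[UX         ]:LCT-3BFA1E8D:
olduser:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:00112233445566778899AABBCCDDEEFF:[DU         ]:LCT-5F000000:
ws01$:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FFEEDDCCBBAA99887766554433221100:[W          ]:LCT-5F000000:
"""

@dataclass
class Account:
    name: str
    uid: int
    lm_hash: str | None   # None when the field holds no usable hash
    nt_hash: str | None
    flags: str            # e.g. "UX": U=user, D=disabled, N=no password, W=machine
    last_change: int      # LCT field, seconds since the epoch

def _hash(field: str) -> str | None:
    """Return a 32-hex-digit hash, or None for X-filled / NO PASSWORD fields."""
    ok = len(field) == 32 and all(c in string.hexdigits for c in field)
    return field.upper() if ok else None

def parse_line(line: str) -> Account:
    """Parse one name:uid:LM:NT:[flags]:LCT-hex: record."""
    parts = line.strip().split(":")
    if len(parts) < 6 or not parts[4].startswith("[") or not parts[5].startswith("LCT-"):
        raise ValueError(f"not a pdbedit -w line: {line!r}")
    name, uid, lm, nt, flags, lct = parts[:6]
    return Account(name, int(uid), _hash(lm), _hash(nt),
                   flags.strip("[] "), int(lct[4:], 16))

def parse(text: str) -> list[Account]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def user_accounts(accounts: list[Account]) -> list[Account]:
    """Enabled user accounts with an NT hash: the candidates to recreate in AD."""
    return [a for a in accounts
            if "U" in a.flags and "D" not in a.flags and a.nt_hash]

if __name__ == "__main__":
    for a in user_accounts(parse(SAMPLE)):
        print(a.name, a.uid, a.flags)   # hashes deliberately not printed
```

The dump holds password hashes for every account, so write it to a file only root can read and delete it once the migration is done.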




