Migrate Samba
Migration from Samba 2.2.8 to 3.0
I migrated from an old Samba based on smbpasswd to a new Samba based on LDAP auth. I used the smbldap-tools to perform the necessary conversions.
http://cvs.samba.org/cgi-bin/cvsweb/samba/examples/LDAP/smbldap-tools/
http://www.idealx.com/content/view/184/169/lang,fr/
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/
http://www.samba.org/samba/docs/man/Samba-Guide/
http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html
get the old domain SID
I used the following commands to get the SIDs for domain/server:
smbpasswd -X DOMAINNAME
smbpasswd -X SERVERNAME
This should give the same SIDs for both commands.
set the new domain SID
In my case I entered the new SID in two locations on the new server:
- net setlocalsid NEWSID
- in the SambaDomainName entry in my LDAP structure (still don't know why it's there and what it does)
add a new user
New users can be added with the smbldap-useradd script. Please note that I had to modify this script in two places to make it possible to import the mail addresses with the -M option as well.
modify the smbldap-useradd script
I wanted to use the -M option, so I had to adapt the script to my schemas:
First, this script obviously uses the misc schema, which I don't use, so I don't use and don't need the mailLocalAddress value. The script failed in my case.
find the line
push(@adds, 'mailLocalAddress' => [ @userMailLocal ]);
and replace it with
# push(@adds, 'mailLocalAddress' => [ @userMailLocal ]);
Second (a few lines below):
replace
push(@adds, 'objectClass' => 'inetLocalMailRecipient');
with
# push(@adds, 'objectClass' => 'inetLocalMailRecipient');
adding a user
about the NT and LM-passwords
This is only for double-checking the result. You can skip it if everything is OK.
The old smbpasswd file has the following structure:
username:uid:sambaLMpassword:sambaNTpassword:sambaAcctFlags:UNKNOWN:
You can compare these passwords with the ones created by smbldap-useradd to verify your work.
about the user-sids
This is only for double-checking the result. You can skip it if everything is OK.
Every user has a sambaSID value. This value is not stored in the old smbpasswd, but in the NTUSER.DAT file. You'll find that it's calculated from the domain SID and the uid, so you don't need to retrieve it but can simply have it calculated. smbldap-useradd does this for you!
RID=1000+uid*2
sambaSID=domainSID-RID
After adding a user with smbldap-useradd you can use the profiles command on the old NTUSER.DAT file of this user to check if it's the same sambaSID.
profiles NTUSER.DAT | grep domainSID
will give you a list of entries containing your sambaSID.
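The two double-checks above (hashes and sambaSID), as an added example that is not part of the original page or of smbldap-tools: a Python script that takes the old smbpasswd lines and an LDIF dump of the new entries and lists every attribute that is missing or does not match. The domain SID, account names, hashes and LDIF layout are constructed sample values, and the uid attribute is assumed to hold the account name.

```python
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # all sample data here is constructed
OLD_SMBPASSWD = """\
alice:500:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-00000000:
bob:501:1111111111111111AAAAAAAAAAAAAAAA:2222222222222222BBBBBBBBBBBBBBBB:[U          ]:LCT-00000000:
carol:502:3333333333333333CCCCCCCCCCCCCCCC:4444444444444444DDDDDDDDDDDDDDDD:[U          ]:LCT-00000000:
"""
NEW_LDIF = """\
dn: uid=alice,ou=Users,dc=example,dc=org
uid: alice
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-2000
sambaLMPassword: 0123456789ABCDEF0123456789ABCDEF
sambaNTPassword: FEDCBA9876543210FEDCBA9876543210

dn: uid=bob,ou=Users,dc=example,dc=org
uid: bob
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-2003
sambaLMPassword: 1111111111111111AAAAAAAAAAAAAAAA
sambaNTPassword: 2222222222222222bbbbbbbbbbbbbbbb
"""

def expected_sid(domain_sid, uid):
    """RID rule quoted on the page: RID = 1000 + uid*2, sambaSID = domainSID-RID."""
    return f"{domain_sid}-{1000 + int(uid) * 2}"

def expected_attrs(smbpasswd_text, domain_sid):
    """username:uid:LM:NT:flags:... -> LDAP attributes the migrated entry should carry."""
    rows = [l.split(":") for l in smbpasswd_text.splitlines() if not l.startswith("#")]
    return {f[0]: {"sambalmpassword": f[2], "sambantpassword": f[3],
                   "sambasid": expected_sid(domain_sid, f[1])} for f in rows if len(f) >= 5}

def parse_ldif(text):
    """Minimal reader for plain 'attr: value' LDIF (no base64 or folded lines); keyed by uid."""
    entries = {}
    for block in text.strip().split("\n\n"):
        pairs = (l.split(": ", 1) for l in block.splitlines() if ": " in l)
        attrs = {k.lower(): v.strip() for k, v in pairs}  # attribute names are case-insensitive
        entries[attrs.get("uid", "")] = attrs
    return entries

def verify(smbpasswd_text, ldif_text, domain_sid):
    """Return (account, attribute) pairs that are missing or differ; empty list = all match."""
    ldap, problems = parse_ldif(ldif_text), []
    for name, want in expected_attrs(smbpasswd_text, domain_sid).items():
        new = ldap.get(name, {})  # an account absent from LDAP fails every attribute
        problems += [(name, attr) for attr, value in want.items()
                     if new.get(attr, "").upper() != value.upper()]  # hex case is ignored
    return problems

print(verify(OLD_SMBPASSWD, NEW_LDIF, DOMAIN_SID))
```

Both inputs hold LM/NT hashes, which are password-equivalent, so keep the files readable by root only and remove them after the check.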
adding a machine
To add a machine you call smbldap-useradd with -w:
smbldap-useradd -u 817 -w ihf17$
There is no need for the -P option, because the password can't be set this way.
To set the password based on an existing smbpasswd file, or simply to add the necessary attributes, you have to call pdbedit:
pdbedit -i smbpasswd:/data/migration/smbpasswd.machines
There can be more than one entry in the specified file, but I removed all the users and just kept the machines. Also note that pdbedit is very sensitive about the fact that the user already has to exist. So trying to create a user with pdbedit never worked for me.
automated process
I wrote a small Perl script that reads all the old user data from a plain text file (output from my postgres user database), invokes smbldap-useradd on each entry to add the users, and sets the password for the users. This script is very specialized for my migration process but will be put online here as soon as I have finished my migration process.
- save a list of all users with email
- save a list of all users
- run the script on the email-list
- run the script on the all-list. Users with email will not be added again because smbldap-useradd states “user already exists”
bugs:
- machine-accounts not added yet
- does not take care of the samba and imap flags yet



