LDAP (Schemas,Users) to Samba4 migration

alxgrb
Hi all,

How can I migrate existing LDAP users (or schemas) on Ubuntu 10.04.2 to the new Samba4 (Ubuntu 12.04.2) server?

Does anyone have an idea?
Thanks for support

Alex

Re: LDAP (Schemas,Users) to Samba4 migration

alxgrb
I've tried with Apache Directory Studio to export LDAP (Schema) into an LDIF file. It works.
But converting to (AD ldif) with oLschema2ldif doesn't work. See message:

sudo /usr/local/samba/bin/oLschema2ldif -b DN=domainname -I /home/alxgrb/ldapschemas/old_ldap_schema_250313.ldif -O converted.ldif
malformed entry on line 1265
Converted 0 records with 1 failures

Any Idea? (The line 1265 is empty)
Can I use ldbadd?

Thanks,
Alex

Re: LDAP (Schemas,Users) to Samba4 migration

Andrew Bartlett
On Thu, 2013-04-04 at 01:15 -0700, alxgrb wrote:

> I've tried with Apache Directory Studio to export LDAP (Schema) into an LDIF
> file. It works.
> But converting to (AD ldif) with oLschema2ldif doesn't work. See message:
>
> sudo /usr/local/samba/bin/oLschema2ldif -b DN=domainname -I
> /home/alxgrb/ldapschemas/old_ldap_schema_250313.ldif -O converted.ldif
> malformed entry on line 1265
> Converted 0 records with 1 failures
>
> Any Idea? (The line 1265 is empty)
> Can I use ldbadd?

We really need to drop this tool, it has never really worked well;
parsing text schema with a C tool was always a bad idea.  It would be
faster and more effective to have someone rewrite it in python.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: LDAP (Schemas,Users) to Samba4 migration

Andrew Bartlett
On Fri, 2013-04-05 at 12:10 +1100, Andrew Bartlett wrote:

> On Thu, 2013-04-04 at 01:15 -0700, alxgrb wrote:
> > I've tried with Apache Directory Studio to export LDAP (Schema) into an LDIF
> > file. It works.
> > But converting to (AD ldif) with oLschema2ldif doesn't work. See message:
> >
> > sudo /usr/local/samba/bin/oLschema2ldif -b DN=domainname -I
> > /home/alxgrb/ldapschemas/old_ldap_schema_250313.ldif -O converted.ldif
> > malformed entry on line 1265
> > Converted 0 records with 1 failures
> >
> > Any Idea? (The line 1265 is empty)
> > Can I use ldbadd?
>
> We really need to drop this tool, it has never really worked well;
> parsing text schema with a C tool was always a bad idea.  It would be
> faster and more effective to have someone rewrite it in python.

I should however be clear:

To convert existing users and groups, use samba-tool domain
classicupgrade.  This is different to if you can convert specific schema
extensions, which you may need to re-create by hand, and then import the
data for.

Andrew Bartlett
--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



Re: LDAP (Schemas,Users) to Samba4 migration

alxgrb
OK, that is clear, but samba-tool domain classicupgrade works only if a Samba
instance is installed. Is that right?

Our old server has only LDAP/Automount services without any Samba
instances.

I would like to migrate only the LDAP users to the new Samba4 server.

Greetings,
Alexander

Re: LDAP (Schemas,Users) to Samba4 migration

Andrew Bartlett
On Mon, 2013-04-08 at 07:07 -0700, alxgrb wrote:
> OK, that is clear, but samba-tool domain classicupgrade works only if a Samba
> instance is installed. Is that right?

Correct

> Our old server has only LDAP/Automount services without any Samba
> instances.

Then you won't be able to migrate passwords in any case.

> I would like to migrate only the LDAP users to the new Samba4 server.

For simple user accounts, you shouldn't need to add any new schema
anyway.  Just migrate the users, manually translating the required
attributes.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



Re: LDAP (Schemas,Users) to Samba4 migration

alxgrb
Thank you for the support.

OK. If one has 10 users, it can be done by hand, but we have ca. 110 users.
Maybe there is an automatic solution for it?

Re: LDAP (Schemas,Users) to Samba4 migration

Gémes Géza-2
On 2013-04-09 at 14:56, alxgrb wrote:

> Thank you for the support.
>
> OK. If one has 10 users, it can be done by hand, but we have ca. 110 users.
> Maybe there is an automatic solution for it?

The problem is: If you have users with only posixAccount (or similar)
objectClasses (without samba 3.x aka classic attributes) you could add
them by an ldapsearch ldbadd based script, but you won't be able to
transfer the passwords, as OpenLDAP (with posixAccount and similar
objectClasses) uses a differently encrypted userPassword attribute than
Samba as an AD controller (kerberos keys) can use. As the passwords are
one way encrypted without having an NTPassword attribute (which
corresponds to an arcfour-hmac-md5 enctype) you will lose the password
during migration.

Regards

Geza Gemes

Re: LDAP (Schemas,Users) to Samba4 migration

alxgrb
Hi,

please look at this:=>

alxgrb@ubsrv:~ sudo /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[DEMO] OS=[Unix] Server=[Samba 4.0.5]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk      
        sysvol          Disk      
        home            Disk      Home drive
        data            Disk      Data disk
        IPC$            IPC       IPC Service (Samba 4.0.5)
Domain=[DEMO] OS=[Unix] Server=[Samba 4.0.5]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------

The testuser.ldif file:=>
cat testuser.ldif
dn: uid=bmontag,ou=Users,dc=demo,dc=lan
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: Brigitte Montag
gidNumber: 10001
homeDirectory: /home/bmontag
sambaSID: -59220
sn: Montag
uid: bmontag
uidNumber: 29110
displayName: Brigitte Montag
givenName: Brigitte
loginShell: /bin/bash
mail: brigitte.montag@mailserver.com

I have tried to add the testuser.ldif file to sam.ldb:=>
sudo /usr/local/samba/bin/ldbadd -H /usr/local/samba/private/sam.ldb testuser.ldif
ERR: No such object : "objectclass: Cannot add uid=bmontag,ou=Users,dc=demo,dc=lan, parent does not exist!" on DN uid=bmontag,ou=Users,dc=demo,dc=lan at block before line 18
Add failed after processing 0 records

What do I have to do to make my ldbadd work??

Thanks,
Alexander

Re: LDAP (Schemas,Users) to Samba4 migration

Andrew Bartlett
On Thu, 2013-04-11 at 01:00 -0700, alxgrb wrote:

> Hi,
>
> please look at this:=>
>
> alxgrb@ubsrv:~ sudo /usr/local/samba/bin/smbclient -L localhost -U%
> Domain=[DEMO] OS=[Unix] Server=[Samba 4.0.5]
>
> Sharename       Type      Comment
> ---------       ----      -------
> netlogon        Disk      
> sysvol          Disk      
> home            Disk      Home drive
> data            Disk      Data disk
> IPC$            IPC       IPC Service (Samba 4.0.5)
> Domain=[DEMO] OS=[Unix] Server=[Samba 4.0.5]
>
> Server               Comment
> ---------            -------
>
> Workgroup            Master
> ---------            -------
>
> The testuser.ldif file:=>
> cat testuser.ldif
> dn: uid=bmontag,ou=Users,dc=demo,dc=lan
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: top
> cn: Brigitte Montag
> gidNumber: 10001
> homeDirectory: /home/bmontag
> sambaSID: -59220
> sn: Montag
> uid: bmontag
> uidNumber: 29110
> displayName: Brigitte Montag
> givenName: Brigitte
> loginShell: /bin/bash
> mail: [hidden email]
>
> I have tried to add the testuser.ldif file to sam.ldb:=>
> sudo /usr/local/samba/bin/ldbadd -H /usr/local/samba/private/sam.ldb
> testuser.ldif
> ERR: No such object : "objectclass: Cannot add
> uid=bmontag,ou=Users,dc=demo,dc=lan, parent does not exist!" on DN
> uid=bmontag,ou=Users,dc=demo,dc=lan at block before line 18
> Add failed after processing 0 records
>
> What do I have to do to make my ldbadd work??

change ou=users to cn=users.

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



Re: LDAP (Schemas,Users) to Samba4 migration

alxgrb
I have changed...
alxgrb@ubsrv:~ sudo /usr/local/samba/bin/ldbadd -H /usr/local/samba/private/sam.ldb testuser.ldif
[sudo] password for alxgrb:
ERR: No such attribute : "objectclass_attrs: attribute 'sambaSID' on entry 'UID=bmontag,CN=Users,DC=demo,DC=lan' was not found in the schema!" on DN uid=bmontag,cn=Users,dc=demo,dc=lan at block before line 18
Add failed after processing 0 records

Must I create a schema?

Re: LDAP (Schemas,Users) to Samba4 migration

Andrew Bartlett
On Thu, 2013-04-11 at 05:06 -0700, alxgrb wrote:

> I have changed...
> alxgrb@ubsrv:~ sudo /usr/local/samba/bin/ldbadd -H
> /usr/local/samba/private/sam.ldb testuser.ldif
> [sudo] password for alxgrb:
> ERR: No such attribute : "objectclass_attrs: attribute 'sambaSID' on entry
> 'UID=bmontag,CN=Users,DC=demo,DC=lan' was not found in the schema!" on DN
> uid=bmontag,cn=Users,dc=demo,dc=lan at block before line 18
> Add failed after processing 0 records
>
> Must I create a schema?

At this stage, the discussion is getting quite circular, because I think
you need to go back and do some background research in the difference
between AD and traditional openldap based LDAP configurations.

You seem to be trying to have a bit of both, and that is really causing
you trouble.

If you don't have a Samba domain currently, why do you try and specify a
sambaSID?  

If you do have a samba domain (why else do you have sambaSID values),
then please use the classicupgrade script.  

In any case, you cannot specify specific SID values in active directory
- except during upgrades that we very carefully handle, this is
prohibited because it would interfere with the distributed allocation
scheme.  

I do wish you the best with installing Samba 4.0, but please where
possible follow the already established approaches, as it is that way
that others can help you most, because it will be similar to what they
have done.

Find some examples of adding users via LDIF, and then make your LDIF
look as similar to that as possible.

Please specify as little as possible in your ldif.  You actually only
need objectclass: person.  AD will fill the other bits, and that will
skip the shadowAccount that also makes no sense.  You should also be
aware that the username in AD is samAccountName, not uid.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



Re: LDAP (Schemas,Users) to Samba4 migration

alxgrb
Thanks for your help Andrew!
It works perfectly.

see messages:

>>> cat simpleuser2samba.ldif
dn: cn=firstuser,cn=Users,dc=demo,dc=lan
objectclass: user
sAMAccountName: firstuser

>>> /usr/local/samba/bin/ldbadd -H /usr/local/samba/private/sam.ldb simpleuser2samba.ldif
Added 1 records successfully

>>> /usr/local/samba/bin/samba-tool user list
Administrator
dns-ubsrv
firstuser
demouser
testuser
alxgrb
krbtgt
Guest
alex


Many thanks again,
Alexander
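
The attribute translation described in the replies above for posixAccount-only users (place the entry under cn=Users, use objectClass user with sAMAccountName instead of uid, leave sambaSID and userPassword behind), as an added example that is not part of the thread or of Samba. The function names, the KEEP list and the uid allow-list are assumptions of this example, and the sample entry is constructed.

```python
import base64
import re

KEEP = ("sn", "givenName", "displayName", "mail")  # copied as-is; all else is dropped
SAFE_UID = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._-]{0,18}[A-Za-z0-9])?")  # assumed allow-list

def parse_ldif(text):
    """Yield each LDIF record as {lowercased attribute: [values]}."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        rec = {}
        for line in block.split("\n"):
            m = re.match(r"([A-Za-z][\w;.-]*)(::?)[ \t]*(.*)$", line)
            if m:  # comment lines do not match and are ignored
                attr, sep, val = m.groups()
                if sep == "::":  # base64-encoded value
                    val = base64.b64decode(val).decode("utf-8", "replace")
                rec.setdefault(attr.lower(), []).append(val)
        yield rec

def ldif_line(attr, val):
    """Format one attribute, base64-encoding what LDIF cannot carry as plain text."""
    if re.fullmatch(r"[!-9;=-~](?:[ -~]*[!-~])?", val):
        return f"{attr}: {val}"
    return f"{attr}:: {base64.b64encode(val.encode('utf-8')).decode('ascii')}"

def convert(text, base_dn):
    """Return (AD-style LDIF, skipped uids) for the posixAccount entries in text."""
    out, skipped = [], []
    for rec in parse_ldif(text):
        if "posixaccount" not in (c.lower() for c in rec.get("objectclass", [])):
            continue  # OUs, groups and other non-user entries
        uid = rec.get("uid", [""])[0]
        if not SAFE_UID.fullmatch(uid):
            skipped.append(uid)  # needs a manual decision on the account name
            continue
        lines = [f"dn: cn={uid},cn=Users,{base_dn}", "objectClass: user", f"sAMAccountName: {uid}"]
        for attr in KEEP:  # sambaSID, userPassword and shadow* stay behind
            lines += [ldif_line(attr, v) for v in rec.get(attr.lower(), [])]
        out.append("\n".join(lines))
    return "\n\n".join(out) + "\n", skipped

# Constructed sample, modelled on the testuser.ldif posted in the thread.
SAMPLE = """dn: uid=bmontag,ou=Users,dc=demo,dc=lan
objectClass: posixAccount
sn: Montag
uid: bmontag
sambaSID: -59220
givenName:: QnJpZ2l0dGU=
"""
```

The text returned by `convert(SAMPLE, "dc=demo,dc=lan")` can be written to a file and loaded with ldbadd as shown in the thread; since the userPassword hashes are not carried over, every imported account needs a new password set afterwards.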

Re: Samba4 migration

Andreas Calvo Gómez-2
Follow the classic upgrade howto:
https://wiki.samba.org/index.php/Samba4/samba-tool/domain/classicupgrade/HOWTO


On Tue, Apr 2, 2013 at 10:28 AM, alxgrb <[hidden email]> wrote:

> I have a question ...
>
> How can I migrate existing LDAP users (or schemas) on Ubuntu 10.04.2 to
> the new Samba4 (Ubuntu 12.04.2) server?
>
> Does anyone have an idea?
> Thanks for support
>
> Alex



--
Sincerely,
Andreas Calvo