Migrating Unix and smbpasswd Accounts to LDAP

Firstly, when dealing with a few hundred accounts this can be a serious ball ache if you decide not to take the scripting approach for account migration. If you have about 20 or so users you could just grab a cup of coffee and hammer away for 30 mins or so creating your users manually. I wasn’t so lucky, as I had about 200 users to move across
from a unix system account setup into an LDAP database.

Ok, the tools you need are:

  • smbldap-tools (obviously)
  • pdbedit
  • coffee

I’m going to assume you already have Samba configured with LDAP and working fine. If not, best start with the Samba-HOWTO to get to this point.

Firstly you need to compile a neat list of the users you wish to import. For me this was a serious nut scraping process, as I had to carefully go through my user list and remove old users, update their real names…etc. Make sure you’ve done some tidying up with you current user account lists before jumping into the migration process as having to go back and update accounts after the import with current data can also be a soul destroying process.

Make sure you verify UID’s, GID’s, home directories and you probably want to set /dev/null for your users shell.Also, it’s easier to just start with the U samba account flag (smbpasswd file), this represents a normal samba user account, you can update the smbAcctFlags value of the accounts later if needed for specific account types.

So get your passwd, shadow and smbpasswd file formatted and sorted nicely, something like this:

users.passwd format:
jsoap:x:860:513:Joe Soap:/home/jsoap:/dev/null

users.shadow format:
jsoap:$1$KCWwWGgE$KXUSYpxQV10ovVJejGG7G1:12825:0:99999:7:::

users.smbpasswd format:
jsoap:860:F57E3EEFF0C8303EC482C03F54CDB5D9:43594F6DD8434172EF4CB80387838BC1:[U         ]:LCT-420C8152:

Great. Ok, so this is really just a 2 step process:

  1. import the user accounts across (keeping their unix passwd’s)
  2. import the smbpasswd accounts, updating the accounts and adding the users sambaNTPassword’s

First, we need to import these files into our LDAP database. To do this we use the migration scripts which come with the smbldap-tools package. On debian systems these scripts are found in /usr/share/doc/smbldap-tools/examples/migration.

Let’s run a test import incase we $#@* our LDAP database up with retarded entries. This is also a good time to make a backup of your current LDAP database.

# perl smbldap-migrate-unix-accounts  -P users.passwd -S users.shadow -v -n -a

This spits out the entry that it would add to your LDAP database, make sure it is what you want:

————————————————————————
dn:uid=jsoap,ou=people,dc=boobies,dc=com

objectClass: top
Person
organizationalPerson
inetOrgPerson
posixAccount
shadowAccount
sambaSamAccount
uid: jsoap
cn: Joe Soap
sn: Soap
displayName: Joe Soap
description: Joe Soap
gidNumber: 513
sambaHomeDrive: U:
sambaAcctFlags: [U]
sambaBadPasswordTime: 0
sambaBadPasswordCount: 0
sambaPrimaryGroupSID: S-1-5-21-3877643464-1458406261-1666480780-513
userPassword: {crypt}$1$xlpUMLpe$GAjlNo.asFZJ0jXXf0BUo/
uidNumber: 860
gecos: Joe Soap
homeDirectory: /home/jsoap
loginShell: /dev/null
shadowLastChange: 12369
shadowMax: 99999
shadowWarning: 7
sambaSID: S-1-5-21-3877642164-1458406261-1666480780-2628
————————————————————————

The output won’t look exactly like above, obviously. I needed to add a few extra fields to my user entries, fields such as description, sambaAcctFlags…etc so I made some modifications to the smbldap-migrate-unix-accounts perl script. I’ll add a breakdown of the modifications I made at a later stage.

Ok so when you’re happy with the output, go for it and add them to your LDAP database:

# perl smbldap-migrate-unix-accounts  -P users.passwd -S users.shadow -a

No output. That’s cool, your accounts should have been added. Verify that the accounts were added by running something
like:

# smbldap-usershow jsoap

Stoked, he’s there. So you’ve imported your unix accounts across, time to import your users old smbpasswd account info, this way keeping the users old passwords.

# pdbedit -i smbpasswd:users.smbpasswd -e ldapsam:ldap://127.0.0.1/

You should see something like:

smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BOOBIES))]
smbldap_open_connection: connection opened
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=BOOBIES))]
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: jsoap

init_ldap_from_sam: Setting entry for user: jsoap
Importing account for jsoap…ok
..

Nice, your accounts were updated with their old sambaNTPassword values. Verify this again by running smbldap-usershow on a known account and check that your user has the sambaNTPassword attribute added with his old value.

That’s it. This note brings me to where I am in my current project, now I need to add all the old machine accounts… faaaaak.

Advertisements
This entry was posted in ldap, samba. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s