PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04
in [Samba]
|
From: GG on 28 May 2010 05:30 Hello! So in the end LDAP has been converted with the provided conversion script and is not a problem anymore. For reference, we said we needed net getlocalsid but I found that also smbpasswd -X DomainName or -S DomainName outputs the domainsid :-) (for some reason I have no net command albeit having smbclient installed) Now migrating samba is a big issue to me. So samba authenticates on /etc/samba/smbpasswd and not on LDAP as I thought.... The admin creates a LDAP user, then via webmin converts users from unix to samba and then ssh changes smbpasswd UserName. Silly, isn't it? But smbpasswd database receives converted account from ldap, not unix as /etc/passwd does not have a newly added user, it mainly keeps computeraccounts$ with $ at the end. So we migrated the whole thing to a 3.5.3 telling it to use a switch for compatibility with old smbpasswd file. It did work as \\server\shares but not quite for domain logon for non cached passwords... I believe nmb had not been stopped... anyway We went for a new virtual machine with the ancient Suse 8.2 with same rpm -qa| samba ldap versions and copied /etc/samba and /etc/openldap /etc/passwd+shadow and /var/lib/ldap. Should I also have taken /var/lib/samba??? Computers do not logon but can be added to the domain and nblookup resolves the DomainName to the DC... Had to revert to the old physical server... What else should I consider? After migrating the old services to a new server (the old one is on its final months...) I would like to change the authentication to LDAP backend directly, is this possible or does it nees smbpasswd? Cheers, Giorgio On Sun, Apr 11, 2010 at 11:54 AM, Vladimir Psenicka <vladimir.psenicka(a)prodeco.cz> wrote: > I found this document to upgrade from samba 2 schema to 3: > http://samba.org/samba/docs/man/Samba-HOWTO-Collection/upgrading-to-3.0.html, > search "New Schema". Script is in /usr/share/doc/samba-doc/examples/LDAP/ > on Ubuntu. > > On Sat, 10 Apr 2010 21:32:19 +0200, Giorgio Gallo <giorgiogallo(a)gmail.com> > wrote: >> Hi Vladimir! >> >> Ok for changing into sambaSamAccount but what about the sambaSID? >> It appears to be required! >> >> Cheers, >> Giorgio >> >> -----Original Message----- >> From: Vladimir Psenicka <vladimir.psenicka(a)prodeco.cz> >> Sent: sabato 10 aprile 2010 18.40 >> To: GG <jojomi(a)gmail.com> >> Cc: samba(a)lists.samba.org >> Subject: Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to >> latest versions on ubuntu 8.04 >> >> Hi GG >> >> 1. no delete, change objectClass:sambaAccount to >> objectClass:sambaSamAccount in ldif, sambaAccount is deprecated >> 2. uncomment lines with rid in samba.schema in HISTORICAL if you want to >> preserve rid attribute, else delete it (don't see rid in our ldif) >> 3. make all dn:uid=uid attribute >> >> And after this try to import ldif ... >> >> >> On Fri, 9 Apr 2010 17:43:45 +0200, GG <jojomi(a)gmail.com> wrote: >>> Hello, >>> >>> I would delete sambaAccount but all users also use samba to logon to >>> windows machines, wouldn't this prevent them from entering the domain >>> etc? >>> >>>> dn: *uid=Christian Sanvi*,dc=Sistemi >>>> *uid: csanvi* >>> >>> - I see what you mean. correct uid is csanvi: shall I make all dn: >>> uid=*uid later defined*,dc,dc,dc? >>> >>> - I imported user correctly with no sambaAccount but what are the >>> consequences for usage with samba? >>> >>> - sambaSID = should I put here the domain SID? >>> http://www.aput.net/~jheiss/samba/ldap.shtml (seems he ) >>> sambaLMPassword = this should be like on LDAP any info? >>> sambaNTPassword = this should be like on LDAP any info? >>> sambaAcctFlags = >>> sambaDomain = this should be like domain-name?? >>> >>> The thing is I have to import LDAP and also make samba work after. >>> >>> - Is it possible to just import all LDAP without sambaAccount or >>> sambaSamAccount and then add samba and domain part? >>> >>> Ldap is just the back end, what then needs to work is samba and domain >> PDC >>> etc.. >>> >>> Giorgio >>> >>> >>> >>> On 4/9/10, Vladimir Psenicka <vladimir.psenicka(a)prodeco.cz> wrote: >>>> Hi. >>>> >>>> Can you change *objectClass: sambaAccount* to *objectClass: >>>> sambaSamAccount* in whole ldif, but object class 'sambaSamAccount' >>>> requires attribute 'sambaSID' and maybee other samba* attributes. Or >>>> delete objectClass: sambaAccount from this dn when no samba* attribute >>>> is specified in this dn. I can't see objectClass: sambaAccount in our >>>> Samba 3.0 samba.schema. >>>> >>>> You can tune your old atributes (rid) in samba.schema: see HISTORICAL >>>> >>>> >>>> Next your uid in dn must exactly be same as atribute uid >>>> >>>> >>>> dn: *uid=Christian Sanvi*,dc=Sistemi >>>> Informativi,dc=People,dc=GG-s-Domain,dc=it >>>> structuralObjectClass: inetOrgPerson >>>> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f >>>> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it >>>> createTimestamp: 20030801093311Z >>>> objectClass: inetOrgPerson >>>> objectClass: person >>>> objectClass: posixAccount >>>> objectClass: shadowAccount >>>> mail: christian.sanvi(a)GG-s-Domain.it >>>> mailHost: mail.GG-s-Domain.it >>>> mailMessageStore: /var/qmail/maildirs/GG-s-Domain.it/christian.sanvi >>>> *uid: Christian Sanvi* >>>> cn: csanvi >>>> sn: sanvi >>>> shadowMax: 99999 >>>> shadowWarning: 7 >>>> loginShell: /bin/bash >>>> uidNumber: 1000 >>>> gidNumber: 100 >>>> homeDirectory: /home/christian >>>> gecos: Christian Sanvi,,, >>>> entryCSN: 2008042908:48:24Z#0x0002#0#0000 >>>> modifiersName: cn=Manager,dc=GG-s-Domain,dc=it >>>> modifyTimestamp: 20080429084824Z >>>> userPassword:: e2NyeXB0fVc4Tmx0ck9pZDZhd3M= >>>> shadowLastChange: 14695 >>>> >>>> >>>> This dn imported me fine (delete qmail and samba objectclass and rid >>>> attribute). >>>> >>>> >>>> Dne 9.4.2010 12:40, GG napsal(a): >>>> > Hello! >>>> > >>>> > So I added openldap.schema and qmail.schema, deleted /var/lib/ldap/* >>>> > and slapadd the ldif; I still get the same errors though! >>>> > >>>> > Being on the first line it seems as if dn: uid=,dc=,dc=,dc= is not > ok >>>> > for the new version, because it imports groups correctly dn: >>>> > dc=,dc=,dc= >>>> > >>>> > Ideas? >>>> > >>>> > Cheers, >>>> > Giorgio >>>> > >>>> > On 4/8/10, Vladimir Psenicka <vladimir.psenicka(a)prodeco.cz> wrote: >>>> >> You have in gg-edited.ldif (first error on line 52): >>>> >> >>>> >> dn: uid=name surname,dc=Sistemi >>>> >> Informativi,dc=People,dc=GG-s-Domain,dc=it >>>> >> structuralObjectClass: inetOrgPerson >>>> >> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f >>>> >> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it >>>> >> createTimestamp: 20030801093311Z >>>> >> objectClass: inetOrgPerson >>>> >> objectClass: person >>>> >> objectClass: sambaAccount >>>> >> objectClass: qmailUser >>>> >> objectClass: posixAccount >>>> >> objectClass: shadowAccount >>>> >> >>>> >> Dou you have all apropriate schemas in your slapd.conf and in >>>> >> /etc/ldap/schema/ on your new server? You should have all schemas > in >>>> >> new >>>> >> slapd.conf as you had in slapd.conf on old server...qmail schema >>>> >> etc... >>>> >> >>>> >> Dne 8.4.2010 11:44, GG napsal(a): >>>> >>> Hello Vladimir and NG, >>>> >>> >>>> >>> I added samba.schema and removed the "" and it imported ldif >> without >>>> >>> saying anything about groups now :-) >>>> >>> >>>> >>> There are some warnings I am attaching. >>>> >>> >>>> >>> It moans about >>>> >>> str2entry: invalid value for attributeType objectClass #3 (syntax >>>> >>> 1.3.6.1.4.1.1466.115.121.1.38) >>>> >>> slapadd: could not parse entry (line=11937) >>>> >>> and if I look at the ldif I find this >>>> >>> dn: uid=someuid,dc=Filiali,dc=People,dc=domain,dc=it >>>> >>> >>>> >>> and other error >>>> >>> slapadd: could not parse entry (line=11116) >>> >> >> [The entire original message is not included] > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
|
Pages: 1 Prev: ACLs in windows clients w/ GPFS Next: [Samba] libsmbclient licensing |