Geoff Scott
2005-May-11 02:19 UTC
[Samba] Does or doesn't vampiring users add them into multiple groups at the same time?
John H Terpstra wrote:
> On Tuesday 10 May 2005 01:33, Geoff Scott wrote:
>> Hi all,
>>
>> The new NT migration chapter of Samba guide seems to indicate in the
>> migration Log Validation (section 9.3.1.1) that users get added to
>> all the same groups that they were in under the NT4 domain. However I am
>> not seeing this despite having had a seemingly successful migration.
>> All my users get added into the Domain User group but not into any
>> other group. Is the text below now wrong or right????
>
> If you use version 3.0.12 or later, for most migrations the
> multi-group info should transfer OK. I am now aware that if the NT4
> domain is post SP5 on some migrations multi-group info is not
> transferred and some account (both user and machine) password entries
> are not transferred either.
>
> Maybe Andrew Bartlett will chime in on this?

OK. After testing this out on a vanilla system that I built to test out the changes to chapter 9 for you John, it appears that on a system configured like this:

Ubuntu Hoary
All ldap, nss_ldap, etc obtained from Ubuntu sources
Samba 3.0.13 Debian stable from samba.planetmirror.com
smbldap-tools-0.8.7.tgz
Users in ou=People,dc=guestshire,dc=com etc
And the adduser script like this:
add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'
NT4 server system SP6a

vampiring users works %100, there are absolutely no errors in the error log, and the vampire log show the users being added to the multiple groups successfully. The users all have sambaLMPassword & sambaNTPassword set properly and *all* old settings are brought across.

So what is the difference between the 2 servers? The differences are these:

The "add user script =" has "smbldap-useradd -a -m '%u'" I added a "-a" after looking at the output of "smbldap-useradd -?" as that coupled with The *OLD* version of the NT migration chapter (I thought that the omission of that in the NEW sample chapter 9 smb.conf was a typo) seemed to indicate that only POSIX attributes would be added if the "-a" was left out.
However, adding the "-a" to the smbldap-useradd script in the smb.conf results in errors along the lines of "user already exists with samba attributes" in the vampire error log and no multiple group membership, no passwords, no sambaHomeDrive, no sambaMungedDial and so on.

My users are in ou=Users,ou=OxObjects,dc=guestsfurniturehire,dc=com,dc=au to fit in with OpenExchange.

I am using samba 3.0.14a

I am using smbldap-tools-0.8.8.tgz (which as you mentioned to me recently appear to be broken)

The questions I now ask are these:
Is the subtraction of "-a" for the smbldap-useradd script only for the migration? Does it need to be added back in later?
Can the smbldap-tools cope with an extra "ou" ?
If after testing some of my findings on the non-vanilla server and finding them to work can I set the NetBIOS aliases to include the old server name as the sambaHomeDrive directive in LDAP after vampiring lists the path as \\oldserver\username . How can I work around old settings such as these?

I will now go and test against the non-vanilla server.

Regards Geoff Scott
Geoff Scott
2005-May-11 02:38 UTC
[Samba] Does or doesn't vampiring users add them into multiple groups at the same time?
Geoff Scott wrote:
> John H Terpstra wrote:
>> On Tuesday 10 May 2005 01:33, Geoff Scott wrote:
>>> Hi all,
>>>
>>> The new NT migration chapter of Samba guide seems to indicate in the
>>> migration Log Validation (section 9.3.1.1) that users get added to
>>> all the same groups that they were in under the NT4 domain. However
>>> I am not seeing this despite having had a seemingly successful
>>> migration. All my users get added into the Domain User group but
>>> not into any other group. Is the text below now wrong or right????
>>
>> If you use version 3.0.12 or later, for most migrations the
>> multi-group info should transfer OK. I am now aware that if the NT4
>> domain is post SP5 on some migrations multi-group info is not
>> transferred and some account (both user and machine) password
>> entries are not transferred either.
>>
>> Maybe Andrew Bartlett will chime in on this?
>
> OK. After testing this out on a vanilla system that I built to test
> out the changes to chapter 9 for you John, it appears that on a
> system configured like this:
> Ubuntu Hoary
> All ldap, nss_ldap, etc obtained from Ubuntu sources Samba 3.0.13
> Debian stable from samba.planetmirror.com smbldap-tools-0.8.7.tgz
> Users in ou=People,dc=guestshire,dc=com etc And the adduser script
> like this:
> add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'
> NT4 server system SP6a
>
> vampiring users works %100, there are absolutely no errors in the
> error log, and the vampire log show the users being added to the
> multiple groups successfully. The users all have sambaLMPassword &
> sambaNTPassword set properly and *all* old settings are brought
> across.
>
> So what is the difference between the 2 servers? The differences are
> these:
>
> The "add user script =" has "smbldap-useradd -a -m '%u'" I added a
> "-a"
> after looking at the output of "smbldap-useradd -?" as that coupled
> with The *OLD* version of the NT migration chapter (I thought that
> the omission of that in the NEW sample chapter 9 smb.conf was a typo)
> seemed to indicate that only POSIX attributes would be added if the
> "-a" was left out.
> However, adding the "-a" to the smbldap-useradd script in the
> smb.conf results in errors along the lines of "user already exists
> with samba attributes" in the vampire error log and no multiple group
> membership, no passwords, no sambaHomeDrive, no sambaMungedDial and
> so on.
>
> My users are in
> ou=Users,ou=OxObjects,dc=guestsfurniturehire,dc=com,dc=au to fit in
> with OpenExchange.
>
> I am using samba 3.0.14a
>
> I am using smbldap-tools-0.8.8.tgz (which as you mentioned to me
> recently appear to be broken)
>
> The questions I now ask are these:
> Is the subtraction of "-a" for the smbldap-useradd script only for
> the migration? Does it need to be added back in later?
> Can the smbldap-tools cope with an extra "ou" ?
> If after testing some of my findings on the non-vanilla server and
> finding them to work can I set the NetBIOS aliases to include the old
> server name as the sambaHomeDrive directive in LDAP after vampiring
> lists the path as \\oldserver\username . How can I work around old
> settings such as these?
>
> I will now go and test against the non-vanilla server.
>

The other thing that I forgot to ask was this. I understand for reasons of efficiency and simplicity why it is that we generally put the machine accounts into ou=People,dc=domain,dc=com. But on both systems after vampiring the computers end up with an entry in ldap of gidNumber: 513 and a sambaPrimaryGroupSID: that ends in -513. This is even though I have defaultComputerGid="515" set in smbldap.conf.

Can I provide any further info to help figure out what is going on?

Regards Geoff Scott
Michael Gasch
2005-May-11 08:48 UTC
[Samba] Does or doesn't vampiring users add them into multiple groups at the same time?
> vampiring users works %100, there are absolutely no errors in the error log,
> and the vampire log show the users being added to the multiple groups
> successfully. The users all have sambaLMPassword & sambaNTPassword set
> properly and *all* old settings are brought across.

so did you also vampire things like "account expires on..." ?
i'm able to set it via usrmgr *after* migration but with my last vampire attempt on 3.0.13 i wasn't able to *vampire* expiry information

greez

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137