Peter Collins Wasenda
2006-Sep-20 14:06 UTC
[Samba] migrating smbpasswd backend to ldap backend
I would like to use an ldap backend in place of my existing smbpasswd backend because I just can't get unix password synchronization to work. Any suggestions on how I can make this smooth migration?
On Wed, Sep 20, 2006 at 05:59:54PM +0300, Peter Collins Wasenda enlightened us:
> I would like to use an ldap backend in place of my existing smbpasswd
> backend because I just can't get unix password synchronization to work.
>
> Any suggestions on how I can make this smooth migration?

I wrote a script to do it, attached. You'll have to fill in the blanks, of course, and you might modify it a bit if you're comfortable with python. It currently outputs individual LDIF files for each user. For me that was ok because I only had about 20 users to migrate, but if you have more, you might want to change the output to a single LDIF file.

Matt

--
Matt Hyclak
Department of Mathematics
Department of Social Work
Ohio University
(740) 593-1263
-------------- next part --------------
#!/usr/bin/env python

passwdfile = "/etc/passwd"
shadowfile = "/etc/shadow"
smbpassfile = "/etc/samba/smbpasswd"

import os, pwd, re, string

userdic = {}
shadowdic = {}
smbdic = {}

# Unix accounts, keyed by user name
for record in pwd.getpwall():
    userdic[record[0]] = record

# Crypt hashes from the shadow file, keyed by user name
sfh = open(shadowfile, 'r')
for line in sfh:
    fields = line.strip().split(':')
    shadowdic[fields[0]] = fields[1]
sfh.close()

# smbpasswd records: name:uid:LM hash:NT hash:[flags]:LCT-...
smfh = open(smbpassfile, 'r')
for line in smfh:
    fields = line.strip().split(':')
    smbdic[fields[0]] = fields
smfh.close()

for i in userdic.keys():
    # Only migrate accounts with a UID between 500 and 1000
    if int(userdic[i][2]) > 500 and int(userdic[i][2]) < 1000:
        # Machine accounts end in '$'
        if i[-1] == '$':
            group = "Computers"
        else:
            group = "People"
        namelist = userdic[i][4].split(' ')
        lastname = namelist[-1]
        firstname = ' '.join(namelist[:-1])
        ldifentries = [
            "version: 1\n\n",
            "dn: uid=%s,ou=%s,dc=example,dc=com\n" % (i, group),
            "uid: %s\n" % i,
            "cn: %s\n" % userdic[i][4],
            "loginShell: %s\n" % userdic[i][6],
            "uidNumber: %s\n" % userdic[i][2],
            "gidNumber: %s\n" % userdic[i][3],
            "homeDirectory: %s\n" % userdic[i][5],
            # Fixed: the comma after this entry was missing
            "sambaSID: S-1-5-21-XXXXXXXXXXX-XXXXXXXXX-XXXXXXXXX-%s\n" % str(int(userdic[i][2]) * 2 + 10),
            "sambaPwdMustChange: 2147483647\n",
            "sambaAcctFlags: %s\n" % smbdic[i][4],
            # Fixed: the comma after this entry was missing
            "sambaPwdCanChange: 1094045290\n",
            "sambaNTPassword: %s\n" % smbdic[i][3],
            "sambaPwdLastSet: 1094045290\n",
            "userPassword: {crypt}%s\n" % shadowdic[i],
        ]
        if group == "People":
            addlentries = [
                "givenName: %s\n" % firstname,
                "sn: %s\n" % lastname,
                "mail: %s@example.com\n" % i,
                "shadowMax: 99999\n",
                "shadowWarning: 7\n",
                "objectClass: person\nobjectClass: organizationalPerson\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\nobjectClass: top\nobjectClass: shadowAccount\nobjectClass: sambaSamAccount\n",
                "gecos: %s\n" % userdic[i][4],
                "sambaPrimaryGroupSID: S-1-5-21-XXXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-%s\n" % userdic[i][3],
                "sambaLMPassword: %s\n" % smbdic[i][2],
                "shadowLastChange: 13397\n"
            ]
        else:
            addlentries = [
                "objectClass: account\nobjectClass: posixAccount\nobjectClass: sambaSamAccount\n",
                "sambaDomainName: EXAMPLE\n",
                "sambaPrimaryGroupSID: S-1-5-21-XXXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-515\n",
            ]
        ldifentries = ldifentries + addlentries
        # Both the printed list and the LDIF file contain the password hashes
        print(ldifentries)
        lfh = open("/root/migration/%s.ldif" % i, "w")
        lfh.writelines(ldifentries)
        lfh.close()
    else:
        continue

# vim:tabstop=4
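An added example, not part of Matt's attachment or of Samba: the script above copies the smbpasswd hash fields as they are and hardcodes sambaPwdLastSet, so this shows reading those values from the smbpasswd record instead, leaving out the hash attributes when the field holds a marker rather than a hash, and writing the LDIF output owner-readable only, since the NT and LM hashes can be used in place of the password. The function names and the sample smbpasswd lines are constructed for illustration.

```python
import os
import re

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
LCT = re.compile(r"^LCT-([0-9A-Fa-f]{8})$")

# Constructed sample input: made-up hashes, not real accounts.
SAMPLE = """\
# smbpasswd comment line
alice:501:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-4135CE6A:
bob:502:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DU         ]:LCT-00000000:
ws01$:503:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:0F1E2D3C4B5A69788796A5B4C3D2E1F0:[W          ]:LCT-4135CE6A:
broken:504:short
"""

def load(text):
    """Map user name -> parsed record; comments and malformed lines are skipped."""
    records = {}
    for line in text.splitlines():
        f = line.strip().split(":")
        lct = LCT.match(f[5]) if len(f) >= 6 else None
        if line.startswith("#") or lct is None:
            continue
        records[f[0]] = {
            # 32 X's (unusable) or "NO PASSWORD..." are markers, not hashes.
            "lm": f[2] if HEX32.match(f[2]) else None,
            "nt": f[3] if HEX32.match(f[3]) else None,
            "flags": f[4],
            "last_set": int(lct.group(1), 16),  # LCT is hex seconds since epoch
        }
    return records

def samba_attrs(rec):
    """LDIF attribute lines for one record; hash attributes only for real hashes."""
    lines = ["sambaAcctFlags: %s\n" % rec["flags"],
             "sambaPwdLastSet: %d\n" % rec["last_set"]]
    if rec["nt"]:
        lines.append("sambaNTPassword: %s\n" % rec["nt"])
    if rec["lm"]:
        lines.append("sambaLMPassword: %s\n" % rec["lm"])
    return lines

def write_private(path, text):
    """Create path readable by its owner only; fail if it already exists."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

if __name__ == "__main__":
    for user, rec in load(SAMPLE).items():
        print(user, samba_attrs(rec))
```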
Michael Martinez
2006-Sep-20 15:34 UTC
[Samba] migrating smbpasswd backend to ldap backend
We use the samba schema in openldap, which adds the following attributes:

sambaNTPassword
sambaLMPassword

in addition to userPassword and some other samba password related attributes. The samba clients are configured to use our samba server, which is configured to use our openldap server.

Regards,
Michael Martinez
Engineering Manager
Tech Computer Center (TCC), Speare Room 128
New Mexico Tech, 801 Leroy Place, Socorro, NM 87801
(505) 835-5388
mikem@nmt.edu
http://www.nmt.edu/tcc/
--
http://sftplogging.sourceforge.net
http://atftplocalnet.sourceforge.net/

Peter Collins Wasenda wrote:
> I would like to use an ldap backend in place of my existing smbpasswd
> backend because I just can't get unix password synchronization to work.
>
> Any suggestions on how I can make this smooth migration?
>