samba - Nov 2013 - some samba4 AD questions, after a week of playing around

Hi,

I've been experimenting with samba4 for a little while now, and some 
things go very smoothly, others not quite so. :-) However I have some 
questions that hopefully some of you can help with.

1. In samba3/openldap we have seperate ou for groups and users. The 
samba-tool classicupgrade migrates these both into one single CN=Users. 
Is there a way to seperate them, like we had in samba3? (or is that not 
recommendable anymore?)

2. We have many openldap users with more than one mail attribute. Works 
good with postfix/dovecot. I found out that in AD users can only have 
one single mail attribute? I'm guessing we're not alone in this... How 
to best deal with this?

3. We would like to copy many more attributes than just the basic 
username/displayname/groups and logonscript. I was advised here of the 
list to build a script to connect to my ldap and update my sam 
accordingly with ldbmodify (thread: http://marc.info/?t=138419682600017) 
While I'm trying to do that now, I'm not a scripting guru, and it's
not
progressing very quickly. Therefore: anyone has some more tips/clues 
that could save me some time?

Thanks for some tips...!

MJ

On 19/11/13 14:20, mourik jan heupink wrote:
> Hi,
>
> I've been experimenting with samba4 for a little while now, and some 
> things go very smoothly, others not quite so. :-) However I have some 
> questions that hopefully some of you can help with.
>
> 1. In samba3/openldap we have seperate ou for groups and users. The 
> samba-tool classicupgrade migrates these both into one single 
> CN=Users. Is there a way to seperate them, like we had in samba3? (or 
> is that not recommendable anymore?)
Samba4 works like a windows AD server, this is why all your users and 
groups are in CN=Users, but you can create different OU's if you wish.
>
> 2. We have many openldap users with more than one mail attribute. 
> Works good with postfix/dovecot. I found out that in AD users can only 
> have one single mail attribute? I'm guessing we're not alone in 
> this... How to best deal with this?
>
There is another mail attribute, otherMailbox - this is multi-valued 
unlike mail which is single-valued, but it cannot be used with groups.
> 3. We would like to copy many more attributes than just the basic 
> username/displayname/groups and logonscript. I was advised here of the 
> list to build a script to connect to my ldap and update my sam 
> accordingly with ldbmodify (thread: 
> http://marc.info/?t=138419682600017) While I'm trying to do that now, 
> I'm not a scripting guru, and it's not progressing very quickly. 
> Therefore: anyone has some more tips/clues that could save me some time?
>
> Thanks for some tips...!
>
> MJ
Never had to do this, but it boils down to comparing your s3 user with 
your s4 user and adding the differences, do not bother with the posix 
objectclasses, they are auxillaries of user & group.

Rowland

Answering my own question here, perhaps it helps somebody else:
> 3. We would like to copy many more attributes than just the basic
> username/displayname/groups and logonscript. I was advised here of the
> list to build a script to connect to my ldap and update my sam
> accordingly with ldbmodify (thread: http://marc.info/?t=138419682600017)
> While I'm trying to do that now, I'm not a scripting guru, and
it's not
> progressing very quickly. Therefore: anyone has some more tips/clues
> that could save me some time?
I have now taken another approach on this: After the classicupgrade, the 
domain is basically ready to roll, so you can also use native windows AD 
tools to update your samba4 users with details from samba3 openldap:

1. use lam to export your users to a .csv file
	(https://www.ldap-account-manager.org/lamcms/)
2. adjust columnnames etc to match what you want to copy to AD
3. use any tool to update the samba4 AD from a csv file
	(I used http://www.manageengine.com/products/ad-manager)

Much easier (to me, anyway) than updating with a script and ldbmodify.

Have a nice weekend,
MJ