Matthew Delfino
2018-Feb-11 17:01 UTC
[Samba] Migration Of Records From Old Samba Domain To New One
Hello from Sunny and frigidly cold Minneapolis, MN, USA!

I have a SAMBA domain with three DCs running v4.4.16 on Ubuntu Server 14.04.5 LTS (BIND9 DLZ Backend). I need to move all my records to a new domain (from DOMAIN.LOC to SAMDOM.DOMAIN.NET).

I know that it's not possible to change domains on a samba install, so I've created three new DCs running v4.7.4 on Ubuntu Server 16.04.3 LTS (also with a BIND9 DLZ backend). They've got a minimal install's worth of records in them, but now I'd like to export my accounts from my old domain and import them into the new one.

My idea was to use ldapsearch (or maybe ldbsearch would be better?) to create a huge dump of records from my old domain and then edit the resulting ldif file with some slick find-and-replace-fu so that the records can easily slide into the new domain I've set up (dn, userPrincipalName, msSFU30NisDomain stand out as good ideas to alter).

Then, I was going to turn off my new DCs and import the ldif file with ldbadd to pull in all the ldif records.

My question to the team of experts is this:
1) is there a better way and, if so, what might it be?
2) If this is a fine approach, are there some parameters I would be wise to exclude from the import (like, all the timestamps, objectGUID and objectSid, for example)?

I believe that my worst-case scenario is that I'll need to create a shell script filled with "samba-tool" commands for each user and group, then (gulp) re-add all my users to the groups they belonged to.

Matthew Delfino
VP Information Technology
KNOCK, inc.

© 2018 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
Rowland Penny
2018-Feb-11 18:14 UTC
[Samba] Migration Of Records From Old Samba Domain To New One
On Sun, 11 Feb 2018 11:01:08 -0600 Matthew Delfino via samba <samba at lists.samba.org> wrote:
> Hello from Sunny and frigidly cold Minneapolis, MN, USA!
>
> I have a SAMBA domain with three DCs running v4.4.16 on Ubuntu Server
> 14.04.5 LTS (BIND9 DLZ Backend). I need to move all my records to a
> new domain (from DOMAIN.LOC to SAMDOM.DOMAIN.NET).
>
> I know that it's not possible to change domains on a samba install,
> so I've created three new DCs running v4.7.4 on Ubuntu Server 16.04.3
> LTS (also with a BIND9 DLZ backend). They've got a minimal install's
> worth of records in them, but now I'd like to export my accounts from
> my old domain and import them into the new one.
>
> My idea was to use ldapsearch (or maybe ldbsearch would be better?)
> to create a huge dump of records from my old domain and then edit the
> resulting ldif file with some slick find-and-replace-fu so that the
> records can easily slide into the new domain I've setup (dn,
> userPrincipalName, msSFU30NisDomain stand out as good ideas to alter).
>
> Then, I was going to turn off my new DCs and import the ldif file
> with ldbadd to pull in all the ldif records.
>
> My question to the team of experts is this:
> 1) is there a better way and, if so, what might it be?
> 2) If this is a fine approach, are there some parameters I would be
> wise to exclude from the import (like, all the timestamps, objectGUID
> and objectSid, for example)?
>
> I believe that my worst-case-scenario is that I'll need to create a
> shell script filled with "samba-tool" commands for each user and
> group, then (gulp) readd all my users to the groups they belonged to.

Sorry, but personally, I do not think this is going to work, AD is a lot more complex than an ldap based domain. Each 'object' has its own GUID and objectsid, the SID part of 'objectsid' identifies the domain, there are other problems as well. Whatever you do, you will have to join your clients to the new domain.

I think the best you can do is to dump your users and groups, then use this info to create them again in the new AD, along with their group memberships. You will probably need to give your users new passwords and force them to change at next login.

You can certainly try what you are proposing, even though I don't think it will work, but ensure you test it thoroughly before putting it into production.

Rowland
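The route Rowland describes (dump users, groups and memberships on the old domain, then recreate them with samba-tool on the new one, with fresh passwords that must be changed at first login) as an added example; this is not code from the thread or from the Samba project. It assumes the output of `samba-tool user list`, `samba-tool group list` and `samba-tool group listmembers <group>` from the old DC has been captured to text; the sample data below is constructed to stand in for that output. It skips the accounts and groups every fresh provision already contains, since creating them again fails and privileged-group membership is better granted deliberately than copied, and it emits users before groups before memberships so each command finds what it refers to.

```python
import secrets
import shlex
import string

# Constructed sample input, not data from the thread: what `samba-tool user list`
# and `samba-tool group list` print on the old DC (one name per line), and the
# `samba-tool group listmembers <group>` output for each group.
OLD_USERS = "Administrator\nGuest\nkrbtgt\nmatthew.delfino\njane.doe\n"
OLD_GROUPS = "Domain Admins\nDomain Users\nit-staff\nfinance\n"
OLD_MEMBERS = {
    "Domain Admins": "Administrator\nmatthew.delfino\n",
    "Domain Users": "",
    "it-staff": "matthew.delfino\njane.doe\n",
    "finance": "jane.doe\n",
}

# Every fresh provision already has these. `samba-tool user create` / `group add`
# would fail on them, and membership in the privileged built-in groups should be
# granted on purpose in the new domain rather than copied from the old one.
BUILTIN_USERS = {"Administrator", "Guest", "krbtgt"}
BUILTIN_GROUPS = {"Domain Admins", "Domain Users", "Domain Guests", "Domain Computers",
                  "Domain Controllers", "Schema Admins", "Enterprise Admins",
                  "Group Policy Creator Owners"}

# No '-' here: a password starting with '-' would be parsed as an option by samba-tool.
PW_SYMBOLS = "!#%+_"


def temp_password(length=14):
    """Random one-time password meeting Samba's default complexity rule (3 of 4 classes)."""
    alphabet = string.ascii_letters + string.digits + PW_SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        classes = sum(any(c in cls for c in pw) for cls in
                      (string.ascii_lowercase, string.ascii_uppercase, string.digits, PW_SYMBOLS))
        if classes >= 3:
            return pw


def _names(text):
    """Split samba-tool list output into names, ignoring blank lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def build_recreate_script(users_text, groups_text, members_by_group):
    """Return (shell script text, {user: temporary password}) that recreates the
    users, groups and memberships on a DC of the new domain, in dependency order."""
    users = [u for u in _names(users_text) if u not in BUILTIN_USERS]
    groups = [g for g in _names(groups_text) if g not in BUILTIN_GROUPS]
    passwords = {u: temp_password() for u in users}
    lines = ["#!/bin/sh", "set -e"]
    for u in users:
        # --must-change-at-next-login makes the temporary password single-use.
        lines.append(f"samba-tool user create {shlex.quote(u)} {shlex.quote(passwords[u])} "
                     "--must-change-at-next-login")
    for g in groups:
        lines.append(f"samba-tool group add {shlex.quote(g)}")
    for g in groups:
        members = [m for m in _names(members_by_group.get(g, "")) if m not in BUILTIN_USERS]
        if members:
            # addmembers takes a comma-separated list of sAMAccountNames.
            lines.append(f"samba-tool group addmembers {shlex.quote(g)} "
                         f"{shlex.quote(','.join(members))}")
    return "\n".join(lines) + "\n", passwords


if __name__ == "__main__":
    script, passwords = build_recreate_script(OLD_USERS, OLD_GROUPS, OLD_MEMBERS)
    print(script)
```

The generated script contains the temporary passwords in clear text, so it belongs in a root-only file on the new DC and should be deleted once it has run and the passwords have been handed to their users out of band. Membership of Domain Users needs no command at all, since it comes from each user's primaryGroupID.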
Andrew Bartlett
2018-Feb-11 21:36 UTC
[Samba] Migration Of Records From Old Samba Domain To New One
On Sun, 2018-02-11 at 11:01 -0600, Matthew Delfino via samba wrote:
> Hello from Sunny and frigidly cold Minneapolis, MN, USA!
>
> I have a SAMBA domain with three DCs running v4.4.16 on Ubuntu Server 14.04.5 LTS (BIND9 DLZ Backend). I need to move all my records to a new domain (from DOMAIN.LOC to SAMDOM.DOMAIN.NET).
>
> I know that it's not possible to change domains on a samba install,

Indeed it isn't. However there are two ways forward:

As you suggest you can re-inject the objects, but it takes care. The folks at Tranquil IT have become experts at the process, and have discussed their methods here in the past.

There is also good news because I've had a customer ask for me to create an automated process for this. I don't have a timeline yet, but I wanted to mention it is on the roadmap.

In this case what the customer was after is the ability to rename a domain so as to create a 'lab' domain for testing, but the hope is that we can make the solution general enough for domain renames (but you will need to take the domain through the rename funnel and rebuild the DCs after).

Thanks,

Andrew Bartlett

--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
Matthew Delfino
2018-Feb-27 22:37 UTC
[Samba] Migration Of Records From Old Samba Domain To New One
Thank you for taking time to do this, Andrew. But, of course, it will be too late for me.

I’ve just returned from exile, where I went on a spirit quest of sorts. Except that, on this quest, I was obliged to keep my distance until I had found a way to export and import all users, groups and group membership from my old samba domain to my new one. I updated schema to support Kerio Connect using ldbadd and ldbmodify. I queried my old domain with ldbsearch. I fed on berries and those fowl unfortunate enough to cross my path. I found and replaced in BBEdit. I consumed tea, earl grey, hot. I sorted and rearranged fields in Excel. I tended to my wounds with herbs. I shell scripted and looped through lists of data using samba-tool. Until finally I smote my enemy’s ruin upon the mountain side. And today I return.

Why? Because - without the help of drugs - I have a new domain on Samba 4.7.5 which parodies my old one on Samba 4.4.16. I am Matthew the White.

And I come back to you now with this question: I imported schema from Kerio Connect (let me know if you want my notes & files for your wiki page on schema) and I need to put about six attributes' worth of info into a whole bunch of user records. The samba-tool only lets me modify specific attributes - obviously none of the custom ones my schema adjustments added.

I know I can manually edit records with something like this:

    ldbedit -e vim -H /var/lib/samba/private/sam.ldb 'sAMAccountName=matthew.delfino'

And get the fields all straightened away. Or, use ADUC on Windows with Attribute Editor, if I was paid by the hour.

But, if I want to script this, what are my options? In this case, would something like this work:

    ldbmodify --url=/var/lib/samba/private/sam.ldb kerio-fields.ldif

Where kerio-fields.ldif would be an ldif file with all the kerio attribute values I want to change for each dn? Or, do you think there’s a better way?
Thanks,
Matthew

> On 2018.02.11, at 3:36 PM, Andrew Bartlett via samba <samba at lists.samba.org> wrote:
>
> On Sun, 2018-02-11 at 11:01 -0600, Matthew Delfino via samba wrote:
>> Hello from Sunny and frigidly cold Minneapolis, MN, USA!
>>
>> I have a SAMBA domain with three DCs running v4.4.16 on Ubuntu Server 14.04.5 LTS (BIND9 DLZ Backend). I need to move all my records to a new domain (from DOMAIN.LOC to SAMDOM.DOMAIN.NET).
>>
>> I know that it's not possible to change domains on a samba install,
>
> Indeed it isn't. However there are two ways forward:
>
> As you suggest you can re-inject the objects, but it takes care. The
> folks at Tranquil IT have become experts at the process, and have
> discussed their methods here in the past.
>
> There is also good news because I've had a customer ask for me to
> create an automated process for this. I don't have a timeline yet, but
> I wanted to mention it is on the roadmap.
>
> In this case what the customer was after is the ability to rename a
> domain so as to create a 'lab' domain for testing, but the hope is that
> we can make the solution general enough for domain renames (but you
> will need to take the domain thought he rename funnel and rebuild the
> DCs after).
>
> Thanks,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Development and Support, Catalyst IT
> https://catalyst.net.nz/services/samba
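The ldbmodify approach asked about above does work in the form described: ldbmodify reads an LDIF file of `changetype: modify` records, and every attribute named in them must exist in the schema (which the Kerio schema import supplies) or the record is rejected. What usually goes wrong when such a file is produced by hand is the LDIF framing: each `replace:` block must end with a line containing only `-`, values that are non-ASCII or begin with a space, `:` or `<` must be base64-encoded with the `::` form, and long lines should be folded with a leading space on continuation lines (RFC 2849). The following added example, not code from the thread or from the Samba project, builds such a file from a spreadsheet-style CSV of DNs and attribute values, which matches the Excel-based workflow described in the message. The Kerio attribute names and the sample rows are constructed placeholders; the real names come from the imported schema.

```python
import base64
import csv
import io

# Constructed sample input, not data from the thread. One row per user: the "dn"
# column names the object, every other column header is an attribute to set.
# The kerio* attribute names are hypothetical placeholders; use the names the
# imported schema actually defines. A blank cell leaves that attribute untouched.
SAMPLE_CSV = """dn,kerioMailAddress,kerioHomeServer,description
"CN=Matthew Delfino,CN=Users,DC=samdom,DC=domain,DC=net",matthew.delfino@domain.net,mail1.samdom.domain.net,
"CN=Jane Doe,CN=Users,DC=samdom,DC=domain,DC=net",jane.doe@domain.net,mail1.samdom.domain.net,Comptabilité
"""


def ldif_attr_line(attr, value):
    """One 'attr: value' line. Values LDIF cannot carry verbatim (non-ASCII, leading
    or trailing space, leading ':' or '<', embedded CR/LF/NUL) use the base64 '::' form."""
    safe = (value.isascii()
            and value == value.strip()
            and not value.startswith((":", "<"))
            and not any(c in value for c in "\r\n\0"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def fold(line, width=76):
    """Fold an over-long line; continuation lines start with a single space (RFC 2849)."""
    if len(line) <= width:
        return line
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)


def build_modify_ldif(csv_text):
    """Turn the CSV into one 'changetype: modify' record per DN, with a 'replace'
    mod-spec per non-empty attribute, each terminated by '-' as ldbmodify expects."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dn = row.pop("dn")
        mods = []
        for attr, value in row.items():
            if value:
                mods += [f"replace: {attr}", fold(ldif_attr_line(attr, value)), "-"]
        if mods:  # a row with only blank cells produces no record at all
            records.append("\n".join([fold(ldif_attr_line("dn", dn)), "changetype: modify"] + mods))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Writes the file the message proposes feeding to:
    #   ldbmodify -H /var/lib/samba/private/sam.ldb kerio-fields.ldif
    with open("kerio-fields.ldif", "w", encoding="ascii") as f:
        f.write(build_modify_ldif(SAMPLE_CSV))
```

`replace` sets the attribute to exactly the listed value and is idempotent, so the file can be re-run after a correction; use `add` instead only for multi-valued attributes where existing values must be kept. The DN in each row has to be the object's DN in the new domain, which `ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=...)' dn` returns.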