I managed to do migration using "classicupgrade".
Doing tests with debian buster 2:4.9.4+dfsg-4.
For the moment using samba internal dns and sub-domain of ad.advocap.org. Had issue forwarding dns if I used main domain.
When it comes to real production will use bind that I understand better but don't want to mess with my other dns servers now.
Had a w10 box join samba4 ad controller so it's a promising start :-)
From w10 all looks good..

There are a number of rough edges to work out.

It did not migrate a lot of attributes that are in active directory.
The most important one to us is "mail"
Others by ldap account manager names:
User name
First Name
Last Name
I'm sure there are others.

I did full dump of samba4 ldap with ldapsearch and the attributes do not exist.

They should have been migratable.
What do I do to migrate the other parameters?

Does the domain administrator account give me access to everything in ldap?

Lam sort of works.
I'm using the domain administrator account to authenticate.
Is that correct?

The lam site gives very little info on setup.
Followed what I could find.
At the moment just using the Windows module for Users and Groups
Users:
LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
List attributes: #givenName;#sn;#mail (None of these exist as migrated)
Groups:
LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
List attributes: #cn;#gidNumber;#memberUID;#description

Any assistance is appreciated.
There are a lot more questions to come :-(

John

On 3/21/19 10:25 AM, Christian Naumer via samba wrote:
> On 21.03.19 at 15:50, John McMonagle via samba wrote:
>
>> That sounds promising
>> How did you migrate your data?
>
> We did the "classicupgrade" as described in the wiki.
>
>> Did you need to add any schema to samba4 ad?
>
> No. But this depends on what you have in ldap now. Do you have dhcp-data
> in there?
>
>> We're in 5 cities and some of the Internet is not 100% reliable.
>> Will need samba4 in each office to make sure they can log in even if the
>> Internet is down.
>> How reliable is the ad syncing?
>
> We have 4 DCs and never really had a problem. However, reading this list,
> this is not always the case it seems.
>
>> Does it need a lot of bandwidth?
>
> I can't comment on that as our DCs are at one site.
>
>> One of the offices with no windows computers has slow dsl.
>>
>> We will have to reconfigure a lot of computers during conversion.
>> I'm thinking if the openldap is not on the same server as samba4 one
>> could keep both running for a few days.
>
> The windows machines can't go back if they once saw the AD. With the
> linux servers you probably could do it.
>
>> Do you think that's feasible?
>
> We planned very carefully. We did some test migrations of the data in
> closed off VMs. Tested each service that we thought could cause problems
> in that environment.
> Then we migrated 2-3 days before we planned the big switch. Stopped all
> password changes so that we didn't have old data. We made the rest of
> the switch in one day on a weekend. There were 5 Windows Server
> domain members. About 15 Linux servers with several different softwares
> (web app with php, cyrus, postfix, local auth of users, Samba member
> servers, Radius, dhcp, etc). Most of them we tested before as VMs in a
> closed off environment.
>
>> I can see some possible issues but think they
>> can be dealt with.
>
> Planning is everything. And testing the whole thing too.
>
> Regards
>
> Christian

--
John McMonagle
IT Manager
Advocap Inc.
On Thu, 4 Apr 2019 14:09:18 -0500
John McMonagle via samba <samba at lists.samba.org> wrote:

> I managed to do migration using "classicupgrade".
> Doing tests with debian buster 2:4.9.4+dfsg-4.
> For the moment using samba internal dns and sub-domain of
> ad.advocap.org. Had issue forwarding dns if I used main domain.

Please define 'forwarding'. Your DC needs to be authoritative for its dns domain, so all that it should forward is anything outside its own dns domain.

> It did not migrate a lot of attributes that are in active directory.
> The most important one to us is "mail"
> Others by ldap account manager names:
> User name
> First Name
> Last Name
> I'm sure there are others.

The upgrade only migrates the attributes really required by AD, you will have to script any others you require.

> Does the domain administrator account give me access to everything in
> ldap?

Yes

> Lam sort of works.
> I'm using the domain administrator account to authenticate.
> Is that correct?

You can also use users that are members of 'Administrators', 'Domain Admins' or any other group you have delegated privileges to.

> The lam site gives very little info on setup.

You need 'Windows (windowsUser)(*)' & 'Unix (posixAccount)' for users, 'Windows (windowsGroup)(*)' & 'Unix (windowsPosixGroup)' for groups

On the Account types tab you need:

#sAMAccountName;#givenName;#sn;#uidNumber;#gidNumber for users

#cn;#gidNumber;#member;#description for groups

Rowland
Christian Naumer
2019-Apr-05 08:47 UTC
[Samba] Migration to samba4 ad and sync to openldap.
On 04.04.19 at 21:09, John McMonagle via samba wrote:
> It did not migrate a lot of attributes that are in active directory.
> The most important one to us is "mail"
> Others by ldap account manager names:
> User name
> First Name
> Last Name
> I'm sure there are others.

Yes as Rowland said only a minimum of attributes are transferred.
We wrote a script for that. I'll add it at the end of the mail. Maybe it will help you.

> I did full dump of samba4 ldap with ldapsearch and the attributes do not
> exist.
>
> They should have been migratable.
> What do I do to migrate the other parameters?
>
> Does the domain administrator account give me access to everything in ldap?
>
> Lam sort of works.
> I'm using the domain administrator account to authenticate.
> Is that correct?

Rowland already set you on the right track. It works for us. Let me know if you need more help.

> The lam site gives very little info on setup.
> Followed what I could find.
> At the moment just using the Windows module for Users and Groups
> Users:
> LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
> List attributes: #givenName;#sn;#mail (None of these exist as migrated)
> Groups:
> LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
> List attributes: #cn;#gidNumber;#memberUID;#description

Here is the script (A colleague wrote this. I just cleaned it up for posting). It queries the old LDAP Server for the required data, puts together an ldif and writes that to the AD.
As we were new when we wrote this forgive us for any things done wrong or too complex :-)

#!/bin/bash

case $1 in
    get)
        # the ldif files are collected in /tmp/ldif; create it before clearing it
        mkdir -p /tmp/ldif
        rm -f /tmp/ldif/*

        # only the last FILTER assignment is used: migrate the members of "Domain Users"
        FILTER="(|(cn=Users1)(cn=Users2))"
        FILTER="cn=Domain Users"
        # -w puts the bind password on the command line (readable in ps);
        # the set branch reads it from a file with -y instead
        USERS=`ldapsearch -H ldaps://oldhostname -D "cn=Admin" -w PassW0rd -b "ou=Groups,dc=domainname,dc=de" "${FILTER}" uniqueMember \
            | grep -Ev "^#" \
            | grep -Ew "uniqueMember" \
            | sort -u \
            | sort -t"," -k2 \
            | sed -e "s:uniqueMember\:::g" \
            | awk -F"," '{printf "%s\n", $1}'`

        for TAG in ${USERS}
        do
            # one ldapsearch per attribute: doing this separately, you don't need to parse the output
            uid=`ldapsearch -H ldaps://oldhostname -D "cn=Admin" "${TAG}" -w PassW0rd uid | grep -Ew "uid" | grep -Ev "(^#|^dn:)" | sed -e "s|uid: ||g"`
            title=`ldapsearch -H ldaps://oldhostname -D "cn=Admin" "${TAG}" -w PassW0rd title | grep -Ew "title" | grep -Ev "(^#|^dn:)" | sed -e "s|title: ||g"`
            givenName=`ldapsearch -H ldaps://oldhostname -D "cn=Admin" "${TAG}" -w PassW0rd givenName | grep -Ew "givenName" | grep -Ev "(^#|^dn:)" | sed -e "s|givenName: ||g"`
            sn=`ldapsearch -H ldaps://oldhostname -D "cn=Admin" "${TAG}" -w PassW0rd sn | grep -Ew "sn" | grep -Ev "(^#|^dn:)" | sed -e "s|sn: ||g"`
            employeeType=`ldapsearch -H ldaps://oldhostname -D "cn=Admin" "${TAG}" -w PassW0rd employeeType | grep -Ew "employeeType" | grep -Ev "(^#|^dn:)" | sed -e "s|employeeType: ||g"`
            mail=`ldapsearch -H ldaps://oldhostname -D "cn=Admin" "${TAG}" -w PassW0rd mail | grep -Ew "mail" | grep -Ev "(^#|^dn:)" | sed -e "s|mail: ||g"`

            if [ -n "${uid}" ]
            then
                if [ -z "${mail}" ]
                then
                    mail="${uid}@domainname.de"
                fi

                # always works
                cat > /tmp/ldif/${uid}.ldif << EOF
dn: CN=${uid},CN=Users,dc=hq,dc=domainname,dc=de
changetype: modify
replace: mail
mail: ${mail}
-
replace: givenName
givenName: ${givenName}
-
replace: sn
sn: ${sn}
-
replace: uid
uid: ${uid}
EOF

                # not always set
                if [ -n "${employeeType}" ]
                then
                    cat >> /tmp/ldif/${uid}.ldif << EOF
-
replace: employeeType
employeeType: ${employeeType}
EOF
                fi

                # not always set
                if [ -n "${title}" ]
                then
                    cat >> /tmp/ldif/${uid}.ldif << EOF
-
replace: title
title: ${title}
EOF
                fi
            fi
        done
        ;;

    set)
        for tag in /tmp/ldif/*
        do
            # prints the ldapmodify command for review; drop the leading echo to apply the ldif files
            echo ldapmodify -c -H ldaps://newhostname.domainname.de -D "cn=Administrator,cn=Users,dc=hq,dc=domainname,dc=de" -y /etc/pwd.txt -f $tag
        done
        ;;

    *)
        echo Call with get or set as parameter
        echo get: get attributes and write to ldif file for usage with ldapmodify
        echo set: set attributes from ldif files
        exit 1
        ;;
esac

exit 0

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator Bioprocess Technology
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
fon +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Commercial register: Darmstadt Local Court, HRB 24758
Management Board: Dr. Juergen Eck (Chairman), Manfred Bender, Ludger Roedder
Chairman of the Supervisory Board: Dr. Georg Kellinghusen
Hi,

And if you're more into php, here is the script I created for our migration, using php. Perhaps you can adjust it for your requirements:

<?php

ini_set('display_errors', 'Off');
error_reporting(E_ALL);

$samba3_server = "1.2.3.4";
$samba3_port = 389;
$samba3_dn = 'ou=users,dc=company,dc=com';
$samba3_filter = "(uid=*)";
$samba3_fields = array("mail", "uid");

$samba4_server = 'ldap://192.168.122.102';
$samba4_user = 'Administrator@REALM.SAMBA4';
$samba4_pass = 'very_secret';
$samba4_port = 389;
$samba4_dn = 'CN=users,DC=company,DC=samba4';
$samba4_fields = array("mail", "cn", "dn", "otherMailbox");
$samba4_realm = 'realm.samba4';

// samba 3 init, accessed anonymously
$samba3 = ldap_connect($samba3_server, $samba3_port)
    or die("Cannot Connect to $samba3_server");
ldap_set_option($samba3, LDAP_OPT_PROTOCOL_VERSION, 3);
$samba3Bind = ldap_bind($samba3);
if (!$samba3Bind) { die('Cannot Bind to samba3'); }

// samba 4 init, bind with a password, non-ssl
// (the Administrator password crosses the wire in clear on port 389; use ldaps:// outside a test lab)
$samba4 = ldap_connect($samba4_server, $samba4_port)
    or die("Cannot Connect to $samba4_server");
ldap_set_option($samba4, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($samba4, LDAP_OPT_REFERRALS, 0);
$samba4Bind = ldap_bind($samba4, $samba4_user, $samba4_pass);
if (!$samba4Bind) { die("Cannot Bind to $samba4_server"); }

$s3_search_result = ldap_search($samba3, $samba3_dn, $samba3_filter);

$s3_count = ldap_count_entries($samba3, $s3_search_result);
echo "Total number of ldap records found: $s3_count<br />";

$uid = ldap_first_entry($samba3, $s3_search_result);

// actual work is done below
while ($uid) {
    $s3_uid = ldap_get_values($samba3, $uid, 'uid');
    $s3_mail = ldap_get_values($samba3, $uid, 'mail');
    $s3_homedirectory = @ldap_get_values($samba3, $uid, 'homeDirectory');
    $s3_givenName = @ldap_get_values($samba3, $uid, 'givenName');
    $s3_sn = ldap_get_values($samba3, $uid, 'sn');
    $s3_description = @ldap_get_values($samba3, $uid, 'description');
    $s3_initials = @ldap_get_values($samba3, $uid, 'initials');
    $s3_sambahomepath = @ldap_get_values($samba3, $uid, 'sambaHomePath');
    $s3_sambahomedrive = @ldap_get_values($samba3, $uid, 'sambaHomeDrive');
    $s3_sambalogonscript = @ldap_get_values($samba3, $uid, 'sambaLogonScript');
    $s3_gecos = @ldap_get_values($samba3, $uid, 'gecos');
    $s3_displayname = @ldap_get_values($samba3, $uid, 'displayName');

    $hoeveel_mail = $s3_mail["count"];
    $hoeveel_uid = $s3_uid["count"];
    echo "This uid: $s3_uid[0], how many addresses defined: $hoeveel_mail | ";

    // find matching AD account (the uid is escaped so that filter metacharacters in it cannot break the search)
    $samba4_filter = "(sAMAccountName=" . ldap_escape($s3_uid[0], '', LDAP_ESCAPE_FILTER) . ")";
    $s4_search_result = ldap_search($samba4, $samba4_dn, $samba4_filter);
    $s4_count = ldap_count_entries($samba4, $s4_search_result);
    if ($s4_count == 0) {
        // no AD object for this uid: skip it instead of modifying an empty dn
        echo " || no matching Samba4 account, skipped<br />";
        $uid = ldap_next_entry($samba3, $uid);
        continue;
    }
    $s4_entry = ldap_get_entries($samba4, $s4_search_result);
    $s4_dn = $s4_entry[0]["dn"];

    echo " || Samba4 dn: $s4_dn | ";

    $info["otherMailbox"] = array();
    $info["mail"] = array();

    // below we fill the $info array with values from samba3
    $info["userPrincipalName"] = ($s3_uid[0] . '@' . $samba4_realm);
    $info["sn"] = $s3_sn[0];
    $info["uid"] = $s3_uid[0];
    $info["msSFU30Name"] = $s3_uid[0];
    // below fields are not always filled; an unset value would be sent as an empty string and make ldap_mod_replace fail for the whole user
    if (isset($s3_homedirectory[0])) { $info["unixHomeDirectory"] = $s3_homedirectory[0]; }
    if (isset($s3_sambahomepath[0])) { $info["homeDirectory"] = $s3_sambahomepath[0]; }
    if (isset($s3_sambahomedrive[0])) { $info["homeDrive"] = $s3_sambahomedrive[0]; }
    if (isset($s3_sambalogonscript[0])) { $info["scriptPath"] = $s3_sambalogonscript[0]; }
    if (isset($s3_givenName[0])) { $info["givenName"] = $s3_givenName[0]; }
    if (isset($s3_initials[0])) { $info["initials"] = $s3_initials[0]; }
    if (isset($s3_mail[0])) { $info["mail"] = $s3_mail[0]; }
    if (isset($s3_description[0])) { $info["description"] = $s3_description[0]; }
    if (isset($s3_gecos[0])) { $info["gecos"] = $s3_gecos[0]; }
    if (isset($s3_displayname[0])) { $info["displayName"] = $s3_displayname[0]; }

    echo "Has the following additional mail fields: ";
    for ($i = 1; $i < $hoeveel_mail; $i++) {
        echo ($i . ": ") . $s3_mail[$i] . ", ";
        $info["otherMailbox"][$i - 1] = $s3_mail[$i];
    }
    echo "<br />";

    // put $info array in the AD
    ldap_mod_replace($samba4, $s4_dn, $info);

    // and proceed with the next samba3 record
    $uid = ldap_next_entry($samba3, $uid);
}

ldap_close($samba4);
ldap_close($samba3);

?>
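Both scripts in this thread copy the old values into the directory as they are: the bash one through a heredoc, the php one through ldap_mod_replace. The same job done offline, as an added example that is not code from this thread or from any of its posters: it parses an LDIF export of the old OpenLDAP tree (folded lines and base64 "::" values included) and emits a "changetype: modify" LDIF for ldapmodify against the DC, base64-encoding any value that is not an RFC 2849 safe string, for instance an sn with an umlaut, which a heredoc would write raw and ldapmodify would then reject. Like Christian's script it assumes the AD object sits at CN=<uid>,CN=Users,... as classicupgrade creates it, and like the php script it puts the first mail value into mail and any further ones into otherMailbox. The sample export, the base DN and the user names are constructed; the attribute mapping follows the two scripts.

```python
import base64

# Attributes copied 1:1 and attributes renamed on the way into AD
# (RFC 2307 name on the OpenLDAP side, AD schema name on the Samba side).
COPY_ATTRS = ("uid", "givenName", "sn", "title", "employeeType",
              "displayName", "description")
RENAME_ATTRS = {"homeDirectory": "unixHomeDirectory"}

# Constructed sample of an `ldapsearch -LLL` export from the old tree (not real
# data; the second sn is base64 because "Müller" is not an LDIF safe string).
SAMBA3_EXPORT = """\
dn: uid=jdoe,ou=Users,dc=domainname,dc=de
uid: jdoe
givenName: John
sn: Doe
mail: jdoe@domainname.de
mail: john.doe@domainname.de
title: IT Manager
homeDirectory: /home/jdoe

dn: uid=mmueller,ou=Users,dc=domainname,dc=de
uid: mmueller
givenName: Max
sn:: TcO8bGxlcg==
mail: max.mueller@domainname.de
"""


def parse_ldif(text):
    """Parse LDIF content records into a list of {attr: [values]} dicts.

    Continuation lines (leading space) are unfolded, 'attr:: b64' values are
    decoded, comments are dropped and a blank line ends a record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # the trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):       # base64 form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def ldif_line(attr, value):
    """One LDIF line; base64 when the value is not a SAFE-STRING per RFC 2849
    (leading space, ':' or '<', or any non-ASCII, NUL, CR or LF character)."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_char = any(ord(c) > 127 or c in "\x00\r\n" for c in value)
    if unsafe_start or unsafe_char:
        b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {b64}"
    return f"{attr}: {value}"


def build_modify(entry, users_base):
    """Build one 'changetype: modify' record for the AD object whose CN is the
    old uid (where classicupgrade puts users, as the thread's scripts assume).
    Only attributes present in the export are replaced, so the record never
    clears an attribute the old entry did not have."""
    uid = entry["uid"][0]
    changes = [(a, entry[a]) for a in COPY_ATTRS if a in entry]
    changes += [(new, entry[old]) for old, new in RENAME_ATTRS.items() if old in entry]
    mails = entry.get("mail", [])
    if mails:
        changes.append(("mail", mails[:1]))          # primary address
    if len(mails) > 1:
        changes.append(("otherMailbox", mails[1:]))  # the rest, as in the php script
    out = [ldif_line("dn", f"CN={uid},{users_base}"), "changetype: modify"]
    for attr, values in changes:
        out.append(f"replace: {attr}")
        out.extend(ldif_line(attr, v) for v in values)
        out.append("-")                              # every mod-spec ends with "-"
    return "\n".join(out) + "\n"


def migrate(export_text, users_base="CN=Users,DC=hq,DC=domainname,DC=de"):
    """Return the modify LDIF for every exported entry that has a uid."""
    entries = [e for e in parse_ldif(export_text) if "uid" in e]
    return "\n".join(build_modify(e, users_base) for e in entries)


if __name__ == "__main__":
    print(migrate(SAMBA3_EXPORT), end="")
```

Redirect the output to a file and feed it to ldapmodify with -y and a password file, as the set branch of Christian's script does; with -c ldapmodify carries on past a record the DC rejects instead of stopping at the first error.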
On 4/5/19 3:47 AM, Christian Naumer via samba wrote:
> On 04.04.19 at 21:09, John McMonagle via samba wrote:
>> It did not migrate a lot of attributes that are in active directory.
>> The most important one to us is "mail"
>> Others by ldap account manager names:
>> User name
>> First Name
>> Last Name
>> I'm sure there are others.
>
> Yes as Rowland said only a minimum of attributes are transferred.
> We wrote a script for that. I'll add it at the end of the mail. Maybe it
> will help you.
>
>> I did full dump of samba4 ldap with ldapsearch and the attributes do not
>> exist.
>>
>> They should have been migratable.
>> What do I do to migrate the other parameters?
>>
>> Does the domain administrator account give me access to everything in ldap?
>>
>> Lam sort of works.
>> I'm using the domain administrator account to authenticate.
>> Is that correct?
>
> Rowland already set you on the right track. It works for us. Let me know
> if you need more help.
>
>> The lam site gives very little info on setup.
>> Followed what I could find.
>> At the moment just using the Windows module for Users and Groups
>> Users:
>> LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
>> List attributes: #givenName;#sn;#mail (None of these exist as migrated)
>> Groups:
>> LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
>> List attributes: #cn;#gidNumber;#memberUID;#description
>
> Here is the script (A colleague wrote this. I just cleaned it up for
> posting). It queries the old LDAP Server for the required data, puts
> together an ldif and writes that to the AD. As we were new when we wrote
> this forgive us for any things done wrong or too complex :-)

Thanks Christian

That looks like an easy way to get the attributes for a few users so I can continue my tests.

Found a couple more possibilities.

This is a patch someone made to the classic migration.
https://gist.github.com/jtyocum/f19533448b94012d3722
It's a little old but hopefully the code has not changed much.

https://lsc-project.org/documentation/tutorial/openldaptoactivedirectory
That looks really interesting but I've had no luck getting a lsc.xml file that it will accept.

> [quoted script snipped]

--
John McMonagle
IT Manager
Advocap Inc.
On 4/4/19 3:18 PM, Rowland Penny via samba wrote:
> On Thu, 4 Apr 2019 14:09:18 -0500
> John McMonagle via samba <samba at lists.samba.org> wrote:
>
>> I managed to do migration using "classicupgrade".
>> Doing tests with debian buster 2:4.9.4+dfsg-4.
>> For the moment using samba internal dns and sub-domain of
>> ad.advocap.org. Had issue forwarding dns if I used main domain.
>
> Please define 'forwarding'. Your DC needs to be authoritative for its
> dns domain, so all that it should forward is anything outside its own
> dns domain.

For this test the samba4 ad controller is ad.advocap.org.
Everything else is advocap.org.
Put this in smb.conf pointing to one of our internal dns controllers.
dns forwarder = 192.168.2.1

I assume if I have bind use samba I can have bind push out the samba created records to the other dns servers.
At that point all the dns servers have the same information and they are all authoritative for the domain.
As this is just a testing phase I don't want to tamper with my other dns servers.
At the moment mostly concerned with the ldap and kerberos parts and how to get that working with the linux parts.
In the end all the internal dns may be on samba4 ad directory boxes but that will take a long time.

>> It did not migrate a lot of attributes that are in active directory.
>> The most important one to us is "mail"
>> Others by ldap account manager names:
>> User name
>> First Name
>> Last Name
>> I'm sure there are others.
>
> The upgrade only migrates the attributes really required by AD, you
> will have to script any others you require.
>
>> Does the domain administrator account give me access to everything in
>> ldap?
>
> Yes
>
>> Lam sort of works.
>> I'm using the domain administrator account to authenticate.
>> Is that correct?
>
> You can also use users that are members of 'Administrators', 'Domain
> Admins' or any other group you have delegated privileges to.
>
>> The lam site gives very little info on setup.
>
> You need 'Windows (windowsUser)(*)' & 'Unix (posixAccount)' for users,
> 'Windows (windowsGroup)(*)' & 'Unix (windowsPosixGroup)' for groups
>
> On the Account types tab you need:
>
> #sAMAccountName;#givenName;#sn;#uidNumber;#gidNumber for users
>
> #cn;#gidNumber;#member;#description for groups
>
> Rowland

--
John McMonagle
IT Manager
Advocap Inc.