David Brodbeck
2021-Jul-29 19:18 UTC
[Samba] Importing standalone users into Active Directory
I've done a lot of Googling but haven't found the answer to this yet.

I have a standalone Samba server I want to add to my Samba4 Active Directory domain. However, the standalone server has about 300 Samba user accounts in its local tdbsam database that I need to retain. As I see it, there are two possibilities:

1. Import the tdbsam accounts into Active Directory. This would be my first choice.
   - I've found information on importing tdb files from NT4-style domains to new AD domains using samba-tool, but nothing about taking users from a standalone server and inserting them into an existing AD.
   - I looked into pdbedit but it doesn't seem to have AD as one of its backend options (or maybe I'm just missing it).

2. Have Samba authenticate against the TDB file when it can't find an AD account for a user.
   - Researching this led me to references to the command "auth method", which looked promising, but it was removed in 2017.

Has anyone faced this problem, and found a good solution? I really don't want to have to continue to maintain this server as a standalone one, but getting 300 people to all set new passwords simultaneously is not going to happen.

-- 
David Brodbeck (they/them)
System Administrator, Department of Mathematics
University of California, Santa Barbara
Rowland Penny
2021-Jul-29 19:52 UTC
[Samba] Importing standalone users into Active Directory
On Thu, 2021-07-29 at 12:18 -0700, David Brodbeck via samba wrote:
> I've done a lot of Googling but haven't found the answer to this yet.
>
> I have a standalone Samba server I want to add to my Samba4 Active
> Directory domain. However, the standalone server has about 300 Samba user
> accounts in its local tdbsam database that I need to retain. As I see it,
> there are two possibilities:
>
> 1. Import the tdbsam accounts into Active Directory. This would be my first
> choice.
> - I've found information on importing tdb files from NT4-style domains
> to new AD domains using samba-tool, but nothing about taking users from a
> standalone server and inserting them into an existing AD.
> - I looked into pdbedit but it doesn't seem to have AD as one of its
> backend options (or maybe I'm just missing it.)
>
> 2. Have Samba authenticate against the TDB file when it can't find an AD
> account for a user.
> - Researching this led me to references to the command "auth method",
> which looked promising, but it was removed in 2017.
>
> Has anyone faced this problem, and found a good solution? I really don't
> want to have to continue to maintain this server as a standalone one, but
> getting 300 people to all set new passwords simultaneously is not going to
> happen.

You can output the samba database with:

    pdbedit -L -w

This will produce output like this:

    sorce:500:508818B733CE64BEAAD3B435B51404EE:D2A2418EFC466A8A0F6B1DBB5C3DB80C:[UX ]:LCT-00000000:
    samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:BC281CE3F53B6A5146629CD4751D3490:[UX ]:LCT-3BFA1E8D:

See 'man pdbedit' for more information.

You can then parse that for the data you require and use it to create your users in AD, though you will have to 'crack' the NT hash.

Rowland
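As an added example (not part of the thread), a Python parser for the smbpasswd-format records that `pdbedit -L -w` prints, which sorts accounts into those carrying a usable NT hash and those an admin should look at before migrating (disabled, empty password, machine or trust accounts). The two records from the reply, re-joined onto one line each, are the constructed input; the flag letters and the null-hash markers are the conventions documented in smbpasswd(5).

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed input: the two records from the reply, re-joined so that each
# record sits on one line, which is how pdbedit -L -w actually prints them.
SAMPLE_OUTPUT = (
    "sorce:500:508818B733CE64BEAAD3B435B51404EE:D2A2418EFC466A8A0F6B1DBB5C3DB80C:[UX ]:LCT-00000000:\n"
    "samba:45:0F2B255F7B67A7A9AAD3B435B51404EE:BC281CE3F53B6A5146629CD4751D3490:[UX ]:LCT-3BFA1E8D:\n"
)
# Hash-field conventions from smbpasswd(5)
NULL_PASSWORD = "NO PASSWORD" + "X" * 21  # account has an empty password
NO_HASH = "X" * 32                        # no usable hash stored
HEX = set("0123456789ABCDEF")

@dataclass
class Account:
    name: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: str        # letters from the [...] field, e.g. "UX"
    last_change: int  # seconds since the epoch, from LCT-<hex>

    @property
    def has_usable_nt_hash(self) -> bool:
        if "N" in self.flags or self.nt_hash in (NULL_PASSWORD, NO_HASH):
            return False
        return len(self.nt_hash) == 32 and set(self.nt_hash.upper()) <= HEX

    @property
    def migratable(self) -> bool:
        # normal user account, not disabled, with a real NT hash to carry over
        return "U" in self.flags and "D" not in self.flags and self.has_usable_nt_hash

def parse_record(line: str) -> Account:
    """Parse one 'name:uid:LM:NT:[flags]:LCT-hex:' record."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 6 or not fields[4].startswith("[") or not fields[5].startswith("LCT-"):
        raise ValueError(f"malformed pdbedit record: {line!r}")
    name, uid, lm, nt, flags, lct = fields[:6]
    return Account(name, int(uid), lm, nt, flags.strip("[] "), int(lct[4:], 16))

def parse_pdbedit_output(text: str) -> List[Account]:
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def migration_plan(accounts: List[Account]) -> Tuple[List[Account], List[Account]]:
    """Accounts ready to carry over vs. ones to review (disabled, empty password, non-user)."""
    ready = [a for a in accounts if a.migratable]
    return ready, [a for a in accounts if not a.migratable]
```

Feed it the real output of `pdbedit -L -w` from the standalone server; the `review` list is the set of accounts to settle with their owners before any bulk creation in AD.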