Rowland Penny
2021-Aug-25 09:06 UTC
[Samba] how to populate Samba AD DC with groups and users?
On Wed, 2021-08-25 at 10:16 +0200, Franta Hanzlik wrote:
> Hi Rowland,
>
> thanks for Your valuable advice!
> When please You still can:
>
> Dne 2021-08-25 08:47, Rowland Penny via samba napsal:
> > On Wed, 2021-08-25 at 03:08 +0200, Franta Hanzlík via samba wrote:
> ...
> > > 3) Use ldbsearch to dump the AD DC groups and users (except
> > > system/builtin) to an LDIF file from the old DC, exclude unnecessary
> > > attributes from them, and modify them for ldbadd and add them to the
> > > new one.
> > > This seems like a better way, but what attributes will be needed in
> > > the file to import into the new DC?
> > > And what about Unix attributes (home directory, UID / GID, etc.)?
> >
> > A method based on the above is probably the best way to go, but
> > beware, you will not be able to extract any passwords.
>
> Passwords are not possible to extract?
> When I did a dump from the old 4.0.4 DC as:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb.d/DC\=OURAD\,DC\=SKOLA\,DC\=CZ.ldb '(sAMAccountType=805306368)'
>
> (it seems that sAMAccountType=805306368 returns user accounts,
> sAMAccountType=268435456 group objects, 536870912 are special/builtin
> groups, and 805306369 are computer accounts)
>
> I got also the attribute 'unicodePwd:: iJhulVWNcy4NiOaOPOoO6g=='

You are lucky, if you dump the AD database, you now do not get the
unicodePwd attribute. You can get the password, but only ON a Samba DC
and by explicitly asking for it, you can then set it after creating or
modifying a user.

> - and I was hoping that these attributes would also be written to the
> new AD using ldbadd and that it would behave like user passwords (or
> maybe more like their hashes - after base64 decoding I get a 16 byte
> binary value).
> Do you think that this conversion and writing of the password/hash is
> not possible?

It is, to encode the password to add to AD, you would use this:

UNICODEPW=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)

This would provide the password you could add with this ldif:

dn: cn=username,cn=Users,dc=samdom,dc=example,dc=com
changetype: modify
replace: unicodePwd
unicodePwd:: $UNICODEPW

> I don't mind using samba-tool, on the contrary, I welcome it if it can
> write valid user or group data. I was rather surprised that I didn't
> find any examples of how to set up groups and users, and maybe some
> advice and tricks around it. But maybe I was just looking wrong, my
> English is lousy.

There is no difference in how to set up users & groups on Samba AD than
Windows AD, and there is lots of documentation out there about Windows
AD.

Rowland
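As an added example (not code from this thread, from Samba, or from Rowland), the migration step discussed above in Python: parse one record from an ldbsearch dump, drop the attributes that the new DC generates itself or that hold password material, write the cleaned record back as LDIF for ldbadd, and build the unicodePwd modify LDIF using exactly the quote / UTF-16LE / base64 transformation Rowland's one-liner performs. The sample record is constructed, the drop list is my assumption rather than something the thread states, and the sAMAccountType mapping is the one Franta observed. The value the directory accepts on write is the quoted UTF-16LE password, which is a different thing from the 16-byte value seen in the dump, so the dumped attribute is dropped rather than re-imported.

```python
import base64
from typing import Dict, List

# Constructed sample record, in the shape ldbsearch prints (values are
# made up; the description is base64-encoded and folded over two lines
# to exercise the LDIF parser).
SAMPLE_LDIF = """\
dn: CN=jdoe,CN=Users,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: user
cn: jdoe
sAMAccountName: jdoe
sAMAccountType: 805306368
uidNumber: 10001
gidNumber: 10001
unixHomeDirectory: /home/jdoe
loginShell: /bin/bash
description:: VGVzdCB1
 c2Vy
objectGUID: 00000000-0000-0000-0000-000000000000
whenCreated: 20210101000000.0Z
uSNCreated: 12345
unicodePwd:: AAAAAAAAAAAAAAAAAAAAAA==
"""

# sAMAccountType values as observed in the thread (constant names from
# the AD schema).
ACCOUNT_KINDS = {
    805306368: "user",      # SAM_NORMAL_USER_ACCOUNT
    268435456: "group",     # SAM_GROUP_OBJECT
    536870912: "alias",     # SAM_ALIAS_OBJECT (builtin/local groups)
    805306369: "computer",  # SAM_MACHINE_ACCOUNT
}

# Assumed drop list: attributes the target DC generates itself or that
# hold password material. Not from the thread; adjust for your schema.
DROP_ON_IMPORT = {
    "objectguid", "objectsid", "whencreated", "whenchanged",
    "usncreated", "usnchanged", "distinguishedname", "instancetype",
    "unicodepwd", "supplementalcredentials", "dbcspwd",
    "ntpwdhistory", "lmpwdhistory", "pwdlastset",
}


def account_kind(sam_account_type: int) -> str:
    """Map a sAMAccountType value to the kind of object it selects."""
    return ACCOUNT_KINDS.get(sam_account_type, "other")


def parse_ldif_record(text: str) -> Dict[str, List[bytes]]:
    """Parse one LDIF record into attribute -> list of raw values.
    Folded lines (leading space) are joined; 'attr:: x' is base64."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    record: Dict[str, List[bytes]] = {}
    for line in lines:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.lstrip(" ").encode("utf-8")
        record.setdefault(name, []).append(value)
    return record


def strip_for_import(record: Dict[str, List[bytes]]) -> Dict[str, List[bytes]]:
    """Drop server-managed and secret attributes before ldbadd."""
    return {k: v for k, v in record.items() if k.lower() not in DROP_ON_IMPORT}


def plain_safe(value: bytes) -> bool:
    """RFC 2849 rule for writing a value without base64: printable ASCII,
    not starting with space, colon or '<'."""
    if not value:
        return True
    if value[0] in b" :<":
        return False
    return all(32 <= b < 127 for b in value)


def format_ldif_record(record: Dict[str, List[bytes]]) -> str:
    """Serialize a record back to LDIF, base64-encoding where required."""
    out = []
    for name, values in record.items():
        for value in values:
            if plain_safe(value):
                out.append(f"{name}: {value.decode('ascii')}")
            else:
                out.append(f"{name}:: {base64.b64encode(value).decode('ascii')}")
    return "\n".join(out) + "\n"


def encode_unicode_pwd(password: str) -> str:
    """The transformation Rowland's one-liner performs:
    quote the password, encode UTF-16LE, base64 without line breaks."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def password_modify_ldif(dn: str, password: str) -> str:
    """LDIF that sets unicodePwd on an existing object (for ldbmodify)."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: unicodePwd\n"
            f"unicodePwd:: {encode_unicode_pwd(password)}\n")


if __name__ == "__main__":
    rec = parse_ldif_record(SAMPLE_LDIF)
    print(account_kind(int(rec["sAMAccountType"][0])))
    print(format_ldif_record(strip_for_import(rec)))
    print(password_modify_ldif(rec["dn"][0].decode(), "Secret1!"))
```

The cleaned record keeps the Unix attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) because they are ordinary writable attributes; the password is then set in a second step with the modify LDIF, as Rowland describes, rather than carried over from the dump.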