Enhancement #1657

Feature #1660: Migrate NethService to NethServer

Migrate samba SAM DB in LDAP

Added by Davide Principi over 8 years ago. Updated over 8 years ago.

Status:CLOSEDStart date:02/15/2013
Priority:NormalDue date:02/25/2013
Assignee:-% Done:

100%

Category:nethserver-samba
Target version:v6.4-alpha2
Resolution: NEEDINFO:

Description

Migrate
  • NT password hashes into sambaNTPassword LDAP field
  • @sambaSID@s
  • machine accounts
  • Domain SID
  • idmaps

Related issues

Related to NethServer 6 - Enhancement #1655: Users and groups migration script CLOSED 02/13/2013 02/14/2013
Related to NethServer 6 - Enhancement #7: Refactor smb.conf template CLOSED 02/21/2013 02/21/2013

Associated revisions

Revision 20f07680
Added by Davide Principi over 8 years ago

nethserver-samba-migrate action: import Workgroup and ServerRole props and signal nethserver-samba-save event. Refs #1657

Revision 01b1e269
Added by Davide Principi over 8 years ago

nethserver-samba-migrate action: plugged into migration-import event. Refs #1657

Revision bca94a23
Added by Davide Principi over 8 years ago

smb.conf: use ou=People LDAP branch to store machine accounts. This makes machine accounts visible to libuser. Refs #1657

Revision a671b11a
Added by Davide Principi over 8 years ago

smb.conf: log level set to default value 0, to silence pdbedit debug messages. Refs #1657

Revision 42c4c3fa
Added by Davide Principi over 8 years ago

user-create-unix action: small var assignment-and-check refactor. Refs #1657

Revision b94b4bd0
Added by Davide Principi over 8 years ago

user-create-unix action: removed some default props setting: (PasswordSet, AllowRSSH VPNClientAccess). Refs #1657

Revision 09c75119
Added by Davide Principi over 8 years ago

user-create-unix action: a wrong shell executable does not make the action fail. Only warning message is produced. Refs #1657

Revision 2073eb3e
Added by Davide Principi over 8 years ago

group-create-unix action: default user uid is set the same as gid. Refs #1657

Revision 1cfed6f9
Added by Davide Principi over 8 years ago

nethserver-samba-sam-conf: perl syntax fix. Refs #1657

Revision 1975b99e
Added by Davide Principi over 8 years ago

nethserver-samba-machine-create action: create machine account preserving Uid prop and setting primary group to domcomputers. Refs #1657

Revision b02e94dc
Added by Davide Principi over 8 years ago

nethserver-samba-migrate action: migrate users, groups and machines. Refs #1657

Revision bad63545
Added by Davide Principi over 8 years ago

nethserver-samba-migrate: act on a standard backup dataset as stated in #1660. Refs #1657

Revision 0c035088
Added by Davide Principi over 8 years ago

nethserver-samba-migrate action: restored secrets.tdb default path under /var/lib/samba/private/. Refs #7, #1657

Revision d977567d
Added by Davide Principi over 8 years ago

nethserver-samba-migrate action: set a netbios alias with old PDC name in smb.conf. Refs #1657

Revision 8e70b09c
Added by Davide Principi over 8 years ago

/etc/hosts template: expand smb{NetbiosAliasList} prop during nethserver-samba-migrate action. Refs #1657

Revision 4e856319
Added by Davide Principi over 8 years ago

/etc/hosts: fixed 01netbios_aliases perl syntax. Refs #1657

Revision 7ca5c089
Added by Davide Principi over 8 years ago

configuration DB migrate (30nethserver-samba-workgroup): set workgroup uppercase. Refs #1657

Revision a2b4ece8
Added by Davide Principi over 8 years ago

nethserver-samba-migrate action: use concrete DB implementations, otherwise some methods (get_value) are not implemented. Refs #1657

Revision 383994c3
Added by Davide Principi over 8 years ago

nethserver-samba-migrate action: clean up previous LDAP sambaDomain objects. Refs #1657

Revision 0bc5f03c
Added by Davide Principi over 8 years ago

nethserver-samba-migrate: warn if a null LDIF entry is returned. Dont know exactly why this should happen... Refs #1657

Revision 6fad79dc
Added by Davide Principi over 8 years ago

nethserver-samba-migrate action: Insert user name ids in upper/lower/mixed case as ldb3search (and what else?) normalizes them. Refs #1637

Revision eb332170
Added by Davide Principi over 8 years ago

nethserver-samba-migrate action: stop services before start migrating. SID fails to be initialized properly from secrets.tdb if services are running. Refs #1657

Revision dc088807
Added by Davide Principi over 8 years ago

nethserver-samba-user-modify: fixed Disabled flag logic. Refs #1657

Revision cc4d09d3
Added by Davide Principi over 8 years ago

NethServer::Migrate (parseGroup): read the unix group database from the given file. Refs #1657

Revision e682637b
Added by Davide Principi over 8 years ago

/etc/hosts template: add lowercase hostname to localhost alias list. Refs #1657

Revision 46e9b7a1
Added by Davide Principi over 8 years ago

nethserver-samba-migrate-sam action: added getStaticGroupDb($) function to calculate group RIDs by the algorithmic method. Refs #1657

Revision 6c99ea50
Added by Davide Principi over 8 years ago

nethserver-samba-migrate-sam action: set Samba=enabled on user records. Refs #1657

History

#1 Updated by Davide Principi over 8 years ago

  • Subject changed from Migrate samba passwords in LDAP to Migrate samba SAM DB in LDAP
  • Description updated (diff)
  • Estimated time changed from 4.00 to 24.00

#2 Updated by Davide Principi over 8 years ago

  • Description updated (diff)

#3 Updated by Davide Principi over 8 years ago

  • Status changed from ON_DEV to ON_QA
  • % Done changed from 10 to 70

After SAM DB migration clients seems to require the old PDC server name pointing to the new PDC IP address.

As workaround I set an host alias with the old PDC name.

#4 Updated by Davide Principi over 8 years ago

  • Tracker changed from Feature to Enhancement
  • Parent task set to #1660

#5 Updated by Davide Principi over 8 years ago

  • Due date changed from 02/15/2013 to 02/25/2013

#6 Updated by Davide Principi over 8 years ago

To resume SAM from a complete backup the following informations are needed:

  • Domain name (smb.conf)
  • Domain SID (secrets.tdb)
  • User and machine account RIDs (smbpasswd database)
  • Group RIDs (group_mapping.ldb)
  • Unix/Samba group mappings (winbindd_idmap.tdb,group_mapping.ldb)
Tools to extract the needed informations
  • testparm (smb.conf)
  • tdbtool (secrets.tdb)
  • pdbedit (smbpasswd)
  • ldb3search (group_mapping.ldb)
  • net idmap dump (winbindd_idmap.tdb,group_mapping.ldb)

#7 Updated by Davide Principi over 8 years ago

  • Status changed from ON_QA to CLOSED
  • % Done changed from 70 to 100

#8 Updated by Davide Principi over 8 years ago

Stopped smb, nmb, winbind before starting migration action.

If the services are started just before the net getdomainsid command it seems that the domain record in secrets.tdb is not considered for LDAP sambaDomain entry initialization. The machine SID prefix is used instead.

This does not occur if the services are stopped. Don't know exactly what is the reason behind this.

#9 Updated by Davide Principi over 8 years ago

  • Status changed from CLOSED to ON_DEV
  • % Done changed from 100 to 90

var/lib/samba/group_mapping.ldb is not available in NethService backup. The gid-rid association is stored there, but we also know that gids are calculated by a simple formula

  rid = algorithmicRidBase + 1 + (gid*2)

It should not be an issue to assume all rids had been calculated by that formula: only ldap smbpasswd backends generate rids sequentially, smbpasswd and tdb backends use the formula.

See Samba Identity Mapping.

#10 Updated by Davide Principi over 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 90 to 100

#11 Updated by Davide Principi over 8 years ago

  • Status changed from MODIFIED to ON_DEV
  • % Done changed from 100 to 80

TODO: set Samba=enabled in user records

#12 Updated by Davide Principi over 8 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 80 to 100

#13 Updated by Davide Principi over 8 years ago

  • Status changed from MODIFIED to CLOSED

#14 Updated by Davide Principi over 8 years ago

State set to closed on NethServer 6.4 alpha2 release

Also available in: Atom PDF