
Re: [Samba] Migration Of Records From Old Samba Domain To New One




Discoveries and insights below...

> On 2018.02.27, at 4:37 PM, Matthew Delfino via samba <samba@xxxxxxxxxxxxxxx> wrote:
> 
> Thank you for taking time to do this, Andrew. But, of course, it will be too late for me.
> 
> I’ve just returned from exile, where I went on a spirit quest of sorts. Except that, on this quest, I was obliged to keep my distance until I had found a way to export and import all users, groups and group membership from my old samba domain to my new one.
> 
> I updated schema to support Kerio Connect using ldbadd and ldbmodify.
> I queried my old domain with ldbsearch.
> I fed on berries and those fowl unfortunate enough to cross my path.
> I found and replaced in BBEdit.
> I consumed tea, earl grey, hot.
> I sorted and rearranged fields in Excel.
> I tended to my wounds with herbs.
> I shell scripted and looped through lists of data using samba-tool.
> Until finally I smote my enemy’s ruin upon the mountain side.
> 
> And today I return. Why? Because - without the help of drugs - I have a new domain on Samba 4.7.5 which parodies my old one on Samba 4.4.16.
> 
> I am Matthew the White.
> 
> And I come back to you now with this question: I imported schema from Kerio Connect (let me know if you want my notes & files for your wiki page on schema) and I need to put about six attributes worth of info into a whole bunch of user records. The samba-tool only lets me modify specific attributes - obviously none of the custom ones my schema adjustments added. I know I can manually edit records with something like this:
> 
> 	ldbedit -e vim -H /var/lib/samba/private/sam.ldb 'sAMAccountName=matthew.delfino'
> 
> And get the fields all straightened away. Or, use ADUC on Windows with Attribute Editor, if I was paid by the hour. But, if I want to script this, what are my options? In this case, would something like this work:
> 
> 	ldbmodify --url=/var/lib/samba/private/sam.ldb kerio-fields.ldif
> 
> Where kerio-fields.ldif would be an ldif file with all the kerio attributes values I want to change for each dn? Or, do you think there’s a better way?

As far as I can tell, this ldbmodify idea worked well. Again, lots of find & replacing, formatting, getting the syntax just right... and it worked. LDIF files need a lot of extra bits you don’t see in an ldapsearch. This page on Oracle’s site helped:

	https://docs.oracle.com/cd/B14099_19/idmanage.1012/b15883/ldif_appendix002.htm

I had to be very careful and, when ldbmodify choked on the syntax of my file, it stopped the import without bringing anything in, which is good to know if you, dear reader, are following in my "Chester Copperpot" footsteps. That means you can try importing, watch it choke, edit the file to make it better, then try to import again until it gets through the whole ldif file. Only then will it actually import all the records.

Now on to setting up SSL on this new domain and drafting a plan to migrate all my friends and servers over to it…

> Thanks,
> Matthew
> 
>> On 2018.02.11, at 3:36 PM, Andrew Bartlett via samba <samba@xxxxxxxxxxxxxxx> wrote:
>> 
>> On Sun, 2018-02-11 at 11:01 -0600, Matthew Delfino via samba wrote:
>>> Hello from Sunny and frigidly cold Minneapolis, MN, USA!
>>> 
>>> I have a SAMBA domain with three DCs running v4.4.16 on Ubuntu Server 14.04.5 LTS (BIND9 DLZ Backend). I need to move all my records to a new domain (from DOMAIN.LOC to SAMDOM.DOMAIN.NET).
>>> 
>>> I know that it's not possible to change domains on a samba install,
>> 
>> Indeed it isn't.  However there are two ways forward:
>> 
>> As you suggest you can re-inject the objects, but it takes care.  The
>> folks at Tranquil IT have become experts at the process, and have
>> discussed their methods here in the past.
>> 
>> There is also good news because I've had a customer ask for me to
>> create an automated process for this.  I don't have a timeline yet, but
>> I wanted to mention it is on the roadmap.  
>> 
>> In this case what the customer was after is the ability to rename a
>> domain so as to create a 'lab' domain for testing, but the hope is that
>> we can make the solution general enough for domain renames (but you
>> will need to take the domain through the rename funnel and rebuild the
>> DCs after).
>> 
>> Thanks,
>> 
>> Andrew Bartlett
>> 
>> -- 
>> Andrew Bartlett
>> https://samba.org/~abartlet/
>> Authentication Developer, Samba Team         https://samba.org
>> Samba Development and Support, Catalyst IT   
>> https://catalyst.net.nz/services/samba
>> 
>> 
>> 
>> 
>> 
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>> 
> 
> 
> 
> © 2018 KNOCK, inc. All rights reserved. KNOCK is a registered trademark of KNOCK, inc. This message and any attachments contain information, which is confidential and/or privileged. If you are not the intended recipient, please refrain from any disclosure, copying, distribution or use of this information. Please be aware that such actions are prohibited. If you have received this transmission in error, kindly notify the sender by e-mail. Your cooperation is appreciated.
> 





-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
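The "extra bits" an LDIF modify file needs, shown as an added example that is not part of the original message or of Samba's tooling: a small shell generator that turns rows into records for the ldbmodify command quoted above. The pipe-delimited input format, the function names, the sample users and the `example*` attribute names are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: turn "dn|attribute|value" rows into LDIF modify records.
# Attribute names below are placeholders, not Kerio Connect's real schema.

# True when a value is not an LDIF "safe string" (RFC 2849): leading space,
# ':' or '<', trailing space, or (conservatively) any non-printable-ASCII byte.
needs_b64() {
    case "$1" in
        ' '*|':'*|'<'*|*' ') return 0 ;;
    esac
    if printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'; then return 0; fi
    return 1
}

# Emit "name: value", or "name:: base64" when the value needs encoding.
ldif_line() {
    if needs_b64 "$2"; then
        printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$1" "$2"
    fi
}

# Read rows on stdin; consecutive rows with the same DN share one record.
csv_to_ldif() {
    prev_dn=''
    while IFS='|' read -r dn attr val; do
        [ -n "$dn" ] || continue
        if [ "$dn" != "$prev_dn" ]; then
            [ -z "$prev_dn" ] || printf '\n'   # blank line separates records
            ldif_line dn "$dn"
            printf 'changetype: modify\n'
            prev_dn=$dn
        fi
        printf 'replace: %s\n' "$attr"         # names the attribute being changed
        ldif_line "$attr" "$val"
        printf '%s\n' '-'                      # ends one change within the record
    done
}

# Constructed sample rows (made-up users and attribute names).
sample_rows() {
    cat <<'EOF'
CN=Jane Doe,CN=Users,DC=samdom,DC=domain,DC=net|exampleMailAlias|jane
CN=Jane Doe,CN=Users,DC=samdom,DC=domain,DC=net|exampleNote| starts with a space
CN=John Roe,CN=Users,DC=samdom,DC=domain,DC=net|exampleMailAlias|john
EOF
}
```

Running `sample_rows | csv_to_ldif > kerio-fields.ldif` produces a file in the shape the ldbmodify command in the message expects.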