Transfer accounts from Samba to Samba


The script below copies user account properties and passwords from one Samba server to another, so that users can log on to the new Samba server with their old user name and password. It is much like the script in the "Transfer accounts from Linux to Linux" example above; the only difference is the set of properties that are transferred.

·Properties transferred in the example are first name, initials, last name, email address, phone number, account name and password hash.  
·Other properties are easy to transfer with minor modifications to the script: the "ListOfProperties" parameter of the "Data.Get.LD.Find" command lists the source properties, and each "Lin.DS.Op.SetProperty" command writes one property to the destination.  
·Extract accounts from a single container, a container including its subcontainers, or all accounts in a group by modifying the parameters of the "Data.Get.LD.Find" command.  
·Write accounts to any destination container.  

Requirements
Local machine (where AdmWin executable runs)
·A locally installed SSL certificate for each Linux server  

Both servers
·Linux server with OpenLDAP 2.0 or higher, configured to accept SSL connections on port 636.  
·Full administrative privileges: the superuser "rootdn" enabled in slapd.conf  
·Samba 3.0 (script can be modified for Samba 2.2.x, see below)  

Source server
·User name and password for superuser "rootdn" in SrcLDAdminAccount and SrcLDAdminPW variables in [Settings]  
·To modify the script for Samba 2.2.x, replace "sambaNTPassword" with "ntPassword" in the "SearchFilter" and "ListOfProperties" parameters of the "Data.Get.LD.Find" command.  

Destination server
·User name and password for superuser "rootdn" in DstLDAdminAccount and DstLDAdminPW variables in [Settings]  
·To modify the script for Samba 2.2.x, find the "Lin.DS.Op.SetProperty" command that contains the attribute "sambaNTPasswordHash" and replace that attribute with "ntPasswordHash".  

Script

[Settings_Begin]
BatchSettings.Delimiter=TAB
BatchSettings.MarkerCol=12
// Characters for Data.Column.Check commands (hyphen included so that names and addresses such as user@my-domain.com pass the check)
SET Charset=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@.-
SET HexCharset=0123456789ABCDEF

// Linux source LDAP server, SSL enabled on port 636, SSL certificate installed locally
SET SrcLDServer=ldap3.my-domain.com
SET SrcLDDomainPath=dc=com/dc=my-domain
// Linux source LDAP superuser admin account (declared in the OpenLDAP server configuration file slapd.conf on the row that begins with "rootdn")
// You may need to re-enable the rootdn user, since it is normally disabled for security reasons
SET SrcLDAdminAccount=%SrcLDDomainPath%/cn=ldapman
SET SrcLDAdminPW=Password
// Linux source LDAP path
SET SrcLDOUPath=%SrcLDDomainPath%/ou=People

// [Data] section columns, must match those in Data.Get.LD.Find
SET Email=%col3%
SET FirstName=%col4%
SET Initials=%col5%
SET LastName=%col6%
SET Phone=%col7%
SET CommonName=%col8%
SET AccountName=%col8%
SET sambaNTPasswordHash=%col10%

// Linux destination LDAP server, SSL enabled on port 636, SSL certificate installed locally
SET DstLDServer=slapd.site2.com
SET DstLDDomainPath=dc=site
// Linux destination LDAP superuser admin account (declared in the OpenLDAP server configuration file slapd.conf on the row that begins with "rootdn")
// You may need to re-enable the rootdn user, since it is normally disabled for security reasons
SET DstLDAdminAccount=%DstLDDomainPath%/cn=administrator
SET DstLDAdminPW=Password
// Linux destination paths
SET DstLDOUPath=%DstLDDomainPath%/ou=People
SET DstLDAccountPath=%DstLDOUPath%/uid=%AccountName%

SET HomeRoot=/home
SET HomeDirectory=%HomeRoot%/%AccountName%
[Settings_End]

[Init_Batch_Begin]
// Log on to the source Linux server and fill the [Data] section with properties and password hashes
Lin.DS.Logon %SrcLDServer%, %SrcLDAdminAccount%, %SrcLDAdminPW%
Data.Get.LD.Find %SrcLDOUPath%, (&(objectClass=posixAccount)(sambaNTPassword=*)), yes, ldpath§1§mail§3§givenName§4§Initials§5§sn§6§homePhone§7§uid§8§sambaNTPassword§10§
// Check that email, first name and last name exist and contain only valid characters
Data.Column.Check 3, User_ChrLen, %Charset%, 1, 30
Data.Column.Check 4, User_ChrLen, %Charset%, 1, 30
Data.Column.Check 6, User_ChrLen, %Charset%, 1, 30
// Check that every account has a password hash (exactly 32 hexadecimal digits)
Data.Column.Check 10, User_ChrLen, %HexCharset%, 32, 32
Data.Show Transfer all these accounts?
[Init_Batch_End]

[Batch_Begin]
// Log on to the destination Linux LDAP server
Lin.DS.Logon %DstLDServer%, %DstLDAdminAccount%, %DstLDAdminPW%
Data.Loop
 // Create account
 Lin.DS.Op.Init Create, %DstLDAccountPath%
 Lin.DS.Op.SetProperty objectClass, inetOrgPerson§posixAccount§sambaSamAccount§
 Lin.DS.Op.SetProperty cn, %AccountName%
 Lin.DS.Op.SetProperty uid, %AccountName%
 Lin.DS.Op.SetProperty mail, %Email%
 Lin.DS.Op.SetProperty givenName, %FirstName%
 Lin.DS.Op.SetProperty initials, %Initials%
 Lin.DS.Op.SetProperty sn, %LastName%
 // Phone number read into column 7 by Data.Get.LD.Find
 Lin.DS.Op.SetProperty homePhone, %Phone%
 Lin.DS.Op.SetProperty uidNumber, Auto
 Lin.DS.Op.SetProperty homeDirectory, %HomeDirectory%
 // The group below must exist on the destination server before the script runs
 Lin.DS.Op.SetProperty gidNumber, MyGroup
 Lin.DS.Op.SetProperty gecos, %AccountName%
 Lin.DS.Op.SetProperty sambaSID, Auto
 Lin.DS.Op.SetProperty sambaNTPasswordHash, %sambaNTPasswordHash%
 // The LM hash is not transferred; only clients that authenticate with the NT hash (NT and later) will be able to log on
 // Lin.DS.Op.SetProperty sambaLMPassword, %Password%
 Lin.DS.Op.SetProperty sambaPrimaryGroupSID, Domain Users
 Lin.DS.Op.SetProperty sambaAcctFlags, [U]
 Lin.DS.Op.Commit
Data.EndLoop
[Batch_End]

[Data_Begin]
[Data_End]
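As an added example (not part of this page or of the AdmWin product), the following Python script reproduces offline what the Init_Batch and Batch sections above do: it parses constructed rows in the TAB-delimited column layout that Data.Get.LD.Find writes into the [Data] section, applies the same rules as the Data.Column.Check commands (name and email character set, NT hash of exactly 32 uppercase hex digits), and renders each record as an LDIF entry carrying the attributes the Lin.DS.Op.SetProperty commands set. The sample accounts, the hash values, the domain SID, the uidNumber and gidNumber values, and the RID rule used for "sambaSID, Auto" (rid = 2*uidNumber + 1000) are assumptions made for the example. The two rejected rows show why the checks matter: a hash that is not 32 uppercase hex digits would be written to the destination and silently lock that user out. The NT hash in column 10 is a password equivalent, so a filled [Data] section deserves the same protection as the rootdn passwords in [Settings].

```python
"""Offline check-and-render of a Samba account export (added example, not AdmWin code)."""

# Column numbers (1-based) taken from the script's Data.Get.LD.Find "ListOfProperties"
COLUMNS = {"ldpath": 1, "mail": 3, "givenName": 4, "initials": 5,
           "sn": 6, "homePhone": 7, "uid": 8, "sambaNTPassword": 10}
MARKER_COL = 12  # BatchSettings.MarkerCol=12: every row carries 12 TAB-separated columns

# Same role as the script's Charset / HexCharset; "-" included so that addresses
# at my-domain.com (the source domain in the script) are not rejected.
CHARSET = set("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@.-")
HEXCHARSET = set("0123456789ABCDEF")


def make_row(uid, mail, given, initials, sn, phone, nthash):
    """Build one [Data] row in the column layout above (used for the constructed sample)."""
    cols = [""] * MARKER_COL
    values = {"ldpath": f"dc=com/dc=my-domain/ou=People/uid={uid}", "mail": mail,
              "givenName": given, "initials": initials, "sn": sn,
              "homePhone": phone, "uid": uid, "sambaNTPassword": nthash}
    for name, value in values.items():
        cols[COLUMNS[name] - 1] = value
    return "\t".join(cols)


# Constructed sample export: fictitious accounts, placeholder hashes (not real hashes).
# alice is valid; bob's hash is lowercase (Samba stores uppercase hex); carol's mail has a space.
SAMPLE_DATA = "\n".join([
    make_row("alice", "alice@my-domain.com", "Alice", "A", "Andersson", "12345",
             "0123456789ABCDEF0123456789ABCDEF"),
    make_row("bob", "bob@my-domain.com", "Bob", "", "Berg", "",
             "0123456789abcdef0123456789abcdef"),
    make_row("carol", "carol smith@my-domain.com", "Carol", "C", "Smith", "67890",
             "FEDCBA9876543210FEDCBA9876543210"),
])


def parse_data_section(text):
    """Split TAB-delimited rows into dicts keyed by the attribute names in COLUMNS."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != MARKER_COL:
            raise ValueError(f"row {lineno}: expected {MARKER_COL} columns, got {len(cols)}")
        records.append({name: cols[idx - 1] for name, idx in COLUMNS.items()})
    return records


def check_chr_len(value, charset, min_len, max_len):
    """Equivalent of 'Data.Column.Check <col>, User_ChrLen, <charset>, <min>, <max>'."""
    return min_len <= len(value) <= max_len and set(value) <= charset


def validate(records):
    """Apply the Init_Batch checks; returns one message per failing field."""
    errors = []
    for r in records:
        for attr in ("mail", "givenName", "sn"):
            if not check_chr_len(r[attr], CHARSET, 1, 30):
                errors.append(f"{r['uid']}: {attr} {r[attr]!r} fails the 1-30 character check")
        if not check_chr_len(r["sambaNTPassword"], HEXCHARSET, 32, 32):
            errors.append(f"{r['uid']}: sambaNTPassword is not 32 uppercase hex digits")
    return errors


def to_ldif(r, uid_number, gid_number, domain_sid, dst_ou="ou=People,dc=site", home_root="/home"):
    """Render the attributes the Batch section sets as an LDIF entry for the destination."""
    rid = 2 * uid_number + 1000  # assumed algorithmic RID mapping standing in for "sambaSID, Auto"
    lines = [
        f"dn: uid={r['uid']},{dst_ou}",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: sambaSamAccount",
        f"cn: {r['uid']}",
        f"uid: {r['uid']}",
        f"mail: {r['mail']}",
        f"givenName: {r['givenName']}",
        f"sn: {r['sn']}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        f"homeDirectory: {home_root}/{r['uid']}",
        f"gecos: {r['uid']}",
        f"sambaSID: {domain_sid}-{rid}",
        f"sambaPrimaryGroupSID: {domain_sid}-513",  # 513 is the well-known RID of Domain Users
        f"sambaNTPassword: {r['sambaNTPassword']}",  # the LM hash is deliberately not carried over
        "sambaAcctFlags: [U]",
    ]
    if r["initials"]:
        lines.append(f"initials: {r['initials']}")
    if r["homePhone"]:
        lines.append(f"homePhone: {r['homePhone']}")
    return "\n".join(lines) + "\n"


def build_ldif(text, first_uid_number=1001, gid_number=1000, domain_sid="S-1-5-21-111-222-333"):
    """Parse, validate and render; emits nothing if any row fails a check (conservative choice)."""
    records = parse_data_section(text)
    errors = validate(records)
    if errors:
        raise ValueError("; ".join(errors))
    return "\n".join(to_ldif(r, first_uid_number + i, gid_number, domain_sid)
                     for i, r in enumerate(records))


if __name__ == "__main__":
    try:
        print(build_ldif(SAMPLE_DATA))
    except ValueError as exc:
        print("refusing to transfer:", exc)
```

Run stand-alone, the script refuses the sample set because of bob and carol; with those rows corrected (or removed), it prints LDIF that ldapadd can load into the destination over ldaps:// on port 636, which keeps the hashes off the wire in clear text just as the AdmWin script's SSL requirement does.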