Transfer accounts from Samba to Windows


The script below copies user account properties and password hashes from a Samba server to a Windows server, so that users can log on to the Windows server with their old Samba user name and password.

·Properties transferred in this example are first name, initials, last name, email address, phone number, account name and password hash.
·Other properties can be transferred with minor modifications to the script: the "ListOfProperties" parameter of the "Data.Get.LD.Find" command lists the source properties, and each "AD.Account.SetProperty" command writes one property to the destination account.
·Extract accounts from a single container, from a container including its subcontainers, or from all members of a group, by changing the parameters of the "Data.Get.LD.Find" command.
·Write the accounts to any destination container.

Requirements
Local machine (where AdmWin executable runs)
·An SSL certificate for the Linux LDAP server, installed locally.

Linux source server
·Linux server with OpenLDAP 2.0 or higher, configured to accept SSL connections on port 636.
·Samba 3.0 (the script can be modified for Samba 2.2.x: replace "sambaNTPassword" with "ntPassword" in the "ListOfProperties" parameter for the "Data.Get.LD.Find" command).
·Full administrative privileges: the superuser "rootdn" enabled in slapd.conf, with its user name and password in the LDAdminAccount and LDAdminPW variables in [Settings].

Windows destination server
·Windows 2000 or 2003 server with Active Directory (the script can be modified for NT4: replace "AD.Account.Create" and "AD.Account.SetProperty" with "Account.Create").
·Full administrative privileges: log on to the local machine (where the AdmWin executable runs) as domain administrator for the target domain.

Script

[Settings_Begin]
BatchSettings.Delimiter=,
BatchSettings.MarkerCol=18
BatchSettings.MarkersAutoRemove=Yes

// Linux source LDAP path
SET LDDomainPath=dc=com/dc=my-domain
// Linux source LDAP server; SSL must be enabled on port 636 and an SSL certificate must be installed locally
SET LDServer=ldap3.my-domain.com
// Linux LDAP superuser admin account (declared in the OpenLDAP server configuration file slapd.conf on the row that begins with "rootdn")
// You may need to re-enable the rootdn user, since it is normally disabled for security reasons
SET LDAdminAccount=%LDDomainPath%/cn=ldapman
SET LDAdminPW=Password

SET LDOU=People
SET LDOUPath=%LDDomainPath%
///ou=%LDOU%
SET LDGroup=MyGroup
SET LDGroupPath=%LDOUPath%/cn=%LDGroup%

// Windows destination domain path
SET ADDomainPath=dc=com/dc=acme/dc=d31
SET ADContainer=cn=Users
SET ADContainerPath=%ADDomainPath%/%ADContainer%

// Windows data columns, must match those in Data.Get.LD.Find
SET Email=%col3%
SET FirstName=%col4%
SET Initials=%col5%
SET LastName=%col6%
SET Phone=%col7%
SET CommonName=%col8%
SET samAccountName=%col8%
// AD.Account.Create sets a temporary password, overwritten by Account.Edit.PasswordHashes / NTPasswordHash
SET Password=adko_-09-ic"Bb
SET NTPasswordHash=%col10%
SET UserPrincipalName=%col8%@d31.acme.com

// Characters allowed by the Data.Column.Check commands (full alphabet, digits, "@" and ".")
SET Charset=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@.
SET HexCharset=0123456789ABCDEF
[Settings_End]

// NetBIOS Name of Windows Server to copy password hashes to
[Machines_Begin]
\\MAIN04      NT PDC    
[Machines_End]

[Init_Batch_Begin]
// Get data from LD
Lin.DS.Logon %LDServer%, %LDAdminAccount%, %LDAdminPW%
Data.Get.LD.Find %LDOUPath%, (objectClass=posixAccount), yes, ldpath§1§mail§3§givenName§4§Initials§5§sn§6§homePhone§7§uid§8§sambaNTPassword§10§
// Check that email, first name and last name exist and contain only valid characters
Data.Column.Check 3, User_ChrLen, %Charset%, 1, 30
Data.Column.Check 4, User_ChrLen, %Charset%, 1, 30
Data.Column.Check 6, User_ChrLen, %Charset%, 1, 30
// Check that all accounts have password hashes (exactly 32 hex digits)
Data.Column.Check 10, User_ChrLen, %HexCharset%, 32, 32
// Check for duplicate Windows account names
Data.Column.DupeCheck 8,CN,%ADDomainPath%,FindDuplicates
Data.Show Transfer all these accounts?
[Init_Batch_End]

[Batch_Begin]
Data.Loop
 AD.Account.Create %ADContainerPath%, %CommonName%, %SamAccountName%, %Password%
 AD.Account.SetProperty "%ADContainerPath%/cn=%CommonName%", UserPrincipalName, %UserPrincipalName%
 AD.Account.SetProperty "%ADContainerPath%/cn=%CommonName%", FirstName, %FirstName%
 AD.Account.SetProperty "%ADContainerPath%/cn=%CommonName%", Initials, %Initials%
 AD.Account.SetProperty "%ADContainerPath%/cn=%CommonName%", LastName, %LastName%
 AD.Account.SetProperty "%ADContainerPath%/cn=%CommonName%", AccountDisabled, No
 AD.Account.SetProperty "%ADContainerPath%/cn=%CommonName%", TelephoneHome, %Phone%
 AD.Account.SetProperty "%ADContainerPath%/cn=%CommonName%", EmailAddress, %Email%
 // Replace the temporary password set by AD.Account.Create with the NT hash read from Samba
 Account.Edit.PasswordHashes %ServerName%, %SamAccountName%, INACTIVE, %NTPasswordHash%
Data.EndLoop
[Batch_End]


[Data_Begin]
[Data_End]