Transfer accounts from Windows to Samba


The script below copies user account properties and passwords from a Windows server to a Samba server, so that users can log on to the Samba server with their existing Windows user name and password.

·Properties transferred in the example are first name, initials, last name, email address, phone number, account name and password hash.
·Other properties are easy to transfer with minor modifications to the script: the "ListOfProperties" parameter of the "Data.Get.AD" command lists the source properties, and each "Lin.DS.Op.SetProperty" command writes one property.
·Extract accounts from a single container, from a container including its subcontainers, or all accounts in a group, by modifying the parameters of the "Data.Get.AD" command.
·Write the accounts to any destination container, or use the "Container" property of the "Data.Get.AD" command to recreate the container structure of the source server.

Requirements
Local machine (where AdmWin executable runs)
·An SSL certificate for the Linux LDAP server, installed locally.

Windows source server
·Windows Server 2000 or 2003 with Active Directory (the script can be modified for NT4: replace "Data.Get.AD" with "Data.Get.SAM").
·Full administrative privileges: log on to the local machine (where the AdmWin executable runs) as a domain administrator of the source domain.

Linux destination server
·Linux server with OpenLDAP 2.0 or higher, configured to accept SSL connections on port 636.
·Samba 3.0 (the script can be modified for Samba 2.2.x: find the "Lin.DS.Op.SetProperty" command that contains the attribute "sambaNTPasswordHash" and replace it with the attribute "ntPasswordHash").
·Full administrative privileges: the superuser "rootdn" must be enabled in slapd.conf, and its user name and password are given in the LDAdminAccount and LDAdminPW variables in [Settings].

Script

[Settings_Begin]
BatchSettings.Delimiter=,
BatchSettings.MarkerCol=18
BatchSettings.MarkersAutoRemove=Yes

// Windows source domain path
SET ADDomainPath=dc=com/dc=acme/dc=d41
SET ADContainer=cn=Users
SET ADContainerPath=%ADDomainPath%/%ADContainer%
// NetBIOS Name of Windows Server to extract passwords from
SET WinNetBIOSName=\\SRV03

// Linux destination LDAP path
SET LDDomainPath=dc=com/dc=my-domain
// Linux destination LDAP server; SSL must be enabled on port 636 and an SSL certificate must be installed locally
SET LDServer=ldap3.my-domain.com
// Linux LDAP superuser admin account (declared in the OpenLDAP server configuration file slapd.conf on the row that begins with "rootdn")
// You may need to re-enable the rootdn user; it is normally disabled for security reasons
SET LDAdminAccount=%LDDomainPath%/cn=ldapman
SET LDAdminPW=Password

SET LDOU=People
SET LDOUPath=%LDDomainPath%/ou=%LDOU%
SET LDGroup=MyGroup
SET LDGroupPath=%LDOUPath%/cn=%LDGroup%

// Linux / Samba data columns, must match Data.Get.AD / Data.Get.SAM.PasswordHashes
SET Email=%col3%
SET FirstName=%col4%
SET Initials=%col5%
SET LastName=%col6%
SET Phone=%col7%
SET FullName=%FirstName% %LastName%

SET AccountName=%col8%
SET sambaNTPasswordHash=%col10%
SET LDAccountPath=%LDOUPath%/uid=%AccountName%

SET HomeRoot=/home
SET HomeDirectory=%HomeRoot%/%AccountName%
// Allowed characters for names; without 'x' and 'W' the checks below would reject valid names
SET Charset=0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@.
SET HexCharset=0123456789ABCDEF
[Settings_End]

[Init_Batch_Begin]
// Get data from AD
Data.Get.AD Container,%ADContainerPath%,User,Yes,ADpath§1§mail§3§givenName§4§Initials§5§sn§6§telephoneNumber§7§samAccountName§8§
// Get passwords; the first number must be the same as the samAccountName destination column in the command above
Data.Get.SAM.PasswordHashes %WinNetBIOSName%,8,9,10
Data.Column.Check 3, User_ChrLen, %Charset%, 1, 30
Data.Column.Check 4, User_ChrLen, %Charset%, 1, 30
Data.Column.Check 6, User_ChrLen, %Charset%, 1, 30
// Check that all accounts have password hashes (32 hex characters)
Data.Column.Check 10, User_ChrLen, %HexCharset%, 32, 32
Data.Show Transfer all these accounts?
[Init_Batch_End]

[Batch_Begin]
// Log on to the Linux LDAP server
Lin.DS.Logon %LDServer%, %LDAdminAccount%, %LDAdminPW%
Data.Loop
 // Create account
 Lin.DS.Op.Init Create, %LDAccountPath%
 Lin.DS.Op.SetProperty objectClass, inetOrgPerson§posixAccount§sambaSamAccount§
 Lin.DS.Op.SetProperty cn, %AccountName%
 Lin.DS.Op.SetProperty uid, %AccountName%
 Lin.DS.Op.SetProperty mail, %Email%
 Lin.DS.Op.SetProperty givenName, %FirstName%
 Lin.DS.Op.SetProperty initials, %Initials%
 Lin.DS.Op.SetProperty sn, %LastName%
 Lin.DS.Op.SetProperty uidNumber, Auto
 Lin.DS.Op.SetProperty homeDirectory, %HomeDirectory%
 Lin.DS.Op.SetProperty gidNumber, MyGroup
 Lin.DS.Op.SetProperty gecos, %AccountName%
 Lin.DS.Op.SetProperty sambaSID, Auto
 Lin.DS.Op.SetProperty sambaNTPasswordHash, %sambaNTPasswordHash%
 // The LM hash is not transferred; only NT clients or later will log on
 // Lin.DS.Op.SetProperty sambaLMPassword, %Password%
 Lin.DS.Op.SetProperty sambaPrimaryGroupSID, Domain Users
 Lin.DS.Op.SetProperty sambaAcctFlags, [U]
 Lin.DS.Op.Commit
Data.EndLoop
[Batch_End]

[Data_Begin]
[Data_End]
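As an added example (not AdmWin's code and not part of this page), the following Python re-runs the script's Data.Column.Check rules over a constructed export in the column layout from [Settings], additionally checks the account name column that ends up in the DN and homeDirectory, and emits the LDIF equivalent of the Lin.DS.Op.SetProperty block for the rows that pass. It assumes the Samba 3 schema attribute name sambaNTPassword, a placeholder domain SID, Samba's default algorithmic RID mapping, and explicit uidNumber/gidNumber values in place of the script's "Auto".

```python
import re

# Constructed sample export in the column layout the script's [Settings] assume:
# col3=mail col4=givenName col5=initials col6=sn col7=telephoneNumber col8=sAMAccountName
# col10=NT hash (col1, col2, col9 unused here). The hash values are placeholders.
SAMPLE_EXPORT = [
    "c1,c2,jdoe@acme.example,John,J,Doe,555-0100,jdoe,,0123456789ABCDEF0123456789ABCDEF",
    "c1,c2,bad user@acme.example,Bad,,User,555-0101,bad user,,DEADBEEF",
]
NAME_CHARS = re.compile(r"^[0-9A-Za-z@.]{1,30}$")   # Data.Column.Check charset, length 1-30
NT_HASH = re.compile(r"^[0-9A-F]{32}$")             # 16-byte NT hash as 32 hex characters
LDOU_PATH = "ou=People,dc=my-domain,dc=com"         # LDOUPath from [Settings] in LDAP DN order

def validate_row(fields):
    """Re-run the script's Data.Column.Check rules on one row, plus the account name
    (column 8), which the script leaves unchecked. Empty list = row may be imported."""
    problems = []
    for idx, label in ((2, "mail"), (3, "givenName"), (5, "sn"), (7, "sAMAccountName")):
        if not NAME_CHARS.match(fields[idx]):
            problems.append(f"{label} fails charset/length check: {fields[idx]!r}")
    if not NT_HASH.match(fields[9]):
        problems.append(f"NT hash is not 32 hex characters: {fields[9]!r}")
    return problems

def to_ldif(fields, uid_number, gid_number, domain_sid):
    """LDIF entry equivalent to the Lin.DS.Op.SetProperty block for one row. Explicit
    uidNumber/gidNumber/SID replace 'Auto'; user RID = 2*uid + 1000 (Samba's default mapping)."""
    mail, first, initials, last, account, nthash = (fields[i] for i in (2, 3, 4, 5, 7, 9))
    attrs = [("dn", f"uid={account},{LDOU_PATH}"),
             ("objectClass", "inetOrgPerson"), ("objectClass", "posixAccount"),
             ("objectClass", "sambaSamAccount"), ("cn", account), ("uid", account),
             ("mail", mail), ("givenName", first), ("sn", last),
             ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
             ("homeDirectory", f"/home/{account}"), ("gecos", account),
             ("sambaSID", f"{domain_sid}-{2 * uid_number + 1000}"),
             ("sambaPrimaryGroupSID", f"{domain_sid}-513"),   # 513 = Domain Users RID
             ("sambaNTPassword", nthash),                      # Samba 3 schema attribute
             ("sambaAcctFlags", "[U]")]
    if initials:
        attrs.insert(9, ("initials", initials))
    return "\n".join(f"{k}: {v}" for k, v in attrs) + "\n"

def convert(lines, first_uid=10000, gid_number=513, domain_sid="S-1-5-21-1-2-3"):
    """Validate every row; return (ldif_text, rejected). domain_sid default is a placeholder."""
    out, rejected = [], {}
    for fields in (line.split(",") for line in lines):
        problems = validate_row(fields)
        if problems:
            rejected[fields[7]] = problems            # keep the row out; report why
        else:
            out.append(to_ldif(fields, first_uid + len(out), gid_number, domain_sid))
    return "\n".join(out), rejected
```

Feed the resulting LDIF to ldapadd over ldaps:// (port 636, as the requirements demand) rather than plain ldap://, since every entry carries a reusable NT hash.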