So when you run pdbedit -Lv for a user, is the "Unix user" name an account in ldap? If that is the case, then you probably just want to have a script that runs through a list of user names and runs ldapmodify to add the appropriate samba attributes. In theory you can use pdbedit to export the data, then change the backend, then import it back. I found that didn't quite work.

I had originally used the nis backend for unix accounts and the TDB backend for samba. I moved from NIS to LDAP for unix accounts. Then when I added a BDC I moved the samba data into ldap. I had used smbpasswd to dump the data to a text file, then wrote a perl script to parse the file into user name, samba SID, and samba password and then rewrite it into an ldapmodify ldif file. I used this file to update the existing LDAP accounts.

You MAYBE can use smbpasswd or pdbedit to create the samba accounts in LDAP but I suspect that either it won't preserve the existing password OR it may refuse to create the account.
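The dump-parse-ldapmodify approach described above, as an added example in Python rather than the perl script from the thread: it reads smbpasswd-format lines and emits one ldapmodify change record per user that adds the sambaSamAccount attributes. The base DN, domain SID and the algorithmic RID mapping (uid*2 + 1000) are assumptions, and the sample input is constructed.

```python
import re

# Constructed sample in smbpasswd file format (not real accounts):
# name:uid:LM_HASH:NT_HASH:[flags]:LCT-<hex seconds since epoch>:
SAMPLE_SMBPASSWD = """\
# comment and blank lines are ignored

someuser:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-4E85B6BB:
disabled:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DU         ]:LCT-00000000:
"""

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

def parse_smbpasswd(text):
    """Yield one dict per account line; comments, blanks and short lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 6:
            continue
        name, uid, lm, nt, flags, lct = parts[:6]
        yield {
            "name": name,
            "uid": int(uid),
            "lm": lm if HEX32.match(lm) else None,  # 32 X's means no hash stored
            "nt": nt if HEX32.match(nt) else None,
            "flags": flags,
            "last_set": int(lct[4:], 16) if lct.startswith("LCT-") else 0,
        }

def to_ldif(entries, base_dn, domain_sid, rid_base=1000):
    """Build one ldapmodify change record per account adding the samba attributes.
    Assumption: SID = domain_sid + (uid*2 + rid_base), Samba's classic algorithmic RID."""
    records = []
    for e in entries:
        attrs = [
            ("objectClass", "sambaSamAccount"),
            ("sambaSID", f"{domain_sid}-{e['uid'] * 2 + rid_base}"),
            ("sambaAcctFlags", e["flags"]),
            ("sambaPwdLastSet", str(e["last_set"])),
        ]
        if e["nt"]:  # accounts with no stored hash get no password attribute
            attrs.append(("sambaNTPassword", e["nt"].upper()))
        if e["lm"]:
            attrs.append(("sambaLMPassword", e["lm"].upper()))
        body = "\n-\n".join(f"add: {k}\n{k}: {v}" for k, v in attrs)
        records.append(f"dn: uid={e['name']},{base_dn}\nchangetype: modify\n{body}\n")
    return "\n".join(records)
```

Write the returned text to a file and apply it with ldapmodify against the existing posixAccount entries; entries that already carry a sambaSID should be skipped or handled with `replace:` instead of `add:`.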

On 11/30/12 12:38, Brian Gold wrote:


On 2012-11-30 11:15 am, Gaiseric Vandal wrote:
No, you wouldn't sync passwords to TDB. Does your LDAP entry for
each user currently have a SambaSID value?  Also, when you type
"pdbedit -Lv someuser" you should see the unix account for the user.
The unix account is either explicitly created (e.g. in /etc/passwd or
ldap or nis) or dynamically created by winbind.


No, currently our users do not have SambaSID values in ldap.


# pdbedit -Lv someuser

Unix username:        someuser
NT username:          someuser
Account Flags:        [U          ]
User SID:             S-1-5-21-xxxxx
Primary Group SID:    S-1-5-21-xxx
Full Name:            Some User
Home Directory:       \\someserver\users\someuser
HomeDir Drive:        X:
Logon Script:         logon.bat
Profile Path:
Domain:               SOMEDOMAIN
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          0
Kickoff time:         0
Password last set:    Fri, 30 Sep 2011 09:40:43 EDT
Password can change:  Fri, 30 Sep 2011 09:40:43 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
#

Assuming you are not using winbind to allocate uid's and gid's for
samba users, your LDAP user entry will eventually look something like

dn: uid=someuser,ou=someou,ou=people,o=yourdomain.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Some User
gidNumber: xx
homeDirectory: /home/someuser
sambaSID: S-1-5-21-xxxx
sn: UserLastName
uid: someuser
uidNumber: 123
displayName: Some User
gecos: Some User
givenName: Some User
loginShell: /bin/tcsh
sambaAcctFlags: [UX         ]
sambaHomeDrive: X:
sambaHomePath: \\someserver\users\someuser
sambaLogonScript: logon.bat
sambaNTPassword: xxxxxxxxxxxxxxxxxxxx
sambaPasswordHistory: 000000000000000000000000000000000000000000000000000000
 0000000000
sambaPwdLastSet: 1291843237
st: xxxxxx
street: xxxxxxxxx
telephoneNumber: xxxxxxxxx
userPassword:: xxxxxxxxxxxx


Although the login script and network home directory are probably not
relevant in a non-DC setup.

We are not using winbind at all currently.

Here is a sample user's ldap data:

dn: uid=tstaff,ou=people,dc=simons-rock,dc=edu
uid: tstaff
sn: Staff
uinSR: tstaff-false
givenName: Test
genderSR: m
loginShell: /bin/false
cn: Test Staff
gecos: Test Staff
mailSR: test...@simons-rock.edu
homeDirectory: /home/testaff
objectClass: person
objectClass: top
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: personSR
objectClass: extensibleObject
objectClass: posixAccount
objectClass: shadowAccount
shadowLastChange: 11551
shadowWarning: 7
gidNumber: 100
shadowMax: 99999
uidNumber: 7391
mail: test...@simons-rock.edu
groupSR: staff
groupSR: hidden
employeeNumber: 991991991
sambaNTPassword: REDACTED
sambaPwdLastSet: 1354296936
userPassword:: REDACTED

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba