Re: [Samba] net rpc vampire not working

2005-12-05 Thread John H Terpstra
On Sunday 04 December 2005 18:25, Del wrote:
> > Use
> > http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html
>
> Thanks, that is a great help.  I have it working now.
>
> > I would recommend that the user is familiar with setup, usage,
> > maintenance of LDAP prior to doing this.
>
> Oh, LDAP is no problem.   I'm the author of the LdapImport scripts
> which some of you may have seen
>
> http://wiki.babel.com.au/index.php?area=Linux_Projects&page=LdapImport
>
> The problem I was having was correct configuration of samba prior to
> running net rpc vampire.
>
> Just some notes on the migration guide above that you might want to
> incorporate into a later edition:
>
> --
>
> example 9.1:  "security = user" is missing?  Is this intentional?
> the "configure.pl" script from smbldap-tools adds it to smb.conf
> in any case.
>
> May be useful to mention extending the LDAP schema before attempting
> any of this, e.g. with the samba.schema file.
>
> Before Step 7:  You can't run ./configure.pl in the smbldap-tools directory
> unless samba is running.  So you need to do "service smb start" or
> your OS equivalent first.  In fact, before doing that you need to
> inform samba of your LDAP bind DN password using:
>
>   smbpasswd -w 
>
> Step 8:  Since you need to start samba before you run ./configure.pl, and
> since samba tries to connect to the LDAP server when it starts, you
> will need to start LDAP before you start samba.  So this probably belongs
> around step 4 or 5.
>
> Step 10:  You need to do this before starting Samba, so again this needs
> to happen earlier than step 7.
>
> Step 11:  Also, starting Samba will attempt to populate the LDAP directory.
> On Fedora Directory Server (and in fact any non-OpenLDAP server) you may
> hit troubles doing this because the entries aren't formatted correctly
> with the "top" objectClass (on OpenLDAP this parent object class is added
> automatically).  To fix this, what I did was:
>
> cd /opt/IDEALX/sbin
> ./smbldap-populate -e /root/LDAP/smb-populate.ldif
> vi /root/LDAP/smb-populate.ldif
>
> Change the last LDIF entry in this file to include "objectClass: top"
>
> ldapadd -x -c -D 'cn=Directory Manager' -W -f /root/LDAP/smb-populate.ldif
>
> ... and you will need to supply your root DN password to the above command.
>
> Step 12:  This should not actually be necessary on non-OpenLDAP servers.  A
> running LDAP server will notice that its directory has been populated.  It
> is, however, the case that the OpenLDAP directory is completely empty after
> installation so you may need to do this.
>
> Step 14:  It might be useful to test this using:
>
> net rpc testjoin
>
> Step 17:  This seems to take a long time.  Expect that -- nothing happens
> in the log file for a few seconds at least, don't panic.
>
> --
> Del

Del,

I will review your comments when I get an opportunity. 

If I recall correctly, Chapter 9 does say that you need to create a fully 
functional server per the example of chapter 5 before attempting to perform 
vampire migration.

One of the key challenges of prescriptive guidance documentation is the fact 
that most people want to short-circuit the learning process ignoring the fact 
that every short-cut has consequences. :-)

- John T.

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, 2 Ed., ISBN: 0131882228
Samba-3 by Example, 2 Ed., ISBN: 0131882221X
Hardening Linux, ISBN: 0072254971
Other books in production.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] net rpc vampire not working

2005-12-05 Thread Del

> I actually fooled with your LdapImport and didn't get it to work
> straight away and for the most part, I didn't have much of an issue with
> conversion from openldap slapcat output.


Yeah, I haven't had enough different systems to test LdapImport on
thoroughly.  It works for me in most places, but it's definitely best
at doing LDAP -> LDAP, not so much at anything else -> LDAP.

But I'm slowly hacking away at the various bugs and things, trying
to make it more useable.  Any bug reports are appreciated of course,
as other people have systems they can test on that I can't.


> I also see the need to use groupOfUniqueNames but I haven't figured that
> one out either but I'm working on it.


groupOfUniqueNames is a nice idea and very neat but in the end the
IETF RFC standards maintainers didn't go with it.  So the very few
systems that support it are likely to end up being orphaned in
doing so.

The only reason I made any use of it at all is because (a) directory
administrator handles it, and (b) it works on Linux using the PADL
software and (c) it's interesting.  There is no real compelling reason
to do it other than that it's interesting.  I could make better use
of my time by writing some useful code.

--
Del


Re: [Samba] net rpc vampire not working

2005-12-04 Thread Craig White
On Mon, 2005-12-05 at 12:25 +1100, Del wrote:
> > Use
> > http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html
> 
> Thanks, that is a great help.  I have it working now.

thought so - the detailed walk-through used to be in the 'How-To' and
got moved to the 'by example', and whatever was left in the 'How-To'
seems to be incomplete - as I looked at your link, I could see that some
of the important stuff wasn't there, but enough detail was there to make
you think you could try it.

> 
> > I would recommend that the user is familiar with setup, usage,
> > maintenance of LDAP prior to doing this.
> 
> Oh, LDAP is no problem.   I'm the author of the LdapImport scripts
> which some of you may have seen
> 
> http://wiki.babel.com.au/index.php?area=Linux_Projects&page=LdapImport
> 
> The problem I was having was correct configuration of samba prior to
> running net rpc vampire.

obviously - I thought the complete walk through was probably the thing
that you really needed to see.

I actually fooled with your LdapImport and didn't get it to work
straight away and for the most part, I didn't have much of an issue with
conversion from openldap slapcat output.

Still trying to get my head around fedora-ds ACIs ;-)

I also see the need to use groupOfUniqueNames but I haven't figured that
one out either but I'm working on it.

Thanks

Craig



Re: [Samba] net rpc vampire not working

2005-12-04 Thread Del

> Use
> http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html

Thanks, that is a great help.  I have it working now.

> I would recommend that the user is familiar with setup, usage,
> maintenance of LDAP prior to doing this.


Oh, LDAP is no problem.   I'm the author of the LdapImport scripts
which some of you may have seen

http://wiki.babel.com.au/index.php?area=Linux_Projects&page=LdapImport

The problem I was having was correct configuration of samba prior to
running net rpc vampire.

Just some notes on the migration guide above that you might want to
incorporate into a later edition:

--

example 9.1:  "security = user" is missing?  Is this intentional?
the "configure.pl" script from smbldap-tools adds it to smb.conf
in any case.

May be useful to mention extending the LDAP schema before attempting
any of this, e.g. with the samba.schema file.

Before Step 7:  You can't run ./configure.pl in the smbldap-tools directory
unless samba is running.  So you need to do "service smb start" or
your OS equivalent first.  In fact, before doing that you need to
inform samba of your LDAP bind DN password using:

 smbpasswd -w 

Step 8:  Since you need to start samba before you run ./configure.pl, and
since samba tries to connect to the LDAP server when it starts, you
will need to start LDAP before you start samba.  So this probably belongs
around step 4 or 5.

Step 10:  You need to do this before starting Samba, so again this needs
to happen earlier than step 7.

Step 11:  Also, starting Samba will attempt to populate the LDAP directory.
On Fedora Directory Server (and in fact any non-OpenLDAP server) you may
hit troubles doing this because the entries aren't formatted correctly
with the "top" objectClass (on OpenLDAP this parent object class is added
automatically).  To fix this, what I did was:

cd /opt/IDEALX/sbin
./smbldap-populate -e /root/LDAP/smb-populate.ldif
vi /root/LDAP/smb-populate.ldif

Change the last LDIF entry in this file to include "objectClass: top"

ldapadd -x -c -D 'cn=Directory Manager' -W -f /root/LDAP/smb-populate.ldif

... and you will need to supply your root DN password to the above command.

Step 12:  This should not actually be necessary on non-OpenLDAP servers.  A
running LDAP server will notice that its directory has been populated.  It
is, however, the case that the OpenLDAP directory is completely empty after
installation so you may need to do this.

Step 14:  It might be useful to test this using:

net rpc testjoin

Step 17:  This seems to take a long time.  Expect that -- nothing happens in
the log file for a few seconds at least, don't panic.

--
Del
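The objectClass fix from Step 11 of Del's notes, as an added example that is not part of the thread, the Samba guide or smbldap-tools: a small Python rewriter that gives every LDIF entry the explicit "objectClass: top" Del added by hand, so that the populate LDIF loads on a directory server that does not add the abstract class itself. The sample LDIF inside the block is constructed for the example; its dn values and SIDs are made up.

```python
"""Add 'objectClass: top' to LDIF entries that define object classes but
omit the abstract class 'top'.  Added example, not code from the thread,
the Samba guide or smbldap-tools: it does with a parser what Del's Step 11
note does with vi on 'smbldap-populate -e' output, for servers that do not
add 'top' implicitly.  The sample LDIF at the bottom is constructed."""
import base64
import sys

def parse_ldif(text):
    """Entries as lists of (attr, sep, value); sep is ':' for a plain value,
    '::' for base64.  Handles '#' comments, blank-line separation and
    RFC 2849 folding (a continuation line starts with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:        # folded continuation
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], []
    for line in lines:
        if line.startswith('#'):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = []
            continue
        attr, _, rest = line.partition(':')
        if rest.startswith(':'):
            current.append((attr.strip(), '::', rest[1:].strip()))
        else:
            current.append((attr.strip(), ':', rest.strip()))
    if current:
        entries.append(current)
    return entries

def object_classes(entry):
    """objectClass values, base64 ones decoded so an encoded 'top' is not missed."""
    for attr, sep, value in entry:
        if attr.lower() == 'objectclass':
            if sep == '::':
                value = base64.b64decode(value).decode('utf-8', 'replace')
            yield value

def ensure_top(entries):
    """Return (entries, changed).  Only entries carrying objectClass attributes
    are touched (changetype: modify records pass through), and only when none
    of them is 'top' (case-insensitive); 'top' goes before the first objectClass."""
    fixed, changed = [], 0
    for entry in entries:
        classes = list(object_classes(entry))
        if not classes or any(c.lower() == 'top' for c in classes):
            fixed.append(entry)
            continue
        new_entry, inserted = [], False
        for triple in entry:
            if not inserted and triple[0].lower() == 'objectclass':
                new_entry.append(('objectClass', ':', 'top'))
                inserted = True
            new_entry.append(triple)
        fixed.append(new_entry)
        changed += 1
    return fixed, changed

def format_ldif(entries):
    out = []
    for entry in entries:
        out.extend(f"{attr}{sep} {value}" for attr, sep, value in entry)
        out.append('')                           # blank line ends the entry
    return '\n'.join(out)

def fix_ldif_text(text):
    entries, changed = ensure_top(parse_ldif(text))
    return format_ldif(entries), changed

# Constructed sample in the shape of 'smbldap-populate -e' output: the base
# and user entries lack 'top', the ou has it; one value is folded, one base64.
SAMPLE_LDIF = """\
dn: dc=example,dc=local
objectClass: dcObject
dc: example

dn: ou=People,dc=example,dc=local
objectClass: top
objectClass: organizationalUnit

dn: uid=root,ou=People,dc=example,dc=local
objectClass: inetOrgPerson
objectClass: sambaSamAccount
sambaPrimaryGroupSID: S-1-5-21-1-2-3
 -512
description:: Um9vdCBhY2NvdW50
"""

if __name__ == '__main__':
    # usage: fix_ldif_top.py smb-populate.ldif > fixed.ldif   (no file: sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    text, count = fix_ldif_text(source)
    sys.stdout.write(text)
    print(f"# added objectClass: top to {count} entries", file=sys.stderr)
```

Run it on the file written by smbldap-populate -e and feed the output to the ldapadd command from the note. Running it a second time changes nothing, folded values are unfolded (ldapadd accepts long lines), and records without objectClass attributes pass through untouched.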


Re: [Samba] net rpc vampire not working

2005-12-04 Thread Craig White
On Mon, 2005-12-05 at 08:31 +1100, Del wrote:
> Hi,
> 
> Can someone help me get "net rpc vampire" in one of its forms working.
> 
> The objective is to migrate from an NT4 PDC to a SAMBA 3.0 PDC using
> LDAP as a back end.  I am trying to migrate the user and machine accounts
> across in a lab environment, separate from the main network (I have
> replicated the PDC to do this).
> 
> I have samba-3.0.20b built from the samba team source RPM on Fedora
> Core 3, and I'm trying to follow the steps here:
> 
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html
> 

that isn't a complete walk through and is probably leaving out some
details that you probably didn't know were necessary.

Use
http://www.samba.org/samba/docs/man/Samba-Guide/ntmigration.html

which is a much more complete walk-through.

I would recommend that the user is familiar with setup, usage,
maintenance of LDAP prior to doing this.

Oh - yes, the net rpc vampire indeed works, I've done it a few times -
going back to 3.0.0 (and it worked then) and I doubt they've broken it
in the interim. The steps are very important. Not understanding LDAP
makes it extremely difficult to do. Get practiced at backing up your
LDAP db and restoring as the vampire process takes a number of practice
runs to get it right.

Craig



[Samba] net rpc vampire not working

2005-12-04 Thread Del

Hi,

Can someone help me get "net rpc vampire" in one of its forms working.

The objective is to migrate from an NT4 PDC to a SAMBA 3.0 PDC using
LDAP as a back end.  I am trying to migrate the user and machine accounts
across in a lab environment, separate from the main network (I have
replicated the PDC to do this).

I have samba-3.0.20b built from the samba team source RPM on Fedora
Core 3, and I'm trying to follow the steps here:

http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html

also here:

http://samba.idealx.org/smbldap-howto.en.html (section 11.1)

I have seen the problems listed here:

http://lists.samba.org/archive/samba/2004-June/088448.html
http://lists.samba.org/archive/samba/2004-July/089147.html

and I'm getting the same thing happening to me.  I have also tried
using "net rpc vampire ldif" with similar results:

I started by creating a samba server and setting it up as a BDC:

[global]
workgroup = MYDOMAIN
netbios name = MYSAMBASERVER
server string = Samba Server
security = domain
encrypt passwords = Yes
password server = MYPDC
log file = /var/log/samba/%m.log
max log size = 0
name resolve order = host wins bcast
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
local master = No
domain master = False
dns proxy = No
wins server = 192.168.1.1
winbind uid = 1-2
winbind gid = 1-2
winbind separator = +
create mask = 0777
directory mask = 0777
hosts allow = 192.168. 127.
printing = lprng
oplocks = No
follow symlinks = No
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = no

Then I added the following parts to smb.conf to give it the LDAP
information:

ldap suffix = dc=debortoli,dc=local
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups

Join the domain:

net rpc join -U Administrator%PASSWORD
service smb start

I can verify the domain is joined by using:

net rpc testjoin

Also, I can see all of the accounts using winbind:

service winbind start
getent passwd

However from this point on nothing in "net rpc vampire" works.

net rpc vampire ldif ./vampire.ldif

fails with:

Could not retrieve domain trust secret

net rpc vampire ldif ./vampire.ldif -S MYPDC -U Administrator%PASSWORD

fails with:

Cannot import users from DBW at this time, as the current domain:
FC3-DBW-3: S-1-5-21-92691229-39247329-4222772032
conflicts with the remote domain
DBW: S-1-5-21-423981254-716712060-315576832

This is a suggested fix:

* http://lists.samba.org/archive/samba/2004-July/089148.html

but it fails like this:

# net setlocalsid S-1-5-21-423981254-716712060-315576832
# net rpc vampire ldif
Cannot import users from FC3-DBW-3 at this time, as the current domain:
FC3-DBW-3: S-1-5-21-423981254-716712060-315576832
conflicts with the remote domain
FC3-DBW-3: S-1-5-21-92691229-39247329-4222772032

Alternatively, running this:

net rpc vampire ldif ./vampire.ldif -S MYPDC -U Administrator%PASSWORD

... results in an empty ./vampire.ldif file, and two files /tmp/add.ldif
and /tmp/mod.ldif. /tmp/mod.ldif is empty and /tmp/add.ldif contains
the base LDAP structure but no users other than "root" and "nobody".

I have tried the http://samba.idealx.org/smbldap-howto.en.html method
(making samba a PDC, stopping the other PDC, restarting samba, etc)
but that fails as well with just about the same error messages as above.

Is there any way of getting this net rpc vampire tool to work?  Has anyone
had any success with it?  What entries do I need in smb.conf etc to get
things working?

--
Del
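A pre-flight check for the smb.conf question at the end of this post, as an added example that is not code from the thread, the Samba guide or smbldap-tools. It parses smb.conf the way Samba reads it (parameter names matched ignoring case and whitespace, '#' and ';' comments) and flags the two configuration points this thread surfaces: the posted config has security = domain, while Del's later notes say the guide's configuration needs security = user (configure.pl adds it), and the four ldap suffix parameters. Which parameters it checks is this example's own choice, not a list taken from Samba; the sample config is the posted one, trimmed.

```python
"""Pre-flight check of smb.conf [global] before 'net rpc vampire'.
Added example, not code from the thread, the Samba guide or smbldap-tools.
The set of parameters checked is this example's assumption."""
import sys

def normalize_key(key):
    """'LDAP  Suffix' -> 'ldapsuffix': Samba matches parameter names
    ignoring case and embedded whitespace."""
    return ''.join(key.split()).lower()

def parse_smb_conf(text):
    """Return {section (lowercased): {normalized key: value}}.
    A later duplicate of a key overrides an earlier one, as in Samba."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or '=' not in line:
            continue                      # outside any section, or malformed
        key, _, value = line.partition('=')
        sections[current][normalize_key(key)] = value.strip()
    return sections

LDAP_SUFFIX_KEYS = ('ldap suffix', 'ldap user suffix',
                    'ldap machine suffix', 'ldap group suffix')

def check_vampire_config(text):
    """Return a list of findings; an empty list means nothing to flag."""
    g = parse_smb_conf(text).get('global', {})
    findings = []
    security = g.get('security', 'user').lower()   # Samba's default is 'user'
    if security != 'user':
        findings.append(f"security = {security}: Del's notes expect "
                        "'security = user' (configure.pl adds it)")
    for key in LDAP_SUFFIX_KEYS:
        if normalize_key(key) not in g:
            findings.append(f"{key} is not set")
    return findings

# The posted BDC-style smb.conf, trimmed, plus the ldap lines added to it.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = MYDOMAIN
    netbios name = MYSAMBASERVER
    security = domain
    encrypt passwords = Yes
    password server = MYPDC
    ; LDAP information
    ldap suffix = dc=debortoli,dc=local
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups
"""

if __name__ == '__main__':
    # usage: vampire_preflight.py /etc/samba/smb.conf   (no file: sample above)
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    problems = check_vampire_config(conf)
    for p in problems:
        print("WARN:", p)
    sys.exit(1 if problems else 0)
```

On the posted config the only finding is the security setting; a config with security = user and the four suffixes produces none, which is the state Del reports after following the Samba-Guide chapter.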