samba ldap howto.pdf

The SAMBA-LDAP-PDC Howto
Revision : 1.24
• <user> is the user name on Microsoft Windows NT,
• <id> is the Microsoft Windows NT RID (Relative ID), the last 32 bits of the Microsoft
Windows NT user SID;
• <lanman pw> is the LANMAN password hash (see below);
• <NT pw> is the Microsoft Windows NT password hash (MD4 in fact). If the user has
no password, the entry will be dumped as NO PASSWORD*****. If the entry is
disabled or invalid, these are dumped as 32 ’*’ characters;
• <comment> is the concatenation of the user full name on Microsoft Windows NT and the
description field in the Microsoft Windows NT user-manager program;
• <homedir> cannot contain ’:’ as this character is used as the field separator. All ’:’ characters after the drive letter are dumped as ’ ’ .
pwdump dumps users and machine accounts (machine accounts use the ’$’ character at the
end of their name).
Populating the LDAP directory with accounts

Using the SAM output, we have to use
the smbldap-migrate-accounts.pl tool (part of the smbldap-tools) to update the LDAP
repository (smbldap-tools must be correctly configured at this time).
Basically, smbldap-migrate-accounts.pl takes a ’pwdump’ flat file and updates the master
LDAP repository using the following parameters:
• -a : process only people, ignore computers,
• -w : process only computers, ignore persons,
• -A opts: a string containing arguments to pass verbatim to smbldap-useradd when
adding users, e.g. "-m -x". You don’t have to specify -a in this string,
• -W opts: a string containing arguments to pass verbatim to smbldap-useradd when
adding computers, e.g. "-m -x". You don’t have to specify -w in this string,
• -C : if NT account not found in LDAP, don’t create it and log it to stdout (default is
to create the account),
• -U : if NT account found in LDAP, don’t update it and log it to stdout (default is to
update the account).
For example, if you want to create the initial entries in the LDAP repository, and if you think
your PDC is the most up-to-date source of information, just issue the following command:
smbldap-migrate-accounts.pl < pwdump-file.txt
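
An added example, not part of the howto or of smbldap-tools: a pre-flight check that parses pwdump records using the field list and markers described above, splits people from machine accounts the way -a and -w do, and lists the records worth reviewing before the migration creates or updates them. The field order, the trailing ':' after the home directory, the function names and the sample records are assumptions or constructed data.

```python
import re
from collections import namedtuple

# Field order assumed to follow the howto's list, with a trailing ':' per record.
Account = namedtuple("Account", "user rid lanman_pw nt_pw comment homedir")
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")
NOPW, DISABLED = "NO PASSWORD" + "*" * 21, "*" * 32

def parse_line(line):
    """Parse one pwdump record; raise ValueError on a bad field count or RID."""
    parts = line.rstrip("\r\n").split(":")
    if len(parts) == 7 and parts[6] == "":  # drop the empty piece after the last ':'
        parts.pop()
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields, got {len(parts)}")
    return Account(parts[0], int(parts[1]), *parts[2:])

def hash_state(value):
    """Classify a hash field using the markers the howto describes."""
    if value.startswith("NO PASSWORD"):
        return "no-password"
    if value == DISABLED:
        return "disabled-or-invalid"
    return "set" if HEX32.fullmatch(value) else "malformed"

def preflight(lines):
    """Split records as -a / -w would and collect the ones to review first."""
    report = {"people": [], "machines": [], "review": []}
    for n, line in enumerate(lines, 1):
        try:
            acct = parse_line(line)
        except ValueError as exc:
            report["review"].append((n, "unparsable", str(exc)))
            continue
        # Machine accounts carry a '$' at the end of their name.
        report["machines" if acct.user.endswith("$") else "people"].append(acct.user)
        state = hash_state(acct.nt_pw)
        if state != "set":
            report["review"].append((n, acct.user, state))
    return report

# Constructed sample records; the hex strings are placeholders, not real hashes.
SAMPLE = [
    r"alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:Alice Example,admin:\\pdc\homes\alice:",
    f"guest:501:{NOPW}:{NOPW}:Guest::",
    f"olduser:1002:{DISABLED}:{DISABLED}:Former staff::",
    "WS01$:1005:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:::",
    "broken:line",
]
```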
