Migrate from LDAP to AD

Hi all,

I am looking at AD installation.

To install AD I have to uninstall LDAP. The users are saved in some directories because if you reinstall LDAP, the users are still there.

If I install AD then the users are not incorporated in AD.

Is there a way to export the users with their mails etc. before deleting LDAP, and after installing AD, how do I import those into AD?

Michel-André

2 Likes

Users and groups are exported on removal of account provider:

/var/lib/nethserver/backup/users.tsv
/var/lib/nethserver/backup/accounts.tsv

http://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-sssd.html#nethserver-sssd-remove-provider

There are scripts to import users/groups to AD:

http://docs.nethserver.org/en/v7/accounts.html#import-and-delete-accounts-from-plain-text-files

http://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-sssd.html#account-import-scripts

The mails are kept after deleting a user and I assume even after removing the account provider.
They’re located in /var/lib/nethserver/vmail/.

If you don’t change the domain name from LDAP to AD the users should get the mails they had with LDAP.
If you change the domain name you have to move the mails from /var/lib/nethserver/vmail/USER@OLDDOMAIN/Maildir/ to /var/lib/nethserver/vmail/USER@NEWDOMAIN/Maildir/.

I recommend doing a backup in case something fails.

5 Likes
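If the domain name does change, the per-user move of /var/lib/nethserver/vmail/USER@OLDDOMAIN to USER@NEWDOMAIN described above can be scripted. This is an added example, not NethServer code or the poster's: it assumes only the vmail layout shown in the thread (USER@DOMAIN directories next to root, vmail and shared-mailboxes.db), defaults to a dry run, refuses to overwrite an existing mailbox, and demonstrates itself on a constructed temporary tree.

```python
import os
import tempfile
from pathlib import Path


def plan_mailbox_moves(vmail_root, old_domain, new_domain):
    """List (src_name, dst_name) for every USER@OLDDOMAIN directory under vmail_root.

    Entries without the '@old_domain' suffix (root, vmail, shared-mailboxes.db)
    are left alone. A move whose target already exists is reported as skipped
    instead of clobbering an existing Maildir.
    """
    root = Path(vmail_root)
    suffix = "@" + old_domain
    moves, skipped = [], []
    for entry in sorted(root.iterdir()):
        if not entry.is_dir() or not entry.name.endswith(suffix):
            continue
        dst_name = entry.name[: -len(suffix)] + "@" + new_domain
        if (root / dst_name).exists():
            skipped.append((entry.name, dst_name))
        else:
            moves.append((entry.name, dst_name))
    return moves, skipped


def move_mailboxes(vmail_root, old_domain, new_domain, dry_run=True):
    """Rename the mailbox directories; with dry_run=True only report the plan."""
    moves, skipped = plan_mailbox_moves(vmail_root, old_domain, new_domain)
    if not dry_run:
        for src_name, dst_name in moves:
            # rename keeps the vmail:vmail ownership and the Maildir inside
            os.rename(Path(vmail_root) / src_name, Path(vmail_root) / dst_name)
    return moves, skipped


def demo():
    """Constructed vmail tree in a temp dir (not a real server), modelled on the thread's listing."""
    root = tempfile.mkdtemp()
    for name in ["root", "vmail", "toto@old.org", "tata@old.org",
                 "titi@old.org", "titi@new.org"]:
        os.makedirs(os.path.join(root, name, "Maildir"))
    open(os.path.join(root, "shared-mailboxes.db"), "w").close()
    planned, skipped = move_mailboxes(root, "old.org", "new.org", dry_run=True)
    moved, _ = move_mailboxes(root, "old.org", "new.org", dry_run=False)
    return {"planned": planned, "skipped": skipped, "moved": moved,
            "after": sorted(os.listdir(root))}
```

On a real server run it as root with dry_run=True first and compare the plan against `ls /var/lib/nethserver/vmail`.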

Hi Markus,

You are still THE greatest!

All is working.
The users/groups are in AD now.

Importing users gave an error with admin as it is still there in AD. Same with admins group.

The emails are there, and after importing users, they can read their emails without problem. I didn’t have to import mails. I think it is because when installing AD, I used the original domain name as the AD domain so AD didn’t have to create a new folder for emails.

Thank you again,

Michel-André

2 Likes

Hi all,

All is running in a virtual machine.

In my above reply, I had only one user: michelandre. I didn’t import groups as there was none.

I added a few users (toto, titi and tata) in LDAP and connected to Webmail for each one as to create their mail directory. They send a short message to root. All was working correctly.

I added 3 new groups as to test the importation of groups.

I uninstalled LDAP.

I installed AD keeping the same domain name as the one in LDAP.


IMPORTING USERS

# /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_users /var/lib/nethserver/backup/users.tsv

[INFO] imported titi as titi@micronator-dev.org
[ERROR] Account `admin` user-create event failed.
[INFO] imported michelandre as michelandre@micronator-dev.org
[INFO] imported tata as tata@micronator-dev.org
[INFO] imported toto as toto@micronator-dev.org
#

The error with admin is normal as it is already in AD.

# ls -als /var/lib/nethserver/home

total 0
0 drwxr-xr-x. 2 root root 6 Mar 4 2019 .
0 drwxr-xr-x. 12 root root 155 Apr 19 16:13 ..
#

Normal as the users are stored in AD.

IMPORTING GROUPS

The recommended way as of: http://docs.nethserver.org/en/v7/accounts.html#import-and-delete-accounts-from-plain-text-files

# /usr/share/doc/nethserver-sssd-`rpm --query --qf "%{VERSION}" nethserver-sssd`/scripts/import_groups /var/lib/nethserver/backup/groups.tsv

[ERROR] Account `titi` group-create event failed.
[ERROR] Account `tata` group-create event failed.
[ERROR] Account `toto` group-create event failed.
[ERROR] Account `domain admins` group-create event failed.
[root@tchana ~]#

Another way

# /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_groups /var/lib/nethserver/backup/groups.tsv

[ERROR] Account `titi` group-create event failed.
[ERROR] Account `tata` group-create event failed.
[ERROR] Account `toto` group-create event failed.
[ERROR] Account `domain admins` group-create event failed.
#

I have to give the users new passwords so that they can access their emails.
That should be painful if I have hundreds of users…

# ls -als /var/lib/nethserver/vmail

total 4
0 drwx------ 10 vmail vmail 253 Oct 14 11:35 .
0 drwxr-xr-x. 12 root root 155 Apr 19 16:13 ..
0 drwx------ 3 vmail vmail 21 Apr 19 15:55 admin@micronator-dev.org
0 drwx------ 3 vmail vmail 21 Apr 19 15:55 michelandre@micronator-dev.org
0 drwx------ 3 vmail vmail 21 Jan 8 2019 root
4 -rw------- 1 vmail vmail 73 Oct 14 11:35 shared-mailboxes.db
0 drwx------ 3 vmail vmail 21 Oct 14 11:35 tata@micronator-dev.org
0 drwx------ 3 vmail vmail 21 Oct 14 11:35 titi@micronator-dev.org
0 drwx------ 3 vmail vmail 21 Oct 14 11:34 toto@micronator-dev.org
0 drwx------ 3 vmail vmail 21 Jan 8 2019 vmail
0 drwx------ 3 vmail vmail 21 Apr 19 16:00 vmail@micronator-dev.org
#

For the importation of groups, where did I go wrong?

Michel-André

For me the import of groups is working. You have to import the users first.

/usr/share/doc/nethserver-sssd-`rpm --query --qf "%{VERSION}" nethserver-sssd`/scripts/import_users /var/lib/nethserver/backup/users.tsv
/usr/share/doc/nethserver-sssd-`rpm --query --qf "%{VERSION}" nethserver-sssd`/scripts/import_groups /var/lib/nethserver/backup/groups.tsv
# su - admin
Creating home directory for admin@micronator-dev.org.

After a minute, I had to send a [CTL] + [C] because the prompt didn’t come back.

^CInterrupt
#

Re-issued the command.

# su - admin
Last login: Mon Oct 14 16:45:45 EDT 2019 on pts/0
$


$  /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_groups /var/lib/nethserver/backup/groups.tsv
[INFO] imported 'titi' with members 'tata titi'
[INFO] imported 'tata' with members 'tata'
[INFO] imported 'toto' with members 'tata titi toto'
[INFO] imported 'domain admins' with members 'admin michelandre'
$

Michel-André

1 Like

Hi Markus,

I imported the users before the groups.

Michel-André

Hm, now it seems to work but it should work as root too.
The error ([ERROR] Account 'toto' group-create event failed.) is also triggered if the group is already present.

Hi Markus,

As root, when I imported the users, it gave ERROR on admin. As you wrote for groups, if it already exists, it gives ERROR.

But, as admin, when I imported groups, it imported ‘domain admins’ without ERROR even if the ‘domain admins’ already existed. Plus, I added already michelandre to the group ‘domain admins’.

...
[INFO] imported 'domain admins' with members 'admin michelandre'
...

I will start all over again and let you know.

Michel-André

The passwords set after the import are the random ones in the users.tsv file.

Thanks for your work and feedback!

admin is almighty…

[admin@micronator-dev.org@tchana ~]$ /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_users  \
>                  /var/lib/nethserver/backup/users.tsv
[INFO] imported titi as titi@micronator-dev.org
[INFO] imported admin as admin@micronator-dev.org
[INFO] imported michelandre as michelandre@micronator-dev.org
[INFO] imported tata as tata@micronator-dev.org
[INFO] imported toto as toto@micronator-dev.org
[admin@micronator-dev.org@tchana ~]$
[admin@micronator-dev.org@tchana ~]$
[admin@micronator-dev.org@tchana ~]$
[admin@micronator-dev.org@tchana ~]$
[admin@micronator-dev.org@tchana ~]$ /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_users                   /var/lib/nethserver/backup/users.tsv
[INFO] imported titi as titi@micronator-dev.org
[INFO] imported admin as admin@micronator-dev.org
[INFO] imported michelandre as michelandre@micronator-dev.org
[INFO] imported tata as tata@micronator-dev.org
[INFO] imported toto as toto@micronator-dev.org
[admin@micronator-dev.org@tchana ~]$

admin is so powerful that it can import twice or as many times as you want.

The users are there and only once.

But the groups toto, titi and tata are not… and I am sure I created them in LDAP.

[admin@micronator-dev.org@tchana ~]$ cat /var/lib/nethserver/backup/groups.tsv
titi    tata    titi
tata    tata
toto    tata    titi    toto
domain admins   admin   michelandre
[admin@micronator-dev.org@tchana ~]$

Very strange…

Michel-André

You are using same user and group names. Could this be the problem?

admin can import groups as many times as I want.

In RedHat, i.e. CentOS, when you create a user, the system also creates a group with the same name?

With AD

# ls -als /var/lib/nethserver/home/toto
total 12
0 drwx------  2 toto@micronator-dev.org domain users@micronator-dev.org  62 Oct 14 16:50 .
0 drwxr-xr-x. 6 root                    root                             55 Oct 14 16:56 ..
4 -rw-------  1 toto@micronator-dev.org domain users@micronator-dev.org  18 Oct 14 16:50 .bash_logout
4 -rw-------  1 toto@micronator-dev.org domain users@micronator-dev.org 193 Oct 14 16:50 .bash_profile
4 -rw-------  1 toto@micronator-dev.org domain users@micronator-dev.org 231 Oct 14 16:50 .bashrc
#

I will check that when I finish starting over.

Michel-André

That’s right but in AD it’s not allowed.

https://social.technet.microsoft.com/Forums/en-US/a55a0244-8def-40b4-9535-653f1aeaed11/could-we-have-same-names-for-user-and-groups-in-active-directory?forum=winserverDS

1 Like
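A pre-flight check over the exported TSV files, as an added example (not one of NethServer's import scripts): it flags group names equal to a user name (which AD does not allow), accounts a fresh AD already provides (admin, domain admins) and group members missing from users.tsv, before either script is run. It assumes the first column of users.tsv is the username; the groups.tsv layout is the one the thread shows, and the sample dumps are constructed.

```python
# Accounts a fresh NethServer AD already contains; the thread shows the import
# scripts reporting "event failed" for them when run as root.
AD_BUILTIN_USERS = {"admin"}
AD_BUILTIN_GROUPS = {"domain admins"}


def parse_tsv(text):
    """Split a users.tsv / groups.tsv dump into rows of tab-separated fields."""
    return [line.split("\t") for line in text.splitlines() if line.strip()]


def preflight(users_tsv, groups_tsv):
    """Report what would make import_users / import_groups fail on AD.

    Assumption: column 1 of users.tsv is the username (other columns ignored);
    groups.tsv is 'group<TAB>member<TAB>member...' as in the thread's dump.
    Returns sorted (kind, name) tuples:
      name-clash      group name equal to a user name, not allowed in AD
      already-exists  account the AD provider created itself
      unknown-member  member not in users.tsv, so import users first
    """
    users = {row[0] for row in parse_tsv(users_tsv)}
    problems = set()
    for row in parse_tsv(groups_tsv):
        group, members = row[0], row[1:]
        if group in users:
            problems.add(("name-clash", group))
        if group in AD_BUILTIN_GROUPS:
            problems.add(("already-exists", group))
        for member in members:
            if member not in users | AD_BUILTIN_USERS:
                problems.add(("unknown-member", group + ":" + member))
    for user in users & AD_BUILTIN_USERS:
        problems.add(("already-exists", user))
    return sorted(problems)


# Constructed sample dumps (tabs written explicitly), modelled on the thread.
USERS_TSV = ("admin\tAdministrator\tRaNd0mPw\nmichelandre\tMichel\tpw1\n"
             "tata\tTata\tpw2\ntiti\tTiti\tpw3\ntoto\tToto\tpw4\n")
GROUPS_TSV = ("titi\ttata\ttiti\n"
              "groupe-nom-seul\tmichelandre\ttoto\n"
              "tata\ttata\n"
              "toto\ttata\ttiti\ttoto\n"
              "domain admins\tadmin\tmichelandre\n"
              "tester\tnobody\n")  # constructed: member absent from users.tsv


def demo():
    return preflight(USERS_TSV, GROUPS_TSV)
```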

In AD, it looks like all users belong to users group.

Michel-André

Hi Markus,

I restored the VM at the point where I added users and groups within LDAP.
I added a new group with a new name different from all users and groups.
I added toto and michelandre to that group.

Uninstalled LDAP, installed AD with the same domain name as the one in LDAP.
Added a password to both admin.
Added remote shell to admin.

su to admin

[root@tchana ~]# su - admin
Creating home directory for admin@micronator-dev.org.
[admin@micronator-dev.org@tchana ~]$

This time, su to admin didn’t hang.

Importing users. (No ERROR even if admin already exists)

[admin@micronator-dev.org@tchana ~]$ /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_users  /var/lib/nethserver/backup/users.tsv
[INFO] imported titi as titi@micronator-dev.org
[INFO] imported admin as admin@micronator-dev.org
[INFO] imported michelandre as michelandre@micronator-dev.org
[INFO] imported tata as tata@micronator-dev.org
[INFO] imported toto as toto@micronator-dev.org
[admin@micronator-dev.org@tchana ~]$

Importing groups. (No ERROR even if ‘domain admins’ already exists)

[admin@micronator-dev.org@tchana ~]$ /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_groups   /var/lib/nethserver/backup/groups.tsv
[INFO] imported 'titi' with members 'tata titi'
[INFO] imported 'groupe-nom-seul' with members 'michelandre toto'
[INFO] imported 'tata' with members 'tata'
[INFO] imported 'toto' with members 'tata titi toto'
[INFO] imported 'domain admins' with members 'admin michelandre'
[admin@micronator-dev.org@tchana ~]$

New group: ‘groupe-nom-seul’

After importing users and groups, they didn’t appear in the GUI so I logged out of the GUI and logged back in with admin. Same thing: no imported users nor groups.

Worse: when I tried to su to toto to create his home dir, he doesn’t exist…

Exit su from admin.

[admin@micronator-dev.org@tchana ~]$ exit
logout
[root@tchana ~]#

Trying su to toto -> user toto does not exist

[root@tchana ~]# su - toto
su: user toto does not exist
[root@tchana ~]#

Again su to admin, maybe he will be able to su to toto.

[root@tchana ~]# su - admin
Last login: Mon Oct 14 18:45:51 EDT 2019 on pts/0
[admin@micronator-dev.org@tchana ~]$

No luck

[admin@micronator-dev.org@tchana ~]$ su - toto
su: user toto does not exist
[admin@micronator-dev.org@tchana ~]$

Reboot and same thing; no new users/groups.

I will take a break of a few hours,

Michel-André

You are absolutely right.

Groups and members.

# cat /var/lib/nethserver/backup/groups.tsv
titi    tata    titi
not-a-user-name     michelandre     tata    titi    toto
tata    tata
toto    tata    titi    toto
domain admins   admin   michelandre
#

Importing groups

# /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_groups  /var/lib/nethserver/backup/groups.tsv
[ERROR] Account ` **titi** ` group-create event failed.
[INFO] imported 'not-a-user-name' with members 'michelandre tata titi toto'
[ERROR] Account ` **tata** ` group-create event failed.
[ERROR] Account ` **toto** ` group-create event failed.
[ERROR] Account ` **domain** **admins** ` group-create event failed.
#

NOTE: Users who were in the domain admins group are not imported, they must be put back to this group.

Importing groups again -> they all failed because not-a-user-name is already in AD and the other group names are names of users.

# /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_groups  /var/lib/nethserver/backup/groups.tsv
[ERROR] Account `titi` group-create event failed.
[ERROR] Account `sans-membre` group-create event failed.
[ERROR] Account `tata` group-create event failed.
[ERROR] Account `toto` group-create event failed.
[ERROR] Account `domain admins` group-create event failed.
#

User root can now su to toto without problem.

# su toto
$

Thank you so much again Markus,

Michel-André

P.S. Michel-André didn’t want to write that the NICs of the VM were not in “Promiscuous mode”.
P.P.S. I didn’t write the P.S., it’s the newbie inside me that wrote it when I was outside for a walk.

2 Likes

Hi all,

When I installed AD, I chose the DNS domain name: mn-dev.org (same as the one in LDAP) and NetBIOS domain name: MN-DEV.

I imported the users and the groups. I didn’t have to import the emails because the server kept the same domain name.

I finally got LAM working.

I also installed RSAT on a Win-8.1 Pro which I joined to the AD NetBIOS domain name: MN-DEV.

With RSAT, I created a Group Policy for the network drive: Home -> H with the path: \\name-of-server\%LogonName%@mn-dev.org

I can see this Policy in LAM.

When Administrator logs in to Win-8.1, the Policy runs correctly and he can see the mapped drive H:\ and he can go into it.

Toto didn’t see the H:\ drive. So at the server for the home folder of Toto, I changed owner:group:

chown -R toto@mn-dev.org:"domain users@mn-dev.org" toto

# ls -als /var/lib/nethserver/home/
total 0
0 drwxr-xr-x.  6 toto@mn-dev.org          domain users@mn-dev.org  70 Oct 28 16:34 .
0 drwxr-xr-x. 14 root                             root                            187 Oct 24 16:12 ..
0 drwx------   2 administrator@mn-dev.org domain users@mn-dev.org  62 Oct 28 16:34 administrator
0 drwx------   2                             1001                            1000  83 Oct 20 18:02 michelandre
0 drwx------   2                             1003                            1000  83 Oct 20 18:02 titi
0 drwx------   2 toto@mn-dev.org          domain users@mn-dev.org  83 Oct 20 18:01 toto
#

Toto logged out/in, and now Toto has his drive H:\

After installation of AD, it looks like the users have their home directory with user-id:group-id ???

Question 1:
If I have hundreds of users, how to have the home folder the right owner:group?

Question 2:
Did I make errors importing users and groups?

# man import_users
No manual entry for import_users

All suggestions appreciated,

Michel-André