Bug 194 - convertSambaAccount script produces ldif that cannot be loaded in LDAP
Product: Samba 3.0
Classification: Unclassified
Component: Upgrade
Assigned To: Gerald (Jerry) Carter
Reported: 2003-06-27 12:01 UTC by Kristis Makris
Modified: 2005-08-24 10:22 UTC

Now also converting attributes that have 0 set as a value (213 bytes, patch)
2003-06-27 12:20 UTC, Kristis Makris

Description Kristis Makris 2003-06-27 12:01:33 UTC
This is related to the convertSambaAccount script in samba3.0.0beta1. After
trying to add back in LDAP the new LDIF file produced by this script (using the
new samba.schema that comes in with samba3.0.0.beta1) ldap_add complained with
the following error message:

# ldapadd -v -x -w secret  -D "cn=root,dc=datasoft,dc=com"  -h ebola -f new_ldif

adding new entry "uid=root, ou=Users, dc=datasoft, dc=com"
ldap_add: Undefined attribute type
	additional info: logontime: attribute type undefined

Diffing the old and new ldif files I noticed this:

 dn: uid=root, ou=Users, dc=datasoft, dc=com
 cn: root
-objectClass: sambaAccount
-objectClass: posixAccount
-objectClass: top
-objectClass: qmailUser
+objectclass: posixAccount
+objectclass: top
+objectclass: qmailUser
+objectclass: sambaSamAccount
 uid: root
-pwdLastSet: 1050948491
-logonTime: 0
-logoffTime: 0
-kickoffTime: 0
-pwdCanChange: 1050948491
-displayName: Samba System Administrator
+logontime: 0
+logofftime: 0

"logonTime" simply changed to "logontime", instead of "SambaLogonTime", which is
the new AttributeType name in the samba3.0.0beta1 ldap schema.

The old ldif was dumped out of an LDAP database used in support of
samba3-alpha23. I don't know if the convertSambaAccount script changed between
samba3-alpha24 and samba3.0.0.beta1.
Comment 1 Kristis Makris 2003-06-27 12:13:28 UTC
It looks like this happens with all attributes that contain a value of 0. 

# grep -i ": 0" /tmp/old_ldif |more
logonTime: 0
logoffTime: 0
kickoffTime: 0
uidNumber: 0
gidNumber: 0
pwdLastSet: 0
logonTime: 0
pwdCanChange: 0

Comment 2 Kristis Makris 2003-06-27 12:20:42 UTC
Created attachment 37
Now also converting attributes that have 0 set as a value

This patch now takes into account attributes that have 0 set as a value.
Comment 3 Kristis Makris 2003-06-27 12:22:07 UTC
Now I get this error message:

adding new entry "cn=admin,ou=Groups,dc=datasoft,dc=com"
ldap_add: Undefined attribute type
	additional info: ntsid: attribute type undefined
Comment 4 Kristis Makris 2003-06-27 12:24:30 UTC
This is the ldif entry for which the ldapadd operation failed:

dn: cn=smbhosts,ou=Groups,dc=datasoft,dc=com
objectclass: posixGroup
objectclass: top
objectclass: sambaGroupMapping
cn: smbhosts
ntsid: S-1-5-21-1264390313-3394352946-2369289212-11035
ntgrouptype: 2
displayname: smbhosts
description: Local Unix group
gidnumber: 5017

I am guessing ntsid is mapped to something else now, and the mapping is missing
in the script.
Comment 5 Kristis Makris 2003-06-27 12:33:39 UTC
It looks like the script only converts sambaAccounts and not sambaGroupMappings.
ntsid should be mapped to SambaSID. ntgroupType should also be mapped to

Manually replacing the above accounttype names in the new_ldif resulted in an
ldif file that LDAP was able to load.
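
A pre-load check for the failures reported above, as an added example that is not part of the original bug report or of the Samba script: it lists every attribute name in an LDIF that the target schema does not define, so all offending names surface at once rather than one ldapadd failure at a time. The `DEFINED` set and the sample LDIF are constructed for illustration; in practice the set would be built from the server's loaded schema.

```python
import base64
import re

# Constructed stand-in for the attribute types the server's schema defines.
DEFINED = {"objectClass", "cn", "gidNumber", "description",
           "sambaSID", "sambaLogonTime", "sambaLogoffTime"}

# Constructed sample modelled on the two entries quoted in this report.
SAMPLE_LDIF = """\
version: 1

# converted account entry
dn: uid=root, ou=Users, dc=datasoft, dc=com
objectclass: sambaSamAccount
logontime: 0
logofftime: 0

dn: cn=smbhosts,ou=Groups,dc=datasoft,dc=com
objectclass: sambaGroupMapping
ntsid: S-1-5-21-1264390313-3394352946-2369289212-11035
ntgrouptype: 2
description: Local
  Unix group
gidnumber: 5017
"""

def _decode(raw):
    if raw.startswith(":"):  # "attr:: b64" is base64, "attr: text" is plain
        return base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
    return raw.strip()

def undefined_attributes(ldif_text, defined):
    """Map each entry's DN to its attribute names that are absent from `defined`."""
    known = {name.lower() for name in defined}   # names are case-insensitive
    text = re.sub(r"\n ", "", ldif_text.replace("\r\n", "\n"))  # unfold lines
    report = {}
    for block in re.split(r"\n{2,}", text):      # a blank line ends an entry
        dn = None
        for line in block.split("\n"):
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, raw = line.split(":", 1)
            name = name.split(";", 1)[0].lower() # drop options such as ;binary
            if name == "dn":
                dn = _decode(raw)
            elif dn is not None and name not in known:
                if name not in report.setdefault(dn, []):
                    report[dn].append(name)
    return report
```
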
Comment 6 Andrew Bartlett 2003-06-28 07:34:11 UTC
The older 3.0 cvs installations issue has been addressed by a patch by
vorlon@debian.org, which is in CVS and will be in beta2.
Comment 7 Kristis Makris 2003-06-30 08:56:52 UTC
Thanks Andrew. It would be nice if a bug was written against his patch. I
wouldn't have had to open a new one.
Comment 8 Gerald (Jerry) Carter 2003-06-30 22:02:24 UTC
marking as fixed.  current version of the script in SAMBA_3_0
seems to address all the issues reported here.
Comment 9 Gerald (Jerry) Carter 2005-02-07 08:39:01 UTC
originally reported against 3.0.0beta1.  Cleaning out
non-production release versions.
Comment 10 Gerald (Jerry) Carter 2005-08-24 10:22:35 UTC
sorry for the same, cleaning up the database to prevent unnecessary reopens of bugs.