Migrating Existing Samba Users to Verify Privilege Server Suite

This section describes how to migrate an existing user population from Samba servers to the integrated Verify Privilege Server Suite.

The information in this section is relevant to computers with the core Verify Privilege Server Suite components installed and for which you created a Verify Privilege Server Suite zone. These instructions do not apply to computers with Verify Privilege Server Suite Express installed or computers that are joined through Auto Zone. If you are using Verify Privilege Server Suite Express or if you have joined a computer using workstation mode, it is not possible to migrate existing Samba UID and GID settings.

Migrating UNIX Profiles to Active Directory

If your current environment includes Samba servers that are joined to the Active Directory domain as member servers and existing Windows users access the data on those servers, you may want to migrate those existing users to Verify Privilege Server Suite to rationalize UIDs and GIDs and manage all of your network’s conflicting identities in a single, centralized ID repository.

Migrate your Samba users to Active Directory, as explained in this section, before integrating Samba and Authentication Service as explained in Running the adbindproxy.pl Script.

There are two ways to migrate your UNIX profiles to Active Directory:

  • If winbind is currently configured in your /etc/nsswitch.conf file, you need to run the getent command to retrieve the user information.
  • If you do not have winbind configured in your /etc/nsswitch.conf file, then run the adbindproxy perl script to migrate the users. See the instructions below.

Migrating Users if Winbind is Configured in /etc/nsswitch.conf

To save the winbind information to a file:

  1. If winbind is currently configured in your /etc/nsswitch.conf file, run the following commands to save the information to a file before installing the adbindproxy package:

    getent passwd | grep -v -f /etc/passwd > /tmp/passwd.winbind
    getent group | grep -v -f /etc/group > /tmp/group.winbind

  2. Move the exported files to a computer where you have installed the Access Manager console.

  3. In the Access Manager console, use the Import from UNIX wizard to import the users and groups (with their existing UID and GID mappings) into the zone.

    For more information on importing existing user and group information and mapping information to Active Directory, see the “Importing existing users and groups” chapter in the Administrator’s Guide for Linux and UNIX.

Migrating Users with the adbindproxy perl Script

If winbind is not currently configured in your /etc/nsswitch.conf file, follow the steps below after you’ve installed the adbindproxy package.

This script gets the UID and GID files from Samba. You then import them into Active Directory.

To migrate UNIX user profiles to Active Directory using the adbindproxy.pl script:

  1. Identify the Samba servers you want to update to integrate with Verify Privilege Server Suite.

  2. On each of the Samba servers to be updated, locate the winbindd_idmap.tdb file and create a backup copy of the file.

    1. To locate the winbindd_idmap.tdb file, you can run a command similar to the following to view details about the Samba build:

      /CurrentSambaBinaryPath/smbd -b | grep -i lockdir

    2. In the output, you should see a line similar to the following that indicates the location of the winbindd_idmap.tdb file:

      LOCKDIR: /var/lib/samba

  3. Make a backup copy of the winbindd_idmap.tdb file.

    For example:

    cp /var/lib/samba/winbindd_idmap.tdb /tmp/winbindd_idmap.tdb.pre_adbindproxybackup

  4. Run the adbindproxy.pl script with the following options to generate the export files.

    perl /usr/share/centrifydc/bin/adbindproxy.pl --export --groupFile filename --userFile filename --tdbFile filename

    See Using adbindproxy.pl for details about the command-line parameters for adbindproxy.pl.

    When you run adbindproxy.pl with these options, it generates export files for the users and groups that are currently known to the Samba server. By default, these files are created as:

    /var/centrify/samba/passwd

    /var/centrify/samba/group

  5. Move the exported files to a computer where you have installed the Access Manager console.

  6. In the Access Manager console, use the Import from UNIX wizard to import the users and groups (with their existing UID and GID mappings) into the zone.

    For more information on importing existing user and group information and mapping information to Active Directory, see the “Importing existing users and groups” chapter in the Administrator’s Guide for Linux and UNIX.
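Both export procedures above produce user files that are then imported with their existing UIDs, so it is worth checking an export before it reaches the Import from UNIX wizard. The following is an added example, not part of the product documentation: it assumes the export uses the seven-field /etc/passwd format, and the function names, the 1000 UID floor and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: pre-import checks on a passwd-format export.
# Usage: check_passwd_export EXPORT LOCAL_PASSWD MIN_UID
# Prints one finding per line; no output means no findings.
# LOCAL_PASSWD must be non-empty (it is read first to learn local accounts).
check_passwd_export() {
    awk -F: -v min="$3" '
        FNR == NR        { lname[$1] = 1; luid[$3] = $1; next }  # local accounts
        NF != 7          { print "MALFORMED line " FNR; next }
        $3 !~ /^[0-9]+$/ { print "BAD_UID " $1; next }
        $3 + 0 < min     { print "LOW_UID " $1 " " $3 }          # root or system range
        ($1 in lname)    { print "LOCAL_NAME " $1 }              # shadows a local user
        ($3 in luid)     { print "LOCAL_UID " $1 " " $3 " " luid[$3] }
        ($3 in seen)     { print "DUP_UID " $1 " " $3 " " seen[$3]; next }
        { seen[$3] = $1 }
    ' "$2" "$1"
}

# Constructed sample data (not from a real server).
demo_check() {
    d=$(mktemp -d) || return 1
    cat > "$d/local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc:x:6010:6010:service:/home/svc:/bin/sh
EOF
    cat > "$d/export" <<'EOF'
alice:*:6003:6000:Alice:/home/alice:/bin/bash
bob:*:6003:6000:Bob:/home/bob:/bin/bash
carol:*:0:0:Carol:/home/carol:/bin/bash
dave:*:6010:6000:Dave:/home/dave:/bin/bash
backup:*:6011:6000:Backup:/home/backup:/bin/bash
erin:*:6012:6000
EOF
    check_passwd_export "$d/export" "$d/local" 1000
    rm -rf "$d"
}

demo_check
```

A UID of 0 or a UID that already belongs to a local account is the finding to resolve first, because the imported profile would otherwise own the same files as that account.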

Migrating Samba Servers to Verify Privilege Server Suite Zones

Samba generates UIDs and GIDs based on a range of values that have been defined for a specific server. In most cases, a user who has accessed two different Samba servers is likely to have two different UIDs: for example, a user could have UID 6003 on the server mission and UID 9778 on the server dolores.

Therefore, in an initial migration of existing users, each Samba server must join the Active Directory domain in a separate Verify Privilege Server Suite zone to accommodate the different UIDs and GIDs that users and groups may have.

If you want users to have consistent GIDs and UIDs, then you need to put the Samba servers in the same zone.
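To see which identities would have to be reconciled before two servers can share a zone, compare their export files. This is an added example, not part of the product documentation: it assumes passwd-format exports, the function names and user names are hypothetical, and the sample data is constructed around the mission and dolores UIDs mentioned above.

```sh
#!/bin/sh
# Added example: compare two servers' passwd-format exports.
# Usage: uid_conflicts EXPORT_A EXPORT_B
# Prints "USER name uidA uidB" when one user has different UIDs on the two
# servers, and "UID n nameA nameB" when one UID maps to different users.
uid_conflicts() {
    awk -F: '
        FNR == NR { uid_a[$1] = $3; name_a[$3] = $1; next }   # server A
        ($1 in uid_a) && uid_a[$1] != $3 {
            print "USER " $1 " " uid_a[$1] " " $3
        }
        ($3 in name_a) && name_a[$3] != $1 {
            print "UID " $3 " " name_a[$3] " " $1
        }
    ' "$1" "$2"
}

# Constructed sample data (not from real servers).
demo_conflicts() {
    d=$(mktemp -d) || return 1
    cat > "$d/mission" <<'EOF'
jsmith:*:6003:6000:J Smith:/home/jsmith:/bin/bash
akumar:*:6004:6000:A Kumar:/home/akumar:/bin/bash
mlee:*:6005:6000:M Lee:/home/mlee:/bin/bash
EOF
    cat > "$d/dolores" <<'EOF'
jsmith:*:9778:9000:J Smith:/home/jsmith:/bin/bash
akumar:*:6004:6000:A Kumar:/home/akumar:/bin/bash
pchen:*:6005:6000:P Chen:/home/pchen:/bin/bash
EOF
    uid_conflicts "$d/mission" "$d/dolores"
    rm -rf "$d"
}

demo_conflicts
```

The second kind of finding matters most for access control: if both servers were placed in one zone without reconciliation, files owned by UID 6005 on one server would appear to belong to a different person on the other.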