verdigado can help you with migrations from Univention Corporate Server (UCS) to Samba and Keycloak.
We recommend operating a Samba server in combination with Keycloak, because that setup is easier to integrate into server orchestration tools, and Keycloak provides sufficient functionality to manage users within the Samba Active Directory.
IT professionals may want to read our guide on migrating data into clean Active Directory structures. If you need any assistance with this task, please feel free to contact us. We offer professional support for individual migrations.

Migration guide
We only want to migrate the uid (username), sn, givenName, displayName and mail attributes while keeping the object identifier: the entryUUID of the UCS LDAP entry becomes the objectGUID of the Samba AD object. Group memberships should be migrated as well.
One major caveat along the way was importing the UCS entryUUID into the objectGUID attribute of Samba. samba-tool has no parameter to set the objectGUID for a new user, and Samba normally generates that attribute itself. A possible workaround is to use ldbmodify with the relax control (--relax) to import the user objects first; both attributes are RFC 4122 UUIDs, so the value can be copied in its textual form. ldbmodify is available in the ldb-tools package on Debian based distributions.
The import assumes that the Samba server has already been provisioned with
samba-tool domain provision
The following script can be used to export the data in two files:
#!/bin/bash
# Run as root on the UCS Primary Directory Node; slapcat reads the LDAP database directly.
# Output: /root/users.ldif (user and group objects) and /root/import.sh (group memberships
# and NT hashes). import.sh holds password-equivalent hashes, so keep it readable by root only.
umask 077
rm -f /root/users.ldif /root/import.sh
# Anchor the patterns at the start of the line so that e.g. "uid:" inside other values is not matched.
UIDS=$(slapcat -a "(mail=*)" | grep "^uid: " | sed "s/^uid: //")
while IFS= read -r USERUID; do
[ -n "$USERUID" ] || continue
echo "Exporting '$USERUID'"
USER_DATA=$(slapcat -a "(uid=$USERUID)")
USER_DN=$(echo "$USER_DATA" | grep "^dn: " | sed "s/^dn: //")
USER_GUID=$(echo "$USER_DATA" | grep "^entryUUID: " | sed "s/^entryUUID: //")
# Only the attribute name is stripped; the separator stays, so base64-encoded values
# ("givenName:: ...", used by slapcat for non-ASCII) remain valid LDIF. First mail value only.
USER_MAIL=$(echo "$USER_DATA" | grep "^mail:" | head -n 1 | sed "s/^mail://")
USER_FIRST_NAME=$(echo "$USER_DATA" | grep "^givenName:" | sed "s/^givenName://")
USER_LAST_NAME=$(echo "$USER_DATA" | grep "^sn:" | sed "s/^sn://")
USER_DISPLAY_NAME=$(echo "$USER_DATA" | grep "^displayName:" | sed "s/^displayName://")
USER_NTHASH=$(echo "$USER_DATA" | grep "^sambaNTPassword: " | sed "s/^sambaNTPassword: //")
echo "Writing $USER_DN"
echo "dn: CN=$USERUID,CN=Users,DC=example,DC=com" >> /root/users.ldif
echo "changetype: add" >> /root/users.ldif
echo "objectClass: user" >> /root/users.ldif
echo "objectGUID: $USER_GUID" >> /root/users.ldif
echo "sAMAccountName: $USERUID" >> /root/users.ldif
echo "mail:$USER_MAIL" >> /root/users.ldif
# Optional attributes are only written when present; an empty value is not valid for the import.
[ -n "$USER_DISPLAY_NAME" ] && echo "displayName:$USER_DISPLAY_NAME" >> /root/users.ldif
[ -n "$USER_LAST_NAME" ] && echo "sn:$USER_LAST_NAME" >> /root/users.ldif
[ -n "$USER_FIRST_NAME" ] && echo "givenName:$USER_FIRST_NAME" >> /root/users.ldif
echo "" >> /root/users.ldif
# memberOf holds the group DN; keep only the cn value for samba-tool.
MEMBERSHIPS=$(echo "$USER_DATA" | grep "^memberOf: " | sed "s/^memberOf: //" | sed "s/^cn=//" | cut -d ',' -f 1)
while IFS= read -r MEMBERSHIP; do
[ -n "$MEMBERSHIP" ] || continue   # users without memberOf would otherwise yield an empty group name
echo "samba-tool group addmembers '$MEMBERSHIP' '$USERUID'" >> /root/import.sh
done <<< "$MEMBERSHIPS"
# pdbedit fails on an empty hash argument, so only emit the command when a hash was exported.
if [ -n "$USER_NTHASH" ]; then
echo "pdbedit -u '$USERUID' --set-nt-hash $USER_NTHASH" >> /root/import.sh
fi
done <<< "$UIDS"
# Groups that samba-tool domain provision already creates (Domain Users, Domain Admins, ...) and
# UCS-specific groups are not re-created; memberships in the built-in groups are still applied by import.sh.
EXPORT_GROUPS=$(slapcat -a "(objectClass=posixGroup)" | grep "^cn: " | sed "s/^cn: //")
while IFS= read -r GROUPCN; do
[ -n "$GROUPCN" ] || continue
if [ "$GROUPCN" = "Domain Users" ] || [ "$GROUPCN" = "Domain Admins" ] || [ "$GROUPCN" = "Domain Guests" ] || [ "$GROUPCN" = "Domain Controllers" ] || [ "$GROUPCN" = "Windows Hosts" ] || [ "$GROUPCN" = "DC Backup Hosts" ] || [ "$GROUPCN" = "DC Slave Hosts" ] || [ "$GROUPCN" = "Computers" ] || [ "$GROUPCN" = "Printer-Admins" ] || [ "$GROUPCN" = "Slave Join" ] || [ "$GROUPCN" = "Backup Join" ] ; then
continue
fi
# Restrict to group objects so that another entry with the same cn is not picked up.
GROUP_DATA=$(slapcat -a "(&(objectClass=posixGroup)(cn=$GROUPCN))")
GROUP_UUID=$(echo "$GROUP_DATA" | grep "^entryUUID: " | sed "s/^entryUUID: //")
echo "Writing $GROUPCN"
echo "dn: CN=$GROUPCN,CN=Users,DC=example,DC=com" >> /root/users.ldif
echo "changetype: add" >> /root/users.ldif
echo "objectClass: top" >> /root/users.ldif
echo "objectClass: group" >> /root/users.ldif
echo "cn: $GROUPCN" >> /root/users.ldif
echo "name: $GROUPCN" >> /root/users.ldif
echo "objectGUID: $GROUP_UUID" >> /root/users.ldif
echo "sAMAccountName: $GROUPCN" >> /root/users.ldif
echo "" >> /root/users.ldif
done <<< "$EXPORT_GROUPS"
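The following is an added example, not verdigado's script: the same user conversion written as a function over a slapcat dump, covering the cases a line-by-line grep/sed pass misses. slapcat folds long lines (a continuation line starts with a space, which breaks the cut on memberOf), exports non-ASCII values base64-encoded as `attr:: ...`, and a user may carry several mail values, no memberOf at all, or no usable sambaNTPassword. The base DN CN=Users,DC=example,DC=com is the page's placeholder, the sample export at the end is constructed rather than real data, and the group-name helper is an assumption about how escaped commas in group DNs should be handled.

```bash
#!/usr/bin/env bash
# Added example (not from the page): UCS slapcat dump -> users.ldif + import.sh
# with LDIF unfolding, base64 passthrough, first-mail-only, empty-membership and
# hash-format handling. AD_USERS_BASE mirrors the page's placeholder (assumption).
AD_USERS_BASE="CN=Users,DC=example,DC=com"
NL='
'   # a literal newline, used to join group names

# Join LDIF continuation lines (a leading space continues the previous line).
ldif_unfold() {
  awk '/^ / { printf "%s", substr($0, 2); next } NR > 1 { print "" } { printf "%s", $0 } END { print "" }' "$@"
}

# Plain value of an "attr: value" or "attr:: base64" line.
ldif_value() {
  local rest=${1#*:}
  if [ "${rest#:}" != "$rest" ]; then
    rest=${rest#:}; printf '%s' "${rest# }" | base64 -d
  else
    printf '%s' "${rest# }"
  fi
}

# First RDN value of a group DN: "cn=Foo\, Bar,cn=groups,dc=..." -> "Foo, Bar".
group_cn() { sed -E 's/^[cC][nN]=//; s/([^\\]),.*$/\1/; s/\\,/,/g'; }

reset_user() { U_UID=; U_GUID=; U_GN_LINE=; U_SN_LINE=; U_DN_LINE=; U_MAIL_LINE=; U_GROUPS=; U_HASH=; }

# Append the collected user to $USERS_LDIF and $IMPORT_SH; skipped items become '#' lines.
emit_user() {
  [ -n "$U_UID" ] || return 0
  if [ -z "$U_GUID" ]; then
    printf '# skipped %s: no entryUUID in export\n' "$U_UID" >> "$IMPORT_SH"; return 0
  fi
  {
    printf 'dn: CN=%s,%s\nchangetype: add\nobjectClass: user\n' "$U_UID" "$AD_USERS_BASE"
    printf 'objectGUID: %s\nsAMAccountName: %s\n' "$U_GUID" "$U_UID"
    # Name/mail lines are copied with their original separator, so base64 stays base64.
    for l in "$U_MAIL_LINE" "$U_DN_LINE" "$U_SN_LINE" "$U_GN_LINE"; do
      if [ -n "$l" ]; then printf '%s\n' "$l"; fi
    done
    printf '\n'
  } >> "$USERS_LDIF"
  printf '%s' "$U_GROUPS" | while IFS= read -r g; do
    # Domain Users is every account's primary group after provisioning; adding it explicitly is redundant.
    case "$g" in ''|'Domain Users') continue ;; esac
    printf "samba-tool group addmembers '%s' '%s'\n" "$g" "$U_UID"
  done >> "$IMPORT_SH"
  if printf '%s' "$U_HASH" | grep -Eqi '^[0-9a-f]{32}$'; then
    printf "pdbedit -u '%s' --set-nt-hash %s\n" "$U_UID" "$U_HASH" >> "$IMPORT_SH"
  else
    printf '# skipped password for %s: no usable sambaNTPassword, set one with samba-tool user setpassword\n' "$U_UID" >> "$IMPORT_SH"
  fi
}

# $1: slapcat dump of the user entries, $2: users.ldif to write, $3: import.sh to write
ucs_users_to_samba() {
  USERS_LDIF=$2; IMPORT_SH=$3
  : > "$USERS_LDIF"; : > "$IMPORT_SH"
  ldif_unfold "$1" | {
    reset_user
    while IFS= read -r line; do
      case "$line" in
        '')                  emit_user; reset_user ;;
        'uid:'*)             U_UID=$(ldif_value "$line") ;;
        'entryUUID:'*)       U_GUID=$(ldif_value "$line") ;;
        'givenName:'*)       U_GN_LINE=$line ;;
        'sn:'*)              U_SN_LINE=$line ;;
        'displayName:'*)     U_DN_LINE=$line ;;
        'mail:'*)            [ -n "$U_MAIL_LINE" ] || U_MAIL_LINE=$line ;;   # first value only
        'memberOf:'*)        U_GROUPS="$U_GROUPS$(ldif_value "$line" | group_cn)$NL" ;;
        'sambaNTPassword:'*) U_HASH=$(ldif_value "$line") ;;
      esac
    done
    emit_user   # last record has no trailing blank line
  }
}

# Constructed sample export (not real data): a folded memberOf line, base64 names,
# two mail values; and a second user with an unusable hash and no memberOf.
WORK=$(mktemp -d)
cat > "$WORK/ucs-users.ldif" <<'EOF'
dn: uid=jmueller,cn=users,dc=example,dc=com
uid: jmueller
entryUUID: 0b4f8a6e-1d2c-4f7a-9c3e-2a6b5d8e9f10
givenName:: SsO2cmc=
sn:: TcO8bGxlcg==
displayName:: SsO2cmcgTcO8bGxlcg==
mail: jmueller@example.com
mail: joerg.mueller@example.com
memberOf: cn=Domain Users,cn=groups,dc=example,dc=com
memberOf: cn=Staff,cn=groups,dc=example,dc=com
memberOf: cn=Project Alpha External Reviewers 2024,cn=groups,dc=example,dc=c
 om
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C

dn: uid=bob,cn=users,dc=example,dc=com
uid: bob
entryUUID: 6f2e9d1a-3b4c-4d5e-8f90-1a2b3c4d5e6f
givenName: Bob
sn: Builder
displayName: Bob Builder
mail: bob@example.com
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
EOF
ucs_users_to_samba "$WORK/ucs-users.ldif" "$WORK/users.ldif" "$WORK/import.sh"
cat "$WORK/users.ldif" "$WORK/import.sh"
```

The generated files have the same layout as the page's users.ldif and import.sh, so the import steps that follow apply unchanged; lines starting with # in import.sh list what was skipped and why, which is worth reading before running it.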
Now copy the created users.ldif and import.sh files into the /root directory of your new Samba server. import.sh contains the NT hashes of all accounts, which are password-equivalent, so transfer it over an authenticated channel (scp, for example), keep it readable by root only and delete both files once the import has succeeded. To import the data into Samba, first import the user and group objects with ldbmodify; the relax control is what makes Samba accept the objectGUID values from the file instead of generating new ones:
ldbmodify -H tdb:///var/lib/samba/private/sam.ldb /root/users.ldif --relax
Finally, set the group memberships and password hashes by executing import.sh. Afterwards, spot-check a migrated account with samba-tool user show: its objectGUID must equal the former entryUUID, and its userAccountControl should be what you expect, so enable or disable accounts with samba-tool user enable / disable as required, since the account state was not part of the export.
bash /root/import.sh
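As a check after the import (added here, not part of the page's procedure), compare the objectGUIDs in users.ldif with what the domain controller reports. The ldbsearch command in the comment assumes the default sam.ldb path from the page; the two inputs in the block are constructed, the second imitating ldbsearch's record format, and the built-in accounts the DC also returns (Administrator, Guest, krbtgt) are ignored because only accounts listed in users.ldif are checked.

```bash
#!/usr/bin/env bash
# Added example (not from the page): verify that every imported account kept its GUID.
# On the DC, produce the second input with (assumption: default sam.ldb location):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(objectClass=user)' sAMAccountName objectGUID > /root/after.ldif
export LC_ALL=C          # sort and join must agree on collation
TAB=$(printf '\t')

# "name<TAB>guid" for every record that carries both attributes; ldbsearch's
# "# record N" and "# returned ..." comment lines are ignored.
guid_map() {
  awk 'BEGIN { RS = ""; FS = "\n" }
       { name = ""; guid = ""
         for (i = 1; i <= NF; i++) {
           if ($i ~ /^sAMAccountName: /) name = substr($i, 17)
           else if ($i ~ /^objectGUID: /) guid = substr($i, 13)
         }
         if (name != "" && guid != "") print tolower(name) "\t" tolower(guid) }' "$1"
}

# $1: users.ldif that was imported, $2: ldbsearch dump from the DC.
# Prints one line per problem; returns 1 if any GUID differs or an account is missing.
verify_guids() {
  local want got report
  want=$(mktemp); got=$(mktemp)
  guid_map "$1" | sort > "$want"
  guid_map "$2" | sort > "$got"
  # -a 1: every account from users.ldif is reported, extra DC accounts are not.
  report=$(join -t "$TAB" -a 1 -e MISSING -o 1.1,1.2,2.2 "$want" "$got" |
           awk -F '\t' '$2 != $3 { print ($3 == "MISSING" ? "MISSING " : "MISMATCH ") $1 " expected=" $2 " dc=" $3 }')
  rm -f "$want" "$got"
  if [ -n "$report" ]; then
    printf '%s\n' "$report"
    return 1
  fi
  echo "all objectGUIDs preserved"
}

# Constructed inputs: alice was imported correctly, bob got a fresh GUID, carol is absent.
WORK=$(mktemp -d)
cat > "$WORK/users.ldif" <<'EOF'
dn: CN=alice,CN=Users,DC=example,DC=com
changetype: add
objectClass: user
objectGUID: 0b4f8a6e-1d2c-4f7a-9c3e-2a6b5d8e9f10
sAMAccountName: alice

dn: CN=bob,CN=Users,DC=example,DC=com
changetype: add
objectClass: user
objectGUID: 6f2e9d1a-3b4c-4d5e-8f90-1a2b3c4d5e6f
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=example,DC=com
changetype: add
objectClass: user
objectGUID: 9c1d2e3f-4a5b-4c6d-8e7f-0a1b2c3d4e5f
sAMAccountName: carol
EOF
cat > "$WORK/after.ldif" <<'EOF'
# record 1
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
objectGUID: 0b4f8a6e-1d2c-4f7a-9c3e-2a6b5d8e9f10

# record 2
dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
objectGUID: 11111111-2222-4333-8444-555555555555

# returned 2 records
# 2 entries
# 0 referrals
EOF
verify_guids "$WORK/users.ldif" "$WORK/after.ldif" || echo "import incomplete, see above"
```

A MISMATCH means the object was created without the relax control (or re-created by hand) and received a Samba-generated GUID; a MISSING entry means ldbmodify stopped before that record or the record was rejected, so check its output before running import.sh again.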
We hope the script serves you well. We are happy to receive feedback via technik@verdigado.com with the subject “Feedback UCS / Keycloak”.
Support
If you have any questions on this topic or if you need professional support, just let us know. You can contact us by e-mail at support@verdigado.com or by phone at +49 (0)30 629339080 (Monday to Friday, 9 am to 5 pm) for a quote on professional support.
Our products and services
Feel free to take a look at our products and services. We host high-performance websites based on TYPO3 and WordPress and provide you with a variety of useful team tools that will boost your digital collaboration. We can provide you with cloud data storage, team password managers, video conferencing systems, wikis, ticket systems and much more. Further information.