Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: bertalanimre on July 07, 2014, 09:29:14 am
-
Hy,
THe question is obvious. I'm planing to install a server with around 50-60 users. When I add all of them then I would like to make a kind of backup in case if I have to re install it. I saw a few topics about it, but haven't tried them yet. Can you please provide me the best way to export, then later import the users? Obviously the domain name / mail address would stay the same. I just don't want hours to be taken only by adding the users one by one all the time when I have to. A nice script to add them from a cvs file would be very nice for example. But please excuse me and my newbieness. I'm not that familiar with servers and server methods yet.
Bert
-
A script to import users from CSV is located here:-
http://doc.zentyal.org/en/appendix-c.html
however it doesn't work for 3.5 yet. I have been messing with it but simply can't get it to work. Worked fine on 3.4.
Dave
-
Damn, I'M using 3.5 since it is based on the 14.04 and not the 13.10. I'm searching for a good 3rd party software ATM.
-
For 3.5
Make a file called users.csv
jfoo,John,Foo,password,
jbar,Jack,Bar,password,
fart,Fred,Art,password,
dick,Dave,Ick,password,
sudo bash bulkusers
bulkusers script
#!/bin/bash
INPUT=users.csv
OLDIFS=$IFS
IFS=,
[ ! -f $INPUT ] && { echo "$INPUT file not found"; exit 99; }
while read username givenname surname password
do
echo "$username $givenname $surname $password"
samba-tool user add "$username" "$password" --given-name="$givenname" --surname="$surname"
done < $INPUT
IFS=OLDIFS
samba-tool user add -h will give a full list of parameters
also you can use ldbmodify and this could add any other ldap info that samba-tool doesn't provide for.
Here example setting mail address.
#!/bin/bash
LDIF=my.ldif
INPUT=users.csv
OLDIFS=$IFS
IFS=,
[ ! -f $INPUT ] && { echo "$INPUT file not found"; exit 99; }
while read username givenname surname password
do
rm /tmp/$LDIF
echo "$username $givenname $surname $password"
samba-tool user add "$username" "$password" --given-name="$givenname" --surname="$surname"
echo "dn: CN="$givenname" "$surname",CN=Users,DC=office,DC=zentyal,DC=lan
changetype: modify
add: mail
mail: "$username"@zentyal.lan" > /tmp/$LDIF
ldbmodify -H /var/lib/samba/private/sam.ldb -b DC=office,DC=zentyal,DC=lan /tmp/$LDIF
rm /tmp/$LDIF
done < $INPUT
IFS=OLDIFS
You will have to edit the base DN, from my test install to however you have set yours "DC=office,DC=zentyal,DC=lan" my test fqdn is zent1.office.zentyal.lan realm is office.zentyal.lan.
-
Wow! really useful! is there any way to automatically enable the openchange account when the email is created?
I have set the option to automatically create openchange account under user templates but creating a user this way does not enable the openchange account.
Also i have just enabled the openchange account on a couple of imported users and the password from the csv does not work, i have had to manually change the password to be able to login.
-
I would of said essentially yes.
But I am rather surprised that you cannot logon.
legacyExchangeDN: /o=Office/ou=First Administrative Group/cn=Recipients/cn=d
ick
proxyAddresses: =EX:/o=Office/ou=First Administrative Group/cn=Recipients/cn
=dick
proxyAddresses: SMTP:dick@office.zentyal.lan
proxyAddresses: smtp:postmaster@office.zentyal.lan
proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=dick
homeMDB: CN=Mailbox Store (ZENT1),CN=First Storage Group,CN=InformationStore
,CN=ZENT1,CN=Servers,CN=First Administrative Group,CN=Administrative Groups
,CN=Office,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=office,DC=
zentyal,DC=lan
homeMTA: CN=Mailbox Store (ZENT1),CN=First Storage Group,CN=InformationStore
,CN=ZENT1,CN=Servers,CN=First Administrative Group,CN=Administrative Groups
,CN=Office,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=office,DC=
zentyal,DC=lan
mailNickname: dick
msExchUserAccountControl: 0
Thats the gubbins that OpenChange adds. So yes it would be possible.
-
initially i had a "," at the end of the line in the csv so i removed that, double checked the password it was saying on the console when it was creating the user and that was correct. Only thing i can think of is something to do with the CRLF at the end of the line, so i edited the file in nano with no new line after one single record and the password still didn't work.
-
Really strange Dave.
Just tried it myself and logged on.
The comma at the end seemed to be needed and I used that exact format saved in nano.
Top tip download the 32 bit version of Apache Directory Studio.
It was a gotcha for me as I tried to install the 64bit version but the java client is actually 32bit.
Point it at your server IP have a look at the two images attached.
Make sure your firewall is allowing ldap :389
samba-tool domain passwordsettings set --complexity=off
samba-tool domain passwordsettings set --min-pwd-length=5
If samba-tool user setpassword username doesn't work I give in?
I think zentyal have already turned off password complexity and set a minimum length, but hey give it a try.
samba-tool user setpassword Administrator
-
Interestingly i ran the samba-tool user add command line manually and the password worked! (had to manually create the mail account and openchange account though)
has to be something to do with my CSV. I changed the echo line to:-
echo "$username..$givenname..$surname..$password..Ends"
and it echoed only to the end of the password, didn't put ..Ends on the echo. Strange as the password is only 8 letters and a number, nothing complex.
-
End should be there, must be a hidden carridge return or something.
Strange rather than copy and paste anything from here either try the two attachments or recreate in nano.
I keep getting similar problems as with using putty and wordpad the windows encoding isn't the same and often scripts go awry.
I will have a go at an openchange example
I think the editor in webmin is a better option than putty.
Bulkusers2 should give the openchange details. Havent tried it to be honest
Install Apache directory studio create a user with Zentyal that is openchange enabled.
create a user with samba-tool user add browse the directory and add any attributes that might be missing from bulkusers2.
http://support.microsoft.com/kb/296479
msExchUserAccountControlAttribute Syntax: single-valued integer
The msExchUserAccountControl attribute is used by the information store to determine whether to use the objectSid or the msExchMasterAccountSid when setting or reading information store permissions. This attribute has two possible values:
0: This is an enabled user
2: This is a disabled user
-
Yep that certainly sorted the password problem.
I normally use Notepad++ for this kind of work but the CSV was exported from our exchange server so could have had some strange chars in it somewhere.
the second script isn't working yet
ERR: (No such object) "Unable to find GUID for DN CN=Mailbox Store (Zentyal),CN=First Storage Group,CN=InformationStore,CN=Zentyal,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=Office,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mycohens,DC=net
" on DN CN=Abdenour Khalfaoui,CN=Users,DC=mycohens,DC=net at block before line 19
is the first storage group the OpenChange organisation name? if so mines "First Organization"
-
Called it office in the example.
Tried to unprovision and reinstall Openchange to see if there is any difference in Openchange 3.5.1
Don't unprovision as things don't go well. Even tried removing modules and reinstalling.
-
Not good.
I provisioned everything in 3.5 then upgraded to 3.51
-
Ok, i changed office to First Organization and it completed without errors :) but didn't enable openchange :(
-
dave stuck at the moment as nothing to look at but a deadchange :)
Create a couple of users with samba-tool and zentyal some enabled and some not with openchange.
Have a browse with Apache Directory Studio.
Right click and bring up the properties menu and enable "fetch operational attributes"
Probably we are just short of a few attributes.
With ObjectClasses the LDBmodify needs to be like so.
add:objectclass
objectclass: posixGroup
Have browse as must of missed something somewhere.
I am blind until I set up a test VM again.
-
Ok, no probs. (I have a snapshot to revert too and have had to rebuild too often:))
I'm finishing for the day soon. hopefully will have chance to play tomorrow.
-
Think I got it.
Only thing strange was I had to do it in two sweeps.
Add the objectclass then the attributes.
-
Wohoooo!!! that worked perfectly, thanks for all your help. I seriously need to bet to grips with bask and samba scripting.
When i get some spare time i need to look into script adding contact records. Again in 3.4 i had this sorted but doesn't work at all in 3.5 :(
-
Bash and shell (sh) are basic command line interpreters for linux and because they are the most basic I used those without the zentyal object model deliberately.
That should always for unless the schema requirements change.
Zentyal uses perl which is a great tool and way more powerful than bash or sh.
I guess I could of used the Zentyal perl object model but my perl isn't great but I have found the object model changes before I seem to get to grips with things.
If we create a file users.csv and then a series of contact lists username.csv where username is a user contained in users.csv.
Would that be a good way to go?
Also could just create a script to add contacts to a user at any time.
Stuart.
-
Yep, my Perl is also very bad (I mainly use batch files and VBScript with a little bit of powershell)
I have a separate contacts.csv that i used to import contact records into LDAP so they were available as a global address list for all users. My plan was to have the script to drop all contact records and recreate them from a CSV (CSV is an export of users from our seperate MS Exchange environment)
-
If you log into any connected windows client as an admin you can still run your vb scripts against Zentyal.
I haven't tried this and keep meaning to its in a every growing list of bookmarks.
http://windowsitpro.com/powershell/top-10-active-directory-tasks-solved-powershell
http://www.vbsedit.com/scripts/ad/
This is been my main argument for Samba4 and Linux as an extensible platform, its opensource and generally open for any client and method.
Sometimes the main downfall of Linux and opensource is due to us, as all these options cause confusion.
Bahaa! in my best sheep voice of the M$ world as it would seem being led breeds a certain level of success.
-
very true. Only problem with that is i would need to setup a VM specifically to add to the Zentyal domain and install the exchange powershell add-on onto it, assuming openchange supports exchange powershell (already have a script to add exchange contacts:))
-
I presumed when you mentioned vbscript you would have a windows client.
I am sort of platform agnostic it is what ever does the job.
The linux way works as well so all good.
I opened up sogo and tried to add some contacts so I could find where they are in the directory.
(It doesn't seem to work)
I never got round to trying Outlook.
You managed to add to the global contact or make shared contacts?
Its been over ten years since I worked with Exchange and I can't remember very much.
-
Yes i use windows client but on different domain:(
I had a script similar to the one i attached at the beginning that added users.
Modification: Attach script
-
Hi,
Me too, I'm trying to import users in bulk.
I tried to manually add some users with samba-tool to test if that works and for samba it worked. I saw those users in "samba-tool user list".
Then I went to the zentyal-website. The users are there, but I when I select a group to add those users, they're not in the drop-down list.
So my question : using your script, are the imported users visible in the group-management part, could you check please ?
Another problem : the home-directory of that new user does not exist, how do you create that ? I can manually create the directory, but I can't set the ownership with chown. Do I have to use some parameter with chown to get the user and group from the AD ?
-
I haven't checked to be honest but the home directory should get created when you logon.
If not there is something wrong with the file permissions.
https://wiki.samba.org/index.php/Setting_up_a_home_share
homeDirectory: \\zent1.OFFICE.ZENTYAL.LAN\Administrator
homeDrive: H:
Missed those out from the LDIF
/etc/zentyal/sids-to-hide.regex
Contains a list of all groups and users to hide from the user manager
I don't seem to have a problem with groups though.
There is another thing and its the PosixAccount.
To be honest I am totally confused to what zentyal are doing here.
gentent passwd uid and the gid and group ranges is confusing.
Also --use-rfc2307 is enabled but the attributes by zentyal are not used.
As said I am confused by the zentyal attributes and methods?
https://wiki.samba.org/index.php/Using_RFC2307_on_a_Samba_DC
-
Didn't think this topic will be so "crowded", but I'm glad we are trying to solve it. :)
I'm also trying the import/export with Apaches directory studio and somehow the export is fine ( I think ), but non-stop getting the following error message at import:
"Error while importing LDIF. The primary group isn't settable on add operations."
Did you experience this error if yes, what was the sollution to it?
-
https://forum.zentyal.org/index.php/topic,22477.msg86568.html#msg86568
Has a bulkusers3 script that will create users for you.
It needs to be edited as two attributes where missing.
homeDirectory: \\zent1.OFFICE.ZENTYAL.LAN\Administrator
homeDrive: H:
Which need editing to your own requirements
I am finding Apache Directory Studio absolutely indispensable for browsing and copying ldif files.
Had a few problems adding and editing so been using the cli and ldbedit with the scripts supplied.
-
Hophophop!
I've found a 3rd party that works like a charm.
Softterra LDAP Administrator can easily export and later import the users without errors.
Upside is:
It will save the OpenChange status + mail address + home directory path as well
Downside:
Passwords has to be reset to all users
home folders has to be created in advance ( tho I didn't tested it yet with exporting from 1 server and importing to another )
Softterra is not a free software... U have to buy it
-
Please don't buy it as it will not work.
I am trying to save you the expenditure.
The bulkusers script works because it uses samba-tool to start the initial AD user.
It then merely adds the extra to the ldap.
You can't just copy and paste.
-
I see your point Stuart and I'm gonna try it as soon as it is possible for me, but right now I needed an ASAP sollution and the trial version of the LDAP Administrator did the trick. It was as simple as I wrote it. I just made a filter to export all the users who had the mail=*@#####.## in LDIF. I checked the file with Notepad++ and looked pretty nice. Imported the file to the server with the same app and suprisingly it was a 99,99% success. If the export is only to have a backup and you're gonna import the users to a server with the same setup, I think it works fine.
But I'm deffinetly going to try the bulk user thingy. THanks a lot! Shall I mark the topic solved?
-
Please try it by all means anyway you wish.
Maybe read this first though.
https://wiki.samba.org/index.php/Samba4/LDBIntro
Have a read of the hidden / operational attributes that are not available by ldap.
-
the hidden attribute examples are in Zentyal as well? Can you specify me a few hidden attribute for a user with mail address and OpenChange? Because I think I've found a way to view them in the LDAP Administrator.
(http://kepfeltoltes.hu/140715/K_pkiv_g_s_www.kepfeltoltes.hu_.jpg)
-
ntSecurityDescriptor is probably the most important but its not a case of just copying and pasting.
Try it but its a ntSecurityDescriptor with a plethora of information from that specific domain.
Maybe you can but I will be very surprised.
I am presuming you will need to create the user on the new domain and then copy the user attributes. I don't think copying and pasting ntSecurityDescriptors from one domain to another might be a good idea.
Its not the fact they are hidden but that they are operational attributes but try and report how things go on.