Maintenance Commands sam2ldif(1M)
NAME
sam2ldif - create an LDIF file containing NT Domain user
accounts to add to an LDAP database.
SYNOPSIS
sam2ldif [-I instance] [-g gid] [-h] [-c] [-b] -l logon
[-p password] [-s shell] [-t directory_path] [-u uid]
[-y password] [-D domain] [-z file]
DESCRIPTION
The sam2ldif utility reads an LDAP Data Interchange Format
(LDIF) template file from its default location of
/etc/opt/lanman/{instance_number}/ldif.tmpl or from the file
specified with the -z flag. It writes LDIF to the file
/var/opt/lanman/{instance_number}/dirsync/sam2ldif.ldif,
which contains one copy of the LDIF template for each user
in the PC NetLink SAM database, with every template field
replaced by that user's actual values.
The sam2ldif command can only be run by authenticating to the
PC NetLink machine as administrator and running the command
as superuser.
The sam2ldif application bridges Windows NT Domain services
with LDAP. Although the sam2passwd(1M) utility will syn-
chronize user accounts from PC NetLink to LDAP if LDAP is
the native Solaris name service, not all information can be
synchronized. This utility allows all information from the
NT USER_INFO_3 record to be synchronized. It is also not a
requirement that LDAP be the native Solaris name service.
The second output file
/var/opt/lanman/{instance_number}/dirsync/sam2ldif.mapunames
is a Bourne shell script that gives you the option of map-
ping NT Domain user IDs to Solaris user names, after the
Domain user accounts have been entered into a Solaris name
service. It only makes sense to run this script if LDAP is
the native Solaris name service.
By default, sam2ldif produces randomly generated eight-
character alphanumeric passwords for each user account and
writes them to the transaction log
/var/opt/lanman/{instance_number}/dirsync/sam2ldif.log. You
can override this default behavior by using the -y password
option to assign a specific password, or no password, to all
user accounts.
The PC NetLink Server HKEY_LOCAL_MACHINE registry contains
default values for the Solaris fields that sam2ldif writes
into the LDIF output and for the LDIF template file. These
default registry key/value pairs are located under
/SYSTEM/CurrentControlSet/Services/AdvancedServer/UserServiceParameters
and
/SYSTEM/CurrentControlSet/Services/LanmanServer/Parameters.
An administrator can modify the default registry values or
override them with sam2ldif invocation parameters.
The following are PC NetLink key/value registry pairs:
Registry Key        Default Value          Description
______________________________________________________________
Exclude             0-100                  pw_uid
UserComment         PC NetLink user name   pw_gecos
userpath            c:\export\lanman       pw_dir
NewUserShell        /bin/false             pw_shell
LDIFvariableToken   %                      LDIF variable token
The LDIF template file should contain fields indicated by
the variable token before and after the field name. Below
is a chart of all field names supported by this utility.
For example, placing %uid% in the LDIF template file, will
cause this to be replaced by the actual user ID of a user
when sam2ldif is run.
Field name          Field Type  Description
_______________________________________________________________
uid                 Ascii       NT username
password            Ascii       Password (Solaris passwd hash)
ntpassword_age      Base64      NT password age
ntpriv              Base64      NT privilege level
nthomedir           Ascii       NT home directory
comment             Ascii       NT comment
ntflags             Base64      NT flags
ntscriptpath        Ascii       NT script path
ntauthflags         Base64      NT auth flags
ntfullname          Ascii       NT full name
ntusrcomment        Ascii       NT user comment
ntparms             Base64      NT parameters
ntworkstations      Ascii       NT workstations
ntlastlogon         Date        NT last logon date stamp
ntlastlogoff        Date        NT last logoff date stamp
ntacctexpires       Date        NT account expires date stamp
ntmaxstorage        Base64      NT maximum storage amount
ntunitsperweek      Base64      NT units per week
ntlogonhours        Base64      NT logon hours bit array
ntbadpwcount        Base64      NT bad password count
ntnumlogons         Base64      NT number of logons
ntlogonserver       Base64      NT logon server
ntcountrycode       Base64      NT country code
ntcodepage          Base64      NT language code page
ntuniqueid          Ascii       NT unique ID number
ntprimarygroupid    Ascii       NT primary group ID number
ntprofile           Ascii       NT profile path
nthomedirdrive      Ascii       NT home directory drive
ntpasswordexpired   Base64      NT password expired boolean
unixhomedir         Ascii       Unix home directory path
uidnumber           Ascii       Unix UID number
gidnumber           Ascii       Unix GID number
loginshell          Ascii       Unix login shell
gecos               Ascii       Unix gecos field
firstname           Ascii       NT first name
lastname            Ascii       NT last name
domain              Ascii       NT domain name
When fields are substituted with actual values from the PC
NetLink SAM database, each value is of one of three types.
Ascii fields are standard, human-readable ASCII text written
after a single colon. Base64 fields carry binary values,
which LDIF requires to be base64-encoded after a double
colon (::) (see RFC 2849). Date fields are ASCII strings
containing a GeneralizedTime value as specified by X.208.
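The following Python script is an added illustration of the template mechanism and the field-type rules described above; it is not part of this man page and not PC NetLink's code. Each %field% in a template line (the token is the LDIFvariableToken registry value, '%' by default) is looked up in a constructed USER_INFO_3-like record: Ascii values are written after a single colon, or base64-encoded after a double colon when they are not an RFC 2849 SAFE-STRING; Base64 values always get the double colon; Date values are written as GeneralizedTime. The suppress_empty flag models -b and header models the comment header that -c suppresses. The template, the record, the crypt hash, the 4-byte little-endian flag encoding and the subset of field names are all assumptions made for the example.

```python
"""Added example, not PC NetLink code: a sam2ldif-style LDIF template
renderer that applies the Ascii / Base64 / Date encoding rules."""
import base64
import re
from datetime import datetime, timezone

# Subset of the man page's field table (field name -> field type).
FIELD_TYPES = {
    "uid": "Ascii", "password": "Ascii", "ntfullname": "Ascii",
    "uidnumber": "Ascii", "gidnumber": "Ascii", "unixhomedir": "Ascii",
    "loginshell": "Ascii", "gecos": "Ascii",
    "ntflags": "Base64", "ntlogonhours": "Base64",
    "ntlastlogon": "Date", "ntacctexpires": "Date",
}

def is_safe_string(s):
    """RFC 2849 SAFE-STRING: printable ASCII, no leading ' ', ':' or '<',
    no trailing space, no NUL/CR/LF.  Anything else must be base64."""
    if s[0] in " :<" or s[-1] == " ":
        return False
    return all(0 < ord(c) < 128 and c not in "\r\n" for c in s)

def encode_value(field, value):
    """Return (separator, text) for one field, or None when it is empty."""
    ftype = FIELD_TYPES[field]          # unknown template field -> KeyError
    if value is None or value == "" or value == b"":
        return None
    if ftype == "Base64":               # binary: always double colon
        return "::", base64.b64encode(value).decode("ascii")
    if ftype == "Date":                 # X.208 GeneralizedTime, UTC
        return ":", value.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
    if not is_safe_string(value):       # Ascii, but not LDIF-safe as-is
        return "::", base64.b64encode(value.encode("utf-8")).decode("ascii")
    return ":", value

def render_line(line, record, token="%", suppress_empty=False):
    """Render one template line; None means the line is dropped (-b)."""
    field_re = re.escape(token) + r"(\w+)" + re.escape(token)
    whole = re.fullmatch(r"([A-Za-z][\w;-]*):\s*" + field_re, line)
    if whole:  # the value is exactly one field: apply its type encoding
        attr, field = whole.groups()
        enc = encode_value(field, record.get(field))
        if enc is None:
            return None if suppress_empty else attr + ":"
        sep, text = enc
        return f"{attr}{sep} {text}"

    def textual(m):  # field inside a larger value (e.g. a dn): text only
        enc = encode_value(m.group(1), record.get(m.group(1)))
        return "" if enc is None else enc[1]
    return re.sub(field_re, textual, line)

def render(template, record, token="%", suppress_empty=False, header=True):
    """Render a whole template for one record into LDIF text."""
    out = []
    if header:  # the comment header that -c would suppress
        out.append("# generated by render() at "
                   + datetime.now(timezone.utc).strftime("%Y%m%d%H%M%SZ"))
    for line in template.splitlines():
        rendered = render_line(line, record, token, suppress_empty)
        if rendered is not None:
            out.append(rendered)
    return "\n".join(out) + "\n"

# Constructed template and record (the hash and dates are made up).
TEMPLATE = """\
dn: uid=%uid%,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: %uid%
cn: %ntfullname%
userPassword: %password%
uidNumber: %uidnumber%
gidNumber: %gidnumber%
homeDirectory: %unixhomedir%
loginShell: %loginshell%
gecos: %gecos%
ntFlags: %ntflags%
ntLastLogon: %ntlastlogon%
ntAcctExpires: %ntacctexpires%"""

SAMPLE_RECORD = {
    "uid": "jdoe", "ntfullname": "Jane Doe",
    "password": "{crypt}ab0sYhk7fTqSo",         # constructed crypt(3) hash
    "uidnumber": "1001", "gidnumber": "99",
    "unixhomedir": "/export/home/jdoe", "loginshell": "/bin/false",
    "gecos": "PC NetLink user name",
    "ntflags": (0x0200).to_bytes(4, "little"),  # assumed 4-byte LE flags
    "ntlastlogon": datetime(2001, 3, 15, 8, 30, tzinfo=timezone.utc),
    "ntacctexpires": None,                      # never expires: empty attr
}

if __name__ == "__main__":
    print(render(TEMPLATE, SAMPLE_RECORD, suppress_empty=True))
```

With suppress_empty=True the empty ntAcctExpires line disappears, as with -b; with the default it is emitted as "ntAcctExpires:" with no value. The SAFE-STRING check matters for Ascii fields such as gecos or comment that a user can set to begin with a space or contain non-ASCII characters: without it the output would not be valid LDIF for ldapadd(1).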
OPTIONS
The sam2ldif user account migration application supports the
following options:
-I instance
Specifies the PC NetLink instance number.
-g gid
Overrides the Solaris default group ID of 1 (for
instance, other::1:) allowing a system administrator
to specify a group ID (for instance, -g 99) for all
Solaris user accounts created by sam2ldif. You cannot
use this option with the -h option. See group(4) for
details.
-c Suppress printing header comment in LDIF output file.
This header includes the date and time that the file
was generated and the version information for sam2ldif.
-b Suppress printing lines for attributes that have no
values.
-h Displays a help message for sam2ldif.
-z file
Specifies alternate location for LDIF template file.
If this flag is not specified, the following file is
used as the template file:
/etc/opt/lanman/{instance_number}/ldif.tmpl
-l logon
Lets you log on to the domain by specifying the logon
name of a Domain Administrative account, which you
must supply for all sam2ldif operations.
-p password
Specifies the password of the Windows NT Domain
Administrative account, which you must supply for all
sam2ldif operations. If you omit -p password, sam2ldif
prompts for the Administrative password. Because
command-line arguments are visible to other local users
through ps(1) and are recorded in shell history, prefer
the prompt over -p on shared systems.
-s shell
Overrides the PC NetLink default shell value of
/bin/false stored in the PC NetLink Server registry.
This option allows a system administrator to specify a
shell (for example, -s /bin/sh) for all Solaris user
accounts created by sam2ldif. You cannot use this
option with the -h option.
-t directory_path
Overrides the PC NetLink default directory path of
c:/export/lanman in the PC NetLink Server registry,
allowing a system administrator to specify a home
directory path (for instance, -t /export/home) for all
Solaris user accounts created by sam2ldif. You cannot
use this option with the -h option.
-u uid
Overrides the PC NetLink default starting user ID. By
default, sam2ldif searches for the first unused user ID
and starts adding Solaris user accounts at that UID,
incrementing by one for each Solaris user account it
creates. The PC NetLink registry contains an Exclude
parameter where user ID ranges (for example, 0-100) can
be excluded from the search. User ID boundaries for
sam2ldif have a floor of 100 and a ceiling of LONG_MAX,
which are the user ID boundaries used in Solaris.
The -u invocation parameter overrides the sam2ldif
default starting user ID, allowing a system administra-
tor to specify a starting user ID (for instance, -u
1000), and incrementing by one for each Solaris user
account sam2ldif creates. You cannot use this option
with the -h option.
-y password
Overrides the randomly generated default eight-character
alphanumeric password and assigns the password you
specify to all user accounts being added by sam2ldif.
Specifying NULL (for instance, -y NULL) creates accounts
without passwords. As with -p, a password given on the
command line is visible to other local users through
ps(1) and in shell history.
All user account passwords are written to the sam2ldif
transaction log
/var/opt/lanman/{instance_number}/dirsync/sam2ldif.log.
These passwords are readable only by the superuser.
You cannot use this option with the -h option.
-D domain
Extracts NT domain accounts from the PDC of the speci-
fied domain.
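The following Python script is an added example of the UID search that the -u description above spells out; it is illustrative code, not PC NetLink's. The allocator starts at the floor of 100, or at the -u value, skips UIDs already present in the Solaris name service and any ranges listed in the Exclude registry value, hands consecutive free UIDs to each account, and refuses to pass the ceiling. Skipping in-use UIDs also when -u is given, reading Exclude as comma-separated inclusive ranges, and a 64-bit LONG_MAX ceiling are assumptions of this example; the set of existing UIDs is constructed.

```python
"""Added example, not PC NetLink code: the first-unused-UID search the
-u option describes, with the registry Exclude ranges honoured."""

FLOOR = 100             # man page: floor of 100
CEILING = 2**63 - 1     # man page: LONG_MAX; 64-bit value assumed here

def parse_exclude(spec):
    """Parse an Exclude value such as '0-100' or '0-100,60000-60010,65534'
    into a list of inclusive (lo, hi) ranges.  Comma separation and
    single-UID entries are assumptions of this example."""
    ranges = []
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        if lo > hi:
            raise ValueError(f"bad Exclude range {part!r}")
        ranges.append((lo, hi))
    return ranges

def is_excluded(uid, ranges):
    return any(lo <= uid <= hi for lo, hi in ranges)

def allocate_uids(usernames, in_use, exclude="0-100", start=None):
    """Assign a distinct free UID to each username, in order.

    in_use  -- UIDs already present in the Solaris name service
    exclude -- the registry Exclude value (default as in the man page)
    start   -- the -u value, or None for the default first-unused search
    In-use UIDs are skipped even when start is given, so a migrated NT
    user can never land on an existing Solaris account's UID (an
    assumption of this example, not a documented sam2ldif behaviour).
    """
    if start is not None and not FLOOR <= start <= CEILING:
        raise ValueError(f"-u {start} outside [{FLOOR}, {CEILING}]")
    used = set(in_use)
    ranges = parse_exclude(exclude)
    uid = FLOOR if start is None else start
    assigned = {}
    for name in usernames:
        while uid <= CEILING and (uid in used or is_excluded(uid, ranges)):
            uid += 1
        if uid > CEILING:
            raise RuntimeError("UID space exhausted")
        assigned[name] = uid
        used.add(uid)
        uid += 1
    return assigned

# Constructed picture of an existing passwd database: system accounts,
# two earlier migrated users at 101 and 103, and a hand-made 60001.
EXISTING_UIDS = {0, 1, 2, 25, 60, 100, 101, 103, 60001}

if __name__ == "__main__":
    users = ["alice", "bob", "carol"]
    print(allocate_uids(users, EXISTING_UIDS))                # default search
    print(allocate_uids(users, EXISTING_UIDS, start=60000))   # like -u 60000
```

The collision check is the part worth keeping when adapting this: an NT user assigned a uidNumber that an existing Solaris account already holds would share that account's file ownership and identity once the LDIF is loaded, so the in-use set should be built from every name service the hosts consult, not only the LDAP directory being populated.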
EXAMPLES
The examples below illustrate sam2ldif's usage:
# sam2ldif -l Administrator -p password
This example creates two output files,
/var/opt/lanman/{instance_number}/dirsync/sam2ldif.ldif and
/var/opt/lanman/{instance_number}/dirsync/sam2ldif.mapunames.
The sam2ldif.ldif output file contains NT Domain user
accounts in the form of LDIF to add into an LDAP data-
base using ldapmodify(1) or ldapadd(1).
FILES
/var/opt/lanman/{instance_number}/dirsync/sam2ldif.log
sam2ldif transaction log.
/var/opt/lanman/{instance_number}/dirsync/sam2ldif.errors
sam2ldif error log.
/var/opt/lanman/{instance_number}/dirsync/sam2ldif.ldif
LDIF output containing user records extracted
from PC NetLink.
/var/opt/lanman/{instance_number}/dirsync/sam2ldif.mapunames
Bourne shell script mapping PC NetLink Server
user account IDs to Solaris user account IDs.
SEE ALSO
mapuname(1), passwd2sam(1M), sam2passwd(1M), ldif2sam(1M),
ldaplist(1), ldapmodify(1), ldapadd(1), nsswitch.conf(4)