Migrating from OSX Open Directory to UCS


#1

Hello,
I tried to search but am not finding anything that helps.
I want to move my company from an Apple OSX Open Directory to UCS.

I want to control what User ID and GUID number a user is assigned when a domain user signs in to OS X (MacOS).
The same user is always assigned the same numbers, so I think there is an entry or calculation making the numbers.
If I view the UCS server with AD Explorer on a Windows computer I see a "Generated-UID" field with the number I want to change.
But it is not editable. I think it's being generated based on something else in the LDAP, but I'm not sure what.
The Generated UID is also visible but not modifiable in OSX Directory Utility.
I cannot find any "Generated UID" field in LDAP backups or with ldapsearch.

No users are currently added to the UCS server, so I can try any suggestions.

Here are some example numbers generated on an OSX computer:
Generated UID: 28406CF2-7B57-45DF-8CDC-6693D3F4A797
User ID: 675310834 (I know the User ID is calculated from the Generated UID)

for the following UCS user record:
dn: uid=jeremym,cn=users,dc=business,dc=intranet
uid: jeremym
krb5PrincipalName: jeremym@business.INTRANET
objectClass: krb5KDCEntry
objectClass: person
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: organizationalPerson
objectClass: univentionPWHistory
objectClass: univentionMail
objectClass: univentionSAMLEnabled
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: posixAccount
objectClass: univentionObject
uidNumber: 2013
sambaAcctFlags: [U ]
sambaPasswordHistory: 472206091917239F0F540BF960B541EDD44B69E9856D04B33E22C828C572F674
krb5MaxLife: 86400
shadowLastChange: 17112
cn: Jeremy M
title: Mr
userPassword:: e2NyeXB0fSQ2JDdELnFraDIxLzRFY0NxQ3okWmtKcGRvVTE0WWIuZ3Yuek1DLkFrcXl1OUs3SmpUdXkwcVFpZURaZnhGMDFldVFOakc1c0JkUkZhTUVCc1FQdnZlVzk2dFZNNVNCTEVGR0xoUVlXTS4=
krb5Key:: MEmhIzAhoAMCARChGgQYRsK6v55b30YsjNaDrkDZB1Q4uhVMFV5FoiIwIKADAgEDoRkEF0RJR0lDVVQuSU5UUkFORVRqZXJlbXlt
krb5Key:: MDmhEzARoAMCAQKhCgQIjKJD8urqcNyiIjAgoAMCAQOhGQQXRElHSUNVVC5JTlRSQU5FVGplcmVteW0=
krb5Key:: MEGhGzAZoAMCARGhEgQQY/nql7ZJcsdpGg4PH3IQcKIiMCCgAwIBA6EZBBdESUdJQ1VULklOVFJBTkVUamVyZW15bQ==
krb5Key:: MDmhEzARoAMCAQGhCgQIjKJD8urqcNyiIjAgoAMCAQOhGQQXRElHSUNVVC5JTlRSQU5FVGplcmVteW0=
krb5Key:: MFGhKzApoAMCARKhIgQg+mLa/K7fYYGH3rOFNs/ZfQFFYCWzoWgkSPPnAETfjiSiIjAgoAMCAQOhGQQXRElHSUNVVC5JTlRSQU5FVGplcmVteW0=
krb5Key:: MEGhGzAZoAMCARehEgQQt3xRN1daTW9ZbCdGljTgL6IiMCCgAwIBA6EZBBdESUdJQ1VULklOVFJBTkVUamVyZW15bQ==
krb5Key:: MDmhEzARoAMCAQOhCgQIjKJD8urqcNyiIjAgoAMCAQOhGQQXRElHSUNVVC5JTlRSQU5FVGplcmVteW0=
sambaMungedDial: bQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABkAAEAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAFABoACAABAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwAYQBnAHMAMQAwMDAwMDEwMA==
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
sambaPwdLastSet: 1478538175
sambaNTPassword: B77C5137575A4D6F596C27469634E02F
displayName: Jeremy M
gecos: Jeremy M
sn: M
pwhistory: $6$rfRqcllGMI6LVoQv$OQ8jgXsaK20pngrTZeXX740vx8NEVCD7Y2iJ/Jra8YQz5XJBIzA974yN3kE/D9CUNLhqYTkxsvnDvqOjO/2wN1
homeDirectory: /home/jeremym
givenName: Jeremy
structuralObjectClass: inetOrgPerson
entryUUID: c549bd1c-3957-1036-9f35-99309fee0b52
creatorsName: uid=Administrator,cn=users,dc=business,dc=intranet
createTimestamp: 20161107170255Z
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-1597692167-2089646934-193821172-513
sambaSID: S-1-5-21-1597692167-2089646934-193821172-11220
entryCSN: 20161110214517.003784Z#000000#000#000000
modifiersName: uid=patrickf,cn=users,dc=business,dc=intranet
modifyTimestamp: 20161110214517Z


#2

Hello,

Why do you need to control the UID/GID numbers? If you create a user via the UMC the uid is generated automatically. You could control the uid when creating users via UDM (example):

udm users/user create --position CN=Users,$(ucr get ldap/base) \
  --set username=foobar --set uidNumber=11140 \
  --set primaryGroup="CN=Domain Users,CN=Groups,DC=foo,DC=bar" \
  --set groups="cn=Domain Users,cn=Groups,$(ucr get ldap/base)" \
  --set firstname="Email" --set lastname="foobar" --set password=XXXXX \
  --set mailPrimaryAddress=foobar@mail.domain --set description="" \
  --set displayName="Email foobar" --set title="" \
  --option person --option posix --option mail \
  --set sambaRID=11140 \
  --set homedrive=I: --set sambahome='\\server\homes\foobar' \
  --set profilepath='\\server\Profiles\foobar' --set scriptpath=logon.bat \
  --option samba

Regards,
Jens Thorp-Hansen


#3

Thanks for the reply. It's the GeneratedUID or UniqueID I need to change to resolve my issue with macOS computers.
The basic problem is that it is not a field in the LDAP and I can't find where it is coming from or being stored.

Here are some screenshots from both Windows AD Explorer and the Apple Directory Utility that show the values I need to control,
and the matching user entry from an LDAP backup that does not show those values anywhere.

I know the Apple UniqueID is generated from the GeneratedUID/ObjectGUID number (first 8 characters converted to base 10 from hex),
but I can't figure out where the GeneratedUID/ObjectGUID is coming from and why the entryUUID is not being used or shown.

LDAP entry from UCS server:
dn: uid=johnd,cn=users,dc=digicut,dc=intranet
uid: johnd
krb5PrincipalName: johnd@DIGICUT.INTRANET
objectClass: krb5KDCEntry
objectClass: person
objectClass: automount
objectClass: top
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: organizationalPerson
objectClass: univentionPWHistory
objectClass: univentionMail
objectClass: univentionSAMLEnabled
objectClass: shadowAccount
objectClass: krb5Principal
objectClass: posixAccount
objectClass: univentionObject
uidNumber: 2018
sambaAcctFlags: [U ]
sambaPasswordHistory: B12F96F5DDFF12EEF6D2D704866FD0ED1033A868AA07848C6A555ECB2F3B64B5
krb5MaxLife: 86400
shadowLastChange: 17116
cn: John Doe
title: mr
userPassword:: e2NyeXB0fSQ2JFZSc1QvVTBjbmNWVDhzQUIkdkZIMEdJdWllallJaDFiSDFGc09RbUdpNGZIRDJkN1ZuNGt4SWplWEdmSGJhN3VGVC5Hc2s4Vm1MQmJJVWQwQ0JUZnpLNW0uL0NQTkNud0xaRjJXQS8=
krb5Key:: MDehEzARoAMCAQGhCgQIitpooZ5205GiIDAeoAMCAQOhFwQVRElHSUNVVC5JTlRSQU5FVGpvaG5k
krb5Key:: MEehIzAhoAMCARChGgQY/TSiH4PfLJKPyP6P2pd1gFH9fENY2irpoiAwHqADAgEDoRcEFURJR0lDVVQuSU5UUkFORVRqb2huZA==
krb5Key:: MD+hGzAZoAMCARehEgQQayw7+MxBkC6OPHROr/3RxKIgMB6gAwIBA6EXBBVESUdJQ1VULklOVFJBTkVUam9obmQ=
krb5Key:: ME+hKzApoAMCARKhIgQgnp8mx4yOWM+e6BEn0wM+b+DUIk0hILJ7DxutjBNWbz2iIDAeoAMCAQOhFwQVRElHSUNVVC5JTlRSQU5FVGpvaG5k
krb5Key:: MDehEzARoAMCAQKhCgQIitpooZ5205GiIDAeoAMCAQOhFwQVRElHSUNVVC5JTlRSQU5FVGpvaG5k
krb5Key:: MD+hGzAZoAMCARGhEgQQMA+/yubTxr6gN0XXRFifHKIgMB6gAwIBA6EXBBVESUdJQ1VULklOVFJBTkVUam9obmQ=
krb5Key:: MDehEzARoAMCAQOhCgQIitpooZ5205GiIDAeoAMCAQOhFwQVRElHSUNVVC5JTlRSQU5FVGpvaG5k
sambaMungedDial: bQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABkAAEAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAUAAFABoACAABAEMAdAB4AEMAZgBnAFAAcgBlAHMAZQBuAHQANTUxZTBiYjAYAAgAAQBDAHQAeABDAGYAZwBGAGwAYQBnAHMAMQAwMDAwMDEwMA==
krb5MaxRenew: 604800
krb5KeyVersionNumber: 1
loginShell: /bin/bash
univentionObjectType: users/user
krb5KDCFlags: 126
sambaPwdLastSet: 1478878444
sambaNTPassword: 6B2C3BF8CC41902E8E3C744EAFFDD1C4
displayName: John Doe
gecos: John Doe
sn: Doe
pwhistory: $6$bFItaokIVkIzwyFn$p.RHDrOS/Vx1tWbq/nEctpidp6ipAM/G2DmOPE7bGPVR4WINV9nw.qrEvu8zxvYK2VCSf325lIYcjeEdMD9Hs.
homeDirectory: /home/johnd
givenName: John
structuralObjectClass: inetOrgPerson
entryUUID: 0562c4d2-3c70-1036-8cce-d3767e29879c
creatorsName: uid=patrickf,cn=users,dc=digicut,dc=intranet
createTimestamp: 20161111153404Z
gidNumber: 5001
sambaPrimaryGroupSID: S-1-5-21-1597692167-2089646934-193821172-513
sambaSID: S-1-5-21-1597692167-2089646934-193821172-1126
entryCSN: 20161111153409.301445Z#000000#000#000000
modifiersName: cn=admin,dc=digicut,dc=intranet
modifyTimestamp: 20161111153409Z

Apple LDAP Viewer:

Windows AD Viewer:


#4
# univention-ldapsearch uid=johnd

does not show the entryuuid - for this you need to use:

# univention-ldapsearch uid=johnd entryUUID

Did that help? At the moment I am sure you cannot change the EntryUUID of an existing user. I am unsure what exactly you try to accomplish; maybe there is an easier way instead of messing with UIDs?

Kind Regards,
Jens


#5

Thanks for the helpful command and usage of it.
That command (# univention-ldapsearch uid=johnd entryUUID)
returns the same entryUUID as the ldap dump (as expected).
It’s the ObjectGUID for the user that I need to control.
The ObjectGUID is not shown in LDAP, only in Active Directory viewers.

I am guessing that the ObjectGUID is calculated from either the entryUUID
or the SambaSID or is stored elsewhere by the Samba4 AD service.

The reason I am trying to control the ObjectGUID
is to keep user permissions the same for Domain Users on macOS (previously OSX).
Otherwise we will have to back up, format and restore all our employee computers
because they won't have access to their Home folder after binding to UCS.


#6

Okay - I understand what you want to do. You try to find an AD attribute (ObjectGuid) in the LDAP because you see a mapping between an Apple attribute and the AD ObjectGuid, is that right? You want (hope) that there is a similar "ObjectGuid" attribute in the Univention LDAP, so you can map your Apple attribute directly to the Univention LDAP (by manipulating the LDAP ID so that it is the same as the Apple attribute). Unfortunately, I do not know if such a mapping is possible.

Can you not connect your employee clients to a Univention server, let it create homes and then copy the files over to the new homes? Wouldn't that be easier than your ID mapping and accomplish the same?


#7

I think you understand what I am trying to do :).

The home folders on the employee computers would conflict (same name).
So we have to delete the old user first, which means we have to back up off the computer and then selectively restore the backup.
If possible it would be much easier to match the field as we add the users to UCS,
then just unbind from the current Open Directory and rebind to UCS.

This is purely a one time migration issue, but would be helpful information for
anyone moving from Open Directory (or another OpenLDAP) server.


#8

Yes, if the homes are at the same path. You could work around this.

[quote]If possible it would be much easier to match the field as we add the users to UCS,
then just unbind from current Open Directory and then rebind to UCS.[/quote]

Okay, I think I understood: You have homes that are "marked via the Apple generated UID" for a specific user and you want to create a new UCS user that has the same mark and then just uses the old folder, so you have less hassle with the migration. I do not think that is possible - that would be a patchwork solution even in an LDAP-to-LDAP scenario. In my opinion, it would be way safer and much easier to just back up the homes and restore them in the newly created home folders.

I am sorry I cannot help with your idea.

[quote]This is purely a one time migration issue, but would be helpful information for
anyone moving from Open Directory (or another OpenLDAP) server.[/quote]

I think there is a misconception here. Open Directory is not the same as OpenLDAP. OpenLDAP is used in UCS; Open Directory is the "Apple Open Directory" implementation. The used attributes and migration paths can differ quite massively. The helpful information in this specific case would be: do not do it - do it the easier and more reliable way.

Kind regards,
Jens Thorp-Hansen


#9

I appreciate all your help and insight on this.
I am investigating this issue largely to try to help others who I think will soon
be moving away from Open Directory, and migration to UCS seems like a great replacement.
Open Directory is largely based on OpenLDAP, but that is NOT the issue.

The issue I have is that macOS (OSX) sees the UCS as an Active Directory server
and as such is using an ID field NOT contained in LDAP.
macOS is using the ObjectGUID and I would like to learn how that ID is generated, if possible.

Thanks again for all your help and time so far.


#10

Maybe this gives some more insight:

https://www.experts-exchange.com/questions/26853879/Change-User’s-GUID-objectGUID.html
https://www.quora.com/Where-exactly-is-objectSID-and-objectGUID-generated-in-Active-Directory

These are links to Microsoft resources, but they address the general idea of GUIDs.
I still think that manipulating GUIDs is patchwork at best and possibly dangerous for the domain at worst, so I would not recommend doing that.


#11

I had looked over both those links before.
The first is the most promising, saying that it is possible with an LDAP editor,
but that has been fruitless for me since the ObjectGUID is not stored there
and I can't find any description of how it is generated from the data in LDAP.

The second is a good description of the different purposes of SID
and ObjectGUID and a warning about changing them in a running environment.

I am trying to find a way to set the ObjectGUID to AVOID all the issues created when they are changed.
It's a matter of perspective: I am not trying to change existing ObjectGUIDs,
I am trying to keep the same ones to avoid all the issues that changing them creates.

Do you know where the ObjectGUID is stored on the UCS server?


#12

The ObjectGUID can only be seen using univention-s4search (with Samba4 installed - App Center: Active Directory Domain Controller). Example:

root@ucs-1380:~# univention-s4search cn=administrator objectGUID
# record 1
dn: CN=Administrator,CN=Users,DC=acheron,DC=intranet
objectGUID: aa8f7bdb-65cb-4a95-a361-71f844e1af86

#13

Great, thanks!
(sudo /usr/sbin/univention-s4search cn=johnd objectGUID)
First time I've been able to get the UCS to report the same value as the clients reported.
Is there a way to control that value at user creation or to modify it?
And is that value backed up anywhere on a single UCS setup, or is a backup server required?

Thanks again for all your help on this.
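As an added example (not from this thread, from Univention or from Apple), the following Python script ties posts #3 and #12 together: it parses output in the shape that univention-s4search prints for objectGUID, applies the rule the thread states for deriving the macOS UniqueID (first 8 hex digits of the GUID read as a base-10 integer, which reproduces 675310834 from the GUID in post #1), and reports which users would get a different UID after rebinding than their Macs used before. The sample s4search output, the second user's GUID and the "legacy" UID table are constructed for the example; the dn layout follows post #12.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `univention-s4search <filter> objectGUID`
# output (post #12). The first GUID is the one quoted in post #1; the second
# record and its GUID are made up for this example.
S4SEARCH_OUTPUT = """\
# record 1
dn: CN=jeremym,CN=Users,DC=business,DC=intranet
objectGUID: 28406cf2-7b57-45df-8cdc-6693d3f4a797

# record 2
dn: CN=johnd,CN=Users,DC=business,DC=intranet
objectGUID: 1a2b3c4d-0000-4000-8000-000000000001

# returned 2 records
"""

# Constructed: the UniqueIDs the Macs used under Open Directory, as read from
# Directory Utility before the migration, keyed by username.
LEGACY_UNIQUE_IDS = {"jeremym": 675310834, "johnd": 1000000001}

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def macos_unique_id(object_guid: str) -> int:
    """Rule stated in post #3 (assumed to hold generally): the first 8 hex
    digits of the GUID, read as an unsigned integer, become the POSIX UID."""
    guid = object_guid.strip().lower()
    if not GUID_RE.match(guid):
        raise ValueError(f"not a dashed GUID: {object_guid!r}")
    return int(guid[:8], 16)


def parse_s4search(text: str) -> Dict[str, str]:
    """Map each dn to its objectGUID from LDIF-style ldbsearch output.
    Folded continuation lines (leading space) are joined; '#' lines skipped."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    result: Dict[str, str] = {}
    dn = None
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
        elif key == "objectguid" and dn is not None:
            result[dn] = value.lower()
    return result


def username_from_dn(dn: str) -> str:
    """Value of the first RDN: 'CN=jeremym,CN=Users,...' -> 'jeremym'."""
    first_rdn = dn.split(",", 1)[0]
    return first_rdn.partition("=")[2].strip()


def migration_report(s4_output: str, legacy_ids: Dict[str, int]) -> Dict[str, dict]:
    """Per user: the UID macOS will derive from the UCS objectGUID versus the
    UID the client used before. match == False means home-folder ownership on
    that Mac will not line up after rebinding and the files need migrating."""
    report: Dict[str, dict] = {}
    for dn, guid in parse_s4search(s4_output).items():
        user = username_from_dn(dn)
        new_uid = macos_unique_id(guid)
        old_uid = legacy_ids.get(user)
        report[user] = {
            "objectGUID": guid,
            "new_uid": new_uid,
            "legacy_uid": old_uid,
            "match": old_uid is not None and old_uid == new_uid,
        }
    return report


if __name__ == "__main__":
    for user, info in migration_report(S4SEARCH_OUTPUT, LEGACY_UNIQUE_IDS).items():
        status = "ok" if info["match"] else "UID CHANGES"
        print(f"{user:10} {info['objectGUID']}  new={info['new_uid']} "
              f"old={info['legacy_uid']}  {status}")
```

Feeding the script the real `univention-s4search '(objectClass=user)' objectGUID` output and a table of UIDs collected from the Macs before unbinding gives a list of which machines actually need their home folders re-owned or restored; applying the same function to the entryUUID from the LDAP dump yields a different number, which is the observation the thread makes about entryUUID not being what macOS uses.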


#14

I know of no way to control it at creation, but you could modify it (and quite possibly break the user) via ldbedit: https://wiki.samba.org/index.php/LDB
Unfortunately I do not understand your backup question completely. The user with his objectGUID is replicated among the Samba4 servers. If you want a backup of the user object: that is automatically done every night into /var/univention-backup/samba/ - there you can find a backup of all that is Samba.


#15

Thanks again, good to finally know the objectGUID is stored in the sam.tdb file and is stored in the files we are backing up.
Unsurprisingly the ldbedit command will not allow you to save changes to the objectGUID.
So I will either have to find an override or admit defeat.

Thank you again for all your help on this. I believe any future efforts are outside the scope of UCS and more to do with Samba4.
So I will not bug you anymore on this… One final thought:
An import app for Open Directory, like the one you have for Active Directory Takeover,
would be very helpful for anyone coming from Open Directory.
It could be a pretty generic tool designed to work with OpenLDAP servers
and would just need to import User and Group information.

Thanks again,
Hopefully our discussion will save others time later as more move away from Open Directory.