mirror of
https://github.com/samba-team/samba.git
synced 2025-01-11 05:18:09 +03:00
655cd95f00
References are kept where the version number makes sense in the context. Andrew Bartlett Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
1788 lines
68 KiB
XML
1788 lines
68 KiB
XML
<?xml version="1.0" encoding="iso-8859-1"?>
|
|
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
|
|
<chapter id="ntmigration">
|
|
<title>Migrating NT4 Domain to Samba</title>
|
|
|
|
<para>
|
|
Ever since Microsoft announced that it was discontinuing support for Windows
|
|
NT4, Samba users started to ask for detailed instructions on how to migrate
|
|
from NT4 to Samba. This chapter provides background information that should
|
|
meet these needs.
|
|
</para>
|
|
|
|
<para>
|
|
One wonders how many NT4 systems will be left in service by the time you read this
|
|
book though.
|
|
</para>
|
|
|
|
<sect1>
|
|
<title>Introduction</title>
|
|
|
|
<para><indexterm>
|
|
<primary>migration</primary>
|
|
</indexterm>
|
|
Network administrators who want to migrate off a Windows NT4 environment know
|
|
one thing with certainty. They feel that NT4 has been abandoned, and they want
|
|
to update. The desire to get off NT4 and to not adopt Windows 200x and Active
|
|
Directory is driven by a mixture of concerns over complexity, cost, fear of
|
|
failure, and much more.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>group policies</primary></indexterm>
|
|
<indexterm><primary>accounts</primary><secondary>user</secondary></indexterm>
|
|
<indexterm><primary>accounts</primary><secondary>group</secondary></indexterm>
|
|
<indexterm><primary>accounts</primary><secondary>machine</secondary></indexterm>
|
|
The migration from NT4 to Samba can involve a number of factors, including
|
|
migration of data to another server, migration of network environment controls
|
|
such as group policies, and migration of the users, groups, and machine
|
|
accounts.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>accounts</primary><secondary>Domain</secondary></indexterm>
|
|
It should be pointed out now that it is possible to migrate some systems from
|
|
a Windows NT4 domain environment to a Samba domain environment. This is certainly
|
|
not possible in every case. It is possible to just migrate the domain accounts
|
|
to Samba and then to switch machines, but as a hands-off transition, this is more
|
|
the exception than the rule. Most systems require some tweaking after
|
|
migration before an environment that is acceptable for immediate use
|
|
is obtained.
|
|
</para>
|
|
|
|
<sect2>
|
|
<title>Assignment Tasks</title>
|
|
|
|
<para>
|
|
<indexterm><primary>LDAP</primary></indexterm>
|
|
<indexterm><primary>ldapsam</primary></indexterm>
|
|
<indexterm><primary>passdb backend</primary></indexterm>
|
|
You are about to migrate an MS Windows NT4 domain accounts database to
|
|
a Samba server. The Samba-3 server is using a
|
|
<parameter>passdb backend</parameter> based on LDAP. The
|
|
<constant>ldapsam</constant> is ideal because an LDAP backend can be distributed
|
|
for use with BDCs &smbmdash; generally essential for larger networks.
|
|
</para>
|
|
|
|
<para>
|
|
Your objective is to document the process of migrating user and group accounts
|
|
from several NT4 domains into a single Samba LDAP backend database.
|
|
</para>
|
|
|
|
</sect2>
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>Dissection and Discussion</title>
|
|
|
|
<para>
|
|
<indexterm><primary>snap-shot</primary></indexterm>
|
|
<indexterm><primary>NT4 registry</primary></indexterm>
|
|
<indexterm><primary>registry</primary><secondary>keys</secondary><tertiary>SAM</tertiary></indexterm>
|
|
<indexterm><primary>registry</primary><secondary>keys</secondary><tertiary>SECURITY</tertiary></indexterm>
|
|
<indexterm><primary>SAM</primary></indexterm>
|
|
<indexterm><primary>Security Account Manager</primary><see>SAM</see></indexterm>
|
|
The migration process takes a snapshot of information that is stored in the
|
|
Windows NT4 registry-based accounts database. That information resides in
|
|
the Security Account Manager (SAM) portion of the NT4 registry under keys called
|
|
<constant>SAM</constant> and <constant>SECURITY</constant>.
|
|
</para>
|
|
|
|
<warning><para>
|
|
<indexterm><primary>crippled</primary></indexterm>
|
|
<indexterm><primary>inoperative</primary></indexterm>
|
|
The Windows NT4 registry keys called <constant>SAM</constant> and <constant>SECURITY</constant>
|
|
are protected so that you cannot view the contents. If you change the security setting
|
|
to reveal the contents under these hive keys, your Windows NT4 domain is crippled. Do not
|
|
do this unless you are willing to render your domain controller inoperative.
|
|
</para></warning>
|
|
|
|
<para>
|
|
<indexterm><primary>migration</primary><secondary>objectives</secondary></indexterm>
|
|
<indexterm><primary>disruptive</primary></indexterm>
|
|
Before commencing an NT4 to Samba migration, you should consider what your objectives are.
|
|
While in some cases it is possible simply to migrate an NT4 domain to a single Samba server,
|
|
that may not be a good idea from an administration perspective. Since the process involves going
|
|
through a certain amount of disruptive activity anyhow, why not take this opportunity to
|
|
review the structure of the network, how Windows clients are controlled and how they
|
|
interact with the network environment.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>network</primary><secondary>logon scripts</secondary></indexterm>
|
|
<indexterm><primary>profiles share</primary></indexterm>
|
|
<indexterm><primary>security descriptors</primary></indexterm>
|
|
MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed
|
|
have done little to keep the NT4 server environment up to date with more recent Windows releases,
|
|
particularly Windows XP Professional. The migration provides opportunity to revise and update
|
|
roaming profile deployment as well as folder redirection. Given that you must port the
|
|
greater network configuration of this from the old NT4 server to the new Samba server.
|
|
Do not forget to validate the security descriptors in the profiles share as well as network logon
|
|
scripts. Feedback from sites that are migrating to Samba suggests that many are using this
|
|
as a good time to update desktop systems also. In all, the extra effort should constitute no
|
|
real disruption to users, but rather, with due diligence and care, should make their network experience
|
|
a much happier one.
|
|
</para>
|
|
|
|
<sect2>
|
|
<title>Technical Issues</title>
|
|
|
|
<para>
|
|
<indexterm><primary>strategic</primary></indexterm>
|
|
<indexterm><primary>active directory</primary></indexterm>
|
|
Migration of an NT4 domain user and group database to Samba involves a certain strategic
|
|
element. Many sites have asked for instructions regarding merging of multiple NT4
|
|
domains into one Samba LDAP database. It seems that this is viewed as a significant
|
|
added value compared with the alternative of migration to Windows Server 200x and Active
|
|
Directory. The diagram in <link linkend="ch8-migration"/> illustrates the effect of migration
|
|
from a Windows NT4 domain to a Samba domain.
|
|
</para>
|
|
|
|
<figure id="ch8-migration">
|
|
<title>Schematic Explaining the <command>net rpc vampire</command> Process</title>
|
|
<imagefile scale="55">ch8-migration</imagefile>
|
|
</figure>
|
|
|
|
<para>
|
|
<indexterm><primary>merge</primary></indexterm>
|
|
<indexterm><primary>passdb.tdb</primary></indexterm>
|
|
If you want to merge multiple NT4 domain account databases into one Samba domain,
|
|
you must now dump the contents of the first migration and edit it as appropriate. Now clean
|
|
out (remove) the tdbsam backend file (<filename>passdb.tdb</filename>) or the LDAP database
|
|
files. You must start each migration with a new database into which you merge your NT4
|
|
domains.
|
|
</para>
|
|
|
|
<para><indexterm>
|
|
<primary>dump</primary>
|
|
</indexterm>
|
|
At this point, you are ready to perform the second migration, following the same steps as
|
|
for the first. In other words, dump the database, edit it, and then you may merge the
|
|
dump for the first and second migrations.
|
|
</para>
|
|
|
|
<para><indexterm>
|
|
<primary>LDAP</primary>
|
|
</indexterm><indexterm>
|
|
<primary>migrate</primary>
|
|
</indexterm><indexterm>
|
|
<primary>Domain SID</primary>
|
|
</indexterm>
|
|
You must be careful. If you choose to migrate to an LDAP backend, your dump file
|
|
now contains the full account information, including the domain SID. The domain SID for each
|
|
of the two NT4 domains will be different. You must choose one and change the domain
|
|
portion of the account SIDs so that all are the same.
|
|
</para>
|
|
|
|
<para>
|
|
<indexterm><primary>passdb.tdb</primary></indexterm>
|
|
<indexterm><primary>/etc/passwd</primary></indexterm>
|
|
<indexterm><primary>merged</primary></indexterm>
|
|
<indexterm><primary>logon script</primary></indexterm>
|
|
<indexterm><primary>logon hours</primary></indexterm>
|
|
<indexterm><primary>logon machines</primary></indexterm>
|
|
<indexterm><primary>profile path</primary></indexterm>
|
|
<indexterm><primary>smbpasswd</primary></indexterm>
|
|
<indexterm><primary>tdbsam</primary></indexterm>
|
|
<indexterm><primary>LDAP backend</primary></indexterm>
|
|
<indexterm><primary>export</primary></indexterm>
|
|
<indexterm><primary>import</primary></indexterm>
|
|
If you choose to use a tdbsam (<filename>passdb.tdb</filename>) backend file, your best choice
|
|
is to use <command>pdbedit</command> to export the contents of the tdbsam file into an
|
|
smbpasswd data file. This automatically strips out all domain-specific information,
|
|
such as logon hours, logon machines, logon script, profile path, as well as the domain SID.
|
|
The resulting file can be easily merged with other migration attempts (each of which must start
|
|
with a clean file). It should also be noted that all users who end up in the merged smbpasswd
|
|
file must have an account in <filename>/etc/passwd</filename>. The resulting smbpasswd file
|
|
may be exported or imported into either a tdbsam (<filename>passdb.tdb</filename>) or
|
|
an LDAP backend.
|
|
</para>
|
|
|
|
<figure id="NT4DUM">
|
|
<title>View of Accounts in NT4 Domain User Manager</title>
|
|
<imagefile scale="50">UserMgrNT4</imagefile>
|
|
</figure>
|
|
|
|
</sect2>
|
|
|
|
|
|
<sect2>
|
|
<title>Political Issues</title>
|
|
|
|
<para>
|
|
The merging of multiple Windows NT4-style domains into a single LDAP-backend-based Samba
|
|
domain may be seen by those who had power over them as a loss of prestige or a loss of
|
|
power. The imposition of a single domain may even be seen as a threat. So in migrating and
|
|
merging account databases, be consciously aware of the political fall-out in which you
|
|
may find yourself entangled when key staff feel a loss of prestige.
|
|
</para>
|
|
|
|
<para>
|
|
The best advice that can be given to those who set out to merge NT4 domains into a single
|
|
Samba domain is to promote (sell) the action as one that reduces costs and delivers
|
|
greater network interoperability and manageability.
|
|
</para>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>Implementation</title>
|
|
|
|
<para>
|
|
From feedback on the Samba mailing lists, it seems that most Windows NT4 migrations
|
|
to Samba are being performed using a new server or a new installation of a Linux or UNIX
|
|
server. If you contemplate doing this, please note that the steps that follow in this
|
|
chapter assume familiarity with the information that has been previously covered in this
|
|
book. You are particularly encouraged to be familiar with <link linkend="secure"/>,
|
|
<link linkend="Big500users"/> and <link linkend="happy"/>.
|
|
</para>
|
|
|
|
<para>
|
|
We present here the steps and example output for two NT4 to Samba domain migrations. The
|
|
first uses an LDAP-based backend, and the second uses a tdbsam backend. In each case the
|
|
scripts you specify in the &smb.conf; file for the <parameter>add user script</parameter>
|
|
collection of parameters are used to effect the addition of accounts into the passdb backend.
|
|
</para>
|
|
|
|
<para>
|
|
Before proceeding to NT4 migration using either a tdbsam or ldapsam, it is most strongly recommended to
|
|
review <link linkend="ch5-dnshcp-setup"/> for DNS and DHCP configuration. The importance of correctly
|
|
functioning name resolution must be recognized. This applies equally for both hostname and NetBIOS names
|
|
(machine names, computer names, domain names, workgroup names &smbmdash; ALL names!).
|
|
</para>
|
|
|
|
<para>
|
|
The migration process involves the following steps:
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para>
|
|
Prepare the target Samba server. This involves configuring Samba-3 for
|
|
migration to either a tdbsam or an ldapsam backend.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
<indexterm><primary>uppercase</primary></indexterm>
|
|
<indexterm><primary>Posix</primary></indexterm>
|
|
<indexterm><primary>lower-case</primary></indexterm>
|
|
Clean up the source NT4 PDC. Delete all accounts that need not be migrated.
|
|
Delete all files that should not be migrated. Where possible, change NT group
|
|
names so there are no spaces or uppercase characters. This is important if
|
|
the target UNIX host insists on POSIX-compliant all lowercase user and group
|
|
names.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
Step through the migration process.
|
|
</para></listitem>
|
|
|
|
<listitem><para><indexterm><primary>PDC</primary></indexterm>
|
|
Remove the NT4 PDC from the network.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
Upgrade the Samba server from a BDC to a PDC, and validate all account
|
|
information.
|
|
</para></listitem>
|
|
</itemizedlist>
|
|
|
|
<para>
|
|
It may help to use the above outline as a pre-migration checklist.
|
|
</para>
|
|
|
|
<sect2>
|
|
<title>NT4 Migration Using LDAP Backend</title>
|
|
|
|
<para>
|
|
In this example, the migration is of an NT4 PDC to a Samba PDC with an LDAP backend. The accounts about
|
|
to be migrated are shown in <link linkend="NT4DUM"/>. In this example use is made of the
|
|
smbldap-tools scripts to add the accounts that are migrated into the ldapsam passdb backend.
|
|
Four scripts are essential to the migration process. Other scripts will be required
|
|
for daily management, but these are not critical to migration. The critical scripts are dependant
|
|
on which passdb backend is being used. Refer to <link linkend="ch8-vampire"/> to see which scripts
|
|
must be provided so that the migration process can complete.
|
|
</para>
|
|
|
|
<para>
|
|
Verify that you have correctly specified in the &smb.conf; file the scripts and arguments
|
|
that should be passed to them before attempting to perform the account migration. Note also
|
|
that the deletion scripts must be commented out during migration. These should be uncommented
|
|
following successful migration of the NT4 Domain accounts.
|
|
</para>
|
|
|
|
<warning><para>
|
|
Under absolutely no circumstances should the Samba daemons be started until instructed to do so.
|
|
Delete the <filename>/etc/samba/secrets.tdb</filename> file and all Samba control tdb files
|
|
before commencing the following configuration steps.
|
|
</para></warning>
|
|
|
|
<table id="ch8-vampire">
|
|
<title>Samba &smb.conf; Scripts Essential to Samba Operation</title>
|
|
<tgroup cols="3">
|
|
<colspec align="left"/>
|
|
<colspec align="center"/>
|
|
<colspec align="center"/>
|
|
<thead>
|
|
<row>
|
|
<entry>Entity</entry>
|
|
<entry>ldapsam Script</entry>
|
|
<entry>tdbsam Script</entry>
|
|
</row>
|
|
</thead>
|
|
<tbody>
|
|
<row>
|
|
<entry>Add User Accounts</entry>
|
|
<entry>smbldap-useradd</entry>
|
|
<entry>useradd</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Delete User Accounts</entry>
|
|
<entry>smbldap-userdel</entry>
|
|
<entry>userdel</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Add Group Accounts</entry>
|
|
<entry>smbldap-groupadd</entry>
|
|
<entry>groupadd</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Delete Group Accounts</entry>
|
|
<entry>smbldap-groupdel</entry>
|
|
<entry>groupdel</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Add User to Group</entry>
|
|
<entry>smbldap-groupmod</entry>
|
|
<entry>usermod (See Note)</entry>
|
|
</row>
|
|
<row>
|
|
<entry>Add Machine Accounts</entry>
|
|
<entry>smbldap-useradd</entry>
|
|
<entry>useradd</entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</table>
|
|
|
|
<note><para>
|
|
<indexterm><primary>usermod</primary></indexterm>
|
|
<indexterm><primary>groupmem</primary></indexterm>
|
|
<indexterm><primary>smbldap-tools</primary></indexterm>
|
|
The UNIX/Linux <command>usermod</command> utility does not permit simple user addition to (or deletion
|
|
of users from) groups. This is a feature provided by the smbldap-tools scripts. If you want this
|
|
capability, you must create your own tool to do this. Alternately, you can search the Web
|
|
to locate a utility called <command>groupmem</command> (by George Kraft) that provides this functionality.
|
|
The <command>groupmem</command> utility was contributed to the shadow package but has not surfaced
|
|
in the formal commands provided by Linux distributions (March 2004).
|
|
</para></note>
|
|
|
|
<note><para>
|
|
<indexterm><primary>tdbdump</primary></indexterm>
|
|
The <command>tdbdump</command> utility is a utility that you can build from the Samba source-code tree. Not all Linux binary distributions include this tool. If it is missing from your
|
|
Linux distribution, you will need to build this yourself or else forgo its use.
|
|
</para></note>
|
|
|
|
<para>
|
|
<indexterm><primary>User Manager</primary></indexterm>
|
|
Before starting the migration, all dead accounts were removed from the NT4 domain using the User Manager for Domains.
|
|
</para>
|
|
|
|
<procedure>
|
|
<title>User Migration Steps</title>
|
|
|
|
<step><para>
|
|
Configure the Samba &smb.conf; file to create a BDC. An example configuration is
|
|
given in <link linkend="sbent4smb"/>.
|
|
The delete scripts are commented out so that during the process of migration
|
|
no account information can be deleted.
|
|
</para></step>
|
|
|
|
<example id="sbent4smb">
|
|
<title>NT4 Migration Samba Server <filename>smb.conf</filename> &smbmdash; Part: A</title>
|
|
<smbconfblock>
|
|
<smbconfsection name="[global]"/>
|
|
<smbconfoption name="workgroup">DAMNATION</smbconfoption>
|
|
<smbconfoption name="netbios name">MERLIN</smbconfoption>
|
|
<smbconfoption name="passdb backend">ldapsam:ldap://localhost</smbconfoption>
|
|
<smbconfoption name="log level">1</smbconfoption>
|
|
<smbconfoption name="syslog">0</smbconfoption>
|
|
<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
|
|
<smbconfoption name="max log size">0</smbconfoption>
|
|
<smbconfoption name="smb ports">139 445</smbconfoption>
|
|
<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
|
|
<smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m '%u'</smbconfoption>
|
|
<smbconfoption name="#delete user script">/opt/IDEALX/sbin/smbldap-userdel '%u'</smbconfoption>
|
|
<smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd '%g'</smbconfoption>
|
|
<smbconfoption name="#delete group script">/opt/IDEALX/sbin/smbldap-groupdel '%g'</smbconfoption>
|
|
<smbconfoption name="add user to group script">/opt/IDEALX/sbin/ smbldap-groupmod -m '%u' '%g'</smbconfoption>
|
|
<smbconfoption name="#delete user from group script">/opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'</smbconfoption>
|
|
<smbconfoption name="set primary group script">/opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</smbconfoption>
|
|
<smbconfoption name="add machine script">/opt/IDEALX/sbin/smbldap-useradd -w '%u'</smbconfoption>
|
|
<smbconfoption name="logon script">scripts\logon.cmd</smbconfoption>
|
|
<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
|
|
<smbconfoption name="logon home">\\%L\%U</smbconfoption>
|
|
<smbconfoption name="logon drive">X:</smbconfoption>
|
|
<smbconfoption name="domain logons">Yes</smbconfoption>
|
|
<smbconfoption name="domain master">No</smbconfoption>
|
|
<smbconfoption name="#wins support">Yes</smbconfoption>
|
|
<smbconfoption name="wins server">192.168.123.124</smbconfoption>
|
|
<smbconfoption name="ldap admin dn">cn=Manager,dc=terpstra-world,dc=org</smbconfoption>
|
|
<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
|
|
<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
|
|
<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="ldap passwd sync">Yes</smbconfoption>
|
|
<smbconfoption name="ldap suffix">dc=terpstra-world,dc=org</smbconfoption>
|
|
<smbconfoption name="ldap ssl">no</smbconfoption>
|
|
<smbconfoption name="ldap timeout">20</smbconfoption>
|
|
<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
|
|
<smbconfoption name="idmap backend">ldap:ldap://localhost</smbconfoption>
|
|
<smbconfoption name="idmap uid">15000-20000</smbconfoption>
|
|
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
|
|
<smbconfoption name="winbind nested groups">Yes</smbconfoption>
|
|
<smbconfoption name="ea support">Yes</smbconfoption>
|
|
<smbconfoption name="map acl inherit">Yes</smbconfoption>
|
|
</smbconfblock>
|
|
</example>
|
|
|
|
<example id="sbent4smb2">
|
|
<title>NT4 Migration Samba Server <filename>smb.conf</filename> &smbmdash; Part: B</title>
|
|
<smbconfblock>
|
|
<smbconfsection name="[apps]"/>
|
|
<smbconfoption name="comment">Application Data</smbconfoption>
|
|
<smbconfoption name="path">/data/home/apps</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
|
|
<smbconfsection name="[homes]"/>
|
|
<smbconfoption name="comment">Home Directories</smbconfoption>
|
|
<smbconfoption name="path">/home/users/%U/Documents</smbconfoption>
|
|
<smbconfoption name="valid users">%S</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
<smbconfoption name="browseable">No</smbconfoption>
|
|
|
|
<smbconfsection name="[printers]"/>
|
|
<smbconfoption name="comment">SMB Print Spool</smbconfoption>
|
|
<smbconfoption name="path">/var/spool/samba</smbconfoption>
|
|
<smbconfoption name="guest ok">Yes</smbconfoption>
|
|
<smbconfoption name="printable">Yes</smbconfoption>
|
|
<smbconfoption name="use client driver">No</smbconfoption>
|
|
<smbconfoption name="browseable">No</smbconfoption>
|
|
|
|
<smbconfsection name="[netlogon]"/>
|
|
<smbconfoption name="comment">Network Logon Service</smbconfoption>
|
|
<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
|
|
<smbconfoption name="guest ok">Yes</smbconfoption>
|
|
<smbconfoption name="locking">No</smbconfoption>
|
|
|
|
<smbconfsection name="[profiles]"/>
|
|
<smbconfoption name="comment">Profile Share</smbconfoption>
|
|
<smbconfoption name="path">/var/lib/samba/profiles</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
<smbconfoption name="profile acls">Yes</smbconfoption>
|
|
|
|
<smbconfsection name="[profdata]"/>
|
|
<smbconfoption name="comment">Profile Data Share</smbconfoption>
|
|
<smbconfoption name="path">/var/lib/samba/profdata</smbconfoption>
|
|
<smbconfoption name="read only">No</smbconfoption>
|
|
<smbconfoption name="profile acls">Yes</smbconfoption>
|
|
|
|
<smbconfsection name="[print$]"/>
|
|
<smbconfoption name="comment">Printer Drivers</smbconfoption>
|
|
<smbconfoption name="path">/var/lib/samba/drivers</smbconfoption>
|
|
</smbconfblock>
|
|
</example>
|
|
|
|
<step><para>
|
|
<indexterm><primary>slapd.conf</primary></indexterm>
|
|
Configure OpenLDAP in preparation for the migration. An example
|
|
<filename>sladp.conf</filename> file is shown in <link linkend="sbentslapd"/>.
|
|
The <constant>rootpw</constant> value is an encrypted password string that can
|
|
be obtained by executing the <command>slappasswd</command> command.
|
|
</para></step>
|
|
|
|
<example id="sbentslapd">
|
|
<title>NT4 Migration LDAP Server Configuration File: <filename>/etc/openldap/slapd.conf</filename> &smbmdash; Part A</title>
|
|
<screen>
|
|
include /etc/openldap/schema/core.schema
|
|
include /etc/openldap/schema/cosine.schema
|
|
include /etc/openldap/schema/inetorgperson.schema
|
|
include /etc/openldap/schema/nis.schema
|
|
include /etc/openldap/schema/samba3.schema
|
|
|
|
pidfile /var/run/slapd/slapd.pid
|
|
argsfile /var/run/slapd/slapd.args
|
|
|
|
access to dn.base=""
|
|
by self write
|
|
by * auth
|
|
|
|
access to attr=userPassword
|
|
by self write
|
|
by * auth
|
|
|
|
access to attr=shadowLastChange
|
|
by self write
|
|
by * read
|
|
|
|
access to *
|
|
by * read
|
|
by anonymous auth
|
|
</screen>
|
|
</example>
|
|
|
|
<example id="sbentslapd2">
|
|
<title>NT4 Migration LDAP Server Configuration File: <filename>/etc/openldap/slapd.conf</filename> &smbmdash; Part B</title>
|
|
<screen>
|
|
#loglevel 256
|
|
|
|
#schemacheck on
|
|
idletimeout 30
|
|
#backend bdb
|
|
database bdb
|
|
checkpoint 1024 5
|
|
cachesize 10000
|
|
|
|
suffix "dc=terpstra-world,dc=org"
|
|
rootdn "cn=Manager,dc=terpstra-world,dc=org"
|
|
|
|
# rootpw = not24get
|
|
rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
|
|
|
|
directory /var/lib/ldap
|
|
|
|
# Indices to maintain
|
|
index objectClass eq
|
|
index cn pres,sub,eq
|
|
index sn pres,sub,eq
|
|
index uid pres,sub,eq
|
|
index displayName pres,sub,eq
|
|
index uidNumber eq
|
|
index gidNumber eq
|
|
index memberUID eq
|
|
index sambaSID eq
|
|
index sambaPrimaryGroupSID eq
|
|
index sambaDomainName eq
|
|
index default sub
|
|
</screen>
|
|
</example>
|
|
|
|
<step><para>
|
|
<indexterm><primary>nss_ldap</primary></indexterm>
|
|
<indexterm><primary>/etc/ldap.conf</primary></indexterm>
|
|
Install the PADL <command>nss_ldap</command> tool set, then configure the <filename>/etc/ldap.conf</filename>
|
|
as shown in <link linkend="sbrntldapconf"/>.
|
|
</para></step>
|
|
|
|
<example id="sbrntldapconf">
|
|
<title>NT4 Migration NSS LDAP File: <filename>/etc/ldap.conf</filename></title>
|
|
<screen>
|
|
host 127.0.0.1
|
|
|
|
base dc=terpstra-world,dc=org
|
|
|
|
ldap_version 3
|
|
|
|
binddn cn=Manager,dc=terpstra-world,dc=org
|
|
bindpw not24get
|
|
|
|
pam_password exop
|
|
|
|
nss_base_passwd ou=People,dc=terpstra-world,dc=org?one
|
|
nss_base_shadow ou=People,dc=terpstra-world,dc=org?one
|
|
nss_base_group ou=Groups,dc=terpstra-world,dc=org?one
|
|
|
|
ssl off
|
|
</screen>
|
|
</example>
|
|
|
|
<step><para>
|
|
<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
|
|
Edit the <filename>/etc/nsswitch.conf</filename> file so it has the entries shown
|
|
in <link linkend="sbentnss"/>. Note that the LDAP entries have been commented out.
|
|
This is deliberate. If these entries are active (not commented out), and the
|
|
<filename>/etc/ldap.conf</filename> file has been configured, when the LDAP server
|
|
is started, the process of starting the LDAP server will cause LDAP lookups. This
|
|
causes the LDAP server <command>slapd</command> to hang because it finds port 389
|
|
open and therefore cannot gain exclusive control of it. By commenting these entries
|
|
out, it is possible to avoid this gridlock situation and thus the overall
|
|
installation and configuration will progress more smoothly.
|
|
</para></step>
|
|
|
|
<example id="sbentnss">
|
|
<title>NT4 Migration NSS Control File: <filename>/etc/nsswitch.conf</filename> (Stage:1)</title>
|
|
<screen>
|
|
passwd: files #ldap
|
|
shadow: files #ldap
|
|
group: files #ldap
|
|
|
|
hosts: files dns wins
|
|
networks: files dns
|
|
|
|
services: files
|
|
protocols: files
|
|
rpc: files
|
|
ethers: files
|
|
netmasks: files
|
|
netgroup: files
|
|
publickey: files
|
|
|
|
bootparams: files
|
|
automount: files nis
|
|
aliases: files
|
|
#passwd_compat: ldap #Not needed.
|
|
#group_compat: ldap #Not needed.
|
|
</screen>
|
|
</example>
|
|
|
|
<step><para>
|
|
Validate the the target NT4 PDC name is being correctly resolved to its IP address by
|
|
executing the following:
|
|
<screen>
|
|
&rootprompt; ping transgression
|
|
PING transgression.terpstra-world.org (192.168.1.5) 56(84) bytes of data.
|
|
64 bytes from (192.168.1.5): icmp_seq=1 ttl=128 time=0.159 ms
|
|
64 bytes from (192.168.1.5): icmp_seq=2 ttl=128 time=0.192 ms
|
|
64 bytes from (192.168.1.5): icmp_seq=3 ttl=128 time=0.141 ms
|
|
|
|
--- transgression.terpstra-world.org ping statistics ---
|
|
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
|
|
rtt min/avg/max/mdev = 0.141/0.164/0.192/0.021 ms
|
|
</screen>
|
|
Do not proceed to the next step if this step fails. It is imperative that the name of the PDC
|
|
can be resolved to its IP address. If this is broken, fix it.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Pull the domain SID from the NT4 domain that is being migrated as follows:
|
|
<screen>
|
|
&rootprompt; net rpc getsid -S TRANGRESSION -U Administrator%not24get
|
|
Storing SID S-1-5-21-1385457007-882775198-1210191635 \
|
|
for Domain DAMNATION in secrets.tdb
|
|
</screen>
|
|
</para>
|
|
|
|
<para>
|
|
Another way to obtain the domain SID from the target NT4 domain that is being
|
|
migrated to Samba is by executing the following:
|
|
<screen>
|
|
&rootprompt; net rpc info -S TRANSGRESSION
|
|
</screen>
|
|
If this method is used, do not forget to store the SID obtained into the
|
|
<filename>secrets.tdb</filename> file. This can be done by executing:
|
|
<screen>
|
|
&rootprompt; net setlocalsid S-1-5-21-1385457007-882775198-1210191635
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>Idealx</primary></indexterm>
|
|
<indexterm><primary>configure.pl</primary></indexterm>
|
|
<indexterm><primary>/opt/IDEALX/sbin</primary></indexterm>
|
|
<indexterm><primary>smbldap-tools</primary></indexterm>
|
|
Install the Idealx <command>smbldap-tools</command> software package, following
|
|
the instructions given in <link linkend="sbeidealx"/>. The resulting perl scripts
|
|
should be located in the <filename>/opt/IDEALX/sbin</filename> directory.
|
|
Change into that location, or wherever the scripts have been installed. Execute the
|
|
<filename>configure.pl</filename> script to configure the Idealx package for use.
|
|
Note: Use the domain SID obtained from the step above. The following is
|
|
an example configuration session:
|
|
<screen>
|
|
&rootprompt; ./configure.pl
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
smbldap-tools script configuration
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
Before starting, check
|
|
. if your samba controller is up and running.
|
|
. if the domain SID is defined
|
|
(you can get it with the 'net getlocalsid')
|
|
|
|
. you can leave the configuration using the Crtl-c key combination
|
|
. empty value can be set with the "." character
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
Looking for configuration files...
|
|
|
|
Samba Config File Location [/etc/samba/smb.conf] >
|
|
smbldap Config file Location (global parameters)
|
|
[/etc/smbldap-tools/smbldap.conf] >
|
|
smbldap Config file Location (bind parameters)
|
|
[/etc/smbldap-tools/smbldap_bind.conf] >
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
Let's start configuring the smbldap-tools scripts ...
|
|
|
|
. workgroup name: name of the domain Samba act as a PDC
|
|
workgroup name [DAMNATION] >
|
|
. netbios name: netbios name of the samba controller
|
|
netbios name [MERLIN] >
|
|
. logon drive: local path to which the home directory
|
|
will be connected (for NT Workstations). Ex: 'H:'
|
|
logon drive [X:] > H:
|
|
. logon home: home directory location (for Win95/98 or NT Workstation)
|
|
(use %U as username) Ex:'\\MERLIN\home\%U'
|
|
logon home (leave blank if you don't want homeDirectory)
|
|
[\\MERLIN\home\%U] > \\%L\%U
|
|
. logon path: directory where roaming profiles are stored.
|
|
Ex:'\\MERLIN\profiles\%U'
|
|
logon path (leave blank if you don't want roaming profile)
|
|
[\\MERLIN\profiles\%U] > \\%L\profiles\%U
|
|
. home directory prefix (use %U as username) [/home/%U] >
|
|
/home/users/%U
|
|
. default user netlogon script (use %U as username)
|
|
[%U.cmd] > scripts\logon.cmd
|
|
default password validation time (time in days) [45] > 180
|
|
. ldap suffix [dc=terpstra-world,dc=org] >
|
|
. ldap group suffix [ou=Groups] >
|
|
. ldap user suffix [ou=People] >
|
|
. ldap machine suffix [ou=People] >
|
|
. Idmap suffix [ou=Idmap] >
|
|
. sambaUnixIdPooldn: object where you want to store the next uidNumber
|
|
and gidNumber available for new users and groups
|
|
sambaUnixIdPooldn object (relative to ${suffix})
|
|
[sambaDomainName=DAMNATION] >
|
|
. ldap master server:
|
|
IP address or DNS name of the master (writable) ldap server
|
|
ldap master server [] > 127.0.0.1
|
|
. ldap master port [389] >
|
|
. ldap master bind dn [cn=Manager,dc=terpstra-world,dc=org] >
|
|
. ldap master bind password [] >
|
|
. ldap slave server: IP address or DNS name of the slave ldap server:
|
|
can also be the master one
|
|
ldap slave server [] > 127.0.0.1
|
|
. ldap slave port [389] >
|
|
. ldap slave bind dn [cn=Manager,dc=terpstra-world,dc=org] >
|
|
. ldap slave bind password [] >
|
|
. ldap tls support (1/0) [0] >
|
|
. SID for domain DAMNATION: SID of the domain
|
|
(can be obtained with 'net getlocalsid MERLIN')
|
|
SID for domain DAMNATION []
|
|
> S-1-5-21-1385457007-882775198-1210191635
|
|
. unix password encryption: encryption used for unix passwords
|
|
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
|
|
. default user gidNumber [513] >
|
|
. default computer gidNumber [515] >
|
|
. default login shell [/bin/bash] >
|
|
. default domain name to append to mail address [] >
|
|
terpstra-world.org
|
|
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
|
|
backup old configuration files:
|
|
/etc/smbldap-tools/smbldap.conf->
|
|
/etc/smbldap-tools/smbldap.conf.old
|
|
/etc/smbldap-tools/smbldap_bind.conf->
|
|
/etc/smbldap-tools/smbldap_bind.conf.old
|
|
writing new configuration file:
|
|
/etc/smbldap-tools/smbldap.conf done.
|
|
/etc/smbldap-tools/smbldap_bind.conf done.
|
|
</screen>
|
|
<indexterm><primary>sambaDomainName</primary></indexterm>
|
|
<indexterm><primary>NextFreeUnixId</primary></indexterm>
|
|
<indexterm><primary>updating smbldap-tools</primary></indexterm>
|
|
<indexterm><primary>smbldap-tools updating</primary></indexterm>
|
|
Note that the NT4 domain SID that was previously obtained was entered above. Also,
|
|
the sambaUnixIdPooldn object was specified as sambaDomainName=DAMNATION. This is
|
|
the location into which the Idealx smbldap-tools store the next available UID/GID
|
|
information. It is also where Samba stores domain specific information such as the
|
|
next RID, the SID, and so on. In older version of the smbldap-tools this information
|
|
was stored in the sambaUnixIdPooldn DIT location cn=NextFreeUnixId. Where smbldap-tools
|
|
are being upgraded to version 0.9.1 it is appropriate to update this to the new location
|
|
only if the directory information is also relocated.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Start the LDAP server using the system interface script. On Novell SLES9
|
|
this is done as shown here:
|
|
<screen>
|
|
&rootprompt; rcldap start
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Edit the <filename>/etc/nsswitch.conf</filename> file so it has the entries shown in
|
|
<link linkend="sbentnss2"/>. Note that the LDAP entries have now been uncommented.
|
|
</para></step>
|
|
|
|
<example id="sbentnss2">
|
|
<title>NT4 Migration NSS Control File: <filename>/etc/nsswitch.conf</filename> (Stage:2)</title>
|
|
<screen>
|
|
passwd: files ldap
|
|
shadow: files ldap
|
|
group: files ldap
|
|
|
|
hosts: files dns wins
|
|
networks: files dns
|
|
|
|
services: files
|
|
protocols: files
|
|
rpc: files
|
|
ethers: files
|
|
netmasks: files
|
|
netgroup: files
|
|
publickey: files
|
|
|
|
bootparams: files
|
|
automount: files nis
|
|
aliases: files
|
|
#passwd_compat: ldap #Not needed.
|
|
#group_compat: ldap #Not needed.
|
|
</screen>
|
|
</example>
|
|
|
|
<step><para>
|
|
The LDAP management password must be installed into the <filename>secrets.tdb</filename>
|
|
file as follows:
|
|
<screen>
|
|
&rootprompt; smbpasswd -w not24get
|
|
Setting stored password for
|
|
"cn=Manager,dc=terpstra-world,dc=org" in secrets.tdb
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Populate the LDAP directory as shown here:
|
|
<screen>
|
|
&rootprompt; /opt/IDEALX/sbin/smbldap-populate -a root -k 0 -m 0
|
|
Using workgroup name from sambaUnixIdPooldn (smbldap.conf):
|
|
sambaDomainName=DAMNATION
|
|
Using builtin directory structure
|
|
adding new entry: dc=terpstra-world,dc=org
|
|
adding new entry: ou=People,dc=terpstra-world,dc=org
|
|
adding new entry: ou=Groups,dc=terpstra-world,dc=org
|
|
entry ou=People,dc=terpstra-world,dc=org already exist.
|
|
adding new entry: ou=Idmap,dc=terpstra-world,dc=org
|
|
adding new entry: sambaDomainName=DAMNATION,dc=terpstra-world,dc=org
|
|
adding new entry: uid=root,ou=People,dc=terpstra-world,dc=org
|
|
adding new entry: uid=nobody,ou=People,dc=terpstra-world,dc=org
|
|
adding new entry: cn=Domain Admins,ou=Groups,dc=terpstra-world,dc=org
|
|
adding new entry: cn=Domain Users,ou=Groups,dc=terpstra-world,dc=org
|
|
adding new entry: cn=Domain Guests,ou=Groups,dc=terpstra-world,dc=org
|
|
adding new entry: cn=Domain Computers,ou=Groups,dc=terpstra-world,dc=org
|
|
adding new entry: cn=Administrators,ou=Groups,dc=terpstra-world,dc=org
|
|
adding new entry: cn=Print Operators,ou=Groups,dc=terpstra-world,dc=org
|
|
adding new entry: cn=Backup Operators,ou=Groups,dc=terpstra-world,dc=org
|
|
adding new entry: cn=Replicators,ou=Groups,dc=terpstra-world,dc=org
|
|
</screen>
|
|
The script tries to add the ou=People container twice, hence the error message.
|
|
This is expected behavior.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>Novell SUSE SLES 9</primary></indexterm>
|
|
Restart the LDAP server following initialization of the LDAP directory. Execute the
|
|
system control script provided on your system. The following steps can be used on
|
|
Novell SUSE SLES 9:
|
|
<screen>
|
|
&rootprompt; rcldap restart
|
|
&rootprompt; chkconfig ldap on
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Verify that the new user accounts that have been added to the LDAP directory can be
|
|
resolved as follows:
|
|
<screen>
|
|
&rootprompt; getent passwd
|
|
...
|
|
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
|
|
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
|
|
news:x:9:13:News system:/etc/news:/bin/bash
|
|
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
|
|
+::0:0:::
|
|
root:x:0:0:Netbios Domain Administrator:/home/users/root:/bin/false
|
|
nobody:x:999:514:nobody:/dev/null:/bin/false
|
|
</screen>
|
|
Now repeat this for the group accounts as shown here:
|
|
<screen>
|
|
&rootprompt; getent group
|
|
...
|
|
nobody:x:65533:
|
|
nogroup:x:65534:nobody
|
|
users:x:100:
|
|
+::0:
|
|
Domain Admins:x:512:root
|
|
Domain Users:x:513:
|
|
Domain Guests:x:514:
|
|
Domain Computers:x:515:
|
|
Administrators:x:544:
|
|
Print Operators:x:550:
|
|
Backup Operators:x:551:
|
|
Replicators:x:552:
|
|
</screen>
|
|
In both cases the LDAP accounts follow the <quote>+::0:</quote> entry.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Now it is time to join the Samba BDC to the target NT4 domain that is being
|
|
migrated to Samba by executing the following:
|
|
<screen>
|
|
&rootprompt; net rpc join -S TRANSGRESSION -U Administrator%not24get
|
|
merlin:/opt/IDEALX/sbin # net rpc join -S TRANSGRESSION \
|
|
-U Administrator%not24get
|
|
Joined domain DAMNATION.
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Set the new domain administrator (root) password for both UNIX and Windows as shown here:
|
|
<screen>
|
|
&rootprompt; /opt/IDEALX/sbin/smbldap-passwd root
|
|
Changing password for root
|
|
New password : ********
|
|
Retype new password : ********
|
|
</screen>
|
|
Note: During account migration, the Windows Administrator account will not be migrated
|
|
to the Samba server.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Now validate that these accounts can be resolved using Samba's tools as
|
|
shown here for user accounts:
|
|
<screen>
|
|
&rootprompt; pdbedit -Lw
|
|
root:0:84B0D8E14D158FF8417EAF50CFAC29C3:
|
|
AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[U ]:LCT-425F6467:
|
|
nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:
|
|
NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU ]:LCT-00000000:
|
|
</screen>
|
|
Now complete the following step to validate that group account mappings have
|
|
been correctly set:
|
|
<screen>
|
|
&rootprompt; net groupmap list
|
|
Domain Admins (S-1-5-21-1385457007-882775198-1210191635-512)
|
|
-> Domain Admins
|
|
Domain Users (S-1-5-21-1385457007-882775198-1210191635-513)
|
|
-> Domain Users
|
|
Domain Guests (S-1-5-21-1385457007-882775198-1210191635-514)
|
|
-> Domain Guests
|
|
Domain Computers (S-1-5-21-1385457007-882775198-1210191635-515)
|
|
-> Domain Computers
|
|
Administrators (S-1-5-32-544) -> Administrators
|
|
Print Operators (S-1-5-32-550) -> Print Operators
|
|
Backup Operators (S-1-5-32-551) -> Backup Operators
|
|
Replicators (S-1-5-32-552) -> Replicators
|
|
</screen>
|
|
These are the expected results for a correctly configured system.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Commence migration as shown here:
|
|
<screen>
|
|
&rootprompt; net rpc vampire -S TRANSGRESSION \
|
|
-U Administrator%not24get > /tmp/vampire.log 2>1
|
|
</screen>
|
|
Check the vampire log to confirm that only expected errors have been
|
|
reported. See <link linkend="sbevam1"/>.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
The migration of user accounts can be quickly validated as follows:
|
|
<screen>
|
|
&rootprompt; pdbedit -Lw
|
|
root:0:84B0D8E14D158FF8417EAF50CFAC29C3:...
|
|
nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:...
|
|
Administrator:0:84B0D8E14D158FF8417EAF50CFAC29C3:...
|
|
Guest:1:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:...
|
|
TRANSGRESSION$:2:CC044B748CEE294CE76B6B0D1B86C1A8:...
|
|
IUSR_TRANSGRESSION:3:64046AC81B056C375F9537FC409085F8:...
|
|
MIDEARTH$:4:E93186E5819706D2AAD3B435B51404EE:...
|
|
atrickhoffer:5:DC08CFE0C12B2867352502E32A407F23:...
|
|
barryf:6:B829BCDE01FF24376E45D5F10408CFBD:...
|
|
fsellerby:7:6A97CBEBE8F9826B417EAF50CFAC29C3:...
|
|
gdaison:8:48F6A8C8A900024351DA8C2061C5F1D3:...
|
|
hrambotham:9:7330D9EA0964465EAAD3B435B51404EE:...
|
|
jrhapsody:10:ACBA7D207E2BA35D9BD41A26B01626BD:...
|
|
maryk:11:293B5A4CA41F6CA1A7D80430B8342B73:...
|
|
jacko:12:8E8982D86BD037C364BBD09A598E07AD:...
|
|
bridge:13:0D2CA7D2BE67FE2193BE3A377C968336:...
|
|
sharpec:14:8841A75CAC19D2855D8B73B1F4D430F8:...
|
|
jimbo:15:6E8BDC904FD9EC5C17306D272A9441BB:...
|
|
dhenwick:16:D1694A03C33584BDAAD3B435B51404EE:...
|
|
dork:17:69E2D19E69A593D5AAD3B435B51404EE:...
|
|
blue:18:E355EBF9559979FEAAD3B435B51404EE:...
|
|
billw:19:EE35C3481CF7F7DB484448BC86A641A5:...
|
|
rfreshmill:20:7EC033B58661B60CAAD3B435B51404EE:...
|
|
MAGGOT$:21:A3B9334765AD30F7AAD3B435B51404EE:...
|
|
TRENTWARE$:22:1D92C8DD5E7F0DDF93BE3A377C968336:...
|
|
MORTON$:23:89342E69DCA9D3F8AAD3B435B51404EE:...
|
|
NARM$:24:2B93E2D1D25448BDAAD3B435B51404EE:...
|
|
LAPDOG$:25:14AA535885120943AAD3B435B51404EE:...
|
|
SCAVENGER$:26:B6288EB6D147B56F8963805A19B0ED49:...
|
|
merlin$:27:820C50523F368C54AB9D85AE603AD09D:...
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
The mapping of UNIX and Windows groups can be validated as show here:
|
|
<screen>
|
|
&rootprompt; net groupmap list
|
|
Domain Admins (S-1-5-21-1385457007-882775198-1210191635-512)
|
|
-> Domain Admins
|
|
Domain Users (S-1-5-21-1385457007-882775198-1210191635-513)
|
|
-> Domain Users
|
|
Domain Guests (S-1-5-21-1385457007-882775198-1210191635-514)
|
|
-> Domain Guests
|
|
Domain Computers (S-1-5-21-1385457007-882775198-1210191635-515)
|
|
-> Domain Computers
|
|
Administrators (S-1-5-32-544) -> Administrators
|
|
Print Operators (S-1-5-32-550) -> Print Operators
|
|
Backup Operators (S-1-5-32-551) -> Backup Operators
|
|
Replicator (S-1-5-32-552) -> Replicators
|
|
Engineers (S-1-5-21-1385457007-882775198-1210191635-1020) -> Engineers
|
|
Marketoids (S-1-5-21-1385457007-882775198-1210191635-1022) -> Marketoids
|
|
Gnomes (S-1-5-21-1385457007-882775198-1210191635-1023) -> Gnomes
|
|
Catalyst (S-1-5-21-1385457007-882775198-1210191635-1024) -> Catalyst
|
|
Recieving (S-1-5-21-1385457007-882775198-1210191635-1025) -> Recieving
|
|
Rubberboot (S-1-5-21-1385457007-882775198-1210191635-1026) -> Rubberboot
|
|
Sales (S-1-5-21-1385457007-882775198-1210191635-1027) -> Sales
|
|
Accounting (S-1-5-21-1385457007-882775198-1210191635-1028) -> Accounting
|
|
Shipping (S-1-5-21-1385457007-882775198-1210191635-1029) -> Shipping
|
|
Account Operators (S-1-5-32-548) -> Account Operators
|
|
Guests (S-1-5-32-546) -> Guests
|
|
Server Operators (S-1-5-32-549) -> Server Operators
|
|
Users (S-1-5-32-545) -> Users
|
|
</screen>
|
|
It is of vital importance that the domain SID portions of all group
|
|
accounts are identical.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
The final responsibility in the migration process is to create identical
|
|
shares and printing resources on the new Samba server, copy all data
|
|
across, set up privileges, and set share and file/directory access controls.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
<indexterm><primary>domain master</primary></indexterm>
|
|
<indexterm><primary>PDC</primary></indexterm>
|
|
Edit the &smb.conf; file to reset the parameter
|
|
<smbconfoption name="domain master">Yes</smbconfoption> so that
|
|
the Samba server functions as a PDC for the purpose of migration.
|
|
Also, uncomment the deletion scripts so they will now be fully functional,
|
|
enable the <parameter>wins support = yes</parameter> parameter and
|
|
comment out the <parameter>wins server</parameter>. Validate the configuration
|
|
with the <command>testparm</command> utility as shown here:
|
|
<screen>
|
|
&rootprompt; testparm
|
|
Load smb config files from /etc/samba/smb.conf
|
|
Processing section "[apps]"
|
|
Processing section "[media]"
|
|
Processing section "[homes]"
|
|
Processing section "[printers]"
|
|
Processing section "[netlogon]"
|
|
Processing section "[profiles]"
|
|
Processing section "[profdata]"
|
|
Processing section "[print$]"
|
|
Loaded services file OK.
|
|
Server role: ROLE_DOMAIN_PDC
|
|
Press enter to see a dump of your service definitions
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Now shut down the old NT4 PDC. Only when the old NT4 PDC and all
|
|
NT4 BDCs have been shut down can the Samba PDC be started.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
All workstations should function as they did with the old NT4 PDC. All
|
|
interdomain trust accounts should remain in place and fully functional.
|
|
All machine accounts and user logon accounts should also function correctly.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
The configuration of Samba BDC servers can be accomplished now or at any
|
|
convenient time in the future. Please refer to the carefully detailed process
|
|
for doing so is outlined in <link linkend="sbehap-bldg1"/>.
|
|
</para></step>
|
|
|
|
</procedure>
|
|
|
|
<sect3 id="sbevam1">
|
|
<title>Migration Log Validation</title>
|
|
|
|
<para>
|
|
The following <filename>vampire.log</filename> file is typical of a valid migration.
|
|
<screen>
|
|
adding user Administrator to group Domain Admins
|
|
adding user atrickhoffer to group Engineers
|
|
adding user dhenwick to group Engineers
|
|
adding user dork to group Engineers
|
|
adding user rfreshmill to group Marketoids
|
|
adding user jacko to group Gnomes
|
|
adding user jimbo to group Gnomes
|
|
adding user maryk to group Gnomes
|
|
adding user gdaison to group Gnomes
|
|
adding user dhenwick to group Catalyst
|
|
adding user jacko to group Catalyst
|
|
adding user jacko to group Recieving
|
|
adding user blue to group Recieving
|
|
adding user hrambotham to group Rubberboot
|
|
adding user billw to group Sales
|
|
adding user bridge to group Sales
|
|
adding user jrhapsody to group Sales
|
|
adding user maryk to group Sales
|
|
adding user rfreshmill to group Sales
|
|
adding user fsellerby to group Sales
|
|
adding user sharpec to group Sales
|
|
adding user jimbo to group Accounting
|
|
adding user gdaison to group Accounting
|
|
adding user jacko to group Shipping
|
|
adding user blue to group Shipping
|
|
Fetching DOMAIN database
|
|
Creating unix group: 'Engineers'
|
|
Creating unix group: 'Marketoids'
|
|
Creating unix group: 'Gnomes'
|
|
Creating unix group: 'Catalyst'
|
|
Creating unix group: 'Recieving'
|
|
Creating unix group: 'Rubberboot'
|
|
Creating unix group: 'Sales'
|
|
Creating unix group: 'Accounting'
|
|
Creating unix group: 'Shipping'
|
|
Creating account: Administrator
|
|
Creating account: Guest
|
|
Creating account: TRANSGRESSION$
|
|
Creating account: IUSR_TRANSGRESSION
|
|
Creating account: MIDEARTH$
|
|
Creating account: atrickhoffer
|
|
Creating account: barryf
|
|
Creating account: fsellerby
|
|
Creating account: gdaison
|
|
Creating account: hrambotham
|
|
Creating account: jrhapsody
|
|
Creating account: maryk
|
|
Creating account: jacko
|
|
Creating account: bridge
|
|
Creating account: sharpec
|
|
Creating account: jimbo
|
|
Creating account: dhenwick
|
|
Creating account: dork
|
|
Creating account: blue
|
|
Creating account: billw
|
|
Creating account: rfreshmill
|
|
Creating account: MAGGOT$
|
|
Creating account: TRENTWARE$
|
|
Creating account: MORTON$
|
|
Creating account: NARM$
|
|
Creating account: LAPDOG$
|
|
Creating account: SCAVENGER$
|
|
Creating account: merlin$
|
|
Group members of Domain Admins: Administrator,
|
|
Group members of Domain Users: Administrator(primary),
|
|
TRANSGRESSION$(primary),IUSR_TRANSGRESSION(primary),
|
|
MIDEARTH$(primary),atrickhoffer(primary),barryf(primary),
|
|
fsellerby(primary),gdaison(primary),hrambotham(primary),
|
|
jrhapsody(primary),maryk(primary),jacko(primary),bridge(primary),
|
|
sharpec(primary),jimbo(primary),dhenwick(primary),dork(primary),
|
|
blue(primary),billw(primary),rfreshmill(primary),MAGGOT$(primary),
|
|
TRENTWARE$(primary),MORTON$(primary),NARM$(primary),
|
|
LAPDOG$(primary),SCAVENGER$(primary),merlin$(primary),
|
|
Group members of Domain Guests: Guest(primary),
|
|
Group members of Engineers: atrickhoffer,dhenwick,dork,
|
|
Group members of Marketoids: rfreshmill,
|
|
Group members of Gnomes: jacko,jimbo,maryk,gdaison,
|
|
Group members of Catalyst: dhenwick,jacko,
|
|
Group members of Recieving: jacko,blue,
|
|
Group members of Rubberboot: hrambotham,
|
|
Group members of Sales: billw,bridge,jrhapsody,maryk,
|
|
rfreshmill,fsellerby,sharpec,
|
|
Group members of Accounting: jimbo,gdaison,
|
|
Group members of Shipping: jacko,blue,
|
|
Fetching BUILTIN database
|
|
skipping SAM_DOMAIN_INFO delta for 'Builtin' (is not my domain)
|
|
Creating unix group: 'Account Operators'
|
|
Creating unix group: 'Guests'
|
|
Creating unix group: 'Server Operators'
|
|
Creating unix group: 'Users'
|
|
</screen>
|
|
</para>
|
|
|
|
</sect3>
|
|
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>NT4 Migration Using tdbsam Backend</title>
|
|
|
|
<para>
|
|
In this example, we change the domain name of the NT4 server from
|
|
<constant>DRUGPREP</constant> to <constant>MEGANET</constant> prior to the use
|
|
of the vampire (migration) tool. This migration process makes use of Linux system tools
|
|
(like <command>useradd</command>) to add the accounts that are migrated into the
|
|
UNIX/Linux <filename>/etc/passwd</filename> and <filename>/etc/group</filename>
|
|
databases. These entries must therefore be present, and correct options specified,
|
|
in your &smb.conf; file, or else the migration does not work as it should.
|
|
</para>
|
|
|
|
<procedure>
|
|
<title>Migration Steps Using tdbsam</title>
|
|
|
|
<step><para>
|
|
Prepare a Samba server precisely per the instructions shown in <link linkend="Big500users"/>.
|
|
Set the workgroup name to <constant>MEGANET</constant>.
|
|
</para></step>
|
|
|
|
<step><para><indexterm>
|
|
<primary>domain master</primary>
|
|
</indexterm><indexterm>
|
|
<primary>BDC</primary>
|
|
</indexterm>
|
|
Edit the &smb.conf; file to temporarily change the parameter
|
|
<smbconfoption name="domain master">No</smbconfoption> so
|
|
the Samba server functions as a BDC for the purpose of migration.
|
|
</para></step>
|
|
|
|
<step><para>
|
|
Start Samba as you have done previously.
|
|
</para></step>
|
|
|
|
<step><para><indexterm>
|
|
<primary>net</primary>
|
|
<secondary>rpc</secondary>
|
|
<tertiary>join</tertiary>
|
|
</indexterm>
|
|
Join the NT4 Domain as a BDC, as shown here:
|
|
<screen>
|
|
&rootprompt; net rpc join -S oldnt4pdc -W MEGANET -UAdministrator%not24get
|
|
Joined domain MEGANET.
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para><indexterm>
|
|
<primary>net</primary>
|
|
<secondary>rpc</secondary>
|
|
<tertiary>vampire</tertiary>
|
|
</indexterm>
|
|
You may vampire the accounts from the NT4 PDC by executing the command, as shown here:
|
|
<screen>
|
|
&rootprompt; net rpc vampire -S oldnt4pdc -U Administrator%not24get
|
|
Fetching DOMAIN database
|
|
SAM_DELTA_DOMAIN_INFO not handled
|
|
Creating unix group: 'Domain Admins'
|
|
Creating unix group: 'Domain Users'
|
|
Creating unix group: 'Domain Guests'
|
|
Creating unix group: 'Engineers'
|
|
Creating unix group: 'Marketoids'
|
|
Creating unix group: 'Account Operators'
|
|
Creating unix group: 'Administrators'
|
|
Creating unix group: 'Backup Operators'
|
|
Creating unix group: 'Guests'
|
|
Creating unix group: 'Print Operators'
|
|
Creating unix group: 'Replicator'
|
|
Creating unix group: 'Server Operators'
|
|
Creating unix group: 'Users'
|
|
Creating account: Administrator
|
|
Creating account: Guest
|
|
Creating account: oldnt4pdc$
|
|
Creating account: jacko
|
|
Creating account: maryk
|
|
Creating account: bridge
|
|
Creating account: sharpec
|
|
Creating account: jimbo
|
|
Creating account: dhenwick
|
|
Creating account: dork
|
|
Creating account: blue
|
|
Creating account: billw
|
|
Creating account: massive$
|
|
Group members of Engineers: Administrator,
|
|
sharpec(primary),bridge,billw(primary),dhenwick
|
|
Group members of Marketoids: Administrator,jacko(primary),
|
|
maryk(primary),jimbo,blue(primary),dork(primary)
|
|
Creating unix group: 'Gnomes'
|
|
Fetching BUILTIN database
|
|
SAM_DELTA_DOMAIN_INFO not handled
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para><indexterm>
|
|
<primary>pdbedit</primary>
|
|
</indexterm>
|
|
At this point, we can validate our migration. Let's look at the accounts
|
|
in the form in which they are seen in a smbpasswd file. This achieves that:
|
|
<screen>
|
|
&rootprompt; pdbedit -Lw
|
|
Administrator:505:84B0D8E14D158FF8417EAF50CFAC29C3:
|
|
AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[UX ]:LCT-3DF7AA9F:
|
|
jimbo:512:6E9A2A51F64A1BD5C187B8085FE1D9DF:
|
|
CDF7E305E639966E489A0CEFB95EE5E0:[UX ]:LCT-3E9362BC:
|
|
sharpec:511:E4301A7CD8FDD1EC6BBF9BC19CDF8151:
|
|
7000255938831D5B948C95C1931534C5:[UX ]:LCT-3E8B42C4:
|
|
dhenwick:513:DCD8886141E3F892AAD3B435B51404EE:
|
|
2DB36465949CB938DD98C312EFDC2639:[UX ]:LCT-3E939F41:
|
|
bridge:510:3FE6873A43101B46417EAF50CFAC29C3:
|
|
891741F481AF111B4CAA09A94016BD01:[UX ]:LCT-3E8B4291:
|
|
blue:515:256D41D2559BB3D2AAD3B435B51404EE:
|
|
9CCADDA4F7D281DD0FAD321478C6F971:[UX ]:LCT-3E939FDC:
|
|
diamond$:517:6C8E7B64EDCDBC4218B6345447A4454B:
|
|
3323AC63C666CFAACB60C13F65D54E9A:[S ]:LCT-00000000:
|
|
oldnt4pdc$:507:3E39430CDCABB5B09ED320D0448AE568:
|
|
95DBAF885854A919C7C7E671060478B9:[S ]:LCT-3DF7AA9F:
|
|
Guest:506:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
|
|
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DUX ]:LCT-3E93A008:
|
|
billw:516:85380CA7C21B6EBE168C8150662AF11B:
|
|
5D7478508293709937E55FB5FBA14C17:[UX ]:LCT-3FED7CA1:
|
|
dork:514:78C70DDEC35A35B5AAD3B435B51404EE:
|
|
0AD886E015AC595EC0AF40E6C9689E1A:[UX ]:LCT-3E939F9A:
|
|
jacko:508:BC472F3BF9A0A5F63832C92FC614B7D1:
|
|
0C6822AAF85E86600A40DC73E40D06D5:[UX ]:LCT-3E8B4242:
|
|
maryk:509:3636AB7E12EBE79AB79AE2610DD89D4C:
|
|
CF271B744F7A55AFDA277FF88D80C527:[UX ]:LCT-3E8B4270:
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para><indexterm>
|
|
<primary>pdbedit</primary>
|
|
</indexterm>
|
|
An expanded view of a user account entry shows more of what was
|
|
obtained from the NT4 PDC:
|
|
<screen>
|
|
sleeth:~ # pdbedit -Lv maryk
|
|
Unix username: maryk
|
|
NT username: maryk
|
|
Account Flags: [UX ]
|
|
User SID: S-1-5-21-1988699175-926296742-1295600288-1003
|
|
Primary Group SID: S-1-5-21-1988699175-926296742-1295600288-1007
|
|
Full Name: Mary Kathleen
|
|
Home Directory: \\diamond\maryk
|
|
HomeDir Drive: X:
|
|
Logon Script: scripts\logon.bat
|
|
Profile Path: \\diamond\profiles\maryk
|
|
Domain: MEGANET
|
|
Account desc: Peace Maker
|
|
Workstations:
|
|
Munged dial:
|
|
Logon time: 0
|
|
Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
|
|
Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
|
|
Password last set: Wed, 02 Apr 2003 13:05:04 GMT
|
|
Password can change: 0
|
|
Password must change: Mon, 18 Jan 2038 20:14:07 GMT
|
|
</screen>
|
|
</para></step>
|
|
|
|
<step><para><indexterm>
|
|
<primary>net</primary>
|
|
<secondary>group</secondary>
|
|
</indexterm>
|
|
The following command lists the long names of the groups that have been
|
|
imported (vampired) from the NT4 PDC:
|
|
<screen>
|
|
&rootprompt; net group -l -Uroot%not24get -Smassive
|
|
|
|
Group name Comment
|
|
-----------------------------
|
|
Engineers Snake Oil Engineers
|
|
Marketoids Untrustworthy Hype Vendors
|
|
Gnomes Plain Vanilla Garden Gnomes
|
|
Replicator Supports file replication in a domain
|
|
Guests Users granted guest access to the computer/domain
|
|
Administrators Members can fully administer the computer/domain
|
|
Users Ordinary users
|
|
</screen>
|
|
Everything looks well and in order.
|
|
</para></step>
|
|
|
|
<step><para><indexterm>
|
|
<primary>domain master</primary>
|
|
</indexterm><indexterm>
|
|
<primary>PDC</primary>
|
|
</indexterm>
|
|
Edit the &smb.conf; file to reset the parameter
|
|
<smbconfoption name="domain master">Yes</smbconfoption> so
|
|
the Samba server functions as a PDC for the purpose of migration.
|
|
</para></step>
|
|
</procedure>
|
|
</sect2>
|
|
|
|
<sect2>
|
|
<title>Key Points Learned</title>
|
|
|
|
<para>
|
|
Migration of an NT4 PDC database to a Samba PDC is possible.
|
|
</para>
|
|
|
|
<itemizedlist>
|
|
<listitem><para>
|
|
An LDAP backend is a suitable vehicle for NT4 migrations.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
A tdbsam backend can be used to perform a migration.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
Multiple NT4 domains can be merged into a single Samba
|
|
domain.
|
|
</para></listitem>
|
|
|
|
<listitem><para>
|
|
The net Samba domain most likely requires some
|
|
administration and updating before going live.
|
|
</para></listitem>
|
|
</itemizedlist>
|
|
|
|
</sect2>
|
|
|
|
</sect1>
|
|
|
|
<sect1>
|
|
<title>Questions and Answers</title>
|
|
|
|
<para>
|
|
</para>
|
|
|
|
<qandaset defaultlabel="chap08qa" type="number">
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para><indexterm>
|
|
<primary>clean database</primary>
|
|
</indexterm>
|
|
Why must I start each migration with a clean database?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para><indexterm>
|
|
<primary>merge</primary>
|
|
</indexterm>
|
|
This is a recommendation that permits the data from each NT4 domain to
|
|
be kept separate until you are ready to merge them. Also, if you do not start with a clean database,
|
|
you may find errors due to users or groups from multiple domains having the
|
|
same name but different SIDs. It is better to permit each migration to complete
|
|
without undue errors and then to handle the merging of vampired data under
|
|
proper supervision.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para><indexterm>
|
|
<primary>Domain SID</primary>
|
|
</indexterm>
|
|
Is it possible to set my domain SID to anything I like?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para><indexterm>
|
|
<primary>auto-generated SID</primary>
|
|
</indexterm><indexterm>
|
|
<primary>SID</primary>
|
|
</indexterm><indexterm>
|
|
<primary>Domain SID</primary>
|
|
</indexterm>
|
|
Yes, so long as the SID you create has the same structure as an autogenerated SID.
|
|
The typical SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where
|
|
the XXXXXXXXXX can be any number with from 6 to 10 digits. On the other hand, why
|
|
would you really want to create your own SID? I cannot think of a good reason.
|
|
You may want to set the SID to one that is already in use somewhere on your network,
|
|
but that is a little different from straight out creating your own domain SID.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para><indexterm>
|
|
<primary>/etc/passwd</primary>
|
|
</indexterm><indexterm>
|
|
<primary>/etc/group</primary>
|
|
</indexterm><indexterm>
|
|
<primary>tdbsam</primary>
|
|
</indexterm><indexterm>
|
|
<primary>passdb backend</primary>
|
|
</indexterm><indexterm>
|
|
<primary>accounts</primary>
|
|
<secondary>user</secondary>
|
|
</indexterm><indexterm>
|
|
<primary>accounts</primary>
|
|
<secondary>group</secondary>
|
|
</indexterm><indexterm>
|
|
<primary>accounts</primary>
|
|
<secondary>Domain</secondary>
|
|
</indexterm>
|
|
When using a tdbsam passdb backend, why must I have all domain user and group accounts
|
|
in <filename>/etc/passwd</filename> and <filename>/etc/group</filename>?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para><indexterm>
|
|
<primary>UID</primary>
|
|
</indexterm><indexterm>
|
|
<primary>GID</primary>
|
|
</indexterm><indexterm>
|
|
<primary>smbpasswd</primary>
|
|
</indexterm><indexterm>
|
|
<primary>/etc/passwd</primary>
|
|
</indexterm><indexterm>
|
|
<primary>Posix</primary>
|
|
</indexterm><indexterm>
|
|
<primary>LDAP database</primary>
|
|
</indexterm>
|
|
Samba must be able to tie all user and group account SIDs to a UNIX UID or GID. Samba
|
|
does not fabricate the UNIX IDs from thin air, but rather requires them to be located
|
|
in a suitable place.
|
|
</para>
|
|
|
|
<para>
|
|
When migrating a <filename>smbpasswd</filename> file to an LDAP backend, the
|
|
UID of each account is taken together with the account information in the
|
|
<filename>/etc/passwd</filename>, and both sets of data are used to create the account
|
|
entry in the LDAP database.
|
|
</para>
|
|
|
|
<para>
|
|
If you elect to create the POSIX account also, the entire UNIX account is copied to the
|
|
LDAP backend. The same occurs with NT groups and UNIX groups. At the conclusion of
|
|
migration to the LDAP database, the accounts may be removed from the UNIX database files.
|
|
In short then, all UNIX and Windows networking accounts, both in tdbsam as well as in
|
|
LDAP, require UIDs/GIDs.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para><indexterm>
|
|
<primary>validate</primary>
|
|
</indexterm><indexterm>
|
|
<primary>connectivity</primary>
|
|
</indexterm><indexterm>
|
|
<primary>migration</primary>
|
|
</indexterm>
|
|
Why did you validate connectivity before attempting migration?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para>
|
|
Access validation before attempting to migrate NT4 domain accounts helps to pinpoint
|
|
potential problems that may otherwise affect or impede account migration. I am always
|
|
mindful of the 4 P's of migration: Planning Prevents Poor Performance.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para>
|
|
How would you merge 10 tdbsam-based domains into an LDAP database?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para><indexterm>
|
|
<primary>risk</primary>
|
|
</indexterm><indexterm>
|
|
<primary>dump</primary>
|
|
</indexterm><indexterm>
|
|
<primary>tdbsam</primary>
|
|
</indexterm><indexterm>
|
|
<primary>Samba Domain</primary>
|
|
</indexterm><indexterm>
|
|
<primary>UID</primary>
|
|
</indexterm><indexterm>
|
|
<primary>GID</primary>
|
|
</indexterm><indexterm>
|
|
<primary>pdbedit</primary>
|
|
</indexterm><indexterm>
|
|
<primary>transfer</primary>
|
|
</indexterm><indexterm>
|
|
<primary>smbpasswd</primary>
|
|
</indexterm><indexterm>
|
|
<primary>LDAP</primary>
|
|
</indexterm><indexterm>
|
|
<primary>tool</primary>
|
|
</indexterm>
|
|
If you have 10 tdbsam Samba domains, there is considerable risk that there are a number of
|
|
accounts that have the same UNIX identifier (UID/GID). This means that you almost
|
|
certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd
|
|
file format and then manually edit all records to ensure that each has a unique UID. Each
|
|
file can then be imported a number of ways. You can use the <command>pdbedit</command> tool
|
|
to affect a transfer from the smbpasswd file to LDAP, or you can migrate them en masse to
|
|
tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that
|
|
you have migrated before handing over access to a user. After all, too many users with a bad
|
|
migration experience may threaten your career.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para><indexterm>
|
|
<primary>machine accounts</primary>
|
|
</indexterm><indexterm>
|
|
<primary>accounts</primary>
|
|
<secondary>machine</secondary>
|
|
</indexterm>
|
|
I want to change my domain name after I migrate all accounts from an NT4 domain to a
|
|
Samba domain. Does it make any sense to migrate the machine accounts in that case?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para><indexterm>
|
|
<primary>registry</primary>
|
|
</indexterm><indexterm>
|
|
<primary>un-join</primary>
|
|
</indexterm><indexterm>
|
|
<primary>rejoin</primary>
|
|
</indexterm><indexterm>
|
|
<primary>tattooing</primary>
|
|
</indexterm>
|
|
I would recommend not to migrate the machine account. The machine accounts should still work, but there are registry entries
|
|
on each Windows NT4 and upward client that have a tattoo of the old domain name. If you
|
|
unjoin the domain and then rejoin the newly renamed Samba domain, you can be certain to avoid
|
|
this tattooing effect.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para><indexterm>
|
|
<primary>multiple group mappings</primary>
|
|
</indexterm>
|
|
After merging multiple NT4 domains into a Samba domain, I lost all multiple group mappings. Why?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para><indexterm>
|
|
<primary>/etc/passwd</primary>
|
|
</indexterm><indexterm>
|
|
<primary>/etc/group</primary>
|
|
</indexterm>
|
|
Samba currently does not implement multiple group membership internally. If you use the Windows
|
|
NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group
|
|
membership is stored in the POSIX groups area. If you use either tdbsam or smbpasswd backend,
|
|
then multiple group membership is handled through the UNIX groups file. When you dump the user
|
|
accounts, no group account information is provided. When you edit (change) UIDs and GIDs in each
|
|
file to which you migrated the NT4 Domain data, do not forget to edit the UNIX <filename>/etc/passwd</filename>
|
|
and <filename>/etc/group</filename> information also. That is where the multiple group information
|
|
is most closely at your fingertips.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para>
|
|
How can I reset group membership after loading the account information into the LDAP database?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para><indexterm>
|
|
<primary>SRVTOOLS.EXE</primary>
|
|
</indexterm>
|
|
You can use the NT4 Domain User Manager that can be downloaded from the Microsoft Web site. The
|
|
installation file is called <filename>SRVTOOLS.EXE</filename>.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para><indexterm>
|
|
<primary>group names</primary>
|
|
</indexterm>
|
|
What are the limits or constraints that apply to group names?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para><indexterm>
|
|
<primary>limit</primary>
|
|
</indexterm><indexterm>
|
|
<primary>shadow-utils</primary>
|
|
</indexterm><indexterm>
|
|
<primary>groupadd</primary>
|
|
</indexterm><indexterm>
|
|
<primary>groupdel</primary>
|
|
</indexterm><indexterm>
|
|
<primary>groupmod</primary>
|
|
</indexterm><indexterm>
|
|
<primary>account names</primary>
|
|
</indexterm>
|
|
A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group
|
|
name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows
|
|
groups can contain upper- and lowercase characters, as well as spaces.
|
|
Many UNIX system do not permit the use of uppercase characters, and some do not permit the
|
|
space character either. A number of systems (i.e., Linux) work fine with both uppercase
|
|
and space characters in group names, but the shadow-utils package that provides the group
|
|
control functions (<command>groupadd</command>, <command>groupmod</command>, <command>groupdel</command>, and so on) do not permit them.
|
|
Also, a number of UNIX systems management tools enforce their own particular interpretation
|
|
of the POSIX standards and likewise do not permit uppercase or space characters in group
|
|
or user account names. You have to experiment with your system to find what its
|
|
peculiarities are.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
<qandaentry>
|
|
<question>
|
|
|
|
<para><indexterm>
|
|
<primary>vampire</primary>
|
|
</indexterm>
|
|
My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba
|
|
LDAP backend system using the vampire process?
|
|
</para>
|
|
|
|
</question>
|
|
<answer>
|
|
|
|
<para>
|
|
UNIX UIDs and GIDs on most UNIX systems use an unsigned short or an unsigned integer. Recent Linux
|
|
kernels support at least a much larger number. On systems that have a 16-bit constraint on UID/GIDs,
|
|
you would not be able to migrate 323,000 accounts because this number cannot fit into a 16-bit unsigned
|
|
integer. UNIX/Linux systems that have a 32-bit UID/GID can easily handle this number of accounts.
|
|
Please check this carefully before you attempt to effect a migration using the vampire process.
|
|
</para>
|
|
|
|
<para><indexterm>
|
|
<primary>Migration speed</primary>
|
|
</indexterm>
|
|
Migration speed depends much on the processor speed, the network speed, disk I/O capability, and
|
|
LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory that was mirroring LDAP
|
|
to a second identical system over 1 Gb Ethernet, I was able to migrate around 180 user accounts
|
|
per minute. Migration would obviously go much faster if LDAP mirroring were turned off during the migration.
|
|
</para>
|
|
|
|
</answer>
|
|
</qandaentry>
|
|
|
|
</qandaset>
|
|
|
|
</sect1>
|
|
|
|
</chapter>
|
|
|