Moving docs tree to docs-xml to make room for generated docs in the release tarball.

(This used to be commit 9f672c26d63955f613088489c6efbdc08b5b2d14)

1 files changed, 1798 insertions, 0 deletions

diff --git a/docs-xml/Samba3-ByExample/SBE-MigrateNW4Samba3.xml b/docs-xml/Samba3-ByExample/SBE-MigrateNW4Samba3.xml
new file mode 100644
index 0000000000..5bf8553e5b
--- /dev/null
+++ b/docs-xml/Samba3-ByExample/SBE-MigrateNW4Samba3.xml
@@ -0,0 +1,1798 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<chapter id="nw4migration">
+  <title>Migrating NetWare Server to Samba-3</title>
+
+	<para>
+	<indexterm><primary>Novell</primary></indexterm>
+	<indexterm><primary>SUSE</primary></indexterm>
+	Novell is a company any seasoned IT manager has to admire. It has become increasingly
+	Linux-friendly and is emerging out of a deep regression that almost saw the company
+	disappear into obscurity. Novell's SUSE Linux hosts the NetWare server and it is the
+	platform of choice to which many older NetWare servers are being migrated. 
+	It will be interesting to see what becomes of NetWare over time.
+	Meanwhile, there can be no denying that Novell is a Linux company.
+	</para>
+
+	<para>
+	<indexterm><primary>Red Hat</primary></indexterm>
+	<indexterm><primary>Debian</primary></indexterm>
+	<indexterm><primary>Gentoo</primary></indexterm>
+	<indexterm><primary>Mandrake</primary></indexterm>
+	Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian,
+	Gentoo, Mandrake, or SUSE (Novell), the information in this chapter should be read with
+	the knowledge that file locations may vary a little; even so, the information
+	in this chapter should provide something of value.
+	</para>
+
+	<para>
+	<indexterm><primary>migration</primary></indexterm>
+	Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many
+	years who surfaced on the Samba mailing list with a barrage of questions and who
+	regularly helps other administrators to solve thorny Samba migration questions.
+	</para>
+
+	<para>
+	<indexterm><primary>NetWare</primary></indexterm>
+	<indexterm><primary>NLM</primary></indexterm>
+	<indexterm><primary>NetWare</primary></indexterm>
+	<indexterm><primary>Mars_NWE</primary></indexterm>
+	One wonders how many NetWare servers remain in active service. Many are being migrated
+	to Samba on Linux. Red Hat Linux, SUSE Linux 9.x, and SUSE Linux Enterprise Server 9 are
+	ideal target platforms to which a NetWare server may be migrated. The migration method
+	of choice is much dependent on the tools that the administrator finds most natural to use.
+	The old-hand NetWare guru will likely want to use tools like the NetWare NLM for
+	<command>rsync</command> to migrate files from the NetWare server to the Samba server.
+	The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stovers' NetWare
+	Emulator) open source package. The MS Windows network administrator will likely make use of the
+	NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice,
+	migration will be filled with joyous and challenging moments &smbmdash; though probably not
+	concurrently.
+	</para>
+
+	<para>
+	The priority that Misty faced was one of migration of the data files off the NetWare 4.11
+	server and onto a Samba-based Windows file and print server. This chapter does not pretend
+	to document all the different methods that could be used to migrate user and group accounts
+	off a NetWare server. Its focus is on migration of data files.
+	</para>
+
+	<para>
+	This chapter tells its own story, so ride along. Maybe the information presented here
+	will help to smooth over a similar migration challenge in your favorite networking environment.
+	</para>
+
+	<para>
+	File paths have been modified to permit use of RPM packages provided by Novell. In the
+	original documentation contributed by Misty, the Courier-IMAP package had been built
+	directly from the original source tarball.
+	</para>
+
+<sect1>
+	<title>Introduction</title>
+
+	<para>
+	<indexterm><primary>Novell</primary></indexterm>
+	Misty Stanley-Jones was recruited by Abmas to administer a network that had
+	not received much attention for some years and was much in need of a makeover.
+	As a brand-new sysadmin to this company, she inherited a very old Novell file server
+	and came with a determination to change things for the better.
+	</para>
+
+	<para>
+	A site survey turned up the following details for the old NetWare server:
+	</para>
+
+	<simplelist>
+		<member><para>200 MHz MMX processor</para></member>
+		<member><para>512K RAM</para></member>
+		<member><para>24 GB disk space in RAID1</para></member>
+		<member><para>Novell 4.11 patched to service pack 7</para></member>
+		<member><para>60+ users</para></member>
+		<member><para>7 network-attached printers</para></member>
+	</simplelist>
+
+	<para>
+	The company had outgrown this server several years before and was dealing with
+	severe growing pains. Some of the problems experienced were:
+	</para>
+		
+	<itemizedlist>
+		<listitem>
+			<para>Very slow performance</para>
+		</listitem>
+		<listitem>
+			<para>Available storage hovering around the 5% range</para>
+			<itemizedlist>
+				<listitem>
+					<para>Extremely slow print spooling.</para>
+				</listitem>
+				<listitem>
+					<para>
+					Users storing information on their local hard
+					drives, causing backup integrity problems
+					</para>
+				</listitem>
+			</itemizedlist>
+		</listitem>
+	  </itemizedlist>
+
+	<para>
+	<indexterm><primary>payroll</primary></indexterm>
+	At one point disk space had filled up to 100 percent, causing the payroll database
+	to become corrupt. This caused the accounting department to be down for over
+	a week and necessitated deployment of another file server. The replacement
+	server was created with very poor security and design considerations from
+	a discarded desktop PC.
+	</para>
+
+	<sect2>
+		<title>Assignment Tasks</title>
+
+	<para>
+	Misty has provided this summary of her migration experience in the hope
+	that it will help someone to avoid the challenges she faced. Perhaps her
+	configuration files and background will accelerate your learning as you
+	grapple with a similar migration challenge. Let there be no confusion,
+	the information presented in this chapter is provided to demonstrate
+	how Misty dealt with a particular NetWare migration requirement, and
+	it provides an overall approach to the implementation of a Samba-3
+	environment that is significantly divergent from that presented in
+	<link linkend="happy"/>.
+	</para>
+
+	<para>
+	The complete removal of all site-specific information in order to produce	
+	a generic migration solution would rob this chapter of its character.
+	It should be recognized, therefore, that the examples given require
+	significant adaptation to suit local needs and thus
+	there are some gaps in the example files. That is not Misty's fault;it
+	is the result of treatment given to her files in an attempt to make
+	the overall information more useful to you.
+	</para>
+
+	<para>
+	<indexterm><primary>cost-benefit</primary></indexterm>
+	After management reviewed a cost-benefit report as well as an estimated
+	time-to-completion, approval was given proceed with the solution proposed.
+	The server was built from purchased components. The total project cost
+	was $3,000. A brief description of the configuration follows:
+	</para>
+
+	<simplelist>
+		<member>
+			<para>3.0 GHz P4 Processor</para>
+		</member>
+		<member>
+			<para>1 GB RAM</para>
+		</member>
+		<member>
+			<para>120 GB SATA operating system drive</para>
+		</member>
+		<member>
+			<para>4 x 80 GB SATA data drives (RAID5 240 GB capacity)</para>
+		</member>
+		<member>
+			<para>2 x 80 GB SATA removable drives for online backup</para>
+		</member>
+		<member>
+			<para>A DLT drive for asynchronous offline backup</para>
+		</member>
+		<member>
+			<para>SUSE Linux Professional 9.1</para>
+		</member>
+	</simplelist>
+
+	<para>
+	The new system has operated for 6 months without problems. Over the past months
+	much attention has been focused on cleaning up desktops and user profiles.
+	</para>
+
+	</sect2>
+</sect1>
+
+<sect1>
+	<title>Dissection and Discussion</title>
+
+	<para>
+	<indexterm><primary>LDAP</primary></indexterm>
+	<indexterm><primary>e-Directory</primary></indexterm>
+	<indexterm><primary>authentication</primary></indexterm>
+	<indexterm><primary>identity management</primary></indexterm>
+	A decision to use LDAP was made even though I knew nothing about LDAP except that
+	I had been reading the book <quote>LDAP System Administration,</quote> by Gerald Carter.
+	LDAP seemed to provide some of the functionality of Novell's e-Directory Services
+	and would provide centralized authentication and identity management.
+	</para>
+
+	<para>
+	<indexterm><primary>database</primary></indexterm>
+	<indexterm><primary>RPM</primary></indexterm>
+	<indexterm><primary>tree</primary></indexterm>
+	Building the LDAP database took a while and a lot of trial and error. Following
+	the guidance I obtained from <quote>LDAP System 
+	Administration,</quote> I installed OpenLDAP (from RPM; later I compiled
+	a more current version from source) and built my initial LDAP tree.
+	</para>
+
+	<sect2>
+	<title>Technical Issues</title>
+
+	<para>
+	<indexterm><primary>white-pages</primary></indexterm>
+	<indexterm><primary>inetOrgPerson</primary></indexterm>
+	<indexterm><primary>OpenLDAP</primary></indexterm>
+	<indexterm><primary>/etc/passwd</primary></indexterm>
+	<indexterm><primary>/etc/shadow</primary></indexterm>
+	<indexterm><primary>LDIF</primary></indexterm>
+	<indexterm><primary>IMAP</primary></indexterm>
+	<indexterm><primary>POP3</primary></indexterm>
+	<indexterm><primary>SMTP</primary></indexterm>
+	The first challenge was to create a company white pages, followed by manually
+	entering everything from the printed company directory. This used only the inetOrgPerson
+	object class from the OpenLDAP schemas. The next step was to write a shell script that
+	would look at the <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>
+	files on our mail server and create an LDIF file from which the information could be
+	imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3,
+	and SMTP.
+	</para>
+
+	<para>
+	Because a decision was made to use Courier-IMAP the schema <quote>authldap.schema</quote>
+	from the Courier-IMAP source, tarball is necessary to resolve Courier-specific LDAP directory
+	needs. Where the Courier-IMAP file provided by SUSE is used, this file is named
+	<filename>courier.schema</filename>.
+	</para>
+
+	<para>
+	Looking back, it would have been much easier to populate the LDAP directory using a convenient
+	tool such as <command>phpLDAPAdmin</command> from the outset. An excessive amount of time was
+	spent trying to generate LDIF files that could be parsed using the <command>ldapmodify</command>
+	so that necessary changes could be written to the directory. This was a learning experience!
+	</para>
+
+	<para>
+	An attempt was made to use the PADL POSIX account migration scripts, but I gave up trying to
+	make them work. Instead, even though it is most inelegant, I wrote a simple script that did
+	what I needed. It is enclosed as a simple example to demonstrate that you do not need to be
+	a guru to make light of otherwise painful repetition. This file is listed in <link linkend="sbeamg"/>.
+	</para>
+
+<example id="sbeamg">
+<title>A Rough Tool to Create an LDIF File from the System Account Files</title>
+<screen>
+#!/bin/bash
+
+cat /etc/passwd | while read l; do
+  uid=`echo $l | cut -d : -f 1`
+  uidNumber=`echo $l | cut -d : -f 3`
+  gidNumber=`echo $1 | cut -d : -f 4`
+  gecos=`echo $l | cut -d : -f 5`
+  homeDirectory=`echo $l | cut -d : -f 6`
+  loginShell=`echo $l | cut -d : -f 6`
+  userPassword=`cat /etc/shadow | grep $uid | cut -d : -f 2`
+
+  echo "dn: cn=$gecos,ou=people,dc=mycompany,dc=com"
+  echo "objectClass: account"
+  echo "objectClass: posixAccount"
+  echo "cn: $gecos"
+  echo "uid: $uid"
+  echo "uidNumber: $uidNumber"
+  echo "gidNumber: $gidNumber"
+  echo "homeDirectory: $homeDirectory"
+  echo "loginShell: $loginShell"
+  echo "userPassword: $userPassword"
+done
+</screen>
+</example>
+
+	<note><para>
+	
+	The PADL MigrationTools are recommended for migration of the UNIX account information into
+	the LDAP directory. The tools consist of a set of Perl scripts for migration of users, groups,
+	aliases, hosts, netgroups, networks, protocols, PRCs, and services from the existing ASCII text
+	files (or from a name service such as NIS). This too set can be obtained from the <ulink url=
+	"http://www.padl.com">PADL Web site</ulink>.
+	</para></note>
+
+	</sect2>
+
+</sect1>
+
+<sect1>
+	<title>Implementation</title>
+
+	<para>
+	</para>
+
+	<sect2>
+	<title>NetWare Migration Using LDAP Backend</title>
+
+	<para>
+	The following software must be installed on the SUSE Linux Enterprise Server to perform
+	this migration:
+	</para>
+
+	<simplelist>
+		<member><para>courier-imap</para></member>
+		<member><para>courier-imap-ldap</para></member>
+		<member><para>nss_ldap</para></member>
+		<member><para>openldap2-client</para></member>
+		<member><para>openldap2-devel (only for Samba compilation)</para></member>
+		<member><para>openldap2</para></member>
+		<member><para>pam_ldap</para></member>
+		<member><para>samba-3.0.20 or later</para></member>
+		<member><para>samba-client-3.0.20 or later</para></member>
+		<member><para>samba-winbind-3.0.20 or later</para></member>
+		<member><para>smbldap-tools Version 0.9.1</para></member>
+	</simplelist>
+
+	<para>
+	Each software application must be carefully configured in preparation for migration.
+	The configuration files used at Abmas are provided as a guide and should be modified
+	to meet needs at your site.
+	</para>
+
+	<sect3>
+	<title>LDAP Server Configuration</title>
+
+	<para>
+	The <filename>/etc/openldap/slapd.conf</filename> file Misty used is shown here:
+<programlisting>
+#/etc/openldap/slapd.conf
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include   /etc/openldap/schema/core.schema
+include   /etc/openldap/schema/cosine.schema
+include   /etc/openldap/schema/inetorgperson.schema
+include   /etc/openldap/schema/nis.schema
+include   /etc/openldap/schema/samba3.schema
+include   /etc/openldap/schema/dhcp.schema
+include   /etc/openldap/schema/misc.schema
+include   /etc/openldap/schema/idpool.schema
+include   /etc/openldap/schema/eduperson.schema
+include   /etc/openldap/schema/commURI.schema
+include   /etc/openldap/schema/local.schema
+include   /etc/openldap/schema/courier.schema
+
+pidfile   /var/run/slapd/run/slapd.pid
+argsfile  /var/run/slapd/run/slapd.args
+
+replogfile  /data/ldap/log/slapd.replog
+
+# Load dynamic backend modules:
+modulepath  /usr/lib/openldap/modules
+
+#######################################################################
+# Logging parameters
+#######################################################################
+loglevel 256
+
+#######################################################################
+# SASL and TLS options
+#######################################################################
+sasl-host     ldap.corp.abmas.org
+sasl-realm    DIGEST-MD5
+sasl-secprops   none
+TLSCipherSuite HIGH:MEDIUM:+SSLV2
+TLSCertificateFile    /etc/ssl/certs/private/abmas-cert.pem
+TLSCertificateKeyFile /etc/ssl/certs/private/abmas-key.pem
+password-hash   {SSHA}
+defaultsearchbase "dc=abmas,dc=biz"
+
+#######################################################################
+# bdb database definitions
+#######################################################################
+database          bdb
+suffix            "dc=abmas,dc=biz"
+rootdn            "cn=manager,dc=abmas,dc=biz"
+rootpw            {SSHA}gdo/dUvoT4ZJmULz3rUt6A3H/hBEduJ5
+directory         /data/ldap
+mode    0600
+# The following is for BDB to make it flush its data to disk every
+# 500 seconds or 5kb of data
+checkpoint 500 5
+
+## For running slapindex
+#readonly on
+
+## Indexes for often-requested attributes
+index   objectClass             eq
+index   cn                      eq,sub
+index   sn                      eq,sub
+index   uid                     eq,sub
+index   uidNumber               eq
+index   gidNumber               eq
+index   sambaSID                eq
+index   sambaPrimaryGroupSID    eq
+index   sambaDomainName         eq
+index   default                 sub
+cachesize 2000
+
+replica         host=baa.corp.abmas.org:389
+                suffix="dc=abmas,dc=biz"
+                binddn="cn=replica,dc=abmas,dc=biz"
+                credentials=verysecret
+                bindmethod=simple
+                tls=yes
+replica         host=ns.abmas.org:389
+                suffix="dc=abmas,dc=biz"
+                binddn="cn=replica,dc=abmas,dc=biz"
+                credentials=verysecret
+                bindmethod=simple
+                tls=yes
+
+#######################################################################
+# ACL section
+#######################################################################
+## MOST RESTRICTIVE RULES MUST GO FIRST!
+# Admins get access to everything. This way I do not have to rename.
+access to *
+  by group/groupOfUniqueNames/uniqueMember="cn=LDAP
+Administrators,ou=groups,dc=abmas,dc=biz" write
+  by * break
+
+## Users can change their own passwords. 
+access to 
+attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,
+sambaPwdMustChange,sambaPwdCanChange
+  by self write
+  by * auth
+
+## Home contact info restricted to the logged-in user and the HR dept
+access to attrs=hometelephoneNumber,homePostalAddress,
+mobileTelephoneNumber,pagerTelephoneNumber
+  by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
+ou=groups,dc=abmas,dc=biz" 
+write
+  by self write
+  by * none
+
+## Everyone can read email aliases
+access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz"
+  by * read
+
+## Only admins can manage email aliases
+## If someone is the role occupant of an alias they can change it -- this
+## is accomplished by the "organizationalRole" objectclass and is
+## pretty cool -- like a groupOfUniqueNames but for individual
+## users.
+access to dn.children="ou=Email Aliases,dc=abmas,dc=biz"
+  by dnattr=roleOccupant write
+  by * read
+
+## Admins and HR can add and delete users
+access to dn.sub="ou=people,dc=abmas,dc=biz"
+  by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
+ou=groups,dc=abmas,dc=biz" 
+write
+  by * read
+
+## Admins and HR can add and delete bizputers
+access to dn.sub="ou=bizputers,dc=abmas,dc=biz"
+  by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
+ou=groups,dc=abmas,dc=biz" 
+write
+  by * read
+
+## Admins and HR can add and delete groups
+access to dn.sub="ou=groups,dc=abmas,dc=biz"
+  by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
+ou=groups,dc=abmas,dc=biz" 
+write
+  by * read
+
+## This is used to quickly deactivate any LDAP object only 
+##  Admins have access.
+access to dn.sub="ou=inactive,dc=abmas,dc=biz"
+  by * none
+
+## This is for programs like Windows Address Book that can 
+## detect the default search base.
+access to attrs=namingcontexts,supportedControl
+  by anonymous =cs
+  by * read
+
+## Default to read-only access
+access to *
+  by dn.base="cn=replica,ou=people,dc=abmas,dc=biz" write
+  by * read
+</programlisting>
+</para>
+
+	<para>
+	<indexterm><primary>/etc/ldap.conf</primary></indexterm>
+	The <filename>/etc/ldap.conf</filename> file used is listed in <link linkend="ch8ldap"/>.
+	</para>
+
+<example id="ch8ldap">
+<title>NSS LDAP Control File &smbmdash; /etc/ldap.conf</title>
+<screen>
+# /etc/ldap.conf
+# This file is present on every *NIX client that authenticates to LDAP.
+# For me, most of the defaults are fine. There is an amazing amount of
+# customization that can be done see the man page for info.
+
+# Your LDAP server. Must be resolvable without using LDAP. The following
+# is for the LDAP server all others use the FQDN of the server
+URI ldap://127.0.0.1
+
+# The distinguished name of the search base.
+base ou=corp,dc=abmas,dc=biz
+
+# The LDAP version to use (defaults to 3 if supported by client library)
+ldap_version 3
+
+# The distinguished name to bind to the server with if the effective
+# user ID is root. Password is stored in /etc/ldap.secret (mode 600)
+rootbinddn cn=Manager,dc=abmas,dc=biz
+
+# Filter to AND with uid=%s
+pam_filter objectclass=posixAccount
+
+# The user ID attribute (defaults to uid)
+pam_login_attribute uid
+
+# Group member attribute
+pam_member_attribute memberUID
+
+# Use the OpenLDAP password change
+# extended operation to update the password.
+pam_password exop
+
+# OpenLDAP SSL mechanism
+# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
+ssl start_tls
+
+tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem
+...
+</screen>
+</example>
+
+	<para>
+	The NSS control file <filename>/etc/nsswitch.conf</filename> has the following contents:
+<screen>
+# /etc/nsswitch.conf
+# This file controls the resolve order for system databases.
+
+# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
+passwd:   compat ldap
+group:    compat ldap
+# The above are all that I store in LDAP at this point. There are 
+# possibilities to store hosts, services, ethers, and lots of other things.
+</screen>
+	</para>
+
+	<para>
+	<indexterm><primary>PAM</primary></indexterm>
+	<indexterm><primary>NSS</primary></indexterm>
+	In my setup, users authenticate via PAM and NSS using LDAP-based accounts.
+	The configuration file that controls the behavior of the PAM <command>pam_unix2</command>
+	module is shown in <link linkend="sbepu2"/> file.
+	This works out of the box with the configuration files in this chapter. It
+	enables you to have no local accounts for users (it is highly advisable 
+	to have a local account for the root user).  Traps for the unwary include the following:
+	</para>
+
+<example id="sbepu2">
+<title>The PAM Control File <filename>/etc/security/pam_unix2.conf</filename></title>
+<screen>
+# pam_unix2 config file
+#
+# This file contains options for the pam_unix2.so module.
+# It contains a list of options for every type of management group,
+# which will be used for authentication, account management and
+# password management. Not all options will be used from all types of
+# management groups.
+#
+# At first, pam_unix2 will read this file and then uses the local
+# options. Not all options can be set her global.
+#
+# Allowed options are:
+#
+# debug                 (account, auth, password, session)
+# nullok                (auth)
+# md5                   (password / overwrites /etc/default/passwd)
+# bigcrypt              (password / overwrites /etc/default/passwd)
+# blowfish              (password / overwrites /etc/default/passwd)
+# crypt_rounds=XX
+# none                  (session)
+# trace                 (session)
+# call_modules=x,y,z    (account, auth, password)
+#
+#  Example:
+#  auth:        nullok
+#  account:
+#  password:    nullok blowfish crypt_rounds=8
+#  session:     none
+#
+auth: use_ldap
+account: use_ldap
+password: use_ldap
+session: none
+</screen>
+</example>
+
+	<indexterm><primary>LDAP</primary></indexterm>
+	<indexterm><primary>authenticate</primary></indexterm>
+	<indexterm><primary>DNS</primary></indexterm>
+	<itemizedlist>
+		<listitem>
+			<para>
+			If your LDAP database goes down, nobody can authenticate except for root.
+			</para>
+		</listitem>
+
+		<listitem>
+			<para>
+			If failover is configured incorrectly, weird behavior can occur. For example, 
+			DNS can fail to resolve.
+			</para>
+		</listitem>
+	</itemizedlist>
+
+	<para>
+	I do have two LDAP slave servers configured. That subject is beyond the scope
+	of this document, and steps for implementing it are well documented.
+	</para>
+
+	<para>
+	The following services authenticate using LDAP:
+	</para>
+	<indexterm><primary>UNIX</primary></indexterm>
+	<indexterm><primary>Postfix</primary></indexterm>
+	<indexterm><primary>Courier-IMAP</primary></indexterm>
+	<simplelist>
+		<member><para>UNIX login/ssh</para></member>
+		<member><para>Postfix (SMTP)</para></member>
+		<member><para>Courier-IMAP/IMAPS/POP3/POP3S</para></member>
+	</simplelist>
+
+	<para>
+	<indexterm><primary>white-pages</primary></indexterm>
+	<indexterm><primary>Windows Address Book</primary></indexterm>
+	Companywide white pages can be searched using an LDAP client
+	such as the one in the Windows Address Book.
+	</para>
+
+	<para>
+	<indexterm><primary>LDAP</primary></indexterm>
+	<indexterm><primary>smbldap-tools</primary></indexterm>
+	Having gained a solid understanding of LDAP and a relatively workable LDAP tree
+	thus far, it was time to configure Samba. I compiled the latest stable Samba and
+	also installed the latest <command>smbldap-tools</command> from 
+	<ulink url="http://idealx.com">Idealx</ulink>.
+	</para>
+
+	<para>
+	The Samba &smb.conf; file was configured as shown in <link linkend="ch8smbconf"/>.
+	</para>
+
+<example id="ch8smbconf">
+<title>Samba Configuration File &smbmdash; smb.conf Part A</title>
+<smbconfblock>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">MEGANET2</smbconfoption>
+<smbconfoption name="netbios name">MASSIVE</smbconfoption>
+<smbconfoption name="server string">Corp File Server</smbconfoption>
+<smbconfoption name="passdb backend">ldapsam:ldap://localhost</smbconfoption>
+<smbconfoption name="pam password change">Yes</smbconfoption>
+<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
+<smbconfoption name="log level">1</smbconfoption>
+<smbconfoption name="log file">/data/samba/log/%m.log</smbconfoption>
+<smbconfoption name="name resolve order">wins host bcast</smbconfoption>
+<smbconfoption name="time server">Yes</smbconfoption>
+<smbconfoption name="printcap name">cups</smbconfoption>
+<smbconfoption name="show add printer wizard">No</smbconfoption>
+<smbconfoption name="cups options">Raw</smbconfoption>
+<smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m "%u"</smbconfoption>
+<smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption>
+<smbconfoption name="add user to group script">/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</smbconfoption>
+<smbconfoption name="delete user from group script">/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</smbconfoption>
+<smbconfoption name="set primary group script">/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</smbconfoption>
+<smbconfoption name="add machine script">/usr/local/sbin/smbldap-useradd -w "%m"</smbconfoption>
+<smbconfoption name="logon script">logon.bat</smbconfoption>
+<smbconfoption name="logon path">\\%L\profiles\%U\%a</smbconfoption>
+<smbconfoption name="logon drive">H:</smbconfoption>
+<smbconfoption name="logon home">\\%L\%U</smbconfoption>
+<smbconfoption name="domain logons">Yes</smbconfoption>
+<smbconfoption name="wins support">Yes</smbconfoption>
+<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
+<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
+<smbconfoption name="ldap idmap suffix">ou=People</smbconfoption>
+<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
+<smbconfoption name="ldap passwd sync">Yes</smbconfoption>
+<smbconfoption name="ldap suffix">ou=MEGANET2,dc=abmas,dc=biz</smbconfoption>
+<smbconfoption name="ldap ssl">no</smbconfoption>
+<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
+<smbconfoption name="admin users">root, "@Domain Admins"</smbconfoption>
+<smbconfoption name="printer admin">"@Domain Admins"</smbconfoption>
+<smbconfoption name="force printername">Yes</smbconfoption>
+</smbconfblock>
+</example>
+
+<example id="ch8smbconf2">
+<title>Samba Configuration File &smbmdash; smb.conf Part B</title>
+<smbconfblock>
+<smbconfsection name="[netlogon]"/>
+<smbconfoption name="comment">Network logon service</smbconfoption>
+<smbconfoption name="path">/data/samba/netlogon</smbconfoption>
+<smbconfoption name="write list">"@Domain Admins"</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+
+<smbconfsection name="[profiles]"/>
+<smbconfoption name="comment">Roaming Profile Share</smbconfoption>
+<smbconfoption name="path">/data/samba/profiles/</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="profile acls">Yes</smbconfoption>
+<smbconfoption name="veto files">desktop.ini</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+
+<smbconfsection name="[homes]"/>
+<smbconfoption name="comment">Home Directories</smbconfoption>
+<smbconfoption name="valid users">%S</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="create mask">0770</smbconfoption>
+<smbconfoption name="veto files">desktop.ini</smbconfoption>
+<smbconfoption name="hide files">desktop.ini</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+
+<smbconfsection name="[software]"/>
+<smbconfoption name="comment">Software for %a computers</smbconfoption>
+<smbconfoption name="path">/data/samba/shares/software/%a</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+
+<smbconfsection name="[public]"/>
+<smbconfoption name="comment">Public Files</smbconfoption>
+<smbconfoption name="path">/data/samba/shares/public</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+
+<smbconfsection name="[PDF]"/>
+<smbconfoption name="comment">Location of documents printed to PDFCreator printer</smbconfoption>
+<smbconfoption name="path">/data/samba/shares/pdf</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+</smbconfblock>
+</example>
+
+<example id="ch8smbconf3">
+<title>Samba Configuration File &smbmdash; smb.conf Part C</title>
+<smbconfblock>
+<smbconfsection name="[EVERYTHING]"/>
+<smbconfoption name="comment">All shares</smbconfoption>
+<smbconfoption name="path">/data/samba</smbconfoption>
+<smbconfoption name="valid users">"@Domain Admins"</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+
+<smbconfsection name="[CDROM]"/>
+<smbconfoption name="comment">CD-ROM on MASSIVE</smbconfoption>
+<smbconfoption name="path">/mnt</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+
+<smbconfsection name="[print$]"/>
+<smbconfoption name="comment">Printer Drivers Share</smbconfoption>
+<smbconfoption name="path">/data/samba/drivers</smbconfoption>
+<smbconfoption name="write list">root</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+
+<smbconfsection name="[printers]"/>
+<smbconfoption name="comment">All Printers</smbconfoption>
+<smbconfoption name="path">/data/samba/spool</smbconfoption>
+<smbconfoption name="create mask">0644</smbconfoption>
+<smbconfoption name="printable">Yes</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+
+<smbconfsection name="[acct_hp8500]"/>
+<smbconfoption name="comment">"Accounting Color Laser Printer"</smbconfoption>
+<smbconfoption name="path">/data/samba/spool/private</smbconfoption>
+<smbconfoption name="valid users">@acct, @acct_admin, @hr, "@Domain Admins",@Receptionist, dwayne, terri, danae, jerry</smbconfoption>
+<smbconfoption name="create mask">0644</smbconfoption>
+<smbconfoption name="printable">Yes</smbconfoption>
+<smbconfoption name="copy">printers</smbconfoption>
+
+<smbconfsection name="[plotter]"/>
+<smbconfoption name="comment">Engineering Plotter</smbconfoption>
+<smbconfoption name="path">/data/samba/spool</smbconfoption>
+<smbconfoption name="create mask">0644</smbconfoption>
+<smbconfoption name="printable">Yes</smbconfoption>
+<smbconfoption name="use client driver">Yes</smbconfoption>
+<smbconfoption name="copy">printers</smbconfoption>
+</smbconfblock>
+</example>
+
+<example id="ch8smbconf4">
+<title>Samba Configuration File &smbmdash; smb.conf Part D</title>
+<smbconfblock>
+<smbconfsection name="[APPS]"/>
+<smbconfoption name="path">/data/samba/shares/Apps</smbconfoption>
+<smbconfoption name="force group">"Domain Users"</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+
+<smbconfsection name="[ACCT]"/>
+<smbconfoption name="path">/data/samba/shares/Accounting</smbconfoption>
+<smbconfoption name="valid users">@acct, "@Domain Admins"</smbconfoption>
+<smbconfoption name="force group">acct</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="create mask">0660</smbconfoption>
+<smbconfoption name="directory mask">0770</smbconfoption>
+
+<smbconfsection name="[ACCT_ADMIN]"/>
+<smbconfoption name="path">/data/samba/shares/Acct_Admin</smbconfoption>
+<smbconfoption name="valid users">@”acct_admin”</smbconfoption>
+<smbconfoption name="force group">acct_admin</smbconfoption>
+
+<smbconfsection name="[HR_PR]"/>
+<smbconfoption name="path">/data/samba/shares/HR_PR</smbconfoption>
+<smbconfoption name="valid users">@hr, @acct_admin</smbconfoption>
+<smbconfoption name="force group">hr</smbconfoption>
+
+<smbconfsection name="[ENGR]"/>
+<smbconfoption name="path">/data/samba/shares/Engr</smbconfoption>
+<smbconfoption name="valid users">@engr, @receptionist, @truss, "@Domain Admins", cheri</smbconfoption>
+<smbconfoption name="force group">engr</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="create mask">0770</smbconfoption>
+
+<smbconfsection name="[DATA]"/>
+<smbconfoption name="path">/data/samba/shares/DATA</smbconfoption>
+<smbconfoption name="valid users">@engr, @receptionist, @truss, "@Domain Admins", cheri</smbconfoption>
+<smbconfoption name="force group">engr</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="create mask">0770</smbconfoption>
+<smbconfoption name="copy">engr</smbconfoption>
+</smbconfblock>
+</example>
+
+<example id="ch8smbconf5">
+<title>Samba Configuration File &smbmdash; smb.conf Part E</title>
+<smbconfblock>
+<smbconfsection name="[X]"/>
+<smbconfoption name="path">/data/samba/shares/X</smbconfoption>
+<smbconfoption name="valid users">@engr, @acct</smbconfoption>
+<smbconfoption name="force group">engr</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="create mask">0770</smbconfoption>
+<smbconfoption name="copy">engr</smbconfoption>
+
+<smbconfsection name="[NETWORK]"/>
+<smbconfoption name="path">/data/samba/shares/network</smbconfoption>
+<smbconfoption name="valid users">"@Domain Users"</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="create mask">0770</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+
+<smbconfsection name="[UTILS]"/>
+<smbconfoption name="path">/data/samba/shares/Utils</smbconfoption>
+<smbconfoption name="write list">"@Domain Admins"</smbconfoption>
+
+<smbconfsection name="[SYS]"/>
+<smbconfoption name="path">/data/samba/shares/SYS</smbconfoption>
+<smbconfoption name="valid users">chad</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+</smbconfblock>
+</example>
+
+	<para>
+	<indexterm><primary>Qbasic</primary></indexterm>
+	<indexterm><primary>Rbase</primary></indexterm>
+	<indexterm><primary>drive letters</primary></indexterm>
+	Most of these shares are only used by one company group, but they are required
+	because of some ancient Qbasic and Rbase applications were that written expecting
+	their own drive letters.
+	</para>
+
+	<para>
+	<indexterm><primary>rsync</primary></indexterm>
+	<indexterm><primary>rsyncd.conf</primary></indexterm>
+	<indexterm><primary>synchronize</primary></indexterm>
+	Note: During the process of building the new server, I kept data files
+	up to date with the Novell server via use of <command>rsync</command>. 
+	On a separate system (my workstation in fact), which could be rebooted
+	whenever necessary, I set up a mount point to the Novell server via
+	<command>ncpmount</command>. I then created a
+	<filename>rsyncd.conf</filename> to share that mount point out to my
+	new server, and synchronized once an hour. The script I used to synchronize
+	is shown in <link linkend="sbersync"/>. The files exclusion list I used
+	is shown in <link linkend="sbexcld"/>.  The reason I had to have the
+	<command>rsync</command> daemon running on a system that could be
+	rebooted frequently is because <constant>ncpfs</constant>
+	(part of the MARS NetWare Emulation package) has a nasty habit of creating stale
+	mount points that cannot be recovered without a reboot. The reason for hourly
+	synchronization is because some part of the chain was very slow and
+	performance-heavy (whether <command>rsync</command> itself, the network,
+	or the Novell server, I am not sure, but it was probably the Novell server).
+	</para>
+
+<example id="sbersync">
+<title>Rsync Script</title>
+<screen>
+#!/bin/bash
+# Part 1 - rsync the Novell directories to the new server
+echo "#############################################"
+echo "New sync operation starting at `date`"
+if ! pgrep -fl '^rsync\&gt; ; then
+        echo "Good, no rsync is running!"
+  echo "Synchronizing oink to BHPRO"
+        rsync -av --exclude-from=/root/excludes.txt 
+baa.corp:/BHPRO/SYS1/ /data/samba/shares/SYS1
+        retval=$?
+        [ ${retval} = 0 ] &amp;&amp; echo "Sync operation completed at `date`"
+        echo "Fixing permissions"
+        # I had a whole lot more permission-fixing stuff here.  It got
+        # pared down as groups got moved over.  The problem
+        # was that the way I was mounting the directory, everything
+        # was owned by the Novell administrator which translated to
+        # Root.  This is also why I could only do one-way sync because
+        # I could not fix the ACLs on the Novell side.
+        find /data/samba/shares/Engr/ -perm +770 -exec chmod 770 {} \;
+        find /data/samba/shares/Engr/ ! -group engr -exec chgrp engr {} \;
+else
+        # This rsync took ages and ages -- I had it set to run every hour but
+        # I needed a way to prevent it running into itself.
+        echo "Oh no, rsync is already running!"
+echo "#############################################"
+fi
+</screen>
+</example>
+
+<example id="sbexcld">
+<title>Rsync Files Exclusion List &smbmdash; <filename>/root/excludes.txt</filename></title>
+<screen>
+/Acct/
+/Apps/
+/DATA/
+/Engr/*.pc3
+/Engr/plotter
+/Engr/APPOLO/
+/Engr/LIBRARY/
+/Home/Accounting/
+/Home/Angie/
+/Home/AngieY/
+/Home/Brandon/
+/Home/Carl/
+</screen>
+</example>
+
+	<para>
+	After Samba was configured, I initialized the LDAP database. The first
+	thing I had to do was store the LDAP password in the Samba configuration by
+	issuing the command (as root):
+<screen>
+&rootprompt; smbpasswd -w verysecret
+</screen>
+	where <quote>verysecret</quote> is replaced by the LDAP bind password.
+	</para>
+
+<note><para>
+The Idealx smbldap-tools package can be configured using a script called 
+<command>configure.pl</command> that is provided as part of the tool. See <link linkend="happy"/>
+for an example of its use. Many administrators, like Misty, choose to do this manually
+so as to maintain greater awareness of how the tool-chain works and possibly to avoid
+undesirable actions from occurring unnoticed.
+</para></note>
+
+	<para>
+	Now Samba was ready for use and it was time to configure the smbldap-tools. There are two
+	relevant files, which are usually put into the directory
+	<filename>/etc/smbldap-tools</filename>. The main file,
+	<filename>smbldap.conf</filename> is shown in <link linkend="ch8ideal"/>.
+	</para>
+
+<example id="ch8ideal">
+<title>Idealx smbldap-tools Control File &smbmdash; Part A</title>
+<screen>
+#########
+#
+# located in /etc/smbldap-tools/smbldap.conf
+#
+######################################################################
+#
+# General Configuration
+#
+######################################################################
+
+# Put your own SID
+# to obtain this number do: net getlocalsid
+SID="S-1-5-21-725326080-1709766072-2910717368"
+
+######################################################################
+#
+# LDAP Configuration
+#
+######################################################################
+
+# Notes: to use to dual ldap servers backend for Samba, you must patch
+# Samba with the dual-head patch from IDEALX. If not using this patch
+# just use the same server for slaveLDAP and masterLDAP.
+# Those two servers declarations can also be used when you have
+# . one master LDAP server where all writing operations must be done
+# . one slave LDAP server where all reading operations must be done
+#   (typically a replication directory)
+
+# Ex: slaveLDAP=127.0.0.1
+slaveLDAP="127.0.0.1"
+slavePort="389"
+
+# Master LDAP : needed for write operations
+# Ex: masterLDAP=127.0.0.1
+masterLDAP="127.0.0.1"
+masterPort="389"
+
+# Use TLS for LDAP
+# If set to 1, this option will use start_tls for connection
+# (you should also used the port 389)
+ldapTLS="0"
+
+# How to verify the server's certificate (none, optional or require)
+# see "man Net::LDAP" in start_tls section for more details
+verify=""
+</screen>
+</example>
+
+<example id="ch8ideal2">
+<title>Idealx smbldap-tools Control File &smbmdash; Part B</title>
+<screen>
+# CA certificate
+# see "man Net::LDAP" in start_tls section for more details
+cafile=""
+ certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientcert=""
+
+# key certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientkey=""
+
+# LDAP Suffix
+# Ex: suffix=dc=IDEALX,dc=ORG
+suffix="ou=MEGANET2,dc=abmas,dc=biz"
+
+# Where are stored Users
+# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
+usersdn="ou=People,${suffix}"
+
+# Where are stored Computers
+# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
+computersdn="ou=People,${suffix}"
+
+# Where are stored Groups
+# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
+groupsdn="ou=Groups,${suffix}"
+
+# Where are stored Idmap entries
+# (used if samba is a domain member server)
+# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
+idmapdn="ou=Idmap,${suffix}"
+
+# Where to store next uidNumber and gidNumber available
+sambaUnixIdPooldn="sambaDomainName=MEGANET2,${suffix}"
+
+# Default scope Used
+scope="sub"
+</screen>
+</example>
+
+<example id="ch8ideal3">
+<title>Idealx smbldap-tools Control File &smbmdash; Part C</title>
+<screen>
+# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
+hash_encrypt="MD5"
+
+# if hash_encrypt is set to CRYPT, you may set a salt format.
+# default is "%s", but many systems will generate MD5 hashed
+# passwords if you use "$1$%.8s". This parameter is optional!
+crypt_salt_format="%s"
+
+######################################################################
+#
+# Unix Accounts Configuration
+#
+######################################################################
+
+# Login defs
+# Default Login Shell
+# Ex: userLoginShell="/bin/bash"
+userLoginShell="/bin/false"
+
+# Home directory
+# Ex: userHome="/home/%U"
+userHome="/home/%U"
+
+# Gecos
+userGecos="Samba User"
+
+# Default User (POSIX and Samba) GID
+defaultUserGid="513"
+
+# Default Computer (Samba) GID
+defaultComputerGid="515"
+
+# Skel dir
+skeletonDir="/etc/skel"
+
+# Default password validation time (time in days) Comment the next
+# line if you don't want password to be enable for
+# defaultMaxPasswordAge days (be careful to the sambaPwdMustChange
+# attribute's value)
+defaultMaxPasswordAge="45"
+</screen>
+</example>
+
+<example id="ch8ideal4">
+<title>Idealx smbldap-tools Control File &smbmdash; Part D</title>
+<screen>
+######################################################################
+#
+# SAMBA Configuration
+#
+######################################################################
+
+# The UNC path to home drives location (%U username substitution)
+# Ex: \\My-PDC-netbios-name\homes\%U
+# Just set it to a null string if you want to use the smb.conf
+# 'logon home' directive and/or disable roaming profiles
+userSmbHome=""
+
+# The UNC path to profiles locations (%U username substitution)
+# Ex: \\My-PDC-netbios-name\profiles\%U
+# Just set it to a null string if you want to use the smb.conf
+# 'logon path' directive and/or disable roaming profiles
+userProfile=""
+
+# The default Home Drive Letter mapping
+# (will be automatically mapped at logon time if home directory exist)
+# Ex: H: for H:
+userHomeDrive=""
+
+# The default user netlogon script name (%U username substitution)
+# if not used, will be automatically username.cmd
+# make sure script file is edited under DOS
+# Ex: %U.cmd
+# userScript="startup.cmd" # make sure script file is edited under DOS
+userScript=""
+
+# Domain appended to the users "mail"-attribute
+# when smbldap-useradd -M is used
+mailDomain="abmas.org"
+
+######################################################################
+#
+# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
+#
+######################################################################
+# Allows not to use smbpasswd
+# (if with_smbpasswd == 0 in smbldap_conf.pm) but
+# prefer Crypt::SmbHash library
+with_smbpasswd="0"
+smbpasswd="/usr/bin/smbpasswd"
+</screen>
+</example>
+
+	<para>
+	<indexterm><primary>TLS</primary></indexterm>
+	Note: I chose not to take advantage of the TLS capability of this. 
+	Eventually I may go back and tweak it.  Also, I chose not to take advantage
+	of the master/slave configuration as I heard horror stories that it was
+	unstable.  My slave servers are replicas only.
+	</para>
+
+	<para>
+	The <filename>/etc/smbldap-tools/smbldap_bind.conf</filename> file is shown here:
+<screen>
+# smbldap_bind.conf
+#
+# This file simply tells smbldap-tools how to bind to your LDAP server.
+# It has to be a DN with full write access to the Samba portion of
+# the database.
+
+############################
+# Credential Configuration #
+############################
+# Notes: you can specify two different configurations if you use a
+# master ldap for writing access and a slave ldap server for reading access
+# By default, we will use the same DN (so it will work for standard Samba
+# release)
+slaveDN="cn=Manager,dc=abmas,dc=biz"
+slavePw="verysecret"
+masterDN="cn=Manager,dc=abmas,dc=biz"
+masterPw="verysecret"
+</screen>
+	</para>
+
+	<para>
+	The next step was to run the <command>smbldap-populate</command> command, which populates
+	the LDAP tree with the appropriate default users, groups, and UID and GID pools.
+	It creates a user called Administrator with UID=0 and GID=0 matching the
+	Domain Admins group. This is fine because you can still log on as root to a Windows system,
+	but it will break cached credentials if you need to log on as the administrator
+	to a system that is not on the network.
+	</para>
+
+	<para>
+	After the LDAP database has been preloaded, it is prudent to validate that the
+	information needed is in the LDAP directory. This can be done done by restarting
+	the LDAP server, then performing an LDAP search by executing:
+<screen>
+&rootprompt; ldapsearch -W -x -b "dc=abmas,dc=biz"\
+	 -D "cn=Manager,dc=abmas,dc=biz" \
+	"(Objectclass=*)"
+Enter LDAP Password:
+# extended LDIF
+#
+# LDAPv3
+# base &lt;dc=abmas,dc=biz&gt; with scope sub
+# filter: (ObjectClass=*)
+# requesting: ALL
+#
+
+# abmas.biz
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+o: abmas
+dc: abmas
+
+# People, abmas.biz
+dn: ou=People,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: People
+
+# Groups, abmas.biz
+dn: ou=Groups,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: Groups
+
+# Idmap, abmas.biz
+dn: ou=Idmap,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: Idmap
+...
+</screen>
+	</para>
+
+	<para>
+	<indexterm><primary>Windows</primary></indexterm>
+	<indexterm><primary>POSIX</primary></indexterm>
+	<indexterm><primary>smbldap-groupadd</primary></indexterm>
+	<indexterm><primary>RID</primary></indexterm>
+	<indexterm><primary>sambaGroupMapping</primary></indexterm>
+	With the LDAP directory now initialized, it was time to create the Windows and POSIX
+	(UNIX) group accounts as well as the mappings from Windows groups to UNIX groups.
+	The easiest way to do this was to use <command>smbldap-groupadd</command> command.
+	It creates the group with the posixGroup and sambaGroupMapping attributes, a
+	unique GID, and an automatically determined RID. I learned the hard way not to
+	try to do this by hand.
+	</para>
+
+	<para>
+	<indexterm><primary>group mapping</primary></indexterm>
+	<indexterm><primary>smbldap-groupmod</primary></indexterm>
+	<indexterm><primary>memberUID</primary></indexterm>
+	After I had my group mappings in place, I added users to the groups (the users
+	don't really have to exist yet). I used the <command>smbldap-groupmod</command>
+	command to accomplish this. It can also be done manually by adding memberUID
+	attributes to the group entries in LDAP.
+	</para>
+
+	<para>
+	<indexterm><primary>sambaSamAccount</primary></indexterm>
+	<indexterm><primary>posixAccount</primary></indexterm>
+	<indexterm><primary>smbldap-usermod</primary></indexterm>
+	The most monumental task of all was adding the sambaSamAccount information to each
+	already existent posixAccount entry.  I did it one at a time as I moved people onto
+	the new server, by issuing the command:
+<screen>
+&rootprompt; smbldap-usermod -a -P username
+</screen>
+	<indexterm><primary>NetWare</primary></indexterm>
+	<indexterm><primary>LDIF</primary></indexterm>
+	<indexterm><primary>slapcat</primary></indexterm>
+	I completed that step for every user after asking the person what his or her current
+	NetWare password was. The wiser way to have done it would probably have been to dump the
+	entire database to an LDIF file. This can be done by executing:
+<screen>
+&rootprompt; slapcat &gt; somefile.ldif
+</screen>
+	<indexterm><primary>Perl</primary></indexterm>
+	<indexterm><primary>objectClass</primary></indexterm>
+	Then update the LDIF file created by using a Perl script to parse and add the
+	appropriate attributes and objectClasses to each entry, followed by re-importing
+	the entire database into the LDAP directory. 
+	</para>
+
+	<para>
+	Rebuilding of the LDAP directory can be done as follows:
+<screen>
+&rootprompt; rcldap stop
+&rootprompt; cd /data/ldap
+&rootprompt; rm *bdb _* log*
+&rootprompt; su - ldap -c "slapadd -l somefile.ldif"
+&rootprompt; rcldap start
+</screen>
+	This can be done at any time and for any reason, with no harm to the database.
+	</para>
+
+	<para>
+	I first added a test user, of course. The LDIF for this test user looks like
+	this, to give you an idea:
+<screen>
+# Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
+dn:cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
+cn: Test User
+gecos: Test User
+gidNumber: 513
+givenName: Test
+homeDirectory: /home/test.user
+homePhone: 555
+l: Somewhere
+l: ST
+mail: test.user
+o: Corp
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: sambaSamAccount
+postalCode: 12345
+sn: User
+street: 10 Some St.
+uid: test.user
+uidNumber: 1074
+sambaLogonTime: 0
+sambaLogoffTime: 2147483647
+sambaKickoffTime: 2147483647
+sambaPwdCanChange: 0
+displayName: Samba User
+sambaSID: S-1-5-21-725326080-1709766072-2910717368-3148
+sambaLMPassword: 9D29C287C58448F9AAD3B435B51404EE
+sambaAcctFlags: [U]
+sambaNTPassword: D062088E99C95E37D7702287BB35E770
+sambaPwdLastSet: 1102537694
+sambaPwdMustChange: 1106425694
+userPassword: {SSHA}UzFZ2VxRGdwUueLnTGtsTBtnsvMO1oj8
+loginShell: /bin/false
+</screen>
+	</para>
+
+	<para>
+	Then I went over to a spare Windows NT machine and joined it to the MEGANET2 domain.
+	It worked, and the machine's account entry under ou=Computers looks like this:
+<screen>
+dn:uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: sambaSamAccount
+cn: w2kengrspare$
+sn: w2kengrspare$
+uid: w2kengrspare$
+uidNumber: 1104
+gidNumber: 515
+homeDirectory: /dev/null
+loginShell: /bin/false
+description: Computer
+gecos: Computer
+sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208
+sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-2031
+displayName: W2KENGRSPARE$
+sambaPwdCanChange: 1103149236
+sambaPwdMustChange: 2147483647
+sambaNTPassword: CA199C45CB6737035DB6D9D9F6CD1834
+sambaPwdLastSet: 1103149236
+sambaAcctFlags: [W          ]
+</screen>
+	</para>
+
+	<para>
+	<indexterm><primary>netlogon</primary></indexterm>
+	So now I could log on with a test user from the machine w2kengrspare. It was all well and
+	good, but that user was in no groups yet and so had pretty boring access.  I fixed that
+	by writing the login script! To write the login script, I used
+	<ulink url="http://www.kixtart.org">Kixtart</ulink> because it will work
+	with every architecture of Windows, has an active and helpful user base, and was both
+	easier to learn and more powerful than the standard netlogon scripts I have seen.
+	I also did not have to do a logon script per user or per group.
+	</para>
+
+	<para>
+	<indexterm><primary>Kixtart</primary></indexterm>
+	I downloaded Kixtart and put the following files in my netlogon share:
+<screen>
+KIX32.EXE
+KX32.dll
+KX95.dll  &lt;-- Not needed unless you are running Win9x clients.
+kx16.dll  &lt;-- Probably not needed unless you are running DOS clients.
+kxrpc.exe &lt;-- Probably useless as it has to run on the server and can
+          only be run on NT.  It's for Windows 95 to become group-aware.
+          We can get around the need.
+</screen>
+	</para>
+
+	<para>
+	<indexterm><primary>logon.kix</primary></indexterm>
+	I then wrote the <filename>logon.kix</filename> file that is shown in
+	<link linkend="ch8kix"/>. I chose to keep it all in one file, but it
+	can be split up and linked via include directives.
+	</para>
+
+<example id="ch8kix">
+<title>Kixtart Control File &smbmdash; File: logon.kix</title>
+<screen>
+; This script just calls the other scripts.
+
+; First we want to get things done for everyone.
+
+; Second, we do first-time login stuff.
+
+; Third, we go through the group-oriented scripts one at a time.
+
+
+; We want to check for group membership here to avoid the overhead of running
+; scripts which don't apply.
+call "\\massive\netlogon\scripts\main.kix"
+call "\\massive\netlogon\scripts\setup.kix"
+IF INGROUP("MEGANET2\ACCT")
+  call "scripts\acct.kix"
+ENDIF
+IF INGROUP("MEGANET2\ENGR","MEGANET2\RECEPTIONIST")
+call "\\massive\netlogon\scripts\engr.kix"
+ENDIF
+IF INGROUP("MEGANET2\FURN")
+  call "\\massive\netlogon\scripts\furn.kix"
+ENDIF
+IF INGROUP("MEGANET2\TRUSS")
+  call "\\massive\netlogon\scripts\truss.kix"
+ENDIF
+</screen>
+</example>
+
+<example id="ch8kix2">
+<title>Kixtart Control File &smbmdash; File: main.kix</title>
+<screen>
+break on
+
+; Choose whether to hide the login window or not
+IF INGROUP("MEGANET2\Domain Admins")
+  USE Z: \\massive\everything
+  SETCONSOLE("show")
+ELSE
+  ; Nobody cares about seeing the login script except admins
+  SETCONSOLE("hide")
+ENDIF
+
+; Delete all previously connected shares
+USE * /delete
+
+SETTITLE("Logging on @USERID to @LDOMAIN at @TIME")
+
+; Set the time on the workstation
+$Timeserver = "\\massive"
+Settime $TimeServer
+
+; Map the home directory
+USE H: @HOMESHR ; connect to user's home share
+IF @ERROR = 0
+
+  H:
+  CD @HOMEDIR ; change directory to user's home directory
+ENDIF
+
+; Everyone gets the N drive
+USE N: \\massive\network
+</screen>
+</example>
+
+<example id="ch8kix3">
+<title>Kixtart Control File &smbmdash; File: setup.kix, Part A</title>
+<screen>
+; My setup.kix is where all of the redirection stuff happens.  Note that with 
+; the use of registry keys, this only happens the first time they log in ,or if 
+; I delete the pertinent registry keys which triggers it to happen again:
+
+; Check to see if we have written the abmas sub-key before
+$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas")
+IF NOT $RETURNCODE = 0
+; Add key for abmas-specific things on the first login
+  ADDKEY("HKEY_CURRENT_USER\abmas")
+  ; The following key gets deleted at the end of the first login
+  ADDKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
+ENDIF
+
+; People with laptops need My Documents to be in their profile.  People with
+; desktops can have My Documents redirected to their home directory to avoid
+; long delays with logging out and out-of-sync files.
+
+; Check to see if this is the first login -- doesn't make sense to do this
+; at the very first login
+
+$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
+IF NOT $RETURNCODE = 0
+
+; We don't want to do this stuff for people with laptops or people in the FURN
+; group.  (They store their profiles in a different server)
+
+  IF NOT INGROUP("MASSIVE\Laptop","MASSIVE\FURN")
+    $RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\abmas\profile_copied")
+
+; A  crude way to tell what OS our profile is for and copy the "My Documents"
+; to the redirected folder on the server.  It works because the profiles
+; are stored as \\server\profiles\user\architecture
+    IF NOT $RETURNCODE = 0
+      IF EXIST("\\massive\profiles\@userID\WinXP")
+        copy "\\massive\profiles\@userID\WinXP\My Documents\*" 
+"\\massive\@userID\"
+      ENDIF
+      IF EXIST("\\massive\profiles\@userID\Win2K")
+        copy "\\massive\profiles\@userID\Win2K\My Documents\*" 
+"\\massive\@userID\"
+      ENDIF
+      IF EXIST("\\massive\profiles\@userID\WinNT")
+        copy "\\massive\profiles\@userID\WinNT\My Documents\*" 
+"\\massive\@userID\"
+      ENDIF
+</screen>
+</example>
+
+<example id="ch8kix3b">
+<title>Kixtart Control File &smbmdash; File: setup.kix, Part B</title>
+<screen>
+; Now we will write the registry values to redirect the locations of "My 
+Documents"
+; and other folders.
+      ADDKEY("HKEY_CURRENT_USER\abmas\profile_copied")
+      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User 
+Shell Folders", "Personal","\\massive\@userID","REG_SZ")
+      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User 
+Shell Folders", "My Pictures", "\\massive\@userID\My Pictures", "REG_SZ")
+      IF @PRODUCTTYPE="Windows 2000 Professional" or @PRODUCTTYPE="Windows XP
+Professional"
+      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User 
+Shell Folders", "My Videos", "\\massive\@userID\My Videos", "REG_SZ")
+      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User 
+Shell Folders", "My Music", "\\massive\@userID\My Music", "REG_SZ")
+      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User 
+Shell Folders", "My eBooks", "\\massive\@userID\My eBooks", "REG_SZ")
+      ENDIF
+    ENDIF
+  ENDIF
+
+; Now we will delete the FIRST_LOGIN sub-key that we made before.
+; Note - to run this script again you will want to delete the HKCU\abmas
+; sub-key, log out, and log back in.
+$RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
+IF $RETURNVALUE = 0
+  DELKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
+ENDIF
+</screen>
+</example>
+
+<example id="ch8kix4">
+<title>Kixtart Control File &smbmdash; File: acct.kix</title>
+<screen>
+; And here is one group-oriented script to show what can be
+; done that way: acct.kix:
+
+IF INGROUP("MASSIVE\Acct_Admin","MASSIVE\HR")
+  USE I: \\MEGANET2\HR_PR
+ENDIF
+
+; Set up printer
+$RETURNVALUE = existkey("HKEY_CURRENT_USER\Printers\,,massive,acct_hp8500")
+IF NOT $RETURNVALUE = 0
+  ADDPRINTERCONNECTION("\\massive\acct_hp8500")
+  SETDEFAULTPRINTER("\\massive\acct_hp8500")
+ENDIF
+; Set up drive mappings
+  USE M: \\massive\ACCT
+  IF INGROUP("MEGANET2\ABRA")
+    USE T: \\trussrv\abra
+  ENDIF
+</screen>
+</example>
+
+	<para>
+	As you can see in the script, I redirected the My Documents to the user's home
+	share if he or she were not in the Laptop group. I also added printers on a
+	group-by-group basis, and if applicable I set the group printer. For this to
+	be effective, the print drivers must be installed on the Samba server in the
+	<filename>[print$]</filename> share. Ample documentation exists about how to
+	do that, so it is not covered here.
+	</para>
+
+	<para>
+	I call this script via the logon.bat script in the [netlogon] directory:
+<screen>
+\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f
+</screen>
+	I only had to fully qualify the paths for Windows 9x, as Windows NT and
+	greater automatically add [NETLOGON] to the path.
+	</para>
+
+	<para>
+	Also of note for Win9x is that the drive mappings and printer setup will not
+	work because they rely on RPC. You merely have to put the appropriate settings
+	into the <filename>c:\autoexec.bat</filename> file or map the drives manually.
+	One option is to check the OS as part of the Kixtart script, and if it
+	is Win9x and is the first login, copy a premade
+	<filename>autoexec.bat</filename> to the <filename>C:</filename> drive. I
+	have only three such machines, and one is going away in the very near future,
+	so it was easier to do it by hand.
+	</para>
+
+	<para>
+	<indexterm><primary>upgrade</primary></indexterm>
+	At this point I was able to add the users. This is the part that really falls
+	into upgrade. I moved the users over one group at a time, starting with the
+	people who used the least amount of resources on the network. With each group
+	that I moved, I first logged on as a standard user in that group and took
+	careful note of the environment, mainly the printers he or she used, the PATH,
+	and what network resources he or she had access to (most importantly, which ones
+	the user actually needed access to).
+	</para>
+
+	<para>
+	I then added the user's SambaSamAccount information as mentioned earlier,
+	and join the computer to the domain. The very first thing I had to do was to
+	copy the user's profile to the new server. This was very important, and I really
+	struggled with the most effective way to do it.  Here is the method that worked
+	for every one of my users on Windows NT, 2000, and XP:
+	</para>
+
+	<procedure>
+		<step><para>
+			Log in as the user on the domain. This creates the local copy
+			of the user's profile and copies it to the server as he or she logs out.
+		</para></step>
+
+		<step><para>
+			Reboot the computer and log in as the local machine administrator.
+		</para></step>
+
+		<step><para>
+			Right-click My Computer, click Properties, and navigate to the
+			user profiles tab (varies per version of Windows).
+		</para></step>
+
+		<step><para>
+			Select the user's local profile <constant>(COMPUTERNAME\username)</constant>,
+			and click the <command>Copy To</command> button.
+		</para></step>
+
+		<step><para>
+			In the next dialog, copy it directly to the profiles share on the
+			Samba server (in my case \\PDCname\profiles\user\&lt;architecture&gt;.
+			You will have had to make a connection to the share as that
+			user (e.g., Windows Explorer type \\PDCname\profiles\username).
+		</para></step>
+
+		<step><para>
+			When the copy is complete (it can take a while) log out, and log back in
+			as the user. All of his or her settings and all contents of My Documents,
+			Favorites, and the registry should have been copied successfully.
+		</para></step>
+
+		<step><para>
+			If it doesn't look right (the dead giveaway is the desktop background),
+			shut down the computer without logging out (power cycle) and try logging
+			in as the user again. If it still doesn't work, repeat the steps above.
+			I only had to ever repeat it once.
+		</para></step>
+
+	</procedure>
+
+	<para>
+	Words to the Wise:
+	</para>
+
+	<itemizedlist>
+		<listitem><para>
+			If the user was anything other than a standard user on his or her system
+			before, you will save yourself some headaches by giving him or her identical
+			permissions (on the local machine) as his or her domain account <emphasis>before</emphasis>
+			copying the profile over. Do this through the User Administrator
+			in the Control Panel, after joining the computer to the domain and
+			before logging on as that user for the first time. Otherwise the user will
+			have trouble with permissions on his or her registry keys.
+		</para></listitem>
+
+		<listitem><para>
+			If any application was installed for the user only, rather than for
+			the entire system, it will probably not work without being reinstalled.
+		</para></listitem>
+	</itemizedlist>
+
+	<para>
+	After all these steps are accomplished, only cleanup details are left. Make sure user's
+	shortcuts and Network Places point to the appropriate place on the new server, check
+	the important applications to be sure they work as expected and troubleshoot any problems
+	that might arise, and check to be sure the user's printers are present and working. By the
+	way, if there are any network printers installed as system printers (the Novell way),
+	you will need to log in as a local administrator and delete them.
+	</para>
+
+	<para>
+	For my non-laptop systems, I would then log in and out a couple times as the user
+	to be sure that his or her registry settings were modified, and then I was finished.
+	</para>
+
+	<para>
+	Some compatibility issues that cropped up included the following:
+	</para>
+
+	<para>
+	Blackberry client: It did not like having its registry settings moved around
+	and so had to be reinstalled. Also, it needed write permissions to a portion of
+	the hard drive, and I had to give it those manually on the one system where
+	this was an issue.
+	</para>
+
+	<para>
+	CAMedia: Digital camera software for Canon cameras caused all kinds of trouble
+	with the registry. I had to use the Run as service to open the registry of
+	the local user while logged in as the domain user, and give the domain user
+	the appropriate permissions to some registry keys, then export that portion
+	of the registry to a file. Then, as the domain user, I had to import that file
+	into the registry.
+	</para>
+
+	<para>
+	Crystal Reports version 7: More registry problems that were solved by recopying
+	the user's profile.
+	</para>
+
+	<para>
+	Printing from legacy applications: I found out that Novell sends its jobs to
+	the printer in a raw format. CUPS sends them in PostScript by default. I had
+	to make a second printer definition for one printer and tell CUPS specifically
+	to send raw data to the printer, then assign this printer to the LPT port with
+	Kixtart's version of the net use command.
+	</para>
+
+	<para>
+	These were all eventually solved by elbow grease, queries to the Samba mailing
+	list and others, and diligence. The complete migration took about 5 weeks.
+	My userbase is relatively small but includes multiple versions of Windows,
+	multiple Linux member servers, a mechanized saw, a pen plotter, and legacy
+	applications written in Qbasic and R:Base, just to name a few. I actually
+	ended up making some of these applications work better (or work again, as
+	some of them had stopped functioning on the old server) because as part of
+	the process I had to find out how things were supposed to work.
+	</para>
+
+	<para>
+	The one thing I have not been able to get working is a very old database that
+	we had around for reference purposes; it uses Novell's Btrieve engine.
+	</para>
+
+	<para>
+	As the resources compare, I went from 95 percent disk usage to just around 10 percent.
+	I went from a very high load on the server to an average load of between one
+	and two runnable processes on the server. I have improved the security and
+	robustness of the system. I have also implemented
+	<ulink url="http://www.clamav.net">ClamAV</ulink> antivirus software,
+	which scans the entire Samba server for viruses every 2 hours and
+	quarantines them. I have found it much less problematic than our ancient
+	version of Norton Antivirus Corporate Edition, and much more up-to-date.
+	</para>
+
+	<para>
+	In short, my users are much happier now that the new server is running, and that
+	is what is important to me.
+	</para>
+
+	</sect3>
+
+	</sect2>
+
+</sect1>
+
+</chapter>
+