author | John Terpstra <jht@samba.org> | 2005-04-13 02:26:17 +0000 |
---|---|---|
committer | Gerald W. Carter <jerry@samba.org> | 2008-04-23 08:46:25 -0500 |
commit | 6262d3083458e4fc1dfcff77e616063e4b71e477 (patch) | |
tree | ddfea67e7c0c679d69a0fea331795971cc42e58a /docs/Samba-Guide/SBE-MigrateNW4Samba3.xml | |
parent | 2b7907805aeb32775f11795b88e01721b115eafe (diff) | |
download | samba-6262d3083458e4fc1dfcff77e616063e4b71e477.tar.gz samba-6262d3083458e4fc1dfcff77e616063e4b71e477.tar.bz2 samba-6262d3083458e4fc1dfcff77e616063e4b71e477.zip |
Begin of another reorg.
(This used to be commit 131d76df85ab12f5a171120113d4dfa7ad3f2220)
Diffstat (limited to 'docs/Samba-Guide/SBE-MigrateNW4Samba3.xml')
-rw-r--r-- | docs/Samba-Guide/SBE-MigrateNW4Samba3.xml | 1599 |
1 files changed, 1599 insertions, 0 deletions
diff --git a/docs/Samba-Guide/SBE-MigrateNW4Samba3.xml b/docs/Samba-Guide/SBE-MigrateNW4Samba3.xml new file mode 100644 index 0000000000..883a2447a6 --- /dev/null +++ b/docs/Samba-Guide/SBE-MigrateNW4Samba3.xml 
@@ -0,0 +1,1599 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> +<chapter id="nw4migration"> + <title>Migrating NetWare 4.11 Server to Samba-3</title> + + <para> + <indexterm><primary>Novell</primary></indexterm> + <indexterm><primary>SuSE</primary></indexterm> + <indexterm><primary>Ximian</primary></indexterm> + <indexterm><primary>FLOSS</primary><see>Free-Libre/Open Source Software</see></indexterm> + <indexterm><primary>Free-Libre/Open Source Software</primary></indexterm> + Novell is a company any seasoned IT manager has to admire. Since the acquisition of + the SuSE Linux company, the acquisition on Ximian, and other moves that are friendly + to the FLOSS (Free-Libre/Open Source Software) movement, Novell are emerging out of + a deep regression that almost saw the company disappear into obscurity. The now Linux + friendly Novell's SUSE Linux is being used as a host to which NetWare servers are being + migrated. It is in many ways ironic that Novell are today hosting NetWare on top of + Linux. At the same time older NetWare servers are still being migrated to Samba servers. + It will be interesting to see what will become of NetWare over time. + </para> + + <para> + <indexterm><primary>Red Hat</primary></indexterm> + <indexterm><primary>Debian</primary></indexterm> + <indexterm><primary>Gentoo</primary></indexterm> + <indexterm><primary>Mandrake</primary></indexterm> + Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian, + Gentoo, Mandrake, SUSE (Novell) the information in this chapter should be read with + appropriate cognizance that file locations may vary a little; even so the information + in this chapter should provide something of value. 
+ </para> + + <para> + <indexterm><primary>migration</primary></indexterm> + This chapter was contributed by Misty Stanley-Jones, a UNIX administrator of many + years who surfaced on the Samba mailing list with a barrage of questions, and who + regularly now helps other administrators to solve thorny Samba migration questions. + </para> + + <para> + <indexterm><primary>NetWare</primary></indexterm> + <indexterm><primary>NLM</primary></indexterm> + <indexterm><primary>NetWare</primary></indexterm> + <indexterm><primary>Mars_NWE</primary></indexterm> + One wonders how many NetWare servers remain in active service. Many are being migrated + to Samba on Linux. Red Hat Linux, SUSE Linux 9.x and SUSE Linux Enterprise Server 9 are + ideal target platforms to which a NetWare server may be migrated. The migration method + of choice is much dependant on the tools that the administrator finds most natural to use. + The old-hand NetWare guru will likely want to use the tools like the NetWare NLM for + <command>rsync</command> to migrate files from the NetWare server to the Samba server. + The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stovers' NetWare + Emulator) open source package. The MS Windows network administrator will likely make use of the + NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice, + migration will be filled with joyous and challenging moments - though probably not + concurrently. + </para> + + <para> + This chapter tells its own story, so ride along, ... maybe the information here presented + will help to smooth over a similar migration challenge in your favorite networking environment. + </para> + +<sect1> + <title>Introduction</title> + + <para> + <indexterm><primary>Novell</primary></indexterm> + Misty Stanley-Jones was recruited by Abmas Inc. to administer a network that had + not received much attention for some years and was much in need of a make-over. 
+ As a brand-new sysadmin to this company, she inherited a very old Novell file server, + and came with a determination to change things for the better. + </para> + + <para> + A site survey turned up the following details for the old NetWare server: + </para> + + <simplelist> + <member><para>200 MHz MMX processor</para></member> + <member><para>512K RAM</para></member> + <member><para>24 GB disk space in RAID1</para></member> + <member><para>Novell 4.11 patched to service pack 7</para></member> + <member><para>60+ users</para></member> + <member><para>7 network-attached printers</para></member> + </simplelist> + + <para> + The company had outgrown this server several years ago and were dealing with + severe growing pains. Some of the problems experienced were: + </para> + + <itemizedlist> + <listitem> + <para>Very slow performance</para> + </listitem> + <listitem> + <para>Available storage hovering around the 5% range.</para> + <itemizedlist> + <listitem> + <para>Extremely slow print spooling.</para> + </listitem> + <listitem> + <para> + Users storing information on their local hard + drives, causing backup integrity problems. + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + + <para> + <indexterm><primary>payroll</primary></indexterm> + At one point disk space had filled up to 100% causing the payroll database + to become corrupt. This caused the accounting department to be down for over + a week and necessitated deployment of another file server. The replacement + server was created with very poor security and design considerations from + a discarded desktop PC. + </para> + + <sect2> + <title>Assignment Tasks</title> + + <para> + Misty has provided this summary of her migration experience in the hope + that it will help someone to avoid the challenges she faced. Perhaps her + configuration files and background will accelerate your learning as you + grapple with a similar migration challenge. 
+ </para> + + <para> + After presenting a cost-benefit report to management, as well as an estimated + time-to-completion, approval was given proceed with the solution proposed. + The server was built from purchased components. The total project cost + was $3000. A brief description of the configuration follows: + </para> + + <simplelist> + <member> + <para>3.0 GHz P4 Processor</para> + </member> + <member> + <para>1 GB RAM</para> + </member> + <member> + <para>120 GB SATA operating system drive</para> + </member> + <member> + <para>4 x 80 GB SATA data drives (RAID5 240 GB capacity)</para> + </member> + <member> + <para>2 x 80 GB SATA removable drives for online backup</para> + </member> + <member> + <para>A DLT drive for asynchronous offline backup</para> + </member> + <member> + <para>SUSE Linux Professional 9.2</para> + </member> + </simplelist> + + <para> + The new system has operated for six months without problems. Over the past months + much attention has been focused on cleaning up desktops and user profiles. + </para> + + </sect2> +</sect1> + +<sect1> + <title>Dissection and Discussion</title> + + <para> + <indexterm><primary>LDAP</primary></indexterm> + <indexterm><primary>e-Directory</primary></indexterm> + <indexterm><primary>authentication</primary></indexterm> + <indexterm><primary>identity management</primary></indexterm> + A decision to use LDAP was made even though I know nothing about LDAP except that + I had been reading the book <quote>LDAP System Administration</quote>, by Gerald Carter. + LDAP seemed to provide some of the functionality of Novell's e-Directory Services + and would provide centralized authentication and identity management. + </para> + + <para> + <indexterm><primary>database</primary></indexterm> + <indexterm><primary>RPM</primary></indexterm> + <indexterm><primary>tree</primary></indexterm> + Building the LDAP database took a while, and a lot of trial and error. 
Following + the guidance I obtained from Jerry Carter's book <quote>LDAP System + Administration</quote>, I installed OpenLDAP (from RPM; later I compiled + a more current version from source) and built my initial LDAP tree. + </para> + + <sect2> + <title>Technical Issues</title> + + <para> + <indexterm><primary>white-pages</primary></indexterm> + <indexterm><primary>inetOrgPerson</primary></indexterm> + <indexterm><primary>OpenLDAP</primary></indexterm> + <indexterm><primary>/etc/passwd</primary></indexterm> + <indexterm><primary>/etc/shadow</primary></indexterm> + <indexterm><primary>LDIF</primary></indexterm> + <indexterm><primary>IMAP</primary></indexterm> + <indexterm><primary>POP3</primary></indexterm> + <indexterm><primary>SMTP</primary></indexterm> + The first challenge was to create a company white-pages, followed by manually + entering everything from the printed company directory. This used only the inetOrgPerson + objectclass from the OpenLDAP schemas. The next step was to write a shell script which + would look at the <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename> + files on our mail server, and create a LDIF file from which the information could be + imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3, + and SMTP. + </para> + + <para> + Given that a decision had been made to use Courier-IMAP the schema <quote>courier.schema</quote> + from the Courier-IMAP source tarball is ncessary to resolve Courier-specific LDAP directory + needs. 
+ </para> + + </sect2> + +</sect1> + +<sect1> + <title>Implementation</title> + + <para> + </para> + + <sect2> + <title>NetWare Migration Using LDAP Backend</title> + + <para> + The following software must be installed on the SUSE Linux Enterprise Server to perform + this migration: + </para> + + <simplelist> + <member><para>openldap2</para></member> + <member><para>openldap2-client</para></member> + <member><para>openldap2-devel (only for Samba compilation)</para></member> + <member><para>nss_ldap</para></member> + <member><para>smbldap-tools Version 0.8.7</para></member> + <member><para>perl-ldap</para></member> + <member><para>samba-3.0.12 or later</para></member> + <member><para>samba-client-3.0.12 or later</para></member> + <member><para>samba-winbind-3.0.12 or later</para></member> + </simplelist> + + <para> + Each software application must be carefully configured in preparation for migration. + The configuration files used at Abmas are provided as a guide and should be modified + to meet needs at your site. + </para> + + <sect3> + <title>LDAP Server Configuration</title> + + <para> + The <filename>/etc/openldap/slapd.conf</filename> file Misty used is shown in <link linkend="ch8slapd"/>. + </para> + +<example id="ch8slapd"> +<title>OpenLDAP Control File &smbmdash; slapd.conf Part A</title> +<screen> +#/usr/local/etc/openldap/slapd.conf +# +# See slapd.conf(5) for details on configuration options. +# This file should NOT be world readable. 
+# +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/samba.schema +include /etc/openldap/schema/dhcp.schema +include /etc/openldap/schema/misc.schema +include /etc/openldap/schema/idpool.schema +include /etc/openldap/schema/eduperson.schema +include /etc/openldap/schema/commURI.schema +include /etc/openldap/schema/local.schema +include /etc/openldap/schema/authldap.schema + +pidfile /var/run/slapd/run/slapd.pid +argsfile /var/run/slapd/run/slapd.args + +replogfile /data/ldap/log/slapd.replog + +# Load dynamic backend modules: +modulepath /usr/lib/openldap/modules + +####################################################################### +# Logging parameters +####################################################################### +loglevel 256 + +####################################################################### +# SASL and TLS options +####################################################################### +sasl-host ldap.corp.abmas.org +sasl-realm DIGEST-MD5 +sasl-secprops none +TLSCipherSuite HIGH:MEDIUM:+SSLV2 +TLSCertificateFile /etc/ssl/certs/private/abmas-cert.pem +TLSCertificateKeyFile /etc/ssl/certs/private/abmas-key.pem +password-hash {SSHA} +defaultsearchbase "dc=abmas,dc=biz" +</screen> +</example> + + +<example id="ch8slapd2"> +<title>OpenLDAP Control File &smbmdash; slapd.conf Part B</title> +<screen> +####################################################################### +# bdb database definitions +####################################################################### +database bdb +suffix "dc=abmas,dc=biz" +rootdn "cn=manager,dc=abmas,dc=biz" +rootpw {SSHA}gdo/dUvoT4ZJmULz3rUt6A3H/hBEduJ5 +directory /data/ldap +mode 0600 +# The following is for BDB to make it flush its data to disk every +# 500 seconds or 5kb of data +checkpoint 500 5 + +## For running slapindex +#readonly on + +## 
Indexes for often-requested attributes +index objectClass eq +index cn eq,sub +index sn eq,sub +index uid eq,sub +index uidNumber eq +index gidNumber eq +index sambaSID eq +index sambaPrimaryGroupSID eq +index sambaDomainName eq +index default sub +cachesize 2000 + +replica host=baa.corp.abmas.org:389 + suffix="dc=abmas,dc=biz" + binddn="cn=replica,dc=abmas,dc=biz" + credentials=verysecret + bindmethod=simple + tls=yes +replica host=ns.abmas.org:389 + suffix="dc=abmas,dc=biz" + binddn="cn=replica,dc=abmas,dc=biz" + credentials=verysecret + bindmethod=simple + tls=yes +</screen> +</example> + +<example id="ch8slapd3"> +<title>OpenLDAP Control File &smbmdash; slapd.conf Part C</title> +<screen> +####################################################################### +# ACL section +####################################################################### +## MOST RESTRICTIVE RULES MUST GO FIRST! + +## Users can change their own passwords. +## Nobody else can read the password +access to attrs=userPassword + by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators, \ + dc=abmas,dc=biz" write + by self write + by * auth + +## Home contact info restricted to the logged-in user +access to attrs=hometelephoneNumber,homePostalAddress,\ + mobileTelephoneNumber,pagerTelephoneNumber + by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,\ + dc=abmas,dc=biz" write + by self write + by * none + +## Only admins can manage email aliases +access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz" + filter=(roleOccupant=*) + attrs=maildrop + by dnattr=roleOccupant write + by * read + +## Allow delegated management of certain aliases which are +## for mailman-style mailing lists. 
+access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz" + by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,\ + dc=abmas,dc=biz" write + by * read + +## Default to read-only access +access to * + by dn.base="cn=replica,ou=people,ou=corp,dc=abmas,dc=biz" write + by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,\ + dc=abmas,dc=biz" write + by * read +access to attrs=namingcontexts + by anonymous read +</screen> +</example> + + <para> + <indexterm><primary>/etc/ldap.conf</primary></indexterm> + The <filename>/etc/ldap.conf</filename> file used is listed in <link linkend="ch8ldap"/>. + </para> + +<example id="ch8ldap"> +<title>NSS LDAP Control File &smbmdash; /etc/ldap.conf</title> +<screen> +# /etc/ldap.conf +# This file is present on every *NIX client that authenticates to LDAP. +# For me, most of the defaults are fine. There is an amazing amount of +# customization that can be done see the man page for info. + +# Your LDAP server. Must be resolvable without using LDAP. The following +# is for the LDAP server all others use the FQDN of the server +URI ldap://127.0.0.1 + +# The distinguished name of the search base. +base ou=corp,dc=abmas,dc=biz + +# The LDAP version to use (defaults to 3 if supported by client library) +ldap_version 3 + +# The distinguished name to bind to the server with if the effective +# user ID is root. Password is stored in /etc/ldap.secret (mode 600) +rootbinddn cn=Manager,dc=abmas,dc=biz + +# Filter to AND with uid=%s +pam_filter objectclass=posixAccoun + +# The user ID attribute (defaults to uid) +pam_login_attribute uid + +# Group member attribute +pam_member_attribute memberUID + +# Use the OpenLDAP password change +# extended operation to update the password. +pam_password exop + +# OpenLDAP SSL mechanism +# start_tls mechanism uses the normal LDAP port, LDAPS typically 636 +ssl start_tls + +tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem +... 
+</screen> +</example> + + <para> + The Name Server Switch control file <filename>/etc/nsswitch.conf</filename> has the following contents: +<screen> +# /etc/nsswitch.conf +# This file controls the resolve order for system databases. + +# the following two lines obviate the "+" entry in /etc/passwd and /etc/group. +passwd: files ldap +group: files ldap +shadow: files ldap +# The above are all that I store in LDAP at this point. There are +# possibilities to store hosts, services, ethers, and lots of other things. +</screen> + </para> + + <para> + <indexterm><primary>PAM</primary></indexterm> + <indexterm><primary>NSS</primary></indexterm> + In my setup, users authenticate via PAM and NSS using LDAP-based accounts. + This works out of the box with the configuration files in this chapter. It + enables you to have no local accounts for users (it is highly advisable + to have a local account for the root user). Traps for the unwary include: + </para> + + <indexterm><primary>LDAP</primary></indexterm> + <indexterm><primary>authenticate</primary></indexterm> + <indexterm><primary>DNS</primary></indexterm> + <itemizedlist> + <listitem> + <para> + If your LDAP database goes down, nobody can authenticate except for root. + </para> + </listitem> + + <listitem> + <para> + If fail-over is configured incorrectly weird behavior can occur. For example, + DNS failing to resolve. + </para> + </listitem> + </itemizedlist> + + <para> + I do have two LDAP slave servers configured. That subject is beyond the scope + of this document and steps for implementing it are well-documented. 
+ </para> + + <para> + The following services authenticate using LDAP: + </para> + <indexterm><primary>UNIX</primary></indexterm> + <indexterm><primary>Postfix</primary></indexterm> + <indexterm><primary>Courier-IMAP</primary></indexterm> + <simplelist> + <member><para>UNIX login/ssh</para></member> + <member><para>Postfix (SMTP)</para></member> + <member><para>Courier-IMAP/IMAPS/POP3/POP3S</para></member> + </simplelist> + + <para> + <indexterm><primary>white-pages</primary></indexterm> + <indexterm><primary>Windows Address Book</primary></indexterm> + Company-wide White-Pages can be searched using a LDAP client + such as the one in the Windows Address Book. + </para> + + <para> + <indexterm><primary>LDAP</primary></indexterm> + <indexterm><primary>smbldap-tools</primary></indexterm> + Having gained a solid understanding of LDAP, and a relatively workable LDAP tree + thus far, it was time to configure Samba. I compiled the latest stable SAMBA and + also installed the latest <command>smbldap-tools</command> from + <ulink url="http://idealx.com">Idealx</ulink>. + </para> + + <para> + The Samba &smb.conf; file was configured as shown in <link linkend="ch8smbconf"/>. 
+ </para> + +<smbconfexample id="ch8smbconf"> +<title>Samba Configuration File &smbmdash; smb.conf Part A</title> +<smbconfcomment>Global parameters</smbconfcomment> +<smbconfsection name="[global]"/> +<smbconfoption name="workgroup">MEGANET2</smbconfoption> +<smbconfoption name="netbios name">MASSIVE</smbconfoption> +<smbconfoption name="server string">Corp File Server</smbconfoption> +<smbconfoption name="passdb backend">ldapsam:ldap://localhost</smbconfoption> +<smbconfoption name="pam password change">Yes</smbconfoption> +<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption> +<smbconfoption name="log level">1</smbconfoption> +<smbconfoption name="log file">/data/samba/log/%m.log</smbconfoption> +<smbconfoption name="name resolve order">wins host bcast</smbconfoption> +<smbconfoption name="time server">Yes</smbconfoption> +<smbconfoption name="printcap name">cups</smbconfoption> +<smbconfoption name="show add printer wizard">No</smbconfoption> +<smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m "%u"</smbconfoption> +<smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption> +<smbconfoption name="add user to group script"></smbconfoption> +<member><parameter>/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</parameter></member> +<smbconfoption name="delete user from group script"></smbconfoption> +<member><parameter>/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</parameter></member> +<smbconfoption name="set primary group script"></smbconfoption> +<member><parameter>/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</parameter></member> +<smbconfoption name="add machine script">/usr/local/sbin/smbldap-useradd -w "%m"</smbconfoption> +<smbconfoption name="logon script">logon.bat</smbconfoption> +<smbconfoption name="logon path">\\%L\profiles\%U\%a</smbconfoption> +<smbconfoption name="logon drive">H:</smbconfoption> +<smbconfoption name="logon home">\\%L\%U</smbconfoption> +<smbconfoption 
name="domain logons">Yes</smbconfoption> +<smbconfoption name="wins support">Yes</smbconfoption> +<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption> +<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption> +<smbconfoption name="ldap idmap suffix">ou=People</smbconfoption> +<smbconfoption name="ldap machine suffix">ou=People</smbconfoption> +<smbconfoption name="ldap passwd sync">Yes</smbconfoption> +<smbconfoption name="ldap suffix">ou=MEGANET2,dc=abmas,dc=biz</smbconfoption> +<smbconfoption name="ldap ssl">no</smbconfoption> +<smbconfoption name="ldap user suffix">ou=People</smbconfoption> +<smbconfoption name="admin users">root, "@Domain Admins"</smbconfoption> +<smbconfoption name="printer admin">"@Domain Admins"</smbconfoption> +<smbconfoption name="force printername">Yes</smbconfoption> +</smbconfexample> + +<smbconfexample id="ch8smbconf2"> +<title>Samba Configuration File &smbmdash; smb.conf Part B</title> +<smbconfsection name="[netlogon]"/> +<smbconfoption name="comment">Network logon service</smbconfoption> +<smbconfoption name="path">/data/samba/netlogon</smbconfoption> +<smbconfoption name="write list">"@Domain Admins"</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> + +<smbconfsection name="[profiles]"/> +<smbconfoption name="comment">Roaming Profile Share</smbconfoption> +<smbconfoption name="path">/data/samba/profiles/</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="profile acls">Yes</smbconfoption> +<smbconfoption name="veto files">desktop.ini</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[homes]"/> +<smbconfoption name="comment">Home Directories</smbconfoption> +<smbconfoption name="valid users">%S</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="create mask">0770</smbconfoption> +<smbconfoption name="veto files">desktop.ini</smbconfoption> +<smbconfoption 
name="hide files">desktop.ini</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[software]"/> +<smbconfoption name="comment">Software for %a computers</smbconfoption> +<smbconfoption name="path">/data/samba/shares/software/%a</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> + +<smbconfsection name="[public]"/> +<smbconfoption name="comment">Public Files</smbconfoption> +<smbconfoption name="path">/data/samba/shares/public</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> + +<smbconfsection name="[PDF]"/> +<smbconfoption name="comment">Location of documents printed to PDFCreator printer</smbconfoption> +<smbconfoption name="path">/data/samba/shares/pdf</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> +</smbconfexample> + +<smbconfexample id="ch8smbconf3"> +<title>Samba Configuration File &smbmdash; smb.conf Part C</title> +<smbconfsection name="[EVERYTHING]"/> +<smbconfoption name="comment">All shares</smbconfoption> +<smbconfoption name="path">/data/samba</smbconfoption> +<smbconfoption name="valid users">"@Domain Admins"</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> + +<smbconfsection name="[CDROM]"/> +<smbconfoption name="comment">CD-ROM on MASSIVE</smbconfoption> +<smbconfoption name="path">/mnt</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> + +<smbconfsection name="[print$]"/> +<smbconfoption name="comment">Printer Drivers Share</smbconfoption> +<smbconfoption name="path">/data/samba/drivers</smbconfoption> +<smbconfoption name="write list">root</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[printers]"/> +<smbconfoption name="comment">All Printers</smbconfoption> +<smbconfoption name="path">/data/samba/spool</smbconfoption> +<smbconfoption name="create mask">0644</smbconfoption> +<smbconfoption 
name="printable">Yes</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[acct_hp8500]"/> +<smbconfoption name="comment">"Accounting Color Laser Printer"</smbconfoption> +<smbconfoption name="path">/data/samba/spool/private</smbconfoption> +<smbconfoption name="valid users">@acct, @acct_admin, @hr, "@Domain Admins",\</smbconfoption> +<member><parameter>@Receptionist, dwayne, terri, danae, jerry</parameter></member> +<smbconfoption name="create mask">0644</smbconfoption> +<smbconfoption name="printable">Yes</smbconfoption> +<smbconfoption name="copy">printers</smbconfoption> + +<smbconfsection name="[plotter]"/> +<smbconfoption name="comment">Engineering Plotter</smbconfoption> +<smbconfoption name="path">/data/samba/spool</smbconfoption> +<smbconfoption name="create mask">0644</smbconfoption> +<smbconfoption name="printable">Yes</smbconfoption> +<smbconfoption name="use client driver">Yes</smbconfoption> +<smbconfoption name="copy">printers</smbconfoption> +</smbconfexample> + +<smbconfexample id="ch8smbconf4"> +<title>Samba Configuration File &smbmdash; smb.conf Part D</title> +<smbconfsection name="[APPS]"/> +<smbconfoption name="path">/data/samba/shares/Apps</smbconfoption> +<smbconfoption name="force group">"Domain Users"</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> + +<smbconfsection name="[ACCT]"/> +<smbconfoption name="path">/data/samba/shares/Accounting</smbconfoption> +<smbconfoption name="valid users">@acct, "@Domain Admins"</smbconfoption> +<smbconfoption name="force group">acct</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="create mask">0660</smbconfoption> +<smbconfoption name="directory mask">0770</smbconfoption> + +<smbconfsection name="[ACCT_ADMIN]"/> +<smbconfoption name="path">/data/samba/shares/Acct_Admin</smbconfoption> +<smbconfoption name="valid users">@”acct_admin”</smbconfoption> +<smbconfoption name="force 
group">acct_admin</smbconfoption> + +<smbconfsection name="[HR_PR]"/> +<smbconfoption name="path">/data/samba/shares/HR_PR</smbconfoption> +<smbconfoption name="valid users">@hr, @acct_admin</smbconfoption> +<smbconfoption name="force group">hr</smbconfoption> + +<smbconfsection name="[ENGR]"/> +<smbconfoption name="path">/data/samba/shares/Engr</smbconfoption> +<smbconfoption name="valid users">@engr, @receptionist, @truss, "@Domain Admins", cheri</smbconfoption> +<smbconfoption name="force group">engr</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="create mask">0770</smbconfoption> + +<smbconfsection name="[DATA]"/> +<smbconfoption name="path">/data/samba/shares/DATA</smbconfoption> +<smbconfoption name="valid users">@engr, @receptionist, @truss, "@Domain Admins", cheri</smbconfoption> +<smbconfoption name="force group">engr</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="create mask">0770</smbconfoption> +<smbconfoption name="copy">engr</smbconfoption> +</smbconfexample> + +<smbconfexample id="ch8smbconf5"> +<title>Samba Configuration File &smbmdash; smb.conf Part E</title> +<smbconfsection name="[X]"/> +<smbconfoption name="path">/data/samba/shares/X</smbconfoption> +<smbconfoption name="valid users">@engr, @acct</smbconfoption> +<smbconfoption name="force group">engr</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="create mask">0770</smbconfoption> +<smbconfoption name="copy">engr</smbconfoption> + +<smbconfsection name="[NETWORK]"/> +<smbconfoption name="path">/data/samba/shares/network</smbconfoption> +<smbconfoption name="valid users">"@Domain Users"</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="create mask">0770</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> + +<smbconfsection name="[UTILS]"/> +<smbconfoption name="path">/data/samba/shares/Utils</smbconfoption> 
+<smbconfoption name="write list">"@Domain Admins"</smbconfoption> + +<smbconfsection name="[SYS]"/> +<smbconfoption name="path">/data/samba/shares/SYS</smbconfoption> +<smbconfoption name="valid users">chad</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> +</smbconfexample> + + <para> + <indexterm><primary>Qbasic</primary></indexterm> + <indexterm><primary>Rbase</primary></indexterm> + <indexterm><primary>drive letters</primary></indexterm> + Most of these shares are only used by one company group, but they are required + because of some ancient Qbasic and Rbase applications were that written expecting + their own drive letters. + </para> + + <para> + <indexterm><primary>rsync</primary></indexterm> + <indexterm><primary>rsyncd.conf</primary></indexterm> + <indexterm><primary>synchronize</primary></indexterm> + Note: During the process of building the new server, I kept data files up-to-date + with the Novell server via use of <command>rsync</command>. On a separate system (my workstation + in fact) which could be rebooted whenever necessary, I set up a mount point to the + Novell server via <command>ncpmount</command>. I then created a + <filename>rsyncd.conf</filename> to share that mount point out to my new server, + and synchronized once an hour. The script I used to synchronize is quite nice, so + I will include it in an appendix. The reason I had to have the + <command>rsync</command> daemon running on a system which could be rebooted + frequently is because <constant>ncpfs</constant> has a nasty habit of creating + stale mount points which cannot be recovered without a reboot. The reason for + hourly synchronization is because some part of the chain was very slow and + performance-heavy (whether <command>rsync</command> itself, the network, or + the Novell server I am not sure probably the Novell server). 
+ </para> + + <para> + After Samba had been configured, I initialized the LDAP database. So the first + thing I had to do was to store the LDAP password in the Samba configuration by + issuing the command (as root): +<screen> +&rootprompt; smbpasswd -w verysecret +</screen> + where <quote>verysecret</quote> is replaced by the LDAP bind password. + </para> + +<note><para> +The Idealx smbldap-tools package can be configured using a script called +<command>configure.pl</command> that is provided as part of the tool. See Chapter 6 +for an example of its use. Many administrators, like Misty, choose to do this manually +so as to maintain greater awareness of how the tool-chain works, and possibly to avoid +undesirable actions from occurring un-noticed. +</para></note> + + <para> + Now Samba is ready for use. Now configure the smbldap-tools. There are two + relevant files, which are usually put into the directory + <filename>/etc/smbldap-tools</filename>. The main file, + <filename>smbldap.conf</filename> is shown in <link linkend="ch8ideal"/>. + </para> + +<example id="ch8ideal"> +<title>Idealx smbldap-tools Control File &smbmdash; Part A</title> +<screen> +######### +# +# located in /etc/smbldap-tools/smbldap.conf +# +############################################################################## +# +# General Configuration +# +############################################################################## + +# Put your own SID +# to obtain this number do: net getlocalsid +SID="S-1-5-21-725326080-1709766072-2910717368" + +############################################################################## +# +# LDAP Configuration +# +############################################################################## + +# Notes: to use to dual ldap servers backend for Samba, you must patch +# Samba with the dual-head patch from IDEALX. If not using this patch +# just use the same server for slaveLDAP and masterLDAP. 
+# Those two servers declarations can also be used when you have +# . one master LDAP server where all writing operations must be done +# . one slave LDAP server where all reading operations must be done +# (typically a replication directory) + +# Ex: slaveLDAP=127.0.0.1 +slaveLDAP="127.0.0.1" +slavePort="389" + +# Master LDAP : needed for write operations +# Ex: masterLDAP=127.0.0.1 +masterLDAP="127.0.0.1" +masterPort="389" + +# Use TLS for LDAP +# If set to 1, this option will use start_tls for connection +# (you should also used the port 389) +ldapTLS="0" + +# How to verify the server's certificate (none, optional or require) +# see "man Net::LDAP" in start_tls section for more details +verify="" +</screen> +</example> + +<example id="ch8ideal2"> +<title>Idealx smbldap-tools Control File &smbmdash; Part B</title> +<screen> +# CA certificate +# see "man Net::LDAP" in start_tls section for more details +cafile="" + certificate to use to connect to the ldap server +# see "man Net::LDAP" in start_tls section for more details +clientcert="" + +# key certificate to use to connect to the ldap server +# see "man Net::LDAP" in start_tls section for more details +clientkey="" + +# LDAP Suffix +# Ex: suffix=dc=IDEALX,dc=ORG +suffix="ou=MEGANET2,dc=abmas,dc=biz" + +# Where are stored Users +# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG" +usersdn="ou=People,${suffix}" + +# Where are stored Computers +# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG" +computersdn="ou=People,${suffix}" + +# Where are stored Groups +# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG" +groupsdn="ou=Groups,${suffix}" + +# Where are stored Idmap entries (used if samba is a domain member server) +# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG" +idmapdn="ou=Idmap,${suffix}" + +# Where to store next uidNumber and gidNumber available +sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz" + +# Default scope Used +scope="sub" +</screen> +</example> + +<example id="ch8ideal3"> +<title>Idealx smbldap-tools Control 
File &smbmdash; Part C</title> +<screen> +# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) +hash_encrypt="MD5" + +# if hash_encrypt is set to CRYPT, you may set a salt format. +# default is "%s", but many systems will generate MD5 hashed +# passwords if you use "$1$%.8s". This parameter is optional! +crypt_salt_format="%s" + +############################################################################## +# +# Unix Accounts Configuration +# +############################################################################## + +# Login defs +# Default Login Shell +# Ex: userLoginShell="/bin/bash" +userLoginShell="/bin/false" + +# Home directory +# Ex: userHome="/home/%U" +userHome="/home/%U" + +# Gecos +userGecos="Samba User" + +# Default User (POSIX and Samba) GID +defaultUserGid="513" + +# Default Computer (Samba) GID +defaultComputerGid="515" + +# Skel dir +skeletonDir="/etc/skel" + +# Default password validation time (time in days) Comment the next line if +# you don't want password to be enable for defaultMaxPasswordAge days (be +# careful to the sambaPwdMustChange attribute's value) +defaultMaxPasswordAge="45" +</screen> +</example> + +<example id="ch8ideal4"> +<title>Idealx smbldap-tools Control File &smbmdash; Part D</title> +<screen> +############################################################################## +# +# SAMBA Configuration +# +############################################################################## + +# The UNC path to home drives location (%U username substitution) +# Ex: \\My-PDC-netbios-name\homes\%U +# Just set it to a null string if you want to use the smb.conf 'logon home' +# directive and/or disable roaming profiles +userSmbHome="" + +# The UNC path to profiles locations (%U username substitution) +# Ex: \\My-PDC-netbios-name\profiles\%U +# Just set it to a null string if you want to use the smb.conf 'logon path' +# directive and/or disable roaming profiles +userProfile="" + +# The default Home Drive Letter mapping +# (will be 
automatically mapped at logon time if home directory exist) +# Ex: H: for H: +userHomeDrive="" + +# The default user netlogon script name (%U username substitution) +# if not used, will be automatically username.cmd +# make sure script file is edited under dos +# Ex: %U.cmd +# userScript="startup.cmd" # make sure script file is edited under dos +userScript="" + +# Domain appended to the users "mail"-attribute +# when smbldap-useradd -M is used +mailDomain="abmas.org" + +############################################################################## +# +# SMBLDAP-TOOLS Configuration (default are ok for a RedHat) +# +############################################################################## +# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but +# prefer Crypt::SmbHash library +with_smbpasswd="0" +smbpasswd="/usr/bin/smbpasswd" +</screen> +</example> + + <para> + <indexterm><primary>TLS</primary></indexterm> + NOTE: I chose not to take advantage of the TLS capability of this. + Eventually I may go back and tweak it. Also I chose not to take advantage + of the master/slave configuration as I heard horror stories that it was + unstable. My slave servers are replicas only. + </para> + + <para> + The <filename>/etc/smbldap-tools/smbldap_bind.conf</filename> file is shown here: +<screen> +# smbldap_bind.conf +# +# This file simply tells smbldap-tools how to bind to your LDAP server. +# It has to be a DN with full write access to the Samba portion of +# the database. 
+ +############################ +# Credential Configuration # +############################ +# Notes: you can specify two differents configuration if you use a +# master ldap for writing access and a slave ldap server for reading access +# By default, we will use the same DN (so it will work for standard Samba +# release) +slaveDN="cn=Manager,dc=abmas,dc=biz" +slavePw="verysecret" +masterDN="cn=Manager,dc=abmas,dc=biz" +masterPw="verysecret" +</screen> + </para> + + <para> + We can now run the <command>smbldap-populate</command> command which will populate + the LDAP tree with the appropriate default users, groups, and UID and GID pools. + It will create a user called Administrator with UID=0 and GID=0 matching the + Domain Admins group. This is fine you can still log in a root to a Windows system, + but it will break cached credentials if you need to log in as the administrator + to a system that is not on the network for whatever reason. + </para> + + <para> + After the LDAP database has been pre-loaded it is prudent to validate that the + information needed is in the LDAP directory. This can be done done by restarting + the LDAP server, then performing an LDAP search by executing: +<screen> +&rootprompt; ldapsearch -W -x -b "dc=abmas,dc=biz"\ + -D "cn=Manager,dc=abmas,dc=biz" \ + "(Objectclass=*)" +Enter LDAP Password: +# extended LDIF +# +# LDAPv3 +# base <dc=abmas,dc=biz> with scope sub +# filter: (ObjectClass=*) +# requesting: ALL +# + +# abmas.biz +dn: dc=abmas,dc=biz +objectClass: dcObject +objectClass: organization +o: abmas +dc: abmas + +# People, abmas.biz +dn: ou=People,dc=abmas,dc=biz +objectClass: organizationalUnit +ou: People + +# Groups, abmas.biz +dn: ou=Groups,dc=abmas,dc=biz +objectClass: organizationalUnit +ou: Groups + +# Idmap, abmas.biz +dn: ou=Idmap,dc=abmas,dc=biz +objectClass: organizationalUnit +ou: Idmap +... 
+</screen> + </para> + + <para> + <indexterm><primary>Windows</primary></indexterm> + <indexterm><primary>POSIX</primary></indexterm> + <indexterm><primary>smbldap-groupadd</primary></indexterm> + <indexterm><primary>RID</primary></indexterm> + <indexterm><primary>sambaGroupMapping</primary></indexterm> + With the LDAP directory now intialized it is time to create the Windows and POSIX + (UNIX) group accounts as well as the mappings from Windows groups to UNIX groups. + The easiest way to do this is to use <command>smbldap-groupadd</command> command. + It will create the group with the posixGroup and sambaGroupMapping attributes, a + unique GID, and an automatically-determined RID. I learned the hard way not to + try to do this by hand. + </para> + + <para> + <indexterm><primary>group mapping</primary></indexterm> + <indexterm><primary>smbldap-groupmod</primary></indexterm> + <indexterm><primary>memberUID</primary></indexterm> + After I had my group mappings in place, I added users to the groups (the users + don't really have to exist yet). I used the <command>smbldap-groupmod</command> + command to accomplish this. It can also be done manually by adding memberUID + attributes to the group entries in LDAP. + </para> + + <para> + <indexterm><primary>sambaSamAccount</primary></indexterm> + <indexterm><primary>posixAccount</primary></indexterm> + <indexterm><primary>smbldap-usermod</primary></indexterm> + The most monumental task of all was adding the sambaSamAccount information to each + already-existent posixAccount entry. I did it one at a time as I moved people onto + the new server, by issuing the command: +<screen> +&rootprompt; smbldap-usermod -a -P username +</screen> + <indexterm><primary>NetWare</primary></indexterm> + <indexterm><primary>LDIF</primary></indexterm> + <indexterm><primary>slapcat</primary></indexterm> + I completed that step for every user after asking the person what their current + NetWare password was. 
The wiser way to have done it would probably be to dump the + entire database to an LDIF file. This can be done by executing: +<screen> +&rootprompt; slapcat > somefile.ldif +</screen> + <indexterm><primary>Perl</primary></indexterm> + <indexterm><primary>objectClass</primary></indexterm> + Then update the LDIF file created by using a Perl script to parse and add the + appropriate attributes and objectClasses to each entry, followed by re-importing + the entire database into the LDAP directory. + </para> + + <para> + Rebuilding of the LDAP directory can be done as follows: +<screen> +&rootprompt; rcldap stop +&rootprompt; cd /data/ldap +&rootprompt; rm *bdb _* log* +&rootprompt; su - ldap -c "slapadd -l somefile.ldif" +&rootprompt; rcldap start +</screen> + This can be done at any time and for any reason, with no harm to the database. + </para> + + <para> + So first I added a test user, of course. The LDIF for this test user looks like + this, to give you an idea: +<screen> +# Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz +dn:cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz +cn: Test User +gecos: Test User +gidNumber: 513 +givenName: Test +homeDirectory: /home/test.user +homePhone: 555 +l: Somewhere +l: ST +mail: test.user +o: Corp +objectClass: top +objectClass: inetOrgPerson +objectClass: posixAccount +objectClass: sambaSamAccount +postalCode: 12345 +sn: User +street: 10 Some St. 
+uid: test.user +uidNumber: 1074 +sambaLogonTime: 0 +sambaLogoffTime: 2147483647 +sambaKickoffTime: 2147483647 +sambaPwdCanChange: 0 +displayName: Samba User +sambaSID: S-1-5-21-725326080-1709766072-2910717368-3148 +sambaLMPassword: 9D29C287C58448F9AAD3B435B51404EE +sambaAcctFlags: [U] +sambaNTPassword: D062088E99C95E37D7702287BB35E770 +sambaPwdLastSet: 1102537694 +sambaPwdMustChange: 1106425694 +userPassword: {SSHA}UzFZ2VxRGdwUueLnTGtsTBtnsvMO1oj8 +loginShell: /bin/false +</screen> + </para> + + <para> + Then I went over to a spare Windows NT machine and joined it to the MEGANET2 domain. + It worked, and the machine's account entry under ou=Computers looks like this: +<screen> +dn:uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz +objectClass: top +objectClass: inetOrgPerson +objectClass: posixAccount +objectClass: sambaSamAccount +cn: w2kengrspare$ +sn: w2kengrspare$ +uid: w2kengrspare$ +uidNumber: 1104 +gidNumber: 515 +homeDirectory: /dev/null +loginShell: /bin/false +description: Computer +gecos: Computer +sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208 +sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-2031 +displayName: W2KENGRSPARE$ +sambaPwdCanChange: 1103149236 +sambaPwdMustChange: 2147483647 +sambaNTPassword: CA199C45CB6737035DB6D9D9F6CD1834 +sambaPwdLastSet: 1103149236 +sambaAcctFlags: [W ] +</screen> + </para> + + <para> + <indexterm><primary>netlogon</primary></indexterm> + So now I can log in with a test user from the machine w2kengrspare. It's all fine and + good, but that user is in no groups yet so has pretty boring access. We can fix that + by writing the login script! To write the login script, I used + <ulink url="http://www.kixtart.org">Kixstart</ulink>. I used it because it will work + with every architecture of Windows, has an active and helpful user base, and was both + easier to learn and more powerful than the standard netlogon scripts I have seen. 
+ I also did not have to do a logon script per user or per group. + </para> + + <para> + <indexterm><primary>Kixtart</primary></indexterm> + I downloaded Kixtart and put the following files in my [netlogon] share: +<screen> +KIX32.EXE +KX32.dll +KX95.dll <-- Not needed unless you are running Win9x clients. +kx16.dll <-- Probably not needed unless you are running DOS clients. +kxrpc.exe <-- Probably useless as it has to run on the server and can + only be run on NT. It's for Windows 95 to become group-aware. + We can get around the need. +</screen> + </para> + + <para> + <indexterm><primary>logon.kix</primary></indexterm> + I then wrote the <filename>logon.kix</filename> file that is shown in + <link linkend="ch8kix"/>. I chose to keep it all in one file, but it + can be split up and linked via include directives. + </para> + +<example id="ch8kix"> +<title>Kixstart Control File &smbmdash; File: logon.kix</title> +<screen> +; This script just calls the other scripts. + +; First we want to get things done for everyone. + +; Second, we do first-time login stuff. + +; Third, we go through the group-oriented scripts one at a time. + + +; We want to check for group membership here to avoid the overhead of running +; scripts which don't apply. 
+call "\\massive\netlogon\scripts\main.kix" +call "\\massive\netlogon\scripts\setup.kix" +IF INGROUP("MEGANET2\ACCT") + call "scripts\acct.kix" +ENDIF +IF INGROUP("MEGANET2\ENGR","MEGANET2\RECEPTIONIST") +call "\\massive\netlogon\scripts\engr.kix" +ENDIF +IF INGROUP("MEGANET2\FURN") + call "\\massive\netlogon\scripts\furn.kix" +ENDIF +IF INGROUP("MEGANET2\TRUSS") + call "\\massive\netlogon\scripts\truss.kix" +ENDIF +</screen> +</example> + +<example id="ch8kix2"> +<title>Kixstart Control File &smbmdash; File: main.kix</title> +<screen> +break on + +; Choose whether to hide the login window or not +IF INGROUP("MEGANET2\Domain Admins") + USE Z: \\massive\everything + SETCONSOLE("show") +ELSE + ; Nobody cares about seeing the login script except admins + SETCONSOLE("hide") +ENDIF + +; Delete all previously connected shares +USE * /delete + +SETTITLE("Logging on @USERID to @LDOMAIN at @TIME") + +; Set the time on the workstation +$Timeserver = "\\massive" +Settime $TimeServer + +; Map the home directory +USE H: @HOMESHR ; connect to user's home share +IF @ERROR = 0 + + H: + CD @HOMEDIR ; change directory to user's home directory +ENDIF + +; Everyone gets the N drive +USE N: \\massive\network +</screen> +</example> + +<example id="ch8kix3"> +<title>Kixstart Control File &smbmdash; File: setup.kix, Part A</title> +<screen> +; My setup.kix is where all of the redirection stuff happens. 
Note that with +; the use of registry keys, ths only happens the first time they log in ,or if +; I delete the pertinent registry keys which triggers it to happen again: + +; Check to see if we have written the Borkholder subkey before +$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\Borkholder") +IF NOT $RETURNCODE = 0 +; Add key for Borkholder-specific things on the first login + ADDKEY("HKEY_CURRENT_USER\Borkholder") + ; The following key gets deleted at the end of the first login + ADDKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN") +ENDIF + +; People with laptops need My Documents to be in their profile. People with +; desktops can have My Documents redirected to their home directory to avoid +; long delays with logging out and out-of-sync files. + +; Check to see if this is the first login -- doesn't make sense to do this +; at the very first login + +$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN") +IF NOT $RETURNCODE = 0 + +; We don't want to do this stuff for people with laptops or people in the FURN +; group. (They store their profiles in a different server) + + IF NOT INGROUP("MASSIVE\Laptop","MASSIVE\FURN") + $RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\Borkholder\profile_copied") + +; A crude way to tell what OS our profile is for and copy the "My Documents" +; to the redirected folder on the server. 
It works because the profiles +; are stored as \\server\profiles\user\architecture + IF NOT $RETURNCODE = 0 + IF EXIST("\\massive\profiles\@userID\WinXP") + copy "\\massive\profiles\@userID\WinXP\My Documents\*" +"\\massive\@userID\" + ENDIF + IF EXIST("\\massive\profiles\@userID\Win2K") + copy "\\massive\profiles\@userID\Win2K\My Documents\*" +"\\massive\@userID\" + ENDIF + IF EXIST("\\massive\profiles\@userID\WinNT") + copy "\\massive\profiles\@userID\WinNT\My Documents\*" +"\\massive\@userID\" + ENDIF +</screen> +</example> + +<example id="ch8kix3b"> +<title>Kixstart Control File &smbmdash; File: setup.kix, Part B</title> +<screen> +; Now we will write the registry values to redirect the locations of "My +Documents" +; and other folders. + ADDKEY("HKEY_CURRENT_USER\Borkholder\profile_copied") + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "Personal","\\massive\@userID","REG_SZ") + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "My Pictures", "\\massive\@userID\My Pictures", "REG_SZ") + IF @PRODUCTTYPE="Windows 2000 Professional" or @PRODUCTTYPE="Windows XP +Professional" + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "My Videos", "\\massive\@userID\My Videos", "REG_SZ") + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "My Music", "\\massive\@userID\My Music", "REG_SZ") + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "My eBooks", "\\massive\@userID\My eBooks", "REG_SZ") + ENDIF + ENDIF + ENDIF + +; Now we will delete the FIRST_LOGIN subkey that we made before. +; Note - to run this script again you will want to delete the HKCU\Borkholder +; subkey, log out, and log back in. 
+$RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN") +IF $RETURNVALUE = 0 + DELKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN") +ENDIF +</screen> +</example> + +<example id="ch8kix4"> +<title>Kixstart Control File &smbmdash; File: acct.kix</title> +<screen> +; And here is one group-oriented script to show what can be +; done that way: acct.kix: + +IF INGROUP("MASSIVE\Acct_Admin","MASSIVE\HR") + USE I: \\MEGANET2\HR_PR +ENDIF + +; Set up printer +$RETURNVALUE = existkey("HKEY_CURRENT_USER\Printers\,,massive,acct_hp8500") +IF NOT $RETURNVALUE = 0 + ADDPRINTERCONNECTION("\\massive\acct_hp8500") + SETDEFAULTPRINTER("\\massive\acct_hp8500") +ENDIF +; Set up drive mappings + USE M: \\massive\ACCT + IF INGROUP("MEGANET2\ABRA") + USE T: \\trussrv\abra + ENDIF +</screen> +</example> + + <para> + As you can see in the script, I redirect the My Documents to the user's home + share if they are not in the “Laptop” group. I also add printers on a + group-by-group basis, and if applicable I setthe group printer. For this to + be effective, the print drivers must be installed on the Samba server in the + <filename>[print$]</filename> share. Ample documentation exists about how to do that so I did not + cover it. + </para> + + <para> + I actually call this script via the logon.bat script in the [netlogon] directory: +<screen> +\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f +</screen> + I only had to fully qualify the paths for Windows 9x, as Windows NT and + greater automatically add [NETLOGON] to the path. + </para> + + <para> + Also of note for Win9x is that the drive mappings and printer setup will not + work because they rely on RPC. One merely has to put the appropriate settings + into the <filename>c:\autoexec.bat</filename> file or map the drives manually. 
One option would + be to check the OS as part of the Kixtart script, and if it is Win9x and if + it is the first login, copy a pre-made <filename>autoexec.bat</filename> to the <filename>C:</filename> drive. I only + have three such machines and one is going away in the very near future, so it + was easier to do it by hand. + </para> + + <para> + <indexterm><primary>upgrade</primary></indexterm> + At this point I was able to add the users. This is the part that really falls + into “upgrade. I moved the users over one group at a time, starting with the + people who used the least amount of resources on the network. With each group + that I moved, I first logged in as a “standard” user in that group and took + careful note of their environment, mainly the printers they used, their PATH, + and what network resources they had access to (most importantly which ones + they actually needed access to). + </para> + + <para> + I would then add the user's SambaSamAccount information as mentioned earlier, + and join the computer to the domain. The very first thing I had to do was to + copy the user's profile to the new server. This was very important, and I really + struggled with the most effective way to do it. Here is the method that worked + for every one of my users on Windows NT, 2000, and XP: + </para> + + <procedure> + <step><para> + Log in as the user on the domain. This creates the local copy + of the user's profile and copies it to the server as they log out. + </para></step> + + <step><para> + Reboot the computer and log in as the local machine administrator. + </para></step> + + <step><para> + Right-click My Computer, click Properties, and navigate to the + user profiles tab (varies per version of Windows). + </para></step> + + <step><para> + Select the user's local profile <constant>(COMPUTERNAME\username)</constant>, + and click the <command>Copy To</command> button. 
+ </para></step> + + <step><para> + In the next dialog, copy it directly to the profiles share on the + Samba server (\\PDCname\profiles\user\<architecture> in my + case). You will have had to make a connection to the share as that + user (e.g.: Windows Explorer type \\PDCname\profiles\username). + </para></step> + + <step><para> + When the copy is complete (it can take a while) log out, and log back in + as the user. All his/her settings and all contents of My Documents, + Favorites, and the registry should have been copied successfully. + </para></step> + + <step><para> + If it doesn't look right (the dead giveaway is the desktop background) + shut down the computer without logging out (power cycle) and try logging + in as the user again. If it still doesn't work, repeat the steps above. + I only had to ever repeat it once. + </para></step> + + </procedure> + + <para> + WORDS TO THE WISE: + </para> + + <itemizedlist> + <listitem><para> + If the user was anything other than a standard user on his/her system + before, you will save yourself some headaches by giving them identical + permissions (on the local machine) as their domain account, BEFORE + copying their profile over. Do this through the User Administrator + in the Control Panel, after joining the computer to the domain and + before logging as that user for the first time. Otherwise they will + have trouble with permissions on their registry keys. + </para></listitem> + + <listitem><para> + If any application was installed for the user only, rather than for + the entire system, it will probably not work without being reinstalled. + </para></listitem> + </itemizedlist> + + <para> + After all these steps are accomplished, only cleanup details are left. 
Make sure user's + shortcuts and “Network Places” point to the appropriate place on the new server, check + the important applications to be sure they work as expected and troubleshoot any problems + that might arise, check to be sure the user's printers are present and working. By the + way, if there are any network printers installed as system printers (the Novell way) + you will need to log in as a local administrator and delete them. + </para> + + <para> + For my non-laptop systems, I would then log in and out a couple times as the user, + to be sure that their registry settings were modified, then I was finished. + </para> + + <para> + Some compatibility issues that cropped up included: + </para> + + <para> + Blackberry client &smbmdash; It did not like having its registry settings moved around, + and had to be reinstalled. Also it needed write permissions to a portion of + the hard drive, and I had to give it those manually on the one system where + this was an issue. + </para> + + <para> + CAMedia &smbmdash; digital camera software for Canon cameras I had all kinds of trouble + with the registry. I had to use the Run as service to open the registry of + the local user while logged in as the domain user, and give the domain user + the appropriate permissions to some registry keys, then export that portion + of the registry to a file. Then as the domain user I had to import that file + into the registry. + </para> + + <para> + Crystal Reports version 7 &smbmdash; More registry problems that were solved by re-copying + the user's profile. + </para> + + <para> + Printing from legacy applications &smbmdash; I found out that Novell sent its jobs to + the printer in a raw format. CUPS sends them in Postscript by default. I had + to make a second printer definition for one printer and tell CUPS specifically + to send raw data to the printer, and assign this printer to the LPT port with + Kixtart's version of the “net use”command. 
+ </para> + + <para> + These were all eventually solved by elbow grease, queries to the Samba mailing + list and others, and diligence. The complete migration took about 5 weeks. + My userbase is relatively small, but includes multiple versions of Windows, + multiple Linux member servers, a mechanized saw, a pen plotter, and legacy + applications written in Qbasic and R:Base, just to name a few. I actually + ended up making some of these applications work better (or work again, as + some of them had stopped functioning on the old server) because as part of + the process I had to find out how things were supposed to work. + </para> + + <para> + The one thing I have not been able to get working is a very old database that + we had around for reference purposes which uses Novell's Btrieve engine. + </para> + + <para> + As the resources compare, I went from 95% disk usage to just around 10%. + I went from a very high load on the server to an average load of between 1 + and 2 runnable processes on the server. I have improved the security and + robustness of the system. I have also implemented + <ulink url="http://www.clamav.net">ClamAV</ulink> Antivirus + which scans the entire Samba server for viruses every two hours and + quarantines them. I have found it much less problematic than our ancient + version of Norton Antivirus Corporate Edition, and much more up-to-date. + </para> + + <para> + In short, my users are much happier now that the new server is running, that + is what is important to me. + </para> + + </sect3> + + </sect2> + +</sect1> + +</chapter> + |
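Review bot: In the ch8ideal2 listing of smbldap.conf, the line " certificate to use to connect to the ldap server" that follows `cafile=""` has lost its leading `#` (and the blank line before it), so as printed it is not a comment and would be an invalid entry for anyone copying the listing into /etc/smbldap-tools/smbldap.conf; restore it as `# certificate to use to connect to the ldap server`, matching the `# key certificate ...` line below it. The same listing sets `computersdn="ou=People,${suffix}"`, but the later prose says the joined machine's entry sits "under ou=Computers" and shows `dn:uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz`; likewise the ldapsearch output lists ou=People, ou=Groups and ou=Idmap directly under dc=abmas,dc=biz rather than under the configured `suffix="ou=MEGANET2,dc=abmas,dc=biz"`. Either change the config to `computersdn="ou=Computers,${suffix}"` and show the matching tree, or correct the prose and LDIF, so that readers who copy the configuration get the structure the chapter describes.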
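Review bot: The smbldap_bind.conf listing puts the directory manager password in a file (`slavePw="verysecret"`, `masterPw="verysecret"`) but the surrounding text says nothing about protecting it; add a sentence telling readers to make the file readable by root only (for example `chmod 600 /etc/smbldap-tools/smbldap_bind.conf`), since anyone who can read it has full write access to the Samba portion of the directory. It is also worth stating that with `ldapTLS="0"` in smbldap.conf this bind password crosses the wire unencrypted, which is acceptable in the configuration shown only because both slaveLDAP and masterLDAP are 127.0.0.1.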
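Review bot: The "Rebuilding of the LDAP directory" sequence deletes the database files with `rm *bdb _* log*` before running `slapadd`, yet the text claims this "can be done at any time and for any reason, with no harm to the database". That holds only if somefile.ldif was produced by `slapcat` immediately beforehand and `slapadd` succeeds; if the import fails (for instance on an entry mangled by the Perl editing step described just above), the directory is gone. Suggest qualifying the sentence, recommending a copy of /data/ldap (or at least the LDIF) be kept before the `rm`, and noting that the `rm` runs in whatever directory the preceding `cd /data/ldap` left the shell in, so the `cd` should be confirmed to have succeeded first.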
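Review bot: The setup.kix listing (ch8kix3 and ch8kix3b) does not balance its blocks: `IF NOT $RETURNCODE = 0` for the FIRST_LOGIN check, `IF NOT INGROUP("MASSIVE\Laptop","MASSIVE\FURN")`, `IF NOT $RETURNCODE = 0` for profile_copied and `IF @PRODUCTTYPE=...` open four blocks, but only three `ENDIF` lines appear before the closing DELKEY block, so the outer FIRST_LOGIN `IF` is never closed. Typesetting wraps have also split string literals and a comment across lines (`"Windows XP` / `Professional"`, `"My` / `Documents"` in the comment, and the `\`-continued registry paths in the WRITEVALUE calls), which a reader who copies the listing cannot run as printed. Suggest adding the missing `ENDIF` and either re-flowing the wrapped lines or stating that each wrapped line is a single line in the real file.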
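Review bot: Host and domain names are inconsistent across the Kixtart and netlogon listings: logon.kix tests `INGROUP("MEGANET2\ACCT")` while setup.kix and acct.kix test `INGROUP("MASSIVE\Laptop",...)` and `INGROUP("MASSIVE\Acct_Admin","MASSIVE\HR")` (MASSIVE is the server, MEGANET2 the domain), acct.kix maps `USE I: \\MEGANET2\HR_PR` to the domain name rather than a server, the logon.bat line refers to `\\corpsrv\netlogon` instead of `\\massive\netlogon`, and `call "scripts\acct.kix"` in logon.kix is the one relative path in a script whose prose says Windows 9x needs fully qualified paths. The test-user LDIF similarly uses `ou=people,ou=corp,dc=abmas,dc=biz` where smbldap.conf has `suffix="ou=MEGANET2,dc=abmas,dc=biz"`. Pick one set of names for the chapter so the examples can be followed end to end.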
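Review bot: Spelling and punctuation in the prose need a pass: "applications were that written" (should be "that were written"), "intialized", "This can be done done by", "log in a root", "I setthe group printer", "ths only happens", "log in ,or if", and "falls into “upgrade." with no closing quote. The product is spelled "Kixstart" in the prose and example titles but "Kixtart" in the indexterm and in the ulink to kixtart.org (the correct name is KiXtart); the "Some compatibility issues that cropped up included:" lead-in is followed by loose paragraphs rather than the itemizedlist the chapter uses elsewhere for similar content.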