author: John Terpstra <jht@samba.org> 2005-04-13 02:26:17 +0000
committer: Gerald W. Carter <jerry@samba.org> 2008-04-23 08:46:25 -0500
commit: 6262d3083458e4fc1dfcff77e616063e4b71e477
tree: ddfea67e7c0c679d69a0fea331795971cc42e58a /docs/Samba-Guide/SBE-MigrateNW4Samba3.xml
parent: 2b7907805aeb32775f11795b88e01721b115eafe
Begin of another reorg.
(This used to be commit 131d76df85ab12f5a171120113d4dfa7ad3f2220)
Diffstat (limited to 'docs/Samba-Guide/SBE-MigrateNW4Samba3.xml')
-rw-r--r-- docs/Samba-Guide/SBE-MigrateNW4Samba3.xml 1599
1 files changed, 1599 insertions, 0 deletions
diff --git a/docs/Samba-Guide/SBE-MigrateNW4Samba3.xml b/docs/Samba-Guide/SBE-MigrateNW4Samba3.xml
new file mode 100644
index 0000000000..883a2447a6
--- /dev/null
+++ b/docs/Samba-Guide/SBE-MigrateNW4Samba3.xml
@@ -0,0 +1,1599 @@
+<?xml version="1.0" encoding="iso-8859-1"?>
+<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
+<chapter id="nw4migration">
+ <title>Migrating NetWare 4.11 Server to Samba-3</title>
+
+ <para>
+ <indexterm><primary>Novell</primary></indexterm>
+ <indexterm><primary>SuSE</primary></indexterm>
+ <indexterm><primary>Ximian</primary></indexterm>
+ <indexterm><primary>FLOSS</primary><see>Free-Libre/Open Source Software</see></indexterm>
+ <indexterm><primary>Free-Libre/Open Source Software</primary></indexterm>
+ Novell is a company any seasoned IT manager has to admire. Since the acquisition of
+ the SuSE Linux company, the acquisition on Ximian, and other moves that are friendly
+ to the FLOSS (Free-Libre/Open Source Software) movement, Novell are emerging out of
+ a deep regression that almost saw the company disappear into obscurity. The now Linux
+ friendly Novell's SUSE Linux is being used as a host to which NetWare servers are being
+ migrated. It is in many ways ironic that Novell are today hosting NetWare on top of
+ Linux. At the same time older NetWare servers are still being migrated to Samba servers.
+ It will be interesting to see what will become of NetWare over time.
+ </para>
+
+ <para>
+ <indexterm><primary>Red Hat</primary></indexterm>
+ <indexterm><primary>Debian</primary></indexterm>
+ <indexterm><primary>Gentoo</primary></indexterm>
+ <indexterm><primary>Mandrake</primary></indexterm>
+ Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian,
+ Gentoo, Mandrake, SUSE (Novell) the information in this chapter should be read with
+ appropriate cognizance that file locations may vary a little; even so the information
+ in this chapter should provide something of value.
+ </para>
+
+ <para>
+ <indexterm><primary>migration</primary></indexterm>
+ This chapter was contributed by Misty Stanley-Jones, a UNIX administrator of many
+ years who surfaced on the Samba mailing list with a barrage of questions, and who
+ regularly now helps other administrators to solve thorny Samba migration questions.
+ </para>
+
+ <para>
+ <indexterm><primary>NetWare</primary></indexterm>
+ <indexterm><primary>NLM</primary></indexterm>
+ <indexterm><primary>NetWare</primary></indexterm>
+ <indexterm><primary>Mars_NWE</primary></indexterm>
+ One wonders how many NetWare servers remain in active service. Many are being migrated
+ to Samba on Linux. Red Hat Linux, SUSE Linux 9.x and SUSE Linux Enterprise Server 9 are
+ ideal target platforms to which a NetWare server may be migrated. The migration method
+ of choice is much dependant on the tools that the administrator finds most natural to use.
+ The old-hand NetWare guru will likely want to use the tools like the NetWare NLM for
+ <command>rsync</command> to migrate files from the NetWare server to the Samba server.
+ The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stovers' NetWare
+ Emulator) open source package. The MS Windows network administrator will likely make use of the
+ NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice,
+ migration will be filled with joyous and challenging moments - though probably not
+ concurrently.
+ </para>
+
+ <para>
+ This chapter tells its own story, so ride along, ... maybe the information here presented
+ will help to smooth over a similar migration challenge in your favorite networking environment.
+ </para>
+
+<sect1>
+ <title>Introduction</title>
+
+ <para>
+ <indexterm><primary>Novell</primary></indexterm>
+ Misty Stanley-Jones was recruited by Abmas Inc. to administer a network that had
+ not received much attention for some years and was much in need of a make-over.
+ As a brand-new sysadmin to this company, she inherited a very old Novell file server,
+ and came with a determination to change things for the better.
+ </para>
+
+ <para>
+ A site survey turned up the following details for the old NetWare server:
+ </para>
+
+ <simplelist>
+ <member><para>200 MHz MMX processor</para></member>
+ <member><para>512K RAM</para></member>
+ <member><para>24 GB disk space in RAID1</para></member>
+ <member><para>Novell 4.11 patched to service pack 7</para></member>
+ <member><para>60+ users</para></member>
+ <member><para>7 network-attached printers</para></member>
+ </simplelist>
+
+ <para>
+ The company had outgrown this server several years ago and were dealing with
+ severe growing pains. Some of the problems experienced were:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>Very slow performance</para>
+ </listitem>
+ <listitem>
+ <para>Available storage hovering around the 5% range.</para>
+ <itemizedlist>
+ <listitem>
+ <para>Extremely slow print spooling.</para>
+ </listitem>
+ <listitem>
+ <para>
+ Users storing information on their local hard
+ drives, causing backup integrity problems.
+ </para>
+ </listitem>
+ </itemizedlist>
+ </listitem>
+ </itemizedlist>
+
+ <para>
+ <indexterm><primary>payroll</primary></indexterm>
+ At one point disk space had filled up to 100% causing the payroll database
+ to become corrupt. This caused the accounting department to be down for over
+ a week and necessitated deployment of another file server. The replacement
+ server was created with very poor security and design considerations from
+ a discarded desktop PC.
+ </para>
+
+ <sect2>
+ <title>Assignment Tasks</title>
+
+ <para>
+ Misty has provided this summary of her migration experience in the hope
+ that it will help someone to avoid the challenges she faced. Perhaps her
+ configuration files and background will accelerate your learning as you
+ grapple with a similar migration challenge.
+ </para>
+
+ <para>
+ After presenting a cost-benefit report to management, as well as an estimated
+ time-to-completion, approval was given proceed with the solution proposed.
+ The server was built from purchased components. The total project cost
+ was $3000. A brief description of the configuration follows:
+ </para>
+
+ <simplelist>
+ <member>
+ <para>3.0 GHz P4 Processor</para>
+ </member>
+ <member>
+ <para>1 GB RAM</para>
+ </member>
+ <member>
+ <para>120 GB SATA operating system drive</para>
+ </member>
+ <member>
+ <para>4 x 80 GB SATA data drives (RAID5 240 GB capacity)</para>
+ </member>
+ <member>
+ <para>2 x 80 GB SATA removable drives for online backup</para>
+ </member>
+ <member>
+ <para>A DLT drive for asynchronous offline backup</para>
+ </member>
+ <member>
+ <para>SUSE Linux Professional 9.2</para>
+ </member>
+ </simplelist>
+
+ <para>
+ The new system has operated for six months without problems. Over the past months
+ much attention has been focused on cleaning up desktops and user profiles.
+ </para>
+
+ </sect2>
+</sect1>
+
+<sect1>
+ <title>Dissection and Discussion</title>
+
+ <para>
+ <indexterm><primary>LDAP</primary></indexterm>
+ <indexterm><primary>e-Directory</primary></indexterm>
+ <indexterm><primary>authentication</primary></indexterm>
+ <indexterm><primary>identity management</primary></indexterm>
+ A decision to use LDAP was made even though I know nothing about LDAP except that
+ I had been reading the book <quote>LDAP System Administration</quote>, by Gerald Carter.
+ LDAP seemed to provide some of the functionality of Novell's e-Directory Services
+ and would provide centralized authentication and identity management.
+ </para>
+
+ <para>
+ <indexterm><primary>database</primary></indexterm>
+ <indexterm><primary>RPM</primary></indexterm>
+ <indexterm><primary>tree</primary></indexterm>
+ Building the LDAP database took a while, and a lot of trial and error. Following
+ the guidance I obtained from Jerry Carter's book <quote>LDAP System
+ Administration</quote>, I installed OpenLDAP (from RPM; later I compiled
+ a more current version from source) and built my initial LDAP tree.
+ </para>
+
+ <sect2>
+ <title>Technical Issues</title>
+
+ <para>
+ <indexterm><primary>white-pages</primary></indexterm>
+ <indexterm><primary>inetOrgPerson</primary></indexterm>
+ <indexterm><primary>OpenLDAP</primary></indexterm>
+ <indexterm><primary>/etc/passwd</primary></indexterm>
+ <indexterm><primary>/etc/shadow</primary></indexterm>
+ <indexterm><primary>LDIF</primary></indexterm>
+ <indexterm><primary>IMAP</primary></indexterm>
+ <indexterm><primary>POP3</primary></indexterm>
+ <indexterm><primary>SMTP</primary></indexterm>
+ The first challenge was to create a company white-pages, followed by manually
+ entering everything from the printed company directory. This used only the inetOrgPerson
+ objectclass from the OpenLDAP schemas. The next step was to write a shell script which
+ would look at the <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>
+ files on our mail server, and create a LDIF file from which the information could be
+ imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3,
+ and SMTP.
+ </para>
+
+ <para>
+ Given that a decision had been made to use Courier-IMAP the schema <quote>courier.schema</quote>
+ from the Courier-IMAP source tarball is ncessary to resolve Courier-specific LDAP directory
+ needs.
+ </para>
+
+ </sect2>
+
+</sect1>
+
+<sect1>
+ <title>Implementation</title>
+
+ <para>
+ </para>
+
+ <sect2>
+ <title>NetWare Migration Using LDAP Backend</title>
+
+ <para>
+ The following software must be installed on the SUSE Linux Enterprise Server to perform
+ this migration:
+ </para>
+
+ <simplelist>
+ <member><para>openldap2</para></member>
+ <member><para>openldap2-client</para></member>
+ <member><para>openldap2-devel (only for Samba compilation)</para></member>
+ <member><para>nss_ldap</para></member>
+ <member><para>smbldap-tools Version 0.8.7</para></member>
+ <member><para>perl-ldap</para></member>
+ <member><para>samba-3.0.12 or later</para></member>
+ <member><para>samba-client-3.0.12 or later</para></member>
+ <member><para>samba-winbind-3.0.12 or later</para></member>
+ </simplelist>
+
+ <para>
+ Each software application must be carefully configured in preparation for migration.
+ The configuration files used at Abmas are provided as a guide and should be modified
+ to meet needs at your site.
+ </para>
+
+ <sect3>
+ <title>LDAP Server Configuration</title>
+
+ <para>
+ The <filename>/etc/openldap/slapd.conf</filename> file Misty used is shown in <link linkend="ch8slapd"/>.
+ </para>
+
+<example id="ch8slapd">
+<title>OpenLDAP Control File &smbmdash; slapd.conf Part A</title>
+<screen>
+#/usr/local/etc/openldap/slapd.conf
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba.schema
+include /etc/openldap/schema/dhcp.schema
+include /etc/openldap/schema/misc.schema
+include /etc/openldap/schema/idpool.schema
+include /etc/openldap/schema/eduperson.schema
+include /etc/openldap/schema/commURI.schema
+include /etc/openldap/schema/local.schema
+include /etc/openldap/schema/authldap.schema
+
+pidfile /var/run/slapd/run/slapd.pid
+argsfile /var/run/slapd/run/slapd.args
+
+replogfile /data/ldap/log/slapd.replog
+
+# Load dynamic backend modules:
+modulepath /usr/lib/openldap/modules
+
+#######################################################################
+# Logging parameters
+#######################################################################
+loglevel 256
+
+#######################################################################
+# SASL and TLS options
+#######################################################################
+sasl-host ldap.corp.abmas.org
+sasl-realm DIGEST-MD5
+sasl-secprops none
+TLSCipherSuite HIGH:MEDIUM:+SSLV2
+TLSCertificateFile /etc/ssl/certs/private/abmas-cert.pem
+TLSCertificateKeyFile /etc/ssl/certs/private/abmas-key.pem
+password-hash {SSHA}
+defaultsearchbase "dc=abmas,dc=biz"
+</screen>
+</example>
+
+
+<example id="ch8slapd2">
+<title>OpenLDAP Control File &smbmdash; slapd.conf Part B</title>
+<screen>
+#######################################################################
+# bdb database definitions
+#######################################################################
+database bdb
+suffix "dc=abmas,dc=biz"
+rootdn "cn=manager,dc=abmas,dc=biz"
+rootpw {SSHA}gdo/dUvoT4ZJmULz3rUt6A3H/hBEduJ5
+directory /data/ldap
+mode 0600
+# The following is for BDB to make it flush its data to disk every
+# 500 seconds or 5kb of data
+checkpoint 500 5
+
+## For running slapindex
+#readonly on
+
+## Indexes for often-requested attributes
+index objectClass eq
+index cn eq,sub
+index sn eq,sub
+index uid eq,sub
+index uidNumber eq
+index gidNumber eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+cachesize 2000
+
+replica host=baa.corp.abmas.org:389
+ suffix="dc=abmas,dc=biz"
+ binddn="cn=replica,dc=abmas,dc=biz"
+ credentials=verysecret
+ bindmethod=simple
+ tls=yes
+replica host=ns.abmas.org:389
+ suffix="dc=abmas,dc=biz"
+ binddn="cn=replica,dc=abmas,dc=biz"
+ credentials=verysecret
+ bindmethod=simple
+ tls=yes
+</screen>
+</example>
+
+<example id="ch8slapd3">
+<title>OpenLDAP Control File &smbmdash; slapd.conf Part C</title>
+<screen>
+#######################################################################
+# ACL section
+#######################################################################
+## MOST RESTRICTIVE RULES MUST GO FIRST!
+
+## Users can change their own passwords.
+## Nobody else can read the password
+access to attrs=userPassword
+ by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators, \
+ dc=abmas,dc=biz" write
+ by self write
+ by * auth
+
+## Home contact info restricted to the logged-in user
+access to attrs=hometelephoneNumber,homePostalAddress,\
+ mobileTelephoneNumber,pagerTelephoneNumber
+ by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,\
+ dc=abmas,dc=biz" write
+ by self write
+ by * none
+
+## Only admins can manage email aliases
+access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz"
+ filter=(roleOccupant=*)
+ attrs=maildrop
+ by dnattr=roleOccupant write
+ by * read
+
+## Allow delegated management of certain aliases which are
+## for mailman-style mailing lists.
+access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz"
+ by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,\
+ dc=abmas,dc=biz" write
+ by * read
+
+## Default to read-only access
+access to *
+ by dn.base="cn=replica,ou=people,ou=corp,dc=abmas,dc=biz" write
+ by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,\
+ dc=abmas,dc=biz" write
+ by * read
+access to attrs=namingcontexts
+ by anonymous read
+</screen>
+</example>
+
+ <para>
+ <indexterm><primary>/etc/ldap.conf</primary></indexterm>
+ The <filename>/etc/ldap.conf</filename> file used is listed in <link linkend="ch8ldap"/>.
+ </para>
+
+<example id="ch8ldap">
+<title>NSS LDAP Control File &smbmdash; /etc/ldap.conf</title>
+<screen>
+# /etc/ldap.conf
+# This file is present on every *NIX client that authenticates to LDAP.
+# For me, most of the defaults are fine. There is an amazing amount of
+# customization that can be done see the man page for info.
+
+# Your LDAP server. Must be resolvable without using LDAP. The following
+# is for the LDAP server all others use the FQDN of the server
+URI ldap://127.0.0.1
+
+# The distinguished name of the search base.
+base ou=corp,dc=abmas,dc=biz
+
+# The LDAP version to use (defaults to 3 if supported by client library)
+ldap_version 3
+
+# The distinguished name to bind to the server with if the effective
+# user ID is root. Password is stored in /etc/ldap.secret (mode 600)
+rootbinddn cn=Manager,dc=abmas,dc=biz
+
+# Filter to AND with uid=%s
+pam_filter objectclass=posixAccoun
+
+# The user ID attribute (defaults to uid)
+pam_login_attribute uid
+
+# Group member attribute
+pam_member_attribute memberUID
+
+# Use the OpenLDAP password change
+# extended operation to update the password.
+pam_password exop
+
+# OpenLDAP SSL mechanism
+# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
+ssl start_tls
+
+tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem
+...
+</screen>
+</example>
+
+ <para>
+ The Name Server Switch control file <filename>/etc/nsswitch.conf</filename> has the following contents:
+<screen>
+# /etc/nsswitch.conf
+# This file controls the resolve order for system databases.
+
+# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+# The above are all that I store in LDAP at this point. There are
+# possibilities to store hosts, services, ethers, and lots of other things.
+</screen>
+ </para>
+
+ <para>
+ <indexterm><primary>PAM</primary></indexterm>
+ <indexterm><primary>NSS</primary></indexterm>
+ In my setup, users authenticate via PAM and NSS using LDAP-based accounts.
+ This works out of the box with the configuration files in this chapter. It
+ enables you to have no local accounts for users (it is highly advisable
+ to have a local account for the root user). Traps for the unwary include:
+ </para>
+
+ <indexterm><primary>LDAP</primary></indexterm>
+ <indexterm><primary>authenticate</primary></indexterm>
+ <indexterm><primary>DNS</primary></indexterm>
+ <itemizedlist>
+ <listitem>
+ <para>
+ If your LDAP database goes down, nobody can authenticate except for root.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ If fail-over is configured incorrectly weird behavior can occur. For example,
+ DNS failing to resolve.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <para>
+ I do have two LDAP slave servers configured. That subject is beyond the scope
+ of this document and steps for implementing it are well-documented.
+ </para>
+
+ <para>
+ The following services authenticate using LDAP:
+ </para>
+ <indexterm><primary>UNIX</primary></indexterm>
+ <indexterm><primary>Postfix</primary></indexterm>
+ <indexterm><primary>Courier-IMAP</primary></indexterm>
+ <simplelist>
+ <member><para>UNIX login/ssh</para></member>
+ <member><para>Postfix (SMTP)</para></member>
+ <member><para>Courier-IMAP/IMAPS/POP3/POP3S</para></member>
+ </simplelist>
+
+ <para>
+ <indexterm><primary>white-pages</primary></indexterm>
+ <indexterm><primary>Windows Address Book</primary></indexterm>
+ Company-wide White-Pages can be searched using a LDAP client
+ such as the one in the Windows Address Book.
+ </para>
+
+ <para>
+ <indexterm><primary>LDAP</primary></indexterm>
+ <indexterm><primary>smbldap-tools</primary></indexterm>
+ Having gained a solid understanding of LDAP, and a relatively workable LDAP tree
+ thus far, it was time to configure Samba. I compiled the latest stable SAMBA and
+ also installed the latest <command>smbldap-tools</command> from
+ <ulink url="http://idealx.com">Idealx</ulink>.
+ </para>
+
+ <para>
+ The Samba &smb.conf; file was configured as shown in <link linkend="ch8smbconf"/>.
+ </para>
+
+<smbconfexample id="ch8smbconf">
+<title>Samba Configuration File &smbmdash; smb.conf Part A</title>
+<smbconfcomment>Global parameters</smbconfcomment>
+<smbconfsection name="[global]"/>
+<smbconfoption name="workgroup">MEGANET2</smbconfoption>
+<smbconfoption name="netbios name">MASSIVE</smbconfoption>
+<smbconfoption name="server string">Corp File Server</smbconfoption>
+<smbconfoption name="passdb backend">ldapsam:ldap://localhost</smbconfoption>
+<smbconfoption name="pam password change">Yes</smbconfoption>
+<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
+<smbconfoption name="log level">1</smbconfoption>
+<smbconfoption name="log file">/data/samba/log/%m.log</smbconfoption>
+<smbconfoption name="name resolve order">wins host bcast</smbconfoption>
+<smbconfoption name="time server">Yes</smbconfoption>
+<smbconfoption name="printcap name">cups</smbconfoption>
+<smbconfoption name="show add printer wizard">No</smbconfoption>
+<smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m "%u"</smbconfoption>
+<smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption>
+<smbconfoption name="add user to group script"></smbconfoption>
+<member><parameter>/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</parameter></member>
+<smbconfoption name="delete user from group script"></smbconfoption>
+<member><parameter>/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</parameter></member>
+<smbconfoption name="set primary group script"></smbconfoption>
+<member><parameter>/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</parameter></member>
+<smbconfoption name="add machine script">/usr/local/sbin/smbldap-useradd -w "%m"</smbconfoption>
+<smbconfoption name="logon script">logon.bat</smbconfoption>
+<smbconfoption name="logon path">\\%L\profiles\%U\%a</smbconfoption>
+<smbconfoption name="logon drive">H:</smbconfoption>
+<smbconfoption name="logon home">\\%L\%U</smbconfoption>
+<smbconfoption name="domain logons">Yes</smbconfoption>
+<smbconfoption name="wins support">Yes</smbconfoption>
+<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
+<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
+<smbconfoption name="ldap idmap suffix">ou=People</smbconfoption>
+<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
+<smbconfoption name="ldap passwd sync">Yes</smbconfoption>
+<smbconfoption name="ldap suffix">ou=MEGANET2,dc=abmas,dc=biz</smbconfoption>
+<smbconfoption name="ldap ssl">no</smbconfoption>
+<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
+<smbconfoption name="admin users">root, "@Domain Admins"</smbconfoption>
+<smbconfoption name="printer admin">"@Domain Admins"</smbconfoption>
+<smbconfoption name="force printername">Yes</smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="ch8smbconf2">
+<title>Samba Configuration File &smbmdash; smb.conf Part B</title>
+<smbconfsection name="[netlogon]"/>
+<smbconfoption name="comment">Network logon service</smbconfoption>
+<smbconfoption name="path">/data/samba/netlogon</smbconfoption>
+<smbconfoption name="write list">"@Domain Admins"</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+
+<smbconfsection name="[profiles]"/>
+<smbconfoption name="comment">Roaming Profile Share</smbconfoption>
+<smbconfoption name="path">/data/samba/profiles/</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="profile acls">Yes</smbconfoption>
+<smbconfoption name="veto files">desktop.ini</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+
+<smbconfsection name="[homes]"/>
+<smbconfoption name="comment">Home Directories</smbconfoption>
+<smbconfoption name="valid users">%S</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="create mask">0770</smbconfoption>
+<smbconfoption name="veto files">desktop.ini</smbconfoption>
+<smbconfoption name="hide files">desktop.ini</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+
+<smbconfsection name="[software]"/>
+<smbconfoption name="comment">Software for %a computers</smbconfoption>
+<smbconfoption name="path">/data/samba/shares/software/%a</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+
+<smbconfsection name="[public]"/>
+<smbconfoption name="comment">Public Files</smbconfoption>
+<smbconfoption name="path">/data/samba/shares/public</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+
+<smbconfsection name="[PDF]"/>
+<smbconfoption name="comment">Location of documents printed to PDFCreator printer</smbconfoption>
+<smbconfoption name="path">/data/samba/shares/pdf</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="ch8smbconf3">
+<title>Samba Configuration File &smbmdash; smb.conf Part C</title>
+<smbconfsection name="[EVERYTHING]"/>
+<smbconfoption name="comment">All shares</smbconfoption>
+<smbconfoption name="path">/data/samba</smbconfoption>
+<smbconfoption name="valid users">"@Domain Admins"</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+
+<smbconfsection name="[CDROM]"/>
+<smbconfoption name="comment">CD-ROM on MASSIVE</smbconfoption>
+<smbconfoption name="path">/mnt</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+
+<smbconfsection name="[print$]"/>
+<smbconfoption name="comment">Printer Drivers Share</smbconfoption>
+<smbconfoption name="path">/data/samba/drivers</smbconfoption>
+<smbconfoption name="write list">root</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+
+<smbconfsection name="[printers]"/>
+<smbconfoption name="comment">All Printers</smbconfoption>
+<smbconfoption name="path">/data/samba/spool</smbconfoption>
+<smbconfoption name="create mask">0644</smbconfoption>
+<smbconfoption name="printable">Yes</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+
+<smbconfsection name="[acct_hp8500]"/>
+<smbconfoption name="comment">"Accounting Color Laser Printer"</smbconfoption>
+<smbconfoption name="path">/data/samba/spool/private</smbconfoption>
+<smbconfoption name="valid users">@acct, @acct_admin, @hr, "@Domain Admins",\</smbconfoption>
+<member><parameter>@Receptionist, dwayne, terri, danae, jerry</parameter></member>
+<smbconfoption name="create mask">0644</smbconfoption>
+<smbconfoption name="printable">Yes</smbconfoption>
+<smbconfoption name="copy">printers</smbconfoption>
+
+<smbconfsection name="[plotter]"/>
+<smbconfoption name="comment">Engineering Plotter</smbconfoption>
+<smbconfoption name="path">/data/samba/spool</smbconfoption>
+<smbconfoption name="create mask">0644</smbconfoption>
+<smbconfoption name="printable">Yes</smbconfoption>
+<smbconfoption name="use client driver">Yes</smbconfoption>
+<smbconfoption name="copy">printers</smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="ch8smbconf4">
+<title>Samba Configuration File &smbmdash; smb.conf Part D</title>
+<smbconfsection name="[APPS]"/>
+<smbconfoption name="path">/data/samba/shares/Apps</smbconfoption>
+<smbconfoption name="force group">"Domain Users"</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+
+<smbconfsection name="[ACCT]"/>
+<smbconfoption name="path">/data/samba/shares/Accounting</smbconfoption>
+<smbconfoption name="valid users">@acct, "@Domain Admins"</smbconfoption>
+<smbconfoption name="force group">acct</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="create mask">0660</smbconfoption>
+<smbconfoption name="directory mask">0770</smbconfoption>
+
+<smbconfsection name="[ACCT_ADMIN]"/>
+<smbconfoption name="path">/data/samba/shares/Acct_Admin</smbconfoption>
+<smbconfoption name="valid users">@”acct_admin”</smbconfoption>
+<smbconfoption name="force group">acct_admin</smbconfoption>
+
+<smbconfsection name="[HR_PR]"/>
+<smbconfoption name="path">/data/samba/shares/HR_PR</smbconfoption>
+<smbconfoption name="valid users">@hr, @acct_admin</smbconfoption>
+<smbconfoption name="force group">hr</smbconfoption>
+
+<smbconfsection name="[ENGR]"/>
+<smbconfoption name="path">/data/samba/shares/Engr</smbconfoption>
+<smbconfoption name="valid users">@engr, @receptionist, @truss, "@Domain Admins", cheri</smbconfoption>
+<smbconfoption name="force group">engr</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="create mask">0770</smbconfoption>
+
+<smbconfsection name="[DATA]"/>
+<smbconfoption name="path">/data/samba/shares/DATA</smbconfoption>
+<smbconfoption name="valid users">@engr, @receptionist, @truss, "@Domain Admins", cheri</smbconfoption>
+<smbconfoption name="force group">engr</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="create mask">0770</smbconfoption>
+<smbconfoption name="copy">engr</smbconfoption>
+</smbconfexample>
+
+<smbconfexample id="ch8smbconf5">
+<title>Samba Configuration File &smbmdash; smb.conf Part E</title>
+<smbconfsection name="[X]"/>
+<smbconfoption name="path">/data/samba/shares/X</smbconfoption>
+<smbconfoption name="valid users">@engr, @acct</smbconfoption>
+<smbconfoption name="force group">engr</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="create mask">0770</smbconfoption>
+<smbconfoption name="copy">engr</smbconfoption>
+
+<smbconfsection name="[NETWORK]"/>
+<smbconfoption name="path">/data/samba/shares/network</smbconfoption>
+<smbconfoption name="valid users">"@Domain Users"</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="create mask">0770</smbconfoption>
+<smbconfoption name="guest ok">Yes</smbconfoption>
+
+<smbconfsection name="[UTILS]"/>
+<smbconfoption name="path">/data/samba/shares/Utils</smbconfoption>
+<smbconfoption name="write list">"@Domain Admins"</smbconfoption>
+
+<smbconfsection name="[SYS]"/>
+<smbconfoption name="path">/data/samba/shares/SYS</smbconfoption>
+<smbconfoption name="valid users">chad</smbconfoption>
+<smbconfoption name="read only">No</smbconfoption>
+<smbconfoption name="browseable">No</smbconfoption>
+</smbconfexample>
+
+ <para>
+ <indexterm><primary>Qbasic</primary></indexterm>
+ <indexterm><primary>Rbase</primary></indexterm>
+ <indexterm><primary>drive letters</primary></indexterm>
+ Most of these shares are only used by one company group, but they are required
+ because of some ancient Qbasic and Rbase applications were that written expecting
+ their own drive letters.
+ </para>
+
+ <para>
+ <indexterm><primary>rsync</primary></indexterm>
+ <indexterm><primary>rsyncd.conf</primary></indexterm>
+ <indexterm><primary>synchronize</primary></indexterm>
+ Note: During the process of building the new server, I kept data files up-to-date
+ with the Novell server via use of <command>rsync</command>. On a separate system (my workstation
+ in fact) which could be rebooted whenever necessary, I set up a mount point to the
+ Novell server via <command>ncpmount</command>. I then created a
+ <filename>rsyncd.conf</filename> to share that mount point out to my new server,
+ and synchronized once an hour. The script I used to synchronize is quite nice, so
+ I will include it in an appendix. The reason I had to have the
+ <command>rsync</command> daemon running on a system which could be rebooted
+ frequently is because <constant>ncpfs</constant> has a nasty habit of creating
+ stale mount points which cannot be recovered without a reboot. The reason for
+ hourly synchronization is because some part of the chain was very slow and
+ performance-heavy (whether <command>rsync</command> itself, the network, or
+ the Novell server I am not sure probably the Novell server).
+ </para>
+
+ <para>
+ After Samba had been configured, I initialized the LDAP database. So the first
+ thing I had to do was to store the LDAP password in the Samba configuration by
+ issuing the command (as root):
+<screen>
+&rootprompt; smbpasswd -w verysecret
+</screen>
+ where <quote>verysecret</quote> is replaced by the LDAP bind password.
+ </para>
+
+<note><para>
+The Idealx smbldap-tools package can be configured using a script called
+<command>configure.pl</command> that is provided as part of the tool. See Chapter 6
+for an example of its use. Many administrators, like Misty, choose to do this manually
+so as to maintain greater awareness of how the tool-chain works, and possibly to avoid
+undesirable actions from occurring un-noticed.
+</para></note>
+
+ <para>
+ Now Samba is ready for use. Now configure the smbldap-tools. There are two
+ relevant files, which are usually put into the directory
+ <filename>/etc/smbldap-tools</filename>. The main file,
+ <filename>smbldap.conf</filename> is shown in <link linkend="ch8ideal"/>.
+ </para>
+
+<example id="ch8ideal">
+<title>Idealx smbldap-tools Control File &smbmdash; Part A</title>
+<screen>
+#########
+#
+# located in /etc/smbldap-tools/smbldap.conf
+#
+##############################################################################
+#
+# General Configuration
+#
+##############################################################################
+
+# Put your own SID
+# to obtain this number do: net getlocalsid
+SID="S-1-5-21-725326080-1709766072-2910717368"
+
+##############################################################################
+#
+# LDAP Configuration
+#
+##############################################################################
+
+# Notes: to use to dual ldap servers backend for Samba, you must patch
+# Samba with the dual-head patch from IDEALX. If not using this patch
+# just use the same server for slaveLDAP and masterLDAP.
+# Those two servers declarations can also be used when you have
+# . one master LDAP server where all writing operations must be done
+# . one slave LDAP server where all reading operations must be done
+# (typically a replication directory)
+
+# Ex: slaveLDAP=127.0.0.1
+slaveLDAP="127.0.0.1"
+slavePort="389"
+
+# Master LDAP : needed for write operations
+# Ex: masterLDAP=127.0.0.1
+masterLDAP="127.0.0.1"
+masterPort="389"
+
+# Use TLS for LDAP
+# If set to 1, this option will use start_tls for connection
+# (you should also used the port 389)
+ldapTLS="0"
+
+# How to verify the server's certificate (none, optional or require)
+# see "man Net::LDAP" in start_tls section for more details
+verify=""
+</screen>
+</example>
+
+<example id="ch8ideal2">
+<title>Idealx smbldap-tools Control File &smbmdash; Part B</title>
+<screen>
+# CA certificate
+# see "man Net::LDAP" in start_tls section for more details
+cafile=""
+ certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientcert=""
+
+# key certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientkey=""
+
+# LDAP Suffix
+# Ex: suffix=dc=IDEALX,dc=ORG
+suffix="ou=MEGANET2,dc=abmas,dc=biz"
+
+# Where are stored Users
+# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
+usersdn="ou=People,${suffix}"
+
+# Where are stored Computers
+# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
+computersdn="ou=People,${suffix}"
+
+# Where are stored Groups
+# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
+groupsdn="ou=Groups,${suffix}"
+
+# Where are stored Idmap entries (used if samba is a domain member server)
+# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
+idmapdn="ou=Idmap,${suffix}"
+
+# Where to store next uidNumber and gidNumber available
+sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
+
+# Default scope Used
+scope="sub"
+</screen>
+</example>
+
+<example id="ch8ideal3">
+<title>Idealx smbldap-tools Control File &smbmdash; Part C</title>
+<screen>
+# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
+hash_encrypt="MD5"
+
+# if hash_encrypt is set to CRYPT, you may set a salt format.
+# default is "%s", but many systems will generate MD5 hashed
+# passwords if you use "$1$%.8s". This parameter is optional!
+crypt_salt_format="%s"
+
+##############################################################################
+#
+# Unix Accounts Configuration
+#
+##############################################################################
+
+# Login defs
+# Default Login Shell
+# Ex: userLoginShell="/bin/bash"
+userLoginShell="/bin/false"
+
+# Home directory
+# Ex: userHome="/home/%U"
+userHome="/home/%U"
+
+# Gecos
+userGecos="Samba User"
+
+# Default User (POSIX and Samba) GID
+defaultUserGid="513"
+
+# Default Computer (Samba) GID
+defaultComputerGid="515"
+
+# Skel dir
+skeletonDir="/etc/skel"
+
+# Default password validation time (time in days) Comment the next line if
+# you don't want password to be enable for defaultMaxPasswordAge days (be
+# careful to the sambaPwdMustChange attribute's value)
+defaultMaxPasswordAge="45"
+</screen>
+</example>
+
+<example id="ch8ideal4">
+<title>Idealx smbldap-tools Control File &smbmdash; Part D</title>
+<screen>
+##############################################################################
+#
+# SAMBA Configuration
+#
+##############################################################################
+
+# The UNC path to home drives location (%U username substitution)
+# Ex: \\My-PDC-netbios-name\homes\%U
+# Just set it to a null string if you want to use the smb.conf 'logon home'
+# directive and/or disable roaming profiles
+userSmbHome=""
+
+# The UNC path to profiles locations (%U username substitution)
+# Ex: \\My-PDC-netbios-name\profiles\%U
+# Just set it to a null string if you want to use the smb.conf 'logon path'
+# directive and/or disable roaming profiles
+userProfile=""
+
+# The default Home Drive Letter mapping
+# (will be automatically mapped at logon time if home directory exist)
+# Ex: H: for H:
+userHomeDrive=""
+
+# The default user netlogon script name (%U username substitution)
+# if not used, will be automatically username.cmd
+# make sure script file is edited under dos
+# Ex: %U.cmd
+# userScript="startup.cmd" # make sure script file is edited under dos
+userScript=""
+
+# Domain appended to the users "mail"-attribute
+# when smbldap-useradd -M is used
+mailDomain="abmas.org"
+
+##############################################################################
+#
+# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
+#
+##############################################################################
+# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
+# prefer Crypt::SmbHash library
+with_smbpasswd="0"
+smbpasswd="/usr/bin/smbpasswd"
+</screen>
+</example>
+
+ <para>
+ <indexterm><primary>TLS</primary></indexterm>
+ NOTE: I chose not to take advantage of the TLS capability of this.
+ Eventually I may go back and tweak it. Also I chose not to take advantage
+ of the master/slave configuration as I heard horror stories that it was
+ unstable. My slave servers are replicas only.
+ </para>
+
+ <para>
+ The <filename>/etc/smbldap-tools/smbldap_bind.conf</filename> file is shown here:
+<screen>
+# smbldap_bind.conf
+#
+# This file simply tells smbldap-tools how to bind to your LDAP server.
+# It has to be a DN with full write access to the Samba portion of
+# the database.
+
+############################
+# Credential Configuration #
+############################
+# Notes: you can specify two differents configuration if you use a
+# master ldap for writing access and a slave ldap server for reading access
+# By default, we will use the same DN (so it will work for standard Samba
+# release)
+slaveDN="cn=Manager,dc=abmas,dc=biz"
+slavePw="verysecret"
+masterDN="cn=Manager,dc=abmas,dc=biz"
+masterPw="verysecret"
+</screen>
+ </para>
+
+ <para>
+ We can now run the <command>smbldap-populate</command> command which will populate
+ the LDAP tree with the appropriate default users, groups, and UID and GID pools.
+ It will create a user called Administrator with UID=0 and GID=0 matching the
+ Domain Admins group. This is fine you can still log in a root to a Windows system,
+ but it will break cached credentials if you need to log in as the administrator
+ to a system that is not on the network for whatever reason.
+ </para>
+
+ <para>
+ After the LDAP database has been pre-loaded it is prudent to validate that the
+ information needed is in the LDAP directory. This can be done done by restarting
+ the LDAP server, then performing an LDAP search by executing:
+<screen>
+&rootprompt; ldapsearch -W -x -b "dc=abmas,dc=biz"\
+ -D "cn=Manager,dc=abmas,dc=biz" \
+ "(Objectclass=*)"
+Enter LDAP Password:
+# extended LDIF
+#
+# LDAPv3
+# base &lt;dc=abmas,dc=biz&gt; with scope sub
+# filter: (ObjectClass=*)
+# requesting: ALL
+#
+
+# abmas.biz
+dn: dc=abmas,dc=biz
+objectClass: dcObject
+objectClass: organization
+o: abmas
+dc: abmas
+
+# People, abmas.biz
+dn: ou=People,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: People
+
+# Groups, abmas.biz
+dn: ou=Groups,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: Groups
+
+# Idmap, abmas.biz
+dn: ou=Idmap,dc=abmas,dc=biz
+objectClass: organizationalUnit
+ou: Idmap
+...
+</screen>
+ </para>
+
+ <para>
+ <indexterm><primary>Windows</primary></indexterm>
+ <indexterm><primary>POSIX</primary></indexterm>
+ <indexterm><primary>smbldap-groupadd</primary></indexterm>
+ <indexterm><primary>RID</primary></indexterm>
+ <indexterm><primary>sambaGroupMapping</primary></indexterm>
+ With the LDAP directory now intialized it is time to create the Windows and POSIX
+ (UNIX) group accounts as well as the mappings from Windows groups to UNIX groups.
+ The easiest way to do this is to use <command>smbldap-groupadd</command> command.
+ It will create the group with the posixGroup and sambaGroupMapping attributes, a
+ unique GID, and an automatically-determined RID. I learned the hard way not to
+ try to do this by hand.
+ </para>
+
+ <para>
+ <indexterm><primary>group mapping</primary></indexterm>
+ <indexterm><primary>smbldap-groupmod</primary></indexterm>
+ <indexterm><primary>memberUID</primary></indexterm>
+ After I had my group mappings in place, I added users to the groups (the users
+ don't really have to exist yet). I used the <command>smbldap-groupmod</command>
+ command to accomplish this. It can also be done manually by adding memberUID
+ attributes to the group entries in LDAP.
+ </para>
+
+ <para>
+ <indexterm><primary>sambaSamAccount</primary></indexterm>
+ <indexterm><primary>posixAccount</primary></indexterm>
+ <indexterm><primary>smbldap-usermod</primary></indexterm>
+ The most monumental task of all was adding the sambaSamAccount information to each
+ already-existent posixAccount entry. I did it one at a time as I moved people onto
+ the new server, by issuing the command:
+<screen>
+&rootprompt; smbldap-usermod -a -P username
+</screen>
+ <indexterm><primary>NetWare</primary></indexterm>
+ <indexterm><primary>LDIF</primary></indexterm>
+ <indexterm><primary>slapcat</primary></indexterm>
+ I completed that step for every user after asking the person what their current
+ NetWare password was. The wiser way to have done it would probably be to dump the
+ entire database to an LDIF file. This can be done by executing:
+<screen>
+&rootprompt; slapcat &gt; somefile.ldif
+</screen>
+ <indexterm><primary>Perl</primary></indexterm>
+ <indexterm><primary>objectClass</primary></indexterm>
+ Then update the LDIF file created by using a Perl script to parse and add the
+ appropriate attributes and objectClasses to each entry, followed by re-importing
+ the entire database into the LDAP directory.
+ </para>
+
+ <para>
+ Rebuilding of the LDAP directory can be done as follows:
+<screen>
+&rootprompt; rcldap stop
+&rootprompt; cd /data/ldap
+&rootprompt; rm *bdb _* log*
+&rootprompt; su - ldap -c "slapadd -l somefile.ldif"
+&rootprompt; rcldap start
+</screen>
+ This can be done at any time and for any reason, with no harm to the database.
+ </para>
+
+ <para>
+ So first I added a test user, of course. The LDIF for this test user looks like
+ this, to give you an idea:
+<screen>
+# Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
+dn:cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
+cn: Test User
+gecos: Test User
+gidNumber: 513
+givenName: Test
+homeDirectory: /home/test.user
+homePhone: 555
+l: Somewhere
+l: ST
+mail: test.user
+o: Corp
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: sambaSamAccount
+postalCode: 12345
+sn: User
+street: 10 Some St.
+uid: test.user
+uidNumber: 1074
+sambaLogonTime: 0
+sambaLogoffTime: 2147483647
+sambaKickoffTime: 2147483647
+sambaPwdCanChange: 0
+displayName: Samba User
+sambaSID: S-1-5-21-725326080-1709766072-2910717368-3148
+sambaLMPassword: 9D29C287C58448F9AAD3B435B51404EE
+sambaAcctFlags: [U]
+sambaNTPassword: D062088E99C95E37D7702287BB35E770
+sambaPwdLastSet: 1102537694
+sambaPwdMustChange: 1106425694
+userPassword: {SSHA}UzFZ2VxRGdwUueLnTGtsTBtnsvMO1oj8
+loginShell: /bin/false
+</screen>
+ </para>
+
+ <para>
+ Then I went over to a spare Windows NT machine and joined it to the MEGANET2 domain.
+ It worked, and the machine's account entry under ou=Computers looks like this:
+<screen>
+dn:uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: sambaSamAccount
+cn: w2kengrspare$
+sn: w2kengrspare$
+uid: w2kengrspare$
+uidNumber: 1104
+gidNumber: 515
+homeDirectory: /dev/null
+loginShell: /bin/false
+description: Computer
+gecos: Computer
+sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208
+sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-2031
+displayName: W2KENGRSPARE$
+sambaPwdCanChange: 1103149236
+sambaPwdMustChange: 2147483647
+sambaNTPassword: CA199C45CB6737035DB6D9D9F6CD1834
+sambaPwdLastSet: 1103149236
+sambaAcctFlags: [W ]
+</screen>
+ </para>
+
+ <para>
+ <indexterm><primary>netlogon</primary></indexterm>
+ So now I can log in with a test user from the machine w2kengrspare. It's all fine and
+ good, but that user is in no groups yet so has pretty boring access. We can fix that
+ by writing the login script! To write the login script, I used
+ <ulink url="http://www.kixtart.org">Kixstart</ulink>. I used it because it will work
+ with every architecture of Windows, has an active and helpful user base, and was both
+ easier to learn and more powerful than the standard netlogon scripts I have seen.
+ I also did not have to do a logon script per user or per group.
+ </para>
+
+ <para>
+ <indexterm><primary>Kixtart</primary></indexterm>
+ I downloaded Kixtart and put the following files in my [netlogon] share:
+<screen>
+KIX32.EXE
+KX32.dll
+KX95.dll &lt;-- Not needed unless you are running Win9x clients.
+kx16.dll &lt;-- Probably not needed unless you are running DOS clients.
+kxrpc.exe &lt;-- Probably useless as it has to run on the server and can
+ only be run on NT. It's for Windows 95 to become group-aware.
+ We can get around the need.
+</screen>
+ </para>
+
+ <para>
+ <indexterm><primary>logon.kix</primary></indexterm>
+ I then wrote the <filename>logon.kix</filename> file that is shown in
+ <link linkend="ch8kix"/>. I chose to keep it all in one file, but it
+ can be split up and linked via include directives.
+ </para>
+
+<example id="ch8kix">
+<title>Kixstart Control File &smbmdash; File: logon.kix</title>
+<screen>
+; This script just calls the other scripts.
+
+; First we want to get things done for everyone.
+
+; Second, we do first-time login stuff.
+
+; Third, we go through the group-oriented scripts one at a time.
+
+
+; We want to check for group membership here to avoid the overhead of running
+; scripts which don't apply.
+call "\\massive\netlogon\scripts\main.kix"
+call "\\massive\netlogon\scripts\setup.kix"
+IF INGROUP("MEGANET2\ACCT")
+ call "scripts\acct.kix"
+ENDIF
+IF INGROUP("MEGANET2\ENGR","MEGANET2\RECEPTIONIST")
+call "\\massive\netlogon\scripts\engr.kix"
+ENDIF
+IF INGROUP("MEGANET2\FURN")
+ call "\\massive\netlogon\scripts\furn.kix"
+ENDIF
+IF INGROUP("MEGANET2\TRUSS")
+ call "\\massive\netlogon\scripts\truss.kix"
+ENDIF
+</screen>
+</example>
+
+<example id="ch8kix2">
+<title>Kixstart Control File &smbmdash; File: main.kix</title>
+<screen>
+break on
+
+; Choose whether to hide the login window or not
+IF INGROUP("MEGANET2\Domain Admins")
+ USE Z: \\massive\everything
+ SETCONSOLE("show")
+ELSE
+ ; Nobody cares about seeing the login script except admins
+ SETCONSOLE("hide")
+ENDIF
+
+; Delete all previously connected shares
+USE * /delete
+
+SETTITLE("Logging on @USERID to @LDOMAIN at @TIME")
+
+; Set the time on the workstation
+$Timeserver = "\\massive"
+Settime $TimeServer
+
+; Map the home directory
+USE H: @HOMESHR ; connect to user's home share
+IF @ERROR = 0
+
+ H:
+ CD @HOMEDIR ; change directory to user's home directory
+ENDIF
+
+; Everyone gets the N drive
+USE N: \\massive\network
+</screen>
+</example>
+
+<example id="ch8kix3">
+<title>Kixstart Control File &smbmdash; File: setup.kix, Part A</title>
+<screen>
+; My setup.kix is where all of the redirection stuff happens. Note that with
+; the use of registry keys, ths only happens the first time they log in ,or if
+; I delete the pertinent registry keys which triggers it to happen again:
+
+; Check to see if we have written the Borkholder subkey before
+$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\Borkholder")
+IF NOT $RETURNCODE = 0
+; Add key for Borkholder-specific things on the first login
+ ADDKEY("HKEY_CURRENT_USER\Borkholder")
+ ; The following key gets deleted at the end of the first login
+ ADDKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN")
+ENDIF
+
+; People with laptops need My Documents to be in their profile. People with
+; desktops can have My Documents redirected to their home directory to avoid
+; long delays with logging out and out-of-sync files.
+
+; Check to see if this is the first login -- doesn't make sense to do this
+; at the very first login
+
+$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN")
+IF NOT $RETURNCODE = 0
+
+; We don't want to do this stuff for people with laptops or people in the FURN
+; group. (They store their profiles in a different server)
+
+ IF NOT INGROUP("MASSIVE\Laptop","MASSIVE\FURN")
+ $RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\Borkholder\profile_copied")
+
+; A crude way to tell what OS our profile is for and copy the "My Documents"
+; to the redirected folder on the server. It works because the profiles
+; are stored as \\server\profiles\user\architecture
+ IF NOT $RETURNCODE = 0
+ IF EXIST("\\massive\profiles\@userID\WinXP")
+ copy "\\massive\profiles\@userID\WinXP\My Documents\*"
+"\\massive\@userID\"
+ ENDIF
+ IF EXIST("\\massive\profiles\@userID\Win2K")
+ copy "\\massive\profiles\@userID\Win2K\My Documents\*"
+"\\massive\@userID\"
+ ENDIF
+ IF EXIST("\\massive\profiles\@userID\WinNT")
+ copy "\\massive\profiles\@userID\WinNT\My Documents\*"
+"\\massive\@userID\"
+ ENDIF
+</screen>
+</example>
+
+<example id="ch8kix3b">
+<title>Kixstart Control File &smbmdash; File: setup.kix, Part B</title>
+<screen>
+; Now we will write the registry values to redirect the locations of "My
+Documents"
+; and other folders.
+ ADDKEY("HKEY_CURRENT_USER\Borkholder\profile_copied")
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User
+Shell Folders", "Personal","\\massive\@userID","REG_SZ")
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User
+Shell Folders", "My Pictures", "\\massive\@userID\My Pictures", "REG_SZ")
+ IF @PRODUCTTYPE="Windows 2000 Professional" or @PRODUCTTYPE="Windows XP
+Professional"
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User
+Shell Folders", "My Videos", "\\massive\@userID\My Videos", "REG_SZ")
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User
+Shell Folders", "My Music", "\\massive\@userID\My Music", "REG_SZ")
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
+Windows\CurrentVersion\Explorer\User
+Shell Folders", "My eBooks", "\\massive\@userID\My eBooks", "REG_SZ")
+ ENDIF
+ ENDIF
+ ENDIF
+
+; Now we will delete the FIRST_LOGIN subkey that we made before.
+; Note - to run this script again you will want to delete the HKCU\Borkholder
+; subkey, log out, and log back in.
+$RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN")
+IF $RETURNVALUE = 0
+ DELKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN")
+ENDIF
+</screen>
+</example>
+
+<example id="ch8kix4">
+<title>Kixstart Control File &smbmdash; File: acct.kix</title>
+<screen>
+; And here is one group-oriented script to show what can be
+; done that way: acct.kix:
+
+IF INGROUP("MASSIVE\Acct_Admin","MASSIVE\HR")
+ USE I: \\MEGANET2\HR_PR
+ENDIF
+
+; Set up printer
+$RETURNVALUE = existkey("HKEY_CURRENT_USER\Printers\,,massive,acct_hp8500")
+IF NOT $RETURNVALUE = 0
+ ADDPRINTERCONNECTION("\\massive\acct_hp8500")
+ SETDEFAULTPRINTER("\\massive\acct_hp8500")
+ENDIF
+; Set up drive mappings
+ USE M: \\massive\ACCT
+ IF INGROUP("MEGANET2\ABRA")
+ USE T: \\trussrv\abra
+ ENDIF
+</screen>
+</example>
+
+ <para>
+ As you can see in the script, I redirect the My Documents to the user's home
+ share if they are not in the “Laptop” group. I also add printers on a
+ group-by-group basis, and if applicable I setthe group printer. For this to
+ be effective, the print drivers must be installed on the Samba server in the
+ <filename>[print$]</filename> share. Ample documentation exists about how to do that so I did not
+ cover it.
+ </para>
+
+ <para>
+ I actually call this script via the logon.bat script in the [netlogon] directory:
+<screen>
+\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f
+</screen>
+ I only had to fully qualify the paths for Windows 9x, as Windows NT and
+ greater automatically add [NETLOGON] to the path.
+ </para>
+
+ <para>
+ Also of note for Win9x is that the drive mappings and printer setup will not
+ work because they rely on RPC. One merely has to put the appropriate settings
+ into the <filename>c:\autoexec.bat</filename> file or map the drives manually. One option would
+ be to check the OS as part of the Kixtart script, and if it is Win9x and if
+ it is the first login, copy a pre-made <filename>autoexec.bat</filename> to the <filename>C:</filename> drive. I only
+ have three such machines and one is going away in the very near future, so it
+ was easier to do it by hand.
+ </para>
+
+ <para>
+ <indexterm><primary>upgrade</primary></indexterm>
+ At this point I was able to add the users. This is the part that really falls
+ into “upgrade. I moved the users over one group at a time, starting with the
+ people who used the least amount of resources on the network. With each group
+ that I moved, I first logged in as a “standard” user in that group and took
+ careful note of their environment, mainly the printers they used, their PATH,
+ and what network resources they had access to (most importantly which ones
+ they actually needed access to).
+ </para>
+
+ <para>
+ I would then add the user's SambaSamAccount information as mentioned earlier,
+ and join the computer to the domain. The very first thing I had to do was to
+ copy the user's profile to the new server. This was very important, and I really
+ struggled with the most effective way to do it. Here is the method that worked
+ for every one of my users on Windows NT, 2000, and XP:
+ </para>
+
+ <procedure>
+ <step><para>
+ Log in as the user on the domain. This creates the local copy
+ of the user's profile and copies it to the server as they log out.
+ </para></step>
+
+ <step><para>
+ Reboot the computer and log in as the local machine administrator.
+ </para></step>
+
+ <step><para>
+ Right-click My Computer, click Properties, and navigate to the
+ user profiles tab (varies per version of Windows).
+ </para></step>
+
+ <step><para>
+ Select the user's local profile <constant>(COMPUTERNAME\username)</constant>,
+ and click the <command>Copy To</command> button.
+ </para></step>
+
+ <step><para>
+ In the next dialog, copy it directly to the profiles share on the
+ Samba server (\\PDCname\profiles\user\&lt;architecture&gt; in my
+ case). You will have had to make a connection to the share as that
+ user (e.g.: Windows Explorer type \\PDCname\profiles\username).
+ </para></step>
+
+ <step><para>
+ When the copy is complete (it can take a while) log out, and log back in
+ as the user. All his/her settings and all contents of My Documents,
+ Favorites, and the registry should have been copied successfully.
+ </para></step>
+
+ <step><para>
+ If it doesn't look right (the dead giveaway is the desktop background)
+ shut down the computer without logging out (power cycle) and try logging
+ in as the user again. If it still doesn't work, repeat the steps above.
+ I only had to ever repeat it once.
+ </para></step>
+
+ </procedure>
+
+ <para>
+ WORDS TO THE WISE:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ If the user was anything other than a standard user on his/her system
+ before, you will save yourself some headaches by giving them identical
+ permissions (on the local machine) as their domain account, BEFORE
+ copying their profile over. Do this through the User Administrator
+ in the Control Panel, after joining the computer to the domain and
+ before logging as that user for the first time. Otherwise they will
+ have trouble with permissions on their registry keys.
+ </para></listitem>
+
+ <listitem><para>
+ If any application was installed for the user only, rather than for
+ the entire system, it will probably not work without being reinstalled.
+ </para></listitem>
+ </itemizedlist>
+
+ <para>
+ After all these steps are accomplished, only cleanup details are left. Make sure user's
+ shortcuts and “Network Places” point to the appropriate place on the new server, check
+ the important applications to be sure they work as expected and troubleshoot any problems
+ that might arise, check to be sure the user's printers are present and working. By the
+ way, if there are any network printers installed as system printers (the Novell way)
+ you will need to log in as a local administrator and delete them.
+ </para>
+
+ <para>
+ For my non-laptop systems, I would then log in and out a couple times as the user,
+ to be sure that their registry settings were modified, then I was finished.
+ </para>
+
+ <para>
+ Some compatibility issues that cropped up included:
+ </para>
+
+ <para>
+ Blackberry client &smbmdash; It did not like having its registry settings moved around,
+ and had to be reinstalled. Also it needed write permissions to a portion of
+ the hard drive, and I had to give it those manually on the one system where
+ this was an issue.
+ </para>
+
+ <para>
+ CAMedia &smbmdash; digital camera software for Canon cameras I had all kinds of trouble
+ with the registry. I had to use the Run as service to open the registry of
+ the local user while logged in as the domain user, and give the domain user
+ the appropriate permissions to some registry keys, then export that portion
+ of the registry to a file. Then as the domain user I had to import that file
+ into the registry.
+ </para>
+
+ <para>
+ Crystal Reports version 7 &smbmdash; More registry problems that were solved by re-copying
+ the user's profile.
+ </para>
+
+ <para>
+ Printing from legacy applications &smbmdash; I found out that Novell sent its jobs to
+ the printer in a raw format. CUPS sends them in Postscript by default. I had
+ to make a second printer definition for one printer and tell CUPS specifically
+ to send raw data to the printer, and assign this printer to the LPT port with
+ Kixtart's version of the “net use”command.
+ </para>
+
+ <para>
+ These were all eventually solved by elbow grease, queries to the Samba mailing
+ list and others, and diligence. The complete migration took about 5 weeks.
+ My userbase is relatively small, but includes multiple versions of Windows,
+ multiple Linux member servers, a mechanized saw, a pen plotter, and legacy
+ applications written in Qbasic and R:Base, just to name a few. I actually
+ ended up making some of these applications work better (or work again, as
+ some of them had stopped functioning on the old server) because as part of
+ the process I had to find out how things were supposed to work.
+ </para>
+
+ <para>
+ The one thing I have not been able to get working is a very old database that
+ we had around for reference purposes which uses Novell's Btrieve engine.
+ </para>
+
+ <para>
+ As the resources compare, I went from 95% disk usage to just around 10%.
+ I went from a very high load on the server to an average load of between 1
+ and 2 runnable processes on the server. I have improved the security and
+ robustness of the system. I have also implemented
+ <ulink url="http://www.clamav.net">ClamAV</ulink> Antivirus
+ which scans the entire Samba server for viruses every two hours and
+ quarantines them. I have found it much less problematic than our ancient
+ version of Norton Antivirus Corporate Edition, and much more up-to-date.
+ </para>
+
+ <para>
+ In short, my users are much happier now that the new server is running, that
+ is what is important to me.
+ </para>
+
+ </sect3>
+
+ </sect2>
+
+</sect1>
+
+</chapter>
+
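Review bot: the smbldap_bind.conf excerpt stores the directory manager credential in clear (`slavePw="verysecret"` and `masterPw="verysecret"`) and the surrounding text never says that this file must be readable by root only; add a sentence telling the reader to set mode 0600 on it, and since the control file chooses `ldapTLS="0"`, note that the same DN and password would cross the network in clear if masterLDAP or slaveLDAP were ever pointed at a host other than 127.0.0.1. Smaller points in the same hunk: in the Part B control file the line `certificate to use to connect to the ldap server` has lost its leading `#`, so the excerpt is not a valid configuration as shown; the suffix `ou=MEGANET2,dc=abmas,dc=biz` and the setting `computersdn="ou=People,${suffix}"` do not agree with the later ldapsearch output (ou=People and ou=Groups directly under dc=abmas,dc=biz), with the test-user DN under ou=corp, or with the machine account shown under ou=Computers,ou=MEGANET2, so one consistent tree should be used throughout the chapter; the Kixtart scripts qualify groups as MEGANET2\ in logon.kix and main.kix but MASSIVE\ in setup.kix and acct.kix, acct.kix maps \\MEGANET2\HR_PR with the domain name in place of a server name, the logon.bat line refers to \\corpsrv while every other UNC uses \\massive, and the example titles spell the tool "Kixstart" while the prose says "Kixtart"; several WRITEVALUE and copy lines in setup.kix are wrapped mid-path for printing and will not run if pasted, so either state that they are wrapped or keep each statement on one line; the "Rebuilding of the LDAP directory" sequence removes the BDB files before slapadd, so the claim of "no harm to the database" only holds once slapcat has produced a complete LDIF, and that precondition (and a backup of /data/ldap) should be stated; the Administrator account that smbldap-populate creates with UID=0 is root on the UNIX side, so the text should say its password deserves the same protection as root's; finally, the sample LDIF entries carry real-looking sambaLMPassword, sambaNTPassword and userPassword values together with the domain SID, which are better replaced with obvious placeholders.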