author | Jelmer Vernooij <jelmer@samba.org> | 2003-08-13 06:07:10 +0000 |
---|---|---|
committer | Jelmer Vernooij <jelmer@samba.org> | 2003-08-13 06:07:10 +0000 |
commit | f62eaeb1a5add34ee7353d0d95db3c84a5c71c22 (patch) | |
tree | 10cf7e89e5a1ec800b7f30f731cbd4f4ebf5f13d /docs/htmldocs/NT4Migration.html | |
parent | 879573e127150d258bc7ad9526f273c9c846da99 (diff) | |
download | samba-f62eaeb1a5add34ee7353d0d95db3c84a5c71c22.tar.gz samba-f62eaeb1a5add34ee7353d0d95db3c84a5c71c22.tar.bz2 samba-f62eaeb1a5add34ee7353d0d95db3c84a5c71c22.zip |
regenerate
(This used to be commit 75a8a906e8031b50e6583f2e0354073a8aa7f5f3)
Diffstat (limited to 'docs/htmldocs/NT4Migration.html')
-rw-r--r-- | docs/htmldocs/NT4Migration.html | 178 |
1 files changed, 178 insertions, 0 deletions
diff --git a/docs/htmldocs/NT4Migration.html b/docs/htmldocs/NT4Migration.html new file mode 100644 index 0000000000..b561492644 --- /dev/null +++ b/docs/htmldocs/NT4Migration.html 
@@ -0,0 +1,178 @@ +<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 31. Migration from NT4 PDC to Samba-3 PDC</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.60.1"><link rel="home" href="samba-doc.html" title="SAMBA Project Documentation"><link rel="up" href="migration.html" title="Part IV. Migration and Updating"><link rel="previous" href="upgrading-to-3.0.html" title="Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0"><link rel="next" href="SWAT.html" title="Chapter 32. SWAT - The Samba Web Administration Tool"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 31. Migration from NT4 PDC to Samba-3 PDC</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><th width="60%" align="center">Part IV. Migration and Updating</th><td width="20%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="NT4Migration"></a>Chapter 31. 
Migration from NT4 PDC to Samba-3 PDC</h2></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email"><<a href="mailto:jht@samba.org">jht@samba.org</a>></tt></p></div></div></div></div><div><p class="pubdate">April 3, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><a href="NT4Migration.html#id2955644">Planning and Getting Started</a></dt><dd><dl><dt><a href="NT4Migration.html#id2955669">Objectives</a></dt><dt><a href="NT4Migration.html#id2956108">Steps In Migration Process</a></dt></dl></dd><dt><a href="NT4Migration.html#id2956323">Migration Options</a></dt><dd><dl><dt><a href="NT4Migration.html#id2956414">Planning for Success</a></dt><dt><a href="NT4Migration.html#id2956670">Samba-3 Implementation Choices</a></dt></dl></dd></dl></div><p> +This is a rough guide to assist those wishing to migrate from NT4 domain control to +Samba-3 based domain control. +</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2955644"></a>Planning and Getting Started</h2></div></div><div></div></div><p> +In the IT world there is often a saying that all problems are encountered because of +poor planning. The corollary to this saying is that not all problems can be anticipated +and planned for. Then again, good planning will anticipate most show stopper type situations. +</p><p> +Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control +environment would do well to develop a detailed migration plan. So here are a few pointers to +help migration get under way. 
+</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2955669"></a>Objectives</h3></div></div><div></div></div><p> +The key objective for most organisations will be to make the migration from MS Windows NT4 +to Samba-3 domain control as painless as possible. One of the challenges you may experience +in your migration process may well be one of convincing management that the new environment +should remain in place. Many who have introduced open source technologies have experienced +pressure to return to a Microsoft based platform solution at the first sign of trouble. +</p><p> +Before attempting a migration to a Samba-3 controlled network make every possible effort to +gain all-round commitment to the change. Know precisely <span class="emphasis"><em>why</em></span> the change +is important for the organisation. Possible motivations to make a change include: +</p><div class="itemizedlist"><ul type="disc"><li><p>Improve network manageability</p></li><li><p>Obtain better user level functionality</p></li><li><p>Reduce network operating costs</p></li><li><p>Reduce exposure caused by Microsoft withdrawal of NT4 support</p></li><li><p>Avoid MS License 6 implications</p></li><li><p>Reduce organisation's dependency on Microsoft</p></li></ul></div><p> +Make sure that everyone knows that Samba-3 is NOT MS Windows NT4. Samba-3 offers +an alternative solution that is both different from MS Windows NT4 and that offers +advantages compared with it. Gain recognition that Samba-3 lacks many of the +features that Microsoft has promoted as core values in migration from MS Windows NT4 to +MS Windows 2000 and beyond (with or without Active Directory services). +</p><p> +What are the features that Samba-3 can NOT provide? 
+</p><div class="itemizedlist"><ul type="disc"><li><p>Active Directory Server</p></li><li><p>Group Policy Objects (in Active Directory)</p></li><li><p>Machine Policy objects</p></li><li><p>Logon Scripts in Active Directory</p></li><li><p>Software Application and Access Controls in Active Directory</p></li></ul></div><p> +The features that Samba-3 DOES provide and that may be of compelling interest to your site +includes: +</p><div class="itemizedlist"><ul type="disc"><li><p>Lower Cost of Ownership</p></li><li><p>Global availability of support with no strings attached</p></li><li><p>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</p></li><li><p>Creation of on-the-fly logon scripts</p></li><li><p>Creation of on-the-fly Policy Files</p></li><li><p>Greater Stability, Reliability, Performance and Availability</p></li><li><p>Manageability via an ssh connection</p></li><li><p>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</p></li><li><p>Ability to implement a full single-sign-on architecture</p></li><li><p>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</p></li></ul></div><p> +Before migrating a network from MS Windows NT4 to Samba-3 consider all necessary factors. Users +should be educated about changes they may experience so that the change will be a welcome one +and not become an obstacle to the work they need to do. The following are factors that will +help ensure a successful migration: +</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2955881"></a>Domain Layout</h4></div></div><div></div></div><p> +Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called +a secondary controller), a domain member, or as a stand-alone server. The Windows network security +domain context should be sized and scoped before implementation. 
Particular attention needs to be +paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs). +One way in which Samba-3 differs from Microsoft technology is that if one chooses to use an LDAP +authentication backend then the same database can be used by several different domains. In a +complex organisation there can be a single LDAP database, which itself can be distributed (ie: Have +a master server and multiple slave servers) that can simultaneously serve multiple domains. +</p><p> +From a design perspective, the number of users per server, as well as the number of servers, per +domain should be scaled taking into consideration server capacity and network bandwidth. +</p><p> +A physical network segment may house several domains. Each may span multiple network segments. +Where domains span routed network segments, consider and test the performance implications of +the design and layout of a network. A Centrally located domain controller that is designed to +serve multiple routed network segments may result in severe performance problems. Check the +response time (eg: ping timing) between the remote segment and the PDC. If long (more than 100 ms) +locate a backup controller (BDC) on the remote segmanet to serve as the local authentication and +access control server. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2955930"></a>Server Share and Directory Layout</h4></div></div><div></div></div><p> +There are cardinal rules to effective network design. These can not be broken with impunity. +The most important rule: Simplicity is king in every well controlled network. Every part of +the infrastructure must be managed, the more complex it is, the greater will be the demand +of keeping systems secure and functional. +</p><p> +Keep in mind the nature of how data must be share. Physical disk space layout should be considered +carefully. Some data must be backed up. 
The simpler the disk layout the easier it will be to +keep track of backed needs. Identify what back media will be meet needs, consider backup to tape +, CD-ROM or (DVD-ROM), or other off-line storage medium. Plan and implement for minimum +maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance: +Backup and test, validate every backup, create a disaster recovery plan and prove that it works. +</p><p> +Users should be grouped according to data access control needs. File and directory access +is best controlled via group permissions and the use of the "sticky bit" on group controlled +directories may substantially avoid file access complaints from samba share users. +</p><p> +Inexperienced network administrators often attempt elaborate techniques to set access +controls on files, directories, shares, as well as in share definitions. +Keep your design and implementation simple and document your design extensively. Have others +audit your documentation. Do not create a complex mess that your successor will not understand. +Remember, job security through complex design and implementation may cause loss of operations +and downtime to users as the new administrator learns to untangle your knots. Keep access +controls simple and effective and make sure that users will never be interrupted by stupid +complexity. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2955990"></a>Logon Scripts</h4></div></div><div></div></div><p> +Logon scripts can help to ensure that all users gain share and printer connections they need. +</p><p> +Logon scripts can be created 'on-the-fly' so that all commands executed are specific to the +rights and priviliges granted to the user. 
The preferred controls should be affected through +group membership so that group information can be used to custom create a logon script using +the <a class="indexterm" name="id2956012"></a><i class="parameter"><tt>root preexec</tt></i> parameters to the <i class="parameter"><tt>NETLOGON</tt></i> share. +</p><p> +Some sites prefer to use a tool such as <b class="command">kixstart</b> to establish a controlled +user environment. In any case you may wish to do a google search for logon script process controls. +In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that +deals with how to add printers without user intervention via the logon script process. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2956054"></a>Profile Migration/Creation</h4></div></div><div></div></div><p> +User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile +Management. +</p><p> +Profiles may also be managed using the Samba-3 tool <b class="command">profiles</b>. This tool allows +the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file +to be changed to the SID of the Samba-3 domain. +</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2956084"></a>User and Group Accounts</h4></div></div><div></div></div><p> +It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before +attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the +groups that are present on the MS Windows NT4 domain <span class="emphasis"><em>AND</em></span> to map these to +suitable Unix/Linux groups. By following this simple advice all user and group attributes +should migrate painlessly. 
+</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956108"></a>Steps In Migration Process</h3></div></div><div></div></div><p> +The approximate migration process is described below. +</p><div class="itemizedlist"><ul type="disc"><li><p> +You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated +</p></li><li><p> +Samba-3 set up as a DC with netlogon share, profile share, etc. Configure the <tt class="filename">smb.conf</tt> file +to fucntion as a BDC. ie: <i class="parameter"><tt>domain master = No</tt></i>. +</p></li></ul></div><div class="procedure"><p class="title"><b>Procedure 31.1. The Account Migration Process</b></p><ol type="1"><li><p>Create a BDC account for the samba server using NT Server Manager</p><ol type="a"><li><p>Samba must NOT be running</p></li></ol></li><li><p><b class="userinput"><tt>net rpc join -S <i class="replaceable"><tt>NT4PDC</tt></i> -w <i class="replaceable"><tt>DOMNAME</tt></i> -U Administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>net rpc vampire -S <i class="replaceable"><tt>NT4PDC</tt></i> -U administrator%<i class="replaceable"><tt>passwd</tt></i></tt></b></p></li><li><p><b class="userinput"><tt>pdbedit -L</tt></b></p><ol type="a"><li><p>Note - did the users migrate?</p></li></ol></li><li><p> + Now assign each of the UNIX groups to NT groups: + (Note: It may be useful to copy this text to a script called + <tt class="filename">initGroups.sh</tt>) + </p><pre class="programlisting"> +#!/bin/bash +#### Keep this as a shell script for future re-use + +# First assign well known domain global groups +net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins +net groupmap modify ntgroup="Domain Guests" unixgroup=nobody +net groupmap modify ntgroup="Domain Users" unixgroup=users + +# Now for our added domain global groups +net groupmap add ntgroup="Designers" unixgroup=designers type=d 
rid=3200 +net groupmap add ntgroup="Engineers" unixgroup=engineers type=d rid=3210 +net groupmap add ntgroup="QA Team" unixgroup=qateam type=d rid=3220 +</pre><p> + </p></li><li><p><b class="userinput"><tt>net groupmap list</tt></b></p><ol type="a"><li><p>Now check that all groups are recognised</p></li></ol></li></ol></div><p> +Now migrate all the profiles, then migrate all policy files. +</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2956323"></a>Migration Options</h2></div></div><div></div></div><p> +Sites that wish to migrate from MS Windows NT4 Domain Control to a Samba based solution +generally fit into three basic categories. +</p><div class="table"><a name="id2956338"></a><p class="title"><b>Table 31.1. The 3 Major Site Types</b></p><table summary="The 3 Major Site Types" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Number of Users</th><th align="justify">Description</th></tr></thead><tbody><tr><td align="left">< 50</td><td align="justify"><p>Want simple conversion with NO pain</p></td></tr><tr><td align="left">50 - 250</td><td align="justify"><p>Want new features, can manage some in-house complexity</p></td></tr><tr><td align="left">> 250</td><td align="justify"><p>Solution/Implementation MUST scale well, complex needs. Cross departmental decision process. Local expertise in most areas</p></td></tr></tbody></table></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956414"></a>Planning for Success</h3></div></div><div></div></div><p> +There are three basic choices for sites that intend to migrate from MS Windows NT4 +to Samba-3. 
+</p><div class="itemizedlist"><ul type="disc"><li><p> + Simple Conversion (total replacement) + </p></li><li><p> + Upgraded Conversion (could be one of integration) + </p></li><li><p> + Complete Redesign (completely new solution) + </p></li></ul></div><p> +Minimise down-stream problems by: +</p><div class="itemizedlist"><ul type="disc"><li><p> + Take sufficient time + </p></li><li><p> + Avoid Panic + </p></li><li><p> + Test ALL assumptions + </p></li><li><p> + Test full roll-out program, including workstation deployment + </p></li></ul></div><div class="table"><a name="id2956485"></a><p class="title"><b>Table 31.2. Nature of the Conversion Choices</b></p><table summary="Nature of the Conversion Choices" border="1"><colgroup><col align="justify"><col align="justify"><col align="justify"></colgroup><thead><tr><th align="justify">Simple</th><th align="justify">Upgraded</th><th align="justify">Redesign</th></tr></thead><tbody><tr><td align="justify"><p>Make use of minimal OS specific features</p></td><td align="justify"><p>Translate NT4 features to new host OS features</p></td><td align="justify"><p>Decide:</p></td></tr><tr><td align="justify"><p>Suck all accounts from NT4 into Samba-3</p></td><td align="justify"><p>Copy and improve:</p></td><td align="justify"><p>Authentication Regime (database location and access)</p></td></tr><tr><td align="justify"><p>Make least number of operational changes</p></td><td align="justify"><p>Make progressive improvements</p></td><td align="justify"><p>Desktop Management Methods</p></td></tr><tr><td align="justify"><p>Take least amount of time to migrate</p></td><td align="justify"><p>Minimise user impact</p></td><td align="justify"><p>Better Control of Desktops / Users</p></td></tr><tr><td align="justify"><p>Live versus Isolated Conversion</p></td><td align="justify"><p>Maximise functionality</p></td><td align="justify"><p>Identify Needs for: Manageability, Scalability, Security, Availability</p></td></tr><tr><td 
align="justify"><p>Integrate Samba-3 then migrate while users are active, then Change of control (ie: swap out)</p></td><td align="justify"><p>Take advantage of lower maintenance opportunity</p></td><td align="justify"><p></p></td></tr></tbody></table></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2956670"></a>Samba-3 Implementation Choices</h3></div></div><div></div></div><div class="variablelist"><dl><dt><span class="term">Authentication database/back end:</span></dt><dd><p> + Samba-3 can use an external authentication backend: + </p><p> + </p><div class="itemizedlist"><ul type="disc"><li><p>Winbind (external Samba or NT4/200x server)</p></li><li><p>External server could use Active Directory or NT4 Domain</p></li><li><p>Can use pam_mkhomedir.so to auto-create home dirs</p></li></ul></div><p> + </p><p> + Samba-3 can use a local authentication backend: + </p><div class="itemizedlist"><ul type="disc"><li><p>smbpasswd, tdbsam, ldapsam, mysqlsam</p></li></ul></div><p> + </p></dd><dt><span class="term">Access Control Points:</span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>On the Share itself - using Share ACLs</p></li><li><p>On the file system - using UNIX permissions on files and directories</p><p>Note: Can Enable Posix ACLs in file system also</p></li><li><p>Through Samba share parameters - Not recommended - except as last resort</p></li></ul></div></dd><dt><span class="term">Policies (migrate or create new ones):</span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Using Group Policy Editor (NT4)</p></li><li><p>- Watch out for Tattoo effect</p></li></ul></div></dd><dt><span class="term">User and Group Profiles:</span></dt><dd><p> + Platform specific so use platform tool to change from a Local to a Roaming profile + Can use new profiles tool to change SIDs (NTUser.DAT) + </p></dd><dt><span class="term">Logon Scripts:</span></dt><dd><p> + Know how they work + </p></dd><dt><span 
class="term">User and Group mapping to Unix/Linux:</span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>username map facility may be needed</p></li><li><p>Use 'net groupmap' to connect NT4 groups to Unix groups</p></li><li><p>Use pdbedit to set/change user configuration</p><p> + NOTE: When migrating to LDAP back, end it may be easier to dump initial + LDAP database to LDIF, then edit, then reload into LDAP + </p></li></ul></div></dd><dt><span class="term">OS specific scripts/programs may be needed:</span></dt><dd><div class="itemizedlist"><ul type="disc"><li><p>Add/Delete Users: Note OS limits on size of name + (Linux 8 chars) NT4 up to 254 chars</p></li><li><p>Add/Delete Machines: Applied only to domain members + (Note: Machine names may be limited to 16 characters)</p></li><li><p>Use 'net groupmap' to connect NT4 groups to Unix groups</p></li><li><p>Add/Delete Groups: Note OS limits on size and nature. + Linux limit is 16 char, no spaces and no upper case chars (groupadd)</p></li></ul></div></dd><dt><span class="term">Migration Tools:</span></dt><dd><p> + Domain Control (NT4 Style) Profiles, Policies, Access Controls, Security + </p><div class="itemizedlist"><ul type="disc"><li><p>Samba: net, rpcclient, smbpasswd, pdbedit, profiles</p></li><li><p>Windows: NT4 Domain User Manager, Server Manager (NEXUS)</p></li></ul></div><p> + </p></dd></dl></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrading-to-3.0.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="migration.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="SWAT.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 30. Upgrading from Samba-2.x to Samba-3.0.0 </td><td width="20%" align="center"><a accesskey="h" href="samba-doc.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 32. 
SWAT - The Samba Web Administration Tool</td></tr></table></div></body></html> |
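Review bot: the commands in Procedure 31.1, `net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd` and `net rpc vampire -S NT4PDC -U administrator%passwd`, put the NT4 Administrator password on the command line, where it is recorded in shell history and visible to other local users in the process list; the procedure should document that leaving off the `%passwd` part makes `net` prompt for the password instead. The same procedure says "Samba must NOT be running" only under step 1 (creating the BDC account in Server Manager); it would help to state whether that holds through the `net rpc join` and `net rpc vampire` steps as well. Minor prose typos in the hunk: "segmanet", "fucntion", "priviliges", "how data must be share", "keep track of backed needs", "what back media will be meet needs".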