summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/Samba-Guide/Chap08b-MigrateNW4Samba3.xml1174
1 files changed, 1173 insertions, 1 deletions
diff --git a/docs/Samba-Guide/Chap08b-MigrateNW4Samba3.xml b/docs/Samba-Guide/Chap08b-MigrateNW4Samba3.xml
index fa97121bb5..f4f9d1ae42 100644
--- a/docs/Samba-Guide/Chap08b-MigrateNW4Samba3.xml
+++ b/docs/Samba-Guide/Chap08b-MigrateNW4Samba3.xml
@@ -104,7 +104,7 @@
<title>Assignment Tasks</title>
<para>
- Kristal tells her own story in the following words:
+ Kristal's story sis encapsulated in this chapter.
</para>
<para>
@@ -138,6 +138,9 @@
</member>
</simplelist>
+ <para>
+ The new system has been operating for six months without problems.
+ </para>
</sect2>
</sect1>
@@ -187,6 +190,1175 @@
<para>
</para>
+ <para>
+ The following software must be installed on the SUSE Linux Enterprise Server to perform
+ this migration:
+ </para>
+
+ <simplelist>
+ <member><para>openldap2</para></member>
+ <member><para>openldap2-client</para></member>
+ <member><para>openldap2-devel (only for Samba compilation)</para></member>
+ <member><para>nss_ldap</para></member>
+ <member><para>smbldap-tools Version 0.8.7</para></member>
+ <member><para>perl-ldap</para></member>
+ <member><para>samba-3.0.12 or later</para></member>
+ <member><para>samba-client-3.0.12 or later</para></member>
+ <member><para>samba-winbind-3.0.12 or later</para></member>
+ </simplelist>
+
+ <para>
+ Each software application must be carefully configured in preparation for migration.
+ The configuration used at BabbleOrg are provided as a guide and should be modified
+ to meet needs at your site.
+ </para>
+
+ <sect3>
+ <title>LDAP Server Configuration</title>
+
+ <para>
+ The <filename>/etc/openldap/slapd.conf</filename> Kristal used is shown here:
+<screen>
+#/usr/local/etc/openldap/slapd.conf
+#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include /usr/local/etc/openldap/schema/core.schema
+include /usr/local/etc/openldap/schema/cosine.schema
+include /usr/local/etc/openldap/schema/inetorgperson.schema
+include /usr/local/etc/openldap/schema/nis.schema
+include /usr/local/etc/openldap/schema/samba.schema
+include /usr/local/etc/openldap/schema/dhcp.schema
+include /usr/local/etc/openldap/schema/misc.schema
+include /usr/local/etc/openldap/schema/idpool.schema
+include /usr/local/etc/openldap/schema/eduperson.schema
+include /usr/local/etc/openldap/schema/commURI.schema
+include /usr/local/etc/openldap/schema/local.schema
+include /usr/local/etc/openldap/schema/authldap.schema
+
+pidfile /var/run/slapd/run/slapd.pid
+argsfile /var/run/slapd/run/slapd.args
+
+replogfile /var/log/ldap/slapd.replog
+
+# Load dynamic backend modules:
+modulepath /usr/lib/openldap/modules
+
+#######################################################################
+# Logging parameters
+#######################################################################
+loglevel 256
+#######################################################################
+# SASL and TLS options
+#######################################################################
+sasl-host ldap.corp.borkholder.com
+sasl-realm DIGEST-MD5
+sasl-secprops none
+TLSCipherSuite HIGH:MEDIUM:+SSLV2
+TLSCertificateFile /usr/local/etc/openldap/bork-cert.pem
+TLSCertificateKeyFile /usr/local/etc/openldap/bork-key.pem
+password-hash {SSHA}
+defaultsearchbase "dc=borkholder,dc=com"
+
+#######################################################################
+# bdb database definitions
+#######################################################################
+database bdb
+suffix "dc=borkholder,dc=com"
+rootdn "cn=manager,dc=borkholder,dc=com"
+rootpw {SSHA}gdo/dUvoT4ZJmULz3rUt6A3H/hBEduJ5
+directory /var/lib/ldap/borkholder.com
+mode 0600
+# The following is for BDB to make it flush its data to disk every
+# 500 seconds or 5kb of data
+checkpoint 500 5
+
+## For running slapindex
+#readonly on
+
+## Indexes for often-requested attributes
+index objectClass eq
+index cn eq,sub
+index sn eq,sub
+index uid eq,sub
+index uidNumber eq
+index gidNumber eq
+index memberUID eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+cachesize 2000
+
+replica host=baa.corp.borkholder.com:389
+ suffix="dc=borkholder,dc=com"
+ binddn="cn=replica,dc=borkholder,dc=com"
+ credentials=verysecret
+ bindmethod=simple
+ tls=yes
+replica host=ns.borkholder.com:389
+ suffix="dc=borkholder,dc=com"
+ binddn="cn=replica,dc=borkholder,dc=com"
+ credentials=verysecret
+ bindmethod=simple
+ tls=yes
+
+#######################################################################
+# ACL section
+#######################################################################
+## MOST RESTRICTIVE RULES MUST GO FIRST!
+
+## Users can change their own passwords. Nobody else can read the password
+access to attrs=userPassword
+ by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,dc=borkholder,dc=com" write
+ by self write
+ by * auth
+
+## Home contact info restricted to the logged-in user
+access to attrs=hometelephoneNumber,homePostalAddress,mobileTelephoneNumber,pagerTelephoneNumber
+ by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,dc=borkholder,dc=com" write
+ by self write
+ by * none
+
+## Only admins can manage email aliases
+access to dn.sub="ou=Email Aliases,dc=borkholder,dc=com"
+ filter=(roleOccupant=*)
+ attrs=maildrop
+ by dnattr=roleOccupant write
+ by * read
+
+## Allow delegated management of certain aliases which are for mailman-style
+## mailing lists.
+access to dn.sub="ou=Email Aliases,dc=borkholder,dc=com"
+ by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,dc=borkholder,dc=com" write
+ by * read
+
+## Default to read-only access
+access to *
+ by dn.base="cn=replica,ou=people,ou=corp,dc=borkholder,dc=com" write
+ by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,dc=borkholder,dc=com" write
+ by * read
+access to attrs=namingcontexts
+ by anonymous read
+</screen>
+ </para>
+
+ <para>
+ The <filename>/etc/ldap.conf</filename> file used is listed here:
+<screen>
+# /etc/ldap.conf
+# This file is present on every *NIX client that authenticates to LDAP.
+# For me, most of the defaults are fine. There is an amazing amount of customization
+# that can be done – see the man page for info.
+
+# Your LDAP server. Must be resolvable without using LDAP.
+# The following is for the LDAP server – all others use the FQDN of the server
+URI ldap://127.0.0.1
+
+# The distinguished name of the search base.
+base ou=corp,dc=borkholder,dc=com
+
+# The LDAP version to use (defaults to 3
+# if supported by client library)
+ldap_version 3
+
+# The distinguished name to bind to the server with
+# if the effective user ID is root. Password is
+# stored in /etc/ldap.secret (mode 600)
+rootbinddn cn=Manager,dc=borkholder,dc=com
+
+# Filter to AND with uid=%s
+pam_filter objectclass=posixAccoun
+
+# The user ID attribute (defaults to uid)
+pam_login_attribute uid
+
+# Group member attribute
+pam_member_attribute memberUID
+
+# Use the OpenLDAP password change
+# extended operation to update the password.
+pam_password exop
+
+# OpenLDAP SSL mechanism
+# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
+ssl start_tls
+
+tls_cacertfile /etc/openldap/bork-cert.pem
+...
+</screen>
+ </para>
+
+ <para>
+ The Name Server Switch control file has the following contents:
+<screen>
+# /etc/nsswitch.conf
+# This file controls the resolve order for system databases.
+
+# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
+passwd: files ldap
+group: files ldap
+shadow: files ldap
+# The above are all that I store in LDAP at this point. There are possibilities to store
+# hosts, services, ethers, and lots of other things.
+</screen>
+ </para>
+
+ <para>
+ In my setup, users authenticate via PAM and NSS using LDAP-based accounts.
+ This works out of the box with the configuration files in this chapter. It
+ enables you to have no local accounts for users (it is highly advisable
+ to have a local account for the root user). Gotchas include:
+ </para>
+
+ <itemizedlist>
+ <listitem>
+ <para>
+ If your LDAP database goes down, nobody can authenticate except for root.
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ If failover is configured incorrectly weird behavior can occur. For example,
+ DNS failing to resolve.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <para>
+ I do have two LDAP slave servers configured. That subject is beyond the scope
+ of this document and steps for implementing it are well-documented.
+ </para>
+
+ <para>
+ The following services authenticate using LDAP:
+ <simplelist>
+ <member><para>UNIX login/ssh</para></member>
+ <member><para>Postfix (SMTP)</para></member>
+ <member><para>Courier-IMAP/IMAPS/POP3/POP3S</para></member>
+ </simplelist>
+ </para>
+
+ <para>
+ Company-wide White-Pages can be searched using a LDAP client
+ such as the one in the Windows Address Book.
+ </para>
+
+ <para>
+ Having gained a solid understanding of LDAP, and a relatively workable LDAP tree
+ thus far, it was time to configure Samba. I compiled the latest stable SAMBA and
+ also installed the latest <command>smbldap-tools</command> from
+ <ulink url="http://idealx.com">Idealx</ulink>.
+ </para>
+
+ <para>
+ The Samba &smb.conf; file was configured as shown here:
+<screen>
+# Global parameters
+[global]
+ workgroup = CORP
+ netbios name = CORPSRV
+ server string = Corp File Server
+ passdb backend = ldapsam:ldap://localhost
+ pam password change = Yes
+ username map = /usr/local/samba/lib/smbusers
+ log level = 5
+ log file = /data/samba/log/%m.log
+ name resolve order = bcast wins lmhosts host
+ time server = Yes
+ deadtime = 60
+ socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
+ printcap cache time = 60
+ printcap name = cups
+ show add printer wizard = No
+ add user script = /usr/local/sbin/smbldap-useradd -m "%u"
+ add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
+ add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
+ delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
+ set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
+ add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
+ logon script = logon.bat
+ logon path = \\%L\profiles\%U\%a
+ logon drive = H:
+ logon home = \\%L\%U
+ domain logons = Yes
+ os level = 100
+ preferred master = Yes
+ domain master = Yes
+ wins support = Yes
+ ldap admin dn = cn=Manager,dc=borkholder,dc=com
+ ldap group suffix = ou=Groups
+ ldap idmap suffix = ou=People
+ ldap machine suffix = ou=Computers
+ ldap passwd sync = Yes
+ ldap suffix = ou=CORP,dc=borkholder,dc=com
+ ldap ssl = no
+ ldap user suffix = ou=People
+ remote announce = 192.168.2.255/CORP
+ remote browse sync = 192.168.2.255
+ admin users = root, "@Domain Admins"
+ printer admin = "@Domain Admins"
+ force printername = Yes
+ preexec = /bin/echo %u at %m connected to //%L/%S on %T >>/tmp/smblog
+
+[netlogon]
+ comment = Network logon service
+ path = /data/samba/netlogon
+ write list = "@Domain Admins"
+ guest ok = Yes
+
+[profiles]
+ comment = Roaming Profile Share
+ path = /data/samba/profiles/
+ read only = No
+ profile acls = Yes
+ veto files = desktop.ini
+ browseable = No
+
+[homes]
+ comment = Home Directories
+ valid users = %S
+ read only = No
+ create mask = 0770
+ veto files = desktop.ini
+ hide files = desktop.ini
+ browseable = No
+
+[software]
+ comment = Software for %a computers
+ path = /data/samba/shares/software/%a
+ guest ok = Yes
+
+[public]
+ comment = Public Files
+ path = /data/samba/shares/public
+ read only = No
+ guest ok = Yes
+
+[PDF]
+ comment = Location of documents printed to PDFCreator printer
+ path = /data/samba/shares/pdf
+ guest ok = Yes
+
+[EVERYTHING]
+ comment = All shares
+ path = /data/samba
+ valid users = "@Domain Admins"
+ read only = No
+
+[CDROM]
+ comment = CD-ROM on CORPSRV
+ path = /mnt
+ guest ok = Yes
+
+[print$]
+ comment = Printer Drivers Share
+ path = /data/samba/drivers
+ write list = root
+ browseable = No
+
+[printers]
+ comment = All Printers
+ path = /data/samba/spool
+ create mask = 0644
+ printable = Yes
+ browseable = No
+
+[acct_hp8500]
+ comment = "Accounting Color Laser Printer"
+ path = /data/samba/spool/private
+ valid users = @acct, @acct_admin, @hr, "@Domain Admins", @Receptionist, dwayne, terri, danae, jerry
+ create mask = 0644
+ printable = Yes
+ copy = printers
+
+[plotter]
+ comment = Engineering Plotter
+ path = /data/samba/spool
+ create mask = 0644
+ printable = Yes
+ use client driver = Yes
+ copy = printers
+
+[APPS]
+ path = /data/samba/shares/Apps
+ force group = "Domain Users"
+ read only = No
+
+[ACCT]
+ path = /data/samba/shares/Accounting
+ valid users = @acct, "@Domain Admins"
+ force group = acct
+ read only = No
+ create mask = 0660
+ directory mask = 0770
+
+[ACCT_ADMIN]
+ path = /data/samba/shares/Acct_Admin
+ valid users = @”acct_admin”
+ force group = acct_admin
+
+[HR_PR]
+ path = /data/samba/shares/HR_PR
+ valid users = @hr, @acct_admin
+ force group = hr
+
+[ENGR]
+ path = /data/samba/shares/Engr
+ valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri
+ force group = engr
+ read only = No
+ create mask = 0770
+
+[DATA]
+ path = /data/samba/shares/DATA
+ valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri
+ force group = engr
+ read only = No
+ create mask = 0770
+ copy = engr
+
+[X]
+ path = /data/samba/shares/X
+ valid users = @engr, @acct
+ force group = engr
+ read only = No
+ create mask = 0770
+ copy = engr
+
+[NETWORK]
+ path = /data/samba/shares/network
+ valid users = "@Domain Users"
+ read only = No
+ create mask = 0770
+ guest ok = Yes
+
+[UTILS]
+ path = /data/samba/shares/Utils
+ write list = "@Domain Admins"
+
+[SYS]
+ path = /data/samba/shares/SYS
+ valid users = chad
+ read only = No
+ browseable = No
+</screen>
+ </para>
+
+ <para>
+ Most of these shares are only used by one company group, but they are required
+ because of some ancient Qbasic and Rbase applications were that written expecting
+ their own drive lettes.
+ </para>
+
+ <para>
+ One note: During the process of building the new server, I kept it up-to-date
+ with the Novell server via use of rsync. On a separate system (my workstation
+ in fact) which could be rebooted whenever necessary, I set up a mount point to the
+ Novell server via ncpmount. I then created a rsyncd.conf to share that mount point
+ out to my new server, and synchronized once an hour. The script I used to synchronize
+ is quite nice, so I will include it in an appendix. The reason I had to have the
+ rsync daemon running on a system which could be rebooted frequently is because ncpfs
+ has a nasty habit of creating stale mountpoints which cannot be recovered without
+ a reboot. The reason I only synchronized once an hour is because some part of the
+ chain was very slow and performance-heavy (whether rsync itself, the network, or
+ the Novell server I am not sure – probably the Novell server).
+ </para>
+
+ <para>
+ Anyway, after I had Samba configured, I had to put the information that was necessary
+ into the LDAP database. So the first thing I had to do was to store the LDAP password
+ in the Samba configuration by issuing the command (as root):
+<screen>
+&rootprompt; smbpasswd –-w verysecret
+</screen>
+ where “verysecret” is replaced by my LDAP bind password, of course.
+ </para>
+
+ <para>
+ Now Samba is good, I need to configure smbldap-tools. There are two relevant files,
+ which are usually put into /etc/smbldap-tools. The main one is smbldap.conf. Mine
+ is shown below:
+<screen>
+##############################################################################
+#
+# General Configuration
+#
+##############################################################################
+
+# Put your own SID
+# to obtain this number do: net getlocalsid
+SID="S-1-5-21-725326080-1709766072-2910717368"
+
+##############################################################################
+#
+# LDAP Configuration
+#
+##############################################################################
+
+# Notes: to use to dual ldap servers backend for Samba, you must patch
+# Samba with the dual-head patch from IDEALX. If not using this patch
+# just use the same server for slaveLDAP and masterLDAP.
+# Those two servers declarations can also be used when you have
+# . one master LDAP server where all writing operations must be done
+# . one slave LDAP server where all reading operations must be done
+# (typically a replication directory)
+
+# Ex: slaveLDAP=127.0.0.1
+slaveLDAP="127.0.0.1"
+slavePort="389"
+
+# Master LDAP : needed for write operations
+# Ex: masterLDAP=127.0.0.1
+masterLDAP="127.0.0.1"
+masterPort="389"
+
+# Use TLS for LDAP
+# If set to 1, this option will use start_tls for connection
+# (you should also used the port 389)
+ldapTLS="0"
+
+# How to verify the server's certificate (none, optional or require)
+# see "man Net::LDAP" in start_tls section for more details
+verify=""
+
+# CA certificate
+# see "man Net::LDAP" in start_tls section for more details
+cafile=""
+ certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientcert=""
+
+# key certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientkey=""
+
+# LDAP Suffix
+# Ex: suffix=dc=IDEALX,dc=ORG
+suffix="ou=CORP,dc=borkholder,dc=com"
+
+# Where are stored Users
+# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
+usersdn="ou=People,${suffix}"
+
+# Where are stored Computers
+# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
+computersdn="ou=Computers,${suffix}"
+
+# Where are stored Groups
+# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
+groupsdn="ou=Groups,${suffix}"
+# Where are stored Idmap entries (used if samba is a domain member server)
+# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
+idmapdn="ou=People,${suffix}"
+
+# Where to store next uidNumber and gidNumber available
+sambaUnixIdPooldn="ou=People,${suffix}"
+
+# Default scope Used
+scope="sub"
+
+# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
+hash_encrypt="SSHA"
+
+# if hash_encrypt is set to CRYPT, you may set a salt format.
+# default is "%s", but many systems will generate MD5 hashed
+# passwords if you use "$1$%.8s". This parameter is optional!
+crypt_salt_format="%s"
+##############################################################################
+#
+# Unix Accounts Configuration
+#
+##############################################################################
+
+# Login defs
+# Default Login Shell
+# Ex: userLoginShell="/bin/bash"
+userLoginShell="/bin/false"
+
+# Home directory
+# Ex: userHome="/home/%U"
+userHome="/home/%U"
+
+# Gecos
+userGecos="Samba User"
+
+# Default User (POSIX and Samba) GID
+defaultUserGid="513"
+
+# Default Computer (Samba) GID
+defaultComputerGid="515"
+
+# Skel dir
+skeletonDir="/etc/skel"
+
+# Default password validation time (time in days) Comment the next line if
+# you don't want password to be enable for defaultMaxPasswordAge days (be
+# careful to the sambaPwdMustChange attribute's value)
+defaultMaxPasswordAge="45"
+
+
+##############################################################################
+#
+# SAMBA Configuration
+#
+##############################################################################
+
+# The UNC path to home drives location (%U username substitution)
+# Ex: \\My-PDC-netbios-name\homes\%U
+# Just set it to a null string if you want to use the smb.conf 'logon home'
+# directive and/or disable roaming profiles
+userSmbHome=""
+
+# The UNC path to profiles locations (%U username substitution)
+# Ex: \\My-PDC-netbios-name\profiles\%U
+# Just set it to a null string if you want to use the smb.conf 'logon path'
+# directive and/or disable roaming profiles
+userProfile=""
+
+# The default Home Drive Letter mapping
+# (will be automatically mapped at logon time if home directory exist)
+# Ex: H: for H:
+userHomeDrive=""
+
+# The default user netlogon script name (%U username substitution)
+# if not used, will be automatically username.cmd
+# make sure script file is edited under dos
+# Ex: %U.cmd
+# userScript="startup.cmd" # make sure script file is edited under dos
+userScript=""
+
+# Domain appended to the users "mail"-attribute
+# when smbldap-useradd -M is used
+mailDomain="borkholder.com"
+
+##############################################################################
+#
+# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
+#
+##############################################################################
+# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
+# prefer Crypt::SmbHash library
+with_smbpasswd="0"
+smbpasswd="/usr/bin/smbpasswd"
+</screen>
+ </para>
+
+ <para>
+ NOTES: I chose not to take advantage of the TLS capability of this.
+ Eventually I may go back and tweak it. Also I chose not to take advantage
+ of the master/slave configuration as I heard horror stories that it was
+ unstable. My slave servers are replicas only, as it is.
+ </para>
+
+ <para>
+ The /etc/smbldap-tools/smbldap_bind.conf file is shown here:
+<screen>
+# smbldap_bind.conf
+# This file simply tells smbldap-tools how to bind to your LDAP server. It has to be
+# a DN with full write access to the Samba portion of the database.
+
+############################
+# Credential Configuration #
+############################
+# Notes: you can specify two differents configuration if you use a
+# master ldap for writing access and a slave ldap server for reading access
+# By default, we will use the same DN (so it will work for standard Samba
+# release)
+slaveDN="cn=Manager,dc=borkholder,dc=com"
+slavePw="verysecret"
+masterDN="cn=Manager,dc=borkholder,dc=com"
+masterPw="verysecret”
+</screen>
+ </para>
+
+ <para>
+ We can now run the “smbldap-populate” command which will populate our LDAP tree
+ with the appropriate default users, groups, and UID and GID pools. It will create
+ a user called Administrator with UID nf 0 and GID matching the Domain Admins group.
+ This is fine you can still log in a root to a Windows system, but it will break
+ cached credentials if you need to log in as the administrator to a system that
+ is not on the network for whatever reason. If smbldap-populate works, then you
+ will see the entries in your LDAP database. If not, look in your LDAP logs to see
+ what is wrong.
+ </para>
+
+ <para>
+ The next thing is to add group mappings to LDAP. The easiest way to do this is
+ to use “smbldap-groupadd” command. It will create the group with the posixGroup
+ and sambaGroupMapping attributes, a unique GID, and an automatically-determined
+ RID. I learned the hard way not to try to do this by hand.
+ </para>
+
+ <para>
+ After I had my group mappings in place, I added users to the groups (the users
+ don't really have to exist yet or have Samba information in their Dns yet). I used
+ the “smbldap-groupmod” command to accomplish this. It can also be done manually by
+ adding “memberUID” atttributes to the group entries in LDAP.
+ </para>
+
+ <para>
+ The most monumental task of all was adding the sambaSamAccount information to each
+ already-existent posixAccount entry. I did it one at a time as I moved people onto
+ the new server, by issuing the command “smbldap-usermod -a -P username” after asking
+ the person what their current Novell password was. The wiser way to have done it
+ would probably be to dump the entire database to an LDIF file (by using “slapcat &gt;
+ somefile.ldif” command, using a Perl script to parse and add the appropriate
+ attributes and objectClasses to each entry, and re-importing the entire database
+ from that file by shutting down the database, moving the physical database files
+ out of the way, and issuing the command “slapadd -l somefile.ldif”. This can be
+ done at any time and for any reason, with no harm to the database.
+ </para>
+
+ <para>
+ So first I added a test user, of course. The LDIF for this test user looks like
+ this, to give you an idea:
+<screen>
+# Entry 1: cn=Test User,ou=people,ou=corp,dc=borkholder,dc=com
+dn:cn=Test User,ou=people,ou=corp,dc=borkholder,dc=com
+cn: Test User
+gecos: Test User
+gidNumber: 513
+givenName: Test
+homeDirectory: /home/test.user
+homePhone: 555
+l: Somewhere
+l: ST
+mail: test.user
+o: Corp
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: sambaSamAccount
+postalCode: 12345
+sn: User
+street: 10 Some St.
+uid: test.user
+uidNumber: 1074
+sambaLogonTime: 0
+sambaLogoffTime: 2147483647
+sambaKickoffTime: 2147483647
+sambaPwdCanChange: 0
+displayName: Samba User
+sambaSID: S-1-5-21-725326080-1709766072-2910717368-3148
+sambaLMPassword: 9D29C287C58448F9AAD3B435B51404EE
+sambaAcctFlags: [U]
+sambaNTPassword: D062088E99C95E37D7702287BB35E770
+sambaPwdLastSet: 1102537694
+sambaPwdMustChange: 1106425694
+userPassword: {SSHA}UzFZ2VxRGdwUueLnTGtsTBtnsvMO1oj8
+loginShell: /bin/false
+</screen>
+ </para>
+
+ <para>
+ Then I went over to a spare Windows NT machine and joined it to the CORP domain.
+ It worked, and the machine's account entry under OU=COMPUTERS looks like this:
+<screen>
+dn:uid=w2kengrspare$,ou=Computers,ou=CORP,dc=borkholder,dc=com
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: sambaSamAccount
+cn: w2kengrspare$
+sn: w2kengrspare$
+uid: w2kengrspare$
+uidNumber: 1104
+gidNumber: 515
+homeDirectory: /dev/null
+loginShell: /bin/false
+description: Computer
+gecos: Computer
+sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208
+sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-2031
+displayName: W2KENGRSPARE$
+sambaPwdCanChange: 1103149236
+sambaPwdMustChange: 2147483647
+sambaNTPassword: CA199C45CB6737035DB6D9D9F6CD1834
+sambaPwdLastSet: 1103149236
+sambaAcctFlags: [W ]
+</screen>
+ </para>
+
+ <para>
+ So now I can log in with test.user from the machine w2kengrspare. It's all fine and
+ good, but that user is in no groups yet so has pretty boring access. We can fix that
+ by writing the login script! To write the login script, I used Kixtart
+ (http://www.kixtart.org). I used it because it will work with every architecture of
+ Windows, has an active and helpful user base, and was both easier to learn and more
+ powerful than the standard netlogon scripts I have seen. I also did not have to do a
+ logon script per user or per group.
+ </para>
+
+ <para>
+ I downloaded Kixtart and put the following files in my [netlogon] share:
+<screen>
+KIX32.EXE
+KX32.dll
+KX95.dll &lt;-- Not needed unless you are running Win9x clients.
+kx16.dll &lt;-- Probably not needed unless you are running DOS clients.
+kxrpc.exe &lt;-- Probably useless as it has to run on the server and can only be run on NT.
+ It's for Windows 95 to become group-aware. We can get around the need.
+</screen>
+ </para>
+
+ <para>
+ I then wrote the folloowing logon.kix file. I chose to keep it all in one file,
+ but it can be split up and linked via include directives.
+<screen>
+break on
+
+$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\Borkholder")
+IF NOT $RETURNCODE = 0
+; Add key for Borkholder-specific things on the first login
+ ADDKEY("HKEY_CURRENT_USER\Borkholder")
+ ; The following key gets deleted at the end of the first login
+ ADDKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN")
+ENDIF
+
+SETTITLE("Logging on @USERID to @LDOMAIN at @TIME")
+
+; Set the time on the workstation
+$Timeserver = "\\corpsrv"
+Settime $TimeServer
+
+
+; Make sure they don't get someone else's home directory
+USE H: /DELETE
+
+; We need the home directory set up for the rest of the script to work
+USE H: @HOMESHR ; connect to user's home share
+IF @ERROR = 0
+ H:
+ CD @HOMEDIR ; change directory to user's home directory
+ENDIF
+
+; People with laptops need My Documents to be in their profile. People with
+; desktops can have My Documents redirected to their home directory to avoid
+; long delays with logging out and out-of-sync files.
+; The way that profiles are stored (per architecture) is taken advantage of here.
+
+; Check to see if this is the first login -- doesn't make sense to do this
+; at the very first login
+
+$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN")
+IF NOT $RETURNCODE = 0
+
+ IF NOT INGROUP("CORPSRV\Laptop")
+ $RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\Borkholder\profile_copied")
+ IF NOT $RETURNCODE = 0
+ IF EXIST("\\corpsrv\profiles\@userID\WinXP")
+ copy "\\corpsrv\profiles\@userID\WinXP\My Documents\*" "\\corpsrv\@userID\"
+ ENDIF
+ IF EXIST("\\corpsrv\profiles\@userID\Win2K")
+ copy "\\corpsrv\profiles\@userID\Win2K\My Documents\*" "\\corpsrv\@userID\"
+ ENDIF
+ IF EXIST("\\corpsrv\profiles\@userID\WinNT")
+ copy "\\corpsrv\profiles\@userID\WinNT\My Documents\*" "\\corpsrv\@userID\"
+ ENDIF
+
+ ADDKEY("HKEY_CURRENT_USER\Borkholder\profile_copied")
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
+User Shell Folders", "Personal","\\corpsrv\@userID","REG_SZ")
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
+User Shell Folders", "My Pictures", "\\corpsrv\@userID\My Pictures", "REG_SZ")
+ IF @PRODUCTTYPE="Windows 2000 Professional" or @PRODUCTTYPE="Windows XP Professio
+nal"
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
+User Shell Folders", "My Videos", "\\corpsrv\@userID\My Videos", "REG_SZ")
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
+User Shell Folders", "My Music", "\\corpsrv\@userID\My Music", "REG_SZ")
+ WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
+User Shell Folders", "My eBooks", "\\corpsrv\@userID\My eBooks", "REG_SZ")
+ ENDIF
+ $SELECTION =MESSAGEBOX("Changes were made to your registry. You must now log out
+.Please save any open files and click OK", "Log Out Necessary", 0)
+ IF $SELECTION = 1
+ IF $SELECTION = 1
+ LOGOFF(Force)
+ ENDIF
+ ENDIF
+ ENDIF
+ENDIF
+
+IF INGROUP("CORP\Domain Admins")
+ USE Z: \\corpsrv\everything
+ SETCONSOLE("show")
+ELSE
+ ; Nobody cares about seeing the login script except admins
+ SETCONSOLE("hide")
+ENDIF
+
+
+IF INGROUP("CORPSRV\Acct_Admin","CORPSRV\HR")
+ USE I: \\CORP\HR_PR
+ ; Eventually ABRA mapping will be here
+ENDIF
+
+IF INGROUP("CORP\Acct")
+; Set up printer
+$RETURNVALUE = existkey("HKEY_CURRENT_USER\Printers\,,corpsrv,acct_hp8500")
+IF NOT $RETURNVALUE = 0
+ ADDPRINTERCONNECTION("\\corpsrv\acct_hp8500")
+ SETDEFAULTPRINTER("\\corpsrv\acct_hp8500")
+ENDIF
+; Set up drive mappings
+ USE M: \\corpsrv\ACCT
+
+ENDIF
+
+IF INGROUP("CORP\Engr","CORP\Truss","CORP\Receptionist")
+$RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\Printers\,,corpsrv,engr_hp1300")
+IF NOT $RETURNVALUE = 0
+ ADDPRINTERCONNECTION("\\corpsrv\engr_hp1300")
+ENDIF
+USE LPT3: "\\corpsrv\engr_legacy_printer"
+; Make sure the user can run MATLIST -- they need a .get file and it gets
+; created automatically if they don't have one (copied from one that works)
+ IF NOT EXIST("\\corpsrv\data\batch\paths\@USERID.get")
+ copy \\corpsrv\data\batch\paths\jenny.get \\corpsrv\data\batch\paths\@USERID.get
+ ENDIF
+
+; The program was written to use a variable that exists in Novell but not NT, so we set it here
+ SET "LINAME=@USERID"
+ ? "LINAME set to @USERID" ; for MATLIST program -- look in %L\DATA\BATCH\PATHS\username.get
+
+; Set up drive mappings here (X will go away eventually)
+ USE L: \\corpsrv\engr
+ USE G: \\corpsrv\apps
+ USE Q: \\corpsrv\data
+ USE U: \\corpsrv\utils
+ use X: \\corpsrv\X
+
+;SET "PATH=L:\ENGINEER\MATLST;u:;h:;g:\ifsapp\runtime;c:\orawin95\bin;%PATH%;"
+ENDIF
+
+IF INGROUP("CORP\Truss")
+ ; Don't set up a default printer, they choose which one they want
+ $RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\Printers\Connections\,,corpsrv,truss_hp4")
+ IF NOT $RETURNVALUE = 0
+ ADDPRINTERCONNECTION("\\corpsrv\truss_hp4")
+ ENDIF
+ $RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\Printers\Connections\,,corpsrv,truss_hp5n")
+ IF NOT $RETURNVALUE = 0
+ ADDPRINTERCONNECTION("\\corpsrv\truss_hp5n")
+ ENDIF
+ $RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\Printers\Connections\,,corpsrv,truss_hp4050")
+ IF NOT $RETURNVALUE = 0
+ ADDPRINTERCONNECTION("\\corpsrv\truss_hp4050")
+ ENDIF
+
+ENDIF
+
+; Everyone gets the N drive
+USE N: \\corpsrv\network
+
+$RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN")
+IF $RETURNVALUE = 0
+ DELKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN")
+ENDIF
+</screen>
+
+ <para>
+ As you can see in the script, I redirect the My Documents to the user's home
+ share if they are not in the “Laptop” group. I also add printers on a
+ group-by-group basis, and if applicable I setthe group printer. For this to
+ be effective, the print drivers must be installed on the Samba server in the
+ [print$] share. Ample documentation exists about how to do that so I did not
+ cover it.
+ </para>
+
+ <para>
+ I actually call this script via the logon.bat script in the [netlogon] directory:
+<screen>
+\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f
+</screen>
+ I only had to fully qualify the paths for Windows 9x, as Windows NT and
+ greater automatically add [NETLOGON] to the path.
+ </para>
+
+ <para>
+ Also of note for Win9x is that the drive mappings and printer setup will not
+ work because they rely on RPC. One merely has to put the appropriate settings
+ into the c:\autoexec.bat file or map the drives manually. One option would
+ be to check the OS as part of the Kixtart script, and if it is Win9x and if
+ it is the first login, copy a pre-made autoexec.bat to the C: drive. I only
+ have three such machines and one is going away in the very near future, so it
+ was easier to do it by hand.
+ </para>
+
+ <para>
+ At this point I was able to add the users. This is the part that really falls
+ into “upgrade. I moved the users over one group at a time, starting with the
+ people who used the least amount of resources on the network. With each group
+ that I moved, I first logged in as a “standard” user in that group and took
+ careful note of their environment, mainly the printers they used, their PATH,
+ and what network resources they had access to (most importantly which ones
+ they actually needed access to).
+ </para>
+
+ <para>
+ I would then add the user's SambaSamAccount information as mentioned earlier,
+ and join the computer to the domain. The very first thing I had to do was to
+ copy the user's profile to the new server. This was very important, and I really
+ struggled with the most effective way to do it. Here is the method that worked
+ for every one of my users on Windows NT, 2000, and XP:
+ </para>
+
+ <procedure>
+ <step><para>
+ Log in as the user on the domain. This creates the local copy
+ of the user's profile and copies it to the server as they log out.
+ </para></step>
+
+ <step><para>
+ Reboot the computer and log in as the LOCAL administrator.
+ </para></step>
+
+ <step><para>
+ Right-click My Computer, click Properties, and navigate to the
+ appropriate tab which perttains to user profiles (varies per
+ version of Windows).
+ </para></step>
+
+ <step><para>
+ Select the user's LOCAL profile (COMPUTERNAME\username), and
+ click the “Copy To” button.
+ </para></step>
+
+ <step><para>
+ In the next dialog, copy it to“C:\Documents and Settings\username.DOMAIN
+ (could be username.000, username.001, it seems to depend with no rhyme
+ or reason. If unsure, use Windows Explorer to view the permissions on
+ the directories. This one will be owned by DOMAIN\user) or in the case
+ of Windows NT, C:\WINNT\PROFILES\user.DOMAIN. In the very rare case
+ that such a directory was notcreated (this happened two times out of
+ about 60), copy it directly to the domain share
+ (\\PDCname\profiles\user\&lt;architecture&gt; in my case) where profiles are
+ stored. You will have to have made a connection to the share as that
+ user already (in Windows Explorer type \\PDCname\profiles\username or
+ the appropriate thing for your setup, and when prompted for a
+ username/password use the one of the user whose profile you are copying).
+ </para></step>
+
+ <step><para>
+ When the copy is complete (it can take a while) log out, and log back in
+ as the user. All his/her settings and all contents of My Documents,
+ Favorites, and the registry should have been copied successfully.
+ </para></step>
+
+ <step><para>
+ If it doesn't look right (the dead giveaway is the desktop background)
+ shut down the computer without logging out (powercycle) and try logging
+ in as the user again. If it still doesn't work, repeat the steps above.
+ I only had to ever repeat it once.
+ </para></step>
+
+ </procedure>
+
+ <para>
+ WORDS TO THE WISE:
+ </para>
+
+ <itemizedlist>
+ <listitem><para>
+ If the user was anything other than a standard user on his/her system
+ before, you will save yourself some headaches by giving them identical
+ permissions (on the local machine) as their domain account, BEFORE
+ copying their profile over. Do this through the User Administrator
+ in the Control Panel, after joining the computer to the domain and
+ before logging as that user for the first time. Otherwise they will
+ have trouble with permissions on their registry keys.
+ </para></listitem>
+
+ <listitem><para>
+ If any application was installed for the user only, rather than for
+ the entire system, it will probably not work without being reinstalled.
+ </para></listitem>
+ </itemizedlist>
+
+ <para>
+ After all these steps are accomplished, only cleanup details are left. Make sure user's
+ shortcuts and “Network Places” point to the appropriate place on the new server, check
+ the important applications to be sure they work as expected and troubleshoot any problems
+ that might arise, check to be sure the user's printers are present and working. By the
+ way, if there are any network printers installed as system printers (the Novell way)
+ you will need to log in as a local administrator and delete them.
+ </para>
+
+ <para>
+ For my non-laptop systems, I would then log in and out a couple times as the user,
+ to be sure that their registry settings were modified, then I was finished.
+ </para>
+
+ <para>
+ Some compatibility issues that cropped up included:
+ </para>
+
+ <para>
+ Blackberry client – It did not like having its registry settings moved around,
+ and had to be reinstalled. Also it needed write permissions to a portion of
+ the hard drive, and I had to give it those manually on the one system where
+ this was an issue.
+ </para>
+ CAMedia digital camera software for Canon cameras I had all kinds of trouble
+ with the registry. I had to use the “Runas” service to open the registry of
+ the local user while logged in as the domain user, and give the domain user
+ the appropriate permissions to some registry keys, then export that portion
+ of the registry to a file. Then as the domain user I had to import that file
+ into the registry.
+ </para>
+
+ <para>
+ Crystal Reports version 7 More registry problems that were solved by re-copying
+ the user's profile.
+ </para>
+
+ <para>
+ Printing from legacy applications I found out that Novell sent its jobs to
+ the printer in a raw format. CUPS sends them in Postscript by default. I had
+ to make a second printer definition forone printer and tell CUPS specifically
+ to send raw data to the printer, and assign this printer to the LPT port with
+ Kixtart's version of the “net use” command.
+ </para>
+
+ <para>
+ These were all eventually solved by elbow grease, queries to the Samba mailing
+ list and others, and diligence. I started transferring users to the new server
+ just before Thanksgiving, and by Decembe 29 I had every user transferred over.
+ My userbase is relatively small, but includes multiple versions of Windows,
+ multiple Linux member servers, a mechanized saw, a pen plotter, and legacy
+ applications written in Qbasic and R:Base, just to name a few. I actually
+ ended up making some of these applications work better (or work again, as
+ some of them had stopped functioning on the oldserver) because as part of
+ the process I had to find out how things were supposed to work.
+ </para>
+
+ <para>
+ The one thing I have not been able to get working is a very old database that
+ we had around for reference purposes which uses Novell's Btrieve engine.
+ </para>
+
+ <para>
+ As the resources compare, I went from 95% disk usage to just around 10%.
+ I went from a very high load on the server to an average load of between 1
+ and 2 runnable processes on the server. I have improved the security and
+ robustness of the system. I have also implemented ClamAV Autivirus
+ (http://www.clamav.net) which scans the entire Samba server for viruses
+ every two hours and quarantines them. I have found it much less problematic
+ than our ancient version of Norton Antivirus Corporate Edition, and much
+ ore up-to-date.
+ </para>
+
+ <para>
+ In short, my users are much happier with the new server, and I was told
+ several times that the transition was amazingly smooth
+ </para>
+
+ </sect3>
+
</sect2>
</sect1>