summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--docs/docbook/projdoc/AdvancedNetworkAdmin.sgml15
-rw-r--r--docs/docbook/projdoc/NT4Migration.sgml233
-rw-r--r--docs/docbook/projdoc/passdb.sgml33
3 files changed, 248 insertions, 33 deletions
diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml
index 138095e02c..dc2a78f5a6 100644
--- a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml
+++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml
@@ -269,8 +269,23 @@ Those wishing to use more elaborate or capable logon processing system should ch
<simplelist>
<member>http://www.craigelachie.org/rhacer/ntlogon</member>
<member>http://www.kixtart.org</member>
+ <member>http://support.microsoft.com/default.asp?scid=kb;en-us;189105</member>
</simplelist>
+<sect2>
+<title>Adding printers without user intervention</title>
+
+<para>
+Printers may be added automatically during logon script processing through the use of:
+
+<programlisting>
+ rundll32 printui.dll,PrintUIEntry /?
+</programlisting>
+
+See the documentation in the Microsoft knowledgebase article no: 189105 referred to above.
+</para>
+</sect2>
+
</sect1>
</chapter>
diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml
index 3640c78942..6e40709081 100644
--- a/docs/docbook/projdoc/NT4Migration.sgml
+++ b/docs/docbook/projdoc/NT4Migration.sgml
@@ -74,70 +74,253 @@ MS Windows 2000 and beyond (with or without Active Directory services).
</para>
<para>
-What are the features the Samba-3 can NOT provide?
+What are the features that Samba-3 can NOT provide?
</para>
-<simplelist>
- <member>Active Directory Server</member>
- <member>Group Policy Objects (in Active Direcrtory)</member>
- <member>Machine Policy objects</member>
- <member>Logon Scripts in Active Directorty</member>
- <member>Software Application and Access Controls in Active Directory</member>
-</simplelist>
+<itemizedlist>
+<listitem>
+ <para>Active Directory Server<para>
+</listitem>
+<listitem>
+ <para>Group Policy Objects (in Active Direcrtory)<para>
+</listitem>
+<listitem>
+ <para>Machine Policy objects<para>
+</listitem>
+<listitem>
+ <para>Logon Scripts in Active Directorty<para>
+</listitem>
+<listitem>
+ <para>Software Application and Access Controls in Active Directory<para>
+</listitem>
+</itemizedlist>
+
+<para>
+The features that Samba-3 DOES provide and that may be of compelling interest to your site
+includes:
+</para>
+
+<itemizedlist>
+<listitem>
+ <para>Lower Cost of Ownership</para>
+</listitem>
+<listitem>
+ <para>Global availability of support with no strings attached</para>
+</listitem>
+<listitem>
+ <para>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</para>
+</listitem>
+<listitem>
+ <para>Creation of on-the-fly logon scripts</para>
+</listitem>
+<listitem>
+ <para>Creation of on-the-fly Policy Files</para>
+</listitem>
+<listitem>
+ <para>Greater Stability, Reliability, Performance and Availability</para>
+</listitem>
+<listitem>
+ <para>Manageability via an ssh connection</para>
+</listitem>
+<listitem>
+ <para>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</para>
+</listitem>
+<listitem>
+ <para>Ability to implement a full single-signon architecture</para>
+</listitem>
+<listitem>
+ <para>Ability to distribute authentication systems for absolute minimum wide are network bandwidth demand</para>
+</listitem>
+</itemizedlist>
+
+<para>
+Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are
+considered. Users should be educated about changes they may experience so that the change will be a
+welcome one and not become an obstacle to the work they need to do. The following are some of the
+factors that will go into a successful migration:
+</para>
+
+<sect3>
+<title>Domain Layout</title>
+
+<para>
+Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called
+a secondary controller), a domain member, or as a stand-alone server. The Windows network security
+domain context should be sized and scoped before implementation. Particular attention needs to be
+paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs).
+It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one
+chooses to use an LDAP authentication backend then the same database can be used by several different
+domains. This means that in a complex organisation there can be a single LDAP database, that itself
+can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed).
+</para>
+
+<para>
+It is recommended that from a design perspective, the number of users per server, as well as the number
+of servers, per domain should be scaled according to needs and should also consider server capacity
+and network bandwidth.
+</para>
+
+<para>
+A physical network segment may house several domains, each of which may span multiple network segments.
+Where domains span routed network segments it is most advisable to consider and test the performance
+implications of the design and layout of a network. A Centrally located domain controller that is being
+designed to server mulitple route network segments may result in severe performance problems if the
+response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations
+where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as
+the local authentication and access control server.
+</para>
+</sect3>
+
+<sect3>
+<title>Server Share and Directory Layout</title>
+
+<para>
+There are few cardinal rules to effective network design that can be broken with impunity.
+The most important rule of effective network management is that simplicity is king in every
+well controlled network. Every part of the infrastructure must be managed, the more complex
+it is, the greater will be the demand of keeping systems secure and functional.
+</para>
+
+<para>
+The nature of the data that must be stored needs to be born in mind when deciding how many
+shares must be created. The physical disk space layout should also be taken into account
+when designing where share points will be created. Keep in mind that all data needs to be
+backed up, thus the simpler the disk layout the easier it will be to keep track of what must
+be backed up to tape or other off-line storage medium. Always plan and implement for minimum
+maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance:
+Backup and test, validate every backup, create a disaster recovery plan and prove that it works.
+</para>
+
+<para>
+Users should be grouped according to data access control needs. File and directory access
+is best controlled via group permissions and the use of the "sticky bit" on group controlled
+directories may substantially avoid file access complaints from samba share users.
+</para>
+
+<para>
+Many network administrators who are new to the game will attempt to use elaborate techniques
+to set access controls, on files, directories, shares, as well as in share definitions.
+There is the ever present danger that that administrator's successor will not understand the
+complex mess that has been inherited. Remember, apparent job security through complex design
+and implementation may ultimately cause loss of operations and downtime to users as the new
+administrator learns to untangle your web. Keep access controls simple and effective and
+make sure that users will never be interrupted by the stupidity of complexity.
+</para>
+</sect3>
+
+<sect3>
+<title>Logon Scripts</title>
+
+<para>
+Please refer to the section of this document on Advanced Network Adminsitration for information
+regarding the network logon script options for Samba-3. Logon scripts can help to ensure that
+all users gain share and printer connections they need.
+</para>
+
+<para>
+Logon scripts can be created on-the-fly so that all commands executed are specific to the
+rights and privilidges granted to the user. The preferred controls should be affected through
+group membership so that group information can be used to custom create a logong script using
+the <filename>root preexec</filename> parameters to the <filename>NETLOGON</filename> share.
+</para>
+
+<para>
+Some sites prefer to use a tool such as <filename>kixstart</filename> to establish a controlled
+user environment. In any case you may wish to do a google search for logon script process controls.
+In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that
+deals with how to add printers without user intervention via the logon script process.
+</para>
+</sect3>
+
+<sect3>
+<title>Profile Migration/Creation</title>
+
+<para>
+User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile
+Management.
+</para>
+
+<para>
+Profiles may also be managed using the Samba-3 tool <filename>profiles</filename>. This tool allows
+the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file
+to be changed to the SID of the Samba-3 domain.
+</para>
+</sect3>
+
+<sect3>
+<title>User and Group Accounts</title>
+
+<para>
+It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before
+ attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the
+groups that are present on the MS Windows NT4 domain <ephasis>AND</emphasis> to connect these to
+suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes
+should migrate painlessly.
+</para>
+</sect3>
</sect2>
+
<sect2>
<title>Steps In Migration Process</title>
<para>
This is not a definitive ste-by-step process yet - just a place holder so the info
is not lost.
+</para>
-1. You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
+<itemizedlist>
+<listitem><para>
+You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
+</para></listitem>
-2. Samba-3 set up as a DC with netlogon share, profile share, etc.
+<listitem><para>
+Samba-3 set up as a DC with netlogon share, profile share, etc.
+</para></listitem>
+</itemizedlist>
-3. Process:
- a. Create a BDC account for the samba server using NT Server Manager
+<para><programlisting>
+Process:
+ Create a BDC account for the samba server using NT Server Manager
- Samba must NOT be running
- b. rpcclient NT4PDC -U Administrator%passwd
+ rpcclient NT4PDC -U Administrator%passwd
lsaquery
Note the SID returned by step b.
- c. net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd
+ net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd
Note the SID in step c.
- d. net getlocalsid
+ net getlocalsid
Note the SID, now check that all three SIDS reported are the same!
- e. net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd
+ net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd
- f. net rpc vampire -S NT4PDC -U administrator%passwd
+ net rpc vampire -S NT4PDC -U administrator%passwd
- g. pdbedit -l
+ pdbedit -l
Note - did the users migrate?
- h. initGrps.sh DOMNAME
+ initGrps.sh DOMNAME
- i. smbgroupedit -v
+ smbgroupedit -v
Now check that all groups are recognised
- j. net rpc campire -S NT4PDC -U administrator%passwd
+ net rpc campire -S NT4PDC -U administrator%passwd
- k. pdbedit -lv
+ pdbedit -lv
Note - check that all group membership has been migrated.
+</programlisting></para>
-
+<para>
Now it is time to migrate all the profiles, then migrate all policy files.
-
-Moe later.
+More later.
</para>
</sect2>
diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml
index 0de0376df8..776c79f095 100644
--- a/docs/docbook/projdoc/passdb.sgml
+++ b/docs/docbook/projdoc/passdb.sgml
@@ -341,8 +341,9 @@ include:
<para>
The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
versions of these libraries can be obtained from PADL Software
-(<ulink url="http://www.padl.com/">http://www.padl.com/</ulink>). However,
-the details of configuring these packages are beyond the scope of this document.
+(<ulink url="http://www.padl.com/">http://www.padl.com/</ulink>). More
+information about the configuration of these packages may be found at "LDAP,
+System Administration; Gerald Carter, O'Reilly; Chapter 6: Replacing NIS".
</para>
</sect2>
@@ -375,7 +376,7 @@ Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in
</para>
<para><programlisting>
-objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
+objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top AUXILIARY
DESC 'Samba Account'
MUST ( uid $ rid )
MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
@@ -476,6 +477,11 @@ index rid eq
##index gidNumber eq
##index cn eq
##index memberUid eq
+
+# (both fetched via ldapsearch):
+index primaryGroupID eq
+index displayName pres,eq
+
</programlisting></para>
</sect3>
@@ -485,16 +491,20 @@ index rid eq
<para>
The following parameters are available in smb.conf only with <parameter>--with-ldapsam</parameter>
-was included with compiling Samba.
+was included when compiling Samba.
</para>
<itemizedlist>
+ <listitem><para><ulink url="smb.conf.5.html#PASSDBBACKEND">passdb backend [ldapsam|ldapsam_nua]:url</ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#LDAPSSL">ldap ssl</ulink></para></listitem>
- <listitem><para><ulink url="smb.conf.5.html#LDAPSERVER">ldap server</ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#LDAPADMINDN">ldap admin dn</ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#LDAPSUFFIX">ldap suffix</ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#LDAPFILTER">ldap filter</ulink></para></listitem>
<listitem><para><ulink url="smb.conf.5.html#LDAPPORT">ldap port</ulink></para></listitem>
+ <listitem><para><ulink url="smb.conf.5.html#LDAPMACHINSUFFIX">ldap machine suffix</ulink></para></listitem>
+ <listitem><para><ulink url="smb.conf.5.html#LDAPUSERSUFFIX">ldap user suffix</ulink></para></listitem>
+ <listitem><para><ulink url="smb.conf.5.html#LDAPDELETEDN">ldap delete dn</ulink></para></listitem>
+
</itemizedlist>
<para>
@@ -521,13 +531,20 @@ use with an LDAP directory could appear as
# changes, this password will need to be reset.
ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org"
- # specify the LDAP server's hostname (defaults to locahost)
- ldap server = ahab.samba.org
-
# Define the SSL option when connecting to the directory
# ('off', 'start tls', or 'on' (default))
ldap ssl = start tls
+ passdb backend ldapsam:ldap://ahab.samba.org
+
+ # smbpasswd -x delete the entire dn-entry
+ ldap delete dn = no
+
+ # the machine and user suffix added to the base suffix
+ # wrote WITHOUT quotes. NULL siffixes by default
+ ldap user suffix = ou=People
+ ldap machine suffix = ou=Systems
+
# define the port to use in the LDAP session (defaults to 636 when
# "ldap ssl = on")
ldap port = 389