-rw-r--r--  docs/docbook/projdoc/AdvancedNetworkAdmin.sgml |  15
-rw-r--r--  docs/docbook/projdoc/NT4Migration.sgml         | 233
-rw-r--r--  docs/docbook/projdoc/passdb.sgml               |  33
3 files changed, 248 insertions, 33 deletions
diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml index 138095e02c..dc2a78f5a6 100644 --- a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml +++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml @@ -269,8 +269,23 @@ Those wishing to use more elaborate or capable logon processing system should ch <simplelist> <member>http://www.craigelachie.org/rhacer/ntlogon</member> <member>http://www.kixtart.org</member> + <member>http://support.microsoft.com/default.asp?scid=kb;en-us;189105</member> </simplelist> +<sect2> +<title>Adding printers without user intervention</title> + +<para> +Printers may be added automatically during logon script processing through the use of: + +<programlisting> + rundll32 printui.dll,PrintUIEntry /? +</programlisting> + +See the documentation in the Microsoft knowledgebase article no: 189105 referred to above. +</para> +</sect2> + </sect1> </chapter> diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 3640c78942..6e40709081 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml 
@@ -74,70 +74,253 @@ MS Windows 2000 and beyond (with or without Active Directory services). </para> <para> -What are the features the Samba-3 can NOT provide? +What are the features that Samba-3 can NOT provide? </para> -<simplelist> - <member>Active Directory Server</member> - <member>Group Policy Objects (in Active Direcrtory)</member> - <member>Machine Policy objects</member> - <member>Logon Scripts in Active Directorty</member> - <member>Software Application and Access Controls in Active Directory</member> -</simplelist> +<itemizedlist> +<listitem> + <para>Active Directory Server<para> +</listitem> +<listitem> + <para>Group Policy Objects (in Active Direcrtory)<para> +</listitem> +<listitem> + <para>Machine Policy objects<para> +</listitem> +<listitem> + <para>Logon Scripts in Active Directorty<para> +</listitem> +<listitem> + <para>Software Application and Access Controls in Active Directory<para> +</listitem> +</itemizedlist> + +<para> +The features that Samba-3 DOES provide and that may be of compelling interest to your site +includes: +</para> + +<itemizedlist> +<listitem> + <para>Lower Cost of Ownership</para> +</listitem> +<listitem> + <para>Global availability of support with no strings attached</para> +</listitem> +<listitem> + <para>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</para> +</listitem> +<listitem> + <para>Creation of on-the-fly logon scripts</para> +</listitem> +<listitem> + <para>Creation of on-the-fly Policy Files</para> +</listitem> +<listitem> + <para>Greater Stability, Reliability, Performance and Availability</para> +</listitem> +<listitem> + <para>Manageability via an ssh connection</para> +</listitem> +<listitem> + <para>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</para> +</listitem> +<listitem> + <para>Ability to implement a full single-signon architecture</para> +</listitem> +<listitem> + <para>Ability to distribute authentication systems for absolute minimum 
wide are network bandwidth demand</para> +</listitem> +</itemizedlist> + +<para> +Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are +considered. Users should be educated about changes they may experience so that the change will be a +welcome one and not become an obstacle to the work they need to do. The following are some of the +factors that will go into a successful migration: +</para> + +<sect3> +<title>Domain Layout</title> + +<para> +Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called +a secondary controller), a domain member, or as a stand-alone server. The Windows network security +domain context should be sized and scoped before implementation. Particular attention needs to be +paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs). +It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one +chooses to use an LDAP authentication backend then the same database can be used by several different +domains. This means that in a complex organisation there can be a single LDAP database, that itself +can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed). +</para> + +<para> +It is recommended that from a design perspective, the number of users per server, as well as the number +of servers, per domain should be scaled according to needs and should also consider server capacity +and network bandwidth. +</para> + +<para> +A physical network segment may house several domains, each of which may span multiple network segments. +Where domains span routed network segments it is most advisable to consider and test the performance +implications of the design and layout of a network. 
A Centrally located domain controller that is being +designed to server mulitple route network segments may result in severe performance problems if the +response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations +where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as +the local authentication and access control server. +</para> +</sect3> + +<sect3> +<title>Server Share and Directory Layout</title> + +<para> +There are few cardinal rules to effective network design that can be broken with impunity. +The most important rule of effective network management is that simplicity is king in every +well controlled network. Every part of the infrastructure must be managed, the more complex +it is, the greater will be the demand of keeping systems secure and functional. +</para> + +<para> +The nature of the data that must be stored needs to be born in mind when deciding how many +shares must be created. The physical disk space layout should also be taken into account +when designing where share points will be created. Keep in mind that all data needs to be +backed up, thus the simpler the disk layout the easier it will be to keep track of what must +be backed up to tape or other off-line storage medium. Always plan and implement for minimum +maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance: +Backup and test, validate every backup, create a disaster recovery plan and prove that it works. +</para> + +<para> +Users should be grouped according to data access control needs. File and directory access +is best controlled via group permissions and the use of the "sticky bit" on group controlled +directories may substantially avoid file access complaints from samba share users. 
+</para> + +<para> +Many network administrators who are new to the game will attempt to use elaborate techniques +to set access controls, on files, directories, shares, as well as in share definitions. +There is the ever present danger that that administrator's successor will not understand the +complex mess that has been inherited. Remember, apparent job security through complex design +and implementation may ultimately cause loss of operations and downtime to users as the new +administrator learns to untangle your web. Keep access controls simple and effective and +make sure that users will never be interrupted by the stupidity of complexity. +</para> +</sect3> + +<sect3> +<title>Logon Scripts</title> + +<para> +Please refer to the section of this document on Advanced Network Adminsitration for information +regarding the network logon script options for Samba-3. Logon scripts can help to ensure that +all users gain share and printer connections they need. +</para> + +<para> +Logon scripts can be created on-the-fly so that all commands executed are specific to the +rights and privilidges granted to the user. The preferred controls should be affected through +group membership so that group information can be used to custom create a logong script using +the <filename>root preexec</filename> parameters to the <filename>NETLOGON</filename> share. +</para> + +<para> +Some sites prefer to use a tool such as <filename>kixstart</filename> to establish a controlled +user environment. In any case you may wish to do a google search for logon script process controls. +In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that +deals with how to add printers without user intervention via the logon script process. +</para> +</sect3> + +<sect3> +<title>Profile Migration/Creation</title> + +<para> +User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile +Management. 
+</para> + +<para> +Profiles may also be managed using the Samba-3 tool <filename>profiles</filename>. This tool allows +the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file +to be changed to the SID of the Samba-3 domain. +</para> +</sect3> + +<sect3> +<title>User and Group Accounts</title> + +<para> +It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before + attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the +groups that are present on the MS Windows NT4 domain <ephasis>AND</emphasis> to connect these to +suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes +should migrate painlessly. +</para> +</sect3> </sect2> + <sect2> <title>Steps In Migration Process</title> <para> This is not a definitive ste-by-step process yet - just a place holder so the info is not lost. +</para> -1. You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated +<itemizedlist> +<listitem><para> +You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated +</para></listitem> -2. Samba-3 set up as a DC with netlogon share, profile share, etc. +<listitem><para> +Samba-3 set up as a DC with netlogon share, profile share, etc. +</para></listitem> +</itemizedlist> -3. Process: - a. Create a BDC account for the samba server using NT Server Manager +<para><programlisting> +Process: + Create a BDC account for the samba server using NT Server Manager - Samba must NOT be running - b. rpcclient NT4PDC -U Administrator%passwd + rpcclient NT4PDC -U Administrator%passwd lsaquery Note the SID returned by step b. - c. net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd + net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd Note the SID in step c. - d. net getlocalsid + net getlocalsid Note the SID, now check that all three SIDS reported are the same! - e. 
net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd + net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd - f. net rpc vampire -S NT4PDC -U administrator%passwd + net rpc vampire -S NT4PDC -U administrator%passwd - g. pdbedit -l + pdbedit -l Note - did the users migrate? - h. initGrps.sh DOMNAME + initGrps.sh DOMNAME - i. smbgroupedit -v + smbgroupedit -v Now check that all groups are recognised - j. net rpc campire -S NT4PDC -U administrator%passwd + net rpc campire -S NT4PDC -U administrator%passwd - k. pdbedit -lv + pdbedit -lv Note - check that all group membership has been migrated. +</programlisting></para> - +<para> Now it is time to migrate all the profiles, then migrate all policy files. - -Moe later. +More later. </para> </sect2> diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index 0de0376df8..776c79f095 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml @@ -341,8 +341,9 @@ include: <para> The second item can be accomplished by using LDAP NSS and PAM modules. LGPL versions of these libraries can be obtained from PADL Software -(<ulink url="http://www.padl.com/">http://www.padl.com/</ulink>). However, -the details of configuring these packages are beyond the scope of this document. +(<ulink url="http://www.padl.com/">http://www.padl.com/</ulink>). More +information about the configuration of these packages may be found at "LDAP, +System Administration; Gerald Carter, O'Reilly; Chapter 6: Replacing NIS". </para> </sect2> @@ -375,7 +376,7 @@ Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in </para> <para><programlisting> -objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL +objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top AUXILIARY DESC 'Samba Account' MUST ( uid $ rid ) MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ 
@@ -476,6 +477,11 @@ index rid eq ##index gidNumber eq ##index cn eq ##index memberUid eq + +# (both fetched via ldapsearch): +index primaryGroupID eq +index displayName pres,eq + </programlisting></para> </sect3> @@ -485,16 +491,20 @@ index rid eq <para> The following parameters are available in smb.conf only with <parameter>--with-ldapsam</parameter> -was included with compiling Samba. +was included when compiling Samba. </para> <itemizedlist> + <listitem><para><ulink url="smb.conf.5.html#PASSDBBACKEND">passdb backend [ldapsam|ldapsam_nua]:url</ulink></para></listitem> <listitem><para><ulink url="smb.conf.5.html#LDAPSSL">ldap ssl</ulink></para></listitem> - <listitem><para><ulink url="smb.conf.5.html#LDAPSERVER">ldap server</ulink></para></listitem> <listitem><para><ulink url="smb.conf.5.html#LDAPADMINDN">ldap admin dn</ulink></para></listitem> <listitem><para><ulink url="smb.conf.5.html#LDAPSUFFIX">ldap suffix</ulink></para></listitem> <listitem><para><ulink url="smb.conf.5.html#LDAPFILTER">ldap filter</ulink></para></listitem> <listitem><para><ulink url="smb.conf.5.html#LDAPPORT">ldap port</ulink></para></listitem> + <listitem><para><ulink url="smb.conf.5.html#LDAPMACHINSUFFIX">ldap machine suffix</ulink></para></listitem> + <listitem><para><ulink url="smb.conf.5.html#LDAPUSERSUFFIX">ldap user suffix</ulink></para></listitem> + <listitem><para><ulink url="smb.conf.5.html#LDAPDELETEDN">ldap delete dn</ulink></para></listitem> + </itemizedlist> <para> 
@@ -521,13 +531,20 @@ use with an LDAP directory could appear as # changes, this password will need to be reset. ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org" - # specify the LDAP server's hostname (defaults to locahost) - ldap server = ahab.samba.org - # Define the SSL option when connecting to the directory # ('off', 'start tls', or 'on' (default)) ldap ssl = start tls + passdb backend ldapsam:ldap://ahab.samba.org + + # smbpasswd -x delete the entire dn-entry + ldap delete dn = no + + # the machine and user suffix added to the base suffix + # wrote WITHOUT quotes. NULL siffixes by default + ldap user suffix = ou=People + ldap machine suffix = ou=Systems + # define the port to use in the LDAP session (defaults to 636 when # "ldap ssl = on") ldap port = 389 |
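Review bot: in the AdvancedNetworkAdmin.sgml hunk (@@ -269,8 +269,23), the new "Adding printers without user intervention" sect2 says printers "may be added ... through the use of" the command in the `<programlisting>`, but `rundll32 printui.dll,PrintUIEntry /?` only prints the usage text; either say that `/?` lists the available switches or show a real invocation such as `rundll32 printui.dll,PrintUIEntry /in /n \\server\printer` (the `/in /n` form adds a connection to a named shared printer). The closing sentence's "referred to above" is fragile once the chapter is rendered; a `<ulink>` to the KB 189105 URL just added to the `<simplelist>` would be more robust.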
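Review bot: in the NT4Migration.sgml hunk (@@ -74,70 +74,253), every item of the new "features that Samba-3 can NOT provide" `<itemizedlist>` closes with `<para>` instead of `</para>` (`<para>Active Directory Server<para>`), leaving five unclosed paragraphs that will break the SGML build, and `<ephasis>AND</emphasis>` in the "User and Group Accounts" sect3 has a mismatched opening tag. In the "Process" `<programlisting>` the step letters were removed but the notes still say "Note the SID returned by step b." and "Note the SID in step c.", so they now point at nothing; name the commands instead (the `rpcclient ... lsaquery` output and the `net getsid` output). The second `net rpc campire -S NT4PDC ...` line is still a typo for `vampire` and will fail for anyone copying the step. Every `-U Administrator%passwd` example also embeds the domain administrator password on the command line, where it is exposed in the process list and shell history; documenting `-U Administrator` and letting `net`/`rpcclient` prompt is the safer form. Typos carried into the new text: Direcrtory, Directorty, ste-by-step, privilidges, logong, Adminsitration, mulitple route.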
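Review bot: in the first passdb.sgml hunk (@@ -341,8 +341,9), the book reference is pasted as a quoted string with a stray comma in the title ("LDAP, System Administration; Gerald Carter, O'Reilly; Chapter 6: Replacing NIS"); mark the title up with `<citetitle>LDAP System Administration</citetitle>` and give author, publisher and chapter as ordinary prose so it renders like the document's other references.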
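Review bot: in the schema hunk (@@ -375,7 +376,7), changing `sambaAccount` from STRUCTURAL to AUXILIARY is the right fix, since it lets the Samba attributes be attached to an existing posixAccount/account entry, but the surrounding text should say so and warn readers who already loaded the old schema: entries whose only structural class was sambaAccount no longer satisfy the schema, and OpenLDAP releases that enforce the structural object class rule will reject modifications to them until a structural class is added.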
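Review bot: in the index hunk (@@ -476,6 +477,11), the comment `# (both fetched via ldapsearch):` has no subject, so a reader cannot tell what "both" refers to; say what the two new `index primaryGroupID eq` and `index displayName pres,eq` lines are for (attributes Samba searches on when resolving accounts, so unindexed lookups become full scans), and keep the comment on its own line rather than ending in a colon with nothing after it.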
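Review bot: in the parameter-list hunk (@@ -485,16 +491,20), the new `ldap machine suffix` entry links to `#LDAPMACHINSUFFIX`, which drops the "E" that the sibling anchors keep (`#LDAPUSERSUFFIX`, `#LDAPDELETEDN`); verify the anchor against smb.conf.5.html or the link will be dead. Dropping `ldap server` is consistent with the hostname now living in the `passdb backend` URL, but the paragraph above says these parameters exist only with `--with-ldapsam`, which is not true of `passdb backend` itself; the new entry should make clear that only the `ldapsam`/`ldapsam_nua` values depend on that build option.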
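Review bot: in the smb.conf example hunk (@@ -521,13 +531,20), `passdb backend ldapsam:ldap://ahab.samba.org` is missing the `=`; smb.conf parameters are `name = value`, so the line that replaces the removed `ldap server = ahab.samba.org` would be rejected and the example does not demonstrate the change it was written for. It should read `passdb backend = ldapsam:ldap://ahab.samba.org`. The suffix comment ("wrote WITHOUT quotes. NULL siffixes by default") should read "written without quotes; empty by default", and the `ldap delete dn` comment is a fragment; say what the option controls (whether `smbpasswd -x` removes the whole LDAP entry or only the Samba attributes). A one-line remark that the server hostname moved from `ldap server` into the `passdb backend` URL would help anyone upgrading an existing configuration.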