diff options
Diffstat (limited to 'docs/Samba-Guide/SBE-MigrateNT4Samba3.xml')
-rw-r--r-- | docs/Samba-Guide/SBE-MigrateNT4Samba3.xml | 1224 |
1 files changed, 1224 insertions, 0 deletions
diff --git a/docs/Samba-Guide/SBE-MigrateNT4Samba3.xml b/docs/Samba-Guide/SBE-MigrateNT4Samba3.xml new file mode 100644 index 0000000000..75a0213ade --- /dev/null +++ b/docs/Samba-Guide/SBE-MigrateNT4Samba3.xml @@ -0,0 +1,1224 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> +<chapter id="migration"> + <title>Migrating NT4 Domain to Samba-3</title> + + <para> + Ever since Microsoft announced that they are discontinuing support for Windows + NT4, Samba users started to ask for detailed instructions for how to migrate + from NT4 to Samba-3. This chapter provides background information that should + meet these needs. + </para> + + <para> + One wonders how many NT4 systems will be left in service by the time you read this + book though. + </para> + +<sect1> + <title>Introduction</title> + + <para><indexterm> + <primary>migration</primary> + </indexterm> + Network administrators who want to migrate off a Windows NT4 environment know + one thing with certainty. They feel that NT4 has been abandoned and they want + to update. The desire to get off NT4 and to not adopt Windows 200x and Active + Directory is driven by a mixture of concerns over complexity, cost, fear of + failure, and much more. + </para> + + <para><indexterm> + <primary>group policies</primary> + </indexterm><indexterm> + <primary>accounts</primary> + <secondary>user</secondary> + </indexterm><indexterm> + <primary>accounts</primary> + <secondary>group</secondary> + </indexterm><indexterm> + <primary>accounts</primary> + <secondary>machine</secondary> + </indexterm> + The migration from NT4 to Samba-3 can involve a number of factors, including: + migration of data to another server, migration of network environment controls + such as group policies, and finally migration of the users, groups, and machine + accounts. + </para> + + <para><indexterm> + <primary>accounts</primary> + <secondary>Domain</secondary> + </indexterm> + It should be pointed out now that it is possible to migrate some systems from + Windows NT4 Domain environments to a Samba-3 Domain Environment. This is certainly + not possible in every case. It is possible to just migrate the Domain accounts + to Samba-3 and then to switch machines, but as a hands-off transition, this is more + an exception than the rule. Most systems require some tweaking and adjusting + following migration before an environment that is acceptable for immediate use + is obtained. + </para> + + <sect2> + <title>Assignment Tasks</title> + + <para><indexterm> + <primary>LDAP</primary> + </indexterm><indexterm> + <primary>ldapsam</primary> + </indexterm><indexterm> + <primary>passdb backend</primary> + </indexterm> + You are about to migrate an MS Windows NT4 Domain accounts database to + a Samba-3 server. The Samba-3 server is using a + <parameter>passdb backend</parameter> based on LDAP. The + <constant>ldapsam</constant> is ideal because an LDAP backend can be distributed + for use with BDCs &smbmdash; generally essential for larger networks. + </para> + + <para> + Your objective is to document the process of migrating user and group accounts + from several NT4 Domains into a single Samba-3 LDAP backend database. + </para> + + </sect2> +</sect1> + +<sect1> + <title>Dissection and Discussion</title> + + <para><indexterm> + <primary>snap-shot</primary> + </indexterm><indexterm> + <primary>NT4 registry</primary> + </indexterm><indexterm> + <primary>registry</primary> + <secondary>keys</secondary> + <tertiary>SAM</tertiary> + </indexterm><indexterm> + <primary>registry</primary> + <secondary>keys</secondary> + <tertiary>SECURITY</tertiary> + </indexterm><indexterm> + <primary>SAM</primary> + </indexterm><indexterm> + <primary>Security Account Manager</primary> + <see>SAM</see> + </indexterm> + The migration process takes a snap-shot of information that is stored in the + Windows NT4 registry based accounts database. That information resides in + the Security Account Manager (SAM) portion of the NT4 Registry under keys called + <constant>SAM</constant> and <constant>SECURITY</constant>. + </para> + + <warning><para><indexterm> + <primary>crippled</primary> + </indexterm><indexterm> + <primary>inoperative</primary> + </indexterm> + The Windows NT4 registry keys called <constant>SAM</constant> and <constant>SECURITY</constant> + are protected so that you cannot view the contents. If you change the security setting + to reveal the contents under these hive keys, your Windows NT4 Domain is crippled. Do not + do this unless you are willing to render your domain controller inoperative. + </para></warning> + + <para><indexterm> + <primary>migration</primary> + <secondary>objectives</secondary> + </indexterm><indexterm> + <primary>disruptive</primary> + </indexterm> + Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are. + While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server, + that may not be a good idea from an administration perspective. Since you are going through a + certain amount of disruptive activity anyhow, why not take this as an opportunity to review + the structure of the network, how Windows clients are controlled and how they + interact with the network environment. + </para> + + <para><indexterm> + <primary>network</primary> + <secondary>logon scripts</secondary> + </indexterm><indexterm> + <primary>profiles share</primary> + </indexterm><indexterm> + <primary>security descriptors</primary> + </indexterm> + MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed + have done little to keep the NT4 server environment up-to-date with more recent Windows releases, + particularly Windows XP Professional. The migration provides opportunity to revise and update + roaming profile deployment as well as folder redirection. Given that you must port the + greater network configuration of this from the old NT4 server to the new Samba-3 server, you + also must validate the security descriptors in the profiles share as well as network logon + scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this + as a good time to update desktop systems also. In all, the extra effort should constitute no + real disruption to users, rather with due diligence and care should make their network experience + a much happier one. + </para> + + <sect2> + <title>Technical Issues</title> + + <para><indexterm> + <primary>strategic</primary> + </indexterm> + Migration of an NT4 Domain user and group database to Samba-3 involves a certain strategic + element. Many sites have asked for instructions regarding merging of multiple different NT4 + Domains into one Samba-3 LDAP database. It would appear that this is viewed as a significant + added value compared with the alternative of migration to Windows Server 200x and Active + Directory. The diagram in <link linkend="ch8-migration"/> illustrates the effect of migration + from a Windows NT4 Domain to a Samba Domain. + </para> + + <image id="ch8-migration"> + <imagedescription>Schematic Explaining the <command>net rpc vampire</command> Process</imagedescription> + <imagefile scale="55">ch8-migration</imagefile> + </image> + + <para> + In any case, the migration process involves the following steps: + </para> + + <itemizedlist> + <listitem><para> + Prepare the target Samba-3 server. This involves configuring Samba-3 for + migration to either a tdbsam or an ldapsam backend. + </para></listitem> + + <listitem><para><indexterm> + <primary>uppercase</primary> + </indexterm><indexterm> + <primary>Posix</primary> + </indexterm><indexterm> + <primary>lower-case</primary> + </indexterm> + Clean up the source NT4 PDC. Delete all accounts that need not be migrated. + Delete all files that should not be migrated. Where possible, change NT Group + names so there are no spaces or uppercase characters. This is important if + the target UNIX host insists on Posix compliant all lower-case user and group + names. + </para></listitem> + + <listitem><para> + Step through the migration process. + </para></listitem> + + <listitem><para><indexterm> + <primary>PDC</primary> + </indexterm> + Remove the NT4 PDC from the network. + </para></listitem> + + <listitem><para> + Upgrade the Samba-3 server from a BDC to a PDC, and validate all account + information. + </para></listitem> + </itemizedlist> + + <para><indexterm> + <primary>merge</primary> + </indexterm><indexterm> + <primary>passdb.tdb</primary> + </indexterm> + If you are wanting to merge multiple NT4 Domain account databases into one Samba Domain, + you must now dump the contents of the first migration and edit it as appropriate. Now clean + out (remove) the tdbsam backend file (<filename>passdb.tdb</filename>), or the LDAP database + files. You must start each migration with a new database into which you merge your NT4 + domains. + </para> + + <para><indexterm> + <primary>dump</primary> + </indexterm> + At this point, you are ready to perform the second migration following the same steps as + for the first. In other words, dump the database, edit it, and then you may merge the + dump for the first and second migrations. + </para> + + <para><indexterm> + <primary>LDAP</primary> + </indexterm><indexterm> + <primary>migrate</primary> + </indexterm><indexterm> + <primary>Domain SID</primary> + </indexterm> + You must be careful. If you choose to migrate to an LDAP backend, your dump file + now contains the full account information, including the Domain SID. The Domain SID for each + of the two NT4 Domains will be different. You must choose one, and change the Domain + portion of the account SIDs so that all are the same. + </para> + + <para><indexterm> + <primary>passdb.tdb</primary> + </indexterm><indexterm> + <primary>/etc/passwd</primary> + </indexterm><indexterm> + <primary>merged</primary> + </indexterm><indexterm> + <primary>logon script</primary> + </indexterm><indexterm> + <primary>logon hours</primary> + </indexterm><indexterm> + <primary>logon machines</primary> + </indexterm><indexterm> + <primary>profile path</primary> + </indexterm><indexterm> + <primary>smbpasswd</primary> + </indexterm><indexterm> + <primary>tdbsam</primary> + </indexterm><indexterm> + <primary>LDAP backend</primary> + </indexterm><indexterm> + <primary>export</primary> + </indexterm><indexterm> + <primary>import</primary> + </indexterm> + If you choose to use a tdbsam (<filename>passdb.tdb</filename>) backend file, your best choice + is to use <command>pdbedit</command> to export the contents of the tdbsam file into an + smbpasswd data file. This automatically strips out all Domain specific information, + such as logon hours, logon machines, logon script, profile path, as well as the Domain SID. + The resulting file can be easily merged with other migration attempts (each of which must start + with a clean file). It should also be noted that all users that end up in the merged smbpasswd + file must have an account in <filename>/etc/passwd</filename>. The resulting smbpasswd file + may be exported/imported into either a tdbsam (<filename>passdb.tdb</filename>), or else into + an LDAP backend. + </para> + + <image id="NT4DUM"> + <imagedescription>View of Accounts in NT4 Domain User Manager</imagedescription> + <imagefile scale="50">UserMgrNT4</imagefile> + </image> + + </sect2> + + + <sect2> + <title>Political Issues</title> + + <para> + The merging of multiple Windows NT4 style Domains into a single LDAP-backend-based Samba-3 + Domain may be seen by those who had power over them as a loss of prestige or a loss of + power. The imposition of a single Domain may even be seen as a threat. So in migrating and + merging account databases, be consciously aware of the political fall-out in which you + may find yourself entangled when key staff feel a loss of prestige. + </para> + + <para> + The best advice that can be given to those who set out to merge NT4 Domains into one single + Samba-3 Domain is to promote (sell) the action as one that reduces costs and delivers + greater network interoperability and manageability. + </para> + + </sect2> + +</sect1> + +<sect1> + <title>Implementation</title> + + <para> + You can present here the steps and example output for two NT4 to Samba-3 Domain migrations. The + first uses an LDAP-based backend, and the second uses a tdbsam backend. In each case the + scripts you specify in the &smb.conf; file for the <parameter>add user script</parameter> + collection of parameters are used to effect the addition of accounts into the passdb backend. + </para> + + <sect2> + <title>NT4 Migration Using LDAP Backend</title> + + <para> + In this instance, you migrate an NT4 PDC to an LDAP backend. The accounts you are about + to migrate are shown in <link linkend="NT4DUM"/>. In this example you make use of the + smbldap-tools scripts to add the accounts that are migrated into the ldapsam passdb backend. + Four scripts are essential to the migration process. There are other scripts that will be required + for daily management, but these are not critical to migration. The critical scripts are dependant + on which passdb backend is being used. Refer to <link linkend="ch8-vampire"/> to see which scripts + must be provided so that the migration process can complete. + </para> + + <para> + Do verify that you have correctly specified in the &smb.conf; file the scripts, and arguments + that should be passed to them, before attempting to perform the account migration. + </para> + + <table id="ch8-vampire"> + <title>Samba &smb.conf; Scripts Essential to Migration</title> + <tgroup cols="3"> + <colspec align="left"/> + <colspec align="center"/> + <colspec align="center"/> + <thead> + <row> + <entry>Entity</entry> + <entry>ldapsam Script</entry> + <entry>tdbsam Script</entry> + </row> + </thead> + <tbody> + <row> + <entry>Add User Accounts</entry> + <entry>smbldap-useradd</entry> + <entry>useradd</entry> + </row> + <row> + <entry>Delete User Accounts</entry> + <entry>smbldap-userdel</entry> + <entry>userdel</entry> + </row> + <row> + <entry>Add Group Accounts</entry> + <entry>smbldap-groupadd</entry> + <entry>groupadd</entry> + </row> + <row> + <entry>Delete Group Accounts</entry> + <entry>smbldap-groupdel</entry> + <entry>groupdel</entry> + </row> + <row> + <entry>Add User to Group</entry> + <entry>smbldap-groupmod</entry> + <entry>usermod (See Note)</entry> + </row> + <row> + <entry>Add Machine Accounts</entry> + <entry>smbldap-useradd</entry> + <entry>useradd</entry> + </row> + </tbody> + </tgroup> + </table> + + <note><para> + The UNIX/Linux <command>usermod</command> utility does not permit simple user addition to (or deletion + of users from) groups. This is a feature provided by the smbldap-tools scripts. If you want this + capability you will need to create your own tool to do this. Alternately, you can search the web + to locate a utility called <command>groupmem</command> (by George Kraft) that provides this functionality. + The <command>groupmem</command> utility was contributed to the shadow package but has not surfaced + in the formal commands provided by Linux distributions (March 2004). + </para></note> + + <para> + Before starting the migration, all dead accounts were removed using the User Manager for Domains. + </para> + + <procedure> + <step><para> + Install and configure the Samba-3 server precisely as shown in Chapter 6 for the server + called <constant>MASSIVE</constant>. The Domain name <constant>MEGANET</constant> must + match that of the NT4 Domain from which you are about to migrate. Do not execute any Samba + executables at this time, the appropriate time to do so is indicated below. + </para></step> + + <step><para><indexterm> + <primary>domain master</primary> + </indexterm><indexterm> + <primary>BDC</primary> + </indexterm> + Edit the &smb.conf; file to temporarily change the parameter + <smbconfoption name="domain master">No</smbconfoption> so + the Samba server functions as a BDC for the purpose of migration. Also, temporarily + (only during domain account migration) comment out the lines that specify deletion + scripts (delete user script, etc.). + </para></step> + + <step><para><indexterm> + <primary>preload.LDIF</primary> + </indexterm> + Create a file called <filename>preload.LDIF</filename> as shown in <link linkend="ch8-LDIF"/>. + Edit the contents so that the domain name and SID are correct for the site being installed. + </para></step> + + <step><para><indexterm> + <primary>slapadd</primary> + </indexterm> + Preload the LDAP database so it is ready to receive the information from the NT4 PDC. + This pre-loads the LDAP directory with the top-level information, as well as the + top level containers for user, group, computer, and domain account data. Execute the + instruction shown here: +<screen> +&rootprompt; slapadd -v -l preload.LDIF +added: "dc=abmas,dc=biz" (00000001) +added: "ou=People,dc=abmas,dc=biz" (00000002) +added: "ou=Groups,dc=abmas,dc=biz" (00000003) +added: "ou=Idmap,dc=abmas,dc=biz" (00000004) +added: "sambaDomainName=MEGANET,dc=abmas,dc=biz" (00000005) +</screen> + </para></step> + + <step><para> + Start the LDAP server. + </para></step> + + <step><para><indexterm> + <primary>ping</primary> + </indexterm> + Verify that the NT4 PDC can be reached: +<screen> +&rootprompt; ping nt4s +PING nt4s.abmas.biz (192.168.2.250) 56(84) bytes of data. +64 bytes from NT4S (192.168.2.250): icmp_seq=1 ttl=128 time=10.2 ms +64 bytes from NT4S (192.168.2.250): icmp_seq=2 ttl=128 time=0.518 ms +64 bytes from NT4S (192.168.2.250): icmp_seq=3 ttl=128 time=0.578 ms + +--- nt4s.abmas.biz ping statistics --- +3 packets transmitted, 3 received, 0% packet loss, time 2003ms +rtt min/avg/max/mdev = 0.518/3.773/10.223/4.560 ms +</screen> + It can. Great. + </para></step> + + <step><para><indexterm> + <primary>smbclient</primary> + </indexterm> + Validate that the resources on the NT4 PDC can be listed: +<screen> +&rootprompt; smbclient -L nt4s -UAdministrator%not24get + + Sharename Type Comment + --------- ---- ------- + NETLOGON Disk Logon server share + IPC$ IPC Remote IPC + UserProfiles Disk All Network User Profiles + + Server Comment + --------- ------- + NT4S + + Workgroup Master + --------- ------- + MEGANET NT4S +</screen> + This looks good. + </para></step> + + <step><para><indexterm> + <primary>Domain SID</primary> + </indexterm><indexterm> + <primary>net</primary> + <secondary>rpc</secondary> + <tertiary>getsid</tertiary> + </indexterm> + At this point, it is necessary to fetch the Domain SID from the NT4 PDC and + apply that to the Samba-3 BDC (soon to be PDC): +<screen> +&rootprompt; net rpc getsid -S NT4S -W MEGANET +Storing SID S-1-5-21-1988699175-926296742-1295600288 for + Domain MEGANET in secrets.tdb +</screen> + Done. + </para></step> + + <step><para><indexterm> + <primary>secrets.tdb</primary> + </indexterm><indexterm> + <primary>validate</primary> + </indexterm><indexterm> + <primary>tdbdump</primary> + </indexterm> + At this point, you can validate that the information is correct in the + <filename>secrets.tdb</filename> file, as shown here: +<screen> +&rootprompt; tdbdump /etc/samba/secrets.tdb +{ +key = "SECRETS/SID/MASSIVE" +data = "\01\04\00\00\00\00\00\05\15\00\00\00'$\89v\A6*67\A0J9M\ +00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\ +00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00" +} +{ +key = "SECRETS/LDAP_BIND_PW/cn=Manager,dc=abmas,dc=biz" +data = "not24get\00" +} +</screen> + This has returned the information expected. + </para></step> + +<note><para> +The <command>tdbdump</command> utility is a utility that you can build from the Samba source +code tree. Not all Linux binary distributions include this tool. If it is missing from your +Linux distribution you will need to build this yourself, or else for-go its use. +</para></note> + + <step><para><indexterm> + <primary>net</primary> + <secondary>rpc</secondary> + <tertiary>join</tertiary> + </indexterm> + We are ready to join the NT4 Domain as a BDC by executing the following: +<screen> +&rootprompt; net rpc join -S NT4S -W MEGANET -U Administrator%not24get +Joined domain MEGANET. +</screen> + Done. + </para></step> + + <step><para><indexterm> + <primary>net</primary> + <secondary>rpc</secondary> + <tertiary>vampire</tertiary> + </indexterm> + The Samba-3 BDC is now ready to receive the NT4 PDC accounts database, as shown here: +<screen> +&rootprompt; net rpc vampire -S NT4S +Fetching DOMAIN database +SAM_DELTA_DOMAIN_INFO not handled +Creating account: Administrator +Creating account: Guest +Creating account: NT4S$ +Creating account: massive$ +Creating account: barryf +Creating account: gdaison +Creating account: atrikhoffer +Creating account: hramsbotham +Creating account: fsellerby +Creating account: jrhapsody +Group members of Domain Admins: +Group members of Domain Users: NT4S$(primary),massive$(primary), +Group members of Domain Guests: nobody(primary), +Group members of rubberboot: +Group members of engineers: +Group members of accounting: +Group members of catalyst: +Group members of shipping: +Group members of receiving: +Group members of marketiod: +Group members of sales: +Fetching BUILTIN database +SAM_DELTA_DOMAIN_INFO not handled +</screen> + </para></step> + + <step><para><indexterm> + <primary>domain master</primary> + </indexterm><indexterm> + <primary>PDC</primary> + </indexterm> + Edit the &smb.conf; file to reset the parameter + <smbconfoption name="domain master">Yes</smbconfoption> so that + the Samba server functions as a PDC for the purpose of migration. + </para></step> + </procedure> + +<example id ="ch8-LDIF"> +<title>LDAP Preload LDIF file &smbmdash; <filename>preload.LDIF</filename></title> +<screen> +dn: dc=abmas,dc=biz +objectClass: dcObject +objectClass: organization +dc: abmas +o: Abmas Demo +description: POSIX and Samba LDAP Identity Database + +dn: ou=People,dc=abmas,dc=biz +objectClass: top +objectClass: organizationalUnit +ou: People + +dn: ou=Groups,dc=abmas,dc=biz +objectClass: top +objectClass: organizationalUnit +ou: Groups + +dn: ou=Idmap,dc=abmas,dc=biz +objectClass: top +objectClass: organizationalUnit +ou: Idmap + +dn: sambaDomainName=MEGANET2,dc=abmas,dc=biz +objectClass: sambaDomain +objectClass: sambaUnixIdPool +sambaDomainName: MEGANET +sambaSID: S-1-5-21-1988699175-926296742-1295600288 +uidNumber: 1000 +gidNumber: 1000 +</screen> +</example> + + </sect2> + + <sect2> + <title>NT4 Migration Using tdbsam Backend</title> + + <para> + In this example, you have chosen to change the Domain name of the NT4 server from + <constant>DRUGPREP</constant> to <constant>MEGANET</constant> prior to the use + of the vampire (migration) tool. This migration process makes use of Linux system tools + (like <command>useradd</command>) to add the accounts that are migrated into the + UNIX/Linux <filename>/etc/passwd</filename>, and <filename>/etc/group</filename> + databases. These entries must therefore be present, and correct options specified, + in your &smb.conf; file or else the migration does not work as it should. + </para> + + <procedure> + <step><para> + Prepare a Samba-3 server precisely per the instructions shown in Chapter 5. + Set the workgroup name to <constant>MEGANET</constant>. + </para></step> + + <step><para><indexterm> + <primary>domain master</primary> + </indexterm><indexterm> + <primary>BDC</primary> + </indexterm> + Edit the &smb.conf; file to temporarily change the parameter + <smbconfoption name="domain master">No</smbconfoption> so + the Samba server functions as a BDC for the purpose of migration. + </para></step> + + <step><para> + Start Samba as you have done previously. + </para></step> + + <step><para><indexterm> + <primary>net</primary> + <secondary>rpc</secondary> + <tertiary>join</tertiary> + </indexterm> + Join the NT4 Domain as a BDC, as shown here: +<screen> +&rootprompt; net rpc join -S oldnt4pdc -W MEGANET -UAdministrator%not24get +Joined domain MEGANET. +</screen> + </para></step> + + <step><para><indexterm> + <primary>net</primary> + <secondary>rpc</secondary> + <tertiary>vampire</tertiary> + </indexterm> + You may vampire the accounts from the NT4 PDC by executing the command, as shown here: +<screen> +&rootprompt; net rpc vampire -S oldnt4pdc -U Administrator%not24get +Fetching DOMAIN database +SAM_DELTA_DOMAIN_INFO not handled +Creating unix group: 'Domain Admins' +Creating unix group: 'Domain Users' +Creating unix group: 'Domain Guests' +Creating unix group: 'Engineers' +Creating unix group: 'Marketoids' +Creating unix group: 'Account Operators' +Creating unix group: 'Administrators' +Creating unix group: 'Backup Operators' +Creating unix group: 'Guests' +Creating unix group: 'Print Operators' +Creating unix group: 'Replicator' +Creating unix group: 'Server Operators' +Creating unix group: 'Users' +Creating account: Administrator +Creating account: Guest +Creating account: oldnt4pdc$ +Creating account: jacko +Creating account: maryk +Creating account: bridge +Creating account: sharpec +Creating account: jimbo +Creating account: dhenwick +Creating account: dork +Creating account: blue +Creating account: billw +Creating account: massive$ +Group members of Engineers: Administrator, + sharpec(primary),bridge,billw(primary),dhenwick +Group members of Marketoids: Administrator,jacko(primary), + maryk(primary),jimbo,blue(primary),dork(primary) +Creating unix group: 'Gnomes' +Fetching BUILTIN database +SAM_DELTA_DOMAIN_INFO not handled +</screen> + </para></step> + + <step><para><indexterm> + <primary>pdbedit</primary> + </indexterm> + At this point, we can validate our migration. Let's look at the accounts + in the form as they would be seen in a smbpasswd file. This achieves that: +<screen> +&rootprompt; pdbedit -Lw +Administrator:505:84B0D8E14D158FF8417EAF50CFAC29C3: + AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[UX ]:LCT-3DF7AA9F: +jimbo:512:6E9A2A51F64A1BD5C187B8085FE1D9DF: + CDF7E305E639966E489A0CEFB95EE5E0:[UX ]:LCT-3E9362BC: +sharpec:511:E4301A7CD8FDD1EC6BBF9BC19CDF8151: + 7000255938831D5B948C95C1931534C5:[UX ]:LCT-3E8B42C4: +dhenwick:513:DCD8886141E3F892AAD3B435B51404EE: + 2DB36465949CB938DD98C312EFDC2639:[UX ]:LCT-3E939F41: +bridge:510:3FE6873A43101B46417EAF50CFAC29C3: + 891741F481AF111B4CAA09A94016BD01:[UX ]:LCT-3E8B4291: +blue:515:256D41D2559BB3D2AAD3B435B51404EE: + 9CCADDA4F7D281DD0FAD321478C6F971:[UX ]:LCT-3E939FDC: +diamond$:517:6C8E7B64EDCDBC4218B6345447A4454B: + 3323AC63C666CFAACB60C13F65D54E9A:[S ]:LCT-00000000: +oldnt4pdc$:507:3E39430CDCABB5B09ED320D0448AE568: + 95DBAF885854A919C7C7E671060478B9:[S ]:LCT-3DF7AA9F: +Guest:506:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: + XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DUX ]:LCT-3E93A008: +billw:516:85380CA7C21B6EBE168C8150662AF11B: + 5D7478508293709937E55FB5FBA14C17:[UX ]:LCT-3FED7CA1: +dork:514:78C70DDEC35A35B5AAD3B435B51404EE: + 0AD886E015AC595EC0AF40E6C9689E1A:[UX ]:LCT-3E939F9A: +jacko:508:BC472F3BF9A0A5F63832C92FC614B7D1: + 0C6822AAF85E86600A40DC73E40D06D5:[UX ]:LCT-3E8B4242: +maryk:509:3636AB7E12EBE79AB79AE2610DD89D4C: + CF271B744F7A55AFDA277FF88D80C527:[UX ]:LCT-3E8B4270: +</screen> + </para></step> + + <step><para><indexterm> + <primary>pdbedit</primary> + </indexterm> + An expanded view of a user account entry shows more of what was + obtained from the NT4 PDC: +<screen> +sleeth:~ # pdbedit -Lv maryk +Unix username: maryk +NT username: maryk +Account Flags: [UX ] +User SID: S-1-5-21-1988699175-926296742-1295600288-1003 +Primary Group SID: S-1-5-21-1988699175-926296742-1295600288-1007 +Full Name: Mary Kathleen +Home Directory: \\diamond\maryk +HomeDir Drive: X: +Logon Script: scripts\logon.bat +Profile Path: \\diamond\profiles\maryk +Domain: MEGANET +Account desc: Peace Maker +Workstations: +Munged dial: +Logon time: 0 +Logoff time: Mon, 18 Jan 2038 20:14:07 GMT +Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT +Password last set: Wed, 02 Apr 2003 13:05:04 GMT +Password can change: 0 +Password must change: Mon, 18 Jan 2038 20:14:07 GMT +</screen> + </para></step> + + <step><para><indexterm> + <primary>net</primary> + <secondary>group</secondary> + </indexterm> + And this command lists the long names of the groups that have been + imported (vampired) from the NT4 PDC: +<screen> +&rootprompt; net group -l -Uroot%not24get -Smassive + +Group name Comment +----------------------------- +Engineers Snake Oil Engineers +Marketoids Untrustworthy Hype Vendors +Gnomes Plain Vanilla Garden Gnomes +Replicator Supports file replication in a domain +Guests Users granted guest access to the computer/domain +Administrators Members can fully administer the computer/domain +Users Ordinary users +</screen> + Everything looks well and in order. + </para></step> + + <step><para><indexterm> + <primary>domain master</primary> + </indexterm><indexterm> + <primary>PDC</primary> + </indexterm> + Edit the &smb.conf; file to reset the parameter + <smbconfoption name="domain master">Yes</smbconfoption> so + the Samba server functions as a PDC for the purpose of migration. + </para></step> + </procedure> + </sect2> + + <sect2> + <title>Key Points Learned</title> + + <para> + Migration of an NT4 PDC database to a Samba-3 PDC is possible. + </para> + + <itemizedlist> + <listitem><para> + An LDAP backend is a suitable vehicle for NT4 migrations. + </para></listitem> + + <listitem><para> + A tdbsam backend can be used to perform a migration. + </para></listitem> + + <listitem><para> + Multiple NT4 Domains can be merged into a single Samba-3 + Domain. + </para></listitem> + + <listitem><para> + The net Samba-3 Domain most likely requires some + administration and updating before going live. + </para></listitem> + </itemizedlist> + + </sect2> + +</sect1> + +<sect1> + <title>Questions and Answers</title> + + <para> + </para> + + <qandaset defaultlabel="chap08qa" type="number"> + <qandaentry> + <question> + + <para><indexterm> + <primary>clean database</primary> + </indexterm> + Why must I start each migration with a clean database? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>merge</primary> + </indexterm> + This is a recommendation that permits the data from each NT4 Domain to + be kept separate until you are ready to merge them. Also, if you do not do this, + you may find errors due to users or groups from multiple Domains having the + same name, but different SIDs. It is better to permit each migration to complete + without undue errors and then to handle the merging of vampired data under + proper supervision. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para><indexterm> + <primary>Domain SID</primary> + </indexterm> + Is it possible to set my Domain SID to anything I like? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>auto-generated SID</primary> + </indexterm><indexterm> + <primary>SID</primary> + </indexterm><indexterm> + <primary>Domain SID</primary> + </indexterm> + Yes, so long as the SID you create has the same structure as an auto-generated SID. + The typical SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where + the XXXXXXXXXX can be any number with from 6 to 10 digits. On the other hand, why + would you really want to create your own SID? I cannot think of a good reason. + You may want to set the SID to one that is already in use somewhere on your network, + but that is a little different from straight out creating your own Domain SID. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para><indexterm> + <primary>/etc/passwd</primary> + </indexterm><indexterm> + <primary>/etc/group</primary> + </indexterm><indexterm> + <primary>tdbsam</primary> + </indexterm><indexterm> + <primary>passdb backend</primary> + </indexterm><indexterm> + <primary>accounts</primary> + <secondary>user</secondary> + </indexterm><indexterm> + <primary>accounts</primary> + <secondary>group</secondary> + </indexterm><indexterm> + <primary>accounts</primary> + <secondary>Domain</secondary> + </indexterm> + When using a tdbsam passdb backend, why must I have all Domain user and group accounts + in <filename>/etc/passwd</filename> and <filename>/etc/group</filename>? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>UID</primary> + </indexterm><indexterm> + <primary>GID</primary> + </indexterm><indexterm> + <primary>smbpasswd</primary> + </indexterm><indexterm> + <primary>/etc/passwd</primary> + </indexterm><indexterm> + <primary>Posix</primary> + </indexterm><indexterm> + <primary>LDAP database</primary> + </indexterm> + Samba-3 must be able to tie all user and group account SIDs to a UNIX UID or GID. Samba + does not fabricate the UNIX IDs from thin air, but rather requires them to be located + in a suitable place. + </para> + + <para> + When migrating a <filename>smbpasswd</filename> file to an LDAP backend, the + UID of each account is taken together with the account information in the + <filename>/etc/passwd</filename> and both sets of data are used to create the account + entrt in the LDAP database. + </para> + + <para> + If you elect to create the Posix account also, the entire UNIX account is copied to the + LDAP backend. The same occurs with NT groups and UNIX groups. At the conclusion of + migration to the LDAP database, the accounts may be removed from the UNIX database files. + In short then, all UNIX and Windows networking accounts, both in tdbsam as well as in + LDAP, require UIDs/GIDs. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para><indexterm> + <primary>validate</primary> + </indexterm><indexterm> + <primary>connectivity</primary> + </indexterm><indexterm> + <primary>migration</primary> + </indexterm> + Why did you validate connectivity before attempting migration? + </para> + + </question> + <answer> + + <para> + Access validation before attempting to migrate NT4 Domain accounts helps to pin-point + potential problems that may otherwise affect or impede account migration. I am always + mindful of the 4P's of migration &smbmdash; Planning Prevents Poor Performance. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + How would you merge 10 tdbsam-based domains into an LDAP database? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>risk</primary> + </indexterm><indexterm> + <primary>dump</primary> + </indexterm><indexterm> + <primary>tdbsam</primary> + </indexterm><indexterm> + <primary>Samba Domain</primary> + </indexterm><indexterm> + <primary>UID</primary> + </indexterm><indexterm> + <primary>GID</primary> + </indexterm><indexterm> + <primary>pdbedit</primary> + </indexterm><indexterm> + <primary>transfer</primary> + </indexterm><indexterm> + <primary>smbpasswd</primary> + </indexterm><indexterm> + <primary>LDAP</primary> + </indexterm><indexterm> + <primary>tool</primary> + </indexterm> + If you have 10 tdbsam Samba Domains, there is considerable risk that there are a number of + accounts that have the same UNIX identifier (UID/GID). This means that you almost + certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd + file format and then manually edit all records to ensure that each has a unique UID. Each + file can then be imported a number of ways. You can use the <command>pdbedit</command> tool, + to affect a transfer from the smbpasswd file to LDAP, or you can migrate them en masse to + tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that + you have migrated before handing over access to a user. After all, too many users with a bad + migration experience may threaten your career. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para><indexterm> + <primary>machine accounts</primary> + </indexterm><indexterm> + <primary>accounts</primary> + <secondary>machine</secondary> + </indexterm> + I want to change my Domain name after I migrate all accounts from an NT4 Domain to a + Samba-3 Domain. Does it make any sense to migrate the machine accounts in that case? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>registry</primary> + </indexterm><indexterm> + <primary>un-join</primary> + </indexterm><indexterm> + <primary>rejoin</primary> + </indexterm><indexterm> + <primary>tattooing</primary> + </indexterm> + I would recommend not. The machine accounts should still work, but there are registry entries + on each Windows NT4 and upward client that have a tattoo of the old domain name. If you + un-join the domain and then rejoin the newly renamed Samba-3 Domain, you can be certain to avoid + this tattooing effect. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para><indexterm> + <primary>multiple group mappings</primary> + </indexterm> + After merging multiple NT4 Domains into a Samba-3 Domain, I lost all multiple group mappings. Why? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>/etc/passwd</primary> + </indexterm><indexterm> + <primary>/etc/group</primary> + </indexterm> + Samba-3 currently does not implement multiple group membership internally. If you use the Windows + NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group + membership is stored in the Posix groups area. If you use either tdbsam or smbpasswd backend, + then multiple group membership is handled through the UNIX groups file. When you dump the user + accounts no group account information is provided. When you edit (change) UIDs and GIDs in each + file to which you migrated the NT4 Domain data, do not forget to edit the UNIX <filename>/etc/passwd</filename> + and <filename>/etc/group</filename> information also. That is where the multiple group information + is most closely at your fingertips. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para> + How can I reset group membership after loading the account information into the LDAP database? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>SRVTOOLS.EXE</primary> + </indexterm> + You can use the NT4 Domain User Manager that can be downloaded from the Microsoft Web site. The + installation file is called <filename>SRVTOOLS.EXE</filename>. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para><indexterm> + <primary>group names</primary> + </indexterm> + What are the limits or constraints that apply to group names? + </para> + + </question> + <answer> + + <para><indexterm> + <primary>limit</primary> + </indexterm><indexterm> + <primary>shadow-utils</primary> + </indexterm><indexterm> + <primary>groupadd</primary> + </indexterm><indexterm> + <primary>groupdel</primary> + </indexterm><indexterm> + <primary>groupmod</primary> + </indexterm><indexterm> + <primary>account names</primary> + </indexterm> + A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group + name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows + groups can contain upper- and lower-case characters, as well as spaces. + Many UNIX system do not permit the use of upper-case characters, and some do not permit the + space character either. A number of systems (i.e., Linux) work fine with both upper-case + and space characters in group names, but the shadow-utils package that provides the group + control functions (<command>groupadd, groupmod, groupdel</command>, and so on) do not permit them. + Also, a number of UNIX systems management tools enforce their own particular interpretation + of the Posix standards, and likewise do not permit upper-case or space characters in group + or user account names. You have to experiment with your system to find what its + peculiarities are. + </para> + + </answer> + </qandaentry> + + <qandaentry> + <question> + + <para><indexterm> + <primary>vampire</primary> + </indexterm> + My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3 + LDAP backend system using the vampire process? + </para> + + </question> + <answer> + + <para> + UNIX UIDs and GIDs on most UNIX systems use an unsigned short or an unsigned integer. Recent Linux + kernels support at least a much larger number. On systems that have a 16-bit constraint on UID/GIDs, + you would not be able to migrate 323,000 accounts because this number can not fit into a 16-bit unsigned + integer. UNIX/Linux systems that have a 32-bit UID/GID can easily handle this number of accounts. + Please check this carefully before you attempt to effect a migration using the vampire process. + </para> + + <para><indexterm> + <primary>Migration speed</primary> + </indexterm> + Migration speed depends much on the processor speed, the network speed, disk I/O capability, and + LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory, that was mirroring LDAP + to a second identical system over 1 gigabit ethernet, I was able to migrate around 180 user accounts + per minute. Migration would obviously go much faster if LDAP mirroring is turned off during the migration. + </para> + + </answer> + </qandaentry> + + </qandaset> + +</sect1> + +</chapter> + |