Diffstat (limited to 'docs/docbook/projdoc/NT4Migration.sgml')
-rw-r--r-- | docs/docbook/projdoc/NT4Migration.sgml | 474 |
1 files changed, 441 insertions, 33 deletions
diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 1f7371de36..60d9f121f4 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml 
@@ -15,80 +15,488 @@ Samba-3 based domain control. <title>Planning and Getting Started</title> <para> -You must use at least the following ... +In the IT world there is often a saying that all problems are encountered because of +poor planning. The corrollary to this saying is that not all problems can be anticpated +and planned for. Then again, good planning will anticpate most show stopper type situations. +</para> + +<para> +Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control +environment would do well to develop a detailed migration plan. So here are a few pointers to +help migration get under way. </para> <sect2> <title>Objectives</title> <para> -Blah blah objectives here. +The key objective for most organisations will be to make the migration from MS Windows NT4 +to Samba-3 domain control as painless as possible. One of the challenges you may experience +in your migration process may well be one of convincing management that the new environment +should remain in place. Many who have introduced open source technologies have experienced +pressure to return to a Microsoft based platform solution at the first sign of trouble. </para> -</sect2> -<sect2> -<title>Steps In Migration Process</title> +<para> +It is strongly advised that before attempting a migration to a Samba-3 controlled network +that every possible effort be made to gain all-round commitment to the change. Firstly, you +should know precisely <emphasis>why</emphasis> the change is important for the organisation. 
+Possible motivations to make a change include: +</para> + +<itemizedlist> +<listitem> + <para>Improve network manageability</para> +</listitem> +<listitem> + <para>Obtain better user level functionality</para> +</listitem> +<listitem> + <para>Reduce network operating costs</para> +</listitem> +<listitem> + <para>Reduce exposure caused by Microsoft withdrawal of NT4 support</para> +</listitem> +<listitem> + <para>Avoid MS License 6 implications</para> +</listitem> +<listitem> + <para>Reduce organisation's dependency on Microsoft</para> +</listitem> +</itemizedlist> <para> -This is not a definitive ste-by-step process yet - just a place holder so the info -is not lost. +It is vital that it be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers +an alternative solution that is both different from MS Windows NT4 and that offers some +advantages compared with it. It should also be recognised that Samba-3 lacks many of the +features that Microsoft has promoted as core values in migration from MS Windows NT4 to +MS Windows 2000 and beyond (with or without Active Directory services). +</para> -1. You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated +<para> +What are the features that Samba-3 can NOT provide? +</para> -2. Samba-3 set up as a DC with netlogon share, profile share, etc. +<itemizedlist> +<listitem> + <para>Active Directory Server<para> +</listitem> +<listitem> + <para>Group Policy Objects (in Active Direcrtory)<para> +</listitem> +<listitem> + <para>Machine Policy objects<para> +</listitem> +<listitem> + <para>Logon Scripts in Active Directorty<para> +</listitem> +<listitem> + <para>Software Application and Access Controls in Active Directory<para> +</listitem> +</itemizedlist> -3. Process: - a. 
Create a BDC account for the samba server using NT Server Manager - - Samba must NOT be running +<para> +The features that Samba-3 DOES provide and that may be of compelling interest to your site +includes: +</para> - b. rpcclient NT4PDC -U Administrator%passwd - lsaquery +<itemizedlist> +<listitem> + <para>Lower Cost of Ownership</para> +</listitem> +<listitem> + <para>Global availability of support with no strings attached</para> +</listitem> +<listitem> + <para>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</para> +</listitem> +<listitem> + <para>Creation of on-the-fly logon scripts</para> +</listitem> +<listitem> + <para>Creation of on-the-fly Policy Files</para> +</listitem> +<listitem> + <para>Greater Stability, Reliability, Performance and Availability</para> +</listitem> +<listitem> + <para>Manageability via an ssh connection</para> +</listitem> +<listitem> + <para>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</para> +</listitem> +<listitem> + <para>Ability to implement a full single-signon architecture</para> +</listitem> +<listitem> + <para>Ability to distribute authentication systems for absolute minimum wide are network bandwidth demand</para> +</listitem> +</itemizedlist> - Note the SID returned by step b. +<para> +Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are +considered. Users should be educated about changes they may experience so that the change will be a +welcome one and not become an obstacle to the work they need to do. The following are some of the +factors that will go into a successful migration: +</para> - c. net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd +<sect3> +<title>Domain Layout</title> - Note the SID in step c. +<para> +Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called +a secondary controller), a domain member, or as a stand-alone server. 
The Windows network security +domain context should be sized and scoped before implementation. Particular attention needs to be +paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs). +It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one +chooses to use an LDAP authentication backend then the same database can be used by several different +domains. This means that in a complex organisation there can be a single LDAP database, that itself +can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed). +</para> - d. net getlocalsid +<para> +It is recommended that from a design perspective, the number of users per server, as well as the number +of servers, per domain should be scaled according to needs and should also consider server capacity +and network bandwidth. +</para> - Note the SID, now check that all three SIDS reported are the same! +<para> +A physical network segment may house several domains, each of which may span multiple network segments. +Where domains span routed network segments it is most advisable to consider and test the performance +implications of the design and layout of a network. A Centrally located domain controller that is being +designed to serve mulitple routed network segments may result in severe performance problems if the +response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations +where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as +the local authentication and access control server. +</para> +</sect3> - e. net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd +<sect3> +<title>Server Share and Directory Layout</title> - f. net rpc vampire -S NT4PDC -U administrator%passwd +<para> +There are few cardinal rules to effective network design that can be broken with impunity. 
+The most important rule of effective network management is that simplicity is king in every +well controlled network. Every part of the infrastructure must be managed, the more complex +it is, the greater will be the demand of keeping systems secure and functional. +</para> - g. pdbedit -l +<para> +The nature of the data that must be stored needs to be born in mind when deciding how many +shares must be created. The physical disk space layout should also be taken into account +when designing where share points will be created. Keep in mind that all data needs to be +backed up, thus the simpler the disk layout the easier it will be to keep track of what must +be backed up to tape or other off-line storage medium. Always plan and implement for minimum +maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance: +Backup and test, validate every backup, create a disaster recovery plan and prove that it works. +</para> - Note - did the users migrate? +<para> +Users should be grouped according to data access control needs. File and directory access +is best controlled via group permissions and the use of the "sticky bit" on group controlled +directories may substantially avoid file access complaints from samba share users. +</para> - h. initGrps.sh DOMNAME +<para> +Many network administrators who are new to the game will attempt to use elaborate techniques +to set access controls, on files, directories, shares, as well as in share definitions. +There is the ever present danger that that administrator's successor will not understand the +complex mess that has been inherited. Remember, apparent job security through complex design +and implementation may ultimately cause loss of operations and downtime to users as the new +administrator learns to untangle your web. Keep access controls simple and effective and +make sure that users will never be interrupted by the stupidity of complexity. +</para> +</sect3> - i. 
smbgroupedit -v +<sect3> +<title>Logon Scripts</title> - Now check that all groups are recognised +<para> +Please refer to the section of this document on Advanced Network Adminsitration for information +regarding the network logon script options for Samba-3. Logon scripts can help to ensure that +all users gain share and printer connections they need. +</para> - j. net rpc campire -S NT4PDC -U administrator%passwd +<para> +Logon scripts can be created on-the-fly so that all commands executed are specific to the +rights and privilidges granted to the user. The preferred controls should be affected through +group membership so that group information can be used to custom create a logong script using +the <filename>root preexec</filename> parameters to the <filename>NETLOGON</filename> share. +</para> + +<para> +Some sites prefer to use a tool such as <filename>kixstart</filename> to establish a controlled +user environment. In any case you may wish to do a google search for logon script process controls. +In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that +deals with how to add printers without user intervention via the logon script process. +</para> +</sect3> + +<sect3> +<title>Profile Migration/Creation</title> - k. pdbedit -lv +<para> +User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile +Management. +</para> - Note - check that all group membership has been migrated. +<para> +Profiles may also be managed using the Samba-3 tool <filename>profiles</filename>. This tool allows +the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file +to be changed to the SID of the Samba-3 domain. +</para> +</sect3> +<sect3> +<title>User and Group Accounts</title> -Now it is time to migrate all the profiles, then migrate all policy files. +<para> +It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. 
Before +attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the +groups that are present on the MS Windows NT4 domain <emphasis>AND</emphasis> to connect these to +suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes +should migrate painlessly. +</para> +</sect3> + +</sect2> -Moe later. +<sect2> +<title>Steps In Migration Process</title> + +<para> +The approximate migration process is described below. +</para> + +<itemizedlist> +<listitem><para> +You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated +</para></listitem> + +<listitem><para> +Samba-3 set up as a DC with netlogon share, profile share, etc. +</para></listitem> +</itemizedlist> + +<procedure><title>The Account Migration Process</title> + <step><para>Create a BDC account for the samba server using NT Server Manager</para> + <substeps><step><para>Samba must NOT be running</para></step></substeps></step> + + <step> + <para>rpcclient NT4PDC -U Administrator%passwd</para> + <substeps><step><para>lsaquery</para></step> + <step><para>Note the SID returned</para></step> + </substeps> + </step> + + <step><para>net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd</para> + <substeps><step><para>Note the SID</para></step></substeps> + </step> + + <step><para>net getlocalsid</para> + <substeps> + <step><para>Note the SID, now check that all three SIDS reported are the same!</para></step> + </substeps> + </step> + + <step><para>net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd</para></step> + + <step><para>net rpc vampire -S NT4PDC -U administrator%passwd</para></step> + + <step><para>pdbedit -l</para> + <substeps><step><para>Note - did the users migrate?</para></step></substeps> + </step> + + <step><para>initGrps.sh DOMNAME</para></step> + + <step><para>smbgroupedit -v</para> + <substeps><step><para>Now check that all groups are recognised</para></step></substeps> + </step> + + 
<step><para>net rpc campire -S NT4PDC -U administrator%passwd</para></step> + + <step><para>pdbedit -lv</para> + <substeps><step> + <para>Note - check that all group membership has been migrated</para> + </step></substeps> + </step> +</procedure> + +<para> +Now it is time to migrate all the profiles, then migrate all policy files. +More later. </para> </sect2> </sect1> <sect1> -<title>Managing Samba-3 Domain Control</title> +<title>Migration Options</title> <para> -Lots of blah blah here. +Based on feedback from many sites as well as from actual installation and maintenance +experience sites that wish to migrate from MS Windows NT4 Domain Control to a Samba +based solution fit into three basic categories. +</para> + +<table frame="all"><title>The 3 Major Site Types</title> +<tgroup cols="2" align="center"> + <thead> + <row><entry align="center">Number of Users</entry><entry>Description</entry></row> + </thead> + <tbody> + <row><entry align="center">< 50</entry><entry><para>Want simple conversion with NO pain</para></entry></row> + <row><entry align="center">50 - 250</entry><entry><para>Want new features, can manage some in-house complexity</para></entry></row> + <row><entry align="center">> 250</entry><entry><para>Solution/Implementation MUST scale well, complex needs. Cross departmental decision process. Local expertise in most areas</para></entry></row> + </tbody> +</tgroup> +</table> + +<sect2> +<title>Planning for Success</title> + +<para> +There are three basic choices for sites that intend to migrate from MS Windwows NT4 +to Samba-3. 
+</para> + +<itemizedlist> + <listitem><para> + Simple Conversion (total replacement) + </para></listitem> + + <listitem><para> + Upgraded Conversion (could be one of integration) + </para></listitem> + + <listitem><para> + Complete Redesign (completely new solution) + </para></listitem> +</itemizedlist> + +<para> +No matter what choice you make, the following rules will minimise down-stream problems: +</para> + +<itemizedlist> + <listitem><para> + Take sufficient time + </para></listitem> + + <listitem><para> + Avoid Panic + </para></listitem> + + <listitem><para> + Test ALL assumptions + </para></listitem> + + <listitem><para> + Test full roll-out program, including workstation deployment + </para></listitem> +</itemizedlist> + +<table frame="top"><title>Nature of the Conversion Choices</title> +<tgroup cols="3" align="center"> + <thead> + <row><entry>Simple</entry><entry>Upgraded</entry><entry>Redesign</entry></row> + </thead> + <tbody> + <row> + <entry><para>Make use of minimal OS specific features</para></entry> + <entry><para>Translate NT4 features to new host OS features</para></entry> + <entry><para>Decide:</para></entry> + </row> + <row> + <entry><para>Suck all accounts from NT4 into Samba-3</para></entry> + <entry><para>Copy and improve:</para></entry> + <entry><para>Authentication Regime (database location and access)</para></entry> + </row> + <row> + <entry><para>Make least number of operational changes</para></entry> + <entry><para>Make progressive improvements</para></entry> + <entry><para>Desktop Management Methods</para></entry> + </row> + <row> + <entry><para>Take least amount of time to migrate</para></entry> + <entry><para>Minimise user impact</para></entry> + <entry><para>Better Control of Desktops / Users</para></entry> + </row> + <row> + <entry><para>Live versus Isolated Conversion</para></entry> + <entry><para>Maximise functionality</para></entry> + <entry><para>Identify Needs for: Manageability, Scalability, Security, 
Availability</para></entry> + </row> + <row> + <entry><para>Integrate Samba-3 then migrate while users are active, then Change of control (ie: swap out)</para></entry> + <entry><para>Take advantage of lower maintenance opportunity</para></entry> + <entry><para></para></entry> + </row> + </tbody> +</tgroup> +</table> +</sect2> + +<sect2> +<title>Samba Implementation Choices</title> + +<para><programlisting> +Authentication database back end + Winbind (external Samba or NT4/200x server) + Can use pam_mkhomedir.so to auto-create home dirs + External server could use Active Directory or NT4 Domain + +Database type + smbpasswd, tdbsam, ldapsam, MySQLsam + +Access Control Points + On the Share itself (Use NT4 Server Manager) + On the file system + Unix permissions on files and directories + Posix ACLs enablement in file system? + Through Samba share parameters + Not recommended - except as only resort + +Policies (migrate or create new ones) + Group Policy Editor (NT4) + Watch out for Tattoo effect + +User and Group Profiles + Platform specific so use platform tool to change from a Local to a Roaming profile + Can use new profiles tool to change SIDs (NTUser.DAT) + +Logon Scripts (Know how they work) + +User and Group mapping to Unix/Linux + username map facility may be needed + Use smbgroupedit to connect NT4 groups to Unix groups + Use pdbedit to set/change user configuration +NOTE: +If migrating to LDAP back end it may be easier to dump initial LDAP database to LDIF, then edit, then reload into LDAP + + OS specific scripts / programs may be needed + Add / delete Users + Note OS limits on size of name (Linux 8 chars) + NT4 up to 254 chars + Add / delete machines + Applied only to domain members (note up to 16 chars) + Add / delete Groups + Note OS limits on size and nature + Linux limit is 16 char, no spaces and no upper case chars (groupadd) + +Migration Tools + Domain Control (NT4 Style) + Profiles, Policies, Access Controls, Security + +Migration Tools + Samba: net, 
rpcclient, smbpasswd, pdbedit, smbgroupedit, profiles + Windows: NT4 Domain User Manager, Server Manager (NEXUS) + +Authentication + New SAM back end (smbpasswd, tdbsam, ldapsam, mysqlsam) +</programlisting> </para> </sect1> + </chapter> |
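Review bot: the five items in the "What are the features that Samba-3 can NOT provide?" list are closed with `<para>` instead of `</para>` (`<para>Active Directory Server<para>` through `<para>Software Application and Access Controls in Active Directory<para>`), which leaves each `<listitem>` with two unclosed paragraph elements and will fail DocBook validation; the same hunk also puts raw `<` and `>` into the site-types table (`<entry align="center">< 50</entry>` and `> 250`), which need to be `&lt;` and `&gt;`. In "The Account Migration Process" the last step reads `net rpc campire -S NT4PDC -U administrator%passwd` (typo for `vampire`), and every `net` and `rpcclient` invocation in that procedure passes the NT4 domain Administrator password inline as `-U Administrator%passwd`, which exposes it to `ps` and to the shell history on the Samba host for the duration of the migration; consider documenting `-U Administrator` and letting the tool prompt instead. The step `initGrps.sh DOMNAME` is listed with no indication of where the script comes from or what it must do, while the "User and Group Accounts" sect3 only says the NT4 groups should be created in Samba-3 and connected to Unix groups beforehand; either explain the script or point to the section that does. Minor spelling in the prose: corrollary, anticpate, Direcrtory, Directorty, Adminsitration, privilidges, logong, mulitple, Windwows, "wide are network" (wide area), "born in mind" (borne), "that that administrator's".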