path: root/docs/docbook/projdoc/NT4Migration.sgml
Diffstat (limited to 'docs/docbook/projdoc/NT4Migration.sgml')
-rw-r--r--  docs/docbook/projdoc/NT4Migration.sgml  507
1 files changed, 0 insertions, 507 deletions
diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml
deleted file mode 100644
index 733d1f75ae..0000000000
--- a/docs/docbook/projdoc/NT4Migration.sgml
+++ /dev/null
@@ -1,507 +0,0 @@
-<chapter id="NT4Migration">
-<chapterinfo>
- &author.jht;
- <pubdate>April 3, 2003</pubdate>
-</chapterinfo>
-
-<title>Migration from NT4 PDC to Samba-3 PDC</title>
-
-<para>
-This is a rough guide to assist those wishing to migrate from NT4 domain control to
-Samba-3 based domain control.
-</para>
-
-<sect1>
-<title>Planning and Getting Started</title>
-
-<para>
-In the IT world there is often a saying that all problems are encountered because of
-poor planning. The corrollary to this saying is that not all problems can be anticpated
-and planned for. Then again, good planning will anticpate most show stopper type situations.
-</para>
-
-<para>
-Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control
-environment would do well to develop a detailed migration plan. So here are a few pointers to
-help migration get under way.
-</para>
-
-<sect2>
-<title>Objectives</title>
-
-<para>
-The key objective for most organisations will be to make the migration from MS Windows NT4
-to Samba-3 domain control as painless as possible. One of the challenges you may experience
-in your migration process may well be one of convincing management that the new environment
-should remain in place. Many who have introduced open source technologies have experienced
-pressure to return to a Microsoft based platform solution at the first sign of trouble.
-</para>
-
-<para>
-It is strongly advised that before attempting a migration to a Samba-3 controlled network
-that every possible effort be made to gain all-round commitment to the change. Firstly, you
-should know precisely <emphasis>why</emphasis> the change is important for the organisation.
-Possible motivations to make a change include:
-</para>
-
-<itemizedlist>
-<listitem>
- <para>Improve network manageability</para>
-</listitem>
-<listitem>
- <para>Obtain better user level functionality</para>
-</listitem>
-<listitem>
- <para>Reduce network operating costs</para>
-</listitem>
-<listitem>
- <para>Reduce exposure caused by Microsoft withdrawal of NT4 support</para>
-</listitem>
-<listitem>
- <para>Avoid MS License 6 implications</para>
-</listitem>
-<listitem>
- <para>Reduce organisation's dependency on Microsoft</para>
-</listitem>
-</itemizedlist>
-
-<para>
-It is vital that it be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers
-an alternative solution that is both different from MS Windows NT4 and that offers some
-advantages compared with it. It should also be recognised that Samba-3 lacks many of the
-features that Microsoft has promoted as core values in migration from MS Windows NT4 to
-MS Windows 2000 and beyond (with or without Active Directory services).
-</para>
-
-<para>
-What are the features that Samba-3 can NOT provide?
-</para>
-
-<itemizedlist>
-<listitem>
- <para>Active Directory Server</para>
-</listitem>
-<listitem>
- <para>Group Policy Objects (in Active Direcrtory)</para>
-</listitem>
-<listitem>
- <para>Machine Policy objects</para>
-</listitem>
-<listitem>
- <para>Logon Scripts in Active Directorty</para>
-</listitem>
-<listitem>
- <para>Software Application and Access Controls in Active Directory</para>
-</listitem>
-</itemizedlist>
-
-<para>
-The features that Samba-3 DOES provide and that may be of compelling interest to your site
-includes:
-</para>
-
-<itemizedlist>
-<listitem>
- <para>Lower Cost of Ownership</para>
-</listitem>
-<listitem>
- <para>Global availability of support with no strings attached</para>
-</listitem>
-<listitem>
- <para>Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)</para>
-</listitem>
-<listitem>
- <para>Creation of on-the-fly logon scripts</para>
-</listitem>
-<listitem>
- <para>Creation of on-the-fly Policy Files</para>
-</listitem>
-<listitem>
- <para>Greater Stability, Reliability, Performance and Availability</para>
-</listitem>
-<listitem>
- <para>Manageability via an ssh connection</para>
-</listitem>
-<listitem>
- <para>Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)</para>
-</listitem>
-<listitem>
- <para>Ability to implement a full single-signon architecture</para>
-</listitem>
-<listitem>
- <para>Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand</para>
-</listitem>
-</itemizedlist>
-
-<para>
-Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are
-considered. Users should be educated about changes they may experience so that the change will be a
-welcome one and not become an obstacle to the work they need to do. The following are some of the
-factors that will go into a successful migration:
-</para>
-
-<sect3>
-<title>Domain Layout</title>
-
-<para>
-Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called
-a secondary controller), a domain member, or as a stand-alone server. The Windows network security
-domain context should be sized and scoped before implementation. Particular attention needs to be
-paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs).
-It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one
-chooses to use an LDAP authentication backend then the same database can be used by several different
-domains. This means that in a complex organisation there can be a single LDAP database, that itself
-can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed).
-</para>
-
-<para>
-It is recommended that from a design perspective, the number of users per server, as well as the number
-of servers, per domain should be scaled according to needs and should also consider server capacity
-and network bandwidth.
-</para>
-
-<para>
-A physical network segment may house several domains, each of which may span multiple network segments.
-Where domains span routed network segments it is most advisable to consider and test the performance
-implications of the design and layout of a network. A Centrally located domain controller that is being
-designed to serve mulitple routed network segments may result in severe performance problems if the
-response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations
-where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as
-the local authentication and access control server.
-</para>
-</sect3>
-
-<sect3>
-<title>Server Share and Directory Layout</title>
-
-<para>
-There are few cardinal rules to effective network design that can be broken with impunity.
-The most important rule of effective network management is that simplicity is king in every
-well controlled network. Every part of the infrastructure must be managed, the more complex
-it is, the greater will be the demand of keeping systems secure and functional.
-</para>
-
-<para>
-The nature of the data that must be stored needs to be born in mind when deciding how many
-shares must be created. The physical disk space layout should also be taken into account
-when designing where share points will be created. Keep in mind that all data needs to be
-backed up, thus the simpler the disk layout the easier it will be to keep track of what must
-be backed up to tape or other off-line storage medium. Always plan and implement for minimum
-maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance:
-Backup and test, validate every backup, create a disaster recovery plan and prove that it works.
-</para>
-
-<para>
-Users should be grouped according to data access control needs. File and directory access
-is best controlled via group permissions and the use of the "sticky bit" on group controlled
-directories may substantially avoid file access complaints from samba share users.
-</para>
-
-<para>
-Many network administrators who are new to the game will attempt to use elaborate techniques
-to set access controls, on files, directories, shares, as well as in share definitions.
-There is the ever present danger that that administrator's successor will not understand the
-complex mess that has been inherited. Remember, apparent job security through complex design
-and implementation may ultimately cause loss of operations and downtime to users as the new
-administrator learns to untangle your web. Keep access controls simple and effective and
-make sure that users will never be interrupted by the stupidity of complexity.
-</para>
-</sect3>
-
-<sect3>
-<title>Logon Scripts</title>
-
-<para>
-Please refer to the section of this document on Advanced Network Adminsitration for information
-regarding the network logon script options for Samba-3. Logon scripts can help to ensure that
-all users gain share and printer connections they need.
-</para>
-
-<para>
-Logon scripts can be created on-the-fly so that all commands executed are specific to the
-rights and privilidges granted to the user. The preferred controls should be affected through
-group membership so that group information can be used to custom create a logong script using
-the <filename>root preexec</filename> parameters to the <filename>NETLOGON</filename> share.
-</para>
-
-<para>
-Some sites prefer to use a tool such as <filename>kixstart</filename> to establish a controlled
-user environment. In any case you may wish to do a google search for logon script process controls.
-In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that
-deals with how to add printers without user intervention via the logon script process.
-</para>
-</sect3>
-
-<sect3>
-<title>Profile Migration/Creation</title>
-
-<para>
-User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile
-Management.
-</para>
-
-<para>
-Profiles may also be managed using the Samba-3 tool <filename>profiles</filename>. This tool allows
-the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file
-to be changed to the SID of the Samba-3 domain.
-</para>
-</sect3>
-
-<sect3>
-<title>User and Group Accounts</title>
-
-<para>
-It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before
-attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the
-groups that are present on the MS Windows NT4 domain <emphasis>AND</emphasis> to connect these to
-suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes
-should migrate painlessly.
-</para>
-</sect3>
-
-</sect2>
-
-<sect2>
-<title>Steps In Migration Process</title>
-
-<para>
-The approximate migration process is described below.
-</para>
-
-<itemizedlist>
-<listitem><para>
-You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
-</para></listitem>
-
-<listitem><para>
-Samba-3 set up as a DC with netlogon share, profile share, etc.
-</para></listitem>
-</itemizedlist>
-
-<procedure><title>The Account Migration Process</title>
- <step><para>Create a BDC account for the samba server using NT Server Manager</para>
- <substeps><step><para>Samba must NOT be running</para></step></substeps></step>
-
- <step>
- <para>rpcclient NT4PDC -U Administrator%passwd</para>
- <substeps><step><para>lsaquery</para></step>
- <step><para>Note the SID returned</para></step>
- </substeps>
- </step>
-
- <step><para>net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd</para>
- <substeps><step><para>Note the SID</para></step></substeps>
- </step>
-
- <step><para>net getlocalsid</para>
- <substeps>
- <step><para>Note the SID, now check that all three SIDS reported are the same!</para></step>
- </substeps>
- </step>
-
- <step><para>net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd</para></step>
-
- <step><para>net rpc vampire -S NT4PDC -U administrator%passwd</para></step>
-
- <step><para>pdbedit -l</para>
- <substeps><step><para>Note - did the users migrate?</para></step></substeps>
- </step>
-
- <step><para>initGrps.sh DOMNAME</para></step>
-
- <step><para>net groupmap list</para>
- <substeps><step><para>Now check that all groups are recognised</para></step></substeps>
- </step>
-
- <step><para>net rpc campire -S NT4PDC -U administrator%passwd</para></step>
-
- <step><para>pdbedit -lv</para>
- <substeps><step>
- <para>Note - check that all group membership has been migrated</para>
- </step></substeps>
- </step>
-</procedure>
-
-<para>
-Now it is time to migrate all the profiles, then migrate all policy files.
-More later.
-</para>
-
-</sect2>
-</sect1>
-
-<sect1>
-<title>Migration Options</title>
-
-<para>
-Based on feedback from many sites as well as from actual installation and maintenance
-experience sites that wish to migrate from MS Windows NT4 Domain Control to a Samba
-based solution fit into three basic categories.
-</para>
-
-<table frame="all"><title>The 3 Major Site Types</title>
-<tgroup cols="2" align="center">
- <thead>
- <row><entry align="center">Number of Users</entry><entry>Description</entry></row>
- </thead>
- <tbody>
- <row><entry align="center">&lt 50</entry><entry><para>Want simple conversion with NO pain</para></entry></row>
- <row><entry align="center">50 - 250</entry><entry><para>Want new features, can manage some in-house complexity</para></entry></row>
- <row><entry align="center">&gt 250</entry><entry><para>Solution/Implementation MUST scale well, complex needs. Cross departmental decision process. Local expertise in most areas</para></entry></row>
- </tbody>
-</tgroup>
-</table>
-
-<sect2>
-<title>Planning for Success</title>
-
-<para>
-There are three basic choices for sites that intend to migrate from MS Windwows NT4
-to Samba-3.
-</para>
-
-<itemizedlist>
- <listitem><para>
- Simple Conversion (total replacement)
- </para></listitem>
-
- <listitem><para>
- Upgraded Conversion (could be one of integration)
- </para></listitem>
-
- <listitem><para>
- Complete Redesign (completely new solution)
- </para></listitem>
-</itemizedlist>
-
-<para>
-No matter what choice you make, the following rules will minimise down-stream problems:
-</para>
-
-<itemizedlist>
- <listitem><para>
- Take sufficient time
- </para></listitem>
-
- <listitem><para>
- Avoid Panic
- </para></listitem>
-
- <listitem><para>
- Test ALL assumptions
- </para></listitem>
-
- <listitem><para>
- Test full roll-out program, including workstation deployment
- </para></listitem>
-</itemizedlist>
-
-<table frame="top"><title>Nature of the Conversion Choices</title>
-<tgroup cols="3" align="center">
- <thead>
- <row><entry>Simple</entry><entry>Upgraded</entry><entry>Redesign</entry></row>
- </thead>
- <tbody>
- <row>
- <entry><para>Make use of minimal OS specific features</para></entry>
- <entry><para>Translate NT4 features to new host OS features</para></entry>
- <entry><para>Decide:</para></entry>
- </row>
- <row>
- <entry><para>Suck all accounts from NT4 into Samba-3</para></entry>
- <entry><para>Copy and improve:</para></entry>
- <entry><para>Authentication Regime (database location and access)</para></entry>
- </row>
- <row>
- <entry><para>Make least number of operational changes</para></entry>
- <entry><para>Make progressive improvements</para></entry>
- <entry><para>Desktop Management Methods</para></entry>
- </row>
- <row>
- <entry><para>Take least amount of time to migrate</para></entry>
- <entry><para>Minimise user impact</para></entry>
- <entry><para>Better Control of Desktops / Users</para></entry>
- </row>
- <row>
- <entry><para>Live versus Isolated Conversion</para></entry>
- <entry><para>Maximise functionality</para></entry>
- <entry><para>Identify Needs for: Manageability, Scalability, Security, Availability</para></entry>
- </row>
- <row>
- <entry><para>Integrate Samba-3 then migrate while users are active, then Change of control (ie: swap out)</para></entry>
- <entry><para>Take advantage of lower maintenance opportunity</para></entry>
- <entry><para></para></entry>
- </row>
- </tbody>
-</tgroup>
-</table>
-</sect2>
-
-<sect2>
-<title>Samba Implementation Choices</title>
-
-<para><programlisting>
-Authentication database back end
- Winbind (external Samba or NT4/200x server)
- Can use pam_mkhomedir.so to auto-create home dirs
- External server could use Active Directory or NT4 Domain
-
-Database type
- smbpasswd, tdbsam, ldapsam, MySQLsam
-
-Access Control Points
- On the Share itself (Use NT4 Server Manager)
- On the file system
- Unix permissions on files and directories
- Posix ACLs enablement in file system?
- Through Samba share parameters
- Not recommended - except as only resort
-
-Policies (migrate or create new ones)
- Group Policy Editor (NT4)
- Watch out for Tattoo effect
-
-User and Group Profiles
- Platform specific so use platform tool to change from a Local
- to a Roaming profile Can use new profiles tool to change SIDs
- (NTUser.DAT)
-
-Logon Scripts (Know how they work)
-
-User and Group mapping to Unix/Linux
- username map facility may be needed
- Use 'net groupmap' to connect NT4 groups to Unix groups
- Use pdbedit to set/change user configuration
-NOTE:
-If migrating to LDAP back end it may be easier to dump initial LDAP database
-to LDIF, then edit, then reload into LDAP
-
- OS specific scripts / programs may be needed
- Add / delete Users
- Note OS limits on size of name (Linux 8 chars)
- NT4 up to 254 chars
- Add / delete machines
- Applied only to domain members (note up to 16 chars)
- Add / delete Groups
- Note OS limits on size and nature
- Linux limit is 16 char,
- no spaces and no upper case chars (groupadd)
-
-Migration Tools
- Domain Control (NT4 Style)
- Profiles, Policies, Access Controls, Security
-
-Migration Tools
- Samba: net, rpcclient, smbpasswd, pdbedit, profiles
- Windows: NT4 Domain User Manager, Server Manager (NEXUS)
-
-Authentication
- New SAM back end (smbpasswd, tdbsam, ldapsam, mysqlsam)
-</programlisting>
-</para>
-
-</sect2>
-
-</sect1>
-
-</chapter>
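Review bot: Deleting the whole chapter (`<chapter id="NT4Migration">`, 507 lines) leaves any `<xref>`/`<link>` to that id, and the parent book's entity include for this file, dangling; this filtered view shows only the deletion, so confirm in the full commit that the content was moved or merged elsewhere and that every reference to `NT4Migration` was updated, otherwise the DocBook build breaks. If the material was relocated, the commit should say where, since the removed text is the only place describing the NT4-to-Samba-3 account migration procedure (the `net getsid` / `net getlocalsid` SID check, `net rpc join`, `net rpc vampire`, `pdbedit -l`, `net groupmap list`), and the `&author.jht;` entity and `April 3, 2003` pubdate that travel with it.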