From 3291b9290dbedc77b1fae9d8e13fd86d60c0afc2 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sat, 19 Apr 2003 22:32:53 +0000 Subject: Updates and additions. (This used to be commit 9b35377f0cf5022519385a2b70237c05c7978158) --- docs/docbook/projdoc/NT4Migration.sgml | 233 +++++++++++++++++++++++++++++---- 1 file changed, 208 insertions(+), 25 deletions(-) (limited to 'docs/docbook/projdoc/NT4Migration.sgml') diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 3640c78942..6e40709081 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml 
@@ -74,70 +74,253 @@ MS Windows 2000 and beyond (with or without Active Directory services). -What are the features the Samba-3 can NOT provide? +What are the features that Samba-3 can NOT provide? - - Active Directory Server - Group Policy Objects (in Active Direcrtory) - Machine Policy objects - Logon Scripts in Active Directorty - Software Application and Access Controls in Active Directory - + + + Active Directory Server + + + Group Policy Objects (in Active Direcrtory) + + + Machine Policy objects + + + Logon Scripts in Active Directorty + + + Software Application and Access Controls in Active Directory + + + + +The features that Samba-3 DOES provide and that may be of compelling interest to your site +includes: + + + + + Lower Cost of Ownership + + + Global availability of support with no strings attached + + + Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system) + + + Creation of on-the-fly logon scripts + + + Creation of on-the-fly Policy Files + + + Greater Stability, Reliability, Performance and Availability + + + Manageability via an ssh connection + + + Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam) + + + Ability to implement a full single-signon architecture + + + Ability to distribute authentication systems for absolute minimum wide are network bandwidth demand + + + + +Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are +considered. Users should be educated about changes they may experience so that the change will be a +welcome one and not become an obstacle to the work they need to do. The following are some of the +factors that will go into a successful migration: + + + +Domain Layout + + +Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called +a secondary controller), a domain member, or as a stand-alone server. 
The Windows network security +domain context should be sized and scoped before implementation. Particular attention needs to be +paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs). +It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one +chooses to use an LDAP authentication backend then the same database can be used by several different +domains. This means that in a complex organisation there can be a single LDAP database, that itself +can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed). + + + +It is recommended that from a design perspective, the number of users per server, as well as the number +of servers, per domain should be scaled according to needs and should also consider server capacity +and network bandwidth. + + + +A physical network segment may house several domains, each of which may span multiple network segments. +Where domains span routed network segments it is most advisable to consider and test the performance +implications of the design and layout of a network. A Centrally located domain controller that is being +designed to server mulitple route network segments may result in severe performance problems if the +response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations +where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as +the local authentication and access control server. + + + + +Server Share and Directory Layout + + +There are few cardinal rules to effective network design that can be broken with impunity. +The most important rule of effective network management is that simplicity is king in every +well controlled network. Every part of the infrastructure must be managed, the more complex +it is, the greater will be the demand of keeping systems secure and functional. 
+ + + +The nature of the data that must be stored needs to be born in mind when deciding how many +shares must be created. The physical disk space layout should also be taken into account +when designing where share points will be created. Keep in mind that all data needs to be +backed up, thus the simpler the disk layout the easier it will be to keep track of what must +be backed up to tape or other off-line storage medium. Always plan and implement for minimum +maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance: +Backup and test, validate every backup, create a disaster recovery plan and prove that it works. + + + +Users should be grouped according to data access control needs. File and directory access +is best controlled via group permissions and the use of the "sticky bit" on group controlled +directories may substantially avoid file access complaints from samba share users. + + + +Many network administrators who are new to the game will attempt to use elaborate techniques +to set access controls, on files, directories, shares, as well as in share definitions. +There is the ever present danger that that administrator's successor will not understand the +complex mess that has been inherited. Remember, apparent job security through complex design +and implementation may ultimately cause loss of operations and downtime to users as the new +administrator learns to untangle your web. Keep access controls simple and effective and +make sure that users will never be interrupted by the stupidity of complexity. + + + + +Logon Scripts + + +Please refer to the section of this document on Advanced Network Adminsitration for information +regarding the network logon script options for Samba-3. Logon scripts can help to ensure that +all users gain share and printer connections they need. + + + +Logon scripts can be created on-the-fly so that all commands executed are specific to the +rights and privilidges granted to the user. 
The preferred controls should be affected through +group membership so that group information can be used to custom create a logong script using +the root preexec parameters to the NETLOGON share. + + + +Some sites prefer to use a tool such as kixstart to establish a controlled +user environment. In any case you may wish to do a google search for logon script process controls. +In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that +deals with how to add printers without user intervention via the logon script process. + + + + +Profile Migration/Creation + + +User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile +Management. + + + +Profiles may also be managed using the Samba-3 tool profiles. This tool allows +the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file +to be changed to the SID of the Samba-3 domain. + + + + +User and Group Accounts + + +It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before + attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the +groups that are present on the MS Windows NT4 domain AND to connect these to +suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes +should migrate painlessly. + + + Steps In Migration Process This is not a definitive ste-by-step process yet - just a place holder so the info is not lost. + -1. You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated + + +You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated + -2. Samba-3 set up as a DC with netlogon share, profile share, etc. + +Samba-3 set up as a DC with netlogon share, profile share, etc. + + -3. Process: - a. 
Create a BDC account for the samba server using NT Server Manager + +Process: + Create a BDC account for the samba server using NT Server Manager - Samba must NOT be running - b. rpcclient NT4PDC -U Administrator%passwd + rpcclient NT4PDC -U Administrator%passwd lsaquery Note the SID returned by step b. - c. net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd + net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd Note the SID in step c. - d. net getlocalsid + net getlocalsid Note the SID, now check that all three SIDS reported are the same! - e. net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd + net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd - f. net rpc vampire -S NT4PDC -U administrator%passwd + net rpc vampire -S NT4PDC -U administrator%passwd - g. pdbedit -l + pdbedit -l Note - did the users migrate? - h. initGrps.sh DOMNAME + initGrps.sh DOMNAME - i. smbgroupedit -v + smbgroupedit -v Now check that all groups are recognised - j. net rpc campire -S NT4PDC -U administrator%passwd + net rpc campire -S NT4PDC -U administrator%passwd - k. pdbedit -lv + pdbedit -lv Note - check that all group membership has been migrated. + - + Now it is time to migrate all the profiles, then migrate all policy files. - -Moe later. +More later. -- cgit
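Review bot: step j of the migration procedure reads `net rpc campire -S NT4PDC -U administrator%passwd`; "campire" is a typo for "vampire", and because this is the second vampire run (after initGrps.sh and smbgroupedit have mapped the groups) the step should say that the re-run is what carries over the group memberships the first pass could not map. The warning "Samba must NOT be running" appears only as a removed line in this hunk with no counterpart in the new list; keep it, since the getsid/getlocalsid comparison and the join are done against a stopped server. Every command in the list passes the domain Administrator password on the command line (`-U Administrator%passwd`); that argument is visible to any local user in the process list and lands in shell history, so the examples should use `-U Administrator` and let rpcclient/net prompt for the password. Under "Server Share and Directory Layout", the paragraph recommends the "sticky bit" on group controlled directories; the bit that makes new files inherit the directory's group is the setgid bit (chmod g+s), whereas the sticky bit only restricts deletion of other users' files, so the paragraph should name the bit it actually intends. Spelling in the added text: "Direcrtory", "Directorty", "wide are network" (area), "server mulitple route network segments" (serve multiple routed), "born in mind" (borne), "privilidges", "logong script", "Adminsitration", "ste-by-step".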