From 37a6f03f3550321f96200b1357078b308a45f6cd Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 27 May 2003 13:20:26 +0000 Subject: Very large number of markup fixes, layout updates, etc. (This used to be commit 8dfbaafb843d17b865855ba1fef1e62cd38d3964) --- docs/docbook/projdoc/NT4Migration.xml | 123 ++++++++++++---------------------- 1 file changed, 41 insertions(+), 82 deletions(-) (limited to 'docs/docbook/projdoc/NT4Migration.xml') diff --git a/docs/docbook/projdoc/NT4Migration.xml b/docs/docbook/projdoc/NT4Migration.xml index 585cfe6a47..fb136760fa 100644 --- a/docs/docbook/projdoc/NT4Migration.xml +++ b/docs/docbook/projdoc/NT4Migration.xml @@ -44,26 +44,14 @@ should know precisely why the change is important for the o Possible motivations to make a change include: - - - Improve network manageability - - - Obtain better user level functionality - - - Reduce network operating costs - - - Reduce exposure caused by Microsoft withdrawal of NT4 support - - - Avoid MS License 6 implications - - - Reduce organisation's dependency on Microsoft - - + + Improve network manageability + Obtain better user level functionality + Reduce network operating costs + Reduce exposure caused by Microsoft withdrawal of NT4 support + Avoid MS License 6 implications + Reduce organisation's dependency on Microsoft + It is vital that it be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers @@ -77,61 +65,31 @@ MS Windows 2000 and beyond (with or without Active Directory services). What are the features that Samba-3 can NOT provide? - - - Active Directory Server - - - Group Policy Objects (in Active Direcrtory) - - - Machine Policy objects - - - Logon Scripts in Active Directorty - - - Software Application and Access Controls in Active Directory - - + + Active Directory Server + Group Policy Objects (in Active Direcrtory) + Machine Policy objects + Logon Scripts in Active Directorty + Software Application and Access Controls in Active Directory + The features that Samba-3 DOES provide and that may be of compelling interest to your site includes: - - - Lower Cost of Ownership - - - Global availability of support with no strings attached - - - Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system) - - - Creation of on-the-fly logon scripts - - - Creation of on-the-fly Policy Files - - - Greater Stability, Reliability, Performance and Availability - - - Manageability via an ssh connection - - - Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam) - - - Ability to implement a full single-signon architecture - - - Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand - - + + Lower Cost of Ownership + Global availability of support with no strings attached + Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system) + Creation of on-the-fly logon scripts + Creation of on-the-fly Policy Files + Greater Stability, Reliability, Performance and Availability + Manageability via an ssh connection + Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam) + Ability to implement a full single-signon architecture + Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand + Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are @@ -221,11 +179,11 @@ all users gain share and printer connections they need. Logon scripts can be created on-the-fly so that all commands executed are specific to the rights and privilidges granted to the user. The preferred controls should be affected through group membership so that group information can be used to custom create a logong script using -the root preexec parameters to the NETLOGON share. +the root preexec parameters to the NETLOGON share. -Some sites prefer to use a tool such as kixstart to establish a controlled +Some sites prefer to use a tool such as kixstart to establish a controlled user environment. In any case you may wish to do a google search for logon script process controls. In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that deals with how to add printers without user intervention via the logon script process. @@ -241,7 +199,7 @@ Management. -Profiles may also be managed using the Samba-3 tool profiles. This tool allows +Profiles may also be managed using the Samba-3 tool profiles. This tool allows the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file to be changed to the SID of the Samba-3 domain. @@ -283,39 +241,39 @@ Samba-3 set up as a DC with netlogon share, profile share, etc. Samba must NOT be running - rpcclient NT4PDC -U Administrator%passwd + rpcclient NT4PDC -U Administrator%passwd lsaquery Note the SID returned - net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd + net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd Note the SID - net getlocalsid + net getlocalsid Note the SID, now check that all three SIDS reported are the same! - net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd + net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd - net rpc vampire -S NT4PDC -U administrator%passwd + net rpc vampire -S NT4PDC -U administrator%passwd - pdbedit -l + pdbedit -L Note - did the users migrate? - initGrps.sh DOMNAME + initGrps.sh DOMNAME - net groupmap list + net groupmap list Now check that all groups are recognised - net rpc campire -S NT4PDC -U administrator%passwd + net rpc campire -S NT4PDC -U administrator%passwd - pdbedit -lv + pdbedit -Lv Note - check that all group membership has been migrated @@ -440,6 +398,7 @@ No matter what choice you make, the following rules will minimise down-stream pr Samba Implementation Choices + Authentication database back end Winbind (external Samba or NT4/200x server) -- cgit