From 3291b9290dbedc77b1fae9d8e13fd86d60c0afc2 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sat, 19 Apr 2003 22:32:53 +0000 Subject: Updates and additions. (This used to be commit 9b35377f0cf5022519385a2b70237c05c7978158) --- docs/docbook/projdoc/AdvancedNetworkAdmin.sgml | 15 ++ docs/docbook/projdoc/NT4Migration.sgml | 233 ++++++++++++++++++++++--- docs/docbook/projdoc/passdb.sgml | 33 +++- 3 files changed, 248 insertions(+), 33 deletions(-) (limited to 'docs') diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml index 138095e02c..dc2a78f5a6 100644 --- a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml +++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml @@ -269,8 +269,23 @@ Those wishing to use more elaborate or capable logon processing system should ch http://www.craigelachie.org/rhacer/ntlogon http://www.kixtart.org + http://support.microsoft.com/default.asp?scid=kb;en-us;189105 + +Adding printers without user intervention + + +Printers may be added automatically during logon script processing through the use of: + + + rundll32 printui.dll,PrintUIEntry /? + + +See the documentation in the Microsoft knowledgebase article no: 189105 referred to above. + + + diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 3640c78942..6e40709081 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml 
@@ -74,70 +74,253 @@ MS Windows 2000 and beyond (with or without Active Directory services). -What are the features the Samba-3 can NOT provide? +What are the features that Samba-3 can NOT provide? - - Active Directory Server - Group Policy Objects (in Active Direcrtory) - Machine Policy objects - Logon Scripts in Active Directorty - Software Application and Access Controls in Active Directory - + + + Active Directory Server + + + Group Policy Objects (in Active Direcrtory) + + + Machine Policy objects + + + Logon Scripts in Active Directorty + + + Software Application and Access Controls in Active Directory + + + + +The features that Samba-3 DOES provide and that may be of compelling interest to your site +includes: + + + + + Lower Cost of Ownership + + + Global availability of support with no strings attached + + + Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system) + + + Creation of on-the-fly logon scripts + + + Creation of on-the-fly Policy Files + + + Greater Stability, Reliability, Performance and Availability + + + Manageability via an ssh connection + + + Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam) + + + Ability to implement a full single-signon architecture + + + Ability to distribute authentication systems for absolute minimum wide are network bandwidth demand + + + + +Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are +considered. Users should be educated about changes they may experience so that the change will be a +welcome one and not become an obstacle to the work they need to do. The following are some of the +factors that will go into a successful migration: + + + +Domain Layout + + +Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called +a secondary controller), a domain member, or as a stand-alone server. 
The Windows network security +domain context should be sized and scoped before implementation. Particular attention needs to be +paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs). +It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one +chooses to use an LDAP authentication backend then the same database can be used by several different +domains. This means that in a complex organisation there can be a single LDAP database, that itself +can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed). + + + +It is recommended that from a design perspective, the number of users per server, as well as the number +of servers, per domain should be scaled according to needs and should also consider server capacity +and network bandwidth. + + + +A physical network segment may house several domains, each of which may span multiple network segments. +Where domains span routed network segments it is most advisable to consider and test the performance +implications of the design and layout of a network. A Centrally located domain controller that is being +designed to server mulitple route network segments may result in severe performance problems if the +response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations +where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as +the local authentication and access control server. + + + + +Server Share and Directory Layout + + +There are few cardinal rules to effective network design that can be broken with impunity. +The most important rule of effective network management is that simplicity is king in every +well controlled network. Every part of the infrastructure must be managed, the more complex +it is, the greater will be the demand of keeping systems secure and functional. 
+ + + +The nature of the data that must be stored needs to be born in mind when deciding how many +shares must be created. The physical disk space layout should also be taken into account +when designing where share points will be created. Keep in mind that all data needs to be +backed up, thus the simpler the disk layout the easier it will be to keep track of what must +be backed up to tape or other off-line storage medium. Always plan and implement for minimum +maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance: +Backup and test, validate every backup, create a disaster recovery plan and prove that it works. + + + +Users should be grouped according to data access control needs. File and directory access +is best controlled via group permissions and the use of the "sticky bit" on group controlled +directories may substantially avoid file access complaints from samba share users. + + + +Many network administrators who are new to the game will attempt to use elaborate techniques +to set access controls, on files, directories, shares, as well as in share definitions. +There is the ever present danger that that administrator's successor will not understand the +complex mess that has been inherited. Remember, apparent job security through complex design +and implementation may ultimately cause loss of operations and downtime to users as the new +administrator learns to untangle your web. Keep access controls simple and effective and +make sure that users will never be interrupted by the stupidity of complexity. + + + + +Logon Scripts + + +Please refer to the section of this document on Advanced Network Adminsitration for information +regarding the network logon script options for Samba-3. Logon scripts can help to ensure that +all users gain share and printer connections they need. + + + +Logon scripts can be created on-the-fly so that all commands executed are specific to the +rights and privilidges granted to the user. 
The preferred controls should be affected through +group membership so that group information can be used to custom create a logong script using +the root preexec parameters to the NETLOGON share. + + + +Some sites prefer to use a tool such as kixstart to establish a controlled +user environment. In any case you may wish to do a google search for logon script process controls. +In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that +deals with how to add printers without user intervention via the logon script process. + + + + +Profile Migration/Creation + + +User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile +Management. + + + +Profiles may also be managed using the Samba-3 tool profiles. This tool allows +the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file +to be changed to the SID of the Samba-3 domain. + + + + +User and Group Accounts + + +It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before + attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the +groups that are present on the MS Windows NT4 domain AND to connect these to +suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes +should migrate painlessly. + + + Steps In Migration Process This is not a definitive ste-by-step process yet - just a place holder so the info is not lost. + -1. You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated + + +You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated + -2. Samba-3 set up as a DC with netlogon share, profile share, etc. + +Samba-3 set up as a DC with netlogon share, profile share, etc. + + -3. Process: - a. 
Create a BDC account for the samba server using NT Server Manager + +Process: + Create a BDC account for the samba server using NT Server Manager - Samba must NOT be running - b. rpcclient NT4PDC -U Administrator%passwd + rpcclient NT4PDC -U Administrator%passwd lsaquery Note the SID returned by step b. - c. net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd + net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd Note the SID in step c. - d. net getlocalsid + net getlocalsid Note the SID, now check that all three SIDS reported are the same! - e. net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd + net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd - f. net rpc vampire -S NT4PDC -U administrator%passwd + net rpc vampire -S NT4PDC -U administrator%passwd - g. pdbedit -l + pdbedit -l Note - did the users migrate? - h. initGrps.sh DOMNAME + initGrps.sh DOMNAME - i. smbgroupedit -v + smbgroupedit -v Now check that all groups are recognised - j. net rpc campire -S NT4PDC -U administrator%passwd + net rpc campire -S NT4PDC -U administrator%passwd - k. pdbedit -lv + pdbedit -lv Note - check that all group membership has been migrated. + - + Now it is time to migrate all the profiles, then migrate all policy files. - -Moe later. +More later. diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index 0de0376df8..776c79f095 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml @@ -341,8 +341,9 @@ include: The second item can be accomplished by using LDAP NSS and PAM modules. LGPL versions of these libraries can be obtained from PADL Software -(http://www.padl.com/). However, -the details of configuring these packages are beyond the scope of this document. +(http://www.padl.com/). More +information about the configuration of these packages may be found at "LDAP, +System Administration; Gerald Carter, O'Reilly; Chapter 6: Replacing NIS". 
@@ -375,7 +376,7 @@ Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in -objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL +objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top AUXILIARY DESC 'Samba Account' MUST ( uid $ rid ) MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ @@ -476,6 +477,11 @@ index rid eq ##index gidNumber eq ##index cn eq ##index memberUid eq + +# (both fetched via ldapsearch): +index primaryGroupID eq +index displayName pres,eq + @@ -485,16 +491,20 @@ index rid eq The following parameters are available in smb.conf only with --with-ldapsam -was included with compiling Samba. +was included when compiling Samba. + passdb backend [ldapsam|ldapsam_nua]:url ldap ssl - ldap server ldap admin dn ldap suffix ldap filter ldap port + ldap machine suffix + ldap user suffix + ldap delete dn + @@ -521,13 +531,20 @@ use with an LDAP directory could appear as # changes, this password will need to be reset. ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org" - # specify the LDAP server's hostname (defaults to locahost) - ldap server = ahab.samba.org - # Define the SSL option when connecting to the directory # ('off', 'start tls', or 'on' (default)) ldap ssl = start tls + passdb backend ldapsam:ldap://ahab.samba.org + + # smbpasswd -x delete the entire dn-entry + ldap delete dn = no + + # the machine and user suffix added to the base suffix + # wrote WITHOUT quotes. NULL siffixes by default + ldap user suffix = ou=People + ldap machine suffix = ou=Systems + # define the port to use in the LDAP session (defaults to 636 when # "ldap ssl = on") ldap port = 389 -- cgit
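Review bot: in the AdvancedNetworkAdmin.sgml hunk, the new "Adding printers without user intervention" section shows only `rundll32 printui.dll,PrintUIEntry /?`, which is the usage switch, not a command that adds a printer; say that `/?` displays the option list and that the working command line must be taken from KB 189105, or give a complete invocation, otherwise readers will paste the help call straight into their logon scripts. The sentence "See the documentation in the Microsoft knowledgebase article no: 189105 referred to above" also depends on the reader having noticed the bare URL added to the list; putting the KB number in the sentence that introduces the command keeps the section self-contained.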
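Review bot: in the NT4Migration.sgml hunk, the migration steps lose their a..k letters but still say "Note the SID returned by step b." and "Note the SID in step c.", so both cross references now point at nothing; refer to the commands by name (`rpcclient ... lsaquery`, `net getsid`) instead. The vampire step is listed twice, the second time as `net rpc campire -S NT4PDC -U administrator%passwd`, which looks like a typo for `vampire`; either drop the duplicate or explain why a second run is needed after `initGrps.sh`. Every `rpcclient` and `net` line passes the domain administrator password as `-U Administrator%passwd`, which leaves it in shell history and in the process list on the Samba host while the command runs; suggest `-U Administrator` and letting the tool prompt, with one sentence saying why. The "sticky bit" advice in the share layout section is worth checking too: the sticky bit on a directory only restricts deletion to the file's owner, whereas group inheritance for new files comes from the setgid bit, so state which one is meant. Remaining spelling in the added text: "Direcrtory", "Directorty", "wide are network", "server mulitple route network segments", "born in mind", "Adminsitration", "privilidges", "affected through" (effected), "logong script", "ste-by-step".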
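Review bot: in the passdb.sgml @@ -341 hunk, the replacement citation reads "LDAP, System Administration; Gerald Carter, O'Reilly; Chapter 6: Replacing NIS"; the book's title is "LDAP System Administration" (no comma), and the mix of commas and semicolons inside the quotes is hard to parse. Suggest one consistent form: Gerald Carter, LDAP System Administration (O'Reilly), chapter 6, "Replacing NIS".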
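Review bot: in the passdb.sgml @@ -375 hunk, switching sambaAccount from STRUCTURAL to AUXILIARY is a schema-kind change with consequences for existing directories (an entry whose only structural class was sambaAccount is left without one once the new schema is loaded), yet the hunk changes the keyword without a word in the surrounding text; add a sentence telling administrators of existing ldapsam directories what to do with such entries before loading the updated schema. While the line is being edited, the OID `1.3.1.5.1.4.1.7165.2.2.2`, unchanged in both the old and new line, does not look like the Samba arc: the enterprise number 7165 sits under `1.3.6.1.4.1`, so this should read `1.3.6.1.4.1.7165.2.2.2`.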
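Review bot: in the passdb.sgml @@ -476 hunk, the comment "# (both fetched via ldapsearch):" reads like a debugging note and does not tell the reader why `primaryGroupID` and `displayName` get an index; say that Samba searches on these attributes, so indexing them avoids full directory scans. Because the lines are added to an existing slapd.conf example, also mention that new `index` directives take effect only after slapd is stopped and slapindex is run to build the index files; otherwise readers will add the lines and see no change.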
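Review bot: in the passdb.sgml @@ -485 hunk, `ldap server` is dropped from the parameter list without saying where the server name now goes; since the example hunk later in the same file puts it in `passdb backend ldapsam:ldap://ahab.samba.org`, add a sentence stating that the host is now part of the backend URL and whether `ldap server` is still accepted, so readers upgrading an existing smb.conf know what to change. The three new entries (`ldap machine suffix`, `ldap user suffix`, `ldap delete dn`) are listed but not described; a one-line description of each would make the list usable on its own.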
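Review bot: in the passdb.sgml @@ -521 hunk, the added comments need rewording: "# smbpasswd -x delete the entire dn-entry" should say that with `ldap delete dn = yes` `smbpasswd -x` removes the whole entry rather than only the Samba attributes, and "# wrote WITHOUT quotes. NULL siffixes by default" should read "written WITHOUT quotes; empty by default" ("siffixes" is a typo). The existing `ldap admin dn` uses `ou=people` while the new `ldap user suffix = ou=People`; DN matching on these values is case-insensitive, but one spelling would make the example clearer. The `passdb backend` line is also dropped into the middle of the `ldap *` options; placing it first, ahead of the parameters that qualify it, matches the order of the parameter list above.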