From 47724314d71499244d3e1f526123b5b35ec329d0 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sat, 16 Apr 2005 19:17:42 +0000 Subject: Incorporating feedback from reviewers. (This used to be commit 2105913b8b3a84c5d080b007af9effc7af976498) --- docs/Samba-Guide/SBE-Appendix1.xml | 18 +- docs/Samba-Guide/SBE-MakingHappyUsers.xml | 161 ++++++----- docs/Samba-Guide/SBE-MigrateNT4Samba3.xml | 428 ++++++++++++++-------------- docs/Samba-Guide/SBE-SecureOfficeServer.xml | 10 +- docs/Samba-Guide/SBE-UpgradingSamba.xml | 2 +- 5 files changed, 320 insertions(+), 299 deletions(-) (limited to 'docs') diff --git a/docs/Samba-Guide/SBE-Appendix1.xml b/docs/Samba-Guide/SBE-Appendix1.xml index f30f689fbe..6ac367639a 100644 --- a/docs/Samba-Guide/SBE-Appendix1.xml +++ b/docs/Samba-Guide/SBE-Appendix1.xml @@ -615,14 +615,14 @@ M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 - Install the files shown in , , - and into the directory + Install the files shown in , , + and into the directory /etc/openldap/SambaInit/SMBLDAP-ldif-preconfig.sh. These three files are, respectively, Part A, B, and C of the SMBLDAP-ldif-preconfig.sh file. - Install the files shown in and into the directory + Install the files shown in and into the directory /etc/openldap/SambaInit/nit-ldif.pat. These two files are Part A and B, respectively, of the init-ldif.pat file. @@ -776,7 +776,7 @@ result: 0 Success - + LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part A #!/bin/bash @@ -822,7 +822,7 @@ echo - + LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part B echo -e -n "Name [$ORGNAME]: " @@ -867,7 +867,7 @@ sed "s/DOMSID/${DOMSID}/g" < $file.tmp2 > $file.tmp1 - + LDAP Pre-configuration Script: <filename>SMBLDAP-ldif-preconfig.sh</filename> &smbmdash; Part C cat >>EOL @@ -909,7 +909,7 @@ exit 0 - + LDIF Pattern File Used to Pre-configure LDAP &smbmdash; Part A dn: dc=INETDOMAIN,dc=TLDORG 
@@ -953,7 +953,7 @@ structuralObjectClass: sambaDomain - + LDIF Pattern File Used to Pre-configure LDAP &smbmdash; Part B dn: cn=domadmins,ou=Groups,dc=INETDOMAIN,dc=TLDORG @@ -1087,7 +1087,7 @@ want secure connections, you must configure your Apache Web server to permit con to LAM using only SSL. - + Extract the LAM package with: diff --git a/docs/Samba-Guide/SBE-MakingHappyUsers.xml b/docs/Samba-Guide/SBE-MakingHappyUsers.xml index 213d9a629c..27dfe89758 100644 --- a/docs/Samba-Guide/SBE-MakingHappyUsers.xml +++ b/docs/Samba-Guide/SBE-MakingHappyUsers.xml @@ -636,10 +636,10 @@ clients is conservative and if followed will minimize problems - but it is not a /etc/group or from the LDAP backend. This requires the use of the PADL nss_ldap toolset that integrates with the name service switcher (NSS). The same requirements exist for resolution - of the UNIX username to the UID. The relationships are demonstrated in . + of the UNIX username to the UID. The relationships are demonstrated in . - + The Interaction of LDAP, UNIX Posix Accounts and Samba Accounts UNIX-Samba-and-LDAP @@ -703,7 +703,7 @@ clients is conservative and if followed will minimize problems - but it is not a connections. - + Addition of Machines to the Domain @@ -719,7 +719,7 @@ clients is conservative and if followed will minimize problems - but it is not a - +
Current Privilege Capabilities @@ -840,7 +840,7 @@ clients is conservative and if followed will minimize problems - but it is not a - + The Local Group Policy Group Policy Objects @@ -971,11 +971,10 @@ clients is conservative and if followed will minimize problems - but it is not a suited to the printer to which the job is dispatched. - - CUPS - - Postscript - + + CUPS + Easy Software Products + Postscript The CUPS printing subsystem is capable of intelligent printing. It has the capacity to detect the data format and apply a print filter. This means that it is feasible to install on all Windows clients a single printer driver for use with all printers that are routed @@ -1000,7 +999,7 @@ clients is conservative and if followed will minimize problems - but it is not a - + Avoiding Failures &smbmdash; Solving Problems Before the Happen @@ -1023,6 +1022,7 @@ clients is conservative and if followed will minimize problems - but it is not a + LDAP New comers to Samba and LDAP seem to struggle a great deal at first. If you want advice regarding the best way to remedy LDAP and Samba problems: Avoid them like the plague! @@ -1040,11 +1040,11 @@ clients is conservative and if followed will minimize problems - but it is not a Use this resource carefully; we hope it serves you well. - - Warning: Do not be lulled into thinking that you can easily adopt the examples in this + + Do not be lulled into thinking that you can easily adopt the examples in this book and adapt them without first working through the working examples provided. A little thing over-looked can cause untold pain and may permanently tarnish your experience. - + 
@@ -1052,13 +1052,18 @@ clients is conservative and if followed will minimize problems - but it is not a Debugging LDAP + /etc/openldap/slapd.conf + loglevel + slapd In the example /etc/openldap/slapd.conf control file - (see ) there is an entry for loglevel 256. + (see ) there is an entry for loglevel 256. To enable logging via the syslog infrastructure it is necessary to uncomment this parameter and restart slapd. + /etc/syslog.conf + /var/log/ldaplogs LDAP log information can be directed into a file that is separate from the normal system log files by changing the /etc/syslog.conf file so it has the following contents: @@ -1073,6 +1078,10 @@ local4.* -/var/log/ldaplogs In the above case, all LDAP related logs will be directed to the file /var/log/ldaplogs. This makes it easy to track LDAP errors. + The above provides a simple example of usage that can be modified to suit + local site needs. The configuration used later in this chapter reflects such + customization with the intent that LDAP log files will be stored at a location + that meets local site needs and wishes more fully. @@ -1106,7 +1115,7 @@ logdir /data/logs - One was this can be done is by executing: + One way this can be done is by executing: &rootprompt; slapcat | grep Group | grep dn dn: ou=Groups,dc=abmas,dc=biz 
@@ -1128,12 +1137,32 @@ nss_base_group ou=Groups,dc=abmas,dc=biz?one The same process may be followed to determine the appropriate dn for user accounts. If the container for computer accounts is not the same as that for users (see the &smb.conf; file entry for ldap machine suffix, it may be necessary to set the - following DIT dn in the /etc/ldap.conf: + following DIT dn in the /etc/ldap.conf file: nss_base_passwd dc=abmas,dc=biz?sub This instructs LDAP to search for machine as well as user entries from the top of the DIT - down. This is inefficient, but at least should work. + down. This is inefficient, but at least should work. Note: It is possible to specify mulitple + nss_base_passwd entries in the /etc/ldap.conf file, they + will be evaluated sequentially. Let us consider an example of use where the following DIT + has been implemented: + + + + + All user accounts are stored under the DIT: ou=Users,dc=abmas,dc=biz + All user login accounts are under the DIT: ou=People,ou-Users,dc=abmas,dc=biz + All computer accounts are under the DIT: ou=Computers,ou=Users,dc=abmas,dc=biz + + + + + The appropriate multiple entry for the nss_base_passwd directive + in the /etc/ldap.conf file may be: + +nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one +nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one + @@ -1287,6 +1316,7 @@ slapd[12164]: conn=1 fd=10 closed Printers Share Point Directory Roots Profile Directories + Logon Scripts Configuration of User Rights and Privileges @@ -1345,7 +1375,7 @@ slapd[12164]: conn=1 fd=10 closed The following information applies to Samba-3.0.15 when used with the Idealx smbldap-tools scripts -version 0.8.7. If using a different version of Samba, or of the smbldap-tools tarball, please +version 0.8.8. If using a different version of Samba, or of the smbldap-tools tarball, please verify that the versions you are about to use are matching. 
@@ -1419,7 +1449,7 @@ verify that the versions you are about to use are matching. /etc/openldap/slapd.conf - Install the file shown in in the directory + Install the file shown in in the directory /etc/openldap. @@ -1440,7 +1470,7 @@ drwx------ 2 ldap ldap 48 Dec 15 22:11 ldap DB_CONFIG - Install the file shown in in the directory + Install the file shown in in the directory /data/ldap. In the event that this file is added after ldap has been started, it is possible to cause the new settings to take effect by shutting down the LDAP server, executing the db_recover command inside the @@ -1466,7 +1496,7 @@ local4.* -/data/ldap/log/openldap.log - + LDAP DB_CONFIG File set_cachesize 0 150000000 1 @@ -1477,7 +1507,7 @@ set_flags DB_LOG_AUTOREMOVE - + LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part A include /etc/openldap/schema/core.schema @@ -1524,7 +1554,7 @@ directory /data/ldap - + LDAP Master Configuration File &smbmdash; <filename>/etc/openldap/slapd.conf</filename> Part B # Indices to maintain @@ -1545,7 +1575,7 @@ index default sub - + PAM and NSS Client Configuration @@ -1612,12 +1642,12 @@ index default sub On the server MASSIVE, install the file shown in - into the path that was obtained from the step above. + into the path that was obtained from the step above. On the servers called BLDG1 and BLDG2, install the file shown in - into the path that was obtained from the step above. + into the path that was obtained from the step above. - + Configuration File for NSS LDAP Support &smbmdash; <filename>/etc/ldap.conf</filename> host 127.0.0.1 @@ -1643,7 +1673,7 @@ ssl off - + Configuration File for NSS LDAP Clients Support &smbmdash; <filename>/etc/ldap.conf</filename> host 172.16.0.1 @@ -1745,7 +1775,7 @@ session optional pam_mail.so - + Samba-3 PDC Configuration 
@@ -1762,9 +1792,9 @@ session optional pam_mail.so Configuration of PDC Called: <constant>MASSIVE</constant> - Install the files in , - , , - and into the /etc/samba/ + Install the files in , + , , + and into the /etc/samba/ directory. The three files should be added together to form the &smb.conf; master file. It is a good practice to call this file something like smb.conf.master, and then to perform all file edits @@ -1908,7 +1938,7 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 configuration of the LDAP server. - + LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part A Global parameters @@ -1942,7 +1972,7 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 /opt/IDEALX/sbin/smbldap-useradd -w "%u" - + LDAP Based &smb.conf; File, Server: MASSIVE &smbmdash; global Section: Part B scripts\logon.bat \\%L\profiles\%U @@ -1967,7 +1997,7 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 - + Install and Configure Idealx smbldap-tools Scripts @@ -1979,9 +2009,9 @@ SID for domain MASSIVE is: S-1-5-21-3504140859-1010554828-2431957765 LDAP configuration scripts. The use of these scripts will help avoid the necessity to create custom scripts. It is easy to download them from the Idealx Web Site. The tarball may - be directly downloaded + be directly downloaded for this site, also. Alternately, you may obtain the - smbldap-tools-0.8.7-3.src.rpm + smbldap-tools-0.8.8-3.src.rpm file that may be used to build an installable RPM package for your Linux system. @@ -2027,7 +2057,7 @@ change the path to them in your &smb.conf; file on the PDC (MASSIVEsmbldap-* and the configure.pl files into the /opt/IDEALX/sbin directory, as shown here: -&rootprompt; cd smbldap-tools-0.8.7/ +&rootprompt; cd smbldap-tools-0.8.8/ &rootprompt; cp smbldap-* configure.pl *pm /opt/IDEALX/sbin/ &rootprompt; cp smbldap*conf /etc/smbldap-tools/ &rootprompt; chmod 750 /opt/IDEALX/sbin/smbldap-* 
@@ -2072,7 +2102,7 @@ my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; In the event that you have elected to use the RPM package provided by Idealx, download the - source RPM smbldap-tools-0.8.7-3.src.rpm, then follow the following procedure: + source RPM smbldap-tools-0.8.8-3.src.rpm, then follow the following procedure: @@ -2080,7 +2110,7 @@ my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; Install the source RPM that has been downloaded as follows: -&rootprompt; rpm -i smbldap-tools-0.8.7-5.src.rpm +&rootprompt; rpm -i smbldap-tools-0.8.8-3.src.rpm @@ -2117,7 +2147,7 @@ my $smbldap_bind_conf="/etc/smbldap-tools/smbldap_bind.conf"; Install the binary package by executing: -&rootprompt; rpm -Uvh ../RPMS/noarch/smbldap-tools-0.8.7-5.noarch.rpm +&rootprompt; rpm -Uvh ../RPMS/noarch/smbldap-tools-0.8.8-3.noarch.rpm @@ -2343,7 +2373,7 @@ writing new configuration file: The following steps initialize the LDAP database, and then you can add user and group accounts that Samba can use. You use the smbldap-populate to - seed the LDAP database. You then manually add the accounts shown in . + seed the LDAP database. You then manually add the accounts shown in . The list of users does not cover all 500 network users; it provides examples only. @@ -2376,7 +2406,7 @@ writing new configuration file: -
+
Abmas Network Users and Groups @@ -2523,7 +2553,7 @@ ou: idmap ldapadd If the execution of this command does not return IDMAP entries, you need to create an LDIF - template file (see ). You can add the required entries using + template file (see ). You can add the required entries using the following command: &rootprompt; ldapadd -x -D "cn=Manager,dc=abmas,dc=biz" \ @@ -2639,7 +2669,10 @@ Domain Computers:x:553: nss_ldap This demonstrates that the nss_ldap library is functioning - as it should. + as it should. If these two steps fail to produce this information refer to + for diagnostic procedures that can be followed to + isolate the cause of the problem. Procede to the next step only when the steps + above have been successfully completed. @@ -2928,7 +2961,7 @@ smb: \> q - + Printer Configuration @@ -3040,25 +3073,25 @@ application/octet-stream - + Samba-3 BDC Configuration Configuration of BDC Called: <constant>BLDG1</constant> - Install the files in , - , and + Install the files in , + , and into the /etc/samba/ directory. The three files should be added together to form the &smb.conf; file. Verify the &smb.conf; file as in step 2 of . + linkend="sbehap-massive"/>. - Carefully follow the steps outlined in , taking + Carefully follow the steps outlined in , taking particular note to install the correct ldap.conf. @@ -3259,22 +3292,22 @@ smb: \> q - + Configuration of BDC Called: <constant>BLDG2</constant> - Install the files in , - , and + Install the files in , + , and into the /etc/samba/ directory. The three files should be added together to form the &smb.conf; file. - Follow carefully the steps shown in , starting at step 2. + Follow carefully the steps shown in , starting at step 2. - + LDAP Based &smb.conf; File, Server: BLDG1 Global parameters @@ -3312,7 +3345,7 @@ smb: \> q - + LDAP Based &smb.conf; File, Server: BLDG2 Global parameters @@ -3350,7 +3383,7 @@ smb: \> q - + LDAP Based &smb.conf; File, Shares Section &smbmdash; Part A Accounting Files 
@@ -3381,7 +3414,7 @@ smb: \> q No - + LDAP Based &smb.conf; File, Shares Section &smbmdash; Part B Application Files @@ -3416,7 +3449,7 @@ smb: \> q root, chrisr - + LDIF IDMAP Add-On Load File &smbmdash; File: /etc/openldap/idmap.LDIF dn: ou=Idmap,dc=abmas,dc=biz @@ -3589,7 +3622,7 @@ structuralObjectClass: organizationalUnit - Assigning Domain Privileges + Assigning User Rights and Privileges The ability to perform tasks such as joining Windows clients to the domain can be assigned to @@ -3748,7 +3781,7 @@ SeDiskOperatorPrivilege - + Redirect Folders in Default System User Profile @@ -3818,7 +3851,7 @@ HKEY_LOCAL_MACHINE\Default\Software\Microsoft\Windows\ - Now follow the procedure given in . Make sure that each folder you + Now follow the procedure given in . Make sure that each folder you have redirected is in the exclusion list. diff --git a/docs/Samba-Guide/SBE-MigrateNT4Samba3.xml b/docs/Samba-Guide/SBE-MigrateNT4Samba3.xml index 3affe3259c..6658873602 100644 --- a/docs/Samba-Guide/SBE-MigrateNT4Samba3.xml +++ b/docs/Samba-Guide/SBE-MigrateNT4Samba3.xml @@ -28,28 +28,19 @@ failure, and much more. - - group policies - - accounts - user - - accounts - group - - accounts - machine - + + group policies + accountsuser + accountsgroup + accountsmachine The migration from NT4 to Samba-3 can involve a number of factors, including: migration of data to another server, migration of network environment controls such as group policies, and finally migration of the users, groups, and machine accounts. - - accounts - Domain - + + accountsDomain It should be pointed out now that it is possible to migrate some systems from Windows NT4 Domain environments to a Samba-3 Domain Environment. This is certainly not possible in every case. It is possible to just migrate the Domain accounts 
@@ -60,26 +51,23 @@ - Assignment Tasks + Assignment Tasks - - LDAP - - ldapsam - - passdb backend - - You are about to migrate an MS Windows NT4 Domain accounts database to - a Samba-3 server. The Samba-3 server is using a - passdb backend based on LDAP. The - ldapsam is ideal because an LDAP backend can be distributed - for use with BDCs &smbmdash; generally essential for larger networks. - + + LDAP + ldapsam + passdb backend + You are about to migrate an MS Windows NT4 Domain accounts database to + a Samba-3 server. The Samba-3 server is using a + passdb backend based on LDAP. The + ldapsam is ideal because an LDAP backend can be distributed + for use with BDCs &smbmdash; generally essential for larger networks. + - - Your objective is to document the process of migrating user and group accounts - from several NT4 Domains into a single Samba-3 LDAP backend database. - + + Your objective is to document the process of migrating user and group accounts + from several NT4 Domains into a single Samba-3 LDAP backend database. + 
@@ -87,69 +75,49 @@ Dissection and Discussion - - snap-shot - - NT4 registry - - registry - keys - SAM - - registry - keys - SECURITY - - SAM - - Security Account Manager - SAM - + + snap-shot + NT4 registry + registrykeysSAM + registrykeysSECURITY + SAM + Security Account ManagerSAM The migration process takes a snap-shot of information that is stored in the Windows NT4 registry based accounts database. That information resides in the Security Account Manager (SAM) portion of the NT4 Registry under keys called SAM and SECURITY. - - crippled - - inoperative - + + crippled + inoperative The Windows NT4 registry keys called SAM and SECURITY are protected so that you cannot view the contents. If you change the security setting to reveal the contents under these hive keys, your Windows NT4 Domain is crippled. Do not do this unless you are willing to render your domain controller inoperative. - - migration - objectives - - disruptive - + + migrationobjectives + disruptive Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are. While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server, - that may not be a good idea from an administration perspective. Since you are going through a - certain amount of disruptive activity anyhow, why not take this as an opportunity to review - the structure of the network, how Windows clients are controlled and how they + that may not be a good idea from an administration perspective. Since the process involves going + through a certain amount of disruptive activity anyhow, why not take this as an opportunity to + review the structure of the network, how Windows clients are controlled and how they interact with the network environment. - - network - logon scripts - - profiles share - - security descriptors - + + networklogon scripts + profiles share + security descriptors MS Windows NT4 was introduced some time around 1996. 
Many environments in which NT4 was deployed have done little to keep the NT4 server environment up-to-date with more recent Windows releases, particularly Windows XP Professional. The migration provides opportunity to revise and update roaming profile deployment as well as folder redirection. Given that you must port the - greater network configuration of this from the old NT4 server to the new Samba-3 server, you - also must validate the security descriptors in the profiles share as well as network logon + greater network configuration of this from the old NT4 server to the new Samba-3 server. + Do not forget to validate the security descriptors in the profiles share as well as network logon scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this as a good time to update desktop systems also. In all, the extra effort should constitute no real disruption to users, rather with due diligence and care should make their network experience 
@@ -157,157 +125,103 @@ - Technical Issues + Technical Issues - - strategic - active directory - Migration of an NT4 Domain user and group database to Samba-3 involves a certain strategic - element. Many sites have asked for instructions regarding merging of multiple different NT4 - Domains into one Samba-3 LDAP database. It would appear that this is viewed as a significant - added value compared with the alternative of migration to Windows Server 200x and Active - Directory. The diagram in illustrates the effect of migration - from a Windows NT4 Domain to a Samba Domain. - - - - Schematic Explaining the net rpc vampire Process - ch8-migration - - - - In any case, the migration process involves the following steps: - - - - - Prepare the target Samba-3 server. This involves configuring Samba-3 for - migration to either a tdbsam or an ldapsam backend. - - - - uppercase - - Posix - - lower-case - - Clean up the source NT4 PDC. Delete all accounts that need not be migrated. - Delete all files that should not be migrated. Where possible, change NT Group - names so there are no spaces or uppercase characters. This is important if - the target UNIX host insists on Posix compliant all lower-case user and group - names. - - - - Step through the migration process. - + + strategic + active directory + Migration of an NT4 Domain user and group database to Samba-3 involves a certain strategic + element. Many sites have asked for instructions regarding merging of multiple different NT4 + Domains into one Samba-3 LDAP database. It would appear that this is viewed as a significant + added value compared with the alternative of migration to Windows Server 200x and Active + Directory. The diagram in illustrates the effect of migration + from a Windows NT4 Domain to a Samba Domain. + - - PDC - - Remove the NT4 PDC from the network. 
- + + Schematic Explaining the net rpc vampire Process + ch8-migration + - - Upgrade the Samba-3 server from a BDC to a PDC, and validate all account - information. - - + + merge + passdb.tdb + If you are wanting to merge multiple NT4 Domain account databases into one Samba Domain, + you must now dump the contents of the first migration and edit it as appropriate. Now clean + out (remove) the tdbsam backend file (passdb.tdb), or the LDAP database + files. You must start each migration with a new database into which you merge your NT4 + domains. + - merge - - passdb.tdb - - If you are wanting to merge multiple NT4 Domain account databases into one Samba Domain, - you must now dump the contents of the first migration and edit it as appropriate. Now clean - out (remove) the tdbsam backend file (passdb.tdb), or the LDAP database - files. You must start each migration with a new database into which you merge your NT4 - domains. - + dump + + At this point, you are ready to perform the second migration following the same steps as + for the first. In other words, dump the database, edit it, and then you may merge the + dump for the first and second migrations. + - dump - - At this point, you are ready to perform the second migration following the same steps as - for the first. In other words, dump the database, edit it, and then you may merge the - dump for the first and second migrations. - + LDAP + + migrate + + Domain SID + + You must be careful. If you choose to migrate to an LDAP backend, your dump file + now contains the full account information, including the Domain SID. The Domain SID for each + of the two NT4 Domains will be different. You must choose one, and change the Domain + portion of the account SIDs so that all are the same. + - - LDAP - - migrate - - Domain SID - - You must be careful. If you choose to migrate to an LDAP backend, your dump file - now contains the full account information, including the Domain SID. 
The Domain SID for each - of the two NT4 Domains will be different. You must choose one, and change the Domain - portion of the account SIDs so that all are the same. - + + passdb.tdb + /etc/passwd + merged + logon script + logon hours + logon machines + profile path + smbpasswd + tdbsam + LDAP backend + export + import + If you choose to use a tdbsam (passdb.tdb) backend file, your best choice + is to use pdbedit to export the contents of the tdbsam file into an + smbpasswd data file. This automatically strips out all Domain specific information, + such as logon hours, logon machines, logon script, profile path, as well as the Domain SID. + The resulting file can be easily merged with other migration attempts (each of which must start + with a clean file). It should also be noted that all users that end up in the merged smbpasswd + file must have an account in /etc/passwd. The resulting smbpasswd file + may be exported/imported into either a tdbsam (passdb.tdb), or else into + an LDAP backend. + - - passdb.tdb - - /etc/passwd - - merged - - logon script - - logon hours - - logon machines - - profile path - - smbpasswd - - tdbsam - - LDAP backend - - export - - import - - If you choose to use a tdbsam (passdb.tdb) backend file, your best choice - is to use pdbedit to export the contents of the tdbsam file into an - smbpasswd data file. This automatically strips out all Domain specific information, - such as logon hours, logon machines, logon script, profile path, as well as the Domain SID. - The resulting file can be easily merged with other migration attempts (each of which must start - with a clean file). It should also be noted that all users that end up in the merged smbpasswd - file must have an account in /etc/passwd. The resulting smbpasswd file - may be exported/imported into either a tdbsam (passdb.tdb), or else into - an LDAP backend. 
- + + View of Accounts in NT4 Domain User Manager + UserMgrNT4 + - - View of Accounts in NT4 Domain User Manager - UserMgrNT4 - + - + + Political Issues - - Political Issues - - - The merging of multiple Windows NT4 style Domains into a single LDAP-backend-based Samba-3 - Domain may be seen by those who had power over them as a loss of prestige or a loss of - power. The imposition of a single Domain may even be seen as a threat. So in migrating and - merging account databases, be consciously aware of the political fall-out in which you - may find yourself entangled when key staff feel a loss of prestige. - + + The merging of multiple Windows NT4 style Domains into a single LDAP-backend-based Samba-3 + Domain may be seen by those who had power over them as a loss of prestige or a loss of + power. The imposition of a single Domain may even be seen as a threat. So in migrating and + merging account databases, be consciously aware of the political fall-out in which you + may find yourself entangled when key staff feel a loss of prestige. + - - The best advice that can be given to those who set out to merge NT4 Domains into one single - Samba-3 Domain is to promote (sell) the action as one that reduces costs and delivers - greater network interoperability and manageability. - + + The best advice that can be given to those who set out to merge NT4 Domains into one single + Samba-3 Domain is to promote (sell) the action as one that reduces costs and delivers + greater network interoperability and manageability. + 
@@ -316,6 +230,15 @@ Implementation + + From feedback on the Samba mailing lists it would appear that most Windows NT4 migrations + to Samba-3 are being performed using a new server or a new installation of a Linux or UNIX + server. If you contemplate doing this also, please note that the steps that follow in this + chapter assume familiarity with the information that has been previously covered in this + book. The reader is particularly encouraged to be familiar with , + and . + + You can present here the steps and example output for two NT4 to Samba-3 Domain migrations. The first uses an LDAP-based backend, and the second uses a tdbsam backend. In each case the 
@@ -323,6 +246,52 @@ collection of parameters are used to effect the addition of accounts into the passdb backend. + + Before proceeding to NT4 migration using either a tdbsam or ldapsam it is most strongly recommended to + review for DNS and DHCP configuration. The importance of correctly + functioning name resolution must be recognized. This applies equally for hostname as for netBIOS names + (machine names, computer names, domain names, workgroup names &smbmdash; ALL names!). + + + + The migration process involves the following steps: + + + + + Prepare the target Samba-3 server. This involves configuring Samba-3 for + migration to either a tdbsam or an ldapsam backend. + + + + uppercase + Posix + lower-case + Clean up the source NT4 PDC. Delete all accounts that need not be migrated. + Delete all files that should not be migrated. Where possible, change NT Group + names so there are no spaces or uppercase characters. This is important if + the target UNIX host insists on Posix compliant all lower-case user and group + names. + + + + Step through the migration process. + + + PDC + Remove the NT4 PDC from the network. + + + + Upgrade the Samba-3 server from a BDC to a PDC, and validate all account + information. + + + + + It may help to use the above outline as a pre-migration check-list. + + NT4 Migration Using LDAP Backend 
@@ -648,7 +617,14 @@ bootparams: files automount: files nis aliases: files - Note that the LDAP entris + Note that the LDAP entries have been commented out. This is deliberate. If these + entries are active (not commented out), and the /ec/ldap.conf + file has been configured, when the LDAP server is started, the process + of starting the LDAP server will cause LDAP lookups. This causes the LDAP server + slapd to hang becasue it finds port 389 open and therefore + can not gain exclusive control of it. By commenting these entries out it is possible + to avoid this grid-lock situation and thus the over-all installation and configuration + will progress more smoothly. @@ -665,12 +641,13 @@ PING transgression.terpstra-world.org (192.168.1.5) 56(84) bytes of data. 3 packets transmitted, 3 received, 0% packet loss, time 2000ms rtt min/avg/max/mdev = 0.141/0.164/0.192/0.021 ms - Do not procede to the next step if this step fails. It is imperative that the name of the PDC + Do not proceed to the next step if this step fails. It is imperative that the name of the PDC can be resolved to its IP address. If this is broken, fix it. - Obtain the domain SID from the target NT4 domain that is being migrated to Samba-3. + Obtain the domain SID from the target NT4 domain that is being + migrated to Samba-3 by executing the following: &rootprompt; net rpc info -S TRANSGRESSION 
@@ -681,11 +658,12 @@ rtt min/avg/max/mdev = 0.141/0.164/0.192/0.021 ms configure.pl /opt/IDEALX/sbin smbldap-tools - Install the Idealx smbldap-tools software package. The resulting - perl scripts should be located in the /opt/IDEALX/sbin directory. + Install the Idealx smbldap-tools software package following + the instructions given in . The resulting perl scripts + should be located in the /opt/IDEALX/sbin directory. Change into that location, or where ever the scripts have been installed. Execute the configure.pl script to configure the Idealx package for use. - Note: Use the Domain SID obtained from the immediately prior step. The following is + Note: Use the Domain SID obtained from the step above. The following is an example configuration session: merlin:/opt/IDEALX/sbin # ./configure.pl @@ -770,8 +748,12 @@ writing new configuration file: /etc/smbldap-tools/smbldap.conf done. /etc/smbldap-tools/smbldap_bind.conf done. + sambaDomainName Note that the NT4 domain SID that was previously obtained was entered above. Also, - the sambaUnixIdPooldn object was specified as: sambaDomainName=DAMNATION + the sambaUnixIdPooldn object was specified as: sambaDomainName=DAMNATION. This is + the location into which the Idealx smbldap-tools store the next available UID/GID + information. It is also where Samba stores domain specific information such as the + next RID, the SID, and so on. @@ -1049,6 +1031,12 @@ Users (S-1-5-32-545) -> Users All user logon accounts should also function correctly. + + The configuration of Samba-3 BDC servers can be accomplised now, or at any + convenient time in the future. Please refer to the carefully detailed process + for doing this that has been outlined in . + + diff --git a/docs/Samba-Guide/SBE-SecureOfficeServer.xml b/docs/Samba-Guide/SBE-SecureOfficeServer.xml index d2e8521657..47a35fc5af 100644 --- a/docs/Samba-Guide/SBE-SecureOfficeServer.xml +++ b/docs/Samba-Guide/SBE-SecureOfficeServer.xml 
@@ -752,11 +752,11 @@ INTIFA="eth1" INTIFB="eth2" /sbin/depmod -a -/sbin/insmod ip_tables -/sbin/insmod ip_conntrack -/sbin/insmod ip_conntrack_ftp -/sbin/insmod iptable_nat -/sbin/insmod ip_nat_ftp +/sbin/modprobe -i ip_tables +/sbin/modprobe -i ip_conntrack +/sbin/modprobe -i ip_conntrack_ftp +/sbin/modprobe -i iptable_nat +/sbin/modprobe -i ip_nat_ftp $IPTABLES -P INPUT DROP $IPTABLES -F INPUT $IPTABLES -P OUTPUT ACCEPT diff --git a/docs/Samba-Guide/SBE-UpgradingSamba.xml b/docs/Samba-Guide/SBE-UpgradingSamba.xml index 5f9fca2460..59468f94ec 100644 --- a/docs/Samba-Guide/SBE-UpgradingSamba.xml +++ b/docs/Samba-Guide/SBE-UpgradingSamba.xml @@ -1009,7 +1009,7 @@ the procedure outlined above. privileges In Samba-3.0.11 a new privileges interface was implemented. Please - refer to for information regarding this new + refer to for information regarding this new feature. It is not necessary to implement the privileges interface, but it is one that has been requested for several years and thus may be of interest at your site. -- cgit
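Review bot: The new DIT example in the SBE-MakingHappyUsers.xml hunk at @@ -1128,12 +1137,32 is internally inconsistent and would not work if copied. The bullet list places all accounts under dc=abmas,dc=biz, but the two nss_base_passwd lines that follow use dc=abmas,dc=org, so the search base would not exist in the directory described; and the second bullet reads `ou=People,ou-Users,dc=abmas,dc=biz` with a hyphen where `ou=Users` needs an equals sign. Suggest `nss_base_passwd ou=People,ou=Users,dc=abmas,dc=biz?one` and `nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=biz?one`, and while there fix "mulitple" in the sentence that introduces the multiple-entry feature.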
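Review bot: Spelling in the added sentence of the SBE-MakingHappyUsers.xml hunk at @@ -2639,7 +2669,10: "Procede to the next step" should read "Proceed to the next step".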
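Review bot: The explanation of the slapd start-up hang added in the SBE-MigrateNT4Samba3.xml hunk at @@ -648,7 +617,14 does not match the mechanism its own earlier sentences describe, and carries several typos. The paragraph first says that active ldap entries in nsswitch.conf cause LDAP lookups while the server is starting, which is a lookup through nss_ldap that blocks waiting for a listener that is not up yet; the closing clause then attributes the hang to slapd "finding port 389 open" and being unable to "gain exclusive control of it", which is a different (port-conflict) story. Suggest stating the blocked-lookup cause only. Also: "/ec/ldap.conf" should be "/etc/ldap.conf", "becasue" should be "because", "can not" should be "cannot", and "grid-lock" is better as "deadlock". Finally, the hunk tells the reader to comment the ldap entries out but never says when to restore them; with them left commented out, NSS will never consult LDAP for accounts, so the paragraph should say to re-enable them once slapd is running.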
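Review bot: Spelling in the new paragraph of the SBE-MigrateNT4Samba3.xml hunk at @@ -1049,6 +1031,12: "accomplised" should be "accomplished".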
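Review bot: In the SBE-SecureOfficeServer.xml hunk at @@ -752,11 +752,11, the switch from insmod to modprobe is a good change because modprobe resolves module dependencies, but the `-i` flag on every line needs justification: in modprobe(8) `-i` is `--ignore-install`, which skips any install commands configured for the module, and nothing in the script explains why that is wanted. Plain `/sbin/modprobe ip_tables` (and likewise for the other four) is what a reader would expect. Separately, the lines that follow, `$IPTABLES -P INPUT DROP` and `$IPTABLES -F INPUT`, silently fail if ip_tables did not load, leaving the host without the intended default-deny policy; consider making the script stop on a failed module load (for example `|| exit 1` on each modprobe line) so a missing module is noticed rather than quietly producing an open firewall.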
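Review bot: Style in the SBE-MigrateNT4Samba3.xml hunk at @@ -323,6 +246,52: "netBIOS names" should be "NetBIOS names", and "check-list" in "use the above outline as a pre-migration check-list" is normally written "checklist". The sentence "it is most strongly recommended to review for DNS and DHCP configuration" reads better as "review the DNS and DHCP configuration in" followed by the chapter reference.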