Table of Contents
This is a rough guide to assist those wishing to migrate from NT4 domain control to Samba-3 based domain control.
In the IT world there is often a saying that all problems are encountered because of poor planning. The corrollary to this saying is that not all problems can be anticpated and planned for. Then again, good planning will anticpate most show stopper type situations.
Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control environment would do well to develop a detailed migration plan. So here are a few pointers to help migration get under way.
The key objective for most organisations will be to make the migration from MS Windows NT4 to Samba-3 domain control as painless as possible. One of the challenges you may experience in your migration process may well be one of convincing management that the new environment should remain in place. Many who have introduced open source technologies have experienced pressure to return to a Microsoft based platform solution at the first sign of trouble.
It is strongly advised that before attempting a migration to a Samba-3 controlled network that every possible effort be made to gain all-round commitment to the change. Firstly, you should know precisely why the change is important for the organisation. Possible motivations to make a change include:
Improve network manageability |
Obtain better user level functionality |
Reduce network operating costs |
Reduce exposure caused by Microsoft withdrawal of NT4 support |
Avoid MS License 6 implications |
Reduce organisation's dependency on Microsoft |
It is vital that it be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers an alternative solution that is both different from MS Windows NT4 and that offers some advantages compared with it. It should also be recognised that Samba-3 lacks many of the features that Microsoft has promoted as core values in migration from MS Windows NT4 to MS Windows 2000 and beyond (with or without Active Directory services).
What are the features that Samba-3 can NOT provide?
Active Directory Server |
Group Policy Objects (in Active Direcrtory) |
Machine Policy objects |
Logon Scripts in Active Directorty |
Software Application and Access Controls in Active Directory |
The features that Samba-3 DOES provide and that may be of compelling interest to your site includes:
Lower Cost of Ownership |
Global availability of support with no strings attached |
Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system) |
Creation of on-the-fly logon scripts |
Creation of on-the-fly Policy Files |
Greater Stability, Reliability, Performance and Availability |
Manageability via an ssh connection |
Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam) |
Ability to implement a full single-signon architecture |
Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand |
Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are considered. Users should be educated about changes they may experience so that the change will be a welcome one and not become an obstacle to the work they need to do. The following are some of the factors that will go into a successful migration:
Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called a secondary controller), a domain member, or as a stand-alone server. The Windows network security domain context should be sized and scoped before implementation. Particular attention needs to be paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs). It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one chooses to use an LDAP authentication backend then the same database can be used by several different domains. This means that in a complex organisation there can be a single LDAP database, that itself can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed).
It is recommended that from a design perspective, the number of users per server, as well as the number of servers, per domain should be scaled according to needs and should also consider server capacity and network bandwidth.
A physical network segment may house several domains, each of which may span multiple network segments. Where domains span routed network segments it is most advisable to consider and test the performance implications of the design and layout of a network. A Centrally located domain controller that is being designed to serve mulitple routed network segments may result in severe performance problems if the response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as the local authentication and access control server.
There are few cardinal rules to effective network design that can be broken with impunity. The most important rule of effective network management is that simplicity is king in every well controlled network. Every part of the infrastructure must be managed, the more complex it is, the greater will be the demand of keeping systems secure and functional.
The nature of the data that must be stored needs to be born in mind when deciding how many shares must be created. The physical disk space layout should also be taken into account when designing where share points will be created. Keep in mind that all data needs to be backed up, thus the simpler the disk layout the easier it will be to keep track of what must be backed up to tape or other off-line storage medium. Always plan and implement for minimum maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance: Backup and test, validate every backup, create a disaster recovery plan and prove that it works.
Users should be grouped according to data access control needs. File and directory access is best controlled via group permissions and the use of the "sticky bit" on group controlled directories may substantially avoid file access complaints from samba share users.
Many network administrators who are new to the game will attempt to use elaborate techniques to set access controls, on files, directories, shares, as well as in share definitions. There is the ever present danger that that administrator's successor will not understand the complex mess that has been inherited. Remember, apparent job security through complex design and implementation may ultimately cause loss of operations and downtime to users as the new administrator learns to untangle your web. Keep access controls simple and effective and make sure that users will never be interrupted by the stupidity of complexity.
Please refer to the section of this document on Advanced Network Adminsitration for information regarding the network logon script options for Samba-3. Logon scripts can help to ensure that all users gain share and printer connections they need.
Logon scripts can be created on-the-fly so that all commands executed are specific to the rights and privilidges granted to the user. The preferred controls should be affected through group membership so that group information can be used to custom create a logong script using the root preexec parameters to the NETLOGON share.
Some sites prefer to use a tool such as kixstart to establish a controlled user environment. In any case you may wish to do a google search for logon script process controls. In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that deals with how to add printers without user intervention via the logon script process.
User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile Management.
Profiles may also be managed using the Samba-3 tool profiles. This tool allows the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file to be changed to the SID of the Samba-3 domain.
It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the groups that are present on the MS Windows NT4 domain AND to connect these to suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes should migrate painlessly.
The approximate migration process is described below.
You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
Samba-3 set up as a DC with netlogon share, profile share, etc.
Procedure 31.1. The Account Migration Process
Create a BDC account for the samba server using NT Server Manager
Samba must NOT be running
rpcclient NT4PDC -U Administrator%passwd
lsaquery
Note the SID returned
net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd
Note the SID
net getlocalsid
Note the SID, now check that all three SIDS reported are the same!
net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd
net rpc vampire -S NT4PDC -U administrator%passwd
pdbedit -L
Note - did the users migrate?
initGrps.sh DOMNAME
net groupmap list
Now check that all groups are recognised
net rpc campire -S NT4PDC -U administrator%passwd
pdbedit -Lv
Note - check that all group membership has been migrated
Now it is time to migrate all the profiles, then migrate all policy files. More later.
Based on feedback from many sites as well as from actual installation and maintenance experience sites that wish to migrate from MS Windows NT4 Domain Control to a Samba based solution fit into three basic categories.
Table 31.1. The 3 Major Site Types
Number of Users | Description |
---|---|
< 50 | Want simple conversion with NO pain |
50 - 250 | Want new features, can manage some in-house complexity |
> 250 | Solution/Implementation MUST scale well, complex needs. Cross departmental decision process. Local expertise in most areas |
There are three basic choices for sites that intend to migrate from MS Windwows NT4 to Samba-3.
Simple Conversion (total replacement)
Upgraded Conversion (could be one of integration)
Complete Redesign (completely new solution)
No matter what choice you make, the following rules will minimise down-stream problems:
Take sufficient time
Avoid Panic
Test ALL assumptions
Test full roll-out program, including workstation deployment
Table 31.2. Nature of the Conversion Choices
Simple | Upgraded | Redesign |
---|---|---|
Make use of minimal OS specific features | Translate NT4 features to new host OS features | Decide: |
Suck all accounts from NT4 into Samba-3 | Copy and improve: | Authentication Regime (database location and access) |
Make least number of operational changes | Make progressive improvements | Desktop Management Methods |
Take least amount of time to migrate | Minimise user impact | Better Control of Desktops / Users |
Live versus Isolated Conversion | Maximise functionality | Identify Needs for: Manageability, Scalability, Security, Availability |
Integrate Samba-3 then migrate while users are active, then Change of control (ie: swap out) | Take advantage of lower maintenance opportunity |
Authentication database back end Winbind (external Samba or NT4/200x server) Can use pam_mkhomedir.so to auto-create home dirs External server could use Active Directory or NT4 Domain Database type smbpasswd, tdbsam, ldapsam, MySQLsam Access Control Points On the Share itself (Use NT4 Server Manager) On the file system Unix permissions on files and directories Posix ACLs enablement in file system? Through Samba share parameters Not recommended - except as only resort Policies (migrate or create new ones) Group Policy Editor (NT4) Watch out for Tattoo effect User and Group Profiles Platform specific so use platform tool to change from a Local to a Roaming profile Can use new profiles tool to change SIDs (NTUser.DAT) Logon Scripts (Know how they work) User and Group mapping to Unix/Linux username map facility may be needed Use 'net groupmap' to connect NT4 groups to Unix groups Use pdbedit to set/change user configuration NOTE: If migrating to LDAP back end it may be easier to dump initial LDAP database to LDIF, then edit, then reload into LDAP OS specific scripts / programs may be needed Add / delete Users Note OS limits on size of name (Linux 8 chars) NT4 up to 254 chars Add / delete machines Applied only to domain members (note up to 16 chars) Add / delete Groups Note OS limits on size and nature Linux limit is 16 char, no spaces and no upper case chars (groupadd) Migration Tools Domain Control (NT4 Style) Profiles, Policies, Access Controls, Security Migration Tools Samba: net, rpcclient, smbpasswd, pdbedit, profiles Windows: NT4 Domain User Manager, Server Manager (NEXUS) Authentication New SAM back end (smbpasswd, tdbsam, ldapsam, mysqlsam)