Table of Contents
This is a rough guide to assist those wishing to migrate from NT4 domain control to Samba-3 based domain control.
In the IT world there is often a saying that all problems are encountered because of poor planning. The corollary to this saying is that not all problems can be anticipated and planned for. Then again, good planning will anticipate most show stopper type situations.
Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control environment would do well to develop a detailed migration plan. So here are a few pointers to help migration get under way.
The key objective for most organisations will be to make the migration from MS Windows NT4 to Samba-3 domain control as painless as possible. One of the challenges you may experience in your migration process may well be one of convincing management that the new environment should remain in place. Many who have introduced open source technologies have experienced pressure to return to a Microsoft based platform solution at the first sign of trouble.
Before attempting a migration to a Samba-3 controlled network make every possible effort to gain all-round commitment to the change. Know precisely why the change is important for the organisation. Possible motivations to make a change include:
Improve network manageability
Obtain better user level functionality
Reduce network operating costs
Reduce exposure caused by Microsoft withdrawal of NT4 support
Avoid MS License 6 implications
Reduce organisation's dependency on Microsoft
Make sure that everyone knows that Samba-3 is NOT MS Windows NT4. Samba-3 offers an alternative solution that is both different from MS Windows NT4 and that offers advantages compared with it. Gain recognition that Samba-3 lacks many of the features that Microsoft has promoted as core values in migration from MS Windows NT4 to MS Windows 2000 and beyond (with or without Active Directory services).
What are the features that Samba-3 can NOT provide?
Active Directory Server
Group Policy Objects (in Active Directory)
Machine Policy objects
Logon Scripts in Active Directory
Software Application and Access Controls in Active Directory
The features that Samba-3 DOES provide and that may be of compelling interest to your site includes:
Lower Cost of Ownership
Global availability of support with no strings attached
Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system)
Creation of on-the-fly logon scripts
Creation of on-the-fly Policy Files
Greater Stability, Reliability, Performance and Availability
Manageability via an ssh connection
Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam)
Ability to implement a full single-sign-on architecture
Ability to distribute authentication systems for absolute minimum wide area network bandwidth demand
Before migrating a network from MS Windows NT4 to Samba-3 consider all necessary factors. Users should be educated about changes they may experience so that the change will be a welcome one and not become an obstacle to the work they need to do. The following are factors that will help ensure a successful migration:
Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called a secondary controller), a domain member, or as a stand-alone server. The Windows network security domain context should be sized and scoped before implementation. Particular attention needs to be paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs). One way in which Samba-3 differs from Microsoft technology is that if one chooses to use an LDAP authentication backend then the same database can be used by several different domains. In a complex organisation there can be a single LDAP database, which itself can be distributed (ie: Have a master server and multiple slave servers) that can simultaneously serve multiple domains.
From a design perspective, the number of users per server, as well as the number of servers, per domain should be scaled taking into consideration server capacity and network bandwidth.
A physical network segment may house several domains. Each may span multiple network segments. Where domains span routed network segments, consider and test the performance implications of the design and layout of a network. A Centrally located domain controller that is designed to serve multiple routed network segments may result in severe performance problems. Check the response time (eg: ping timing) between the remote segment and the PDC. If long (more than 100 ms) locate a backup controller (BDC) on the remote segmanet to serve as the local authentication and access control server.
There are cardinal rules to effective network design. These can not be broken with impunity. The most important rule: Simplicity is king in every well controlled network. Every part of the infrastructure must be managed, the more complex it is, the greater will be the demand of keeping systems secure and functional.
Keep in mind the nature of how data must be share. Physical disk space layout should be considered carefully. Some data must be backed up. The simpler the disk layout the easier it will be to keep track of backed needs. Identify what back media will be meet needs, consider backup to tape , CD-ROM or (DVD-ROM), or other off-line storage medium. Plan and implement for minimum maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance: Backup and test, validate every backup, create a disaster recovery plan and prove that it works.
Users should be grouped according to data access control needs. File and directory access is best controlled via group permissions and the use of the "sticky bit" on group controlled directories may substantially avoid file access complaints from samba share users.
Inexperienced network administrators often attempt elaborate techniques to set access controls on files, directories, shares, as well as in share definitions. Keep your design and implementation simple and document your design extensively. Have others audit your documentation. Do not create a complex mess that your successor will not understand. Remember, job security through complex design and implementation may cause loss of operations and downtime to users as the new administrator learns to untangle your knots. Keep access controls simple and effective and make sure that users will never be interrupted by stupid complexity.
Logon scripts can help to ensure that all users gain share and printer connections they need.
Logon scripts can be created 'on-the-fly' so that all commands executed are specific to the rights and priviliges granted to the user. The preferred controls should be affected through group membership so that group information can be used to custom create a logon script using the root preexec parameters to the NETLOGON share.
Some sites prefer to use a tool such as kixstart to establish a controlled user environment. In any case you may wish to do a google search for logon script process controls. In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that deals with how to add printers without user intervention via the logon script process.
User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile Management.
Profiles may also be managed using the Samba-3 tool profiles. This tool allows the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file to be changed to the SID of the Samba-3 domain.
It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the groups that are present on the MS Windows NT4 domain AND to map these to suitable Unix/Linux groups. By following this simple advice all user and group attributes should migrate painlessly.
The approximate migration process is described below.
You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated
Samba-3 set up as a DC with netlogon share, profile share, etc. Configure the smb.conf file to fucntion as a BDC. ie: domain master = No.
Procedure 31.1. The Account Migration Process
Create a BDC account for the samba server using NT Server Manager
Samba must NOT be running
net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd
net rpc vampire -S NT4PDC -U administrator%passwd
pdbedit -L
Note - did the users migrate?
Now assign each of the UNIX groups to NT groups: (Note: It may be useful to copy this text to a script called initGroups.sh)
#!/bin/bash #### Keep this as a shell script for future re-use # First assign well known domain global groups net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmins net groupmap modify ntgroup="Domain Guests" unixgroup=nobody net groupmap modify ntgroup="Domain Users" unixgroup=users # Now for our added domain global groups net groupmap add ntgroup="Designers" unixgroup=designers type=d rid=3200 net groupmap add ntgroup="Engineers" unixgroup=engineers type=d rid=3210 net groupmap add ntgroup="QA Team" unixgroup=qateam type=d rid=3220
net groupmap list
Now check that all groups are recognised
Now migrate all the profiles, then migrate all policy files.
Sites that wish to migrate from MS Windows NT4 Domain Control to a Samba based solution generally fit into three basic categories.
Table 31.1. The 3 Major Site Types
| Number of Users | Description |
|---|---|
| < 50 | Want simple conversion with NO pain |
| 50 - 250 | Want new features, can manage some in-house complexity |
| > 250 | Solution/Implementation MUST scale well, complex needs. Cross departmental decision process. Local expertise in most areas |
There are three basic choices for sites that intend to migrate from MS Windows NT4 to Samba-3.
Simple Conversion (total replacement)
Upgraded Conversion (could be one of integration)
Complete Redesign (completely new solution)
Minimise down-stream problems by:
Take sufficient time
Avoid Panic
Test ALL assumptions
Test full roll-out program, including workstation deployment
Table 31.2. Nature of the Conversion Choices
| Simple | Upgraded | Redesign |
|---|---|---|
Make use of minimal OS specific features | Translate NT4 features to new host OS features | Decide: |
Suck all accounts from NT4 into Samba-3 | Copy and improve: | Authentication Regime (database location and access) |
Make least number of operational changes | Make progressive improvements | Desktop Management Methods |
Take least amount of time to migrate | Minimise user impact | Better Control of Desktops / Users |
Live versus Isolated Conversion | Maximise functionality | Identify Needs for: Manageability, Scalability, Security, Availability |
Integrate Samba-3 then migrate while users are active, then Change of control (ie: swap out) | Take advantage of lower maintenance opportunity |
Samba-3 can use an external authentication backend:
Winbind (external Samba or NT4/200x server)
External server could use Active Directory or NT4 Domain
Can use pam_mkhomedir.so to auto-create home dirs
Samba-3 can use a local authentication backend:
smbpasswd, tdbsam, ldapsam, mysqlsam
On the Share itself - using Share ACLs
On the file system - using UNIX permissions on files and directories
Note: Can Enable Posix ACLs in file system also
Through Samba share parameters - Not recommended - except as last resort
Using Group Policy Editor (NT4)
- Watch out for Tattoo effect
Platform specific so use platform tool to change from a Local to a Roaming profile Can use new profiles tool to change SIDs (NTUser.DAT)
Know how they work
username map facility may be needed
Use 'net groupmap' to connect NT4 groups to Unix groups
Use pdbedit to set/change user configuration
NOTE: When migrating to LDAP back, end it may be easier to dump initial LDAP database to LDIF, then edit, then reload into LDAP
Add/Delete Users: Note OS limits on size of name (Linux 8 chars) NT4 up to 254 chars
Add/Delete Machines: Applied only to domain members (Note: Machine names may be limited to 16 characters)
Use 'net groupmap' to connect NT4 groups to Unix groups
Add/Delete Groups: Note OS limits on size and nature. Linux limit is 16 char, no spaces and no upper case chars (groupadd)
Domain Control (NT4 Style) Profiles, Policies, Access Controls, Security
Samba: net, rpcclient, smbpasswd, pdbedit, profiles
Windows: NT4 Domain User Manager, Server Manager (NEXUS)