1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
|
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
<chapter id="nw4migration">
<title>Migrating NetWare Server to Samba-3</title>
<para>
<indexterm><primary>Novell</primary></indexterm>
<indexterm><primary>SUSE</primary></indexterm>
Novell is a company any seasoned IT manager has to admire. It has become increasingly
Linux-friendly and is emerging out of a deep regression that almost saw the company
disappear into obscurity. Novell's SUSE Linux hosts the NetWare server and it is the
platform of choice to which many older NetWare servers are being migrated.
It will be interesting to see what becomes of NetWare over time.
Meanwhile, there can be no denying that Novell is a Linux company.
</para>
<para>
<indexterm><primary>Red Hat</primary></indexterm>
<indexterm><primary>Debian</primary></indexterm>
<indexterm><primary>Gentoo</primary></indexterm>
<indexterm><primary>Mandrake</primary></indexterm>
Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian,
Gentoo, Mandrake, or SUSE (Novell), the information in this chapter should be read with
the knowledge that file locations may vary a little; even so, the information
in this chapter should provide something of value.
</para>
<para>
<indexterm><primary>migration</primary></indexterm>
Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many
years who surfaced on the Samba mailing list with a barrage of questions and who
regularly now helps other administrators to solve thorny Samba migration questions.
</para>
<para>
<indexterm><primary>NetWare</primary></indexterm>
<indexterm><primary>NLM</primary></indexterm>
<indexterm><primary>NetWare</primary></indexterm>
<indexterm><primary>Mars_NWE</primary></indexterm>
One wonders how many NetWare servers remain in active service. Many are being migrated
to Samba on Linux. Red Hat Linux, SUSE Linux 9.x, and SUSE Linux Enterprise Server 9 are
ideal target platforms to which a NetWare server may be migrated. The migration method
of choice is much dependent on the tools that the administrator finds most natural to use.
The old-hand NetWare guru will likely want to use tools like the NetWare NLM for
<command>rsync</command> to migrate files from the NetWare server to the Samba server.
The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stovers' NetWare
Emulator) open source package. The MS Windows network administrator will likely make use of the
NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice,
migration will be filled with joyous and challenging moments &smbmdash; though probably not
concurrently.
</para>
<para>
The priority that Misty faced was one of migration of the data files off the NetWare 4.11
server and onto a Samba-ased Windows file and print server. This chapter does not pretend
to document all the different methods that could be used to migrate user and group accounts
off a NetWare server. Its focus is on migration of data files.
</para>
<para>
This chapter tells its own story, so ride along. Maybe the information presented here
will help to smooth over a similar migration challenge in your favorite networking environment.
</para>
<para>
File paths have been modified to permit use of RPM packages provided by Novell. In the
original documentation contributed by Misty, the Courier-IMAP package had been built
directly from the original source tarball.
</para>
<sect1>
<title>Introduction</title>
<para>
<indexterm><primary>Novell</primary></indexterm>
Misty Stanley-Jones was recruited by Abmas to administer a network that had
not received much attention for some years and was much in need of a makeover.
As a brand-new sysadmin to this company, she inherited a very old Novell file server
and came with a determination to change things for the better.
</para>
<para>
A site survey turned up the following details for the old NetWare server:
</para>
<simplelist>
<member><para>200 MHz MMX processor</para></member>
<member><para>512K RAM</para></member>
<member><para>24 GB disk space in RAID1</para></member>
<member><para>Novell 4.11 patched to service pack 7</para></member>
<member><para>60+ users</para></member>
<member><para>7 network-attached printers</para></member>
</simplelist>
<para>
The company had outgrown this server several years before and was dealing with
severe growing pains. Some of the problems experienced were:
</para>
<itemizedlist>
<listitem>
<para>Very slow performance</para>
</listitem>
<listitem>
<para>Available storage hovering around the 5% range</para>
<itemizedlist>
<listitem>
<para>Extremely slow print spooling.</para>
</listitem>
<listitem>
<para>
Users storing information on their local hard
drives, causing backup integrity problems
</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
<para>
<indexterm><primary>payroll</primary></indexterm>
At one point disk space had filled up to 100 percent, causing the payroll database
to become corrupt. This caused the accounting department to be down for over
a week and necessitated deployment of another file server. The replacement
server was created with very poor security and design considerations from
a discarded desktop PC.
</para>
<sect2>
<title>Assignment Tasks</title>
<para>
Misty has provided this summary of her migration experience in the hope
that it will help someone to avoid the challenges she faced. Perhaps her
configuration files and background will accelerate your learning as you
grapple with a similar migration challenge. Let there be no confusion,
the information presented in this chapter is provided to demonstrate
how Misty dealt with a particular NetWare migration requirement, and
it provides an overall approach to the implementation of a Samba-3
environment that is significantly divergent from that presented in
<link linkend="happy"/>.
</para>
<para>
The complete removal of all site-specific information in order to produce
a generic migration solution would rob this chapter of its character.
It should be recognized, therefore, that the examples given require
significant adaptation to suit local needs and thus
there are some gaps in the example files. That is not Misty's fault;it
is the result of treatment given to her files in an attempt to make
the overall information more useful to you.
</para>
<para>
<indexterm><primary>cost-benefit</primary></indexterm>
After management reviewed a cost-benefit report as well as an estimated
time-to-completion, approval was given proceed with the solution proposed.
The server was built from purchased components. The total project cost
was $3,000. A brief description of the configuration follows:
</para>
<simplelist>
<member>
<para>3.0 GHz P4 Processor</para>
</member>
<member>
<para>1 GB RAM</para>
</member>
<member>
<para>120 GB SATA operating system drive</para>
</member>
<member>
<para>4 x 80 GB SATA data drives (RAID5 240 GB capacity)</para>
</member>
<member>
<para>2 x 80 GB SATA removable drives for online backup</para>
</member>
<member>
<para>A DLT drive for asynchronous offline backup</para>
</member>
<member>
<para>SUSE Linux Professional 9.1</para>
</member>
</simplelist>
<para>
The new system has operated for 6 months without problems. Over the past months
much attention has been focused on cleaning up desktops and user profiles.
</para>
</sect2>
</sect1>
<sect1>
<title>Dissection and Discussion</title>
<para>
<indexterm><primary>LDAP</primary></indexterm>
<indexterm><primary>e-Directory</primary></indexterm>
<indexterm><primary>authentication</primary></indexterm>
<indexterm><primary>identity management</primary></indexterm>
A decision to use LDAP was made even though I knew nothing about LDAP except that
I had been reading the book <quote>LDAP System Administration,</quote> by Gerald Carter.
LDAP seemed to provide some of the functionality of Novell's e-Directory Services
and would provide centralized authentication and identity management.
</para>
<para>
<indexterm><primary>database</primary></indexterm>
<indexterm><primary>RPM</primary></indexterm>
<indexterm><primary>tree</primary></indexterm>
Building the LDAP database took a while and a lot of trial and error. Following
the guidance I obtained from <quote>LDAP System
Administration,</quote> I installed OpenLDAP (from RPM; later I compiled
a more current version from source) and built my initial LDAP tree.
</para>
<sect2>
<title>Technical Issues</title>
<para>
<indexterm><primary>white-pages</primary></indexterm>
<indexterm><primary>inetOrgPerson</primary></indexterm>
<indexterm><primary>OpenLDAP</primary></indexterm>
<indexterm><primary>/etc/passwd</primary></indexterm>
<indexterm><primary>/etc/shadow</primary></indexterm>
<indexterm><primary>LDIF</primary></indexterm>
<indexterm><primary>IMAP</primary></indexterm>
<indexterm><primary>POP3</primary></indexterm>
<indexterm><primary>SMTP</primary></indexterm>
The first challenge was to create a company white pages, followed by manually
entering everything from the printed company directory. This used only the inetOrgPerson
object class from the OpenLDAP schemas. The next step was to write a shell script that
would look at the <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>
files on our mail server and create a LDIF file from which the information could be
imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3,
and SMTP.
</para>
<para>
Because a decision was made to use Courier-IMAP the schema <quote>authldap.schema</quote>
from the Courier-IMAP source, tarball is necessary to resolve Courier-specific LDAP directory
needs. Where the Courier-IMAP file provided by SUSE is used, this file is named
<filename>courier.schema</filename>.
</para>
<para>
Looking back, it would have been much easier to populate the LDAP directory using a convenient
tool such as <command>phpLDAPAdmin</command> from the outset. An excessive amount of time was
spent trying to generate LDIF files that could be parsed using the <command>ldapmodify</command>
so that necessary changes could be written to the directory. This was a learning experience!
</para>
<para>
An attempt was made to use the PADL POSIX account migration scripts, but I gave up trying to
make them work. Instead, even though it is most inelegant, I wrote a simple script that did
what I needed. It is enclosed as a simple example to demonstrate that you do not need to be
a guru to make light of otherwise painful repetition. This file is listed in <link linkend="sbeamg"/>.
</para>
<example id="sbeamg">
<title>A Rough Tool to Create an LDIF File from the System Account Files</title>
<screen>
#!/bin/bash
cat /etc/passwd | while read l; do
uid=`echo $l | cut -d : -f 1`
uidNumber=`echo $l | cut -d : -f 3`
gidNumber=`echo $1 | cut -d : -f 4`
gecos=`echo $l | cut -d : -f 5`
homeDirectory=`echo $l | cut -d : -f 6`
loginShell=`echo $l | cut -d : -f 6`
userPassword=`cat /etc/shadow | grep $uid | cut -d : -f 2`
echo "dn: cn=$gecos,ou=people,dc=mycompany,dc=com"
echo "objectClass: account"
echo "objectClass: posixAccount"
echo "cn: $gecos"
echo "uid: $uid"
echo "uidNumber: $uidNumber"
echo "gidNumber: $gidNumber"
echo "homeDirectory: $homeDirectory"
echo "loginShell: $loginShell"
echo "userPassword: $userPassword"
done
</screen>
</example>
<note><para>
The PADL MigrationTools are recommended for migration of the UNIX account information into
the LDAP directory. The tools consist of a set of Perl scripts for migration of users, groups,
aliases, hosts, netgroups, networks, protocols, PRCs, and services from the existing ASCII text
files (or from a name service such as NIS). This too set can be obtained from the <ulink url=
"http://www.padl.com">PADL Web site</ulink>.
</para></note>
</sect2>
</sect1>
<sect1>
<title>Implementation</title>
<para>
</para>
<sect2>
<title>NetWare Migration Using LDAP Backend</title>
<para>
The following software must be installed on the SUSE Linux Enterprise Server to perform
this migration:
</para>
<simplelist>
<member><para>courier-imap</para></member>
<member><para>courier-imap-ldap</para></member>
<member><para>nss_ldap</para></member>
<member><para>openldap2-client</para></member>
<member><para>openldap2-devel (only for Samba compilation)</para></member>
<member><para>openldap2</para></member>
<member><para>pam_ldap</para></member>
<member><para>samba-3.0.20 or later</para></member>
<member><para>samba-client-3.0.20 or later</para></member>
<member><para>samba-winbind-3.0.20 or later</para></member>
<member><para>smbldap-tools Version 0.8.8</para></member>
</simplelist>
<para>
Each software application must be carefully configured in preparation for migration.
The configuration files used at Abmas are provided as a guide and should be modified
to meet needs at your site.
</para>
<sect3>
<title>LDAP Server Configuration</title>
<para>
The <filename>/etc/openldap/slapd.conf</filename> file Misty used is shown here:
<programlisting>
#/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/dhcp.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/idpool.schema
include /etc/openldap/schema/eduperson.schema
include /etc/openldap/schema/commURI.schema
include /etc/openldap/schema/local.schema
include /etc/openldap/schema/courier.schema
pidfile /var/run/slapd/run/slapd.pid
argsfile /var/run/slapd/run/slapd.args
replogfile /data/ldap/log/slapd.replog
# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
#######################################################################
# Logging parameters
#######################################################################
loglevel 256
#######################################################################
# SASL and TLS options
#######################################################################
sasl-host ldap.corp.abmas.org
sasl-realm DIGEST-MD5
sasl-secprops none
TLSCipherSuite HIGH:MEDIUM:+SSLV2
TLSCertificateFile /etc/ssl/certs/private/abmas-cert.pem
TLSCertificateKeyFile /etc/ssl/certs/private/abmas-key.pem
password-hash {SSHA}
defaultsearchbase "dc=abmas,dc=biz"
#######################################################################
# bdb database definitions
#######################################################################
database bdb
suffix "dc=abmas,dc=biz"
rootdn "cn=manager,dc=abmas,dc=biz"
rootpw {SSHA}gdo/dUvoT4ZJmULz3rUt6A3H/hBEduJ5
directory /data/ldap
mode 0600
# The following is for BDB to make it flush its data to disk every
# 500 seconds or 5kb of data
checkpoint 500 5
## For running slapindex
#readonly on
## Indexes for often-requested attributes
index objectClass eq
index cn eq,sub
index sn eq,sub
index uid eq,sub
index uidNumber eq
index gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
cachesize 2000
replica host=baa.corp.abmas.org:389
suffix="dc=abmas,dc=biz"
binddn="cn=replica,dc=abmas,dc=biz"
credentials=verysecret
bindmethod=simple
tls=yes
replica host=ns.abmas.org:389
suffix="dc=abmas,dc=biz"
binddn="cn=replica,dc=abmas,dc=biz"
credentials=verysecret
bindmethod=simple
tls=yes
#######################################################################
# ACL section
#######################################################################
## MOST RESTRICTIVE RULES MUST GO FIRST!
# Admins get access to everything. This way I do not have to rename.
access to *
by group/groupOfUniqueNames/uniqueMember="cn=LDAP
Administrators,ou=groups,dc=abmas,dc=biz" write
by * break
## Users can change their own passwords.
access to
attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,
sambaPwdMustChange,sambaPwdCanChange
by self write
by * auth
## Home contact info restricted to the logged-in user and the HR dept
access to attrs=hometelephoneNumber,homePostalAddress,
mobileTelephoneNumber,pagerTelephoneNumber
by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
ou=groups,dc=abmas,dc=biz"
write
by self write
by * none
## Everyone can read email aliases
access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz"
by * read
## Only admins can manage email aliases
## If someone is the role occupant of an alias they can change it -- this
## is accomplished by the "organizationalRole" objectclass and is
## pretty cool -- like a groupOfUniqueNames but for individual
## users.
access to dn.children="ou=Email Aliases,dc=abmas,dc=biz"
by dnattr=roleOccupant write
by * read
## Admins and HR can add and delete users
access to dn.sub="ou=people,dc=abmas,dc=biz"
by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
ou=groups,dc=abmas,dc=biz"
write
by * read
## Admins and HR can add and delete bizputers
access to dn.sub="ou=bizputers,dc=abmas,dc=biz"
by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
ou=groups,dc=abmas,dc=biz"
write
by * read
## Admins and HR can add and delete groups
access to dn.sub="ou=groups,dc=abmas,dc=biz"
by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,
ou=groups,dc=abmas,dc=biz"
write
by * read
## This is used to quickly deactivate any LDAP object only Admins have access.
access to dn.sub="ou=inactive,dc=abmas,dc=biz"
by * none
## This is for programs like Windows Address Book that can
## detect the default search base.
access to attrs=namingcontexts,supportedControl
by anonymous =cs
by * read
## Default to read-only access
access to *
by dn.base="cn=replica,ou=people,dc=abmas,dc=biz" write
by * read
</programlisting>
</para>
<para>
<indexterm><primary>/etc/ldap.conf</primary></indexterm>
The <filename>/etc/ldap.conf</filename> file used is listed in <link linkend="ch8ldap"/>.
</para>
<example id="ch8ldap">
<title>NSS LDAP Control File &smbmdash; /etc/ldap.conf</title>
<screen>
# /etc/ldap.conf
# This file is present on every *NIX client that authenticates to LDAP.
# For me, most of the defaults are fine. There is an amazing amount of
# customization that can be done see the man page for info.
# Your LDAP server. Must be resolvable without using LDAP. The following
# is for the LDAP server all others use the FQDN of the server
URI ldap://127.0.0.1
# The distinguished name of the search base.
base ou=corp,dc=abmas,dc=biz
# The LDAP version to use (defaults to 3 if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with if the effective
# user ID is root. Password is stored in /etc/ldap.secret (mode 600)
rootbinddn cn=Manager,dc=abmas,dc=biz
# Filter to AND with uid=%s
pam_filter objectclass=posixAccount
# The user ID attribute (defaults to uid)
pam_login_attribute uid
# Group member attribute
pam_member_attribute memberUID
# Use the OpenLDAP password change
# extended operation to update the password.
pam_password exop
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem
...
</screen>
</example>
<para>
The NSS control file <filename>/etc/nsswitch.conf</filename> has the following contents:
<screen>
# /etc/nsswitch.conf
# This file controls the resolve order for system databases.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: compat ldap
group: compat ldap
# The above are all that I store in LDAP at this point. There are
# possibilities to store hosts, services, ethers, and lots of other things.
</screen>
</para>
<para>
<indexterm><primary>PAM</primary></indexterm>
<indexterm><primary>NSS</primary></indexterm>
In my setup, users authenticate via PAM and NSS using LDAP-based accounts.
The configuration file that controls the behavior of the PAM <command>pam_unix2</command>
module is shown in <link linkend="sbepu2"/> file.
This works out of the box with the configuration files in this chapter. It
enables you to have no local accounts for users (it is highly advisable
to have a local account for the root user). Traps for the unwary include the following:
</para>
<example id="sbepu2">
<title>The PAM Control File <filename>/etc/security/pam_unix2.conf</filename></title>
<screen>
# pam_unix2 config file
#
# This file contains options for the pam_unix2.so module.
# It contains a list of options for every type of management group,
# which will be used for authentication, account management and
# password management. Not all options will be used from all types of
# management groups.
#
# At first, pam_unix2 will read this file and then uses the local
# options. Not all options can be set her global.
#
# Allowed options are:
#
# debug (account, auth, password, session)
# nullok (auth)
# md5 (password / overwrites /etc/default/passwd)
# bigcrypt (password / overwrites /etc/default/passwd)
# blowfish (password / overwrites /etc/default/passwd)
# crypt_rounds=XX
# none (session)
# trace (session)
# call_modules=x,y,z (account, auth, password)
#
# Example:
# auth: nullok
# account:
# password: nullok blowfish crypt_rounds=8
# session: none
#
auth: use_ldap
account: use_ldap
password: use_ldap
session: none
</screen>
</example>
<indexterm><primary>LDAP</primary></indexterm>
<indexterm><primary>authenticate</primary></indexterm>
<indexterm><primary>DNS</primary></indexterm>
<itemizedlist>
<listitem>
<para>
If your LDAP database goes down, nobody can authenticate except for root.
</para>
</listitem>
<listitem>
<para>
If failover is configured incorrectly, weird behavior can occur. For example,
DNS can fail to resolve.
</para>
</listitem>
</itemizedlist>
<para>
I do have two LDAP slave servers configured. That subject is beyond the scope
of this document, and steps for implementing it are well documented.
</para>
<para>
The following services authenticate using LDAP:
</para>
<indexterm><primary>UNIX</primary></indexterm>
<indexterm><primary>Postfix</primary></indexterm>
<indexterm><primary>Courier-IMAP</primary></indexterm>
<simplelist>
<member><para>UNIX login/ssh</para></member>
<member><para>Postfix (SMTP)</para></member>
<member><para>Courier-IMAP/IMAPS/POP3/POP3S</para></member>
</simplelist>
<para>
<indexterm><primary>white-pages</primary></indexterm>
<indexterm><primary>Windows Address Book</primary></indexterm>
Companywide white pages can be searched using an LDAP client
such as the one in the Windows Address Book.
</para>
<para>
<indexterm><primary>LDAP</primary></indexterm>
<indexterm><primary>smbldap-tools</primary></indexterm>
Having gained a solid understanding of LDAP and a relatively workable LDAP tree
thus far, it was time to configure Samba. I compiled the latest stable Samba and
also installed the latest <command>smbldap-tools</command> from
<ulink url="http://idealx.com">Idealx</ulink>.
</para>
<para>
The Samba &smb.conf; file was configured as shown in <link linkend="ch8smbconf"/>.
</para>
<example id="ch8smbconf">
<title>Samba Configuration File &smbmdash; smb.conf Part A</title>
<smbconfblock>
<smbconfcomment>Global parameters</smbconfcomment>
<smbconfsection name="[global]"/>
<smbconfoption name="workgroup">MEGANET2</smbconfoption>
<smbconfoption name="netbios name">MASSIVE</smbconfoption>
<smbconfoption name="server string">Corp File Server</smbconfoption>
<smbconfoption name="passdb backend">ldapsam:ldap://localhost</smbconfoption>
<smbconfoption name="pam password change">Yes</smbconfoption>
<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption>
<smbconfoption name="log level">1</smbconfoption>
<smbconfoption name="log file">/data/samba/log/%m.log</smbconfoption>
<smbconfoption name="name resolve order">wins host bcast</smbconfoption>
<smbconfoption name="time server">Yes</smbconfoption>
<smbconfoption name="printcap name">cups</smbconfoption>
<smbconfoption name="show add printer wizard">No</smbconfoption>
<smbconfoption name="cups options">Raw</smbconfoption>
<smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m "%u"</smbconfoption>
<smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption>
<smbconfoption name="add user to group script">/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</smbconfoption>
<smbconfoption name="delete user from group script">/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</smbconfoption>
<smbconfoption name="set primary group script">/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</smbconfoption>
<smbconfoption name="add machine script">/usr/local/sbin/smbldap-useradd -w "%m"</smbconfoption>
<smbconfoption name="logon script">logon.bat</smbconfoption>
<smbconfoption name="logon path">\\%L\profiles\%U\%a</smbconfoption>
<smbconfoption name="logon drive">H:</smbconfoption>
<smbconfoption name="logon home">\\%L\%U</smbconfoption>
<smbconfoption name="domain logons">Yes</smbconfoption>
<smbconfoption name="wins support">Yes</smbconfoption>
<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption>
<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
<smbconfoption name="ldap idmap suffix">ou=People</smbconfoption>
<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
<smbconfoption name="ldap passwd sync">Yes</smbconfoption>
<smbconfoption name="ldap suffix">ou=MEGANET2,dc=abmas,dc=biz</smbconfoption>
<smbconfoption name="ldap ssl">no</smbconfoption>
<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
<smbconfoption name="admin users">root, "@Domain Admins"</smbconfoption>
<smbconfoption name="printer admin">"@Domain Admins"</smbconfoption>
<smbconfoption name="force printername">Yes</smbconfoption>
</smbconfblock>
</example>
<example id="ch8smbconf2">
<title>Samba Configuration File &smbmdash; smb.conf Part B</title>
<smbconfblock>
<smbconfsection name="[netlogon]"/>
<smbconfoption name="comment">Network logon service</smbconfoption>
<smbconfoption name="path">/data/samba/netlogon</smbconfoption>
<smbconfoption name="write list">"@Domain Admins"</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfsection name="[profiles]"/>
<smbconfoption name="comment">Roaming Profile Share</smbconfoption>
<smbconfoption name="path">/data/samba/profiles/</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="profile acls">Yes</smbconfoption>
<smbconfoption name="veto files">desktop.ini</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
<smbconfsection name="[homes]"/>
<smbconfoption name="comment">Home Directories</smbconfoption>
<smbconfoption name="valid users">%S</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="create mask">0770</smbconfoption>
<smbconfoption name="veto files">desktop.ini</smbconfoption>
<smbconfoption name="hide files">desktop.ini</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
<smbconfsection name="[software]"/>
<smbconfoption name="comment">Software for %a computers</smbconfoption>
<smbconfoption name="path">/data/samba/shares/software/%a</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfsection name="[public]"/>
<smbconfoption name="comment">Public Files</smbconfoption>
<smbconfoption name="path">/data/samba/shares/public</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfsection name="[PDF]"/>
<smbconfoption name="comment">Location of documents printed to PDFCreator printer</smbconfoption>
<smbconfoption name="path">/data/samba/shares/pdf</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
</smbconfblock>
</example>
<example id="ch8smbconf3">
<title>Samba Configuration File &smbmdash; smb.conf Part C</title>
<smbconfblock>
<smbconfsection name="[EVERYTHING]"/>
<smbconfoption name="comment">All shares</smbconfoption>
<smbconfoption name="path">/data/samba</smbconfoption>
<smbconfoption name="valid users">"@Domain Admins"</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfsection name="[CDROM]"/>
<smbconfoption name="comment">CD-ROM on MASSIVE</smbconfoption>
<smbconfoption name="path">/mnt</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfsection name="[print$]"/>
<smbconfoption name="comment">Printer Drivers Share</smbconfoption>
<smbconfoption name="path">/data/samba/drivers</smbconfoption>
<smbconfoption name="write list">root</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
<smbconfsection name="[printers]"/>
<smbconfoption name="comment">All Printers</smbconfoption>
<smbconfoption name="path">/data/samba/spool</smbconfoption>
<smbconfoption name="create mask">0644</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
<smbconfsection name="[acct_hp8500]"/>
<smbconfoption name="comment">"Accounting Color Laser Printer"</smbconfoption>
<smbconfoption name="path">/data/samba/spool/private</smbconfoption>
<smbconfoption name="valid users">@acct, @acct_admin, @hr, "@Domain Admins",@Receptionist, dwayne, terri, danae, jerry</smbconfoption>
<smbconfoption name="create mask">0644</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="copy">printers</smbconfoption>
<smbconfsection name="[plotter]"/>
<smbconfoption name="comment">Engineering Plotter</smbconfoption>
<smbconfoption name="path">/data/samba/spool</smbconfoption>
<smbconfoption name="create mask">0644</smbconfoption>
<smbconfoption name="printable">Yes</smbconfoption>
<smbconfoption name="use client driver">Yes</smbconfoption>
<smbconfoption name="copy">printers</smbconfoption>
</smbconfblock>
</example>
<example id="ch8smbconf4">
<title>Samba Configuration File &smbmdash; smb.conf Part D</title>
<smbconfblock>
<smbconfsection name="[APPS]"/>
<smbconfoption name="path">/data/samba/shares/Apps</smbconfoption>
<smbconfoption name="force group">"Domain Users"</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfsection name="[ACCT]"/>
<smbconfoption name="path">/data/samba/shares/Accounting</smbconfoption>
<smbconfoption name="valid users">@acct, "@Domain Admins"</smbconfoption>
<smbconfoption name="force group">acct</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="create mask">0660</smbconfoption>
<smbconfoption name="directory mask">0770</smbconfoption>
<smbconfsection name="[ACCT_ADMIN]"/>
<smbconfoption name="path">/data/samba/shares/Acct_Admin</smbconfoption>
<smbconfoption name="valid users">@”acct_admin”</smbconfoption>
<smbconfoption name="force group">acct_admin</smbconfoption>
<smbconfsection name="[HR_PR]"/>
<smbconfoption name="path">/data/samba/shares/HR_PR</smbconfoption>
<smbconfoption name="valid users">@hr, @acct_admin</smbconfoption>
<smbconfoption name="force group">hr</smbconfoption>
<smbconfsection name="[ENGR]"/>
<smbconfoption name="path">/data/samba/shares/Engr</smbconfoption>
<smbconfoption name="valid users">@engr, @receptionist, @truss, "@Domain Admins", cheri</smbconfoption>
<smbconfoption name="force group">engr</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="create mask">0770</smbconfoption>
<smbconfsection name="[DATA]"/>
<smbconfoption name="path">/data/samba/shares/DATA</smbconfoption>
<smbconfoption name="valid users">@engr, @receptionist, @truss, "@Domain Admins", cheri</smbconfoption>
<smbconfoption name="force group">engr</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="create mask">0770</smbconfoption>
<smbconfoption name="copy">engr</smbconfoption>
</smbconfblock>
</example>
<example id="ch8smbconf5">
<title>Samba Configuration File &smbmdash; smb.conf Part E</title>
<smbconfblock>
<smbconfsection name="[X]"/>
<smbconfoption name="path">/data/samba/shares/X</smbconfoption>
<smbconfoption name="valid users">@engr, @acct</smbconfoption>
<smbconfoption name="force group">engr</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="create mask">0770</smbconfoption>
<smbconfoption name="copy">engr</smbconfoption>
<smbconfsection name="[NETWORK]"/>
<smbconfoption name="path">/data/samba/shares/network</smbconfoption>
<smbconfoption name="valid users">"@Domain Users"</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="create mask">0770</smbconfoption>
<smbconfoption name="guest ok">Yes</smbconfoption>
<smbconfsection name="[UTILS]"/>
<smbconfoption name="path">/data/samba/shares/Utils</smbconfoption>
<smbconfoption name="write list">"@Domain Admins"</smbconfoption>
<smbconfsection name="[SYS]"/>
<smbconfoption name="path">/data/samba/shares/SYS</smbconfoption>
<smbconfoption name="valid users">chad</smbconfoption>
<smbconfoption name="read only">No</smbconfoption>
<smbconfoption name="browseable">No</smbconfoption>
</smbconfblock>
</example>
<para>
<indexterm><primary>Qbasic</primary></indexterm>
<indexterm><primary>Rbase</primary></indexterm>
<indexterm><primary>drive letters</primary></indexterm>
Most of these shares are only used by one company group, but they are required
because of some ancient Qbasic and Rbase applications were that written expecting
their own drive letters.
</para>
<para>
<indexterm><primary>rsync</primary></indexterm>
<indexterm><primary>rsyncd.conf</primary></indexterm>
<indexterm><primary>synchronize</primary></indexterm>
Note: During the process of building the new server, I kept data files
up to date with the Novell server via use of <command>rsync</command>.
On a separate system (my workstation in fact), which could be rebooted
whenever necessary, I set up a mount point to the Novell server via
<command>ncpmount</command>. I then created a
<filename>rsyncd.conf</filename> to share that mount point out to my
new server, and synchronized once an hour. The script I used to synchronize
is shown in <link linkend="sbersync"/>. The files exclusion list I used
is shown in <link linkend="sbexcld"/>. The reason I had to have the
<command>rsync</command> daemon running on a system that could be
rebooted frequently is because <constant>ncpfs</constant>
(part of the MARS NetWare Emulation package) has a nasty habit of creating stale
mount points that cannot be recovered without a reboot. The reason for hourly
synchronization is because some part of the chain was very slow and
performance-heavy (whether <command>rsync</command> itself, the network,
or the Novell server, I am not sure, but it was probably the Novell server).
</para>
<example id="sbersync">
<title>Rsync Script</title>
<screen>
#!/bin/bash
# Part 1 - rsync the Novell directories to the new server
echo "#############################################"
echo "New sync operation starting at `date`"
if ! pgrep -fl '^rsync\> ; then
echo "Good, no rsync is running!"
echo "Synchronizing oink to BHPRO"
rsync -av --exclude-from=/root/excludes.txt
baa.corp:/BHPRO/SYS1/ /data/samba/shares/SYS1
retval=$?
[ ${retval} = 0 ] && echo "Sync operation completed at `date`"
echo "Fixing permissions"
# I had a whole lot more permission-fixing stuff here. It got
# pared down as groups got moved over. The problem
# was that the way I was mounting the directory, everything
# was owned by the Novell administrator which translated to
# Root. This is also why I could only do one-way sync because
# I could not fix the ACLs on the Novell side.
find /data/samba/shares/Engr/ -perm +770 -exec chmod 770 {} \;
find /data/samba/shares/Engr/ ! -group engr -exec chgrp engr {} \;
else
# This rsync took ages and ages -- I had it set to run every hour but
# I needed a way to prevent it running into itself.
echo "Oh no, rsync is already running!"
echo "#############################################"
fi
</screen>
</example>
<example id="sbexcld">
<title>Rsync Files Exclusion List &smbmdash; <filename>/root/excludes.txt</filename></title>
<screen>
/Acct/
/Apps/
/DATA/
/Engr/*.pc3
/Engr/plotter
/Engr/APPOLO/
/Engr/LIBRARY/
/Home/Accounting/
/Home/Angie/
/Home/AngieY/
/Home/Brandon/
/Home/Carl/
</screen>
</example>
<para>
After Samba was configured, I initialized the LDAP database. The first
thing I had to do was store the LDAP password in the Samba configuration by
issuing the command (as root):
<screen>
&rootprompt; smbpasswd -w verysecret
</screen>
where <quote>verysecret</quote> is replaced by the LDAP bind password.
</para>
<note><para>
The Idealx smbldap-tools package can be configured using a script called
<command>configure.pl</command> that is provided as part of the tool. See <link linkend="happy"/>
for an example of its use. Many administrators, like Misty, choose to do this manually
so as to maintain greater awareness of how the tool-chain works and possibly to avoid
undesirable actions from occurring un-noticed.
</para></note>
<para>
Now Samba was ready for use and it was time to configure the smbldap-tools. There are two
relevant files, which are usually put into the directory
<filename>/etc/smbldap-tools</filename>. The main file,
<filename>smbldap.conf</filename> is shown in <link linkend="ch8ideal"/>.
</para>
<example id="ch8ideal">
<title>Idealx smbldap-tools Control File &smbmdash; Part A</title>
<screen>
#########
#
# located in /etc/smbldap-tools/smbldap.conf
#
##############################################################################
#
# General Configuration
#
##############################################################################
# Put your own SID
# to obtain this number do: net getlocalsid
SID="S-1-5-21-725326080-1709766072-2910717368"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"
# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
ldapTLS="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify=""
</screen>
</example>
<example id="ch8ideal2">
<title>Idealx smbldap-tools Control File &smbmdash; Part B</title>
<screen>
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile=""
certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert=""
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey=""
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="ou=MEGANET2,dc=abmas,dc=biz"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=People,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=People,${suffix}"
# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
# Default scope Used
scope="sub"
</screen>
</example>
<example id="ch8ideal3">
<title>Idealx smbldap-tools Control File &smbmdash; Part C</title>
<screen>
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
hash_encrypt="MD5"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/false"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Gecos
userGecos="Samba User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"
</screen>
</example>
<example id="ch8ideal4">
<title>Idealx smbldap-tools Control File &smbmdash; Part D</title>
<screen>
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
userSmbHome=""
# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
userProfile=""
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
userHomeDrive=""
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under DOS
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under DOS
userScript=""
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="abmas.org"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
</screen>
</example>
<para>
<indexterm><primary>TLS</primary></indexterm>
Note: I chose not to take advantage of the TLS capability of this.
Eventually I may go back and tweak it. Also, I chose not to take advantage
of the master/slave configuration as I heard horror stories that it was
unstable. My slave servers are replicas only.
</para>
<para>
The <filename>/etc/smbldap-tools/smbldap_bind.conf</filename> file is shown here:
<screen>
# smbldap_bind.conf
#
# This file simply tells smbldap-tools how to bind to your LDAP server.
# It has to be a DN with full write access to the Samba portion of
# the database.
############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Manager,dc=abmas,dc=biz"
slavePw="verysecret"
masterDN="cn=Manager,dc=abmas,dc=biz"
masterPw="verysecret"
</screen>
</para>
<para>
The next step was to run the <command>smbldap-populate</command> command, which populates
the LDAP tree with the appropriate default users, groups, and UID and GID pools.
It creates a user called Administrator with UID=0 and GID=0 matching the
Domain Admins group. This is fine because you can still log on a root to a Windows system,
but it will break cached credentials if you need to log on as the administrator
to a system that is not on the network.
</para>
<para>
After the LDAP database has been preloaded, it is prudent to validate that the
information needed is in the LDAP directory. This can be done done by restarting
the LDAP server, then performing an LDAP search by executing:
<screen>
&rootprompt; ldapsearch -W -x -b "dc=abmas,dc=biz"\
-D "cn=Manager,dc=abmas,dc=biz" \
"(Objectclass=*)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=abmas,dc=biz> with scope sub
# filter: (ObjectClass=*)
# requesting: ALL
#
# abmas.biz
dn: dc=abmas,dc=biz
objectClass: dcObject
objectClass: organization
o: abmas
dc: abmas
# People, abmas.biz
dn: ou=People,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: People
# Groups, abmas.biz
dn: ou=Groups,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: Groups
# Idmap, abmas.biz
dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: Idmap
...
</screen>
</para>
<para>
<indexterm><primary>Windows</primary></indexterm>
<indexterm><primary>POSIX</primary></indexterm>
<indexterm><primary>smbldap-groupadd</primary></indexterm>
<indexterm><primary>RID</primary></indexterm>
<indexterm><primary>sambaGroupMapping</primary></indexterm>
With the LDAP directory now initialized, it was time to create the Windows and POSIX
(UNIX) group accounts as well as the mappings from Windows groups to UNIX groups.
The easiest way to do this was to use <command>smbldap-groupadd</command> command.
It creates the group with the posixGroup and sambaGroupMapping attributes, a
unique GID, and an automatically determined RID. I learned the hard way not to
try to do this by hand.
</para>
<para>
<indexterm><primary>group mapping</primary></indexterm>
<indexterm><primary>smbldap-groupmod</primary></indexterm>
<indexterm><primary>memberUID</primary></indexterm>
After I had my group mappings in place, I added users to the groups (the users
don't really have to exist yet). I used the <command>smbldap-groupmod</command>
command to accomplish this. It can also be done manually by adding memberUID
attributes to the group entries in LDAP.
</para>
<para>
<indexterm><primary>sambaSamAccount</primary></indexterm>
<indexterm><primary>posixAccount</primary></indexterm>
<indexterm><primary>smbldap-usermod</primary></indexterm>
The most monumental task of all was adding the sambaSamAccount information to each
already existent posixAccount entry. I did it one at a time as I moved people onto
the new server, by issuing the command:
<screen>
&rootprompt; smbldap-usermod -a -P username
</screen>
<indexterm><primary>NetWare</primary></indexterm>
<indexterm><primary>LDIF</primary></indexterm>
<indexterm><primary>slapcat</primary></indexterm>
I completed that step for every user after asking the person what his or her current
NetWare password was. The wiser way to have done it would probably have been to dump the
entire database to an LDIF file. This can be done by executing:
<screen>
&rootprompt; slapcat > somefile.ldif
</screen>
<indexterm><primary>Perl</primary></indexterm>
<indexterm><primary>objectClass</primary></indexterm>
Then update the LDIF file created by using a Perl script to parse and add the
appropriate attributes and objectClasses to each entry, followed by re-importing
the entire database into the LDAP directory.
</para>
<para>
Rebuilding of the LDAP directory can be done as follows:
<screen>
&rootprompt; rcldap stop
&rootprompt; cd /data/ldap
&rootprompt; rm *bdb _* log*
&rootprompt; su - ldap -c "slapadd -l somefile.ldif"
&rootprompt; rcldap start
</screen>
This can be done at any time and for any reason, with no harm to the database.
</para>
<para>
I first added a test user, of course. The LDIF for this test user looks like
this, to give you an idea:
<screen>
# Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
dn:cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
cn: Test User
gecos: Test User
gidNumber: 513
givenName: Test
homeDirectory: /home/test.user
homePhone: 555
l: Somewhere
l: ST
mail: test.user
o: Corp
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
postalCode: 12345
sn: User
street: 10 Some St.
uid: test.user
uidNumber: 1074
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: Samba User
sambaSID: S-1-5-21-725326080-1709766072-2910717368-3148
sambaLMPassword: 9D29C287C58448F9AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: D062088E99C95E37D7702287BB35E770
sambaPwdLastSet: 1102537694
sambaPwdMustChange: 1106425694
userPassword: {SSHA}UzFZ2VxRGdwUueLnTGtsTBtnsvMO1oj8
loginShell: /bin/false
</screen>
</para>
<para>
Then I went over to a spare Windows NT machine and joined it to the MEGANET2 domain.
It worked, and the machine's account entry under ou=Computers looks like this:
<screen>
dn:uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: w2kengrspare$
sn: w2kengrspare$
uid: w2kengrspare$
uidNumber: 1104
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208
sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-2031
displayName: W2KENGRSPARE$
sambaPwdCanChange: 1103149236
sambaPwdMustChange: 2147483647
sambaNTPassword: CA199C45CB6737035DB6D9D9F6CD1834
sambaPwdLastSet: 1103149236
sambaAcctFlags: [W ]
</screen>
</para>
<para>
<indexterm><primary>netlogon</primary></indexterm>
So now I could log on with a test user from the machine w2kengrspare. It was all fine and
good, but that user was in no groups yet and so had pretty boring access. I fixed that
by writing the login script! To write the login script, I used
<ulink url="http://www.kixtart.org">Kixtart</ulink> because it will work
with every architecture of Windows, has an active and helpful user base, and was both
easier to learn and more powerful than the standard netlogon scripts I have seen.
I also did not have to do a logon script per user or per group.
</para>
<para>
<indexterm><primary>Kixtart</primary></indexterm>
I downloaded Kixtart and put the following files in my netlogon share:
<screen>
KIX32.EXE
KX32.dll
KX95.dll <-- Not needed unless you are running Win9x clients.
kx16.dll <-- Probably not needed unless you are running DOS clients.
kxrpc.exe <-- Probably useless as it has to run on the server and can
only be run on NT. It's for Windows 95 to become group-aware.
We can get around the need.
</screen>
</para>
<para>
<indexterm><primary>logon.kix</primary></indexterm>
I then wrote the <filename>logon.kix</filename> file that is shown in
<link linkend="ch8kix"/>. I chose to keep it all in one file, but it
can be split up and linked via include directives.
</para>
<example id="ch8kix">
<title>Kixtart Control File &smbmdash; File: logon.kix</title>
<screen>
; This script just calls the other scripts.
; First we want to get things done for everyone.
; Second, we do first-time login stuff.
; Third, we go through the group-oriented scripts one at a time.
; We want to check for group membership here to avoid the overhead of running
; scripts which don't apply.
call "\\massive\netlogon\scripts\main.kix"
call "\\massive\netlogon\scripts\setup.kix"
IF INGROUP("MEGANET2\ACCT")
call "scripts\acct.kix"
ENDIF
IF INGROUP("MEGANET2\ENGR","MEGANET2\RECEPTIONIST")
call "\\massive\netlogon\scripts\engr.kix"
ENDIF
IF INGROUP("MEGANET2\FURN")
call "\\massive\netlogon\scripts\furn.kix"
ENDIF
IF INGROUP("MEGANET2\TRUSS")
call "\\massive\netlogon\scripts\truss.kix"
ENDIF
</screen>
</example>
<example id="ch8kix2">
<title>Kixtart Control File &smbmdash; File: main.kix</title>
<screen>
break on
; Choose whether to hide the login window or not
IF INGROUP("MEGANET2\Domain Admins")
USE Z: \\massive\everything
SETCONSOLE("show")
ELSE
; Nobody cares about seeing the login script except admins
SETCONSOLE("hide")
ENDIF
; Delete all previously connected shares
USE * /delete
SETTITLE("Logging on @USERID to @LDOMAIN at @TIME")
; Set the time on the workstation
$Timeserver = "\\massive"
Settime $TimeServer
; Map the home directory
USE H: @HOMESHR ; connect to user's home share
IF @ERROR = 0
H:
CD @HOMEDIR ; change directory to user's home directory
ENDIF
; Everyone gets the N drive
USE N: \\massive\network
</screen>
</example>
<example id="ch8kix3">
<title>Kixtart Control File &smbmdash; File: setup.kix, Part A</title>
<screen>
; My setup.kix is where all of the redirection stuff happens. Note that with
; the use of registry keys, this only happens the first time they log in ,or if
; I delete the pertinent registry keys which triggers it to happen again:
; Check to see if we have written the abmas sub-key before
$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas")
IF NOT $RETURNCODE = 0
; Add key for abmas-specific things on the first login
ADDKEY("HKEY_CURRENT_USER\abmas")
; The following key gets deleted at the end of the first login
ADDKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
ENDIF
; People with laptops need My Documents to be in their profile. People with
; desktops can have My Documents redirected to their home directory to avoid
; long delays with logging out and out-of-sync files.
; Check to see if this is the first login -- doesn't make sense to do this
; at the very first login
$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
IF NOT $RETURNCODE = 0
; We don't want to do this stuff for people with laptops or people in the FURN
; group. (They store their profiles in a different server)
IF NOT INGROUP("MASSIVE\Laptop","MASSIVE\FURN")
$RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\abmas\profile_copied")
; A crude way to tell what OS our profile is for and copy the "My Documents"
; to the redirected folder on the server. It works because the profiles
; are stored as \\server\profiles\user\architecture
IF NOT $RETURNCODE = 0
IF EXIST("\\massive\profiles\@userID\WinXP")
copy "\\massive\profiles\@userID\WinXP\My Documents\*"
"\\massive\@userID\"
ENDIF
IF EXIST("\\massive\profiles\@userID\Win2K")
copy "\\massive\profiles\@userID\Win2K\My Documents\*"
"\\massive\@userID\"
ENDIF
IF EXIST("\\massive\profiles\@userID\WinNT")
copy "\\massive\profiles\@userID\WinNT\My Documents\*"
"\\massive\@userID\"
ENDIF
</screen>
</example>
<example id="ch8kix3b">
<title>Kixtart Control File &smbmdash; File: setup.kix, Part B</title>
<screen>
; Now we will write the registry values to redirect the locations of "My
Documents"
; and other folders.
ADDKEY("HKEY_CURRENT_USER\abmas\profile_copied")
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\User
Shell Folders", "Personal","\\massive\@userID","REG_SZ")
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\User
Shell Folders", "My Pictures", "\\massive\@userID\My Pictures", "REG_SZ")
IF @PRODUCTTYPE="Windows 2000 Professional" or @PRODUCTTYPE="Windows XP
Professional"
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\User
Shell Folders", "My Videos", "\\massive\@userID\My Videos", "REG_SZ")
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\User
Shell Folders", "My Music", "\\massive\@userID\My Music", "REG_SZ")
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\User
Shell Folders", "My eBooks", "\\massive\@userID\My eBooks", "REG_SZ")
ENDIF
ENDIF
ENDIF
; Now we will delete the FIRST_LOGIN sub-key that we made before.
; Note - to run this script again you will want to delete the HKCU\abmas
; sub-key, log out, and log back in.
$RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
IF $RETURNVALUE = 0
DELKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
ENDIF
</screen>
</example>
<example id="ch8kix4">
<title>Kixtart Control File &smbmdash; File: acct.kix</title>
<screen>
; And here is one group-oriented script to show what can be
; done that way: acct.kix:
IF INGROUP("MASSIVE\Acct_Admin","MASSIVE\HR")
USE I: \\MEGANET2\HR_PR
ENDIF
; Set up printer
$RETURNVALUE = existkey("HKEY_CURRENT_USER\Printers\,,massive,acct_hp8500")
IF NOT $RETURNVALUE = 0
ADDPRINTERCONNECTION("\\massive\acct_hp8500")
SETDEFAULTPRINTER("\\massive\acct_hp8500")
ENDIF
; Set up drive mappings
USE M: \\massive\ACCT
IF INGROUP("MEGANET2\ABRA")
USE T: \\trussrv\abra
ENDIF
</screen>
</example>
<para>
As you can see in the script, I redirected the My Documents to the user's home
share if he or she were not in the Laptop group. I also added printers on a
group-by-group basis, and if applicable I set the group printer. For this to
be effective, the print drivers must be installed on the Samba server in the
<filename>[print$]</filename> share. Ample documentation exists about how to
do that, so it is not covered here.
</para>
<para>
I call this script via the logon.bat script in the [netlogon] directory:
<screen>
\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f
</screen>
I only had to fully qualify the paths for Windows 9x, as Windows NT and
greater automatically add [NETLOGON] to the path.
</para>
<para>
Also of note for Win9x is that the drive mappings and printer setup will not
work because they rely on RPC. You merely have to put the appropriate settings
into the <filename>c:\autoexec.bat</filename> file or map the drives manually.
One option is to check the OS as part of the Kixtart script, and if it
is Win9x and is the first login, copy a premade
<filename>autoexec.bat</filename> to the <filename>C:</filename> drive. I
have onlythree such machines, and one is going away in the very near future,
so it was easier to do it by hand.
</para>
<para>
<indexterm><primary>upgrade</primary></indexterm>
At this point I was able to add the users. This is the part that really falls
into upgrade. I moved the users over one group at a time, starting with the
people who used the least amount of resources on the network. With each group
that I moved, I first logged on as a standard user in that group and took
careful note of the environment, mainly the printers he or she used, the PATH,
and what network resources he or she had access to (most importantly, which ones
the user actually needed access to).
</para>
<para>
I then added the user's SambaSamAccount information as mentioned earlier,
and join the computer to the domain. The very first thing I had to do was to
copy the user's profile to the new server. This was very important, and I really
struggled with the most effective way to do it. Here is the method that worked
for every one of my users on Windows NT, 2000, and XP:
</para>
<procedure>
<step><para>
Log in as the user on the domain. This creates the local copy
of the user's profile and copies it to the server as he or she logs out.
</para></step>
<step><para>
Reboot the computer and log in as the local machine administrator.
</para></step>
<step><para>
Right-click My Computer, click Properties, and navigate to the
user profiles tab (varies per version of Windows).
</para></step>
<step><para>
Select the user's local profile <constant>(COMPUTERNAME\username)</constant>,
and click the <command>Copy To</command> button.
</para></step>
<step><para>
In the next dialog, copy it directly to the profiles share on the
Samba server (\\PDCname\profiles\user\<architecture> in my
case). You will have had to make a connection to the share as that
user (e.g., Windows Explorer type \\PDCname\profiles\username).
</para></step>
<step><para>
When the copy is complete (it can take a while) log out, and log back in
as the user. All of his or her settings and all contents of My Documents,
Favorites, and the registry should have been copied successfully.
</para></step>
<step><para>
If it doesn't look right (the dead giveaway is the desktop background),
shut down the computer without logging out (power cycle) and try logging
in as the user again. If it still doesn't work, repeat the steps above.
I only had to ever repeat it once.
</para></step>
</procedure>
<para>
Words to the Wise:
</para>
<itemizedlist>
<listitem><para>
If the user was anything other than a standard user on his or her system
before, you will save yourself some headaches by giving him or her identical
permissions (on the local machine) as his or her domain account <emphasis>before</emphasis>
copying the profile over. Do this through the User Administrator
in the Control Panel, after joining the computer to the domain and
before logging on as that user for the first time. Otherwise the user will
have trouble with permissions on his or her registry keys.
</para></listitem>
<listitem><para>
If any application was installed for the user only, rather than for
the entire system, it will probably not work without being reinstalled.
</para></listitem>
</itemizedlist>
<para>
After all these steps are accomplished, only cleanup details are left. Make sure user's
shortcuts and Network Places point to the appropriate place on the new server, check
the important applications to be sure they work as expected and troubleshoot any problems
that might arise, and check to be sure the user's printers are present and working. By the
way, if there are any network printers installed as system printers (the Novell way),
you will need to log in as a local administrator and delete them.
</para>
<para>
For my non-laptop systems, I would then log in and out a couple times as the user
to be sure that his or her registry settings were modified, and then I was finished.
</para>
<para>
Some compatibility issues that cropped up included the following:
</para>
<para>
Blackberry client: It did not like having its registry settings moved around
and so had to be reinstalled. Also, it needed write permissions to a portion of
the hard drive, and I had to give it those manually on the one system where
this was an issue.
</para>
<para>
CAMedia: Digital camera software for Canon cameras caused all kinds of trouble
with the registry. I had to use the Run as service to open the registry of
the local user while logged in as the domain user, and give the domain user
the appropriate permissions to some registry keys, then export that portion
of the registry to a file. Then, as the domain user, I had to import that file
into the registry.
</para>
<para>
Crystal Reports version 7: More registry problems that were solved by recopying
the user's profile.
</para>
<para>
Printing from legacy applications: I found out that Novell sends its jobs to
the printer in a raw format. CUPS sends them in PostScript by default. I had
to make a second printer definition for one printer and tell CUPS specifically
to send raw data to the printer, then assign this printer to the LPT port with
Kixtart's version of the net use command.
</para>
<para>
These were all eventually solved by elbow grease, queries to the Samba mailing
list and others, and diligence. The complete migration took about 5 weeks.
My userbase is relatively small but includes multiple versions of Windows,
multiple Linux member servers, a mechanized saw, a pen plotter, and legacy
applications written in Qbasic and R:Base, just to name a few. I actually
ended up making some of these applications work better (or work again, as
some of them had stopped functioning on the old server) because as part of
the process I had to find out how things were supposed to work.
</para>
<para>
The one thing I have not been able to get working is a very old database that
we had around for reference purposes; it uses Novell's Btrieve engine.
</para>
<para>
As the resources compare, I went from 95 percent disk usage to just around 10 percent.
I went from a very high load on the server to an average load of between one
and two runnable processes on the server. I have improved the security and
robustness of the system. I have also implemented
<ulink url="http://www.clamav.net">ClamAV</ulink> antivirus software,
which scans the entire Samba server for viruses every 2 hours and
quarantines them. I have found it much less problematic than our ancient
version of Norton Antivirus Corporate Edition, and much more up-to-date.
</para>
<para>
In short, my users are much happier now that the new server is running, and that
is what is important to me.
</para>
</sect3>
</sect2>
</sect1>
</chapter>
|