diff options
Diffstat (limited to 'docs-xml/Samba3-ByExample/SBE-MigrateNW4Samba3.xml')
| -rw-r--r-- | docs-xml/Samba3-ByExample/SBE-MigrateNW4Samba3.xml | 1798 |
1 files changed, 1798 insertions, 0 deletions
diff --git a/docs-xml/Samba3-ByExample/SBE-MigrateNW4Samba3.xml b/docs-xml/Samba3-ByExample/SBE-MigrateNW4Samba3.xml new file mode 100644 index 00000000000..5bf8553e5b0 --- /dev/null +++ b/docs-xml/Samba3-ByExample/SBE-MigrateNW4Samba3.xml @@ -0,0 +1,1798 @@ +<?xml version="1.0" encoding="iso-8859-1"?> +<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> +<chapter id="nw4migration"> + <title>Migrating NetWare Server to Samba-3</title> + + <para> + <indexterm><primary>Novell</primary></indexterm> + <indexterm><primary>SUSE</primary></indexterm> + Novell is a company any seasoned IT manager has to admire. It has become increasingly + Linux-friendly and is emerging out of a deep regression that almost saw the company + disappear into obscurity. Novell's SUSE Linux hosts the NetWare server and it is the + platform of choice to which many older NetWare servers are being migrated. + It will be interesting to see what becomes of NetWare over time. + Meanwhile, there can be no denying that Novell is a Linux company. + </para> + + <para> + <indexterm><primary>Red Hat</primary></indexterm> + <indexterm><primary>Debian</primary></indexterm> + <indexterm><primary>Gentoo</primary></indexterm> + <indexterm><primary>Mandrake</primary></indexterm> + Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian, + Gentoo, Mandrake, or SUSE (Novell), the information in this chapter should be read with + the knowledge that file locations may vary a little; even so, the information + in this chapter should provide something of value. + </para> + + <para> + <indexterm><primary>migration</primary></indexterm> + Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many + years who surfaced on the Samba mailing list with a barrage of questions and who + regularly helps other administrators to solve thorny Samba migration questions. + </para> + + <para> + <indexterm><primary>NetWare</primary></indexterm> + <indexterm><primary>NLM</primary></indexterm> + <indexterm><primary>NetWare</primary></indexterm> + <indexterm><primary>Mars_NWE</primary></indexterm> + One wonders how many NetWare servers remain in active service. Many are being migrated + to Samba on Linux. Red Hat Linux, SUSE Linux 9.x, and SUSE Linux Enterprise Server 9 are + ideal target platforms to which a NetWare server may be migrated. The migration method + of choice is much dependent on the tools that the administrator finds most natural to use. + The old-hand NetWare guru will likely want to use tools like the NetWare NLM for + <command>rsync</command> to migrate files from the NetWare server to the Samba server. + The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stovers' NetWare + Emulator) open source package. The MS Windows network administrator will likely make use of the + NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice, + migration will be filled with joyous and challenging moments &smbmdash; though probably not + concurrently. + </para> + + <para> + The priority that Misty faced was one of migration of the data files off the NetWare 4.11 + server and onto a Samba-based Windows file and print server. This chapter does not pretend + to document all the different methods that could be used to migrate user and group accounts + off a NetWare server. Its focus is on migration of data files. + </para> + + <para> + This chapter tells its own story, so ride along. Maybe the information presented here + will help to smooth over a similar migration challenge in your favorite networking environment. + </para> + + <para> + File paths have been modified to permit use of RPM packages provided by Novell. In the + original documentation contributed by Misty, the Courier-IMAP package had been built + directly from the original source tarball. + </para> + +<sect1> + <title>Introduction</title> + + <para> + <indexterm><primary>Novell</primary></indexterm> + Misty Stanley-Jones was recruited by Abmas to administer a network that had + not received much attention for some years and was much in need of a makeover. + As a brand-new sysadmin to this company, she inherited a very old Novell file server + and came with a determination to change things for the better. + </para> + + <para> + A site survey turned up the following details for the old NetWare server: + </para> + + <simplelist> + <member><para>200 MHz MMX processor</para></member> + <member><para>512K RAM</para></member> + <member><para>24 GB disk space in RAID1</para></member> + <member><para>Novell 4.11 patched to service pack 7</para></member> + <member><para>60+ users</para></member> + <member><para>7 network-attached printers</para></member> + </simplelist> + + <para> + The company had outgrown this server several years before and was dealing with + severe growing pains. Some of the problems experienced were: + </para> + + <itemizedlist> + <listitem> + <para>Very slow performance</para> + </listitem> + <listitem> + <para>Available storage hovering around the 5% range</para> + <itemizedlist> + <listitem> + <para>Extremely slow print spooling.</para> + </listitem> + <listitem> + <para> + Users storing information on their local hard + drives, causing backup integrity problems + </para> + </listitem> + </itemizedlist> + </listitem> + </itemizedlist> + + <para> + <indexterm><primary>payroll</primary></indexterm> + At one point disk space had filled up to 100 percent, causing the payroll database + to become corrupt. This caused the accounting department to be down for over + a week and necessitated deployment of another file server. The replacement + server was created with very poor security and design considerations from + a discarded desktop PC. + </para> + + <sect2> + <title>Assignment Tasks</title> + + <para> + Misty has provided this summary of her migration experience in the hope + that it will help someone to avoid the challenges she faced. Perhaps her + configuration files and background will accelerate your learning as you + grapple with a similar migration challenge. Let there be no confusion, + the information presented in this chapter is provided to demonstrate + how Misty dealt with a particular NetWare migration requirement, and + it provides an overall approach to the implementation of a Samba-3 + environment that is significantly divergent from that presented in + <link linkend="happy"/>. + </para> + + <para> + The complete removal of all site-specific information in order to produce + a generic migration solution would rob this chapter of its character. + It should be recognized, therefore, that the examples given require + significant adaptation to suit local needs and thus + there are some gaps in the example files. That is not Misty's fault;it + is the result of treatment given to her files in an attempt to make + the overall information more useful to you. + </para> + + <para> + <indexterm><primary>cost-benefit</primary></indexterm> + After management reviewed a cost-benefit report as well as an estimated + time-to-completion, approval was given proceed with the solution proposed. + The server was built from purchased components. The total project cost + was $3,000. A brief description of the configuration follows: + </para> + + <simplelist> + <member> + <para>3.0 GHz P4 Processor</para> + </member> + <member> + <para>1 GB RAM</para> + </member> + <member> + <para>120 GB SATA operating system drive</para> + </member> + <member> + <para>4 x 80 GB SATA data drives (RAID5 240 GB capacity)</para> + </member> + <member> + <para>2 x 80 GB SATA removable drives for online backup</para> + </member> + <member> + <para>A DLT drive for asynchronous offline backup</para> + </member> + <member> + <para>SUSE Linux Professional 9.1</para> + </member> + </simplelist> + + <para> + The new system has operated for 6 months without problems. Over the past months + much attention has been focused on cleaning up desktops and user profiles. + </para> + + </sect2> +</sect1> + +<sect1> + <title>Dissection and Discussion</title> + + <para> + <indexterm><primary>LDAP</primary></indexterm> + <indexterm><primary>e-Directory</primary></indexterm> + <indexterm><primary>authentication</primary></indexterm> + <indexterm><primary>identity management</primary></indexterm> + A decision to use LDAP was made even though I knew nothing about LDAP except that + I had been reading the book <quote>LDAP System Administration,</quote> by Gerald Carter. + LDAP seemed to provide some of the functionality of Novell's e-Directory Services + and would provide centralized authentication and identity management. + </para> + + <para> + <indexterm><primary>database</primary></indexterm> + <indexterm><primary>RPM</primary></indexterm> + <indexterm><primary>tree</primary></indexterm> + Building the LDAP database took a while and a lot of trial and error. Following + the guidance I obtained from <quote>LDAP System + Administration,</quote> I installed OpenLDAP (from RPM; later I compiled + a more current version from source) and built my initial LDAP tree. + </para> + + <sect2> + <title>Technical Issues</title> + + <para> + <indexterm><primary>white-pages</primary></indexterm> + <indexterm><primary>inetOrgPerson</primary></indexterm> + <indexterm><primary>OpenLDAP</primary></indexterm> + <indexterm><primary>/etc/passwd</primary></indexterm> + <indexterm><primary>/etc/shadow</primary></indexterm> + <indexterm><primary>LDIF</primary></indexterm> + <indexterm><primary>IMAP</primary></indexterm> + <indexterm><primary>POP3</primary></indexterm> + <indexterm><primary>SMTP</primary></indexterm> + The first challenge was to create a company white pages, followed by manually + entering everything from the printed company directory. This used only the inetOrgPerson + object class from the OpenLDAP schemas. The next step was to write a shell script that + would look at the <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename> + files on our mail server and create an LDIF file from which the information could be + imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3, + and SMTP. + </para> + + <para> + Because a decision was made to use Courier-IMAP the schema <quote>authldap.schema</quote> + from the Courier-IMAP source, tarball is necessary to resolve Courier-specific LDAP directory + needs. Where the Courier-IMAP file provided by SUSE is used, this file is named + <filename>courier.schema</filename>. + </para> + + <para> + Looking back, it would have been much easier to populate the LDAP directory using a convenient + tool such as <command>phpLDAPAdmin</command> from the outset. An excessive amount of time was + spent trying to generate LDIF files that could be parsed using the <command>ldapmodify</command> + so that necessary changes could be written to the directory. This was a learning experience! + </para> + + <para> + An attempt was made to use the PADL POSIX account migration scripts, but I gave up trying to + make them work. Instead, even though it is most inelegant, I wrote a simple script that did + what I needed. It is enclosed as a simple example to demonstrate that you do not need to be + a guru to make light of otherwise painful repetition. This file is listed in <link linkend="sbeamg"/>. + </para> + +<example id="sbeamg"> +<title>A Rough Tool to Create an LDIF File from the System Account Files</title> +<screen> +#!/bin/bash + +cat /etc/passwd | while read l; do + uid=`echo $l | cut -d : -f 1` + uidNumber=`echo $l | cut -d : -f 3` + gidNumber=`echo $1 | cut -d : -f 4` + gecos=`echo $l | cut -d : -f 5` + homeDirectory=`echo $l | cut -d : -f 6` + loginShell=`echo $l | cut -d : -f 6` + userPassword=`cat /etc/shadow | grep $uid | cut -d : -f 2` + + echo "dn: cn=$gecos,ou=people,dc=mycompany,dc=com" + echo "objectClass: account" + echo "objectClass: posixAccount" + echo "cn: $gecos" + echo "uid: $uid" + echo "uidNumber: $uidNumber" + echo "gidNumber: $gidNumber" + echo "homeDirectory: $homeDirectory" + echo "loginShell: $loginShell" + echo "userPassword: $userPassword" +done +</screen> +</example> + + <note><para> + + The PADL MigrationTools are recommended for migration of the UNIX account information into + the LDAP directory. The tools consist of a set of Perl scripts for migration of users, groups, + aliases, hosts, netgroups, networks, protocols, PRCs, and services from the existing ASCII text + files (or from a name service such as NIS). This too set can be obtained from the <ulink url= + "http://www.padl.com">PADL Web site</ulink>. + </para></note> + + </sect2> + +</sect1> + +<sect1> + <title>Implementation</title> + + <para> + </para> + + <sect2> + <title>NetWare Migration Using LDAP Backend</title> + + <para> + The following software must be installed on the SUSE Linux Enterprise Server to perform + this migration: + </para> + + <simplelist> + <member><para>courier-imap</para></member> + <member><para>courier-imap-ldap</para></member> + <member><para>nss_ldap</para></member> + <member><para>openldap2-client</para></member> + <member><para>openldap2-devel (only for Samba compilation)</para></member> + <member><para>openldap2</para></member> + <member><para>pam_ldap</para></member> + <member><para>samba-3.0.20 or later</para></member> + <member><para>samba-client-3.0.20 or later</para></member> + <member><para>samba-winbind-3.0.20 or later</para></member> + <member><para>smbldap-tools Version 0.9.1</para></member> + </simplelist> + + <para> + Each software application must be carefully configured in preparation for migration. + The configuration files used at Abmas are provided as a guide and should be modified + to meet needs at your site. + </para> + + <sect3> + <title>LDAP Server Configuration</title> + + <para> + The <filename>/etc/openldap/slapd.conf</filename> file Misty used is shown here: +<programlisting> +#/etc/openldap/slapd.conf +# +# See slapd.conf(5) for details on configuration options. +# This file should NOT be world readable. +# +include /etc/openldap/schema/core.schema +include /etc/openldap/schema/cosine.schema +include /etc/openldap/schema/inetorgperson.schema +include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/samba3.schema +include /etc/openldap/schema/dhcp.schema +include /etc/openldap/schema/misc.schema +include /etc/openldap/schema/idpool.schema +include /etc/openldap/schema/eduperson.schema +include /etc/openldap/schema/commURI.schema +include /etc/openldap/schema/local.schema +include /etc/openldap/schema/courier.schema + +pidfile /var/run/slapd/run/slapd.pid +argsfile /var/run/slapd/run/slapd.args + +replogfile /data/ldap/log/slapd.replog + +# Load dynamic backend modules: +modulepath /usr/lib/openldap/modules + +####################################################################### +# Logging parameters +####################################################################### +loglevel 256 + +####################################################################### +# SASL and TLS options +####################################################################### +sasl-host ldap.corp.abmas.org +sasl-realm DIGEST-MD5 +sasl-secprops none +TLSCipherSuite HIGH:MEDIUM:+SSLV2 +TLSCertificateFile /etc/ssl/certs/private/abmas-cert.pem +TLSCertificateKeyFile /etc/ssl/certs/private/abmas-key.pem +password-hash {SSHA} +defaultsearchbase "dc=abmas,dc=biz" + +####################################################################### +# bdb database definitions +####################################################################### +database bdb +suffix "dc=abmas,dc=biz" +rootdn "cn=manager,dc=abmas,dc=biz" +rootpw {SSHA}gdo/dUvoT4ZJmULz3rUt6A3H/hBEduJ5 +directory /data/ldap +mode 0600 +# The following is for BDB to make it flush its data to disk every +# 500 seconds or 5kb of data +checkpoint 500 5 + +## For running slapindex +#readonly on + +## Indexes for often-requested attributes +index objectClass eq +index cn eq,sub +index sn eq,sub +index uid eq,sub +index uidNumber eq +index gidNumber eq +index sambaSID eq +index sambaPrimaryGroupSID eq +index sambaDomainName eq +index default sub +cachesize 2000 + +replica host=baa.corp.abmas.org:389 + suffix="dc=abmas,dc=biz" + binddn="cn=replica,dc=abmas,dc=biz" + credentials=verysecret + bindmethod=simple + tls=yes +replica host=ns.abmas.org:389 + suffix="dc=abmas,dc=biz" + binddn="cn=replica,dc=abmas,dc=biz" + credentials=verysecret + bindmethod=simple + tls=yes + +####################################################################### +# ACL section +####################################################################### +## MOST RESTRICTIVE RULES MUST GO FIRST! +# Admins get access to everything. This way I do not have to rename. +access to * + by group/groupOfUniqueNames/uniqueMember="cn=LDAP +Administrators,ou=groups,dc=abmas,dc=biz" write + by * break + +## Users can change their own passwords. +access to +attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet, +sambaPwdMustChange,sambaPwdCanChange + by self write + by * auth + +## Home contact info restricted to the logged-in user and the HR dept +access to attrs=hometelephoneNumber,homePostalAddress, +mobileTelephoneNumber,pagerTelephoneNumber + by group/groupOfUniqueNames/uniqueMember="cn=hr_admin, +ou=groups,dc=abmas,dc=biz" +write + by self write + by * none + +## Everyone can read email aliases +access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz" + by * read + +## Only admins can manage email aliases +## If someone is the role occupant of an alias they can change it -- this +## is accomplished by the "organizationalRole" objectclass and is +## pretty cool -- like a groupOfUniqueNames but for individual +## users. +access to dn.children="ou=Email Aliases,dc=abmas,dc=biz" + by dnattr=roleOccupant write + by * read + +## Admins and HR can add and delete users +access to dn.sub="ou=people,dc=abmas,dc=biz" + by group/groupOfUniqueNames/uniqueMember="cn=hr_admin, +ou=groups,dc=abmas,dc=biz" +write + by * read + +## Admins and HR can add and delete bizputers +access to dn.sub="ou=bizputers,dc=abmas,dc=biz" + by group/groupOfUniqueNames/uniqueMember="cn=hr_admin, +ou=groups,dc=abmas,dc=biz" +write + by * read + +## Admins and HR can add and delete groups +access to dn.sub="ou=groups,dc=abmas,dc=biz" + by group/groupOfUniqueNames/uniqueMember="cn=hr_admin, +ou=groups,dc=abmas,dc=biz" +write + by * read + +## This is used to quickly deactivate any LDAP object only +## Admins have access. +access to dn.sub="ou=inactive,dc=abmas,dc=biz" + by * none + +## This is for programs like Windows Address Book that can +## detect the default search base. +access to attrs=namingcontexts,supportedControl + by anonymous =cs + by * read + +## Default to read-only access +access to * + by dn.base="cn=replica,ou=people,dc=abmas,dc=biz" write + by * read +</programlisting> +</para> + + <para> + <indexterm><primary>/etc/ldap.conf</primary></indexterm> + The <filename>/etc/ldap.conf</filename> file used is listed in <link linkend="ch8ldap"/>. + </para> + +<example id="ch8ldap"> +<title>NSS LDAP Control File &smbmdash; /etc/ldap.conf</title> +<screen> +# /etc/ldap.conf +# This file is present on every *NIX client that authenticates to LDAP. +# For me, most of the defaults are fine. There is an amazing amount of +# customization that can be done see the man page for info. + +# Your LDAP server. Must be resolvable without using LDAP. The following +# is for the LDAP server all others use the FQDN of the server +URI ldap://127.0.0.1 + +# The distinguished name of the search base. +base ou=corp,dc=abmas,dc=biz + +# The LDAP version to use (defaults to 3 if supported by client library) +ldap_version 3 + +# The distinguished name to bind to the server with if the effective +# user ID is root. Password is stored in /etc/ldap.secret (mode 600) +rootbinddn cn=Manager,dc=abmas,dc=biz + +# Filter to AND with uid=%s +pam_filter objectclass=posixAccount + +# The user ID attribute (defaults to uid) +pam_login_attribute uid + +# Group member attribute +pam_member_attribute memberUID + +# Use the OpenLDAP password change +# extended operation to update the password. +pam_password exop + +# OpenLDAP SSL mechanism +# start_tls mechanism uses the normal LDAP port, LDAPS typically 636 +ssl start_tls + +tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem +... +</screen> +</example> + + <para> + The NSS control file <filename>/etc/nsswitch.conf</filename> has the following contents: +<screen> +# /etc/nsswitch.conf +# This file controls the resolve order for system databases. + +# the following two lines obviate the "+" entry in /etc/passwd and /etc/group. +passwd: compat ldap +group: compat ldap +# The above are all that I store in LDAP at this point. There are +# possibilities to store hosts, services, ethers, and lots of other things. +</screen> + </para> + + <para> + <indexterm><primary>PAM</primary></indexterm> + <indexterm><primary>NSS</primary></indexterm> + In my setup, users authenticate via PAM and NSS using LDAP-based accounts. + The configuration file that controls the behavior of the PAM <command>pam_unix2</command> + module is shown in <link linkend="sbepu2"/> file. + This works out of the box with the configuration files in this chapter. It + enables you to have no local accounts for users (it is highly advisable + to have a local account for the root user). Traps for the unwary include the following: + </para> + +<example id="sbepu2"> +<title>The PAM Control File <filename>/etc/security/pam_unix2.conf</filename></title> +<screen> +# pam_unix2 config file +# +# This file contains options for the pam_unix2.so module. +# It contains a list of options for every type of management group, +# which will be used for authentication, account management and +# password management. Not all options will be used from all types of +# management groups. +# +# At first, pam_unix2 will read this file and then uses the local +# options. Not all options can be set her global. +# +# Allowed options are: +# +# debug (account, auth, password, session) +# nullok (auth) +# md5 (password / overwrites /etc/default/passwd) +# bigcrypt (password / overwrites /etc/default/passwd) +# blowfish (password / overwrites /etc/default/passwd) +# crypt_rounds=XX +# none (session) +# trace (session) +# call_modules=x,y,z (account, auth, password) +# +# Example: +# auth: nullok +# account: +# password: nullok blowfish crypt_rounds=8 +# session: none +# +auth: use_ldap +account: use_ldap +password: use_ldap +session: none +</screen> +</example> + + <indexterm><primary>LDAP</primary></indexterm> + <indexterm><primary>authenticate</primary></indexterm> + <indexterm><primary>DNS</primary></indexterm> + <itemizedlist> + <listitem> + <para> + If your LDAP database goes down, nobody can authenticate except for root. + </para> + </listitem> + + <listitem> + <para> + If failover is configured incorrectly, weird behavior can occur. For example, + DNS can fail to resolve. + </para> + </listitem> + </itemizedlist> + + <para> + I do have two LDAP slave servers configured. That subject is beyond the scope + of this document, and steps for implementing it are well documented. + </para> + + <para> + The following services authenticate using LDAP: + </para> + <indexterm><primary>UNIX</primary></indexterm> + <indexterm><primary>Postfix</primary></indexterm> + <indexterm><primary>Courier-IMAP</primary></indexterm> + <simplelist> + <member><para>UNIX login/ssh</para></member> + <member><para>Postfix (SMTP)</para></member> + <member><para>Courier-IMAP/IMAPS/POP3/POP3S</para></member> + </simplelist> + + <para> + <indexterm><primary>white-pages</primary></indexterm> + <indexterm><primary>Windows Address Book</primary></indexterm> + Companywide white pages can be searched using an LDAP client + such as the one in the Windows Address Book. + </para> + + <para> + <indexterm><primary>LDAP</primary></indexterm> + <indexterm><primary>smbldap-tools</primary></indexterm> + Having gained a solid understanding of LDAP and a relatively workable LDAP tree + thus far, it was time to configure Samba. I compiled the latest stable Samba and + also installed the latest <command>smbldap-tools</command> from + <ulink url="http://idealx.com">Idealx</ulink>. + </para> + + <para> + The Samba &smb.conf; file was configured as shown in <link linkend="ch8smbconf"/>. + </para> + +<example id="ch8smbconf"> +<title>Samba Configuration File &smbmdash; smb.conf Part A</title> +<smbconfblock> +<smbconfcomment>Global parameters</smbconfcomment> +<smbconfsection name="[global]"/> +<smbconfoption name="workgroup">MEGANET2</smbconfoption> +<smbconfoption name="netbios name">MASSIVE</smbconfoption> +<smbconfoption name="server string">Corp File Server</smbconfoption> +<smbconfoption name="passdb backend">ldapsam:ldap://localhost</smbconfoption> +<smbconfoption name="pam password change">Yes</smbconfoption> +<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption> +<smbconfoption name="log level">1</smbconfoption> +<smbconfoption name="log file">/data/samba/log/%m.log</smbconfoption> +<smbconfoption name="name resolve order">wins host bcast</smbconfoption> +<smbconfoption name="time server">Yes</smbconfoption> +<smbconfoption name="printcap name">cups</smbconfoption> +<smbconfoption name="show add printer wizard">No</smbconfoption> +<smbconfoption name="cups options">Raw</smbconfoption> +<smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m "%u"</smbconfoption> +<smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption> +<smbconfoption name="add user to group script">/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</smbconfoption> +<smbconfoption name="delete user from group script">/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</smbconfoption> +<smbconfoption name="set primary group script">/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</smbconfoption> +<smbconfoption name="add machine script">/usr/local/sbin/smbldap-useradd -w "%m"</smbconfoption> +<smbconfoption name="logon script">logon.bat</smbconfoption> +<smbconfoption name="logon path">\\%L\profiles\%U\%a</smbconfoption> +<smbconfoption name="logon drive">H:</smbconfoption> +<smbconfoption name="logon home">\\%L\%U</smbconfoption> +<smbconfoption name="domain logons">Yes</smbconfoption> +<smbconfoption name="wins support">Yes</smbconfoption> +<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption> +<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption> +<smbconfoption name="ldap idmap suffix">ou=People</smbconfoption> +<smbconfoption name="ldap machine suffix">ou=People</smbconfoption> +<smbconfoption name="ldap passwd sync">Yes</smbconfoption> +<smbconfoption name="ldap suffix">ou=MEGANET2,dc=abmas,dc=biz</smbconfoption> +<smbconfoption name="ldap ssl">no</smbconfoption> +<smbconfoption name="ldap user suffix">ou=People</smbconfoption> +<smbconfoption name="admin users">root, "@Domain Admins"</smbconfoption> +<smbconfoption name="printer admin">"@Domain Admins"</smbconfoption> +<smbconfoption name="force printername">Yes</smbconfoption> +</smbconfblock> +</example> + +<example id="ch8smbconf2"> +<title>Samba Configuration File &smbmdash; smb.conf Part B</title> +<smbconfblock> +<smbconfsection name="[netlogon]"/> +<smbconfoption name="comment">Network logon service</smbconfoption> +<smbconfoption name="path">/data/samba/netlogon</smbconfoption> +<smbconfoption name="write list">"@Domain Admins"</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> + +<smbconfsection name="[profiles]"/> +<smbconfoption name="comment">Roaming Profile Share</smbconfoption> +<smbconfoption name="path">/data/samba/profiles/</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="profile acls">Yes</smbconfoption> +<smbconfoption name="veto files">desktop.ini</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[homes]"/> +<smbconfoption name="comment">Home Directories</smbconfoption> +<smbconfoption name="valid users">%S</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="create mask">0770</smbconfoption> +<smbconfoption name="veto files">desktop.ini</smbconfoption> +<smbconfoption name="hide files">desktop.ini</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[software]"/> +<smbconfoption name="comment">Software for %a computers</smbconfoption> +<smbconfoption name="path">/data/samba/shares/software/%a</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> + +<smbconfsection name="[public]"/> +<smbconfoption name="comment">Public Files</smbconfoption> +<smbconfoption name="path">/data/samba/shares/public</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> + +<smbconfsection name="[PDF]"/> +<smbconfoption name="comment">Location of documents printed to PDFCreator printer</smbconfoption> +<smbconfoption name="path">/data/samba/shares/pdf</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> +</smbconfblock> +</example> + +<example id="ch8smbconf3"> +<title>Samba Configuration File &smbmdash; smb.conf Part C</title> +<smbconfblock> +<smbconfsection name="[EVERYTHING]"/> +<smbconfoption name="comment">All shares</smbconfoption> +<smbconfoption name="path">/data/samba</smbconfoption> +<smbconfoption name="valid users">"@Domain Admins"</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> + +<smbconfsection name="[CDROM]"/> +<smbconfoption name="comment">CD-ROM on MASSIVE</smbconfoption> +<smbconfoption name="path">/mnt</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> + +<smbconfsection name="[print$]"/> +<smbconfoption name="comment">Printer Drivers Share</smbconfoption> +<smbconfoption name="path">/data/samba/drivers</smbconfoption> +<smbconfoption name="write list">root</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[printers]"/> +<smbconfoption name="comment">All Printers</smbconfoption> +<smbconfoption name="path">/data/samba/spool</smbconfoption> +<smbconfoption name="create mask">0644</smbconfoption> +<smbconfoption name="printable">Yes</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> + +<smbconfsection name="[acct_hp8500]"/> +<smbconfoption name="comment">"Accounting Color Laser Printer"</smbconfoption> +<smbconfoption name="path">/data/samba/spool/private</smbconfoption> +<smbconfoption name="valid users">@acct, @acct_admin, @hr, "@Domain Admins",@Receptionist, dwayne, terri, danae, jerry</smbconfoption> +<smbconfoption name="create mask">0644</smbconfoption> +<smbconfoption name="printable">Yes</smbconfoption> +<smbconfoption name="copy">printers</smbconfoption> + +<smbconfsection name="[plotter]"/> +<smbconfoption name="comment">Engineering Plotter</smbconfoption> +<smbconfoption name="path">/data/samba/spool</smbconfoption> +<smbconfoption name="create mask">0644</smbconfoption> +<smbconfoption name="printable">Yes</smbconfoption> +<smbconfoption name="use client driver">Yes</smbconfoption> +<smbconfoption name="copy">printers</smbconfoption> +</smbconfblock> +</example> + +<example id="ch8smbconf4"> +<title>Samba Configuration File &smbmdash; smb.conf Part D</title> +<smbconfblock> +<smbconfsection name="[APPS]"/> +<smbconfoption name="path">/data/samba/shares/Apps</smbconfoption> +<smbconfoption name="force group">"Domain Users"</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> + +<smbconfsection name="[ACCT]"/> +<smbconfoption name="path">/data/samba/shares/Accounting</smbconfoption> +<smbconfoption name="valid users">@acct, "@Domain Admins"</smbconfoption> +<smbconfoption name="force group">acct</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="create mask">0660</smbconfoption> +<smbconfoption name="directory mask">0770</smbconfoption> + +<smbconfsection name="[ACCT_ADMIN]"/> +<smbconfoption name="path">/data/samba/shares/Acct_Admin</smbconfoption> +<smbconfoption name="valid users">@”acct_admin”</smbconfoption> +<smbconfoption name="force group">acct_admin</smbconfoption> + +<smbconfsection name="[HR_PR]"/> +<smbconfoption name="path">/data/samba/shares/HR_PR</smbconfoption> +<smbconfoption name="valid users">@hr, @acct_admin</smbconfoption> +<smbconfoption name="force group">hr</smbconfoption> + +<smbconfsection name="[ENGR]"/> +<smbconfoption name="path">/data/samba/shares/Engr</smbconfoption> +<smbconfoption name="valid users">@engr, @receptionist, @truss, "@Domain Admins", cheri</smbconfoption> +<smbconfoption name="force group">engr</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="create mask">0770</smbconfoption> + +<smbconfsection name="[DATA]"/> +<smbconfoption name="path">/data/samba/shares/DATA</smbconfoption> +<smbconfoption name="valid users">@engr, @receptionist, @truss, "@Domain Admins", cheri</smbconfoption> +<smbconfoption name="force group">engr</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="create mask">0770</smbconfoption> +<smbconfoption name="copy">engr</smbconfoption> +</smbconfblock> +</example> + +<example id="ch8smbconf5"> +<title>Samba Configuration File &smbmdash; smb.conf Part E</title> +<smbconfblock> +<smbconfsection name="[X]"/> +<smbconfoption name="path">/data/samba/shares/X</smbconfoption> +<smbconfoption name="valid users">@engr, @acct</smbconfoption> +<smbconfoption name="force group">engr</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="create mask">0770</smbconfoption> +<smbconfoption name="copy">engr</smbconfoption> + +<smbconfsection name="[NETWORK]"/> +<smbconfoption name="path">/data/samba/shares/network</smbconfoption> +<smbconfoption name="valid users">"@Domain Users"</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="create mask">0770</smbconfoption> +<smbconfoption name="guest ok">Yes</smbconfoption> + +<smbconfsection name="[UTILS]"/> +<smbconfoption name="path">/data/samba/shares/Utils</smbconfoption> +<smbconfoption name="write list">"@Domain Admins"</smbconfoption> + +<smbconfsection name="[SYS]"/> +<smbconfoption name="path">/data/samba/shares/SYS</smbconfoption> +<smbconfoption name="valid users">chad</smbconfoption> +<smbconfoption name="read only">No</smbconfoption> +<smbconfoption name="browseable">No</smbconfoption> +</smbconfblock> +</example> + + <para> + <indexterm><primary>Qbasic</primary></indexterm> + <indexterm><primary>Rbase</primary></indexterm> + <indexterm><primary>drive letters</primary></indexterm> + Most of these shares are only used by one company group, but they are required + because of some ancient Qbasic and Rbase applications were that written expecting + their own drive letters. + </para> + + <para> + <indexterm><primary>rsync</primary></indexterm> + <indexterm><primary>rsyncd.conf</primary></indexterm> + <indexterm><primary>synchronize</primary></indexterm> + Note: During the process of building the new server, I kept data files + up to date with the Novell server via use of <command>rsync</command>. + On a separate system (my workstation in fact), which could be rebooted + whenever necessary, I set up a mount point to the Novell server via + <command>ncpmount</command>. I then created a + <filename>rsyncd.conf</filename> to share that mount point out to my + new server, and synchronized once an hour. The script I used to synchronize + is shown in <link linkend="sbersync"/>. The files exclusion list I used + is shown in <link linkend="sbexcld"/>. The reason I had to have the + <command>rsync</command> daemon running on a system that could be + rebooted frequently is because <constant>ncpfs</constant> + (part of the MARS NetWare Emulation package) has a nasty habit of creating stale + mount points that cannot be recovered without a reboot. The reason for hourly + synchronization is because some part of the chain was very slow and + performance-heavy (whether <command>rsync</command> itself, the network, + or the Novell server, I am not sure, but it was probably the Novell server). + </para> + +<example id="sbersync"> +<title>Rsync Script</title> +<screen> +#!/bin/bash +# Part 1 - rsync the Novell directories to the new server +echo "#############################################" +echo "New sync operation starting at `date`" +if ! pgrep -fl '^rsync\> ; then + echo "Good, no rsync is running!" + echo "Synchronizing oink to BHPRO" + rsync -av --exclude-from=/root/excludes.txt +baa.corp:/BHPRO/SYS1/ /data/samba/shares/SYS1 + retval=$? + [ ${retval} = 0 ] && echo "Sync operation completed at `date`" + echo "Fixing permissions" + # I had a whole lot more permission-fixing stuff here. It got + # pared down as groups got moved over. The problem + # was that the way I was mounting the directory, everything + # was owned by the Novell administrator which translated to + # Root. This is also why I could only do one-way sync because + # I could not fix the ACLs on the Novell side. + find /data/samba/shares/Engr/ -perm +770 -exec chmod 770 {} \; + find /data/samba/shares/Engr/ ! -group engr -exec chgrp engr {} \; +else + # This rsync took ages and ages -- I had it set to run every hour but + # I needed a way to prevent it running into itself. + echo "Oh no, rsync is already running!" +echo "#############################################" +fi +</screen> +</example> + +<example id="sbexcld"> +<title>Rsync Files Exclusion List &smbmdash; <filename>/root/excludes.txt</filename></title> +<screen> +/Acct/ +/Apps/ +/DATA/ +/Engr/*.pc3 +/Engr/plotter +/Engr/APPOLO/ +/Engr/LIBRARY/ +/Home/Accounting/ +/Home/Angie/ +/Home/AngieY/ +/Home/Brandon/ +/Home/Carl/ +</screen> +</example> + + <para> + After Samba was configured, I initialized the LDAP database. The first + thing I had to do was store the LDAP password in the Samba configuration by + issuing the command (as root): +<screen> +&rootprompt; smbpasswd -w verysecret +</screen> + where <quote>verysecret</quote> is replaced by the LDAP bind password. + </para> + +<note><para> +The Idealx smbldap-tools package can be configured using a script called +<command>configure.pl</command> that is provided as part of the tool. See <link linkend="happy"/> +for an example of its use. Many administrators, like Misty, choose to do this manually +so as to maintain greater awareness of how the tool-chain works and possibly to avoid +undesirable actions from occurring unnoticed. +</para></note> + + <para> + Now Samba was ready for use and it was time to configure the smbldap-tools. There are two + relevant files, which are usually put into the directory + <filename>/etc/smbldap-tools</filename>. The main file, + <filename>smbldap.conf</filename> is shown in <link linkend="ch8ideal"/>. + </para> + +<example id="ch8ideal"> +<title>Idealx smbldap-tools Control File &smbmdash; Part A</title> +<screen> +######### +# +# located in /etc/smbldap-tools/smbldap.conf +# +###################################################################### +# +# General Configuration +# +###################################################################### + +# Put your own SID +# to obtain this number do: net getlocalsid +SID="S-1-5-21-725326080-1709766072-2910717368" + +###################################################################### +# +# LDAP Configuration +# +###################################################################### + +# Notes: to use to dual ldap servers backend for Samba, you must patch +# Samba with the dual-head patch from IDEALX. If not using this patch +# just use the same server for slaveLDAP and masterLDAP. +# Those two servers declarations can also be used when you have +# . one master LDAP server where all writing operations must be done +# . one slave LDAP server where all reading operations must be done +# (typically a replication directory) + +# Ex: slaveLDAP=127.0.0.1 +slaveLDAP="127.0.0.1" +slavePort="389" + +# Master LDAP : needed for write operations +# Ex: masterLDAP=127.0.0.1 +masterLDAP="127.0.0.1" +masterPort="389" + +# Use TLS for LDAP +# If set to 1, this option will use start_tls for connection +# (you should also used the port 389) +ldapTLS="0" + +# How to verify the server's certificate (none, optional or require) +# see "man Net::LDAP" in start_tls section for more details +verify="" +</screen> +</example> + +<example id="ch8ideal2"> +<title>Idealx smbldap-tools Control File &smbmdash; Part B</title> +<screen> +# CA certificate +# see "man Net::LDAP" in start_tls section for more details +cafile="" + certificate to use to connect to the ldap server +# see "man Net::LDAP" in start_tls section for more details +clientcert="" + +# key certificate to use to connect to the ldap server +# see "man Net::LDAP" in start_tls section for more details +clientkey="" + +# LDAP Suffix +# Ex: suffix=dc=IDEALX,dc=ORG +suffix="ou=MEGANET2,dc=abmas,dc=biz" + +# Where are stored Users +# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG" +usersdn="ou=People,${suffix}" + +# Where are stored Computers +# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG" +computersdn="ou=People,${suffix}" + +# Where are stored Groups +# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG" +groupsdn="ou=Groups,${suffix}" + +# Where are stored Idmap entries +# (used if samba is a domain member server) +# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG" +idmapdn="ou=Idmap,${suffix}" + +# Where to store next uidNumber and gidNumber available +sambaUnixIdPooldn="sambaDomainName=MEGANET2,${suffix}" + +# Default scope Used +scope="sub" +</screen> +</example> + +<example id="ch8ideal3"> +<title>Idealx smbldap-tools Control File &smbmdash; Part C</title> +<screen> +# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) +hash_encrypt="MD5" + +# if hash_encrypt is set to CRYPT, you may set a salt format. +# default is "%s", but many systems will generate MD5 hashed +# passwords if you use "$1$%.8s". This parameter is optional! +crypt_salt_format="%s" + +###################################################################### +# +# Unix Accounts Configuration +# +###################################################################### + +# Login defs +# Default Login Shell +# Ex: userLoginShell="/bin/bash" +userLoginShell="/bin/false" + +# Home directory +# Ex: userHome="/home/%U" +userHome="/home/%U" + +# Gecos +userGecos="Samba User" + +# Default User (POSIX and Samba) GID +defaultUserGid="513" + +# Default Computer (Samba) GID +defaultComputerGid="515" + +# Skel dir +skeletonDir="/etc/skel" + +# Default password validation time (time in days) Comment the next +# line if you don't want password to be enable for +# defaultMaxPasswordAge days (be careful to the sambaPwdMustChange +# attribute's value) +defaultMaxPasswordAge="45" +</screen> +</example> + +<example id="ch8ideal4"> +<title>Idealx smbldap-tools Control File &smbmdash; Part D</title> +<screen> +###################################################################### +# +# SAMBA Configuration +# +###################################################################### + +# The UNC path to home drives location (%U username substitution) +# Ex: \\My-PDC-netbios-name\homes\%U +# Just set it to a null string if you want to use the smb.conf +# 'logon home' directive and/or disable roaming profiles +userSmbHome="" + +# The UNC path to profiles locations (%U username substitution) +# Ex: \\My-PDC-netbios-name\profiles\%U +# Just set it to a null string if you want to use the smb.conf +# 'logon path' directive and/or disable roaming profiles +userProfile="" + +# The default Home Drive Letter mapping +# (will be automatically mapped at logon time if home directory exist) +# Ex: H: for H: +userHomeDrive="" + +# The default user netlogon script name (%U username substitution) +# if not used, will be automatically username.cmd +# make sure script file is edited under DOS +# Ex: %U.cmd +# userScript="startup.cmd" # make sure script file is edited under DOS +userScript="" + +# Domain appended to the users "mail"-attribute +# when smbldap-useradd -M is used +mailDomain="abmas.org" + +###################################################################### +# +# SMBLDAP-TOOLS Configuration (default are ok for a RedHat) +# +###################################################################### +# Allows not to use smbpasswd +# (if with_smbpasswd == 0 in smbldap_conf.pm) but +# prefer Crypt::SmbHash library +with_smbpasswd="0" +smbpasswd="/usr/bin/smbpasswd" +</screen> +</example> + + <para> + <indexterm><primary>TLS</primary></indexterm> + Note: I chose not to take advantage of the TLS capability of this. + Eventually I may go back and tweak it. Also, I chose not to take advantage + of the master/slave configuration as I heard horror stories that it was + unstable. My slave servers are replicas only. + </para> + + <para> + The <filename>/etc/smbldap-tools/smbldap_bind.conf</filename> file is shown here: +<screen> +# smbldap_bind.conf +# +# This file simply tells smbldap-tools how to bind to your LDAP server. +# It has to be a DN with full write access to the Samba portion of +# the database. + +############################ +# Credential Configuration # +############################ +# Notes: you can specify two different configurations if you use a +# master ldap for writing access and a slave ldap server for reading access +# By default, we will use the same DN (so it will work for standard Samba +# release) +slaveDN="cn=Manager,dc=abmas,dc=biz" +slavePw="verysecret" +masterDN="cn=Manager,dc=abmas,dc=biz" +masterPw="verysecret" +</screen> + </para> + + <para> + The next step was to run the <command>smbldap-populate</command> command, which populates + the LDAP tree with the appropriate default users, groups, and UID and GID pools. + It creates a user called Administrator with UID=0 and GID=0 matching the + Domain Admins group. This is fine because you can still log on as root to a Windows system, + but it will break cached credentials if you need to log on as the administrator + to a system that is not on the network. + </para> + + <para> + After the LDAP database has been preloaded, it is prudent to validate that the + information needed is in the LDAP directory. This can be done done by restarting + the LDAP server, then performing an LDAP search by executing: +<screen> +&rootprompt; ldapsearch -W -x -b "dc=abmas,dc=biz"\ + -D "cn=Manager,dc=abmas,dc=biz" \ + "(Objectclass=*)" +Enter LDAP Password: +# extended LDIF +# +# LDAPv3 +# base <dc=abmas,dc=biz> with scope sub +# filter: (ObjectClass=*) +# requesting: ALL +# + +# abmas.biz +dn: dc=abmas,dc=biz +objectClass: dcObject +objectClass: organization +o: abmas +dc: abmas + +# People, abmas.biz +dn: ou=People,dc=abmas,dc=biz +objectClass: organizationalUnit +ou: People + +# Groups, abmas.biz +dn: ou=Groups,dc=abmas,dc=biz +objectClass: organizationalUnit +ou: Groups + +# Idmap, abmas.biz +dn: ou=Idmap,dc=abmas,dc=biz +objectClass: organizationalUnit +ou: Idmap +... +</screen> + </para> + + <para> + <indexterm><primary>Windows</primary></indexterm> + <indexterm><primary>POSIX</primary></indexterm> + <indexterm><primary>smbldap-groupadd</primary></indexterm> + <indexterm><primary>RID</primary></indexterm> + <indexterm><primary>sambaGroupMapping</primary></indexterm> + With the LDAP directory now initialized, it was time to create the Windows and POSIX + (UNIX) group accounts as well as the mappings from Windows groups to UNIX groups. + The easiest way to do this was to use <command>smbldap-groupadd</command> command. + It creates the group with the posixGroup and sambaGroupMapping attributes, a + unique GID, and an automatically determined RID. I learned the hard way not to + try to do this by hand. + </para> + + <para> + <indexterm><primary>group mapping</primary></indexterm> + <indexterm><primary>smbldap-groupmod</primary></indexterm> + <indexterm><primary>memberUID</primary></indexterm> + After I had my group mappings in place, I added users to the groups (the users + don't really have to exist yet). I used the <command>smbldap-groupmod</command> + command to accomplish this. It can also be done manually by adding memberUID + attributes to the group entries in LDAP. + </para> + + <para> + <indexterm><primary>sambaSamAccount</primary></indexterm> + <indexterm><primary>posixAccount</primary></indexterm> + <indexterm><primary>smbldap-usermod</primary></indexterm> + The most monumental task of all was adding the sambaSamAccount information to each + already existent posixAccount entry. I did it one at a time as I moved people onto + the new server, by issuing the command: +<screen> +&rootprompt; smbldap-usermod -a -P username +</screen> + <indexterm><primary>NetWare</primary></indexterm> + <indexterm><primary>LDIF</primary></indexterm> + <indexterm><primary>slapcat</primary></indexterm> + I completed that step for every user after asking the person what his or her current + NetWare password was. The wiser way to have done it would probably have been to dump the + entire database to an LDIF file. This can be done by executing: +<screen> +&rootprompt; slapcat > somefile.ldif +</screen> + <indexterm><primary>Perl</primary></indexterm> + <indexterm><primary>objectClass</primary></indexterm> + Then update the LDIF file created by using a Perl script to parse and add the + appropriate attributes and objectClasses to each entry, followed by re-importing + the entire database into the LDAP directory. + </para> + + <para> + Rebuilding of the LDAP directory can be done as follows: +<screen> +&rootprompt; rcldap stop +&rootprompt; cd /data/ldap +&rootprompt; rm *bdb _* log* +&rootprompt; su - ldap -c "slapadd -l somefile.ldif" +&rootprompt; rcldap start +</screen> + This can be done at any time and for any reason, with no harm to the database. + </para> + + <para> + I first added a test user, of course. The LDIF for this test user looks like + this, to give you an idea: +<screen> +# Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz +dn:cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz +cn: Test User +gecos: Test User +gidNumber: 513 +givenName: Test +homeDirectory: /home/test.user +homePhone: 555 +l: Somewhere +l: ST +mail: test.user +o: Corp +objectClass: top +objectClass: inetOrgPerson +objectClass: posixAccount +objectClass: sambaSamAccount +postalCode: 12345 +sn: User +street: 10 Some St. +uid: test.user +uidNumber: 1074 +sambaLogonTime: 0 +sambaLogoffTime: 2147483647 +sambaKickoffTime: 2147483647 +sambaPwdCanChange: 0 +displayName: Samba User +sambaSID: S-1-5-21-725326080-1709766072-2910717368-3148 +sambaLMPassword: 9D29C287C58448F9AAD3B435B51404EE +sambaAcctFlags: [U] +sambaNTPassword: D062088E99C95E37D7702287BB35E770 +sambaPwdLastSet: 1102537694 +sambaPwdMustChange: 1106425694 +userPassword: {SSHA}UzFZ2VxRGdwUueLnTGtsTBtnsvMO1oj8 +loginShell: /bin/false +</screen> + </para> + + <para> + Then I went over to a spare Windows NT machine and joined it to the MEGANET2 domain. + It worked, and the machine's account entry under ou=Computers looks like this: +<screen> +dn:uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz +objectClass: top +objectClass: inetOrgPerson +objectClass: posixAccount +objectClass: sambaSamAccount +cn: w2kengrspare$ +sn: w2kengrspare$ +uid: w2kengrspare$ +uidNumber: 1104 +gidNumber: 515 +homeDirectory: /dev/null +loginShell: /bin/false +description: Computer +gecos: Computer +sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208 +sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-2031 +displayName: W2KENGRSPARE$ +sambaPwdCanChange: 1103149236 +sambaPwdMustChange: 2147483647 +sambaNTPassword: CA199C45CB6737035DB6D9D9F6CD1834 +sambaPwdLastSet: 1103149236 +sambaAcctFlags: [W ] +</screen> + </para> + + <para> + <indexterm><primary>netlogon</primary></indexterm> + So now I could log on with a test user from the machine w2kengrspare. It was all well and + good, but that user was in no groups yet and so had pretty boring access. I fixed that + by writing the login script! To write the login script, I used + <ulink url="http://www.kixtart.org">Kixtart</ulink> because it will work + with every architecture of Windows, has an active and helpful user base, and was both + easier to learn and more powerful than the standard netlogon scripts I have seen. + I also did not have to do a logon script per user or per group. + </para> + + <para> + <indexterm><primary>Kixtart</primary></indexterm> + I downloaded Kixtart and put the following files in my netlogon share: +<screen> +KIX32.EXE +KX32.dll +KX95.dll <-- Not needed unless you are running Win9x clients. +kx16.dll <-- Probably not needed unless you are running DOS clients. +kxrpc.exe <-- Probably useless as it has to run on the server and can + only be run on NT. It's for Windows 95 to become group-aware. + We can get around the need. +</screen> + </para> + + <para> + <indexterm><primary>logon.kix</primary></indexterm> + I then wrote the <filename>logon.kix</filename> file that is shown in + <link linkend="ch8kix"/>. I chose to keep it all in one file, but it + can be split up and linked via include directives. + </para> + +<example id="ch8kix"> +<title>Kixtart Control File &smbmdash; File: logon.kix</title> +<screen> +; This script just calls the other scripts. + +; First we want to get things done for everyone. + +; Second, we do first-time login stuff. + +; Third, we go through the group-oriented scripts one at a time. + + +; We want to check for group membership here to avoid the overhead of running +; scripts which don't apply. +call "\\massive\netlogon\scripts\main.kix" +call "\\massive\netlogon\scripts\setup.kix" +IF INGROUP("MEGANET2\ACCT") + call "scripts\acct.kix" +ENDIF +IF INGROUP("MEGANET2\ENGR","MEGANET2\RECEPTIONIST") +call "\\massive\netlogon\scripts\engr.kix" +ENDIF +IF INGROUP("MEGANET2\FURN") + call "\\massive\netlogon\scripts\furn.kix" +ENDIF +IF INGROUP("MEGANET2\TRUSS") + call "\\massive\netlogon\scripts\truss.kix" +ENDIF +</screen> +</example> + +<example id="ch8kix2"> +<title>Kixtart Control File &smbmdash; File: main.kix</title> +<screen> +break on + +; Choose whether to hide the login window or not +IF INGROUP("MEGANET2\Domain Admins") + USE Z: \\massive\everything + SETCONSOLE("show") +ELSE + ; Nobody cares about seeing the login script except admins + SETCONSOLE("hide") +ENDIF + +; Delete all previously connected shares +USE * /delete + +SETTITLE("Logging on @USERID to @LDOMAIN at @TIME") + +; Set the time on the workstation +$Timeserver = "\\massive" +Settime $TimeServer + +; Map the home directory +USE H: @HOMESHR ; connect to user's home share +IF @ERROR = 0 + + H: + CD @HOMEDIR ; change directory to user's home directory +ENDIF + +; Everyone gets the N drive +USE N: \\massive\network +</screen> +</example> + +<example id="ch8kix3"> +<title>Kixtart Control File &smbmdash; File: setup.kix, Part A</title> +<screen> +; My setup.kix is where all of the redirection stuff happens. Note that with +; the use of registry keys, this only happens the first time they log in ,or if +; I delete the pertinent registry keys which triggers it to happen again: + +; Check to see if we have written the abmas sub-key before +$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas") +IF NOT $RETURNCODE = 0 +; Add key for abmas-specific things on the first login + ADDKEY("HKEY_CURRENT_USER\abmas") + ; The following key gets deleted at the end of the first login + ADDKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") +ENDIF + +; People with laptops need My Documents to be in their profile. People with +; desktops can have My Documents redirected to their home directory to avoid +; long delays with logging out and out-of-sync files. + +; Check to see if this is the first login -- doesn't make sense to do this +; at the very first login + +$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") +IF NOT $RETURNCODE = 0 + +; We don't want to do this stuff for people with laptops or people in the FURN +; group. (They store their profiles in a different server) + + IF NOT INGROUP("MASSIVE\Laptop","MASSIVE\FURN") + $RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\abmas\profile_copied") + +; A crude way to tell what OS our profile is for and copy the "My Documents" +; to the redirected folder on the server. It works because the profiles +; are stored as \\server\profiles\user\architecture + IF NOT $RETURNCODE = 0 + IF EXIST("\\massive\profiles\@userID\WinXP") + copy "\\massive\profiles\@userID\WinXP\My Documents\*" +"\\massive\@userID\" + ENDIF + IF EXIST("\\massive\profiles\@userID\Win2K") + copy "\\massive\profiles\@userID\Win2K\My Documents\*" +"\\massive\@userID\" + ENDIF + IF EXIST("\\massive\profiles\@userID\WinNT") + copy "\\massive\profiles\@userID\WinNT\My Documents\*" +"\\massive\@userID\" + ENDIF +</screen> +</example> + +<example id="ch8kix3b"> +<title>Kixtart Control File &smbmdash; File: setup.kix, Part B</title> +<screen> +; Now we will write the registry values to redirect the locations of "My +Documents" +; and other folders. + ADDKEY("HKEY_CURRENT_USER\abmas\profile_copied") + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "Personal","\\massive\@userID","REG_SZ") + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "My Pictures", "\\massive\@userID\My Pictures", "REG_SZ") + IF @PRODUCTTYPE="Windows 2000 Professional" or @PRODUCTTYPE="Windows XP +Professional" + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "My Videos", "\\massive\@userID\My Videos", "REG_SZ") + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "My Music", "\\massive\@userID\My Music", "REG_SZ") + WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ +Windows\CurrentVersion\Explorer\User +Shell Folders", "My eBooks", "\\massive\@userID\My eBooks", "REG_SZ") + ENDIF + ENDIF + ENDIF + +; Now we will delete the FIRST_LOGIN sub-key that we made before. +; Note - to run this script again you will want to delete the HKCU\abmas +; sub-key, log out, and log back in. +$RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") +IF $RETURNVALUE = 0 + DELKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") +ENDIF +</screen> +</example> + +<example id="ch8kix4"> +<title>Kixtart Control File &smbmdash; File: acct.kix</title> +<screen> +; And here is one group-oriented script to show what can be +; done that way: acct.kix: + +IF INGROUP("MASSIVE\Acct_Admin","MASSIVE\HR") + USE I: \\MEGANET2\HR_PR +ENDIF + +; Set up printer +$RETURNVALUE = existkey("HKEY_CURRENT_USER\Printers\,,massive,acct_hp8500") +IF NOT $RETURNVALUE = 0 + ADDPRINTERCONNECTION("\\massive\acct_hp8500") + SETDEFAULTPRINTER("\\massive\acct_hp8500") +ENDIF +; Set up drive mappings + USE M: \\massive\ACCT + IF INGROUP("MEGANET2\ABRA") + USE T: \\trussrv\abra + ENDIF +</screen> +</example> + + <para> + As you can see in the script, I redirected the My Documents to the user's home + share if he or she were not in the Laptop group. I also added printers on a + group-by-group basis, and if applicable I set the group printer. For this to + be effective, the print drivers must be installed on the Samba server in the + <filename>[print$]</filename> share. Ample documentation exists about how to + do that, so it is not covered here. + </para> + + <para> + I call this script via the logon.bat script in the [netlogon] directory: +<screen> +\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f +</screen> + I only had to fully qualify the paths for Windows 9x, as Windows NT and + greater automatically add [NETLOGON] to the path. + </para> + + <para> + Also of note for Win9x is that the drive mappings and printer setup will not + work because they rely on RPC. You merely have to put the appropriate settings + into the <filename>c:\autoexec.bat</filename> file or map the drives manually. + One option is to check the OS as part of the Kixtart script, and if it + is Win9x and is the first login, copy a premade + <filename>autoexec.bat</filename> to the <filename>C:</filename> drive. I + have only three such machines, and one is going away in the very near future, + so it was easier to do it by hand. + </para> + + <para> + <indexterm><primary>upgrade</primary></indexterm> + At this point I was able to add the users. This is the part that really falls + into upgrade. I moved the users over one group at a time, starting with the + people who used the least amount of resources on the network. With each group + that I moved, I first logged on as a standard user in that group and took + careful note of the environment, mainly the printers he or she used, the PATH, + and what network resources he or she had access to (most importantly, which ones + the user actually needed access to). + </para> + + <para> + I then added the user's SambaSamAccount information as mentioned earlier, + and join the computer to the domain. The very first thing I had to do was to + copy the user's profile to the new server. This was very important, and I really + struggled with the most effective way to do it. Here is the method that worked + for every one of my users on Windows NT, 2000, and XP: + </para> + + <procedure> + <step><para> + Log in as the user on the domain. This creates the local copy + of the user's profile and copies it to the server as he or she logs out. + </para></step> + + <step><para> + Reboot the computer and log in as the local machine administrator. + </para></step> + + <step><para> + Right-click My Computer, click Properties, and navigate to the + user profiles tab (varies per version of Windows). + </para></step> + + <step><para> + Select the user's local profile <constant>(COMPUTERNAME\username)</constant>, + and click the <command>Copy To</command> button. + </para></step> + + <step><para> + In the next dialog, copy it directly to the profiles share on the + Samba server (in my case \\PDCname\profiles\user\<architecture>. + You will have had to make a connection to the share as that + user (e.g., Windows Explorer type \\PDCname\profiles\username). + </para></step> + + <step><para> + When the copy is complete (it can take a while) log out, and log back in + as the user. All of his or her settings and all contents of My Documents, + Favorites, and the registry should have been copied successfully. + </para></step> + + <step><para> + If it doesn't look right (the dead giveaway is the desktop background), + shut down the computer without logging out (power cycle) and try logging + in as the user again. If it still doesn't work, repeat the steps above. + I only had to ever repeat it once. + </para></step> + + </procedure> + + <para> + Words to the Wise: + </para> + + <itemizedlist> + <listitem><para> + If the user was anything other than a standard user on his or her system + before, you will save yourself some headaches by giving him or her identical + permissions (on the local machine) as his or her domain account <emphasis>before</emphasis> + copying the profile over. Do this through the User Administrator + in the Control Panel, after joining the computer to the domain and + before logging on as that user for the first time. Otherwise the user will + have trouble with permissions on his or her registry keys. + </para></listitem> + + <listitem><para> + If any application was installed for the user only, rather than for + the entire system, it will probably not work without being reinstalled. + </para></listitem> + </itemizedlist> + + <para> + After all these steps are accomplished, only cleanup details are left. Make sure user's + shortcuts and Network Places point to the appropriate place on the new server, check + the important applications to be sure they work as expected and troubleshoot any problems + that might arise, and check to be sure the user's printers are present and working. By the + way, if there are any network printers installed as system printers (the Novell way), + you will need to log in as a local administrator and delete them. + </para> + + <para> + For my non-laptop systems, I would then log in and out a couple times as the user + to be sure that his or her registry settings were modified, and then I was finished. + </para> + + <para> + Some compatibility issues that cropped up included the following: + </para> + + <para> + Blackberry client: It did not like having its registry settings moved around + and so had to be reinstalled. Also, it needed write permissions to a portion of + the hard drive, and I had to give it those manually on the one system where + this was an issue. + </para> + + <para> + CAMedia: Digital camera software for Canon cameras caused all kinds of trouble + with the registry. I had to use the Run as service to open the registry of + the local user while logged in as the domain user, and give the domain user + the appropriate permissions to some registry keys, then export that portion + of the registry to a file. Then, as the domain user, I had to import that file + into the registry. + </para> + + <para> + Crystal Reports version 7: More registry problems that were solved by recopying + the user's profile. + </para> + + <para> + Printing from legacy applications: I found out that Novell sends its jobs to + the printer in a raw format. CUPS sends them in PostScript by default. I had + to make a second printer definition for one printer and tell CUPS specifically + to send raw data to the printer, then assign this printer to the LPT port with + Kixtart's version of the net use command. + </para> + + <para> + These were all eventually solved by elbow grease, queries to the Samba mailing + list and others, and diligence. The complete migration took about 5 weeks. + My userbase is relatively small but includes multiple versions of Windows, + multiple Linux member servers, a mechanized saw, a pen plotter, and legacy + applications written in Qbasic and R:Base, just to name a few. I actually + ended up making some of these applications work better (or work again, as + some of them had stopped functioning on the old server) because as part of + the process I had to find out how things were supposed to work. + </para> + + <para> + The one thing I have not been able to get working is a very old database that + we had around for reference purposes; it uses Novell's Btrieve engine. + </para> + + <para> + As the resources compare, I went from 95 percent disk usage to just around 10 percent. + I went from a very high load on the server to an average load of between one + and two runnable processes on the server. I have improved the security and + robustness of the system. I have also implemented + <ulink url="http://www.clamav.net">ClamAV</ulink> antivirus software, + which scans the entire Samba server for viruses every 2 hours and + quarantines them. I have found it much less problematic than our ancient + version of Norton Antivirus Corporate Edition, and much more up-to-date. + </para> + + <para> + In short, my users are much happier now that the new server is running, and that + is what is important to me. + </para> + + </sect3> + + </sect2> + +</sect1> + +</chapter> + |