<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. Migrating NetWare Server to Samba-3</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="ntmigration.html" title="Chapter 9. Migrating NT4 Domain to Samba-3"><link rel="next" href="RefSection.html" title="Part III. Reference Section"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" title="Chapter 10. Migrating NetWare Server to Samba-3"><div class="titlepage"><div><div><h2 class="title"><a name="nw4migration"></a>Chapter 10.
Migrating NetWare Server to Samba-3</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="nw4migration.html#id373183">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id373282">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id373359">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id373431">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id373599">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id373608">NetWare Migration Using LDAP Backend</a></span></dt></dl></dd></dl></div><p>
<a class="indexterm" name="id373052"></a>
<a class="indexterm" name="id373059"></a>
Novell is a company any seasoned IT manager has to admire. It has become increasingly
Linux-friendly and is emerging out of a deep regression that almost saw the company
disappear into obscurity. Novell's SUSE Linux hosts the NetWare server and it is the
platform of choice to which many older NetWare servers are being migrated.
It will be interesting to see what becomes of NetWare over time.
Meanwhile, there can be no denying that Novell is a Linux company.
</p><p>
<a class="indexterm" name="id373073"></a>
<a class="indexterm" name="id373080"></a>
<a class="indexterm" name="id373087"></a>
<a class="indexterm" name="id373093"></a>
Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian,
Gentoo, Mandrake, or SUSE (Novell), the information in this chapter should be read with
the knowledge that file locations may vary a little; even so, the information
in this chapter should provide something of value.
</p><p>
<a class="indexterm" name="id373106"></a>
Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many
years who surfaced on the Samba mailing list with a barrage of questions and who
regularly helps other administrators to solve thorny Samba migration questions.
</p><p>
<a class="indexterm" name="id373118"></a>
<a class="indexterm" name="id373125"></a>
<a class="indexterm" name="id373132"></a>
<a class="indexterm" name="id373139"></a>
One wonders how many NetWare servers remain in active service. Many are being migrated
to Samba on Linux. Red Hat Linux, SUSE Linux 9.x, and SUSE Linux Enterprise Server 9 are
ideal target platforms to which a NetWare server may be migrated. The migration method
of choice depends largely on the tools that the administrator finds most natural to use.
The old-hand NetWare guru will likely want to use tools like the NetWare NLM for
<code class="literal">rsync</code> to migrate files from the NetWare server to the Samba server.
The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stover's NetWare
Emulator) open source package. The MS Windows network administrator will likely make use of the
NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice,
migration will be filled with joyous and challenging moments, though probably not
concurrently.
</p><p>
The priority that Misty faced was one of migration of the data files off the NetWare 4.11
server and onto a Samba-based Windows file and print server. This chapter does not pretend
to document all the different methods that could be used to migrate user and group accounts
off a NetWare server. Its focus is on migration of data files.
</p><p>
This chapter tells its own story, so ride along. Maybe the information presented here
will help to smooth over a similar migration challenge in your favorite networking environment.
</p><p>
File paths have been modified to permit use of RPM packages provided by Novell. In the
original documentation contributed by Misty, the Courier-IMAP package had been built
directly from the original source tarball.
</p><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id373183"></a>Introduction</h2></div></div></div><p>
<a class="indexterm" name="id373190"></a>
Misty Stanley-Jones was recruited by Abmas to administer a network that had
not received much attention for some years and was much in need of a makeover.
As a brand-new sysadmin to this company, she inherited a very old Novell file server
and came with a determination to change things for the better.
</p><p>
A site survey turned up the following details for the old NetWare server:
</p><table border="0" summary="Simple list" class="simplelist"><tr><td>200 MHz MMX processor</td></tr><tr><td>512K RAM</td></tr><tr><td>24 GB disk space in RAID1</td></tr><tr><td>Novell 4.11 patched to service pack 7</td></tr><tr><td>60+ users</td></tr><tr><td>7 network-attached printers</td></tr></table><p>
The company had outgrown this server several years before and was dealing with
severe growing pains. Some of the problems experienced were:
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Very slow performance</p></li><li class="listitem"><p>Available storage hovering around the 5% range</p><div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem"><p>Extremely slow print spooling.</p></li><li class="listitem"><p>
Users storing information on their local hard
drives, causing backup integrity problems
</p></li></ul></div></li></ul></div><p>
<a class="indexterm" name="id373272"></a>
At one point disk space had filled up to 100 percent, causing the payroll database
to become corrupt. This caused the accounting department to be down for over
a week and necessitated deployment of another file server. The replacement
server was created with very poor security and design considerations from
a discarded desktop PC.
</p><div class="sect2" title="Assignment Tasks"><div class="titlepage"><div><div><h3 class="title"><a name="id373282"></a>Assignment Tasks</h3></div></div></div><p>
Misty has provided this summary of her migration experience in the hope
that it will help someone to avoid the challenges she faced. Perhaps her
configuration files and background will accelerate your learning as you
grapple with a similar migration challenge. Let there be no confusion:
the information presented in this chapter is provided to demonstrate
how Misty dealt with a particular NetWare migration requirement, and
it provides an overall approach to the implementation of a Samba-3
environment that is significantly divergent from that presented in
<a class="link" href="happy.html" title="Chapter 5. Making Happy Users">“Making Happy Users”</a>.
</p><p>
The complete removal of all site-specific information in order to produce
a generic migration solution would rob this chapter of its character.
It should be recognized, therefore, that the examples given require
significant adaptation to suit local needs and thus
there are some gaps in the example files. That is not Misty's fault; it
is the result of treatment given to her files in an attempt to make
the overall information more useful to you.
</p><p>
<a class="indexterm" name="id373311"></a>
After management reviewed a cost-benefit report as well as an estimated
time-to-completion, approval was given to proceed with the solution proposed.
The server was built from purchased components. The total project cost
was $3,000. A brief description of the configuration follows:
</p><table border="0" summary="Simple list" class="simplelist"><tr><td>
3.0 GHz P4 Processor
</td></tr><tr><td>
1 GB RAM
</td></tr><tr><td>
120 GB SATA operating system drive
</td></tr><tr><td>
4 x 80 GB SATA data drives (RAID5 240 GB capacity)
</td></tr><tr><td>
2 x 80 GB SATA removable drives for online backup
</td></tr><tr><td>
A DLT drive for asynchronous offline backup
</td></tr><tr><td>
SUSE Linux Professional 9.1
</td></tr></table><p>
The new system has operated for 6 months without problems. Over the past months
much attention has been focused on cleaning up desktops and user profiles.
</p></div></div><div class="sect1" title="Dissection and Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id373359"></a>Dissection and Discussion</h2></div></div></div><p>
<a class="indexterm" name="id373367"></a>
<a class="indexterm" name="id373374"></a>
<a class="indexterm" name="id373381"></a>
<a class="indexterm" name="id373388"></a>
A decision to use LDAP was made even though I knew nothing about LDAP except that
I had been reading the book <span class="quote">“<span class="quote">LDAP System Administration,</span>”</span> by Gerald Carter.
LDAP seemed to provide some of the functionality of Novell's e-Directory Services
and would provide centralized authentication and identity management.
</p><p>
<a class="indexterm" name="id373404"></a>
<a class="indexterm" name="id373411"></a>
<a class="indexterm" name="id373417"></a>
Building the LDAP database took a while and a lot of trial and error. Following
the guidance I obtained from <span class="quote">“<span class="quote">LDAP System
Administration,</span>”</span> I installed OpenLDAP (from RPM; later I compiled
a more current version from source) and built my initial LDAP tree.
</p><div class="sect2" title="Technical Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id373431"></a>Technical Issues</h3></div></div></div><p>
<a class="indexterm" name="id373439"></a>
<a class="indexterm" name="id373446"></a>
<a class="indexterm" name="id373452"></a>
<a class="indexterm" name="id373459"></a>
<a class="indexterm" name="id373466"></a>
<a class="indexterm" name="id373473"></a>
<a class="indexterm" name="id373480"></a>
<a class="indexterm" name="id373486"></a>
<a class="indexterm" name="id373493"></a>
The first challenge was to create a company white pages, followed by manually
entering everything from the printed company directory. This used only the inetOrgPerson
object class from the OpenLDAP schemas. The next step was to write a shell script that
would look at the <code class="filename">/etc/passwd</code> and <code class="filename">/etc/shadow</code>
files on our mail server and create an LDIF file from which the information could be
imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3,
and SMTP.
</p><p>
Because a decision was made to use Courier-IMAP, the schema <span class="quote">“<span class="quote">authldap.schema</span>”</span>
from the Courier-IMAP source tarball is necessary to resolve Courier-specific LDAP directory
needs. Where the Courier-IMAP file provided by SUSE is used, this file is named
<code class="filename">courier.schema</code>.
</p><p>
Looking back, it would have been much easier to populate the LDAP directory using a convenient
tool such as <code class="literal">phpLDAPAdmin</code> from the outset. An excessive amount of time was
spent trying to generate LDIF files that could be parsed using <code class="literal">ldapmodify</code>
so that necessary changes could be written to the directory. This was a learning experience!
</p><p>
An attempt was made to use the PADL POSIX account migration scripts, but I gave up trying to
make them work. Instead, even though it is most inelegant, I wrote a simple script that did
what I needed. It is enclosed as a simple example to demonstrate that you do not need to be
a guru to make light of otherwise painful repetition. This file is listed in <a class="link" href="nw4migration.html#sbeamg" title="Example 10.1. A Rough Tool to Create an LDIF File from the System Account Files">“A Rough Tool to Create an LDIF File from the System Account Files”</a>.
</p><div class="example"><a name="sbeamg"></a><p class="title"><b>Example 10.1. A Rough Tool to Create an LDIF File from the System Account Files</b></p><div class="example-contents"><pre class="screen">
#!/bin/bash
# Rough tool: emit one LDIF entry per /etc/passwd line, taking the password
# hash from the matching /etc/shadow line.

cat /etc/passwd | while read l; do
uid=`echo "$l" | cut -d : -f 1`
uidNumber=`echo "$l" | cut -d : -f 3`
gidNumber=`echo "$l" | cut -d : -f 4`
gecos=`echo "$l" | cut -d : -f 5`
homeDirectory=`echo "$l" | cut -d : -f 6`
loginShell=`echo "$l" | cut -d : -f 7`
# Anchor on "name:" so that "bob" does not also match "bobby".
userPassword=`grep "^$uid:" /etc/shadow | cut -d : -f 2`

echo "dn: cn=$gecos,ou=people,dc=mycompany,dc=com"
echo "objectClass: account"
echo "objectClass: posixAccount"
echo "cn: $gecos"
echo "uid: $uid"
echo "uidNumber: $uidNumber"
echo "gidNumber: $gidNumber"
echo "homeDirectory: $homeDirectory"
echo "loginShell: $loginShell"
# {CRYPT} tells slapd the value is a crypt(3) hash, not a cleartext password.
echo "userPassword: {CRYPT}$userPassword"
# LDIF requires a blank line between entries.
echo
done
</pre></div></div><br class="example-break"><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

The PADL MigrationTools are recommended for migration of the UNIX account information into
the LDAP directory. The tools consist of a set of Perl scripts for migration of users, groups,
aliases, hosts, netgroups, networks, protocols, RPCs, and services from the existing ASCII text
files (or from a name service such as NIS). This tool set can be obtained from the <a class="ulink" href="http://www.padl.com" target="_top">PADL Web site</a>.
</p></div></div></div><div class="sect1" title="Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id373599"></a>Implementation</h2></div></div></div><p>
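As an added worked example (not code from the book or from Misty's files), here is the passwd/shadow to LDIF conversion that the rough script in Technical Issues performs, written to respect what ldapadd actually enforces: exact shadow lookup, base64 for values that are not RFC 2849 safe strings, RFC 4514 escaping in the RDN, a {CRYPT} scheme prefix on the hash, and skipping of system and locked accounts. The base DN ou=people,dc=abmas,dc=biz follows the slapd.conf in this chapter; the sample passwd and shadow lines are constructed.

```python
"""Build LDIF for the ou=people branch from /etc/passwd and /etc/shadow.

Added example, not the book's or Misty's code. Same posixAccount layout as
Example 10.1, plus the rules the rough script skips: exact shadow lookup,
RFC 2849 base64 for unsafe values, RFC 4514 escaping in the RDN, a {CRYPT}
scheme prefix on the hash, and skipping of system and locked accounts.
"""
import base64

# Constructed sample input; the hashes are placeholders, not real crypt(3) output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
misty:x:1001:100:Misty Stanley-Jones,Room 12,555-0100:/home/misty:/bin/bash
bob:x:1002:100:Bob Example:/home/bob:/bin/bash
bobby:x:1003:100:Bobby Example:/home/bobby:/bin/bash
olduser:x:1004:100:Old User:/home/olduser:/bin/bash
jose:x:1005:100:José Álvarez:/home/jose:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$r00t$examplehashexamplehash:13000:0:99999:7:::
misty:$1$m1sty$examplehashexamplehash:13000:0:99999:7:::
bob:$1$b0b$examplehashexamplehash:13000:0:99999:7:::
bobby:$1$b0bby$examplehashexamplehash:13000:0:99999:7:::
olduser:!$1$0ld$examplehashexamplehash:13000:0:99999:7:::
jose:$1$j0se$examplehashexamplehash:13000:0:99999:7:::
"""


def load_shadow(shadow_text):
    """Map login name to hash by exact name (grep "$uid" would match bobby for bob)."""
    rows = (line.split(":") for line in shadow_text.splitlines())
    return {f[0]: f[1] for f in rows if len(f) >= 2}


def ldif_line(attr, value):
    """One attribute line per RFC 2849: "attr:: base64" unless value is a SAFE-STRING."""
    safe = (value.isascii() and not set(value) & set("\x00\r\n")
            and (not value or value[0] not in " :<"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def dn_escape(value):
    """Escape an RDN attribute value per RFC 4514 (backslash first, then the specials)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def account_entry(passwd_line, shadow, base_dn, min_uid=1000):
    """LDIF entry for one passwd line, or None if the account should stay local."""
    fields = passwd_line.split(":")
    if len(fields) != 7:
        return None
    name, _, uid_number, gid_number, gecos, home, shell = fields
    pw_hash = shadow.get(name, "")
    if int(uid_number) < min_uid or not pw_hash or pw_hash[0] in "!*":
        return None  # system account, missing shadow entry, or locked: do not migrate
    full_name = gecos.split(",")[0] or name  # GECOS full-name field, as the script's cn
    return "\n".join([
        ldif_line("dn", f"cn={dn_escape(full_name)},{base_dn}"),
        "objectClass: account",
        "objectClass: posixAccount",
        ldif_line("cn", full_name),
        ldif_line("uid", name),
        ldif_line("uidNumber", uid_number),
        ldif_line("gidNumber", gid_number),
        ldif_line("homeDirectory", home),
        ldif_line("loginShell", shell),
        ldif_line("userPassword", "{CRYPT}" + pw_hash),  # tell slapd it is a crypt(3) hash
    ])


def passwd_to_ldif(passwd_text, shadow_text, base_dn, min_uid=1000):
    """LDIF for every migratable account; entries are separated by a blank line."""
    shadow = load_shadow(shadow_text)
    entries = (account_entry(line, shadow, base_dn, min_uid)
               for line in passwd_text.splitlines() if line and not line.startswith("#"))
    return "\n\n".join(e for e in entries if e is not None) + "\n"


if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW, "ou=people,dc=abmas,dc=biz"))
```

On a real host, feed the output of passwd_to_ldif(open("/etc/passwd").read(), open("/etc/shadow").read(), ...) to ldapadd as root; the sample run above shows the DN of the non-ASCII name emitted as a base64 "dn::" line.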
|---|
</p><div class="sect2" title="NetWare Migration Using LDAP Backend"><div class="titlepage"><div><div><h3 class="title"><a name="id373608"></a>NetWare Migration Using LDAP Backend</h3></div></div></div><p>
The following software must be installed on the SUSE Linux Enterprise Server to perform
this migration:
</p><table border="0" summary="Simple list" class="simplelist"><tr><td>courier-imap</td></tr><tr><td>courier-imap-ldap</td></tr><tr><td>nss_ldap</td></tr><tr><td>openldap2-client</td></tr><tr><td>openldap2-devel (only for Samba compilation)</td></tr><tr><td>openldap2</td></tr><tr><td>pam_ldap</td></tr><tr><td>samba-3.0.20 or later</td></tr><tr><td>samba-client-3.0.20 or later</td></tr><tr><td>samba-winbind-3.0.20 or later</td></tr><tr><td>smbldap-tools Version 0.9.1</td></tr></table><p>
Each software application must be carefully configured in preparation for migration.
The configuration files used at Abmas are provided as a guide and should be modified
to meet needs at your site.
</p><div class="sect3" title="LDAP Server Configuration"><div class="titlepage"><div><div><h4 class="title"><a name="id373667"></a>LDAP Server Configuration</h4></div></div></div><p>
The <code class="filename">/etc/openldap/slapd.conf</code> file Misty used is shown here:
</p><pre class="programlisting">
#/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
include   /etc/openldap/schema/nis.schema
include   /etc/openldap/schema/samba3.schema
include   /etc/openldap/schema/dhcp.schema
include   /etc/openldap/schema/misc.schema
include   /etc/openldap/schema/idpool.schema
include   /etc/openldap/schema/eduperson.schema
include   /etc/openldap/schema/commURI.schema
include   /etc/openldap/schema/local.schema
include   /etc/openldap/schema/courier.schema

pidfile   /var/run/slapd/run/slapd.pid
argsfile  /var/run/slapd/run/slapd.args

replogfile  /data/ldap/log/slapd.replog

# Load dynamic backend modules:
modulepath  /usr/lib/openldap/modules

#######################################################################
# Logging parameters
#######################################################################
loglevel 256

#######################################################################
# SASL and TLS options
#######################################################################
sasl-host     ldap.corp.abmas.org
sasl-realm    DIGEST-MD5
sasl-secprops   none
TLSCipherSuite HIGH:MEDIUM:+SSLV2
TLSCertificateFile    /etc/ssl/certs/private/abmas-cert.pem
TLSCertificateKeyFile /etc/ssl/certs/private/abmas-key.pem
password-hash   {SSHA}
defaultsearchbase "dc=abmas,dc=biz"

#######################################################################
# bdb database definitions
#######################################################################
database          bdb
suffix            "dc=abmas,dc=biz"
rootdn            "cn=manager,dc=abmas,dc=biz"
rootpw            {SSHA}gdo/dUvoT4ZJmULz3rUt6A3H/hBEduJ5
directory         /data/ldap
mode    0600
# The following makes BDB checkpoint (flush its log to disk) every
# 500 KB of log data or every 5 minutes, whichever comes first.
checkpoint 500 5

## For running slapindex
#readonly on

## Indexes for often-requested attributes
index   objectClass             eq
index   cn                      eq,sub
index   sn                      eq,sub
index   uid                     eq,sub
index   uidNumber               eq
index   gidNumber               eq
index   sambaSID                eq
index   sambaPrimaryGroupSID    eq
index   sambaDomainName         eq
index   default                 sub
cachesize 2000

# Continuation lines of a directive must start with whitespace.
replica         host=baa.corp.abmas.org:389
    suffix="dc=abmas,dc=biz"
    binddn="cn=replica,dc=abmas,dc=biz"
    credentials=verysecret
    bindmethod=simple
    tls=yes
replica         host=ns.abmas.org:389
    suffix="dc=abmas,dc=biz"
    binddn="cn=replica,dc=abmas,dc=biz"
    credentials=verysecret
    bindmethod=simple
    tls=yes

#######################################################################
# ACL section
#######################################################################
## MOST RESTRICTIVE RULES MUST GO FIRST!
# Admins get access to everything. This way I do not have to rename.
access to *
    by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,ou=groups,dc=abmas,dc=biz" write
    by * break

## Users can change their own passwords.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPwdCanChange
    by self write
    by * auth

## Home contact info restricted to the logged-in user and the HR dept
access to attrs=hometelephoneNumber,homePostalAddress,mobileTelephoneNumber,pagerTelephoneNumber
    by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,ou=groups,dc=abmas,dc=biz" write
    by self write
    by * none

## Everyone can read email aliases
access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz"
    by * read

## Only admins can manage email aliases
## If someone is the role occupant of an alias they can change it -- this
## is accomplished by the "organizationalRole" objectclass and is
## pretty cool -- like a groupOfUniqueNames but for individual
## users.
access to dn.children="ou=Email Aliases,dc=abmas,dc=biz"
    by dnattr=roleOccupant write
    by * read

## Admins and HR can add and delete users
access to dn.sub="ou=people,dc=abmas,dc=biz"
    by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,ou=groups,dc=abmas,dc=biz" write
    by * read

## Admins and HR can add and delete bizputers
access to dn.sub="ou=bizputers,dc=abmas,dc=biz"
    by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,ou=groups,dc=abmas,dc=biz" write
    by * read

## Admins and HR can add and delete groups
access to dn.sub="ou=groups,dc=abmas,dc=biz"
    by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,ou=groups,dc=abmas,dc=biz" write
    by * read

## This is used to quickly deactivate any LDAP object only
##  Admins have access.
access to dn.sub="ou=inactive,dc=abmas,dc=biz"
    by * none

## This is for programs like Windows Address Book that can
## detect the default search base.
access to attrs=namingcontexts,supportedControl
    by anonymous =cs
    by * read

## Default to read-only access
access to *
    by dn.base="cn=replica,ou=people,dc=abmas,dc=biz" write
    by * read
</pre><p>
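To see why the ACL section insists that the most restrictive rules go first, here is an added example (not OpenLDAP code, and not part of the book) that models slapd's clause-by-clause evaluation for four of the rules above and checks who can read or change userPassword. The requester DNs and group memberships are assumed values; the semantics modelled are OpenLDAP's: the first "access to" whose what-part covers the request is selected, the first matching by-clause decides, and break hands the decision to the next clause. With the password clause ahead of the ou=people clause, another user gets only auth on userPassword; with the two swapped, "by * read" on ou=people hands out every hash.

```python
"""Model slapd ACL evaluation for four clauses of this chapter's slapd.conf.

Added example, not OpenLDAP code and not the book's. Clauses are tried in
order; the first "access to" covering the entry and attribute is selected; the
first matching by-clause decides, except that "break" defers to the next
clause. Privilege letters are OpenLDAP's: x=auth, c=compare, s=search, r=read, w=write.
"""
from dataclasses import dataclass, field

# Named levels are cumulative; "=cs"-style levels would be exact sets instead.
LEVELS = {name: frozenset("xcsrw"[:i])
          for i, name in enumerate(("none", "auth", "compare", "search", "read", "write"))}
BASE = "dc=abmas,dc=biz"
ADMINS = f"cn=LDAP Administrators,ou=groups,{BASE}"
HR = f"cn=hr_admin,ou=groups,{BASE}"
PASSWORD_ATTRS = frozenset(a.lower() for a in (
    "userPassword", "sambaNTPassword", "sambaLMPassword",
    "sambaPwdLastSet", "sambaPwdMustChange", "sambaPwdCanChange"))


@dataclass(frozen=True)
class Requester:
    dn: str = None                   # None means an anonymous bind
    groups: frozenset = frozenset()  # DNs of groups listing dn as uniqueMember


@dataclass
class Rule:
    attrs: frozenset = None  # None: any attribute
    dn_sub: str = None       # None: any entry; otherwise a subtree scope (suffix match)
    by: list = field(default_factory=list)  # (who, privileges, break_after)

    def covers(self, target_dn, attr):
        if self.attrs is not None and attr.lower() not in self.attrs:
            return False
        return self.dn_sub is None or target_dn.lower().endswith(self.dn_sub.lower())


def who_matches(who, req, target_dn):
    """Match one by-selector: *, anonymous, self, or group=DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return req.dn is None
    if who == "self":
        return req.dn is not None and req.dn.lower() == target_dn.lower()
    kind, _, value = who.partition("=")
    if kind == "group":
        return value.lower() in {g.lower() for g in req.groups}
    raise ValueError(f"unsupported selector {who!r}")


def allowed(rules, req, target_dn, attr, needed):
    """True if req holds privilege letter `needed` on attr of target_dn."""
    for rule in rules:
        if not rule.covers(target_dn, attr):
            continue
        for who, privs, break_after in rule.by:
            if who_matches(who, req, target_dn):
                if break_after:
                    break        # "by * break": defer to the next clause
                return needed in privs
        else:
            return False         # clause selected but no by-clause matched
    return False                 # no clause covers the request


def abmas_rules(passwords_first=True):
    """Four clauses from the chapter's ACL; passwords_first=False swaps clauses 2 and 3."""
    admins = Rule(by=[(f"group={ADMINS}", LEVELS["write"], False), ("*", LEVELS["none"], True)])
    passwords = Rule(attrs=PASSWORD_ATTRS,
                     by=[("self", LEVELS["write"], False), ("*", LEVELS["auth"], False)])
    people = Rule(dn_sub=f"ou=people,{BASE}",
                  by=[(f"group={HR}", LEVELS["write"], False), ("*", LEVELS["read"], False)])
    default = Rule(by=[("*", LEVELS["read"], False)])
    middle = [passwords, people] if passwords_first else [people, passwords]
    return [admins] + middle + [default]


def scenarios(passwords_first=True):
    """Decisions for a few requesters (assumed DNs) against Misty's entry."""
    rules = abmas_rules(passwords_first)
    misty = f"cn=Misty Stanley-Jones,ou=people,{BASE}"
    bob = Requester(dn=f"cn=Bob Example,ou=people,{BASE}")
    hr = Requester(dn=f"cn=HR Person,ou=people,{BASE}", groups=frozenset({HR}))
    admin = Requester(dn=f"cn=Admin,ou=people,{BASE}", groups=frozenset({ADMINS}))
    return {
        "bob reads misty's hash": allowed(rules, bob, misty, "userPassword", "r"),
        "misty changes own password": allowed(rules, Requester(dn=misty), misty, "userPassword", "w"),
        "anonymous bind against hash": allowed(rules, Requester(), misty, "userPassword", "x"),
        "bob reads misty's phone": allowed(rules, bob, misty, "telephoneNumber", "r"),
        "bob edits misty's phone": allowed(rules, bob, misty, "telephoneNumber", "w"),
        "hr edits misty's phone": allowed(rules, hr, misty, "telephoneNumber", "w"),
        "admin edits misty's hash": allowed(rules, admin, misty, "userPassword", "w"),
    }


if __name__ == "__main__":
    for order in (True, False):
        print("passwords clause first:" if order else "people clause first:", scenarios(order))
```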
|---|
| 364 | </p><p> | 
|---|
| 365 | <a class="indexterm" name="id373778"></a> | 
|---|
| 366 | The <code class="filename">/etc/ldap.conf</code> file used is listed in <a class="link" href="nw4migration.html#ch8ldap" title="Example 10.2. NSS LDAP Control File /etc/ldap.conf">“NSS LDAP Control File  /etc/ldap.conf”</a>. | 
|---|
| 367 | </p><div class="example"><a name="ch8ldap"></a><p class="title"><b>Example 10.2. NSS LDAP Control File  /etc/ldap.conf</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 368 | # /etc/ldap.conf | 
|---|
| 369 | # This file is present on every *NIX client that authenticates to LDAP. | 
|---|
| 370 | # For me, most of the defaults are fine. There is an amazing amount of | 
|---|
| 371 | # customization that can be done see the man page for info. | 
|---|
| 372 |  | 
|---|
| 373 | # Your LDAP server. Must be resolvable without using LDAP. The following | 
|---|
| 374 | # is for the LDAP server all others use the FQDN of the server | 
|---|
| 375 | URI ldap://127.0.0.1 | 
|---|
| 376 |  | 
|---|
| 377 | # The distinguished name of the search base. | 
|---|
| 378 | base ou=corp,dc=abmas,dc=biz | 
|---|
| 379 |  | 
|---|
| 380 | # The LDAP version to use (defaults to 3 if supported by client library) | 
|---|
| 381 | ldap_version 3 | 
|---|
| 382 |  | 
|---|
| 383 | # The distinguished name to bind to the server with if the effective | 
|---|
| 384 | # user ID is root. Password is stored in /etc/ldap.secret (mode 600) | 
|---|
| 385 | rootbinddn cn=Manager,dc=abmas,dc=biz | 
|---|
| 386 |  | 
|---|
| 387 | # Filter to AND with uid=%s | 
|---|
| 388 | pam_filter objectclass=posixAccount | 
|---|
| 389 |  | 
|---|
| 390 | # The user ID attribute (defaults to uid) | 
|---|
| 391 | pam_login_attribute uid | 
|---|
| 392 |  | 
|---|
| 393 | # Group member attribute | 
|---|
| 394 | pam_member_attribute memberUID | 
|---|
| 395 |  | 
|---|
| 396 | # Use the OpenLDAP password change | 
|---|
| 397 | # extended operation to update the password. | 
|---|
| 398 | pam_password exop | 
|---|
| 399 |  | 
|---|
| 400 | # OpenLDAP SSL mechanism | 
|---|
| 401 | # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 | 
|---|
| 402 | ssl start_tls | 
|---|
| 403 |  | 
|---|
| 404 | tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem | 
|---|
| 405 | ... | 
|---|
| 406 | </pre></div></div><br class="example-break"><p> | 
|---|
| 407 | The NSS control file <code class="filename">/etc/nsswitch.conf</code> has the following contents: | 
|---|
| 408 | </p><pre class="screen"> | 
|---|
| 409 | # /etc/nsswitch.conf | 
|---|
| 410 | # This file controls the resolve order for system databases. | 
|---|
| 411 |  | 
|---|
| 412 | # the following two lines obviate the "+" entry in /etc/passwd and /etc/group. | 
|---|
| 413 | passwd:   compat ldap | 
|---|
| 414 | group:    compat ldap | 
|---|
| 415 | # The above are all that I store in LDAP at this point. There are | 
|---|
| 416 | # possibilities to store hosts, services, ethers, and lots of other things. | 
|---|
| 417 | </pre><p> | 
|---|
| 418 | </p><p> | 
|---|
| 419 | <a class="indexterm" name="id373848"></a> | 
|---|
| 420 | <a class="indexterm" name="id373854"></a> | 
|---|
| 421 | In my setup, users authenticate via PAM and NSS using LDAP-based accounts. | 
|---|
| 422 | The configuration file that controls the behavior of the PAM <code class="literal">pam_unix2</code> | 
|---|
| 423 | module is shown in <a class="link" href="nw4migration.html#sbepu2" title="Example 10.3. The PAM Control File /etc/security/pam_unix2.conf">“The PAM Control File /etc/security/pam_unix2.conf”</a> file. | 
|---|
| 424 | This works out of the box with the configuration files in this chapter. It | 
|---|
| 425 | enables you to have no local accounts for users (it is highly advisable | 
|---|
| 426 | to have a local account for the root user).  Traps for the unwary include the following: | 
|---|
| 427 | </p><div class="example"><a name="sbepu2"></a><p class="title"><b>Example 10.3. The PAM Control File <code class="filename">/etc/security/pam_unix2.conf</code></b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 428 | # pam_unix2 config file | 
|---|
| 429 | # | 
|---|
| 430 | # This file contains options for the pam_unix2.so module. | 
|---|
| 431 | # It contains a list of options for every type of management group, | 
|---|
| 432 | # which will be used for authentication, account management and | 
|---|
| 433 | # password management. Not all options will be used from all types of | 
|---|
| 434 | # management groups. | 
|---|
| 435 | # | 
|---|
| 436 | # At first, pam_unix2 will read this file and then uses the local | 
|---|
| 437 | # options. Not all options can be set her global. | 
|---|
| 438 | # | 
|---|
| 439 | # Allowed options are: | 
|---|
| 440 | # | 
|---|
| 441 | # debug                 (account, auth, password, session) | 
|---|
| 442 | # nullok                (auth) | 
|---|
| 443 | # md5                   (password / overwrites /etc/default/passwd) | 
|---|
| 444 | # bigcrypt              (password / overwrites /etc/default/passwd) | 
|---|
| 445 | # blowfish              (password / overwrites /etc/default/passwd) | 
|---|
| 446 | # crypt_rounds=XX | 
|---|
| 447 | # none                  (session) | 
|---|
| 448 | # trace                 (session) | 
|---|
| 449 | # call_modules=x,y,z    (account, auth, password) | 
|---|
| 450 | # | 
|---|
| 451 | #  Example: | 
|---|
| 452 | #  auth:        nullok | 
|---|
| 453 | #  account: | 
|---|
| 454 | #  password:    nullok blowfish crypt_rounds=8 | 
|---|
| 455 | #  session:     none | 
|---|
| 456 | # | 
|---|
| 457 | auth: use_ldap | 
|---|
| 458 | account: use_ldap | 
|---|
| 459 | password: use_ldap | 
|---|
| 460 | session: none | 
|---|
| 461 | </pre></div></div><br class="example-break"><a class="indexterm" name="id373906"></a><a class="indexterm" name="id373913"></a><a class="indexterm" name="id373920"></a><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> | 
|---|
| 462 | If your LDAP database goes down, nobody can authenticate except for root. | 
|---|
| 463 | </p></li><li class="listitem"><p> | 
|---|
| 464 | If failover is configured incorrectly, weird behavior can occur. For example, | 
|---|
| 465 | DNS can fail to resolve. | 
|---|
| 466 | </p></li></ul></div><p> | 
|---|
| 467 | I do have two LDAP slave servers configured. That subject is beyond the scope | 
|---|
| 468 | of this document, and steps for implementing it are well documented. | 
|---|
| 469 | </p><p> | 
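<p>The first trap in the list above (an LDAP outage leaves only root able to log in) is easy to check for. The script below is an added example, not part of the book: it verifies that root still has a usable local account and that the three user-facing groups in pam_unix2.conf point at LDAP. The passwd, shadow and pam_unix2.conf contents are constructed samples written to a temporary directory; on a real server the functions would be pointed at /etc.</p>

```sh
#!/bin/sh
# Added example, not part of the book: checks for the "LDAP is down" trap.
# Root must keep a usable local account, and pam_unix2.conf must send the
# auth/account/password groups to LDAP. All file contents below are
# constructed samples; the paths are assumptions for illustration.

# local_root_ok PASSWD SHADOW
# Succeeds only if root is uid 0 with a login shell in PASSWD and has a
# real password hash in SHADOW (not empty, "*", or locked with "!").
local_root_ok() {
    awk -F: '$1 == "root" && $3 == 0 && $7 !~ /nologin|false/ { ok = 1 }
             END { exit !ok }' "$1" || return 1
    awk -F: '$1 == "root" && $2 != "" && $2 != "*" && $2 !~ /^!/ { ok = 1 }
             END { exit !ok }' "$2" || return 1
}

# pam_unix2_uses_ldap CONF
# Succeeds if the auth, account and password groups all carry use_ldap.
pam_unix2_uses_ldap() {
    for grp in auth account password; do
        grep -Eq "^[[:space:]]*$grp:.*(^|[[:space:]])use_ldap([[:space:]]|$)" "$1" \
            || return 1
    done
}

# --- constructed sample files (assumed layout, not a real system) ----------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
misty:x:1001:100:Misty:/home/misty:/bin/bash
EOF
# constructed hash value: not a real password
cat > "$SAMPLE_DIR/shadow_good" <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18000:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/shadow_locked" <<'EOF'
root:!:18000:0:99999:7:::
EOF
cat > "$SAMPLE_DIR/pam_unix2.conf" <<'EOF'
auth: use_ldap
account: use_ldap
password: use_ldap
session: none
EOF

# Report the sample results; a real run would use /etc/passwd, /etc/shadow
# and /etc/security/pam_unix2.conf.
if local_root_ok "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow_good"; then
    echo "root has a usable local account"
fi
if ! local_root_ok "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow_locked"; then
    echo "locked root: nobody could log in if LDAP went down"
fi
if pam_unix2_uses_ldap "$SAMPLE_DIR/pam_unix2.conf"; then
    echo "pam_unix2.conf routes auth/account/password to LDAP"
fi
```

<p>The shadow test deliberately rejects a locked hash (leading <code class="literal">!</code>) as well as <code class="literal">*</code>: a root entry that exists in passwd but cannot authenticate gives no fallback when the directory is unreachable.</p>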
|---|
| 470 | The following services authenticate using LDAP: | 
|---|
| 471 | </p><a class="indexterm" name="id373952"></a><a class="indexterm" name="id373959"></a><a class="indexterm" name="id373966"></a><table border="0" summary="Simple list" class="simplelist"><tr><td>UNIX login/ssh</td></tr><tr><td>Postfix (SMTP)</td></tr><tr><td>Courier-IMAP/IMAPS/POP3/POP3S</td></tr></table><p> | 
|---|
| 472 | <a class="indexterm" name="id373991"></a> | 
|---|
| 473 | <a class="indexterm" name="id373998"></a> | 
|---|
| 474 | Companywide white pages can be searched using an LDAP client | 
|---|
| 475 | such as the one in the Windows Address Book. | 
|---|
| 476 | </p><p> | 
|---|
| 477 | <a class="indexterm" name="id374009"></a> | 
|---|
| 478 | <a class="indexterm" name="id374016"></a> | 
|---|
| 479 | Having gained a solid understanding of LDAP and a relatively workable LDAP tree | 
|---|
| 480 | thus far, it was time to configure Samba. I compiled the latest stable Samba and | 
|---|
| 481 | also installed the latest <code class="literal">smbldap-tools</code> from | 
|---|
| 482 | <a class="ulink" href="http://idealx.com" target="_top">Idealx</a>. | 
|---|
| 483 | </p><p> | 
|---|
| 484 | The Samba <code class="filename">smb.conf</code> file was configured as shown in <a class="link" href="nw4migration.html#ch8smbconf" title="Example 10.4. Samba Configuration File smb.conf Part A">“Samba Configuration File  smb.conf Part A”</a>. | 
|---|
| 485 | </p><div class="example"><a name="ch8smbconf"></a><p class="title"><b>Example 10.4. Samba Configuration File  smb.conf Part A</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id374082"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id374094"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id374105"></a><em class="parameter"><code>server string = Corp File Server</code></em></td></tr><tr><td><a class="indexterm" name="id374117"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id374128"></a><em class="parameter"><code>pam password change = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id374140"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id374152"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id374163"></a><em class="parameter"><code>log file = /data/samba/log/%m.log</code></em></td></tr><tr><td><a class="indexterm" name="id374175"></a><em class="parameter"><code>name resolve order = wins host bcast</code></em></td></tr><tr><td><a class="indexterm" name="id374186"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id374198"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id374209"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id374221"></a><em class="parameter"><code>cups options = Raw</code></em></td></tr><tr><td><a 
class="indexterm" name="id374232"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id374244"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id374256"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id374268"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id374280"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id374292"></a><em class="parameter"><code>add machine script = /usr/local/sbin/smbldap-useradd -w "%m"</code></em></td></tr><tr><td><a class="indexterm" name="id374304"></a><em class="parameter"><code>logon script = logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id374316"></a><em class="parameter"><code>logon path = \\%L\profiles\%U\%a</code></em></td></tr><tr><td><a class="indexterm" name="id374328"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id374339"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id374350"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id374362"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id374373"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id374385"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a 
class="indexterm" name="id374397"></a><em class="parameter"><code>ldap idmap suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id374408"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id374420"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id374431"></a><em class="parameter"><code>ldap suffix = ou=MEGANET2,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id374443"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id374455"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id374466"></a><em class="parameter"><code>admin users = root, "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id374478"></a><em class="parameter"><code>printer admin = "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id374489"></a><em class="parameter"><code>force printername = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch8smbconf2"></a><p class="title"><b>Example 10.5. 
Samba Configuration File  smb.conf Part B</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id374528"></a><em class="parameter"><code>comment = Network logon service</code></em></td></tr><tr><td><a class="indexterm" name="id374540"></a><em class="parameter"><code>path = /data/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id374551"></a><em class="parameter"><code>write list = "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id374563"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id374583"></a><em class="parameter"><code>comment = Roaming Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id374595"></a><em class="parameter"><code>path = /data/samba/profiles/</code></em></td></tr><tr><td><a class="indexterm" name="id374607"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id374618"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id374630"></a><em class="parameter"><code>veto files = desktop.ini</code></em></td></tr><tr><td><a class="indexterm" name="id374641"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id374662"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id374673"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id374685"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" 
name="id374696"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id374708"></a><em class="parameter"><code>veto files = desktop.ini</code></em></td></tr><tr><td><a class="indexterm" name="id374719"></a><em class="parameter"><code>hide files = desktop.ini</code></em></td></tr><tr><td><a class="indexterm" name="id374731"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[software]</code></em></td></tr><tr><td><a class="indexterm" name="id374751"></a><em class="parameter"><code>comment = Software for %a computers</code></em></td></tr><tr><td><a class="indexterm" name="id374763"></a><em class="parameter"><code>path = /data/samba/shares/software/%a</code></em></td></tr><tr><td><a class="indexterm" name="id374774"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[public]</code></em></td></tr><tr><td><a class="indexterm" name="id374795"></a><em class="parameter"><code>comment = Public Files</code></em></td></tr><tr><td><a class="indexterm" name="id374806"></a><em class="parameter"><code>path = /data/samba/shares/public</code></em></td></tr><tr><td><a class="indexterm" name="id374818"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id374829"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[PDF]</code></em></td></tr><tr><td><a class="indexterm" name="id374850"></a><em class="parameter"><code>comment = Location of documents printed to PDFCreator printer</code></em></td></tr><tr><td><a class="indexterm" name="id374862"></a><em class="parameter"><code>path = /data/samba/shares/pdf</code></em></td></tr><tr><td><a class="indexterm" name="id374873"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br 
class="example-break"><div class="example"><a name="ch8smbconf3"></a><p class="title"><b>Example 10.6. Samba Configuration File  smb.conf Part C</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[EVERYTHING]</code></em></td></tr><tr><td><a class="indexterm" name="id374912"></a><em class="parameter"><code>comment = All shares</code></em></td></tr><tr><td><a class="indexterm" name="id374923"></a><em class="parameter"><code>path = /data/samba</code></em></td></tr><tr><td><a class="indexterm" name="id374934"></a><em class="parameter"><code>valid users = "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id374946"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[CDROM]</code></em></td></tr><tr><td><a class="indexterm" name="id374966"></a><em class="parameter"><code>comment = CD-ROM on MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id374978"></a><em class="parameter"><code>path = /mnt</code></em></td></tr><tr><td><a class="indexterm" name="id374990"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id375010"></a><em class="parameter"><code>comment = Printer Drivers Share</code></em></td></tr><tr><td><a class="indexterm" name="id375022"></a><em class="parameter"><code>path = /data/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id375033"></a><em class="parameter"><code>write list = root</code></em></td></tr><tr><td><a class="indexterm" name="id375045"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id375065"></a><em class="parameter"><code>comment = All 
Printers</code></em></td></tr><tr><td><a class="indexterm" name="id375076"></a><em class="parameter"><code>path = /data/samba/spool</code></em></td></tr><tr><td><a class="indexterm" name="id375088"></a><em class="parameter"><code>create mask = 0644</code></em></td></tr><tr><td><a class="indexterm" name="id375100"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id375111"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[acct_hp8500]</code></em></td></tr><tr><td><a class="indexterm" name="id375131"></a><em class="parameter"><code>comment = "Accounting Color Laser Printer"</code></em></td></tr><tr><td><a class="indexterm" name="id375143"></a><em class="parameter"><code>path = /data/samba/spool/private</code></em></td></tr><tr><td><a class="indexterm" name="id375155"></a><em class="parameter"><code>valid users = @acct, @acct_admin, @hr, "@Domain Admins",@Receptionist, dwayne, terri, danae, jerry</code></em></td></tr><tr><td><a class="indexterm" name="id375167"></a><em class="parameter"><code>create mask = 0644</code></em></td></tr><tr><td><a class="indexterm" name="id375178"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id375190"></a><em class="parameter"><code>copy = printers</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[plotter]</code></em></td></tr><tr><td><a class="indexterm" name="id375210"></a><em class="parameter"><code>comment = Engineering Plotter</code></em></td></tr><tr><td><a class="indexterm" name="id375222"></a><em class="parameter"><code>path = /data/samba/spool</code></em></td></tr><tr><td><a class="indexterm" name="id375233"></a><em class="parameter"><code>create mask = 0644</code></em></td></tr><tr><td><a class="indexterm" name="id375245"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" 
name="id375256"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id375268"></a><em class="parameter"><code>copy = printers</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch8smbconf4"></a><p class="title"><b>Example 10.7. Samba Configuration File  smb.conf Part D</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[APPS]</code></em></td></tr><tr><td><a class="indexterm" name="id375307"></a><em class="parameter"><code>path = /data/samba/shares/Apps</code></em></td></tr><tr><td><a class="indexterm" name="id375318"></a><em class="parameter"><code>force group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id375330"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[ACCT]</code></em></td></tr><tr><td><a class="indexterm" name="id375350"></a><em class="parameter"><code>path = /data/samba/shares/Accounting</code></em></td></tr><tr><td><a class="indexterm" name="id375362"></a><em class="parameter"><code>valid users = @acct, "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id375373"></a><em class="parameter"><code>force group = acct</code></em></td></tr><tr><td><a class="indexterm" name="id375385"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id375396"></a><em class="parameter"><code>create mask = 0660</code></em></td></tr><tr><td><a class="indexterm" name="id375408"></a><em class="parameter"><code>directory mask = 0770</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[ACCT_ADMIN]</code></em></td></tr><tr><td><a class="indexterm" name="id375428"></a><em class="parameter"><code>path = /data/samba/shares/Acct_Admin</code></em></td></tr><tr><td><a class="indexterm" 
name="id375440"></a><em class="parameter"><code>valid users = @"acct_admin"</code></em></td></tr><tr><td><a class="indexterm" name="id375451"></a><em class="parameter"><code>force group = acct_admin</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[HR_PR]</code></em></td></tr><tr><td><a class="indexterm" name="id375472"></a><em class="parameter"><code>path = /data/samba/shares/HR_PR</code></em></td></tr><tr><td><a class="indexterm" name="id375484"></a><em class="parameter"><code>valid users = @hr, @acct_admin</code></em></td></tr><tr><td><a class="indexterm" name="id375495"></a><em class="parameter"><code>force group = hr</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[ENGR]</code></em></td></tr><tr><td><a class="indexterm" name="id375516"></a><em class="parameter"><code>path = /data/samba/shares/Engr</code></em></td></tr><tr><td><a class="indexterm" name="id375527"></a><em class="parameter"><code>valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri</code></em></td></tr><tr><td><a class="indexterm" name="id375539"></a><em class="parameter"><code>force group = engr</code></em></td></tr><tr><td><a class="indexterm" name="id375550"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id375562"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[DATA]</code></em></td></tr><tr><td><a class="indexterm" name="id375582"></a><em class="parameter"><code>path = /data/samba/shares/DATA</code></em></td></tr><tr><td><a class="indexterm" name="id375594"></a><em class="parameter"><code>valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri</code></em></td></tr><tr><td><a class="indexterm" name="id375606"></a><em class="parameter"><code>force group = engr</code></em></td></tr><tr><td><a class="indexterm" name="id375617"></a><em class="parameter"><code>read only = 
No</code></em></td></tr><tr><td><a class="indexterm" name="id375629"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id375640"></a><em class="parameter"><code>copy = engr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch8smbconf5"></a><p class="title"><b>Example 10.8. Samba Configuration File  smb.conf Part E</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[X]</code></em></td></tr><tr><td><a class="indexterm" name="id375679"></a><em class="parameter"><code>path = /data/samba/shares/X</code></em></td></tr><tr><td><a class="indexterm" name="id375690"></a><em class="parameter"><code>valid users = @engr, @acct</code></em></td></tr><tr><td><a class="indexterm" name="id375702"></a><em class="parameter"><code>force group = engr</code></em></td></tr><tr><td><a class="indexterm" name="id375713"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id375725"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id375736"></a><em class="parameter"><code>copy = engr</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[NETWORK]</code></em></td></tr><tr><td><a class="indexterm" name="id375757"></a><em class="parameter"><code>path = /data/samba/shares/network</code></em></td></tr><tr><td><a class="indexterm" name="id375768"></a><em class="parameter"><code>valid users = "@Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id375780"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id375791"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id375803"></a><em class="parameter"><code>guest ok = 
Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[UTILS]</code></em></td></tr><tr><td><a class="indexterm" name="id375823"></a><em class="parameter"><code>path = /data/samba/shares/Utils</code></em></td></tr><tr><td><a class="indexterm" name="id375835"></a><em class="parameter"><code>write list = "@Domain Admins"</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[SYS]</code></em></td></tr><tr><td><a class="indexterm" name="id375855"></a><em class="parameter"><code>path = /data/samba/shares/SYS</code></em></td></tr><tr><td><a class="indexterm" name="id375867"></a><em class="parameter"><code>valid users = chad</code></em></td></tr><tr><td><a class="indexterm" name="id375878"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id375890"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><p> | 
|---|
| 486 | <a class="indexterm" name="id375905"></a> | 
|---|
| 487 | <a class="indexterm" name="id375911"></a> | 
|---|
| 488 | <a class="indexterm" name="id375918"></a> | 
|---|
| 489 | Most of these shares are only used by one company group, but they are required | 
|---|
| 490 | because some ancient Qbasic and Rbase applications were written expecting | 
|---|
| 491 | their own drive letters. | 
|---|
| 492 | </p><p> | 
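<p>Two settings in the smb.conf examples above deserve a routine check: shares that are both <code class="literal">guest ok = Yes</code> and writable (<code class="literal">[public]</code>, and <code class="literal">[NETWORK]</code> unless its <code class="literal">valid users</code> line takes effect), and <code class="literal">ldap ssl = no</code>, which is harmless while the passdb backend is <code class="literal">ldap://localhost</code> but sends the <code class="literal">ldap admin dn</code> bind password in clear text as soon as the directory moves to another host. The following auditor is an added example, not from the book or from Samba; its sample smb.conf is a constructed subset of Examples 10.4 to 10.8, and the remote hostname in the variant is made up.</p>

```sh
#!/bin/sh
# Added example, not from the book: a read-only audit of smb.conf for
# (1) shares that are both "guest ok = Yes" and writable, and
# (2) "ldap ssl = no" with a passdb backend on a remote LDAP server.
# The sample smb.conf is a constructed subset of the book's examples.

# audit_smbconf FILE
# Prints one finding per line:
#   WRITABLE_GUEST <share> [valid_users=<list>]
#   PLAINTEXT_LDAP <passdb backend value>
audit_smbconf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    index($0, "=") {
        key = tolower(trim(substr($0, 1, index($0, "=") - 1)))
        val = tolower(trim(substr($0, index($0, "=") + 1)))
        if (key == "guest ok")                          guest[sec] = val
        if (key == "read only")                         ro[sec] = val
        if (key == "writable" || key == "writeable")    writable[sec] = val
        if (key == "valid users")                       validu[sec] = val
        if (sec == "global" && key == "ldap ssl")       ldapssl = val
        if (sec == "global" && key == "passdb backend") passdb = val
    }
    END {
        for (s in guest) {
            if (s == "global" || guest[s] !~ /^(yes|true|1)$/) continue
            # Samba defaults to read only = yes, so only an explicit override counts
            if (ro[s] ~ /^(no|false|0)$/ || writable[s] ~ /^(yes|true|1)$/) {
                line = "WRITABLE_GUEST " s
                if (validu[s] != "") line = line " valid_users=" validu[s]
                print line
            }
        }
        if (passdb ~ /^ldapsam:ldap:\/\// &&
            passdb !~ /ldap:\/\/(localhost|127\.0\.0\.1)/ &&
            ldapssl ~ /^(no|off)$/)
            print "PLAINTEXT_LDAP " passdb
    }' "$1"
}

# --- constructed sample: a subset of the book's smb.conf --------------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/smb.conf" <<'EOF'
[global]
        workgroup = MEGANET2
        passdb backend = ldapsam:ldap://localhost
        ldap admin dn = cn=Manager,dc=abmas,dc=biz
        ldap ssl = no

[software]
        path = /data/samba/shares/software/%a
        guest ok = Yes

[public]
        path = /data/samba/shares/public
        read only = No
        guest ok = Yes

[NETWORK]
        path = /data/samba/shares/network
        valid users = "@Domain Users"
        read only = No
        guest ok = Yes
EOF
# Variant with the directory on another host (hostname is constructed).
sed 's#ldap://localhost#ldap://ldap.abmas.biz#' "$SAMPLE_DIR/smb.conf" \
    > "$SAMPLE_DIR/smb-remote.conf"

echo "== as in the book (LDAP on localhost) =="
audit_smbconf "$SAMPLE_DIR/smb.conf"
echo "== same config with a remote LDAP server =="
audit_smbconf "$SAMPLE_DIR/smb-remote.conf"
```

<p>The auditor only flags an explicit <code class="literal">read only = No</code> or <code class="literal">writable = Yes</code>, so <code class="literal">[software]</code> (guest, read-only by default) is left alone. Run it against the real file with <code class="literal">audit_smbconf /etc/samba/smb.conf</code>.</p>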
|---|
| 493 | <a class="indexterm" name="id375930"></a> | 
|---|
| 494 | <a class="indexterm" name="id375937"></a> | 
|---|
| 495 | <a class="indexterm" name="id375944"></a> | 
|---|
| 496 | Note: During the process of building the new server, I kept data files | 
|---|
| 497 | up to date with the Novell server via use of <code class="literal">rsync</code>. | 
|---|
| 498 | On a separate system (my workstation in fact), which could be rebooted | 
|---|
| 499 | whenever necessary, I set up a mount point to the Novell server via | 
|---|
| 500 | <code class="literal">ncpmount</code>. I then created a | 
|---|
| 501 | <code class="filename">rsyncd.conf</code> to share that mount point out to my | 
|---|
| 502 | new server, and synchronized once an hour. The script I used to synchronize | 
|---|
| 503 | is shown in <a class="link" href="nw4migration.html#sbersync" title="Example 10.9. Rsync Script">“Rsync Script”</a>. The file exclusion list I used | 
|---|
| 504 | is shown in <a class="link" href="nw4migration.html#sbexcld" title="Example 10.10. Rsync Files Exclusion List /root/excludes.txt">“Rsync Files Exclusion List  /root/excludes.txt”</a>.  The reason I had to have the | 
|---|
| 505 | <code class="literal">rsync</code> daemon running on a system that could be | 
|---|
| 506 | rebooted frequently is that <code class="constant">ncpfs</code> | 
|---|
| 507 | (part of the MARS NetWare Emulation package) has a nasty habit of creating stale | 
|---|
| 508 | mount points that cannot be recovered without a reboot. The reason for hourly | 
|---|
| 509 | synchronization is that some part of the chain was very slow and | 
|---|
| 510 | performance-heavy (whether <code class="literal">rsync</code> itself, the network, | 
|---|
| 511 | or the Novell server, I am not sure, but it was probably the Novell server). | 
|---|
| 512 | </p><div class="example"><a name="sbersync"></a><p class="title"><b>Example 10.9. Rsync Script</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 513 | #!/bin/bash | 
|---|
| 514 | # Part 1 - rsync the Novell directories to the new server | 
|---|
| 515 | echo "#############################################" | 
|---|
| 516 | echo "New sync operation starting at `date`" | 
|---|
| 517 | if ! pgrep -fl '^rsync\>' ; then | 
|---|
| 518 | echo "Good, no rsync is running!" | 
|---|
| 519 | echo "Synchronizing oink to BHPRO" | 
|---|
| 520 | rsync -av --exclude-from=/root/excludes.txt \ | 
|---|
| 521 | baa.corp:/BHPRO/SYS1/ /data/samba/shares/SYS1 | 
|---|
| 522 | retval=$? | 
|---|
| 523 | [ ${retval} = 0 ] && echo "Sync operation completed at `date`" | 
|---|
| 524 | echo "Fixing permissions" | 
|---|
| 525 | # I had a whole lot more permission-fixing stuff here.  It got | 
|---|
| 526 | # pared down as groups got moved over.  The problem | 
|---|
| 527 | # was that the way I was mounting the directory, everything | 
|---|
| 528 | # was owned by the Novell administrator which translated to | 
|---|
| 529 | # Root.  This is also why I could only do one-way sync because | 
|---|
| 530 | # I could not fix the ACLs on the Novell side. | 
|---|
| 531 | find /data/samba/shares/Engr/ -perm +770 -exec chmod 770 {} \; | 
|---|
| 532 | find /data/samba/shares/Engr/ ! -group engr -exec chgrp engr {} \; | 
|---|
| 533 | else | 
|---|
| 534 | # This rsync took ages and ages -- I had it set to run every hour but | 
|---|
| 535 | # I needed a way to prevent it running into itself. | 
|---|
| 536 | echo "Oh no, rsync is already running!" | 
|---|
| 537 | echo "#############################################" | 
|---|
| 538 | fi | 
|---|
| 539 | </pre></div></div><br class="example-break"><div class="example"><a name="sbexcld"></a><p class="title"><b>Example 10.10. Rsync Files Exclusion List  <code class="filename">/root/excludes.txt</code></b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 540 | /Acct/ | 
|---|
| 541 | /Apps/ | 
|---|
| 542 | /DATA/ | 
|---|
| 543 | /Engr/*.pc3 | 
|---|
| 544 | /Engr/plotter | 
|---|
| 545 | /Engr/APPOLO/ | 
|---|
| 546 | /Engr/LIBRARY/ | 
|---|
| 547 | /Home/Accounting/ | 
|---|
| 548 | /Home/Angie/ | 
|---|
| 549 | /Home/AngieY/ | 
|---|
| 550 | /Home/Brandon/ | 
|---|
| 551 | /Home/Carl/ | 
|---|
| 552 | </pre></div></div><br class="example-break"><p> | 
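<p>The <code class="literal">pgrep</code> guard in the Rsync Script above keeps hourly runs from piling up, but it has a check-then-act window (two cron invocations can both see no rsync and both start) and it matches any <code class="literal">rsync</code> on the host, not just this job. The script below is an added example, not the book's script: it uses an atomic <code class="literal">mkdir</code> lock directory, which needs no <code class="literal">flock</code> and releases on signals, and returns 75 (EX_TEMPFAIL) when a previous run is still going. The lock path is an assumption; the source, destination and exclusion file are the ones from the book's script.</p>

```sh
#!/bin/sh
# Added example, not the book's script: serialize the hourly Novell sync
# with an atomic mkdir lock instead of a racy pgrep test.
# The lock directory path is an assumption for illustration.

# acquire_lock DIR: take the lock, or fail (status 1) if another run holds it.
# mkdir either creates the directory or fails; there is no window in between.
acquire_lock() {
    mkdir "$1" 2>/dev/null || return 1
    echo $$ > "$1/pid"
}

# release_lock DIR
release_lock() {
    rm -rf "$1"
}

# sync_novell LOCKDIR SRC DST EXCLUDES
# One-way sync under the lock. Returns rsync's status, or 75 (EX_TEMPFAIL)
# when a previous run is still in progress so cron mail shows it as transient.
sync_novell() {
    lock=$1 src=$2 dst=$3 excl=$4
    if ! acquire_lock "$lock"; then
        echo "Oh no, rsync is already running (pid $(cat "$lock/pid" 2>/dev/null))!" >&2
        return 75
    fi
    # release on normal exit and on signals so a killed run cannot wedge the job
    trap 'release_lock "$lock"' EXIT INT TERM
    echo "New sync operation starting at $(date)"
    rc=0
    rsync -av --exclude-from="$excl" "$src" "$dst" || rc=$?
    [ "$rc" -eq 0 ] && echo "Sync operation completed at $(date)"
    release_lock "$lock"
    trap - EXIT INT TERM
    return "$rc"
}

# An hourly cron entry would call this script with --run.
if [ "${1:-}" = "--run" ]; then
    sync_novell /var/lock/novell-sync \
        baa.corp:/BHPRO/SYS1/ /data/samba/shares/SYS1 /root/excludes.txt
fi
```

<p>The pid file inside the lock directory is informational only; the lock itself is the existence of the directory, which is why a stale lock after a crash has to be removed by hand (the trap covers normal kills, not a power loss).</p>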
|---|
| 553 | After Samba was configured, I initialized the LDAP database. The first | 
|---|
| 554 | thing I had to do was store the LDAP password in the Samba configuration by | 
|---|
| 555 | issuing the command (as root): | 
|---|
| 556 | </p><pre class="screen"> | 
|---|
| 557 | <code class="prompt">root# </code> smbpasswd -w verysecret | 
|---|
| 558 | </pre><p> | 
|---|
| 559 | where <span class="quote">“<span class="quote">verysecret</span>”</span> is replaced by the LDAP bind password. | 
|---|
| 560 | </p><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> | 
|---|
| 561 | The Idealx smbldap-tools package can be configured using a script called | 
|---|
| 562 | <code class="literal">configure.pl</code> that is provided as part of the tool. See <a class="link" href="happy.html" title="Chapter 5. Making Happy Users">“Making Happy Users”</a> | 
|---|
| 563 | for an example of its use. Many administrators, like Misty, choose to do this manually | 
|---|
| 564 | so as to maintain greater awareness of how the tool-chain works and possibly to avoid | 
|---|
| 565 | undesirable actions from occurring unnoticed. | 
|---|
| 566 | </p></div><p> | 
|---|
| 567 | Now Samba was ready for use and it was time to configure the smbldap-tools. There are two | 
|---|
| 568 | relevant files, which are usually put into the directory | 
|---|
| 569 | <code class="filename">/etc/smbldap-tools</code>. The main file, | 
|---|
| 570 | <code class="filename">smbldap.conf</code> is shown in <a class="link" href="nw4migration.html#ch8ideal" title="Example 10.11. Idealx smbldap-tools Control File Part A">“Idealx smbldap-tools Control File  Part A”</a>. | 
|---|
| 571 | </p><div class="example"><a name="ch8ideal"></a><p class="title"><b>Example 10.11. Idealx smbldap-tools Control File  Part A</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 572 | ######### | 
|---|
| 573 | # | 
|---|
| 574 | # located in /etc/smbldap-tools/smbldap.conf | 
|---|
| 575 | # | 
|---|
| 576 | ###################################################################### | 
|---|
| 577 | # | 
|---|
| 578 | # General Configuration | 
|---|
| 579 | # | 
|---|
| 580 | ###################################################################### | 
|---|
| 581 |  | 
|---|
| 582 | # Put your own SID | 
|---|
| 583 | # to obtain this number do: net getlocalsid | 
|---|
| 584 | SID="S-1-5-21-725326080-1709766072-2910717368" | 
|---|
| 585 |  | 
|---|
| 586 | ###################################################################### | 
|---|
| 587 | # | 
|---|
| 588 | # LDAP Configuration | 
|---|
| 589 | # | 
|---|
| 590 | ###################################################################### | 
|---|
| 591 |  | 
|---|
| 592 | # Notes: to use the dual LDAP servers backend for Samba, you must patch | 
|---|
| 593 | # Samba with the dual-head patch from IDEALX. If not using this patch | 
|---|
| 594 | # just use the same server for slaveLDAP and masterLDAP. | 
|---|
| 595 | # Those two servers declarations can also be used when you have | 
|---|
| 596 | # . one master LDAP server where all writing operations must be done | 
|---|
| 597 | # . one slave LDAP server where all reading operations must be done | 
|---|
| 598 | #   (typically a replication directory) | 
|---|
| 599 |  | 
|---|
| 600 | # Ex: slaveLDAP=127.0.0.1 | 
|---|
| 601 | slaveLDAP="127.0.0.1" | 
|---|
| 602 | slavePort="389" | 
|---|
| 603 |  | 
|---|
| 604 | # Master LDAP : needed for write operations | 
|---|
| 605 | # Ex: masterLDAP=127.0.0.1 | 
|---|
| 606 | masterLDAP="127.0.0.1" | 
|---|
| 607 | masterPort="389" | 
|---|
| 608 |  | 
|---|
| 609 | # Use TLS for LDAP | 
|---|
| 610 | # If set to 1, this option will use start_tls for connection | 
|---|
| 611 | # (you should also use port 389) | 
|---|
| 612 | ldapTLS="0" | 
|---|
| 613 |  | 
|---|
| 614 | # How to verify the server's certificate (none, optional or require) | 
|---|
| 615 | # see "man Net::LDAP" in start_tls section for more details | 
|---|
| 616 | verify="" | 
|---|
| 617 | </pre></div></div><br class="example-break"><div class="example"><a name="ch8ideal2"></a><p class="title"><b>Example 10.12. Idealx smbldap-tools Control File  Part B</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 618 | # CA certificate | 
|---|
| 619 | # see "man Net::LDAP" in start_tls section for more details | 
|---|
| 620 | cafile="" | 
|---|
| 621 | # certificate to use to connect to the ldap server | 
|---|
| 622 | # see "man Net::LDAP" in start_tls section for more details | 
|---|
| 623 | clientcert="" | 
|---|
| 624 |  | 
|---|
| 625 | # key certificate to use to connect to the ldap server | 
|---|
| 626 | # see "man Net::LDAP" in start_tls section for more details | 
|---|
| 627 | clientkey="" | 
|---|
| 628 |  | 
|---|
| 629 | # LDAP Suffix | 
|---|
| 630 | # Ex: suffix=dc=IDEALX,dc=ORG | 
|---|
| 631 | suffix="ou=MEGANET2,dc=abmas,dc=biz" | 
|---|
| 632 |  | 
|---|
| 633 | # Where are stored Users | 
|---|
| 634 | # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG" | 
|---|
| 635 | usersdn="ou=People,${suffix}" | 
|---|
| 636 |  | 
|---|
| 637 | # Where are stored Computers | 
|---|
| 638 | # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG" | 
|---|
| 639 | computersdn="ou=People,${suffix}" | 
|---|
| 640 |  | 
|---|
| 641 | # Where are stored Groups | 
|---|
| 642 | # Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG" | 
|---|
| 643 | groupsdn="ou=Groups,${suffix}" | 
|---|
| 644 |  | 
|---|
| 645 | # Where are stored Idmap entries | 
|---|
| 646 | # (used if samba is a domain member server) | 
|---|
| 647 | # Ex idmapdn="ou=Idmap,dc=IDEALX,dc=ORG" | 
|---|
| 648 | idmapdn="ou=Idmap,${suffix}" | 
|---|
| 649 |  | 
|---|
| 650 | # Where to store next uidNumber and gidNumber available | 
|---|
| 651 | sambaUnixIdPooldn="sambaDomainName=MEGANET2,${suffix}" | 
|---|
| 652 |  | 
|---|
| 653 | # Default scope Used | 
|---|
| 654 | scope="sub" | 
|---|
| 655 | </pre></div></div><br class="example-break"><div class="example"><a name="ch8ideal3"></a><p class="title"><b>Example 10.13. Idealx smbldap-tools Control File  Part C</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 656 | # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) | 
|---|
| 657 | hash_encrypt="MD5" | 
|---|
| 658 |  | 
|---|
| 659 | # if hash_encrypt is set to CRYPT, you may set a salt format. | 
|---|
| 660 | # default is "%s", but many systems will generate MD5 hashed | 
|---|
| 661 | # passwords if you use "$1$%.8s". This parameter is optional! | 
|---|
| 662 | crypt_salt_format="%s" | 
|---|
| 663 |  | 
|---|
| 664 | ###################################################################### | 
|---|
| 665 | # | 
|---|
| 666 | # Unix Accounts Configuration | 
|---|
| 667 | # | 
|---|
| 668 | ###################################################################### | 
|---|
| 669 |  | 
|---|
| 670 | # Login defs | 
|---|
| 671 | # Default Login Shell | 
|---|
| 672 | # Ex: userLoginShell="/bin/bash" | 
|---|
| 673 | userLoginShell="/bin/false" | 
|---|
| 674 |  | 
|---|
| 675 | # Home directory | 
|---|
| 676 | # Ex: userHome="/home/%U" | 
|---|
| 677 | userHome="/home/%U" | 
|---|
| 678 |  | 
|---|
| 679 | # Gecos | 
|---|
| 680 | userGecos="Samba User" | 
|---|
| 681 |  | 
|---|
| 682 | # Default User (POSIX and Samba) GID | 
|---|
| 683 | defaultUserGid="513" | 
|---|
| 684 |  | 
|---|
| 685 | # Default Computer (Samba) GID | 
|---|
| 686 | defaultComputerGid="515" | 
|---|
| 687 |  | 
|---|
| 688 | # Skel dir | 
|---|
| 689 | skeletonDir="/etc/skel" | 
|---|
| 690 |  | 
|---|
| 691 | # Default password validity time (in days). Comment out the next | 
|---|
| 692 | # line if you don't want passwords to expire after | 
|---|
| 693 | # defaultMaxPasswordAge days (be careful with the sambaPwdMustChange | 
|---|
| 694 | # attribute's value) | 
|---|
| 695 | defaultMaxPasswordAge="45" | 
|---|
| 696 | </pre></div></div><br class="example-break"><div class="example"><a name="ch8ideal4"></a><p class="title"><b>Example 10.14. Idealx smbldap-tools Control File  Part D</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 697 | ###################################################################### | 
|---|
| 698 | # | 
|---|
| 699 | # SAMBA Configuration | 
|---|
| 700 | # | 
|---|
| 701 | ###################################################################### | 
|---|
| 702 |  | 
|---|
| 703 | # The UNC path to home drives location (%U username substitution) | 
|---|
| 704 | # Ex: \\My-PDC-netbios-name\homes\%U | 
|---|
| 705 | # Just set it to a null string if you want to use the smb.conf | 
|---|
| 706 | # 'logon home' directive and/or disable roaming profiles | 
|---|
| 707 | userSmbHome="" | 
|---|
| 708 |  | 
|---|
| 709 | # The UNC path to profiles locations (%U username substitution) | 
|---|
| 710 | # Ex: \\My-PDC-netbios-name\profiles\%U | 
|---|
| 711 | # Just set it to a null string if you want to use the smb.conf | 
|---|
| 712 | # 'logon path' directive and/or disable roaming profiles | 
|---|
| 713 | userProfile="" | 
|---|
| 714 |  | 
|---|
| 715 | # The default Home Drive Letter mapping | 
|---|
| 716 | # (will be automatically mapped at logon time if home directory exist) | 
|---|
| 717 | # Ex: H: for H: | 
|---|
| 718 | userHomeDrive="" | 
|---|
| 719 |  | 
|---|
| 720 | # The default user netlogon script name (%U username substitution) | 
|---|
| 721 | # if not used, will be automatically username.cmd | 
|---|
| 722 | # make sure script file is edited under DOS | 
|---|
| 723 | # Ex: %U.cmd | 
|---|
| 724 | # userScript="startup.cmd" # make sure script file is edited under DOS | 
|---|
| 725 | userScript="" | 
|---|
| 726 |  | 
|---|
| 727 | # Domain appended to the users "mail"-attribute | 
|---|
| 728 | # when smbldap-useradd -M is used | 
|---|
| 729 | mailDomain="abmas.org" | 
|---|
| 730 |  | 
|---|
| 731 | ###################################################################### | 
|---|
| 732 | # | 
|---|
| 733 | # SMBLDAP-TOOLS Configuration (default are ok for a RedHat) | 
|---|
| 734 | # | 
|---|
| 735 | ###################################################################### | 
|---|
| 736 | # Allows not to use smbpasswd | 
|---|
| 737 | # (if with_smbpasswd == 0 in smbldap_conf.pm) but | 
|---|
| 738 | # prefer Crypt::SmbHash library | 
|---|
| 739 | with_smbpasswd="0" | 
|---|
| 740 | smbpasswd="/usr/bin/smbpasswd" | 
|---|
| 741 | </pre></div></div><br class="example-break"><p> | 
|---|
| 742 | <a class="indexterm" name="id376262"></a> | 
|---|
| 743 | Note: I chose not to take advantage of the TLS capability of this. | 
|---|
| 744 | Eventually I may go back and tweak it.  Also, I chose not to take advantage | 
|---|
| 745 | of the master/slave configuration as I heard horror stories that it was | 
|---|
| 746 | unstable.  My slave servers are replicas only. | 
|---|
| 747 | </p><p> | 
|---|
| 748 | The <code class="filename">/etc/smbldap-tools/smbldap_bind.conf</code> file is shown here: | 
|---|
| 749 | </p><pre class="screen"> | 
|---|
| 750 | # smbldap_bind.conf | 
|---|
| 751 | # | 
|---|
| 752 | # This file simply tells smbldap-tools how to bind to your LDAP server. | 
|---|
| 753 | # It has to be a DN with full write access to the Samba portion of | 
|---|
| 754 | # the database. | 
|---|
| 755 |  | 
|---|
| 756 | ############################ | 
|---|
| 757 | # Credential Configuration # | 
|---|
| 758 | ############################ | 
|---|
| 759 | # Notes: you can specify two different configurations if you use a | 
|---|
| 760 | # master ldap for writing access and a slave ldap server for reading access | 
|---|
| 761 | # By default, we will use the same DN (so it will work for standard Samba | 
|---|
| 762 | # release) | 
|---|
| 763 | slaveDN="cn=Manager,dc=abmas,dc=biz" | 
|---|
| 764 | slavePw="verysecret" | 
|---|
| 765 | masterDN="cn=Manager,dc=abmas,dc=biz" | 
|---|
| 766 | masterPw="verysecret" | 
|---|
| 767 | </pre><p> | 
|---|
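The bind file above carries the Manager DN's password in cleartext, and smbldap.conf sets ldapTLS="0", which is only safe while both LDAP servers stay on 127.0.0.1. The following is an added example, not part of smbldap-tools or of the author's setup: it parses the key="value" format both files use and reports a non-TLS connection to a non-loopback server, a TLS connection that does not verify the server certificate, and a bind file that other local users can read. The sample contents and the host name ldap-master.example are constructed.

```python
"""Audit smbldap.conf / smbldap_bind.conf for two exposure points.

Added example (not smbldap-tools code): parses the key="value" lines of both
files and reports (a) an LDAP connection without TLS to a server that is not on
the loopback interface, (b) TLS without certificate verification, and (c) a bind
file, which holds masterPw/slavePw in cleartext, readable by group or other.
"""
import os
import re
import stat

# key="value" with optional quotes and an optional trailing comment
KEY_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_kv(text):
    """Parse key="value" lines; comment lines and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def is_loopback(host):
    return host in ("127.0.0.1", "::1", "localhost")


def audit_ldap_transport(conf):
    """Findings for smbldap.conf: cleartext binds off-host, or TLS without verification."""
    findings = []
    if conf.get("ldapTLS", "0") != "1":
        for key in ("slaveLDAP", "masterLDAP"):
            host = conf.get(key, "")
            if host and not is_loopback(host):
                findings.append(f'{key}="{host}" with ldapTLS="0": bind DN, password and '
                                "sambaNTPassword values cross the network in cleartext")
    elif conf.get("verify", "") != "require":
        findings.append('ldapTLS="1" but verify is not "require": server certificate unchecked')
    return findings


def audit_bind_mode(mode, owner_uid):
    """Findings for smbldap_bind.conf given its st_mode and st_uid."""
    findings = []
    if owner_uid != 0:
        findings.append(f"bind file owned by uid {owner_uid}, expected root")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"bind file mode {oct(stat.S_IMODE(mode))} is readable by "
                        "group/other; use 0600")
    return findings


def audit_bind_file(path):
    """Run audit_bind_mode against a real file (hypothetical path supplied by caller)."""
    st = os.stat(path)
    return audit_bind_mode(st.st_mode, st.st_uid)


# Constructed samples: the first mirrors the settings above (loopback, no TLS),
# the second moves the master LDAP server to another host without enabling TLS.
SAMPLE_LOCAL = '''
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
verify=""
'''
SAMPLE_REMOTE = SAMPLE_LOCAL.replace('masterLDAP="127.0.0.1"',
                                     'masterLDAP="ldap-master.example"')

if __name__ == "__main__":
    for name, text in (("local", SAMPLE_LOCAL), ("remote", SAMPLE_REMOTE)):
        print(name, audit_ldap_transport(parse_kv(text)) or ["ok"])
    print(audit_bind_mode(0o100644, 0))
```

Run against the real files with `audit_ldap_transport(parse_kv(open("/etc/smbldap-tools/smbldap.conf").read()))` and `audit_bind_file("/etc/smbldap-tools/smbldap_bind.conf")`; an empty list means nothing was flagged.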
| 768 | </p><p> | 
|---|
| 769 | The next step was to run the <code class="literal">smbldap-populate</code> command, which populates | 
|---|
| 770 | the LDAP tree with the appropriate default users, groups, and UID and GID pools. | 
|---|
| 771 | It creates a user called Administrator with UID=0 and GID=0 matching the | 
|---|
| 772 | Domain Admins group. This is fine because you can still log on as root to a Windows system, | 
|---|
| 773 | but it will break cached credentials if you need to log on as the administrator | 
|---|
| 774 | to a system that is not on the network. | 
|---|
| 775 | </p><p> | 
|---|
| 776 | After the LDAP database has been preloaded, it is prudent to validate that the | 
|---|
| 777 | information needed is in the LDAP directory. This can be done by restarting | 
|---|
| 778 | the LDAP server, then performing an LDAP search by executing: | 
|---|
| 779 | </p><pre class="screen"> | 
|---|
| 780 | <code class="prompt">root# </code> ldapsearch -W -x -b "dc=abmas,dc=biz"\ | 
|---|
| 781 | -D "cn=Manager,dc=abmas,dc=biz" \ | 
|---|
| 782 | "(Objectclass=*)" | 
|---|
| 783 | Enter LDAP Password: | 
|---|
| 784 | # extended LDIF | 
|---|
| 785 | # | 
|---|
| 786 | # LDAPv3 | 
|---|
| 787 | # base <dc=abmas,dc=biz> with scope sub | 
|---|
| 788 | # filter: (ObjectClass=*) | 
|---|
| 789 | # requesting: ALL | 
|---|
| 790 | # | 
|---|
| 791 |  | 
|---|
| 792 | # abmas.biz | 
|---|
| 793 | dn: dc=abmas,dc=biz | 
|---|
| 794 | objectClass: dcObject | 
|---|
| 795 | objectClass: organization | 
|---|
| 796 | o: abmas | 
|---|
| 797 | dc: abmas | 
|---|
| 798 |  | 
|---|
| 799 | # People, abmas.biz | 
|---|
| 800 | dn: ou=People,dc=abmas,dc=biz | 
|---|
| 801 | objectClass: organizationalUnit | 
|---|
| 802 | ou: People | 
|---|
| 803 |  | 
|---|
| 804 | # Groups, abmas.biz | 
|---|
| 805 | dn: ou=Groups,dc=abmas,dc=biz | 
|---|
| 806 | objectClass: organizationalUnit | 
|---|
| 807 | ou: Groups | 
|---|
| 808 |  | 
|---|
| 809 | # Idmap, abmas.biz | 
|---|
| 810 | dn: ou=Idmap,dc=abmas,dc=biz | 
|---|
| 811 | objectClass: organizationalUnit | 
|---|
| 812 | ou: Idmap | 
|---|
| 813 | ... | 
|---|
| 814 | </pre><p> | 
|---|
| 815 | </p><p> | 
|---|
| 816 | <a class="indexterm" name="id376336"></a> | 
|---|
| 817 | <a class="indexterm" name="id376343"></a> | 
|---|
| 818 | <a class="indexterm" name="id376350"></a> | 
|---|
| 819 | <a class="indexterm" name="id376357"></a> | 
|---|
| 820 | <a class="indexterm" name="id376363"></a> | 
|---|
| 821 | With the LDAP directory now initialized, it was time to create the Windows and POSIX | 
|---|
| 822 | (UNIX) group accounts as well as the mappings from Windows groups to UNIX groups. | 
|---|
| 823 | The easiest way to do this was to use <code class="literal">smbldap-groupadd</code> command. | 
|---|
| 824 | It creates the group with the posixGroup and sambaGroupMapping attributes, a | 
|---|
| 825 | unique GID, and an automatically determined RID. I learned the hard way not to | 
|---|
| 826 | try to do this by hand. | 
|---|
| 827 | </p><p> | 
|---|
| 828 | <a class="indexterm" name="id376383"></a> | 
|---|
| 829 | <a class="indexterm" name="id376389"></a> | 
|---|
| 830 | <a class="indexterm" name="id376396"></a> | 
|---|
| 831 | After I had my group mappings in place, I added users to the groups (the users | 
|---|
| 832 | don't really have to exist yet). I used the <code class="literal">smbldap-groupmod</code> | 
|---|
| 833 | command to accomplish this. It can also be done manually by adding memberUID | 
|---|
| 834 | attributes to the group entries in LDAP. | 
|---|
| 835 | </p><p> | 
|---|
| 836 | <a class="indexterm" name="id376414"></a> | 
|---|
| 837 | <a class="indexterm" name="id376421"></a> | 
|---|
| 838 | <a class="indexterm" name="id376428"></a> | 
|---|
| 839 | The most monumental task of all was adding the sambaSamAccount information to each | 
|---|
| 840 | already existent posixAccount entry.  I did it one at a time as I moved people onto | 
|---|
| 841 | the new server, by issuing the command: | 
|---|
| 842 | </p><pre class="screen"> | 
|---|
| 843 | <code class="prompt">root# </code> smbldap-usermod -a -P username | 
|---|
| 844 | </pre><p> | 
|---|
| 845 | <a class="indexterm" name="id376448"></a> | 
|---|
| 846 | <a class="indexterm" name="id376455"></a> | 
|---|
| 847 | <a class="indexterm" name="id376462"></a> | 
|---|
| 848 | I completed that step for every user after asking the person what his or her current | 
|---|
| 849 | NetWare password was. The wiser way to have done it would probably have been to dump the | 
|---|
| 850 | entire database to an LDIF file. This can be done by executing: | 
|---|
| 851 | </p><pre class="screen"> | 
|---|
| 852 | <code class="prompt">root# </code> slapcat > somefile.ldif | 
|---|
| 853 | </pre><p> | 
|---|
| 854 | <a class="indexterm" name="id376483"></a> | 
|---|
| 855 | <a class="indexterm" name="id376490"></a> | 
|---|
| 856 | Then update the LDIF file created by using a Perl script to parse and add the | 
|---|
| 857 | appropriate attributes and objectClasses to each entry, followed by re-importing | 
|---|
| 858 | the entire database into the LDAP directory. | 
|---|
| 859 | </p><p> | 
|---|
| 860 | Rebuilding of the LDAP directory can be done as follows: | 
|---|
| 861 | </p><pre class="screen"> | 
|---|
| 862 | <code class="prompt">root# </code> rcldap stop | 
|---|
| 863 | <code class="prompt">root# </code> cd /data/ldap | 
|---|
| 864 | <code class="prompt">root# </code> rm *bdb _* log* | 
|---|
| 865 | <code class="prompt">root# </code> su - ldap -c "slapadd -l somefile.ldif" | 
|---|
| 866 | <code class="prompt">root# </code> rcldap start | 
|---|
| 867 | </pre><p> | 
|---|
| 868 | This can be done at any time and for any reason, with no harm to the database. | 
|---|
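The dump, transform and re-import steps above leave the transform itself to "a Perl script". The following is an added example, not the author's script and not smbldap-tools code: it reads the slapcat output, appends sambaSamAccount data to every posixAccount user entry that lacks it, and writes LDIF that slapadd can re-import. It assumes the domain SID from the smbldap.conf shown earlier and the RID mapping the page's own entries follow (user RID = 2*uidNumber+1000, so uidNumber 1074 gives RID 3148; group RID = 2*gidNumber+1001, so gidNumber 515 gives RID 2031). The sample LDIF is constructed. Because no NetWare password can be converted, no sambaNTPassword is written and each converted account is left disabled until smbldap-passwd sets one.

```python
"""Bulk-add sambaSamAccount data to posixAccount entries in an LDIF dump.

Added example (not the author's Perl script, not smbldap-tools code).
Usage: python3 add_samba.py somefile.ldif > converted.ldif
"""
import re
import sys

# Domain SID from smbldap.conf (SID=...) and the algorithmic RID mapping that the
# entries on this page follow: user RID = 2*uid+1000, group RID = 2*gid+1001.
DOMAIN_SID = "S-1-5-21-725326080-1709766072-2910717368"
RID_BASE = 1000


def user_rid(uid_number):
    return 2 * uid_number + RID_BASE


def group_rid(gid_number):
    return 2 * gid_number + RID_BASE + 1


def parse_ldif(text):
    """Split an LDIF dump into entries (lists of attribute lines).

    Folded continuation lines (leading space) are joined back onto the previous
    line; comments are dropped; values are kept verbatim, including '::' base64.
    """
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
                current = []
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    if current:
        entries.append(current)
    return entries


def attr_values(entry, name):
    """Plain (non-base64) values of one attribute; attribute names are case-insensitive."""
    pat = re.compile(r"^" + re.escape(name) + r":(?!:)\s*(.*)$", re.IGNORECASE)
    values = []
    for line in entry:
        m = pat.match(line)
        if m:
            values.append(m.group(1).strip())
    return values


def add_samba_attrs(entry):
    """Return the entry with sambaSamAccount data appended, or unchanged when it is
    not a posixAccount, already a sambaSamAccount, or a machine account."""
    classes = {v.lower() for v in attr_values(entry, "objectClass")}
    uids = attr_values(entry, "uid")
    if "posixaccount" not in classes or "sambasamaccount" in classes or not uids:
        return entry
    if uids[0].endswith("$"):
        return entry  # machine accounts are created by the domain join, not here
    uid_number = attr_values(entry, "uidNumber")
    gid_number = attr_values(entry, "gidNumber")
    if not uid_number or not gid_number:
        return entry  # malformed posixAccount; leave it for manual review
    return entry + [
        "objectClass: sambaSamAccount",
        f"sambaSID: {DOMAIN_SID}-{user_rid(int(uid_number[0]))}",
        f"sambaPrimaryGroupSID: {DOMAIN_SID}-{group_rid(int(gid_number[0]))}",
        # No password hash is written, so the account stays disabled ([D]) until
        # smbldap-passwd sets one; sambaPwdMustChange 0 forces a change then.
        "sambaAcctFlags: [UD]",
        "sambaPwdLastSet: 0",
        "sambaPwdMustChange: 0",
    ]


def transform_ldif(text):
    """Apply add_samba_attrs to every entry and re-serialise as LDIF."""
    return "\n\n".join("\n".join(add_samba_attrs(e)) for e in parse_ldif(text)) + "\n"


# Constructed sample resembling the page's dump: a user, a group and a machine.
SAMPLE_LDIF = """\
dn: cn=Test User,ou=People,dc=abmas,dc=biz
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Test User
sn: User
uid: test.user
uidNumber: 1074
gidNumber: 513
homeDirectory: /home/test.user
description: a folded value that continues
  on the next line
loginShell: /bin/false

dn: cn=Domain Users,ou=Groups,dc=abmas,dc=biz
objectClass: posixGroup
cn: Domain Users
gidNumber: 513

dn: uid=w2kengrspare$,ou=Computers,dc=abmas,dc=biz
objectClass: posixAccount
uid: w2kengrspare$
uidNumber: 1104
gidNumber: 515
"""

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    sys.stdout.write(transform_ldif(src))
```

The transform is idempotent, so it can be re-run on a dump that has already been partly converted, and entries that are not user posixAccounts pass through untouched.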
| 869 | </p><p> | 
|---|
| 870 | I first added a test user, of course. The LDIF for this test user looks like | 
|---|
| 871 | this, to give you an idea: | 
|---|
| 872 | </p><pre class="screen"> | 
|---|
| 873 | # Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz | 
|---|
| 874 | dn:cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz | 
|---|
| 875 | cn: Test User | 
|---|
| 876 | gecos: Test User | 
|---|
| 877 | gidNumber: 513 | 
|---|
| 878 | givenName: Test | 
|---|
| 879 | homeDirectory: /home/test.user | 
|---|
| 880 | homePhone: 555 | 
|---|
| 881 | l: Somewhere | 
|---|
| 882 | l: ST | 
|---|
| 883 | mail: test.user | 
|---|
| 884 | o: Corp | 
|---|
| 885 | objectClass: top | 
|---|
| 886 | objectClass: inetOrgPerson | 
|---|
| 887 | objectClass: posixAccount | 
|---|
| 888 | objectClass: sambaSamAccount | 
|---|
| 889 | postalCode: 12345 | 
|---|
| 890 | sn: User | 
|---|
| 891 | street: 10 Some St. | 
|---|
| 892 | uid: test.user | 
|---|
| 893 | uidNumber: 1074 | 
|---|
| 894 | sambaLogonTime: 0 | 
|---|
| 895 | sambaLogoffTime: 2147483647 | 
|---|
| 896 | sambaKickoffTime: 2147483647 | 
|---|
| 897 | sambaPwdCanChange: 0 | 
|---|
| 898 | displayName: Samba User | 
|---|
| 899 | sambaSID: S-1-5-21-725326080-1709766072-2910717368-3148 | 
|---|
| 900 | sambaLMPassword: 9D29C287C58448F9AAD3B435B51404EE | 
|---|
| 901 | sambaAcctFlags: [U] | 
|---|
| 902 | sambaNTPassword: D062088E99C95E37D7702287BB35E770 | 
|---|
| 903 | sambaPwdLastSet: 1102537694 | 
|---|
| 904 | sambaPwdMustChange: 1106425694 | 
|---|
| 905 | userPassword: {SSHA}UzFZ2VxRGdwUueLnTGtsTBtnsvMO1oj8 | 
|---|
| 906 | loginShell: /bin/false | 
|---|
| 907 | </pre><p> | 
|---|
| 908 | </p><p> | 
|---|
| 909 | Then I went over to a spare Windows NT machine and joined it to the MEGANET2 domain. | 
|---|
| 910 | It worked, and the machine's account entry under ou=Computers looks like this: | 
|---|
| 911 | </p><pre class="screen"> | 
|---|
| 912 | dn:uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz | 
|---|
| 913 | objectClass: top | 
|---|
| 914 | objectClass: inetOrgPerson | 
|---|
| 915 | objectClass: posixAccount | 
|---|
| 916 | objectClass: sambaSamAccount | 
|---|
| 917 | cn: w2kengrspare$ | 
|---|
| 918 | sn: w2kengrspare$ | 
|---|
| 919 | uid: w2kengrspare$ | 
|---|
| 920 | uidNumber: 1104 | 
|---|
| 921 | gidNumber: 515 | 
|---|
| 922 | homeDirectory: /dev/null | 
|---|
| 923 | loginShell: /bin/false | 
|---|
| 924 | description: Computer | 
|---|
| 925 | gecos: Computer | 
|---|
| 926 | sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208 | 
|---|
| 927 | sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-2031 | 
|---|
| 928 | displayName: W2KENGRSPARE$ | 
|---|
| 929 | sambaPwdCanChange: 1103149236 | 
|---|
| 930 | sambaPwdMustChange: 2147483647 | 
|---|
| 931 | sambaNTPassword: CA199C45CB6737035DB6D9D9F6CD1834 | 
|---|
| 932 | sambaPwdLastSet: 1103149236 | 
|---|
| 933 | sambaAcctFlags: [W          ] | 
|---|
| 934 | </pre><p> | 
|---|
| 935 | </p><p> | 
|---|
| 936 | <a class="indexterm" name="id376575"></a> | 
|---|
| 937 | So now I could log on with a test user from the machine w2kengrspare. It was all well and | 
|---|
| 938 | good, but that user was in no groups yet and so had pretty boring access.  I fixed that | 
|---|
| 939 | by writing the login script! To write the login script, I used | 
|---|
| 940 | <a class="ulink" href="http://www.kixtart.org" target="_top">Kixtart</a> because it will work | 
|---|
| 941 | with every architecture of Windows, has an active and helpful user base, and was both | 
|---|
| 942 | easier to learn and more powerful than the standard netlogon scripts I have seen. | 
|---|
| 943 | I also did not have to do a logon script per user or per group. | 
|---|
| 944 | </p><p> | 
|---|
| 945 | <a class="indexterm" name="id376595"></a> | 
|---|
| 946 | I downloaded Kixtart and put the following files in my netlogon share: | 
|---|
| 947 | </p><pre class="screen"> | 
|---|
| 948 | KIX32.EXE | 
|---|
| 949 | KX32.dll | 
|---|
| 950 | KX95.dll  <-- Not needed unless you are running Win9x clients. | 
|---|
| 951 | kx16.dll  <-- Probably not needed unless you are running DOS clients. | 
|---|
| 952 | kxrpc.exe <-- Probably useless as it has to run on the server and can | 
|---|
| 953 | only be run on NT.  It's for Windows 95 to become group-aware. | 
|---|
| 954 | We can get around the need. | 
|---|
| 955 | </pre><p> | 
|---|
| 956 | </p><p> | 
|---|
| 957 | <a class="indexterm" name="id376618"></a> | 
|---|
| 958 | I then wrote the <code class="filename">logon.kix</code> file that is shown in | 
|---|
| 959 | <a class="link" href="nw4migration.html#ch8kix" title="Example 10.15. Kixtart Control File File: logon.kix">“Kixtart Control File  File: logon.kix”</a>. I chose to keep it all in one file, but it | 
|---|
| 960 | can be split up and linked via include directives. | 
|---|
| 961 | </p><div class="example"><a name="ch8kix"></a><p class="title"><b>Example 10.15. Kixtart Control File  File: logon.kix</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 962 | ; This script just calls the other scripts. | 
|---|
| 963 |  | 
|---|
| 964 | ; First we want to get things done for everyone. | 
|---|
| 965 |  | 
|---|
| 966 | ; Second, we do first-time login stuff. | 
|---|
| 967 |  | 
|---|
| 968 | ; Third, we go through the group-oriented scripts one at a time. | 
|---|
| 969 |  | 
|---|
| 970 |  | 
|---|
| 971 | ; We want to check for group membership here to avoid the overhead of running | 
|---|
| 972 | ; scripts which don't apply. | 
|---|
| 973 | call "\\massive\netlogon\scripts\main.kix" | 
|---|
| 974 | call "\\massive\netlogon\scripts\setup.kix" | 
|---|
| 975 | IF INGROUP("MEGANET2\ACCT") | 
|---|
| 976 | call "scripts\acct.kix" | 
|---|
| 977 | ENDIF | 
|---|
| 978 | IF INGROUP("MEGANET2\ENGR","MEGANET2\RECEPTIONIST") | 
|---|
| 979 | call "\\massive\netlogon\scripts\engr.kix" | 
|---|
| 980 | ENDIF | 
|---|
| 981 | IF INGROUP("MEGANET2\FURN") | 
|---|
| 982 | call "\\massive\netlogon\scripts\furn.kix" | 
|---|
| 983 | ENDIF | 
|---|
| 984 | IF INGROUP("MEGANET2\TRUSS") | 
|---|
| 985 | call "\\massive\netlogon\scripts\truss.kix" | 
|---|
| 986 | ENDIF | 
|---|
| 987 | </pre></div></div><br class="example-break"><div class="example"><a name="ch8kix2"></a><p class="title"><b>Example 10.16. Kixtart Control File  File: main.kix</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 988 | break on | 
|---|
| 989 |  | 
|---|
| 990 | ; Choose whether to hide the login window or not | 
|---|
| 991 | IF INGROUP("MEGANET2\Domain Admins") | 
|---|
| 992 | USE Z: \\massive\everything | 
|---|
| 993 | SETCONSOLE("show") | 
|---|
| 994 | ELSE | 
|---|
| 995 | ; Nobody cares about seeing the login script except admins | 
|---|
| 996 | SETCONSOLE("hide") | 
|---|
| 997 | ENDIF | 
|---|
| 998 |  | 
|---|
| 999 | ; Delete all previously connected shares | 
|---|
| 1000 | USE * /delete | 
|---|
| 1001 |  | 
|---|
| 1002 | SETTITLE("Logging on @USERID to @LDOMAIN at @TIME") | 
|---|
| 1003 |  | 
|---|
| 1004 | ; Set the time on the workstation | 
|---|
| 1005 | $Timeserver = "\\massive" | 
|---|
| 1006 | Settime $TimeServer | 
|---|
| 1007 |  | 
|---|
| 1008 | ; Map the home directory | 
|---|
| 1009 | USE H: @HOMESHR ; connect to user's home share | 
|---|
| 1010 | IF @ERROR = 0 | 
|---|
| 1011 |  | 
|---|
| 1012 | H: | 
|---|
| 1013 | CD @HOMEDIR ; change directory to user's home directory | 
|---|
| 1014 | ENDIF | 
|---|
| 1015 |  | 
|---|
| 1016 | ; Everyone gets the N drive | 
|---|
| 1017 | USE N: \\massive\network | 
|---|
| 1018 | </pre></div></div><br class="example-break"><div class="example"><a name="ch8kix3"></a><p class="title"><b>Example 10.17. Kixtart Control File  File: setup.kix, Part A</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 1019 | ; My setup.kix is where all of the redirection stuff happens.  Note that with | 
|---|
| 1020 | ; the use of registry keys, this only happens the first time they log in, or if | 
|---|
| 1021 | ; I delete the pertinent registry keys which triggers it to happen again: | 
|---|
| 1022 |  | 
|---|
| 1023 | ; Check to see if we have written the abmas sub-key before | 
|---|
| 1024 | $RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas") | 
|---|
| 1025 | IF NOT $RETURNCODE = 0 | 
|---|
| 1026 | ; Add key for abmas-specific things on the first login | 
|---|
| 1027 | ADDKEY("HKEY_CURRENT_USER\abmas") | 
|---|
| 1028 | ; The following key gets deleted at the end of the first login | 
|---|
| 1029 | ADDKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") | 
|---|
| 1030 | ENDIF | 
|---|
| 1031 |  | 
|---|
| 1032 | ; People with laptops need My Documents to be in their profile.  People with | 
|---|
| 1033 | ; desktops can have My Documents redirected to their home directory to avoid | 
|---|
| 1034 | ; long delays with logging out and out-of-sync files. | 
|---|
| 1035 |  | 
|---|
| 1036 | ; Check to see if this is the first login -- doesn't make sense to do this | 
|---|
| 1037 | ; at the very first login | 
|---|
| 1038 |  | 
|---|
| 1039 | $RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") | 
|---|
| 1040 | IF NOT $RETURNCODE = 0 | 
|---|
| 1041 |  | 
|---|
| 1042 | ; We don't want to do this stuff for people with laptops or people in the FURN | 
|---|
| 1043 | ; group.  (They store their profiles in a different server) | 
|---|
| 1044 |  | 
|---|
| 1045 | IF NOT INGROUP("MASSIVE\Laptop","MASSIVE\FURN") | 
|---|
| 1046 | $RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\abmas\profile_copied") | 
|---|
| 1047 |  | 
|---|
| 1048 | ; A  crude way to tell what OS our profile is for and copy the "My Documents" | 
|---|
| 1049 | ; to the redirected folder on the server.  It works because the profiles | 
|---|
| 1050 | ; are stored as \\server\profiles\user\architecture | 
|---|
| 1051 | IF NOT $RETURNCODE = 0 | 
|---|
| 1052 | IF EXIST("\\massive\profiles\@userID\WinXP") | 
|---|
| 1053 | copy "\\massive\profiles\@userID\WinXP\My Documents\*" "\\massive\@userID\" | 
|---|
| 1055 | ENDIF | 
|---|
| 1056 | IF EXIST("\\massive\profiles\@userID\Win2K") | 
|---|
| 1057 | copy "\\massive\profiles\@userID\Win2K\My Documents\*" "\\massive\@userID\" | 
|---|
| 1059 | ENDIF | 
|---|
| 1060 | IF EXIST("\\massive\profiles\@userID\WinNT") | 
|---|
| 1061 | copy "\\massive\profiles\@userID\WinNT\My Documents\*" "\\massive\@userID\" | 
|---|
| 1063 | ENDIF | 
|---|
| 1064 | </pre></div></div><br class="example-break"><div class="example"><a name="ch8kix3b"></a><p class="title"><b>Example 10.18. Kixtart Control File  File: setup.kix, Part B</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 1065 | ; Now we will write the registry values to redirect the locations of "My Documents" | 
|---|
| 1067 | ; and other folders. | 
|---|
| 1068 | ADDKEY("HKEY_CURRENT_USER\abmas\profile_copied") | 
|---|
| 1069 | WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "Personal","\\massive\@userID","REG_SZ") | 
|---|
| 1072 | WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "My Pictures", "\\massive\@userID\My Pictures", "REG_SZ") | 
|---|
| 1075 | IF @PRODUCTTYPE="Windows 2000 Professional" or @PRODUCTTYPE="Windows XP Professional" | 
|---|
| 1077 | WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "My Videos", "\\massive\@userID\My Videos", "REG_SZ") | 
|---|
| 1080 | WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "My Music", "\\massive\@userID\My Music", "REG_SZ") | 
|---|
| 1083 | WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders", "My eBooks", "\\massive\@userID\My eBooks", "REG_SZ") | 
|---|
| 1086 | ENDIF | 
|---|
| 1087 | ENDIF | 
|---|
| 1088 | ENDIF | 
|---|
| 1089 |  | 
|---|
| 1090 | ; Now we will delete the FIRST_LOGIN sub-key that we made before. | 
|---|
| 1091 | ; Note - to run this script again you will want to delete the HKCU\abmas | 
|---|
| 1092 | ; sub-key, log out, and log back in. | 
|---|
| 1093 | $RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") | 
|---|
| 1094 | IF $RETURNVALUE = 0 | 
|---|
| 1095 | DELKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") | 
|---|
| 1096 | ENDIF | 
|---|
| 1097 | </pre></div></div><br class="example-break"><div class="example"><a name="ch8kix4"></a><p class="title"><b>Example 10.19. Kixtart Control File  File: acct.kix</b></p><div class="example-contents"><pre class="screen"> | 
|---|
| 1098 | ; And here is one group-oriented script to show what can be | 
|---|
| 1099 | ; done that way: acct.kix: | 
|---|
| 1100 |  | 
|---|
| 1101 | IF INGROUP("MASSIVE\Acct_Admin","MASSIVE\HR") | 
|---|
| 1102 | USE I: \\MEGANET2\HR_PR | 
|---|
| 1103 | ENDIF | 
|---|
| 1104 |  | 
|---|
| 1105 | ; Set up printer | 
|---|
| 1106 | $RETURNVALUE = existkey("HKEY_CURRENT_USER\Printers\,,massive,acct_hp8500") | 
|---|
| 1107 | IF NOT $RETURNVALUE = 0 | 
|---|
| 1108 | ADDPRINTERCONNECTION("\\massive\acct_hp8500") | 
|---|
| 1109 | SETDEFAULTPRINTER("\\massive\acct_hp8500") | 
|---|
| 1110 | ENDIF | 
|---|
| 1111 | ; Set up drive mappings | 
|---|
| 1112 | USE M: \\massive\ACCT | 
|---|
| 1113 | IF INGROUP("MEGANET2\ABRA") | 
|---|
| 1114 | USE T: \\trussrv\abra | 
|---|
| 1115 | ENDIF | 
|---|
| 1116 | </pre></div></div><br class="example-break"><p> | 
|---|
| 1117 | As you can see in the script, I redirected the My Documents to the user's home | 
|---|
| 1118 | share if he or she were not in the Laptop group. I also added printers on a | 
|---|
| 1119 | group-by-group basis, and if applicable I set the group printer. For this to | 
|---|
| 1120 | be effective, the print drivers must be installed on the Samba server in the | 
|---|
| 1121 | <code class="filename">[print$]</code> share. Ample documentation exists about how to | 
|---|
| 1122 | do that, so it is not covered here. | 
|---|
| 1123 | </p><p> | 
|---|
| 1124 | I call this script via the logon.bat script in the [netlogon] directory: | 
|---|
| 1125 | </p><pre class="screen"> | 
|---|
| 1126 | \\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f | 
|---|
| 1127 | </pre><p> | 
|---|
| 1128 | I only had to fully qualify the paths for Windows 9x, as Windows NT and | 
|---|
| 1129 | greater automatically add [NETLOGON] to the path. | 
|---|
| 1130 | </p><p> | 
|---|
| 1131 | Also of note for Win9x is that the drive mappings and printer setup will not | 
|---|
| 1132 | work because they rely on RPC. You merely have to put the appropriate settings | 
|---|
| 1133 | into the <code class="filename">c:\autoexec.bat</code> file or map the drives manually. | 
|---|
| 1134 | One option is to check the OS as part of the Kixtart script, and if it | 
|---|
| 1135 | is Win9x and is the first login, copy a premade | 
|---|
| 1136 | <code class="filename">autoexec.bat</code> to the <code class="filename">C:</code> drive. I | 
|---|
| 1137 | have only three such machines, and one is going away in the very near future, | 
|---|
| 1138 | so it was easier to do it by hand. | 
|---|
| 1139 | </p><p> | 
|---|
| 1140 | <a class="indexterm" name="id376842"></a> | 
|---|
| 1141 | At this point I was able to add the users. This is the part that really falls | 
|---|
| 1142 | into upgrade. I moved the users over one group at a time, starting with the | 
|---|
| 1143 | people who used the least amount of resources on the network. With each group | 
|---|
| 1144 | that I moved, I first logged on as a standard user in that group and took | 
|---|
| 1145 | careful note of the environment, mainly the printers he or she used, the PATH, | 
|---|
| 1146 | and what network resources he or she had access to (most importantly, which ones | 
|---|
| 1147 | the user actually needed access to). | 
|---|
| 1148 | </p><p> | 
|---|
| 1149 | I then added the user's sambaSamAccount information as mentioned earlier, | 
|---|
| 1150 | and joined the computer to the domain. The very first thing I had to do was to | 
|---|
| 1151 | copy the user's profile to the new server. This was very important, and I really | 
|---|
| 1152 | struggled with the most effective way to do it.  Here is the method that worked | 
|---|
| 1153 | for every one of my users on Windows NT, 2000, and XP: | 
|---|
| 1154 | </p><div class="procedure"><ol class="procedure" type="1"><li class="step" title="Step 1"><p> | 
|---|
| 1155 | Log in as the user on the domain. This creates the local copy | 
|---|
| 1156 | of the user's profile and copies it to the server as he or she logs out. | 
|---|
| 1157 | </p></li><li class="step" title="Step 2"><p> | 
|---|
| 1158 | Reboot the computer and log in as the local machine administrator. | 
|---|
| 1159 | </p></li><li class="step" title="Step 3"><p> | 
|---|
| 1160 | Right-click My Computer, click Properties, and navigate to the | 
|---|
| 1161 | user profiles tab (varies per version of Windows). | 
|---|
| 1162 | </p></li><li class="step" title="Step 4"><p> | 
|---|
| 1163 | Select the user's local profile <code class="constant">(COMPUTERNAME\username)</code>, | 
|---|
| 1164 | and click the <code class="literal">Copy To</code> button. | 
|---|
| 1165 | </p></li><li class="step" title="Step 5"><p> | 
|---|
| 1166 | In the next dialog, copy it directly to the profiles share on the | 
|---|
| 1167 | Samba server (in my case \\PDCname\profiles\user\<architecture>). | 
|---|
| 1168 | You will have had to make a connection to the share as that | 
|---|
| 1169 | user (e.g., Windows Explorer type \\PDCname\profiles\username). | 
|---|
| 1170 | </p></li><li class="step" title="Step 6"><p> | 
|---|
| 1171 | When the copy is complete (it can take a while) log out, and log back in | 
|---|
| 1172 | as the user. All of his or her settings and all contents of My Documents, | 
|---|
| 1173 | Favorites, and the registry should have been copied successfully. | 
|---|
| 1174 | </p></li><li class="step" title="Step 7"><p> | 
|---|
| 1175 | If it doesn't look right (the dead giveaway is the desktop background), | 
|---|
| 1176 | shut down the computer without logging out (power cycle) and try logging | 
|---|
| 1177 | in as the user again. If it still doesn't work, repeat the steps above. | 
|---|
| 1178 | I only had to ever repeat it once. | 
|---|
| 1179 | </p></li></ol></div><p> | 
|---|
| 1180 | Words to the Wise: | 
|---|
| 1181 | </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p> | 
|---|
| 1182 | If the user was anything other than a standard user on his or her system | 
|---|
| 1183 | before, you will save yourself some headaches by giving him or her identical | 
|---|
| 1184 | permissions (on the local machine) as his or her domain account <span class="emphasis"><em>before</em></span> | 
|---|
| 1185 | copying the profile over. Do this through the User Administrator | 
|---|
| 1186 | in the Control Panel, after joining the computer to the domain and | 
|---|
| 1187 | before logging on as that user for the first time. Otherwise the user will | 
|---|
| 1188 | have trouble with permissions on his or her registry keys. | 
|---|
| 1189 | </p></li><li class="listitem"><p> | 
|---|
| 1190 | If any application was installed for the user only, rather than for | 
|---|
| 1191 | the entire system, it will probably not work without being reinstalled. | 
|---|
| 1192 | </p></li></ul></div><p> | 
|---|
| 1193 | After all these steps are accomplished, only cleanup details are left. Make sure user's | 
|---|
| 1194 | shortcuts and Network Places point to the appropriate place on the new server, check | 
|---|
| 1195 | the important applications to be sure they work as expected and troubleshoot any problems | 
|---|
| 1196 | that might arise, and check to be sure the user's printers are present and working. By the | 
|---|
| 1197 | way, if there are any network printers installed as system printers (the Novell way), | 
|---|
| 1198 | you will need to log in as a local administrator and delete them. | 
|---|
| 1199 | </p><p> | 
|---|
| 1200 | For my non-laptop systems, I would then log in and out a couple times as the user | 
|---|
| 1201 | to be sure that his or her registry settings were modified, and then I was finished. | 
|---|
| 1202 | </p><p> | 
|---|
| 1203 | Some compatibility issues that cropped up included the following: | 
|---|
| 1204 | </p><p> | 
|---|
| 1205 | Blackberry client: It did not like having its registry settings moved around | 
|---|
| 1206 | and so had to be reinstalled. Also, it needed write permissions to a portion of | 
|---|
| 1207 | the hard drive, and I had to give it those manually on the one system where | 
|---|
| 1208 | this was an issue. | 
|---|
| 1209 | </p><p> | 
|---|
| 1210 | CAMedia: Digital camera software for Canon cameras caused all kinds of trouble | 
|---|
| 1211 | with the registry. I had to use the Run as service to open the registry of | 
|---|
| 1212 | the local user while logged in as the domain user, and give the domain user | 
|---|
| 1213 | the appropriate permissions to some registry keys, then export that portion | 
|---|
| 1214 | of the registry to a file. Then, as the domain user, I had to import that file | 
|---|
| 1215 | into the registry. | 
|---|
| 1216 | </p><p> | 
|---|
| 1217 | Crystal Reports version 7: More registry problems that were solved by recopying | 
|---|
| 1218 | the user's profile. | 
|---|
| 1219 | </p><p> | 
|---|
| 1220 | Printing from legacy applications: I found out that Novell sends its jobs to | 
|---|
| 1221 | the printer in a raw format. CUPS sends them in PostScript by default. I had | 
|---|
| 1222 | to make a second printer definition for one printer and tell CUPS specifically | 
|---|
| 1223 | to send raw data to the printer, then assign this printer to the LPT port with | 
|---|
| 1224 | Kixtart's version of the net use command. | 
|---|
| 1225 | </p><p> | 
|---|
| 1226 | These were all eventually solved by elbow grease, queries to the Samba mailing | 
|---|
| 1227 | list and others, and diligence. The complete migration took about 5 weeks. | 
|---|
| 1228 | My userbase is relatively small but includes multiple versions of Windows, | 
|---|
| 1229 | multiple Linux member servers, a mechanized saw, a pen plotter, and legacy | 
|---|
| 1230 | applications written in Qbasic and R:Base, just to name a few. I actually | 
|---|
| 1231 | ended up making some of these applications work better (or work again, as | 
|---|
| 1232 | some of them had stopped functioning on the old server) because as part of | 
|---|
| 1233 | the process I had to find out how things were supposed to work. | 
|---|
| 1234 | </p><p> | 
|---|
| 1235 | The one thing I have not been able to get working is a very old database that | 
|---|
| 1236 | we had around for reference purposes; it uses Novell's Btrieve engine. | 
|---|
| 1237 | </p><p> | 
|---|
| 1238 | As the resources compare, I went from 95 percent disk usage to just around 10 percent. | 
|---|
| 1239 | I went from a very high load on the server to an average load of between one | 
|---|
| 1240 | and two runnable processes on the server. I have improved the security and | 
|---|
| 1241 | robustness of the system. I have also implemented | 
|---|
| 1242 | <a class="ulink" href="http://www.clamav.net" target="_top">ClamAV</a> antivirus software, | 
|---|
| 1243 | which scans the entire Samba server for viruses every 2 hours and | 
|---|
| 1244 | quarantines them. I have found it much less problematic than our ancient | 
|---|
| 1245 | version of Norton Antivirus Corporate Edition, and much more up-to-date. | 
|---|
| 1246 | </p><p> | 
|---|
| 1247 | In short, my users are much happier now that the new server is running, and that | 
|---|
| 1248 | is what is important to me. | 
|---|
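</p><p>
As an added example, not the contributor's own script: one way to implement the 2-hourly scan-and-quarantine sweep described above with ClamAV's clamscan run from cron. It also refuses to run when the quarantine directory sits inside the scanned share, because a moved file would otherwise remain reachable from every client that can browse the share. The share root, quarantine directory, log path and cron location are assumptions; adjust them to the real layout.
</p>
```shell
#!/bin/sh
# Added example, not the author's setup: a periodic ClamAV sweep of the Samba
# data tree that moves infected files into a quarantine directory. Intended
# to be run from cron every 2 hours, e.g. in /etc/cron.d (assumed path):
#   0 */2 * * * root /usr/local/sbin/samba-avscan.sh --run
# SCAN_ROOT, QUARANTINE and LOGFILE are assumptions; adjust to the real layout.
SCAN_ROOT="${SCAN_ROOT:-/data}"
QUARANTINE="${QUARANTINE:-/var/quarantine}"
LOGFILE="${LOGFILE:-/var/log/samba-avscan.log}"

# Print the "Infected files: N" count from a clamscan summary ($1);
# prints 0 when the summary line is missing so callers can always compare.
infected_count() {
    printf '%s\n' "$1" \
        | sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p' \
        | head -n 1 | grep . || echo 0
}

# Succeed only if the quarantine dir ($2) is neither the share root ($1)
# nor below it: a quarantine inside the share would leave the moved file
# reachable from every client that can browse the share.
quarantine_outside_share() {
    case "$2/" in
        "$1"/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Scan the tree, quarantine hits, append one line to the log, and return
# non-zero when anything was found so cron mails the operator.
run_scan() {
    quarantine_outside_share "$SCAN_ROOT" "$QUARANTINE" || {
        echo "refusing to run: $QUARANTINE is inside $SCAN_ROOT" >&2
        return 2
    }
    mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE"
    # -r recurse, -i report only infected files, --move relocate hits
    summary=$(clamscan -r -i --move="$QUARANTINE" "$SCAN_ROOT" 2>&1)
    n=$(infected_count "$summary")
    printf '%s root=%s infected=%s\n' "$(date '+%F %T')" "$SCAN_ROOT" "$n" >> "$LOGFILE"
    [ "$n" -eq 0 ]
}

if [ "${1:-}" = "--run" ]; then
    run_scan
fi
```
<p>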
</p></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="ntmigration.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="DMSMig.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="RefSection.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 9. Migrating NT4 Domain to Samba-3 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Part III. Reference Section</td></tr></table></div></body></html>