1<?xml version="1.0" encoding="iso-8859-1"?> 2<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc"> 3<chapter id="nw4migration"> 4 <title>Migrating NetWare Server to Samba-3</title> 5 6 <para> 7 <indexterm><primary>Novell</primary></indexterm> 8 <indexterm><primary>SUSE</primary></indexterm> 9 Novell is a company any seasoned IT manager has to admire. It has become increasingly 10 Linux-friendly and is emerging out of a deep regression that almost saw the company 11 disappear into obscurity. Novell's SUSE Linux hosts the NetWare server and it is the 12 platform of choice to which many older NetWare servers are being migrated. 13 It will be interesting to see what becomes of NetWare over time. 14 Meanwhile, there can be no denying that Novell is a Linux company. 15 </para> 16 17 <para> 18 <indexterm><primary>Red Hat</primary></indexterm> 19 <indexterm><primary>Debian</primary></indexterm> 20 <indexterm><primary>Gentoo</primary></indexterm> 21 <indexterm><primary>Mandrake</primary></indexterm> 22 Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian, 23 Gentoo, Mandrake, or SUSE (Novell), the information in this chapter should be read with 24 the knowledge that file locations may vary a little; even so, the information 25 in this chapter should provide something of value. 26 </para> 27 28 <para> 29 <indexterm><primary>migration</primary></indexterm> 30 Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many 31 years who surfaced on the Samba mailing list with a barrage of questions and who 32 regularly helps other administrators to solve thorny Samba migration questions. 33 </para> 34 35 <para> 36 <indexterm><primary>NetWare</primary></indexterm> 37 <indexterm><primary>NLM</primary></indexterm> 38 <indexterm><primary>NetWare</primary></indexterm> 39 <indexterm><primary>Mars_NWE</primary></indexterm> 40 One wonders how many NetWare servers remain in active service. Many are being migrated 41 to Samba on Linux. Red Hat Linux, SUSE Linux 9.x, and SUSE Linux Enterprise Server 9 are 42 ideal target platforms to which a NetWare server may be migrated. The migration method 43 of choice is much dependent on the tools that the administrator finds most natural to use. 44 The old-hand NetWare guru will likely want to use tools like the NetWare NLM for 45 <command>rsync</command> to migrate files from the NetWare server to the Samba server. 46 The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stovers' NetWare 47 Emulator) open source package. The MS Windows network administrator will likely make use of the 48 NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice, 49 migration will be filled with joyous and challenging moments &smbmdash; though probably not 50 concurrently. 51 </para> 52 53 <para> 54 The priority that Misty faced was one of migration of the data files off the NetWare 4.11 55 server and onto a Samba-based Windows file and print server. This chapter does not pretend 56 to document all the different methods that could be used to migrate user and group accounts 57 off a NetWare server. Its focus is on migration of data files. 58 </para> 59 60 <para> 61 This chapter tells its own story, so ride along. Maybe the information presented here 62 will help to smooth over a similar migration challenge in your favorite networking environment. 63 </para> 64 65 <para> 66 File paths have been modified to permit use of RPM packages provided by Novell. In the 67 original documentation contributed by Misty, the Courier-IMAP package had been built 68 directly from the original source tarball. 69 </para> 70 71<sect1> 72 <title>Introduction</title> 73 74 <para> 75 <indexterm><primary>Novell</primary></indexterm> 76 Misty Stanley-Jones was recruited by Abmas to administer a network that had 77 not received much attention for some years and was much in need of a makeover. 78 As a brand-new sysadmin to this company, she inherited a very old Novell file server 79 and came with a determination to change things for the better. 80 </para> 81 82 <para> 83 A site survey turned up the following details for the old NetWare server: 84 </para> 85 86 <simplelist> 87 <member>200 MHz MMX processor</member> 88 <member>512K RAM</member> 89 <member>24 GB disk space in RAID1</member> 90 <member>Novell 4.11 patched to service pack 7</member> 91 <member>60+ users</member> 92 <member>7 network-attached printers</member> 93 </simplelist> 94 95 <para> 96 The company had outgrown this server several years before and was dealing with 97 severe growing pains. Some of the problems experienced were: 98 </para> 99 100 <itemizedlist> 101 <listitem> 102 <para>Very slow performance</para> 103 </listitem> 104 <listitem> 105 <para>Available storage hovering around the 5% range</para> 106 <itemizedlist> 107 <listitem> 108 <para>Extremely slow print spooling.</para> 109 </listitem> 110 <listitem> 111 <para> 112 Users storing information on their local hard 113 drives, causing backup integrity problems 114 </para> 115 </listitem> 116 </itemizedlist> 117 </listitem> 118 </itemizedlist> 119 120 <para> 121 <indexterm><primary>payroll</primary></indexterm> 122 At one point disk space had filled up to 100 percent, causing the payroll database 123 to become corrupt. This caused the accounting department to be down for over 124 a week and necessitated deployment of another file server. The replacement 125 server was created with very poor security and design considerations from 126 a discarded desktop PC. 127 </para> 128 129 <sect2> 130 <title>Assignment Tasks</title> 131 132 <para> 133 Misty has provided this summary of her migration experience in the hope 134 that it will help someone to avoid the challenges she faced. Perhaps her 135 configuration files and background will accelerate your learning as you 136 grapple with a similar migration challenge. Let there be no confusion, 137 the information presented in this chapter is provided to demonstrate 138 how Misty dealt with a particular NetWare migration requirement, and 139 it provides an overall approach to the implementation of a Samba-3 140 environment that is significantly divergent from that presented in 141 <link linkend="happy"/>. 142 </para> 143 144 <para> 145 The complete removal of all site-specific information in order to produce 146 a generic migration solution would rob this chapter of its character. 147 It should be recognized, therefore, that the examples given require 148 significant adaptation to suit local needs and thus 149 there are some gaps in the example files. That is not Misty's fault;it 150 is the result of treatment given to her files in an attempt to make 151 the overall information more useful to you. 152 </para> 153 154 <para> 155 <indexterm><primary>cost-benefit</primary></indexterm> 156 After management reviewed a cost-benefit report as well as an estimated 157 time-to-completion, approval was given proceed with the solution proposed. 158 The server was built from purchased components. The total project cost 159 was $3,000. A brief description of the configuration follows: 160 </para> 161 162 <simplelist> 163 <member> 164 3.0 GHz P4 Processor 165 </member> 166 <member> 167 1 GB RAM 168 </member> 169 <member> 170 120 GB SATA operating system drive 171 </member> 172 <member> 173 4 x 80 GB SATA data drives (RAID5 240 GB capacity) 174 </member> 175 <member> 176 2 x 80 GB SATA removable drives for online backup 177 </member> 178 <member> 179 A DLT drive for asynchronous offline backup 180 </member> 181 <member> 182 SUSE Linux Professional 9.1 183 </member> 184 </simplelist> 185 186 <para> 187 The new system has operated for 6 months without problems. Over the past months 188 much attention has been focused on cleaning up desktops and user profiles. 189 </para> 190 191 </sect2> 192</sect1> 193 194<sect1> 195 <title>Dissection and Discussion</title> 196 197 <para> 198 <indexterm><primary>LDAP</primary></indexterm> 199 <indexterm><primary>e-Directory</primary></indexterm> 200 <indexterm><primary>authentication</primary></indexterm> 201 <indexterm><primary>identity management</primary></indexterm> 202 A decision to use LDAP was made even though I knew nothing about LDAP except that 203 I had been reading the book <quote>LDAP System Administration,</quote> by Gerald Carter. 204 LDAP seemed to provide some of the functionality of Novell's e-Directory Services 205 and would provide centralized authentication and identity management. 206 </para> 207 208 <para> 209 <indexterm><primary>database</primary></indexterm> 210 <indexterm><primary>RPM</primary></indexterm> 211 <indexterm><primary>tree</primary></indexterm> 212 Building the LDAP database took a while and a lot of trial and error. Following 213 the guidance I obtained from <quote>LDAP System 214 Administration,</quote> I installed OpenLDAP (from RPM; later I compiled 215 a more current version from source) and built my initial LDAP tree. 216 </para> 217 218 <sect2> 219 <title>Technical Issues</title> 220 221 <para> 222 <indexterm><primary>white-pages</primary></indexterm> 223 <indexterm><primary>inetOrgPerson</primary></indexterm> 224 <indexterm><primary>OpenLDAP</primary></indexterm> 225 <indexterm><primary>/etc/passwd</primary></indexterm> 226 <indexterm><primary>/etc/shadow</primary></indexterm> 227 <indexterm><primary>LDIF</primary></indexterm> 228 <indexterm><primary>IMAP</primary></indexterm> 229 <indexterm><primary>POP3</primary></indexterm> 230 <indexterm><primary>SMTP</primary></indexterm> 231 The first challenge was to create a company white pages, followed by manually 232 entering everything from the printed company directory. This used only the inetOrgPerson 233 object class from the OpenLDAP schemas. The next step was to write a shell script that 234 would look at the <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename> 235 files on our mail server and create an LDIF file from which the information could be 236 imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3, 237 and SMTP. 238 </para> 239 240 <para> 241 Because a decision was made to use Courier-IMAP the schema <quote>authldap.schema</quote> 242 from the Courier-IMAP source, tarball is necessary to resolve Courier-specific LDAP directory 243 needs. Where the Courier-IMAP file provided by SUSE is used, this file is named 244 <filename>courier.schema</filename>. 245 </para> 246 247 <para> 248 Looking back, it would have been much easier to populate the LDAP directory using a convenient 249 tool such as <command>phpLDAPAdmin</command> from the outset. An excessive amount of time was 250 spent trying to generate LDIF files that could be parsed using the <command>ldapmodify</command> 251 so that necessary changes could be written to the directory. This was a learning experience! 252 </para> 253 254 <para> 255 An attempt was made to use the PADL POSIX account migration scripts, but I gave up trying to 256 make them work. Instead, even though it is most inelegant, I wrote a simple script that did 257 what I needed. It is enclosed as a simple example to demonstrate that you do not need to be 258 a guru to make light of otherwise painful repetition. This file is listed in <link linkend="sbeamg"/>. 259 </para> 260 261<example id="sbeamg"> 262<title>A Rough Tool to Create an LDIF File from the System Account Files</title> 263<screen> 264#!/bin/bash 265 266cat /etc/passwd | while read l; do 267 uid=`echo $l | cut -d : -f 1` 268 uidNumber=`echo $l | cut -d : -f 3` 269 gidNumber=`echo $1 | cut -d : -f 4` 270 gecos=`echo $l | cut -d : -f 5` 271 homeDirectory=`echo $l | cut -d : -f 6` 272 loginShell=`echo $l | cut -d : -f 6` 273 userPassword=`cat /etc/shadow | grep $uid | cut -d : -f 2` 274 275 echo "dn: cn=$gecos,ou=people,dc=mycompany,dc=com" 276 echo "objectClass: account" 277 echo "objectClass: posixAccount" 278 echo "cn: $gecos" 279 echo "uid: $uid" 280 echo "uidNumber: $uidNumber" 281 echo "gidNumber: $gidNumber" 282 echo "homeDirectory: $homeDirectory" 283 echo "loginShell: $loginShell" 284 echo "userPassword: $userPassword" 285done 286</screen> 287</example> 288 289 <note><para> 290 291 The PADL MigrationTools are recommended for migration of the UNIX account information into 292 the LDAP directory. The tools consist of a set of Perl scripts for migration of users, groups, 293 aliases, hosts, netgroups, networks, protocols, PRCs, and services from the existing ASCII text 294 files (or from a name service such as NIS). This too set can be obtained from the <ulink url= 295 "http://www.padl.com">PADL Web site</ulink>. 296 </para></note> 297 298 </sect2> 299 300</sect1> 301 302<sect1> 303 <title>Implementation</title> 304 305 <para> 306 </para> 307 308 <sect2> 309 <title>NetWare Migration Using LDAP Backend</title> 310 311 <para> 312 The following software must be installed on the SUSE Linux Enterprise Server to perform 313 this migration: 314 </para> 315 316 <simplelist> 317 <member>courier-imap</member> 318 <member>courier-imap-ldap</member> 319 <member>nss_ldap</member> 320 <member>openldap2-client</member> 321 <member>openldap2-devel (only for Samba compilation)</member> 322 <member>openldap2</member> 323 <member>pam_ldap</member> 324 <member>samba-3.0.20 or later</member> 325 <member>samba-client-3.0.20 or later</member> 326 <member>samba-winbind-3.0.20 or later</member> 327 <member>smbldap-tools Version 0.9.1</member> 328 </simplelist> 329 330 <para> 331 Each software application must be carefully configured in preparation for migration. 332 The configuration files used at Abmas are provided as a guide and should be modified 333 to meet needs at your site. 334 </para> 335 336 <sect3> 337 <title>LDAP Server Configuration</title> 338 339 <para> 340 The <filename>/etc/openldap/slapd.conf</filename> file Misty used is shown here: 341<programlisting> 342#/etc/openldap/slapd.conf 343# 344# See slapd.conf(5) for details on configuration options. 345# This file should NOT be world readable. 346# 347include /etc/openldap/schema/core.schema 348include /etc/openldap/schema/cosine.schema 349include /etc/openldap/schema/inetorgperson.schema 350include /etc/openldap/schema/nis.schema 351include /etc/openldap/schema/samba3.schema 352include /etc/openldap/schema/dhcp.schema 353include /etc/openldap/schema/misc.schema 354include /etc/openldap/schema/idpool.schema 355include /etc/openldap/schema/eduperson.schema 356include /etc/openldap/schema/commURI.schema 357include /etc/openldap/schema/local.schema 358include /etc/openldap/schema/courier.schema 359 360pidfile /var/run/slapd/run/slapd.pid 361argsfile /var/run/slapd/run/slapd.args 362 363replogfile /data/ldap/log/slapd.replog 364 365# Load dynamic backend modules: 366modulepath /usr/lib/openldap/modules 367 368####################################################################### 369# Logging parameters 370####################################################################### 371loglevel 256 372 373####################################################################### 374# SASL and TLS options 375####################################################################### 376sasl-host ldap.corp.abmas.org 377sasl-realm DIGEST-MD5 378sasl-secprops none 379TLSCipherSuite HIGH:MEDIUM:+SSLV2 380TLSCertificateFile /etc/ssl/certs/private/abmas-cert.pem 381TLSCertificateKeyFile /etc/ssl/certs/private/abmas-key.pem 382password-hash {SSHA} 383defaultsearchbase "dc=abmas,dc=biz" 384 385####################################################################### 386# bdb database definitions 387####################################################################### 388database bdb 389suffix "dc=abmas,dc=biz" 390rootdn "cn=manager,dc=abmas,dc=biz" 391rootpw {SSHA}gdo/dUvoT4ZJmULz3rUt6A3H/hBEduJ5 392directory /data/ldap 393mode 0600 394# The following is for BDB to make it flush its data to disk every 395# 500 seconds or 5kb of data 396checkpoint 500 5 397 398## For running slapindex 399#readonly on 400 401## Indexes for often-requested attributes 402index objectClass eq 403index cn eq,sub 404index sn eq,sub 405index uid eq,sub 406index uidNumber eq 407index gidNumber eq 408index sambaSID eq 409index sambaPrimaryGroupSID eq 410index sambaDomainName eq 411index default sub 412cachesize 2000 413 414replica host=baa.corp.abmas.org:389 415 suffix="dc=abmas,dc=biz" 416 binddn="cn=replica,dc=abmas,dc=biz" 417 credentials=verysecret 418 bindmethod=simple 419 tls=yes 420replica host=ns.abmas.org:389 421 suffix="dc=abmas,dc=biz" 422 binddn="cn=replica,dc=abmas,dc=biz" 423 credentials=verysecret 424 bindmethod=simple 425 tls=yes 426 427####################################################################### 428# ACL section 429####################################################################### 430## MOST RESTRICTIVE RULES MUST GO FIRST! 431# Admins get access to everything. This way I do not have to rename. 432access to * 433 by group/groupOfUniqueNames/uniqueMember="cn=LDAP 434Administrators,ou=groups,dc=abmas,dc=biz" write 435 by * break 436 437## Users can change their own passwords. 438access to 439attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet, 440sambaPwdMustChange,sambaPwdCanChange 441 by self write 442 by * auth 443 444## Home contact info restricted to the logged-in user and the HR dept 445access to attrs=hometelephoneNumber,homePostalAddress, 446mobileTelephoneNumber,pagerTelephoneNumber 447 by group/groupOfUniqueNames/uniqueMember="cn=hr_admin, 448ou=groups,dc=abmas,dc=biz" 449write 450 by self write 451 by * none 452 453## Everyone can read email aliases 454access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz" 455 by * read 456 457## Only admins can manage email aliases 458## If someone is the role occupant of an alias they can change it -- this 459## is accomplished by the "organizationalRole" objectclass and is 460## pretty cool -- like a groupOfUniqueNames but for individual 461## users. 462access to dn.children="ou=Email Aliases,dc=abmas,dc=biz" 463 by dnattr=roleOccupant write 464 by * read 465 466## Admins and HR can add and delete users 467access to dn.sub="ou=people,dc=abmas,dc=biz" 468 by group/groupOfUniqueNames/uniqueMember="cn=hr_admin, 469ou=groups,dc=abmas,dc=biz" 470write 471 by * read 472 473## Admins and HR can add and delete bizputers 474access to dn.sub="ou=bizputers,dc=abmas,dc=biz" 475 by group/groupOfUniqueNames/uniqueMember="cn=hr_admin, 476ou=groups,dc=abmas,dc=biz" 477write 478 by * read 479 480## Admins and HR can add and delete groups 481access to dn.sub="ou=groups,dc=abmas,dc=biz" 482 by group/groupOfUniqueNames/uniqueMember="cn=hr_admin, 483ou=groups,dc=abmas,dc=biz" 484write 485 by * read 486 487## This is used to quickly deactivate any LDAP object only 488## Admins have access. 489access to dn.sub="ou=inactive,dc=abmas,dc=biz" 490 by * none 491 492## This is for programs like Windows Address Book that can 493## detect the default search base. 494access to attrs=namingcontexts,supportedControl 495 by anonymous =cs 496 by * read 497 498## Default to read-only access 499access to * 500 by dn.base="cn=replica,ou=people,dc=abmas,dc=biz" write 501 by * read 502</programlisting> 503</para> 504 505 <para> 506 <indexterm><primary>/etc/ldap.conf</primary></indexterm> 507 The <filename>/etc/ldap.conf</filename> file used is listed in <link linkend="ch8ldap"/>. 508 </para> 509 510<example id="ch8ldap"> 511<title>NSS LDAP Control File &smbmdash; /etc/ldap.conf</title> 512<screen> 513# /etc/ldap.conf 514# This file is present on every *NIX client that authenticates to LDAP. 515# For me, most of the defaults are fine. There is an amazing amount of 516# customization that can be done see the man page for info. 517 518# Your LDAP server. Must be resolvable without using LDAP. The following 519# is for the LDAP server all others use the FQDN of the server 520URI ldap://127.0.0.1 521 522# The distinguished name of the search base. 523base ou=corp,dc=abmas,dc=biz 524 525# The LDAP version to use (defaults to 3 if supported by client library) 526ldap_version 3 527 528# The distinguished name to bind to the server with if the effective 529# user ID is root. Password is stored in /etc/ldap.secret (mode 600) 530rootbinddn cn=Manager,dc=abmas,dc=biz 531 532# Filter to AND with uid=%s 533pam_filter objectclass=posixAccount 534 535# The user ID attribute (defaults to uid) 536pam_login_attribute uid 537 538# Group member attribute 539pam_member_attribute memberUID 540 541# Use the OpenLDAP password change 542# extended operation to update the password. 543pam_password exop 544 545# OpenLDAP SSL mechanism 546# start_tls mechanism uses the normal LDAP port, LDAPS typically 636 547ssl start_tls 548 549tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem 550... 551</screen> 552</example> 553 554 <para> 555 The NSS control file <filename>/etc/nsswitch.conf</filename> has the following contents: 556<screen> 557# /etc/nsswitch.conf 558# This file controls the resolve order for system databases. 559 560# the following two lines obviate the "+" entry in /etc/passwd and /etc/group. 561passwd: compat ldap 562group: compat ldap 563# The above are all that I store in LDAP at this point. There are 564# possibilities to store hosts, services, ethers, and lots of other things. 565</screen> 566 </para> 567 568 <para> 569 <indexterm><primary>PAM</primary></indexterm> 570 <indexterm><primary>NSS</primary></indexterm> 571 In my setup, users authenticate via PAM and NSS using LDAP-based accounts. 572 The configuration file that controls the behavior of the PAM <command>pam_unix2</command> 573 module is shown in <link linkend="sbepu2"/> file. 574 This works out of the box with the configuration files in this chapter. It 575 enables you to have no local accounts for users (it is highly advisable 576 to have a local account for the root user). Traps for the unwary include the following: 577 </para> 578 579<example id="sbepu2"> 580<title>The PAM Control File <filename>/etc/security/pam_unix2.conf</filename></title> 581<screen> 582# pam_unix2 config file 583# 584# This file contains options for the pam_unix2.so module. 585# It contains a list of options for every type of management group, 586# which will be used for authentication, account management and 587# password management. Not all options will be used from all types of 588# management groups. 589# 590# At first, pam_unix2 will read this file and then uses the local 591# options. Not all options can be set her global. 592# 593# Allowed options are: 594# 595# debug (account, auth, password, session) 596# nullok (auth) 597# md5 (password / overwrites /etc/default/passwd) 598# bigcrypt (password / overwrites /etc/default/passwd) 599# blowfish (password / overwrites /etc/default/passwd) 600# crypt_rounds=XX 601# none (session) 602# trace (session) 603# call_modules=x,y,z (account, auth, password) 604# 605# Example: 606# auth: nullok 607# account: 608# password: nullok blowfish crypt_rounds=8 609# session: none 610# 611auth: use_ldap 612account: use_ldap 613password: use_ldap 614session: none 615</screen> 616</example> 617 618 <indexterm><primary>LDAP</primary></indexterm> 619 <indexterm><primary>authenticate</primary></indexterm> 620 <indexterm><primary>DNS</primary></indexterm> 621 <itemizedlist> 622 <listitem> 623 <para> 624 If your LDAP database goes down, nobody can authenticate except for root. 625 </para> 626 </listitem> 627 628 <listitem> 629 <para> 630 If failover is configured incorrectly, weird behavior can occur. For example, 631 DNS can fail to resolve. 632 </para> 633 </listitem> 634 </itemizedlist> 635 636 <para> 637 I do have two LDAP slave servers configured. That subject is beyond the scope 638 of this document, and steps for implementing it are well documented. 639 </para> 640 641 <para> 642 The following services authenticate using LDAP: 643 </para> 644 <indexterm><primary>UNIX</primary></indexterm> 645 <indexterm><primary>Postfix</primary></indexterm> 646 <indexterm><primary>Courier-IMAP</primary></indexterm> 647 <simplelist> 648 <member>UNIX login/ssh</member> 649 <member>Postfix (SMTP)</member> 650 <member>Courier-IMAP/IMAPS/POP3/POP3S</member> 651 </simplelist> 652 653 <para> 654 <indexterm><primary>white-pages</primary></indexterm> 655 <indexterm><primary>Windows Address Book</primary></indexterm> 656 Companywide white pages can be searched using an LDAP client 657 such as the one in the Windows Address Book. 658 </para> 659 660 <para> 661 <indexterm><primary>LDAP</primary></indexterm> 662 <indexterm><primary>smbldap-tools</primary></indexterm> 663 Having gained a solid understanding of LDAP and a relatively workable LDAP tree 664 thus far, it was time to configure Samba. I compiled the latest stable Samba and 665 also installed the latest <command>smbldap-tools</command> from 666 <ulink url="http://idealx.com">Idealx</ulink>. 667 </para> 668 669 <para> 670 The Samba &smb.conf; file was configured as shown in <link linkend="ch8smbconf"/>. 671 </para> 672 673<example id="ch8smbconf"> 674<title>Samba Configuration File &smbmdash; smb.conf Part A</title> 675<smbconfblock> 676<smbconfcomment>Global parameters</smbconfcomment> 677<smbconfsection name="[global]"/> 678<smbconfoption name="workgroup">MEGANET2</smbconfoption> 679<smbconfoption name="netbios name">MASSIVE</smbconfoption> 680<smbconfoption name="server string">Corp File Server</smbconfoption> 681<smbconfoption name="passdb backend">ldapsam:ldap://localhost</smbconfoption> 682<smbconfoption name="pam password change">Yes</smbconfoption> 683<smbconfoption name="username map">/etc/samba/smbusers</smbconfoption> 684<smbconfoption name="log level">1</smbconfoption> 685<smbconfoption name="log file">/data/samba/log/%m.log</smbconfoption> 686<smbconfoption name="name resolve order">wins host bcast</smbconfoption> 687<smbconfoption name="time server">Yes</smbconfoption> 688<smbconfoption name="printcap name">cups</smbconfoption> 689<smbconfoption name="show add printer wizard">No</smbconfoption> 690<smbconfoption name="cups options">Raw</smbconfoption> 691<smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m "%u"</smbconfoption> 692<smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd -p "%g"</smbconfoption> 693<smbconfoption name="add user to group script">/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</smbconfoption> 694<smbconfoption name="delete user from group script">/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</smbconfoption> 695<smbconfoption name="set primary group script">/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</smbconfoption> 696<smbconfoption name="add machine script">/usr/local/sbin/smbldap-useradd -w "%m"</smbconfoption> 697<smbconfoption name="logon script">logon.bat</smbconfoption> 698<smbconfoption name="logon path">\\%L\profiles\%U\%a</smbconfoption> 699<smbconfoption name="logon drive">H:</smbconfoption> 700<smbconfoption name="logon home">\\%L\%U</smbconfoption> 701<smbconfoption name="domain logons">Yes</smbconfoption> 702<smbconfoption name="wins support">Yes</smbconfoption> 703<smbconfoption name="ldap admin dn">cn=Manager,dc=abmas,dc=biz</smbconfoption> 704<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption> 705<smbconfoption name="ldap idmap suffix">ou=People</smbconfoption> 706<smbconfoption name="ldap machine suffix">ou=People</smbconfoption> 707<smbconfoption name="ldap passwd sync">Yes</smbconfoption> 708<smbconfoption name="ldap suffix">ou=MEGANET2,dc=abmas,dc=biz</smbconfoption> 709<smbconfoption name="ldap ssl">no</smbconfoption> 710<smbconfoption name="ldap user suffix">ou=People</smbconfoption> 711<smbconfoption name="admin users">root, "@Domain Admins"</smbconfoption> 712<smbconfoption name="printer admin">"@Domain Admins"</smbconfoption> 713<smbconfoption name="force printername">Yes</smbconfoption> 714</smbconfblock> 715</example> 716 717<example id="ch8smbconf2"> 718<title>Samba Configuration File &smbmdash; smb.conf Part B</title> 719<smbconfblock> 720<smbconfsection name="[netlogon]"/> 721<smbconfoption name="comment">Network logon service</smbconfoption> 722<smbconfoption name="path">/data/samba/netlogon</smbconfoption> 723<smbconfoption name="write list">"@Domain Admins"</smbconfoption> 724<smbconfoption name="guest ok">Yes</smbconfoption> 725 726<smbconfsection name="[profiles]"/> 727<smbconfoption name="comment">Roaming Profile Share</smbconfoption> 728<smbconfoption name="path">/data/samba/profiles/</smbconfoption> 729<smbconfoption name="read only">No</smbconfoption> 730<smbconfoption name="profile acls">Yes</smbconfoption> 731<smbconfoption name="veto files">desktop.ini</smbconfoption> 732<smbconfoption name="browseable">No</smbconfoption> 733 734<smbconfsection name="[homes]"/> 735<smbconfoption name="comment">Home Directories</smbconfoption> 736<smbconfoption name="valid users">%S</smbconfoption> 737<smbconfoption name="read only">No</smbconfoption> 738<smbconfoption name="create mask">0770</smbconfoption> 739<smbconfoption name="veto files">desktop.ini</smbconfoption> 740<smbconfoption name="hide files">desktop.ini</smbconfoption> 741<smbconfoption name="browseable">No</smbconfoption> 742 743<smbconfsection name="[software]"/> 744<smbconfoption name="comment">Software for %a computers</smbconfoption> 745<smbconfoption name="path">/data/samba/shares/software/%a</smbconfoption> 746<smbconfoption name="guest ok">Yes</smbconfoption> 747 748<smbconfsection name="[public]"/> 749<smbconfoption name="comment">Public Files</smbconfoption> 750<smbconfoption name="path">/data/samba/shares/public</smbconfoption> 751<smbconfoption name="read only">No</smbconfoption> 752<smbconfoption name="guest ok">Yes</smbconfoption> 753 754<smbconfsection name="[PDF]"/> 755<smbconfoption name="comment">Location of documents printed to PDFCreator printer</smbconfoption> 756<smbconfoption name="path">/data/samba/shares/pdf</smbconfoption> 757<smbconfoption name="guest ok">Yes</smbconfoption> 758</smbconfblock> 759</example> 760 761<example id="ch8smbconf3"> 762<title>Samba Configuration File &smbmdash; smb.conf Part C</title> 763<smbconfblock> 764<smbconfsection name="[EVERYTHING]"/> 765<smbconfoption name="comment">All shares</smbconfoption> 766<smbconfoption name="path">/data/samba</smbconfoption> 767<smbconfoption name="valid users">"@Domain Admins"</smbconfoption> 768<smbconfoption name="read only">No</smbconfoption> 769 770<smbconfsection name="[CDROM]"/> 771<smbconfoption name="comment">CD-ROM on MASSIVE</smbconfoption> 772<smbconfoption name="path">/mnt</smbconfoption> 773<smbconfoption name="guest ok">Yes</smbconfoption> 774 775<smbconfsection name="[print$]"/> 776<smbconfoption name="comment">Printer Drivers Share</smbconfoption> 777<smbconfoption name="path">/data/samba/drivers</smbconfoption> 778<smbconfoption name="write list">root</smbconfoption> 779<smbconfoption name="browseable">No</smbconfoption> 780 781<smbconfsection name="[printers]"/> 782<smbconfoption name="comment">All Printers</smbconfoption> 783<smbconfoption name="path">/data/samba/spool</smbconfoption> 784<smbconfoption name="create mask">0644</smbconfoption> 785<smbconfoption name="printable">Yes</smbconfoption> 786<smbconfoption name="browseable">No</smbconfoption> 787 788<smbconfsection name="[acct_hp8500]"/> 789<smbconfoption name="comment">"Accounting Color Laser Printer"</smbconfoption> 790<smbconfoption name="path">/data/samba/spool/private</smbconfoption> 791<smbconfoption name="valid users">@acct, @acct_admin, @hr, "@Domain Admins",@Receptionist, dwayne, terri, danae, jerry</smbconfoption> 792<smbconfoption name="create mask">0644</smbconfoption> 793<smbconfoption name="printable">Yes</smbconfoption> 794<smbconfoption name="copy">printers</smbconfoption> 795 796<smbconfsection name="[plotter]"/> 797<smbconfoption name="comment">Engineering Plotter</smbconfoption> 798<smbconfoption name="path">/data/samba/spool</smbconfoption> 799<smbconfoption name="create mask">0644</smbconfoption> 800<smbconfoption name="printable">Yes</smbconfoption> 801<smbconfoption name="use client driver">Yes</smbconfoption> 802<smbconfoption name="copy">printers</smbconfoption> 803</smbconfblock> 804</example> 805 806<example id="ch8smbconf4"> 807<title>Samba Configuration File &smbmdash; smb.conf Part D</title> 808<smbconfblock> 809<smbconfsection name="[APPS]"/> 810<smbconfoption name="path">/data/samba/shares/Apps</smbconfoption> 811<smbconfoption name="force group">"Domain Users"</smbconfoption> 812<smbconfoption name="read only">No</smbconfoption> 813 814<smbconfsection name="[ACCT]"/> 815<smbconfoption name="path">/data/samba/shares/Accounting</smbconfoption> 816<smbconfoption name="valid users">@acct, "@Domain Admins"</smbconfoption> 817<smbconfoption name="force group">acct</smbconfoption> 818<smbconfoption name="read only">No</smbconfoption> 819<smbconfoption name="create mask">0660</smbconfoption> 820<smbconfoption name="directory mask">0770</smbconfoption> 821 822<smbconfsection name="[ACCT_ADMIN]"/> 823<smbconfoption name="path">/data/samba/shares/Acct_Admin</smbconfoption> 824<smbconfoption name="valid users">@"acct_admin"</smbconfoption> 825<smbconfoption name="force group">acct_admin</smbconfoption> 826 827<smbconfsection name="[HR_PR]"/> 828<smbconfoption name="path">/data/samba/shares/HR_PR</smbconfoption> 829<smbconfoption name="valid users">@hr, @acct_admin</smbconfoption> 830<smbconfoption name="force group">hr</smbconfoption> 831 832<smbconfsection name="[ENGR]"/> 833<smbconfoption name="path">/data/samba/shares/Engr</smbconfoption> 834<smbconfoption name="valid users">@engr, @receptionist, @truss, "@Domain Admins", cheri</smbconfoption> 835<smbconfoption name="force group">engr</smbconfoption> 836<smbconfoption name="read only">No</smbconfoption> 837<smbconfoption name="create mask">0770</smbconfoption> 838 839<smbconfsection name="[DATA]"/> 840<smbconfoption name="path">/data/samba/shares/DATA</smbconfoption> 841<smbconfoption name="valid users">@engr, @receptionist, @truss, "@Domain Admins", cheri</smbconfoption> 842<smbconfoption name="force group">engr</smbconfoption> 843<smbconfoption name="read only">No</smbconfoption> 844<smbconfoption name="create mask">0770</smbconfoption> 845<smbconfoption name="copy">engr</smbconfoption> 846</smbconfblock> 847</example> 848 849<example id="ch8smbconf5"> 850<title>Samba Configuration File &smbmdash; smb.conf Part E</title> 851<smbconfblock> 852<smbconfsection name="[X]"/> 853<smbconfoption name="path">/data/samba/shares/X</smbconfoption> 854<smbconfoption name="valid users">@engr, @acct</smbconfoption> 855<smbconfoption name="force group">engr</smbconfoption> 856<smbconfoption name="read only">No</smbconfoption> 857<smbconfoption name="create mask">0770</smbconfoption> 858<smbconfoption name="copy">engr</smbconfoption> 859 860<smbconfsection name="[NETWORK]"/> 861<smbconfoption name="path">/data/samba/shares/network</smbconfoption> 862<smbconfoption name="valid users">"@Domain Users"</smbconfoption> 863<smbconfoption name="read only">No</smbconfoption> 864<smbconfoption name="create mask">0770</smbconfoption> 865<smbconfoption name="guest ok">Yes</smbconfoption> 866 867<smbconfsection name="[UTILS]"/> 868<smbconfoption name="path">/data/samba/shares/Utils</smbconfoption> 869<smbconfoption name="write list">"@Domain Admins"</smbconfoption> 870 871<smbconfsection name="[SYS]"/> 872<smbconfoption name="path">/data/samba/shares/SYS</smbconfoption> 873<smbconfoption name="valid users">chad</smbconfoption> 874<smbconfoption name="read only">No</smbconfoption> 875<smbconfoption name="browseable">No</smbconfoption> 876</smbconfblock> 877</example> 878 879 <para> 880 <indexterm><primary>Qbasic</primary></indexterm> 881 <indexterm><primary>Rbase</primary></indexterm> 882 <indexterm><primary>drive letters</primary></indexterm> 883 Most of these shares are only used by one company group, but they are required 884 because of some ancient Qbasic and Rbase applications were that written expecting 885 their own drive letters. 886 </para> 887 888 <para> 889 <indexterm><primary>rsync</primary></indexterm> 890 <indexterm><primary>rsyncd.conf</primary></indexterm> 891 <indexterm><primary>synchronize</primary></indexterm> 892 Note: During the process of building the new server, I kept data files 893 up to date with the Novell server via use of <command>rsync</command>. 894 On a separate system (my workstation in fact), which could be rebooted 895 whenever necessary, I set up a mount point to the Novell server via 896 <command>ncpmount</command>. I then created a 897 <filename>rsyncd.conf</filename> to share that mount point out to my 898 new server, and synchronized once an hour. The script I used to synchronize 899 is shown in <link linkend="sbersync"/>. The files exclusion list I used 900 is shown in <link linkend="sbexcld"/>. The reason I had to have the 901 <command>rsync</command> daemon running on a system that could be 902 rebooted frequently is because <constant>ncpfs</constant> 903 (part of the MARS NetWare Emulation package) has a nasty habit of creating stale 904 mount points that cannot be recovered without a reboot. The reason for hourly 905 synchronization is because some part of the chain was very slow and 906 performance-heavy (whether <command>rsync</command> itself, the network, 907 or the Novell server, I am not sure, but it was probably the Novell server). 908 </para> 909 910<example id="sbersync"> 911<title>Rsync Script</title> 912<screen> 913#!/bin/bash 914# Part 1 - rsync the Novell directories to the new server 915echo "#############################################" 916echo "New sync operation starting at `date`" 917if ! pgrep -fl '^rsync\> ; then 918 echo "Good, no rsync is running!" 919 echo "Synchronizing oink to BHPRO" 920 rsync -av --exclude-from=/root/excludes.txt 921baa.corp:/BHPRO/SYS1/ /data/samba/shares/SYS1 922 retval=$? 923 [ ${retval} = 0 ] && echo "Sync operation completed at `date`" 924 echo "Fixing permissions" 925 # I had a whole lot more permission-fixing stuff here. It got 926 # pared down as groups got moved over. The problem 927 # was that the way I was mounting the directory, everything 928 # was owned by the Novell administrator which translated to 929 # Root. This is also why I could only do one-way sync because 930 # I could not fix the ACLs on the Novell side. 931 find /data/samba/shares/Engr/ -perm +770 -exec chmod 770 {} \; 932 find /data/samba/shares/Engr/ ! -group engr -exec chgrp engr {} \; 933else 934 # This rsync took ages and ages -- I had it set to run every hour but 935 # I needed a way to prevent it running into itself. 936 echo "Oh no, rsync is already running!" 937echo "#############################################" 938fi 939</screen> 940</example> 941 942<example id="sbexcld"> 943<title>Rsync Files Exclusion List &smbmdash; <filename>/root/excludes.txt</filename></title> 944<screen> 945/Acct/ 946/Apps/ 947/DATA/ 948/Engr/*.pc3 949/Engr/plotter 950/Engr/APPOLO/ 951/Engr/LIBRARY/ 952/Home/Accounting/ 953/Home/Angie/ 954/Home/AngieY/ 955/Home/Brandon/ 956/Home/Carl/ 957</screen> 958</example> 959 960 <para> 961 After Samba was configured, I initialized the LDAP database. The first 962 thing I had to do was store the LDAP password in the Samba configuration by 963 issuing the command (as root): 964<screen> 965&rootprompt; smbpasswd -w verysecret 966</screen> 967 where <quote>verysecret</quote> is replaced by the LDAP bind password. 968 </para> 969 970<note><para> 971The Idealx smbldap-tools package can be configured using a script called 972<command>configure.pl</command> that is provided as part of the tool. See <link linkend="happy"/> 973for an example of its use. Many administrators, like Misty, choose to do this manually 974so as to maintain greater awareness of how the tool-chain works and possibly to avoid 975undesirable actions from occurring unnoticed. 976</para></note> 977 978 <para> 979 Now Samba was ready for use and it was time to configure the smbldap-tools. There are two 980 relevant files, which are usually put into the directory 981 <filename>/etc/smbldap-tools</filename>. The main file, 982 <filename>smbldap.conf</filename> is shown in <link linkend="ch8ideal"/>. 983 </para> 984 985<example id="ch8ideal"> 986<title>Idealx smbldap-tools Control File &smbmdash; Part A</title> 987<screen> 988######### 989# 990# located in /etc/smbldap-tools/smbldap.conf 991# 992###################################################################### 993# 994# General Configuration 995# 996###################################################################### 997 998# Put your own SID 999# to obtain this number do: net getlocalsid 1000SID="S-1-5-21-725326080-1709766072-2910717368" 1001 1002###################################################################### 1003# 1004# LDAP Configuration 1005# 1006###################################################################### 1007 1008# Notes: to use to dual ldap servers backend for Samba, you must patch 1009# Samba with the dual-head patch from IDEALX. If not using this patch 1010# just use the same server for slaveLDAP and masterLDAP. 1011# Those two servers declarations can also be used when you have 1012# . one master LDAP server where all writing operations must be done 1013# . one slave LDAP server where all reading operations must be done 1014# (typically a replication directory) 1015 1016# Ex: slaveLDAP=127.0.0.1 1017slaveLDAP="127.0.0.1" 1018slavePort="389" 1019 1020# Master LDAP : needed for write operations 1021# Ex: masterLDAP=127.0.0.1 1022masterLDAP="127.0.0.1" 1023masterPort="389" 1024 1025# Use TLS for LDAP 1026# If set to 1, this option will use start_tls for connection 1027# (you should also used the port 389) 1028ldapTLS="0" 1029 1030# How to verify the server's certificate (none, optional or require) 1031# see "man Net::LDAP" in start_tls section for more details 1032verify="" 1033</screen> 1034</example> 1035 1036<example id="ch8ideal2"> 1037<title>Idealx smbldap-tools Control File &smbmdash; Part B</title> 1038<screen> 1039# CA certificate 1040# see "man Net::LDAP" in start_tls section for more details 1041cafile="" 1042 certificate to use to connect to the ldap server 1043# see "man Net::LDAP" in start_tls section for more details 1044clientcert="" 1045 1046# key certificate to use to connect to the ldap server 1047# see "man Net::LDAP" in start_tls section for more details 1048clientkey="" 1049 1050# LDAP Suffix 1051# Ex: suffix=dc=IDEALX,dc=ORG 1052suffix="ou=MEGANET2,dc=abmas,dc=biz" 1053 1054# Where are stored Users 1055# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG" 1056usersdn="ou=People,${suffix}" 1057 1058# Where are stored Computers 1059# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG" 1060computersdn="ou=People,${suffix}" 1061 1062# Where are stored Groups 1063# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG" 1064groupsdn="ou=Groups,${suffix}" 1065 1066# Where are stored Idmap entries 1067# (used if samba is a domain member server) 1068# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG" 1069idmapdn="ou=Idmap,${suffix}" 1070 1071# Where to store next uidNumber and gidNumber available 1072sambaUnixIdPooldn="sambaDomainName=MEGANET2,${suffix}" 1073 1074# Default scope Used 1075scope="sub" 1076</screen> 1077</example> 1078 1079<example id="ch8ideal3"> 1080<title>Idealx smbldap-tools Control File &smbmdash; Part C</title> 1081<screen> 1082# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) 1083hash_encrypt="MD5" 1084 1085# if hash_encrypt is set to CRYPT, you may set a salt format. 1086# default is "%s", but many systems will generate MD5 hashed 1087# passwords if you use "$1$%.8s". This parameter is optional! 1088crypt_salt_format="%s" 1089 1090###################################################################### 1091# 1092# Unix Accounts Configuration 1093# 1094###################################################################### 1095 1096# Login defs 1097# Default Login Shell 1098# Ex: userLoginShell="/bin/bash" 1099userLoginShell="/bin/false" 1100 1101# Home directory 1102# Ex: userHome="/home/%U" 1103userHome="/home/%U" 1104 1105# Gecos 1106userGecos="Samba User" 1107 1108# Default User (POSIX and Samba) GID 1109defaultUserGid="513" 1110 1111# Default Computer (Samba) GID 1112defaultComputerGid="515" 1113 1114# Skel dir 1115skeletonDir="/etc/skel" 1116 1117# Default password validation time (time in days) Comment the next 1118# line if you don't want password to be enable for 1119# defaultMaxPasswordAge days (be careful to the sambaPwdMustChange 1120# attribute's value) 1121defaultMaxPasswordAge="45" 1122</screen> 1123</example> 1124 1125<example id="ch8ideal4"> 1126<title>Idealx smbldap-tools Control File &smbmdash; Part D</title> 1127<screen> 1128###################################################################### 1129# 1130# SAMBA Configuration 1131# 1132###################################################################### 1133 1134# The UNC path to home drives location (%U username substitution) 1135# Ex: \\My-PDC-netbios-name\homes\%U 1136# Just set it to a null string if you want to use the smb.conf 1137# 'logon home' directive and/or disable roaming profiles 1138userSmbHome="" 1139 1140# The UNC path to profiles locations (%U username substitution) 1141# Ex: \\My-PDC-netbios-name\profiles\%U 1142# Just set it to a null string if you want to use the smb.conf 1143# 'logon path' directive and/or disable roaming profiles 1144userProfile="" 1145 1146# The default Home Drive Letter mapping 1147# (will be automatically mapped at logon time if home directory exist) 1148# Ex: H: for H: 1149userHomeDrive="" 1150 1151# The default user netlogon script name (%U username substitution) 1152# if not used, will be automatically username.cmd 1153# make sure script file is edited under DOS 1154# Ex: %U.cmd 1155# userScript="startup.cmd" # make sure script file is edited under DOS 1156userScript="" 1157 1158# Domain appended to the users "mail"-attribute 1159# when smbldap-useradd -M is used 1160mailDomain="abmas.org" 1161 1162###################################################################### 1163# 1164# SMBLDAP-TOOLS Configuration (default are ok for a RedHat) 1165# 1166###################################################################### 1167# Allows not to use smbpasswd 1168# (if with_smbpasswd == 0 in smbldap_conf.pm) but 1169# prefer Crypt::SmbHash library 1170with_smbpasswd="0" 1171smbpasswd="/usr/bin/smbpasswd" 1172</screen> 1173</example> 1174 1175 <para> 1176 <indexterm><primary>TLS</primary></indexterm> 1177 Note: I chose not to take advantage of the TLS capability of this. 1178 Eventually I may go back and tweak it. Also, I chose not to take advantage 1179 of the master/slave configuration as I heard horror stories that it was 1180 unstable. My slave servers are replicas only. 1181 </para> 1182 1183 <para> 1184 The <filename>/etc/smbldap-tools/smbldap_bind.conf</filename> file is shown here: 1185<screen> 1186# smbldap_bind.conf 1187# 1188# This file simply tells smbldap-tools how to bind to your LDAP server. 1189# It has to be a DN with full write access to the Samba portion of 1190# the database. 1191 1192############################ 1193# Credential Configuration # 1194############################ 1195# Notes: you can specify two different configurations if you use a 1196# master ldap for writing access and a slave ldap server for reading access 1197# By default, we will use the same DN (so it will work for standard Samba 1198# release) 1199slaveDN="cn=Manager,dc=abmas,dc=biz" 1200slavePw="verysecret" 1201masterDN="cn=Manager,dc=abmas,dc=biz" 1202masterPw="verysecret" 1203</screen> 1204 </para> 1205 1206 <para> 1207 The next step was to run the <command>smbldap-populate</command> command, which populates 1208 the LDAP tree with the appropriate default users, groups, and UID and GID pools. 1209 It creates a user called Administrator with UID=0 and GID=0 matching the 1210 Domain Admins group. This is fine because you can still log on as root to a Windows system, 1211 but it will break cached credentials if you need to log on as the administrator 1212 to a system that is not on the network. 1213 </para> 1214 1215 <para> 1216 After the LDAP database has been preloaded, it is prudent to validate that the 1217 information needed is in the LDAP directory. This can be done done by restarting 1218 the LDAP server, then performing an LDAP search by executing: 1219<screen> 1220&rootprompt; ldapsearch -W -x -b "dc=abmas,dc=biz"\ 1221 -D "cn=Manager,dc=abmas,dc=biz" \ 1222 "(Objectclass=*)" 1223Enter LDAP Password: 1224# extended LDIF 1225# 1226# LDAPv3 1227# base <dc=abmas,dc=biz> with scope sub 1228# filter: (ObjectClass=*) 1229# requesting: ALL 1230# 1231 1232# abmas.biz 1233dn: dc=abmas,dc=biz 1234objectClass: dcObject 1235objectClass: organization 1236o: abmas 1237dc: abmas 1238 1239# People, abmas.biz 1240dn: ou=People,dc=abmas,dc=biz 1241objectClass: organizationalUnit 1242ou: People 1243 1244# Groups, abmas.biz 1245dn: ou=Groups,dc=abmas,dc=biz 1246objectClass: organizationalUnit 1247ou: Groups 1248 1249# Idmap, abmas.biz 1250dn: ou=Idmap,dc=abmas,dc=biz 1251objectClass: organizationalUnit 1252ou: Idmap 1253... 1254</screen> 1255 </para> 1256 1257 <para> 1258 <indexterm><primary>Windows</primary></indexterm> 1259 <indexterm><primary>POSIX</primary></indexterm> 1260 <indexterm><primary>smbldap-groupadd</primary></indexterm> 1261 <indexterm><primary>RID</primary></indexterm> 1262 <indexterm><primary>sambaGroupMapping</primary></indexterm> 1263 With the LDAP directory now initialized, it was time to create the Windows and POSIX 1264 (UNIX) group accounts as well as the mappings from Windows groups to UNIX groups. 1265 The easiest way to do this was to use <command>smbldap-groupadd</command> command. 1266 It creates the group with the posixGroup and sambaGroupMapping attributes, a 1267 unique GID, and an automatically determined RID. I learned the hard way not to 1268 try to do this by hand. 1269 </para> 1270 1271 <para> 1272 <indexterm><primary>group mapping</primary></indexterm> 1273 <indexterm><primary>smbldap-groupmod</primary></indexterm> 1274 <indexterm><primary>memberUID</primary></indexterm> 1275 After I had my group mappings in place, I added users to the groups (the users 1276 don't really have to exist yet). I used the <command>smbldap-groupmod</command> 1277 command to accomplish this. It can also be done manually by adding memberUID 1278 attributes to the group entries in LDAP. 1279 </para> 1280 1281 <para> 1282 <indexterm><primary>sambaSamAccount</primary></indexterm> 1283 <indexterm><primary>posixAccount</primary></indexterm> 1284 <indexterm><primary>smbldap-usermod</primary></indexterm> 1285 The most monumental task of all was adding the sambaSamAccount information to each 1286 already existent posixAccount entry. I did it one at a time as I moved people onto 1287 the new server, by issuing the command: 1288<screen> 1289&rootprompt; smbldap-usermod -a -P username 1290</screen> 1291 <indexterm><primary>NetWare</primary></indexterm> 1292 <indexterm><primary>LDIF</primary></indexterm> 1293 <indexterm><primary>slapcat</primary></indexterm> 1294 I completed that step for every user after asking the person what his or her current 1295 NetWare password was. The wiser way to have done it would probably have been to dump the 1296 entire database to an LDIF file. This can be done by executing: 1297<screen> 1298&rootprompt; slapcat > somefile.ldif 1299</screen> 1300 <indexterm><primary>Perl</primary></indexterm> 1301 <indexterm><primary>objectClass</primary></indexterm> 1302 Then update the LDIF file created by using a Perl script to parse and add the 1303 appropriate attributes and objectClasses to each entry, followed by re-importing 1304 the entire database into the LDAP directory. 1305 </para> 1306 1307 <para> 1308 Rebuilding of the LDAP directory can be done as follows: 1309<screen> 1310&rootprompt; rcldap stop 1311&rootprompt; cd /data/ldap 1312&rootprompt; rm *bdb _* log* 1313&rootprompt; su - ldap -c "slapadd -l somefile.ldif" 1314&rootprompt; rcldap start 1315</screen> 1316 This can be done at any time and for any reason, with no harm to the database. 1317 </para> 1318 1319 <para> 1320 I first added a test user, of course. The LDIF for this test user looks like 1321 this, to give you an idea: 1322<screen> 1323# Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz 1324dn:cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz 1325cn: Test User 1326gecos: Test User 1327gidNumber: 513 1328givenName: Test 1329homeDirectory: /home/test.user 1330homePhone: 555 1331l: Somewhere 1332l: ST 1333mail: test.user 1334o: Corp 1335objectClass: top 1336objectClass: inetOrgPerson 1337objectClass: posixAccount 1338objectClass: sambaSamAccount 1339postalCode: 12345 1340sn: User 1341street: 10 Some St. 1342uid: test.user 1343uidNumber: 1074 1344sambaLogonTime: 0 1345sambaLogoffTime: 2147483647 1346sambaKickoffTime: 2147483647 1347sambaPwdCanChange: 0 1348displayName: Samba User 1349sambaSID: S-1-5-21-725326080-1709766072-2910717368-3148 1350sambaLMPassword: 9D29C287C58448F9AAD3B435B51404EE 1351sambaAcctFlags: [U] 1352sambaNTPassword: D062088E99C95E37D7702287BB35E770 1353sambaPwdLastSet: 1102537694 1354sambaPwdMustChange: 1106425694 1355userPassword: {SSHA}UzFZ2VxRGdwUueLnTGtsTBtnsvMO1oj8 1356loginShell: /bin/false 1357</screen> 1358 </para> 1359 1360 <para> 1361 Then I went over to a spare Windows NT machine and joined it to the MEGANET2 domain. 1362 It worked, and the machine's account entry under ou=Computers looks like this: 1363<screen> 1364dn:uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz 1365objectClass: top 1366objectClass: inetOrgPerson 1367objectClass: posixAccount 1368objectClass: sambaSamAccount 1369cn: w2kengrspare$ 1370sn: w2kengrspare$ 1371uid: w2kengrspare$ 1372uidNumber: 1104 1373gidNumber: 515 1374homeDirectory: /dev/null 1375loginShell: /bin/false 1376description: Computer 1377gecos: Computer 1378sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208 1379sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-2031 1380displayName: W2KENGRSPARE$ 1381sambaPwdCanChange: 1103149236 1382sambaPwdMustChange: 2147483647 1383sambaNTPassword: CA199C45CB6737035DB6D9D9F6CD1834 1384sambaPwdLastSet: 1103149236 1385sambaAcctFlags: [W ] 1386</screen> 1387 </para> 1388 1389 <para> 1390 <indexterm><primary>netlogon</primary></indexterm> 1391 So now I could log on with a test user from the machine w2kengrspare. It was all well and 1392 good, but that user was in no groups yet and so had pretty boring access. I fixed that 1393 by writing the login script! To write the login script, I used 1394 <ulink url="http://www.kixtart.org">Kixtart</ulink> because it will work 1395 with every architecture of Windows, has an active and helpful user base, and was both 1396 easier to learn and more powerful than the standard netlogon scripts I have seen. 1397 I also did not have to do a logon script per user or per group. 1398 </para> 1399 1400 <para> 1401 <indexterm><primary>Kixtart</primary></indexterm> 1402 I downloaded Kixtart and put the following files in my netlogon share: 1403<screen> 1404KIX32.EXE 1405KX32.dll 1406KX95.dll <-- Not needed unless you are running Win9x clients. 1407kx16.dll <-- Probably not needed unless you are running DOS clients. 1408kxrpc.exe <-- Probably useless as it has to run on the server and can 1409 only be run on NT. It's for Windows 95 to become group-aware. 1410 We can get around the need. 1411</screen> 1412 </para> 1413 1414 <para> 1415 <indexterm><primary>logon.kix</primary></indexterm> 1416 I then wrote the <filename>logon.kix</filename> file that is shown in 1417 <link linkend="ch8kix"/>. I chose to keep it all in one file, but it 1418 can be split up and linked via include directives. 1419 </para> 1420 1421<example id="ch8kix"> 1422<title>Kixtart Control File &smbmdash; File: logon.kix</title> 1423<screen> 1424; This script just calls the other scripts. 1425 1426; First we want to get things done for everyone. 1427 1428; Second, we do first-time login stuff. 1429 1430; Third, we go through the group-oriented scripts one at a time. 1431 1432 1433; We want to check for group membership here to avoid the overhead of running 1434; scripts which don't apply. 1435call "\\massive\netlogon\scripts\main.kix" 1436call "\\massive\netlogon\scripts\setup.kix" 1437IF INGROUP("MEGANET2\ACCT") 1438 call "scripts\acct.kix" 1439ENDIF 1440IF INGROUP("MEGANET2\ENGR","MEGANET2\RECEPTIONIST") 1441call "\\massive\netlogon\scripts\engr.kix" 1442ENDIF 1443IF INGROUP("MEGANET2\FURN") 1444 call "\\massive\netlogon\scripts\furn.kix" 1445ENDIF 1446IF INGROUP("MEGANET2\TRUSS") 1447 call "\\massive\netlogon\scripts\truss.kix" 1448ENDIF 1449</screen> 1450</example> 1451 1452<example id="ch8kix2"> 1453<title>Kixtart Control File &smbmdash; File: main.kix</title> 1454<screen> 1455break on 1456 1457; Choose whether to hide the login window or not 1458IF INGROUP("MEGANET2\Domain Admins") 1459 USE Z: \\massive\everything 1460 SETCONSOLE("show") 1461ELSE 1462 ; Nobody cares about seeing the login script except admins 1463 SETCONSOLE("hide") 1464ENDIF 1465 1466; Delete all previously connected shares 1467USE * /delete 1468 1469SETTITLE("Logging on @USERID to @LDOMAIN at @TIME") 1470 1471; Set the time on the workstation 1472$Timeserver = "\\massive" 1473Settime $TimeServer 1474 1475; Map the home directory 1476USE H: @HOMESHR ; connect to user's home share 1477IF @ERROR = 0 1478 1479 H: 1480 CD @HOMEDIR ; change directory to user's home directory 1481ENDIF 1482 1483; Everyone gets the N drive 1484USE N: \\massive\network 1485</screen> 1486</example> 1487 1488<example id="ch8kix3"> 1489<title>Kixtart Control File &smbmdash; File: setup.kix, Part A</title> 1490<screen> 1491; My setup.kix is where all of the redirection stuff happens. Note that with 1492; the use of registry keys, this only happens the first time they log in ,or if 1493; I delete the pertinent registry keys which triggers it to happen again: 1494 1495; Check to see if we have written the abmas sub-key before 1496$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas") 1497IF NOT $RETURNCODE = 0 1498; Add key for abmas-specific things on the first login 1499 ADDKEY("HKEY_CURRENT_USER\abmas") 1500 ; The following key gets deleted at the end of the first login 1501 ADDKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") 1502ENDIF 1503 1504; People with laptops need My Documents to be in their profile. People with 1505; desktops can have My Documents redirected to their home directory to avoid 1506; long delays with logging out and out-of-sync files. 1507 1508; Check to see if this is the first login -- doesn't make sense to do this 1509; at the very first login 1510 1511$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") 1512IF NOT $RETURNCODE = 0 1513 1514; We don't want to do this stuff for people with laptops or people in the FURN 1515; group. (They store their profiles in a different server) 1516 1517 IF NOT INGROUP("MASSIVE\Laptop","MASSIVE\FURN") 1518 $RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\abmas\profile_copied") 1519 1520; A crude way to tell what OS our profile is for and copy the "My Documents" 1521; to the redirected folder on the server. It works because the profiles 1522; are stored as \\server\profiles\user\architecture 1523 IF NOT $RETURNCODE = 0 1524 IF EXIST("\\massive\profiles\@userID\WinXP") 1525 copy "\\massive\profiles\@userID\WinXP\My Documents\*" 1526"\\massive\@userID\" 1527 ENDIF 1528 IF EXIST("\\massive\profiles\@userID\Win2K") 1529 copy "\\massive\profiles\@userID\Win2K\My Documents\*" 1530"\\massive\@userID\" 1531 ENDIF 1532 IF EXIST("\\massive\profiles\@userID\WinNT") 1533 copy "\\massive\profiles\@userID\WinNT\My Documents\*" 1534"\\massive\@userID\" 1535 ENDIF 1536</screen> 1537</example> 1538 1539<example id="ch8kix3b"> 1540<title>Kixtart Control File &smbmdash; File: setup.kix, Part B</title> 1541<screen> 1542; Now we will write the registry values to redirect the locations of "My 1543Documents" 1544; and other folders. 1545 ADDKEY("HKEY_CURRENT_USER\abmas\profile_copied") 1546 WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ 1547Windows\CurrentVersion\Explorer\User 1548Shell Folders", "Personal","\\massive\@userID","REG_SZ") 1549 WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ 1550Windows\CurrentVersion\Explorer\User 1551Shell Folders", "My Pictures", "\\massive\@userID\My Pictures", "REG_SZ") 1552 IF @PRODUCTTYPE="Windows 2000 Professional" or @PRODUCTTYPE="Windows XP 1553Professional" 1554 WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ 1555Windows\CurrentVersion\Explorer\User 1556Shell Folders", "My Videos", "\\massive\@userID\My Videos", "REG_SZ") 1557 WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ 1558Windows\CurrentVersion\Explorer\User 1559Shell Folders", "My Music", "\\massive\@userID\My Music", "REG_SZ") 1560 WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ 1561Windows\CurrentVersion\Explorer\User 1562Shell Folders", "My eBooks", "\\massive\@userID\My eBooks", "REG_SZ") 1563 ENDIF 1564 ENDIF 1565 ENDIF 1566 1567; Now we will delete the FIRST_LOGIN sub-key that we made before. 1568; Note - to run this script again you will want to delete the HKCU\abmas 1569; sub-key, log out, and log back in. 1570$RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") 1571IF $RETURNVALUE = 0 1572 DELKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN") 1573ENDIF 1574</screen> 1575</example> 1576 1577<example id="ch8kix4"> 1578<title>Kixtart Control File &smbmdash; File: acct.kix</title> 1579<screen> 1580; And here is one group-oriented script to show what can be 1581; done that way: acct.kix: 1582 1583IF INGROUP("MASSIVE\Acct_Admin","MASSIVE\HR") 1584 USE I: \\MEGANET2\HR_PR 1585ENDIF 1586 1587; Set up printer 1588$RETURNVALUE = existkey("HKEY_CURRENT_USER\Printers\,,massive,acct_hp8500") 1589IF NOT $RETURNVALUE = 0 1590 ADDPRINTERCONNECTION("\\massive\acct_hp8500") 1591 SETDEFAULTPRINTER("\\massive\acct_hp8500") 1592ENDIF 1593; Set up drive mappings 1594 USE M: \\massive\ACCT 1595 IF INGROUP("MEGANET2\ABRA") 1596 USE T: \\trussrv\abra 1597 ENDIF 1598</screen> 1599</example> 1600 1601 <para> 1602 As you can see in the script, I redirected the My Documents to the user's home 1603 share if he or she were not in the Laptop group. I also added printers on a 1604 group-by-group basis, and if applicable I set the group printer. For this to 1605 be effective, the print drivers must be installed on the Samba server in the 1606 <filename>[print$]</filename> share. Ample documentation exists about how to 1607 do that, so it is not covered here. 1608 </para> 1609 1610 <para> 1611 I call this script via the logon.bat script in the [netlogon] directory: 1612<screen> 1613\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f 1614</screen> 1615 I only had to fully qualify the paths for Windows 9x, as Windows NT and 1616 greater automatically add [NETLOGON] to the path. 1617 </para> 1618 1619 <para> 1620 Also of note for Win9x is that the drive mappings and printer setup will not 1621 work because they rely on RPC. You merely have to put the appropriate settings 1622 into the <filename>c:\autoexec.bat</filename> file or map the drives manually. 1623 One option is to check the OS as part of the Kixtart script, and if it 1624 is Win9x and is the first login, copy a premade 1625 <filename>autoexec.bat</filename> to the <filename>C:</filename> drive. I 1626 have only three such machines, and one is going away in the very near future, 1627 so it was easier to do it by hand. 1628 </para> 1629 1630 <para> 1631 <indexterm><primary>upgrade</primary></indexterm> 1632 At this point I was able to add the users. This is the part that really falls 1633 into upgrade. I moved the users over one group at a time, starting with the 1634 people who used the least amount of resources on the network. With each group 1635 that I moved, I first logged on as a standard user in that group and took 1636 careful note of the environment, mainly the printers he or she used, the PATH, 1637 and what network resources he or she had access to (most importantly, which ones 1638 the user actually needed access to). 1639 </para> 1640 1641 <para> 1642 I then added the user's SambaSamAccount information as mentioned earlier, 1643 and join the computer to the domain. The very first thing I had to do was to 1644 copy the user's profile to the new server. This was very important, and I really 1645 struggled with the most effective way to do it. Here is the method that worked 1646 for every one of my users on Windows NT, 2000, and XP: 1647 </para> 1648 1649 <procedure> 1650 <step><para> 1651 Log in as the user on the domain. This creates the local copy 1652 of the user's profile and copies it to the server as he or she logs out. 1653 </para></step> 1654 1655 <step><para> 1656 Reboot the computer and log in as the local machine administrator. 1657 </para></step> 1658 1659 <step><para> 1660 Right-click My Computer, click Properties, and navigate to the 1661 user profiles tab (varies per version of Windows). 1662 </para></step> 1663 1664 <step><para> 1665 Select the user's local profile <constant>(COMPUTERNAME\username)</constant>, 1666 and click the <command>Copy To</command> button. 1667 </para></step> 1668 1669 <step><para> 1670 In the next dialog, copy it directly to the profiles share on the 1671 Samba server (in my case \\PDCname\profiles\user\<architecture>. 1672 You will have had to make a connection to the share as that 1673 user (e.g., Windows Explorer type \\PDCname\profiles\username). 1674 </para></step> 1675 1676 <step><para> 1677 When the copy is complete (it can take a while) log out, and log back in 1678 as the user. All of his or her settings and all contents of My Documents, 1679 Favorites, and the registry should have been copied successfully. 1680 </para></step> 1681 1682 <step><para> 1683 If it doesn't look right (the dead giveaway is the desktop background), 1684 shut down the computer without logging out (power cycle) and try logging 1685 in as the user again. If it still doesn't work, repeat the steps above. 1686 I only had to ever repeat it once. 1687 </para></step> 1688 1689 </procedure> 1690 1691 <para> 1692 Words to the Wise: 1693 </para> 1694 1695 <itemizedlist> 1696 <listitem><para> 1697 If the user was anything other than a standard user on his or her system 1698 before, you will save yourself some headaches by giving him or her identical 1699 permissions (on the local machine) as his or her domain account <emphasis>before</emphasis> 1700 copying the profile over. Do this through the User Administrator 1701 in the Control Panel, after joining the computer to the domain and 1702 before logging on as that user for the first time. Otherwise the user will 1703 have trouble with permissions on his or her registry keys. 1704 </para></listitem> 1705 1706 <listitem><para> 1707 If any application was installed for the user only, rather than for 1708 the entire system, it will probably not work without being reinstalled. 1709 </para></listitem> 1710 </itemizedlist> 1711 1712 <para> 1713 After all these steps are accomplished, only cleanup details are left. Make sure user's 1714 shortcuts and Network Places point to the appropriate place on the new server, check 1715 the important applications to be sure they work as expected and troubleshoot any problems 1716 that might arise, and check to be sure the user's printers are present and working. By the 1717 way, if there are any network printers installed as system printers (the Novell way), 1718 you will need to log in as a local administrator and delete them. 1719 </para> 1720 1721 <para> 1722 For my non-laptop systems, I would then log in and out a couple times as the user 1723 to be sure that his or her registry settings were modified, and then I was finished. 1724 </para> 1725 1726 <para> 1727 Some compatibility issues that cropped up included the following: 1728 </para> 1729 1730 <para> 1731 Blackberry client: It did not like having its registry settings moved around 1732 and so had to be reinstalled. Also, it needed write permissions to a portion of 1733 the hard drive, and I had to give it those manually on the one system where 1734 this was an issue. 1735 </para> 1736 1737 <para> 1738 CAMedia: Digital camera software for Canon cameras caused all kinds of trouble 1739 with the registry. I had to use the Run as service to open the registry of 1740 the local user while logged in as the domain user, and give the domain user 1741 the appropriate permissions to some registry keys, then export that portion 1742 of the registry to a file. Then, as the domain user, I had to import that file 1743 into the registry. 1744 </para> 1745 1746 <para> 1747 Crystal Reports version 7: More registry problems that were solved by recopying 1748 the user's profile. 1749 </para> 1750 1751 <para> 1752 Printing from legacy applications: I found out that Novell sends its jobs to 1753 the printer in a raw format. CUPS sends them in PostScript by default. I had 1754 to make a second printer definition for one printer and tell CUPS specifically 1755 to send raw data to the printer, then assign this printer to the LPT port with 1756 Kixtart's version of the net use command. 1757 </para> 1758 1759 <para> 1760 These were all eventually solved by elbow grease, queries to the Samba mailing 1761 list and others, and diligence. The complete migration took about 5 weeks. 1762 My userbase is relatively small but includes multiple versions of Windows, 1763 multiple Linux member servers, a mechanized saw, a pen plotter, and legacy 1764 applications written in Qbasic and R:Base, just to name a few. I actually 1765 ended up making some of these applications work better (or work again, as 1766 some of them had stopped functioning on the old server) because as part of 1767 the process I had to find out how things were supposed to work. 1768 </para> 1769 1770 <para> 1771 The one thing I have not been able to get working is a very old database that 1772 we had around for reference purposes; it uses Novell's Btrieve engine. 1773 </para> 1774 1775 <para> 1776 As the resources compare, I went from 95 percent disk usage to just around 10 percent. 1777 I went from a very high load on the server to an average load of between one 1778 and two runnable processes on the server. I have improved the security and 1779 robustness of the system. I have also implemented 1780 <ulink url="http://www.clamav.net">ClamAV</ulink> antivirus software, 1781 which scans the entire Samba server for viruses every 2 hours and 1782 quarantines them. I have found it much less problematic than our ancient 1783 version of Norton Antivirus Corporate Edition, and much more up-to-date. 1784 </para> 1785 1786 <para> 1787 In short, my users are much happier now that the new server is running, and that 1788 is what is important to me. 1789 </para> 1790 1791 </sect3> 1792 1793 </sect2> 1794 1795</sect1> 1796 1797</chapter> 1798 1799