1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�9.�Migrating NetWare 4.11 Server to Samba-3</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.66.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="migration.html" title="Chapter�8.�Migrating NT4 Domain to Samba-3"><link rel="next" href="unixclients.html" title="Chapter�10.�Adding UNIX/LINUX Servers and Clients"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�9.�Migrating NetWare 4.11 Server to Samba-3</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="migration.html">Prev</a>�</td><th width="60%" align="center">�</th><td width="20%" align="right">�<a accesskey="n" href="unixclients.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="nw4migration"></a>Chapter�9.�Migrating NetWare 4.11 Server to Samba-3</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="nw4migration.html#id2573355">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id2573472">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id2573557">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id2573636">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id2573740">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id2573748">NetWare Migration Using LDAP Backend</a></span></dt></dl></dd></dl></div><p> 2 <a class="indexterm" name="id2573186"></a> 3 <a class="indexterm" name="id2573193"></a> 4 <a class="indexterm" name="id2573200"></a> 5 <a class="indexterm" name="id2573207"></a> 6 <a class="indexterm" name="id2573216"></a> 7 Novell is a company any seasoned IT manager has to admire. Since the acquisition of 8 the SuSE Linux company, the acquisition on Ximian, and other moves that are friendly 9 to the FLOSS (Free-Libre/Open Source Software) movement, Novell are emerging out of 10 a deep regression that almost saw the company disappear into obscurity. The now Linux 11 friendly Novell's SUSE Linux is being used as a host to which NetWare servers are being 12 migrated. It is in many ways ironic that Novell are today hosting NetWare on top of 13 Linux. At the same time older NetWare servers are still being migrated to Samba servers. 14 It will be interesting to see what will become of NetWare over time. 15 </p><p> 16 <a class="indexterm" name="id2573250"></a> 17 <a class="indexterm" name="id2573256"></a> 18 <a class="indexterm" name="id2573263"></a> 19 <a class="indexterm" name="id2573270"></a> 20 Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian, 21 Gentoo, Mandrake, SUSE (Novell) the information in this chapter should be read with 22 appropriate cognizance that file locations may vary a little; even so the information 23 in this chapter should provide something of value. 24 </p><p> 25 <a class="indexterm" name="id2573285"></a> 26 This chapter was contributed by Misty Stanley-Jones, a UNIX administrator of many 27 years who surfaced on the Samba mailing list with a barrage of questions, and who 28 regularly now helps other administrators to solve thorny Samba migration questions. 29 </p><p> 30 <a class="indexterm" name="id2573299"></a> 31 <a class="indexterm" name="id2573306"></a> 32 <a class="indexterm" name="id2573313"></a> 33 <a class="indexterm" name="id2573320"></a> 34 One wonders how many NetWare servers remain in active service. Many are being migrated 35 to Samba on Linux. Red Hat Linux, SUSE Linux 9.x and SUSE Linux Enterprise Server 9 are 36 ideal target platforms to which a NetWare server may be migrated. The migration method 37 of choice is much dependant on the tools that the administrator finds most natural to use. 38 The old-hand NetWare guru will likely want to use the tools like the NetWare NLM for 39 <span><b class="command">rsync</b></span> to migrate files from the NetWare server to the Samba server. 40 The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stovers' NetWare 41 Emulator) open source package. The MS Windows network administrator will likely make use of the 42 NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice, 43 migration will be filled with joyous and challenging moments - though probably not 44 concurrently. 45 </p><p> 46 This chapter tells its own story, so ride along, ... maybe the information here presented 47 will help to smooth over a similar migration challenge in your favorite networking environment. 48 </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2573355"></a>Introduction</h2></div></div></div><p> 49 <a class="indexterm" name="id2573363"></a> 50 Misty Stanley-Jones was recruited by Abmas Inc. to administer a network that had 51 not received much attention for some years and was much in need of a make-over. 52 As a brand-new sysadmin to this company, she inherited a very old Novell file server, 53 and came with a determination to change things for the better. 54 </p><p> 55 A site survey turned up the following details for the old NetWare server: 56 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><p>200 MHz MMX processor</p></td></tr><tr><td><p>512K RAM</p></td></tr><tr><td><p>24 GB disk space in RAID1</p></td></tr><tr><td><p>Novell 4.11 patched to service pack 7</p></td></tr><tr><td><p>60+ users</p></td></tr><tr><td><p>7 network-attached printers</p></td></tr></table><p> 57 The company had outgrown this server several years ago and were dealing with 58 severe growing pains. Some of the problems experienced were: 59 </p><div class="itemizedlist"><ul type="disc"><li><p>Very slow performance</p></li><li><p>Available storage hovering around the 5% range.</p><div class="itemizedlist"><ul type="circle"><li><p>Extremely slow print spooling.</p></li><li><p> 60 Users storing information on their local hard 61 drives, causing backup integrity problems. 62 </p></li></ul></div></li></ul></div><p> 63 <a class="indexterm" name="id2573459"></a> 64 At one point disk space had filled up to 100% causing the payroll database 65 to become corrupt. This caused the accounting department to be down for over 66 a week and necessitated deployment of another file server. The replacement 67 server was created with very poor security and design considerations from 68 a discarded desktop PC. 69 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573472"></a>Assignment Tasks</h3></div></div></div><p> 70 Misty has provided this summary of her migration experience in the hope 71 that it will help someone to avoid the challenges she faced. Perhaps her 72 configuration files and background will accelerate your learning as you 73 grapple with a similar migration challenge. 74 </p><p> 75 After presenting a cost-benefit report to management, as well as an estimated 76 time-to-completion, approval was given proceed with the solution proposed. 77 The server was built from purchased components. The total project cost 78 was $3000. A brief description of the configuration follows: 79 </p><table class="simplelist" border="0" summary="Simple list"><tr><td> 80 <p>3.0 GHz P4 Processor</p> 81 </td></tr><tr><td> 82 <p>1 GB RAM</p> 83 </td></tr><tr><td> 84 <p>120 GB SATA operating system drive</p> 85 </td></tr><tr><td> 86 <p>4 x 80 GB SATA data drives (RAID5 240 GB capacity)</p> 87 </td></tr><tr><td> 88 <p>2 x 80 GB SATA removable drives for online backup</p> 89 </td></tr><tr><td> 90 <p>A DLT drive for asynchronous offline backup</p> 91 </td></tr><tr><td> 92 <p>SUSE Linux Professional 9.2</p> 93 </td></tr></table><p> 94 The new system has operated for six months without problems. Over the past months 95 much attention has been focused on cleaning up desktops and user profiles. 96 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2573557"></a>Dissection and Discussion</h2></div></div></div><p> 97 <a class="indexterm" name="id2573565"></a> 98 <a class="indexterm" name="id2573572"></a> 99 <a class="indexterm" name="id2573579"></a> 100 <a class="indexterm" name="id2573586"></a> 101 A decision to use LDAP was made even though I know nothing about LDAP except that 102 I had been reading the book “<span class="quote"><span class="emphasis"><em>LDAP System Administration</em></span></span>”, by Gerald Carter. 103 LDAP seemed to provide some of the functionality of Novell's e-Directory Services 104 and would provide centralized authentication and identity management. 105 </p><p> 106 <a class="indexterm" name="id2573606"></a> 107 <a class="indexterm" name="id2573612"></a> 108 <a class="indexterm" name="id2573619"></a> 109 Building the LDAP database took a while, and a lot of trial and error. Following 110 the guidance I obtained from Jerry Carter's book “<span class="quote"><span class="emphasis"><em>LDAP System 111 Administration</em></span></span>”, I installed OpenLDAP (from RPM; later I compiled 112 a more current version from source) and built my initial LDAP tree. 113 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573636"></a>Technical Issues</h3></div></div></div><p> 114 <a class="indexterm" name="id2573644"></a> 115 <a class="indexterm" name="id2573651"></a> 116 <a class="indexterm" name="id2573658"></a> 117 <a class="indexterm" name="id2573665"></a> 118 <a class="indexterm" name="id2573672"></a> 119 <a class="indexterm" name="id2573678"></a> 120 <a class="indexterm" name="id2573685"></a> 121 <a class="indexterm" name="id2573692"></a> 122 <a class="indexterm" name="id2573699"></a> 123 The first challenge was to create a company white-pages, followed by manually 124 entering everything from the printed company directory. This used only the inetOrgPerson 125 objectclass from the OpenLDAP schemas. The next step was to write a shell script which 126 would look at the <tt class="filename">/etc/passwd</tt> and <tt class="filename">/etc/shadow</tt> 127 files on our mail server, and create a LDIF file from which the information could be 128 imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3, 129 and SMTP. 130 </p><p> 131 Given that a decision had been made to use Courier-IMAP the schema “<span class="quote"><span class="emphasis"><em>courier.schema</em></span></span>” 132 from the Courier-IMAP source tarball is ncessary to resolve Courier-specific LDAP directory 133 needs. 134 </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2573740"></a>Implementation</h2></div></div></div><p> 135 </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573748"></a>NetWare Migration Using LDAP Backend</h3></div></div></div><p> 136 The following software must be installed on the SUSE Linux Enterprise Server to perform 137 this migration: 138 </p><table class="simplelist" border="0" summary="Simple list"><tr><td><p>openldap2</p></td></tr><tr><td><p>openldap2-client</p></td></tr><tr><td><p>openldap2-devel (only for Samba compilation)</p></td></tr><tr><td><p>nss_ldap</p></td></tr><tr><td><p>smbldap-tools Version 0.8.7</p></td></tr><tr><td><p>perl-ldap</p></td></tr><tr><td><p>samba-3.0.12 or later</p></td></tr><tr><td><p>samba-client-3.0.12 or later</p></td></tr><tr><td><p>samba-winbind-3.0.12 or later</p></td></tr></table><p> 139 Each software application must be carefully configured in preparation for migration. 140 The configuration files used at Abmas are provided as a guide and should be modified 141 to meet needs at your site. 142 </p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2573815"></a>LDAP Server Configuration</h4></div></div></div><p> 143 The <tt class="filename">/etc/openldap/slapd.conf</tt> file Misty used is shown in <a href="nw4migration.html#ch8slapd" title="Example�9.1.�OpenLDAP Control File slapd.conf Part A">???</a>. 144 </p><div class="example"><a name="ch8slapd"></a><p class="title"><b>Example�9.1.�OpenLDAP Control File slapd.conf Part A</b></p><pre class="screen"> 145#/usr/local/etc/openldap/slapd.conf 146# 147# See slapd.conf(5) for details on configuration options. 148# This file should NOT be world readable. 149# 150include /etc/openldap/schema/core.schema 151include /etc/openldap/schema/cosine.schema 152include /etc/openldap/schema/inetorgperson.schema 153include /etc/openldap/schema/nis.schema 154include /etc/openldap/schema/samba.schema 155include /etc/openldap/schema/dhcp.schema 156include /etc/openldap/schema/misc.schema 157include /etc/openldap/schema/idpool.schema 158include /etc/openldap/schema/eduperson.schema 159include /etc/openldap/schema/commURI.schema 160include /etc/openldap/schema/local.schema 161include /etc/openldap/schema/authldap.schema 162 163pidfile /var/run/slapd/run/slapd.pid 164argsfile /var/run/slapd/run/slapd.args 165 166replogfile /data/ldap/log/slapd.replog 167 168# Load dynamic backend modules: 169modulepath /usr/lib/openldap/modules 170 171####################################################################### 172# Logging parameters 173####################################################################### 174loglevel 256 175 176####################################################################### 177# SASL and TLS options 178####################################################################### 179sasl-host ldap.corp.abmas.org 180sasl-realm DIGEST-MD5 181sasl-secprops none 182TLSCipherSuite HIGH:MEDIUM:+SSLV2 183TLSCertificateFile /etc/ssl/certs/private/abmas-cert.pem 184TLSCertificateKeyFile /etc/ssl/certs/private/abmas-key.pem 185password-hash {SSHA} 186defaultsearchbase "dc=abmas,dc=biz" 187</pre></div><div class="example"><a name="ch8slapd2"></a><p class="title"><b>Example�9.2.�OpenLDAP Control File slapd.conf Part B</b></p><pre class="screen"> 188####################################################################### 189# bdb database definitions 190####################################################################### 191database bdb 192suffix "dc=abmas,dc=biz" 193rootdn "cn=manager,dc=abmas,dc=biz" 194rootpw {SSHA}gdo/dUvoT4ZJmULz3rUt6A3H/hBEduJ5 195directory /data/ldap 196mode 0600 197# The following is for BDB to make it flush its data to disk every 198# 500 seconds or 5kb of data 199checkpoint 500 5 200 201## For running slapindex 202#readonly on 203 204## Indexes for often-requested attributes 205index objectClass eq 206index cn eq,sub 207index sn eq,sub 208index uid eq,sub 209index uidNumber eq 210index gidNumber eq 211index sambaSID eq 212index sambaPrimaryGroupSID eq 213index sambaDomainName eq 214index default sub 215cachesize 2000 216 217replica host=baa.corp.abmas.org:389 218 suffix="dc=abmas,dc=biz" 219 binddn="cn=replica,dc=abmas,dc=biz" 220 credentials=verysecret 221 bindmethod=simple 222 tls=yes 223replica host=ns.abmas.org:389 224 suffix="dc=abmas,dc=biz" 225 binddn="cn=replica,dc=abmas,dc=biz" 226 credentials=verysecret 227 bindmethod=simple 228 tls=yes 229</pre></div><div class="example"><a name="ch8slapd3"></a><p class="title"><b>Example�9.3.�OpenLDAP Control File slapd.conf Part C</b></p><pre class="screen"> 230####################################################################### 231# ACL section 232####################################################################### 233## MOST RESTRICTIVE RULES MUST GO FIRST! 234 235## Users can change their own passwords. 236## Nobody else can read the password 237access to attrs=userPassword 238 by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators, \ 239 dc=abmas,dc=biz" write 240 by self write 241 by * auth 242 243## Home contact info restricted to the logged-in user 244access to attrs=hometelephoneNumber,homePostalAddress,\ 245 mobileTelephoneNumber,pagerTelephoneNumber 246 by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,\ 247 dc=abmas,dc=biz" write 248 by self write 249 by * none 250 251## Only admins can manage email aliases 252access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz" 253 filter=(roleOccupant=*) 254 attrs=maildrop 255 by dnattr=roleOccupant write 256 by * read 257 258## Allow delegated management of certain aliases which are 259## for mailman-style mailing lists. 260access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz" 261 by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,\ 262 dc=abmas,dc=biz" write 263 by * read 264 265## Default to read-only access 266access to * 267 by dn.base="cn=replica,ou=people,ou=corp,dc=abmas,dc=biz" write 268 by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,\ 269 dc=abmas,dc=biz" write 270 by * read 271access to attrs=namingcontexts 272 by anonymous read 273</pre></div><p> 274 <a class="indexterm" name="id2573992"></a> 275 The <tt class="filename">/etc/ldap.conf</tt> file used is listed in <a href="nw4migration.html#ch8ldap" title="Example�9.4.�NSS LDAP Control File /etc/ldap.conf">???</a>. 276 </p><div class="example"><a name="ch8ldap"></a><p class="title"><b>Example�9.4.�NSS LDAP Control File /etc/ldap.conf</b></p><pre class="screen"> 277# /etc/ldap.conf 278# This file is present on every *NIX client that authenticates to LDAP. 279# For me, most of the defaults are fine. There is an amazing amount of 280# customization that can be done see the man page for info. 281 282# Your LDAP server. Must be resolvable without using LDAP. The following 283# is for the LDAP server all others use the FQDN of the server 284URI ldap://127.0.0.1 285 286# The distinguished name of the search base. 287base ou=corp,dc=abmas,dc=biz 288 289# The LDAP version to use (defaults to 3 if supported by client library) 290ldap_version 3 291 292# The distinguished name to bind to the server with if the effective 293# user ID is root. Password is stored in /etc/ldap.secret (mode 600) 294rootbinddn cn=Manager,dc=abmas,dc=biz 295 296# Filter to AND with uid=%s 297pam_filter objectclass=posixAccoun 298 299# The user ID attribute (defaults to uid) 300pam_login_attribute uid 301 302# Group member attribute 303pam_member_attribute memberUID 304 305# Use the OpenLDAP password change 306# extended operation to update the password. 307pam_password exop 308 309# OpenLDAP SSL mechanism 310# start_tls mechanism uses the normal LDAP port, LDAPS typically 636 311ssl start_tls 312 313tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem 314... 315</pre></div><p> 316 The Name Server Switch control file <tt class="filename">/etc/nsswitch.conf</tt> has the following contents: 317</p><pre class="screen"> 318# /etc/nsswitch.conf 319# This file controls the resolve order for system databases. 320 321# the following two lines obviate the "+" entry in /etc/passwd and /etc/group. 322passwd: files ldap 323group: files ldap 324shadow: files ldap 325# The above are all that I store in LDAP at this point. There are 326# possibilities to store hosts, services, ethers, and lots of other things. 327</pre><p> 328 </p><p> 329 <a class="indexterm" name="id2574076"></a> 330 <a class="indexterm" name="id2574082"></a> 331 In my setup, users authenticate via PAM and NSS using LDAP-based accounts. 332 This works out of the box with the configuration files in this chapter. It 333 enables you to have no local accounts for users (it is highly advisable 334 to have a local account for the root user). Traps for the unwary include: 335 </p><a class="indexterm" name="id2574095"></a><a class="indexterm" name="id2574102"></a><a class="indexterm" name="id2574109"></a><div class="itemizedlist"><ul type="disc"><li><p> 336 If your LDAP database goes down, nobody can authenticate except for root. 337 </p></li><li><p> 338 If fail-over is configured incorrectly weird behavior can occur. For example, 339 DNS failing to resolve. 340 </p></li></ul></div><p> 341 I do have two LDAP slave servers configured. That subject is beyond the scope 342 of this document and steps for implementing it are well-documented. 343 </p><p> 344 The following services authenticate using LDAP: 345 </p><a class="indexterm" name="id2574145"></a><a class="indexterm" name="id2574151"></a><a class="indexterm" name="id2574158"></a><table class="simplelist" border="0" summary="Simple list"><tr><td><p>UNIX login/ssh</p></td></tr><tr><td><p>Postfix (SMTP)</p></td></tr><tr><td><p>Courier-IMAP/IMAPS/POP3/POP3S</p></td></tr></table><p> 346 <a class="indexterm" name="id2574187"></a> 347 <a class="indexterm" name="id2574194"></a> 348 Company-wide White-Pages can be searched using a LDAP client 349 such as the one in the Windows Address Book. 350 </p><p> 351 <a class="indexterm" name="id2574206"></a> 352 <a class="indexterm" name="id2574213"></a> 353 Having gained a solid understanding of LDAP, and a relatively workable LDAP tree 354 thus far, it was time to configure Samba. I compiled the latest stable SAMBA and 355 also installed the latest <span><b class="command">smbldap-tools</b></span> from 356 <a href="http://idealx.com" target="_top">Idealx</a>. 357 </p><p> 358 The Samba <tt class="filename">smb.conf</tt> file was configured as shown in <a href="nw4migration.html#ch8smbconf" title="Example�9.5.�Samba Configuration File smb.conf Part A">???</a>. 359 </p><div class="example"><a name="ch8smbconf"></a><p class="title"><b>Example�9.5.�Samba Configuration File smb.conf Part A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2574281"></a><i class="parameter"><tt> 360 361 workgroup = MEGANET2</tt></i></td></tr><tr><td><a class="indexterm" name="id2574296"></a><i class="parameter"><tt> 362 363 netbios name = MASSIVE</tt></i></td></tr><tr><td><a class="indexterm" name="id2574312"></a><i class="parameter"><tt> 364 365 server string = Corp File Server</tt></i></td></tr><tr><td><a class="indexterm" name="id2574328"></a><i class="parameter"><tt> 366 367 passdb backend = ldapsam:ldap://localhost</tt></i></td></tr><tr><td><a class="indexterm" name="id2574344"></a><i class="parameter"><tt> 368 369 pam password change = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2574359"></a><i class="parameter"><tt> 370 371 username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2574375"></a><i class="parameter"><tt> 372 373 log level = 1</tt></i></td></tr><tr><td><a class="indexterm" name="id2574390"></a><i class="parameter"><tt> 374 375 log file = /data/samba/log/%m.log</tt></i></td></tr><tr><td><a class="indexterm" name="id2574406"></a><i class="parameter"><tt> 376 377 name resolve order = wins host bcast</tt></i></td></tr><tr><td><a class="indexterm" name="id2574422"></a><i class="parameter"><tt> 378 379 time server = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2574437"></a><i class="parameter"><tt> 380 381 printcap name = cups</tt></i></td></tr><tr><td><a class="indexterm" name="id2574453"></a><i class="parameter"><tt> 382 383 show add printer wizard = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2574468"></a><i class="parameter"><tt> 384 385 add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574485"></a><i class="parameter"><tt> 386 387 add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574501"></a><i class="parameter"><tt> 388 389 add user to group script</tt></i></td></tr><tr><td><i class="parameter"><tt>/opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574524"></a><i class="parameter"><tt> 390 391 delete user from group script</tt></i></td></tr><tr><td><i class="parameter"><tt>/opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574547"></a><i class="parameter"><tt> 392 393 set primary group script</tt></i></td></tr><tr><td><i class="parameter"><tt>/opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574570"></a><i class="parameter"><tt> 394 395 add machine script = /usr/local/sbin/smbldap-useradd -w "%m"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574587"></a><i class="parameter"><tt> 396 397 logon script = logon.bat</tt></i></td></tr><tr><td><a class="indexterm" name="id2574602"></a><i class="parameter"><tt> 398 399 logon path = \\%L\profiles\%U\%a</tt></i></td></tr><tr><td><a class="indexterm" name="id2574618"></a><i class="parameter"><tt> 400 401 logon drive = H:</tt></i></td></tr><tr><td><a class="indexterm" name="id2574633"></a><i class="parameter"><tt> 402 403 logon home = \\%L\%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2574649"></a><i class="parameter"><tt> 404 405 domain logons = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2574664"></a><i class="parameter"><tt> 406 407 wins support = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2574680"></a><i class="parameter"><tt> 408 409 ldap admin dn = cn=Manager,dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2574697"></a><i class="parameter"><tt> 410 411 ldap group suffix = ou=Groups</tt></i></td></tr><tr><td><a class="indexterm" name="id2574712"></a><i class="parameter"><tt> 412 413 ldap idmap suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2574727"></a><i class="parameter"><tt> 414 415 ldap machine suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2574744"></a><i class="parameter"><tt> 416 417 ldap passwd sync = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2574758"></a><i class="parameter"><tt> 418 419 ldap suffix = ou=MEGANET2,dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2574775"></a><i class="parameter"><tt> 420 421 ldap ssl = no</tt></i></td></tr><tr><td><a class="indexterm" name="id2574790"></a><i class="parameter"><tt> 422 423 ldap user suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2574805"></a><i class="parameter"><tt> 424 425 admin users = root, "@Domain Admins"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574821"></a><i class="parameter"><tt> 426 427 printer admin = "@Domain Admins"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574837"></a><i class="parameter"><tt> 428 429 force printername = Yes</tt></i></td></tr></table></div><div class="example"><a name="ch8smbconf2"></a><p class="title"><b>Example�9.6.�Samba Configuration File smb.conf Part B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><a class="indexterm" name="id2574874"></a><i class="parameter"><tt> 430 431 comment = Network logon service</tt></i></td></tr><tr><td><a class="indexterm" name="id2574890"></a><i class="parameter"><tt> 432 433 path = /data/samba/netlogon</tt></i></td></tr><tr><td><a class="indexterm" name="id2574905"></a><i class="parameter"><tt> 434 435 write list = "@Domain Admins"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574920"></a><i class="parameter"><tt> 436 437 guest ok = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profiles]</tt></i></td></tr><tr><td><a class="indexterm" name="id2574945"></a><i class="parameter"><tt> 438 439 comment = Roaming Profile Share</tt></i></td></tr><tr><td><a class="indexterm" name="id2574961"></a><i class="parameter"><tt> 440 441 path = /data/samba/profiles/</tt></i></td></tr><tr><td><a class="indexterm" name="id2574976"></a><i class="parameter"><tt> 442 443 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2574991"></a><i class="parameter"><tt> 444 445 profile acls = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2575007"></a><i class="parameter"><tt> 446 447 veto files = desktop.ini</tt></i></td></tr><tr><td><a class="indexterm" name="id2575022"></a><i class="parameter"><tt> 448 449 browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[homes]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575046"></a><i class="parameter"><tt> 450 451 comment = Home Directories</tt></i></td></tr><tr><td><a class="indexterm" name="id2575062"></a><i class="parameter"><tt> 452 453 valid users = %S</tt></i></td></tr><tr><td><a class="indexterm" name="id2575077"></a><i class="parameter"><tt> 454 455 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2575093"></a><i class="parameter"><tt> 456 457 create mask = 0770</tt></i></td></tr><tr><td><a class="indexterm" name="id2575108"></a><i class="parameter"><tt> 458 459 veto files = desktop.ini</tt></i></td></tr><tr><td><a class="indexterm" name="id2575124"></a><i class="parameter"><tt> 460 461 hide files = desktop.ini</tt></i></td></tr><tr><td><a class="indexterm" name="id2575139"></a><i class="parameter"><tt> 462 463 browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[software]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575163"></a><i class="parameter"><tt> 464 465 comment = Software for %a computers</tt></i></td></tr><tr><td><a class="indexterm" name="id2575180"></a><i class="parameter"><tt> 466 467 path = /data/samba/shares/software/%a</tt></i></td></tr><tr><td><a class="indexterm" name="id2575195"></a><i class="parameter"><tt> 468 469 guest ok = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[public]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575219"></a><i class="parameter"><tt> 470 471 comment = Public Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2575234"></a><i class="parameter"><tt> 472 473 path = /data/samba/shares/public</tt></i></td></tr><tr><td><a class="indexterm" name="id2575251"></a><i class="parameter"><tt> 474 475 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2575266"></a><i class="parameter"><tt> 476 477 guest ok = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[PDF]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575290"></a><i class="parameter"><tt> 478 479 comment = Location of documents printed to PDFCreator printer</tt></i></td></tr><tr><td><a class="indexterm" name="id2575306"></a><i class="parameter"><tt> 480 481 path = /data/samba/shares/pdf</tt></i></td></tr><tr><td><a class="indexterm" name="id2575321"></a><i class="parameter"><tt> 482 483 guest ok = Yes</tt></i></td></tr></table></div><div class="example"><a name="ch8smbconf3"></a><p class="title"><b>Example�9.7.�Samba Configuration File smb.conf Part C</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[EVERYTHING]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575358"></a><i class="parameter"><tt> 484 485 comment = All shares</tt></i></td></tr><tr><td><a class="indexterm" name="id2575374"></a><i class="parameter"><tt> 486 487 path = /data/samba</tt></i></td></tr><tr><td><a class="indexterm" name="id2575389"></a><i class="parameter"><tt> 488 489 valid users = "@Domain Admins"</tt></i></td></tr><tr><td><a class="indexterm" name="id2575405"></a><i class="parameter"><tt> 490 491 read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[CDROM]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575429"></a><i class="parameter"><tt> 492 493 comment = CD-ROM on MASSIVE</tt></i></td></tr><tr><td><a class="indexterm" name="id2575444"></a><i class="parameter"><tt> 494 495 path = /mnt</tt></i></td></tr><tr><td><a class="indexterm" name="id2575460"></a><i class="parameter"><tt> 496 497 guest ok = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[print$]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575484"></a><i class="parameter"><tt> 498 499 comment = Printer Drivers Share</tt></i></td></tr><tr><td><a class="indexterm" name="id2575500"></a><i class="parameter"><tt> 500 501 path = /data/samba/drivers</tt></i></td></tr><tr><td><a class="indexterm" name="id2575515"></a><i class="parameter"><tt> 502 503 write list = root</tt></i></td></tr><tr><td><a class="indexterm" name="id2575530"></a><i class="parameter"><tt> 504 505 browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575555"></a><i class="parameter"><tt> 506 507 comment = All Printers</tt></i></td></tr><tr><td><a class="indexterm" name="id2575570"></a><i class="parameter"><tt> 508 509 path = /data/samba/spool</tt></i></td></tr><tr><td><a class="indexterm" name="id2575586"></a><i class="parameter"><tt> 510 511 create mask = 0644</tt></i></td></tr><tr><td><a class="indexterm" name="id2575601"></a><i class="parameter"><tt> 512 513 printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2575616"></a><i class="parameter"><tt> 514 515 browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[acct_hp8500]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575641"></a><i class="parameter"><tt> 516 517 comment = "Accounting Color Laser Printer"</tt></i></td></tr><tr><td><a class="indexterm" name="id2575657"></a><i class="parameter"><tt> 518 519 path = /data/samba/spool/private</tt></i></td></tr><tr><td><a class="indexterm" name="id2575673"></a><i class="parameter"><tt> 520 521 valid users = @acct, @acct_admin, @hr, "@Domain Admins",\</tt></i></td></tr><tr><td><i class="parameter"><tt>@Receptionist, dwayne, terri, danae, jerry</tt></i></td></tr><tr><td><a class="indexterm" name="id2575696"></a><i class="parameter"><tt> 522 523 create mask = 0644</tt></i></td></tr><tr><td><a class="indexterm" name="id2575712"></a><i class="parameter"><tt> 524 525 printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2575727"></a><i class="parameter"><tt> 526 527 copy = printers</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[plotter]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575751"></a><i class="parameter"><tt> 528 529 comment = Engineering Plotter</tt></i></td></tr><tr><td><a class="indexterm" name="id2575767"></a><i class="parameter"><tt> 530 531 path = /data/samba/spool</tt></i></td></tr><tr><td><a class="indexterm" name="id2575782"></a><i class="parameter"><tt> 532 533 create mask = 0644</tt></i></td></tr><tr><td><a class="indexterm" name="id2575798"></a><i class="parameter"><tt> 534 535 printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2575813"></a><i class="parameter"><tt> 536 537 use client driver = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2575829"></a><i class="parameter"><tt> 538 539 copy = printers</tt></i></td></tr></table></div><div class="example"><a name="ch8smbconf4"></a><p class="title"><b>Example�9.8.�Samba Configuration File smb.conf Part D</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[APPS]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575866"></a><i class="parameter"><tt> 540 541 path = /data/samba/shares/Apps</tt></i></td></tr><tr><td><a class="indexterm" name="id2575882"></a><i class="parameter"><tt> 542 543 force group = "Domain Users"</tt></i></td></tr><tr><td><a class="indexterm" name="id2575897"></a><i class="parameter"><tt> 544 545 read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[ACCT]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575921"></a><i class="parameter"><tt> 546 547 path = /data/samba/shares/Accounting</tt></i></td></tr><tr><td><a class="indexterm" name="id2575937"></a><i class="parameter"><tt> 548 549 valid users = @acct, "@Domain Admins"</tt></i></td></tr><tr><td><a class="indexterm" name="id2575953"></a><i class="parameter"><tt> 550 551 force group = acct</tt></i></td></tr><tr><td><a class="indexterm" name="id2575968"></a><i class="parameter"><tt> 552 553 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2575984"></a><i class="parameter"><tt> 554 555 create mask = 0660</tt></i></td></tr><tr><td><a class="indexterm" name="id2575999"></a><i class="parameter"><tt> 556 557 directory mask = 0770</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[ACCT_ADMIN]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576023"></a><i class="parameter"><tt> 558 559 path = /data/samba/shares/Acct_Admin</tt></i></td></tr><tr><td><a class="indexterm" name="id2576040"></a><i class="parameter"><tt> 560 561 valid users = @���acct_admin���</tt></i></td></tr><tr><td><a class="indexterm" name="id2576056"></a><i class="parameter"><tt> 562 563 force group = acct_admin</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[HR_PR]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576080"></a><i class="parameter"><tt> 564 565 path = /data/samba/shares/HR_PR</tt></i></td></tr><tr><td><a class="indexterm" name="id2576096"></a><i class="parameter"><tt> 566 567 valid users = @hr, @acct_admin</tt></i></td></tr><tr><td><a class="indexterm" name="id2576111"></a><i class="parameter"><tt> 568 569 force group = hr</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[ENGR]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576136"></a><i class="parameter"><tt> 570 571 path = /data/samba/shares/Engr</tt></i></td></tr><tr><td><a class="indexterm" name="id2576151"></a><i class="parameter"><tt> 572 573 valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri</tt></i></td></tr><tr><td><a class="indexterm" name="id2576168"></a><i class="parameter"><tt> 574 575 force group = engr</tt></i></td></tr><tr><td><a class="indexterm" name="id2576183"></a><i class="parameter"><tt> 576 577 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2576198"></a><i class="parameter"><tt> 578 579 create mask = 0770</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[DATA]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576222"></a><i class="parameter"><tt> 580 581 path = /data/samba/shares/DATA</tt></i></td></tr><tr><td><a class="indexterm" name="id2576238"></a><i class="parameter"><tt> 582 583 valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri</tt></i></td></tr><tr><td><a class="indexterm" name="id2576255"></a><i class="parameter"><tt> 584 585 force group = engr</tt></i></td></tr><tr><td><a class="indexterm" name="id2576270"></a><i class="parameter"><tt> 586 587 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2576285"></a><i class="parameter"><tt> 588 589 create mask = 0770</tt></i></td></tr><tr><td><a class="indexterm" name="id2576300"></a><i class="parameter"><tt> 590 591 copy = engr</tt></i></td></tr></table></div><div class="example"><a name="ch8smbconf5"></a><p class="title"><b>Example�9.9.�Samba Configuration File smb.conf Part E</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[X]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576337"></a><i class="parameter"><tt> 592 593 path = /data/samba/shares/X</tt></i></td></tr><tr><td><a class="indexterm" name="id2576352"></a><i class="parameter"><tt> 594 595 valid users = @engr, @acct</tt></i></td></tr><tr><td><a class="indexterm" name="id2576368"></a><i class="parameter"><tt> 596 597 force group = engr</tt></i></td></tr><tr><td><a class="indexterm" name="id2576383"></a><i class="parameter"><tt> 598 599 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2576399"></a><i class="parameter"><tt> 600 601 create mask = 0770</tt></i></td></tr><tr><td><a class="indexterm" name="id2576414"></a><i class="parameter"><tt> 602 603 copy = engr</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[NETWORK]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576438"></a><i class="parameter"><tt> 604 605 path = /data/samba/shares/network</tt></i></td></tr><tr><td><a class="indexterm" name="id2576454"></a><i class="parameter"><tt> 606 607 valid users = "@Domain Users"</tt></i></td></tr><tr><td><a class="indexterm" name="id2576469"></a><i class="parameter"><tt> 608 609 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2576485"></a><i class="parameter"><tt> 610 611 create mask = 0770</tt></i></td></tr><tr><td><a class="indexterm" name="id2576500"></a><i class="parameter"><tt> 612 613 guest ok = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[UTILS]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576524"></a><i class="parameter"><tt> 614 615 path = /data/samba/shares/Utils</tt></i></td></tr><tr><td><a class="indexterm" name="id2576540"></a><i class="parameter"><tt> 616 617 write list = "@Domain Admins"</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[SYS]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576564"></a><i class="parameter"><tt> 618 619 path = /data/samba/shares/SYS</tt></i></td></tr><tr><td><a class="indexterm" name="id2576580"></a><i class="parameter"><tt> 620 621 valid users = chad</tt></i></td></tr><tr><td><a class="indexterm" name="id2576595"></a><i class="parameter"><tt> 622 623 read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2576611"></a><i class="parameter"><tt> 624 625 browseable = No</tt></i></td></tr></table></div><p> 626 <a class="indexterm" name="id2576628"></a> 627 <a class="indexterm" name="id2576635"></a> 628 <a class="indexterm" name="id2576642"></a> 629 Most of these shares are only used by one company group, but they are required 630 because of some ancient Qbasic and Rbase applications were that written expecting 631 their own drive letters. 632 </p><p> 633 <a class="indexterm" name="id2576655"></a> 634 <a class="indexterm" name="id2576662"></a> 635 <a class="indexterm" name="id2576669"></a> 636 Note: During the process of building the new server, I kept data files up-to-date 637 with the Novell server via use of <span><b class="command">rsync</b></span>. On a separate system (my workstation 638 in fact) which could be rebooted whenever necessary, I set up a mount point to the 639 Novell server via <span><b class="command">ncpmount</b></span>. I then created a 640 <tt class="filename">rsyncd.conf</tt> to share that mount point out to my new server, 641 and synchronized once an hour. The script I used to synchronize is quite nice, so 642 I will include it in an appendix. The reason I had to have the 643 <span><b class="command">rsync</b></span> daemon running on a system which could be rebooted 644 frequently is because <tt class="constant">ncpfs</tt> has a nasty habit of creating 645 stale mount points which cannot be recovered without a reboot. The reason for 646 hourly synchronization is because some part of the chain was very slow and 647 performance-heavy (whether <span><b class="command">rsync</b></span> itself, the network, or 648 the Novell server I am not sure probably the Novell server). 649 </p><p> 650 After Samba had been configured, I initialized the LDAP database. So the first 651 thing I had to do was to store the LDAP password in the Samba configuration by 652 issuing the command (as root): 653</p><pre class="screen"> 654<tt class="prompt">root# </tt> smbpasswd -w verysecret 655</pre><p> 656 where “<span class="quote"><span class="emphasis"><em>verysecret</em></span></span>” is replaced by the LDAP bind password. 657 </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> 658The Idealx smbldap-tools package can be configured using a script called 659<span><b class="command">configure.pl</b></span> that is provided as part of the tool. See Chapter 6 660for an example of its use. Many administrators, like Misty, choose to do this manually 661so as to maintain greater awareness of how the tool-chain works, and possibly to avoid 662undesirable actions from occurring un-noticed. 663</p></div><p> 664 Now Samba is ready for use. Now configure the smbldap-tools. There are two 665 relevant files, which are usually put into the directory 666 <tt class="filename">/etc/smbldap-tools</tt>. The main file, 667 <tt class="filename">smbldap.conf</tt> is shown in <a href="nw4migration.html#ch8ideal" title="Example�9.10.�Idealx smbldap-tools Control File Part A">???</a>. 668 </p><div class="example"><a name="ch8ideal"></a><p class="title"><b>Example�9.10.�Idealx smbldap-tools Control File Part A</b></p><pre class="screen"> 669######### 670# 671# located in /etc/smbldap-tools/smbldap.conf 672# 673############################################################################## 674# 675# General Configuration 676# 677############################################################################## 678 679# Put your own SID 680# to obtain this number do: net getlocalsid 681SID="S-1-5-21-725326080-1709766072-2910717368" 682 683############################################################################## 684# 685# LDAP Configuration 686# 687############################################################################## 688 689# Notes: to use to dual ldap servers backend for Samba, you must patch 690# Samba with the dual-head patch from IDEALX. If not using this patch 691# just use the same server for slaveLDAP and masterLDAP. 692# Those two servers declarations can also be used when you have 693# . one master LDAP server where all writing operations must be done 694# . one slave LDAP server where all reading operations must be done 695# (typically a replication directory) 696 697# Ex: slaveLDAP=127.0.0.1 698slaveLDAP="127.0.0.1" 699slavePort="389" 700 701# Master LDAP : needed for write operations 702# Ex: masterLDAP=127.0.0.1 703masterLDAP="127.0.0.1" 704masterPort="389" 705 706# Use TLS for LDAP 707# If set to 1, this option will use start_tls for connection 708# (you should also used the port 389) 709ldapTLS="0" 710 711# How to verify the server's certificate (none, optional or require) 712# see "man Net::LDAP" in start_tls section for more details 713verify="" 714</pre></div><div class="example"><a name="ch8ideal2"></a><p class="title"><b>Example�9.11.�Idealx smbldap-tools Control File Part B</b></p><pre class="screen"> 715# CA certificate 716# see "man Net::LDAP" in start_tls section for more details 717cafile="" 718 certificate to use to connect to the ldap server 719# see "man Net::LDAP" in start_tls section for more details 720clientcert="" 721 722# key certificate to use to connect to the ldap server 723# see "man Net::LDAP" in start_tls section for more details 724clientkey="" 725 726# LDAP Suffix 727# Ex: suffix=dc=IDEALX,dc=ORG 728suffix="ou=MEGANET2,dc=abmas,dc=biz" 729 730# Where are stored Users 731# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG" 732usersdn="ou=People,${suffix}" 733 734# Where are stored Computers 735# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG" 736computersdn="ou=People,${suffix}" 737 738# Where are stored Groups 739# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG" 740groupsdn="ou=Groups,${suffix}" 741 742# Where are stored Idmap entries (used if samba is a domain member server) 743# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG" 744idmapdn="ou=Idmap,${suffix}" 745 746# Where to store next uidNumber and gidNumber available 747sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz" 748 749# Default scope Used 750scope="sub" 751</pre></div><div class="example"><a name="ch8ideal3"></a><p class="title"><b>Example�9.12.�Idealx smbldap-tools Control File Part C</b></p><pre class="screen"> 752# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) 753hash_encrypt="MD5" 754 755# if hash_encrypt is set to CRYPT, you may set a salt format. 756# default is "%s", but many systems will generate MD5 hashed 757# passwords if you use "$1$%.8s". This parameter is optional! 758crypt_salt_format="%s" 759 760############################################################################## 761# 762# Unix Accounts Configuration 763# 764############################################################################## 765 766# Login defs 767# Default Login Shell 768# Ex: userLoginShell="/bin/bash" 769userLoginShell="/bin/false" 770 771# Home directory 772# Ex: userHome="/home/%U" 773userHome="/home/%U" 774 775# Gecos 776userGecos="Samba User" 777 778# Default User (POSIX and Samba) GID 779defaultUserGid="513" 780 781# Default Computer (Samba) GID 782defaultComputerGid="515" 783 784# Skel dir 785skeletonDir="/etc/skel" 786 787# Default password validation time (time in days) Comment the next line if 788# you don't want password to be enable for defaultMaxPasswordAge days (be 789# careful to the sambaPwdMustChange attribute's value) 790defaultMaxPasswordAge="45" 791</pre></div><div class="example"><a name="ch8ideal4"></a><p class="title"><b>Example�9.13.�Idealx smbldap-tools Control File Part D</b></p><pre class="screen"> 792############################################################################## 793# 794# SAMBA Configuration 795# 796############################################################################## 797 798# The UNC path to home drives location (%U username substitution) 799# Ex: \\My-PDC-netbios-name\homes\%U 800# Just set it to a null string if you want to use the smb.conf 'logon home' 801# directive and/or disable roaming profiles 802userSmbHome="" 803 804# The UNC path to profiles locations (%U username substitution) 805# Ex: \\My-PDC-netbios-name\profiles\%U 806# Just set it to a null string if you want to use the smb.conf 'logon path' 807# directive and/or disable roaming profiles 808userProfile="" 809 810# The default Home Drive Letter mapping 811# (will be automatically mapped at logon time if home directory exist) 812# Ex: H: for H: 813userHomeDrive="" 814 815# The default user netlogon script name (%U username substitution) 816# if not used, will be automatically username.cmd 817# make sure script file is edited under dos 818# Ex: %U.cmd 819# userScript="startup.cmd" # make sure script file is edited under dos 820userScript="" 821 822# Domain appended to the users "mail"-attribute 823# when smbldap-useradd -M is used 824mailDomain="abmas.org" 825 826############################################################################## 827# 828# SMBLDAP-TOOLS Configuration (default are ok for a RedHat) 829# 830############################################################################## 831# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but 832# prefer Crypt::SmbHash library 833with_smbpasswd="0" 834smbpasswd="/usr/bin/smbpasswd" 835</pre></div><p> 836 <a class="indexterm" name="id2577002"></a> 837 NOTE: I chose not to take advantage of the TLS capability of this. 838 Eventually I may go back and tweak it. Also I chose not to take advantage 839 of the master/slave configuration as I heard horror stories that it was 840 unstable. My slave servers are replicas only. 841 </p><p> 842 The <tt class="filename">/etc/smbldap-tools/smbldap_bind.conf</tt> file is shown here: 843</p><pre class="screen"> 844# smbldap_bind.conf 845# 846# This file simply tells smbldap-tools how to bind to your LDAP server. 847# It has to be a DN with full write access to the Samba portion of 848# the database. 849 850############################ 851# Credential Configuration # 852############################ 853# Notes: you can specify two differents configuration if you use a 854# master ldap for writing access and a slave ldap server for reading access 855# By default, we will use the same DN (so it will work for standard Samba 856# release) 857slaveDN="cn=Manager,dc=abmas,dc=biz" 858slavePw="verysecret" 859masterDN="cn=Manager,dc=abmas,dc=biz" 860masterPw="verysecret" 861</pre><p> 862 </p><p> 863 We can now run the <span><b class="command">smbldap-populate</b></span> command which will populate 864 the LDAP tree with the appropriate default users, groups, and UID and GID pools. 865 It will create a user called Administrator with UID=0 and GID=0 matching the 866 Domain Admins group. This is fine you can still log in a root to a Windows system, 867 but it will break cached credentials if you need to log in as the administrator 868 to a system that is not on the network for whatever reason. 869 </p><p> 870 After the LDAP database has been pre-loaded it is prudent to validate that the 871 information needed is in the LDAP directory. This can be done done by restarting 872 the LDAP server, then performing an LDAP search by executing: 873</p><pre class="screen"> 874<tt class="prompt">root# </tt> ldapsearch -W -x -b "dc=abmas,dc=biz"\ 875 -D "cn=Manager,dc=abmas,dc=biz" \ 876 "(Objectclass=*)" 877Enter LDAP Password: 878# extended LDIF 879# 880# LDAPv3 881# base <dc=abmas,dc=biz> with scope sub 882# filter: (ObjectClass=*) 883# requesting: ALL 884# 885 886# abmas.biz 887dn: dc=abmas,dc=biz 888objectClass: dcObject 889objectClass: organization 890o: abmas 891dc: abmas 892 893# People, abmas.biz 894dn: ou=People,dc=abmas,dc=biz 895objectClass: organizationalUnit 896ou: People 897 898# Groups, abmas.biz 899dn: ou=Groups,dc=abmas,dc=biz 900objectClass: organizationalUnit 901ou: Groups 902 903# Idmap, abmas.biz 904dn: ou=Idmap,dc=abmas,dc=biz 905objectClass: organizationalUnit 906ou: Idmap 907... 908</pre><p> 909 </p><p> 910 <a class="indexterm" name="id2577103"></a> 911 <a class="indexterm" name="id2577110"></a> 912 <a class="indexterm" name="id2577117"></a> 913 <a class="indexterm" name="id2577124"></a> 914 <a class="indexterm" name="id2577130"></a> 915 With the LDAP directory now intialized it is time to create the Windows and POSIX 916 (UNIX) group accounts as well as the mappings from Windows groups to UNIX groups. 917 The easiest way to do this is to use <span><b class="command">smbldap-groupadd</b></span> command. 918 It will create the group with the posixGroup and sambaGroupMapping attributes, a 919 unique GID, and an automatically-determined RID. I learned the hard way not to 920 try to do this by hand. 921 </p><p> 922 <a class="indexterm" name="id2577153"></a> 923 <a class="indexterm" name="id2577160"></a> 924 <a class="indexterm" name="id2577167"></a> 925 After I had my group mappings in place, I added users to the groups (the users 926 don't really have to exist yet). I used the <span><b class="command">smbldap-groupmod</b></span> 927 command to accomplish this. It can also be done manually by adding memberUID 928 attributes to the group entries in LDAP. 929 </p><p> 930 <a class="indexterm" name="id2577187"></a> 931 <a class="indexterm" name="id2577194"></a> 932 <a class="indexterm" name="id2577201"></a> 933 The most monumental task of all was adding the sambaSamAccount information to each 934 already-existent posixAccount entry. I did it one at a time as I moved people onto 935 the new server, by issuing the command: 936</p><pre class="screen"> 937<tt class="prompt">root# </tt> smbldap-usermod -a -P username 938</pre><p> 939 <a class="indexterm" name="id2577224"></a> 940 <a class="indexterm" name="id2577231"></a> 941 <a class="indexterm" name="id2577237"></a> 942 I completed that step for every user after asking the person what their current 943 NetWare password was. The wiser way to have done it would probably be to dump the 944 entire database to an LDIF file. This can be done by executing: 945</p><pre class="screen"> 946<tt class="prompt">root# </tt> slapcat > somefile.ldif 947</pre><p> 948 <a class="indexterm" name="id2577261"></a> 949 <a class="indexterm" name="id2577268"></a> 950 Then update the LDIF file created by using a Perl script to parse and add the 951 appropriate attributes and objectClasses to each entry, followed by re-importing 952 the entire database into the LDAP directory. 953 </p><p> 954 Rebuilding of the LDAP directory can be done as follows: 955</p><pre class="screen"> 956<tt class="prompt">root# </tt> rcldap stop 957<tt class="prompt">root# </tt> cd /data/ldap 958<tt class="prompt">root# </tt> rm *bdb _* log* 959<tt class="prompt">root# </tt> su - ldap -c "slapadd -l somefile.ldif" 960<tt class="prompt">root# </tt> rcldap start 961</pre><p> 962 This can be done at any time and for any reason, with no harm to the database. 963 </p><p> 964 So first I added a test user, of course. The LDIF for this test user looks like 965 this, to give you an idea: 966</p><pre class="screen"> 967# Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz 968dn:cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz 969cn: Test User 970gecos: Test User 971gidNumber: 513 972givenName: Test 973homeDirectory: /home/test.user 974homePhone: 555 975l: Somewhere 976l: ST 977mail: test.user 978o: Corp 979objectClass: top 980objectClass: inetOrgPerson 981objectClass: posixAccount 982objectClass: sambaSamAccount 983postalCode: 12345 984sn: User 985street: 10 Some St. 986uid: test.user 987uidNumber: 1074 988sambaLogonTime: 0 989sambaLogoffTime: 2147483647 990sambaKickoffTime: 2147483647 991sambaPwdCanChange: 0 992displayName: Samba User 993sambaSID: S-1-5-21-725326080-1709766072-2910717368-3148 994sambaLMPassword: 9D29C287C58448F9AAD3B435B51404EE 995sambaAcctFlags: [U] 996sambaNTPassword: D062088E99C95E37D7702287BB35E770 997sambaPwdLastSet: 1102537694 998sambaPwdMustChange: 1106425694 999userPassword: {SSHA}UzFZ2VxRGdwUueLnTGtsTBtnsvMO1oj8 1000loginShell: /bin/false 1001</pre><p> 1002 </p><p> 1003 Then I went over to a spare Windows NT machine and joined it to the MEGANET2 domain. 1004 It worked, and the machine's account entry under ou=Computers looks like this: 1005</p><pre class="screen"> 1006dn:uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz 1007objectClass: top 1008objectClass: inetOrgPerson 1009objectClass: posixAccount 1010objectClass: sambaSamAccount 1011cn: w2kengrspare$ 1012sn: w2kengrspare$ 1013uid: w2kengrspare$ 1014uidNumber: 1104 1015gidNumber: 515 1016homeDirectory: /dev/null 1017loginShell: /bin/false 1018description: Computer 1019gecos: Computer 1020sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208 1021sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-2031 1022displayName: W2KENGRSPARE$ 1023sambaPwdCanChange: 1103149236 1024sambaPwdMustChange: 2147483647 1025sambaNTPassword: CA199C45CB6737035DB6D9D9F6CD1834 1026sambaPwdLastSet: 1103149236 1027sambaAcctFlags: [W ] 1028</pre><p> 1029 </p><p> 1030 <a class="indexterm" name="id2577383"></a> 1031 So now I can log in with a test user from the machine w2kengrspare. It's all fine and 1032 good, but that user is in no groups yet so has pretty boring access. We can fix that 1033 by writing the login script! To write the login script, I used 1034 <a href="http://www.kixtart.org" target="_top">Kixstart</a>. I used it because it will work 1035 with every architecture of Windows, has an active and helpful user base, and was both 1036 easier to learn and more powerful than the standard netlogon scripts I have seen. 1037 I also did not have to do a logon script per user or per group. 1038 </p><p> 1039 <a class="indexterm" name="id2577408"></a> 1040 I downloaded Kixtart and put the following files in my [netlogon] share: 1041</p><pre class="screen"> 1042KIX32.EXE 1043KX32.dll 1044KX95.dll <-- Not needed unless you are running Win9x clients. 1045kx16.dll <-- Probably not needed unless you are running DOS clients. 1046kxrpc.exe <-- Probably useless as it has to run on the server and can 1047 only be run on NT. It's for Windows 95 to become group-aware. 1048 We can get around the need. 1049</pre><p> 1050 </p><p> 1051 <a class="indexterm" name="id2577439"></a> 1052 I then wrote the <tt class="filename">logon.kix</tt> file that is shown in 1053 <a href="nw4migration.html#ch8kix" title="Example�9.14.�Kixstart Control File File: logon.kix">???</a>. I chose to keep it all in one file, but it 1054 can be split up and linked via include directives. 1055 </p><div class="example"><a name="ch8kix"></a><p class="title"><b>Example�9.14.�Kixstart Control File File: logon.kix</b></p><pre class="screen"> 1056; This script just calls the other scripts. 1057 1058; First we want to get things done for everyone. 1059 1060; Second, we do first-time login stuff. 1061 1062; Third, we go through the group-oriented scripts one at a time. 1063 1064 1065; We want to check for group membership here to avoid the overhead of running 1066; scripts which don't apply. 1067call "\\massive\netlogon\scripts\main.kix" 1068call "\\massive\netlogon\scripts\setup.kix" 1069IF INGROUP("MEGANET2\ACCT") 1070 call "scripts\acct.kix" 1071ENDIF 1072IF INGROUP("MEGANET2\ENGR","MEGANET2\RECEPTIONIST") 1073call "\\massive\netlogon\scripts\engr.kix" 1074ENDIF 1075IF INGROUP("MEGANET2\FURN") 1076 call "\\massive\netlogon\scripts\furn.kix" 1077ENDIF 1078IF INGROUP("MEGANET2\TRUSS") 1079 call "\\massive\netlogon\scripts\truss.kix" 1080ENDIF 1081</pre></div><div class="example"><a name="ch8kix2"></a><p class="title"><b>Example�9.15.�Kixstart Control File File: main.kix</b></p><pre class="screen"> 1082break on 1083 1084; Choose whether to hide the login window or not 1085IF INGROUP("MEGANET2\Domain Admins") 1086 USE Z: \\massive\everything 1087 SETCONSOLE("show") 1088ELSE 1089 ; Nobody cares about seeing the login script except admins 1090 SETCONSOLE("hide") 1091ENDIF 1092 1093; Delete all previously connected shares 1094USE * /delete 1095 1096SETTITLE("Logging on @USERID to @LDOMAIN at @TIME") 1097 1098; Set the time on the workstation 1099$Timeserver = "\\massive" 1100Settime $TimeServer 1101 1102; Map the home directory 1103USE H: @HOMESHR ; connect to user's home share 1104IF @ERROR = 0 1105 1106 H: 1107 CD @HOMEDIR ; change directory to user's home directory 1108ENDIF 1109 1110; Everyone gets the N drive 1111USE N: \\massive\network 1112</pre></div><div class="example"><a name="ch8kix3"></a><p class="title"><b>Example�9.16.�Kixstart Control File File: setup.kix, Part A</b></p><pre class="screen"> 1113; My setup.kix is where all of the redirection stuff happens. Note that with 1114; the use of registry keys, ths only happens the first time they log in ,or if 1115; I delete the pertinent registry keys which triggers it to happen again: 1116 1117; Check to see if we have written the Borkholder subkey before 1118$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\Borkholder") 1119IF NOT $RETURNCODE = 0 1120; Add key for Borkholder-specific things on the first login 1121 ADDKEY("HKEY_CURRENT_USER\Borkholder") 1122 ; The following key gets deleted at the end of the first login 1123 ADDKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN") 1124ENDIF 1125 1126; People with laptops need My Documents to be in their profile. People with 1127; desktops can have My Documents redirected to their home directory to avoid 1128; long delays with logging out and out-of-sync files. 1129 1130; Check to see if this is the first login -- doesn't make sense to do this 1131; at the very first login 1132 1133$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN") 1134IF NOT $RETURNCODE = 0 1135 1136; We don't want to do this stuff for people with laptops or people in the FURN 1137; group. (They store their profiles in a different server) 1138 1139 IF NOT INGROUP("MASSIVE\Laptop","MASSIVE\FURN") 1140 $RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\Borkholder\profile_copied") 1141 1142; A crude way to tell what OS our profile is for and copy the "My Documents" 1143; to the redirected folder on the server. It works because the profiles 1144; are stored as \\server\profiles\user\architecture 1145 IF NOT $RETURNCODE = 0 1146 IF EXIST("\\massive\profiles\@userID\WinXP") 1147 copy "\\massive\profiles\@userID\WinXP\My Documents\*" 1148"\\massive\@userID\" 1149 ENDIF 1150 IF EXIST("\\massive\profiles\@userID\Win2K") 1151 copy "\\massive\profiles\@userID\Win2K\My Documents\*" 1152"\\massive\@userID\" 1153 ENDIF 1154 IF EXIST("\\massive\profiles\@userID\WinNT") 1155 copy "\\massive\profiles\@userID\WinNT\My Documents\*" 1156"\\massive\@userID\" 1157 ENDIF 1158</pre></div><div class="example"><a name="ch8kix3b"></a><p class="title"><b>Example�9.17.�Kixstart Control File File: setup.kix, Part B</b></p><pre class="screen"> 1159; Now we will write the registry values to redirect the locations of "My 1160Documents" 1161; and other folders. 1162 ADDKEY("HKEY_CURRENT_USER\Borkholder\profile_copied") 1163 WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ 1164Windows\CurrentVersion\Explorer\User 1165Shell Folders", "Personal","\\massive\@userID","REG_SZ") 1166 WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ 1167Windows\CurrentVersion\Explorer\User 1168Shell Folders", "My Pictures", "\\massive\@userID\My Pictures", "REG_SZ") 1169 IF @PRODUCTTYPE="Windows 2000 Professional" or @PRODUCTTYPE="Windows XP 1170Professional" 1171 WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ 1172Windows\CurrentVersion\Explorer\User 1173Shell Folders", "My Videos", "\\massive\@userID\My Videos", "REG_SZ") 1174 WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ 1175Windows\CurrentVersion\Explorer\User 1176Shell Folders", "My Music", "\\massive\@userID\My Music", "REG_SZ") 1177 WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\ 1178Windows\CurrentVersion\Explorer\User 1179Shell Folders", "My eBooks", "\\massive\@userID\My eBooks", "REG_SZ") 1180 ENDIF 1181 ENDIF 1182 ENDIF 1183 1184; Now we will delete the FIRST_LOGIN subkey that we made before. 1185; Note - to run this script again you will want to delete the HKCU\Borkholder 1186; subkey, log out, and log back in. 1187$RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN") 1188IF $RETURNVALUE = 0 1189 DELKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN") 1190ENDIF 1191</pre></div><div class="example"><a name="ch8kix4"></a><p class="title"><b>Example�9.18.�Kixstart Control File File: acct.kix</b></p><pre class="screen"> 1192; And here is one group-oriented script to show what can be 1193; done that way: acct.kix: 1194 1195IF INGROUP("MASSIVE\Acct_Admin","MASSIVE\HR") 1196 USE I: \\MEGANET2\HR_PR 1197ENDIF 1198 1199; Set up printer 1200$RETURNVALUE = existkey("HKEY_CURRENT_USER\Printers\,,massive,acct_hp8500") 1201IF NOT $RETURNVALUE = 0 1202 ADDPRINTERCONNECTION("\\massive\acct_hp8500") 1203 SETDEFAULTPRINTER("\\massive\acct_hp8500") 1204ENDIF 1205; Set up drive mappings 1206 USE M: \\massive\ACCT 1207 IF INGROUP("MEGANET2\ABRA") 1208 USE T: \\trussrv\abra 1209 ENDIF 1210</pre></div><p> 1211 As you can see in the script, I redirect the My Documents to the user's home 1212 share if they are not in the ���Laptop��� group. I also add printers on a 1213 group-by-group basis, and if applicable I setthe group printer. For this to 1214 be effective, the print drivers must be installed on the Samba server in the 1215 <tt class="filename">[print$]</tt> share. Ample documentation exists about how to do that so I did not 1216 cover it. 1217 </p><p> 1218 I actually call this script via the logon.bat script in the [netlogon] directory: 1219</p><pre class="screen"> 1220\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f 1221</pre><p> 1222 I only had to fully qualify the paths for Windows 9x, as Windows NT and 1223 greater automatically add [NETLOGON] to the path. 1224 </p><p> 1225 Also of note for Win9x is that the drive mappings and printer setup will not 1226 work because they rely on RPC. One merely has to put the appropriate settings 1227 into the <tt class="filename">c:\autoexec.bat</tt> file or map the drives manually. One option would 1228 be to check the OS as part of the Kixtart script, and if it is Win9x and if 1229 it is the first login, copy a pre-made <tt class="filename">autoexec.bat</tt> to the <tt class="filename">C:</tt> drive. I only 1230 have three such machines and one is going away in the very near future, so it 1231 was easier to do it by hand. 1232 </p><p> 1233 <a class="indexterm" name="id2577742"></a> 1234 At this point I was able to add the users. This is the part that really falls 1235 into ���upgrade. I moved the users over one group at a time, starting with the 1236 people who used the least amount of resources on the network. With each group 1237 that I moved, I first logged in as a ���standard��� user in that group and took 1238 careful note of their environment, mainly the printers they used, their PATH, 1239 and what network resources they had access to (most importantly which ones 1240 they actually needed access to). 1241 </p><p> 1242 I would then add the user's SambaSamAccount information as mentioned earlier, 1243 and join the computer to the domain. The very first thing I had to do was to 1244 copy the user's profile to the new server. This was very important, and I really 1245 struggled with the most effective way to do it. Here is the method that worked 1246 for every one of my users on Windows NT, 2000, and XP: 1247 </p><div class="procedure"><ol type="1"><li><p> 1248 Log in as the user on the domain. This creates the local copy 1249 of the user's profile and copies it to the server as they log out. 1250 </p></li><li><p> 1251 Reboot the computer and log in as the local machine administrator. 1252 </p></li><li><p> 1253 Right-click My Computer, click Properties, and navigate to the 1254 user profiles tab (varies per version of Windows). 1255 </p></li><li><p> 1256 Select the user's local profile <tt class="constant">(COMPUTERNAME\username)</tt>, 1257 and click the <span><b class="command">Copy To</b></span> button. 1258 </p></li><li><p> 1259 In the next dialog, copy it directly to the profiles share on the 1260 Samba server (\\PDCname\profiles\user\<architecture> in my 1261 case). You will have had to make a connection to the share as that 1262 user (e.g.: Windows Explorer type \\PDCname\profiles\username). 1263 </p></li><li><p> 1264 When the copy is complete (it can take a while) log out, and log back in 1265 as the user. All his/her settings and all contents of My Documents, 1266 Favorites, and the registry should have been copied successfully. 1267 </p></li><li><p> 1268 If it doesn't look right (the dead giveaway is the desktop background) 1269 shut down the computer without logging out (power cycle) and try logging 1270 in as the user again. If it still doesn't work, repeat the steps above. 1271 I only had to ever repeat it once. 1272 </p></li></ol></div><p> 1273 WORDS TO THE WISE: 1274 </p><div class="itemizedlist"><ul type="disc"><li><p> 1275 If the user was anything other than a standard user on his/her system 1276 before, you will save yourself some headaches by giving them identical 1277 permissions (on the local machine) as their domain account, BEFORE 1278 copying their profile over. Do this through the User Administrator 1279 in the Control Panel, after joining the computer to the domain and 1280 before logging as that user for the first time. Otherwise they will 1281 have trouble with permissions on their registry keys. 1282 </p></li><li><p> 1283 If any application was installed for the user only, rather than for 1284 the entire system, it will probably not work without being reinstalled. 1285 </p></li></ul></div><p> 1286 After all these steps are accomplished, only cleanup details are left. Make sure user's 1287 shortcuts and ���Network Places��� point to the appropriate place on the new server, check 1288 the important applications to be sure they work as expected and troubleshoot any problems 1289 that might arise, check to be sure the user's printers are present and working. By the 1290 way, if there are any network printers installed as system printers (the Novell way) 1291 you will need to log in as a local administrator and delete them. 1292 </p><p> 1293 For my non-laptop systems, I would then log in and out a couple times as the user, 1294 to be sure that their registry settings were modified, then I was finished. 1295 </p><p> 1296 Some compatibility issues that cropped up included: 1297 </p><p> 1298 Blackberry client It did not like having its registry settings moved around, 1299 and had to be reinstalled. Also it needed write permissions to a portion of 1300 the hard drive, and I had to give it those manually on the one system where 1301 this was an issue. 1302 </p><p> 1303 CAMedia digital camera software for Canon cameras I had all kinds of trouble 1304 with the registry. I had to use the Run as service to open the registry of 1305 the local user while logged in as the domain user, and give the domain user 1306 the appropriate permissions to some registry keys, then export that portion 1307 of the registry to a file. Then as the domain user I had to import that file 1308 into the registry. 1309 </p><p> 1310 Crystal Reports version 7 More registry problems that were solved by re-copying 1311 the user's profile. 1312 </p><p> 1313 Printing from legacy applications I found out that Novell sent its jobs to 1314 the printer in a raw format. CUPS sends them in Postscript by default. I had 1315 to make a second printer definition for one printer and tell CUPS specifically 1316 to send raw data to the printer, and assign this printer to the LPT port with 1317 Kixtart's version of the ���net use���command. 1318 </p><p> 1319 These were all eventually solved by elbow grease, queries to the Samba mailing 1320 list and others, and diligence. The complete migration took about 5 weeks. 1321 My userbase is relatively small, but includes multiple versions of Windows, 1322 multiple Linux member servers, a mechanized saw, a pen plotter, and legacy 1323 applications written in Qbasic and R:Base, just to name a few. I actually 1324 ended up making some of these applications work better (or work again, as 1325 some of them had stopped functioning on the old server) because as part of 1326 the process I had to find out how things were supposed to work. 1327 </p><p> 1328 The one thing I have not been able to get working is a very old database that 1329 we had around for reference purposes which uses Novell's Btrieve engine. 1330 </p><p> 1331 As the resources compare, I went from 95% disk usage to just around 10%. 1332 I went from a very high load on the server to an average load of between 1 1333 and 2 runnable processes on the server. I have improved the security and 1334 robustness of the system. I have also implemented 1335 <a href="http://www.clamav.net" target="_top">ClamAV</a> Antivirus 1336 which scans the entire Samba server for viruses every two hours and 1337 quarantines them. I have found it much less problematic than our ancient 1338 version of Norton Antivirus Corporate Edition, and much more up-to-date. 1339 </p><p> 1340 In short, my users are much happier now that the new server is running, that 1341 is what is important to me. 1342 </p></div></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="migration.html">Prev</a>�</td><td width="20%" align="center"><a accesskey="u" href="index.html">Up</a></td><td width="40%" align="right">�<a accesskey="n" href="unixclients.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter�8.�Migrating NT4 Domain to Samba-3�</td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top">�Chapter�10.�Adding UNIX/LINUX Servers and Clients</td></tr></table></div></body></html> 1343