<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. Migrating NetWare 4.11 Server to Samba-3</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.66.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="index.html" title="Samba-3 by Example"><link rel="prev" href="migration.html" title="Chapter 8. Migrating NT4 Domain to Samba-3"><link rel="next" href="unixclients.html" title="Chapter 10. Adding UNIX/LINUX Servers and Clients"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="nw4migration"></a>Chapter 9. Migrating NetWare 4.11 Server to Samba-3</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="nw4migration.html#id2573355">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id2573472">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id2573557">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id2573636">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id2573740">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id2573748">NetWare Migration Using LDAP Backend</a></span></dt></dl></dd></dl></div><p>
2	<a class="indexterm" name="id2573186"></a>
3	<a class="indexterm" name="id2573193"></a>
4	<a class="indexterm" name="id2573200"></a>
5	<a class="indexterm" name="id2573207"></a>
6	<a class="indexterm" name="id2573216"></a>
Novell is a company any seasoned IT manager has to admire. Since the acquisition of
the SuSE Linux company, the acquisition of Ximian, and other moves that are friendly
to the FLOSS (Free-Libre/Open Source Software) movement, Novell are emerging out of
a deep regression that almost saw the company disappear into obscurity. Novell's now
Linux-friendly SUSE Linux is being used as a host to which NetWare servers are being
migrated. It is in many ways ironic that Novell are today hosting NetWare on top of
Linux. At the same time, older NetWare servers are still being migrated to Samba servers.
It will be interesting to see what will become of NetWare over time.
15	</p><p>
16	<a class="indexterm" name="id2573250"></a>
17	<a class="indexterm" name="id2573256"></a>
18	<a class="indexterm" name="id2573263"></a>
19	<a class="indexterm" name="id2573270"></a>
Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian,
Gentoo, Mandrake, or SUSE (Novell), the information in this chapter should be read with
appropriate cognizance that file locations may vary a little; even so, the information
in this chapter should provide something of value.
24	</p><p>
25	<a class="indexterm" name="id2573285"></a>
26	This chapter was contributed by Misty Stanley-Jones, a UNIX administrator of many
27	years who surfaced on the Samba mailing list with a barrage of questions, and who
28	regularly now helps other administrators to solve thorny Samba migration questions.
29	</p><p>
30	<a class="indexterm" name="id2573299"></a>
31	<a class="indexterm" name="id2573306"></a>
32	<a class="indexterm" name="id2573313"></a>
33	<a class="indexterm" name="id2573320"></a>
One wonders how many NetWare servers remain in active service. Many are being migrated
to Samba on Linux. Red Hat Linux, SUSE Linux 9.x, and SUSE Linux Enterprise Server 9 are
ideal target platforms to which a NetWare server may be migrated. The migration method
of choice depends largely on the tools that the administrator finds most natural to use.
The old-hand NetWare guru will likely want to use tools such as the NetWare NLM for
<span><b class="command">rsync</b></span> to migrate files from the NetWare server to the Samba server.
The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stover's NetWare
Emulator) open source package. The MS Windows network administrator will likely make use of the
NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice,
migration will be filled with joyous and challenging moments, though probably not
concurrently.
45	</p><p>
This chapter tells its own story, so ride along; maybe the information presented here
will help to smooth over a similar migration challenge in your favorite networking environment.
48	</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2573355"></a>Introduction</h2></div></div></div><p>
49	<a class="indexterm" name="id2573363"></a>
50	Misty Stanley-Jones was recruited by Abmas Inc. to administer a network that had
51	not received much attention for some years and was much in need of a make-over.
52	As a brand-new sysadmin to this company, she inherited a very old Novell file server,
53	and came with a determination to change things for the better.
54	</p><p>
55	A site survey turned up the following details for the old NetWare server:
56	</p><table class="simplelist" border="0" summary="Simple list"><tr><td><p>200 MHz MMX processor</p></td></tr><tr><td><p>512K RAM</p></td></tr><tr><td><p>24 GB disk space in RAID1</p></td></tr><tr><td><p>Novell 4.11 patched to service pack 7</p></td></tr><tr><td><p>60+ users</p></td></tr><tr><td><p>7 network-attached printers</p></td></tr></table><p>
57	The company had outgrown this server several years ago and were dealing with
58	severe growing pains. Some of the problems experienced were:
59	</p><div class="itemizedlist"><ul type="disc"><li><p>Very slow performance</p></li><li><p>Available storage hovering around the 5% range.</p><div class="itemizedlist"><ul type="circle"><li><p>Extremely slow print spooling.</p></li><li><p>
60					Users storing information on their local hard
61					drives, causing backup integrity problems.
62					</p></li></ul></div></li></ul></div><p>
63	<a class="indexterm" name="id2573459"></a>
64	At one point disk space had filled up to 100% causing the payroll database
65	to become corrupt. This caused the accounting department to be down for over
66	a week and necessitated deployment of another file server. The replacement
67	server was created with very poor security and design considerations from
68	a discarded desktop PC.
69	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573472"></a>Assignment Tasks</h3></div></div></div><p>
70	Misty has provided this summary of her migration experience in the hope
71	that it will help someone to avoid the challenges she faced. Perhaps her
72	configuration files and background will accelerate your learning as you
73	grapple with a similar migration challenge.
74	</p><p>
After presenting a cost-benefit report to management, as well as an estimated
time-to-completion, approval was given to proceed with the proposed solution.
The server was built from purchased components. The total project cost
was $3000. A brief description of the configuration follows:
79	</p><table class="simplelist" border="0" summary="Simple list"><tr><td>
80			<p>3.0 GHz P4 Processor</p>
81		</td></tr><tr><td>
82			<p>1 GB RAM</p>
83		</td></tr><tr><td>
84			<p>120 GB SATA operating system drive</p>
85		</td></tr><tr><td>
86			<p>4 x 80 GB SATA data drives (RAID5 240 GB capacity)</p>
87		</td></tr><tr><td>
88			<p>2 x 80 GB SATA removable drives for online backup</p>
89		</td></tr><tr><td>
90			<p>A DLT drive for asynchronous offline backup</p>
91		</td></tr><tr><td>
92			<p>SUSE Linux Professional 9.2</p>
93		</td></tr></table><p>
94	The new system has operated for six months without problems. Over the past months
95	much attention has been focused on cleaning up desktops and user profiles.
96	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2573557"></a>Dissection and Discussion</h2></div></div></div><p>
97	<a class="indexterm" name="id2573565"></a>
98	<a class="indexterm" name="id2573572"></a>
99	<a class="indexterm" name="id2573579"></a>
100	<a class="indexterm" name="id2573586"></a>
A decision to use LDAP was made even though I knew nothing about LDAP except what
I had been reading in the book &#8220;<span class="quote"><span class="emphasis"><em>LDAP System Administration</em></span></span>&#8221; by Gerald Carter.
LDAP seemed to provide some of the functionality of Novell's e-Directory Services
and would provide centralized authentication and identity management.
105	</p><p>
106	<a class="indexterm" name="id2573606"></a>
107	<a class="indexterm" name="id2573612"></a>
108	<a class="indexterm" name="id2573619"></a>
109	Building the LDAP database took a while, and a lot of trial and error. Following
110	the guidance I obtained from Jerry Carter's book &#8220;<span class="quote"><span class="emphasis"><em>LDAP System 
111	Administration</em></span></span>&#8221;, I installed OpenLDAP (from RPM; later I compiled
112	a more current version from source) and built my initial LDAP tree.
113	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573636"></a>Technical Issues</h3></div></div></div><p>
114	<a class="indexterm" name="id2573644"></a>
115	<a class="indexterm" name="id2573651"></a>
116	<a class="indexterm" name="id2573658"></a>
117	<a class="indexterm" name="id2573665"></a>
118	<a class="indexterm" name="id2573672"></a>
119	<a class="indexterm" name="id2573678"></a>
120	<a class="indexterm" name="id2573685"></a>
121	<a class="indexterm" name="id2573692"></a>
122	<a class="indexterm" name="id2573699"></a>
The first challenge was to create a company white pages, followed by manually
entering everything from the printed company directory. This used only the inetOrgPerson
objectclass from the OpenLDAP schemas. The next step was to write a shell script that
would read the <tt class="filename">/etc/passwd</tt> and <tt class="filename">/etc/shadow</tt>
files on our mail server and create an LDIF file from which the information could be
imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3,
and SMTP.
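As an added example (not the chapter's own script and not Misty's code), the following Python performs the passwd/shadow-to-LDIF conversion just described: one inetOrgPerson/posixAccount/shadowAccount entry per regular user, with the existing crypt(3) hashes carried over as {CRYPT} userPassword values and locked accounts left without a password. The container ou=People,ou=corp,dc=abmas,dc=biz and the UID cut-off of 1000 are assumptions, and the sample records are constructed.

```python
import base64

# Assumed container for user entries; the chapter's ldap.conf uses
# "base ou=corp,dc=abmas,dc=biz", so People is placed beneath it.
PEOPLE_BASE = "ou=People,ou=corp,dc=abmas,dc=biz"
# Assumption: UIDs below this are system accounts and are not migrated.
MIN_UID = 1000
# /etc/shadow fields 3..8 map onto the shadowAccount attributes in this order.
SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax",
                "shadowWarning", "shadowInactive", "shadowExpire")


def ldif_attr(name, value):
    """Render one attribute line as RFC 2849 LDIF: values that are not
    SAFE-STRINGs (non-ASCII, leading space/colon/'<', embedded newline or
    NUL) are base64-encoded with '::', and lines over 76 characters are
    folded with a leading space on each continuation line."""
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or any(c in value for c in "\r\n\0"))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        line = "%s:: %s" % (name, encoded)
    else:
        line = "%s: %s" % (name, value)
    folded, rest = [line[:76]], line[76:]
    while rest:
        folded.append(" " + rest[:75])
        rest = rest[75:]
    return "\n".join(folded)


def parse_shadow(shadow_text):
    """Map login name -> the remaining /etc/shadow fields (hash first)."""
    shadow = {}
    for raw in shadow_text.splitlines():
        if raw and not raw.startswith("#"):
            fields = raw.split(":")
            shadow[fields[0]] = fields[1:]
    return shadow


def passwd_to_ldif(passwd_text, shadow_text, base=PEOPLE_BASE, min_uid=MIN_UID):
    """Return an LDIF document with one inetOrgPerson/posixAccount/
    shadowAccount entry per regular user found in passwd_text."""
    shadow = parse_shadow(shadow_text)
    entries = []
    for raw in passwd_text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        login, _, uid, gid, gecos, home, shell = raw.split(":")[:7]
        if login == "root" or int(uid) < min_uid:
            continue
        full_name = gecos.split(",")[0].strip() or login
        # inetOrgPerson requires sn; use the last word of the full name.
        surname = full_name.split()[-1]
        lines = ["dn: uid=%s,%s" % (login, base)]
        for oc in ("top", "person", "organizationalPerson", "inetOrgPerson",
                   "posixAccount", "shadowAccount"):
            lines.append(ldif_attr("objectClass", oc))
        lines += [ldif_attr("uid", login), ldif_attr("cn", full_name),
                  ldif_attr("sn", surname), ldif_attr("uidNumber", uid),
                  ldif_attr("gidNumber", gid), ldif_attr("homeDirectory", home),
                  ldif_attr("loginShell", shell or "/bin/sh")]
        if gecos:
            lines.append(ldif_attr("gecos", gecos))
        sfields = shadow.get(login, [])
        pw_hash = sfields[0] if sfields else ""
        # A hash starting with '!' or '*' is a locked account: carry no
        # userPassword over, so it stays unable to bind after the migration.
        if pw_hash and pw_hash[0] not in "!*":
            # Existing crypt(3) hashes keep working in OpenLDAP as {CRYPT}.
            lines.append(ldif_attr("userPassword", "{CRYPT}" + pw_hash))
        for attr, value in zip(SHADOW_ATTRS, sfields[1:7]):
            if value:
                lines.append(ldif_attr(attr, value))
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


# Constructed sample records; they are not taken from the Abmas mail server.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/false
msjones:x:1001:100:Misty Stanley-Jones,Room 1:/home/msjones:/bin/bash
jdoe:x:1002:100:Jos\u00e9 Doe:/home/jdoe:/bin/bash
"""
SAMPLE_SHADOW = """root:$1$abcdefgh$ijklmnopqrstuvwxyz01234:12800:0:99999:7:::
daemon:*:12800:0:99999:7:::
msjones:$1$salt1234$Gh1WIEsdLuzFhYQ4M4dxl0:12850:0:90:7:::
jdoe:!$1$salt5678$Xa9bYc0dZe1fWg2hVi3jUk4:12850:0:99999:7:::
"""

if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

The output can be loaded with ldapadd against the slapd configured below; the system accounts and the locked jdoe entry show how the filter and the password rule behave.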
130	</p><p>
Given that a decision had been made to use Courier-IMAP, the schema &#8220;<span class="quote"><span class="emphasis"><em>courier.schema</em></span></span>&#8221;
from the Courier-IMAP source tarball is necessary to resolve Courier-specific LDAP directory
needs.
134	</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2573740"></a>Implementation</h2></div></div></div><p>
135	</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573748"></a>NetWare Migration Using LDAP Backend</h3></div></div></div><p>
136	The following software must be installed on the SUSE Linux Enterprise Server to perform
137	this migration:
138	</p><table class="simplelist" border="0" summary="Simple list"><tr><td><p>openldap2</p></td></tr><tr><td><p>openldap2-client</p></td></tr><tr><td><p>openldap2-devel (only for Samba compilation)</p></td></tr><tr><td><p>nss_ldap</p></td></tr><tr><td><p>smbldap-tools Version 0.8.7</p></td></tr><tr><td><p>perl-ldap</p></td></tr><tr><td><p>samba-3.0.12 or later</p></td></tr><tr><td><p>samba-client-3.0.12 or later</p></td></tr><tr><td><p>samba-winbind-3.0.12 or later</p></td></tr></table><p>
139	Each software application must be carefully configured in preparation for migration.
140	The configuration files used at Abmas are provided as a guide and should be modified
141	to meet needs at your site.
142	</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2573815"></a>LDAP Server Configuration</h4></div></div></div><p>
The <tt class="filename">/etc/openldap/slapd.conf</tt> file Misty used is shown in <a href="nw4migration.html#ch8slapd" title="Example 9.1. OpenLDAP Control File slapd.conf Part A">Example 9.1</a>, <a href="nw4migration.html#ch8slapd2" title="Example 9.2. OpenLDAP Control File slapd.conf Part B">Example 9.2</a>, and <a href="nw4migration.html#ch8slapd3" title="Example 9.3. OpenLDAP Control File slapd.conf Part C">Example 9.3</a>.
</p><div class="example"><a name="ch8slapd"></a><p class="title"><b>Example 9.1. OpenLDAP Control File slapd.conf Part A</b></p><pre class="screen">
#/usr/local/etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/inetorgperson.schema
include   /etc/openldap/schema/nis.schema
include   /etc/openldap/schema/samba.schema
include   /etc/openldap/schema/dhcp.schema
include   /etc/openldap/schema/misc.schema
include   /etc/openldap/schema/idpool.schema
include   /etc/openldap/schema/eduperson.schema
include   /etc/openldap/schema/commURI.schema
include   /etc/openldap/schema/local.schema
include   /etc/openldap/schema/authldap.schema

pidfile   /var/run/slapd/run/slapd.pid
argsfile  /var/run/slapd/run/slapd.args

replogfile  /data/ldap/log/slapd.replog

# Load dynamic backend modules:
modulepath  /usr/lib/openldap/modules

#######################################################################
# Logging parameters
#######################################################################
loglevel 256

#######################################################################
# SASL and TLS options
#######################################################################
sasl-host     ldap.corp.abmas.org
sasl-realm    DIGEST-MD5
sasl-secprops   none
TLSCipherSuite HIGH:MEDIUM:+SSLV2
TLSCertificateFile    /etc/ssl/certs/private/abmas-cert.pem
TLSCertificateKeyFile /etc/ssl/certs/private/abmas-key.pem
password-hash   {SSHA}
defaultsearchbase "dc=abmas,dc=biz"
</pre></div><div class="example"><a name="ch8slapd2"></a><p class="title"><b>Example 9.2. OpenLDAP Control File slapd.conf Part B</b></p><pre class="screen">
#######################################################################
# bdb database definitions
#######################################################################
database          bdb
suffix            "dc=abmas,dc=biz"
rootdn            "cn=manager,dc=abmas,dc=biz"
rootpw            {SSHA}gdo/dUvoT4ZJmULz3rUt6A3H/hBEduJ5
directory         /data/ldap
mode    0600
# The following is for BDB to make it flush its data to disk every
# 500 seconds or 5kb of data
checkpoint 500 5

## For running slapindex
#readonly on

## Indexes for often-requested attributes
index   objectClass             eq
index   cn                      eq,sub
index   sn                      eq,sub
index   uid                     eq,sub
index   uidNumber               eq
index   gidNumber               eq
index   sambaSID                eq
index   sambaPrimaryGroupSID    eq
index   sambaDomainName         eq
index   default                 sub
cachesize 2000

replica         host=baa.corp.abmas.org:389
                suffix="dc=abmas,dc=biz"
                binddn="cn=replica,dc=abmas,dc=biz"
                credentials=verysecret
                bindmethod=simple
                tls=yes
replica         host=ns.abmas.org:389
                suffix="dc=abmas,dc=biz"
                binddn="cn=replica,dc=abmas,dc=biz"
                credentials=verysecret
                bindmethod=simple
                tls=yes
</pre></div><div class="example"><a name="ch8slapd3"></a><p class="title"><b>Example 9.3. OpenLDAP Control File slapd.conf Part C</b></p><pre class="screen">
#######################################################################
# ACL section
#######################################################################
## MOST RESTRICTIVE RULES MUST GO FIRST!

## Users can change their own passwords.
## Nobody else can read the password
access to attrs=userPassword
  by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators, \
		dc=abmas,dc=biz" write
  by self write
  by * auth

## Home contact info restricted to the logged-in user
access to attrs=hometelephoneNumber,homePostalAddress,\
		mobileTelephoneNumber,pagerTelephoneNumber
  by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,\
		dc=abmas,dc=biz" write
  by self write
  by * none

## Only admins can manage email aliases
access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz"
  filter=(roleOccupant=*)
  attrs=maildrop
  by dnattr=roleOccupant write
  by * read

## Allow delegated management of certain aliases which are 
## for mailman-style mailing lists.
access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz"
  by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,\
		dc=abmas,dc=biz" write
  by * read

## Default to read-only access
access to *
  by dn.base="cn=replica,ou=people,ou=corp,dc=abmas,dc=biz" write
  by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,\
		dc=abmas,dc=biz" write
  by * read
access to attrs=namingcontexts
  by anonymous read
</pre></div><p>
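The ordering rule in the ACL section above (most restrictive first, because slapd stops at the first <tt>access to</tt> whose target matches and never consults a later, broader rule) is easier to see with a small first-match evaluator. This is an added example, not part of the chapter and not OpenLDAP code; it models only the userPassword, home-contact and catch-all rules of Example 9.3, omits the two Email Aliases rules (they need filter and dnattr matching), and treats the no-rule-matches case as deny, which is an assumption of the model rather than a statement about slapd.

```python
"""First-match model of the slapd.conf ACL evaluation used in Example 9.3.

Added example, not OpenLDAP code. slapd picks the first 'access to' whose
target matches the entry/attribute, then the first matching 'by' clause
inside it; a later, broader rule never gets a look-in, which is why the
restrictive userPassword rule must precede the catch-all 'access to *'.
"""
# Access levels in increasing order; each level implies the ones before it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def grants(level, wanted):
    """True if a granted level covers the wanted one (read implies auth)."""
    return LEVELS.index(level) >= LEVELS.index(wanted)


def _norm(dn):
    """Canonicalise a DN enough for comparisons: lowercase, no RDN padding."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def target_matches(rule, entry_dn, attr):
    """'access to' target: optional dn.sub subtree plus optional attrs list."""
    sub = rule.get("dn_sub")
    if sub and not _norm(entry_dn).endswith(_norm(sub)):
        return False
    attrs = rule.get("attrs")
    return attrs is None or attr.lower() in attrs


def who_matches(who, requester, entry_dn):
    """'by' subject: '*', 'anonymous', 'self', ('group', dn) or ('dn', dn)."""
    kind, value = who if isinstance(who, tuple) else (who, None)
    bound = requester["dn"]  # None models an anonymous (unbound) connection
    if kind == "*":
        return True
    if kind == "anonymous":
        return bound is None
    if kind == "self":
        return bound is not None and _norm(bound) == _norm(entry_dn)
    if kind == "dn":
        return bound is not None and _norm(bound) == _norm(value)
    if kind == "group":
        return _norm(value) in {_norm(g) for g in requester.get("groups", ())}
    raise ValueError("unsupported subject: %r" % (who,))


def access_level(rules, requester, entry_dn, attr):
    """Return the level the first matching rule grants this requester."""
    for rule in rules:
        if target_matches(rule, entry_dn, attr):
            for who, level in rule["by"]:
                if who_matches(who, requester, entry_dn):
                    return level
            return "none"  # matching rule, no matching 'by' clause: denied
    return "none"  # model assumption: no rule matched at all -> denied


ADMINS = ("group", "cn=LDAP Administrators,dc=abmas,dc=biz")
REPLICA = ("dn", "cn=replica,ou=people,ou=corp,dc=abmas,dc=biz")

# The attribute rules and the catch-all of Example 9.3, in the chapter's
# order. The Email Aliases rules are omitted: they need filter/dnattr.
ABMAS_RULES = [
    {"attrs": {"userpassword"},
     "by": [(ADMINS, "write"), ("self", "write"), ("*", "auth")]},
    {"attrs": {"hometelephonenumber", "homepostaladdress",
               "mobiletelephonenumber", "pagertelephonenumber"},
     "by": [(ADMINS, "write"), ("self", "write"), ("*", "none")]},
    {"attrs": None,
     "by": [(REPLICA, "write"), (ADMINS, "write"), ("*", "read")]},
]


def with_catch_all_first(rules):
    """The same rules with 'access to *' moved to the top: the mistake the
    'MOST RESTRICTIVE RULES MUST GO FIRST' comment warns about."""
    catch_all = [r for r in rules
                 if r.get("attrs") is None and not r.get("dn_sub")]
    return catch_all + [r for r in rules if r not in catch_all]


# Constructed requesters; the DNs follow the chapter's tree layout.
ANON = {"dn": None, "groups": set()}
BOB = {"dn": "uid=bob,ou=People,ou=corp,dc=abmas,dc=biz", "groups": set()}
MISTY = {"dn": "uid=misty,ou=People,ou=corp,dc=abmas,dc=biz",
         "groups": {"cn=LDAP Administrators,dc=abmas,dc=biz"}}

if __name__ == "__main__":
    for rules, label in ((ABMAS_RULES, "chapter order"),
                         (with_catch_all_first(ABMAS_RULES), "catch-all first")):
        print(label, "-> anonymous on userPassword:",
              access_level(rules, ANON, BOB["dn"], "userPassword"))
```

With the chapter's order an anonymous bind gets only auth on userPassword; with the catch-all moved first the same request gets read, which is the password-hash disclosure the ordering comment guards against.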
274	<a class="indexterm" name="id2573992"></a>
The <tt class="filename">/etc/ldap.conf</tt> file used is listed in <a href="nw4migration.html#ch8ldap" title="Example 9.4. NSS LDAP Control File /etc/ldap.conf">Example 9.4</a>.
</p><div class="example"><a name="ch8ldap"></a><p class="title"><b>Example 9.4. NSS LDAP Control File /etc/ldap.conf</b></p><pre class="screen">
# /etc/ldap.conf
# This file is present on every *NIX client that authenticates to LDAP.
# For me, most of the defaults are fine. There is an amazing amount of
# customization that can be done see the man page for info.

# Your LDAP server. Must be resolvable without using LDAP. The following
# is for the LDAP server all others use the FQDN of the server
URI ldap://127.0.0.1

# The distinguished name of the search base.
base ou=corp,dc=abmas,dc=biz

# The LDAP version to use (defaults to 3 if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with if the effective
# user ID is root. Password is stored in /etc/ldap.secret (mode 600)
rootbinddn cn=Manager,dc=abmas,dc=biz

# Filter to AND with uid=%s
pam_filter objectclass=posixAccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Group member attribute
pam_member_attribute memberUID

# Use the OpenLDAP password change
# extended operation to update the password.
pam_password exop

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls

tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem
...
315</pre></div><p>
316	The Name Server Switch control file <tt class="filename">/etc/nsswitch.conf</tt> has the following contents:
317</p><pre class="screen">
# /etc/nsswitch.conf
# This file controls the resolve order for system databases.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:   files ldap
group:    files ldap
shadow:   files ldap
# The above are all that I store in LDAP at this point. There are 
# possibilities to store hosts, services, ethers, and lots of other things.
327</pre><p>
328	</p><p>
329	<a class="indexterm" name="id2574076"></a>
330	<a class="indexterm" name="id2574082"></a>
331	In my setup, users authenticate via PAM and NSS using LDAP-based accounts.
332	This works out of the box with the configuration files in this chapter. It
333	enables you to have no local accounts for users (it is highly advisable 
334	to have a local account for the root user).  Traps for the unwary include:
335	</p><a class="indexterm" name="id2574095"></a><a class="indexterm" name="id2574102"></a><a class="indexterm" name="id2574109"></a><div class="itemizedlist"><ul type="disc"><li><p>
336			If your LDAP database goes down, nobody can authenticate except for root.
337			</p></li><li><p>
If fail-over is configured incorrectly, weird behavior can occur, for example
DNS failing to resolve.
340			</p></li></ul></div><p>
I do have two LDAP slave servers configured. That subject is beyond the scope
of this document, and the steps for implementing it are well documented.
343	</p><p>
344	The following services authenticate using LDAP:
345	</p><a class="indexterm" name="id2574145"></a><a class="indexterm" name="id2574151"></a><a class="indexterm" name="id2574158"></a><table class="simplelist" border="0" summary="Simple list"><tr><td><p>UNIX login/ssh</p></td></tr><tr><td><p>Postfix (SMTP)</p></td></tr><tr><td><p>Courier-IMAP/IMAPS/POP3/POP3S</p></td></tr></table><p>
346	<a class="indexterm" name="id2574187"></a>
347	<a class="indexterm" name="id2574194"></a>
Company-wide white pages can be searched using an LDAP client
such as the one in the Windows Address Book.
350	</p><p>
351	<a class="indexterm" name="id2574206"></a>
352	<a class="indexterm" name="id2574213"></a>
Having gained a solid understanding of LDAP and a relatively workable LDAP tree,
it was time to configure Samba. I compiled the latest stable Samba and
also installed the latest <span><b class="command">smbldap-tools</b></span> from 
<a href="http://idealx.com" target="_top">Idealx</a>.
357	</p><p>
The Samba <tt class="filename">smb.conf</tt> file was configured as shown in <a href="nw4migration.html#ch8smbconf" title="Example 9.5. Samba Configuration File smb.conf Part A">Example 9.5</a>, <a href="nw4migration.html#ch8smbconf2" title="Example 9.6. Samba Configuration File smb.conf Part B">Example 9.6</a>, and <a href="nw4migration.html#ch8smbconf3" title="Example 9.7. Samba Configuration File smb.conf Part C">Example 9.7</a>.
</p><div class="example"><a name="ch8smbconf"></a><p class="title"><b>Example 9.5. Samba Configuration File smb.conf Part A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2574281"></a><i class="parameter"><tt>
360					
361				workgroup = MEGANET2</tt></i></td></tr><tr><td><a class="indexterm" name="id2574296"></a><i class="parameter"><tt>
362					
363				netbios name = MASSIVE</tt></i></td></tr><tr><td><a class="indexterm" name="id2574312"></a><i class="parameter"><tt>
364					
365				server string = Corp File Server</tt></i></td></tr><tr><td><a class="indexterm" name="id2574328"></a><i class="parameter"><tt>
366					
367				passdb backend = ldapsam:ldap://localhost</tt></i></td></tr><tr><td><a class="indexterm" name="id2574344"></a><i class="parameter"><tt>
368					
369				pam password change = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2574359"></a><i class="parameter"><tt>
370					
371				username map = /etc/samba/smbusers</tt></i></td></tr><tr><td><a class="indexterm" name="id2574375"></a><i class="parameter"><tt>
372					
373				log level = 1</tt></i></td></tr><tr><td><a class="indexterm" name="id2574390"></a><i class="parameter"><tt>
374					
375				log file = /data/samba/log/%m.log</tt></i></td></tr><tr><td><a class="indexterm" name="id2574406"></a><i class="parameter"><tt>
376					
377				name resolve order = wins host bcast</tt></i></td></tr><tr><td><a class="indexterm" name="id2574422"></a><i class="parameter"><tt>
378					
379				time server = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2574437"></a><i class="parameter"><tt>
380					
381				printcap name = cups</tt></i></td></tr><tr><td><a class="indexterm" name="id2574453"></a><i class="parameter"><tt>
382					
383				show add printer wizard = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2574468"></a><i class="parameter"><tt>
384					
385				add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574485"></a><i class="parameter"><tt>
386					
387				add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574501"></a><i class="parameter"><tt>
388					
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574524"></a><i class="parameter"><tt>
390					
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574547"></a><i class="parameter"><tt>
392					
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574570"></a><i class="parameter"><tt>
394					
395				add machine script = /usr/local/sbin/smbldap-useradd -w "%m"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574587"></a><i class="parameter"><tt>
396					
397				logon script = logon.bat</tt></i></td></tr><tr><td><a class="indexterm" name="id2574602"></a><i class="parameter"><tt>
398					
399				logon path = \\%L\profiles\%U\%a</tt></i></td></tr><tr><td><a class="indexterm" name="id2574618"></a><i class="parameter"><tt>
400					
401				logon drive = H:</tt></i></td></tr><tr><td><a class="indexterm" name="id2574633"></a><i class="parameter"><tt>
402					
403				logon home = \\%L\%U</tt></i></td></tr><tr><td><a class="indexterm" name="id2574649"></a><i class="parameter"><tt>
404					
405				domain logons = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2574664"></a><i class="parameter"><tt>
406					
407				wins support = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2574680"></a><i class="parameter"><tt>
408					
409				ldap admin dn = cn=Manager,dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2574697"></a><i class="parameter"><tt>
410					
411				ldap group suffix = ou=Groups</tt></i></td></tr><tr><td><a class="indexterm" name="id2574712"></a><i class="parameter"><tt>
412					
413				ldap idmap suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2574727"></a><i class="parameter"><tt>
414					
415				ldap machine suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2574744"></a><i class="parameter"><tt>
416					
417				ldap passwd sync = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2574758"></a><i class="parameter"><tt>
418					
419				ldap suffix = ou=MEGANET2,dc=abmas,dc=biz</tt></i></td></tr><tr><td><a class="indexterm" name="id2574775"></a><i class="parameter"><tt>
420					
421				ldap ssl = no</tt></i></td></tr><tr><td><a class="indexterm" name="id2574790"></a><i class="parameter"><tt>
422					
423				ldap user suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2574805"></a><i class="parameter"><tt>
424					
425				admin users = root, "@Domain Admins"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574821"></a><i class="parameter"><tt>
426					
427				printer admin = "@Domain Admins"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574837"></a><i class="parameter"><tt>
428					
force printername = Yes</tt></i></td></tr></table></div><div class="example"><a name="ch8smbconf2"></a><p class="title"><b>Example 9.6. Samba Configuration File smb.conf Part B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[netlogon]</tt></i></td></tr><tr><td><a class="indexterm" name="id2574874"></a><i class="parameter"><tt>
430					
431				comment = Network logon service</tt></i></td></tr><tr><td><a class="indexterm" name="id2574890"></a><i class="parameter"><tt>
432					
433				path = /data/samba/netlogon</tt></i></td></tr><tr><td><a class="indexterm" name="id2574905"></a><i class="parameter"><tt>
434					
435				write list = "@Domain Admins"</tt></i></td></tr><tr><td><a class="indexterm" name="id2574920"></a><i class="parameter"><tt>
436					
437				guest ok = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[profiles]</tt></i></td></tr><tr><td><a class="indexterm" name="id2574945"></a><i class="parameter"><tt>
438					
439				comment = Roaming Profile Share</tt></i></td></tr><tr><td><a class="indexterm" name="id2574961"></a><i class="parameter"><tt>
440					
441				path = /data/samba/profiles/</tt></i></td></tr><tr><td><a class="indexterm" name="id2574976"></a><i class="parameter"><tt>
442					
443				read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2574991"></a><i class="parameter"><tt>
444					
445				profile acls = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2575007"></a><i class="parameter"><tt>
446					
447				veto files = desktop.ini</tt></i></td></tr><tr><td><a class="indexterm" name="id2575022"></a><i class="parameter"><tt>
448					
449				browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[homes]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575046"></a><i class="parameter"><tt>
450					
451				comment = Home Directories</tt></i></td></tr><tr><td><a class="indexterm" name="id2575062"></a><i class="parameter"><tt>
452					
453				valid users = %S</tt></i></td></tr><tr><td><a class="indexterm" name="id2575077"></a><i class="parameter"><tt>
454					
455				read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2575093"></a><i class="parameter"><tt>
456					
457				create mask = 0770</tt></i></td></tr><tr><td><a class="indexterm" name="id2575108"></a><i class="parameter"><tt>
458					
459				veto files = desktop.ini</tt></i></td></tr><tr><td><a class="indexterm" name="id2575124"></a><i class="parameter"><tt>
460					
461				hide files = desktop.ini</tt></i></td></tr><tr><td><a class="indexterm" name="id2575139"></a><i class="parameter"><tt>
462					
463				browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[software]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575163"></a><i class="parameter"><tt>
464					
465				comment = Software for %a computers</tt></i></td></tr><tr><td><a class="indexterm" name="id2575180"></a><i class="parameter"><tt>
466					
467				path = /data/samba/shares/software/%a</tt></i></td></tr><tr><td><a class="indexterm" name="id2575195"></a><i class="parameter"><tt>
468					
469				guest ok = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[public]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575219"></a><i class="parameter"><tt>
470					
471				comment = Public Files</tt></i></td></tr><tr><td><a class="indexterm" name="id2575234"></a><i class="parameter"><tt>
472					
473				path = /data/samba/shares/public</tt></i></td></tr><tr><td><a class="indexterm" name="id2575251"></a><i class="parameter"><tt>
474					
475				read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2575266"></a><i class="parameter"><tt>
476					
477				guest ok = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[PDF]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575290"></a><i class="parameter"><tt>
478					
479				comment = Location of documents printed to PDFCreator printer</tt></i></td></tr><tr><td><a class="indexterm" name="id2575306"></a><i class="parameter"><tt>
480					
481				path = /data/samba/shares/pdf</tt></i></td></tr><tr><td><a class="indexterm" name="id2575321"></a><i class="parameter"><tt>
482					
483				guest ok = Yes</tt></i></td></tr></table></div><div class="example"><a name="ch8smbconf3"></a><p class="title"><b>Example 9.7. Samba Configuration File  smb.conf Part C</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[EVERYTHING]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575358"></a><i class="parameter"><tt>
484					
485				comment = All shares</tt></i></td></tr><tr><td><a class="indexterm" name="id2575374"></a><i class="parameter"><tt>
486					
487				path = /data/samba</tt></i></td></tr><tr><td><a class="indexterm" name="id2575389"></a><i class="parameter"><tt>
488					
489				valid users = "@Domain Admins"</tt></i></td></tr><tr><td><a class="indexterm" name="id2575405"></a><i class="parameter"><tt>
490					
491				read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[CDROM]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575429"></a><i class="parameter"><tt>
492					
493				comment = CD-ROM on MASSIVE</tt></i></td></tr><tr><td><a class="indexterm" name="id2575444"></a><i class="parameter"><tt>
494					
495				path = /mnt</tt></i></td></tr><tr><td><a class="indexterm" name="id2575460"></a><i class="parameter"><tt>
496					
497				guest ok = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[print$]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575484"></a><i class="parameter"><tt>
498					
499				comment = Printer Drivers Share</tt></i></td></tr><tr><td><a class="indexterm" name="id2575500"></a><i class="parameter"><tt>
500					
501				path = /data/samba/drivers</tt></i></td></tr><tr><td><a class="indexterm" name="id2575515"></a><i class="parameter"><tt>
502					
503				write list = root</tt></i></td></tr><tr><td><a class="indexterm" name="id2575530"></a><i class="parameter"><tt>
504					
505				browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[printers]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575555"></a><i class="parameter"><tt>
506					
507				comment = All Printers</tt></i></td></tr><tr><td><a class="indexterm" name="id2575570"></a><i class="parameter"><tt>
508					
509				path = /data/samba/spool</tt></i></td></tr><tr><td><a class="indexterm" name="id2575586"></a><i class="parameter"><tt>
510					
511				create mask = 0644</tt></i></td></tr><tr><td><a class="indexterm" name="id2575601"></a><i class="parameter"><tt>
512					
513				printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2575616"></a><i class="parameter"><tt>
514					
515				browseable = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[acct_hp8500]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575641"></a><i class="parameter"><tt>
516					
517				comment = "Accounting Color Laser Printer"</tt></i></td></tr><tr><td><a class="indexterm" name="id2575657"></a><i class="parameter"><tt>
518					
519				path = /data/samba/spool/private</tt></i></td></tr><tr><td><a class="indexterm" name="id2575673"></a><i class="parameter"><tt>
520					
521				valid users = @acct, @acct_admin, @hr, "@Domain Admins",\</tt></i></td></tr><tr><td><i class="parameter"><tt>@Receptionist, dwayne, terri, danae, jerry</tt></i></td></tr><tr><td><a class="indexterm" name="id2575696"></a><i class="parameter"><tt>
522					
523				create mask = 0644</tt></i></td></tr><tr><td><a class="indexterm" name="id2575712"></a><i class="parameter"><tt>
524					
525				printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2575727"></a><i class="parameter"><tt>
526					
527				copy = printers</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[plotter]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575751"></a><i class="parameter"><tt>
528					
529				comment = Engineering Plotter</tt></i></td></tr><tr><td><a class="indexterm" name="id2575767"></a><i class="parameter"><tt>
530					
531				path = /data/samba/spool</tt></i></td></tr><tr><td><a class="indexterm" name="id2575782"></a><i class="parameter"><tt>
532					
533				create mask = 0644</tt></i></td></tr><tr><td><a class="indexterm" name="id2575798"></a><i class="parameter"><tt>
534					
535				printable = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2575813"></a><i class="parameter"><tt>
536					
537				use client driver = Yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2575829"></a><i class="parameter"><tt>
538					
539				copy = printers</tt></i></td></tr></table></div><div class="example"><a name="ch8smbconf4"></a><p class="title"><b>Example 9.8. Samba Configuration File  smb.conf Part D</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[APPS]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575866"></a><i class="parameter"><tt>
540					
541				path = /data/samba/shares/Apps</tt></i></td></tr><tr><td><a class="indexterm" name="id2575882"></a><i class="parameter"><tt>
542					
543				force group = "Domain Users"</tt></i></td></tr><tr><td><a class="indexterm" name="id2575897"></a><i class="parameter"><tt>
544					
545				read only = No</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[ACCT]</tt></i></td></tr><tr><td><a class="indexterm" name="id2575921"></a><i class="parameter"><tt>
546					
547				path = /data/samba/shares/Accounting</tt></i></td></tr><tr><td><a class="indexterm" name="id2575937"></a><i class="parameter"><tt>
548					
549				valid users = @acct, "@Domain Admins"</tt></i></td></tr><tr><td><a class="indexterm" name="id2575953"></a><i class="parameter"><tt>
550					
551				force group = acct</tt></i></td></tr><tr><td><a class="indexterm" name="id2575968"></a><i class="parameter"><tt>
552					
553				read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2575984"></a><i class="parameter"><tt>
554					
555				create mask = 0660</tt></i></td></tr><tr><td><a class="indexterm" name="id2575999"></a><i class="parameter"><tt>
556					
557				directory mask = 0770</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[ACCT_ADMIN]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576023"></a><i class="parameter"><tt>
558					
559				path = /data/samba/shares/Acct_Admin</tt></i></td></tr><tr><td><a class="indexterm" name="id2576040"></a><i class="parameter"><tt>
560					
561				valid users = @acct_admin</tt></i></td></tr><tr><td><a class="indexterm" name="id2576056"></a><i class="parameter"><tt>
562					
563				force group = acct_admin</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[HR_PR]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576080"></a><i class="parameter"><tt>
564					
565				path = /data/samba/shares/HR_PR</tt></i></td></tr><tr><td><a class="indexterm" name="id2576096"></a><i class="parameter"><tt>
566					
567				valid users = @hr, @acct_admin</tt></i></td></tr><tr><td><a class="indexterm" name="id2576111"></a><i class="parameter"><tt>
568					
569				force group = hr</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[ENGR]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576136"></a><i class="parameter"><tt>
570					
571				path = /data/samba/shares/Engr</tt></i></td></tr><tr><td><a class="indexterm" name="id2576151"></a><i class="parameter"><tt>
572					
573				valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri</tt></i></td></tr><tr><td><a class="indexterm" name="id2576168"></a><i class="parameter"><tt>
574					
575				force group = engr</tt></i></td></tr><tr><td><a class="indexterm" name="id2576183"></a><i class="parameter"><tt>
576					
577				read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2576198"></a><i class="parameter"><tt>
578					
579				create mask = 0770</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[DATA]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576222"></a><i class="parameter"><tt>
580					
581				path = /data/samba/shares/DATA</tt></i></td></tr><tr><td><a class="indexterm" name="id2576238"></a><i class="parameter"><tt>
582					
583				valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri</tt></i></td></tr><tr><td><a class="indexterm" name="id2576255"></a><i class="parameter"><tt>
584					
585				force group = engr</tt></i></td></tr><tr><td><a class="indexterm" name="id2576270"></a><i class="parameter"><tt>
586					
587				read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2576285"></a><i class="parameter"><tt>
588					
589				create mask = 0770</tt></i></td></tr><tr><td><a class="indexterm" name="id2576300"></a><i class="parameter"><tt>
590					
591				copy = engr</tt></i></td></tr></table></div><div class="example"><a name="ch8smbconf5"></a><p class="title"><b>Example 9.9. Samba Configuration File  smb.conf Part E</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[X]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576337"></a><i class="parameter"><tt>
592					
593				path = /data/samba/shares/X</tt></i></td></tr><tr><td><a class="indexterm" name="id2576352"></a><i class="parameter"><tt>
594					
595				valid users = @engr, @acct</tt></i></td></tr><tr><td><a class="indexterm" name="id2576368"></a><i class="parameter"><tt>
596					
597				force group = engr</tt></i></td></tr><tr><td><a class="indexterm" name="id2576383"></a><i class="parameter"><tt>
598					
599				read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2576399"></a><i class="parameter"><tt>
600					
601				create mask = 0770</tt></i></td></tr><tr><td><a class="indexterm" name="id2576414"></a><i class="parameter"><tt>
602					
603				copy = engr</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[NETWORK]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576438"></a><i class="parameter"><tt>
604					
605				path = /data/samba/shares/network</tt></i></td></tr><tr><td><a class="indexterm" name="id2576454"></a><i class="parameter"><tt>
606					
607				valid users = "@Domain Users"</tt></i></td></tr><tr><td><a class="indexterm" name="id2576469"></a><i class="parameter"><tt>
608					
609				read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2576485"></a><i class="parameter"><tt>
610					
611				create mask = 0770</tt></i></td></tr><tr><td><a class="indexterm" name="id2576500"></a><i class="parameter"><tt>
612					
613				guest ok = Yes</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[UTILS]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576524"></a><i class="parameter"><tt>
614					
615				path = /data/samba/shares/Utils</tt></i></td></tr><tr><td><a class="indexterm" name="id2576540"></a><i class="parameter"><tt>
616					
617				write list = "@Domain Admins"</tt></i></td></tr><tr><td> </td></tr><tr><td><i class="parameter"><tt>[SYS]</tt></i></td></tr><tr><td><a class="indexterm" name="id2576564"></a><i class="parameter"><tt>
618					
619				path = /data/samba/shares/SYS</tt></i></td></tr><tr><td><a class="indexterm" name="id2576580"></a><i class="parameter"><tt>
620					
621				valid users = chad</tt></i></td></tr><tr><td><a class="indexterm" name="id2576595"></a><i class="parameter"><tt>
622					
623				read only = No</tt></i></td></tr><tr><td><a class="indexterm" name="id2576611"></a><i class="parameter"><tt>
624					
625				browseable = No</tt></i></td></tr></table></div><p>
626	<a class="indexterm" name="id2576628"></a>
627	<a class="indexterm" name="id2576635"></a>
628	<a class="indexterm" name="id2576642"></a>
629	Most of these shares are only used by one company group, but they are required
630	because some ancient Qbasic and Rbase applications were written expecting
631	their own drive letters.
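The share definitions above are easier to review mechanically than by eye. The following checker is an added example, not code from Samba-3 by Example: it parses a constructed excerpt of the shares listed above and reports the access combinations a reviewer would question (guest-writable shares, guest ok combined with valid users, a writable share whose path contains other shares, and world-writable create masks).

```python
"""Audit smb.conf share definitions for risky access combinations.
Added example, not code from Samba-3 by Example: it parses shares written the
way the [public], [CDROM], [NETWORK], [SYS], [EVERYTHING] and [acct_hp8500]
shares above are, and reports what a reviewer would question."""
import re
from typing import Dict, List

# Constructed excerpt carrying the settings of the shares named above.
SAMPLE_SMB_CONF = """\
[public]
    path = /data/samba/shares/public
    read only = No
    guest ok = Yes

[CDROM]
    path = /mnt
    guest ok = Yes

[NETWORK]
    path = /data/samba/shares/network
    valid users = "@Domain Users"
    read only = No
    create mask = 0770
    guest ok = Yes

[SYS]
    path = /data/samba/shares/SYS
    valid users = chad
    read only = No
    browseable = No

[EVERYTHING]
    path = /data/samba
    valid users = "@Domain Admins"
    read only = No

[acct_hp8500]
    path = /data/samba/spool/private
    valid users = @acct, @acct_admin, @hr, "@Domain Admins",\\
    @Receptionist, dwayne, terri, danae, jerry
    printable = Yes
"""

Share = Dict[str, str]

def parse_smb_conf(text: str) -> Dict[str, Share]:
    """Sections, 'key = value' lines, trailing-backslash continuations, '#'/';' comments."""
    shares: Dict[str, Share] = {}
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            shares[section] = {}
        elif section is not None and "=" in line:
            key, _, value = line.partition("=")
            shares[section][key.strip().lower()] = value.strip()  # smbd ignores key case
    return shares

def truthy(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")

def is_writable(share: Share) -> bool:
    """'writable'/'writeable' are the inverse of 'read only' (default: read only)."""
    if "read only" in share:
        return not truthy(share["read only"])
    return any(truthy(share[k]) for k in ("writable", "writeable") if k in share)

def user_list(share: Share) -> List[str]:
    """Split 'valid users', honouring the "quoted name" form used for group names."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|[^,\s]+', share.get("valid users", ""))]

def audit_share(name: str, share: Share, shares: Dict[str, Share]) -> List[str]:
    """Findings for one share, judged against the other shares' paths too."""
    findings: List[str] = []
    guest = truthy(share.get("guest ok", "no"))
    restricted = bool(user_list(share))
    writable = is_writable(share)
    if guest and writable and not restricted:
        findings.append("guest-writable: anyone reaching the server can add or alter files")
    if guest and restricted:
        findings.append("'guest ok' is ineffective unless the guest account matches "
                        "'valid users'; confirm which was intended")
    path = share.get("path", "").rstrip("/")
    below = sorted(o for o, s in shares.items()
                   if o != name and s.get("path", "").startswith(path + "/"))
    if path and writable and below:
        findings.append(f"writable parent of {', '.join(below)}: reaches their files "
                        "without passing their own 'valid users'")
    mask = share.get("create mask")
    if mask and int(mask, 8) & 0o002:
        findings.append(f"create mask {mask} creates world-writable files")
    return findings

def audit(text: str) -> Dict[str, List[str]]:
    """Map share name -> findings, omitting shares with none."""
    shares = parse_smb_conf(text)
    return {n: f for n, s in shares.items() if (f := audit_share(n, s, shares))}
```

Running audit(SAMPLE_SMB_CONF) flags [public], [NETWORK] and [EVERYTHING]; the restricted [SYS], the read-only [CDROM] and the printer share pass.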
632	</p><p>
633	<a class="indexterm" name="id2576655"></a>
634	<a class="indexterm" name="id2576662"></a>
635	<a class="indexterm" name="id2576669"></a>
636	Note: During the process of building the new server, I kept data files up-to-date
637	with the Novell server by using <span><b class="command">rsync</b></span>.  On a separate system (my workstation,
638	in fact), which could be rebooted whenever necessary, I set up a mount point to the
639	Novell server via <span><b class="command">ncpmount</b></span>. I then created an
640	<tt class="filename">rsyncd.conf</tt> to share that mount point out to my new server,
641	and synchronized once an hour. The script I used to synchronize is quite nice, so
642	I will include it in an appendix. The reason I had to have the
643	<span><b class="command">rsync</b></span> daemon running on a system that could be rebooted
644	frequently is that <tt class="constant">ncpfs</tt> has a nasty habit of creating
645	stale mount points that cannot be recovered without a reboot.  The reason for
646	hourly synchronization is that some part of the chain was very slow and
647	performance-heavy (whether <span><b class="command">rsync</b></span> itself, the network, or
648	the Novell server, I am not sure; probably the Novell server).
649	</p><p>
650	After Samba had been configured, I initialized the LDAP database. So the first
651	thing I had to do was to store the LDAP password in the Samba configuration by
652	issuing the command (as root):
653</p><pre class="screen">
654<tt class="prompt">root# </tt> smbpasswd -w verysecret
655</pre><p>
656	where &#8220;<span class="quote"><span class="emphasis"><em>verysecret</em></span></span>&#8221; is replaced by the LDAP bind password.
657	</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
658The Idealx smbldap-tools package can be configured using a script called 
659<span><b class="command">configure.pl</b></span> that is provided as part of the tool. See Chapter 6
660for an example of its use. Many administrators, like Misty, choose to do this manually
661so as to maintain greater awareness of how the toolchain works, and possibly to avoid
662undesirable actions from occurring unnoticed.
663</p></div><p>
664	Samba is now ready for use. Next, configure the smbldap-tools. There are two
665	relevant files, which are usually put in the directory
666	<tt class="filename">/etc/smbldap-tools</tt>. The main file,
667	<tt class="filename">smbldap.conf</tt>, is shown in <a href="nw4migration.html#ch8ideal" title="Example 9.10. Idealx smbldap-tools Control File  Part A">Example 9.10</a>.
668	</p><div class="example"><a name="ch8ideal"></a><p class="title"><b>Example 9.10. Idealx smbldap-tools Control File  Part A</b></p><pre class="screen">
669#########
670#
671# located in /etc/smbldap-tools/smbldap.conf
672#
673##############################################################################
674#
675# General Configuration
676#
677##############################################################################
678
679# Put your own SID
680# to obtain this number do: net getlocalsid
681SID="S-1-5-21-725326080-1709766072-2910717368"
682
683##############################################################################
684#
685# LDAP Configuration
686#
687##############################################################################
688
689# Notes: to use to dual ldap servers backend for Samba, you must patch
690# Samba with the dual-head patch from IDEALX. If not using this patch
691# just use the same server for slaveLDAP and masterLDAP.
692# Those two servers declarations can also be used when you have
693# . one master LDAP server where all writing operations must be done
694# . one slave LDAP server where all reading operations must be done
695#   (typically a replication directory)
696
697# Ex: slaveLDAP=127.0.0.1
698slaveLDAP="127.0.0.1"
699slavePort="389"
700
701# Master LDAP : needed for write operations
702# Ex: masterLDAP=127.0.0.1
703masterLDAP="127.0.0.1"
704masterPort="389"
705
706# Use TLS for LDAP
707# If set to 1, this option will use start_tls for connection
708# (you should also used the port 389)
709ldapTLS="0"
710
711# How to verify the server's certificate (none, optional or require)
712# see "man Net::LDAP" in start_tls section for more details
713verify=""
714</pre></div><div class="example"><a name="ch8ideal2"></a><p class="title"><b>Example 9.11. Idealx smbldap-tools Control File  Part B</b></p><pre class="screen">
715# CA certificate
716# see "man Net::LDAP" in start_tls section for more details
717cafile=""
718# certificate to use to connect to the ldap server
719# see "man Net::LDAP" in start_tls section for more details
720clientcert=""
721
722# key certificate to use to connect to the ldap server
723# see "man Net::LDAP" in start_tls section for more details
724clientkey=""
725
726# LDAP Suffix
727# Ex: suffix=dc=IDEALX,dc=ORG
728suffix="ou=MEGANET2,dc=abmas,dc=biz"
729
730# Where are stored Users
731# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
732usersdn="ou=People,${suffix}"
733
734# Where are stored Computers
735# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
736computersdn="ou=Computers,${suffix}"
737
738# Where are stored Groups
739# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
740groupsdn="ou=Groups,${suffix}"
741
742# Where are stored Idmap entries (used if samba is a domain member server)
743# Ex idmapdn="ou=Idmap,dc=IDEALX,dc=ORG"
744idmapdn="ou=Idmap,${suffix}"
745
746# Where to store next uidNumber and gidNumber available
747sambaUnixIdPooldn="sambaDomainName=MEGANET2,dc=abmas,dc=biz"
748
749# Default scope Used
750scope="sub"
751</pre></div><div class="example"><a name="ch8ideal3"></a><p class="title"><b>Example 9.12. Idealx smbldap-tools Control File  Part C</b></p><pre class="screen">
752# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
753hash_encrypt="MD5"
754
755# if hash_encrypt is set to CRYPT, you may set a salt format.
756# default is "%s", but many systems will generate MD5 hashed
757# passwords if you use "$1$%.8s". This parameter is optional!
758crypt_salt_format="%s"
759
760##############################################################################
761#
762# Unix Accounts Configuration
763#
764##############################################################################
765
766# Login defs
767# Default Login Shell
768# Ex: userLoginShell="/bin/bash"
769userLoginShell="/bin/false"
770
771# Home directory
772# Ex: userHome="/home/%U"
773userHome="/home/%U"
774
775# Gecos
776userGecos="Samba User"
777
778# Default User (POSIX and Samba) GID
779defaultUserGid="513"
780
781# Default Computer (Samba) GID
782defaultComputerGid="515"
783
784# Skel dir
785skeletonDir="/etc/skel"
786
787# Default password validity period (in days). Comment out the next line if
788# you do not want passwords to expire after defaultMaxPasswordAge days (be
789# careful with the sambaPwdMustChange attribute's value)
790defaultMaxPasswordAge="45"
791</pre></div><div class="example"><a name="ch8ideal4"></a><p class="title"><b>Example 9.13. Idealx smbldap-tools Control File  Part D</b></p><pre class="screen">
792##############################################################################
793#
794# SAMBA Configuration
795#
796##############################################################################
797
798# The UNC path to home drives location (%U username substitution)
799# Ex: \\My-PDC-netbios-name\homes\%U
800# Just set it to a null string if you want to use the smb.conf 'logon home'
801# directive and/or disable roaming profiles
802userSmbHome=""
803
804# The UNC path to profiles locations (%U username substitution)
805# Ex: \\My-PDC-netbios-name\profiles\%U
806# Just set it to a null string if you want to use the smb.conf 'logon path'
807# directive and/or disable roaming profiles
808userProfile=""
809
810# The default Home Drive Letter mapping
811# (will be automatically mapped at logon time if home directory exist)
812# Ex: H: for H:
813userHomeDrive=""
814
815# The default user netlogon script name (%U username substitution)
816# if not used, will be automatically username.cmd
817# make sure script file is edited under dos
818# Ex: %U.cmd
819# userScript="startup.cmd" # make sure script file is edited under dos
820userScript=""
821
822# Domain appended to the users "mail"-attribute
823# when smbldap-useradd -M is used
824mailDomain="abmas.org"
825
826##############################################################################
827#
828# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
829#
830##############################################################################
831# Allows not using smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) and
832# using the Crypt::SmbHash library instead
833with_smbpasswd="0"
834smbpasswd="/usr/bin/smbpasswd"
835</pre></div><p>
836	<a class="indexterm" name="id2577002"></a>
837	NOTE: I chose not to take advantage of the TLS capability of this. 
838	Eventually I may go back and tweak it.  Also I chose not to take advantage
839	of the master/slave configuration as I heard horror stories that it was
840	unstable.  My slave servers are replicas only.
841	</p><p>
842	The <tt class="filename">/etc/smbldap-tools/smbldap_bind.conf</tt> file is shown here:
843</p><pre class="screen">
844# smbldap_bind.conf
845#
846# This file simply tells smbldap-tools how to bind to your LDAP server.
847# It has to be a DN with full write access to the Samba portion of
848# the database.
849
850############################
851# Credential Configuration #
852############################
853# Notes: you can specify two different configurations if you use a
854# master ldap server for write access and a slave ldap server for read access.
855# By default, we use the same DN (so it will work for a standard Samba
856# release)
857slaveDN="cn=Manager,dc=abmas,dc=biz"
858slavePw="verysecret"
859masterDN="cn=Manager,dc=abmas,dc=biz"
860masterPw="verysecret"
861</pre><p>
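Before running smbldap-populate it is worth checking the two files above for the settings that matter to security: whether the LDAP traffic is protected, which DN the tools bind as, and how the bind password is stored. The following checker is an added example, not part of the Idealx tools or of this chapter: it reads constructed excerpts carrying this page's values, expands ${suffix} the way smbldap.conf does, and takes the file mode of smbldap_bind.conf as a parameter.

```python
"""Review smbldap-tools settings before the directory is populated.
Added example, not part of the Idealx tools or of this chapter: it reads
KEY="value" files like the two shown above (expanding ${suffix} as
smbldap.conf does) and reports the settings a reviewer would raise."""
import re
from typing import Dict, List

# Constructed excerpts carrying this page's values.
SAMPLE_SMBLDAP_CONF = """\
SID="S-1-5-21-725326080-1709766072-2910717368"
slaveLDAP="127.0.0.1"
masterLDAP="127.0.0.1"
ldapTLS="0"
verify=""
cafile=""
suffix="ou=MEGANET2,dc=abmas,dc=biz"
usersdn="ou=People,${suffix}"
computersdn="ou=People,${suffix}"
groupsdn="ou=Groups,${suffix}"
hash_encrypt="MD5"
"""
SAMPLE_BIND_CONF = """\
# Credential Configuration
slaveDN="cn=Manager,dc=abmas,dc=biz"
slavePw="verysecret"
masterDN="cn=Manager,dc=abmas,dc=biz"
masterPw="verysecret"
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")

def parse_conf(text: str) -> Dict[str, str]:
    """KEY="value" lines, '#' comments, ${name} references to earlier keys."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*"([^"]*)"', line)
        if m and not line.lstrip().startswith("#"):
            key, value = m.groups()
            conf[key] = re.sub(r"\$\{(\w+)\}", lambda r: conf.get(r.group(1), ""), value)
    return conf

def review(conf: Dict[str, str], bind: Dict[str, str], bind_mode: int) -> List[str]:
    """bind_mode: permission bits of smbldap_bind.conf (os.stat(...).st_mode & 0o777)."""
    findings: List[str] = []
    hosts = {conf.get("masterLDAP", ""), conf.get("slaveLDAP", "")} - {""}
    remote = sorted(h for h in hosts if h not in LOOPBACK)
    tls = conf.get("ldapTLS", "0") == "1"
    if remote and not tls:
        findings.append(f"ldapTLS=0 with remote server(s) {', '.join(remote)}: the bind "
                        "password and password hashes cross the network in clear")
    if tls and (conf.get("verify") != "require" or not conf.get("cafile")):
        findings.append("ldapTLS=1 without verify=\"require\" and a cafile: the server "
                        "certificate is not checked")
    if conf.get("computersdn") == conf.get("usersdn"):
        findings.append("computersdn equals usersdn: machine accounts will be created "
                        "among the user entries rather than under ou=Computers")
    if conf.get("hash_encrypt", "").upper() in ("MD5", "SHA"):
        findings.append(f"hash_encrypt={conf['hash_encrypt']} stores unsalted userPassword "
                        "hashes; the salted SSHA form is supported")
    if bind_mode & 0o077:
        findings.append(f"smbldap_bind.conf mode {bind_mode:04o} is readable by others "
                        "but holds the bind password in clear; use 0600")
    if any(d.lower().startswith("cn=manager,") for d in
           (bind.get("masterDN", ""), bind.get("slaveDN", ""))):
        findings.append("tools bind as the directory manager; a DN whose write access "
                        "is limited to the Samba subtree is all they need")
    return findings
```

With both servers on the loopback address, as on this page, the missing TLS produces no finding; the check fires as soon as a remote LDAP host is configured.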
862	</p><p>
863	We can now run the <span><b class="command">smbldap-populate</b></span> command, which populates
864	the LDAP tree with the appropriate default users, groups, and UID and GID pools.
865	It creates a user called Administrator with UID=0 and GID=0, matching the
866	Domain Admins group. This is fine; you can still log in as root to a Windows system,
867	but it will break cached credentials if you need to log in as the administrator
868	to a system that is not on the network for whatever reason.
869	</p><p>
870	After the LDAP database has been pre-loaded, it is prudent to validate that the
871	information needed is in the LDAP directory. This can be done by restarting
872	the LDAP server, then performing an LDAP search by executing:
873</p><pre class="screen">
874<tt class="prompt">root# </tt> ldapsearch -W -x -b "dc=abmas,dc=biz"\
875	 -D "cn=Manager,dc=abmas,dc=biz" \
876	"(Objectclass=*)"
877Enter LDAP Password:
878# extended LDIF
879#
880# LDAPv3
881# base &lt;dc=abmas,dc=biz&gt; with scope sub
882# filter: (ObjectClass=*)
883# requesting: ALL
884#
885
886# abmas.biz
887dn: dc=abmas,dc=biz
888objectClass: dcObject
889objectClass: organization
890o: abmas
891dc: abmas
892
893# People, abmas.biz
894dn: ou=People,dc=abmas,dc=biz
895objectClass: organizationalUnit
896ou: People
897
898# Groups, abmas.biz
899dn: ou=Groups,dc=abmas,dc=biz
900objectClass: organizationalUnit
901ou: Groups
902
903# Idmap, abmas.biz
904dn: ou=Idmap,dc=abmas,dc=biz
905objectClass: organizationalUnit
906ou: Idmap
907...
908</pre><p>
909	</p><p>
910	<a class="indexterm" name="id2577103"></a>
911	<a class="indexterm" name="id2577110"></a>
912	<a class="indexterm" name="id2577117"></a>
913	<a class="indexterm" name="id2577124"></a>
914	<a class="indexterm" name="id2577130"></a>
915	With the LDAP directory now initialized, it is time to create the Windows and POSIX
916	(UNIX) group accounts as well as the mappings from Windows groups to UNIX groups.
917	The easiest way to do this is to use the <span><b class="command">smbldap-groupadd</b></span> command.
918	It will create the group with the posixGroup and sambaGroupMapping attributes, a
919	unique GID, and an automatically-determined RID. I learned the hard way not to
920	try to do this by hand.
921	</p><p>
922	<a class="indexterm" name="id2577153"></a>
923	<a class="indexterm" name="id2577160"></a>
924	<a class="indexterm" name="id2577167"></a>
925	After I had my group mappings in place, I added users to the groups (the users
926	don't really have to exist yet). I used the <span><b class="command">smbldap-groupmod</b></span>
927	command to accomplish this. It can also be done manually by adding memberUID
928	attributes to the group entries in LDAP.
929	</p><p>
930	<a class="indexterm" name="id2577187"></a>
931	<a class="indexterm" name="id2577194"></a>
932	<a class="indexterm" name="id2577201"></a>
933	The most monumental task of all was adding the sambaSamAccount information to each
934	existing posixAccount entry.  I did it one at a time as I moved people onto
935	the new server, by issuing the command:
936</p><pre class="screen">
937<tt class="prompt">root# </tt> smbldap-usermod -a -P username
938</pre><p>
939	<a class="indexterm" name="id2577224"></a>
940	<a class="indexterm" name="id2577231"></a>
941	<a class="indexterm" name="id2577237"></a>
942	I completed that step for every user after asking the person what their current
943	NetWare password was. The wiser way to have done it would probably be to dump the
944	entire database to an LDIF file. This can be done by executing:
945</p><pre class="screen">
946<tt class="prompt">root# </tt> slapcat &gt; somefile.ldif
947</pre><p>
948	<a class="indexterm" name="id2577261"></a>
949	<a class="indexterm" name="id2577268"></a>
950	Then update the LDIF file created by using a Perl script to parse and add the
951	appropriate attributes and objectClasses to each entry, followed by re-importing
952	the entire database into the LDAP directory. 
953	</p><p>
954	Rebuilding of the LDAP directory can be done as follows:
955</p><pre class="screen">
956<tt class="prompt">root# </tt> rcldap stop
957<tt class="prompt">root# </tt> cd /data/ldap
958<tt class="prompt">root# </tt> rm *bdb _* log*
959<tt class="prompt">root# </tt> su - ldap -c "slapadd -l somefile.ldif"
960<tt class="prompt">root# </tt> rcldap start
961</pre><p>
962	This can be done at any time and for any reason, with no harm to the database.
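The bulk update the text describes can be scripted. The following is an added example, not the author's Perl script: it parses an LDIF dump, adds the sambaSamAccount objectClass and attributes to every posixAccount entry that lacks them, derives sambaSID from the domain SID in this page's smbldap.conf using the RID mapping the page's own entries show (user RID = 2 x uidNumber + 1000, group RID = 2 x gidNumber + 1001, the algorithmic mapping of smbldap-tools), and leaves entries that already carry the objectClass untouched. The sample dump is constructed; since no NT hash can be derived from a NetWare password, converted user accounts get no password and stay disabled until smbldap-passwd sets one.

```python
"""Add sambaSamAccount data to the posixAccount entries of a slapcat dump.
Added example, not the Perl script the text refers to. RID mapping as shown
by this page's own entries: user RID = 2*uidNumber + 1000 and group RID =
2*gidNumber + 1001 (the algorithmic mapping used by smbldap-tools)."""
from typing import Dict, List, Tuple

DOMAIN_SID = "S-1-5-21-725326080-1709766072-2910717368"   # SID from smbldap.conf above

# Constructed slapcat excerpt: a group carrying its own sambaSID, a user still
# lacking sambaSamAccount, and a machine account that was already converted.
SAMPLE_LDIF = """\
dn: cn=Domain Users,ou=Groups,ou=MEGANET2,dc=abmas,dc=biz
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-725326080-1709766072-2910717368-513

dn: cn=Test User,ou=People,ou=MEGANET2,dc=abmas,dc=biz
cn: Test User
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: test.user
uidNumber: 1074
gidNumber: 513
homeDirectory: /home/test.user
loginShell: /bin/false

dn: uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: w2kengrspare$
uidNumber: 1104
gidNumber: 515
sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208
"""

Entry = List[Tuple[str, str]]   # attribute order kept; multi-valued attributes repeat

def parse_ldif(text: str) -> List[Entry]:
    """Entries separated by blank lines; a leading space continues the previous value."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current:
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
        elif raw.strip():
            attr, _, val = raw.partition(":")
            current.append((attr.strip(), val.strip()))
        elif current:
            entries.append(current)
            current = []
    if current:
        entries.append(current)
    return entries

def values(entry: Entry, attr: str) -> List[str]:
    return [v for a, v in entry if a.lower() == attr.lower()]

def user_rid(uid_number: int) -> int:
    return 2 * uid_number + 1000

def group_rid(gid_number: int) -> int:
    return 2 * gid_number + 1001

def group_sids(entries: List[Entry]) -> Dict[int, str]:
    """gidNumber -> sambaSID for groups that already carry one (well-known RIDs)."""
    return {int(values(e, "gidNumber")[0]): values(e, "sambaSID")[0]
            for e in entries if values(e, "sambaSID") and values(e, "gidNumber")
            and "posixgroup" in {v.lower() for v in values(e, "objectClass")}}

def add_samba_account(entry: Entry, known_groups: Dict[int, str]) -> Entry:
    """Return the entry extended with sambaSamAccount, or unchanged if not applicable."""
    classes = {v.lower() for v in values(entry, "objectClass")}
    if "posixaccount" not in classes or "sambasamaccount" in classes:
        return entry
    uid = values(entry, "uid")[0]
    uid_number, gid_number = (int(values(entry, a)[0]) for a in ("uidNumber", "gidNumber"))
    new = list(entry)
    last_oc = max(i for i, (a, _) in enumerate(new) if a.lower() == "objectclass")
    new.insert(last_oc + 1, ("objectClass", "sambaSamAccount"))
    # No NT/LM hash can be derived from a NetWare password, so a user is created
    # disabled ('D') until smbldap-passwd sets one; machines ('$') keep flag 'W'.
    flags = "[W          ]" if uid.endswith("$") else "[UD         ]"
    new += [("sambaSID", f"{DOMAIN_SID}-{user_rid(uid_number)}"),
            ("sambaPrimaryGroupSID",
             known_groups.get(gid_number, f"{DOMAIN_SID}-{group_rid(gid_number)}")),
            ("sambaAcctFlags", flags),
            ("sambaPwdLastSet", "0")]   # no password yet; smbldap-passwd updates it
    return new

def convert_ldif(text: str) -> str:
    """Rewrite a dump so that every posixAccount is also a sambaSamAccount."""
    entries = parse_ldif(text)
    known = group_sids(entries)
    converted = [add_samba_account(e, known) for e in entries]
    return "\n\n".join("\n".join(f"{a}: {v}" for a, v in e) for e in converted) + "\n"
```

The output is the file to hand to the slapadd step above; diff it against the original dump before re-importing.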
963	</p><p>
964	So first I added a test user, of course. The LDIF for this test user looks like
965	this, to give you an idea:
966</p><pre class="screen">
967# Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
968dn:cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
969cn: Test User
970gecos: Test User
971gidNumber: 513
972givenName: Test
973homeDirectory: /home/test.user
974homePhone: 555
975l: Somewhere
976l: ST
977mail: test.user
978o: Corp
979objectClass: top
980objectClass: inetOrgPerson
981objectClass: posixAccount
982objectClass: sambaSamAccount
983postalCode: 12345
984sn: User
985street: 10 Some St.
986uid: test.user
987uidNumber: 1074
988sambaLogonTime: 0
989sambaLogoffTime: 2147483647
990sambaKickoffTime: 2147483647
991sambaPwdCanChange: 0
992displayName: Samba User
993sambaSID: S-1-5-21-725326080-1709766072-2910717368-3148
994sambaLMPassword: 9D29C287C58448F9AAD3B435B51404EE
995sambaAcctFlags: [U]
996sambaNTPassword: D062088E99C95E37D7702287BB35E770
997sambaPwdLastSet: 1102537694
998sambaPwdMustChange: 1106425694
999userPassword: {SSHA}UzFZ2VxRGdwUueLnTGtsTBtnsvMO1oj8
1000loginShell: /bin/false
1001</pre><p>
1002	</p><p>
1003	Then I went over to a spare Windows NT machine and joined it to the MEGANET2 domain.
1004	It worked, and the machine's account entry under ou=Computers looks like this:
1005</p><pre class="screen">
1006dn:uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz
1007objectClass: top
1008objectClass: inetOrgPerson
1009objectClass: posixAccount
1010objectClass: sambaSamAccount
1011cn: w2kengrspare$
1012sn: w2kengrspare$
1013uid: w2kengrspare$
1014uidNumber: 1104
1015gidNumber: 515
1016homeDirectory: /dev/null
1017loginShell: /bin/false
1018description: Computer
1019gecos: Computer
1020sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208
1021sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-2031
1022displayName: W2KENGRSPARE$
1023sambaPwdCanChange: 1103149236
1024sambaPwdMustChange: 2147483647
1025sambaNTPassword: CA199C45CB6737035DB6D9D9F6CD1834
1026sambaPwdLastSet: 1103149236
1027sambaAcctFlags: [W          ]
1028</pre><p>
1029	</p><p>
1030	<a class="indexterm" name="id2577383"></a>
1031	So now I can log in with a test user from the machine w2kengrspare. It's all fine and
1032	good, but that user is in no groups yet so has pretty boring access.  We can fix that
1033	by writing the login script! To write the login script, I used
1034	<a href="http://www.kixtart.org" target="_top">Kixstart</a>. I used it because it will work
1035	with every architecture of Windows, has an active and helpful user base, and was both
1036	easier to learn and more powerful than the standard netlogon scripts I have seen.
1037	I also did not have to do a logon script per user or per group.
1038	</p><p>
1039	<a class="indexterm" name="id2577408"></a>
1040	I downloaded Kixtart and put the following files in my [netlogon] share:
1041</p><pre class="screen">
1042KIX32.EXE
1043KX32.dll
1044KX95.dll  &lt;-- Not needed unless you are running Win9x clients.
1045kx16.dll  &lt;-- Probably not needed unless you are running DOS clients.
1046kxrpc.exe &lt;-- Probably useless as it has to run on the server and can
1047          only be run on NT.  It's for Windows 95 to become group-aware.
1048          We can get around the need.
1049</pre><p>
1050	</p><p>
1051	<a class="indexterm" name="id2577439"></a>
1052	I then wrote the <tt class="filename">logon.kix</tt> file that is shown in
1053	<a href="nw4migration.html#ch8kix" title="Example 9.14. Kixstart Control File  File: logon.kix">Example 9.14</a>. I chose to keep it all in one file, but it
1054	can be split up and linked via include directives.
1055	</p><div class="example"><a name="ch8kix"></a><p class="title"><b>Example 9.14. Kixstart Control File  File: logon.kix</b></p><pre class="screen">
1056; This script just calls the other scripts.
1057
1058; First we want to get things done for everyone.
1059
1060; Second, we do first-time login stuff.
1061
1062; Third, we go through the group-oriented scripts one at a time.
1063
1064
1065; We want to check for group membership here to avoid the overhead of running
1066; scripts which don't apply.
1067call "\\massive\netlogon\scripts\main.kix"
1068call "\\massive\netlogon\scripts\setup.kix"
1069IF INGROUP("MEGANET2\ACCT")
1070  call "scripts\acct.kix"
1071ENDIF
1072IF INGROUP("MEGANET2\ENGR","MEGANET2\RECEPTIONIST")
1073  call "\\massive\netlogon\scripts\engr.kix"
1074ENDIF
1075IF INGROUP("MEGANET2\FURN")
1076  call "\\massive\netlogon\scripts\furn.kix"
1077ENDIF
1078IF INGROUP("MEGANET2\TRUSS")
1079  call "\\massive\netlogon\scripts\truss.kix"
1080ENDIF
1081</pre></div><div class="example"><a name="ch8kix2"></a><p class="title"><b>Example 9.15. Kixstart Control File  File: main.kix</b></p><pre class="screen">
1082break on
1083
1084; Choose whether to hide the login window or not
1085IF INGROUP("MEGANET2\Domain Admins")
1086  USE Z: \\massive\everything
1087  SETCONSOLE("show")
1088ELSE
1089  ; Nobody cares about seeing the login script except admins
1090  SETCONSOLE("hide")
1091ENDIF
1092
1093; Delete all previously connected shares
1094USE * /delete
1095
1096SETTITLE("Logging on @USERID to @LDOMAIN at @TIME")
1097
1098; Set the time on the workstation
1099$Timeserver = "\\massive"
1100Settime $TimeServer
1101
1102; Map the home directory
1103USE H: @HOMESHR ; connect to user's home share
1104IF @ERROR = 0
1105
1106  H:
1107  CD @HOMEDIR ; change directory to user's home directory
1108ENDIF
1109
1110; Everyone gets the N drive
1111USE N: \\massive\network
1112</pre></div><div class="example"><a name="ch8kix3"></a><p class="title"><b>Example�9.16.�Kixstart Control File  File: setup.kix, Part A</b></p><pre class="screen">
1113; My setup.kix is where all of the redirection stuff happens.  Note that with 
1114; the use of registry keys, ths only happens the first time they log in ,or if 
1115; I delete the pertinent registry keys which triggers it to happen again:
1116
1117; Check to see if we have written the Borkholder subkey before
1118$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\Borkholder")
1119IF NOT $RETURNCODE = 0
1120; Add key for Borkholder-specific things on the first login
1121  ADDKEY("HKEY_CURRENT_USER\Borkholder")
1122  ; The following key gets deleted at the end of the first login
1123  ADDKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN")
1124ENDIF
1125
1126; People with laptops need My Documents to be in their profile.  People with
1127; desktops can have My Documents redirected to their home directory to avoid
1128; long delays with logging out and out-of-sync files.
1129
1130; Check to see if this is the first login -- doesn't make sense to do this
1131; at the very first login
1132
1133$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN")
1134IF NOT $RETURNCODE = 0
1135
1136; We don't want to do this stuff for people with laptops or people in the FURN
1137; group.  (They store their profiles in a different server)
1138
1139  IF NOT INGROUP("MASSIVE\Laptop","MASSIVE\FURN")
1140    $RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\Borkholder\profile_copied")
1141
1142; A  crude way to tell what OS our profile is for and copy the "My Documents"
1143; to the redirected folder on the server.  It works because the profiles
1144; are stored as \\server\profiles\user\architecture
1145    IF NOT $RETURNCODE = 0
1146      IF EXIST("\\massive\profiles\@userID\WinXP")
1147        copy "\\massive\profiles\@userID\WinXP\My Documents\*" 
1148"\\massive\@userID\"
1149      ENDIF
1150      IF EXIST("\\massive\profiles\@userID\Win2K")
1151        copy "\\massive\profiles\@userID\Win2K\My Documents\*" 
1152"\\massive\@userID\"
1153      ENDIF
1154      IF EXIST("\\massive\profiles\@userID\WinNT")
1155        copy "\\massive\profiles\@userID\WinNT\My Documents\*" 
1156"\\massive\@userID\"
1157      ENDIF
1158</pre></div><div class="example"><a name="ch8kix3b"></a><p class="title"><b>Example�9.17.�Kixstart Control File  File: setup.kix, Part B</b></p><pre class="screen">
1159; Now we will write the registry values to redirect the locations of "My 
1160Documents"
1161; and other folders.
1162      ADDKEY("HKEY_CURRENT_USER\Borkholder\profile_copied")
1163      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
1164Windows\CurrentVersion\Explorer\User 
1165Shell Folders", "Personal","\\massive\@userID","REG_SZ")
1166      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
1167Windows\CurrentVersion\Explorer\User 
1168Shell Folders", "My Pictures", "\\massive\@userID\My Pictures", "REG_SZ")
1169      IF @PRODUCTTYPE="Windows 2000 Professional" or @PRODUCTTYPE="Windows XP
1170Professional"
1171      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
1172Windows\CurrentVersion\Explorer\User 
1173Shell Folders", "My Videos", "\\massive\@userID\My Videos", "REG_SZ")
1174      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
1175Windows\CurrentVersion\Explorer\User 
1176Shell Folders", "My Music", "\\massive\@userID\My Music", "REG_SZ")
1177      WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
1178Windows\CurrentVersion\Explorer\User 
1179Shell Folders", "My eBooks", "\\massive\@userID\My eBooks", "REG_SZ")
1180      ENDIF
1181    ENDIF
1182  ENDIF
1183
1184; Now we will delete the FIRST_LOGIN subkey that we made before.
1185; Note - to run this script again you will want to delete the HKCU\Borkholder
1186; subkey, log out, and log back in.
1187$RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN")
1188IF $RETURNVALUE = 0
1189  DELKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN")
1190ENDIF
1191</pre></div><div class="example"><a name="ch8kix4"></a><p class="title"><b>Example�9.18.�Kixstart Control File  File: acct.kix</b></p><pre class="screen">
1192; And here is one group-oriented script to show what can be
1193; done that way: acct.kix:
1194
1195IF INGROUP("MASSIVE\Acct_Admin","MASSIVE\HR")
1196  USE I: \\MEGANET2\HR_PR
1197ENDIF
1198
1199; Set up printer
1200$RETURNVALUE = existkey("HKEY_CURRENT_USER\Printers\,,massive,acct_hp8500")
1201IF NOT $RETURNVALUE = 0
1202  ADDPRINTERCONNECTION("\\massive\acct_hp8500")
1203  SETDEFAULTPRINTER("\\massive\acct_hp8500")
1204ENDIF
1205; Set up drive mappings
1206  USE M: \\massive\ACCT
1207  IF INGROUP("MEGANET2\ABRA")
1208    USE T: \\trussrv\abra
1209  ENDIF
1210</pre></div><p>
As you can see in the script, I redirect the My Documents to the user's home
share if they are not in the “Laptop” group. I also add printers on a
group-by-group basis, and if applicable I set the group printer. For this to
be effective, the print drivers must be installed on the Samba server in the
<tt class="filename">[print$]</tt> share. Ample documentation exists about how to do that, so I did not
cover it.
</p><p>
I actually call this script via the logon.bat script in the [netlogon] directory:
</p><pre class="screen">
\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f
</pre><p>
I only had to fully qualify the paths for Windows 9x, as Windows NT and
greater automatically add [NETLOGON] to the path.
</p><p>
Also of note for Win9x is that the drive mappings and printer setup will not
work because they rely on RPC. One merely has to put the appropriate settings
into the <tt class="filename">c:\autoexec.bat</tt> file or map the drives manually. One option would
be to check the OS as part of the Kixtart script, and if it is Win9x and if
it is the first login, copy a pre-made <tt class="filename">autoexec.bat</tt> to the <tt class="filename">C:</tt> drive. I only
have three such machines and one is going away in the very near future, so it
was easier to do it by hand.
</p><p>
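The Win9x check described above, written out as an added KiXtart example rather than one of the author's own scripts. It assumes a pre-made file stored at \\massive\netlogon\win9x\autoexec.bat (a hypothetical path) and reuses the HKCU\Borkholder\FIRST_LOGIN marker that setup.kix creates during a user's first login, so the copy is performed once per user and only on Windows 9x machines, where the RPC-based USE and ADDPRINTERCONNECTION calls in the other scripts do not work.

```kixtart
; Added example, not part of the original logon scripts.
; Windows 9x clients cannot have drives and printers mapped over RPC, so on
; the very first login we drop a pre-made autoexec.bat onto the C: drive.
; Assumes \\massive\netlogon\win9x\autoexec.bat exists (hypothetical path).

; @INWIN is 1 on Windows 9x and 2 on Windows NT-based systems
IF @INWIN = 1
  ; setup.kix creates FIRST_LOGIN only during the first login and deletes it
  ; at the end of that session; EXISTKEY returns 0 when the key exists.
  $RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\Borkholder\FIRST_LOGIN")
  IF $RETURNCODE = 0
    IF EXIST("\\massive\netlogon\win9x\autoexec.bat")
      COPY "\\massive\netlogon\win9x\autoexec.bat" "C:\autoexec.bat"
      IF @ERROR <> 0
        ; Report rather than fail silently so the machine can be fixed by hand
        ? "Could not copy autoexec.bat: " @SERROR
      ENDIF
    ELSE
      ? "Pre-made autoexec.bat not found on the netlogon share"
    ENDIF
  ENDIF
ENDIF
```

The copy overwrites whatever autoexec.bat is already on the machine, so the pre-made file should live on the [netlogon] share with the same read-only permissions for users as the rest of the logon scripts; anything placed there runs on every affected client at the next login.
</p><p>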
<a class="indexterm" name="id2577742"></a>
At this point I was able to add the users. This is the part that really falls
into “upgrade.” I moved the users over one group at a time, starting with the
people who used the least amount of resources on the network. With each group
that I moved, I first logged in as a “standard” user in that group and took
careful note of their environment, mainly the printers they used, their PATH,
and what network resources they had access to (most importantly, which ones
they actually needed access to).
</p><p>
I would then add the user's SambaSamAccount information as mentioned earlier,
and join the computer to the domain. The very first thing I had to do was to
copy the user's profile to the new server. This was very important, and I really
struggled with the most effective way to do it. Here is the method that worked
for every one of my users on Windows NT, 2000, and XP:
</p><div class="procedure"><ol type="1"><li><p>
Log in as the user on the domain. This creates the local copy
of the user's profile and copies it to the server as they log out.
</p></li><li><p>
Reboot the computer and log in as the local machine administrator.
</p></li><li><p>
Right-click My Computer, click Properties, and navigate to the
user profiles tab (varies per version of Windows).
</p></li><li><p>
Select the user's local profile <tt class="constant">(COMPUTERNAME\username)</tt>,
and click the <span><b class="command">Copy To</b></span> button.
</p></li><li><p>
In the next dialog, copy it directly to the profiles share on the
Samba server (\\PDCname\profiles\user\&lt;architecture&gt; in my
case). You will have had to make a connection to the share as that
user (e.g., in Windows Explorer type \\PDCname\profiles\username).
</p></li><li><p>
When the copy is complete (it can take a while), log out and log back in
as the user. All his/her settings and all contents of My Documents,
Favorites, and the registry should have been copied successfully.
</p></li><li><p>
If it doesn't look right (the dead giveaway is the desktop background),
shut down the computer without logging out (power cycle) and try logging
in as the user again. If it still doesn't work, repeat the steps above.
I only ever had to repeat it once.
</p></li></ol></div><p>
WORDS TO THE WISE:
</p><div class="itemizedlist"><ul type="disc"><li><p>
If the user was anything other than a standard user on his/her system
before, you will save yourself some headaches by giving them identical
permissions (on the local machine) as their domain account, BEFORE
copying their profile over. Do this through the User Administrator
in the Control Panel, after joining the computer to the domain and
before logging in as that user for the first time. Otherwise they will
have trouble with permissions on their registry keys.
</p></li><li><p>
If any application was installed for the user only, rather than for
the entire system, it will probably not work without being reinstalled.
</p></li></ul></div><p>
After all these steps are accomplished, only cleanup details are left. Make sure the user's
shortcuts and “Network Places” point to the appropriate place on the new server, check
the important applications to be sure they work as expected and troubleshoot any problems
that might arise, and check to be sure the user's printers are present and working. By the
way, if there are any network printers installed as system printers (the Novell way),
you will need to log in as a local administrator and delete them.
</p><p>
For my non-laptop systems, I would then log in and out a couple of times as the user,
to be sure that their registry settings were modified, and then I was finished.
</p><p>
Some compatibility issues that cropped up included:
</p><p>
Blackberry client: It did not like having its registry settings moved around,
and had to be reinstalled. Also it needed write permissions to a portion of
the hard drive, and I had to give it those manually on the one system where
this was an issue.
</p><p>
CAMedia digital camera software for Canon cameras: I had all kinds of trouble
with the registry. I had to use the Run as service to open the registry of
the local user while logged in as the domain user, and give the domain user
the appropriate permissions to some registry keys, then export that portion
of the registry to a file. Then as the domain user I had to import that file
into the registry.
</p><p>
Crystal Reports version 7: More registry problems that were solved by re-copying
the user's profile.
</p><p>
Printing from legacy applications: I found out that Novell sent its jobs to
the printer in a raw format. CUPS sends them in Postscript by default. I had
to make a second printer definition for one printer and tell CUPS specifically
to send raw data to the printer, and assign this printer to the LPT port with
Kixtart's version of the “net use” command.
</p><p>
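The LPT assignment just mentioned, as an added KiXtart example rather than the author's own acct.kix. It assumes that the second, raw printer definition was created on the CUPS side under the name acct_hp8500_raw (a hypothetical name) and is shared by Samba like the other printers, and it maps that queue to LPT1 for the accounting group so legacy applications that write to the port get their bytes passed through untouched.

```kixtart
; Added example, not part of the original logon scripts.
; Legacy applications print by writing to an LPT port; KiXtart's USE command
; can redirect that port to a network printer, the way "net use lpt1:" does.
; Assumes a raw CUPS queue is shared as \\massive\acct_hp8500_raw (hypothetical).
IF INGROUP("MEGANET2\ACCT")
  ; Drop any redirection left over from a previous session before remapping
  USE LPT1: /delete
  USE LPT1: "\\massive\acct_hp8500_raw"
  IF @ERROR <> 0
    ; A failed mapping means legacy jobs silently go nowhere, so say so
    ? "Could not map LPT1 to the raw accounting queue: " @SERROR
  ENDIF
ENDIF
```

Keeping the raw queue separate from the normal PostScript definition means Windows applications keep the filtered queue and only the LPT path bypasses CUPS processing, so a PostScript job sent to the raw queue by mistake prints as plain text rather than being rendered.
</p><p>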
These were all eventually solved by elbow grease, queries to the Samba mailing
list and others, and diligence. The complete migration took about 5 weeks.
My userbase is relatively small, but includes multiple versions of Windows,
multiple Linux member servers, a mechanized saw, a pen plotter, and legacy
applications written in Qbasic and R:Base, just to name a few. I actually
ended up making some of these applications work better (or work again, as
some of them had stopped functioning on the old server) because as part of
the process I had to find out how things were supposed to work.
</p><p>
The one thing I have not been able to get working is a very old database that
we had around for reference purposes which uses Novell's Btrieve engine.
</p><p>
As the resources compare, I went from 95% disk usage to just around 10%.
I went from a very high load on the server to an average load of between 1
and 2 runnable processes on the server. I have improved the security and
robustness of the system. I have also implemented
<a href="http://www.clamav.net" target="_top">ClamAV</a> Antivirus,
which scans the entire Samba server for viruses every two hours and
quarantines them. I have found it much less problematic than our ancient
version of Norton Antivirus Corporate Edition, and much more up-to-date.
</p><p>
In short, my users are much happier now that the new server is running, and that
is what is important to me.
</p></div></div></div></div></body></html>