1
<?xml version="1.0" encoding="iso-8859-1"?>
2
<!DOCTYPE chapter PUBLIC "-//Samba-Team//DTD DocBook V4.2-Based Variant V1.0//EN" "http://www.samba.org/samba/DTD/samba-doc">
3
<chapter id="ntmigration">
4
<title>Migrating NT4 Domain to Samba-3</title>
7
Ever since Microsoft announced that it was discontinuing support for Windows
8
NT4, Samba users started to ask for detailed instructions on how to migrate
9
from NT4 to Samba-3. This chapter provides background information that should
14
One wonders how many NT4 systems will be left in service by the time you read this
19
<title>Introduction</title>
22
<primary>migration</primary>
24
Network administrators who want to migrate off a Windows NT4 environment know
25
one thing with certainty. They feel that NT4 has been abandoned, and they want
26
to update. The desire to get off NT4 and to not adopt Windows 200x and Active
27
Directory is driven by a mixture of concerns over complexity, cost, fear of
28
failure, and much more.
32
<indexterm><primary>group policies</primary></indexterm>
33
<indexterm><primary>accounts</primary><secondary>user</secondary></indexterm>
34
<indexterm><primary>accounts</primary><secondary>group</secondary></indexterm>
35
<indexterm><primary>accounts</primary><secondary>machine</secondary></indexterm>
36
The migration from NT4 to Samba-3 can involve a number of factors, including
37
migration of data to another server, migration of network environment controls
38
such as group policies, and migration of the users, groups, and machine
43
<indexterm><primary>accounts</primary><secondary>Domain</secondary></indexterm>
44
It should be pointed out now that it is possible to migrate some systems from
45
a Windows NT4 domain environment to a Samba-3 domain environment. This is certainly
46
not possible in every case. It is possible to just migrate the domain accounts
47
to Samba-3 and then to switch machines, but as a hands-off transition, this is more
48
the exception than the rule. Most systems require some tweaking after
49
migration before an environment that is acceptable for immediate use
54
<title>Assignment Tasks</title>
57
<indexterm><primary>LDAP</primary></indexterm>
58
<indexterm><primary>ldapsam</primary></indexterm>
59
<indexterm><primary>passdb backend</primary></indexterm>
60
You are about to migrate an MS Windows NT4 domain accounts database to
61
a Samba-3 server. The Samba-3 server is using a
62
<parameter>passdb backend</parameter> based on LDAP. The
63
<constant>ldapsam</constant> is ideal because an LDAP backend can be distributed
64
for use with BDCs &smbmdash; generally essential for larger networks.
68
Your objective is to document the process of migrating user and group accounts
69
from several NT4 domains into a single Samba-3 LDAP backend database.
76
<title>Dissection and Discussion</title>
79
<indexterm><primary>snap-shot</primary></indexterm>
80
<indexterm><primary>NT4 registry</primary></indexterm>
81
<indexterm><primary>registry</primary><secondary>keys</secondary><tertiary>SAM</tertiary></indexterm>
82
<indexterm><primary>registry</primary><secondary>keys</secondary><tertiary>SECURITY</tertiary></indexterm>
83
<indexterm><primary>SAM</primary></indexterm>
84
<indexterm><primary>Security Account Manager</primary><see>SAM</see></indexterm>
85
The migration process takes a snapshot of information that is stored in the
86
Windows NT4 registry-based accounts database. That information resides in
87
the Security Account Manager (SAM) portion of the NT4 registry under keys called
88
<constant>SAM</constant> and <constant>SECURITY</constant>.
92
<indexterm><primary>crippled</primary></indexterm>
93
<indexterm><primary>inoperative</primary></indexterm>
94
The Windows NT4 registry keys called <constant>SAM</constant> and <constant>SECURITY</constant>
95
are protected so that you cannot view the contents. If you change the security setting
96
to reveal the contents under these hive keys, your Windows NT4 domain is crippled. Do not
97
do this unless you are willing to render your domain controller inoperative.
101
<indexterm><primary>migration</primary><secondary>objectives</secondary></indexterm>
102
<indexterm><primary>disruptive</primary></indexterm>
103
Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are.
104
While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server,
105
that may not be a good idea from an administration perspective. Since the process involves going
106
through a certain amount of disruptive activity anyhow, why not take this opportunity to
107
review the structure of the network, how Windows clients are controlled and how they
108
interact with the network environment.
112
<indexterm><primary>network</primary><secondary>logon scripts</secondary></indexterm>
113
<indexterm><primary>profiles share</primary></indexterm>
114
<indexterm><primary>security descriptors</primary></indexterm>
115
MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed
116
have done little to keep the NT4 server environment up to date with more recent Windows releases,
117
particularly Windows XP Professional. The migration provides opportunity to revise and update
118
roaming profile deployment as well as folder redirection. Given that you must port the
119
greater network configuration of this from the old NT4 server to the new Samba-3 server.
120
Do not forget to validate the security descriptors in the profiles share as well as network logon
121
scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this
122
as a good time to update desktop systems also. In all, the extra effort should constitute no
123
real disruption to users, but rather, with due diligence and care, should make their network experience
128
<title>Technical Issues</title>
131
<indexterm><primary>strategic</primary></indexterm>
132
<indexterm><primary>active directory</primary></indexterm>
133
Migration of an NT4 domain user and group database to Samba-3 involves a certain strategic
134
element. Many sites have asked for instructions regarding merging of multiple NT4
135
domains into one Samba-3 LDAP database. It seems that this is viewed as a significant
136
added value compared with the alternative of migration to Windows Server 200x and Active
137
Directory. The diagram in <link linkend="ch8-migration"/> illustrates the effect of migration
138
from a Windows NT4 domain to a Samba domain.
141
<figure id="ch8-migration">
142
<title>Schematic Explaining the <command>net rpc vampire</command> Process</title>
143
<imagefile scale="55">ch8-migration</imagefile>
147
<indexterm><primary>merge</primary></indexterm>
148
<indexterm><primary>passdb.tdb</primary></indexterm>
149
If you want to merge multiple NT4 domain account databases into one Samba domain,
150
you must now dump the contents of the first migration and edit it as appropriate. Now clean
151
out (remove) the tdbsam backend file (<filename>passdb.tdb</filename>) or the LDAP database
152
files. You must start each migration with a new database into which you merge your NT4
157
<primary>dump</primary>
159
At this point, you are ready to perform the second migration, following the same steps as
160
for the first. In other words, dump the database, edit it, and then you may merge the
161
dump for the first and second migrations.
165
<primary>LDAP</primary>
166
</indexterm><indexterm>
167
<primary>migrate</primary>
168
</indexterm><indexterm>
169
<primary>Domain SID</primary>
171
You must be careful. If you choose to migrate to an LDAP backend, your dump file
172
now contains the full account information, including the domain SID. The domain SID for each
173
of the two NT4 domains will be different. You must choose one and change the domain
174
portion of the account SIDs so that all are the same.
178
<indexterm><primary>passdb.tdb</primary></indexterm>
179
<indexterm><primary>/etc/passwd</primary></indexterm>
180
<indexterm><primary>merged</primary></indexterm>
181
<indexterm><primary>logon script</primary></indexterm>
182
<indexterm><primary>logon hours</primary></indexterm>
183
<indexterm><primary>logon machines</primary></indexterm>
184
<indexterm><primary>profile path</primary></indexterm>
185
<indexterm><primary>smbpasswd</primary></indexterm>
186
<indexterm><primary>tdbsam</primary></indexterm>
187
<indexterm><primary>LDAP backend</primary></indexterm>
188
<indexterm><primary>export</primary></indexterm>
189
<indexterm><primary>import</primary></indexterm>
190
If you choose to use a tdbsam (<filename>passdb.tdb</filename>) backend file, your best choice
191
is to use <command>pdbedit</command> to export the contents of the tdbsam file into an
192
smbpasswd data file. This automatically strips out all domain-specific information,
193
such as logon hours, logon machines, logon script, profile path, as well as the domain SID.
194
The resulting file can be easily merged with other migration attempts (each of which must start
195
with a clean file). It should also be noted that all users who end up in the merged smbpasswd
196
file must have an account in <filename>/etc/passwd</filename>. The resulting smbpasswd file
197
may be exported or imported into either a tdbsam (<filename>passdb.tdb</filename>) or
202
<title>View of Accounts in NT4 Domain User Manager</title>
203
<imagefile scale="50">UserMgrNT4</imagefile>
210
<title>Political Issues</title>
213
The merging of multiple Windows NT4-style domains into a single LDAP-backend-based Samba-3
214
domain may be seen by those who had power over them as a loss of prestige or a loss of
215
power. The imposition of a single domain may even be seen as a threat. So in migrating and
216
merging account databases, be consciously aware of the political fall-out in which you
217
may find yourself entangled when key staff feel a loss of prestige.
221
The best advice that can be given to those who set out to merge NT4 domains into a single
222
Samba-3 domain is to promote (sell) the action as one that reduces costs and delivers
223
greater network interoperability and manageability.
231
<title>Implementation</title>
234
From feedback on the Samba mailing lists, it seems that most Windows NT4 migrations
235
to Samba-3 are being performed using a new server or a new installation of a Linux or UNIX
236
server. If you contemplate doing this, please note that the steps that follow in this
237
chapter assume familiarity with the information that has been previously covered in this
238
book. You are particularly encouraged to be familiar with <link linkend="secure"/>,
239
<link linkend="Big500users"/> and <link linkend="happy"/>.
243
We present here the steps and example output for two NT4 to Samba-3 domain migrations. The
244
first uses an LDAP-based backend, and the second uses a tdbsam backend. In each case the
245
scripts you specify in the &smb.conf; file for the <parameter>add user script</parameter>
246
collection of parameters are used to effect the addition of accounts into the passdb backend.
250
Before proceeding to NT4 migration using either a tdbsam or ldapsam, it is most strongly recommended to
251
review <link linkend="ch5-dnshcp-setup"/> for DNS and DHCP configuration. The importance of correctly
252
functioning name resolution must be recognized. This applies equally for both hostname and NetBIOS names
253
(machine names, computer names, domain names, workgroup names &smbmdash; ALL names!).
257
The migration process involves the following steps:
262
Prepare the target Samba-3 server. This involves configuring Samba-3 for
263
migration to either a tdbsam or an ldapsam backend.
267
<indexterm><primary>uppercase</primary></indexterm>
268
<indexterm><primary>Posix</primary></indexterm>
269
<indexterm><primary>lower-case</primary></indexterm>
270
Clean up the source NT4 PDC. Delete all accounts that need not be migrated.
271
Delete all files that should not be migrated. Where possible, change NT group
272
names so there are no spaces or uppercase characters. This is important if
273
the target UNIX host insists on POSIX-compliant all lowercase user and group
278
Step through the migration process.
281
<listitem><para><indexterm><primary>PDC</primary></indexterm>
282
Remove the NT4 PDC from the network.
286
Upgrade the Samba-3 server from a BDC to a PDC, and validate all account
292
It may help to use the above outline as a pre-migration checklist.
296
<title>NT4 Migration Using LDAP Backend</title>
299
In this example, the migration is of an NT4 PDC to a Samba-3 PDC with an LDAP backend. The accounts about
300
to be migrated are shown in <link linkend="NT4DUM"/>. In this example use is made of the
301
smbldap-tools scripts to add the accounts that are migrated into the ldapsam passdb backend.
302
Four scripts are essential to the migration process. Other scripts will be required
303
for daily management, but these are not critical to migration. The critical scripts are dependant
304
on which passdb backend is being used. Refer to <link linkend="ch8-vampire"/> to see which scripts
305
must be provided so that the migration process can complete.
309
Verify that you have correctly specified in the &smb.conf; file the scripts and arguments
310
that should be passed to them before attempting to perform the account migration. Note also
311
that the deletion scripts must be commented out during migration. These should be uncommented
312
following successful migration of the NT4 Domain accounts.
316
Under absolutely no circumstances should the Samba daemons be started until instructed to do so.
317
Delete the <filename>/etc/samba/secrets.tdb</filename> file and all Samba control tdb files
318
before commencing the following configuration steps.
321
<table id="ch8-vampire">
322
<title>Samba &smb.conf; Scripts Essential to Samba Operation</title>
324
<colspec align="left"/>
325
<colspec align="center"/>
326
<colspec align="center"/>
329
<entry>Entity</entry>
330
<entry>ldapsam Script</entry>
331
<entry>tdbsam Script</entry>
336
<entry>Add User Accounts</entry>
337
<entry>smbldap-useradd</entry>
338
<entry>useradd</entry>
341
<entry>Delete User Accounts</entry>
342
<entry>smbldap-userdel</entry>
343
<entry>userdel</entry>
346
<entry>Add Group Accounts</entry>
347
<entry>smbldap-groupadd</entry>
348
<entry>groupadd</entry>
351
<entry>Delete Group Accounts</entry>
352
<entry>smbldap-groupdel</entry>
353
<entry>groupdel</entry>
356
<entry>Add User to Group</entry>
357
<entry>smbldap-groupmod</entry>
358
<entry>usermod (See Note)</entry>
361
<entry>Add Machine Accounts</entry>
362
<entry>smbldap-useradd</entry>
363
<entry>useradd</entry>
370
<indexterm><primary>usermod</primary></indexterm>
371
<indexterm><primary>groupmem</primary></indexterm>
372
<indexterm><primary>smbldap-tools</primary></indexterm>
373
The UNIX/Linux <command>usermod</command> utility does not permit simple user addition to (or deletion
374
of users from) groups. This is a feature provided by the smbldap-tools scripts. If you want this
375
capability, you must create your own tool to do this. Alternately, you can search the Web
376
to locate a utility called <command>groupmem</command> (by George Kraft) that provides this functionality.
377
The <command>groupmem</command> utility was contributed to the shadow package but has not surfaced
378
in the formal commands provided by Linux distributions (March 2004).
382
<indexterm><primary>tdbdump</primary></indexterm>
383
The <command>tdbdump</command> utility is a utility that you can build from the Samba source-code tree. Not all Linux binary distributions include this tool. If it is missing from your
384
Linux distribution, you will need to build this yourself or else forgo its use.
388
<indexterm><primary>User Manager</primary></indexterm>
389
Before starting the migration, all dead accounts were removed from the NT4 domain using the User Manager for Domains.
393
<title>User Migration Steps</title>
396
Configure the Samba &smb.conf; file to create a BDC. An example configuration is
397
given in <link linkend="sbent4smb"/>.
398
The delete scripts are commented out so that during the process of migration
399
no account information can be deleted.
402
<example id="sbent4smb">
403
<title>NT4 Migration Samba-3 Server <filename>smb.conf</filename> &smbmdash; Part: A</title>
405
<smbconfsection name="[global]"/>
406
<smbconfoption name="workgroup">DAMNATION</smbconfoption>
407
<smbconfoption name="netbios name">MERLIN</smbconfoption>
408
<smbconfoption name="passdb backend">ldapsam:ldap://localhost</smbconfoption>
409
<smbconfoption name="log level">1</smbconfoption>
410
<smbconfoption name="syslog">0</smbconfoption>
411
<smbconfoption name="log file">/var/log/samba/%m</smbconfoption>
412
<smbconfoption name="max log size">0</smbconfoption>
413
<smbconfoption name="smb ports">139 445</smbconfoption>
414
<smbconfoption name="name resolve order">wins bcast hosts</smbconfoption>
415
<smbconfoption name="add user script">/opt/IDEALX/sbin/smbldap-useradd -m '%u'</smbconfoption>
416
<smbconfoption name="#delete user script">/opt/IDEALX/sbin/smbldap-userdel '%u'</smbconfoption>
417
<smbconfoption name="add group script">/opt/IDEALX/sbin/smbldap-groupadd '%g'</smbconfoption>
418
<smbconfoption name="#delete group script">/opt/IDEALX/sbin/smbldap-groupdel '%g'</smbconfoption>
419
<smbconfoption name="add user to group script">/opt/IDEALX/sbin/ smbldap-groupmod -m '%u' '%g'</smbconfoption>
420
<smbconfoption name="#delete user from group script">/opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'</smbconfoption>
421
<smbconfoption name="set primary group script">/opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</smbconfoption>
422
<smbconfoption name="add machine script">/opt/IDEALX/sbin/smbldap-useradd -w '%u'</smbconfoption>
423
<smbconfoption name="logon script">scripts\logon.cmd</smbconfoption>
424
<smbconfoption name="logon path">\\%L\profiles\%U</smbconfoption>
425
<smbconfoption name="logon home">\\%L\%U</smbconfoption>
426
<smbconfoption name="logon drive">X:</smbconfoption>
427
<smbconfoption name="domain logons">Yes</smbconfoption>
428
<smbconfoption name="domain master">No</smbconfoption>
429
<smbconfoption name="#wins support">Yes</smbconfoption>
430
<smbconfoption name="wins server">192.168.123.124</smbconfoption>
431
<smbconfoption name="ldap admin dn">cn=Manager,dc=terpstra-world,dc=org</smbconfoption>
432
<smbconfoption name="ldap group suffix">ou=Groups</smbconfoption>
433
<smbconfoption name="ldap idmap suffix">ou=Idmap</smbconfoption>
434
<smbconfoption name="ldap machine suffix">ou=People</smbconfoption>
435
<smbconfoption name="ldap passwd sync">Yes</smbconfoption>
436
<smbconfoption name="ldap suffix">dc=terpstra-world,dc=org</smbconfoption>
437
<smbconfoption name="ldap ssl">no</smbconfoption>
438
<smbconfoption name="ldap timeout">20</smbconfoption>
439
<smbconfoption name="ldap user suffix">ou=People</smbconfoption>
440
<smbconfoption name="idmap backend">ldap:ldap://localhost</smbconfoption>
441
<smbconfoption name="idmap uid">15000-20000</smbconfoption>
442
<smbconfoption name="idmap gid">15000-20000</smbconfoption>
443
<smbconfoption name="winbind nested groups">Yes</smbconfoption>
444
<smbconfoption name="ea support">Yes</smbconfoption>
445
<smbconfoption name="map acl inherit">Yes</smbconfoption>
449
<example id="sbent4smb2">
450
<title>NT4 Migration Samba-3 Server <filename>smb.conf</filename> &smbmdash; Part: B</title>
452
<smbconfsection name="[apps]"/>
453
<smbconfoption name="comment">Application Data</smbconfoption>
454
<smbconfoption name="path">/data/home/apps</smbconfoption>
455
<smbconfoption name="read only">No</smbconfoption>
457
<smbconfsection name="[homes]"/>
458
<smbconfoption name="comment">Home Directories</smbconfoption>
459
<smbconfoption name="path">/home/users/%U/Documents</smbconfoption>
460
<smbconfoption name="valid users">%S</smbconfoption>
461
<smbconfoption name="read only">No</smbconfoption>
462
<smbconfoption name="browseable">No</smbconfoption>
464
<smbconfsection name="[printers]"/>
465
<smbconfoption name="comment">SMB Print Spool</smbconfoption>
466
<smbconfoption name="path">/var/spool/samba</smbconfoption>
467
<smbconfoption name="guest ok">Yes</smbconfoption>
468
<smbconfoption name="printable">Yes</smbconfoption>
469
<smbconfoption name="use client driver">No</smbconfoption>
470
<smbconfoption name="browseable">No</smbconfoption>
472
<smbconfsection name="[netlogon]"/>
473
<smbconfoption name="comment">Network Logon Service</smbconfoption>
474
<smbconfoption name="path">/var/lib/samba/netlogon</smbconfoption>
475
<smbconfoption name="guest ok">Yes</smbconfoption>
476
<smbconfoption name="locking">No</smbconfoption>
478
<smbconfsection name="[profiles]"/>
479
<smbconfoption name="comment">Profile Share</smbconfoption>
480
<smbconfoption name="path">/var/lib/samba/profiles</smbconfoption>
481
<smbconfoption name="read only">No</smbconfoption>
482
<smbconfoption name="profile acls">Yes</smbconfoption>
484
<smbconfsection name="[profdata]"/>
485
<smbconfoption name="comment">Profile Data Share</smbconfoption>
486
<smbconfoption name="path">/var/lib/samba/profdata</smbconfoption>
487
<smbconfoption name="read only">No</smbconfoption>
488
<smbconfoption name="profile acls">Yes</smbconfoption>
490
<smbconfsection name="[print$]"/>
491
<smbconfoption name="comment">Printer Drivers</smbconfoption>
492
<smbconfoption name="path">/var/lib/samba/drivers</smbconfoption>
497
<indexterm><primary>slapd.conf</primary></indexterm>
498
Configure OpenLDAP in preparation for the migration. An example
499
<filename>sladp.conf</filename> file is shown in <link linkend="sbentslapd"/>.
500
The <constant>rootpw</constant> value is an encrypted password string that can
501
be obtained by executing the <command>slappasswd</command> command.
504
<example id="sbentslapd">
505
<title>NT4 Migration LDAP Server Configuration File: <filename>/etc/openldap/slapd.conf</filename> &smbmdash; Part A</title>
507
include /etc/openldap/schema/core.schema
508
include /etc/openldap/schema/cosine.schema
509
include /etc/openldap/schema/inetorgperson.schema
510
include /etc/openldap/schema/nis.schema
511
include /etc/openldap/schema/samba3.schema
513
pidfile /var/run/slapd/slapd.pid
514
argsfile /var/run/slapd/slapd.args
520
access to attr=userPassword
524
access to attr=shadowLastChange
534
<example id="sbentslapd2">
535
<title>NT4 Migration LDAP Server Configuration File: <filename>/etc/openldap/slapd.conf</filename> &smbmdash; Part B</title>
546
suffix "dc=terpstra-world,dc=org"
547
rootdn "cn=Manager,dc=terpstra-world,dc=org"
550
rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
552
directory /var/lib/ldap
554
# Indices to maintain
558
index uid pres,sub,eq
559
index displayName pres,sub,eq
564
index sambaPrimaryGroupSID eq
565
index sambaDomainName eq
571
<indexterm><primary>nss_ldap</primary></indexterm>
572
<indexterm><primary>/etc/ldap.conf</primary></indexterm>
573
Install the PADL <command>nss_ldap</command> tool set, then configure the <filename>/etc/ldap.conf</filename>
574
as shown in <link linkend="sbrntldapconf"/>.
577
<example id="sbrntldapconf">
578
<title>NT4 Migration NSS LDAP File: <filename>/etc/ldap.conf</filename></title>
582
base dc=terpstra-world,dc=org
586
binddn cn=Manager,dc=terpstra-world,dc=org
591
nss_base_passwd ou=People,dc=terpstra-world,dc=org?one
592
nss_base_shadow ou=People,dc=terpstra-world,dc=org?one
593
nss_base_group ou=Groups,dc=terpstra-world,dc=org?one
600
<indexterm><primary>/etc/nsswitch.conf</primary></indexterm>
601
Edit the <filename>/etc/nsswitch.conf</filename> file so it has the entries shown
602
in <link linkend="sbentnss"/>. Note that the LDAP entries have been commented out.
603
This is deliberate. If these entries are active (not commented out), and the
604
<filename>/etc/ldap.conf</filename> file has been configured, when the LDAP server
605
is started, the process of starting the LDAP server will cause LDAP lookups. This
606
causes the LDAP server <command>slapd</command> to hang because it finds port 389
607
open and therefore cannot gain exclusive control of it. By commenting these entries
608
out, it is possible to avoid this gridlock situation and thus the overall
609
installation and configuration will progress more smoothly.
612
<example id="sbentnss">
613
<title>NT4 Migration NSS Control File: <filename>/etc/nsswitch.conf</filename> (Stage:1)</title>
619
hosts: files dns wins
633
#passwd_compat: ldap #Not needed.
634
#group_compat: ldap #Not needed.
639
Validate the the target NT4 PDC name is being correctly resolved to its IP address by
640
executing the following:
642
&rootprompt; ping transgression
643
PING transgression.terpstra-world.org (192.168.1.5) 56(84) bytes of data.
644
64 bytes from (192.168.1.5): icmp_seq=1 ttl=128 time=0.159 ms
645
64 bytes from (192.168.1.5): icmp_seq=2 ttl=128 time=0.192 ms
646
64 bytes from (192.168.1.5): icmp_seq=3 ttl=128 time=0.141 ms
648
--- transgression.terpstra-world.org ping statistics ---
649
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
650
rtt min/avg/max/mdev = 0.141/0.164/0.192/0.021 ms
652
Do not proceed to the next step if this step fails. It is imperative that the name of the PDC
653
can be resolved to its IP address. If this is broken, fix it.
657
Pull the domain SID from the NT4 domain that is being migrated as follows:
659
&rootprompt; net rpc getsid -S TRANGRESSION -U Administrator%not24get
660
Storing SID S-1-5-21-1385457007-882775198-1210191635 \
661
for Domain DAMNATION in secrets.tdb
666
Another way to obtain the domain SID from the target NT4 domain that is being
667
migrated to Samba-3 is by executing the following:
669
&rootprompt; net rpc info -S TRANSGRESSION
671
If this method is used, do not forget to store the SID obtained into the
672
<filename>secrets.tdb</filename> file. This can be done by executing:
674
&rootprompt; net setlocalsid S-1-5-21-1385457007-882775198-1210191635
679
<indexterm><primary>Idealx</primary></indexterm>
680
<indexterm><primary>configure.pl</primary></indexterm>
681
<indexterm><primary>/opt/IDEALX/sbin</primary></indexterm>
682
<indexterm><primary>smbldap-tools</primary></indexterm>
683
Install the Idealx <command>smbldap-tools</command> software package, following
684
the instructions given in <link linkend="sbeidealx"/>. The resulting perl scripts
685
should be located in the <filename>/opt/IDEALX/sbin</filename> directory.
686
Change into that location, or wherever the scripts have been installed. Execute the
687
<filename>configure.pl</filename> script to configure the Idealx package for use.
688
Note: Use the domain SID obtained from the step above. The following is
689
an example configuration session:
691
&rootprompt; ./configure.pl
692
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
693
smbldap-tools script configuration
694
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
695
Before starting, check
696
. if your samba controller is up and running.
697
. if the domain SID is defined
698
(you can get it with the 'net getlocalsid')
700
. you can leave the configuration using the Crtl-c key combination
701
. empty value can be set with the "." character
702
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
703
Looking for configuration files...
705
Samba Config File Location [/etc/samba/smb.conf] >
706
smbldap Config file Location (global parameters)
707
[/etc/smbldap-tools/smbldap.conf] >
708
smbldap Config file Location (bind parameters)
709
[/etc/smbldap-tools/smbldap_bind.conf] >
710
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
711
Let's start configuring the smbldap-tools scripts ...
713
. workgroup name: name of the domain Samba act as a PDC
714
workgroup name [DAMNATION] >
715
. netbios name: netbios name of the samba controller
716
netbios name [MERLIN] >
717
. logon drive: local path to which the home directory
718
will be connected (for NT Workstations). Ex: 'H:'
719
logon drive [X:] > H:
720
. logon home: home directory location (for Win95/98 or NT Workstation)
721
(use %U as username) Ex:'\\MERLIN\home\%U'
722
logon home (leave blank if you don't want homeDirectory)
723
[\\MERLIN\home\%U] > \\%L\%U
724
. logon path: directory where roaming profiles are stored.
725
Ex:'\\MERLIN\profiles\%U'
726
logon path (leave blank if you don't want roaming profile)
727
[\\MERLIN\profiles\%U] > \\%L\profiles\%U
728
. home directory prefix (use %U as username) [/home/%U] >
730
. default user netlogon script (use %U as username)
731
[%U.cmd] > scripts\logon.cmd
732
default password validation time (time in days) [45] > 180
733
. ldap suffix [dc=terpstra-world,dc=org] >
734
. ldap group suffix [ou=Groups] >
735
. ldap user suffix [ou=People] >
736
. ldap machine suffix [ou=People] >
737
. Idmap suffix [ou=Idmap] >
738
. sambaUnixIdPooldn: object where you want to store the next uidNumber
739
and gidNumber available for new users and groups
740
sambaUnixIdPooldn object (relative to ${suffix})
741
[sambaDomainName=DAMNATION] >
742
. ldap master server:
743
IP address or DNS name of the master (writable) ldap server
744
ldap master server [] > 127.0.0.1
745
. ldap master port [389] >
746
. ldap master bind dn [cn=Manager,dc=terpstra-world,dc=org] >
747
. ldap master bind password [] >
748
. ldap slave server: IP address or DNS name of the slave ldap server:
749
can also be the master one
750
ldap slave server [] > 127.0.0.1
751
. ldap slave port [389] >
752
. ldap slave bind dn [cn=Manager,dc=terpstra-world,dc=org] >
753
. ldap slave bind password [] >
754
. ldap tls support (1/0) [0] >
755
. SID for domain DAMNATION: SID of the domain
756
(can be obtained with 'net getlocalsid MERLIN')
757
SID for domain DAMNATION []
758
> S-1-5-21-1385457007-882775198-1210191635
759
. unix password encryption: encryption used for unix passwords
760
unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
761
. default user gidNumber [513] >
762
. default computer gidNumber [515] >
763
. default login shell [/bin/bash] >
764
. default domain name to append to mail address [] >
766
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
767
backup old configuration files:
768
/etc/smbldap-tools/smbldap.conf->
769
/etc/smbldap-tools/smbldap.conf.old
770
/etc/smbldap-tools/smbldap_bind.conf->
771
/etc/smbldap-tools/smbldap_bind.conf.old
772
writing new configuration file:
773
/etc/smbldap-tools/smbldap.conf done.
774
/etc/smbldap-tools/smbldap_bind.conf done.
776
<indexterm><primary>sambaDomainName</primary></indexterm>
777
<indexterm><primary>NextFreeUnixId</primary></indexterm>
778
<indexterm><primary>updating smbldap-tools</primary></indexterm>
779
<indexterm><primary>smbldap-tools updating</primary></indexterm>
780
Note that the NT4 domain SID that was previously obtained was entered above. Also,
781
the sambaUnixIdPooldn object was specified as sambaDomainName=DAMNATION. This is
782
the location into which the Idealx smbldap-tools store the next available UID/GID
783
information. It is also where Samba stores domain specific information such as the
784
next RID, the SID, and so on. In older version of the smbldap-tools this information
785
was stored in the sambaUnixIdPooldn DIT location cn=NextFreeUnixId. Where smbldap-tools
786
are being upgraded to version 0.9.1 it is appropriate to update this to the new location
787
only if the directory information is also relocated.
791
Start the LDAP server using the system interface script. On Novell SLES9
792
this is done as shown here:
794
&rootprompt; rcldap start
799
Edit the <filename>/etc/nsswitch.conf</filename> file so it has the entries shown in
800
<link linkend="sbentnss2"/>. Note that the LDAP entries have now been uncommented.
803
<example id="sbentnss2">
804
<title>NT4 Migration NSS Control File: <filename>/etc/nsswitch.conf</filename> (Stage:2)</title>
810
hosts: files dns wins
824
#passwd_compat: ldap #Not needed.
825
#group_compat: ldap #Not needed.
830
The LDAP management password must be installed into the <filename>secrets.tdb</filename>
833
&rootprompt; smbpasswd -w not24get
834
Setting stored password for
835
"cn=Manager,dc=terpstra-world,dc=org" in secrets.tdb
840
Populate the LDAP directory as shown here:
842
&rootprompt; /opt/IDEALX/sbin/smbldap-populate -a root -k 0 -m 0
843
Using workgroup name from sambaUnixIdPooldn (smbldap.conf):
844
sambaDomainName=DAMNATION
845
Using builtin directory structure
846
adding new entry: dc=terpstra-world,dc=org
847
adding new entry: ou=People,dc=terpstra-world,dc=org
848
adding new entry: ou=Groups,dc=terpstra-world,dc=org
849
entry ou=People,dc=terpstra-world,dc=org already exist.
850
adding new entry: ou=Idmap,dc=terpstra-world,dc=org
851
adding new entry: sambaDomainName=DAMNATION,dc=terpstra-world,dc=org
852
adding new entry: uid=root,ou=People,dc=terpstra-world,dc=org
853
adding new entry: uid=nobody,ou=People,dc=terpstra-world,dc=org
854
adding new entry: cn=Domain Admins,ou=Groups,dc=terpstra-world,dc=org
855
adding new entry: cn=Domain Users,ou=Groups,dc=terpstra-world,dc=org
856
adding new entry: cn=Domain Guests,ou=Groups,dc=terpstra-world,dc=org
857
adding new entry: cn=Domain Computers,ou=Groups,dc=terpstra-world,dc=org
858
adding new entry: cn=Administrators,ou=Groups,dc=terpstra-world,dc=org
859
adding new entry: cn=Print Operators,ou=Groups,dc=terpstra-world,dc=org
860
adding new entry: cn=Backup Operators,ou=Groups,dc=terpstra-world,dc=org
861
adding new entry: cn=Replicators,ou=Groups,dc=terpstra-world,dc=org
863
The script tries to add the ou=People container twice, hence the error message.
864
This is expected behavior.
868
<indexterm><primary>Novell SUSE SLES 9</primary></indexterm>
869
Restart the LDAP server following initialization of the LDAP directory. Execute the
870
system control script provided on your system. The following steps can be used on
873
&rootprompt; rcldap restart
874
&rootprompt; chkconfig ldap on
879
Verify that the new user accounts that have been added to the LDAP directory can be
882
&rootprompt; getent passwd
884
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
885
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
886
news:x:9:13:News system:/etc/news:/bin/bash
887
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
889
root:x:0:0:Netbios Domain Administrator:/home/users/root:/bin/false
890
nobody:x:999:514:nobody:/dev/null:/bin/false
892
Now repeat this for the group accounts as shown here:
894
&rootprompt; getent group
897
nogroup:x:65534:nobody
900
Domain Admins:x:512:root
903
Domain Computers:x:515:
904
Administrators:x:544:
905
Print Operators:x:550:
906
Backup Operators:x:551:
909
In both cases the LDAP accounts follow the <quote>+::0:</quote> entry.
913
Now it is time to join the Samba BDC to the target NT4 domain that is being
914
migrated to Samba-3 by executing the following:
916
&rootprompt; net rpc join -S TRANSGRESSION -U Administrator%not24get
917
merlin:/opt/IDEALX/sbin # net rpc join -S TRANSGRESSION \
918
-U Administrator%not24get
919
Joined domain DAMNATION.
924
Set the new domain administrator (root) password for both UNIX and Windows as shown here:
926
&rootprompt; /opt/IDEALX/sbin/smbldap-passwd root
927
Changing password for root
928
New password : ********
929
Retype new password : ********
931
Note: During account migration, the Windows Administrator account will not be migrated
936
Now validate that these accounts can be resolved using Samba's tools as
937
shown here for user accounts:
939
&rootprompt; pdbedit -Lw
940
root:0:84B0D8E14D158FF8417EAF50CFAC29C3:
941
AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[U ]:LCT-425F6467:
942
nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:
943
NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU ]:LCT-00000000:
945
Now complete the following step to validate that group account mappings have
948
&rootprompt; net groupmap list
949
Domain Admins (S-1-5-21-1385457007-882775198-1210191635-512)
951
Domain Users (S-1-5-21-1385457007-882775198-1210191635-513)
953
Domain Guests (S-1-5-21-1385457007-882775198-1210191635-514)
955
Domain Computers (S-1-5-21-1385457007-882775198-1210191635-515)
956
-> Domain Computers
957
Administrators (S-1-5-32-544) -> Administrators
958
Print Operators (S-1-5-32-550) -> Print Operators
959
Backup Operators (S-1-5-32-551) -> Backup Operators
960
Replicators (S-1-5-32-552) -> Replicators
962
These are the expected results for a correctly configured system.
966
Commence migration as shown here:
968
&rootprompt; net rpc vampire -S TRANSGRESSION \
969
-U Administrator%not24get > /tmp/vampire.log 2>1
971
Check the vampire log to confirm that only expected errors have been
972
reported. See <link linkend="sbevam1"/>.
976
The migration of user accounts can be quickly validated as follows:
978
&rootprompt; pdbedit -Lw
979
root:0:84B0D8E14D158FF8417EAF50CFAC29C3:...
980
nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:...
981
Administrator:0:84B0D8E14D158FF8417EAF50CFAC29C3:...
982
Guest:1:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:...
983
TRANSGRESSION$:2:CC044B748CEE294CE76B6B0D1B86C1A8:...
984
IUSR_TRANSGRESSION:3:64046AC81B056C375F9537FC409085F8:...
985
MIDEARTH$:4:E93186E5819706D2AAD3B435B51404EE:...
986
atrickhoffer:5:DC08CFE0C12B2867352502E32A407F23:...
987
barryf:6:B829BCDE01FF24376E45D5F10408CFBD:...
988
fsellerby:7:6A97CBEBE8F9826B417EAF50CFAC29C3:...
989
gdaison:8:48F6A8C8A900024351DA8C2061C5F1D3:...
990
hrambotham:9:7330D9EA0964465EAAD3B435B51404EE:...
991
jrhapsody:10:ACBA7D207E2BA35D9BD41A26B01626BD:...
992
maryk:11:293B5A4CA41F6CA1A7D80430B8342B73:...
993
jacko:12:8E8982D86BD037C364BBD09A598E07AD:...
994
bridge:13:0D2CA7D2BE67FE2193BE3A377C968336:...
995
sharpec:14:8841A75CAC19D2855D8B73B1F4D430F8:...
996
jimbo:15:6E8BDC904FD9EC5C17306D272A9441BB:...
997
dhenwick:16:D1694A03C33584BDAAD3B435B51404EE:...
998
dork:17:69E2D19E69A593D5AAD3B435B51404EE:...
999
blue:18:E355EBF9559979FEAAD3B435B51404EE:...
1000
billw:19:EE35C3481CF7F7DB484448BC86A641A5:...
1001
rfreshmill:20:7EC033B58661B60CAAD3B435B51404EE:...
1002
MAGGOT$:21:A3B9334765AD30F7AAD3B435B51404EE:...
1003
TRENTWARE$:22:1D92C8DD5E7F0DDF93BE3A377C968336:...
1004
MORTON$:23:89342E69DCA9D3F8AAD3B435B51404EE:...
1005
NARM$:24:2B93E2D1D25448BDAAD3B435B51404EE:...
1006
LAPDOG$:25:14AA535885120943AAD3B435B51404EE:...
1007
SCAVENGER$:26:B6288EB6D147B56F8963805A19B0ED49:...
1008
merlin$:27:820C50523F368C54AB9D85AE603AD09D:...
1013
The mapping of UNIX and Windows groups can be validated as show here:
1015
&rootprompt; net groupmap list
1016
Domain Admins (S-1-5-21-1385457007-882775198-1210191635-512)
1018
Domain Users (S-1-5-21-1385457007-882775198-1210191635-513)
1020
Domain Guests (S-1-5-21-1385457007-882775198-1210191635-514)
1022
Domain Computers (S-1-5-21-1385457007-882775198-1210191635-515)
1023
-> Domain Computers
1024
Administrators (S-1-5-32-544) -> Administrators
1025
Print Operators (S-1-5-32-550) -> Print Operators
1026
Backup Operators (S-1-5-32-551) -> Backup Operators
1027
Replicator (S-1-5-32-552) -> Replicators
1028
Engineers (S-1-5-21-1385457007-882775198-1210191635-1020) -> Engineers
1029
Marketoids (S-1-5-21-1385457007-882775198-1210191635-1022) -> Marketoids
1030
Gnomes (S-1-5-21-1385457007-882775198-1210191635-1023) -> Gnomes
1031
Catalyst (S-1-5-21-1385457007-882775198-1210191635-1024) -> Catalyst
1032
Recieving (S-1-5-21-1385457007-882775198-1210191635-1025) -> Recieving
1033
Rubberboot (S-1-5-21-1385457007-882775198-1210191635-1026) -> Rubberboot
1034
Sales (S-1-5-21-1385457007-882775198-1210191635-1027) -> Sales
1035
Accounting (S-1-5-21-1385457007-882775198-1210191635-1028) -> Accounting
1036
Shipping (S-1-5-21-1385457007-882775198-1210191635-1029) -> Shipping
1037
Account Operators (S-1-5-32-548) -> Account Operators
1038
Guests (S-1-5-32-546) -> Guests
1039
Server Operators (S-1-5-32-549) -> Server Operators
1040
Users (S-1-5-32-545) -> Users
1042
It is of vital importance that the domain SID portions of all group
1043
accounts are identical.
1047
The final responsibility in the migration process is to create identical
1048
shares and printing resources on the new Samba-3 server, copy all data
1049
across, set up privileges, and set share and file/directory access controls.
1053
<indexterm><primary>domain master</primary></indexterm>
1054
<indexterm><primary>PDC</primary></indexterm>
1055
Edit the &smb.conf; file to reset the parameter
1056
<smbconfoption name="domain master">Yes</smbconfoption> so that
1057
the Samba server functions as a PDC for the purpose of migration.
1058
Also, uncomment the deletion scripts so they will now be fully functional,
1059
enable the <parameter>wins support = yes</parameter> parameter and
1060
comment out the <parameter>wins server</parameter>. Validate the configuration
1061
with the <command>testparm</command> utility as shown here:
1063
&rootprompt; testparm
1064
Load smb config files from /etc/samba/smb.conf
1065
Processing section "[apps]"
1066
Processing section "[media]"
1067
Processing section "[homes]"
1068
Processing section "[printers]"
1069
Processing section "[netlogon]"
1070
Processing section "[profiles]"
1071
Processing section "[profdata]"
1072
Processing section "[print$]"
1073
Loaded services file OK.
1074
Server role: ROLE_DOMAIN_PDC
1075
Press enter to see a dump of your service definitions
1080
Now shut down the old NT4 PDC. Only when the old NT4 PDC and all
1081
NT4 BDCs have been shut down can the Samba-3 PDC be started.
1085
All workstations should function as they did with the old NT4 PDC. All
1086
interdomain trust accounts should remain in place and fully functional.
1087
All machine accounts and user logon accounts should also function correctly.
1091
The configuration of Samba-3 BDC servers can be accomplished now or at any
1092
convenient time in the future. Please refer to the carefully detailed process
1093
for doing so is outlined in <link linkend="sbehap-bldg1"/>.
1098
<sect3 id="sbevam1">
1099
<title>Migration Log Validation</title>
1102
The following <filename>vampire.log</filename> file is typical of a valid migration.
1104
adding user Administrator to group Domain Admins
1105
adding user atrickhoffer to group Engineers
1106
adding user dhenwick to group Engineers
1107
adding user dork to group Engineers
1108
adding user rfreshmill to group Marketoids
1109
adding user jacko to group Gnomes
1110
adding user jimbo to group Gnomes
1111
adding user maryk to group Gnomes
1112
adding user gdaison to group Gnomes
1113
adding user dhenwick to group Catalyst
1114
adding user jacko to group Catalyst
1115
adding user jacko to group Recieving
1116
adding user blue to group Recieving
1117
adding user hrambotham to group Rubberboot
1118
adding user billw to group Sales
1119
adding user bridge to group Sales
1120
adding user jrhapsody to group Sales
1121
adding user maryk to group Sales
1122
adding user rfreshmill to group Sales
1123
adding user fsellerby to group Sales
1124
adding user sharpec to group Sales
1125
adding user jimbo to group Accounting
1126
adding user gdaison to group Accounting
1127
adding user jacko to group Shipping
1128
adding user blue to group Shipping
1129
Fetching DOMAIN database
1130
Creating unix group: 'Engineers'
1131
Creating unix group: 'Marketoids'
1132
Creating unix group: 'Gnomes'
1133
Creating unix group: 'Catalyst'
1134
Creating unix group: 'Recieving'
1135
Creating unix group: 'Rubberboot'
1136
Creating unix group: 'Sales'
1137
Creating unix group: 'Accounting'
1138
Creating unix group: 'Shipping'
1139
Creating account: Administrator
1140
Creating account: Guest
1141
Creating account: TRANSGRESSION$
1142
Creating account: IUSR_TRANSGRESSION
1143
Creating account: MIDEARTH$
1144
Creating account: atrickhoffer
1145
Creating account: barryf
1146
Creating account: fsellerby
1147
Creating account: gdaison
1148
Creating account: hrambotham
1149
Creating account: jrhapsody
1150
Creating account: maryk
1151
Creating account: jacko
1152
Creating account: bridge
1153
Creating account: sharpec
1154
Creating account: jimbo
1155
Creating account: dhenwick
1156
Creating account: dork
1157
Creating account: blue
1158
Creating account: billw
1159
Creating account: rfreshmill
1160
Creating account: MAGGOT$
1161
Creating account: TRENTWARE$
1162
Creating account: MORTON$
1163
Creating account: NARM$
1164
Creating account: LAPDOG$
1165
Creating account: SCAVENGER$
1166
Creating account: merlin$
1167
Group members of Domain Admins: Administrator,
1168
Group members of Domain Users: Administrator(primary),
1169
TRANSGRESSION$(primary),IUSR_TRANSGRESSION(primary),
1170
MIDEARTH$(primary),atrickhoffer(primary),barryf(primary),
1171
fsellerby(primary),gdaison(primary),hrambotham(primary),
1172
jrhapsody(primary),maryk(primary),jacko(primary),bridge(primary),
1173
sharpec(primary),jimbo(primary),dhenwick(primary),dork(primary),
1174
blue(primary),billw(primary),rfreshmill(primary),MAGGOT$(primary),
1175
TRENTWARE$(primary),MORTON$(primary),NARM$(primary),
1176
LAPDOG$(primary),SCAVENGER$(primary),merlin$(primary),
1177
Group members of Domain Guests: Guest(primary),
1178
Group members of Engineers: atrickhoffer,dhenwick,dork,
1179
Group members of Marketoids: rfreshmill,
1180
Group members of Gnomes: jacko,jimbo,maryk,gdaison,
1181
Group members of Catalyst: dhenwick,jacko,
1182
Group members of Recieving: jacko,blue,
1183
Group members of Rubberboot: hrambotham,
1184
Group members of Sales: billw,bridge,jrhapsody,maryk,
1185
rfreshmill,fsellerby,sharpec,
1186
Group members of Accounting: jimbo,gdaison,
1187
Group members of Shipping: jacko,blue,
1188
Fetching BUILTIN database
1189
skipping SAM_DOMAIN_INFO delta for 'Builtin' (is not my domain)
1190
Creating unix group: 'Account Operators'
1191
Creating unix group: 'Guests'
1192
Creating unix group: 'Server Operators'
1193
Creating unix group: 'Users'
1202
<title>NT4 Migration Using tdbsam Backend</title>
1205
In this example, we change the domain name of the NT4 server from
1206
<constant>DRUGPREP</constant> to <constant>MEGANET</constant> prior to the use
1207
of the vampire (migration) tool. This migration process makes use of Linux system tools
1208
(like <command>useradd</command>) to add the accounts that are migrated into the
1209
UNIX/Linux <filename>/etc/passwd</filename> and <filename>/etc/group</filename>
1210
databases. These entries must therefore be present, and correct options specified,
1211
in your &smb.conf; file, or else the migration does not work as it should.
1215
<title>Migration Steps Using tdbsam</title>
1218
Prepare a Samba-3 server precisely per the instructions shown in <link linkend="Big500users"/>.
1219
Set the workgroup name to <constant>MEGANET</constant>.
1222
<step><para><indexterm>
1223
<primary>domain master</primary>
1224
</indexterm><indexterm>
1225
<primary>BDC</primary>
1227
Edit the &smb.conf; file to temporarily change the parameter
1228
<smbconfoption name="domain master">No</smbconfoption> so
1229
the Samba server functions as a BDC for the purpose of migration.
1233
Start Samba as you have done previously.
1236
<step><para><indexterm>
1237
<primary>net</primary>
1238
<secondary>rpc</secondary>
1239
<tertiary>join</tertiary>
1241
Join the NT4 Domain as a BDC, as shown here:
1243
&rootprompt; net rpc join -S oldnt4pdc -W MEGANET -UAdministrator%not24get
1244
Joined domain MEGANET.
1248
<step><para><indexterm>
1249
<primary>net</primary>
1250
<secondary>rpc</secondary>
1251
<tertiary>vampire</tertiary>
1253
You may vampire the accounts from the NT4 PDC by executing the command, as shown here:
1255
&rootprompt; net rpc vampire -S oldnt4pdc -U Administrator%not24get
1256
Fetching DOMAIN database
1257
SAM_DELTA_DOMAIN_INFO not handled
1258
Creating unix group: 'Domain Admins'
1259
Creating unix group: 'Domain Users'
1260
Creating unix group: 'Domain Guests'
1261
Creating unix group: 'Engineers'
1262
Creating unix group: 'Marketoids'
1263
Creating unix group: 'Account Operators'
1264
Creating unix group: 'Administrators'
1265
Creating unix group: 'Backup Operators'
1266
Creating unix group: 'Guests'
1267
Creating unix group: 'Print Operators'
1268
Creating unix group: 'Replicator'
1269
Creating unix group: 'Server Operators'
1270
Creating unix group: 'Users'
1271
Creating account: Administrator
1272
Creating account: Guest
1273
Creating account: oldnt4pdc$
1274
Creating account: jacko
1275
Creating account: maryk
1276
Creating account: bridge
1277
Creating account: sharpec
1278
Creating account: jimbo
1279
Creating account: dhenwick
1280
Creating account: dork
1281
Creating account: blue
1282
Creating account: billw
1283
Creating account: massive$
1284
Group members of Engineers: Administrator,
1285
sharpec(primary),bridge,billw(primary),dhenwick
1286
Group members of Marketoids: Administrator,jacko(primary),
1287
maryk(primary),jimbo,blue(primary),dork(primary)
1288
Creating unix group: 'Gnomes'
1289
Fetching BUILTIN database
1290
SAM_DELTA_DOMAIN_INFO not handled
1294
<step><para><indexterm>
1295
<primary>pdbedit</primary>
1297
At this point, we can validate our migration. Let's look at the accounts
1298
in the form in which they are seen in a smbpasswd file. This achieves that:
1300
&rootprompt; pdbedit -Lw
1301
Administrator:505:84B0D8E14D158FF8417EAF50CFAC29C3:
1302
AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[UX ]:LCT-3DF7AA9F:
1303
jimbo:512:6E9A2A51F64A1BD5C187B8085FE1D9DF:
1304
CDF7E305E639966E489A0CEFB95EE5E0:[UX ]:LCT-3E9362BC:
1305
sharpec:511:E4301A7CD8FDD1EC6BBF9BC19CDF8151:
1306
7000255938831D5B948C95C1931534C5:[UX ]:LCT-3E8B42C4:
1307
dhenwick:513:DCD8886141E3F892AAD3B435B51404EE:
1308
2DB36465949CB938DD98C312EFDC2639:[UX ]:LCT-3E939F41:
1309
bridge:510:3FE6873A43101B46417EAF50CFAC29C3:
1310
891741F481AF111B4CAA09A94016BD01:[UX ]:LCT-3E8B4291:
1311
blue:515:256D41D2559BB3D2AAD3B435B51404EE:
1312
9CCADDA4F7D281DD0FAD321478C6F971:[UX ]:LCT-3E939FDC:
1313
diamond$:517:6C8E7B64EDCDBC4218B6345447A4454B:
1314
3323AC63C666CFAACB60C13F65D54E9A:[S ]:LCT-00000000:
1315
oldnt4pdc$:507:3E39430CDCABB5B09ED320D0448AE568:
1316
95DBAF885854A919C7C7E671060478B9:[S ]:LCT-3DF7AA9F:
1317
Guest:506:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
1318
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DUX ]:LCT-3E93A008:
1319
billw:516:85380CA7C21B6EBE168C8150662AF11B:
1320
5D7478508293709937E55FB5FBA14C17:[UX ]:LCT-3FED7CA1:
1321
dork:514:78C70DDEC35A35B5AAD3B435B51404EE:
1322
0AD886E015AC595EC0AF40E6C9689E1A:[UX ]:LCT-3E939F9A:
1323
jacko:508:BC472F3BF9A0A5F63832C92FC614B7D1:
1324
0C6822AAF85E86600A40DC73E40D06D5:[UX ]:LCT-3E8B4242:
1325
maryk:509:3636AB7E12EBE79AB79AE2610DD89D4C:
1326
CF271B744F7A55AFDA277FF88D80C527:[UX ]:LCT-3E8B4270:
1330
<step><para><indexterm>
1331
<primary>pdbedit</primary>
1333
An expanded view of a user account entry shows more of what was
1334
obtained from the NT4 PDC:
1336
sleeth:~ # pdbedit -Lv maryk
1337
Unix username: maryk
1339
Account Flags: [UX ]
1340
User SID: S-1-5-21-1988699175-926296742-1295600288-1003
1341
Primary Group SID: S-1-5-21-1988699175-926296742-1295600288-1007
1342
Full Name: Mary Kathleen
1343
Home Directory: \\diamond\maryk
1345
Logon Script: scripts\logon.bat
1346
Profile Path: \\diamond\profiles\maryk
1348
Account desc: Peace Maker
1352
Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
1353
Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
1354
Password last set: Wed, 02 Apr 2003 13:05:04 GMT
1355
Password can change: 0
1356
Password must change: Mon, 18 Jan 2038 20:14:07 GMT
1360
<step><para><indexterm>
1361
<primary>net</primary>
1362
<secondary>group</secondary>
1364
The following command lists the long names of the groups that have been
1365
imported (vampired) from the NT4 PDC:
1367
&rootprompt; net group -l -Uroot%not24get -Smassive
1370
-----------------------------
1371
Engineers Snake Oil Engineers
1372
Marketoids Untrustworthy Hype Vendors
1373
Gnomes Plain Vanilla Garden Gnomes
1374
Replicator Supports file replication in a domain
1375
Guests Users granted guest access to the computer/domain
1376
Administrators Members can fully administer the computer/domain
1377
Users Ordinary users
1379
Everything looks well and in order.
1382
<step><para><indexterm>
1383
<primary>domain master</primary>
1384
</indexterm><indexterm>
1385
<primary>PDC</primary>
1387
Edit the &smb.conf; file to reset the parameter
1388
<smbconfoption name="domain master">Yes</smbconfoption> so
1389
the Samba server functions as a PDC for the purpose of migration.
1395
<title>Key Points Learned</title>
1398
Migration of an NT4 PDC database to a Samba-3 PDC is possible.
1403
An LDAP backend is a suitable vehicle for NT4 migrations.
1407
A tdbsam backend can be used to perform a migration.
1411
Multiple NT4 domains can be merged into a single Samba-3
1416
The net Samba-3 domain most likely requires some
1417
administration and updating before going live.
1426
<title>Questions and Answers</title>
1431
<qandaset defaultlabel="chap08qa" type="number">
1436
<primary>clean database</primary>
1438
Why must I start each migration with a clean database?
1445
<primary>merge</primary>
1447
This is a recommendation that permits the data from each NT4 domain to
1448
be kept separate until you are ready to merge them. Also, if you do not start with a clean database,
1449
you may find errors due to users or groups from multiple domains having the
1450
same name but different SIDs. It is better to permit each migration to complete
1451
without undue errors and then to handle the merging of vampired data under
1462
<primary>Domain SID</primary>
1464
Is it possible to set my domain SID to anything I like?
1471
<primary>auto-generated SID</primary>
1472
</indexterm><indexterm>
1473
<primary>SID</primary>
1474
</indexterm><indexterm>
1475
<primary>Domain SID</primary>
1477
Yes, so long as the SID you create has the same structure as an autogenerated SID.
1478
The typical SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where
1479
the XXXXXXXXXX can be any number with from 6 to 10 digits. On the other hand, why
1480
would you really want to create your own SID? I cannot think of a good reason.
1481
You may want to set the SID to one that is already in use somewhere on your network,
1482
but that is a little different from straight out creating your own domain SID.
1492
<primary>/etc/passwd</primary>
1493
</indexterm><indexterm>
1494
<primary>/etc/group</primary>
1495
</indexterm><indexterm>
1496
<primary>tdbsam</primary>
1497
</indexterm><indexterm>
1498
<primary>passdb backend</primary>
1499
</indexterm><indexterm>
1500
<primary>accounts</primary>
1501
<secondary>user</secondary>
1502
</indexterm><indexterm>
1503
<primary>accounts</primary>
1504
<secondary>group</secondary>
1505
</indexterm><indexterm>
1506
<primary>accounts</primary>
1507
<secondary>Domain</secondary>
1509
When using a tdbsam passdb backend, why must I have all domain user and group accounts
1510
in <filename>/etc/passwd</filename> and <filename>/etc/group</filename>?
1517
<primary>UID</primary>
1518
</indexterm><indexterm>
1519
<primary>GID</primary>
1520
</indexterm><indexterm>
1521
<primary>smbpasswd</primary>
1522
</indexterm><indexterm>
1523
<primary>/etc/passwd</primary>
1524
</indexterm><indexterm>
1525
<primary>Posix</primary>
1526
</indexterm><indexterm>
1527
<primary>LDAP database</primary>
1529
Samba-3 must be able to tie all user and group account SIDs to a UNIX UID or GID. Samba
1530
does not fabricate the UNIX IDs from thin air, but rather requires them to be located
1531
in a suitable place.
1535
When migrating a <filename>smbpasswd</filename> file to an LDAP backend, the
1536
UID of each account is taken together with the account information in the
1537
<filename>/etc/passwd</filename>, and both sets of data are used to create the account
1538
entry in the LDAP database.
1542
If you elect to create the POSIX account also, the entire UNIX account is copied to the
1543
LDAP backend. The same occurs with NT groups and UNIX groups. At the conclusion of
1544
migration to the LDAP database, the accounts may be removed from the UNIX database files.
1545
In short then, all UNIX and Windows networking accounts, both in tdbsam as well as in
1546
LDAP, require UIDs/GIDs.
1556
<primary>validate</primary>
1557
</indexterm><indexterm>
1558
<primary>connectivity</primary>
1559
</indexterm><indexterm>
1560
<primary>migration</primary>
1562
Why did you validate connectivity before attempting migration?
1569
Access validation before attempting to migrate NT4 domain accounts helps to pinpoint
1570
potential problems that may otherwise affect or impede account migration. I am always
1571
mindful of the 4 P's of migration: Planning Prevents Poor Performance.
1581
How would you merge 10 tdbsam-based domains into an LDAP database?
1588
<primary>risk</primary>
1589
</indexterm><indexterm>
1590
<primary>dump</primary>
1591
</indexterm><indexterm>
1592
<primary>tdbsam</primary>
1593
</indexterm><indexterm>
1594
<primary>Samba Domain</primary>
1595
</indexterm><indexterm>
1596
<primary>UID</primary>
1597
</indexterm><indexterm>
1598
<primary>GID</primary>
1599
</indexterm><indexterm>
1600
<primary>pdbedit</primary>
1601
</indexterm><indexterm>
1602
<primary>transfer</primary>
1603
</indexterm><indexterm>
1604
<primary>smbpasswd</primary>
1605
</indexterm><indexterm>
1606
<primary>LDAP</primary>
1607
</indexterm><indexterm>
1608
<primary>tool</primary>
1610
If you have 10 tdbsam Samba domains, there is considerable risk that there are a number of
1611
accounts that have the same UNIX identifier (UID/GID). This means that you almost
1612
certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd
1613
file format and then manually edit all records to ensure that each has a unique UID. Each
1614
file can then be imported a number of ways. You can use the <command>pdbedit</command> tool
1615
to affect a transfer from the smbpasswd file to LDAP, or you can migrate them en masse to
1616
tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that
1617
you have migrated before handing over access to a user. After all, too many users with a bad
1618
migration experience may threaten your career.
1628
<primary>machine accounts</primary>
1629
</indexterm><indexterm>
1630
<primary>accounts</primary>
1631
<secondary>machine</secondary>
1633
I want to change my domain name after I migrate all accounts from an NT4 domain to a
1634
Samba-3 domain. Does it make any sense to migrate the machine accounts in that case?
1641
<primary>registry</primary>
1642
</indexterm><indexterm>
1643
<primary>un-join</primary>
1644
</indexterm><indexterm>
1645
<primary>rejoin</primary>
1646
</indexterm><indexterm>
1647
<primary>tattooing</primary>
1649
I would recommend not to migrate the machine account. The machine accounts should still work, but there are registry entries
1650
on each Windows NT4 and upward client that have a tattoo of the old domain name. If you
1651
unjoin the domain and then rejoin the newly renamed Samba-3 domain, you can be certain to avoid
1652
this tattooing effect.
1662
<primary>multiple group mappings</primary>
1664
After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why?
1671
<primary>/etc/passwd</primary>
1672
</indexterm><indexterm>
1673
<primary>/etc/group</primary>
1675
Samba-3 currently does not implement multiple group membership internally. If you use the Windows
1676
NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group
1677
membership is stored in the POSIX groups area. If you use either tdbsam or smbpasswd backend,
1678
then multiple group membership is handled through the UNIX groups file. When you dump the user
1679
accounts, no group account information is provided. When you edit (change) UIDs and GIDs in each
1680
file to which you migrated the NT4 Domain data, do not forget to edit the UNIX <filename>/etc/passwd</filename>
1681
and <filename>/etc/group</filename> information also. That is where the multiple group information
1682
is most closely at your fingertips.
1692
How can I reset group membership after loading the account information into the LDAP database?
1699
<primary>SRVTOOLS.EXE</primary>
1701
You can use the NT4 Domain User Manager that can be downloaded from the Microsoft Web site. The
1702
installation file is called <filename>SRVTOOLS.EXE</filename>.
1712
<primary>group names</primary>
1714
What are the limits or constraints that apply to group names?
1721
<primary>limit</primary>
1722
</indexterm><indexterm>
1723
<primary>shadow-utils</primary>
1724
</indexterm><indexterm>
1725
<primary>groupadd</primary>
1726
</indexterm><indexterm>
1727
<primary>groupdel</primary>
1728
</indexterm><indexterm>
1729
<primary>groupmod</primary>
1730
</indexterm><indexterm>
1731
<primary>account names</primary>
1733
A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group
1734
name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows
1735
groups can contain upper- and lowercase characters, as well as spaces.
1736
Many UNIX system do not permit the use of uppercase characters, and some do not permit the
1737
space character either. A number of systems (i.e., Linux) work fine with both uppercase
1738
and space characters in group names, but the shadow-utils package that provides the group
1739
control functions (<command>groupadd</command>, <command>groupmod</command>, <command>groupdel</command>, and so on) do not permit them.
1740
Also, a number of UNIX systems management tools enforce their own particular interpretation
1741
of the POSIX standards and likewise do not permit uppercase or space characters in group
1742
or user account names. You have to experiment with your system to find what its
1753
<primary>vampire</primary>
1755
My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3
1756
LDAP backend system using the vampire process?
1763
UNIX UIDs and GIDs on most UNIX systems use an unsigned short or an unsigned integer. Recent Linux
1764
kernels support at least a much larger number. On systems that have a 16-bit constraint on UID/GIDs,
1765
you would not be able to migrate 323,000 accounts because this number cannot fit into a 16-bit unsigned
1766
integer. UNIX/Linux systems that have a 32-bit UID/GID can easily handle this number of accounts.
1767
Please check this carefully before you attempt to effect a migration using the vampire process.
1771
<primary>Migration speed</primary>
1773
Migration speed depends much on the processor speed, the network speed, disk I/O capability, and
1774
LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory that was mirroring LDAP
1775
to a second identical system over 1 Gb Ethernet, I was able to migrate around 180 user accounts
1776
per minute. Migration would obviously go much faster if LDAP mirroring were turned off during the migration.