One wonders how many NT4 systems will be left in service by the time you read this
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2601336"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2601342"></a>
Network administrators who want to migrate off a Windows NT4 environment know
one thing with certainty. They feel that NT4 has been abandoned, and they want
to update. The desire to get off NT4 and to not adopt Windows 200x and Active
Directory is driven by a mixture of concerns over complexity, cost, fear of
failure, and much more.
<a class="indexterm" name="id2601360"></a>
<a class="indexterm" name="id2601367"></a>
<a class="indexterm" name="id2601376"></a>
<a class="indexterm" name="id2601386"></a>
The migration from NT4 to Samba-3 can involve a number of factors, including
migration of data to another server, migration of network environment controls
such as group policies, and migration of the users, groups, and machine
<a class="indexterm" name="id2601402"></a>
It should be pointed out now that it is possible to migrate some systems from
a Windows NT4 domain environment to a Samba-3 domain environment. This is certainly
not possible in every case. It is possible to just migrate the domain accounts

Your objective is to document the process of migrating user and group accounts
from several NT4 domains into a single Samba-3 LDAP backend database.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2601476"></a>Dissection and Discussion</h2></div></div></div><p>
<a class="indexterm" name="id2601483"></a>
<a class="indexterm" name="id2601490"></a>
<a class="indexterm" name="id2601497"></a>
<a class="indexterm" name="id2601508"></a>
<a class="indexterm" name="id2601520"></a>
<a class="indexterm" name="id2601526"></a>
The migration process takes a snapshot of information that is stored in the
Windows NT4 registry-based accounts database. That information resides in
the Security Account Manager (SAM) portion of the NT4 registry under keys called
<code class="constant">SAM</code> and <code class="constant">SECURITY</code>.
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
<a class="indexterm" name="id2601551"></a>
<a class="indexterm" name="id2601558"></a>
The Windows NT4 registry keys called <code class="constant">SAM</code> and <code class="constant">SECURITY</code>
are protected so that you cannot view the contents. If you change the security setting
to reveal the contents under these hive keys, your Windows NT4 domain is crippled. Do not
do this unless you are willing to render your domain controller inoperative.
<a class="indexterm" name="id2601580"></a>
<a class="indexterm" name="id2601589"></a>
Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are.
While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server,
that may not be a good idea from an administration perspective. Since the process involves going

Directory. The diagram in <a class="link" href="ntmigration.html#ch8-migration" title="Figure 9.1. Schematic Explaining the net rpc vampire Process">“Schematic Explaining the net rpc vampire Process”</a> illustrates the effect of migration
from a Windows NT4 domain to a Samba domain.
</p><div class="figure"><a name="ch8-migration"></a><p class="title"><b>Figure 9.1. Schematic Explaining the <code class="literal">net rpc vampire</code> Process</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch8-migration.png" width="297" alt="Schematic Explaining the net rpc vampire Process"></div></div></div><br class="figure-break"><p>
<a class="indexterm" name="id2601750"></a>
<a class="indexterm" name="id2601756"></a>
If you want to merge multiple NT4 domain account databases into one Samba domain,
you must dump the contents of the first migration and edit it as appropriate. Then clean
out (remove) the tdbsam backend file (<code class="filename">passdb.tdb</code>) or the LDAP database
files. You must start each migration with a new database into which you merge your NT4
</p><p><a class="indexterm" name="id2601777"></a>
At this point, you are ready to perform the second migration, following the same steps as
for the first. In other words, dump the database, edit it, and then you may merge the
dump for the first and second migrations.
</p><p><a class="indexterm" name="id2601792"></a><a class="indexterm" name="id2601800"></a><a class="indexterm" name="id2601808"></a>
You must be careful. If you choose to migrate to an LDAP backend, your dump file
now contains the full account information, including the domain SID. The domain SID for each
of the two NT4 domains will be different. You must choose one and change the domain
portion of the account SIDs so that all are the same.
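The SID rewrite described above, as an added example (not code from the book): it parses the LDIF dumps taken after two NT4 migrations, rewrites the domain portion of every sambaSID and sambaPrimaryGroupSID to the chosen domain SID, keeps only that domain's sambaDomain object, and, going one step beyond the text, reports accounts whose RIDs would collide once the domain portion is unified. The attribute names are those of the Samba LDAP schema; the DNs, domain names and SIDs in the sample dumps are constructed.

```python
"""Unify the domain portion of Samba account SIDs when merging NT4 domain dumps.
Added example; Samba LDAP schema attribute names, constructed sample data."""
import re
from typing import Dict, List, Tuple

Entry = List[Tuple[str, str]]  # ordered (attribute, value) pairs, "dn" first

# Attributes whose value is a SID carrying the domain portion to rewrite.
SID_ATTRS = ("sambaSID", "sambaPrimaryGroupSID")
# S-1-5-21-<a>-<b>-<c> is a domain SID; a trailing -<RID> names an account in it.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")
# Well-known RIDs (512 Domain Admins, 513 Domain Users, ...) exist in every NT4
# domain, so the same RID appearing in two dumps is expected there, not a clash.
WELL_KNOWN_RIDS = {500, 501, 512, 513, 514, 515}


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, ' ' folds, '#' comments."""
    entries: List[Entry] = []
    current: Entry = []
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current:  # folded continuation line
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
        elif raw.strip() == "":
            if current:
                entries.append(current)
                current = []
        else:
            attr, _, val = raw.partition(":")
            current.append((attr.strip(), val.strip()))
    return entries


def to_ldif(entries: List[Entry]) -> str:
    return "\n\n".join("\n".join(f"{a}: {v}" for a, v in e) for e in entries) + "\n"


def rewrite_sid(sid: str, target_domain: str) -> Tuple[str, int]:
    """Replace the domain portion of sid; returns (new sid, rid), rid -1 for a bare domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not an NT domain SID: {sid}")
    rid = m.group(2)
    return (target_domain, -1) if rid is None else (f"{target_domain}-{rid}", int(rid))


def merge_dumps(dumps: List[str], target_domain: str):
    """Merge LDIF dumps from several NT4 domains under one chosen domain SID.
    Only the sambaDomain object matching target_domain is kept. Returns (merged
    entries, collisions); a collision (rid, dn_a, dn_b) is two accounts from
    different domains that would end up with the same SID after rewriting."""
    owner: Dict[int, Tuple[int, str]] = {}  # rid -> (dump index, dn) first seen
    collisions: List[Tuple[int, str, str]] = []
    merged: List[Entry] = []
    for idx, text in enumerate(dumps):
        for entry in parse_ldif(text):
            dn = next((v for a, v in entry if a == "dn"), "?")
            sid = next((v for a, v in entry if a == "sambaSID"), None)
            if ("objectClass", "sambaDomain") in entry and sid != target_domain:
                continue  # drop the sambaDomain objects of the domains not chosen
            rewritten: Entry = []
            for attr, val in entry:
                if attr in SID_ATTRS:
                    val, rid = rewrite_sid(val, target_domain)
                    if attr == "sambaSID" and rid >= 0 and rid not in WELL_KNOWN_RIDS:
                        if rid in owner and owner[rid][0] != idx:
                            collisions.append((rid, owner[rid][1], dn))
                        owner.setdefault(rid, (idx, dn))
                rewritten.append((attr, val))
            merged.append(rewritten)
    return merged, collisions


# Constructed sample dumps: two NT4 domains whose ordinary account RIDs overlap
# (alice and carol both hold RID 1000; Domain Users 513 exists in both, as expected).
DUMP_A = """\
dn: sambaDomainName=DOMAIN-A,dc=example,dc=org
objectClass: sambaDomain
sambaSID: S-1-5-21-1111-2222-3333

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111-2222-3333-1000
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-513

dn: cn=Domain Users,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1111-2222-3333-513
"""
DUMP_B = (DUMP_A.replace("DOMAIN-A", "DOMAIN-B")
          .replace("1111-2222-3333", "4444-5555-6666").replace("alice", "carol"))
TARGET = "S-1-5-21-1111-2222-3333"  # the domain SID we chose to keep


def run_merge():
    """Merge the two sample dumps under TARGET; returns (merged entries, collisions)."""
    return merge_dumps([DUMP_A, DUMP_B], TARGET)
```

Write `to_ldif(merged)` back out as the edited dump only after every reported collision has been resolved by assigning one of the two accounts a new RID.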
<a class="indexterm" name="id2601825"></a>
<a class="indexterm" name="id2601832"></a>
<a class="indexterm" name="id2601839"></a>
<a class="indexterm" name="id2601846"></a>
<a class="indexterm" name="id2601852"></a>
<a class="indexterm" name="id2601859"></a>
<a class="indexterm" name="id2601866"></a>
<a class="indexterm" name="id2601873"></a>
<a class="indexterm" name="id2601880"></a>
<a class="indexterm" name="id2601887"></a>
<a class="indexterm" name="id2601894"></a>
<a class="indexterm" name="id2601900"></a>
If you choose to use a tdbsam (<code class="filename">passdb.tdb</code>) backend file, your best choice
is to use <code class="literal">pdbedit</code> to export the contents of the tdbsam file into an
smbpasswd data file. This automatically strips out all domain-specific information,

(machine names, computer names, domain names, workgroup names ALL names!).
The migration process involves the following steps:
</p><div class="itemizedlist"><ul type="disc"><li><p>
Prepare the target Samba-3 server. This involves configuring Samba-3 for
migration to either a tdbsam or an ldapsam backend.
</p></li><li class="listitem"><p>
<a class="indexterm" name="id2602098"></a>
<a class="indexterm" name="id2602104"></a>
<a class="indexterm" name="id2602111"></a>
Clean up the source NT4 PDC. Delete all accounts that need not be migrated.
Delete all files that should not be migrated. Where possible, change NT group
names so there are no spaces or uppercase characters. This is important if
the target UNIX host insists on POSIX-compliant all lowercase user and group
</p></li><li class="listitem"><p>
Step through the migration process.
</p></li><li><p><a class="indexterm" name="id2602132"></a>
Remove the NT4 PDC from the network.
</p></li><li class="listitem"><p>
Upgrade the Samba-3 server from a BDC to a PDC, and validate all account
</p></li></ul></div><p>
It may help to use the above outline as a pre-migration checklist.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2602152"></a>NT4 Migration Using LDAP Backend</h3></div></div></div><p>
In this example, the migration is of an NT4 PDC to a Samba-3 PDC with an LDAP backend. The accounts about
to be migrated are shown in <a class="link" href="ntmigration.html#NT4DUM" title="Figure 9.2. View of Accounts in NT4 Domain User Manager">“View of Accounts in NT4 Domain User Manager”</a>. In this example, the
smbldap-tools scripts are used to add the migrated accounts to the ldapsam passdb backend.

that should be passed to them before attempting to perform the account migration. Note also
that the deletion scripts must be commented out during migration. These should be uncommented
following successful migration of the NT4 Domain accounts.
</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
Under absolutely no circumstances should the Samba daemons be started until instructed to do so.
Delete the <code class="filename">/etc/samba/secrets.tdb</code> file and all Samba control tdb files
before commencing the following configuration steps.
</p></div><div class="table"><a name="ch8-vampire"></a><p class="title"><b>Table 9.1. Samba <code class="filename">smb.conf</code> Scripts Essential to Samba Operation</b></p><div class="table-contents"><table summary="Samba smb.conf Scripts Essential to Samba Operation" border="1"><colgroup><col align="left"><col align="center"><col align="center"></colgroup><thead><tr><th align="left">Entity</th><th align="center">ldapsam Script</th><th align="center">tdbsam Script</th></tr></thead><tbody><tr><td align="left">Add User Accounts</td><td align="center">smbldap-useradd</td><td align="center">useradd</td></tr><tr><td align="left">Delete User Accounts</td><td align="center">smbldap-userdel</td><td align="center">userdel</td></tr><tr><td align="left">Add Group Accounts</td><td align="center">smbldap-groupadd</td><td align="center">groupadd</td></tr><tr><td align="left">Delete Group Accounts</td><td align="center">smbldap-groupdel</td><td align="center">groupdel</td></tr><tr><td align="left">Add User to Group</td><td align="center">smbldap-groupmod</td><td align="center">usermod (See Note)</td></tr><tr><td align="left">Add Machine Accounts</td><td align="center">smbldap-useradd</td><td align="center">useradd</td></tr></tbody></table></div></div><br class="table-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
<a class="indexterm" name="id2602354"></a>
<a class="indexterm" name="id2602361"></a>
<a class="indexterm" name="id2602368"></a>
The UNIX/Linux <code class="literal">usermod</code> utility does not permit simple user addition to (or deletion
of users from) groups. This is a feature provided by the smbldap-tools scripts. If you want this
capability, you must create your own tool to do this. Alternatively, you can search the Web
to locate a utility called <code class="literal">groupmem</code> (by George Kraft) that provides this functionality.
The <code class="literal">groupmem</code> utility was contributed to the shadow package but has not surfaced
in the formal commands provided by Linux distributions (March 2004).
</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
<a class="indexterm" name="id2602405"></a>
The <code class="literal">tdbdump</code> utility can be built from the Samba source-code tree. Not all Linux binary distributions include this tool. If it is missing from your
Linux distribution, you will need to build it yourself or else forgo its use.
<a class="indexterm" name="id2602425"></a>
Before starting the migration, all dead accounts were removed from the NT4 domain using the User Manager for Domains.
</p><div class="procedure"><a name="id2602435"></a><p class="title"><b>Procedure 9.1. User Migration Steps</b></p><div class="example"><a name="sbent4smb"></a><p class="title"><b>Example 9.1. NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2602495"></a><em class="parameter"><code>workgroup = DAMNATION</code></em></td></tr><tr><td><a class="indexterm" name="id2602507"></a><em class="parameter"><code>netbios name = MERLIN</code></em></td></tr><tr><td><a class="indexterm" name="id2602519"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id2602531"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2602543"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2602554"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2602566"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2602578"></a><em class="parameter"><code>smb ports = 139 445</code></em></td></tr><tr><td><a class="indexterm" name="id2602589"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2602601"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2602614"></a><em class="parameter"><code>#delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2602626"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd '%g'</code></em></td></tr>
<tr><td><a class="indexterm" name="id2602639"></a><em class="parameter"><code>#delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2602651"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2602664"></a><em class="parameter"><code>#delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2602677"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2602690"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2602702"></a><em class="parameter"><code>logon script = scripts\logon.cmd</code></em></td></tr><tr><td><a class="indexterm" name="id2602714"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2602726"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2602738"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2602750"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2602761"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2602773"></a><em class="parameter"><code>#wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2602785"></a><em class="parameter"><code>wins server = 192.168.123.124</code></em></td></tr><tr><td><a class="indexterm" name="id2602797"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=terpstra-world,dc=org</code></em></td></tr>
<tr><td><a class="indexterm" name="id2602809"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2602821"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2602833"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2602845"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2602857"></a><em class="parameter"><code>ldap suffix = dc=terpstra-world,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id2602869"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id2602880"></a><em class="parameter"><code>ldap timeout = 20</code></em></td></tr><tr><td><a class="indexterm" name="id2602892"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2602904"></a><em class="parameter"><code>idmap backend = ldap:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id2602916"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2602928"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2602940"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2602952"></a><em class="parameter"><code>ea support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2602963"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbent4smb2"></a><p class="title"><b>Example 9.2. NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2603009"></a><em class="parameter"><code>comment = Application Data</code></em></td></tr><tr><td><a class="indexterm" name="id2603020"></a><em class="parameter"><code>path = /data/home/apps</code></em></td></tr><tr><td><a class="indexterm" name="id2603032"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2603053"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2603064"></a><em class="parameter"><code>path = /home/users/%U/Documents</code></em></td></tr><tr><td><a class="indexterm" name="id2603076"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2603088"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2603100"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2603120"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2603132"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2603144"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2603155"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2603167"></a><em class="parameter"><code>use client driver = No</code></em></td></tr><tr><td><a class="indexterm" name="id2603179"></a><em class="parameter"><code>browseable = No</code></em></td></tr>
<tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2603199"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2603211"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2603223"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2603234"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2603255"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2603267"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2603279"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2603290"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2603311"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2603323"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2603335"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2603346"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2603367"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2603379"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbentslapd"></a><p class="title"><b>Example 9.3. NT4 Migration LDAP Server Configuration File: <code class="filename">/etc/openldap/slapd.conf</code> Part A</b></p><div class="example-contents"><pre class="screen">
Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2609437"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbentslapd"></a><p class="title"><b>Example 9.3. NT4 Migration LDAP Server Configuration File: <code class="filename">/etc/openldap/slapd.conf</code> Part A</b></p><div class="example-contents"><pre class="screen">
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
#passwd_compat: ldap #Not needed.
#group_compat: ldap #Not needed.
</pre></div></div><br class="example-break"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
Configure the Samba <code class="filename">smb.conf</code> file to create a BDC. An example configuration is
given in <a class="link" href="ntmigration.html#sbent4smb" title="Example 9.1. NT4 Migration Samba-3 Server smb.conf Part: A">“NT4 Migration Samba-3 Server smb.conf Part: A”</a>.
The delete scripts are commented out so that during the process of migration
no account information can be deleted. Note also that the example sets <code class="literal">ldap ssl = no</code>;
that is tolerable only because the directory runs on the same host (<code class="literal">idmap backend = ldap:ldap://localhost</code>).
If the LDAP server is on another machine, set <code class="literal">ldap ssl = start tls</code> so that the
<code class="literal">ldap admin dn</code> bind and the account data do not cross the network in cleartext.
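The settings this step relies on can be checked mechanically before the server is joined to the NT4 domain. The script below is an added example written for this edition, not part of the book's procedure or of Samba: it reads the <code class="literal">[global]</code> section of an <code class="filename">smb.conf</code> the way <code class="literal">smbd</code> does (last assignment wins, names case-insensitive, internal whitespace ignored) and reports any delete script that is still active, a <code class="literal">domain master</code> other than No, missing <code class="literal">domain logons</code>, and <code class="literal">ldap ssl = no</code> combined with a directory that is not on localhost. The sample configuration it writes is constructed for the example; <code class="literal">testparm -s</code> remains the authoritative parser.

```shell
#!/bin/sh
# Added example for this edition, not part of the book's procedure: a mechanical
# check of the smb.conf prepared in Step 1. Parameter names are those of
# smb.conf(5); the sample configuration written below is constructed.

# Print the effective value of one [global] parameter: the last uncommented
# assignment wins, names are case-insensitive and internal whitespace is
# ignored, which is how smbd itself treats them. Empty output = not set.
smbconf_get() {
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        /^[ \t]*[#;]/ { next }                              # comment line
        /^[ \t]*\[/ {                                       # [section] header
            s = tolower($0); gsub(/\[/, "", s); gsub(/]/, "", s); gsub(/[ \t]/, "", s)
            sect = s; next
        }
        sect == "global" && index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(key) == want) last = val
        }
        END { print last }' "$1"
}

# True when an LDAP URL points at this host (cleartext never leaves the box).
ldap_is_local() {
    case "$1" in
        *localhost*|*127.0.0.1*|*ldapi:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when smb.conf is in the state the migration steps call for;
# otherwise print one FAIL line per problem and return 1.
migration_preflight() {
    conf=$1; rc=0

    # 1. No delete script may be active while net rpc vampire runs.
    for p in 'delete user script' 'delete group script' 'delete user from group script'; do
        if [ -n "$(smbconf_get "$conf" "$p")" ]; then
            echo "FAIL: '$p' is active; comment it out for the duration of the migration"; rc=1
        fi
    done

    # 2. The server must behave as a BDC until the NT4 PDC is shut down.
    case "$(smbconf_get "$conf" 'domain master' | tr 'A-Z' 'a-z')" in
        no|false|0) ;;
        *) echo "FAIL: 'domain master' must be No while the NT4 PDC is still running"; rc=1 ;;
    esac
    case "$(smbconf_get "$conf" 'domain logons' | tr 'A-Z' 'a-z')" in
        yes|true|1) ;;
        *) echo "FAIL: 'domain logons = Yes' is required on a domain controller"; rc=1 ;;
    esac

    # 3. 'ldap ssl = no' is tolerable only for a directory on this host;
    #    otherwise the admin bind and the account data cross the wire in clear.
    ssl=$(smbconf_get "$conf" 'ldap ssl' | tr 'A-Z' 'a-z')
    for p in 'passdb backend' 'idmap backend'; do
        v=$(smbconf_get "$conf" "$p")
        case "$v" in *ldap*) ;; *) continue ;; esac
        if ! ldap_is_local "$v" && { [ "$ssl" = no ] || [ "$ssl" = off ]; }; then
            echo "FAIL: '$p = $v' reaches a remote directory without TLS; set 'ldap ssl = start tls'"; rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring the book's migration-relevant settings.
make_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    workgroup = MEGANET
    passdb backend = ldapsam:ldap://localhost
    #delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'
    #delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'
    #delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'
    domain logons = Yes
    domain master = No
    ldap ssl = no
    idmap backend = ldap:ldap://localhost
[homes]
    path = /home/users/%U/Documents
    read only = No
EOF
}

# The same file with the delete scripts re-enabled and domain master = Yes:
# exactly the mistakes the procedure warns about.
make_broken_conf() {
    sed -e 's/^ *#delete/    delete/' -e 's/domain master = No/domain master = Yes/' "$1" > "$2"
}

# Stand-alone demonstration: the sample passes, the broken copy is rejected.
tmp=$(mktemp -d)
make_sample_conf "$tmp/smb.conf"
make_broken_conf "$tmp/smb.conf" "$tmp/bad.conf"
migration_preflight "$tmp/smb.conf" && echo "smb.conf: ready for the BDC join"
migration_preflight "$tmp/bad.conf" || echo "bad.conf: fix the problems above before joining"
rm -rf "$tmp"
```

Run it against the real file with <code class="literal">migration_preflight /etc/samba/smb.conf</code>; a non-zero exit means the server is not yet safe to join to the NT4 domain as a BDC.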
</p></li><li class="step" title="Step 2"><p>
<a class="indexterm" name="id2609455"></a>
Configure OpenLDAP in preparation for the migration. An example
<code class="filename">slapd.conf</code> file is shown in <a class="link" href="ntmigration.html#sbentslapd" title="Example 9.3. NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part A">“NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part A”</a>.
The <code class="constant">rootpw</code> value is a password hash, not a cleartext password; generate it with the
<code class="literal">slappasswd</code> command (which emits a salted SHA-1 hash in <code class="literal">{SSHA}</code> form by default)
and paste the result into <code class="filename">slapd.conf</code>. Because that file also names the directory's
administrative DN, keep it readable only by root and the account the directory server runs as.
</p></li><li class="step" title="Step 3"><p>
<a class="indexterm" name="id2609569"></a>
<a class="indexterm" name="id2609576"></a>
Install the PADL <code class="literal">nss_ldap</code> tool set, then configure the <code class="filename">/etc/ldap.conf</code> file
as shown in <a class="link" href="ntmigration.html#sbrntldapconf" title="Example 9.5. NT4 Migration NSS LDAP File: /etc/ldap.conf">“NT4 Migration NSS LDAP File: /etc/ldap.conf”</a>.
</p></li><li class="step" title="Step 4"><p>
<a class="indexterm" name="id2609637"></a>
Edit the <code class="filename">/etc/nsswitch.conf</code> file so it has the entries shown
in <a class="link" href="ntmigration.html#sbentnss" title="Example 9.6. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:1)">“NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:1)”</a>. Note that the LDAP entries have been commented out.
This is deliberate. If these entries are active (not commented out), and the
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
</p></li><li class="step" title="Step 22"><p>
Now shut down the old NT4 PDC. Only when the old NT4 PDC and all
NT4 BDCs have been shut down can the Samba-3 PDC be started.
</p></li><li class="step" title="Step 23"><p>
All workstations should function as they did with the old NT4 PDC. All
interdomain trust accounts should remain in place and fully functional.
All machine accounts and user logon accounts should also function correctly.
</p></li><li class="step" title="Step 24"><p>
The configuration of Samba-3 BDC servers can be accomplished now or at any
convenient time in the future. The process for doing so is detailed in
<a class="link" href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">“Samba-3 BDC Configuration”</a>.
</p></li></ol></div><div class="sect3" title="Migration Log Validation"><div class="titlepage"><div><div><h4 class="title"><a name="sbevam1"></a>Migration Log Validation</h4></div></div></div><p>
The following <code class="filename">vampire.log</code> file is typical of a valid migration.
</p><pre class="screen">
adding user Administrator to group Domain Admins
UNIX/Linux <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code>
databases. These entries must therefore be present, and correct options specified,
in your <code class="filename">smb.conf</code> file, or else the migration does not work as it should.
</p><div class="procedure" title="Procedure�9.2.�Migration Steps Using tdbsam"><a name="id2610716"></a><p class="title"><b>Procedure�9.2.�Migration Steps Using tdbsam</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>
Prepare a Samba-3 server precisely per the instructions shown in <a class="link" href="Big500users.html" title="Chapter 4. The 500-User Office">“The 500-User Office”</a>.
Set the workgroup name to <code class="constant">MEGANET</code>.
</p></li><li class="step" title="Step 2"><p><a class="indexterm" name="id2610744"></a><a class="indexterm" name="id2610752"></a>
Edit the <code class="filename">smb.conf</code> file to temporarily change the parameter
<a class="link" href="smb.conf.5.html#DOMAINMASTER" target="_top">domain master = No</a> so
the Samba server functions as a BDC for the purpose of migration.
</p></li><li class="step" title="Step 3"><p>
Start Samba as you have done previously.
</p></li><li class="step" title="Step 4"><p><a class="indexterm" name="id2610794"></a>
<a class="indexterm" name="id2610794"></a>
Join the NT4 Domain as a BDC, as shown here. The password is given on the command line only for brevity;
in practice omit the <code class="literal">%not24get</code> part so that <code class="literal">net</code> prompts for it,
because a password passed as an argument is visible to every local user in the process list and is recorded
in the shell history:
</p><pre class="screen">
<code class="prompt">root# </code> net rpc join -S oldnt4pdc -W MEGANET -UAdministrator%not24get
Joined domain MEGANET.
</p></li><li class="step" title="Step 5"><p><a class="indexterm" name="id2610829"></a>
You may vampire the accounts from the NT4 PDC by executing the command, as shown here:
</p><pre class="screen">
<code class="prompt">root# </code> net rpc vampire -S oldnt4pdc -U Administrator%not24get
Users Ordinary users
Everything looks well and in order.
</p></li><li class="step" title="Step 9"><p><a class="indexterm" name="id2611035"></a><a class="indexterm" name="id2611043"></a>
Edit the <code class="filename">smb.conf</code> file to reset the parameter
<a class="link" href="smb.conf.5.html#DOMAINMASTER" target="_top">domain master = Yes</a> so
that the Samba server now functions as the PDC, the migration being complete.
</p></li></ol></div></div><div class="sect2" title="Key Points Learned"><div class="titlepage"><div><div><h3 class="title"><a name="id2611075"></a>Key Points Learned</h3></div></div></div><p>
Migration of an NT4 PDC database to a Samba-3 PDC is possible.
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
An LDAP backend is a suitable vehicle for NT4 migrations.
</p></li><li class="listitem"><p>
A tdbsam backend can be used to perform a migration.
</p></li><li class="listitem"><p>
Multiple NT4 domains can be merged into a single Samba-3
</p></li><li class="listitem"><p>
The resulting Samba-3 domain most likely requires some
administration and updating before going live.
</p></li></ul></div></div></div><div class="sect1" title="Questions and Answers"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2611114"></a>Questions and Answers</h2></div></div></div><p>
</p><div class="qandaset" title="Frequently Asked Questions"><a name="id2611123"></a><dl><dt> <a href="ntmigration.html#id2611129">
Why must I start each migration with a clean database?
</a></dt><dt> <a href="ntmigration.html#id2611169">
Is it possible to set my domain SID to anything I like?
</a></dt><dt> <a href="ntmigration.html#id2611226">
When using a tdbsam passdb backend, why must I have all domain user and group accounts
in /etc/passwd and /etc/group?
</a></dt><dt> <a href="ntmigration.html#id2611406">
Why did you validate connectivity before attempting migration?
</a></dt><dt> <a href="ntmigration.html#id2611452">
How would you merge 10 tdbsam-based domains into an LDAP database?
</a></dt><dt> <a href="ntmigration.html#id2611574">
I want to change my domain name after I migrate all accounts from an NT4 domain to a
Samba-3 domain. Does it make any sense to migrate the machine accounts in that case?
</a></dt><dt> <a href="ntmigration.html#id2611650">
After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why?
</a></dt><dt> <a href="ntmigration.html#id2611715">
How can I reset group membership after loading the account information into the LDAP database?
</a></dt><dt> <a href="ntmigration.html#id2611749">
What are the limits or constraints that apply to group names?
</a></dt><dt> <a href="ntmigration.html#id2611854">
My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3
LDAP backend system using the vampire process?
</a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%"><col><tbody><tr class="question"><td align="left" valign="top"><a name="id2611129"></a><a name="id2611131"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611134"></a>
Why must I start each migration with a clean database?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611150"></a>
This is a recommendation that permits the data from each NT4 domain to
be kept separate until you are ready to merge them. Also, if you do not start with a clean database,
you may find errors due to users or groups from multiple domains having the
same name but different SIDs. It is better to permit each migration to complete
without undue errors and then to handle the merging of vampired data under
proper supervision.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611169"></a><a name="id2611172"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611175"></a>
Is it possible to set my domain SID to anything I like?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611190"></a><a class="indexterm" name="id2611198"></a><a class="indexterm" name="id2611206"></a>
Yes, so long as the SID you create has the same structure as an autogenerated SID.
A domain SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where
each XXXXXXXXXX is an unsigned 32-bit integer written in decimal, that is, a number no larger
than 4294967295 and so at most 10 digits long (autogenerated values are normally large). On the other hand, why
would you really want to create your own SID? I cannot think of a good reason.
You may want to set the SID to one that is already in use somewhere on your network,
but that is a little different from straight out creating your own domain SID.
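A hand-made SID is accepted only if it parses like an autogenerated one, so it pays to check its shape before handing it to <code class="literal">net setlocalsid</code>. The shell function below is an added example, not code from the book or from Samba; the SIDs it is fed are constructed. It requires the <code class="literal">S-1-5-21</code> prefix, exactly three sub-authorities, and a value for each that is a plain decimal number within the unsigned 32-bit range.

```shell
#!/bin/sh
# Added example, not from the book: check that a string has the structure of
# an NT domain SID, S-1-5-21-A-B-C, where A, B and C are unsigned 32-bit
# integers written in decimal (0 .. 4294967295). The SIDs below are constructed.

# usage: valid_domain_sid SID   -> exit 0 if well-formed, 1 otherwise
valid_domain_sid() {
    case "$1" in
        S-1-5-21-*) ;;
        *) return 1 ;;          # wrong prefix, e.g. a BUILTIN S-1-5-32-... SID
    esac
    rest=${1#S-1-5-21-}
    case "$rest" in
        -*|*-|*--*) return 1 ;; # empty sub-authority field
    esac
    # Split on '-' only; a fourth field is an error.
    oldifs=$IFS; IFS=-; set -- $rest; IFS=$oldifs
    [ $# -eq 3 ] || return 1
    for sub in "$@"; do
        case "$sub" in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;   # digits only, no leading zeros
        esac
        [ ${#sub} -le 10 ] || return 1          # 2^32-1 has 10 digits
        [ "$sub" -le 4294967295 ] || return 1   # and must not exceed it
    done
    return 0
}

# Stand-alone demonstration on constructed values.
for sid in S-1-5-21-726309465-4007838170-1233433889 S-1-5-32-544 S-1-5-21-1-2-4294967296; do
    if valid_domain_sid "$sid"; then echo "ok      $sid"; else echo "invalid $sid"; fi
done
```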
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611226"></a><a name="id2611229"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611232"></a><a class="indexterm" name="id2611239"></a><a class="indexterm" name="id2611247"></a><a class="indexterm" name="id2611255"></a><a class="indexterm" name="id2611263"></a><a class="indexterm" name="id2611274"></a><a class="indexterm" name="id2611285"></a>
When using a tdbsam passdb backend, why must I have all domain user and group accounts
in <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code>?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611317"></a><a class="indexterm" name="id2611324"></a><a class="indexterm" name="id2611332"></a><a class="indexterm" name="id2611340"></a><a class="indexterm" name="id2611348"></a><a class="indexterm" name="id2611356"></a>
Samba-3 must be able to tie all user and group account SIDs to a UNIX UID or GID. Samba
does not fabricate the UNIX IDs from thin air, but rather requires them to be located
in a suitable place.
migration to the LDAP database, the accounts may be removed from the UNIX database files.
In short then, all UNIX and Windows networking accounts, both in tdbsam as well as in
LDAP, require UIDs/GIDs.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611406"></a><a name="id2611409"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611412"></a><a class="indexterm" name="id2611420"></a><a class="indexterm" name="id2611428"></a>
Why did you validate connectivity before attempting migration?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
Access validation before attempting to migrate NT4 domain accounts helps to pinpoint
potential problems that may otherwise affect or impede account migration. I am always
mindful of the 4 P's of migration: Planning Prevents Poor Performance.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611452"></a><a name="id2611454"></a></td><td align="left" valign="top"><p>
How would you merge 10 tdbsam-based domains into an LDAP database?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611465"></a><a class="indexterm" name="id2611473"></a><a class="indexterm" name="id2611481"></a><a class="indexterm" name="id2611488"></a><a class="indexterm" name="id2611496"></a><a class="indexterm" name="id2611504"></a><a class="indexterm" name="id2611512"></a><a class="indexterm" name="id2611520"></a><a class="indexterm" name="id2611527"></a><a class="indexterm" name="id2611535"></a><a class="indexterm" name="id2611543"></a>
If you have 10 tdbsam Samba domains, there is considerable risk that there are a number of
accounts that have the same UNIX identifier (UID/GID). This means that you almost
certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd
tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that
you have migrated before handing over access to a user. After all, too many users with a bad
migration experience may threaten your career.
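The UID/GID clashes this answer expects can be found mechanically once each domain has been dumped in smbpasswd format (<code class="literal">pdbedit -e smbpasswd:FILE</code> writes that format). The script below is an added example, not code from the book or from Samba: it reads several <code class="literal">name:uid:LMHASH:NTHASH:[flags]:LCT-hex:</code> files, one per domain, and reports numeric ids claimed by different names, names that map to different ids, and name/id pairs that recur in more than one dump and would silently collapse into one account after the merge. The field number holding the id is its first argument, so the same function also checks <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code> dumps (field 3), which the merge needs to be clean as well. The sample dumps are constructed.

```shell
#!/bin/sh
# Added example, not from the book: find UNIX id collisions across several
# account dumps before merging them into one LDAP directory.
# Input lines are smbpasswd(5) records, name:uid:LMHASH:NTHASH:[flags]:LCT-hex:,
# as written by pdbedit -e smbpasswd:FILE. The sample files below are constructed.

# usage: id_collisions IDFIELD FILE...
#   IDFIELD is the colon-separated field holding the numeric id:
#   2 for smbpasswd dumps, 3 for /etc/passwd or /etc/group.
# Prints one line per problem; exit status 1 if anything was found, else 0.
id_collisions() {
    idf=$1; shift
    awk -F: -v idf="$idf" '
        /^[ \t]*(#|$)/ { next }                     # comments and blank lines
        NF < idf || $idf !~ /^[0-9]+$/ {
            printf "MALFORMED %s:%d: %s\n", FILENAME, FNR, $0; bad++; next
        }
        {
            name = $1; id = $idf + 0
            if (!((id, name) in seen)) {            # first time this pair is seen
                seen[id, name] = 0
                idcount[id]++;     idnames[id] = idnames[id] " " name
                namecount[name]++; nameids[name] = nameids[name] " " id
            }
            seen[id, name]++
            where[id, name] = where[id, name] " " FILENAME
        }
        END {
            for (i in idcount)   if (idcount[i] > 1)   { printf "ID %s claimed by:%s\n", i, idnames[i]; bad++ }
            for (n in namecount) if (namecount[n] > 1) { printf "NAME %s maps to ids:%s\n", n, nameids[n]; bad++ }
            for (k in seen) if (seen[k] > 1) {
                split(k, p, SUBSEP)
                printf "SAME %s:%s appears in%s (merges into one account)\n", p[2], p[1], where[k]; bad++
            }
            exit bad ? 1 : 0
        }' "$@"
}

# Constructed dumps, one per former NT4 domain, in the layout pdbedit -e
# smbpasswd:FILE produces; the hash fields carry the "no password" placeholder.
make_sample_dumps() {
    h=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    cat > "$1/dom1.smbpasswd" <<EOF
root:0:$h:$h:[U          ]:LCT-00000000:
alice:1001:$h:$h:[U          ]:LCT-00000000:
bob:1002:$h:$h:[U          ]:LCT-00000000:
EOF
    cat > "$1/dom2.smbpasswd" <<EOF
root:0:$h:$h:[U          ]:LCT-00000000:
carol:1001:$h:$h:[U          ]:LCT-00000000:
alice:1003:$h:$h:[U          ]:LCT-00000000:
EOF
    cat > "$1/dom3.smbpasswd" <<EOF
# exported from the third domain
dave:1002:$h:$h:[U          ]:LCT-00000000:

EOF
}

# Stand-alone demonstration: uid 1001 and 1002 are each claimed twice, alice has
# two uids, and root:0 recurs, so the merge must not proceed as-is.
tmp=$(mktemp -d)
make_sample_dumps "$tmp"
id_collisions 2 "$tmp"/dom*.smbpasswd || echo "resolve the ids above before loading anything into LDAP"
rm -rf "$tmp"
```

Clear every reported line (renumber, rename, or deliberately accept the collapse) before the dumps are loaded, then re-run the check over the final set; the exit status makes it usable as a gate in a migration script.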
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611574"></a><a name="id2611576"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611580"></a><a class="indexterm" name="id2611588"></a>
I want to change my domain name after I migrate all accounts from an NT4 domain to a
Samba-3 domain. Does it make any sense to migrate the machine accounts in that case?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611608"></a><a class="indexterm" name="id2611616"></a><a class="indexterm" name="id2611624"></a><a class="indexterm" name="id2611632"></a>
I would recommend not migrating the machine accounts. They would still work, but there are registry entries
on each Windows NT4 and upward client that have a tattoo of the old domain name. If you
unjoin the domain and then rejoin the newly renamed Samba-3 domain, you can be certain to avoid
this tattooing effect.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611650"></a><a name="id2611652"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611655"></a>
After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611672"></a><a class="indexterm" name="id2611680"></a>
Samba-3 currently does not implement multiple group membership internally. If you use the Windows
NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group
membership is stored in the POSIX groups area. If you use either tdbsam or smbpasswd backend,
file to which you migrated the NT4 Domain data, do not forget to edit the UNIX <code class="filename">/etc/passwd</code>
and <code class="filename">/etc/group</code> information also. That is where the multiple group information
is most closely at your fingertips.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611715"></a><a name="id2611717"></a></td><td align="left" valign="top"><p>
How can I reset group membership after loading the account information into the LDAP database?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611728"></a>
You can use the NT4 Domain User Manager that can be downloaded from the Microsoft Web site. The
installation file is called <code class="filename">SRVTOOLS.EXE</code>.
</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611749"></a><a name="id2611751"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611754"></a>
What are the limits or constraints that apply to group names?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611770"></a><a class="indexterm" name="id2611778"></a><a class="indexterm" name="id2611786"></a><a class="indexterm" name="id2611794"></a><a class="indexterm" name="id2611802"></a><a class="indexterm" name="id2611809"></a>
A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group
name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows
groups can contain upper- and lowercase characters, as well as spaces.