~ubuntu-branches/ubuntu/maverick/samba/maverick-security

Viewing changes to docs/htmldocs/Samba3-ByExample/ntmigration.html

Committer: Bazaar Package Importer
Author(s): Chuck Short
Date: 2010-01-29 06:16:15 UTC
mfrom: (0.27.9 upstream) (0.34.4 squeeze)
Revision ID: james.westby@ubuntu.com-20100129061615-37hs6xqpsdhjq3ld

Tags: 2:3.4.5~dfsg-1ubuntu1

* Merge from debian testing.  Remaining changes:
  + debian/patches/VERSION.patch:
    - set SAMBA_VERSION_SUFFIX to Ubuntu.
  + debian/smb.conf:
    - Add "(Samba, Ubuntu)" to server string.
    - Comment out the default [homes] share, and add a comment about "valid users = %s"
      to show users how to restrict access to \\server\username to only username.
    - Set 'usershare allow guests', so that usershare admins are allowed to create
      public shares in additon to authenticated ones.
    - add map to guest = Bad user, maps bad username to gues access.
  + debian/samba-common.conf:
    - Do not change priority to high if dhclient3 is installed.
    - Use priority medium instead of high for the workgroup question.
  + debian/mksambapasswd.awk:
    - Do not add user with UID less than 1000 to smbpasswd.
  + debian/control:
    - Make libswbclient0 replace/conflict with hardy's likewise-open.
    - Don't build against ctdb, since its not in main yet.
  + debian/rules:
    - Enable "native" PIE hardening.
    - Add BIND_NOW to maximize benefit of RELRO hardening.
  + Add ufw integration:
    - Created debian/samba.ufw.profile.
    - debian/rules, debian/samba.dirs, debian/samba.files: install
  + Add apoort hook:
    - Created debian/source_samba.py.
    - debian/rules, debian/samba.dirs, debian/samba-common-bin.files: install
  + debian/rules, debian/samba.if-up: allow "NetworkManager" as a recognized address
    family... it's obviously /not/ an address family, but it's what gets
    sent when using NM, so we'll cope for now.  (LP: #462169). Taken from karmic-proposed.
  + debian/control: Recommend keyutils for smbfs (LP: #493565)
  + Dropped patches:
    - debian/patches/security-CVE-2009-3297.patch: No longer needed
    - debian/patches/fix-too-many-open-files.patch: No longer needed

files added:
.pc/debian-changes-2:3.4.5~dfsg-1ubuntu1

.pc/debian-changes-2:3.4.5~dfsg-1ubuntu1/source3

.pc/debian-changes-2:3.4.5~dfsg-1ubuntu1/source3/client

.pc/debian-changes-2:3.4.5~dfsg-1ubuntu1/source3/client/mount.cifs.c

debian/patches/debian-changes-2:3.4.5~dfsg-1ubuntu1

docs-xml/registry/Win7_Samba3DomainMember.reg

docs-xml/smbdotconf/base/enablecorefiles.xml

docs-xml/smbdotconf/ldap/ldappagesize.xml

docs-xml/smbdotconf/misc/cachedirectory.xml

docs-xml/smbdotconf/misc/directorynamecachesize.xml

docs-xml/smbdotconf/misc/statedirectory.xml

docs-xml/smbdotconf/printing/enablespoolss.xml

docs-xml/smbdotconf/tuning/aiowritebehind.xml

docs/registry/Win7_Samba3DomainMember.reg

source3/include/krb5_protos.h

source3/include/smb_krb5.h

files removed:
.pc/fix-manpages-warnings.patch

.pc/fix-manpages-warnings.patch/docs

.pc/fix-manpages-warnings.patch/docs/manpages

.pc/fix-manpages-warnings.patch/docs/manpages/cifs.upcall.8

.pc/fix-manpages-warnings.patch/docs/manpages/eventlogadm.8

.pc/fix-manpages-warnings.patch/docs/manpages/findsmb.1

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_ad.8

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_adex.8

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_hash.8

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_ldap.8

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_nss.8

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_rid.8

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_tdb.8

.pc/fix-manpages-warnings.patch/docs/manpages/idmap_tdb2.8

.pc/fix-manpages-warnings.patch/docs/manpages/ldb.3

.pc/fix-manpages-warnings.patch/docs/manpages/ldbadd.1

.pc/fix-manpages-warnings.patch/docs/manpages/ldbdel.1

.pc/fix-manpages-warnings.patch/docs/manpages/ldbedit.1

.pc/fix-manpages-warnings.patch/docs/manpages/ldbmodify.1

.pc/fix-manpages-warnings.patch/docs/manpages/ldbsearch.1

.pc/fix-manpages-warnings.patch/docs/manpages/libsmbclient.7

.pc/fix-manpages-warnings.patch/docs/manpages/lmhosts.5

.pc/fix-manpages-warnings.patch/docs/manpages/log2pcap.1

.pc/fix-manpages-warnings.patch/docs/manpages/mount.cifs.8

.pc/fix-manpages-warnings.patch/docs/manpages/net.8

.pc/fix-manpages-warnings.patch/docs/manpages/nmbd.8

.pc/fix-manpages-warnings.patch/docs/manpages/nmblookup.1

.pc/fix-manpages-warnings.patch/docs/manpages/ntlm_auth.1

.pc/fix-manpages-warnings.patch/docs/manpages/pam_winbind.8

.pc/fix-manpages-warnings.patch/docs/manpages/pdbedit.8

.pc/fix-manpages-warnings.patch/docs/manpages/profiles.1

.pc/fix-manpages-warnings.patch/docs/manpages/rpcclient.1

.pc/fix-manpages-warnings.patch/docs/manpages/samba.7

.pc/fix-manpages-warnings.patch/docs/manpages/smb.conf.5

.pc/fix-manpages-warnings.patch/docs/manpages/smbcacls.1

.pc/fix-manpages-warnings.patch/docs/manpages/smbclient.1

.pc/fix-manpages-warnings.patch/docs/manpages/smbcontrol.1

.pc/fix-manpages-warnings.patch/docs/manpages/smbcquotas.1

.pc/fix-manpages-warnings.patch/docs/manpages/smbd.8

.pc/fix-manpages-warnings.patch/docs/manpages/smbget.1

.pc/fix-manpages-warnings.patch/docs/manpages/smbgetrc.5

.pc/fix-manpages-warnings.patch/docs/manpages/smbpasswd.5

.pc/fix-manpages-warnings.patch/docs/manpages/smbpasswd.8

.pc/fix-manpages-warnings.patch/docs/manpages/smbspool.8

.pc/fix-manpages-warnings.patch/docs/manpages/smbstatus.1

.pc/fix-manpages-warnings.patch/docs/manpages/smbtar.1

.pc/fix-manpages-warnings.patch/docs/manpages/smbtree.1

.pc/fix-manpages-warnings.patch/docs/manpages/swat.8

.pc/fix-manpages-warnings.patch/docs/manpages/tdbbackup.8

.pc/fix-manpages-warnings.patch/docs/manpages/tdbdump.8

.pc/fix-manpages-warnings.patch/docs/manpages/tdbtool.8

.pc/fix-manpages-warnings.patch/docs/manpages/testparm.1

.pc/fix-manpages-warnings.patch/docs/manpages/umount.cifs.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_audit.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_cacheprime.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_cap.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_catia.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_commit.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_default_quota.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_extd_audit.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_fake_perms.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_fileid.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_full_audit.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_gpfs.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_netatalk.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_notify_fam.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_prealloc.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_readahead.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_readonly.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_recycle.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_shadow_copy.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_shadow_copy2.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_smb_traffic_analyzer.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_streams_depot.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_streams_xattr.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfs_xattr_tdb.8

.pc/fix-manpages-warnings.patch/docs/manpages/vfstest.1

.pc/fix-manpages-warnings.patch/docs/manpages/wbinfo.1

.pc/fix-manpages-warnings.patch/docs/manpages/winbind_krb5_locator.7

.pc/fix-manpages-warnings.patch/docs/manpages/winbindd.8

.pc/fix-too-many-open-files.patch

.pc/fix-too-many-open-files.patch/source3

.pc/fix-too-many-open-files.patch/source3/include

.pc/fix-too-many-open-files.patch/source3/include/local.h

.pc/fix-too-many-open-files.patch/source3/param

.pc/fix-too-many-open-files.patch/source3/param/loadparm.c

.pc/fix-too-many-open-files.patch/source3/smbd

.pc/fix-too-many-open-files.patch/source3/smbd/files.c

.pc/security-CVE-2009-3297.patch

.pc/security-CVE-2009-3297.patch/source3

.pc/security-CVE-2009-3297.patch/source3/client

.pc/security-CVE-2009-3297.patch/source3/client/mount.cifs.c

debian/patches/fix-too-many-open-files.patch

debian/patches/security-CVE-2009-2813.patch

debian/patches/security-CVE-2009-2906.patch

debian/patches/security-CVE-2009-2948.patch

debian/patches/security-CVE-2009-3297.patch

source4/ldap_server/devdocs/draft-armijo-ldap-syntax-00.txt

source4/ldap_server/devdocs/ldapext-ldapv3-vlv-04.txt

files modified:
.pc/VERSION.patch/source3/VERSION

.pc/adapt_machine_creation_script.patch/docs/manpages/smb.conf.5

.pc/applied-patches

.pc/autoconf.patch/source3/configure

.pc/codepages-location.patch/source3/Makefile.in

.pc/debian-changes-2:3.4.3-2ubuntu1/source3/VERSION

.pc/documentation.patch/docs/manpages/lmhosts.5

.pc/documentation.patch/docs/manpages/nmbd.8

.pc/documentation.patch/docs/manpages/ntlm_auth.1

.pc/documentation.patch/docs/manpages/smbd.8

.pc/documentation.patch/docs/manpages/swat.8

.pc/documentation.patch/docs/manpages/tdbbackup.8

.pc/documentation.patch/docs/manpages/winbindd.8

.pc/external-talloc-support.patch/source3/configure.in

.pc/smbclient-pager.patch/source3/include/local.h

.pc/undefined-symbols.patch/source3/Makefile.in

.pc/usershare.patch/docs/manpages/net.8

.pc/usershare.patch/source3/param/loadparm.c

WHATSNEW.txt

debian/changelog

debian/control

debian/patches/adapt_machine_creation_script.patch

debian/patches/autoconf.patch

debian/patches/documentation.patch

debian/patches/series

debian/samba-common.dirs

debian/samba.postinst

debian/watch

docs-xml/manpages-3/mount.cifs.8.xml

docs-xml/manpages-3/pdbedit.8.xml

docs-xml/smbdotconf/filename/manglednames.xml

docs-xml/smbdotconf/locking/oplocks.xml

docs/Samba3-ByExample.pdf

docs/Samba3-Developers-Guide.pdf

docs/Samba3-HOWTO.pdf

docs/htmldocs/Samba3-ByExample/2000users.html

docs/htmldocs/Samba3-ByExample/Big500users.html

docs/htmldocs/Samba3-ByExample/DMSMig.html

docs/htmldocs/Samba3-ByExample/DomApps.html

docs/htmldocs/Samba3-ByExample/ExNetworks.html

docs/htmldocs/Samba3-ByExample/HA.html

docs/htmldocs/Samba3-ByExample/RefSection.html

docs/htmldocs/Samba3-ByExample/apa.html

docs/htmldocs/Samba3-ByExample/appendix.html

docs/htmldocs/Samba3-ByExample/ch14.html

docs/htmldocs/Samba3-ByExample/go01.html

docs/htmldocs/Samba3-ByExample/happy.html

docs/htmldocs/Samba3-ByExample/index.html

docs/htmldocs/Samba3-ByExample/ix01.html

docs/htmldocs/Samba3-ByExample/kerberos.html

docs/htmldocs/Samba3-ByExample/ntmigration.html

docs/htmldocs/Samba3-ByExample/nw4migration.html

docs/htmldocs/Samba3-ByExample/pr01.html

docs/htmldocs/Samba3-ByExample/pr02.html

docs/htmldocs/Samba3-ByExample/pr03.html

docs/htmldocs/Samba3-ByExample/preface.html

docs/htmldocs/Samba3-ByExample/primer.html

docs/htmldocs/Samba3-ByExample/secure.html

docs/htmldocs/Samba3-ByExample/simple.html

docs/htmldocs/Samba3-ByExample/small.html

docs/htmldocs/Samba3-ByExample/unixclients.html

docs/htmldocs/Samba3-ByExample/upgrades.html

docs/htmldocs/Samba3-Developers-Guide/CodingSuggestions.html

docs/htmldocs/Samba3-Developers-Guide/Packaging.html

docs/htmldocs/Samba3-Developers-Guide/architecture.html

docs/htmldocs/Samba3-Developers-Guide/contributing.html

docs/htmldocs/Samba3-Developers-Guide/debug.html

docs/htmldocs/Samba3-Developers-Guide/devprinting.html

docs/htmldocs/Samba3-Developers-Guide/index.html

docs/htmldocs/Samba3-Developers-Guide/internals.html

docs/htmldocs/Samba3-Developers-Guide/modules.html

docs/htmldocs/Samba3-Developers-Guide/ntdomain.html

docs/htmldocs/Samba3-Developers-Guide/parsing.html

docs/htmldocs/Samba3-Developers-Guide/pr01.html

docs/htmldocs/Samba3-Developers-Guide/pt01.html

docs/htmldocs/Samba3-Developers-Guide/pt02.html

docs/htmldocs/Samba3-Developers-Guide/pt03.html

docs/htmldocs/Samba3-Developers-Guide/pt04.html

docs/htmldocs/Samba3-Developers-Guide/pt05.html

docs/htmldocs/Samba3-Developers-Guide/pwencrypt.html

docs/htmldocs/Samba3-Developers-Guide/rpc-plugin.html

docs/htmldocs/Samba3-Developers-Guide/tracing.html

docs/htmldocs/Samba3-Developers-Guide/unix-smb.html

docs/htmldocs/Samba3-Developers-Guide/vfs.html

docs/htmldocs/Samba3-Developers-Guide/wins.html

docs/htmldocs/Samba3-HOWTO/AccessControls.html

docs/htmldocs/Samba3-HOWTO/AdvancedNetworkManagement.html

docs/htmldocs/Samba3-HOWTO/Appendix.html

docs/htmldocs/Samba3-HOWTO/Backup.html

docs/htmldocs/Samba3-HOWTO/CUPS-printing.html

docs/htmldocs/Samba3-HOWTO/ChangeNotes.html

docs/htmldocs/Samba3-HOWTO/ClientConfig.html

docs/htmldocs/Samba3-HOWTO/DNSDHCP.html

docs/htmldocs/Samba3-HOWTO/FastStart.html

docs/htmldocs/Samba3-HOWTO/InterdomainTrusts.html

docs/htmldocs/Samba3-HOWTO/IntroSMB.html

docs/htmldocs/Samba3-HOWTO/NT4Migration.html

docs/htmldocs/Samba3-HOWTO/NetCommand.html

docs/htmldocs/Samba3-HOWTO/NetworkBrowsing.html

docs/htmldocs/Samba3-HOWTO/Other-Clients.html

docs/htmldocs/Samba3-HOWTO/PolicyMgmt.html

docs/htmldocs/Samba3-HOWTO/Portability.html

docs/htmldocs/Samba3-HOWTO/ProfileMgmt.html

docs/htmldocs/Samba3-HOWTO/SWAT.html

docs/htmldocs/Samba3-HOWTO/SambaHA.html

docs/htmldocs/Samba3-HOWTO/ServerType.html

docs/htmldocs/Samba3-HOWTO/StandAloneServer.html

docs/htmldocs/Samba3-HOWTO/TOSHpreface.html

docs/htmldocs/Samba3-HOWTO/VFS.html

docs/htmldocs/Samba3-HOWTO/apa.html

docs/htmldocs/Samba3-HOWTO/bugreport.html

docs/htmldocs/Samba3-HOWTO/cfgsmarts.html

docs/htmldocs/Samba3-HOWTO/ch-ldap-tls.html

docs/htmldocs/Samba3-HOWTO/ch47.html

docs/htmldocs/Samba3-HOWTO/classicalprinting.html

docs/htmldocs/Samba3-HOWTO/compiling.html

docs/htmldocs/Samba3-HOWTO/diagnosis.html

docs/htmldocs/Samba3-HOWTO/domain-member.html

docs/htmldocs/Samba3-HOWTO/go01.html

docs/htmldocs/Samba3-HOWTO/groupmapping.html

docs/htmldocs/Samba3-HOWTO/idmapper.html

docs/htmldocs/Samba3-HOWTO/index.html

docs/htmldocs/Samba3-HOWTO/install.html

docs/htmldocs/Samba3-HOWTO/integrate-ms-networks.html

docs/htmldocs/Samba3-HOWTO/introduction.html

docs/htmldocs/Samba3-HOWTO/ix01.html

docs/htmldocs/Samba3-HOWTO/largefile.html

docs/htmldocs/Samba3-HOWTO/locking.html

docs/htmldocs/Samba3-HOWTO/migration.html

docs/htmldocs/Samba3-HOWTO/msdfs.html

docs/htmldocs/Samba3-HOWTO/optional.html

docs/htmldocs/Samba3-HOWTO/pam.html

docs/htmldocs/Samba3-HOWTO/passdb.html

docs/htmldocs/Samba3-HOWTO/pr01.html

docs/htmldocs/Samba3-HOWTO/pr02.html

docs/htmldocs/Samba3-HOWTO/pr03.html

docs/htmldocs/Samba3-HOWTO/problems.html

docs/htmldocs/Samba3-HOWTO/rights.html

docs/htmldocs/Samba3-HOWTO/samba-bdc.html

docs/htmldocs/Samba3-HOWTO/samba-pdc.html

docs/htmldocs/Samba3-HOWTO/securing-samba.html

docs/htmldocs/Samba3-HOWTO/speed.html

docs/htmldocs/Samba3-HOWTO/tdb.html

docs/htmldocs/Samba3-HOWTO/troubleshooting.html

docs/htmldocs/Samba3-HOWTO/type.html

docs/htmldocs/Samba3-HOWTO/unicode.html

docs/htmldocs/Samba3-HOWTO/upgrading-to-3.0.html

docs/htmldocs/Samba3-HOWTO/winbind.html

docs/htmldocs/manpages/cifs.upcall.8.html

docs/htmldocs/manpages/eventlogadm.8.html

docs/htmldocs/manpages/findsmb.1.html

docs/htmldocs/manpages/idmap_ad.8.html

docs/htmldocs/manpages/idmap_adex.8.html

docs/htmldocs/manpages/idmap_hash.8.html

docs/htmldocs/manpages/idmap_ldap.8.html

docs/htmldocs/manpages/idmap_nss.8.html

docs/htmldocs/manpages/idmap_rid.8.html

docs/htmldocs/manpages/idmap_tdb.8.html

docs/htmldocs/manpages/idmap_tdb2.8.html

docs/htmldocs/manpages/index.html

docs/htmldocs/manpages/ldb.3.html

docs/htmldocs/manpages/ldbadd.1.html

docs/htmldocs/manpages/ldbdel.1.html

docs/htmldocs/manpages/ldbedit.1.html

docs/htmldocs/manpages/ldbmodify.1.html

docs/htmldocs/manpages/ldbrename.1.html

docs/htmldocs/manpages/ldbsearch.1.html

docs/htmldocs/manpages/libsmbclient.7.html

docs/htmldocs/manpages/lmhosts.5.html

docs/htmldocs/manpages/log2pcap.1.html

docs/htmldocs/manpages/mount.cifs.8.html

docs/htmldocs/manpages/net.8.html

docs/htmldocs/manpages/nmbd.8.html

docs/htmldocs/manpages/nmblookup.1.html

docs/htmldocs/manpages/ntlm_auth.1.html

docs/htmldocs/manpages/pam_winbind.8.html

docs/htmldocs/manpages/pdbedit.8.html

docs/htmldocs/manpages/profiles.1.html

docs/htmldocs/manpages/rpcclient.1.html

docs/htmldocs/manpages/samba.7.html

docs/htmldocs/manpages/sharesec.1.html

docs/htmldocs/manpages/smb.conf.5.html

docs/htmldocs/manpages/smbcacls.1.html

docs/htmldocs/manpages/smbclient.1.html

docs/htmldocs/manpages/smbcontrol.1.html

docs/htmldocs/manpages/smbcquotas.1.html

docs/htmldocs/manpages/smbd.8.html

docs/htmldocs/manpages/smbget.1.html

docs/htmldocs/manpages/smbgetrc.5.html

docs/htmldocs/manpages/smbpasswd.5.html

docs/htmldocs/manpages/smbpasswd.8.html

docs/htmldocs/manpages/smbspool.8.html

docs/htmldocs/manpages/smbstatus.1.html

docs/htmldocs/manpages/smbtar.1.html

docs/htmldocs/manpages/smbtree.1.html

docs/htmldocs/manpages/swat.8.html

docs/htmldocs/manpages/tdbbackup.8.html

docs/htmldocs/manpages/tdbdump.8.html

docs/htmldocs/manpages/tdbtool.8.html

docs/htmldocs/manpages/testparm.1.html

docs/htmldocs/manpages/umount.cifs.8.html

docs/htmldocs/manpages/vfs_acl_tdb.8.html

docs/htmldocs/manpages/vfs_acl_xattr.8.html

docs/htmldocs/manpages/vfs_audit.8.html

docs/htmldocs/manpages/vfs_cacheprime.8.html

docs/htmldocs/manpages/vfs_cap.8.html

docs/htmldocs/manpages/vfs_catia.8.html

docs/htmldocs/manpages/vfs_commit.8.html

docs/htmldocs/manpages/vfs_default_quota.8.html

docs/htmldocs/manpages/vfs_dirsort.8.html

docs/htmldocs/manpages/vfs_extd_audit.8.html

docs/htmldocs/manpages/vfs_fake_perms.8.html

docs/htmldocs/manpages/vfs_fileid.8.html

docs/htmldocs/manpages/vfs_full_audit.8.html

docs/htmldocs/manpages/vfs_gpfs.8.html

docs/htmldocs/manpages/vfs_netatalk.8.html

docs/htmldocs/manpages/vfs_notify_fam.8.html

docs/htmldocs/manpages/vfs_prealloc.8.html

docs/htmldocs/manpages/vfs_preopen.8.html

docs/htmldocs/manpages/vfs_readahead.8.html

docs/htmldocs/manpages/vfs_readonly.8.html

docs/htmldocs/manpages/vfs_recycle.8.html

docs/htmldocs/manpages/vfs_shadow_copy.8.html

docs/htmldocs/manpages/vfs_shadow_copy2.8.html

docs/htmldocs/manpages/vfs_smb_traffic_analyzer.8.html

docs/htmldocs/manpages/vfs_streams_depot.8.html

docs/htmldocs/manpages/vfs_streams_xattr.8.html

docs/htmldocs/manpages/vfs_xattr_tdb.8.html

docs/htmldocs/manpages/vfstest.1.html

docs/htmldocs/manpages/wbinfo.1.html

docs/htmldocs/manpages/winbind_krb5_locator.7.html

docs/htmldocs/manpages/winbindd.8.html

docs/manpages/cifs.upcall.8

docs/manpages/eventlogadm.8

docs/manpages/findsmb.1

docs/manpages/idmap_ad.8

docs/manpages/idmap_adex.8

docs/manpages/idmap_hash.8

docs/manpages/idmap_ldap.8

docs/manpages/idmap_nss.8

docs/manpages/idmap_rid.8

docs/manpages/idmap_tdb.8

docs/manpages/idmap_tdb2.8

docs/manpages/ldb.3

docs/manpages/ldbadd.1

docs/manpages/ldbdel.1

docs/manpages/ldbedit.1

docs/manpages/ldbmodify.1

docs/manpages/ldbrename.1

docs/manpages/ldbsearch.1

docs/manpages/libsmbclient.7

docs/manpages/lmhosts.5

docs/manpages/log2pcap.1

docs/manpages/mount.cifs.8

docs/manpages/net.8

docs/manpages/nmbd.8

docs/manpages/nmblookup.1

docs/manpages/ntlm_auth.1

docs/manpages/pam_winbind.8

docs/manpages/pdbedit.8

docs/manpages/profiles.1

docs/manpages/rpcclient.1

docs/manpages/samba.7

docs/manpages/sharesec.1

docs/manpages/smb.conf.5

docs/manpages/smbcacls.1

docs/manpages/smbclient.1

docs/manpages/smbcontrol.1

docs/manpages/smbcquotas.1

docs/manpages/smbd.8

docs/manpages/smbget.1

docs/manpages/smbgetrc.5

docs/manpages/smbpasswd.5

docs/manpages/smbpasswd.8

docs/manpages/smbspool.8

docs/manpages/smbstatus.1

docs/manpages/smbtar.1

docs/manpages/smbtree.1

docs/manpages/swat.8

docs/manpages/tdbbackup.8

docs/manpages/tdbdump.8

docs/manpages/tdbtool.8

docs/manpages/testparm.1

docs/manpages/umount.cifs.8

docs/manpages/vfs_acl_tdb.8

docs/manpages/vfs_acl_xattr.8

docs/manpages/vfs_audit.8

docs/manpages/vfs_cacheprime.8

docs/manpages/vfs_cap.8

docs/manpages/vfs_catia.8

docs/manpages/vfs_commit.8

docs/manpages/vfs_default_quota.8

docs/manpages/vfs_dirsort.8

docs/manpages/vfs_extd_audit.8

docs/manpages/vfs_fake_perms.8

docs/manpages/vfs_fileid.8

docs/manpages/vfs_full_audit.8

docs/manpages/vfs_gpfs.8

docs/manpages/vfs_netatalk.8

docs/manpages/vfs_notify_fam.8

docs/manpages/vfs_prealloc.8

docs/manpages/vfs_preopen.8

docs/manpages/vfs_readahead.8

docs/manpages/vfs_readonly.8

docs/manpages/vfs_recycle.8

docs/manpages/vfs_shadow_copy.8

docs/manpages/vfs_shadow_copy2.8

docs/manpages/vfs_smb_traffic_analyzer.8

docs/manpages/vfs_streams_depot.8

docs/manpages/vfs_streams_xattr.8

docs/manpages/vfs_xattr_tdb.8

docs/manpages/vfstest.1

docs/manpages/wbinfo.1

docs/manpages/winbind_krb5_locator.7

docs/manpages/winbindd.8

lib/async_req/async_req.c

lib/async_req/async_req.h

lib/util/util.c

librpc/gen_ndr/cli_echo.c

librpc/gen_ndr/cli_epmapper.c

librpc/gen_ndr/cli_eventlog.c

librpc/gen_ndr/cli_ntsvcs.c

librpc/gen_ndr/cli_spoolss.c

librpc/gen_ndr/cli_spoolss.h

librpc/gen_ndr/cli_srvsvc.c

librpc/gen_ndr/cli_svcctl.c

librpc/gen_ndr/cli_winreg.c

librpc/gen_ndr/misc.h

librpc/gen_ndr/ndr_misc.c

librpc/gen_ndr/ndr_misc.h

librpc/gen_ndr/ndr_spoolss.c

librpc/gen_ndr/ndr_spoolss.h

librpc/gen_ndr/ndr_winreg.c

librpc/gen_ndr/ndr_winreg.h

librpc/gen_ndr/spoolss.h

librpc/gen_ndr/srv_spoolss.c

librpc/gen_ndr/winreg.h

librpc/idl/misc.idl

librpc/idl/spoolss.idl

librpc/idl/winreg.idl

nsswitch/winbind_krb5_locator.c

packaging/RHEL-CTDB/samba.spec

packaging/RHEL/makerpms.git.sh

packaging/RHEL/makerpms.sh

packaging/RHEL/makerpms.sh.tmpl

packaging/RHEL/samba.spec

pidl/lib/Parse/Pidl/Samba3/ClientNDR.pm

pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm

pidl/tests/samba3-cli.pl

release-scripts/create-tarball

source3/Makefile.in

source3/VERSION

source3/auth/auth_sam.c

source3/client/cifs.upcall.c

source3/configure

source3/configure.in

source3/include/ads.h

source3/include/authdata.h

source3/include/config.h.in

source3/include/includes.h

source3/include/proto.h

source3/include/version.h

source3/lib/dbwrap_util.c

source3/lib/util_reg.c

source3/libaddns/dnsgss.c

source3/libads/ads_status.c

source3/libads/authdata.c

source3/libads/kerberos.c

source3/libads/kerberos_keytab.c

source3/libads/kerberos_verify.c

source3/libads/krb5_errs.c

source3/libads/krb5_setpw.c

source3/libads/ldap.c

source3/libnet/libnet.h

source3/librpc/gen_ndr/messaging.h

source3/librpc/gen_ndr/notify.h

source3/libsmb/cliconnect.c

source3/libsmb/clikrb5.c

source3/libsmb/clispnego.c

source3/libsmb/libsmb_context.c

source3/libsmb/libsmb_dir.c

source3/libsmb/libsmb_path.c

source3/libsmb/libsmb_setget.c

source3/m4/aclocal.m4

source3/modules/vfs_cap.c

source3/modules/vfs_default.c

source3/passdb/pdb_ldap.c

source3/rpc_client/cli_lsarpc.c

source3/rpc_client/cli_netlogon.c

source3/rpc_client/cli_pipe.c

source3/rpc_client/cli_spoolss.c

source3/rpc_server/srv_pipe_hnd.c

source3/rpc_server/srv_samr_nt.c

source3/rpc_server/srv_spoolss_nt.c

source3/smbd/blocking.c

source3/smbd/dosmode.c

source3/smbd/mangle_hash.c

source3/smbd/nttrans.c

source3/smbd/open.c

source3/smbd/pipes.c

source3/smbd/posix_acls.c

source3/smbd/reply.c

source3/smbd/trans2.c

source3/utils/net_rpc.c

source3/utils/ntlm_auth.c

source3/utils/pdbedit.c

source3/winbindd/idmap_ldap.c

source3/winbindd/winbindd_cred_cache.c

source3/winbindd/winbindd_pam.c

source3/winbindd/winbindd_rpc.c

source4/torture/rpc/spoolss.c

source4/torture/rpc/spoolss_win.c

Show diffs side-by-side

added added

removed removed

docs/htmldocs/Samba3-ByExample/ntmigration.html

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�9.�Migrating NT4 Domain to Samba-3</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part�II.�Domain Members, Updating Samba and Migration"><link rel="prev" href="upgrades.html" title="Chapter�8.�Updating Samba-3"><link rel="next" href="nw4migration.html" title="Chapter�10.�Migrating NetWare Server to Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�9.�Migrating NT4 Domain to Samba-3</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrades.html">Prev</a>�</td><th width="60%" align="center">Part�II.�Domain Members, Updating Samba and Migration</th><td width="20%" align="right">�<a accesskey="n" href="nw4migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ntmigration"></a>Chapter�9.�Migrating NT4 Domain to Samba-3</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ntmigration.html#id2601336">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id2601421">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id2601476">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id2601662">Technical Issues</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id2601985">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id2602011">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id2602152">NT4 Migration Using LDAP Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id2604610">NT4 Migration Using tdbsam Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id2605017">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id2605055">Questions and Answers</a></span></dt></dl></div><p>

<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter�9.�Migrating NT4 Domain to Samba-3</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.75.2"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part�II.�Domain Members, Updating Samba and Migration"><link rel="prev" href="upgrades.html" title="Chapter�8.�Updating Samba-3"><link rel="next" href="nw4migration.html" title="Chapter�10.�Migrating NetWare Server to Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter�9.�Migrating NT4 Domain to Samba-3</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrades.html">Prev</a>�</td><th width="60%" align="center">Part�II.�Domain Members, Updating Samba and Migration</th><td width="20%" align="right">�<a accesskey="n" href="nw4migration.html">Next</a></td></tr></table><hr></div><div class="chapter" title="Chapter�9.�Migrating NT4 Domain to Samba-3"><div class="titlepage"><div><div><h2 class="title"><a name="ntmigration"></a>Chapter�9.�Migrating NT4 Domain to Samba-3</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ntmigration.html#id2607394">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id2607479">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id2607534">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id2607720">Technical Issues</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id2608043">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id2608069">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id2608210">NT4 Migration Using LDAP Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id2610669">NT4 Migration Using tdbsam Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id2611075">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id2611114">Questions and Answers</a></span></dt></dl></div><p>

Ever since Microsoft announced that it was discontinuing support for Windows

NT4, Samba users started to ask for detailed instructions on how to migrate

from NT4 to Samba-3. This chapter provides background information that should

</p><p>

One wonders how many NT4 systems will be left in service by the time you read this

book though.

</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2601336"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2601342"></a>

</p><div class="sect1" title="Introduction"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2607394"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2607401"></a>

Network administrators who want to migrate off a Windows NT4 environment know

one thing with certainty. They feel that NT4 has been abandoned, and they want

to update. The desire to get off NT4 and to not adopt Windows 200x and Active

Directory is driven by a mixture of concerns over complexity, cost, fear of

failure, and much more.

</p><p>

The migration from NT4 to Samba-3 can involve a number of factors, including

migration of data to another server, migration of network environment controls

such as group policies, and migration of the users, groups, and machine

accounts.

</p><p>

It should be pointed out now that it is possible to migrate some systems from

a Windows NT4 domain environment to a Samba-3 domain environment. This is certainly

not possible in every case. It is possible to just migrate the domain accounts

the exception than the rule. Most systems require some tweaking after

migration before an environment that is acceptable for immediate use

is obtained.

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601421"></a>Assignment Tasks</h3></div></div></div><p>

</p><div class="sect2" title="Assignment Tasks"><div class="titlepage"><div><div><h3 class="title"><a name="id2607479"></a>Assignment Tasks</h3></div></div></div><p>

You are about to migrate an MS Windows NT4 domain accounts database to

a Samba-3 server. The Samba-3 server is using a

<em class="parameter"><code>passdb backend</code></em> based on LDAP. The

</p><p>

Your objective is to document the process of migrating user and group accounts

from several NT4 domains into a single Samba-3 LDAP backend database.

</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2601476"></a>Dissection and Discussion</h2></div></div></div><p>

</p></div></div><div class="sect1" title="Dissection and Discussion"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2607534"></a>Dissection and Discussion</h2></div></div></div><p>

The migration process takes a snapshot of information that is stored in the

Windows NT4 registry-based accounts database. That information resides in

the Security Account Manager (SAM) portion of the NT4 registry under keys called

<code class="constant">SAM</code> and <code class="constant">SECURITY</code>.

</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>

</p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>

The Windows NT4 registry keys called <code class="constant">SAM</code> and <code class="constant">SECURITY</code>

are protected so that you cannot view the contents. If you change the security setting

to reveal the contents under these hive keys, your Windows NT4 domain is crippled. Do not

do this unless you are willing to render your domain controller inoperative.

</p></div><p>

Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are.

While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server,

that may not be a good idea from an administration perspective. Since the process involves going

review the structure of the network, how Windows clients are controlled and how they

interact with the network environment.

</p><p>

MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed

have done little to keep the NT4 server environment up to date with more recent Windows releases,

particularly Windows XP Professional. The migration provides opportunity to revise and update

as a good time to update desktop systems also. In all, the extra effort should constitute no

real disruption to users, but rather, with due diligence and care, should make their network experience

a much happier one.

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601662"></a>Technical Issues</h3></div></div></div><p>

</p><div class="sect2" title="Technical Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id2607720"></a>Technical Issues</h3></div></div></div><p>

Migration of an NT4 domain user and group database to Samba-3 involves a certain strategic

element. Many sites have asked for instructions regarding merging of multiple NT4

domains into one Samba-3 LDAP database. It seems that this is viewed as a significant

Directory. The diagram in <a class="link" href="ntmigration.html#ch8-migration" title="Figure�9.1.�Schematic Explaining the net rpc vampire Process">“Schematic Explaining the net rpc vampire Process”</a> illustrates the effect of migration

from a Windows NT4 domain to a Samba domain.

</p><div class="figure"><a name="ch8-migration"></a><p class="title"><b>Figure�9.1.�Schematic Explaining the <code class="literal">net rpc vampire</code> Process</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/ch8-migration.png" width="297" alt="Schematic Explaining the net rpc vampire Process"></div></div></div><br class="figure-break"><p>

If you want to merge multiple NT4 domain account databases into one Samba domain,

you must now dump the contents of the first migration and edit it as appropriate. Now clean

100

out (remove) the tdbsam backend file (<code class="filename">passdb.tdb</code>) or the LDAP database

101

files. You must start each migration with a new database into which you merge your NT4

102

domains.

103

</p><p><a class="indexterm" name="id2601777"></a>

103

</p><p><a class="indexterm" name="id2607835"></a>

104

At this point, you are ready to perform the second migration, following the same steps as

105

for the first. In other words, dump the database, edit it, and then you may merge the

106

dump for the first and second migrations.

107

</p><p><a class="indexterm" name="id2601792"></a><a class="indexterm" name="id2601800"></a><a class="indexterm" name="id2601808"></a>

107

</p><p><a class="indexterm" name="id2607850"></a><a class="indexterm" name="id2607858"></a><a class="indexterm" name="id2607866"></a>

108

You must be careful. If you choose to migrate to an LDAP backend, your dump file

109

now contains the full account information, including the domain SID. The domain SID for each

110

of the two NT4 domains will be different. You must choose one and change the domain

111

portion of the account SIDs so that all are the same.

112

</p><p>

113

114

115

116

117

118

119

120

121

122

123

124

113

114

115

116

117

118

119

120

121

122

123

124

125

If you choose to use a tdbsam (<code class="filename">passdb.tdb</code>) backend file, your best choice

126

is to use <code class="literal">pdbedit</code> to export the contents of the tdbsam file into an

127

smbpasswd data file. This automatically strips out all domain-specific information,

131

file must have an account in <code class="filename">/etc/passwd</code>. The resulting smbpasswd file

132

may be exported or imported into either a tdbsam (<code class="filename">passdb.tdb</code>) or

133

an LDAP backend.

134

</p><div class="figure"><a name="NT4DUM"></a><p class="title"><b>Figure�9.2.�View of Accounts in NT4 Domain User Manager</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UserMgrNT4.png" width="270" alt="View of Accounts in NT4 Domain User Manager"></div></div></div><br class="figure-break"></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2601985"></a>Political Issues</h3></div></div></div><p>

134

</p><div class="figure"><a name="NT4DUM"></a><p class="title"><b>Figure�9.2.�View of Accounts in NT4 Domain User Manager</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/UserMgrNT4.png" width="270" alt="View of Accounts in NT4 Domain User Manager"></div></div></div><br class="figure-break"></div><div class="sect2" title="Political Issues"><div class="titlepage"><div><div><h3 class="title"><a name="id2608043"></a>Political Issues</h3></div></div></div><p>

135

The merging of multiple Windows NT4-style domains into a single LDAP-backend-based Samba-3

136

domain may be seen by those who had power over them as a loss of prestige or a loss of

137

power. The imposition of a single domain may even be seen as a threat. So in migrating and

141

The best advice that can be given to those who set out to merge NT4 domains into a single

142

Samba-3 domain is to promote (sell) the action as one that reduces costs and delivers

143

greater network interoperability and manageability.

144

</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2602011"></a>Implementation</h2></div></div></div><p>

144

</p></div></div><div class="sect1" title="Implementation"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2608069"></a>Implementation</h2></div></div></div><p>

145

From feedback on the Samba mailing lists, it seems that most Windows NT4 migrations

146

to Samba-3 are being performed using a new server or a new installation of a Linux or UNIX

147

server. If you contemplate doing this, please note that the steps that follow in this

160

(machine names, computer names, domain names, workgroup names ALL names!).

161

</p><p>

162

The migration process involves the following steps:

163

</p><div class="itemizedlist"><ul type="disc"><li><p>

163

</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>

164

Prepare the target Samba-3 server. This involves configuring Samba-3 for

165

migration to either a tdbsam or an ldapsam backend.

166

</p></li><li><p>

167

168

169

166

</p></li><li class="listitem"><p>

167

168

169

170

Clean up the source NT4 PDC. Delete all accounts that need not be migrated.

171

Delete all files that should not be migrated. Where possible, change NT group

172

names so there are no spaces or uppercase characters. This is important if

173

the target UNIX host insists on POSIX-compliant all lowercase user and group

174

names.

175

</p></li><li><p>

175

</p></li><li class="listitem"><p>

176

Step through the migration process.

177

</p></li><li><p><a class="indexterm" name="id2602132"></a>

177

</p></li><li class="listitem"><p><a class="indexterm" name="id2608190"></a>

178

Remove the NT4 PDC from the network.

179

</p></li><li><p>

179

</p></li><li class="listitem"><p>

180

Upgrade the Samba-3 server from a BDC to a PDC, and validate all account

181

information.

182

</p></li></ul></div><p>

183

It may help to use the above outline as a pre-migration checklist.

184

</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2602152"></a>NT4 Migration Using LDAP Backend</h3></div></div></div><p>

184

</p><div class="sect2" title="NT4 Migration Using LDAP Backend"><div class="titlepage"><div><div><h3 class="title"><a name="id2608210"></a>NT4 Migration Using LDAP Backend</h3></div></div></div><p>

185

In this example, the migration is of an NT4 PDC to a Samba-3 PDC with an LDAP backend. The accounts about

186

to be migrated are shown in <a class="link" href="ntmigration.html#NT4DUM" title="Figure�9.2.�View of Accounts in NT4 Domain User Manager">“View of Accounts in NT4 Domain User Manager”</a>. In this example use is made of the

187

smbldap-tools scripts to add the accounts that are migrated into the ldapsam passdb backend.

194

that should be passed to them before attempting to perform the account migration. Note also

195

that the deletion scripts must be commented out during migration. These should be uncommented

196

following successful migration of the NT4 Domain accounts.

197

</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>

197

</p><div class="warning" title="Warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>

198

Under absolutely no circumstances should the Samba daemons be started until instructed to do so.

199

Delete the <code class="filename">/etc/samba/secrets.tdb</code> file and all Samba control tdb files

200

before commencing the following configuration steps.

201

</p></div><div class="table"><a name="ch8-vampire"></a><p class="title"><b>Table�9.1.�Samba <code class="filename">smb.conf</code> Scripts Essential to Samba Operation</b></p><div class="table-contents"><table summary="Samba smb.conf Scripts Essential to Samba Operation" border="1"><colgroup><col align="left"><col align="center"><col align="center"></colgroup><thead><tr><th align="left">Entity</th><th align="center">ldapsam Script</th><th align="center">tdbsam Script</th></tr></thead><tbody><tr><td align="left">Add User Accounts</td><td align="center">smbldap-useradd</td><td align="center">useradd</td></tr><tr><td align="left">Delete User Accounts</td><td align="center">smbldap-userdel</td><td align="center">userdel</td></tr><tr><td align="left">Add Group Accounts</td><td align="center">smbldap-groupadd</td><td align="center">groupadd</td></tr><tr><td align="left">Delete Group Accounts</td><td align="center">smbldap-groupdel</td><td align="center">groupdel</td></tr><tr><td align="left">Add User to Group</td><td align="center">smbldap-groupmod</td><td align="center">usermod (See Note)</td></tr><tr><td align="left">Add Machine Accounts</td><td align="center">smbldap-useradd</td><td align="center">useradd</td></tr></tbody></table></div></div><br class="table-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

202

203

204

201

</p></div><div class="table"><a name="ch8-vampire"></a><p class="title"><b>Table�9.1.�Samba <code class="filename">smb.conf</code> Scripts Essential to Samba Operation</b></p><div class="table-contents"><table summary="Samba smb.conf Scripts Essential to Samba Operation" border="1"><colgroup><col align="left"><col align="center"><col align="center"></colgroup><thead><tr><th align="left">Entity</th><th align="center">ldapsam Script</th><th align="center">tdbsam Script</th></tr></thead><tbody><tr><td align="left">Add User Accounts</td><td align="center">smbldap-useradd</td><td align="center">useradd</td></tr><tr><td align="left">Delete User Accounts</td><td align="center">smbldap-userdel</td><td align="center">userdel</td></tr><tr><td align="left">Add Group Accounts</td><td align="center">smbldap-groupadd</td><td align="center">groupadd</td></tr><tr><td align="left">Delete Group Accounts</td><td align="center">smbldap-groupdel</td><td align="center">groupdel</td></tr><tr><td align="left">Add User to Group</td><td align="center">smbldap-groupmod</td><td align="center">usermod (See Note)</td></tr><tr><td align="left">Add Machine Accounts</td><td align="center">smbldap-useradd</td><td align="center">useradd</td></tr></tbody></table></div></div><br class="table-break"><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

202

203

204

205

The UNIX/Linux <code class="literal">usermod</code> utility does not permit simple user addition to (or deletion

206

of users from) groups. This is a feature provided by the smbldap-tools scripts. If you want this

207

capability, you must create your own tool to do this. Alternately, you can search the Web

208

to locate a utility called <code class="literal">groupmem</code> (by George Kraft) that provides this functionality.

209

The <code class="literal">groupmem</code> utility was contributed to the shadow package but has not surfaced

210

in the formal commands provided by Linux distributions (March 2004).

211

</p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

212

211

</p></div><div class="note" title="Note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>

212

213

The <code class="literal">tdbdump</code> utility is a utility that you can build from the Samba source-code tree. Not all Linux binary distributions include this tool. If it is missing from your

214

Linux distribution, you will need to build this yourself or else forgo its use.

215

</p></div><p>

216

216

217

Before starting the migration, all dead accounts were removed from the NT4 domain using the User Manager for Domains.

218

</p><div class="procedure"><a name="id2602435"></a><p class="title"><b>Procedure�9.1.�User Migration Steps</b></p><div class="example"><a name="sbent4smb"></a><p class="title"><b>Example�9.1.�NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2602495"></a><em class="parameter"><code>workgroup = DAMNATION</code></em></td></tr><tr><td><a class="indexterm" name="id2602507"></a><em class="parameter"><code>netbios name = MERLIN</code></em></td></tr><tr><td><a class="indexterm" name="id2602519"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id2602531"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2602543"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2602554"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2602566"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2602578"></a><em class="parameter"><code>smb ports = 139 445</code></em></td></tr><tr><td><a class="indexterm" name="id2602589"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2602601"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2602614"></a><em class="parameter"><code>#delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2602626"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2602639"></a><em class="parameter"><code>#delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2602651"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/ smbldap-groupmod -m '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2602664"></a><em class="parameter"><code>#delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2602677"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2602690"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2602702"></a><em class="parameter"><code>logon script = scripts\logon.cmd</code></em></td></tr><tr><td><a class="indexterm" name="id2602714"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2602726"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2602738"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2602750"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2602761"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2602773"></a><em class="parameter"><code>#wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2602785"></a><em class="parameter"><code>wins server = 192.168.123.124</code></em></td></tr><tr><td><a class="indexterm" name="id2602797"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=terpstra-world,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id2602809"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2602821"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2602833"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2602845"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2602857"></a><em class="parameter"><code>ldap suffix = dc=terpstra-world,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id2602869"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id2602880"></a><em class="parameter"><code>ldap timeout = 20</code></em></td></tr><tr><td><a class="indexterm" name="id2602892"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2602904"></a><em class="parameter"><code>idmap backend = ldap:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id2602916"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2602928"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2602940"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2602952"></a><em class="parameter"><code>ea support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2602963"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbent4smb2"></a><p class="title"><b>Example�9.2.�NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2603009"></a><em class="parameter"><code>comment = Application Data</code></em></td></tr><tr><td><a class="indexterm" name="id2603020"></a><em class="parameter"><code>path = /data/home/apps</code></em></td></tr><tr><td><a class="indexterm" name="id2603032"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2603053"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2603064"></a><em class="parameter"><code>path = /home/users/%U/Documents</code></em></td></tr><tr><td><a class="indexterm" name="id2603076"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2603088"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2603100"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2603120"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2603132"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2603144"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2603155"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2603167"></a><em class="parameter"><code>use client driver = No</code></em></td></tr><tr><td><a class="indexterm" name="id2603179"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2603199"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2603211"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2603223"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2603234"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2603255"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2603267"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2603279"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2603290"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2603311"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2603323"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2603335"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2603346"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2603367"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2603379"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbentslapd"></a><p class="title"><b>Example�9.3.�NT4 Migration LDAP Server Configuration File: <code class="filename">/etc/openldap/slapd.conf</code> Part A</b></p><div class="example-contents"><pre class="screen">

218

</p><div class="procedure" title="Procedure�9.1.�User Migration Steps"><a name="id2608494"></a><p class="title"><b>Procedure�9.1.�User Migration Steps</b></p><div class="example"><a name="sbent4smb"></a><p class="title"><b>Example�9.1.�NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: A</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2608554"></a><em class="parameter"><code>workgroup = DAMNATION</code></em></td></tr><tr><td><a class="indexterm" name="id2608565"></a><em class="parameter"><code>netbios name = MERLIN</code></em></td></tr><tr><td><a class="indexterm" name="id2608577"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id2608589"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2608601"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2608612"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2608624"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2608636"></a><em class="parameter"><code>smb ports = 139 445</code></em></td></tr><tr><td><a class="indexterm" name="id2608648"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2608660"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2608672"></a><em class="parameter"><code>#delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2608685"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2608697"></a><em class="parameter"><code>#delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2608710"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/ smbldap-groupmod -m '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2608722"></a><em class="parameter"><code>#delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2608736"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2608748"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2608761"></a><em class="parameter"><code>logon script = scripts\logon.cmd</code></em></td></tr><tr><td><a class="indexterm" name="id2608773"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2608785"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2608796"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2608808"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2608820"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2608832"></a><em class="parameter"><code>#wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2608843"></a><em class="parameter"><code>wins server = 192.168.123.124</code></em></td></tr><tr><td><a class="indexterm" name="id2608855"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=terpstra-world,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id2608867"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2608879"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2608891"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2608903"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2608915"></a><em class="parameter"><code>ldap suffix = dc=terpstra-world,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id2608927"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id2608939"></a><em class="parameter"><code>ldap timeout = 20</code></em></td></tr><tr><td><a class="indexterm" name="id2608951"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2608963"></a><em class="parameter"><code>idmap backend = ldap:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id2608975"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2608986"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2608998"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2609010"></a><em class="parameter"><code>ea support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2609022"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbent4smb2"></a><p class="title"><b>Example�9.2.�NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: B</b></p><div class="example-contents"><table border="0" summary="Simple list" class="simplelist"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2609067"></a><em class="parameter"><code>comment = Application Data</code></em></td></tr><tr><td><a class="indexterm" name="id2609079"></a><em class="parameter"><code>path = /data/home/apps</code></em></td></tr><tr><td><a class="indexterm" name="id2609091"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2609111"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2609123"></a><em class="parameter"><code>path = /home/users/%U/Documents</code></em></td></tr><tr><td><a class="indexterm" name="id2609135"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2609146"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2609158"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2609178"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2609190"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2609202"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2609214"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2609225"></a><em class="parameter"><code>use client driver = No</code></em></td></tr><tr><td><a class="indexterm" name="id2609237"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2609258"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2609269"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2609281"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2609293"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2609313"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2609325"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2609337"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2609349"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2609369"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2609381"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2609393"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2609405"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2609425"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2609437"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="sbentslapd"></a><p class="title"><b>Example�9.3.�NT4 Migration LDAP Server Configuration File: <code class="filename">/etc/openldap/slapd.conf</code> Part A</b></p><div class="example-contents"><pre class="screen">

219

include /etc/openldap/schema/core.schema

220

include /etc/openldap/schema/cosine.schema

221

include /etc/openldap/schema/inetorgperson.schema

330

aliases: files

331

#passwd_compat: ldap #Not needed.

332

#group_compat: ldap #Not needed.

333

</pre></div></div><br class="example-break"><ol type="1"><li><p>

333

</pre></div></div><br class="example-break"><ol class="procedure" type="1"><li class="step" title="Step 1"><p>

334

Configure the Samba <code class="filename">smb.conf</code> file to create a BDC. An example configuration is

335

given in <a class="link" href="ntmigration.html#sbent4smb" title="Example�9.1.�NT4 Migration Samba-3 Server smb.conf Part: A">“NT4 Migration Samba-3 Server smb.conf Part: A”</a>.

336

The delete scripts are commented out so that during the process of migration

337

no account information can be deleted.

338

</p></li><li><p>

339

338

</p></li><li class="step" title="Step 2"><p>

339

340

Configure OpenLDAP in preparation for the migration. An example

341

<code class="filename">sladp.conf</code> file is shown in <a class="link" href="ntmigration.html#sbentslapd" title="Example�9.3.�NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part A">“NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part A”</a>.

342

The <code class="constant">rootpw</code> value is an encrypted password string that can

343

be obtained by executing the <code class="literal">slappasswd</code> command.

344

</p></li><li><p>

345

346

344

</p></li><li class="step" title="Step 3"><p>

345

346

347

Install the PADL <code class="literal">nss_ldap</code> tool set, then configure the <code class="filename">/etc/ldap.conf</code>

348

as shown in <a class="link" href="ntmigration.html#sbrntldapconf" title="Example�9.5.�NT4 Migration NSS LDAP File: /etc/ldap.conf">“NT4 Migration NSS LDAP File: /etc/ldap.conf”</a>.

349

</p></li><li><p>

350

349

</p></li><li class="step" title="Step 4"><p>

350

351

Edit the <code class="filename">/etc/nsswitch.conf</code> file so it has the entries shown

352

in <a class="link" href="ntmigration.html#sbentnss" title="Example�9.6.�NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:1)">“NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:1)”</a>. Note that the LDAP entries have been commented out.

353

This is deliberate. If these entries are active (not commented out), and the

357

open and therefore cannot gain exclusive control of it. By commenting these entries

358

out, it is possible to avoid this gridlock situation and thus the overall

359

installation and configuration will progress more smoothly.

360

</p></li><li><p>

360

</p></li><li class="step" title="Step 5"><p>

361

Validate the the target NT4 PDC name is being correctly resolved to its IP address by

362

executing the following:

363

</p><pre class="screen">

373

</pre><p>

374

Do not proceed to the next step if this step fails. It is imperative that the name of the PDC

375

can be resolved to its IP address. If this is broken, fix it.

376

</p></li><li><p>

376

</p></li><li class="step" title="Step 6"><p>

377

Pull the domain SID from the NT4 domain that is being migrated as follows:

378

</p><pre class="screen">

379

<code class="prompt">root# </code> net rpc getsid -S TRANGRESSION -U Administrator%not24get

391

</p><pre class="screen">

392

<code class="prompt">root# </code> net setlocalsid S-1-5-21-1385457007-882775198-1210191635

393

</pre><p>

394

</p></li><li><p>

395

396

397

398

394

</p></li><li class="step" title="Step 7"><p>

395

396

397

398

399

Install the Idealx <code class="literal">smbldap-tools</code> software package, following

400

the instructions given in <a class="link" href="happy.html#sbeidealx" title="Install and Configure Idealx smbldap-tools Scripts">“Install and Configure Idealx smbldap-tools Scripts”</a>. The resulting perl scripts

401

should be located in the <code class="filename">/opt/IDEALX/sbin</code> directory.

489

/etc/smbldap-tools/smbldap.conf done.

490

/etc/smbldap-tools/smbldap_bind.conf done.

491

</pre><p>

492

493

494

495

492

493

494

495

496

Note that the NT4 domain SID that was previously obtained was entered above. Also,

497

the sambaUnixIdPooldn object was specified as sambaDomainName=DAMNATION. This is

498

the location into which the Idealx smbldap-tools store the next available UID/GID

501

was stored in the sambaUnixIdPooldn DIT location cn=NextFreeUnixId. Where smbldap-tools

502

are being upgraded to version 0.9.1 it is appropriate to update this to the new location

503

only if the directory information is also relocated.

504

</p></li><li><p>

504

</p></li><li class="step" title="Step 8"><p>

505

Start the LDAP server using the system interface script. On Novell SLES9

506

this is done as shown here:

507

</p><pre class="screen">

508

<code class="prompt">root# </code> rcldap start

509

</pre><p>

510

</p></li><li><p>

510

</p></li><li class="step" title="Step 9"><p>

511

Edit the <code class="filename">/etc/nsswitch.conf</code> file so it has the entries shown in

512

<a class="link" href="ntmigration.html#sbentnss2" title="Example�9.7.�NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:2)">“NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:2)”</a>. Note that the LDAP entries have now been uncommented.

513

</p></li><li><p>

513

</p></li><li class="step" title="Step 10"><p>

514

The LDAP management password must be installed into the <code class="filename">secrets.tdb</code>

515

file as follows:

516

</p><pre class="screen">

518

Setting stored password for

519

"cn=Manager,dc=terpstra-world,dc=org" in secrets.tdb

520

</pre><p>

521

</p></li><li><p>

521

</p></li><li class="step" title="Step 11"><p>

522

Populate the LDAP directory as shown here:

523

</p><pre class="screen">

524

<code class="prompt">root# </code> /opt/IDEALX/sbin/smbldap-populate -a root -k 0 -m 0

544

</pre><p>

545

The script tries to add the ou=People container twice, hence the error message.

546

This is expected behavior.

547

</p></li><li><p>

548

547

</p></li><li class="step" title="Step 12"><p>

548

549

Restart the LDAP server following initialization of the LDAP directory. Execute the

550

system control script provided on your system. The following steps can be used on

551

Novell SUSE SLES 9:

553

<code class="prompt">root# </code> rcldap restart

554

<code class="prompt">root# </code> chkconfig ldap on

555

</pre><p>

556

</p></li><li><p>

556

</p></li><li class="step" title="Step 13"><p>

557

Verify that the new user accounts that have been added to the LDAP directory can be

558

resolved as follows:

559

</p><pre class="screen">

584

Backup Operators:x:551:

585

Replicators:x:552:

586

</pre><p>

587

In both cases the LDAP accounts follow the “<span class="quote">+::0:</span>” entry.

588

</p></li><li><p>

587

In both cases the LDAP accounts follow the <span class="quote">“<span class="quote">+::0:</span>”</span> entry.

588

</p></li><li class="step" title="Step 14"><p>

589

Now it is time to join the Samba BDC to the target NT4 domain that is being

590

migrated to Samba-3 by executing the following:

591

</p><pre class="screen">

594

-U Administrator%not24get

595

Joined domain DAMNATION.

596

</pre><p>

597

</p></li><li><p>

597

</p></li><li class="step" title="Step 15"><p>

598

Set the new domain administrator (root) password for both UNIX and Windows as shown here:

599

</p><pre class="screen">

600

<code class="prompt">root# </code> /opt/IDEALX/sbin/smbldap-passwd root

604

</pre><p>

605

Note: During account migration, the Windows Administrator account will not be migrated

606

to the Samba server.

607

</p></li><li><p>

607

</p></li><li class="step" title="Step 16"><p>

608

Now validate that these accounts can be resolved using Samba's tools as

609

shown here for user accounts:

610

</p><pre class="screen">

632

Replicators (S-1-5-32-552) -> Replicators

633

</pre><p>

634

These are the expected results for a correctly configured system.

635

</p></li><li><p>

635

</p></li><li class="step" title="Step 17"><p>

636

Commence migration as shown here:

637

</p><pre class="screen">

638

<code class="prompt">root# </code> net rpc vampire -S TRANSGRESSION \

640

</pre><p>

641

Check the vampire log to confirm that only expected errors have been

642

reported. See <a class="link" href="ntmigration.html#sbevam1" title="Migration Log Validation">“Migration Log Validation”</a>.

643

</p></li><li><p>

643

</p></li><li class="step" title="Step 18"><p>

644

The migration of user accounts can be quickly validated as follows:

645

</p><pre class="screen">

646

<code class="prompt">root# </code> pdbedit -Lw

675

SCAVENGER$:26:B6288EB6D147B56F8963805A19B0ED49:...

676

merlin$:27:820C50523F368C54AB9D85AE603AD09D:...

677

</pre><p>

678

</p></li><li><p>

678

</p></li><li class="step" title="Step 19"><p>

679

The mapping of UNIX and Windows groups can be validated as show here:

680

</p><pre class="screen">

681

<code class="prompt">root# </code> net groupmap list

707

</pre><p>

708

It is of vital importance that the domain SID portions of all group

709

accounts are identical.

710

</p></li><li><p>

710

</p></li><li class="step" title="Step 20"><p>

711

The final responsibility in the migration process is to create identical

712

shares and printing resources on the new Samba-3 server, copy all data

713

across, set up privileges, and set share and file/directory access controls.

714

</p></li><li><p>

715

716

714

</p></li><li class="step" title="Step 21"><p>

715

716

717

Edit the <code class="filename">smb.conf</code> file to reset the parameter

718

<a class="link" href="smb.conf.5.html#DOMAINMASTER" target="_top">domain master = Yes</a> so that

719

the Samba server functions as a PDC for the purpose of migration.

736

Server role: ROLE_DOMAIN_PDC

737

Press enter to see a dump of your service definitions

738

</pre><p>

739

</p></li><li><p>

739

</p></li><li class="step" title="Step 22"><p>

740

Now shut down the old NT4 PDC. Only when the old NT4 PDC and all

741

NT4 BDCs have been shut down can the Samba-3 PDC be started.

742

</p></li><li><p>

742

</p></li><li class="step" title="Step 23"><p>

743

All workstations should function as they did with the old NT4 PDC. All

744

interdomain trust accounts should remain in place and fully functional.

745

All machine accounts and user logon accounts should also function correctly.

746

</p></li><li><p>

746

</p></li><li class="step" title="Step 24"><p>

747

The configuration of Samba-3 BDC servers can be accomplished now or at any

748

convenient time in the future. Please refer to the carefully detailed process

749

for doing so is outlined in <a class="link" href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">“Samba-3 BDC Configuration”</a>.

750

</p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbevam1"></a>Migration Log Validation</h4></div></div></div><p>

750

</p></li></ol></div><div class="sect3" title="Migration Log Validation"><div class="titlepage"><div><div><h4 class="title"><a name="sbevam1"></a>Migration Log Validation</h4></div></div></div><p>

751

The following <code class="filename">vampire.log</code> file is typical of a valid migration.

752

</p><pre class="screen">

753

adding user Administrator to group Domain Admins

841

Creating unix group: 'Server Operators'

842

Creating unix group: 'Users'

843

</pre><p>

844

</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2604610"></a>NT4 Migration Using tdbsam Backend</h3></div></div></div><p>

844

</p></div></div><div class="sect2" title="NT4 Migration Using tdbsam Backend"><div class="titlepage"><div><div><h3 class="title"><a name="id2610669"></a>NT4 Migration Using tdbsam Backend</h3></div></div></div><p>

845

In this example, we change the domain name of the NT4 server from

846

<code class="constant">DRUGPREP</code> to <code class="constant">MEGANET</code> prior to the use

847

of the vampire (migration) tool. This migration process makes use of Linux system tools

849

UNIX/Linux <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code>

850

databases. These entries must therefore be present, and correct options specified,

851

in your <code class="filename">smb.conf</code> file, or else the migration does not work as it should.

852

</p><div class="procedure"><a name="id2604657"></a><p class="title"><b>Procedure�9.2.�Migration Steps Using tdbsam</b></p><ol type="1"><li><p>

852

</p><div class="procedure" title="Procedure�9.2.�Migration Steps Using tdbsam"><a name="id2610716"></a><p class="title"><b>Procedure�9.2.�Migration Steps Using tdbsam</b></p><ol class="procedure" type="1"><li class="step" title="Step 1"><p>

853

Prepare a Samba-3 server precisely per the instructions shown in <a class="link" href="Big500users.html" title="Chapter�4.�The 500-User Office">“The 500-User Office”</a>.

854

Set the workgroup name to <code class="constant">MEGANET</code>.

855

</p></li><li><p><a class="indexterm" name="id2604685"></a><a class="indexterm" name="id2604693"></a>

855

</p></li><li class="step" title="Step 2"><p><a class="indexterm" name="id2610744"></a><a class="indexterm" name="id2610752"></a>

856

Edit the <code class="filename">smb.conf</code> file to temporarily change the parameter

857

<a class="link" href="smb.conf.5.html#DOMAINMASTER" target="_top">domain master = No</a> so

858

the Samba server functions as a BDC for the purpose of migration.

859

</p></li><li><p>

859

</p></li><li class="step" title="Step 3"><p>

860

Start Samba as you have done previously.

861

</p></li><li><p><a class="indexterm" name="id2604735"></a>

861

</p></li><li class="step" title="Step 4"><p><a class="indexterm" name="id2610794"></a>

862

Join the NT4 Domain as a BDC, as shown here:

863

</p><pre class="screen">

864

<code class="prompt">root# </code> net rpc join -S oldnt4pdc -W MEGANET -UAdministrator%not24get

865

Joined domain MEGANET.

866

</pre><p>

867

</p></li><li><p><a class="indexterm" name="id2604770"></a>

867

</p></li><li class="step" title="Step 5"><p><a class="indexterm" name="id2610829"></a>

868

You may vampire the accounts from the NT4 PDC by executing the command, as shown here:

869

</p><pre class="screen">

870

<code class="prompt">root# </code> net rpc vampire -S oldnt4pdc -U Administrator%not24get

904

Fetching BUILTIN database

905

SAM_DELTA_DOMAIN_INFO not handled

906

</pre><p>

907

</p></li><li><p><a class="indexterm" name="id2604824"></a>

907

</p></li><li class="step" title="Step 6"><p><a class="indexterm" name="id2610883"></a>

908

At this point, we can validate our migration. Let's look at the accounts

909

in the form in which they are seen in a smbpasswd file. This achieves that:

910

</p><pre class="screen">

936

maryk:509:3636AB7E12EBE79AB79AE2610DD89D4C:

937

CF271B744F7A55AFDA277FF88D80C527:[UX ]:LCT-3E8B4270:

938

</pre><p>

939

</p></li><li><p><a class="indexterm" name="id2604901"></a>

939

</p></li><li class="step" title="Step 7"><p><a class="indexterm" name="id2610960"></a>

940

An expanded view of a user account entry shows more of what was

941

obtained from the NT4 PDC:

942

</p><pre class="screen">

962

Password can change: 0

963

Password must change: Mon, 18 Jan 2038 20:14:07 GMT

964

</pre><p>

965

</p></li><li><p><a class="indexterm" name="id2604936"></a>

965

</p></li><li class="step" title="Step 8"><p><a class="indexterm" name="id2610995"></a>

966

The following command lists the long names of the groups that have been

967

imported (vampired) from the NT4 PDC:

968

</p><pre class="screen">

979

Users Ordinary users

980

</pre><p>

981

Everything looks well and in order.

982

</p></li><li><p><a class="indexterm" name="id2604976"></a><a class="indexterm" name="id2604984"></a>

982

</p></li><li class="step" title="Step 9"><p><a class="indexterm" name="id2611035"></a><a class="indexterm" name="id2611043"></a>

983

Edit the <code class="filename">smb.conf</code> file to reset the parameter

984

<a class="link" href="smb.conf.5.html#DOMAINMASTER" target="_top">domain master = Yes</a> so

985

the Samba server functions as a PDC for the purpose of migration.

986

</p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2605017"></a>Key Points Learned</h3></div></div></div><p>

986

</p></li></ol></div></div><div class="sect2" title="Key Points Learned"><div class="titlepage"><div><div><h3 class="title"><a name="id2611075"></a>Key Points Learned</h3></div></div></div><p>

987

Migration of an NT4 PDC database to a Samba-3 PDC is possible.

988

</p><div class="itemizedlist"><ul type="disc"><li><p>

988

</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>

989

An LDAP backend is a suitable vehicle for NT4 migrations.

990

</p></li><li><p>

990

</p></li><li class="listitem"><p>

991

A tdbsam backend can be used to perform a migration.

992

</p></li><li><p>

992

</p></li><li class="listitem"><p>

993

Multiple NT4 domains can be merged into a single Samba-3

994

domain.

995

</p></li><li><p>

995

</p></li><li class="listitem"><p>

996

The net Samba-3 domain most likely requires some

997

administration and updating before going live.

998

</p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2605055"></a>Questions and Answers</h2></div></div></div><p>

999

</p><div class="qandaset"><dl><dt> <a href="ntmigration.html#id2605070">

998

</p></li></ul></div></div></div><div class="sect1" title="Questions and Answers"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2611114"></a>Questions and Answers</h2></div></div></div><p>

999

</p><div class="qandaset" title="Frequently Asked Questions"><a name="id2611123"></a><dl><dt> <a href="ntmigration.html#id2611129">

1000

Why must I start each migration with a clean database?

1001

</a></dt><dt> <a href="ntmigration.html#id2605111">

1001

</a></dt><dt> <a href="ntmigration.html#id2611169">

1002

Is it possible to set my domain SID to anything I like?

1003

</a></dt><dt> <a href="ntmigration.html#id2605168">

1003

</a></dt><dt> <a href="ntmigration.html#id2611226">

1004

When using a tdbsam passdb backend, why must I have all domain user and group accounts

1005

in /etc/passwd and /etc/group?

1006

</a></dt><dt> <a href="ntmigration.html#id2605348">

1006

</a></dt><dt> <a href="ntmigration.html#id2611406">

1007

Why did you validate connectivity before attempting migration?

1008

</a></dt><dt> <a href="ntmigration.html#id2605393">

1008

</a></dt><dt> <a href="ntmigration.html#id2611452">

1009

How would you merge 10 tdbsam-based domains into an LDAP database?

1010

</a></dt><dt> <a href="ntmigration.html#id2605516">

1010

</a></dt><dt> <a href="ntmigration.html#id2611574">

1011

I want to change my domain name after I migrate all accounts from an NT4 domain to a

1012

Samba-3 domain. Does it make any sense to migrate the machine accounts in that case?

1013

</a></dt><dt> <a href="ntmigration.html#id2605591">

1013

</a></dt><dt> <a href="ntmigration.html#id2611650">

1014

After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why?

1015

</a></dt><dt> <a href="ntmigration.html#id2605656">

1015

</a></dt><dt> <a href="ntmigration.html#id2611715">

1016

How can I reset group membership after loading the account information into the LDAP database?

1017

</a></dt><dt> <a href="ntmigration.html#id2605691">

1017

</a></dt><dt> <a href="ntmigration.html#id2611749">

1018

What are the limits or constraints that apply to group names?

1019

</a></dt><dt> <a href="ntmigration.html#id2605795">

1019

</a></dt><dt> <a href="ntmigration.html#id2611854">

1020

My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3

1021

LDAP backend system using the vampire process?

1022

</a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2605070"></a><a name="id2605072"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2605076"></a>

1022

</a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%"><col><tbody><tr class="question"><td align="left" valign="top"><a name="id2611129"></a><a name="id2611131"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611134"></a>

1023

Why must I start each migration with a clean database?

1024

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2605091"></a>

1024

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611150"></a>

1025

This is a recommendation that permits the data from each NT4 domain to

1026

be kept separate until you are ready to merge them. Also, if you do not start with a clean database,

1027

you may find errors due to users or groups from multiple domains having the

1028

same name but different SIDs. It is better to permit each migration to complete

1029

without undue errors and then to handle the merging of vampired data under

1030

proper supervision.

1031

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2605111"></a><a name="id2605113"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2605116"></a>

1031

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611169"></a><a name="id2611172"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611175"></a>

1032

Is it possible to set my domain SID to anything I like?

1033

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2605132"></a><a class="indexterm" name="id2605140"></a><a class="indexterm" name="id2605147"></a>

1033

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611190"></a><a class="indexterm" name="id2611198"></a><a class="indexterm" name="id2611206"></a>

1034

Yes, so long as the SID you create has the same structure as an autogenerated SID.

1035

The typical SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where

1036

the XXXXXXXXXX can be any number with from 6 to 10 digits. On the other hand, why

1037

would you really want to create your own SID? I cannot think of a good reason.

1038

You may want to set the SID to one that is already in use somewhere on your network,

1039

but that is a little different from straight out creating your own domain SID.

1040

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2605168"></a><a name="id2605170"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2605173"></a><a class="indexterm" name="id2605181"></a><a class="indexterm" name="id2605188"></a><a class="indexterm" name="id2605196"></a><a class="indexterm" name="id2605204"></a><a class="indexterm" name="id2605215"></a><a class="indexterm" name="id2605227"></a>

1040

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611226"></a><a name="id2611229"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611232"></a><a class="indexterm" name="id2611239"></a><a class="indexterm" name="id2611247"></a><a class="indexterm" name="id2611255"></a><a class="indexterm" name="id2611263"></a><a class="indexterm" name="id2611274"></a><a class="indexterm" name="id2611285"></a>

1041

When using a tdbsam passdb backend, why must I have all domain user and group accounts

1042

in <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code>?

1043

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2605258"></a><a class="indexterm" name="id2605266"></a><a class="indexterm" name="id2605273"></a><a class="indexterm" name="id2605281"></a><a class="indexterm" name="id2605289"></a><a class="indexterm" name="id2605297"></a>

1043

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611317"></a><a class="indexterm" name="id2611324"></a><a class="indexterm" name="id2611332"></a><a class="indexterm" name="id2611340"></a><a class="indexterm" name="id2611348"></a><a class="indexterm" name="id2611356"></a>

1044

Samba-3 must be able to tie all user and group account SIDs to a UNIX UID or GID. Samba

1045

does not fabricate the UNIX IDs from thin air, but rather requires them to be located

1046

in a suitable place.

1055

migration to the LDAP database, the accounts may be removed from the UNIX database files.

1056

In short then, all UNIX and Windows networking accounts, both in tdbsam as well as in

1057

LDAP, require UIDs/GIDs.

1058

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2605348"></a><a name="id2605350"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2605353"></a><a class="indexterm" name="id2605361"></a><a class="indexterm" name="id2605369"></a>

1058

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611406"></a><a name="id2611409"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611412"></a><a class="indexterm" name="id2611420"></a><a class="indexterm" name="id2611428"></a>

1059

Why did you validate connectivity before attempting migration?

1060

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>

1061

Access validation before attempting to migrate NT4 domain accounts helps to pinpoint

1062

potential problems that may otherwise affect or impede account migration. I am always

1063

mindful of the 4 P's of migration: Planning Prevents Poor Performance.

1064

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2605393"></a><a name="id2605395"></a></td><td align="left" valign="top"><p>

1064

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611452"></a><a name="id2611454"></a></td><td align="left" valign="top"><p>

1065

How would you merge 10 tdbsam-based domains into an LDAP database?

1066

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2605406"></a><a class="indexterm" name="id2605414"></a><a class="indexterm" name="id2605422"></a><a class="indexterm" name="id2605430"></a><a class="indexterm" name="id2605438"></a><a class="indexterm" name="id2605446"></a><a class="indexterm" name="id2605453"></a><a class="indexterm" name="id2605461"></a><a class="indexterm" name="id2605469"></a><a class="indexterm" name="id2605477"></a><a class="indexterm" name="id2605485"></a>

1066

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611465"></a><a class="indexterm" name="id2611473"></a><a class="indexterm" name="id2611481"></a><a class="indexterm" name="id2611488"></a><a class="indexterm" name="id2611496"></a><a class="indexterm" name="id2611504"></a><a class="indexterm" name="id2611512"></a><a class="indexterm" name="id2611520"></a><a class="indexterm" name="id2611527"></a><a class="indexterm" name="id2611535"></a><a class="indexterm" name="id2611543"></a>

1067

If you have 10 tdbsam Samba domains, there is considerable risk that there are a number of

1068

accounts that have the same UNIX identifier (UID/GID). This means that you almost

1069

certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd

1073

tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that

1074

you have migrated before handing over access to a user. After all, too many users with a bad

1075

migration experience may threaten your career.

1076

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2605516"></a><a name="id2605518"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2605521"></a><a class="indexterm" name="id2605529"></a>

1076

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611574"></a><a name="id2611576"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611580"></a><a class="indexterm" name="id2611588"></a>

1077

I want to change my domain name after I migrate all accounts from an NT4 domain to a

1078

Samba-3 domain. Does it make any sense to migrate the machine accounts in that case?

1079

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2605550"></a><a class="indexterm" name="id2605558"></a><a class="indexterm" name="id2605566"></a><a class="indexterm" name="id2605573"></a>

1079

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611608"></a><a class="indexterm" name="id2611616"></a><a class="indexterm" name="id2611624"></a><a class="indexterm" name="id2611632"></a>

1080

I would recommend not to migrate the machine account. The machine accounts should still work, but there are registry entries

1081

on each Windows NT4 and upward client that have a tattoo of the old domain name. If you

1082

unjoin the domain and then rejoin the newly renamed Samba-3 domain, you can be certain to avoid

1083

this tattooing effect.

1084

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2605591"></a><a name="id2605594"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2605597"></a>

1084

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611650"></a><a name="id2611652"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611655"></a>

1085

After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why?

1086

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2605613"></a><a class="indexterm" name="id2605621"></a>

1086

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611672"></a><a class="indexterm" name="id2611680"></a>

1087

Samba-3 currently does not implement multiple group membership internally. If you use the Windows

1088

NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group

1089

membership is stored in the POSIX groups area. If you use either tdbsam or smbpasswd backend,

1092

file to which you migrated the NT4 Domain data, do not forget to edit the UNIX <code class="filename">/etc/passwd</code>

1093

and <code class="filename">/etc/group</code> information also. That is where the multiple group information

1094

is most closely at your fingertips.

1095

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2605656"></a><a name="id2605658"></a></td><td align="left" valign="top"><p>

1095

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611715"></a><a name="id2611717"></a></td><td align="left" valign="top"><p>

1096

How can I reset group membership after loading the account information into the LDAP database?

1097

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2605670"></a>

1097

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611728"></a>

1098

You can use the NT4 Domain User Manager that can be downloaded from the Microsoft Web site. The

1099

installation file is called <code class="filename">SRVTOOLS.EXE</code>.

1100

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2605691"></a><a name="id2605693"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2605696"></a>

1100

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611749"></a><a name="id2611751"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611754"></a>

1101

What are the limits or constraints that apply to group names?

1102

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2605711"></a><a class="indexterm" name="id2605719"></a><a class="indexterm" name="id2605727"></a><a class="indexterm" name="id2605735"></a><a class="indexterm" name="id2605743"></a><a class="indexterm" name="id2605751"></a>

1102

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p><a class="indexterm" name="id2611770"></a><a class="indexterm" name="id2611778"></a><a class="indexterm" name="id2611786"></a><a class="indexterm" name="id2611794"></a><a class="indexterm" name="id2611802"></a><a class="indexterm" name="id2611809"></a>

1103

A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group

1104

name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows

1105

groups can contain upper- and lowercase characters, as well as spaces.

1111

of the POSIX standards and likewise do not permit uppercase or space characters in group

1112

or user account names. You have to experiment with your system to find what its

1113

peculiarities are.

1114

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2605795"></a><a name="id2605797"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2605801"></a>

1114

</p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2611854"></a><a name="id2611856"></a></td><td align="left" valign="top"><p><a class="indexterm" name="id2611859"></a>

1115

My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3

1116

LDAP backend system using the vampire process?

1117

</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>

1120

you would not be able to migrate 323,000 accounts because this number cannot fit into a 16-bit unsigned

1121

integer. UNIX/Linux systems that have a 32-bit UID/GID can easily handle this number of accounts.

1122

Please check this carefully before you attempt to effect a migration using the vampire process.

1123

</p><p><a class="indexterm" name="id2605838"></a>

1123

</p><p><a class="indexterm" name="id2611896"></a>

1124

Migration speed depends much on the processor speed, the network speed, disk I/O capability, and

1125

LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory that was mirroring LDAP

1126

to a second identical system over 1 Gb Ethernet, I was able to migrate around 180 user accounts

Older »