<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 10. Migrating NetWare Server to Samba-3</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="ntmigration.html" title="Chapter 9. Migrating NT4 Domain to Samba-3"><link rel="next" href="RefSection.html" title="Part III. Reference Section"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 10. Migrating NetWare Server to Samba-3</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="ntmigration.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="RefSection.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="nw4migration"></a>Chapter 10. Migrating NetWare Server to Samba-3</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="nw4migration.html#id2606004">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id2606120">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id2606233">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id2606310">Technical Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="nw4migration.html#id2606500">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="nw4migration.html#id2606509">NetWare Migration Using LDAP 
Backend</a></span></dt></dl></dd></dl></div><p>
<a class="indexterm" name="id2605849"></a>
<a class="indexterm" name="id2605855"></a>
Novell is a company any seasoned IT manager has to admire. It has become increasingly
Linux-friendly and is emerging out of a deep regression that almost saw the company
disappear into obscurity. Novell's SUSE Linux hosts the NetWare server and it is the
platform of choice to which many older NetWare servers are being migrated.
It will be interesting to see what becomes of NetWare over time.
Meanwhile, there can be no denying that Novell is a Linux company.

<a class="indexterm" name="id2605873"></a>
<a class="indexterm" name="id2605880"></a>
<a class="indexterm" name="id2605887"></a>
<a class="indexterm" name="id2605894"></a>
Whatever flavor of Linux is preferred in your environment, whether Red Hat, Debian,
Gentoo, Mandrake, or SUSE (Novell), the information in this chapter should be read with
the knowledge that file locations may vary a little; even so, the information
in this chapter should provide something of value.

<a class="indexterm" name="id2605909"></a>
Contributions to this chapter were made by Misty Stanley-Jones, a UNIX administrator of many
years who surfaced on the Samba mailing list with a barrage of questions and who
regularly helps other administrators to solve thorny Samba migration questions.

<a class="indexterm" name="id2605923"></a>
<a class="indexterm" name="id2605930"></a>
<a class="indexterm" name="id2605937"></a>
<a class="indexterm" name="id2605944"></a>
One wonders how many NetWare servers remain in active service. Many are being migrated
to Samba on Linux. Red Hat Linux, SUSE Linux 9.x, and SUSE Linux Enterprise Server 9 are
ideal target platforms to which a NetWare server may be migrated. The migration method
of choice depends largely on the tools that the administrator finds most natural to use.
The old-hand NetWare guru will likely want to use tools like the NetWare NLM for
<code class="literal">rsync</code> to migrate files from the NetWare server to the Samba server.
The UNIX administrator might prefer tools that are part of the Mars_NWE (Martin Stover's NetWare
Emulator) open source package. The MS Windows network administrator will likely make use of the
NWConv utility that is a part of Windows NT4 Server. Whatever your tool of choice,
migration will be filled with joyous and challenging moments though probably not

The priority that Misty faced was one of migration of the data files off the NetWare 4.11
server and onto a Samba-based Windows file and print server. This chapter does not pretend
to document all the different methods that could be used to migrate user and group accounts
off a NetWare server. Its focus is on migration of data files.

This chapter tells its own story, so ride along. Maybe the information presented here
will help to smooth over a similar migration challenge in your favorite networking environment.

File paths have been modified to permit use of RPM packages provided by Novell. In the
original documentation contributed by Misty, the Courier-IMAP package had been built
directly from the original source tarball.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2606004"></a>Introduction</h2></div></div></div><p>
<a class="indexterm" name="id2606011"></a>
Misty Stanley-Jones was recruited by Abmas to administer a network that had
not received much attention for some years and was much in need of a makeover.
As a brand-new sysadmin to this company, she inherited a very old Novell file server
and came with a determination to change things for the better.

A site survey turned up the following details for the old NetWare server:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><p>200 MHz MMX processor</p></td></tr><tr><td><p>512K RAM</p></td></tr><tr><td><p>24 GB disk space in RAID1</p></td></tr><tr><td><p>Novell 4.11 patched to service pack 7</p></td></tr><tr><td><p>60+ users</p></td></tr><tr><td><p>7 network-attached printers</p></td></tr></table><p>
The company had outgrown this server several years before and was dealing with
severe growing pains. Some of the problems experienced were:
</p><div class="itemizedlist"><ul type="disc"><li><p>Very slow performance</p></li><li><p>Available storage hovering around the 5% range</p><div class="itemizedlist"><ul type="circle"><li><p>Extremely slow print spooling.</p></li><li><p>
Users storing information on their local hard
drives, causing backup integrity problems
</p></li></ul></div></li></ul></div><p>
<a class="indexterm" name="id2606107"></a>
At one point disk space had filled up to 100 percent, causing the payroll database
to become corrupt. This caused the accounting department to be down for over
a week and necessitated deployment of another file server. The replacement
server was created with very poor security and design considerations from
a discarded desktop PC.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2606120"></a>Assignment Tasks</h3></div></div></div><p>
Misty has provided this summary of her migration experience in the hope
that it will help someone to avoid the challenges she faced. Perhaps her
configuration files and background will accelerate your learning as you
grapple with a similar migration challenge. Let there be no confusion:
the information presented in this chapter is provided to demonstrate
how Misty dealt with a particular NetWare migration requirement, and
it provides an overall approach to the implementation of a Samba-3
environment that is significantly divergent from that presented in
<a class="link" href="happy.html" title="Chapter 5. Making Happy Users">“Making Happy Users”</a>.

The complete removal of all site-specific information in order to produce
a generic migration solution would rob this chapter of its character.
It should be recognized, therefore, that the examples given require
significant adaptation to suit local needs and thus
there are some gaps in the example files. That is not Misty's fault; it
is the result of treatment given to her files in an attempt to make
the overall information more useful to you.

<a class="indexterm" name="id2606158"></a>
After management reviewed a cost-benefit report as well as an estimated
time-to-completion, approval was given to proceed with the solution proposed.
The server was built from purchased components. The total project cost
was $3,000. A brief description of the configuration follows:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><p>3.0 GHz P4 Processor</p></td></tr><tr><td><p>120 GB SATA operating system drive</p></td></tr><tr><td><p>4 x 80 GB SATA data drives (RAID5 240 GB capacity)</p></td></tr><tr><td><p>2 x 80 GB SATA removable drives for online backup</p></td></tr><tr><td><p>A DLT drive for asynchronous offline backup</p></td></tr><tr><td><p>SUSE Linux Professional 9.1</p></td></tr></table><p>
The new system has operated for 6 months without problems. Over the past months
much attention has been focused on cleaning up desktops and user profiles.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2606233"></a>Dissection and Discussion</h2></div></div></div><p>
<a class="indexterm" name="id2606241"></a>
<a class="indexterm" name="id2606248"></a>
<a class="indexterm" name="id2606255"></a>
<a class="indexterm" name="id2606262"></a>
A decision to use LDAP was made even though I knew nothing about LDAP except that
I had been reading the book “<span class="quote">LDAP System Administration,</span>” by Gerald Carter.
LDAP seemed to provide some of the functionality of Novell's e-Directory Services
and would provide centralized authentication and identity management.

<a class="indexterm" name="id2606281"></a>
<a class="indexterm" name="id2606288"></a>
<a class="indexterm" name="id2606294"></a>
Building the LDAP database took a while and a lot of trial and error. Following
the guidance I obtained from “<span class="quote">LDAP System
Administration,</span>” I installed OpenLDAP (from RPM; later I compiled
a more current version from source) and built my initial LDAP tree.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2606310"></a>Technical Issues</h3></div></div></div><p>
<a class="indexterm" name="id2606318"></a>
<a class="indexterm" name="id2606325"></a>
<a class="indexterm" name="id2606332"></a>
<a class="indexterm" name="id2606338"></a>
<a class="indexterm" name="id2606345"></a>
<a class="indexterm" name="id2606352"></a>
<a class="indexterm" name="id2606359"></a>
<a class="indexterm" name="id2606366"></a>
<a class="indexterm" name="id2606372"></a>
The first challenge was to create a company white pages, followed by manually
entering everything from the printed company directory. This used only the inetOrgPerson
object class from the OpenLDAP schemas. The next step was to write a shell script that
would look at the <code class="filename">/etc/passwd</code> and <code class="filename">/etc/shadow</code>
files on our mail server and create an LDIF file from which the information could be
imported into LDAP. This would allow use of LDAP for Linux authentication, IMAP, POP3,

Because a decision was made to use Courier-IMAP, the schema “<span class="quote">authldap.schema</span>”
from the Courier-IMAP source tarball is necessary to resolve Courier-specific LDAP directory
needs. Where the Courier-IMAP package provided by SUSE is used, this file is named
<code class="filename">courier.schema</code>.

Looking back, it would have been much easier to populate the LDAP directory using a convenient
tool such as <code class="literal">phpLDAPAdmin</code> from the outset. An excessive amount of time was
spent trying to generate LDIF files that could be parsed by <code class="literal">ldapmodify</code>
so that necessary changes could be written to the directory. This was a learning experience!

An attempt was made to use the PADL POSIX account migration scripts, but I gave up trying to
make them work. Instead, even though it is most inelegant, I wrote a simple script that did
what I needed. It is enclosed as a simple example to demonstrate that you do not need to be
a guru to make light of otherwise painful repetition. This file is listed in <a class="link" href="nw4migration.html#sbeamg" title="Example 10.1. A Rough Tool to Create an LDIF File from the System Account Files">“A Rough Tool to Create an LDIF File from the System Account Files”</a>.
</p><div class="example"><a name="sbeamg"></a><p class="title"><b>Example 10.1. A Rough Tool to Create an LDIF File from the System Account Files</b></p><div class="example-contents"><pre class="screen">
#!/bin/bash
# Emit one LDIF entry per /etc/passwd line, taking the password hash from the
# matching /etc/shadow line (run as root; /etc/shadow is not world readable).

cat /etc/passwd | while IFS= read -r l; do
    uid=`echo "$l" | cut -d : -f 1`
    uidNumber=`echo "$l" | cut -d : -f 3`
    gidNumber=`echo "$l" | cut -d : -f 4`
    gecos=`echo "$l" | cut -d : -f 5`
    homeDirectory=`echo "$l" | cut -d : -f 6`
    loginShell=`echo "$l" | cut -d : -f 7`
    # Anchor on the whole user name so that "bob" does not get the hash of "bobby".
    userPassword=`grep "^$uid:" /etc/shadow | cut -d : -f 2`

    echo "dn: cn=$gecos,ou=people,dc=mycompany,dc=com"
    echo "objectClass: account"
    echo "objectClass: posixAccount"
    # cn and uid are mandatory attributes of posixAccount and account.
    echo "cn: $gecos"
    echo "uid: $uid"
    echo "uidNumber: $uidNumber"
    echo "gidNumber: $gidNumber"
    echo "homeDirectory: $homeDirectory"
    echo "loginShell: $loginShell"
    # {CRYPT} tells slapd the value is a crypt(3) hash, not a clear-text password.
    echo "userPassword: {CRYPT}$userPassword"
    echo
done
</pre></div></div><br class="example-break"><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The PADL MigrationTools are recommended for migration of the UNIX account information into
the LDAP directory. The tools consist of a set of Perl scripts for migration of users, groups,
aliases, hosts, netgroups, networks, protocols, RPCs, and services from the existing ASCII text
files (or from a name service such as NIS). This tool set can be obtained from the <a class="ulink" href="http://www.padl.com" target="_top">PADL Web site</a>.
</p></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2606500"></a>Implementation</h2></div></div></div><p>
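The shell script in Example 10.1 joins the two account files with grep, which is where most of its pitfalls come from. The following Python script is an added example (not from the book and not Misty's code) that does the same job with explicit parsing: it looks up each shadow line by exact user name, tags the hash with {CRYPT}, skips system accounts below an assumed UID cut-off, names each entry by uid rather than by the GECOS field, and base64-encodes any value that LDIF cannot carry as plain text. The base DN, the UID cut-off and the passwd/shadow lines are constructed for the example.

```python
"""Build LDIF posixAccount entries from passwd/shadow content.

Added example, not part of "Samba-3 by Example" and not Misty's script. It
does what Example 10.1 does, but joins the two files on the exact user name,
tags the hash as {CRYPT}, and base64-encodes values that LDIF cannot carry in
clear (RFC 2849). The base DN and the system-account cut-off are assumptions
chosen for the example.
"""
import base64

BASE_DN = "ou=people,dc=mycompany,dc=com"  # assumed base DN, as in Example 10.1
MIN_UID = 1000  # assumed: accounts below this are system accounts, not migrated

# Constructed sample input: the "bob"/"bobby" pair shows why a substring
# match on the user name hands bob the wrong hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bob:x:1001:100:Bob Jones:/home/bob:/bin/bash
bobby:x:1002:100:Bobby Smith:/home/bobby:/bin/bash
alice:x:1003:100:Alice Müller:/home/alice:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$rootsalt$rootrootrootrootroot12:12000:0:99999:7:::
bobby:$1$salt2$bobbybobbybobbybobby22:12000:0:99999:7:::
bob:$1$salt1$bobbobbobbobbobbobbob11:12000:0:99999:7:::
alice:$1$salt3$alicealicealicealice33:12000:0:99999:7:::
"""


def parse_colon_file(text):
    """Return {first field: list of all fields} for a passwd- or shadow-style file."""
    table = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        table[fields[0]] = fields
    return table


def ldif_attr(name, value):
    """Format one attribute line; base64-encode when RFC 2849 requires it."""
    safe = (value.isascii() and "\n" not in value and "\r" not in value
            and "\0" not in value and not value.startswith((" ", ":", "<")))
    if safe:
        return "%s: %s" % (name, value)
    return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def build_entries(passwd_text, shadow_text, base_dn=BASE_DN, min_uid=MIN_UID):
    """Return a list of LDIF entries (one string each), skipping system accounts."""
    shadow = parse_colon_file(shadow_text)
    entries = []
    for name, f in parse_colon_file(passwd_text).items():
        uid_number = int(f[2])
        if uid_number < min_uid:
            continue
        gecos = f[4] or name
        # Exact key lookup: no substring matching between user names.
        # An account with no shadow line gets "!" (locked) rather than no hash.
        hash_value = shadow[name][1] if name in shadow else "!"
        lines = [
            "dn: uid=%s,%s" % (name, base_dn),
            "objectClass: account",
            "objectClass: posixAccount",
            ldif_attr("cn", gecos),
            ldif_attr("uid", name),
            "uidNumber: %d" % uid_number,
            "gidNumber: %s" % f[3],
            ldif_attr("homeDirectory", f[5]),
            ldif_attr("loginShell", f[6]),
            # {CRYPT} makes slapd compare against a crypt(3) hash.
            "userPassword: {CRYPT}%s" % hash_value,
        ]
        entries.append("\n".join(lines) + "\n")
    return entries


def build_ldif(passwd_text, shadow_text):
    """Whole LDIF document: entries separated by blank lines."""
    return "\n".join(build_entries(passwd_text, shadow_text))


if __name__ == "__main__":
    print(build_ldif(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

To use it on a real system, run it as root and pass the contents of /etc/passwd and /etc/shadow to build_ldif(); the result can be piped into ldapadd. The uid-based DN is a deliberate departure from Example 10.1: the GECOS field is neither unique nor guaranteed to be free of commas, and either property breaks a cn-based DN.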
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2606509"></a>NetWare Migration Using LDAP Backend</h3></div></div></div><p>
The following software must be installed on the SUSE Linux Enterprise Server to perform
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><p>courier-imap</p></td></tr><tr><td><p>courier-imap-ldap</p></td></tr><tr><td><p>nss_ldap</p></td></tr><tr><td><p>openldap2-client</p></td></tr><tr><td><p>openldap2-devel (only for Samba compilation)</p></td></tr><tr><td><p>openldap2</p></td></tr><tr><td><p>pam_ldap</p></td></tr><tr><td><p>samba-3.0.20 or later</p></td></tr><tr><td><p>samba-client-3.0.20 or later</p></td></tr><tr><td><p>samba-winbind-3.0.20 or later</p></td></tr><tr><td><p>smbldap-tools Version 0.9.1</p></td></tr></table><p>
Each software application must be carefully configured in preparation for migration.
The configuration files used at Abmas are provided as a guide and should be modified
to meet needs at your site.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2606584"></a>LDAP Server Configuration</h4></div></div></div><p>
The <code class="filename">/etc/openldap/slapd.conf</code> file Misty used is shown here:
</p><pre class="programlisting">
#/etc/openldap/slapd.conf

# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/dhcp.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/idpool.schema
include /etc/openldap/schema/eduperson.schema
include /etc/openldap/schema/commURI.schema
include /etc/openldap/schema/local.schema
include /etc/openldap/schema/courier.schema

pidfile /var/run/slapd/run/slapd.pid
argsfile /var/run/slapd/run/slapd.args

replogfile /data/ldap/log/slapd.replog

# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules

#######################################################################

#######################################################################

#######################################################################
# SASL and TLS options
#######################################################################
sasl-host ldap.corp.abmas.org
sasl-realm DIGEST-MD5

TLSCipherSuite HIGH:MEDIUM:+SSLV2
TLSCertificateFile /etc/ssl/certs/private/abmas-cert.pem
TLSCertificateKeyFile /etc/ssl/certs/private/abmas-key.pem

defaultsearchbase "dc=abmas,dc=biz"

#######################################################################
# bdb database definitions
#######################################################################

suffix "dc=abmas,dc=biz"
rootdn "cn=manager,dc=abmas,dc=biz"
rootpw {SSHA}gdo/dUvoT4ZJmULz3rUt6A3H/hBEduJ5

# The following is for BDB to make it flush its data to disk every
# 500 seconds or 5kb of data

## For running slapindex

## Indexes for often-requested attributes

index sambaPrimaryGroupSID eq
index sambaDomainName eq

replica host=baa.corp.abmas.org:389
        suffix="dc=abmas,dc=biz"
        binddn="cn=replica,dc=abmas,dc=biz"
        credentials=verysecret

replica host=ns.abmas.org:389
        suffix="dc=abmas,dc=biz"
        binddn="cn=replica,dc=abmas,dc=biz"
        credentials=verysecret

#######################################################################

#######################################################################
## MOST RESTRICTIVE RULES MUST GO FIRST!
# Admins get access to everything. This way I do not have to rename.
        by group/groupOfUniqueNames/uniqueMember="cn=LDAP Administrators,ou=groups,dc=abmas,dc=biz" write

## Users can change their own passwords.
        attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,
        sambaPwdMustChange,sambaPwdCanChange

## Home contact info restricted to the logged-in user and the HR dept
access to attrs=hometelephoneNumber,homePostalAddress,
        mobileTelephoneNumber,pagerTelephoneNumber
        by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,ou=groups,dc=abmas,dc=biz"

## Everyone can read email aliases
access to dn.sub="ou=Email Aliases,dc=abmas,dc=biz"

## Only admins can manage email aliases
## If someone is the role occupant of an alias they can change it -- this
## is accomplished by the "organizationalRole" objectclass and is
## pretty cool -- like a groupOfUniqueNames but for individual
access to dn.children="ou=Email Aliases,dc=abmas,dc=biz"
        by dnattr=roleOccupant write

## Admins and HR can add and delete users
access to dn.sub="ou=people,dc=abmas,dc=biz"
        by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,ou=groups,dc=abmas,dc=biz"

## Admins and HR can add and delete bizputers
access to dn.sub="ou=bizputers,dc=abmas,dc=biz"
        by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,ou=groups,dc=abmas,dc=biz"

## Admins and HR can add and delete groups
access to dn.sub="ou=groups,dc=abmas,dc=biz"
        by group/groupOfUniqueNames/uniqueMember="cn=hr_admin,ou=groups,dc=abmas,dc=biz"

## This is used to quickly deactivate any LDAP object only
## Admins have access.
access to dn.sub="ou=inactive,dc=abmas,dc=biz"

## This is for programs like Windows Address Book that can
## detect the default search base.
access to attrs=namingcontexts,supportedControl

## Default to read-only access
        by dn.base="cn=replica,ou=people,dc=abmas,dc=biz" write
</pre><p>
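The comment “MOST RESTRICTIVE RULES MUST GO FIRST!” in the slapd.conf above is the whole security model of its ACL section: slapd stops at the first access directive whose target matches the request, then at the first by clause whose subject matches, so a catch-all placed early hides every rule after it. The following Python model is an added example (not from the book and not Misty's configuration) that reproduces this first-match evaluation for a handful of selectors and shows the same two rules giving opposite answers depending on their order. The group membership, user DNs and rule set are constructed for the example; the rule set is a simplified stand-in for the home-contact-info rule above.

```python
"""First-match evaluation of slapd.conf-style access rules.

Added example, not from the book and not Misty's configuration: a simplified
model of how slapd picks ONE "access to" directive (the first whose <what>
matches) and then ONE "by" clause (the first whose <who> matches). Group
membership, attribute lists and DNs are constructed for the example; the
real ACL grammar is far richer than the selectors modelled here.
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed directory state: who is a member of which group.
GROUPS = {
    "cn=hr_admin,ou=groups,dc=abmas,dc=biz": {"uid=hanna,ou=people,dc=abmas,dc=biz"},
}


def level_at_least(granted, requested):
    return LEVELS.index(granted) >= LEVELS.index(requested)


def who_matches(who, requester, target_dn):
    """<who> selectors: '*', 'self', 'anonymous', 'users', 'group=<dn>', 'dn=<dn>'."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester == target_dn
    if who.startswith("group="):
        return requester in GROUPS.get(who[6:], set())
    if who.startswith("dn="):
        return requester == who[3:]
    raise ValueError("unknown <who> selector: " + who)


def what_matches(what, target_dn, attr):
    """<what> selectors: '*', 'attrs=<a,b,...>', 'dn.sub=<dn>'."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[6:].split(",")
    if what.startswith("dn.sub="):
        return target_dn.endswith(what[7:])
    raise ValueError("unknown <what> selector: " + what)


def evaluate(acl, requester, target_dn, attr, requested):
    """True if the first matching directive grants at least the requested level.

    acl is a list of (what, [(who, level), ...]). As in slapd, evaluation
    stops at the first <what> that matches; if no <by> clause in that
    directive matches, the implicit 'by * none' applies. If no directive
    matches at all, this model denies (an assumption; see slapd.access(5)).
    """
    for what, clauses in acl:
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, requester, target_dn):
                return level_at_least(level, requested)
        return False
    return False


HOME_ATTRS = "attrs=homeTelephoneNumber,homePostalAddress,mobileTelephoneNumber"

# Specific rule first, catch-all last: the ordering the slapd.conf insists on.
ACL_RESTRICTIVE_FIRST = [
    (HOME_ATTRS, [("group=cn=hr_admin,ou=groups,dc=abmas,dc=biz", "write"),
                  ("self", "write")]),
    ("*", [("users", "read"), ("anonymous", "auth")]),
]

# Same rules with the catch-all on top: the specific rule is never reached.
ACL_CATCHALL_FIRST = list(reversed(ACL_RESTRICTIVE_FIRST))

BOB = "uid=bob,ou=people,dc=abmas,dc=biz"
ALICE = "uid=alice,ou=people,dc=abmas,dc=biz"
HANNA = "uid=hanna,ou=people,dc=abmas,dc=biz"


def demo():
    """Who can see or change Alice's home address under each ordering?"""
    return {
        "bob_restrictive_first": evaluate(ACL_RESTRICTIVE_FIRST, BOB, ALICE, "homePostalAddress", "read"),
        "bob_catchall_first": evaluate(ACL_CATCHALL_FIRST, BOB, ALICE, "homePostalAddress", "read"),
        "alice_self_write": evaluate(ACL_RESTRICTIVE_FIRST, ALICE, ALICE, "homePostalAddress", "write"),
        "hanna_hr_write": evaluate(ACL_RESTRICTIVE_FIRST, HANNA, ALICE, "homePostalAddress", "write"),
        "bob_reads_cn": evaluate(ACL_RESTRICTIVE_FIRST, BOB, ALICE, "cn", "read"),
        "anon_reads_cn": evaluate(ACL_RESTRICTIVE_FIRST, None, ALICE, "cn", "read"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(name, allowed)
```

With the page's ordering, Bob is denied Alice's home address while Alice and the HR group keep write access; with the catch-all moved first, the home-contact rule is never consulted and Bob reads the attribute. Against a live server the same questions are answered by slapacl(8), which evaluates the real configuration for a given subject, DN and attribute.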
<a class="indexterm" name="id2606776"></a>
The <code class="filename">/etc/ldap.conf</code> file used is listed in <a class="link" href="nw4migration.html#ch8ldap" title="Example 10.2. NSS LDAP Control File /etc/ldap.conf">“NSS LDAP Control File /etc/ldap.conf”</a>.
</p><div class="example"><a name="ch8ldap"></a><p class="title"><b>Example 10.2. NSS LDAP Control File /etc/ldap.conf</b></p><div class="example-contents"><pre class="screen">
# This file is present on every *NIX client that authenticates to LDAP.
# For me, most of the defaults are fine. There is an amazing amount of
# customization that can be done; see the man page for info.

# Your LDAP server. Must be resolvable without using LDAP. The following
# is for the LDAP server; all others use the FQDN of the server.

# The distinguished name of the search base.
base ou=corp,dc=abmas,dc=biz

# The LDAP version to use (defaults to 3 if supported by client library)

# The distinguished name to bind to the server with if the effective
# user ID is root. Password is stored in /etc/ldap.secret (mode 600)
rootbinddn cn=Manager,dc=abmas,dc=biz

# Filter to AND with uid=%s
pam_filter objectclass=posixAccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Group member attribute
pam_member_attribute memberUID

# Use the OpenLDAP password change
# extended operation to update the password.

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636

tls_cacertfile /etc/ssl/certs/private/abmas-cert.pem

</pre></div></div><br class="example-break"><p>
The NSS control file <code class="filename">/etc/nsswitch.conf</code> has the following contents:
</p><pre class="screen">
# This file controls the resolve order for system databases.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.

# The above are all that I store in LDAP at this point. There are
# possibilities to store hosts, services, ethers, and lots of other things.
</pre><p>
<a class="indexterm" name="id2606860"></a>
<a class="indexterm" name="id2606867"></a>
In my setup, users authenticate via PAM and NSS using LDAP-based accounts.
The configuration file that controls the behavior of the PAM <code class="literal">pam_unix2</code>
module is shown in <a class="link" href="nw4migration.html#sbepu2" title="Example 10.3. The PAM Control File /etc/security/pam_unix2.conf">“The PAM Control File /etc/security/pam_unix2.conf”</a>.
This works out of the box with the configuration files in this chapter. It
enables you to have no local accounts for users (it is highly advisable
to have a local account for the root user). Traps for the unwary include the following:
</p><div class="example"><a name="sbepu2"></a><p class="title"><b>Example 10.3. The PAM Control File <code class="filename">/etc/security/pam_unix2.conf</code></b></p><div class="example-contents"><pre class="screen">
# pam_unix2 config file

# This file contains options for the pam_unix2.so module.
# It contains a list of options for every type of management group,
# which will be used for authentication, account management and
# password management. Not all options will be used from all types of

# At first, pam_unix2 will read this file and then uses the local
# options. Not all options can be set here globally.

# Allowed options are:

# debug (account, auth, password, session)

# md5 (password / overwrites /etc/default/passwd)
# bigcrypt (password / overwrites /etc/default/passwd)
# blowfish (password / overwrites /etc/default/passwd)

# call_modules=x,y,z (account, auth, password)

# password: nullok blowfish crypt_rounds=8

</pre></div></div><br class="example-break"><a class="indexterm" name="id2606949"></a><a class="indexterm" name="id2606956"></a><a class="indexterm" name="id2606963"></a><div class="itemizedlist"><ul type="disc"><li><p>
If your LDAP database goes down, nobody can authenticate except for root.
</p></li><li><p>
If failover is configured incorrectly, weird behavior can occur. For example,
DNS can fail to resolve.
</p></li></ul></div><p>
I do have two LDAP slave servers configured. That subject is beyond the scope
of this document, and steps for implementing it are well documented.

The following services authenticate using LDAP:
</p><a class="indexterm" name="id2606999"></a><a class="indexterm" name="id2607006"></a><a class="indexterm" name="id2607013"></a><table class="simplelist" border="0" summary="Simple list"><tr><td><p>UNIX login/ssh</p></td></tr><tr><td><p>Postfix (SMTP)</p></td></tr><tr><td><p>Courier-IMAP/IMAPS/POP3/POP3S</p></td></tr></table><p>
<a class="indexterm" name="id2607042"></a>
<a class="indexterm" name="id2607048"></a>
Companywide white pages can be searched using an LDAP client
such as the one in the Windows Address Book.

<a class="indexterm" name="id2607061"></a>
<a class="indexterm" name="id2607067"></a>
Having gained a solid understanding of LDAP and a relatively workable LDAP tree
thus far, it was time to configure Samba. I compiled the latest stable Samba and
also installed the latest <code class="literal">smbldap-tools</code> from
<a class="ulink" href="http://idealx.com" target="_top">Idealx</a>.

The Samba <code class="filename">smb.conf</code> file was configured as shown in <a class="link" href="nw4migration.html#ch8smbconf" title="Example 10.4. Samba Configuration File smb.conf Part A">“Samba Configuration File smb.conf Part A”</a> and continued in Parts B and C.
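Several parameters in the smb.conf listed in the examples that follow carry security weight: passdb backend = ldapsam:ldap://localhost together with ldap ssl = no is acceptable only because the bind never leaves the loopback interface; admin users makes root and the Domain Admins group operate as root on every share; and [public] combines guest ok = Yes with read only = No. The following Python checker is an added example (not from the book and not a Samba tool) that parses an smb.conf fragment with configparser and flags those three conditions. The sample configuration is constructed from parameter values used in this chapter; the remote host name in the second variant is a placeholder.

```python
"""Lint a few security-relevant smb.conf settings.

Added example, not part of the book and not a Samba tool. It parses an
smb.conf fragment with configparser and flags: an LDAP passdb backend on a
remote host while "ldap ssl" is off; shares that are both guest-accessible
and writable; and "admin users", which grants root-equivalent access to
the share. The sample is constructed from parameter values of the kind
shown in this chapter's smb.conf examples.
"""
import configparser
from urllib.parse import urlparse

SAMPLE_SMB_CONF = """\
[global]
workgroup = MEGANET2
passdb backend = ldapsam:ldap://localhost
ldap ssl = no
admin users = root, "@Domain Admins"

[public]
comment = Public Files
path = /data/samba/shares/public
read only = No
guest ok = Yes

[homes]
comment = Home Directories
valid users = %S
read only = No
"""

# Constructed variant: same file, but the LDAP server is a remote host
# (placeholder name, not a real system).
SAMPLE_REMOTE_LDAP = SAMPLE_SMB_CONF.replace(
    "ldap://localhost", "ldap://ldap.corp.example.test")


def parse_smb_conf(text):
    """smb.conf is INI-like: case-insensitive keys, '=' separators, no interpolation."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                       comment_prefixes=("#", ";"))
    # Samba ignores case and collapses whitespace in parameter names.
    parser.optionxform = lambda key: " ".join(key.lower().split())
    parser.read_string(text)
    return parser


def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def ldap_hosts(backend):
    """Extract (scheme, host) pairs from 'ldapsam:ldap://h1 ldap://h2' style values."""
    hosts = []
    if not backend.lower().startswith("ldapsam"):
        return hosts
    for url in backend.split(":", 1)[1].split():
        u = urlparse(url)
        hosts.append((u.scheme, u.hostname or ""))
    return hosts


def lint(text):
    """Return a list of (section, finding) tuples; an empty list means nothing flagged."""
    conf = parse_smb_conf(text)
    findings = []
    g = conf["global"] if conf.has_section("global") else {}
    # A clear-text simple bind to a remote server exposes the ldap admin dn password.
    ldap_ssl = g.get("ldap ssl", "off").strip().lower()
    if ldap_ssl in ("no", "off", "false", "0"):
        for scheme, host in ldap_hosts(g.get("passdb backend", "")):
            if scheme == "ldap" and host not in ("localhost", "127.0.0.1", "::1"):
                findings.append(("global", "ldap ssl is off with remote LDAP host " + host))
    if "admin users" in g:
        findings.append(("global", "admin users grants root-equivalent share access: "
                         + g["admin users"]))
    for share in conf.sections():
        if share == "global":
            continue
        s = conf[share]
        writable = not is_yes(s.get("read only", "yes")) or is_yes(s.get("writeable", "no"))
        if is_yes(s.get("guest ok", "no")) and writable:
            findings.append((share, "guest-writable share"))
    return findings


if __name__ == "__main__":
    for section, message in lint(SAMPLE_SMB_CONF):
        print("[%s] %s" % (section, message))
```

On the constructed sample the loopback LDAP URL is accepted, while admin users and the guest-writable [public] share are reported; the remote-host variant adds a third finding. The check only covers parameters that appear literally in the file, so a value inherited from Samba's compiled-in defaults (for example read only = yes) is taken as the default shown in the code.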
</p><div class="example"><a name="ch8smbconf"></a><p class="title"><b>Example�10.4.�Samba Configuration File smb.conf Part A</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td># Global parameters</td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2607137"></a><em class="parameter"><code>workgroup = MEGANET2</code></em></td></tr><tr><td><a class="indexterm" name="id2607149"></a><em class="parameter"><code>netbios name = MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id2607161"></a><em class="parameter"><code>server string = Corp File Server</code></em></td></tr><tr><td><a class="indexterm" name="id2607173"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id2607185"></a><em class="parameter"><code>pam password change = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2607197"></a><em class="parameter"><code>username map = /etc/samba/smbusers</code></em></td></tr><tr><td><a class="indexterm" name="id2607209"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2607220"></a><em class="parameter"><code>log file = /data/samba/log/%m.log</code></em></td></tr><tr><td><a class="indexterm" name="id2607232"></a><em class="parameter"><code>name resolve order = wins host bcast</code></em></td></tr><tr><td><a class="indexterm" name="id2607244"></a><em class="parameter"><code>time server = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2607256"></a><em class="parameter"><code>printcap name = cups</code></em></td></tr><tr><td><a class="indexterm" name="id2607268"></a><em class="parameter"><code>show add printer wizard = No</code></em></td></tr><tr><td><a class="indexterm" name="id2607280"></a><em class="parameter"><code>cups options = Raw</code></em></td></tr><tr><td><a 
class="indexterm" name="id2607292"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2607304"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2607317"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2607330"></a><em class="parameter"><code>delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"</code></em></td></tr><tr><td><a class="indexterm" name="id2607343"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"</code></em></td></tr><tr><td><a class="indexterm" name="id2607355"></a><em class="parameter"><code>add machine script = /usr/local/sbin/smbldap-useradd -w "%m"</code></em></td></tr><tr><td><a class="indexterm" name="id2607368"></a><em class="parameter"><code>logon script = logon.bat</code></em></td></tr><tr><td><a class="indexterm" name="id2607380"></a><em class="parameter"><code>logon path = \\%L\profiles\%U\%a</code></em></td></tr><tr><td><a class="indexterm" name="id2607392"></a><em class="parameter"><code>logon drive = H:</code></em></td></tr><tr><td><a class="indexterm" name="id2607403"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2607415"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2607427"></a><em class="parameter"><code>wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2607438"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2607451"></a><em class="parameter"><code>ldap group suffix = 
ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2607463"></a><em class="parameter"><code>ldap idmap suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2607475"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2607487"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2607498"></a><em class="parameter"><code>ldap suffix = ou=MEGANET2,dc=abmas,dc=biz</code></em></td></tr><tr><td><a class="indexterm" name="id2607510"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id2607522"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2607534"></a><em class="parameter"><code>admin users = root, "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id2607546"></a><em class="parameter"><code>printer admin = "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id2607558"></a><em class="parameter"><code>force printername = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch8smbconf2"></a><p class="title"><b>Example�10.5.�Samba Configuration File smb.conf Part B</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2607598"></a><em class="parameter"><code>comment = Network logon service</code></em></td></tr><tr><td><a class="indexterm" name="id2607609"></a><em class="parameter"><code>path = /data/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2607621"></a><em class="parameter"><code>write list = "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id2607633"></a><em 
class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2607654"></a><em class="parameter"><code>comment = Roaming Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2607665"></a><em class="parameter"><code>path = /data/samba/profiles/</code></em></td></tr><tr><td><a class="indexterm" name="id2607677"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2607689"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2607701"></a><em class="parameter"><code>veto files = desktop.ini</code></em></td></tr><tr><td><a class="indexterm" name="id2607712"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2607733"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2607745"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2607756"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2607768"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id2607779"></a><em class="parameter"><code>veto files = desktop.ini</code></em></td></tr><tr><td><a class="indexterm" name="id2607791"></a><em class="parameter"><code>hide files = desktop.ini</code></em></td></tr><tr><td><a class="indexterm" name="id2607803"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[software]</code></em></td></tr><tr><td><a class="indexterm" name="id2607823"></a><em class="parameter"><code>comment = Software for %a 
computers</code></em></td></tr><tr><td><a class="indexterm" name="id2607835"></a><em class="parameter"><code>path = /data/samba/shares/software/%a</code></em></td></tr><tr><td><a class="indexterm" name="id2607847"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[public]</code></em></td></tr><tr><td><a class="indexterm" name="id2607868"></a><em class="parameter"><code>comment = Public Files</code></em></td></tr><tr><td><a class="indexterm" name="id2607880"></a><em class="parameter"><code>path = /data/samba/shares/public</code></em></td></tr><tr><td><a class="indexterm" name="id2607891"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2607903"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[PDF]</code></em></td></tr><tr><td><a class="indexterm" name="id2607924"></a><em class="parameter"><code>comment = Location of documents printed to PDFCreator printer</code></em></td></tr><tr><td><a class="indexterm" name="id2607936"></a><em class="parameter"><code>path = /data/samba/shares/pdf</code></em></td></tr><tr><td><a class="indexterm" name="id2607948"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch8smbconf3"></a><p class="title"><b>Example�10.6.�Samba Configuration File smb.conf Part C</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[EVERYTHING]</code></em></td></tr><tr><td><a class="indexterm" name="id2607987"></a><em class="parameter"><code>comment = All shares</code></em></td></tr><tr><td><a class="indexterm" name="id2607998"></a><em class="parameter"><code>path = /data/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2608010"></a><em 
class="parameter"><code>valid users = "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id2608022"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[CDROM]</code></em></td></tr><tr><td><a class="indexterm" name="id2608042"></a><em class="parameter"><code>comment = CD-ROM on MASSIVE</code></em></td></tr><tr><td><a class="indexterm" name="id2608054"></a><em class="parameter"><code>path = /mnt</code></em></td></tr><tr><td><a class="indexterm" name="id2608066"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2608086"></a><em class="parameter"><code>comment = Printer Drivers Share</code></em></td></tr><tr><td><a class="indexterm" name="id2608098"></a><em class="parameter"><code>path = /data/samba/drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2608110"></a><em class="parameter"><code>write list = root</code></em></td></tr><tr><td><a class="indexterm" name="id2608121"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2608142"></a><em class="parameter"><code>comment = All Printers</code></em></td></tr><tr><td><a class="indexterm" name="id2608154"></a><em class="parameter"><code>path = /data/samba/spool</code></em></td></tr><tr><td><a class="indexterm" name="id2608165"></a><em class="parameter"><code>create mask = 0644</code></em></td></tr><tr><td><a class="indexterm" name="id2608177"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2608189"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[acct_hp8500]</code></em></td></tr><tr><td><a class="indexterm" 
name="id2608209"></a><em class="parameter"><code>comment = "Accounting Color Laser Printer"</code></em></td></tr><tr><td><a class="indexterm" name="id2608221"></a><em class="parameter"><code>path = /data/samba/spool/private</code></em></td></tr><tr><td><a class="indexterm" name="id2608233"></a><em class="parameter"><code>valid users = @acct, @acct_admin, @hr, "@Domain Admins",@Receptionist, dwayne, terri, danae, jerry</code></em></td></tr><tr><td><a class="indexterm" name="id2608246"></a><em class="parameter"><code>create mask = 0644</code></em></td></tr><tr><td><a class="indexterm" name="id2608258"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2608269"></a><em class="parameter"><code>copy = printers</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[plotter]</code></em></td></tr><tr><td><a class="indexterm" name="id2608290"></a><em class="parameter"><code>comment = Engineering Plotter</code></em></td></tr><tr><td><a class="indexterm" name="id2608302"></a><em class="parameter"><code>path = /data/samba/spool</code></em></td></tr><tr><td><a class="indexterm" name="id2608313"></a><em class="parameter"><code>create mask = 0644</code></em></td></tr><tr><td><a class="indexterm" name="id2608325"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2608337"></a><em class="parameter"><code>use client driver = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2608348"></a><em class="parameter"><code>copy = printers</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch8smbconf4"></a><p class="title"><b>Example�10.7.�Samba Configuration File smb.conf Part D</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[APPS]</code></em></td></tr><tr><td><a class="indexterm" 
name="id2608388"></a><em class="parameter"><code>path = /data/samba/shares/Apps</code></em></td></tr><tr><td><a class="indexterm" name="id2608400"></a><em class="parameter"><code>force group = "Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2608411"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[ACCT]</code></em></td></tr><tr><td><a class="indexterm" name="id2608432"></a><em class="parameter"><code>path = /data/samba/shares/Accounting</code></em></td></tr><tr><td><a class="indexterm" name="id2608444"></a><em class="parameter"><code>valid users = @acct, "@Domain Admins"</code></em></td></tr><tr><td><a class="indexterm" name="id2608456"></a><em class="parameter"><code>force group = acct</code></em></td></tr><tr><td><a class="indexterm" name="id2608468"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2608479"></a><em class="parameter"><code>create mask = 0660</code></em></td></tr><tr><td><a class="indexterm" name="id2608491"></a><em class="parameter"><code>directory mask = 0770</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[ACCT_ADMIN]</code></em></td></tr><tr><td><a class="indexterm" name="id2608512"></a><em class="parameter"><code>path = /data/samba/shares/Acct_Admin</code></em></td></tr><tr><td><a class="indexterm" name="id2608524"></a><em class="parameter"><code>valid users = @acct_admin</code></em></td></tr><tr><td><a class="indexterm" name="id2608536"></a><em class="parameter"><code>force group = acct_admin</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[HR_PR]</code></em></td></tr><tr><td><a class="indexterm" name="id2608557"></a><em class="parameter"><code>path = /data/samba/shares/HR_PR</code></em></td></tr><tr><td><a class="indexterm" name="id2608569"></a><em class="parameter"><code>valid users = @hr, 
@acct_admin</code></em></td></tr><tr><td><a class="indexterm" name="id2608581"></a><em class="parameter"><code>force group = hr</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[ENGR]</code></em></td></tr><tr><td><a class="indexterm" name="id2608601"></a><em class="parameter"><code>path = /data/samba/shares/Engr</code></em></td></tr><tr><td><a class="indexterm" name="id2608613"></a><em class="parameter"><code>valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri</code></em></td></tr><tr><td><a class="indexterm" name="id2608625"></a><em class="parameter"><code>force group = engr</code></em></td></tr><tr><td><a class="indexterm" name="id2608637"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2608649"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[DATA]</code></em></td></tr><tr><td><a class="indexterm" name="id2608669"></a><em class="parameter"><code>path = /data/samba/shares/DATA</code></em></td></tr><tr><td><a class="indexterm" name="id2608681"></a><em class="parameter"><code>valid users = @engr, @receptionist, @truss, "@Domain Admins", cheri</code></em></td></tr><tr><td><a class="indexterm" name="id2608693"></a><em class="parameter"><code>force group = engr</code></em></td></tr><tr><td><a class="indexterm" name="id2608705"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2608717"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id2608728"></a><em class="parameter"><code>copy = engr</code></em></td></tr></table></div></div><br class="example-break"><div class="example"><a name="ch8smbconf5"></a><p class="title"><b>Example�10.8.�Samba Configuration File smb.conf Part E</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> 
</td></tr><tr><td><em class="parameter"><code>[X]</code></em></td></tr><tr><td><a class="indexterm" name="id2608767"></a><em class="parameter"><code>path = /data/samba/shares/X</code></em></td></tr><tr><td><a class="indexterm" name="id2608779"></a><em class="parameter"><code>valid users = @engr, @acct</code></em></td></tr><tr><td><a class="indexterm" name="id2608790"></a><em class="parameter"><code>force group = engr</code></em></td></tr><tr><td><a class="indexterm" name="id2608802"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2608814"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id2608825"></a><em class="parameter"><code>copy = engr</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[NETWORK]</code></em></td></tr><tr><td><a class="indexterm" name="id2608846"></a><em class="parameter"><code>path = /data/samba/shares/network</code></em></td></tr><tr><td><a class="indexterm" name="id2608858"></a><em class="parameter"><code>valid users = "@Domain Users"</code></em></td></tr><tr><td><a class="indexterm" name="id2608869"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2608881"></a><em class="parameter"><code>create mask = 0770</code></em></td></tr><tr><td><a class="indexterm" name="id2608893"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[UTILS]</code></em></td></tr><tr><td><a class="indexterm" name="id2608913"></a><em class="parameter"><code>path = /data/samba/shares/Utils</code></em></td></tr><tr><td><a class="indexterm" name="id2608925"></a><em class="parameter"><code>write list = "@Domain Admins"</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[SYS]</code></em></td></tr><tr><td><a class="indexterm" name="id2608946"></a><em class="parameter"><code>path = 
/data/samba/shares/SYS</code></em></td></tr><tr><td><a class="indexterm" name="id2608958"></a><em class="parameter"><code>valid users = chad</code></em></td></tr><tr><td><a class="indexterm" name="id2608969"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2608981"></a><em class="parameter"><code>browseable = No</code></em></td></tr></table></div></div><br class="example-break"><p>
<a class="indexterm" name="id2608996"></a>
<a class="indexterm" name="id2609002"></a>
<a class="indexterm" name="id2609009"></a>
Most of these shares are only used by one company group, but they are required
because some ancient Qbasic and Rbase applications were written expecting
their own drive letters.
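</p><p>
Two of the shares listed above combine <code class="literal">guest ok = Yes</code> with <code class="literal">read only = No</code> ([public] and [NETWORK]). As an added check that is not part of this chapter or of Samba itself, the following Python parses share definitions the way smb.conf is written (the sample text is constructed from the page's own share sections, with synonyms such as <code class="literal">writable</code> and <code class="literal">public</code> folded in) and reports which shares a guest session could write to and whether a <code class="literal">valid users</code> list still limits who gets in.
</p>

```python
"""Report guest-writable shares in an smb.conf.

Added check, not part of this chapter or of Samba. Flags every non-printer
share that accepts guest sessions (guest ok/public = Yes) and is not read
only, and shows whether a 'valid users' list still limits who gets in.
Defaults follow smb.conf(5): guest ok = No, read only = Yes.
"""
import re

# Constructed from the share definitions listed on this page.
SMB_CONF = """\
[netlogon]
comment = Network logon service
path = /data/samba/netlogon
write list = "@Domain Admins"
guest ok = Yes

[public]
comment = Public Files
path = /data/samba/shares/public
read only = No
guest ok = Yes

[NETWORK]
path = /data/samba/shares/network
valid users = "@Domain Users"
read only = No
create mask = 0770
guest ok = Yes

[software]
comment = Software for %a computers
path = /data/samba/shares/software/%a
guest ok = Yes

[SYS]
path = /data/samba/shares/SYS
valid users = chad
read only = No
browseable = No
"""


def is_yes(value):
    """Samba boolean parsing: yes/true/1, case-insensitive."""
    return value.strip().lower() in ("yes", "true", "1")


def norm(name):
    """Samba matches parameter names ignoring case and whitespace."""
    return "".join(name.split()).lower()


def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}}; synonyms are folded."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = norm(key), value.strip()
        if key in ("writable", "writeable", "writeok"):  # inverse of 'read only'
            key, value = "readonly", ("No" if is_yes(value) else "Yes")
        elif key == "public":                            # synonym of 'guest ok'
            key = "guestok"
        sections[current][key] = value
    return sections


def guest_writable_shares(sections):
    """List of (share, note) for shares a guest session could write to."""
    findings = []
    for name, p in sections.items():
        if name.lower() == "global" or is_yes(p.get("printable", "No")):
            continue
        guest = is_yes(p.get("guestok", "No"))
        writable = not is_yes(p.get("readonly", "Yes"))
        if guest and writable:
            note = (f"valid users = {p['validusers']}" if "validusers" in p
                    else "no valid users restriction")
            findings.append((name, note))
    return findings


if __name__ == "__main__":
    for share, note in guest_writable_shares(parse_smb_conf(SMB_CONF)):
        print(f"[{share}]: guest-writable ({note})")
```

<p>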
</p><p>
<a class="indexterm" name="id2609023"></a>
<a class="indexterm" name="id2609030"></a>
<a class="indexterm" name="id2609036"></a>
Note: During the process of building the new server, I kept data files
up to date with the Novell server via use of <code class="literal">rsync</code>.
On a separate system (my workstation in fact), which could be rebooted
whenever necessary, I set up a mount point to the Novell server via
<code class="literal">ncpmount</code>. I then created a
<code class="filename">rsyncd.conf</code> to share that mount point out to my
new server, and synchronized once an hour. The script I used to synchronize
is shown in <a class="link" href="nw4migration.html#sbersync" title="Example&nbsp;10.9.&nbsp;Rsync Script">“Rsync Script”</a>. The files exclusion list I used
is shown in <a class="link" href="nw4migration.html#sbexcld" title="Example&nbsp;10.10.&nbsp;Rsync Files Exclusion List /root/excludes.txt">“Rsync Files Exclusion List /root/excludes.txt”</a>. The reason I had to have the
<code class="literal">rsync</code> daemon running on a system that could be
rebooted frequently is because <code class="constant">ncpfs</code>
(part of the MARS NetWare Emulation package) has a nasty habit of creating stale
mount points that cannot be recovered without a reboot. The reason for hourly
synchronization is because some part of the chain was very slow and
performance-heavy (whether <code class="literal">rsync</code> itself, the network,
or the Novell server, I am not sure, but it was probably the Novell server).
</p><div class="example"><a name="sbersync"></a><p class="title"><b>Example&nbsp;10.9.&nbsp;Rsync Script</b></p><div class="example-contents"><pre class="screen">
#!/bin/bash
# Part 1 - rsync the Novell directories to the new server
echo "#############################################"
echo "New sync operation starting at `date`"
# Skip this run if the previous (slow) rsync is still going
if ! pgrep -fl '^rsync\&gt;' ; then
echo "Good, no rsync is running!"
echo "Synchronizing oink to BHPRO"
rsync -av --exclude-from=/root/excludes.txt \
baa.corp:/BHPRO/SYS1/ /data/samba/shares/SYS1
retval=$?
[ ${retval} = 0 ] &amp;&amp; echo "Sync operation completed at `date`"
echo "Fixing permissions"
# I had a whole lot more permission-fixing stuff here. It got
# pared down as groups got moved over. The problem
# was that the way I was mounting the directory, everything
# was owned by the Novell administrator which translated to
# Root. This is also why I could only do one-way sync because
# I could not fix the ACLs on the Novell side.
# (-perm /770 is the current GNU find spelling of the old -perm +770)
find /data/samba/shares/Engr/ -perm /770 -exec chmod 770 {} \;
find /data/samba/shares/Engr/ ! -group engr -exec chgrp engr {} \;
else
# This rsync took ages and ages -- I had it set to run every hour but
# I needed a way to prevent it running into itself.
echo "Oh no, rsync is already running!"
echo "#############################################"
fi
</pre></div></div><br class="example-break"><div class="example"><a name="sbexcld"></a><p class="title"><b>Example&nbsp;10.10.&nbsp;Rsync Files Exclusion List <code class="filename">/root/excludes.txt</code></b></p><div class="example-contents"><pre class="screen">
</pre></div></div><br class="example-break"><p>
After Samba was configured, I initialized the LDAP database. The first
thing I had to do was store the LDAP password in the Samba configuration by
issuing the command (as root):
</p><pre class="screen">
<code class="prompt">root# </code> smbpasswd -w verysecret
</pre><p>
where “<span class="quote">verysecret</span>” is replaced by the LDAP bind password.
</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
The Idealx smbldap-tools package can be configured using a script called
<code class="literal">configure.pl</code> that is provided as part of the tool. See <a class="link" href="happy.html" title="Chapter&nbsp;5.&nbsp;Making Happy Users">“Making Happy Users”</a>
for an example of its use. Many administrators, like Misty, choose to do this manually
so as to maintain greater awareness of how the tool-chain works and possibly to avoid
undesirable actions from occurring unnoticed.
</p></div><p>
Now Samba was ready for use and it was time to configure the smbldap-tools. There are two
relevant files, which are usually put into the directory
<code class="filename">/etc/smbldap-tools</code>. The main file,
<code class="filename">smbldap.conf</code> is shown in <a class="link" href="nw4migration.html#ch8ideal" title="Example&nbsp;10.11.&nbsp;Idealx smbldap-tools Control File Part A">“Idealx smbldap-tools Control File Part A”</a>.
</p><div class="example"><a name="ch8ideal"></a><p class="title"><b>Example&nbsp;10.11.&nbsp;Idealx smbldap-tools Control File Part A</b></p><div class="example-contents"><pre class="screen">
# located in /etc/smbldap-tools/smbldap.conf

######################################################################
# General Configuration
######################################################################

# to obtain this number do: net getlocalsid
SID="S-1-5-21-725326080-1709766072-2910717368"

######################################################################
######################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)

# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"

# If set to 1, this option will use start_tls for connection
# (you should also use the port 389)

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
</pre></div></div><br class="example-break"><div class="example"><a name="ch8ideal2"></a><p class="title"><b>Example&nbsp;10.12.&nbsp;Idealx smbldap-tools Control File Part B</b></p><div class="example-contents"><pre class="screen">
# see "man Net::LDAP" in start_tls section for more details

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details

# Ex: suffix=dc=IDEALX,dc=ORG
suffix="ou=MEGANET2,dc=abmas,dc=biz"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=People,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=People,${suffix}"

# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries
# (used if samba is a domain member server)
# Ex idmapdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="sambaDomainName=MEGANET2,${suffix}"
</pre></div></div><br class="example-break"><div class="example"><a name="ch8ideal3"></a><p class="title"><b>Example&nbsp;10.13.&nbsp;Idealx smbldap-tools Control File Part C</b></p><div class="example-contents"><pre class="screen">
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

######################################################################
# Unix Accounts Configuration
######################################################################

# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/false"

# Ex: userHome="/home/%U"

userGecos="Samba User"

# Default User (POSIX and Samba) GID

# Default Computer (Samba) GID
defaultComputerGid="515"

skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next
# line if you don't want password to be enable for
# defaultMaxPasswordAge days (be careful to the sambaPwdMustChange
defaultMaxPasswordAge="45"
</pre></div></div><br class="example-break"><div class="example"><a name="ch8ideal4"></a><p class="title"><b>Example&nbsp;10.14.&nbsp;Idealx smbldap-tools Control File Part D</b></p><div class="example-contents"><pre class="screen">
######################################################################
# SAMBA Configuration
######################################################################

# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf
# 'logon home' directive and/or disable roaming profiles

# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf
# 'logon path' directive and/or disable roaming profiles

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under DOS

# userScript="startup.cmd" # make sure script file is edited under DOS

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="abmas.org"

######################################################################
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
######################################################################
# Allows not to use smbpasswd
# (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
smbpasswd="/usr/bin/smbpasswd"
</pre></div></div><br class="example-break"><p>
<a class="indexterm" name="id2609499"></a>
Note: I chose not to take advantage of the TLS capability of this.
Eventually I may go back and tweak it. Also, I chose not to take advantage
of the master/slave configuration as I heard horror stories that it was
unstable. My slave servers are replicas only.
</p><p>
The <code class="filename">/etc/smbldap-tools/smbldap_bind.conf</code> file is shown here:
</p><pre class="screen">
# This file simply tells smbldap-tools how to bind to your LDAP server.
# It has to be a DN with full write access to the Samba portion of

############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
slaveDN="cn=Manager,dc=abmas,dc=biz"
masterDN="cn=Manager,dc=abmas,dc=biz"
masterPw="verysecret"
</pre><p>
The next step was to run the <code class="literal">smbldap-populate</code> command, which populates
770
the LDAP tree with the appropriate default users, groups, and UID and GID pools.
771
It creates a user called Administrator with UID=0 and GID=0 matching the
772
Domain Admins group. This is fine because you can still log on as root to a Windows system,
773
but it will break cached credentials if you need to log on as the administrator
774
to a system that is not on the network.
776
After the LDAP database has been preloaded, it is prudent to validate that the
777
information needed is in the LDAP directory. This can be done done by restarting
778
the LDAP server, then performing an LDAP search by executing:
779
</p><pre class="screen">
<code class="prompt">root# </code> ldapsearch -W -x -b "dc=abmas,dc=biz" \
-D "cn=Manager,dc=abmas,dc=biz" \
# base &lt;dc=abmas,dc=biz&gt; with scope sub
# filter: (ObjectClass=*)

objectClass: dcObject
objectClass: organization

dn: ou=People,dc=abmas,dc=biz
objectClass: organizationalUnit

dn: ou=Groups,dc=abmas,dc=biz
objectClass: organizationalUnit

dn: ou=Idmap,dc=abmas,dc=biz
objectClass: organizationalUnit
</pre><p>
<a class="indexterm" name="id2609600"></a>
817
<a class="indexterm" name="id2609607"></a>
818
<a class="indexterm" name="id2609613"></a>
819
<a class="indexterm" name="id2609620"></a>
820
<a class="indexterm" name="id2609627"></a>
821
With the LDAP directory now initialized, it was time to create the Windows and POSIX
822
(UNIX) group accounts as well as the mappings from Windows groups to UNIX groups.
823
The easiest way to do this was to use <code class="literal">smbldap-groupadd</code> command.
824
It creates the group with the posixGroup and sambaGroupMapping attributes, a
825
unique GID, and an automatically determined RID. I learned the hard way not to
826
try to do this by hand.
828
<a class="indexterm" name="id2609650"></a>
829
<a class="indexterm" name="id2609657"></a>
830
<a class="indexterm" name="id2609664"></a>
831
After I had my group mappings in place, I added users to the groups (the users
832
don't really have to exist yet). I used the <code class="literal">smbldap-groupmod</code>
833
command to accomplish this. It can also be done manually by adding memberUID
834
attributes to the group entries in LDAP.
836
<a class="indexterm" name="id2609684"></a>
837
<a class="indexterm" name="id2609691"></a>
838
<a class="indexterm" name="id2609698"></a>
839
The most monumental task of all was adding the sambaSamAccount information to each
840
already existent posixAccount entry. I did it one at a time as I moved people onto
841
the new server, by issuing the command:
842
</p><pre class="screen">
<code class="prompt">root# </code> smbldap-usermod -a -P username
</pre><p>
<a class="indexterm" name="id2609720"></a>
<a class="indexterm" name="id2609727"></a>
<a class="indexterm" name="id2609734"></a>
I completed that step for every user after asking the person what his or her current
NetWare password was. The wiser way to have done it would probably have been to dump the
entire database to an LDIF file. This can be done by executing:
</p><pre class="screen">
<code class="prompt">root# </code> slapcat &gt; somefile.ldif
</pre><p>
<a class="indexterm" name="id2609758"></a>
<a class="indexterm" name="id2609764"></a>
Then update the LDIF file created by using a Perl script to parse and add the
appropriate attributes and objectClasses to each entry, followed by re-importing
the entire database into the LDAP directory.
</p><p>
Rebuilding of the LDAP directory can be done as follows:
</p><pre class="screen">
<code class="prompt">root# </code> rcldap stop
<code class="prompt">root# </code> cd /data/ldap
<code class="prompt">root# </code> rm *bdb _* log*
<code class="prompt">root# </code> su - ldap -c "slapadd -l somefile.ldif"
<code class="prompt">root# </code> rcldap start
</pre><p>
This can be done at any time and for any reason, with no harm to the database.
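</p><p>
The dump, transform and reload sequence above, worked through as an added example (Python rather than the Perl script the author mentions; this is not code from the chapter or from smbldap-tools): it parses a <code class="literal">slapcat</code> LDIF dump, adds the sambaSamAccount objectClass and SID attributes to every posixAccount entry, and writes LDIF back out for <code class="literal">slapadd</code>. The sample dump is constructed; the domain SID is the one from the page's smbldap.conf, and the RID mapping (user RID 2*uidNumber+1000, group RID 2*gidNumber+1001) is an assumption that reproduces the SIDs of the page's own w2kengrspare$ entry.
</p>

```python
"""Add sambaSamAccount data to posixAccount entries of a slapcat LDIF dump.
Added example (Python, not the author's Perl script nor smbldap-tools code).
Assumes the page's domain SID and the RID mapping smbldap-tools used
(user RID = 2*uidNumber+1000, group RID = 2*gidNumber+1001), which reproduces
the SIDs in the page's own w2kengrspare$ entry."""
import re

DOMAIN_SID = "S-1-5-21-725326080-1709766072-2910717368"  # from the page's smbldap.conf
RID_BASE = 1000

# Constructed sample slapcat output (not from the page): a user, a machine, an OU.
SAMPLE_LDIF = """\
dn: cn=Test User,ou=People,ou=MEGANET2,dc=abmas,dc=biz
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Test User
uid: test.user
uidNumber: 1074
gidNumber: 513
loginShell: /bin/false
description:: VGVzdCBhY2NvdW50

dn: uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz
objectClass: inetOrgPerson
objectClass: posixAccount
uid: w2kengrspare$
uidNumber: 1104
gidNumber: 515

dn: ou=People,ou=MEGANET2,dc=abmas,dc=biz
objectClass: organizationalUnit
ou: People
"""

LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(:<|::?) ?(.*)$")  # name, ':'/'::'(base64)/':<'(URL), value


def parse_ldif(text):
    """Parse LDIF into entries, each a list of (attr, sep, value) triples in
    file order; folded lines are joined, base64/URL values kept verbatim."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], []
    for line in unfolded:
        if not line.strip():                    # blank line ends an entry
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        current.append((m.group(1), m.group(2), m.group(3)))
    if current:
        entries.append(current)
    return entries


def values(entry, attr):
    # plain-text values of an attribute, name compared case-insensitively
    return [v for a, s, v in entry if a.lower() == attr.lower() and s == ":"]


def add_samba_account(entry, domain_sid=DOMAIN_SID):
    """Copy of entry with objectClass sambaSamAccount and SIDs added; entries
    that are not posixAccounts or already sambaSamAccounts come back as is."""
    classes = {v.lower() for v in values(entry, "objectClass")}
    if "posixaccount" not in classes or "sambasamaccount" in classes:
        return list(entry)
    uid_number, gid_number = values(entry, "uidNumber"), values(entry, "gidNumber")
    if not uid_number or not gid_number:
        raise ValueError(f"posixAccount without uidNumber/gidNumber: {entry[0][2]}")
    user_rid = 2 * int(uid_number[0]) + RID_BASE
    group_rid = 2 * int(gid_number[0]) + RID_BASE + 1
    is_machine = any(u.endswith("$") for u in values(entry, "uid"))  # trust accounts
    out = list(entry)
    last_oc = max(i for i, (a, _, _) in enumerate(out) if a.lower() == "objectclass")
    out.insert(last_oc + 1, ("objectClass", ":", "sambaSamAccount"))
    out.extend([
        ("sambaSID", ":", f"{domain_sid}-{user_rid}"),
        ("sambaPrimaryGroupSID", ":", f"{domain_sid}-{group_rid}"),
        # No NT/LM hash is written: the account cannot authenticate over SMB
        # until a password is set (smbldap-usermod -P on this page), so nothing
        # goes live with an unknown or empty password.
        ("sambaAcctFlags", ":", "[W          ]" if is_machine else "[U          ]"),
    ])
    return out


def render_ldif(entries):
    return "\n\n".join("\n".join(f"{a}{s} {v}" for a, s, v in e) for e in entries) + "\n"


def convert_dump(text, domain_sid=DOMAIN_SID):
    """slapcat output in, LDIF ready for slapadd out."""
    return render_ldif([add_samba_account(e, domain_sid) for e in parse_ldif(text)])
```

<p>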
</p><p>
I first added a test user, of course. The LDIF for this test user looks like
this, to give you an idea:
</p><pre class="screen">
# Entry 1: cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
dn:cn=Test User,ou=people,ou=corp,dc=abmas,dc=biz
homeDirectory: /home/test.user
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
displayName: Samba User
sambaSID: S-1-5-21-725326080-1709766072-2910717368-3148
sambaLMPassword: 9D29C287C58448F9AAD3B435B51404EE
sambaNTPassword: D062088E99C95E37D7702287BB35E770
sambaPwdLastSet: 1102537694
sambaPwdMustChange: 1106425694
userPassword: {SSHA}UzFZ2VxRGdwUueLnTGtsTBtnsvMO1oj8
loginShell: /bin/false
</pre><p>
Then I went over to a spare Windows NT machine and joined it to the MEGANET2 domain.
It worked, and the machine's account entry under ou=Computers looks like this:
</p><pre class="screen">
dn:uid=w2kengrspare$,ou=Computers,ou=MEGANET2,dc=abmas,dc=biz
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
sambaSID: S-1-5-21-725326080-1709766072-2910717368-3208
sambaPrimaryGroupSID: S-1-5-21-725326080-1709766072-2910717368-2031
displayName: W2KENGRSPARE$
sambaPwdCanChange: 1103149236
sambaPwdMustChange: 2147483647
sambaNTPassword: CA199C45CB6737035DB6D9D9F6CD1834
sambaPwdLastSet: 1103149236
</pre><p>
<a class="indexterm" name="id2609879"></a>
So now I could log on with a test user from the machine w2kengrspare. It was all well and
good, but that user was in no groups yet and so had pretty boring access. I fixed that
by writing the login script! To write the login script, I used
<a class="ulink" href="http://www.kixtart.org" target="_top">Kixtart</a> because it will work
with every architecture of Windows, has an active and helpful user base, and was both
easier to learn and more powerful than the standard netlogon scripts I have seen.
I also did not have to do a logon script per user or per group.
</p><p>
<a class="indexterm" name="id2609904"></a>
I downloaded Kixtart and put the following files in my netlogon share:
</p><pre class="screen">
950
KX95.dll <-- Not needed unless you are running Win9x clients.
951
kx16.dll <-- Probably not needed unless you are running DOS clients.
952
kxrpc.exe <-- Probably useless as it has to run on the server and can
953
only be run on NT. It's for Windows 95 to become group-aware.
954
We can get around the need.
957
<p>
<a class="indexterm" name="id2609935"></a>
I then wrote the <code class="filename">logon.kix</code> file that is shown in
<a class="link" href="nw4migration.html#ch8kix" title="Example 10.15. Kixtart Control File: logon.kix">“Kixtart Control File: logon.kix”</a>. I chose to keep it all in one file, but it
can be split up and linked via include directives.
961
</p><div class="example"><a name="ch8kix"></a><p class="title"><b>Example 10.15. Kixtart Control File: logon.kix</b></p><div class="example-contents"><pre class="screen">
; This script just calls the other scripts.
; First we want to get things done for everyone.
; Second, we do first-time login stuff.
; Third, we go through the group-oriented scripts one at a time.
; We want to check for group membership here to avoid the overhead of running
; scripts which don't apply.
call "\\massive\netlogon\scripts\main.kix"
call "\\massive\netlogon\scripts\setup.kix"
IF INGROUP("MEGANET2\ACCT")
call "scripts\acct.kix"
ENDIF
IF INGROUP("MEGANET2\ENGR","MEGANET2\RECEPTIONIST")
call "\\massive\netlogon\scripts\engr.kix"
ENDIF
IF INGROUP("MEGANET2\FURN")
call "\\massive\netlogon\scripts\furn.kix"
ENDIF
IF INGROUP("MEGANET2\TRUSS")
call "\\massive\netlogon\scripts\truss.kix"
ENDIF
987
</pre></div></div><br class="example-break"><div class="example"><a name="ch8kix2"></a><p class="title"><b>Example 10.16. Kixtart Control File: main.kix</b></p><div class="example-contents"><pre class="screen">
; Choose whether to hide the login window or not
IF INGROUP("MEGANET2\Domain Admins")
USE Z: \\massive\everything
; Nobody cares about seeing the login script except admins
; Delete all previously connected shares
SETTITLE("Logging on @USERID to @LDOMAIN at @TIME")
; Set the time on the workstation
$Timeserver = "\\massive"
; Map the home directory
USE H: @HOMESHR ; connect to user's home share
CD @HOMEDIR ; change directory to user's home directory
; Everyone gets the N drive
USE N: \\massive\network
1018
</pre></div></div><br class="example-break"><div class="example"><a name="ch8kix3"></a><p class="title"><b>Example 10.17. Kixtart Control File: setup.kix, Part A</b></p><div class="example-contents"><pre class="screen">
; My setup.kix is where all of the redirection stuff happens. Note that with
; the use of registry keys, this only happens the first time they log in, or if
; I delete the pertinent registry keys which triggers it to happen again:
; Check to see if we have written the abmas sub-key before
$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas")
IF NOT $RETURNCODE = 0
; Add key for abmas-specific things on the first login
ADDKEY("HKEY_CURRENT_USER\abmas")
; The following key gets deleted at the end of the first login
ADDKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
; People with laptops need My Documents to be in their profile. People with
; desktops can have My Documents redirected to their home directory to avoid
; long delays with logging out and out-of-sync files.
; Check to see if this is the first login -- doesn't make sense to do this
; at the very first login
$RETURNCODE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
IF NOT $RETURNCODE = 0
; We don't want to do this stuff for people with laptops or people in the FURN
; group. (They store their profiles in a different server)
IF NOT INGROUP("MASSIVE\Laptop","MASSIVE\FURN")
$RETURNCODE=EXISTKEY("HKEY_CURRENT_USER\abmas\profile_copied")
; A crude way to tell what OS our profile is for and copy the "My Documents"
; to the redirected folder on the server. It works because the profiles
; are stored as \\server\profiles\user\architecture
IF NOT $RETURNCODE = 0
IF EXIST("\\massive\profiles\@userID\WinXP")
copy "\\massive\profiles\@userID\WinXP\My Documents\*"
"\\massive\@userID\"
IF EXIST("\\massive\profiles\@userID\Win2K")
copy "\\massive\profiles\@userID\Win2K\My Documents\*"
"\\massive\@userID\"
IF EXIST("\\massive\profiles\@userID\WinNT")
copy "\\massive\profiles\@userID\WinNT\My Documents\*"
"\\massive\@userID\"
1064
</pre></div></div><br class="example-break"><div class="example"><a name="ch8kix3b"></a><p class="title"><b>Example 10.18. Kixtart Control File: setup.kix, Part B</b></p><div class="example-contents"><pre class="screen">
; Now we will write the registry values to redirect the locations of "My
; and other folders.
ADDKEY("HKEY_CURRENT_USER\abmas\profile_copied")
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\User
Shell Folders", "Personal","\\massive\@userID","REG_SZ")
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\User
Shell Folders", "My Pictures", "\\massive\@userID\My Pictures", "REG_SZ")
IF @PRODUCTTYPE="Windows 2000 Professional" or @PRODUCTTYPE="Windows XP
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\User
Shell Folders", "My Videos", "\\massive\@userID\My Videos", "REG_SZ")
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\User
Shell Folders", "My Music", "\\massive\@userID\My Music", "REG_SZ")
WRITEVALUE("HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\User
Shell Folders", "My eBooks", "\\massive\@userID\My eBooks", "REG_SZ")
; Now we will delete the FIRST_LOGIN sub-key that we made before.
; Note - to run this script again you will want to delete the HKCU\abmas
; sub-key, log out, and log back in.
$RETURNVALUE = EXISTKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
DELKEY("HKEY_CURRENT_USER\abmas\FIRST_LOGIN")
1097
</pre></div></div><br class="example-break"><div class="example"><a name="ch8kix4"></a><p class="title"><b>Example 10.19. Kixtart Control File: acct.kix</b></p><div class="example-contents"><pre class="screen">
; And here is one group-oriented script to show what can be
; done that way: acct.kix:
IF INGROUP("MASSIVE\Acct_Admin","MASSIVE\HR")
USE I: \\MEGANET2\HR_PR
ENDIF
$RETURNVALUE = existkey("HKEY_CURRENT_USER\Printers\,,massive,acct_hp8500")
IF NOT $RETURNVALUE = 0
ADDPRINTERCONNECTION("\\massive\acct_hp8500")
SETDEFAULTPRINTER("\\massive\acct_hp8500")
ENDIF
; Set up drive mappings
USE M: \\massive\ACCT
IF INGROUP("MEGANET2\ABRA")
USE T: \\trussrv\abra
ENDIF
1116
</pre></div></div><br class="example-break"><p>
As you can see in the script, I redirected the My Documents to the user's home
share if he or she were not in the Laptop group. I also added printers on a
group-by-group basis, and if applicable I set the group printer. For this to
be effective, the print drivers must be installed on the Samba server in the
<code class="filename">[print$]</code> share. Ample documentation exists about how to
do that, so it is not covered here.
</p><p>
I call this script via the logon.bat script in the [netlogon] directory:
</p><pre class="screen">
\\corpsrv\netlogon\kix32 \\corpsrv\netlogon\logon.kix /f
</pre>
1128
<p>
I only had to fully qualify the paths for Windows 9x, as Windows NT and
greater automatically add [NETLOGON] to the path.
</p><p>
Also of note for Win9x is that the drive mappings and printer setup will not
work because they rely on RPC. You merely have to put the appropriate settings
into the <code class="filename">c:\autoexec.bat</code> file or map the drives manually.
One option is to check the OS as part of the Kixtart script, and if it
is Win9x and is the first login, copy a premade
<code class="filename">autoexec.bat</code> to the <code class="filename">C:</code> drive. I
have only three such machines, and one is going away in the very near future,
so it was easier to do it by hand.
</p><p>
<a class="indexterm" name="id2610232"></a>
At this point I was able to add the users. This is the part that really falls
into upgrade. I moved the users over one group at a time, starting with the
people who used the least amount of resources on the network. With each group
that I moved, I first logged on as a standard user in that group and took
careful note of the environment, mainly the printers he or she used, the PATH,
and what network resources he or she had access to (most importantly, which ones
the user actually needed access to).
</p><p>
I then added the user's SambaSamAccount information as mentioned earlier,
and joined the computer to the domain. The very first thing I had to do was to
copy the user's profile to the new server. This was very important, and I really
struggled with the most effective way to do it. Here is the method that worked
for every one of my users on Windows NT, 2000, and XP:
1154
</p><div class="procedure"><ol type="1"><li><p>
Log in as the user on the domain. This creates the local copy
of the user's profile and copies it to the server as he or she logs out.
</p></li><li><p>
Reboot the computer and log in as the local machine administrator.
</p></li><li><p>
Right-click My Computer, click Properties, and navigate to the
user profiles tab (varies per version of Windows).
</p></li><li><p>
Select the user's local profile <code class="constant">(COMPUTERNAME\username)</code>,
and click the <code class="literal">Copy To</code> button.
</p></li><li><p>
In the next dialog, copy it directly to the profiles share on the
Samba server (in my case \\PDCname\profiles\user\&lt;architecture&gt;).
You will have had to make a connection to the share as that
user (e.g., in Windows Explorer type \\PDCname\profiles\username).
</p></li><li><p>
When the copy is complete (it can take a while) log out, and log back in
as the user. All of his or her settings and all contents of My Documents,
Favorites, and the registry should have been copied successfully.
</p></li><li><p>
If it doesn't look right (the dead giveaway is the desktop background),
shut down the computer without logging out (power cycle) and try logging
in as the user again. If it still doesn't work, repeat the steps above.
I only had to ever repeat it once.
</p></li></ol></div><p>
1181
</p><div class="itemizedlist"><ul type="disc"><li><p>
If the user was anything other than a standard user on his or her system
before, you will save yourself some headaches by giving him or her identical
permissions (on the local machine) as his or her domain account <span class="emphasis"><em>before</em></span>
copying the profile over. Do this through the User Administrator
in the Control Panel, after joining the computer to the domain and
before logging on as that user for the first time. Otherwise the user will
have trouble with permissions on his or her registry keys.
</p></li><li><p>
If any application was installed for the user only, rather than for
the entire system, it will probably not work without being reinstalled.
</p></li></ul></div><p>
1193
After all these steps are accomplished, only cleanup details are left. Make sure the user's
shortcuts and Network Places point to the appropriate place on the new server, check
the important applications to be sure they work as expected and troubleshoot any problems
that might arise, and check to be sure the user's printers are present and working. By the
way, if there are any network printers installed as system printers (the Novell way),
you will need to log in as a local administrator and delete them.
</p><p>
For my non-laptop systems, I would then log in and out a couple times as the user
to be sure that his or her registry settings were modified, and then I was finished.
</p><p>
Some compatibility issues that cropped up included the following:
</p><p>
Blackberry client: It did not like having its registry settings moved around
and so had to be reinstalled. Also, it needed write permissions to a portion of
the hard drive, and I had to give it those manually on the one system where
</p><p>
CAMedia: Digital camera software for Canon cameras caused all kinds of trouble
with the registry. I had to use the Run as service to open the registry of
the local user while logged in as the domain user, and give the domain user
the appropriate permissions to some registry keys, then export that portion
of the registry to a file. Then, as the domain user, I had to import that file
</p><p>
Crystal Reports version 7: More registry problems that were solved by recopying
</p><p>
Printing from legacy applications: I found out that Novell sends its jobs to
the printer in a raw format. CUPS sends them in PostScript by default. I had
to make a second printer definition for one printer and tell CUPS specifically
to send raw data to the printer, then assign this printer to the LPT port with
Kixtart's version of the net use command.
</p><p>
These were all eventually solved by elbow grease, queries to the Samba mailing
list and others, and diligence. The complete migration took about 5 weeks.
My userbase is relatively small but includes multiple versions of Windows,
multiple Linux member servers, a mechanized saw, a pen plotter, and legacy
applications written in Qbasic and R:Base, just to name a few. I actually
ended up making some of these applications work better (or work again, as
some of them had stopped functioning on the old server) because as part of
the process I had to find out how things were supposed to work.
</p><p>
The one thing I have not been able to get working is a very old database that
we had around for reference purposes; it uses Novell's Btrieve engine.
</p><p>
As the resources compare, I went from 95 percent disk usage to just around 10 percent.
I went from a very high load on the server to an average load of between one
and two runnable processes on the server. I have improved the security and
robustness of the system. I have also implemented
<a class="ulink" href="http://www.clamav.net" target="_top">ClamAV</a> antivirus software,
which scans the entire Samba server for viruses every 2 hours and
quarantines them. I have found it much less problematic than our ancient
version of Norton Antivirus Corporate Edition, and much more up-to-date.
</p><p>
In short, my users are much happier now that the new server is running, and that
is what is important to me.
1249
</p></div></div></div></div></body></html>