--- /dev/null
+<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 9. Migrating NT4 Domain to Samba-3</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.68.1"><link rel="start" href="index.html" title="Samba-3 by Example"><link rel="up" href="DMSMig.html" title="Part II. Domain Members, Updating Samba and Migration"><link rel="prev" href="upgrades.html" title="Chapter 8. Updating Samba-3"><link rel="next" href="nw4migration.html" title="Chapter 10. Migrating NetWare Server to Samba-3"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 9. Migrating NT4 Domain to Samba-3</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="upgrades.html">Prev</a> </td><th width="60%" align="center">Part II. Domain Members, Updating Samba and Migration</th><td width="20%" align="right"> <a accesskey="n" href="nw4migration.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="ntmigration"></a>Chapter 9. Migrating NT4 Domain to Samba-3</h2></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="ntmigration.html#id2569410">Introduction</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id2569495">Assignment Tasks</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id2569550">Dissection and Discussion</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id2569721">Technical Issues</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id2570044">Political Issues</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id2570070">Implementation</a></span></dt><dd><dl><dt><span class="sect2"><a href="ntmigration.html#id2570211">NT4 Migration Using LDAP Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id2572803">NT4 Migration Using tdbsam Backend</a></span></dt><dt><span class="sect2"><a href="ntmigration.html#id2573196">Key Points Learned</a></span></dt></dl></dd><dt><span class="sect1"><a href="ntmigration.html#id2573235">Questions and Answers</a></span></dt></dl></div><p>
+ Ever since Microsoft announced that it was discontinuing support for Windows
+ NT4, Samba users started to ask for detailed instructions on how to migrate
+ from NT4 to Samba-3. This chapter provides background information that should
+ meet these needs.
+ </p><p>
+ One wonders how many NT4 systems will be left in service by the time you read this
+ book though.
+ </p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2569410"></a>Introduction</h2></div></div></div><p><a class="indexterm" name="id2569416"></a>
+ Network administrators who want to migrate off a Windows NT4 environment know
+ one thing with certainty. They feel that NT4 has been abandoned, and they want
+ to update. The desire to get off NT4 and to not adopt Windows 200x and Active
+ Directory is driven by a mixture of concerns over complexity, cost, fear of
+ failure, and much more.
+ </p><p>
+ <a class="indexterm" name="id2569434"></a>
+ <a class="indexterm" name="id2569441"></a>
+ <a class="indexterm" name="id2569450"></a>
+ <a class="indexterm" name="id2569460"></a>
+ The migration from NT4 to Samba-3 can involve a number of factors, including
+ migration of data to another server, migration of network environment controls
+ such as group policies, and migration of the users, groups, and machine
+ accounts.
+ </p><p>
+ <a class="indexterm" name="id2569476"></a>
+ It should be pointed out now that it is possible to migrate some systems from
+ a Windows NT4 domain environment to a Samba-3 domain environment. This is certainly
+ not possible in every case. It is possible to just migrate the domain accounts
+ to Samba-3 and then to switch machines, but as a hands-off transition, this is more
+ the exception than the rule. Most systems require some tweaking after
+ migration before an environment that is acceptable for immediate use
+ is obtained.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2569495"></a>Assignment Tasks</h3></div></div></div><p>
+ <a class="indexterm" name="id2569503"></a>
+ <a class="indexterm" name="id2569509"></a>
+ <a class="indexterm" name="id2569516"></a>
+ You are about to migrate an MS Windows NT4 domain accounts database to
+ a Samba-3 server. The Samba-3 server is using a
+ <em class="parameter"><code>passdb backend</code></em> based on LDAP. The
+ <code class="constant">ldapsam</code> is ideal because an LDAP backend can be distributed
+ for use with BDCs generally essential for larger networks.
+ </p><p>
+ Your objective is to document the process of migrating user and group accounts
+ from several NT4 domains into a single Samba-3 LDAP backend database.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2569550"></a>Dissection and Discussion</h2></div></div></div><p>
+ <a class="indexterm" name="id2569557"></a>
+ <a class="indexterm" name="id2569564"></a>
+ <a class="indexterm" name="id2569571"></a>
+ <a class="indexterm" name="id2569582"></a>
+ <a class="indexterm" name="id2569594"></a>
+ <a class="indexterm" name="id2569600"></a>
+ The migration process takes a snapshot of information that is stored in the
+ Windows NT4 registry-based accounts database. That information resides in
+ the Security Account Manager (SAM) portion of the NT4 registry under keys called
+ <code class="constant">SAM</code> and <code class="constant">SECURITY</code>.
+ </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+ <a class="indexterm" name="id2569625"></a>
+ <a class="indexterm" name="id2569632"></a>
+ The Windows NT4 registry keys called <code class="constant">SAM</code> and <code class="constant">SECURITY</code>
+ are protected so that you cannot view the contents. If you change the security setting
+ to reveal the contents under these hive keys, your Windows NT4 domain is crippled. Do not
+ do this unless you are willing to render your domain controller inoperative.
+ </p></div><p>
+ <a class="indexterm" name="id2569654"></a>
+ <a class="indexterm" name="id2569663"></a>
+ Before commencing an NT4 to Samba-3 migration, you should consider what your objectives are.
+ While in some cases it is possible simply to migrate an NT4 domain to a single Samba-3 server,
+ that may not be a good idea from an administration perspective. Since the process involves going
+ through a certain amount of disruptive activity anyhow, why not take this opportunity to
+ review the structure of the network, how Windows clients are controlled and how they
+ interact with the network environment.
+ </p><p>
+ <a class="indexterm" name="id2569681"></a>
+ <a class="indexterm" name="id2569691"></a>
+ <a class="indexterm" name="id2569698"></a>
+ MS Windows NT4 was introduced some time around 1996. Many environments in which NT4 was deployed
+ have done little to keep the NT4 server environment up to date with more recent Windows releases,
+ particularly Windows XP Professional. The migration provides opportunity to revise and update
+ roaming profile deployment as well as folder redirection. Given that you must port the
+ greater network configuration of this from the old NT4 server to the new Samba-3 server.
+ Do not forget to validate the security descriptors in the profiles share as well as network logon
+ scripts. Feedback from sites that are migrating to Samba-3 suggests that many are using this
+ as a good time to update desktop systems also. In all, the extra effort should constitute no
+ real disruption to users, but rather, with due diligence and care, should make their network experience
+ a much happier one.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2569721"></a>Technical Issues</h3></div></div></div><p>
+ <a class="indexterm" name="id2569729"></a>
+ <a class="indexterm" name="id2569735"></a>
+ Migration of an NT4 domain user and group database to Samba-3 involves a certain strategic
+ element. Many sites have asked for instructions regarding merging of multiple NT4
+ domains into one Samba-3 LDAP database. It seems that this is viewed as a significant
+ added value compared with the alternative of migration to Windows Server 200x and Active
+ Directory. The diagram in <a href="ntmigration.html#ch8-migration" title="Figure 9.1. Schematic Explaining the net rpc vampire Process">???</a> illustrates the effect of migration
+ from a Windows NT4 domain to a Samba domain.
+ </p><div class="figure"><a name="ch8-migration"></a><p class="title"><b>Figure 9.1. Schematic Explaining the <span>net rpc vampire</span> Process</b></p><div class="mediaobject"><img src="images/ch8-migration.png" width="297" alt="Schematic Explaining the net rpc vampire Process"></div></div><p>
+ <a class="indexterm" name="id2569809"></a>
+ <a class="indexterm" name="id2569815"></a>
+ If you want to merge multiple NT4 domain account databases into one Samba domain,
+ you must now dump the contents of the first migration and edit it as appropriate. Now clean
+ out (remove) the tdbsam backend file (<code class="filename">passdb.tdb</code>) or the LDAP database
+ files. You must start each migration with a new database into which you merge your NT4
+ domains.
+ </p><p><a class="indexterm" name="id2569836"></a>
+ At this point, you are ready to perform the second migration, following the same steps as
+ for the first. In other words, dump the database, edit it, and then you may merge the
+ dump for the first and second migrations.
+ </p><p><a class="indexterm" name="id2569851"></a><a class="indexterm" name="id2569859"></a><a class="indexterm" name="id2569867"></a>
+ You must be careful. If you choose to migrate to an LDAP backend, your dump file
+ now contains the full account information, including the domain SID. The domain SID for each
+ of the two NT4 domains will be different. You must choose one and change the domain
+ portion of the account SIDs so that all are the same.
+ </p><p>
+ <a class="indexterm" name="id2569884"></a>
+ <a class="indexterm" name="id2569891"></a>
+ <a class="indexterm" name="id2569898"></a>
+ <a class="indexterm" name="id2569905"></a>
+ <a class="indexterm" name="id2569912"></a>
+ <a class="indexterm" name="id2569918"></a>
+ <a class="indexterm" name="id2569925"></a>
+ <a class="indexterm" name="id2569932"></a>
+ <a class="indexterm" name="id2569939"></a>
+ <a class="indexterm" name="id2569946"></a>
+ <a class="indexterm" name="id2569953"></a>
+ <a class="indexterm" name="id2569960"></a>
+ If you choose to use a tdbsam (<code class="filename">passdb.tdb</code>) backend file, your best choice
+ is to use <span><strong class="command">pdbedit</strong></span> to export the contents of the tdbsam file into an
+ smbpasswd data file. This automatically strips out all domain-specific information,
+ such as logon hours, logon machines, logon script, profile path, as well as the domain SID.
+ The resulting file can be easily merged with other migration attempts (each of which must start
+ with a clean file). It should also be noted that all users who end up in the merged smbpasswd
+ file must have an account in <code class="filename">/etc/passwd</code>. The resulting smbpasswd file
+ may be exported or imported into either a tdbsam (<code class="filename">passdb.tdb</code>) or
+ an LDAP backend.
+ </p><div class="figure"><a name="NT4DUM"></a><p class="title"><b>Figure 9.2. View of Accounts in NT4 Domain User Manager</b></p><div class="mediaobject"><img src="images/UserMgrNT4.png" width="270" alt="View of Accounts in NT4 Domain User Manager"></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2570044"></a>Political Issues</h3></div></div></div><p>
+ The merging of multiple Windows NT4-style domains into a single LDAP-backend-based Samba-3
+ domain may be seen by those who had power over them as a loss of prestige or a loss of
+ power. The imposition of a single domain may even be seen as a threat. So in migrating and
+ merging account databases, be consciously aware of the political fall-out in which you
+ may find yourself entangled when key staff feel a loss of prestige.
+ </p><p>
+ The best advice that can be given to those who set out to merge NT4 domains into a single
+ Samba-3 domain is to promote (sell) the action as one that reduces costs and delivers
+ greater network interoperability and manageability.
+ </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2570070"></a>Implementation</h2></div></div></div><p>
+ From feedback on the Samba mailing lists, it seems that most Windows NT4 migrations
+ to Samba-3 are being performed using a new server or a new installation of a Linux or UNIX
+ server. If you contemplate doing this, please note that the steps that follow in this
+ chapter assume familiarity with the information that has been previously covered in this
+ book. You are particularly encouraged to be familiar with <a href="secure.html" title="Chapter 3. Secure Office Networking">???</a>,
+ <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a> and <a href="happy.html" title="Chapter 5. Making Happy Users">???</a>.
+ </p><p>
+ We present here the steps and example output for two NT4 to Samba-3 domain migrations. The
+ first uses an LDAP-based backend, and the second uses a tdbsam backend. In each case the
+ scripts you specify in the <code class="filename">smb.conf</code> file for the <em class="parameter"><code>add user script</code></em>
+ collection of parameters are used to effect the addition of accounts into the passdb backend.
+ </p><p>
+ Before proceeding to NT4 migration using either a tdbsam or ldapsam, it is most strongly recommended to
+ review <a href="Big500users.html#ch5-dnshcp-setup" title="Installation of DHCP, DNS, and Samba Control Files">???</a> for DNS and DHCP configuration. The importance of correctly
+ functioning name resolution must be recognized. This applies equally for both hostname and NetBIOS names
+ (machine names, computer names, domain names, workgroup names ALL names!).
+ </p><p>
+ The migration process involves the following steps:
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ Prepare the target Samba-3 server. This involves configuring Samba-3 for
+ migration to either a tdbsam or an ldapsam backend.
+ </p></li><li><p>
+ <a class="indexterm" name="id2570157"></a>
+ <a class="indexterm" name="id2570163"></a>
+ <a class="indexterm" name="id2570170"></a>
+ Clean up the source NT4 PDC. Delete all accounts that need not be migrated.
+ Delete all files that should not be migrated. Where possible, change NT group
+ names so there are no spaces or uppercase characters. This is important if
+ the target UNIX host insists on POSIX-compliant all lowercase user and group
+ names.
+ </p></li><li><p>
+ Step through the migration process.
+ </p></li><li><p><a class="indexterm" name="id2570191"></a>
+ Remove the NT4 PDC from the network.
+ </p></li><li><p>
+ Upgrade the Samba-3 server from a BDC to a PDC, and validate all account
+ information.
+ </p></li></ul></div><p>
+ It may help to use the above outline as a pre-migration checklist.
+ </p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2570211"></a>NT4 Migration Using LDAP Backend</h3></div></div></div><p>
+ In this example, the migration is of an NT4 PDC to a Samba-3 PDC with an LDAP backend. The accounts about
+ to be migrated are shown in <a href="ntmigration.html#NT4DUM" title="Figure 9.2. View of Accounts in NT4 Domain User Manager">???</a>. In this example use is made of the
+ smbldap-tools scripts to add the accounts that are migrated into the ldapsam passdb backend.
+ Four scripts are essential to the migration process. Other scripts will be required
+ for daily management, but these are not critical to migration. The critical scripts are dependant
+ on which passdb backend is being used. Refer to <a href="ntmigration.html#ch8-vampire" title="Table 9.1. Samba smb.conf Scripts Essential to Samba Operation">???</a> to see which scripts
+ must be provided so that the migration process can complete.
+ </p><p>
+ Verify that you have correctly specified in the <code class="filename">smb.conf</code> file the scripts and arguments
+ that should be passed to them before attempting to perform the account migration. Note also
+ that the deletion scripts must be commented out during migration. These should be uncommented
+ following successful migration of the NT4 Domain accounts.
+ </p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>
+ Under absolutely no circumstances should the Samba daemons be started until instructed to do so.
+ Delete the <code class="filename">/etc/samba/secrets.tdb</code> file and all Samba control tdb files
+ before commencing the following configuration steps.
+ </p></div><div class="table"><a name="ch8-vampire"></a><p class="title"><b>Table 9.1. Samba <code class="filename">smb.conf</code> Scripts Essential to Samba Operation</b></p><table summary="Samba smb.conf Scripts Essential to Samba Operation" border="1"><colgroup><col align="left"><col align="center"><col align="center"></colgroup><thead><tr><th align="left">Entity</th><th align="center">ldapsam Script</th><th align="center">tdbsam Script</th></tr></thead><tbody><tr><td align="left">Add User Accounts</td><td align="center">smbldap-useradd</td><td align="center">useradd</td></tr><tr><td align="left">Delete User Accounts</td><td align="center">smbldap-userdel</td><td align="center">userdel</td></tr><tr><td align="left">Add Group Accounts</td><td align="center">smbldap-groupadd</td><td align="center">groupadd</td></tr><tr><td align="left">Delete Group Accounts</td><td align="center">smbldap-groupdel</td><td align="center">groupdel</td></tr><tr><td align="left">Add User to Group</td><td align="center">smbldap-groupmod</td><td align="center">usermod (See Note)</td></tr><tr><td align="left">Add Machine Accounts</td><td align="center">smbldap-useradd</td><td align="center">useradd</td></tr></tbody></table></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id2570413"></a>
+ <a class="indexterm" name="id2570420"></a>
+ <a class="indexterm" name="id2570427"></a>
+ The UNIX/Linux <span><strong class="command">usermod</strong></span> utility does not permit simple user addition to (or deletion
+ of users from) groups. This is a feature provided by the smbldap-tools scripts. If you want this
+ capability, you must create your own tool to do this. Alternately, you can search the Web
+ to locate a utility called <span><strong class="command">groupmem</strong></span> (by George Kraft) that provides this functionality.
+ The <span><strong class="command">groupmem</strong></span> utility was contributed to the shadow package but has not surfaced
+ in the formal commands provided by Linux distributions (March 2004).
+ </p></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
+ <a class="indexterm" name="id2570464"></a>
+ The <span><strong class="command">tdbdump</strong></span> utility is a utility that you can build from the Samba source-code tree. Not all Linux binary distributions include this tool. If it is missing from your
+ Linux distribution, you will need to build this yourself or else forgo its use.
+ </p></div><p>
+ <a class="indexterm" name="id2570484"></a>
+ Before starting the migration, all dead accounts were removed from the NT4 domain using the User Manager for Domains.
+ </p><div class="procedure"><a name="id2570494"></a><p class="title"><b>Procedure 9.1. User Migration Steps</b></p><div class="example"><a name="sbent4smb"></a><p class="title"><b>Example 9.1. NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: A</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2570555"></a><em class="parameter"><code>workgroup = DAMNATION</code></em></td></tr><tr><td><a class="indexterm" name="id2570568"></a><em class="parameter"><code>netbios name = MERLIN</code></em></td></tr><tr><td><a class="indexterm" name="id2570580"></a><em class="parameter"><code>passdb backend = ldapsam:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id2570594"></a><em class="parameter"><code>log level = 1</code></em></td></tr><tr><td><a class="indexterm" name="id2570606"></a><em class="parameter"><code>syslog = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2570619"></a><em class="parameter"><code>log file = /var/log/samba/%m</code></em></td></tr><tr><td><a class="indexterm" name="id2570632"></a><em class="parameter"><code>max log size = 0</code></em></td></tr><tr><td><a class="indexterm" name="id2570645"></a><em class="parameter"><code>smb ports = 139 445</code></em></td></tr><tr><td><a class="indexterm" name="id2570657"></a><em class="parameter"><code>name resolve order = wins bcast hosts</code></em></td></tr><tr><td><a class="indexterm" name="id2570670"></a><em class="parameter"><code>add user script = /opt/IDEALX/sbin/smbldap-useradd -m '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2570684"></a><em class="parameter"><code>#delete user script = /opt/IDEALX/sbin/smbldap-userdel '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2570697"></a><em class="parameter"><code>add group script = /opt/IDEALX/sbin/smbldap-groupadd '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2570711"></a><em class="parameter"><code>#delete group script = /opt/IDEALX/sbin/smbldap-groupdel '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2570725"></a><em class="parameter"><code>add user to group script = /opt/IDEALX/sbin/ smbldap-groupmod -m '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2570738"></a><em class="parameter"><code>#delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x '%u' '%g'</code></em></td></tr><tr><td><a class="indexterm" name="id2570753"></a><em class="parameter"><code>set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g '%g' '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2570766"></a><em class="parameter"><code>add machine script = /opt/IDEALX/sbin/smbldap-useradd -w '%u'</code></em></td></tr><tr><td><a class="indexterm" name="id2570780"></a><em class="parameter"><code>logon script = scripts\logon.cmd</code></em></td></tr><tr><td><a class="indexterm" name="id2570793"></a><em class="parameter"><code>logon path = \\%L\profiles\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2570806"></a><em class="parameter"><code>logon home = \\%L\%U</code></em></td></tr><tr><td><a class="indexterm" name="id2570819"></a><em class="parameter"><code>logon drive = X:</code></em></td></tr><tr><td><a class="indexterm" name="id2570832"></a><em class="parameter"><code>domain logons = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2570844"></a><em class="parameter"><code>domain master = No</code></em></td></tr><tr><td><a class="indexterm" name="id2570857"></a><em class="parameter"><code>#wins support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2570870"></a><em class="parameter"><code>wins server = 192.168.123.124</code></em></td></tr><tr><td><a class="indexterm" name="id2570883"></a><em class="parameter"><code>ldap admin dn = cn=Manager,dc=terpstra-world,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id2570896"></a><em class="parameter"><code>ldap group suffix = ou=Groups</code></em></td></tr><tr><td><a class="indexterm" name="id2570909"></a><em class="parameter"><code>ldap idmap suffix = ou=Idmap</code></em></td></tr><tr><td><a class="indexterm" name="id2570922"></a><em class="parameter"><code>ldap machine suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2570935"></a><em class="parameter"><code>ldap passwd sync = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2570948"></a><em class="parameter"><code>ldap suffix = dc=terpstra-world,dc=org</code></em></td></tr><tr><td><a class="indexterm" name="id2570961"></a><em class="parameter"><code>ldap ssl = no</code></em></td></tr><tr><td><a class="indexterm" name="id2570974"></a><em class="parameter"><code>ldap timeout = 20</code></em></td></tr><tr><td><a class="indexterm" name="id2570987"></a><em class="parameter"><code>ldap user suffix = ou=People</code></em></td></tr><tr><td><a class="indexterm" name="id2571000"></a><em class="parameter"><code>idmap backend = ldap:ldap://localhost</code></em></td></tr><tr><td><a class="indexterm" name="id2571013"></a><em class="parameter"><code>idmap uid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2571026"></a><em class="parameter"><code>idmap gid = 15000-20000</code></em></td></tr><tr><td><a class="indexterm" name="id2571039"></a><em class="parameter"><code>winbind nested groups = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2571052"></a><em class="parameter"><code>ea support = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2571064"></a><em class="parameter"><code>map acl inherit = Yes</code></em></td></tr></table></div><div class="example"><a name="sbent4smb2"></a><p class="title"><b>Example 9.2. NT4 Migration Samba-3 Server <code class="filename">smb.conf</code> Part: B</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[apps]</code></em></td></tr><tr><td><a class="indexterm" name="id2571111"></a><em class="parameter"><code>comment = Application Data</code></em></td></tr><tr><td><a class="indexterm" name="id2571124"></a><em class="parameter"><code>path = /data/home/apps</code></em></td></tr><tr><td><a class="indexterm" name="id2571136"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[homes]</code></em></td></tr><tr><td><a class="indexterm" name="id2571158"></a><em class="parameter"><code>comment = Home Directories</code></em></td></tr><tr><td><a class="indexterm" name="id2571171"></a><em class="parameter"><code>path = /home/users/%U/Documents</code></em></td></tr><tr><td><a class="indexterm" name="id2571184"></a><em class="parameter"><code>valid users = %S</code></em></td></tr><tr><td><a class="indexterm" name="id2571196"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2571209"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[printers]</code></em></td></tr><tr><td><a class="indexterm" name="id2571231"></a><em class="parameter"><code>comment = SMB Print Spool</code></em></td></tr><tr><td><a class="indexterm" name="id2571244"></a><em class="parameter"><code>path = /var/spool/samba</code></em></td></tr><tr><td><a class="indexterm" name="id2571256"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2571269"></a><em class="parameter"><code>printable = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2571282"></a><em class="parameter"><code>use client driver = No</code></em></td></tr><tr><td><a class="indexterm" name="id2571295"></a><em class="parameter"><code>browseable = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[netlogon]</code></em></td></tr><tr><td><a class="indexterm" name="id2571316"></a><em class="parameter"><code>comment = Network Logon Service</code></em></td></tr><tr><td><a class="indexterm" name="id2571329"></a><em class="parameter"><code>path = /var/lib/samba/netlogon</code></em></td></tr><tr><td><a class="indexterm" name="id2571342"></a><em class="parameter"><code>guest ok = Yes</code></em></td></tr><tr><td><a class="indexterm" name="id2571355"></a><em class="parameter"><code>locking = No</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profiles]</code></em></td></tr><tr><td><a class="indexterm" name="id2571376"></a><em class="parameter"><code>comment = Profile Share</code></em></td></tr><tr><td><a class="indexterm" name="id2571389"></a><em class="parameter"><code>path = /var/lib/samba/profiles</code></em></td></tr><tr><td><a class="indexterm" name="id2571402"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2571415"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[profdata]</code></em></td></tr><tr><td><a class="indexterm" name="id2571436"></a><em class="parameter"><code>comment = Profile Data Share</code></em></td></tr><tr><td><a class="indexterm" name="id2571449"></a><em class="parameter"><code>path = /var/lib/samba/profdata</code></em></td></tr><tr><td><a class="indexterm" name="id2571462"></a><em class="parameter"><code>read only = No</code></em></td></tr><tr><td><a class="indexterm" name="id2571475"></a><em class="parameter"><code>profile acls = Yes</code></em></td></tr><tr><td> </td></tr><tr><td><em class="parameter"><code>[print$]</code></em></td></tr><tr><td><a class="indexterm" name="id2571497"></a><em class="parameter"><code>comment = Printer Drivers</code></em></td></tr><tr><td><a class="indexterm" name="id2571510"></a><em class="parameter"><code>path = /var/lib/samba/drivers</code></em></td></tr></table></div><div class="example"><a name="sbentslapd"></a><p class="title"><b>Example 9.3. NT4 Migration LDAP Server Configuration File: <code class="filename">/etc/openldap/slapd.conf</code> Part A</b></p><pre class="screen">
+include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba3.schema
+
+pidfile /var/run/slapd/slapd.pid
+argsfile /var/run/slapd/slapd.args
+
+access to dn.base=""
+ by self write
+ by * auth
+
+access to attr=userPassword
+ by self write
+ by * auth
+
+access to attr=shadowLastChange
+ by self write
+ by * read
+
+access to *
+ by * read
+ by anonymous auth
+</pre></div><div class="example"><a name="sbentslapd2"></a><p class="title"><b>Example 9.4. NT4 Migration LDAP Server Configuration File: <code class="filename">/etc/openldap/slapd.conf</code> Part B</b></p><pre class="screen">
+#loglevel 256
+
+#schemacheck on
+idletimeout 30
+#backend bdb
+database bdb
+checkpoint 1024 5
+cachesize 10000
+
+suffix "dc=terpstra-world,dc=org"
+rootdn "cn=Manager,dc=terpstra-world,dc=org"
+
+# rootpw = not24get
+rootpw {SSHA}86kTavd9Dw3FAz6qzWTrCOKX/c0Qe+UV
+
+directory /var/lib/ldap
+
+# Indices to maintain
+index objectClass eq
+index cn pres,sub,eq
+index sn pres,sub,eq
+index uid pres,sub,eq
+index displayName pres,sub,eq
+index uidNumber eq
+index gidNumber eq
+index memberUID eq
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index default sub
+</pre></div><div class="example"><a name="sbrntldapconf"></a><p class="title"><b>Example 9.5. NT4 Migration NSS LDAP File: <code class="filename">/etc/ldap.conf</code></b></p><pre class="screen">
+host 127.0.0.1
+
+base dc=terpstra-world,dc=org
+
+ldap_version 3
+
+binddn cn=Manager,dc=terpstra-world,dc=org
+bindpw not24get
+
+pam_password exop
+
+nss_base_passwd ou=People,dc=terpstra-world,dc=org?one
+nss_base_shadow ou=People,dc=terpstra-world,dc=org?one
+nss_base_group ou=Groups,dc=terpstra-world,dc=org?one
+
+ssl off
+</pre></div><div class="example"><a name="sbentnss"></a><p class="title"><b>Example 9.6. NT4 Migration NSS Control File: <code class="filename">/etc/nsswitch.conf</code> (Stage:1)</b></p><pre class="screen">
+passwd: files #ldap
+shadow: files #ldap
+group: files #ldap
+
+hosts: files dns wins
+networks: files dns
+
+services: files
+protocols: files
+rpc: files
+ethers: files
+netmasks: files
+netgroup: files
+publickey: files
+
+bootparams: files
+automount: files nis
+aliases: files
+#passwd_compat: ldap #Not needed.
+#group_compat: ldap #Not needed.
+</pre></div><div class="example"><a name="sbentnss2"></a><p class="title"><b>Example 9.7. NT4 Migration NSS Control File: <code class="filename">/etc/nsswitch.conf</code> (Stage:2)</b></p><pre class="screen">
+passwd: files ldap
+shadow: files ldap
+group: files ldap
+
+hosts: files dns wins
+networks: files dns
+
+services: files
+protocols: files
+rpc: files
+ethers: files
+netmasks: files
+netgroup: files
+publickey: files
+
+bootparams: files
+automount: files nis
+aliases: files
+#passwd_compat: ldap #Not needed.
+#group_compat: ldap #Not needed.
+</pre></div><ol type="1"><li><p>
+ Configure the Samba <code class="filename">smb.conf</code> file to create a BDC. An example configuration is
+ given in <a href="ntmigration.html#sbent4smb" title="Example 9.1. NT4 Migration Samba-3 Server smb.conf Part: A">???</a>.
+ The delete scripts are commented out so that during the process of migration
+ no account information can be deleted.
+ </p></li><li><p>
+ <a class="indexterm" name="id2571529"></a>
+ Configure OpenLDAP in preparation for the migration. An example
+ <code class="filename">sladp.conf</code> file is shown in <a href="ntmigration.html#sbentslapd" title="Example 9.3. NT4 Migration LDAP Server Configuration File: /etc/openldap/slapd.conf Part A">???</a>.
+ The <code class="constant">rootpw</code> value is an encrypted password string that can
+ be obtained by executing the <span><strong class="command">slappasswd</strong></span> command.
+ </p></li><li><p>
+ <a class="indexterm" name="id2571643"></a>
+ <a class="indexterm" name="id2571649"></a>
+ Install the PADL <span><strong class="command">nss_ldap</strong></span> tool set, then configure the <code class="filename">/etc/ldap.conf</code>
+ as shown in <a href="ntmigration.html#sbrntldapconf" title="Example 9.5. NT4 Migration NSS LDAP File: /etc/ldap.conf">???</a>.
+ </p></li><li><p>
+ <a class="indexterm" name="id2571710"></a>
+ Edit the <code class="filename">/etc/nsswitch.conf</code> file so it has the entries shown
+ in <a href="ntmigration.html#sbentnss" title="Example 9.6. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:1)">???</a>. Note that the LDAP entries have been commented out.
+ This is deliberate. If these entries are active (not commented out), and the
+ <code class="filename">/etc/ldap.conf</code> file has been configured, when the LDAP server
+ is started, the process of starting the LDAP server will cause LDAP lookups. This
+ causes the LDAP server <span><strong class="command">slapd</strong></span> to hang because it finds port 389
+ open and therefore cannot gain exclusive control of it. By commenting these entries
+ out, it is possible to avoid this gridlock situation and thus the overall
+ installation and configuration will progress more smoothly.
+ </p></li><li><p>
+ Validate the the target NT4 PDC name is being correctly resolved to its IP address by
+ executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> ping transgression
+PING transgression.terpstra-world.org (192.168.1.5) 56(84) bytes of data.
+64 bytes from (192.168.1.5): icmp_seq=1 ttl=128 time=0.159 ms
+64 bytes from (192.168.1.5): icmp_seq=2 ttl=128 time=0.192 ms
+64 bytes from (192.168.1.5): icmp_seq=3 ttl=128 time=0.141 ms
+
+--- transgression.terpstra-world.org ping statistics ---
+3 packets transmitted, 3 received, 0% packet loss, time 2000ms
+rtt min/avg/max/mdev = 0.141/0.164/0.192/0.021 ms
+</pre><p>
+ Do not proceed to the next step if this step fails. It is imperative that the name of the PDC
+ can be resolved to its IP address. If this is broken, fix it.
+ </p></li><li><p>
+ Pull the domain SID from the NT4 domain that is being migrated as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc getsid -S TRANGRESSION -U Administrator%not24get
+Storing SID S-1-5-21-1385457007-882775198-1210191635 \
+ for Domain DAMNATION in secrets.tdb
+</pre><p>
+ </p><p>
+ Another way to obtain the domain SID from the target NT4 domain that is being
+ migrated to Samba-3 is by executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc info -S TRANSGRESSION
+</pre><p>
+ If this method is used, do not forget to store the SID obtained into the
+ <code class="filename">secrets.tdb</code> file. This can be done by executing:
+</p><pre class="screen">
+<code class="prompt">root# </code> net setlocalsid S-1-5-21-1385457007-882775198-1210191635
+</pre><p>
+ </p></li><li><p>
+ <a class="indexterm" name="id2571880"></a>
+ <a class="indexterm" name="id2571886"></a>
+ <a class="indexterm" name="id2571893"></a>
+ <a class="indexterm" name="id2571900"></a>
+ Install the Idealx <span><strong class="command">smbldap-tools</strong></span> software package, following
+ the instructions given in <a href="happy.html#sbeidealx" title="Install and Configure Idealx smbldap-tools Scripts">???</a>. The resulting perl scripts
+ should be located in the <code class="filename">/opt/IDEALX/sbin</code> directory.
+ Change into that location, or wherever the scripts have been installed. Execute the
+ <code class="filename">configure.pl</code> script to configure the Idealx package for use.
+ Note: Use the domain SID obtained from the step above. The following is
+ an example configuration session:
+</p><pre class="screen">
+<code class="prompt">root# </code> ./configure.pl
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+ smbldap-tools script configuration
+ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Before starting, check
+ . if your samba controller is up and running.
+ . if the domain SID is defined
+ (you can get it with the 'net getlocalsid')
+
+ . you can leave the configuration using the Crtl-c key combination
+ . empty value can be set with the "." character
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Looking for configuration files...
+
+Samba Config File Location [/etc/samba/smb.conf] >
+smbldap Config file Location (global parameters)
+ [/etc/smbldap-tools/smbldap.conf] >
+smbldap Config file Location (bind parameters)
+ [/etc/smbldap-tools/smbldap_bind.conf] >
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+Let's start configuring the smbldap-tools scripts ...
+
+. workgroup name: name of the domain Samba act as a PDC
+ workgroup name [DAMNATION] >
+. netbios name: netbios name of the samba controller
+ netbios name [MERLIN] >
+. logon drive: local path to which the home directory
+ will be connected (for NT Workstations). Ex: 'H:'
+ logon drive [X:] > H:
+. logon home: home directory location (for Win95/98 or NT Workstation)
+ (use %U as username) Ex:'\\MERLIN\home\%U'
+ logon home (leave blank if you don't want homeDirectory)
+ [\\MERLIN\home\%U] > \\%L\%U
+. logon path: directory where roaming profiles are stored.
+ Ex:'\\MERLIN\profiles\%U'
+ logon path (leave blank if you don't want roaming profile)
+ [\\MERLIN\profiles\%U] > \\%L\profiles\%U
+. home directory prefix (use %U as username) [/home/%U] >
+ /home/users/%U
+. default user netlogon script (use %U as username)
+ [%U.cmd] > scripts\logon.cmd
+ default password validation time (time in days) [45] > 180
+. ldap suffix [dc=terpstra-world,dc=org] >
+. ldap group suffix [ou=Groups] >
+. ldap user suffix [ou=People] >
+. ldap machine suffix [ou=People] >
+. Idmap suffix [ou=Idmap] >
+. sambaUnixIdPooldn: object where you want to store the next uidNumber
+ and gidNumber available for new users and groups
+ sambaUnixIdPooldn object (relative to ${suffix})
+ [sambaDomainName=DAMNATION] >
+. ldap master server:
+ IP address or DNS name of the master (writable) ldap server
+ ldap master server [] > 127.0.0.1
+. ldap master port [389] >
+. ldap master bind dn [cn=Manager,dc=terpstra-world,dc=org] >
+. ldap master bind password [] >
+. ldap slave server: IP address or DNS name of the slave ldap server:
+ can also be the master one
+ ldap slave server [] > 127.0.0.1
+. ldap slave port [389] >
+. ldap slave bind dn [cn=Manager,dc=terpstra-world,dc=org] >
+. ldap slave bind password [] >
+. ldap tls support (1/0) [0] >
+. SID for domain DAMNATION: SID of the domain
+ (can be obtained with 'net getlocalsid MERLIN')
+ SID for domain DAMNATION []
+ > S-1-5-21-1385457007-882775198-1210191635
+. unix password encryption: encryption used for unix passwords
+unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) [SSHA] > MD5
+. default user gidNumber [513] >
+. default computer gidNumber [515] >
+. default login shell [/bin/bash] >
+. default domain name to append to mail address [] >
+ terpstra-world.org
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+backup old configuration files:
+ /etc/smbldap-tools/smbldap.conf->
+ /etc/smbldap-tools/smbldap.conf.old
+ /etc/smbldap-tools/smbldap_bind.conf->
+ /etc/smbldap-tools/smbldap_bind.conf.old
+writing new configuration file:
+ /etc/smbldap-tools/smbldap.conf done.
+ /etc/smbldap-tools/smbldap_bind.conf done.
+</pre><p>
+ <a class="indexterm" name="id2572050"></a>
+ <a class="indexterm" name="id2572057"></a>
+ <a class="indexterm" name="id2572064"></a>
+ <a class="indexterm" name="id2572071"></a>
+ Note that the NT4 domain SID that was previously obtained was entered above. Also,
+ the sambaUnixIdPooldn object was specified as sambaDomainName=DAMNATION. This is
+ the location into which the Idealx smbldap-tools store the next available UID/GID
+ information. It is also where Samba stores domain specific information such as the
+ next RID, the SID, and so on. In older version of the smbldap-tools this information
+ was stored in the sambaUnixIdPooldn DIT location cn=NextFreeUnixId. Where smbldap-tools
+ are being upgraded to version 0.9.1 it is appropriate to update this to the new location
+ only if the directory information is also relocated.
+ </p></li><li><p>
+ Start the LDAP server using the system interface script. On Novell SLES9
+ this is done as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap start
+</pre><p>
+ </p></li><li><p>
+ Edit the <code class="filename">/etc/nsswitch.conf</code> file so it has the entries shown in
+ <a href="ntmigration.html#sbentnss2" title="Example 9.7. NT4 Migration NSS Control File: /etc/nsswitch.conf (Stage:2)">???</a>. Note that the LDAP entries have now been uncommented.
+ </p></li><li><p>
+ The LDAP management password must be installed into the <code class="filename">secrets.tdb</code>
+ file as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> smbpasswd -w not24get
+Setting stored password for
+ "cn=Manager,dc=terpstra-world,dc=org" in secrets.tdb
+</pre><p>
+ </p></li><li><p>
+ Populate the LDAP directory as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> /opt/IDEALX/sbin/smbldap-populate -a root -k 0 -m 0
+Using workgroup name from sambaUnixIdPooldn (smbldap.conf):
+ sambaDomainName=DAMNATION
+Using builtin directory structure
+adding new entry: dc=terpstra-world,dc=org
+adding new entry: ou=People,dc=terpstra-world,dc=org
+adding new entry: ou=Groups,dc=terpstra-world,dc=org
+entry ou=People,dc=terpstra-world,dc=org already exist.
+adding new entry: ou=Idmap,dc=terpstra-world,dc=org
+adding new entry: sambaDomainName=DAMNATION,dc=terpstra-world,dc=org
+adding new entry: uid=root,ou=People,dc=terpstra-world,dc=org
+adding new entry: uid=nobody,ou=People,dc=terpstra-world,dc=org
+adding new entry: cn=Domain Admins,ou=Groups,dc=terpstra-world,dc=org
+adding new entry: cn=Domain Users,ou=Groups,dc=terpstra-world,dc=org
+adding new entry: cn=Domain Guests,ou=Groups,dc=terpstra-world,dc=org
+adding new entry: cn=Domain Computers,ou=Groups,dc=terpstra-world,dc=org
+adding new entry: cn=Administrators,ou=Groups,dc=terpstra-world,dc=org
+adding new entry: cn=Print Operators,ou=Groups,dc=terpstra-world,dc=org
+adding new entry: cn=Backup Operators,ou=Groups,dc=terpstra-world,dc=org
+adding new entry: cn=Replicators,ou=Groups,dc=terpstra-world,dc=org
+</pre><p>
+ The script tries to add the ou=People container twice, hence the error message.
+ This is expected behavior.
+ </p></li><li><p>
+ <a class="indexterm" name="id2572246"></a>
+ Restart the LDAP server following initialization of the LDAP directory. Execute the
+ system control script provided on your system. The following steps can be used on
+ Novell SUSE SLES 9:
+</p><pre class="screen">
+<code class="prompt">root# </code> rcldap restart
+<code class="prompt">root# </code> chkconfig ldap on
+</pre><p>
+ </p></li><li><p>
+ Verify that the new user accounts that have been added to the LDAP directory can be
+ resolved as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent passwd
+...
+nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
+man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
+news:x:9:13:News system:/etc/news:/bin/bash
+uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
++::0:0:::
+root:x:0:0:Netbios Domain Administrator:/home/users/root:/bin/false
+nobody:x:999:514:nobody:/dev/null:/bin/false
+</pre><p>
+ Now repeat this for the group accounts as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> getent group
+...
+nobody:x:65533:
+nogroup:x:65534:nobody
+users:x:100:
++::0:
+Domain Admins:x:512:root
+Domain Users:x:513:
+Domain Guests:x:514:
+Domain Computers:x:515:
+Administrators:x:544:
+Print Operators:x:550:
+Backup Operators:x:551:
+Replicators:x:552:
+</pre><p>
+ In both cases the LDAP accounts follow the “<span class="quote">+::0:</span>” entry.
+ </p></li><li><p>
+ Now it is time to join the Samba BDC to the target NT4 domain that is being
+ migrated to Samba-3 by executing the following:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc join -S TRANSGRESSION -U Administrator%not24get
+merlin:/opt/IDEALX/sbin # net rpc join -S TRANSGRESSION \
+ -U Administrator%not24get
+Joined domain DAMNATION.
+</pre><p>
+ </p></li><li><p>
+ Set the new domain administrator (root) password for both UNIX and Windows as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> /opt/IDEALX/sbin/smbldap-passwd root
+Changing password for root
+New password : ********
+Retype new password : ********
+</pre><p>
+ Note: During account migration, the Windows Administrator account will not be migrated
+ to the Samba server.
+ </p></li><li><p>
+ Now validate that these accounts can be resolved using Samba's tools as
+ shown here for user accounts:
+</p><pre class="screen">
+<code class="prompt">root# </code> pdbedit -Lw
+root:0:84B0D8E14D158FF8417EAF50CFAC29C3:
+ AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[U ]:LCT-425F6467:
+nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:
+ NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU ]:LCT-00000000:
+</pre><p>
+ Now complete the following step to validate that group account mappings have
+ been correctly set:
+</p><pre class="screen">
+<code class="prompt">root# </code> net groupmap list
+Domain Admins (S-1-5-21-1385457007-882775198-1210191635-512)
+ -> Domain Admins
+Domain Users (S-1-5-21-1385457007-882775198-1210191635-513)
+ -> Domain Users
+Domain Guests (S-1-5-21-1385457007-882775198-1210191635-514)
+ -> Domain Guests
+Domain Computers (S-1-5-21-1385457007-882775198-1210191635-515)
+ -> Domain Computers
+Administrators (S-1-5-32-544) -> Administrators
+Print Operators (S-1-5-32-550) -> Print Operators
+Backup Operators (S-1-5-32-551) -> Backup Operators
+Replicators (S-1-5-32-552) -> Replicators
+</pre><p>
+ These are the expected results for a correctly configured system.
+ </p></li><li><p>
+ Commence migration as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc vampire -S TRANSGRESSION \
+ -U Administrator%not24get > /tmp/vampire.log 2>1
+</pre><p>
+ Check the vampire log to confirm that only expected errors have been
+ reported. See <a href="ntmigration.html#sbevam1" title="Migration Log Validation">???</a>.
+ </p></li><li><p>
+ The migration of user accounts can be quickly validated as follows:
+</p><pre class="screen">
+<code class="prompt">root# </code> pdbedit -Lw
+root:0:84B0D8E14D158FF8417EAF50CFAC29C3:...
+nobody:65534:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:...
+Administrator:0:84B0D8E14D158FF8417EAF50CFAC29C3:...
+Guest:1:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:...
+TRANSGRESSION$:2:CC044B748CEE294CE76B6B0D1B86C1A8:...
+IUSR_TRANSGRESSION:3:64046AC81B056C375F9537FC409085F8:...
+MIDEARTH$:4:E93186E5819706D2AAD3B435B51404EE:...
+atrickhoffer:5:DC08CFE0C12B2867352502E32A407F23:...
+barryf:6:B829BCDE01FF24376E45D5F10408CFBD:...
+fsellerby:7:6A97CBEBE8F9826B417EAF50CFAC29C3:...
+gdaison:8:48F6A8C8A900024351DA8C2061C5F1D3:...
+hrambotham:9:7330D9EA0964465EAAD3B435B51404EE:...
+jrhapsody:10:ACBA7D207E2BA35D9BD41A26B01626BD:...
+maryk:11:293B5A4CA41F6CA1A7D80430B8342B73:...
+jacko:12:8E8982D86BD037C364BBD09A598E07AD:...
+bridge:13:0D2CA7D2BE67FE2193BE3A377C968336:...
+sharpec:14:8841A75CAC19D2855D8B73B1F4D430F8:...
+jimbo:15:6E8BDC904FD9EC5C17306D272A9441BB:...
+dhenwick:16:D1694A03C33584BDAAD3B435B51404EE:...
+dork:17:69E2D19E69A593D5AAD3B435B51404EE:...
+blue:18:E355EBF9559979FEAAD3B435B51404EE:...
+billw:19:EE35C3481CF7F7DB484448BC86A641A5:...
+rfreshmill:20:7EC033B58661B60CAAD3B435B51404EE:...
+MAGGOT$:21:A3B9334765AD30F7AAD3B435B51404EE:...
+TRENTWARE$:22:1D92C8DD5E7F0DDF93BE3A377C968336:...
+MORTON$:23:89342E69DCA9D3F8AAD3B435B51404EE:...
+NARM$:24:2B93E2D1D25448BDAAD3B435B51404EE:...
+LAPDOG$:25:14AA535885120943AAD3B435B51404EE:...
+SCAVENGER$:26:B6288EB6D147B56F8963805A19B0ED49:...
+merlin$:27:820C50523F368C54AB9D85AE603AD09D:...
+</pre><p>
+ </p></li><li><p>
+ The mapping of UNIX and Windows groups can be validated as show here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net groupmap list
+Domain Admins (S-1-5-21-1385457007-882775198-1210191635-512)
+ -> Domain Admins
+Domain Users (S-1-5-21-1385457007-882775198-1210191635-513)
+ -> Domain Users
+Domain Guests (S-1-5-21-1385457007-882775198-1210191635-514)
+ -> Domain Guests
+Domain Computers (S-1-5-21-1385457007-882775198-1210191635-515)
+ -> Domain Computers
+Administrators (S-1-5-32-544) -> Administrators
+Print Operators (S-1-5-32-550) -> Print Operators
+Backup Operators (S-1-5-32-551) -> Backup Operators
+Replicator (S-1-5-32-552) -> Replicators
+Engineers (S-1-5-21-1385457007-882775198-1210191635-1020) -> Engineers
+Marketoids (S-1-5-21-1385457007-882775198-1210191635-1022) -> Marketoids
+Gnomes (S-1-5-21-1385457007-882775198-1210191635-1023) -> Gnomes
+Catalyst (S-1-5-21-1385457007-882775198-1210191635-1024) -> Catalyst
+Recieving (S-1-5-21-1385457007-882775198-1210191635-1025) -> Recieving
+Rubberboot (S-1-5-21-1385457007-882775198-1210191635-1026) -> Rubberboot
+Sales (S-1-5-21-1385457007-882775198-1210191635-1027) -> Sales
+Accounting (S-1-5-21-1385457007-882775198-1210191635-1028) -> Accounting
+Shipping (S-1-5-21-1385457007-882775198-1210191635-1029) -> Shipping
+Account Operators (S-1-5-32-548) -> Account Operators
+Guests (S-1-5-32-546) -> Guests
+Server Operators (S-1-5-32-549) -> Server Operators
+Users (S-1-5-32-545) -> Users
+</pre><p>
+ It is of vital importance that the domain SID portions of all group
+ accounts are identical.
+ </p></li><li><p>
+ The final responsibility in the migration process is to create identical
+ shares and printing resources on the new Samba-3 server, copy all data
+ across, set up privileges, and set share and file/directory access controls.
+ </p></li><li><p>
+ <a class="indexterm" name="id2572560"></a>
+ <a class="indexterm" name="id2572567"></a>
+ Edit the <code class="filename">smb.conf</code> file to reset the parameter
+ <a class="indexterm" name="id2572581"></a>domain master = Yes so that
+ the Samba server functions as a PDC for the purpose of migration.
+ Also, uncomment the deletion scripts so they will now be fully functional,
+ enable the <em class="parameter"><code>wins support = yes</code></em> parameter and
+ comment out the <em class="parameter"><code>wins server</code></em>. Validate the configuration
+ with the <span><strong class="command">testparm</strong></span> utility as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> testparm
+Load smb config files from /etc/samba/smb.conf
+Processing section "[apps]"
+Processing section "[media]"
+Processing section "[homes]"
+Processing section "[printers]"
+Processing section "[netlogon]"
+Processing section "[profiles]"
+Processing section "[profdata]"
+Processing section "[print$]"
+Loaded services file OK.
+Server role: ROLE_DOMAIN_PDC
+Press enter to see a dump of your service definitions
+</pre><p>
+ </p></li><li><p>
+ Now shut down the old NT4 PDC. Only when the old NT4 PDC and all
+ NT4 BDCs have been shut down can the Samba-3 PDC be started.
+ </p></li><li><p>
+ All workstations should function as they did with the old NT4 PDC. All
+ interdomain trust accounts should remain in place and fully functional.
+ All machine accounts and user logon accounts should also function correctly.
+ </p></li><li><p>
+ The configuration of Samba-3 BDC servers can be accomplished now or at any
+ convenient time in the future. Please refer to the carefully detailed process
+ for doing so is outlined in <a href="happy.html#sbehap-bldg1" title="Samba-3 BDC Configuration">???</a>.
+ </p></li></ol></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="sbevam1"></a>Migration Log Validation</h4></div></div></div><p>
+ The following <code class="filename">vampire.log</code> file is typical of a valid migration.
+</p><pre class="screen">
+adding user Administrator to group Domain Admins
+adding user atrickhoffer to group Engineers
+adding user dhenwick to group Engineers
+adding user dork to group Engineers
+adding user rfreshmill to group Marketoids
+adding user jacko to group Gnomes
+adding user jimbo to group Gnomes
+adding user maryk to group Gnomes
+adding user gdaison to group Gnomes
+adding user dhenwick to group Catalyst
+adding user jacko to group Catalyst
+adding user jacko to group Recieving
+adding user blue to group Recieving
+adding user hrambotham to group Rubberboot
+adding user billw to group Sales
+adding user bridge to group Sales
+adding user jrhapsody to group Sales
+adding user maryk to group Sales
+adding user rfreshmill to group Sales
+adding user fsellerby to group Sales
+adding user sharpec to group Sales
+adding user jimbo to group Accounting
+adding user gdaison to group Accounting
+adding user jacko to group Shipping
+adding user blue to group Shipping
+Fetching DOMAIN database
+Creating unix group: 'Engineers'
+Creating unix group: 'Marketoids'
+Creating unix group: 'Gnomes'
+Creating unix group: 'Catalyst'
+Creating unix group: 'Recieving'
+Creating unix group: 'Rubberboot'
+Creating unix group: 'Sales'
+Creating unix group: 'Accounting'
+Creating unix group: 'Shipping'
+Creating account: Administrator
+Creating account: Guest
+Creating account: TRANSGRESSION$
+Creating account: IUSR_TRANSGRESSION
+Creating account: MIDEARTH$
+Creating account: atrickhoffer
+Creating account: barryf
+Creating account: fsellerby
+Creating account: gdaison
+Creating account: hrambotham
+Creating account: jrhapsody
+Creating account: maryk
+Creating account: jacko
+Creating account: bridge
+Creating account: sharpec
+Creating account: jimbo
+Creating account: dhenwick
+Creating account: dork
+Creating account: blue
+Creating account: billw
+Creating account: rfreshmill
+Creating account: MAGGOT$
+Creating account: TRENTWARE$
+Creating account: MORTON$
+Creating account: NARM$
+Creating account: LAPDOG$
+Creating account: SCAVENGER$
+Creating account: merlin$
+Group members of Domain Admins: Administrator,
+Group members of Domain Users: Administrator(primary),
+TRANSGRESSION$(primary),IUSR_TRANSGRESSION(primary),
+MIDEARTH$(primary),atrickhoffer(primary),barryf(primary),
+fsellerby(primary),gdaison(primary),hrambotham(primary),
+jrhapsody(primary),maryk(primary),jacko(primary),bridge(primary),
+sharpec(primary),jimbo(primary),dhenwick(primary),dork(primary),
+blue(primary),billw(primary),rfreshmill(primary),MAGGOT$(primary),
+TRENTWARE$(primary),MORTON$(primary),NARM$(primary),
+LAPDOG$(primary),SCAVENGER$(primary),merlin$(primary),
+Group members of Domain Guests: Guest(primary),
+Group members of Engineers: atrickhoffer,dhenwick,dork,
+Group members of Marketoids: rfreshmill,
+Group members of Gnomes: jacko,jimbo,maryk,gdaison,
+Group members of Catalyst: dhenwick,jacko,
+Group members of Recieving: jacko,blue,
+Group members of Rubberboot: hrambotham,
+Group members of Sales: billw,bridge,jrhapsody,maryk,
+rfreshmill,fsellerby,sharpec,
+Group members of Accounting: jimbo,gdaison,
+Group members of Shipping: jacko,blue,
+Fetching BUILTIN database
+skipping SAM_DOMAIN_INFO delta for 'Builtin' (is not my domain)
+Creating unix group: 'Account Operators'
+Creating unix group: 'Guests'
+Creating unix group: 'Server Operators'
+Creating unix group: 'Users'
+</pre><p>
+ </p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2572803"></a>NT4 Migration Using tdbsam Backend</h3></div></div></div><p>
+ In this example, we change the domain name of the NT4 server from
+ <code class="constant">DRUGPREP</code> to <code class="constant">MEGANET</code> prior to the use
+ of the vampire (migration) tool. This migration process makes use of Linux system tools
+ (like <span><strong class="command">useradd</strong></span>) to add the accounts that are migrated into the
+ UNIX/Linux <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code>
+ databases. These entries must therefore be present, and correct options specified,
+ in your <code class="filename">smb.conf</code> file, or else the migration does not work as it should.
+ </p><div class="procedure"><a name="id2572850"></a><p class="title"><b>Procedure 9.2. Migration Steps Using tdbsam</b></p><ol type="1"><li><p>
+ Prepare a Samba-3 server precisely per the instructions shown in <a href="Big500users.html" title="Chapter 4. The 500-User Office">???</a>.
+ Set the workgroup name to <code class="constant">MEGANET</code>.
+ </p></li><li><p><a class="indexterm" name="id2572878"></a><a class="indexterm" name="id2572886"></a>
+ Edit the <code class="filename">smb.conf</code> file to temporarily change the parameter
+ <a class="indexterm" name="id2572902"></a>domain master = No so
+ the Samba server functions as a BDC for the purpose of migration.
+ </p></li><li><p>
+ Start Samba as you have done previously.
+ </p></li><li><p><a class="indexterm" name="id2572923"></a>
+ Join the NT4 Domain as a BDC, as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc join -S oldnt4pdc -W MEGANET -UAdministrator%not24get
+Joined domain MEGANET.
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id2572958"></a>
+ You may vampire the accounts from the NT4 PDC by executing the command, as shown here:
+</p><pre class="screen">
+<code class="prompt">root# </code> net rpc vampire -S oldnt4pdc -U Administrator%not24get
+Fetching DOMAIN database
+SAM_DELTA_DOMAIN_INFO not handled
+Creating unix group: 'Domain Admins'
+Creating unix group: 'Domain Users'
+Creating unix group: 'Domain Guests'
+Creating unix group: 'Engineers'
+Creating unix group: 'Marketoids'
+Creating unix group: 'Account Operators'
+Creating unix group: 'Administrators'
+Creating unix group: 'Backup Operators'
+Creating unix group: 'Guests'
+Creating unix group: 'Print Operators'
+Creating unix group: 'Replicator'
+Creating unix group: 'Server Operators'
+Creating unix group: 'Users'
+Creating account: Administrator
+Creating account: Guest
+Creating account: oldnt4pdc$
+Creating account: jacko
+Creating account: maryk
+Creating account: bridge
+Creating account: sharpec
+Creating account: jimbo
+Creating account: dhenwick
+Creating account: dork
+Creating account: blue
+Creating account: billw
+Creating account: massive$
+Group members of Engineers: Administrator,
+ sharpec(primary),bridge,billw(primary),dhenwick
+Group members of Marketoids: Administrator,jacko(primary),
+ maryk(primary),jimbo,blue(primary),dork(primary)
+Creating unix group: 'Gnomes'
+Fetching BUILTIN database
+SAM_DELTA_DOMAIN_INFO not handled
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id2573033"></a>
+ At this point, we can validate our migration. Let's look at the accounts
+ in the form in which they are seen in a smbpasswd file. This achieves that:
+</p><pre class="screen">
+<code class="prompt">root# </code> pdbedit -Lw
+Administrator:505:84B0D8E14D158FF8417EAF50CFAC29C3:
+ AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[UX ]:LCT-3DF7AA9F:
+jimbo:512:6E9A2A51F64A1BD5C187B8085FE1D9DF:
+ CDF7E305E639966E489A0CEFB95EE5E0:[UX ]:LCT-3E9362BC:
+sharpec:511:E4301A7CD8FDD1EC6BBF9BC19CDF8151:
+ 7000255938831D5B948C95C1931534C5:[UX ]:LCT-3E8B42C4:
+dhenwick:513:DCD8886141E3F892AAD3B435B51404EE:
+ 2DB36465949CB938DD98C312EFDC2639:[UX ]:LCT-3E939F41:
+bridge:510:3FE6873A43101B46417EAF50CFAC29C3:
+ 891741F481AF111B4CAA09A94016BD01:[UX ]:LCT-3E8B4291:
+blue:515:256D41D2559BB3D2AAD3B435B51404EE:
+ 9CCADDA4F7D281DD0FAD321478C6F971:[UX ]:LCT-3E939FDC:
+diamond$:517:6C8E7B64EDCDBC4218B6345447A4454B:
+ 3323AC63C666CFAACB60C13F65D54E9A:[S ]:LCT-00000000:
+oldnt4pdc$:507:3E39430CDCABB5B09ED320D0448AE568:
+ 95DBAF885854A919C7C7E671060478B9:[S ]:LCT-3DF7AA9F:
+Guest:506:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
+ XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DUX ]:LCT-3E93A008:
+billw:516:85380CA7C21B6EBE168C8150662AF11B:
+ 5D7478508293709937E55FB5FBA14C17:[UX ]:LCT-3FED7CA1:
+dork:514:78C70DDEC35A35B5AAD3B435B51404EE:
+ 0AD886E015AC595EC0AF40E6C9689E1A:[UX ]:LCT-3E939F9A:
+jacko:508:BC472F3BF9A0A5F63832C92FC614B7D1:
+ 0C6822AAF85E86600A40DC73E40D06D5:[UX ]:LCT-3E8B4242:
+maryk:509:3636AB7E12EBE79AB79AE2610DD89D4C:
+ CF271B744F7A55AFDA277FF88D80C527:[UX ]:LCT-3E8B4270:
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id2573086"></a>
+ An expanded view of a user account entry shows more of what was
+ obtained from the NT4 PDC:
+</p><pre class="screen">
+sleeth:~ # pdbedit -Lv maryk
+Unix username: maryk
+NT username: maryk
+Account Flags: [UX ]
+User SID: S-1-5-21-1988699175-926296742-1295600288-1003
+Primary Group SID: S-1-5-21-1988699175-926296742-1295600288-1007
+Full Name: Mary Kathleen
+Home Directory: \\diamond\maryk
+HomeDir Drive: X:
+Logon Script: scripts\logon.bat
+Profile Path: \\diamond\profiles\maryk
+Domain: MEGANET
+Account desc: Peace Maker
+Workstations:
+Munged dial:
+Logon time: 0
+Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Password last set: Wed, 02 Apr 2003 13:05:04 GMT
+Password can change: 0
+Password must change: Mon, 18 Jan 2038 20:14:07 GMT
+</pre><p>
+ </p></li><li><p><a class="indexterm" name="id2573121"></a>
+ The following command lists the long names of the groups that have been
+ imported (vampired) from the NT4 PDC:
+</p><pre class="screen">
+<code class="prompt">root# </code> net group -l -Uroot%not24get -Smassive
+
+Group name Comment
+-----------------------------
+Engineers Snake Oil Engineers
+Marketoids Untrustworthy Hype Vendors
+Gnomes Plain Vanilla Garden Gnomes
+Replicator Supports file replication in a domain
+Guests Users granted guest access to the computer/domain
+Administrators Members can fully administer the computer/domain
+Users Ordinary users
+</pre><p>
+ Everything looks well and in order.
+ </p></li><li><p><a class="indexterm" name="id2573161"></a><a class="indexterm" name="id2573169"></a>
+ Edit the <code class="filename">smb.conf</code> file to reset the parameter
+ <a class="indexterm" name="id2573184"></a>domain master = Yes so
+ the Samba server functions as a PDC for the purpose of migration.
+ </p></li></ol></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2573196"></a>Key Points Learned</h3></div></div></div><p>
+ Migration of an NT4 PDC database to a Samba-3 PDC is possible.
+ </p><div class="itemizedlist"><ul type="disc"><li><p>
+ An LDAP backend is a suitable vehicle for NT4 migrations.
+ </p></li><li><p>
+ A tdbsam backend can be used to perform a migration.
+ </p></li><li><p>
+ Multiple NT4 domains can be merged into a single Samba-3
+ domain.
+ </p></li><li><p>
+ The net Samba-3 domain most likely requires some
+ administration and updating before going live.
+ </p></li></ul></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2573235"></a>Questions and Answers</h2></div></div></div><p>
+ </p><div class="qandaset"><dl><dt> <a href="ntmigration.html#id2573250">clean database
+ Why must I start each migration with a clean database?
+ </a></dt><dt> <a href="ntmigration.html#id2573291">Domain SID
+ Is it possible to set my domain SID to anything I like?
+ </a></dt><dt> <a href="ntmigration.html#id2573348">/etc/passwd/etc/grouptdbsampassdb backendaccountsuseraccountsgroupaccountsDomain
+ When using a tdbsam passdb backend, why must I have all domain user and group accounts
+ in /etc/passwd and /etc/group?
+ </a></dt><dt> <a href="ntmigration.html#id2573522">validateconnectivitymigration
+ Why did you validate connectivity before attempting migration?
+ </a></dt><dt> <a href="ntmigration.html#id2573568">
+ How would you merge 10 tdbsam-based domains into an LDAP database?
+ </a></dt><dt> <a href="ntmigration.html#id2573697">machine accountsaccountsmachine
+ I want to change my domain name after I migrate all accounts from an NT4 domain to a
+ Samba-3 domain. Does it make any sense to migrate the machine accounts in that case?
+ </a></dt><dt> <a href="ntmigration.html#id2573773">multiple group mappings
+ After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why?
+ </a></dt><dt> <a href="ntmigration.html#id2573838">
+ How can I reset group membership after loading the account information into the LDAP database?
+ </a></dt><dt> <a href="ntmigration.html#id2573872">group names
+ What are the limits or constraints that apply to group names?
+ </a></dt><dt> <a href="ntmigration.html#id2573977">vampire
+ My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3
+ LDAP backend system using the vampire process?
+ </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%"><tbody><tr class="question"><td align="left" valign="top"><a name="id2573250"></a><a name="id2573252"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573256"></a>
+ Why must I start each migration with a clean database?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573271"></a>
+ This is a recommendation that permits the data from each NT4 domain to
+ be kept separate until you are ready to merge them. Also, if you do not start with a clean database,
+ you may find errors due to users or groups from multiple domains having the
+ same name but different SIDs. It is better to permit each migration to complete
+ without undue errors and then to handle the merging of vampired data under
+ proper supervision.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2573291"></a><a name="id2573293"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573296"></a>
+ Is it possible to set my domain SID to anything I like?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573312"></a><a class="indexterm" name="id2573320"></a><a class="indexterm" name="id2573327"></a>
+ Yes, so long as the SID you create has the same structure as an autogenerated SID.
+ The typical SID looks like this: S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX, where
+ the XXXXXXXXXX can be any number with from 6 to 10 digits. On the other hand, why
+ would you really want to create your own SID? I cannot think of a good reason.
+ You may want to set the SID to one that is already in use somewhere on your network,
+ but that is a little different from straight out creating your own domain SID.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2573348"></a><a name="id2573350"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573353"></a><a class="indexterm" name="id2573361"></a><a class="indexterm" name="id2573369"></a><a class="indexterm" name="id2573377"></a><a class="indexterm" name="id2573385"></a><a class="indexterm" name="id2573396"></a><a class="indexterm" name="id2573408"></a>
+ When using a tdbsam passdb backend, why must I have all domain user and group accounts
+ in <code class="filename">/etc/passwd</code> and <code class="filename">/etc/group</code>?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573439"></a><a class="indexterm" name="id2573447"></a><a class="indexterm" name="id2573454"></a><a class="indexterm" name="id2573462"></a><a class="indexterm" name="id2573470"></a><a class="indexterm" name="id2573478"></a>
+ Samba-3 must be able to tie all user and group account SIDs to a UNIX UID or GID. Samba
+ does not fabricate the UNIX IDs from thin air, but rather requires them to be located
+ in a suitable place.
+ </p><p>
+ When migrating a <code class="filename">smbpasswd</code> file to an LDAP backend, the
+ UID of each account is taken together with the account information in the
+ <code class="filename">/etc/passwd</code>, and both sets of data are used to create the account
+ entry in the LDAP database.
+ </p><p>
+ If you elect to create the POSIX account also, the entire UNIX account is copied to the
+ LDAP backend. The same occurs with NT groups and UNIX groups. At the conclusion of
+ migration to the LDAP database, the accounts may be removed from the UNIX database files.
+ In short then, all UNIX and Windows networking accounts, both in tdbsam as well as in
+ LDAP, require UIDs/GIDs.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2573522"></a><a name="id2573524"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573528"></a><a class="indexterm" name="id2573536"></a><a class="indexterm" name="id2573544"></a>
+ Why did you validate connectivity before attempting migration?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ Access validation before attempting to migrate NT4 domain accounts helps to pinpoint
+ potential problems that may otherwise affect or impede account migration. I am always
+ mindful of the 4 P's of migration: Planning Prevents Poor Performance.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2573568"></a><a name="id2573570"></a><b></b></td><td align="left" valign="top"><p>
+ How would you merge 10 tdbsam-based domains into an LDAP database?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573581"></a><a class="indexterm" name="id2573589"></a><a class="indexterm" name="id2573596"></a><a class="indexterm" name="id2573604"></a><a class="indexterm" name="id2573612"></a><a class="indexterm" name="id2573620"></a><a class="indexterm" name="id2573628"></a><a class="indexterm" name="id2573635"></a><a class="indexterm" name="id2573643"></a><a class="indexterm" name="id2573651"></a><a class="indexterm" name="id2573659"></a>
+ If you have 10 tdbsam Samba domains, there is considerable risk that there are a number of
+ accounts that have the same UNIX identifier (UID/GID). This means that you almost
+ certainly have to edit a lot of data. It would be easiest to dump each database in smbpasswd
+ file format and then manually edit all records to ensure that each has a unique UID. Each
+ file can then be imported a number of ways. You can use the <span><strong class="command">pdbedit</strong></span> tool
+ to affect a transfer from the smbpasswd file to LDAP, or you can migrate them en masse to
+ tdbsam and then to LDAP. The final choice is yours. Just remember to verify all accounts that
+ you have migrated before handing over access to a user. After all, too many users with a bad
+ migration experience may threaten your career.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2573697"></a><a name="id2573699"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573702"></a><a class="indexterm" name="id2573710"></a>
+ I want to change my domain name after I migrate all accounts from an NT4 domain to a
+ Samba-3 domain. Does it make any sense to migrate the machine accounts in that case?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573731"></a><a class="indexterm" name="id2573739"></a><a class="indexterm" name="id2573747"></a><a class="indexterm" name="id2573755"></a>
+ I would recommend not to migrate the machine account. The machine accounts should still work, but there are registry entries
+ on each Windows NT4 and upward client that have a tattoo of the old domain name. If you
+ unjoin the domain and then rejoin the newly renamed Samba-3 domain, you can be certain to avoid
+ this tattooing effect.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2573773"></a><a name="id2573775"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573778"></a>
+ After merging multiple NT4 domains into a Samba-3 domain, I lost all multiple group mappings. Why?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573795"></a><a class="indexterm" name="id2573802"></a>
+ Samba-3 currently does not implement multiple group membership internally. If you use the Windows
+ NT4 Domain User Manager to manage accounts and you have an LDAP backend, the multiple group
+ membership is stored in the POSIX groups area. If you use either tdbsam or smbpasswd backend,
+ then multiple group membership is handled through the UNIX groups file. When you dump the user
+ accounts, no group account information is provided. When you edit (change) UIDs and GIDs in each
+ file to which you migrated the NT4 Domain data, do not forget to edit the UNIX <code class="filename">/etc/passwd</code>
+ and <code class="filename">/etc/group</code> information also. That is where the multiple group information
+ is most closely at your fingertips.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2573838"></a><a name="id2573840"></a><b></b></td><td align="left" valign="top"><p>
+ How can I reset group membership after loading the account information into the LDAP database?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573851"></a>
+ You can use the NT4 Domain User Manager that can be downloaded from the Microsoft Web site. The
+ installation file is called <code class="filename">SRVTOOLS.EXE</code>.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2573872"></a><a name="id2573874"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573877"></a>
+ What are the limits or constraints that apply to group names?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573893"></a><a class="indexterm" name="id2573901"></a><a class="indexterm" name="id2573909"></a><a class="indexterm" name="id2573917"></a><a class="indexterm" name="id2573924"></a><a class="indexterm" name="id2573932"></a>
+ A Windows 200x group name can be up to 254 characters long, while in Windows NT4 the group
+ name is limited to 20 characters. Most UNIX systems limit this to 32 characters. Windows
+ groups can contain upper- and lowercase characters, as well as spaces.
+ Many UNIX system do not permit the use of uppercase characters, and some do not permit the
+ space character either. A number of systems (i.e., Linux) work fine with both uppercase
+ and space characters in group names, but the shadow-utils package that provides the group
+ control functions (<span><strong class="command">groupadd</strong></span>, <span><strong class="command">groupmod</strong></span>, <span><strong class="command">groupdel</strong></span>, and so on) do not permit them.
+ Also, a number of UNIX systems management tools enforce their own particular interpretation
+ of the POSIX standards and likewise do not permit uppercase or space characters in group
+ or user account names. You have to experiment with your system to find what its
+ peculiarities are.
+ </p></td></tr><tr class="question"><td align="left" valign="top"><a name="id2573977"></a><a name="id2573979"></a><b></b></td><td align="left" valign="top"><p><a class="indexterm" name="id2573982"></a>
+ My Windows NT4 PDC has 323,000 user accounts. How long will it take to migrate them to a Samba-3
+ LDAP backend system using the vampire process?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p>
+ UNIX UIDs and GIDs on most UNIX systems use an unsigned short or an unsigned integer. Recent Linux
+ kernels support at least a much larger number. On systems that have a 16-bit constraint on UID/GIDs,
+ you would not be able to migrate 323,000 accounts because this number cannot fit into a 16-bit unsigned
+ integer. UNIX/Linux systems that have a 32-bit UID/GID can easily handle this number of accounts.
+ Please check this carefully before you attempt to effect a migration using the vampire process.
+ </p><p><a class="indexterm" name="id2574011"></a>
+ Migration speed depends much on the processor speed, the network speed, disk I/O capability, and
+ LDAP update overheads. On a dual processor AMD MP1600+ with 1 GB memory that was mirroring LDAP
+ to a second identical system over 1 Gb Ethernet, I was able to migrate around 180 user accounts
+ per minute. Migration would obviously go much faster if LDAP mirroring were turned off during the migration.
+ </p></td></tr></tbody></table></div></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="upgrades.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="DMSMig.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="nw4migration.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">Chapter 8. Updating Samba-3 </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 10. Migrating NetWare Server to Samba-3</td></tr></table></div></body></html>
projects / samba / blobdiff