Sites that wish to migrate from MS Windows NT4 Domain Control to a Samba-based solution generally fit into three basic categories. Table 30.1 shows the possibilities.

Table 30.1. The Three Major Site Types

  Number of Users   Description
  < 50              Want simple conversion with no pain.
  50 - 250          Want new features, can manage some in-house complexity.
  > 250             Solution/implementation must scale well, complex needs.
                    Cross-departmental decision process. Local expertise in
                    most areas.

30.2.1 Planning for Success

There are three basic choices for sites that intend to migrate from MS Windows NT4 to Samba-3:

- Simple conversion (total replacement).
- Upgraded conversion (could be one of integration).
- Complete redesign (completely new solution).

Minimize down-stream problems by:

Table 30.2 lists the conversion choices given the type of migration being contemplated.

Table 30.2. Nature of the Conversion Choices

Simple:
  - Make use of minimal OS-specific features.
  - Move all accounts from NT4 into Samba-3.
  - Make the least number of operational changes.
  - Take the least amount of time to migrate.
  - Live versus isolated conversion.
  - Integrate Samba-3, then migrate while users are active, then change control (swap out).

Upgraded:
  - Translate NT4 features to new host OS features.
  - Copy and improve.
  - Make progressive improvements.
  - Minimize user impact.
  - Maximize functionality.
  - Take advantage of the lower-maintenance opportunity.

Redesign:
  - Decide:
    - Authentication regime (database location and access).
    - Desktop management methods.
    - Better control of desktops/users.
  - Identify needs for: manageability, scalability, security, availability.

30.2.2 Samba-3 Implementation Choices

Authentication Database/Backend
  Samba-3 can use an external authentication backend:
  - Winbind (external Samba or NT4/200x server).
  - The external server could use Active Directory or an NT4 Domain.
  - pam_mkhomedir.so can be used to auto-create home directories at first logon.
  Samba-3 can use a local authentication backend: smbpasswd, tdbsam, ldapsam, mysqlsam.

Access Control Points
  Samba permits Access Control Points to be set:
  - On the share itself, using Share ACLs.
  - On the file system, using UNIX permissions on files and directories. Note: POSIX ACLs can be enabled in the file system as well.
  The two are evaluated independently: a user must pass the share ACL to connect and then the file system permissions to touch a file, so the effective access is the more restrictive of the two.

Policies (migrate or create new ones)
  Exercise great caution when effecting registry changes. Use the right tool, and be aware that settings applied through NT4-style NTConfig.POL files are written directly into the client's registry and are not reverted when the policy is later removed or changed, so they leave permanent changes.

User and Group Profiles
  Profiles are platform specific, so use the platform's own tool to change from a Local to a Roaming profile. Samba's profiles tool can change the SIDs embedded in NTUser.DAT.

Logon Scripts
  Know how they work.

User and Group Mapping to UNIX/Linux
  The user and group mapping code is new in Samba-3. Many problems have been experienced by network administrators who are familiar with Samba-2.2.x as they migrate to Samba-3. Carefully study the chapters that document the new password backend behavior and the new group mapping functionality.
  - The username map facility may be needed.
  - Use net groupmap to connect NT4 groups to UNIX groups.
  - Use pdbedit to set/change user configuration.
  When migrating to an LDAP backend, it may be easier to dump the initial LDAP database to LDIF, edit it, then reload it into LDAP.

OS-Specific Scripts/Programs May Be Needed
  Every operating system has its peculiarities. These are the result of engineering decisions that were based on the experience of the designer, and may have side effects that were not anticipated. Limitations that may bite the Windows network administrator include:
- Add/Delete Users: Note OS limits on the length and form of names. Traditional UNIX tools limited user names to 8 characters (current Linux useradd accepts up to 32), while NT4 logon names may be up to 20 characters and may contain spaces and mixed case, so some NT4 names cannot be used unchanged and must be mapped.
- Add/Delete Machines: Applies only to Domain Members. Note: NetBIOS machine names are limited to 15 characters (the 16th byte is the NetBIOS name suffix), and the matching UNIX machine account carries a trailing "$".
- Add/Delete Groups: Note OS limits on the length and nature of names. Linux groupadd rejects spaces and, on the systems this chapter was written against, limited names to 16 lower-case characters (current shadow-utils accept up to 32); check the limits your own useradd and groupadd enforce before choosing names.
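The name-mapping steps above (fitting NT4 user and group names into what useradd/groupadd accept, tying each UNIX group to its NT4 RID with net groupmap, and writing username map lines for the names that had to change) combined into one script, as an added example that is not code from the Samba HOWTO or the Samba project. It assumes a constructed export format (one "NT name;RID" per line for groups, one name per line for users) and takes the 16- and 8-character limits quoted in this chapter as adjustable parameters; the sample names and the RID 1105 are constructed, while 512 and 513 are the well-known Domain Admins and Domain Users RIDs.

```shell
#!/bin/sh
# Added example (not from the Samba HOWTO): turn an NT4 group/user export
# into the groupadd, net groupmap and username.map lines a migration needs.
# Assumptions: the export is a constructed text format, one record per line,
# "NT name;RID" for groups and "NT name" for users; the UNIX name length
# limits are the ones this chapter quotes (16 for groups, 8 for users) and
# are parameters, so adjust them to what your useradd/groupadd accept.

# Make an NT4 name acceptable to useradd/groupadd: lower-case it, replace
# anything outside [a-z0-9_] (spaces included) with '_', trim it to $2
# characters, and drop any '_' the trim leaves dangling at the end.
unix_name() {
    printf '%s' "$1" \
      | tr 'A-Z' 'a-z' \
      | tr -c 'a-z0-9_' '_' \
      | cut -c1-"$2" \
      | sed 's/_*$//'
}

# Read "NT group;RID" records and print, for each, the groupadd and
# net groupmap commands that create the UNIX group and tie it to the NT4
# RID, so existing SIDs (Domain Admins is RID 512) keep working after the
# move. The group must exist before net groupmap add is run.
groupmap_cmds() {
    while IFS=';' read -r ntgroup rid; do
        [ -n "$ntgroup" ] || continue
        ug=$(unix_name "$ntgroup" 16)
        printf 'getent group %s >/dev/null || groupadd %s\n' "$ug" "$ug"
        printf 'net groupmap add ntgroup="%s" unixgroup=%s rid=%s type=d\n' \
            "$ntgroup" "$ug" "$rid"
    done
}

# Read NT user names and print username map lines (unixname = "NT name")
# for every name that had to change; names that survive unchanged need no
# mapping entry.
usermap_lines() {
    while read -r ntuser; do
        [ -n "$ntuser" ] || continue
        uu=$(unix_name "$ntuser" 8)
        [ "$uu" = "$ntuser" ] && continue
        printf '%s = "%s"\n' "$uu" "$ntuser"
    done
}

# Constructed sample export, standing in for what you would extract from
# NT4 User Manager. RIDs 512 and 513 are the real Domain Admins and
# Domain Users RIDs; the rest is made up.
SAMPLE_GROUPS='Domain Admins;512
Domain Users;513
Print Operators Group;1105'
SAMPLE_USERS='administrator
Jane Bloggs
jsmith'

printf '%s\n' "$SAMPLE_GROUPS" | groupmap_cmds
printf '%s\n' "$SAMPLE_USERS"  | usermap_lines
```

Run it with sh, review the printed commands, then execute the groupadd/net groupmap lines on the Samba-3 PDC and save the map lines to the file named by username map in smb.conf (for example username map = /etc/samba/username.map). Check the result with net groupmap list and pdbedit -L before letting users log on; a group whose RID was not preserved will not match the SIDs already stored in share ACLs and profiles.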
Migration Tools
  Domain Control (NT4 style), profiles, policies, access controls, security:
  - Samba: net, rpcclient, smbpasswd, pdbedit, profiles.
  - Windows: NT4 Domain User Manager, Server Manager (NEXUS).