On Wed, 2006-09-06 at 17:05 -0400, Bob Hetzel wrote:
> Greetings all,
>
> I've been researching migrating my NT4 PDC and BDC services to samba
> to get around the concerns we have here with NT4 no longer being
> patched when security holes are found.
>
> Details of my current NT4 domain...
>
> approx 300 computers, most of which can be migrated out soon either
> to be in no-domain or in an active directory domain
>
> approx 3000 user accounts, which need to be maintained until we can
> transition servers and custom-built webapps to an active directory domain.
>
> I have no interest in doing shares, printers, or roaming profiles on
> these domain controllers. Server 2003 licenses are extremely cheap
> for us here in the university environment and we have to have windows
> to run the current commercial apps we have anyway. We're working on
> transitioning everything into MS Active Directory but cannot migrate
> using the standard MS methods for a variety of reasons and are likely
> to be stuck with the old NT4 domain for at least the next 6-12
> months. Additionally that hardware is pretty old and I have
> reliability concerns with it.
>
> Conclusions and questions I've come to so far... correct these if you
> think there is a superior way. I've been reading lots of docs and
> how-tos mostly from www.samba.org
>
> 1) an LDAP backend is really required for proper operation of
> replication between the two domain controllers while maintaining
> complete redundancy
>
> 2) users and machines must be in both the LDAP and in the
> /etc/passwd files. I'd rather not have this as I do not want
> these users signing into my unix box under other protocols.
>
> 3) I'll enable the software firewall on the unix box to prevent
> unauthorized access into the LDAP servers. How should I secure the
> LDAP servers beyond that? I assume I need encryption on the
> replication traffic between the master and slave LDAP. I want to
> make sure nobody can just use their own account to query the LDAP
> and get out other people's password hashes (or even their own if I
> can prevent that while still allowing them to change their own password).
>
> 4) The most common database back-end seems to be BDB which I'm not
> familiar with. Are there any common tools to query that directly
> beyond querying it through the ldap server? This is not a
> requirement but I'd like to know the details of what's in the
> database and how it's laid out for my own info.
>
> 5) Am I likely to run into any problems importing the accounts and
> groups from the NT4 domain? We have all of our servers set to use
> only NTLMv2. My goal is to make this happen in a way that end-users
> shouldn't notice any difference, so if their passwords change it'll
> be a disaster. Additionally we have automated jobs kicking off all
> hours of the day and night which will depend on users, passwords, and
> group memberships not changing.
>
> Any additional details you can provide would be wonderful.

----

Users need only be in LDAP, and not in both LDAP and the /etc/passwd files as you state in #2.

Be prepared to perform the vampire (import from NT4) many times until you get everything right.

Lastly, some amount of mastery of LDAP is going to make this a whole lot easier. Learn to use LDAP command line clients such as ldapadd/ldapmodify/ldapsearch, and TLS/SSL with LDAP, prior to samba integration.

Craig

--
To unsubscribe from this list go to the following URL and read the instructions:
https://lists.samba.org/mailman/listinfo/samba
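Question 3 above (keeping password hashes away from ordinary users and encrypting replication) and Craig's advice to get comfortable with TLS before Samba integration can be made concrete with an OpenLDAP configuration. The slapd.conf fragment below is an added example written for this page; it is not from the thread or from the Samba project, and the suffix (dc=example,dc=edu), the DNs cn=samba and cn=replicator, the hostname ldap1.example.edu and the certificate paths are all assumed. It requires TLS on every connection, lets the DN Samba binds as read and write the hash attributes, lets users change but never read back their own, and has the slave pull replication over StartTLS.

```conf
# slapd.conf fragment (OpenLDAP 2.3-era syntax). Added example: every DN,
# host name and file path here is an assumption, not taken from the thread.

# --- Transport security ------------------------------------------------
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/ldap1.example.edu.crt
TLSCertificateKeyFile   /etc/openldap/ldap1.example.edu.key
TLSVerifyClient         never

# Refuse any operation, including simple binds, that is not protected by
# TLS of at least 128-bit strength. A client that gets through the host
# firewall but tries a plaintext bind is rejected with
# "confidentiality required" instead of sending its password in the clear.
security ssf=128 simple_bind=128

# --- Access control ----------------------------------------------------
# ACLs are evaluated top to bottom and the first matching "access to"
# clause wins, so the rule for the hash attributes must come before the
# catch-all rule for the rest of the entry.

# Password material. The DN Samba binds as (the "ldap admin dn" in smb.conf)
# needs write so the vampire import and later password changes can store
# hashes; the replication account needs read so the slave gets them;
# a user may change (=xw means exactly: authenticate + write) but never
# read back their own hashes; anonymous gets only the access a bind needs;
# everyone else, including other authenticated users, gets nothing.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba,ou=DSA,dc=example,dc=edu" write
    by dn.exact="cn=replicator,ou=DSA,dc=example,dc=edu" read
    by self =xw
    by anonymous auth
    by * none

# Everything else (uid/gid numbers, SIDs, group membership): readable by
# authenticated users, writable only by the Samba DN, invisible anonymously.
access to *
    by dn.exact="cn=samba,ou=DSA,dc=example,dc=edu" write
    by dn.exact="cn=replicator,ou=DSA,dc=example,dc=edu" read
    by users read
    by * none

# --- Replication, consumer (slave) side --------------------------------
# The master additionally needs "overlay syncprov" on this database.
# starttls=critical makes the consumer abort rather than fall back to a
# plaintext connection if the StartTLS negotiation fails, and
# tls_reqcert=demand refuses a provider whose certificate does not verify
# against the CA file, so hashes never cross the wire unencrypted.
syncrepl rid=001
    provider=ldap://ldap1.example.edu
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=edu"
    bindmethod=simple
    binddn="cn=replicator,ou=DSA,dc=example,dc=edu"
    credentials=REPLACE_WITH_REPLICATOR_PASSWORD
    starttls=critical
    tls_reqcert=demand
    tls_cacert=/etc/openldap/cacert.pem
```

Two checks are worth running from a shell before pointing Samba at the directory. Binding as an ordinary user with ldapsearch -ZZ -x -D "uid=someuser,ou=People,dc=example,dc=edu" -W -b dc=example,dc=edu "(uid=otheruser)" sambaNTPassword should return the other user's entry with no sambaNTPassword attribute at all, and the same search with -x but without -ZZ should be refused with "confidentiality required" rather than succeed over plaintext. On the Samba side, the matching smb.conf settings are ldap admin dn pointing at the cn=samba DN above and ldap ssl = start tls, so that Samba's own connection also satisfies the ssf requirement; the replicator credentials sit in the clear in slapd.conf, so that file should be readable only by the slapd user.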
