[Samba] Several samba / ldap for a pdc/bdc setup/transition
beh at case.edu
Wed Sep 6 21:05:47 GMT 2006
I've been researching migrating my NT4 PDC and BDC services to samba
to get around the concerns we have here with NT4 no longer being
patched when security holes are found.
Details of my current NT4 domain...
approx 300 computers, most of which can be migrated out soon either
to be in no-domain or in an active directory domain
approx 3000 user accounts, which need to be maintained until we can
transition servers and custom built webapps to an active directory domain.
I have no interest in doing shares, printers, or roaming profiles on
these domain controllers. Server 2003 licenses are extremely cheap
for us here in the university environment and we have to have windows
to run the current commercial apps we have anyway. We're working on
transitioning everything into MS Active Directory but cannot migrate
using the standard MS methods for a variety of reasons and are likely
to be stuck with the old NT4 domain for at least the next 6-12
months. Additionally that hardware is pretty old and I have
reliability concerns with it.
Conclusions and questions I've come to so far... correct these if you
think there is a superior way. I've been reading lots of docs and
how-tos, mostly from www.samba.org.
1) an LDAP backend is really required for proper operation of
replication between the two domain controllers while maintaining
2) users and machines must be in both the LDAP and in the
/etc/password files. I'd rather not have this as I do not want
these users signing into my unix box under other protocols.
3) I'll enable the software firewall on the unix box to prevent
unauthorized access into the LDAP servers. How should I secure the
LDAP servers beyond that? I assume I need encryption on the
replication traffic between the master and slave LDAP. I want to
make sure nobody can just use their own account to query the LDAP
and get out other people's password hashes (or even their own, if I
can prevent that while still allowing them to change their own password).
4) The most common database back-end seems to be BDB which I'm not
familiar with. Are there any common tools to query that directly
beyond querying it through the ldap server? This is not a
requirement but I'd like to know the details of what's in the
database and how it's laid out for my own info.
5) Am I likely to run into any problems importing the accounts and
groups from the NT4 domain? We have all of our servers set to use
only NTLMv2. My goal is to make this happen in a way that end-users
shouldn't notice any difference, so if their passwords change it'll
be a disaster. Additionally we have automated jobs kicking off all
hours of the day and night which will depend on users, passwords, and
group memberships not changing.
Any additional details you can provide would be wonderful.
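As an added example for the hash-disclosure and replication-encryption concerns in item 3 (not part of the original post or the Samba project), here are OpenLDAP slapd.conf access rules for a Samba 3 passdb directory; OpenLDAP is assumed because the BDB back-end in item 4 is its default, and the suffix dc=example,dc=edu and the admin dn cn=samba-admin,dc=example,dc=edu are placeholders.

```conf
# Added example, not from the original post. Assumed placeholders:
# suffix dc=example,dc=edu; Samba's "ldap admin dn" cn=samba-admin,dc=example,dc=edu.

# Require 128-bit security strength (i.e. TLS) on every connection,
# which also covers the master/slave replication session.
security ssf=128

# Password hashes: only Samba's admin dn may read or write them.
# Samba performs password changes on the user's behalf through this dn,
# so ordinary users need no access at all, not even to their own hash.
# Order matters: slapd applies the first matching "access to" clause,
# so these attribute rules must precede the catch-all at the end.
access to attrs=sambaLMPassword,sambaNTPassword,sambaPasswordHistory
    by dn.exact="cn=samba-admin,dc=example,dc=edu" write
    by * none

# userPassword is used only for LDAP binds; "auth" lets slapd compare
# it during a bind without ever returning it to the client.
access to attrs=userPassword
    by dn.exact="cn=samba-admin,dc=example,dc=edu" write
    by anonymous auth
    by * none

# Everything else: the admin dn writes, authenticated users read,
# anonymous clients get nothing (no account enumeration before binding).
access to *
    by dn.exact="cn=samba-admin,dc=example,dc=edu" write
    by users read
    by * none
```

Because Samba writes the hash attributes through its admin dn, users keep the ability to change their password without ever being granted direct read or write access to the hashes.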