[Samba] Several samba / ldap for a pdc/bdc setup/transition questions

Bob Hetzel beh at case.edu
Wed Sep 6 21:05:47 GMT 2006

Greetings all,

I've been researching migrating my NT4 PDC and BDC services to samba 
to get around the concerns we have here with NT4 no longer being 
patched when security holes are found.

Details of my current NT4 domain...

approx 300 computers, most of which can be migrated out soon either 
to be in no-domain or in an active directory domain

approx 3000 user accounts, which need to be maintained until we can 
transition servers and custom built webapps to an active directory domain.

I have no interest in doing shares, printers, or roaming profiles on 
these domain controllers.  Server 2003 licenses are extremely cheap 
for us here in the university environment and we have to have windows 
to run the current commercial apps we have anyway.  We're working on 
transitioning everything into MS Active Directory but cannot migrate 
using the standard MS methods for a variety of reasons and are likely 
to be stuck with the old NT4 domain for at least the next 6-12 
months.  Additionally that hardware is pretty old and I have 
reliability concerns with it.

Conclusions and questions I've come to so far... correct these if you 
think there is a superior way.  I've been reading lots of docs and 
how-tos mostly from www.samba.org

1) an LDAP backend is really required for proper operation of 
replication between the two domain controllers while maintaining 
complete redundancy

2) users and machines must be in both the LDAP and in the 
/etc/password files.   I'd rather not have this as I do not want 
these users signing into my unix box under other protocols.

3) I'll enable the software firewall on the unix box to prevent 
unauthorized access into the LDAP servers.  How should I secure the 
LDAP servers beyond that?  I assume I need encryption on the 
replication traffic between the master and slave LDAP.  I want to 
make sure anybody can't just use their own account to query the LDAP 
and get out other people's password hashes (or even their own if I 
can prevent that while still allowing them to change their own password).

4) The most common database back-end seems to be BDB which I'm not 
familiar with.  Are there any common tools to query that directly 
beyond querying it through the ldap server?  This is not a 
requirement but I'd like to know the details of what's in the 
database and how it's laid out for my own info.

5) Am I likely to run into any problems importing the accounts and 
groups from the NT4 domain?  We have all of our servers set to use 
only NTLMv2.  My goal is to make this happen in a way that end-users 
shouldn't notice any difference, so if their passwords change it'll 
be a disaster.  Additionally we have automated jobs kicking off all 
hours of the day and night which will depend on users, passwords, and 
group memberships not changing.

Any additional details you can provide would be wonderful.


More information about the samba mailing list