[Samba] Several samba / ldap for a pdc/bdc setup/transition questions

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Mon Sep 11 13:46:44 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/06/2006 06:05 PM, Bob Hetzel escreveu:
> Greetings all,
> I've been researching migrating my NT4 PDC and BDC services to samba to
> get around the concerns we have here with NT4 no longer being patched
> when security holes are found.
> 
> Details of my current NT4 domain...
> 
> approx 300 computers, most of which can be migrated out soon either to
> be in no-domain or in an active directory domain
> 
> approx 3000 user accounts, which need to be maintained until we can
> transition servers and custom built webapps to an active directory domain.
> 
> I have no interest in doing shares, printers, or roaming profiles on
> these domain controllers.  Server 2003 licenses are extremely cheap for
> us here in the university environment and we have to have windows to run
> the current commercial apps we have anyway.  We're working on
> transitioning everything into MS Active Directory but cannot migrate
> using the standard MS methods for a variety of reasons and are likely to
> be stuck with the old NT4 domain for at least the next 6-12 months. 
> Additionally that hardware is pretty old and I have reliability concerns
> with it.
> 
> Conclusions and questions I've come to so far... correct these if you
> think there is a superior way.  I've been reading lots of docs and
> how-tos mostly from www.samba.org
> 
> 1) an LDAP backend is really required for proper operation of
> replication between the two domain controllers while maintaining
> complete redundancy

	Yes. LDAP is the best approach to have a PDC/BDC model and
to allow replication of the information.


> 2) users and machines must be in both the LDAP and in the /etc/password
> files.   I'd rather not have this as I do not want these users signing
> into my unix box under other protocols.

	No. LDAP should be enough.

	And you can change PAM to only allow some users to log in
to the unix box using other protocols (let's say ssh). You can
have plain Samba users (even if they need unix objects).


> 3) I'll enable the software firewall on the unix box to prevent
> unauthorized access into the LDAP servers.  How should I secure the LDAP
> servers beyond that?  

	ACLs. Check http://www.openldap.org  and look for the
OpenLDAP Administrator Guide. Also, use TLS to encrypt all data.


> I assume I need encryption on the replication
> traffic between the master and slave LDAP.  

	Not only that, but enforce it as the only safe way to
use LDAP. You could allow non-encrypted connections for
anonymous access (but use ACLs to allow only a few fields to
be retrieved); a common use case for that is LDAP e-mail
queries from mail clients.


> I want to make sure anybody
> can't just use their own account to query the LDAP and get out other
> people's password hashes (or even their own if I can prevent that while
> still allowing them to change their own password).

	Hmmm, ACLs are the way to go. :)


> 4) The most common database back-end seems to be BDB which I'm not
> familiar with.  Are there any common tools to query that directly beyond
> querying it through the ldap server?  This is not a requirement but I'd
> like to know the details of what's in the database and how it's laid out
> for my own info.

	Berkeley Database. The 'very (in)famous sleepycat'. :)

	You could use bdb tools for that, but I'm not sure that it
will work as expected, especially because LDAP has a special way to
store its information.


> 5) Am I likely to run into any problems importing the accounts and
> groups from the NT4 domain?  We have all of our servers set to use only
> NTLMv2.  My goal is to make this happen in a way that end-users
> shouldn't notice any difference, so if their passwords change it'll be a
> disaster.  Additionally we have automated jobs kicking off all hours of
> the day and night which will depend on users, passwords, and group
> memberships not changing.

	Check the official documentation; there are a lot of small
situations that you will need to consider: profile problems, domain
SID, user identification, passwords and so on.


> Any additional details you can provide would be wonderful.

	There is a big list of details; it will depend on your
migration plan and which points you set as critical.


>     Bob


	Kind regards,

- --
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFBWjECj65ZxU4gPQRAqkkAJ9zoRlLUZyCjKoP2aCp9ufZ0xVDDQCePsKE
/Nc0JnOFRLRnxPR/g2FWDxA=
=y8/Y
-----END PGP SIGNATURE-----
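Editor's added example, not part of Bob's question or Felipe's reply: an OpenLDAP 2.3-style slapd.conf fragment that puts the advice on questions 1 and 3 into concrete form (TLS enforced for binds and updates, anonymous cleartext reads limited to mail-lookup fields, password hashes unreadable by everyone except the Samba admin DN and the replication DN, syncrepl between PDC and BDC over TLS). The suffix, DNs, hostnames, certificate paths and the replica credentials are assumptions; adjust them to the real directory.

```conf
# Added editorial example (not from either poster). OpenLDAP 2.3 slapd.conf;
# "dc=example,dc=edu", the cn=samba / cn=replica DNs, host names and file
# paths are assumptions.
#
# ---------- provider: slapd on the PDC ----------
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/samba.schema

# Server certificate for StartTLS on ldap:// (and ldaps:// if enabled).
TLSCACertificateFile    /etc/ldap/ssl/ca.pem
TLSCertificateFile      /etc/ldap/ssl/pdc-ldap.pem
TLSCertificateKeyFile   /etc/ldap/ssl/pdc-ldap.key

# Weak setting: no "security" line at all (the default), so a simple bind
# sends the password in the clear and a BDC can replicate over cleartext.
# Corrected: every simple bind and every update needs a session with at
# least 128 bits of protection (i.e. TLS). Anonymous cleartext *reads*
# remain possible for mail clients; the ACLs below decide what they see.
security        simple_bind=128 update_ssf=128

database        bdb
suffix          "dc=example,dc=edu"
rootdn          "cn=admin,dc=example,dc=edu"
# rootpw {SSHA}...   (generate with slappasswd; keep this file mode 0600)
directory       /var/lib/ldap
index           objectClass,uid,uidNumber,gidNumber,memberUid   eq
index           sambaSID,sambaPrimaryGroupSID,sambaDomainName   eq
index           cn,sn,mail                                      eq,sub

# ACLs: first matching "access to" wins, so the sensitive attributes go
# first. Samba binds as its "ldap admin dn" (smb.conf) and reads/writes the
# NT/LM hashes itself, so users need NO access to them to change their
# own password through Samba. The replica DN must read them to replicate,
# which makes that account as sensitive as the admin DN.
access to attrs=sambaLMPassword,sambaNTPassword
        by dn.exact="cn=samba,dc=example,dc=edu"   write
        by dn.exact="cn=replica,dc=example,dc=edu" read
        by * none

# userPassword: anonymous may only use it to bind (auth), the owner may
# overwrite it without reading it back (=xw: auth + write, no read).
access to attrs=userPassword
        by dn.exact="cn=samba,dc=example,dc=edu"   write
        by dn.exact="cn=replica,dc=example,dc=edu" read
        by anonymous auth
        by self =xw
        by * none

# The only thing an unauthenticated (possibly cleartext) mail client gets.
access to attrs=cn,sn,givenName,displayName,mail
        by anonymous read
        by users read
        by * none

# Everything else: the Samba DN writes (machine accounts, group members),
# the replica and any authenticated user read, anonymous sees nothing.
access to *
        by dn.exact="cn=samba,dc=example,dc=edu"   write
        by dn.exact="cn=replica,dc=example,dc=edu" read
        by users read
        by * none

# Provider side of replication: keep a session log for the BDC.
overlay         syncprov
syncprov-checkpoint 100 10

# ---------- consumer: slapd on the BDC ----------
# Same include/TLS/security/ACL lines as above, then instead of syncprov:
#
# database      bdb
# suffix        "dc=example,dc=edu"
# rootdn        "cn=admin,dc=example,dc=edu"
# directory     /var/lib/ldap
# syncrepl      rid=001
#               provider=ldap://pdc-ldap.example.edu
#               type=refreshAndPersist
#               retry="60 +"
#               searchbase="dc=example,dc=edu"
#               bindmethod=simple
#               binddn="cn=replica,dc=example,dc=edu"
#               credentials=ReplicaSecretGoesHere
#               starttls=critical
# updateref     ldap://pdc-ldap.example.edu
```

Two checks worth doing before pointing Samba at this: from an ordinary user's bind, `ldapsearch -ZZ -D "uid=bob,..." -W -b "dc=example,dc=edu" "(uid=bob)" sambaNTPassword userPassword` must return the entry without either attribute (the `by * none` above hides even the attribute names), and an anonymous `ldapsearch -x -b ... "(mail=*)"` must return nothing beyond the five mail-lookup fields. `starttls=critical` makes the BDC refuse to replicate at all if TLS fails rather than silently falling back to cleartext, and the CA in TLSCACertificateFile (or the client-side `TLS_CACERT` in ldap.conf, which the consumer uses) has to be the one that signed the PDC certificate. The `ldap admin dn` in smb.conf must be the `cn=samba` DN (not the replica DN), and any BDC samba should point at its local slapd for reads while `updateref` sends writes back to the PDC.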

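Editor's added example for question 2, not from the thread: a PAM restriction so that only a small Unix group can log in to the directory host by ssh (or any other PAM service), while the thousands of LDAP-only accounts keep authenticating to Samba. This assumes a Debian-style /etc/pam.d layout, an `ldapadmins` group, and Samba's default `obey pam restrictions = no`, so Samba's own logons (which check the NT hash in LDAP, not PAM) are unaffected.

```conf
# Added editorial example (not from either poster). Group name and file
# layout are assumptions; Debian-style PAM "@include" lines are used.
#
# /etc/pam.d/sshd -- the "account" stage is where a correctly
# authenticated LDAP user is still refused a shell on this box.
#
#   auth      required  pam_env.so
#   @include  common-auth            # pam_unix + pam_ldap: any LDAP user can *authenticate*
#   account   required  pam_access.so  # ...but only listed groups pass the account check
#   @include  common-account
#   @include  common-session
#
# /etc/security/access.conf, read by pam_access.so. Order matters: first
# match wins, last line denies everyone else, including every account
# that exists only in LDAP (sambaSamAccount + posixAccount).
+ : root : LOCAL
+ : ldapadmins : ALL
- : ALL : ALL
```

Put the same `account required pam_access.so` line in /etc/pam.d/login and /etc/pam.d/su (or in common-account, if you want it everywhere), otherwise the restriction covers ssh only. As a second, independent gate, sshd_config `AllowGroups ldapadmins` refuses the connection before PAM is even consulted. The LDAP users still need posixAccount attributes (uid/gid) so that Samba can map them to Unix identities, which is the "unix objects" Felipe mentions; what they do not need is a shell or a home directory on this machine, so `loginShell: /bin/false` for the plain Samba users is a reasonable belt-and-braces.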
