[Samba] Several samba / ldap for a pdc/bdc setup/transition questions

[Craig White]

On Wed, 2006-09-06 at 17:05 -0400, Bob Hetzel wrote:
> Greetings all,
> 
> I've been researching migrating my NT4 PDC and BDC services to samba 
> to get around the concerns we have here with NT4 no longer being 
> patched when security holes are found.
> 
> Details of my current NT4 domain...
> 
> approx 300 computers, most of which can be migrated out soon either 
> to be in no-domain or in an active directory domain
> 
> approx 3000 user accounts, which need to be maintained until we can 
> transition servers and custom built webapps to an active directory domain.
> 
> I have no interest in doing shares, printers, or roaming profiles on 
> these domain controllers.  Server 2003 licenses are extremely cheap 
> for us here in the university environment and we have to have windows 
> to run the current commercial apps we have anyway.  We're working on 
> transitioning everything into MS Active Directory but cannot migrate 
> using the standard MS methods for a variety of reasons and are likely 
> to be stuck with the old NT4 domain for at least the next 6-12 
> months.  Additionally that hardware is pretty old and I have 
> reliability concerns with it.
> 
> Conclusions and questions I've come to so far... correct these if you 
> think there is a superior way.  I've been reading lots of docs and 
> how-tos mostly from www.samba.org
> 
> 1) an LDAP backend is really required for proper operation of 
> replication between the two domain controllers while maintaining 
> complete redundancy
> 
> 2) users and machines must be in both the LDAP and in the 
> /etc/password files.   I'd rather not have this as I do not want 
> these users signing into my unix box under other protocols.
> 
> 3) I'll enable the software firewall on the unix box to prevent 
> unauthorized access into the LDAP servers.  How should I secure the 
> LDAP servers beyond that?  I assume I need encryption on the 
> replication traffic between the master and slave LDAP.  I want to 
> make sure anybody can't just use their own account to query the LDAP 
> and get out other people's password hashes (or even their own if I 
> can prevent that while still allowing them to change their own password).
> 
> 4) The most common database back-end seems to be BDB which I'm not 
> familiar with.  Are there any common tools to query that directly 
> beyond querying it through the ldap server?  This is not a 
> requirement but I'd like to know the details of what's in the 
> database and how it's laid out for my own info.
> 
> 5) Am I likely to run into any problems importing the accounts and 
> groups from the NT4 domain?  We have all of our servers set to use 
> only NTLMv2.  My goal is to make this happen in a way that end-users 
> shouldn't notice any difference, so if their passwords change it'll 
> be a disaster.  Additionally we have automated jobs kicking off all 
> hours of the day and night which will depend on users, passwords, and 
> group memberships not changing.
> 
> Any additional details you can provide would be wonderful.
----
users need only be in LDAP and not in both LDAP and /etc/passwd files as
you state in #2

be prepared to perform the vampire (import from NT4) many times until
you get everything right.

Lastly, some amount of mastery of LDAP is going to make this a whole lot
easier. Learn to use LDAP command line clients such as
ldapadd/ldapmodify/ldapsearch and TLS/SSL with LDAP prior to samba
integration.

Craig