[Samba] Several samba / ldap for a pdc/bdc setup/transition
craigwhite at azapple.com
Tue Sep 12 12:38:26 GMT 2006
On Wed, 2006-09-06 at 17:05 -0400, Bob Hetzel wrote:
> Greetings all,
> I've been researching migrating my NT4 PDC and BDC services to samba
> to get around the concerns we have here with NT4 no longer being
> patched when security holes are found.
> Details of my current NT4 domain...
> approx 300 computers, most of which can be migrated out soon either
> to be in no-domain or in an active directory domain
> approx 3000 user accounts, which need to be maintained until we can
> transition servers and custom built webapps to an active directory domain.
> I have no interest in doing shares, printers, or roaming profiles on
> these domain controllers. Server 2003 licenses are extremely cheap
> for us here in the university environment and we have to have windows
> to run the current commercial apps we have anyway. We're working on
> transitioning everything into MS Active Directory but cannot migrate
> using the standard MS methods for a variety of reasons and are likely
> to be stuck with the old NT4 domain for at least the next 6-12
> months. Additionally that hardware is pretty old and I have
> reliability concerns with it.
> Conclusions and questions I've come to so far... correct these if you
> think there is a superior way. I've been reading lots of docs and
> how-tos, mostly from www.samba.org.
> 1) an LDAP backend is really required for proper operation of
> replication between the two domain controllers while maintaining
> complete redundancy
> 2) users and machines must be in both the LDAP and in the
> /etc/password files. I'd rather not have this as I do not want
> these users signing into my unix box under other protocols.
> 3) I'll enable the software firewall on the unix box to prevent
> unauthorized access into the LDAP servers. How should I secure the
> LDAP servers beyond that? I assume I need encryption on the
> replication traffic between the master and slave LDAP. I want to
> make sure nobody can just use their own account to query the LDAP
> and get out other people's password hashes (or even their own, if I
> can prevent that while still allowing them to change their own password).
> 4) The most common database back-end seems to be BDB which I'm not
> familiar with. Are there any common tools to query that directly
> beyond querying it through the ldap server? This is not a
> requirement but I'd like to know the details of what's in the
> database and how it's laid out for my own info.
> 5) Am I likely to run into any problems importing the accounts and
> groups from the NT4 domain? We have all of our servers set to use
> only NTLMv2. My goal is to make this happen in a way that end-users
> shouldn't notice any difference, so if their passwords change it'll
> be a disaster. Additionally we have automated jobs kicking off all
> hours of the day and night which will depend on users, passwords, and
> group memberships not changing.
> Any additional details you can provide would be wonderful.
Users need only be in LDAP and not in both LDAP and /etc/passwd files as
you state in #2.
Be prepared to perform the vampire (import from NT4) many times until
you get everything right.
Lastly, some amount of mastery of LDAP is going to make this a whole lot
easier. Learn to use LDAP command line clients such as
ldapadd/ldapmodify/ldapsearch and TLS/SSL with LDAP prior to samba.
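As an added example (not from either poster) of the hash protection Bob asks about in #3, combined with the TLS requirement Craig recommends learning first: an OpenLDAP slapd.conf fragment for a Samba 3 LDAP backend. The suffix dc=example,dc=edu, the rootdn cn=Manager, the Samba bind DN cn=samba,ou=DSA (the "ldap admin dn" from smb.conf) and the certificate paths are assumed placeholders.

```conf
# slapd.conf fragment (constructed example) for a Samba 3 PDC/BDC backend.
# Goal: only the directory manager and the DN Samba binds with can read
# password hashes; users can replace, but never read back, their own.

# Demand 128 bits of session strength on every operation, so binds,
# lookups and master->slave replication never cross the wire in clear.
security ssf=128
TLSCACertificateFile   /etc/openldap/cacert.pem
TLSCertificateFile     /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile  /etc/openldap/slapd-key.pem

# ACLs are evaluated top down, first match wins. The hash rule must come
# before the catch-all below, or the catch-all grants read to everyone.
# "=w" is write-only: the owner can set a new value but cannot read it.
# "anonymous auth" lets a simple bind verify userPassword without read.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn.exact="cn=Manager,dc=example,dc=edu" write
    by dn.exact="cn=samba,ou=DSA,dc=example,dc=edu" write
    by self =w
    by anonymous auth
    by * none

# Everything else (uid/gid, group membership, home directory) stays
# readable by authenticated users; anonymous clients see nothing.
access to *
    by dn.exact="cn=Manager,dc=example,dc=edu" write
    by dn.exact="cn=samba,ou=DSA,dc=example,dc=edu" write
    by users read
    by * none
```

To check the rule, bind over TLS as an ordinary user with `ldapsearch -ZZ -x -D "uid=alice,ou=People,dc=example,dc=edu" -W -b dc=example,dc=edu "(uid=bob)" sambaNTPassword`; the entry is returned with no sambaNTPassword attribute, and the same search against alice's own entry is likewise empty.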