Bob Hetzel
2006-Sep-06 21:06 UTC
[Samba] Several samba / ldap for a pdc/bdc setup/transition questions
Greetings all,

I've been researching migrating my NT4 PDC and BDC services to samba to get around the concerns we have here with NT4 no longer being patched when security holes are found.

Details of my current NT4 domain...

approx 300 computers, most of which can be migrated out soon either to be in no-domain or in an active directory domain

approx 3000 user accounts, which need to be maintained until we can transition servers and custom built webapps to an active directory domain.

I have no interest in doing shares, printers, or roaming profiles on these domain controllers. Server 2003 licenses are extremely cheap for us here in the university environment and we have to have windows to run the current commercial apps we have anyway. We're working on transitioning everything into MS Active Directory but cannot migrate using the standard MS methods for a variety of reasons and are likely to be stuck with the old NT4 domain for at least the next 6-12 months. Additionally that hardware is pretty old and I have reliability concerns with it.

Conclusions and questions I've come to so far... correct these if you think there is a superior way. I've been reading lots of docs and how-tos mostly from www.samba.org

1) an LDAP backend is really required for proper operation of replication between the two domain controllers while maintaining complete redundancy

2) users and machines must be in both the LDAP and in the /etc/password files. I'd rather not have this as I do not want these users signing into my unix box under other protocols.

3) I'll enable the software firewall on the unix box to prevent unauthorized access into the LDAP servers. How should I secure the LDAP servers beyond that? I assume I need encryption on the replication traffic between the master and slave LDAP. I want to make sure anybody can't just use their own account to query the LDAP and get out other people's password hashes (or even their own if I can prevent that while still allowing them to change their own password).

4) The most common database back-end seems to be BDB which I'm not familiar with. Are there any common tools to query that directly beyond querying it through the ldap server? This is not a requirement but I'd like to know the details of what's in the database and how it's laid out for my own info.

5) Am I likely to run into any problems importing the accounts and groups from the NT4 domain? We have all of our servers set to use only NTLMv2. My goal is to make this happen in a way that end-users shouldn't notice any difference, so if their passwords change it'll be a disaster. Additionally we have automated jobs kicking off all hours of the day and night which will depend on users, passwords, and group memberships not changing.

Any additional details you can provide would be wonderful.

Bob
Felipe Augusto van de Wiel
2006-Sep-11 13:47 UTC
[Samba] Several samba / ldap for a pdc/bdc setup/transition questions
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/06/2006 06:05 PM, Bob Hetzel wrote:
> Greetings all,
> I've been researching migrating my NT4 PDC and BDC services to samba to
> get around the concerns we have here with NT4 no longer being patched
> when security holes are found.
>
> Details of my current NT4 domain...
>
> approx 300 computers, most of which can be migrated out soon either to
> be in no-domain or in an active directory domain
>
> approx 3000 user accounts, which need to be maintained until we can
> transition servers and custom built webapps to an active directory domain.
>
> I have no interest in doing shares, printers, or roaming profiles on
> these domain controllers. Server 2003 licenses are extremely cheap for
> us here in the university environment and we have to have windows to run
> the current commercial apps we have anyway. We're working on
> transitioning everything into MS Active Directory but cannot migrate
> using the standard MS methods for a variety of reasons and are likely to
> be stuck with the old NT4 domain for at least the next 6-12 months.
> Additionally that hardware is pretty old and I have reliability concerns
> with it.
>
> Conclusions and questions I've come to so far... correct these if you
> think there is a superior way. I've been reading lots of docs and
> how-tos mostly from www.samba.org
>
> 1) an LDAP backend is really required for proper operation of
> replication between the two domain controllers while maintaining
> complete redundancy

Yes. LDAP is the best approach to have PDC/BDC model and to allow replication of the information.

> 2) users and machines must be in both the LDAP and in the /etc/password
> files. I'd rather not have this as I do not want these users signing
> into my unix box under other protocols.

No. The LDAP should be enough. And you can change PAM to only allow some users to login to the unix box using other protocols (let's say: ssh). You can have plain Samba Users (even if they need unix objects).

> 3) I'll enable the software firewall on the unix box to prevent
> unauthorized access into the LDAP servers. How should I secure the LDAP
> servers beyond that?

ACLs. Check http://www.openldap.org and look for the OpenLDAP Administrator Guide. Also, use TLS to encrypt all data.

> I assume I need encryption on the replication
> traffic between the master and slave LDAP.

Not only that, but enforce it as the only safe way to use the LDAP. You could allow non encrypted connections on anonymous access (but use ACLs to allow only a few fields to be retrieved); a common use-case for that is LDAP e-mail queries using Mail Clients.

> I want to make sure anybody
> can't just use their own account to query the LDAP and get out other
> people's password hashes (or even their own if I can prevent that while
> still allowing them to change their own password).

Hmmm, ACLs is the way to go. :)

> 4) The most common database back-end seems to be BDB which I'm not
> familiar with. Are there any common tools to query that directly beyond
> querying it through the ldap server? This is not a requirement but I'd
> like to know the details of what's in the database and how it's laid out
> for my own info.

Berkeley Database. The 'very (in)famous sleepycat'. :) You could use bdb tools for that, but I'm not sure that it will work as expected, especially because LDAP has a special way to store its information.

> 5) Am I likely to run into any problems importing the accounts and
> groups from the NT4 domain? We have all of our servers set to use only
> NTLMv2. My goal is to make this happen in a way that end-users
> shouldn't notice any difference, so if their passwords change it'll be a
> disaster. Additionally we have automated jobs kicking off all hours of
> the day and night which will depend on users, passwords, and group
> memberships not changing.

Check the Official Documentation, there are a lot of small situations that you will need to consider: profile problems, SID domain, user identification, passwords and so on.

> Any additional details you can provide would be wonderful.

There is a big list of details, it will depend on your migration plan and which points you set as critical.

> Bob

Kind regards,
- --
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFBWjECj65ZxU4gPQRAqkkAJ9zoRlLUZyCjKoP2aCp9ufZ0xVDDQCePsKE
/Nc0JnOFRLRnxPR/g2FWDxA=
=y8/Y
-----END PGP SIGNATURE-----
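The reply above points at OpenLDAP ACLs and TLS without showing what they look like. The slapd.conf fragment below is an added illustration, not part of Felipe's message or of the Samba or OpenLDAP documentation, of the weak default next to a hardened configuration that answers Bob's question 3: users can authenticate and change their own password, but nobody except the Samba admin DN can read the password hashes back. The suffix dc=example,dc=com, the admin DN cn=samba,dc=example,dc=com (the DN named by "ldap admin dn" in smb.conf) and the certificate paths are assumed values; the sambaNTPassword, sambaLMPassword and sambaPwd*/sambaLogon* attribute names come from the samba.schema that ships with Samba 3.

```conf
# Added example, not from the thread. OpenLDAP slapd.conf fragment for a
# directory backing a Samba PDC/BDC. Assumed: suffix dc=example,dc=com and
# Samba's bind DN cn=samba,dc=example,dc=com ("ldap admin dn" in smb.conf).

### WEAK: with no "access" directive at all, slapd's built-in default is
### equivalent to the line below, so any bound user (and, unless a
### "disallow bind_anon" is set, anonymous) can read every account's
### sambaNTPassword and sambaLMPassword hashes.
# access to * by * read

### HARDENED: explicit ACLs. The first "access to" clause whose target
### matches an attribute wins, so the password clause must come first.

# Server certificate (assumed paths) and a minimum security strength
# factor of 128 bits for every operation: a bind or search over a plain,
# unencrypted connection is refused, including the master/slave
# replication traffic, which must therefore use TLS as well.
TLSCACertificateFile  /etc/ssl/certs/ldap-ca.pem
TLSCertificateFile    /etc/ssl/certs/ldap-server.pem
TLSCertificateKeyFile /etc/ssl/private/ldap-server.key
security ssf=128

# Password hashes. "=xw" grants exactly auth and write, so a user can
# change their own password (ldappasswd / PAM) but cannot read the stored
# hash back; "anonymous auth" is what lets a bind be verified at all;
# Samba's own DN needs write because it rewrites the NT/LM hashes itself
# when a Windows client changes a password. Everyone else gets nothing.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn.exact="cn=samba,dc=example,dc=com" write
    by self =xw
    by anonymous auth
    by * none

# Bookkeeping Samba updates on logon and password change. Readable, but
# only Samba may modify them; a user must not be able to reset their own
# bad-password counter or "password must change" timestamp.
access to attrs=sambaPwdLastSet,sambaPwdCanChange,sambaPwdMustChange,sambaLogonTime,sambaLogoffTime,sambaBadPasswordCount,sambaBadPasswordTime
    by dn.exact="cn=samba,dc=example,dc=com" write
    by * read

# Everything else (uid, cn, gidNumber, sambaSID, group membership, ...):
# authenticated users may read, anonymous clients get nothing. If mail
# clients need anonymous address-book lookups, add a narrower clause
# above this one listing only those attributes with "by anonymous read".
access to *
    by dn.exact="cn=samba,dc=example,dc=com" write
    by users read
    by * none
```

After reloading slapd, the check worth running is to bind as an ordinary account over STARTTLS and ask for a hash explicitly, for example `ldapsearch -ZZ -x -D "uid=someuser,ou=People,dc=example,dc=com" -W -b dc=example,dc=com "(uid=otheruser)" sambaNTPassword userPassword`: the entry should come back without either attribute, and the same search without -ZZ should be refused because of the ssf requirement. Note that the directive order above assumes slapd.conf; under cn=config the same clauses are expressed as olcAccess values with an explicit {n} ordering prefix.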
Craig White
2006-Sep-12 12:38 UTC
[Samba] Several samba / ldap for a pdc/bdc setup/transition questions
On Wed, 2006-09-06 at 17:05 -0400, Bob Hetzel wrote:
> Greetings all,
>
> I've been researching migrating my NT4 PDC and BDC services to samba
> to get around the concerns we have here with NT4 no longer being
> patched when security holes are found.
>
> Details of my current NT4 domain...
>
> approx 300 computers, most of which can be migrated out soon either
> to be in no-domain or in an active directory domain
>
> approx 3000 user accounts, which need to be maintained until we can
> transition servers and custom built webapps to an active directory domain.
>
> I have no interest in doing shares, printers, or roaming profiles on
> these domain controllers. Server 2003 licenses are extremely cheap
> for us here in the university environment and we have to have windows
> to run the current commercial apps we have anyway. We're working on
> transitioning everything into MS Active Directory but cannot migrate
> using the standard MS methods for a variety of reasons and are likely
> to be stuck with the old NT4 domain for at least the next 6-12
> months. Additionally that hardware is pretty old and I have
> reliability concerns with it.
>
> Conclusions and questions I've come to so far... correct these if you
> think there is a superior way. I've been reading lots of docs and
> how-tos mostly from www.samba.org
>
> 1) an LDAP backend is really required for proper operation of
> replication between the two domain controllers while maintaining
> complete redundancy
>
> 2) users and machines must be in both the LDAP and in the
> /etc/password files. I'd rather not have this as I do not want
> these users signing into my unix box under other protocols.
>
> 3) I'll enable the software firewall on the unix box to prevent
> unauthorized access into the LDAP servers. How should I secure the
> LDAP servers beyond that? I assume I need encryption on the
> replication traffic between the master and slave LDAP. I want to
> make sure anybody can't just use their own account to query the LDAP
> and get out other people's password hashes (or even their own if I
> can prevent that while still allowing them to change their own password).
>
> 4) The most common database back-end seems to be BDB which I'm not
> familiar with. Are there any common tools to query that directly
> beyond querying it through the ldap server? This is not a
> requirement but I'd like to know the details of what's in the
> database and how it's laid out for my own info.
>
> 5) Am I likely to run into any problems importing the accounts and
> groups from the NT4 domain? We have all of our servers set to use
> only NTLMv2. My goal is to make this happen in a way that end-users
> shouldn't notice any difference, so if their passwords change it'll
> be a disaster. Additionally we have automated jobs kicking off all
> hours of the day and night which will depend on users, passwords, and
> group memberships not changing.
>
> Any additional details you can provide would be wonderful.
----
users need only be in LDAP and not in both LDAP and /etc/passwd files as you state in #2

be prepared to perform the vampire (import from NT4) many times until you get everything right.

Lastly, some amount of mastery of LDAP is going to make this a whole lot easier. Learn to use LDAP command line clients such as ldapadd/ldapmodify/ldapsearch and TLS/SSL with LDAP prior to samba integration.

Craig