Ubuntu
smbldap-tools package

Merge lp:~l3on/ubuntu/quantal/smbldap-tools/merge into lp:debian/smbldap-tools

Quantal (12.10)
merge
Merge into sid

Proposed by Leo Iannacone on 2012-09-21

Status:	Needs review
Proposed branch:	lp:~l3on/ubuntu/quantal/smbldap-tools/merge
Merge into:	lp:debian/smbldap-tools
Diff against target:	3048 lines (+2421/-556) 8 files modified .pc/0001_debian_nobody.patch/smbldap-populate.pl (+0/-553) .pc/applied-patches (+0/-1) debian/changelog (+28/-0) debian/control (+2/-1) debian/patches/0020_original_doc_html_index.patch (+2369/-0) debian/patches/0021_smbldap-useradd_flush_nscd_cache.patch (+19/-0) debian/patches/series (+2/-0) smbldap-populate.pl (+1/-1)
To merge this branch:	bzr merge lp:~l3on/ubuntu/quantal/smbldap-tools/merge
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Ubuntu branches		2012-09-21	Pending
Review via email: mp+125754@code.launchpad.net

Description of the Change

Propose merge as filed in:
https://bugs.launchpad.net/ubuntu/+source/smbldap-tools/+bug/1054130

Unmerged revisions

9. By Leo Iannacone on 2012-09-21: * Merge from debian unstable (LP: #1054130). Remaining chagnes:
  - Apply patch from rdratlos to resolve being unable to join a Windows
    7 or Windows 2008 machine to a Samba domain due to the use of cached
    nss credentials. (LP: #814898)
  - 0020_original_doc_html_index.patch: Add index html file.
* New upstream release (Closes: #647860, #679935, #680939, #681350)
* Previous upstream version closes: #670246
* Bumped standard version (no changes needed)
8. By Leo Iannacone on 2011-09-27: * Merge from debian unstable (LP: #889308). Remaining changes:
  - Apply patch from rdratlos to resolve being unable to join a Windows
    7 or Windows 2008 machine to a Samba domain due to the use of cached
    nss credentials. (LP: #814898)
  - 0020_original_doc_html_index.patch: Add index html file.
7. By Daniel T Chen on 2011-08-01: Apply patch from rdratlos to resolve being unable to join a Windows
7 or Windows 2008 machine to a Samba domain due to the use of cached
nss credentials. (LP: #814898)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

James Westby

Leo Iannacone

 === removed directory '.pc/0001_debian_nobody.patch'
 === removed file '.pc/0001_debian_nobody.patch/smbldap-populate.pl'
 --- .pc/0001_debian_nobody.patch/smbldap-populate.pl	2012-08-07 20:28:37 +0000
 +++ .pc/0001_debian_nobody.patch/smbldap-populate.pl	1970-01-01 00:00:00 +0000
@@ -1,553 +0,0 @@
--#!@PERL_COMMAND@
--
--# $Id: smbldap-populate.pl 121 2011-10-07 05:40:06Z fumiyas $
--
--#  This code was developped by Jerome Tournier (jtournier@gmail.com) and
--#  contributors (their names can be found in the CONTRIBUTORS file).
--
--#  This was first contributed by IDEALX (http://www.opentrust.com/)
--
--#  This program is free software: you can redistribute it and/or modify
--#  it under the terms of the GNU General Public License as published by
--#  the Free Software Foundation, either version 2 of the License, or
--#  (at your option) any later version.
--#
--#  This program is distributed in the hope that it will be useful,
--#  but WITHOUT ANY WARRANTY; without even the implied warranty of
--#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
--#  GNU General Public License for more details.
--#
--#  You should have received a copy of the GNU General Public License
--#  along with this program.  If not, see <http://www.gnu.org/licenses/>.
--
--#  Purpose :
--#       . Create an initial LDAP database suitable for Samba 3
--#       . For lazy people, replace ldapadd (with only an ldif parameter)
--
--use strict;
--use warnings;
--use FindBin qw($RealBin);
--use smbldap_tools;
--use Getopt::Std;
--use Net::LDAP qw(LDAP_NO_SUCH_OBJECT);
--use Net::LDAP::LDIF;
--use Net::LDAP::Entry;
--
--my %oc_by_attr = (
--      "dc" =>			"dcObject",
--      "o" =>			"organization",
--      "ou" =>			"organizationalUnit",
--      "cn" =>			"organizationalRole",
--      "sambaDomainName" =>	"sambaDomain",
--);
--
--my %Options;
--
--my $ok = getopts('a:b:e:g:i:k:l:m:r:R:u:?', \%Options);
--if ( (!$ok) || ($Options{'?'}) ) {
--    print_banner;
--    print "Usage: $0 [-abegiklmru?] [ldif]\n";
--    print "  -a user	administrator login name (default: root)\n";
--    print "  -b user	guest login name (default: nobody)\n";
--    print "  -e file	export ldif file\n";
--    print "  -g gidNumber	first uidNumber to allocate (default: 1000)\n";
--    print "  -i file	import ldif file\n";
--    print "  -k uidNumber	administrator's uidNumber (default: 0)\n";
--    print "  -l uidNumber	guest's uidNumber (default: 999)\n";
--    print "  -m gidNumber	administrator's gidNumber (default: 0)\n";
--    print "  -r ridNumber	first sambaNextRid to allocate (default: 1000)\n";
--    print "  -R ridBase		sambaAlgorithmicRidBase (none)\n";
--    print "  -u uidNumber	first uidNumber to allocate (default: 1000)\n";
--    print "  -?		show this help message\n";
--
--    exit (1);
--}
--
--# sanity checks
--my $domain = $config{sambaDomain};
--if (! defined $domain) {
--    print STDERR "error: domain name not found !\n";
--    print STDERR "possible reasons are:\n";
--    print STDERR ". incorrect 'sambaDomain' parameter in smbldap.conf\n";
--    print STDERR ". incorrect 'samba_conf' definition in smbldap_tools.pm\n";
--    die;
--}
--
--my $firstuidNumber=$Options{'u'};
--if (!defined($firstuidNumber)) {
--    $firstuidNumber=1000;
--}
--
--my $firstgidNumber=$Options{'g'};
--if (!defined($firstgidNumber)) {
--    $firstgidNumber=1000;
--}
--
--my $firstridNumber=$Options{'r'};
--if (!defined($firstridNumber)) {
--    $firstridNumber=1000;
--}
--
--my $algorithmicRidBase = $Options{'R'};
--
--my $adminName = $Options{'a'};
--if (!defined($adminName)) {
--    $adminName = "root";
--}
--
--my $guestName = $Options{'b'};
--if (!defined($guestName)) {
--    $guestName = "nobody";
--}
--
--my $adminUidNumber=$Options{'k'};
--my $adminRid = 500;
--if (!defined($adminUidNumber)) {
--    $adminUidNumber = 0;
--} else {
--    if (defined($algorithmicRidBase)) {
--	## For backward compatibility with smbldap-tools 0.9.6 and older
--	$adminRid = 2 * $adminUidNumber + $algorithmicRidBase;
--    }
--}
--
--my $guestUidNumber=$Options{'l'};
--my $guestRid = 501;
--if (!defined($guestUidNumber)) {
--    $guestUidNumber = "999";
--} else {
--    if (defined($algorithmicRidBase)) {
--	## For backward compatibility with smbldap-tools 0.9.6 and older
--	$guestRid = 2 * $guestUidNumber + $algorithmicRidBase;
--    }
--}
--
--my $adminGidNumber=$Options{'m'};
--if (!defined($adminGidNumber)) {
--    $adminGidNumber = "0";
--}
--
--print "Populating LDAP directory for domain $domain ($config{SID})\n";
--
--my $entries_iter;
--
--if (my $file = $Options{'i'}) {
--    my $ldif = Net::LDAP::LDIF->new($file, "r", onerror => 'undef') or
--	die "Cannot open file: $file: $!";
--    $entries_iter = sub {
--	return $ldif->read_entry;
--    };
--} else {
--    my @entries;
--    my $entry;
--
--    print "(using builtin directory structure)\n\n";
--
--    unless ($config{suffix} =~ /^([^=]+)=([^,]+)/) {
--	die "Cannot extract first attr and value from suffix: $config{suffix}";
--    }
--    my $suffix_attr = $1;
--    my $suffix_val = $2;
--    my $suffix_oc = $oc_by_attr{$suffix_attr};
--    if (!defined($suffix_oc)) {
--	die "Cannot determine object class for suffix entry: $config{suffix}";
--    }
--
--    $entry = Net::LDAP::Entry->new($config{suffix},
--	objectClass => $suffix_oc,
--	$suffix_attr => $suffix_val,
--    );
--    if ($config{suffix} =~ m/(?:^|,)dc=([^,]+)/) {
--	$entry->add(
--	    objectClass => "organization",
--	    o => $1,
--	);
--    }
--    push(@entries, $entry);
--
--    my @config_dn = @config{
--	qw(usersdn groupsdn computersdn idmapdn sambaDomaindn sambaUnixIdPooldn)
--    };
--    my %entry_by_dn = ();
--
--    for my $config_dn (@config_dn) {
--	my $prefix = $config_dn;
--	$prefix =~ s/,\Q$config{suffix}\E$//i;
--
--	my $dn = $config{suffix};
--	for my $node (reverse(split(/,/, $prefix))) {
--	    $dn = "$node,$dn";
--	    next if ($entry_by_dn{$dn});
--
--	    unless ($node =~ /^([^=]+)=([^,]*)$/) {
--		die "Cannot extract first attr and value for entry: $dn";
--	    }
--	    my $attr = $1;
--	    my $val = $2;
--	    my $oc = $oc_by_attr{$attr};
--	    if (!defined($oc)) {
--		die "Cannot determine object class for entry: $dn";
--	    }
--
--	    $entry = Net::LDAP::Entry->new($dn,
--		objectClass => $oc,
--		$attr => $val,
--	    );
--
--	    ## Add attribute required by object class
--	    $entry->add(sambaSID => $config{SID}) if ($oc eq 'sambaDomain');
--	    $entry->add(sn => $val) if ($oc eq 'inetOrgPerson');
--
--	    push(@entries, $entry);
--	    $entry_by_dn{$dn} = $entry;
--	}
--    }
--
--    $entry = $entry_by_dn{$config{sambaDomaindn}};
--    if (defined($algorithmicRidBase)) {
--	$entry->add(sambaAlgorithmicRidBase => $algorithmicRidBase);
--    } else {
--	$entry->add(sambaNextRid => $firstridNumber);
--    }
--
--    $entry_by_dn{$config{sambaUnixIdPooldn}}->add(
--	objectClass =>	"sambaUnixIdPool",
--	uidNumber =>	$firstuidNumber,
--	gidNumber =>	$firstgidNumber,
--    );
--
--    $entry = Net::LDAP::Entry->new("uid=$adminName,$config{usersdn}",
--	objectClass =>	[qw(top person organizationalPerson inetOrgPerson sambaSAMAccount posixAccount)],
--	uid =>		$adminName,
--	cn =>		$adminName,
--	sn =>		$adminName,
--	gidNumber =>	$adminGidNumber,
--	uidNumber =>	$adminUidNumber,
--    );
--    if ($config{shadowAccount}) {
--	$entry->add(objectClass => "shadowAccount");
--    }
--    if (defined $config{userHome} and $config{userHome} ne "") {
--	my $userHome=$config{userHome};
--	$userHome=~s/\%U/$adminName/;
--	$entry->add(homeDirectory => $userHome);
--    } else {
--	$entry->add(homeDirectory => "/nonexistent");
--    }
--    $entry->add(
--	sambaPwdLastSet =>	0,
--	sambaLogonTime =>	0,
--	sambaLogoffTime =>	2147483647,
--	sambaKickoffTime =>	2147483647,
--	sambaPwdCanChange =>	0,
--	sambaPwdMustChange =>	2147483647,
--    );
--    if (defined $config{userSmbHome} and $config{userSmbHome} ne "") {
--	my $userSmbHome = $config{userSmbHome};
--	$userSmbHome =~ s/\%U/$adminName/;
--	$entry->add(sambaHomePath => $userSmbHome);
--    }
--    if (defined $config{userHomeDrive} and $config{userHomeDrive} ne "") {
--	$entry->add(sambaHomeDrive => $config{userHomeDrive});
--    }
--    if (defined $config{userProfile} and $config{userProfile} ne "") {
--	my $userProfile = $config{userProfile};
--	$userProfile =~ s/\%U/$adminName/;
--	$entry->add(sambaProfilePath => $userProfile);
--    }
--    $entry->add(
--	sambaPrimaryGroupSID =>	"$config{SID}-512",
--	sambaLMPassword =>	"XXX",
--	sambaNTPassword =>	"XXX",
--	sambaAcctFlags =>	"[U          ]",
--	sambaSID =>		"$config{SID}-$adminRid",
--	loginShell =>		"/bin/false",
--	gecos =>		"Netbios Domain Administrator",
--    );
--    push(@entries, $entry);
--
--    $entry = Net::LDAP::Entry->new("uid=$guestName,$config{usersdn}",
--	objectClass => [qw(top person organizationalPerson inetOrgPerson sambaSAMAccount posixAccount)],
--	cn =>			$guestName,
--	sn =>			$guestName,
--	gidNumber =>		514,
--	uid =>			$guestName,
--	uidNumber =>		$guestUidNumber,
--	homeDirectory =>	"/nonexistent",
--	sambaPwdLastSet =>	0,
--	sambaLogonTime =>	0,
--	sambaLogoffTime =>	2147483647,
--	sambaKickoffTime =>	2147483647,
--	sambaPwdCanChange =>	0,
--	sambaPwdMustChange =>	2147483647,
--    );
--    if ($config{shadowAccount}) {
--	$entry->add(objectClass => "shadowAccount");
--    }
--    if (defined $config{userSmbHome} and $config{userSmbHome} ne "") {
--	my $userSmbHome = $config{userSmbHome};
--	$userSmbHome =~ s/\%U/$guestName/;
--	$entry->add(sambaHomePath => $userSmbHome);
--    }
--    if (defined $config{userHomeDrive} and $config{userHomeDrive} ne "") {
--	$entry->add(sambaHomeDrive => $config{userHomeDrive});
--    }
--    if (defined $config{userProfile} and $config{userProfile} ne "") {
--	my $userProfile=$config{userProfile};
--	$userProfile=~s/\%U/$guestName/;
--	$entry->add(sambaProfilePath => $userProfile);
--    }
--    $entry->add(
--	sambaPrimaryGroupSID => "$config{SID}-514",
--	sambaLMPassword =>	"NO PASSWORDXXXXXXXXXXXXXXXXXXXXX",
--	sambaNTPassword =>	"NO PASSWORDXXXXXXXXXXXXXXXXXXXXX",
--	# account disabled by default
--	sambaAcctFlags =>	"[NUD        ]",
--	sambaSID =>		"$config{SID}-$guestRid",
--	loginShell =>		"/bin/false",
--    );
--    push(@entries, $entry);
--
--    $entry = Net::LDAP::Entry->new("cn=Domain Admins,$config{groupsdn}",
--	objectClass => [qw(top posixGroup sambaGroupMapping)],
--	cn =>		"Domain Admins",
--	gidNumber =>	512,
--	memberUid =>	$adminName,
--	description =>	"Netbios Domain Administrators",
--	sambaSID =>	"$config{SID}-512",
--	sambaGroupType =>2,
--	displayName =>	"Domain Admins",
--    );
--    push(@entries, $entry);
--
--    $entry = Net::LDAP::Entry->new("cn=Domain Users,$config{groupsdn}",
--	objectClass => [qw(top posixGroup sambaGroupMapping)],
--	cn =>		"Domain Users",
--	gidNumber =>	513,
--	description =>	"Netbios Domain Users",
--	sambaSID =>	"$config{SID}-513",
--	sambaGroupType =>2,
--	displayName =>	"Domain Users",
--    );
--    push(@entries, $entry);
--
--    $entry = Net::LDAP::Entry->new("cn=Domain Guests,$config{groupsdn}",
--	objectClass => [qw(top posixGroup sambaGroupMapping)],
--	cn =>		"Domain Guests",
--	gidNumber =>	514,
--	description =>	"Netbios Domain Guests Users",
--	sambaSID =>	"$config{SID}-514",
--	sambaGroupType =>2,
--	displayName =>	"Domain Guests",
--    );
--    push(@entries, $entry);
--
--    $entry = Net::LDAP::Entry->new("cn=Domain Computers,$config{groupsdn}",
--	objectClass => [qw(top posixGroup sambaGroupMapping)],
--	cn =>		"Domain Computers",
--	gidNumber =>	515,
--	description =>	"Netbios Domain Computers accounts",
--	sambaSID =>	"$config{SID}-515",
--	sambaGroupType =>2,
--	displayName =>	"Domain Computers",
--    );
--    push(@entries, $entry);
--
--    $entry = Net::LDAP::Entry->new("cn=Administrators,$config{groupsdn}",
--	objectClass => [qw(top posixGroup sambaGroupMapping)],
--	cn =>		"Administrators",
--	gidNumber =>	544,
--	description =>	"Netbios Domain Members can fully administer the computer/sambaDomainName",
--	sambaSID =>	"S-1-5-32-544",
--	sambaGroupType => 4,
--	displayName =>	"Administrators",
--    );
--    push(@entries, $entry);
--
--#    $entry = Net::LDAP::Entry->new("cn=Users,$config{groupsdn}",
--#	objectClass => [qw(top posixGroup sambaGroupMapping)],
--#	gidNumber =>	545,
--#	cn =>		"Users",
--#	description =>	"Netbios Domain Ordinary users",
--#	sambaSID =>	"S-1-5-32-545",
--#	sambaGroupType =>	4,
--#	displayName =>	"users",
--#    );
--#    push(@entries, $entry);
--
--#    $entry = Net::LDAP::Entry->new("cn=Guests,$config{groupsdn}",
--#	objectClass => [qw(top posixGroup sambaGroupMapping)],
--#	gidNumber =>	546,
--#	cn =>		"Guests",
--#	memberUid =>	$guestName,
--#	description =>	"Netbios Domain Users granted guest access to the computer/sambaDomainName",
--#	sambaSID =>	"S-1-5-32-546",
--#	sambaGroupType =>	4,
--#	displayName =>	"Guests",
--#    );
--#    push(@entries, $entry);
--
--#    $entry = Net::LDAP::Entry->new("cn=Power Users,$config{groupsdn}",
--#	objectClass => [qw(top posixGroup sambaGroupMapping)],
--#	gidNumber =>	547,
--#	cn =>		"Power Users",
--#	description =>	"Netbios Domain Members can share directories and printers",
--#	sambaSID =>	"S-1-5-32-547",
--#	sambaGroupType =>	4,
--#	displayName =>	"Power Users",
--#    );
--#    push(@entries, $entry);
--
--    $entry = Net::LDAP::Entry->new("cn=Account Operators,$config{groupsdn}",
--	objectClass => [qw(top posixGroup sambaGroupMapping)],
--	cn =>		"Account Operators",
--	gidNumber =>	548,
--	description =>	"Netbios Domain Users to manipulate users accounts",
--	sambaSID =>	"S-1-5-32-548",
--	sambaGroupType =>	4,
--	displayName =>	"Account Operators",
--    );
--    push(@entries, $entry);
--
--#    $entry = Net::LDAP::Entry->new("cn=System Operators,$config{groupsdn}",
--#	objectClass => [qw(top posixGroup sambaGroupMapping)],
--#	gidNumber =>	549,
--#	cn =>		"System Operators",
--#	description =>	"Netbios Domain System Operators",
--#	sambaSID =>	"S-1-5-32-549",
--#	sambaGroupType =>	4,
--#	displayName =>	"System Operators",
--#    );
--#    push(@entries, $entry);
--
--    $entry = Net::LDAP::Entry->new("cn=Print Operators,$config{groupsdn}",
--	objectClass =>	[qw(top posixGroup sambaGroupMapping)],
--	cn =>		"Print Operators",
--	gidNumber =>	550,
--	description =>	"Netbios Domain Print Operators",
--	sambaSID =>	"S-1-5-32-550",
--	sambaGroupType =>	4,
--	displayName =>	"Print Operators",
--    );
--    push(@entries, $entry);
--
--    $entry = Net::LDAP::Entry->new("cn=Backup Operators,$config{groupsdn}",
--	objectClass =>	[qw(top posixGroup sambaGroupMapping)],
--	cn =>		"Backup Operators",
--	gidNumber =>	551,
--	description =>	"Netbios Domain Members can bypass file security to back up files",
--	sambaSID =>	"S-1-5-32-551",
--	sambaGroupType =>	4,
--	displayName =>	"Backup Operators",
--    );
--    push(@entries, $entry);
--
--    $entry = Net::LDAP::Entry->new("cn=Replicators,$config{groupsdn}",
--	objectClass => [qw(top posixGroup sambaGroupMapping)],
--	cn =>		"Replicators",
--	gidNumber =>	552,
--	description =>	"Netbios Domain Supports file replication in a sambaDomainName",
--	sambaSID =>	"S-1-5-32-552",
--	sambaGroupType =>	4,
--	displayName =>	"Replicators",
--    );
--    push(@entries, $entry);
--
--    $entries_iter = sub {
--	return shift(@entries);
--    };
--}
--
--if (my $file = $Options{'e'}) {
--    open my $file_fh, ">$file" or die "Cannot open file: $file: $!";
--    while (my $entry = $entries_iter->()) {
--	$file_fh->print($entry->ldif);
--    }
--    print "exported ldif file: $file\n";
--    exit(0);
--}
--
--my $ldap_master=connect_ldap_master();
--while (my $entry = $entries_iter->()) {
--    my $dn = $entry->dn;
--    # we first check if the entry exist
--    my $mesg = $ldap_master->search(
--	base => $dn,
--	scope => "base",
--	filter => "objectclass=*"
--    );
--    if ($mesg->code && $mesg->code != LDAP_NO_SUCH_OBJECT) {
--	die "failed to search entry: ", $mesg->error;
--    }
--    if ($mesg->count == 1) {
--	print "entry $dn already exist. ";
--	if ($dn eq $config{sambaUnixIdPooldn}) {
--	    print "Updating it...\n";
--	    my @mods;
--	    foreach my $attr_tmp ($entry->attributes) {
--		push(@mods,$attr_tmp=>[$entry->get_value("$attr_tmp")]);
--	    }
--	    my $modify = $ldap_master->modify($dn,
--		'replace' => { @mods },
--	    );
--	    $modify->code && warn "failed to modify entry: ", $modify->error ;
--	} else {
--	    print "\n";
--	}
--    } else {
--	print "adding new entry: $dn\n";
--	my $result=$ldap_master->add($entry);
--	$result->code && warn "failed to add entry: ", $result->error ;
--    }
--}
--$ldap_master->unbind;
--
--# secure the admin account
--print "\nPlease provide a password for the domain $adminName: \n";
--system("$RealBin/smbldap-passwd", $adminName);
--
--exit(0);
--
--
--########################################
--
--=head1 NAME
--
--smbldap-populate - Populate your LDAP database
--
--=head1 SYNOPSIS
--
--smbldap-populate [ldif-file]
--
--=head1 DESCRIPTION
--
--The smbldap-populate command helps to populate an LDAP server by adding the necessary entries : base suffix (doesn't abort if already there), organizational units for users, groups and computers, builtin users : Administrator and guest, builtin groups (though posixAccount only, no SambaTNG support).
--
---a name
--Your local administrator login name (default: root)
--
---b name
--Your local guest login name (default: nobody)
--
---e file
--export an ldif file
--
---i file
--import an ldif file (Options -a and -b will be ignored)
--
--=head1 FILES
--
--@SYSCONFDIR@/smbldap.conf : main configuration
--@SYSCONFDIR@/smbldap_bind.conf : credentials for binding to the directory
--
--=head1 SEE ALSO
--
--smb.conf(5)
--
--=cut
--
--#'
--
--
--
--# - The End
 === removed file '.pc/applied-patches'
 --- .pc/applied-patches	2012-08-07 20:28:37 +0000
 +++ .pc/applied-patches	1970-01-01 00:00:00 +0000
@@ -1,1 +0,0 @@
--0001_debian_nobody.patch
 === modified file 'debian/changelog'
 --- debian/changelog	2012-08-07 20:28:37 +0000
 +++ debian/changelog	2012-09-21 15:41:28 +0000
@@ -1,3 +1,13 @@
++smbldap-tools (0.9.9-1ubuntu1) quantal; urgency=low
++
++  * Merge from debian unstable (LP: #1054130).  Remaining chagnes:
++    - Apply patch from rdratlos to resolve being unable to join a Windows
++      7 or Windows 2008 machine to a Samba domain due to the use of cached
++      nss credentials. (LP: #814898)
++    - 0020_original_doc_html_index.patch: Add index html file.
++
++ -- Leo Iannacone <l3on@ubuntu.com>  Fri, 21 Sep 2012 17:10:57 +0200
++
  smbldap-tools (0.9.9-1) unstable; urgency=low
    * New upstream release (Closes: #647860, #679935, #680939, #681350)
@@ -6,6 +16,16 @@
   -- Sergio Talens-Oliag <sto@debian.org>  Tue, 07 Aug 2012 20:28:37 +0200
++smbldap-tools (0.9.7-1ubuntu1) precise; urgency=low
++
++  * Merge from debian unstable (LP: #889308).  Remaining changes:
++    - Apply patch from rdratlos to resolve being unable to join a Windows
++      7 or Windows 2008 machine to a Samba domain due to the use of cached
++      nss credentials. (LP: #814898)
++    - 0020_original_doc_html_index.patch: Add index html file.
++
++ -- Leo Iannacone <l3on@ubuntu.com>  Tue, 27 Sep 2011 18:05:13 +0000
++
  smbldap-tools (0.9.7-1) unstable; urgency=low
    * New upstream release
@@ -23,6 +43,14 @@
   -- Sergio Talens-Oliag <sto@debian.org>  Thu, 18 Aug 2011 10:55:45 +0200
++smbldap-tools (0.9.5-1ubuntu1) oneiric; urgency=low
++
++  * Apply patch from rdratlos to resolve being unable to join a Windows
++    7 or Windows 2008 machine to a Samba domain due to the use of cached
++    nss credentials. (LP: #814898)
++
++ -- Daniel T Chen <crimsun@ubuntu.com>  Mon, 01 Aug 2011 15:14:32 -0400
++
  smbldap-tools (0.9.5-1) unstable; urgency=low
    * New upstream release (Closes: Bug#548665).
 === modified file 'debian/control'
 --- debian/control	2012-08-07 20:28:37 +0000
 +++ debian/control	2012-09-21 15:41:28 +0000
@@ -1,7 +1,8 @@
  Source: smbldap-tools
  Section: admin
  Priority: extra
--Maintainer: Sergio Talens-Oliag <sto@debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Sergio Talens-Oliag <sto@debian.org>
  Build-Depends: debhelper (>= 7.0.50~), quilt
  Build-Depends-Indep: perl
  Standards-Version: 3.9.3.0
 === added file 'debian/patches/0020_original_doc_html_index.patch'
 --- debian/patches/0020_original_doc_html_index.patch	1970-01-01 00:00:00 +0000
 +++ debian/patches/0020_original_doc_html_index.patch	2012-09-21 15:41:28 +0000
@@ -0,0 +1,2369 @@
++Description: Page downloaded from
++ http://download.gna.org/smbldap-tools/docs/smbldap-tools/
++--- smbldap-tools-0.9.5.orig/doc/html/index.html
+++++ smbldap-tools-0.9.5/doc/html/index.html
++@@ -0,0 +1,2364 @@
+++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
+++            "http://www.w3.org/TR/REC-html40/loose.dtd">
+++<HTML>
+++<HEAD><TITLE>Smbldap-tools User Manual
+++(Release: 0.9.3 )</TITLE>
+++
+++<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+++<META name="GENERATOR" content="hevea 1.07">
+++
+++<link rel="stylesheet" href="IDXDOC.css">
+++</HEAD>
+++<BODY >
+++<!--HEVEA command line is: hevea -fix -I ./styles -exec xxdate.exe -pedantic IDXDOC.hva smbldap-tools.tex -o smbldap-tools.html -->
+++<!--HTMLHEAD-->
+++
+++
+++  <DIV class="entete">
+++  Copyright 2002 &copy; IDEALX S.A.S. -
+++  Contact:&nbsp;<A href="mailto:samba@IDEALX.org">samba@IDEALX.org</A>
+++  </DIV>
+++  <HR>
+++<!--ENDHTML-->
+++<!--PREFIX <ARG ></ARG>-->
+++<!--CUT DEF section 1 -->
+++
+++
+++
+++
+++
+++<H1 ALIGN=center>Smbldap-tools User Manual<BR>
+++(<I>Release</I>: 0.9.3 )</H1>
+++
+++<H3 ALIGN=center>Jérôme Tournier</H3>
+++
+++<H3 ALIGN=center><I>Revision</I>: 1.7 , generated July 12, 2007<BR>
+++</H3>
+++<DIV ALIGN=center>
+++
+++ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
+++<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Release:</TD>
+++<TD ALIGN=left NOWRAP>&nbsp;</TD>
+++</TR>
+++<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Reference:</TD>
+++<TD ALIGN=left NOWRAP>&nbsp;</TD>
+++</TR>
+++<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Publication date:</TD>
+++<TD ALIGN=left NOWRAP>&nbsp;</TD>
+++</TR>
+++<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Print date:</TD>
+++<TD ALIGN=left NOWRAP>July 12, 2007</TD>
+++</TR></TABLE>
+++ </DIV>
+++
+++<BR>
+++This document is the property of IDEALX<SUP><A NAME="text1" HREF="#note1">1</A></SUP>.
+++Permission is granted to distribute this document under the terms of the GNU
+++Free Documentation License (<A HREF="http://www.gnu.org/copyleft/fdl.html"><TT>http://www.gnu.org/copyleft/fdl.html</TT></A>).<BR>
+++<BR>
+++<!--TOC section Table of Contents-->
+++
+++<H2>Table of Contents</H2><!--SEC END -->
+++
+++<UL><LI>
+++<A HREF="#htoc1">1&nbsp;&nbsp;Introduction</A>
+++<UL><LI>
+++<A HREF="#htoc2">1.1&nbsp;&nbsp;Software requirements</A>
+++<LI><A HREF="#htoc3">1.2&nbsp;&nbsp;Updates of this document</A>
+++<LI><A HREF="#htoc4">1.3&nbsp;&nbsp;Availability of this document</A>
+++</UL>
+++<LI><A HREF="#htoc5">2&nbsp;&nbsp;Installation</A>
+++<UL><LI>
+++<A HREF="#htoc6">2.1&nbsp;&nbsp;Requirements</A>
+++<LI><A HREF="#htoc7">2.2&nbsp;&nbsp;Installation</A>
+++<UL><LI>
+++<A HREF="#htoc8">2.2.1&nbsp;&nbsp;Installing from rpm</A>
+++<LI><A HREF="#htoc9">2.2.2&nbsp;&nbsp;Installing from a tarball</A>
+++</UL>
+++</UL>
+++<LI><A HREF="#htoc10">3&nbsp;&nbsp;Configuring the smbldap-tools</A>
+++<UL><LI>
+++<A HREF="#htoc11">3.1&nbsp;&nbsp;The smbldap.conf file</A>
+++<LI><A HREF="#htoc12">3.2&nbsp;&nbsp;The smbldap_bind.conf file</A>
+++</UL>
+++<LI><A HREF="#htoc13">4&nbsp;&nbsp;Using the scripts</A>
+++<UL><LI>
+++<A HREF="#htoc14">4.1&nbsp;&nbsp;Initial directory's population</A>
+++<LI><A HREF="#htoc15">4.2&nbsp;&nbsp;User management</A>
+++<UL><LI>
+++<A HREF="#htoc16">4.2.1&nbsp;&nbsp;Adding a user</A>
+++<LI><A HREF="#htoc17">4.2.2&nbsp;&nbsp;Removing a user</A>
+++<LI><A HREF="#htoc18">4.2.3&nbsp;&nbsp;Modifying a user</A>
+++</UL>
+++<LI><A HREF="#htoc19">4.3&nbsp;&nbsp;Group management</A>
+++<UL><LI>
+++<A HREF="#htoc20">4.3.1&nbsp;&nbsp;Adding a group</A>
+++<LI><A HREF="#htoc21">4.3.2&nbsp;&nbsp;Removing a group</A>
+++</UL>
+++<LI><A HREF="#htoc22">4.4&nbsp;&nbsp;Adding a interdomain trust account</A>
+++</UL>
+++<LI><A HREF="#htoc23">5&nbsp;&nbsp;Samba and the smbldap-tools scripts</A>
+++<UL><LI>
+++<A HREF="#htoc24">5.1&nbsp;&nbsp;General configuration</A>
+++<LI><A HREF="#htoc25">5.2&nbsp;&nbsp;Migrating an NT4 PDC to Samba3</A>
+++</UL>
+++<LI><A HREF="#htoc26">6&nbsp;&nbsp;Frequently Asked Questions</A>
+++<UL><LI>
+++<A HREF="#htoc27">6.1&nbsp;&nbsp;How can i use old released uidNumber and gidNumber ?</A>
+++<LI><A HREF="#htoc28">6.2&nbsp;&nbsp;I always have this error: "Can't locate IO/Socket/SSL.pm"</A>
+++<LI><A HREF="#htoc29">6.3&nbsp;&nbsp;I can't initialize the directory with <TT>smbldap-populate</TT></A>
+++<LI><A HREF="#htoc30">6.4&nbsp;&nbsp;I can't join the domain with the <TT>root</TT> account</A>
+++<LI><A HREF="#htoc31">6.5&nbsp;&nbsp;I have the <TT>sambaSamAccount</TT> but i can't logged in</A>
+++<LI><A HREF="#htoc32">6.6&nbsp;&nbsp;I want to create machine account on the fly, but it does
+++ not works or I must do it twice</A>
+++<LI><A HREF="#htoc33">6.7&nbsp;&nbsp;I can't manage the Oracle Internet Database</A>
+++<LI><A HREF="#htoc34">6.8&nbsp;&nbsp;The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
+++called, or i got a error message when changing the password from windows</A>
+++<LI><A HREF="#htoc35">6.9&nbsp;&nbsp;New computers account can't be set in ou=computers</A>
+++<LI><A HREF="#htoc36">6.10&nbsp;&nbsp;I can join the domain, but i can't log on</A>
+++<LI><A HREF="#htoc37">6.11&nbsp;&nbsp;I can't create a user with <TT>smbldap-useradd</TT></A>
+++<LI><A HREF="#htoc38">6.12&nbsp;&nbsp;smbldap-useradd: Can't call method "get_value" on an undefined value at
+++/usr/local/sbin/smbldap-useradd line 154</A>
+++<LI><A HREF="#htoc39">6.13&nbsp;&nbsp;Typical errors on creating a new user or a new group</A>
+++</UL>
+++<LI><A HREF="#htoc40">7&nbsp;&nbsp;Thanks</A>
+++<LI><A HREF="#htoc41">8&nbsp;&nbsp;Annexes</A>
+++<UL><LI>
+++<A HREF="#htoc42">8.1&nbsp;&nbsp;Full configuration files</A>
+++<UL><LI>
+++<A HREF="#htoc43">8.1.1&nbsp;&nbsp;The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</A>
+++<LI><A HREF="#htoc44">8.1.2&nbsp;&nbsp;The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</A>
+++<LI><A HREF="#htoc45">8.1.3&nbsp;&nbsp;The samba configuration file : <TT>/etc/samba/smb.conf</TT> </A>
+++<LI><A HREF="#htoc46">8.1.4&nbsp;&nbsp;The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></A>
+++</UL>
+++<LI><A HREF="#htoc47">8.2&nbsp;&nbsp;Changing the administrative account (<TT>ldap admin
+++ dn</TT> in <TT>smb.conf</TT> file)</A>
+++<LI><A HREF="#htoc48">8.3&nbsp;&nbsp;known bugs</A>
+++</UL>
+++</UL>
+++
+++
+++
+++<!--TOC section Introduction-->
+++
+++<H2><A NAME="htoc1">1</A>&nbsp;&nbsp;Introduction</H2><!--SEC END -->
+++
+++<A NAME="sec:intro"></A>
+++Smbldap-tools is a set of scripts designed to help integrate Samba and a
+++LDAP directory. They target both users and administrators of Linux systems.<BR>
+++<BR>
+++Users can change their password in a way similar to the standard ``passwd''
+++command.<BR>
+++<BR>
+++Administrators can perform user and group management command line actions
+++and synchronise Samba account management consistently.<BR>
+++<BR>
+++This document presents:
+++<UL><LI>
+++a detailled view of the smbldap-tools scripts
+++<LI>a step by step explanation of how to set up a Samba3 domain controller
+++</UL>
+++<!--TOC subsection Software requirements-->
+++
+++<H3><A NAME="htoc2">1.1</A>&nbsp;&nbsp;Software requirements</H3><!--SEC END -->
+++
+++The smbldap-tools have been developped and tested with the following configuration :
+++<UL><LI>
+++<FONT COLOR=purple><I>Linux</I></FONT> CentOS4 (be should work on any <FONT COLOR=purple><I>Linux</I></FONT> distribution)
+++<LI>	<FONT COLOR=purple>Samba</FONT> release 3.0.10,
+++<LI><FONT COLOR=purple>OpenLDAP</FONT> release 2.2.13
+++<LI><FONT COLOR=purple>Microsoft Windows NT</FONT> 4.0, Windows 2000 and Windows XP Workstations and Servers,
+++</UL>
+++This guide applies to <FONT COLOR=purple>smbldap-tools</FONT> <I>Release</I>: 0.9.3 .<BR>
+++<BR>
+++<!--TOC subsection Updates of this document-->
+++
+++<H3><A NAME="htoc3">1.2</A>&nbsp;&nbsp;Updates of this document</H3><!--SEC END -->
+++
+++The most up to date release of this document may be found on the
+++smbldap-tools project page available at <A HREF="http://sourceforge.net/projects/smbldap-tools/"><TT>http://sourceforge.net/projects/smbldap-tools/</TT></A>.<BR>
+++<BR>
+++If you find any bugs in this document, or if you want this document to
+++integrate some additional infos, please drop me a mail with your bug report
+++and/or change request at <U>jtournier@gmail.com</U>.<BR>
+++<BR>
+++<!--TOC subsection Availability of this document-->
+++
+++<H3><A NAME="htoc4">1.3</A>&nbsp;&nbsp;Availability of this document</H3><!--SEC END -->
+++
+++This document is the property of <FONT COLOR=purple>IDEALX</FONT> (<A HREF="http://www.IDEALX.com/"><TT>http://www.IDEALX.com/</TT></A>). <BR>
+++<BR>
+++Permission is granted to distribute this document under the terms of the GNU
+++Free Documentation License (See <A HREF="http://www.gnu.org/copyleft/fdl.html"><TT>http://www.gnu.org/copyleft/fdl.html</TT></A>).
+++ <!--TOC section Installation-->
+++
+++<H2><A NAME="htoc5">2</A>&nbsp;&nbsp;Installation</H2><!--SEC END -->
+++
+++<!--TOC subsection Requirements-->
+++
+++<H3><A NAME="htoc6">2.1</A>&nbsp;&nbsp;Requirements</H3><!--SEC END -->
+++
+++The main requirement for using smbldap-tools are the two perl module:
+++Net::LDAP and Crypt::SmbHash.
+++In most cases, you'll also need the IO-Socket-SSL Perl module to use
+++TLS functionnality.<BR>
+++<BR>
+++If you want samba to call the scripts so that you can use the User
+++Manager (or any other) under MS-Windows (to add, delete modify users and
+++groups), <FONT COLOR=purple>Samba</FONT> must be installed on the same computer.
+++Finally, <FONT COLOR=purple>OpenLDAP</FONT> can be installed on any computer. Please check that it
+++can be contacted by a standard LDAP client software.<BR>
+++<BR>
+++<FONT COLOR=purple>Samba</FONT> and <FONT COLOR=purple>OpenLDAP</FONT> installations will not be discussed
+++here. You can consult the howto also available on the
+++project page (<A HREF="http://sourceforge.net/projects/smbldap-tools/"><TT>http://sourceforge.net/projects/smbldap-tools/</TT></A>).<BR>
+++<BR>
+++<!--TOC subsection Installation-->
+++
+++<H3><A NAME="htoc7">2.2</A>&nbsp;&nbsp;Installation</H3><!--SEC END -->
+++
+++An archive of the <FONT COLOR=purple>smbldap-tools</FONT> scripts can be downloaded on our project
+++page <A HREF="http://sourceforge.net/projects/smbldap-tools/"><TT>http://sourceforge.net/projects/smbldap-tools/</TT></A>. Archive and RedHat packages are
+++available.
+++<BR>
+++If you are upgrading, look at the <TT>INSTALL</TT> file or read the link
+++<A HREF="#faq::error::add::user">6.13</A>.<BR>
+++<BR>
+++<!--TOC subsubsection Installing from rpm-->
+++
+++<H4><A NAME="htoc8">2.2.1</A>&nbsp;&nbsp;Installing from rpm</H4><!--SEC END -->
+++
+++To install the scripts on a RedHat system, download the RPM
+++package and run the following command:
+++<PRE>
+++rpm -Uvh smbldap-tools-0.9.3-1.i386.rpm
+++</PRE>
+++<!--TOC subsubsection Installing from a tarball-->
+++
+++<H4><A NAME="htoc9">2.2.2</A>&nbsp;&nbsp;Installing from a tarball</H4><!--SEC END -->
+++
+++On non RedHat system, download a source archive of the scripts. The current
+++archive is <TT>smbldap-tools-0.9.3.tar.gz</TT>.
+++Uncompress it and copy all of the Perl scripts in <TT>/usr/sbin</TT>
+++directory, and the two configuration files in
+++<TT>/etc/smbldap-tools/</TT> directory:
+++<PRE>
+++mkdir /etc/smbldap-tools/
+++cp *.conf /etc//smbldap-tools/
+++cp smbldap-* /usr/sbin/
+++</PRE>
+++The configuration is now based on two differents files:
+++<UL><LI>
+++<TT>smbldap.conf</TT>: define global parameter
+++<LI><TT>smbldap_bind.conf</TT>: define an administrative account to
+++ bind to the directory
+++</UL>
+++The second file <B>must</B> be readable only for 'root', as it contains
+++credentials allowing modifications on all the directory. Make sure the
+++files are protected by running the following commands:
+++<PRE>
+++chmod 644 /etc/smbldap-tools/smbldap.conf
+++chmod 600 /etc/smbldap-tools/smbldap_bind.conf
+++</PRE> <!--TOC section Configuring the smbldap-tools-->
+++
+++<H2><A NAME="htoc10">3</A>&nbsp;&nbsp;Configuring the smbldap-tools</H2><!--SEC END -->
+++
+++As mentioned in the previous section, you'll have to update two
+++configuration files. The first (<TT>smbldap.conf</TT>) allows you to
+++set global parameter that are readable by everybody, and the second
+++(<TT>smbldap_bind.conf</TT>) defines two administrative accounts to
+++bind to a slave and a master ldap server: this file must thus be
+++readable only by root.<BR>
+++<BR>
+++A script named <TT>configure.pl</TT> can help you to set their contents
+++up. It is located in the tarball
+++downloaded or in the documentation directory if you got the RPM
+++archive (see <TT>/usr/share/doc/smbldap-tools-0.9.3/</TT>). Just invoke it:
+++<PRE>
+++/usr/share/doc/smbldap-tools-0.9.3/configure.pl
+++</PRE>It will ask for the default values defined in your
+++<TT>smb.conf</TT> file, and will update the two configuration files used
+++by the scripts. Samba configuration file should then be already configured.
+++Note that you can stop the script at any moment with
+++the <TT>Crtl-c</TT> keys.<BR>
+++Before using this script :
+++<UL><LI>
+++the two configuration files <B>must</B> be present in the
+++ <TT>/etc/smbldap-tools/</TT> directory
+++<LI>check that samba is configured and running, as the script will try to
+++ get your workgroup's domain secure id (SID).
+++</UL>
+++In those files, parameters are defined like this:
+++<PRE>
+++key="value"
+++</PRE>Full example configuration files can be found at
+++<A HREF="#configuration::files">8.1</A>.<BR>
+++<BR>
+++<!--TOC subsection The smbldap.conf file-->
+++
+++<H3><A NAME="htoc11">3.1</A>&nbsp;&nbsp;The smbldap.conf file</H3><!--SEC END -->
+++
+++This file is used to define parameters that can be readable by
+++everybody. A full example file is available in section <A HREF="#configuration::file::smbldap">8.1.1</A>.<BR>
+++<BR>
+++Let's have a look at all available parameters.
+++<UL><LI>
+++<TT>UID_START</TT> and <TT>GID_START</TT>&nbsp;: parameters deprecated
+++ <UL><LI>
+++ Those parameters must be removed or commented.
+++ <LI>Available uid and gid are now defined in the default
+++ new entry <TT>sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"</TT>.
+++ See later for <TT>${sambaDomain}</TT> and <TT>${suffix}</TT> definitions.
+++ </UL>
+++<LI><TT>SID</TT>&nbsp;: Secure Identifier Domain
+++ <UL><LI>
+++ Example: <TT>SID="S-1-5-21-3703471949-3718591838-2324585696"</TT>
+++ <LI>Remark: you can get the SID for your domain using the "<TT>net getlocalsid</TT>"
+++ command. Samba must be up and running for this to work (it can take <B>several</B> minutes for a Samba server to correctly negotiate its status with other network servers).
+++ </UL>
+++<LI><TT>sambaDomain</TT>&nbsp;: Samba Domain the Samba server is in charge
+++ <UL><LI>
+++ Example: <TT>sambaDomain="DOMSMB"</TT>
+++ <LI>Remark: if not defined, parameter is taking from smb.conf configuration file
+++ </UL>
+++<LI><TT>slaveLDAP</TT>&nbsp;: slave LDAP server
+++ <UL><LI>
+++ Example: <TT>slaveLDAP="127.0.0.1"</TT>
+++ <LI>Remark: must be a resolvable DNS name or it's IP address
+++ </UL>
+++<LI><TT>slavePort</TT>&nbsp;: port to contact the slave server
+++ <UL><LI>
+++ Example: <TT>slavePort="389"</TT>
+++ </UL>
+++<LI><TT>masterLDAP</TT>&nbsp;: master LDAP server
+++ <UL><LI>
+++ Example: <TT>masterLDAP="127.0.0.1"</TT>
+++ </UL>
+++<LI><TT>masterPort</TT>&nbsp;: port to contact the master server
+++ <UL><LI>
+++ Example: <TT>masterPort="389"</TT>
+++ </UL>
+++<LI><TT>ldapTLS</TT>&nbsp;: should we use TLS connection to contact the
+++ ldap servers ?
+++ <UL><LI>
+++ Example: <TT>ldapTLS="1"</TT>
+++ <LI>Remark: the LDAP severs must be configured to accept TLS
+++ connections. See section the Samba-LDAP Howto for more
+++ details (<A HREF="http://samba.idealx.org/smbldap-howto.fr.html"><TT>http://samba.idealx.org/smbldap-howto.fr.html</TT></A>). If you are using TLS support, select port 389 to connect to
+++ the master and slave directories.
+++ </UL>
+++<LI><TT>verify</TT>&nbsp;: How to verify the server's certificate (none, optional or require).
+++ <UL><LI>
+++ Example: <TT>verify="require"</TT>
+++ <LI>Remarl: See ``man Net::LDAP'' in start_tls section for more details
+++ </UL>
+++<LI><TT>cafile</TT>&nbsp;: the PEM-format file containing certificates
+++ for the CA that slapd will trust
+++ <UL><LI>
+++ Example: <TT>cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"</TT>
+++ </UL>
+++<LI><TT>clientcert</TT>&nbsp;: the file that contains the client certificate
+++ <UL><LI>
+++ Example: <TT>clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem"</TT>
+++ </UL>
+++<LI><TT>clientkey</TT>&nbsp;: the file that contains the private key that
+++ matches the certificate stored in the clientcert file
+++ <UL><LI>
+++ Example: <TT>clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key"</TT>
+++ </UL>
+++<LI><TT>suffix</TT>&nbsp;: The distinguished name of the search base
+++ <UL><LI>
+++ Example: <TT>suffix="dc=idealx,dc=com"</TT>
+++ </UL>
+++<LI><TT>usersdn</TT>&nbsp;: branch in which users account can be found or
+++ must be added
+++ <UL><LI>
+++ Example: <TT>usersdn="ou=Users,${suffix}"</TT>
+++ <LI>Remark: this branch is <B>not</B> relative to the suffix value
+++ </UL>
+++<LI><TT>computersdn</TT>&nbsp;: branch in which computers account can be
+++ found or must be added
+++ <UL><LI>
+++ Example: <TT>computersdn"ou=Computers,${suffix}"</TT>
+++ <LI>Remark: this branch is <B>not</B> relative to the suffix value
+++ </UL>
+++<LI><TT>groupsdn</TT>&nbsp;: branch in which groups account can be found
+++ or must be added
+++ <UL><LI>
+++ Example: <TT>groupsdn="ou=Groups,${suffix}"</TT>
+++ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
+++ </UL>
+++<LI><TT>idmapdn</TT>&nbsp;: where are stored Idmap entries (used if samba is a domain member server)
+++<UL><LI>
+++ Example: <TT>idmapdn="ou=Idmap,${suffix}"</TT>
+++ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
+++</UL>
+++<LI><TT>sambaUnixIdPooldn</TT>&nbsp;: object in which next uidNumber and gidNumber available are stored
+++<UL><LI>
+++ Example: <TT>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"</TT>
+++ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
+++</UL>
+++<LI><TT>scope</TT>&nbsp;: the search scope.
+++<UL><LI>
+++ Example: <TT>scope="sub"</TT>
+++</UL>
+++<LI><TT>hash_encrypt</TT>&nbsp;: hash to be used when generating a
+++ user password.
+++ <UL><LI>
+++ Example: <TT>hash_encrypt="SSHA"</TT>
+++ <LI>Remark: This is used for the unix password stored in <I>userPassword</I> attribute.
+++ </UL>
+++<LI><TT>crypt_salt_format="%s"</TT>&nbsp;: if hash_encrypt is set to
+++ CRYPT, you may set a salt format. Default is "%s", but many systems
+++ will generate MD5 hashed passwords if you use "$1$%.8s". This
+++ parameter is optional.
+++<LI><TT>userLoginShell</TT>&nbsp;: default shell given to users.
+++ <UL><LI>
+++ Example: <TT>userLoginShell="/bin/bash"</TT>
+++ <LI>Remark: This is stored in <I>loginShell</I> attribute.
+++ </UL>
+++<LI><TT>userHome</TT>&nbsp;: default directory where users's home
+++ directory are located.
+++ <UL><LI>
+++ Example: <TT>userHome="/home/%U"</TT>
+++ <LI>Remark: This is stored in <TT>homeDirectory</TT> attribute.
+++ </UL>
+++<LI><TT>userGecos</TT>&nbsp;: gecos used for users
+++ <UL><LI>
+++ Example: <TT>userGecos="System User"</TT>
+++ </UL>
+++<LI><TT>defaultUserGid</TT>&nbsp;: default primary group set to users accounts
+++ <UL><LI>
+++ Example: <TT>defaultUserGid="513"</TT>
+++ <LI>Remark: this is stored in <I>gidNumber</I> attribute.
+++</UL>
+++<LI><TT>defaultComputerGid</TT>&nbsp;: default primary group set to
+++ computers accounts
+++ <UL><LI>
+++ Example: <TT>defaultComputerGid="550"</TT>
+++ <LI>Remark: this is stored in <I>gidNumber</I> attribute.
+++</UL>
+++<LI><TT>skeletonDir</TT>&nbsp;: skeleton directory used for users accounts
+++ <UL><LI>
+++ Example: <TT>skeletonDir="/etc/skel"</TT>
+++ <LI>Remark: this option is used only if you ask for home directory creation when adding a new user.
+++ </UL>
+++<LI><TT>defaultMaxPasswordAge</TT>&nbsp;: default validation time for Samba password (in days)
+++ <UL><LI>
+++ Example: <TT>defaultMaxPassword="55"</TT>
+++ </UL>
+++<LI><TT>userSmbHome</TT>&nbsp;: samba share used to store user's home directory
+++ <UL><LI>
+++ Example:
+++ <TT>userSmbHome="\\PDC-SMB3\ <I>home</I>\%<I>U</I>"</TT>
+++ <LI>Remark: this is stored in <I>sambaHomePath</I> attribute.
+++</UL>
+++<LI><TT>userProfile</TT>&nbsp;: samba share used to store user's profile
+++ <UL><LI>
+++ Example:
+++ <TT>userProfile="\\PDC-SMB3\ <I>profiles</I>\%<I>U</I>"</TT>
+++ <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
+++ </UL>
+++<LI><TT>userHomeDrive</TT>&nbsp;: letter used on windows system to map
+++ the home directory
+++ <UL><LI>
+++ Example: <TT>userHomeDrive="K:"</TT>
+++ </UL>
+++<LI><TT>userScript</TT>&nbsp;: default user netlogon script name. If not used, will be automatically <I>username.cmd</I>
+++ <UL><LI>
+++ Example:
+++ <TT>userScript="%U"</TT>
+++ <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
+++ </UL>
+++<LI><TT>mailDomain</TT>&nbsp;: Domain appended to the users "mail"
+++ attribute.
+++ <UL><LI>
+++ Example: <TT>mailDomain="idealx.org"</TT>
+++ </UL>
+++<LI><TT>with_smbpasswd</TT>&nbsp;: should we use the <I>smbpasswd</I> command
+++ to set the user's password (instead of the <I>mkntpwd</I> utility) ?
+++ <UL><LI>
+++ Example: <TT>with_smbpasswd="0"</TT>
+++ <LI>Remark: must be a boolean value (0 or 1).
+++ </UL>
+++<LI><TT>smbpasswd</TT>&nbsp;: path to the <TT>smbpasswd</TT> binary
+++ <UL><LI>
+++ Example: <TT>smbpasswd="/usr/bin/smbpasswd"</TT>
+++ </UL>
+++<LI><TT>with_slappasswd</TT>&nbsp;: should we use the <I>slappasswd</I> command
+++ to set the Unix user's password (instead of the <I>Crypt::</I> librairies) ?
+++ <UL><LI>
+++ Example: <TT>with_smbpasswd="0"</TT>
+++ <LI>Remark: must be a boolean value (0 or 1).
+++ </UL>
+++<LI><TT>slappasswd</TT>&nbsp;: path to the <TT>slappasswd</TT> binary
+++ <UL><LI>
+++ Example: <TT>smbpasswd="/usr/sbin/slappasswd"</TT>
+++ </UL>
+++</UL>
+++<!--TOC subsection The smbldap_bind.conf file-->
+++
+++<H3><A NAME="htoc12">3.2</A>&nbsp;&nbsp;The smbldap_bind.conf file</H3><!--SEC END -->
+++
+++This file is only used by <I>root</I> to give bind parameters to the directory when modifications are asked.
+++It contains distinguised names and credentials to connect to
+++both the master and slave directories. A full example file is available
+++in section <A HREF="#configuration::file::smbldap::bind">8.1.2</A>.<BR>
+++<BR>
+++Let's have a look at all available parameters.
+++<UL><LI>
+++<TT>slaveDN</TT>&nbsp;: distinguished name used to bind to the slave server
+++ <UL><LI>
+++ Example 1: <TT>slaveDN="cn=Manager,dc=idealx,dc=com"</TT>
+++ <LI>Example 2: <TT>slaveDN=""</TT>
+++ <LI>Remark: this can be the manager account of the directory or
+++ any LDAP account that has sufficient permissions to read the full
+++ directory (Slave directory is only used for reading). Anonymous
+++ connections uses the second example form.
+++ </UL>
+++<LI><TT>slavePw</TT>&nbsp;: the credentials to bind to the slave server
+++ <UL><LI>
+++ Example 1: <TT>slavePw="secret"</TT>
+++ <LI>Example 2: <TT>slavePw=""</TT>
+++ <LI>Remark: the password must be stored here in clear form. This
+++ file must then be readable only by root! All anonymous connections
+++ use the second form provided in our example.
+++ </UL>
+++<LI><TT>masterDN</TT>&nbsp;: the distinguished name used to bind to the master server
+++ <UL><LI>
+++ Example: <TT>masterDN="cn=Manager,dc=idealx,dc=com"</TT>
+++ <LI>Remark: this can be the manager account of the directory or
+++ any LDAP account that has enough permissions to modify the content
+++ of the directory. Anonymous access does not make any sense here.
+++</UL>
+++<LI><TT>masterPw</TT>&nbsp;: the credentials to bind to the master server
+++ <UL><LI>
+++ Example: <TT>masterPw="secret"</TT>
+++ <LI>Remark: the password must be in clear text. Be sure to protect
+++ this file against unauthorized readers!
+++ </UL>
+++</UL>
+++ <!--TOC section Using the scripts-->
+++
+++<H2><A NAME="htoc13">4</A>&nbsp;&nbsp;Using the scripts</H2><!--SEC END -->
+++
+++<!--TOC subsection Initial directory's population-->
+++
+++<H3><A NAME="htoc14">4.1</A>&nbsp;&nbsp;Initial directory's population</H3><!--SEC END -->
+++
+++You can initialize the LDAP directory using the
+++<TT>smbldap-populate</TT> script. To do that, the account defined in
+++the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> to access the
+++master directory <B>must</B> must be the manager account defined in the
+++directory configuration. On RedHat system, this file is
+++<TT>/etc/openldap/slapd.conf</TT> and the account is defined with
+++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
+++<TR><TD><TABLE BORDER=0 CELLPADDING=0
+++ CELLSPACING=0>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
+++<TR><TD><PRE>
+++  rootdn          "cn=Manager,dc=idealx,dc=com"
+++  rootpw          secret
+++</PRE></TD>
+++</TR></TABLE></TD>
+++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR></TABLE></TD>
+++</TR></TABLE>The <TT>smbldap_bind.conf</TT> file must then be configured so that
+++the parameters to connect to the master LDAP server match the previous ones:
+++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
+++<TR><TD><TABLE BORDER=0 CELLPADDING=0
+++ CELLSPACING=0>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
+++<TR><TD><PRE>
+++  masterDN="cn=Manager,dc=idealx,dc=com"
+++  masterPw="secret"
+++</PRE></TD>
+++</TR></TABLE></TD>
+++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR></TABLE></TD>
+++</TR></TABLE><BR>
+++Available options for this script are summarized in the table <A HREF="#table::populate">1</A>:
+++<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
+++ <A NAME="code_epsilon_var"></A>
+++ <DIV ALIGN=center>
+++ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
+++<TR><TD ALIGN=left NOWRAP>option</TD>
+++<TD ALIGN=left NOWRAP>definition</TD>
+++<TD ALIGN=left NOWRAP>default value</TD>
+++</TR>
+++<TR><TD ALIGN=left NOWRAP>-u <I>uidNumber</I></TD>
+++<TD ALIGN=left NOWRAP>first uidNumber to allocate</TD>
+++<TD ALIGN=left NOWRAP>1000</TD>
+++</TR>
+++<TR><TD ALIGN=left NOWRAP>-g <I>gidNumber</I></TD>
+++<TD ALIGN=left NOWRAP>first uidNumber to allocate</TD>
+++<TD ALIGN=left NOWRAP>1000</TD>
+++</TR>
+++<TR><TD ALIGN=left NOWRAP>-a <I>user</I></TD>
+++<TD ALIGN=left NOWRAP>administrator login name</TD>
+++<TD ALIGN=left NOWRAP>Administrator</TD>
+++</TR>
+++<TR><TD ALIGN=left NOWRAP>-b <I>user</I></TD>
+++<TD ALIGN=left NOWRAP>guest login name</TD>
+++<TD ALIGN=left NOWRAP>nobody</TD>
+++</TR>
+++<TR><TD ALIGN=left NOWRAP>-e <I>file</I></TD>
+++<TD ALIGN=left NOWRAP>export a init file</TD>
+++<TD ALIGN=left NOWRAP>&nbsp;</TD>
+++</TR>
+++<TR><TD ALIGN=left NOWRAP>-i <I>file</I></TD>
+++<TD ALIGN=left NOWRAP>import a init file</TD>
+++<TD ALIGN=left NOWRAP>&nbsp;</TD>
+++</TR></TABLE>
+++ </DIV>
+++ <BR>
+++<DIV ALIGN=center>Table 1: Options available for the <TT>smbldap-populate</TT> script</DIV><BR>
+++
+++ <A NAME="table::populate"></A>
+++<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
+++In the more general case, to set up your directory, simply use the
+++following command:
+++<PRE>
+++[root@etoile root]# smbldap-populate
+++Using builtin directory structure
+++adding new entry: dc=idealx,dc=com
+++adding new entry: ou=Users,dc=idealx,dc=com
+++adding new entry: ou=Groups,dc=idealx,dc=com
+++adding new entry: ou=Computers,dc=idealx,dc=com
+++adding new entry: ou=Idmap,dc=idealx,dc=org
+++adding new entry: cn=NextFreeUnixId,dc=idealx,dc=org
+++adding new entry: uid=Administrator,ou=Users,dc=idealx,dc=com
+++adding new entry: uid=nobody,ou=Users,dc=idealx,dc=com
+++adding new entry: cn=Domain Admins,ou=Groups,dc=idealx,dc=com
+++adding new entry: cn=Domain Users,ou=Groups,dc=idealx,dc=com
+++adding new entry: cn=Domain Guests,ou=Groups,dc=idealx,dc=com
+++adding new entry: cn=Print Operators,ou=Groups,dc=idealx,dc=com
+++adding new entry: cn=Backup Operators,ou=Groups,dc=idealx,dc=com
+++adding new entry: cn=Replicator,ou=Groups,dc=idealx,dc=com
+++adding new entry: cn=Domain Computers,ou=Groups,dc=idealx,dc=com
+++</PRE>
+++After this step, if you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
+++account anymore, you can create a dedicated account for Samba and the
+++smbldap-tools. See section <A HREF="#change::manager">8.2</A> for more details.<BR>
+++<BR>
+++The <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> entry is only used to
+++defined the next uidNumber and gidNumber available for creating new
+++users and groups. The default values for those numbers are 1000. You
+++can change it with the <TT>-u</TT> and <TT>-g</TT> option. For
+++example, if you want the first available value for uidNumber and
+++gidNumber to be set to 1500, you can use the following command :
+++<PRE>
+++smbldap-populate -u 1550 -g 1500
+++</PRE>
+++<!--TOC subsection User management-->
+++
+++<H3><A NAME="htoc15">4.2</A>&nbsp;&nbsp;User management</H3><!--SEC END -->
+++
+++<!--TOC subsubsection Adding a user-->
+++
+++<H4><A NAME="htoc16">4.2.1</A>&nbsp;&nbsp;Adding a user</H4><!--SEC END -->
+++<A NAME="add::user"></A>
+++To add a user, use the <TT>smbldap-useradd</TT> script. Available
+++options are summarized in the table <A HREF="#table::add::user">2</A>. If applicable,
+++default values are mentionned in the third column. Any string beginning with a
+++$ symbol refers to a parameter defined in the
+++<TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> configuration file.
+++<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
+++ <DIV ALIGN=center>
+++ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
+++<TR><TD VALIGN=top ALIGN=left>option</TD>
+++<TD VALIGN=top ALIGN=left>definition</TD>
+++<TD VALIGN=top ALIGN=left>example</TD>
+++<TD VALIGN=top ALIGN=left>default value</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-a</TD>
+++<TD VALIGN=top ALIGN=left>create a Windows account. Otherwise, only a Posix account
+++ is created</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-w</TD>
+++<TD VALIGN=top ALIGN=left>create a Windows Workstation account</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-i</TD>
+++<TD VALIGN=top ALIGN=left>create an interdomain trust account. See section
+++ <A HREF="#trust::account">4.4</A> for more details</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-u</TD>
+++<TD VALIGN=top ALIGN=left>set a uid value</TD>
+++<TD VALIGN=top ALIGN=left>-u 1003</TD>
+++<TD VALIGN=top ALIGN=left>first uid available</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-g</TD>
+++<TD VALIGN=top ALIGN=left>set a gid value</TD>
+++<TD VALIGN=top ALIGN=left>-g 1003</TD>
+++<TD VALIGN=top ALIGN=left>first gid available</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-G</TD>
+++<TD VALIGN=top ALIGN=left>add the new account to one or several supplementary
+++ groups (comma-separated)</TD>
+++<TD VALIGN=top ALIGN=left>-G 512,550</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-d</TD>
+++<TD VALIGN=top ALIGN=left>set the home directory</TD>
+++<TD VALIGN=top ALIGN=left>-d /var/user</TD>
+++<TD VALIGN=top ALIGN=left>$userHomePrefix/user</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-s</TD>
+++<TD VALIGN=top ALIGN=left>set the login shell</TD>
+++<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
+++<TD VALIGN=top ALIGN=left>$userLoginShell</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-c</TD>
+++<TD VALIGN=top ALIGN=left>set the user gecos</TD>
+++<TD VALIGN=top ALIGN=left>-c "admin user"</TD>
+++<TD VALIGN=top ALIGN=left>$userGecos</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-m</TD>
+++<TD VALIGN=top ALIGN=left>creates user's home directory and copies /etc/skel
+++ into it</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-k</TD>
+++<TD VALIGN=top ALIGN=left>set the skeleton dir (with -m)</TD>
+++<TD VALIGN=top ALIGN=left>-k /etc/skel2</TD>
+++<TD VALIGN=top ALIGN=left>$skeletonDir</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-P</TD>
+++<TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's
+++ password</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-A</TD>
+++<TD VALIGN=top ALIGN=left>user can change password ? 0 if no, 1 if yes</TD>
+++<TD VALIGN=top ALIGN=left>-A 1</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-B</TD>
+++<TD VALIGN=top ALIGN=left>user must change password at first session ? 0 if no, 1
+++ if yes</TD>
+++<TD VALIGN=top ALIGN=left>-B 1</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-C</TD>
+++<TD VALIGN=top ALIGN=left>set the samba home share</TD>
+++<TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD>
+++<TD VALIGN=top ALIGN=left>$userSmbHome</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-D</TD>
+++<TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD>
+++<TD VALIGN=top ALIGN=left>-D H:</TD>
+++<TD VALIGN=top ALIGN=left>$userHomeDrive</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-E</TD>
+++<TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD>
+++<TD VALIGN=top ALIGN=left>-E common.bat</TD>
+++<TD VALIGN=top ALIGN=left>$userScript</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-F</TD>
+++<TD VALIGN=top ALIGN=left>set the profile directory</TD>
+++<TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD>
+++<TD VALIGN=top ALIGN=left>$userProfile</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-H</TD>
+++<TD VALIGN=top ALIGN=left>set the samba account control bits
+++ like'[NDHTUMWSLKI]'</TD>
+++<TD VALIGN=top ALIGN=left>-H [X]</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-N</TD>
+++<TD VALIGN=top ALIGN=left>set the canonical name of the user</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-S</TD>
+++<TD VALIGN=top ALIGN=left>set the surname of the user</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-M</TD>
+++<TD VALIGN=top ALIGN=left>local mailAddress (comma seperated)</TD>
+++<TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-T</TD>
+++<TD VALIGN=top ALIGN=left>forward mail address (comma seperated)</TD>
+++<TD VALIGN=top ALIGN=left>-T
+++ testuser@domain.org</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR></TABLE>
+++ </DIV>
+++ <BR>
+++<DIV ALIGN=center>Table 2: Options available to the <TT>smbldap-useradd</TT> script</DIV><BR>
+++
+++ <A NAME="table::add::user"></A>
+++<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
+++
+++For example, if you want to add a user named <I>user_admin</I> and who :
+++<UL><LI>
+++is a windows user
+++<LI>must belong to the group of gid=512 ('Domain Admins' group)
+++<LI>has a home directory
+++<LI>does not have a login shell
+++<LI>has a homeDirectory set to /dev/null
+++<LI>does not have a roaming profile
+++<LI>and for whom we want to set a first login password
+++</UL>
+++you must invoke:
+++<PRE>
+++smbldap-useradd -a -G 512 -m -s /bin/false -d /dev/null -F "" -P user_admin
+++</PRE>
+++<!--TOC subsubsection Removing a user-->
+++
+++<H4><A NAME="htoc17">4.2.2</A>&nbsp;&nbsp;Removing a user</H4><!--SEC END -->
+++
+++To remove a user account, use the <TT>smbldap-userdel</TT> script.
+++Available options are
+++<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
+++ <DIV ALIGN=center>
+++ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
+++<TR><TD ALIGN=left NOWRAP>option</TD>
+++<TD ALIGN=left NOWRAP>definition</TD>
+++</TR>
+++<TR><TD ALIGN=left NOWRAP>-r</TD>
+++<TD ALIGN=left NOWRAP>remove home directory</TD>
+++</TR>
+++<TR><TD ALIGN=left NOWRAP>-R</TD>
+++<TD ALIGN=left NOWRAP>remove home directory interactively</TD>
+++</TR></TABLE>
+++ </DIV>
+++ <BR>
+++<DIV ALIGN=center>Table 3: Option available to the <TT>smbldap-userdel</TT> script</DIV><BR>
+++
+++ <A NAME="table::del::user"></A>
+++<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
+++For example, if you want to remove the <I>user1</I> account
+++from the LDAP directory, and if you also want to delete his home
+++directory, use the following command :
+++<PRE>
+++smbldap-userdel -r user1
+++</PRE>
+++Note: '-r' is dangerous as it may delete precious and unbackuped data,
+++please be careful.<BR>
+++<BR>
+++<!--TOC subsubsection Modifying a user-->
+++
+++<H4><A NAME="htoc18">4.2.3</A>&nbsp;&nbsp;Modifying a user</H4><!--SEC END -->
+++<A NAME="modify::user"></A>
+++To modify a user account, use the <TT>smbldap-usermod</TT> script.
+++Availables options are listed in the table <A HREF="#table::modify::user">4</A>.
+++<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
+++ <DIV ALIGN=center>
+++ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
+++<TR><TD VALIGN=top ALIGN=left>option</TD>
+++<TD VALIGN=top ALIGN=left>definition</TD>
+++<TD VALIGN=top ALIGN=left>example</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-c</TD>
+++<TD VALIGN=top ALIGN=left>set the user gecos</TD>
+++<TD VALIGN=top ALIGN=left>-c "admin user"</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-d</TD>
+++<TD VALIGN=top ALIGN=left>set the home directory</TD>
+++<TD VALIGN=top ALIGN=left>-d /var/user</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-u</TD>
+++<TD VALIGN=top ALIGN=left>set a uid value</TD>
+++<TD VALIGN=top ALIGN=left>-u 1003</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-g</TD>
+++<TD VALIGN=top ALIGN=left>set a gid value</TD>
+++<TD VALIGN=top ALIGN=left>-g 1003</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-G</TD>
+++<TD VALIGN=top ALIGN=left>add the new account to one or several supplementary
+++ groups (comma-separated)</TD>
+++<TD VALIGN=top ALIGN=left>-G 512,550</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>	</TD>
+++<TD VALIGN=top ALIGN=left>			</TD>
+++<TD VALIGN=top ALIGN=left>-G -512,550</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>	</TD>
+++<TD VALIGN=top ALIGN=left>			</TD>
+++<TD VALIGN=top ALIGN=left>-G +512,550</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-s</TD>
+++<TD VALIGN=top ALIGN=left>set the login shell</TD>
+++<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-N</TD>
+++<TD VALIGN=top ALIGN=left>set the canonical name of the user</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-S</TD>
+++<TD VALIGN=top ALIGN=left>set the surname of the user</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-P</TD>
+++<TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's password</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-a</TD>
+++<TD VALIGN=top ALIGN=left>add sambaSAMAccount objectclass</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-e</TD>
+++<TD VALIGN=top ALIGN=left>set an expiration date for the password (format: YYYY-MM-DD HH:MM:SS)</TD>
+++<TD VALIGN=top ALIGN=left>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-A</TD>
+++<TD VALIGN=top ALIGN=left>user can change password ? 0 if no, 1 if yes</TD>
+++<TD VALIGN=top ALIGN=left>-A 1</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-B</TD>
+++<TD VALIGN=top ALIGN=left>user must change password at first session ? 0 if no, 1
+++ if yes</TD>
+++<TD VALIGN=top ALIGN=left>-B 1</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-C</TD>
+++<TD VALIGN=top ALIGN=left>set the samba home share</TD>
+++<TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>	</TD>
+++<TD VALIGN=top ALIGN=left>	</TD>
+++<TD VALIGN=top ALIGN=left>-C ""</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-D</TD>
+++<TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD>
+++<TD VALIGN=top ALIGN=left>-D H:</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>	</TD>
+++<TD VALIGN=top ALIGN=left>	</TD>
+++<TD VALIGN=top ALIGN=left>-D ""</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-E</TD>
+++<TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD>
+++<TD VALIGN=top ALIGN=left>-E common.bat</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>	</TD>
+++<TD VALIGN=top ALIGN=left>	</TD>
+++<TD VALIGN=top ALIGN=left>-E ""</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-F</TD>
+++<TD VALIGN=top ALIGN=left>set the profile directory</TD>
+++<TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>	</TD>
+++<TD VALIGN=top ALIGN=left>	</TD>
+++<TD VALIGN=top ALIGN=left>-F ""</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-H</TD>
+++<TD VALIGN=top ALIGN=left>set the samba account control bits like'[NDHTUMWSLKI]'</TD>
+++<TD VALIGN=top ALIGN=left>-H [X]</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-I</TD>
+++<TD VALIGN=top ALIGN=left>disable a user account</TD>
+++<TD VALIGN=top ALIGN=left>-I 1</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-J</TD>
+++<TD VALIGN=top ALIGN=left>enable a user</TD>
+++<TD VALIGN=top ALIGN=left>-J 1</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-M</TD>
+++<TD VALIGN=top ALIGN=left>local mailAddress (comma seperated)</TD>
+++<TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-T</TD>
+++<TD VALIGN=top ALIGN=left>forward mail address (comma seperated)</TD>
+++<TD VALIGN=top ALIGN=left>-T
+++ testuser@domain.org</TD>
+++</TR></TABLE>
+++ </DIV>
+++ <BR>
+++<DIV ALIGN=center>Table 4: Options available to the <TT>smbldap-usermod</TT> script</DIV><BR>
+++
+++ <A NAME="table::modify::user"></A>
+++<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
+++You can also use the <TT>smbldap-userinfo</TT> script to update user's information. This script can
+++also be used by users themselves to update their own informations listed in the tables
+++<A HREF="#table::modify::self::user">5</A> (adequats ACL must be set in the directory server). Available
+++options are&nbsp;:
+++<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
+++ <DIV ALIGN=center>
+++ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
+++<TR><TD VALIGN=top ALIGN=left>option</TD>
+++<TD VALIGN=top ALIGN=left>definition</TD>
+++<TD VALIGN=top ALIGN=left>example</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-f</TD>
+++<TD VALIGN=top ALIGN=left>set the full name's user</TD>
+++<TD VALIGN=top ALIGN=left>-f MyName</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-r</TD>
+++<TD VALIGN=top ALIGN=left>set the room number</TD>
+++<TD VALIGN=top ALIGN=left>-r 99</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-w</TD>
+++<TD VALIGN=top ALIGN=left>set the work phone number</TD>
+++<TD VALIGN=top ALIGN=left>-w 111111111</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-h</TD>
+++<TD VALIGN=top ALIGN=left>set the home phone number</TD>
+++<TD VALIGN=top ALIGN=left>-h 222222222</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-o</TD>
+++<TD VALIGN=top ALIGN=left>set other information (in gecos definition)</TD>
+++<TD VALIGN=top ALIGN=left>-o "second stage"</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left>-s</TD>
+++<TD VALIGN=top ALIGN=left>set the default bash</TD>
+++<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
+++</TR></TABLE>
+++ </DIV>
+++ <BR>
+++<DIV ALIGN=center>Table 5: Options available to the <TT>smbldap-userinfo</TT> script</DIV><BR>
+++
+++ <A NAME="table::modify::self::user"></A>
+++<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
+++<!--TOC subsection Group management-->
+++
+++<H3><A NAME="htoc19">4.3</A>&nbsp;&nbsp;Group management</H3><!--SEC END -->
+++
+++<!--TOC subsubsection Adding a group-->
+++
+++<H4><A NAME="htoc20">4.3.1</A>&nbsp;&nbsp;Adding a group</H4><!--SEC END -->
+++
+++To add a new group in the LDAP directory, use the <TT>smbldap-groupadd</TT>
+++script. Available options are listed in the table
+++<A HREF="#table::add::group">6</A>.
+++<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
+++ <DIV ALIGN=center>
+++ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
+++<TR><TD VALIGN=top ALIGN=left NOWRAP>option</TD>
+++<TD VALIGN=top ALIGN=left>definition</TD>
+++<TD VALIGN=top ALIGN=left NOWRAP>example</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left NOWRAP>-a</TD>
+++<TD VALIGN=top ALIGN=left>add automatic group mapping entry</TD>
+++<TD VALIGN=top ALIGN=left NOWRAP>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left NOWRAP>-g <TT>gid</TT></TD>
+++<TD VALIGN=top ALIGN=left>set the <I>gidNumer</I> for this group to
+++ <I>gid</I></TD>
+++<TD VALIGN=top ALIGN=left NOWRAP><TT>-g 1002</TT></TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left NOWRAP>-o</TD>
+++<TD VALIGN=top ALIGN=left>gidNumber is not unique</TD>
+++<TD VALIGN=top ALIGN=left NOWRAP>&nbsp;</TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left NOWRAP>-r <TT>group-rid</TT></TD>
+++<TD VALIGN=top ALIGN=left>set the rid of the group to
+++ <I>group-rid</I></TD>
+++<TD VALIGN=top ALIGN=left NOWRAP><TT>-r 1002</TT></TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left NOWRAP>-s <TT>group-sid</TT></TD>
+++<TD VALIGN=top ALIGN=left>set the sid of the group to
+++ <I>group-sid</I></TD>
+++<TD VALIGN=top ALIGN=left NOWRAP><TT><FONT SIZE=1>-s
+++ S-1-5-21-3703471949-3718591838-2324585696-1002</FONT></TT></TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left NOWRAP>-t <TT>group-type</TT></TD>
+++<TD VALIGN=top ALIGN=left>set the <I>sambaGroupType</I> to
+++ <I>group-type</I></TD>
+++<TD VALIGN=top ALIGN=left NOWRAP><TT>-t 2</TT></TD>
+++</TR>
+++<TR><TD VALIGN=top ALIGN=left NOWRAP>-p</TD>
+++<TD VALIGN=top ALIGN=left>print the gidNumber to stdout</TD>
+++<TD VALIGN=top ALIGN=left NOWRAP>&nbsp;</TD>
+++</TR></TABLE>
+++ </DIV>
+++ <BR>
+++<DIV ALIGN=center>Table 6: Options available for the <TT>smbldap-groupadd</TT> script</DIV><BR>
+++
+++ <A NAME="table::add::group"></A>
+++<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
+++<!--TOC subsubsection Removing a group-->
+++
+++<H4><A NAME="htoc21">4.3.2</A>&nbsp;&nbsp;Removing a group</H4><!--SEC END -->
+++
+++To remove the group named <TT>group1</TT>, just use the following
+++command :
+++<PRE>
+++smbldap-userdel group1
+++</PRE>
+++<!--TOC subsection Adding a interdomain trust account-->
+++
+++<H3><A NAME="htoc22">4.4</A>&nbsp;&nbsp;Adding a interdomain trust account</H3><!--SEC END -->
+++<A NAME="trust::account"></A>
+++To add an interdomain trust account to the primary controller <I>trust-pdc</I>, use the <TT>-i</TT> option of
+++<TT>smbldap-useradd</TT> as follows :
+++<PRE>
+++[root@etoile root]# smbldap-useradd -i trust-pdc
+++New password : *******
+++Retype new password : *******
+++</PRE>
+++The script will terminate asking for a password for this trust
+++account. The account will be created in the directory branch where
+++all computer accounts are stored (<TT>ou=Computers</TT> by
+++default). The only two particularities of this account are that you are
+++setting a password for this account, and the flags of this account are
+++<TT>[I          ]</TT>.
+++ <!--TOC section Samba and the smbldap-tools scripts-->
+++
+++<H2><A NAME="htoc23">5</A>&nbsp;&nbsp;Samba and the smbldap-tools scripts</H2><!--SEC END -->
+++
+++<!--TOC subsection General configuration-->
+++
+++<H3><A NAME="htoc24">5.1</A>&nbsp;&nbsp;General configuration</H3><!--SEC END -->
+++
+++Samba can be configured to use the <FONT COLOR=purple>smbldap-tools</FONT> scripts. This allows
+++administrators to add, delete or modify user and group accounts for <FONT COLOR=purple>Microsoft Windows</FONT>
+++operating systems using, for example, User Manager utility under MS-Windows.
+++To enable the use of this utility, samba needs to be configured correctly. The
+++<TT>smb.conf</TT> configuration file must contain the following directives :
+++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
+++<TR><TD><TABLE BORDER=0 CELLPADDING=0
+++ CELLSPACING=0>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
+++<TR><TD><PRE>
+++ldap delete dn = Yes
+++add user script = /usr/local/sbin/smbldap-useradd -m "%u"
+++add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
+++add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
+++add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
+++delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
+++set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
+++</PRE></TD>
+++</TR></TABLE></TD>
+++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR></TABLE></TD>
+++</TR></TABLE><BR>
+++Remark: the two directives <TT>delete user script</TT> et <TT>delete group
+++script</TT> can also be used. However, an error message can appear in User Manager
+++even if the operations actually succeed.
+++If you want to enable this behaviour, you need to add
+++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
+++<TR><TD><TABLE BORDER=0 CELLPADDING=0
+++ CELLSPACING=0>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
+++<TR><TD><PRE>
+++delete user script = /usr/local/sbin/smbldap-userdel "%u"
+++delete group script = /usr/local/sbin/smbldap-groupdel "%g"
+++</PRE></TD>
+++</TR></TABLE></TD>
+++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR></TABLE></TD>
+++</TR></TABLE><BR>
+++<!--TOC subsection Migrating an NT4 PDC to Samba3-->
+++
+++<H3><A NAME="htoc25">5.2</A>&nbsp;&nbsp;Migrating an NT4 PDC to Samba3</H3><!--SEC END -->
+++
+++The account migration procedure becomes really simple when samba is configured to use
+++the <FONT COLOR=purple>smbldap-tools</FONT>. Samba configuration (smb.conf file) must contain the
+++directive defined above to properly call the script for managing users, groups and computer accounts.
+++The migration process is outlined in the chapter 30 of the samba howto
+++<A HREF="http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html"><TT>http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html</TT></A>.
+++ <BR>
+++<BR>
+++<!--TOC section Frequently Asked Questions-->
+++
+++<H2><A NAME="htoc26">6</A>&nbsp;&nbsp;Frequently Asked Questions</H2><!--SEC END -->
+++
+++<!--TOC subsection How can i use old released uidNumber and gidNumber ?-->
+++
+++<H3><A NAME="htoc27">6.1</A>&nbsp;&nbsp;How can i use old released uidNumber and gidNumber ?</H3><!--SEC END -->
+++
+++There are two way to do this :
+++<UL><LI>
+++modify the <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> and
+++ change the <TT>uidNumber</TT> and/or <TT>gidNumber</TT> value. This
+++ must be done manually. For example, if you want to use all available
+++ uidNumber and gidNumber higher then 1500, you need to create a
+++ <TT>update-NextFreeUnixId.ldif</TT> file containing :
+++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
+++<TR><TD><TABLE BORDER=0 CELLPADDING=0
+++ CELLSPACING=0>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
+++<TR><TD><PRE>dn: cn=NextFreeUnixId,dc=idealx,dc=org
+++changetype: modify
+++uidNumber: 1500
+++gidNumber: 1500
+++</PRE></TD>
+++</TR></TABLE></TD>
+++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR></TABLE></TD>
+++</TR></TABLE>
+++and then update the directory :
+++<PRE>
+++ldapmodify -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f update-NextFreeUnixId.ldif
+++</PRE><LI>use the <TT>-u</TT> or <TT>-g</TT> option to the script you need to set the value you
+++ want to use
+++</UL>
+++<!--TOC subsection I always have this error: "Can't locate IO/Socket/SSL.pm"-->
+++
+++<H3><A NAME="htoc28">6.2</A>&nbsp;&nbsp;I always have this error: "Can't locate IO/Socket/SSL.pm"</H3><!--SEC END -->
+++
+++This happens when you want to use a certificate. In this case, you need to install the
+++IO-Socket-SSL Perl module.<BR>
+++<BR>
+++<!--TOC subsection I can't initialize the directory with <TT>smbldap-populate</TT>-->
+++
+++<H3><A NAME="htoc29">6.3</A>&nbsp;&nbsp;I can't initialize the directory with <TT>smbldap-populate</TT></H3><!--SEC END -->
+++
+++When I want to initialize the directory using the <TT>smbldap-populate</TT>
+++script, I get
+++<PRE>
+++[root@slave sbin]# smbldap-populate.pl
+++  Using builtin directory structure
+++  adding new entry: dc=IDEALX,dc=COM
+++  Can't call method "code" without a package or object reference at
+++  /usr/local/sbin/smbldap-populate.pl line 270, &lt;GEN1&gt; line 2.
+++</PRE>Answer: check the TLS configuration
+++<UL><LI>
+++if you don't want to use TLS support, set the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file
+++with
+++<PRE>
+++ldapSSL="0"
+++</PRE><LI>if you want TLS support, set the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file with
+++<PRE>
+++ldapSSL="1"
+++</PRE>and check that the directory server is configured to accept TLS connections.
+++</UL>
+++<!--TOC subsection I can't join the domain with the <TT>root</TT> account-->
+++
+++<H3><A NAME="htoc30">6.4</A>&nbsp;&nbsp;I can't join the domain with the <TT>root</TT> account</H3><!--SEC END -->
+++
+++<UL><LI>
+++check that the root account has the sambaSamAccount objectclass
+++<LI>check that the directive <TT>add machine script</TT> is present and configured
+++</UL>
+++<!--TOC subsection I have the <TT>sambaSamAccount</TT> but i can't logged in-->
+++
+++<H3><A NAME="htoc31">6.5</A>&nbsp;&nbsp;I have the <TT>sambaSamAccount</TT> but i can't logged in</H3><!--SEC END -->
+++
+++Check that the <TT>sambaPwdLastSet</TT> attribute is not null (equal to 0)<BR>
+++<BR>
+++<!--TOC subsection I want to create machine account on the fly, but it does
+++ not works or I must do it twice-->
+++
+++<H3><A NAME="htoc32">6.6</A>&nbsp;&nbsp;I want to create machine account on the fly, but it does
+++ not works or I must do it twice</H3><!--SEC END -->
+++
+++<UL><LI>
+++The script defined with the <TT>add machine script</TT> must not add
+++the <TT>sambaSAMAccount</TT> objectclass of the machine account. The
+++script must only add the Posix machine account. Samba will add the <TT>sambaSAMAccount</TT> when
+++joining the domain.
+++<LI>Check that the <TT>add <B>machine</B> script</TT> is present in samba
+++ configuration file.
+++</UL>
+++<!--TOC subsection I can't manage the Oracle Internet Database-->
+++
+++<H3><A NAME="htoc33">6.7</A>&nbsp;&nbsp;I can't manage the Oracle Internet Database</H3><!--SEC END -->
+++
+++If you have an error message like :
+++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
+++<TR><TD><TABLE BORDER=0 CELLPADDING=0
+++ CELLSPACING=0>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
+++<TR><TD><PRE>
+++Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 187.
+++Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 627.
+++</PRE></TD>
+++</TR></TABLE></TD>
+++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR></TABLE></TD>
+++</TR></TABLE>For Oracle Database, all attributes that will be resquested to the directory must be indexed. Add a
+++new index for samba attributes and make sure that the following attributes are also indexed :
+++ uidNumber, gidNumber, memberUid, homedirectory, description, userPassword ...<BR>
+++<BR>
+++<!--TOC subsection The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
+++called, or i got a error message when changing the password from windows-->
+++
+++<H3><A NAME="htoc34">6.8</A>&nbsp;&nbsp;The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
+++called, or i got a error message when changing the password from windows</H3><!--SEC END -->
+++
+++The directive is called if you also set <TT>unix password sync = Yes</TT>.
+++Notes:
+++<UL><LI>
+++if you use OpenLDAP, none of those two options are needed. You just need <TT>ldap
+++passwd sync = Yes</TT>.
+++<LI>the script called here must only update the <TT>userPassword</TT> attribute. This is the
+++reason of the <TT>-u</TT> option. Samba passwords will be updated by samba itself.
+++<LI>the <TT>passwd chat</TT> directive must match what is prompted when using the
+++<TT>smbldap-passwd</TT> command
+++</UL>
+++<!--TOC subsection New computers account can't be set in ou=computers-->
+++
+++<H3><A NAME="htoc35">6.9</A>&nbsp;&nbsp;New computers account can't be set in ou=computers</H3><!--SEC END -->
+++<A NAME="sec::bug::ou::computer"></A>
+++This is a known samba bug. There's a workarround: look at
+++<A HREF="http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2"><TT>http://marc.theaimsgroup.com/?l=samba&amp;m=108439612826440&amp;w=2</TT></A><BR>
+++<BR>
+++<!--TOC subsection I can join the domain, but i can't log on-->
+++
+++<H3><A NAME="htoc36">6.10</A>&nbsp;&nbsp;I can join the domain, but i can't log on</H3><!--SEC END -->
+++
+++look at section <A HREF="#sec::bug::ou::computer">6.9</A><BR>
+++<BR>
+++<!--TOC subsection I can't create a user with <TT>smbldap-useradd</TT>-->
+++
+++<H3><A NAME="htoc37">6.11</A>&nbsp;&nbsp;I can't create a user with <TT>smbldap-useradd</TT></H3><!--SEC END -->
+++
+++When creating a new user account I get the following error message:
+++<PRE>
+++/usr/local/sbin/smbldap-useradd.pl: unknown group SID not set for unix group 513
+++</PRE>Answer:
+++<UL><LI>
+++is nss_ldap correctly configured ?
+++<LI>is the default group's users mapped to the 'Domain Users' NT group ?
+++<PRE>
+++net groupmap add rid=513 unixgroup="Domain Users" ntgroup="Domain Users"
+++</PRE></UL>
+++<!--TOC subsection smbldap-useradd: Can't call method "get_value" on an undefined value at
+++/usr/local/sbin/smbldap-useradd line 154-->
+++
+++<H3><A NAME="htoc38">6.12</A>&nbsp;&nbsp;smbldap-useradd: Can't call method "get_value" on an undefined value at
+++/usr/local/sbin/smbldap-useradd line 154</H3><!--SEC END -->
+++
+++<UL><LI>
+++does the default group defined in smbldap.conf exist
+++ (defaultUserGid="513") ?
+++<LI>does the NT "Domain Users" group mapped to a unix
+++ group of rid 513 (see option <I>-r</I> of <TT>smbldap-groupadd</TT> and
+++ <TT>smbldap-groupmod</TT> to set a rid) ?
+++</UL>
+++<!--TOC subsection Typical errors on creating a new user or a new group-->
+++
+++<H3><A NAME="htoc39">6.13</A>&nbsp;&nbsp;Typical errors on creating a new user or a new group</H3><!--SEC END -->
+++<A NAME="faq::error::add::user"></A>
+++<UL><LI>
+++i've got the following error:
+++<PRE>
+++Could not find base dn, to get next uidNumber at /usr/local/sbin//smbldap_tools.pm line 909
+++</PRE><OL type=1><LI>
+++	you do not have created the object to defined the next uidNumber and gidNumber available.
+++	<UL><LI>
+++	for version 0.8.7&nbsp;: you can just run the <TT>smbldap-populate</TT> script that will
+++		update the sambaDomain entry to store those informations
+++	<LI>for version before 0.8.7&nbsp;:
+++	You have updated the smbldap-tools to version 0.8.5 or newer.
+++	You have to do this manually. Create an file called <TT>add.ldif</TT> and containing
+++<PRE>
+++dn: cn=NextFreeUnixId,dc=idealx,dc=org
+++objectClass: inetOrgPerson
+++objectClass: sambaUnixIdPool
+++uidNumber: 1000
+++gidNumber: 1000
+++cn: NextFreeUnixId
+++sn: NextFreeUnixId
+++</PRE>	and then add the object with the ldapadd utility:
+++<PRE>
+++$ ldapadd -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f add.ldif
+++</PRE>	Here, 1000 is the first available value for uidNumber and gidNumber (of course, if this value is
+++	already used by a user or a group, the first available after 1000 will be used).
+++	</UL><BR>
+++<BR>
+++<LI>The error also appear when there is a need for TLS (ldapTLS=1 in <TT>smbldap.conf</TT>) and
+++something is wrong with certificate naming or path settings.
+++</OL><BR>
+++<BR>
+++<LI>i've got the following error:
+++<PRE>
+++Use of uninitialized value in string at
+++/usr/local/sbin//smbldap\_tools.pm line 914.
+++Error: No DN specified at /usr/local/sbin//smbldap\_tools.pm line 919
+++</PRE>You have not updated the configuration file to defined the object where are sotred the next
+++uidNumber and gidNumber available. In our example, you have to add a nex entry in
+++<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I> containing :
+++<PRE>
+++# Where to store next uidNumber and gidNumber available
+++sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
+++</PRE>btw, a new option is now available too: the domain to append to users. You can add to the
+++configuration file the following lines:
+++<PRE>
+++# Domain appended to the users "mail"-attribute
+++# when smbldap-useradd -M is used mailDomain="idealx.com"
+++</PRE><BR>
+++<BR>
+++<LI>i've got the following error:
+++<PRE>
+++Use of uninitialized value in concatenation (.) or string at /usr/local/sbin/smbldap-useradd line 183.
+++Use of uninitialized value in substitution (s///) at /usr/local/sbin/smbldap-useradd line 185.
+++Use of uninitialized value in string at /usr/local/sbin/smbldap-useradd line 264.
+++failed to add entry: homedirectory: value #0 invalid per syntax at /usr/local/sbin/smbldap-useradd line 280.
+++userHomeDirectory=User "jto" already member of the group "513".
+++failed to add entry: No such object at /usr/local/sbin/smbldap-useradd line 382.
+++</PRE>you have to change the variable name <TT>userHomePrefix</TT> to <TT>userHome</TT> in
+++<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I><BR>
+++<BR>
+++<LI>i've got the following error:
+++<PRE>
+++failed to add entry: referral missing at /usr/local/sbin/smbldap-useradd line 279, &lt;DATA&gt; line 283.
+++</PRE>you have to update the configuration file that defined users, groups and computers dn. Those
+++parameters must not be relative to the <TT>suffix</TT> parameter. A typical
+++configuration look like this :
+++<PRE>
+++usersdn="ou=Users,${suffix}"
+++computersdn="ou=Computers,${suffix}"
+++groupsdn="ou=Groups,${suffix}"
+++</PRE><BR>
+++<BR>
+++<LI>i've got the following error:
+++<PRE>
+++erreur LDAP: Can't contact master ldap server (IO::Socket::INET: Bad protocol 'tcp')
+++at /usr/local/sbin//smbldap_tools.pm line 153.
+++</PRE>remove <I>ldap</I> from <I>/etc/nsswitch.conf</I> for <I>services</I> list of possible check. For
+++example, if your ldap directory is not configured to give services information, you must have
+++<PRE>
+++services    files
+++</PRE>and not
+++<PRE>
+++services:   ldap [NOTFOUND=return] files
+++</PRE></UL>
+++
+++
+++<!--TOC section Thanks-->
+++
+++<H2><A NAME="htoc40">7</A>&nbsp;&nbsp;Thanks</H2><!--SEC END -->
+++
+++<A NAME="thanks"></A>
+++People who have worked on this document are
+++<UL><LI>
+++Jérôme Tournier &lt;jerome.tournier@IDEALX.com&gt;
+++<LI>David Barth &lt;david.barth@IDEALX.com&gt;
+++<LI>Nat Makarevitch &lt;nat@IDEALX.com&gt;
+++</UL>
+++The authors would like to thank the following people for providing help with
+++some of the more complicated subjects, for clarifying some of the internal
+++workings of <FONT COLOR=purple>Samba</FONT> or <FONT COLOR=purple>OpenLDAP</FONT>, for pointing out errors or mistakes in
+++previous versions of this document, or generally for making
+++suggestions :
+++<UL><LI>
+++IDEALX team :
+++ <UL><LI>
+++ Roméo Adekambi &lt;romeo.adekambi@IDEALX.com&gt;
+++ <LI>Aurelien Degremont &lt;adegremont@IDEALX.com&gt;
+++ <LI>Renaud Renard &lt;rrenard@IDEALX.com&gt;
+++ </UL>
+++<LI>John H Terpstra &lt;jht@samba.org&gt;
+++</UL>
+++ <!--TOC section Annexes-->
+++
+++<H2><A NAME="htoc41">8</A>&nbsp;&nbsp;Annexes</H2><!--SEC END -->
+++
+++<!--TOC subsection Full configuration files-->
+++
+++<H3><A NAME="htoc42">8.1</A>&nbsp;&nbsp;Full configuration files</H3><!--SEC END -->
+++<A NAME="configuration::files"></A>
+++<!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file-->
+++
+++<H4><A NAME="htoc43">8.1.1</A>&nbsp;&nbsp;The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</H4><!--SEC END -->
+++<A NAME="configuration::file::smbldap"></A>
+++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
+++<TR><TD><TABLE BORDER=0 CELLPADDING=0
+++ CELLSPACING=0>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
+++<TR><TD><PRE># $Source: $
+++# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
+++#
+++# smbldap-tools.conf : Q &amp; D configuration file for smbldap-tools
+++
+++#  This code was developped by IDEALX (http://IDEALX.org/) and
+++#  contributors (their names can be found in the CONTRIBUTORS file).
+++#
+++#                 Copyright (C) 2001-2002 IDEALX
+++#
+++#  This program is free software; you can redistribute it and/or
+++#  modify it under the terms of the GNU General Public License
+++#  as published by the Free Software Foundation; either version 2
+++#  of the License, or (at your option) any later version.
+++#
+++#  This program is distributed in the hope that it will be useful,
+++#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+++#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+++#  GNU General Public License for more details.
+++#
+++#  You should have received a copy of the GNU General Public License
+++#  along with this program; if not, write to the Free Software
+++#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+++#  USA.
+++
+++#  Purpose :
+++#       . be the configuration file for all smbldap-tools scripts
+++
+++##############################################################################
+++#
+++# General Configuration
+++#
+++##############################################################################
+++
+++# Put your own SID. To obtain this number do: "net getlocalsid".
+++# If not defined, parameter is taking from "net getlocalsid" return
+++SID="S-1-5-21-2252255531-4061614174-2474224977"
+++
+++# Domain name the Samba server is in charged.
+++# If not defined, parameter is taking from smb.conf configuration file
+++# Ex: sambaDomain="IDEALX-NT"
+++sambaDomain="DOMSMB"
+++
+++##############################################################################
+++#
+++# LDAP Configuration
+++#
+++##############################################################################
+++
+++# Notes: to use to dual ldap servers backend for Samba, you must patch
+++# Samba with the dual-head patch from IDEALX. If not using this patch
+++# just use the same server for slaveLDAP and masterLDAP.
+++# Those two servers declarations can also be used when you have
+++# . one master LDAP server where all writing operations must be done
+++# . one slave LDAP server where all reading operations must be done
+++#   (typically a replication directory)
+++
+++# Slave LDAP server
+++# Ex: slaveLDAP=127.0.0.1
+++# If not defined, parameter is set to "127.0.0.1"
+++slaveLDAP="127.0.0.1"
+++
+++# Slave LDAP port
+++# If not defined, parameter is set to "389"
+++slavePort="389"
+++
+++# Master LDAP server: needed for write operations
+++# Ex: masterLDAP=127.0.0.1
+++# If not defined, parameter is set to "127.0.0.1"
+++masterLDAP="127.0.0.1"
+++
+++# Master LDAP port
+++# If not defined, parameter is set to "389"
+++masterPort="389"
+++
+++# Use TLS for LDAP
+++# If set to 1, this option will use start_tls for connection
+++# (you should also used the port 389)
+++# If not defined, parameter is set to "1"
+++ldapTLS="0"
+++
+++# How to verify the server's certificate (none, optional or require)
+++# see "man Net::LDAP" in start_tls section for more details
+++verify="require"
+++
+++# CA certificate
+++# see "man Net::LDAP" in start_tls section for more details
+++cafile="/etc/smbldap-tools/ca.pem"
+++
+++# certificate to use to connect to the ldap server
+++# see "man Net::LDAP" in start_tls section for more details
+++clientcert="/etc/smbldap-tools/smbldap-tools.pem"
+++
+++# key certificate to use to connect to the ldap server
+++# see "man Net::LDAP" in start_tls section for more details
+++clientkey="/etc/smbldap-tools/smbldap-tools.key"
+++
+++# LDAP Suffix
+++# Ex: suffix=dc=IDEALX,dc=ORG
+++suffix="dc=company,dc=com"
+++
+++# Where are stored Users
+++# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
+++# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
+++usersdn="ou=Users,${suffix}"
+++
+++# Where are stored Computers
+++# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
+++# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
+++computersdn="ou=Computers,${suffix}"
+++
+++# Where are stored Groups
+++# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
+++# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
+++groupsdn="ou=Groups,${suffix}"
+++
+++# Where are stored Idmap entries (used if samba is a domain member server)
+++# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
+++# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
+++idmapdn="ou=Idmap,${suffix}"
+++
+++# Where to store next uidNumber and gidNumber available for new users and groups
+++# If not defined, entries are stored in sambaDomainName object.
+++# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
+++# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
+++sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
+++
+++# Default scope Used
+++scope="sub"
+++
+++# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
+++hash_encrypt="SSHA"
+++
+++# if hash_encrypt is set to CRYPT, you may set a salt format.
+++# default is "%s", but many systems will generate MD5 hashed
+++# passwords if you use "$1$%.8s". This parameter is optional!
+++crypt_salt_format="%s"
+++
+++##############################################################################
+++#
+++# Unix Accounts Configuration
+++#
+++##############################################################################
+++
+++# Login defs
+++# Default Login Shell
+++# Ex: userLoginShell="/bin/bash"
+++userLoginShell="/bin/bash"
+++
+++# Home directory
+++# Ex: userHome="/home/%U"
+++userHome="/home/%U"
+++
+++# Default mode used for user homeDirectory
+++userHomeDirectoryMode="700"
+++
+++# Gecos
+++userGecos="System User"
+++
+++# Default User (POSIX and Samba) GID
+++defaultUserGid="513"
+++
+++# Default Computer (Samba) GID
+++defaultComputerGid="515"
+++
+++# Skel dir
+++skeletonDir="/etc/skel"
+++
+++# Default password validation time (time in days) Comment the next line if
+++# you don't want password to be enable for defaultMaxPasswordAge days (be
+++# careful to the sambaPwdMustChange attribute's value)
+++defaultMaxPasswordAge="45"
+++
+++##############################################################################
+++#
+++# SAMBA Configuration
+++#
+++##############################################################################
+++
+++# The UNC path to home drives location (%U username substitution)
+++# Just set it to a null string if you want to use the smb.conf 'logon home'
+++# directive and/or disable roaming profiles
+++# Ex: userSmbHome="\\PDC-SMB3\%U"
+++userSmbHome="\\PDC-SRV\%U"
+++
+++# The UNC path to profiles locations (%U username substitution)
+++# Just set it to a null string if you want to use the smb.conf 'logon path'
+++# directive and/or disable roaming profiles
+++# Ex: userProfile="\\PDC-SMB3\profiles\%U"
+++userProfile="\\PDC-SRV\profiles\%U"
+++
+++# The default Home Drive Letter mapping
+++# (will be automatically mapped at logon time if home directory exist)
+++# Ex: userHomeDrive="H:"
+++userHomeDrive="H:"
+++
+++# The default user netlogon script name (%U username substitution)
+++# if not used, will be automatically username.cmd
+++# make sure script file is edited under dos
+++# Ex: userScript="startup.cmd" # make sure script file is edited under dos
+++userScript="logon.bat"
+++
+++# Domain appended to the users "mail"-attribute
+++# when smbldap-useradd -M is used
+++# Ex: mailDomain="idealx.com"
+++mailDomain="idealx.com"
+++
+++##############################################################################
+++#
+++# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
+++#
+++##############################################################################
+++
+++# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
+++# prefer Crypt::SmbHash library
+++with_smbpasswd="0"
+++smbpasswd="/usr/bin/smbpasswd"
+++
+++# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
+++# but prefer Crypt:: libraries
+++with_slappasswd="0"
+++slappasswd="/usr/sbin/slappasswd"
+++
+++# comment out the following line to get rid of the default banner
+++# no_banner="1"
+++
+++</PRE></TD>
+++</TR></TABLE></TD>
+++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR></TABLE></TD>
+++</TR></TABLE><BR>
+++<!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file-->
+++
+++<H4><A NAME="htoc44">8.1.2</A>&nbsp;&nbsp;The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</H4><!--SEC END -->
+++<A NAME="configuration::file::smbldap::bind"></A>
+++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
+++<TR><TD><TABLE BORDER=0 CELLPADDING=0
+++ CELLSPACING=0>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
+++<TR><TD><PRE>############################
+++# Credential Configuration #
+++############################
+++# Notes: you can specify two differents configuration if you use a
+++# master ldap for writing access and a slave ldap server for reading access
+++# By default, we will use the same DN (so it will work for standard Samba
+++# release)
+++slaveDN="cn=Manager,dc=company,dc=com"
+++slavePw="secret"
+++masterDN="cn=Manager,dc=company,dc=com"
+++masterPw="secret"
+++
+++</PRE></TD>
+++</TR></TABLE></TD>
+++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR></TABLE></TD>
+++</TR></TABLE><BR>
+++<!--TOC subsubsection The samba configuration file : <TT>/etc/samba/smb.conf</TT> -->
+++
+++<H4><A NAME="htoc45">8.1.3</A>&nbsp;&nbsp;The samba configuration file : <TT>/etc/samba/smb.conf</TT> </H4><!--SEC END -->
+++
+++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
+++<TR><TD><TABLE BORDER=0 CELLPADDING=0
+++ CELLSPACING=0>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
+++<TR><TD><PRE># Global parameters
+++[global]
+++ workgroup = DOMSMB
+++ netbios name = PDC-SRV
+++ security = user
+++ enable privileges = yes
+++ #interfaces = 192.168.5.11
+++ #username map = /etc/samba/smbusers
+++ server string = Samba Server %v
+++ #security = ads
+++ encrypt passwords = Yes
+++ min passwd length = 3
+++ #pam password change = no
+++ #obey pam restrictions = No
+++
+++ # method 1:
+++ #unix password sync = no
+++ #ldap passwd sync = yes
+++
+++ # method 2:
+++ unix password sync = yes
+++ ldap passwd sync = no
+++ passwd program = /usr/sbin/smbldap-passwd -u "%u"
+++ passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
+++
+++ log level = 0
+++ syslog = 0
+++ log file = /var/log/samba/log.%U
+++ max log size = 100000
+++ time server = Yes
+++ socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
+++ mangling method = hash2
+++ Dos charset = 850
+++ Unix charset = ISO8859-1
+++
+++ logon script = logon.bat
+++ logon drive = H:
+++        logon home =
+++        logon path =
+++
+++ domain logons = Yes
+++ domain master = Yes
+++ os level = 65
+++ preferred master = Yes
+++ wins support = yes
+++ passdb backend = ldapsam:ldap://127.0.0.1/
+++ ldap admin dn = cn=Manager,dc=company,dc=com
+++ #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
+++ ldap suffix = dc=company,dc=com
+++        ldap group suffix = ou=Groups
+++        ldap user suffix = ou=Users
+++        ldap machine suffix = ou=Computers
+++ #ldap idmap suffix = ou=Idmap
+++        add user script = /usr/sbin/smbldap-useradd -m "%u"
+++        #ldap delete dn = Yes
+++        delete user script = /usr/sbin/smbldap-userdel "%u"
+++        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
+++        add group script = /usr/sbin/smbldap-groupadd -p "%g"
+++        #delete group script = /usr/sbin/smbldap-groupdel "%g"
+++        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
+++        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
+++ set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
+++
+++ # printers configuration
+++ #printer admin = @"Print Operators"
+++ load printers = Yes
+++ create mask = 0640
+++ directory mask = 0750
+++ #force create mode = 0640
+++ #force directory mode = 0750
+++ nt acl support = No
+++ printing = cups
+++ printcap name = cups
+++ deadtime = 10
+++ guest account = nobody
+++ map to guest = Bad User
+++ dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
+++ show add printer wizard = yes
+++ ; to maintain capital letters in shortcuts in any of the profile folders:
+++ preserve case = yes
+++ short preserve case = yes
+++ case sensitive = no
+++
+++[netlogon]
+++ path = /home/netlogon/
+++ browseable = No
+++ read only = yes
+++
+++[profiles]
+++ path = /home/profiles
+++ read only = no
+++ create mask = 0600
+++ directory mask = 0700
+++ browseable = No
+++ guest ok = Yes
+++ profile acls = yes
+++ csc policy = disable
+++ # next line is a great way to secure the profiles
+++ #force user = %U
+++ # next line allows administrator to access all profiles
+++ #valid users = %U "Domain Admins"
+++
+++[printers]
+++        comment = Network Printers
+++        #printer admin = @"Print Operators"
+++        guest ok = yes
+++        printable = yes
+++        path = /home/spool/
+++        browseable = No
+++        read only  = Yes
+++        printable = Yes
+++        print command = /usr/bin/lpr -P%p -r %s
+++        lpq command = /usr/bin/lpq -P%p
+++        lprm command = /usr/bin/lprm -P%p %j
+++        # print command = /usr/bin/lpr -U%U@%M -P%p -r %s
+++        # lpq command = /usr/bin/lpq -U%U@%M -P%p
+++        # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
+++        # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
+++        # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
+++        # queuepause command = /usr/sbin/lpc -U%U@%M stop %p
+++        # queueresume command = /usr/sbin/lpc -U%U@%M start %p
+++
+++[print$]
+++        path = /home/printers
+++        guest ok = No
+++        browseable = Yes
+++        read only = Yes
+++        valid users = @"Print Operators"
+++        write list = @"Print Operators"
+++        create mask = 0664
+++        directory mask = 0775
+++
+++[public]
+++ path = /tmp
+++ guest ok = yes
+++ browseable = Yes
+++ writable = yes
+++</PRE></TD>
+++</TR></TABLE></TD>
+++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR></TABLE></TD>
+++</TR></TABLE><BR>
+++<!--TOC subsubsection The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT>-->
+++
+++<H4><A NAME="htoc46">8.1.4</A>&nbsp;&nbsp;The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></H4><!--SEC END -->
+++
+++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
+++<TR><TD><TABLE BORDER=0 CELLPADDING=0
+++ CELLSPACING=0>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
+++<TR><TD><PRE>#
+++# See slapd.conf(5) for details on configuration options.
+++# This file should NOT be world readable.
+++#
+++include  /etc/openldap/schema/core.schema
+++include  /etc/openldap/schema/cosine.schema
+++include  /etc/openldap/schema/inetorgperson.schema
+++include  /etc/openldap/schema/nis.schema
+++include  /etc/openldap/schema/samba.schema
+++
+++schemacheck on
+++
+++# Allow LDAPv2 client connections.  This is NOT the default.
+++allow bind_v2
+++
+++# Do not enable referrals until AFTER you have a working directory
+++# service AND an understanding of referrals.
+++#referral ldap://root.openldap.org
+++
+++pidfile  /var/run/slapd.pid
+++argsfile /var/run/slapd.args
+++
+++# Load dynamic backend modules:
+++# modulepath /usr/sbin/openldap
+++# moduleload back_bdb.la
+++# moduleload back_ldap.la
+++# moduleload back_ldbm.la
+++# moduleload back_passwd.la
+++# moduleload back_shell.la
+++
+++# The next three lines allow use of TLS for encrypting connections using a
+++# dummy test certificate which you can generate by changing to
+++# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
+++# slapd.pem so that the ldap user or group can read it.  Your client software
+++# may balk at self-signed certificates, however.
+++#TLSCertificateFile /etc/openldap/ldap.company.com.pem
+++#TLSCertificateKeyFile /etc/openldap/ldap.company.com.key
+++#TLSCACertificateFile /etc/openldap/ca.pem
+++#TLSCipherSuite :SSLv3
+++
+++# Sample security restrictions
+++# Require integrity protection (prevent hijacking)
+++# Require 112-bit (3DES or better) encryption for updates
+++# Require 63-bit encryption for simple bind
+++# security ssf=1 update_ssf=112 simple_bind=64
+++
+++# Sample access control policy:
+++# Root DSE: allow anyone to read it
+++# Subschema (sub)entry DSE: allow anyone to read it
+++# Other DSEs:
+++#  Allow self write access
+++#  Allow authenticated users read access
+++#  Allow anonymous users to authenticate
+++# Directives needed to implement policy:
+++# access to dn.base="" by * read
+++# access to dn.base="cn=Subschema" by * read
+++# access to *
+++# by self write
+++# by users read
+++# by anonymous auth
+++#
+++# if no access controls are present, the default policy
+++# allows anyone and everyone to read anything but restricts
+++# updates to rootdn.  (e.g., "access to * by * read")
+++#
+++# rootdn can always read and write EVERYTHING!
+++
+++#######################################################################
+++# ldbm and/or bdb database definitions
+++#######################################################################
+++
+++database bdb
+++suffix  "dc=company,dc=com"
+++rootdn  "cn=Manager,dc=company,dc=com"
+++# Cleartext passwords, especially for the rootdn, should
+++# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
+++# Use of strong authentication encouraged.
+++rootpw  secret
+++# rootpw  {crypt}ijFYNcSNctBYg
+++
+++# The database directory MUST exist prior to running slapd AND
+++# should only be accessible by the slapd and slap tools.
+++# Mode 700 recommended.
+++directory /var/lib/ldap
+++lastmod  on
+++
+++# Indices to maintain for this database
+++index objectClass                       eq,pres
+++index ou,cn,sn,mail,givenname    eq,pres,sub
+++index uidNumber,gidNumber,memberUid     eq,pres
+++index loginShell   eq,pres
+++## required to support pdb_getsampwnam
+++index uid                       pres,sub,eq
+++## required to support pdb_getsambapwrid()
+++index displayName               pres,sub,eq
+++index nisMapName,nisMapEntry            eq,pres,sub
+++index   sambaSID                eq,sub
+++index   sambaPrimaryGroupSID   eq
+++index   sambaDomainName         eq
+++index   default                sub
+++
+++
+++# users can authenticate and change their password
+++access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
+++      by dn="cn=Manager,dc=company,dc=com" write
+++      by self write
+++      by anonymous auth
+++      by * none
+++
+++# those 2 parameters must be world readable for password aging to work correctly
+++# (or use a priviledge account in /etc/ldap.conf to bind to the directory)
+++access to attrs=shadowLastChange,shadowMax
+++      by dn="cn=Manager,dc=company,dc=com" write
+++      by self write
+++      by * read
+++
+++
+++# all others attributes are readable to everybody
+++access to *
+++      by * read
+++
+++# Replicas of this database
+++#replogfile /var/lib/ldap/openldap-master-replog
+++#replica host=ldap-1.example.com:389 starttls=critical
+++#     bindmethod=sasl saslmech=GSSAPI
+++#     authcId=host/ldap-master.example.com@EXAMPLE.COM
+++</PRE></TD>
+++</TR></TABLE></TD>
+++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR></TABLE></TD>
+++</TR></TABLE><BR>
+++<!--TOC subsection Changing the administrative account (<TT>ldap admin
+++ dn</TT> in <TT>smb.conf</TT> file)-->
+++
+++<H3><A NAME="htoc47">8.2</A>&nbsp;&nbsp;Changing the administrative account (<TT>ldap admin
+++ dn</TT> in <TT>smb.conf</TT> file)</H3><!--SEC END -->
+++<A NAME="change::manager"></A>
+++If you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
+++account anymore, you can create a dedicated account for Samba and the
+++smbldap-tools scripts. To do
+++this, create an account named <I>samba</I> as follows (see
+++section <A HREF="#add::user">4.2.1</A> for a more detailed syntax) :
+++<PRE>
+++smbldap-useradd -s /bin/false -d /dev/null -P samba
+++</PRE>This command will ask you to set a password for this account. Let's
+++set it to <I>samba</I> for this example.
+++You then need to modify configuration files:
+++<UL><LI>
+++file <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT>
+++ <TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
+++<TR><TD><TABLE BORDER=0 CELLPADDING=0
+++ CELLSPACING=0>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
+++<TR><TD><PRE>
+++    slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
+++    slavePw="samba"
+++    masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
+++    masterPw="samba"
+++  </PRE></TD>
+++</TR></TABLE></TD>
+++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR></TABLE></TD>
+++</TR></TABLE><LI>file <TT>/etc/samba/smb.conf</TT>
+++ <TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
+++<TR><TD><TABLE BORDER=0 CELLPADDING=0
+++ CELLSPACING=0>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
+++<TR><TD><PRE>
+++    ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
+++  </PRE></TD>
+++</TR></TABLE></TD>
+++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR></TABLE></TD>
+++</TR></TABLE>don't forget to also set the samba account password in
+++ <TT>secrets.tdb</TT> file :
+++<PRE>
+++smbpasswd -w samba
+++</PRE><LI>file <TT>/etc/openldap/slapd.conf</TT>: give to the
+++ <I>samba</I> user permissions to modify some attributes: this
+++ user needs to be able to modify all the samba attributes and some
+++ others (uidNumber, gidNumber ...) :
+++ <TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
+++<TR><TD><TABLE BORDER=0 CELLPADDING=0
+++ CELLSPACING=0>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
+++<TR><TD><PRE>
+++# users can authenticate and change their password
+++access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
+++      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+++      by self write
+++      by anonymous auth
+++      by * none
+++# some attributes need to be readable anonymously so that 'id user' can answer correctly
+++access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
+++      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+++      by * read
+++# somme attributes can be writable by users themselves
+++access to attrs=description,telephoneNumber
+++      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+++      by self write
+++      by * read
+++# some attributes need to be writable for samba
+++access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
+++      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+++      by self read
+++      by * none
+++# samba need to be able to create the samba domain account
+++access to dn.base="dc=idealx,dc=com"
+++      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+++      by * none
+++# samba need to be able to create new users account
+++access to dn="ou=Users,dc=idealx,dc=com"
+++      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+++      by * none
+++# samba need to be able to create new groups account
+++access to dn="ou=Groups,dc=idealx,dc=com"
+++      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+++      by * none
+++# samba need to be able to create new computers account
+++access to dn="ou=Computers,dc=idealx,dc=com"
+++      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+++      by * none
+++# this can be omitted but we leave it: there could be other branch
+++# in the directory
+++access to *
+++      by self read
+++      by * none
+++  </PRE></TD>
+++</TR></TABLE></TD>
+++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR>
+++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
+++<TR><TD>
+++ </TD>
+++</TR></TABLE></TD>
+++</TR></TABLE></TD>
+++</TR></TABLE></UL>
+++<!--TOC subsection known bugs-->
+++
+++<H3><A NAME="htoc48">8.3</A>&nbsp;&nbsp;known bugs</H3><!--SEC END -->
+++
+++<UL><LI>
+++Option <I>-B</I> (user must change password) of
+++ <TT>smbldap-useradd</TT> does not have effect: when
+++ <TT>smbldap-passwd</TT> script is called,
+++ <I>sambaPwdMustChange</I> attribute is rewrite.
+++</UL>
+++
+++<!--BEGIN NOTES document-->
+++<HR WIDTH="50%" SIZE=1><DL><DT><A NAME="note1" HREF="#text1"><FONT SIZE=5>1</FONT></A><DD><A HREF="http://IDEALX.com/"><TT>http://IDEALX.com/</TT></A>
+++</DL>
+++<!--END NOTES-->
+++<!--HTMLFOOT-->
+++
+++
+++<DIV class="piedpage">
+++<HR>
+++<P>Documents&nbsp;: Copyright © 2002 IDEALX S.A.S..
+++'IDEALX' is the property of IDEALX.
+++'Samba' is the property of Samba Team. All other trademarks belong to their respective owners.
+++</DIV>
+++
+++<!--ENDHTML-->
+++<!--FOOTER-->
+++<HR SIZE=2>
+++<BLOCKQUOTE><EM>This document was translated from L<sup>A</sup>T<sub>E</sub>X by
+++</EM><A HREF="http://pauillac.inria.fr/~maranget/hevea/index.html"><EM>H<FONT SIZE=2><sup>E</sup></FONT>V<FONT SIZE=2><sup>E</sup></FONT>A</EM></A><EM>.
+++</EM></BLOCKQUOTE>
+++</BODY>
+++</HTML>
 === added file 'debian/patches/0021_smbldap-useradd_flush_nscd_cache.patch'
 --- debian/patches/0021_smbldap-useradd_flush_nscd_cache.patch	1970-01-01 00:00:00 +0000
 +++ debian/patches/0021_smbldap-useradd_flush_nscd_cache.patch	2012-09-21 15:41:28 +0000
@@ -0,0 +1,19 @@
++Description: Force an nss flush to fix failure to join a Windows 7 or Windows 2008 machine to Samba domain
++Forwarded: no
++Author: rdratlos
++Origin: rdratlos, https://bugs.launchpad.net/ubuntu/+source/smbldap-tools/+bug/814898/+attachment/2226951/+files/smbldap-useradd_flush_nscd_cache.patch
++Reviewed-By: Daniel T Chen <crimsun@ubuntu.com>
++Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/smbldap-tools/+bug/814898
++Last-Update: 2011-08-01
++--- a/smbldap-useradd.pl
+++++ b/smbldap-useradd.pl
++@@ -402,6 +402,9 @@
++     }
++
++     $ldap_master->unbind;
+++    # Flush nscd cache to be aligned with the LDAP directory change
+++    system "[ -x /usr/sbin/nscd ] && /usr/sbin/nscd -i passwd 2>/dev/null";
+++    system "[ -x /usr/sbin/nscd ] && /usr/sbin/nscd -i group 2>/dev/null";
++     exit 0;
++ }
++
 === modified file 'debian/patches/series'
 --- debian/patches/series	2012-08-07 20:28:37 +0000
 +++ debian/patches/series	2012-09-21 15:41:28 +0000
@@ -1,1 +1,3 @@
 _debian_nobody.patch
++0020_original_doc_html_index.patch
++0021_smbldap-useradd_flush_nscd_cache.patch
 === added directory 'doc/html'
 === modified file 'smbldap-populate.pl'
 --- smbldap-populate.pl	2012-08-07 20:28:37 +0000
 +++ smbldap-populate.pl	2012-09-21 15:41:28 +0000
@@ -114,7 +114,7 @@
  my $guestUidNumber=$Options{'l'};
  my $guestRid = 501;
  if (!defined($guestUidNumber)) {
--    $guestUidNumber = "65534";
++    $guestUidNumber = "999";
  } else {
      if (defined($algorithmicRidBase)) {
  	## For backward compatibility with smbldap-tools 0.9.6 and older

Ubuntusmbldap-tools package

Merge lp:~l3on/ubuntu/quantal/smbldap-tools/merge into lp:debian/smbldap-tools

Commit Message

Description of the Change

Unmerged revisions

Preview Diff

Subscribers

Ubuntu
smbldap-tools package