Merge lp:~l3on/ubuntu/quantal/smbldap-tools/merge into lp:debian/smbldap-tools
- Merge into sid
3048 lines (+2421/-556) 8 files modified
.pc/0001_debian_nobody.patch/smbldap-populate.pl (+0/-553) .pc/applied-patches (+0/-1) debian/changelog (+28/-0) debian/control (+2/-1) debian/patches/0020_original_doc_html_index.patch (+2369/-0) debian/patches/0021_smbldap-useradd_flush_nscd_cache.patch (+19/-0) debian/patches/series (+2/-0) smbldap-populate.pl (+1/-1) |
Description of the change
Propose merge as filed in:
https:/
Unmerged revisions
- 9. By Leo Iannacone
-
* Merge from debian unstable (LP: #1054130). Remaining chagnes:
- Apply patch from rdratlos to resolve being unable to join a Windows
7 or Windows 2008 machine to a Samba domain due to the use of cached
nss credentials. (LP: #814898)
- 0020_original_doc_html_ index.patch: Add index html file.
* New upstream release (Closes: #647860, #679935, #680939, #681350)
* Previous upstream version closes: #670246
* Bumped standard version (no changes needed) - 8. By Leo Iannacone
-
* Merge from debian unstable (LP: #889308). Remaining changes:
- Apply patch from rdratlos to resolve being unable to join a Windows
7 or Windows 2008 machine to a Samba domain due to the use of cached
nss credentials. (LP: #814898)
- 0020_original_doc_html_ index.patch: Add index html file. - 7. By Daniel T Chen
-
Apply patch from rdratlos to resolve being unable to join a Windows
7 or Windows 2008 machine to a Samba domain due to the use of cached
nss credentials. (LP: #814898)
1 | === removed directory '.pc/0001_debian_nobody.patch' |
2 | === removed file '.pc/0001_debian_nobody.patch/smbldap-populate.pl' |
3 | --- .pc/0001_debian_nobody.patch/smbldap-populate.pl 2012-08-07 20:28:37 +0000 |
4 | +++ .pc/0001_debian_nobody.patch/smbldap-populate.pl 1970-01-01 00:00:00 +0000 |
5 | @@ -1,553 +0,0 @@ |
6 | -#!@PERL_COMMAND@ |
7 | - |
8 | -# $Id: smbldap-populate.pl 121 2011-10-07 05:40:06Z fumiyas $ |
9 | - |
10 | -# This code was developped by Jerome Tournier (jtournier@gmail.com) and |
11 | -# contributors (their names can be found in the CONTRIBUTORS file). |
12 | - |
13 | -# This was first contributed by IDEALX (http://www.opentrust.com/) |
14 | - |
15 | -# This program is free software: you can redistribute it and/or modify |
16 | -# it under the terms of the GNU General Public License as published by |
17 | -# the Free Software Foundation, either version 2 of the License, or |
18 | -# (at your option) any later version. |
19 | -# |
20 | -# This program is distributed in the hope that it will be useful, |
21 | -# but WITHOUT ANY WARRANTY; without even the implied warranty of |
22 | -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
23 | -# GNU General Public License for more details. |
24 | -# |
25 | -# You should have received a copy of the GNU General Public License |
26 | -# along with this program. If not, see <http://www.gnu.org/licenses/>. |
27 | - |
28 | -# Purpose : |
29 | -# . Create an initial LDAP database suitable for Samba 3 |
30 | -# . For lazy people, replace ldapadd (with only an ldif parameter) |
31 | - |
32 | -use strict; |
33 | -use warnings; |
34 | -use FindBin qw($RealBin); |
35 | -use smbldap_tools; |
36 | -use Getopt::Std; |
37 | -use Net::LDAP qw(LDAP_NO_SUCH_OBJECT); |
38 | -use Net::LDAP::LDIF; |
39 | -use Net::LDAP::Entry; |
40 | - |
41 | -my %oc_by_attr = ( |
42 | - "dc" => "dcObject", |
43 | - "o" => "organization", |
44 | - "ou" => "organizationalUnit", |
45 | - "cn" => "organizationalRole", |
46 | - "sambaDomainName" => "sambaDomain", |
47 | -); |
48 | - |
49 | -my %Options; |
50 | - |
51 | -my $ok = getopts('a:b:e:g:i:k:l:m:r:R:u:?', \%Options); |
52 | -if ( (!$ok) || ($Options{'?'}) ) { |
53 | - print_banner; |
54 | - print "Usage: $0 [-abegiklmru?] [ldif]\n"; |
55 | - print " -a user administrator login name (default: root)\n"; |
56 | - print " -b user guest login name (default: nobody)\n"; |
57 | - print " -e file export ldif file\n"; |
58 | - print " -g gidNumber first uidNumber to allocate (default: 1000)\n"; |
59 | - print " -i file import ldif file\n"; |
60 | - print " -k uidNumber administrator's uidNumber (default: 0)\n"; |
61 | - print " -l uidNumber guest's uidNumber (default: 999)\n"; |
62 | - print " -m gidNumber administrator's gidNumber (default: 0)\n"; |
63 | - print " -r ridNumber first sambaNextRid to allocate (default: 1000)\n"; |
64 | - print " -R ridBase sambaAlgorithmicRidBase (none)\n"; |
65 | - print " -u uidNumber first uidNumber to allocate (default: 1000)\n"; |
66 | - print " -? show this help message\n"; |
67 | - |
68 | - exit (1); |
69 | -} |
70 | - |
71 | -# sanity checks |
72 | -my $domain = $config{sambaDomain}; |
73 | -if (! defined $domain) { |
74 | - print STDERR "error: domain name not found !\n"; |
75 | - print STDERR "possible reasons are:\n"; |
76 | - print STDERR ". incorrect 'sambaDomain' parameter in smbldap.conf\n"; |
77 | - print STDERR ". incorrect 'samba_conf' definition in smbldap_tools.pm\n"; |
78 | - die; |
79 | -} |
80 | - |
81 | -my $firstuidNumber=$Options{'u'}; |
82 | -if (!defined($firstuidNumber)) { |
83 | - $firstuidNumber=1000; |
84 | -} |
85 | - |
86 | -my $firstgidNumber=$Options{'g'}; |
87 | -if (!defined($firstgidNumber)) { |
88 | - $firstgidNumber=1000; |
89 | -} |
90 | - |
91 | -my $firstridNumber=$Options{'r'}; |
92 | -if (!defined($firstridNumber)) { |
93 | - $firstridNumber=1000; |
94 | -} |
95 | - |
96 | -my $algorithmicRidBase = $Options{'R'}; |
97 | - |
98 | -my $adminName = $Options{'a'}; |
99 | -if (!defined($adminName)) { |
100 | - $adminName = "root"; |
101 | -} |
102 | - |
103 | -my $guestName = $Options{'b'}; |
104 | -if (!defined($guestName)) { |
105 | - $guestName = "nobody"; |
106 | -} |
107 | - |
108 | -my $adminUidNumber=$Options{'k'}; |
109 | -my $adminRid = 500; |
110 | -if (!defined($adminUidNumber)) { |
111 | - $adminUidNumber = 0; |
112 | -} else { |
113 | - if (defined($algorithmicRidBase)) { |
114 | - ## For backward compatibility with smbldap-tools 0.9.6 and older |
115 | - $adminRid = 2 * $adminUidNumber + $algorithmicRidBase; |
116 | - } |
117 | -} |
118 | - |
119 | -my $guestUidNumber=$Options{'l'}; |
120 | -my $guestRid = 501; |
121 | -if (!defined($guestUidNumber)) { |
122 | - $guestUidNumber = "999"; |
123 | -} else { |
124 | - if (defined($algorithmicRidBase)) { |
125 | - ## For backward compatibility with smbldap-tools 0.9.6 and older |
126 | - $guestRid = 2 * $guestUidNumber + $algorithmicRidBase; |
127 | - } |
128 | -} |
129 | - |
130 | -my $adminGidNumber=$Options{'m'}; |
131 | -if (!defined($adminGidNumber)) { |
132 | - $adminGidNumber = "0"; |
133 | -} |
134 | - |
135 | -print "Populating LDAP directory for domain $domain ($config{SID})\n"; |
136 | - |
137 | -my $entries_iter; |
138 | - |
139 | -if (my $file = $Options{'i'}) { |
140 | - my $ldif = Net::LDAP::LDIF->new($file, "r", onerror => 'undef') or |
141 | - die "Cannot open file: $file: $!"; |
142 | - $entries_iter = sub { |
143 | - return $ldif->read_entry; |
144 | - }; |
145 | -} else { |
146 | - my @entries; |
147 | - my $entry; |
148 | - |
149 | - print "(using builtin directory structure)\n\n"; |
150 | - |
151 | - unless ($config{suffix} =~ /^([^=]+)=([^,]+)/) { |
152 | - die "Cannot extract first attr and value from suffix: $config{suffix}"; |
153 | - } |
154 | - my $suffix_attr = $1; |
155 | - my $suffix_val = $2; |
156 | - my $suffix_oc = $oc_by_attr{$suffix_attr}; |
157 | - if (!defined($suffix_oc)) { |
158 | - die "Cannot determine object class for suffix entry: $config{suffix}"; |
159 | - } |
160 | - |
161 | - $entry = Net::LDAP::Entry->new($config{suffix}, |
162 | - objectClass => $suffix_oc, |
163 | - $suffix_attr => $suffix_val, |
164 | - ); |
165 | - if ($config{suffix} =~ m/(?:^|,)dc=([^,]+)/) { |
166 | - $entry->add( |
167 | - objectClass => "organization", |
168 | - o => $1, |
169 | - ); |
170 | - } |
171 | - push(@entries, $entry); |
172 | - |
173 | - my @config_dn = @config{ |
174 | - qw(usersdn groupsdn computersdn idmapdn sambaDomaindn sambaUnixIdPooldn) |
175 | - }; |
176 | - my %entry_by_dn = (); |
177 | - |
178 | - for my $config_dn (@config_dn) { |
179 | - my $prefix = $config_dn; |
180 | - $prefix =~ s/,\Q$config{suffix}\E$//i; |
181 | - |
182 | - my $dn = $config{suffix}; |
183 | - for my $node (reverse(split(/,/, $prefix))) { |
184 | - $dn = "$node,$dn"; |
185 | - next if ($entry_by_dn{$dn}); |
186 | - |
187 | - unless ($node =~ /^([^=]+)=([^,]*)$/) { |
188 | - die "Cannot extract first attr and value for entry: $dn"; |
189 | - } |
190 | - my $attr = $1; |
191 | - my $val = $2; |
192 | - my $oc = $oc_by_attr{$attr}; |
193 | - if (!defined($oc)) { |
194 | - die "Cannot determine object class for entry: $dn"; |
195 | - } |
196 | - |
197 | - $entry = Net::LDAP::Entry->new($dn, |
198 | - objectClass => $oc, |
199 | - $attr => $val, |
200 | - ); |
201 | - |
202 | - ## Add attribute required by object class |
203 | - $entry->add(sambaSID => $config{SID}) if ($oc eq 'sambaDomain'); |
204 | - $entry->add(sn => $val) if ($oc eq 'inetOrgPerson'); |
205 | - |
206 | - push(@entries, $entry); |
207 | - $entry_by_dn{$dn} = $entry; |
208 | - } |
209 | - } |
210 | - |
211 | - $entry = $entry_by_dn{$config{sambaDomaindn}}; |
212 | - if (defined($algorithmicRidBase)) { |
213 | - $entry->add(sambaAlgorithmicRidBase => $algorithmicRidBase); |
214 | - } else { |
215 | - $entry->add(sambaNextRid => $firstridNumber); |
216 | - } |
217 | - |
218 | - $entry_by_dn{$config{sambaUnixIdPooldn}}->add( |
219 | - objectClass => "sambaUnixIdPool", |
220 | - uidNumber => $firstuidNumber, |
221 | - gidNumber => $firstgidNumber, |
222 | - ); |
223 | - |
224 | - $entry = Net::LDAP::Entry->new("uid=$adminName,$config{usersdn}", |
225 | - objectClass => [qw(top person organizationalPerson inetOrgPerson sambaSAMAccount posixAccount)], |
226 | - uid => $adminName, |
227 | - cn => $adminName, |
228 | - sn => $adminName, |
229 | - gidNumber => $adminGidNumber, |
230 | - uidNumber => $adminUidNumber, |
231 | - ); |
232 | - if ($config{shadowAccount}) { |
233 | - $entry->add(objectClass => "shadowAccount"); |
234 | - } |
235 | - if (defined $config{userHome} and $config{userHome} ne "") { |
236 | - my $userHome=$config{userHome}; |
237 | - $userHome=~s/\%U/$adminName/; |
238 | - $entry->add(homeDirectory => $userHome); |
239 | - } else { |
240 | - $entry->add(homeDirectory => "/nonexistent"); |
241 | - } |
242 | - $entry->add( |
243 | - sambaPwdLastSet => 0, |
244 | - sambaLogonTime => 0, |
245 | - sambaLogoffTime => 2147483647, |
246 | - sambaKickoffTime => 2147483647, |
247 | - sambaPwdCanChange => 0, |
248 | - sambaPwdMustChange => 2147483647, |
249 | - ); |
250 | - if (defined $config{userSmbHome} and $config{userSmbHome} ne "") { |
251 | - my $userSmbHome = $config{userSmbHome}; |
252 | - $userSmbHome =~ s/\%U/$adminName/; |
253 | - $entry->add(sambaHomePath => $userSmbHome); |
254 | - } |
255 | - if (defined $config{userHomeDrive} and $config{userHomeDrive} ne "") { |
256 | - $entry->add(sambaHomeDrive => $config{userHomeDrive}); |
257 | - } |
258 | - if (defined $config{userProfile} and $config{userProfile} ne "") { |
259 | - my $userProfile = $config{userProfile}; |
260 | - $userProfile =~ s/\%U/$adminName/; |
261 | - $entry->add(sambaProfilePath => $userProfile); |
262 | - } |
263 | - $entry->add( |
264 | - sambaPrimaryGroupSID => "$config{SID}-512", |
265 | - sambaLMPassword => "XXX", |
266 | - sambaNTPassword => "XXX", |
267 | - sambaAcctFlags => "[U ]", |
268 | - sambaSID => "$config{SID}-$adminRid", |
269 | - loginShell => "/bin/false", |
270 | - gecos => "Netbios Domain Administrator", |
271 | - ); |
272 | - push(@entries, $entry); |
273 | - |
274 | - $entry = Net::LDAP::Entry->new("uid=$guestName,$config{usersdn}", |
275 | - objectClass => [qw(top person organizationalPerson inetOrgPerson sambaSAMAccount posixAccount)], |
276 | - cn => $guestName, |
277 | - sn => $guestName, |
278 | - gidNumber => 514, |
279 | - uid => $guestName, |
280 | - uidNumber => $guestUidNumber, |
281 | - homeDirectory => "/nonexistent", |
282 | - sambaPwdLastSet => 0, |
283 | - sambaLogonTime => 0, |
284 | - sambaLogoffTime => 2147483647, |
285 | - sambaKickoffTime => 2147483647, |
286 | - sambaPwdCanChange => 0, |
287 | - sambaPwdMustChange => 2147483647, |
288 | - ); |
289 | - if ($config{shadowAccount}) { |
290 | - $entry->add(objectClass => "shadowAccount"); |
291 | - } |
292 | - if (defined $config{userSmbHome} and $config{userSmbHome} ne "") { |
293 | - my $userSmbHome = $config{userSmbHome}; |
294 | - $userSmbHome =~ s/\%U/$guestName/; |
295 | - $entry->add(sambaHomePath => $userSmbHome); |
296 | - } |
297 | - if (defined $config{userHomeDrive} and $config{userHomeDrive} ne "") { |
298 | - $entry->add(sambaHomeDrive => $config{userHomeDrive}); |
299 | - } |
300 | - if (defined $config{userProfile} and $config{userProfile} ne "") { |
301 | - my $userProfile=$config{userProfile}; |
302 | - $userProfile=~s/\%U/$guestName/; |
303 | - $entry->add(sambaProfilePath => $userProfile); |
304 | - } |
305 | - $entry->add( |
306 | - sambaPrimaryGroupSID => "$config{SID}-514", |
307 | - sambaLMPassword => "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", |
308 | - sambaNTPassword => "NO PASSWORDXXXXXXXXXXXXXXXXXXXXX", |
309 | - # account disabled by default |
310 | - sambaAcctFlags => "[NUD ]", |
311 | - sambaSID => "$config{SID}-$guestRid", |
312 | - loginShell => "/bin/false", |
313 | - ); |
314 | - push(@entries, $entry); |
315 | - |
316 | - $entry = Net::LDAP::Entry->new("cn=Domain Admins,$config{groupsdn}", |
317 | - objectClass => [qw(top posixGroup sambaGroupMapping)], |
318 | - cn => "Domain Admins", |
319 | - gidNumber => 512, |
320 | - memberUid => $adminName, |
321 | - description => "Netbios Domain Administrators", |
322 | - sambaSID => "$config{SID}-512", |
323 | - sambaGroupType =>2, |
324 | - displayName => "Domain Admins", |
325 | - ); |
326 | - push(@entries, $entry); |
327 | - |
328 | - $entry = Net::LDAP::Entry->new("cn=Domain Users,$config{groupsdn}", |
329 | - objectClass => [qw(top posixGroup sambaGroupMapping)], |
330 | - cn => "Domain Users", |
331 | - gidNumber => 513, |
332 | - description => "Netbios Domain Users", |
333 | - sambaSID => "$config{SID}-513", |
334 | - sambaGroupType =>2, |
335 | - displayName => "Domain Users", |
336 | - ); |
337 | - push(@entries, $entry); |
338 | - |
339 | - $entry = Net::LDAP::Entry->new("cn=Domain Guests,$config{groupsdn}", |
340 | - objectClass => [qw(top posixGroup sambaGroupMapping)], |
341 | - cn => "Domain Guests", |
342 | - gidNumber => 514, |
343 | - description => "Netbios Domain Guests Users", |
344 | - sambaSID => "$config{SID}-514", |
345 | - sambaGroupType =>2, |
346 | - displayName => "Domain Guests", |
347 | - ); |
348 | - push(@entries, $entry); |
349 | - |
350 | - $entry = Net::LDAP::Entry->new("cn=Domain Computers,$config{groupsdn}", |
351 | - objectClass => [qw(top posixGroup sambaGroupMapping)], |
352 | - cn => "Domain Computers", |
353 | - gidNumber => 515, |
354 | - description => "Netbios Domain Computers accounts", |
355 | - sambaSID => "$config{SID}-515", |
356 | - sambaGroupType =>2, |
357 | - displayName => "Domain Computers", |
358 | - ); |
359 | - push(@entries, $entry); |
360 | - |
361 | - $entry = Net::LDAP::Entry->new("cn=Administrators,$config{groupsdn}", |
362 | - objectClass => [qw(top posixGroup sambaGroupMapping)], |
363 | - cn => "Administrators", |
364 | - gidNumber => 544, |
365 | - description => "Netbios Domain Members can fully administer the computer/sambaDomainName", |
366 | - sambaSID => "S-1-5-32-544", |
367 | - sambaGroupType => 4, |
368 | - displayName => "Administrators", |
369 | - ); |
370 | - push(@entries, $entry); |
371 | - |
372 | -# $entry = Net::LDAP::Entry->new("cn=Users,$config{groupsdn}", |
373 | -# objectClass => [qw(top posixGroup sambaGroupMapping)], |
374 | -# gidNumber => 545, |
375 | -# cn => "Users", |
376 | -# description => "Netbios Domain Ordinary users", |
377 | -# sambaSID => "S-1-5-32-545", |
378 | -# sambaGroupType => 4, |
379 | -# displayName => "users", |
380 | -# ); |
381 | -# push(@entries, $entry); |
382 | - |
383 | -# $entry = Net::LDAP::Entry->new("cn=Guests,$config{groupsdn}", |
384 | -# objectClass => [qw(top posixGroup sambaGroupMapping)], |
385 | -# gidNumber => 546, |
386 | -# cn => "Guests", |
387 | -# memberUid => $guestName, |
388 | -# description => "Netbios Domain Users granted guest access to the computer/sambaDomainName", |
389 | -# sambaSID => "S-1-5-32-546", |
390 | -# sambaGroupType => 4, |
391 | -# displayName => "Guests", |
392 | -# ); |
393 | -# push(@entries, $entry); |
394 | - |
395 | -# $entry = Net::LDAP::Entry->new("cn=Power Users,$config{groupsdn}", |
396 | -# objectClass => [qw(top posixGroup sambaGroupMapping)], |
397 | -# gidNumber => 547, |
398 | -# cn => "Power Users", |
399 | -# description => "Netbios Domain Members can share directories and printers", |
400 | -# sambaSID => "S-1-5-32-547", |
401 | -# sambaGroupType => 4, |
402 | -# displayName => "Power Users", |
403 | -# ); |
404 | -# push(@entries, $entry); |
405 | - |
406 | - $entry = Net::LDAP::Entry->new("cn=Account Operators,$config{groupsdn}", |
407 | - objectClass => [qw(top posixGroup sambaGroupMapping)], |
408 | - cn => "Account Operators", |
409 | - gidNumber => 548, |
410 | - description => "Netbios Domain Users to manipulate users accounts", |
411 | - sambaSID => "S-1-5-32-548", |
412 | - sambaGroupType => 4, |
413 | - displayName => "Account Operators", |
414 | - ); |
415 | - push(@entries, $entry); |
416 | - |
417 | -# $entry = Net::LDAP::Entry->new("cn=System Operators,$config{groupsdn}", |
418 | -# objectClass => [qw(top posixGroup sambaGroupMapping)], |
419 | -# gidNumber => 549, |
420 | -# cn => "System Operators", |
421 | -# description => "Netbios Domain System Operators", |
422 | -# sambaSID => "S-1-5-32-549", |
423 | -# sambaGroupType => 4, |
424 | -# displayName => "System Operators", |
425 | -# ); |
426 | -# push(@entries, $entry); |
427 | - |
428 | - $entry = Net::LDAP::Entry->new("cn=Print Operators,$config{groupsdn}", |
429 | - objectClass => [qw(top posixGroup sambaGroupMapping)], |
430 | - cn => "Print Operators", |
431 | - gidNumber => 550, |
432 | - description => "Netbios Domain Print Operators", |
433 | - sambaSID => "S-1-5-32-550", |
434 | - sambaGroupType => 4, |
435 | - displayName => "Print Operators", |
436 | - ); |
437 | - push(@entries, $entry); |
438 | - |
439 | - $entry = Net::LDAP::Entry->new("cn=Backup Operators,$config{groupsdn}", |
440 | - objectClass => [qw(top posixGroup sambaGroupMapping)], |
441 | - cn => "Backup Operators", |
442 | - gidNumber => 551, |
443 | - description => "Netbios Domain Members can bypass file security to back up files", |
444 | - sambaSID => "S-1-5-32-551", |
445 | - sambaGroupType => 4, |
446 | - displayName => "Backup Operators", |
447 | - ); |
448 | - push(@entries, $entry); |
449 | - |
450 | - $entry = Net::LDAP::Entry->new("cn=Replicators,$config{groupsdn}", |
451 | - objectClass => [qw(top posixGroup sambaGroupMapping)], |
452 | - cn => "Replicators", |
453 | - gidNumber => 552, |
454 | - description => "Netbios Domain Supports file replication in a sambaDomainName", |
455 | - sambaSID => "S-1-5-32-552", |
456 | - sambaGroupType => 4, |
457 | - displayName => "Replicators", |
458 | - ); |
459 | - push(@entries, $entry); |
460 | - |
461 | - $entries_iter = sub { |
462 | - return shift(@entries); |
463 | - }; |
464 | -} |
465 | - |
466 | -if (my $file = $Options{'e'}) { |
467 | - open my $file_fh, ">$file" or die "Cannot open file: $file: $!"; |
468 | - while (my $entry = $entries_iter->()) { |
469 | - $file_fh->print($entry->ldif); |
470 | - } |
471 | - print "exported ldif file: $file\n"; |
472 | - exit(0); |
473 | -} |
474 | - |
475 | -my $ldap_master=connect_ldap_master(); |
476 | -while (my $entry = $entries_iter->()) { |
477 | - my $dn = $entry->dn; |
478 | - # we first check if the entry exist |
479 | - my $mesg = $ldap_master->search( |
480 | - base => $dn, |
481 | - scope => "base", |
482 | - filter => "objectclass=*" |
483 | - ); |
484 | - if ($mesg->code && $mesg->code != LDAP_NO_SUCH_OBJECT) { |
485 | - die "failed to search entry: ", $mesg->error; |
486 | - } |
487 | - if ($mesg->count == 1) { |
488 | - print "entry $dn already exist. "; |
489 | - if ($dn eq $config{sambaUnixIdPooldn}) { |
490 | - print "Updating it...\n"; |
491 | - my @mods; |
492 | - foreach my $attr_tmp ($entry->attributes) { |
493 | - push(@mods,$attr_tmp=>[$entry->get_value("$attr_tmp")]); |
494 | - } |
495 | - my $modify = $ldap_master->modify($dn, |
496 | - 'replace' => { @mods }, |
497 | - ); |
498 | - $modify->code && warn "failed to modify entry: ", $modify->error ; |
499 | - } else { |
500 | - print "\n"; |
501 | - } |
502 | - } else { |
503 | - print "adding new entry: $dn\n"; |
504 | - my $result=$ldap_master->add($entry); |
505 | - $result->code && warn "failed to add entry: ", $result->error ; |
506 | - } |
507 | -} |
508 | -$ldap_master->unbind; |
509 | - |
510 | -# secure the admin account |
511 | -print "\nPlease provide a password for the domain $adminName: \n"; |
512 | -system("$RealBin/smbldap-passwd", $adminName); |
513 | - |
514 | -exit(0); |
515 | - |
516 | - |
517 | -######################################## |
518 | - |
519 | -=head1 NAME |
520 | - |
521 | -smbldap-populate - Populate your LDAP database |
522 | - |
523 | -=head1 SYNOPSIS |
524 | - |
525 | -smbldap-populate [ldif-file] |
526 | - |
527 | -=head1 DESCRIPTION |
528 | - |
529 | -The smbldap-populate command helps to populate an LDAP server by adding the necessary entries : base suffix (doesn't abort if already there), organizational units for users, groups and computers, builtin users : Administrator and guest, builtin groups (though posixAccount only, no SambaTNG support). |
530 | - |
531 | --a name |
532 | -Your local administrator login name (default: root) |
533 | - |
534 | --b name |
535 | -Your local guest login name (default: nobody) |
536 | - |
537 | --e file |
538 | -export an ldif file |
539 | - |
540 | --i file |
541 | -import an ldif file (Options -a and -b will be ignored) |
542 | - |
543 | -=head1 FILES |
544 | - |
545 | -@SYSCONFDIR@/smbldap.conf : main configuration |
546 | -@SYSCONFDIR@/smbldap_bind.conf : credentials for binding to the directory |
547 | - |
548 | -=head1 SEE ALSO |
549 | - |
550 | -smb.conf(5) |
551 | - |
552 | -=cut |
553 | - |
554 | -#' |
555 | - |
556 | - |
557 | - |
558 | -# - The End |
559 | |
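--- a/.pc/applied-patches
+++ b/.pc/applied-patches
@@ -1,1 +0,0 @@
-0001_debian_nobody.patch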
566 | === modified file 'debian/changelog' |
567 | --- debian/changelog 2012-08-07 20:28:37 +0000 |
568 | +++ debian/changelog 2012-09-21 15:41:28 +0000 |
569 | @@ -1,3 +1,13 @@ |
570 | +smbldap-tools (0.9.9-1ubuntu1) quantal; urgency=low |
571 | + |
572 | + * Merge from debian unstable (LP: #1054130). Remaining chagnes: |
573 | + - Apply patch from rdratlos to resolve being unable to join a Windows |
574 | + 7 or Windows 2008 machine to a Samba domain due to the use of cached |
575 | + nss credentials. (LP: #814898) |
576 | + - 0020_original_doc_html_index.patch: Add index html file. |
577 | + |
578 | + -- Leo Iannacone <l3on@ubuntu.com> Fri, 21 Sep 2012 17:10:57 +0200 |
579 | + |
580 | smbldap-tools (0.9.9-1) unstable; urgency=low |
581 | |
582 | * New upstream release (Closes: #647860, #679935, #680939, #681350) |
583 | @@ -6,6 +16,16 @@ |
584 | |
585 | -- Sergio Talens-Oliag <sto@debian.org> Tue, 07 Aug 2012 20:28:37 +0200 |
586 | |
587 | +smbldap-tools (0.9.7-1ubuntu1) precise; urgency=low |
588 | + |
589 | + * Merge from debian unstable (LP: #889308). Remaining changes: |
590 | + - Apply patch from rdratlos to resolve being unable to join a Windows |
591 | + 7 or Windows 2008 machine to a Samba domain due to the use of cached |
592 | + nss credentials. (LP: #814898) |
593 | + - 0020_original_doc_html_index.patch: Add index html file. |
594 | + |
595 | + -- Leo Iannacone <l3on@ubuntu.com> Tue, 27 Sep 2011 18:05:13 +0000 |
596 | + |
597 | smbldap-tools (0.9.7-1) unstable; urgency=low |
598 | |
599 | * New upstream release |
600 | @@ -23,6 +43,14 @@ |
601 | |
602 | -- Sergio Talens-Oliag <sto@debian.org> Thu, 18 Aug 2011 10:55:45 +0200 |
603 | |
604 | +smbldap-tools (0.9.5-1ubuntu1) oneiric; urgency=low |
605 | + |
606 | + * Apply patch from rdratlos to resolve being unable to join a Windows |
607 | + 7 or Windows 2008 machine to a Samba domain due to the use of cached |
608 | + nss credentials. (LP: #814898) |
609 | + |
610 | + -- Daniel T Chen <crimsun@ubuntu.com> Mon, 01 Aug 2011 15:14:32 -0400 |
611 | + |
612 | smbldap-tools (0.9.5-1) unstable; urgency=low |
613 | |
614 | * New upstream release (Closes: Bug#548665). |
615 | |
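--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
 Source: smbldap-tools
 Section: admin
 Priority: extra
-Maintainer: Sergio Talens-Oliag <sto@debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Sergio Talens-Oliag <sto@debian.org>
 Build-Depends: debhelper (>= 7.0.50~), quilt
 Build-Depends-Indep: perl
 Standards-Version: 3.9.3.0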
630 | === added file 'debian/patches/0020_original_doc_html_index.patch' |
631 | --- debian/patches/0020_original_doc_html_index.patch 1970-01-01 00:00:00 +0000 |
632 | +++ debian/patches/0020_original_doc_html_index.patch 2012-09-21 15:41:28 +0000 |
633 | @@ -0,0 +1,2369 @@ |
634 | +Description: Page downloaded from |
635 | + http://download.gna.org/smbldap-tools/docs/smbldap-tools/ |
636 | +--- smbldap-tools-0.9.5.orig/doc/html/index.html |
637 | ++++ smbldap-tools-0.9.5/doc/html/index.html |
638 | +@@ -0,0 +1,2364 @@ |
639 | ++<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" |
640 | ++ "http://www.w3.org/TR/REC-html40/loose.dtd"> |
641 | ++<HTML> |
642 | ++<HEAD><TITLE>Smbldap-tools User Manual |
643 | ++(Release: 0.9.3 )</TITLE> |
644 | ++ |
645 | ++<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> |
646 | ++<META name="GENERATOR" content="hevea 1.07"> |
647 | ++ |
648 | ++<link rel="stylesheet" href="IDXDOC.css"> |
649 | ++</HEAD> |
650 | ++<BODY > |
651 | ++<!--HEVEA command line is: hevea -fix -I ./styles -exec xxdate.exe -pedantic IDXDOC.hva smbldap-tools.tex -o smbldap-tools.html --> |
652 | ++<!--HTMLHEAD--> |
653 | ++ |
654 | ++ |
655 | ++ <DIV class="entete"> |
656 | ++ Copyright 2002 © IDEALX S.A.S. - |
657 | ++ Contact: <A href="mailto:samba@IDEALX.org">samba@IDEALX.org</A> |
658 | ++ </DIV> |
659 | ++ <HR> |
660 | ++<!--ENDHTML--> |
661 | ++<!--PREFIX <ARG ></ARG>--> |
662 | ++<!--CUT DEF section 1 --> |
663 | ++ |
664 | ++ |
665 | ++ |
666 | ++ |
667 | ++ |
668 | ++<H1 ALIGN=center>Smbldap-tools User Manual<BR> |
669 | ++(<I>Release</I>: 0.9.3 )</H1> |
670 | ++ |
671 | ++<H3 ALIGN=center>Jérôme Tournier</H3> |
672 | ++ |
673 | ++<H3 ALIGN=center><I>Revision</I>: 1.7 , generated July 12, 2007<BR> |
674 | ++</H3> |
675 | ++<DIV ALIGN=center> |
676 | ++ |
677 | ++ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1> |
678 | ++<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Release:</TD> |
679 | ++<TD ALIGN=left NOWRAP> </TD> |
680 | ++</TR> |
681 | ++<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Reference:</TD> |
682 | ++<TD ALIGN=left NOWRAP> </TD> |
683 | ++</TR> |
684 | ++<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Publication date:</TD> |
685 | ++<TD ALIGN=left NOWRAP> </TD> |
686 | ++</TR> |
687 | ++<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Print date:</TD> |
688 | ++<TD ALIGN=left NOWRAP>July 12, 2007</TD> |
689 | ++</TR></TABLE> |
690 | ++ </DIV> |
691 | ++ |
692 | ++<BR> |
693 | ++This document is the property of IDEALX<SUP><A NAME="text1" HREF="#note1">1</A></SUP>. |
694 | ++Permission is granted to distribute this document under the terms of the GNU |
695 | ++Free Documentation License (<A HREF="http://www.gnu.org/copyleft/fdl.html"><TT>http://www.gnu.org/copyleft/fdl.html</TT></A>).<BR> |
696 | ++<BR> |
697 | ++<!--TOC section Table of Contents--> |
698 | ++ |
699 | ++<H2>Table of Contents</H2><!--SEC END --> |
700 | ++ |
701 | ++<UL><LI> |
702 | ++<A HREF="#htoc1">1 Introduction</A> |
703 | ++<UL><LI> |
704 | ++<A HREF="#htoc2">1.1 Software requirements</A> |
705 | ++<LI><A HREF="#htoc3">1.2 Updates of this document</A> |
706 | ++<LI><A HREF="#htoc4">1.3 Availability of this document</A> |
707 | ++</UL> |
708 | ++<LI><A HREF="#htoc5">2 Installation</A> |
709 | ++<UL><LI> |
710 | ++<A HREF="#htoc6">2.1 Requirements</A> |
711 | ++<LI><A HREF="#htoc7">2.2 Installation</A> |
712 | ++<UL><LI> |
713 | ++<A HREF="#htoc8">2.2.1 Installing from rpm</A> |
714 | ++<LI><A HREF="#htoc9">2.2.2 Installing from a tarball</A> |
715 | ++</UL> |
716 | ++</UL> |
717 | ++<LI><A HREF="#htoc10">3 Configuring the smbldap-tools</A> |
718 | ++<UL><LI> |
719 | ++<A HREF="#htoc11">3.1 The smbldap.conf file</A> |
720 | ++<LI><A HREF="#htoc12">3.2 The smbldap_bind.conf file</A> |
721 | ++</UL> |
722 | ++<LI><A HREF="#htoc13">4 Using the scripts</A> |
723 | ++<UL><LI> |
724 | ++<A HREF="#htoc14">4.1 Initial directory's population</A> |
725 | ++<LI><A HREF="#htoc15">4.2 User management</A> |
726 | ++<UL><LI> |
727 | ++<A HREF="#htoc16">4.2.1 Adding a user</A> |
728 | ++<LI><A HREF="#htoc17">4.2.2 Removing a user</A> |
729 | ++<LI><A HREF="#htoc18">4.2.3 Modifying a user</A> |
730 | ++</UL> |
731 | ++<LI><A HREF="#htoc19">4.3 Group management</A> |
732 | ++<UL><LI> |
733 | ++<A HREF="#htoc20">4.3.1 Adding a group</A> |
734 | ++<LI><A HREF="#htoc21">4.3.2 Removing a group</A> |
735 | ++</UL> |
736 | ++<LI><A HREF="#htoc22">4.4 Adding a interdomain trust account</A> |
737 | ++</UL> |
738 | ++<LI><A HREF="#htoc23">5 Samba and the smbldap-tools scripts</A> |
739 | ++<UL><LI> |
740 | ++<A HREF="#htoc24">5.1 General configuration</A> |
741 | ++<LI><A HREF="#htoc25">5.2 Migrating an NT4 PDC to Samba3</A> |
742 | ++</UL> |
743 | ++<LI><A HREF="#htoc26">6 Frequently Asked Questions</A> |
744 | ++<UL><LI> |
745 | ++<A HREF="#htoc27">6.1 How can i use old released uidNumber and gidNumber ?</A> |
746 | ++<LI><A HREF="#htoc28">6.2 I always have this error: "Can't locate IO/Socket/SSL.pm"</A> |
747 | ++<LI><A HREF="#htoc29">6.3 I can't initialize the directory with <TT>smbldap-populate</TT></A> |
748 | ++<LI><A HREF="#htoc30">6.4 I can't join the domain with the <TT>root</TT> account</A> |
749 | ++<LI><A HREF="#htoc31">6.5 I have the <TT>sambaSamAccount</TT> but i can't logged in</A> |
750 | ++<LI><A HREF="#htoc32">6.6 I want to create machine account on the fly, but it does |
751 | ++ not works or I must do it twice</A> |
752 | ++<LI><A HREF="#htoc33">6.7 I can't manage the Oracle Internet Database</A> |
753 | ++<LI><A HREF="#htoc34">6.8 The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not |
754 | ++called, or i got a error message when changing the password from windows</A> |
755 | ++<LI><A HREF="#htoc35">6.9 New computers account can't be set in ou=computers</A> |
756 | ++<LI><A HREF="#htoc36">6.10 I can join the domain, but i can't log on</A> |
757 | ++<LI><A HREF="#htoc37">6.11 I can't create a user with <TT>smbldap-useradd</TT></A> |
758 | ++<LI><A HREF="#htoc38">6.12 smbldap-useradd: Can't call method "get_value" on an undefined value at |
759 | ++/usr/local/sbin/smbldap-useradd line 154</A> |
760 | ++<LI><A HREF="#htoc39">6.13 Typical errors on creating a new user or a new group</A> |
761 | ++</UL> |
762 | ++<LI><A HREF="#htoc40">7 Thanks</A> |
763 | ++<LI><A HREF="#htoc41">8 Annexes</A> |
764 | ++<UL><LI> |
765 | ++<A HREF="#htoc42">8.1 Full configuration files</A> |
766 | ++<UL><LI> |
767 | ++<A HREF="#htoc43">8.1.1 The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</A> |
768 | ++<LI><A HREF="#htoc44">8.1.2 The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</A> |
769 | ++<LI><A HREF="#htoc45">8.1.3 The samba configuration file : <TT>/etc/samba/smb.conf</TT> </A> |
770 | ++<LI><A HREF="#htoc46">8.1.4 The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></A> |
771 | ++</UL> |
772 | ++<LI><A HREF="#htoc47">8.2 Changing the administrative account (<TT>ldap admin |
773 | ++ dn</TT> in <TT>smb.conf</TT> file)</A> |
774 | ++<LI><A HREF="#htoc48">8.3 known bugs</A> |
775 | ++</UL> |
776 | ++</UL> |
777 | ++ |
778 | ++ |
779 | ++ |
780 | ++<!--TOC section Introduction--> |
781 | ++ |
782 | ++<H2><A NAME="htoc1">1</A> Introduction</H2><!--SEC END --> |
783 | ++ |
784 | ++<A NAME="sec:intro"></A> |
785 | ++Smbldap-tools is a set of scripts designed to help integrate Samba and a |
786 | ++LDAP directory. They target both users and administrators of Linux systems.<BR> |
787 | ++<BR> |
788 | ++Users can change their password in a way similar to the standard ``passwd'' |
789 | ++command.<BR> |
790 | ++<BR> |
791 | ++Administrators can perform user and group management command line actions |
792 | ++and synchronise Samba account management consistently.<BR> |
793 | ++<BR> |
794 | ++This document presents: |
795 | ++<UL><LI> |
796 | ++a detailled view of the smbldap-tools scripts |
797 | ++<LI>a step by step explanation of how to set up a Samba3 domain controller |
798 | ++</UL> |
799 | ++<!--TOC subsection Software requirements--> |
800 | ++ |
801 | ++<H3><A NAME="htoc2">1.1</A> Software requirements</H3><!--SEC END --> |
802 | ++ |
803 | ++The smbldap-tools have been developped and tested with the following configuration : |
804 | ++<UL><LI> |
805 | ++<FONT COLOR=purple><I>Linux</I></FONT> CentOS4 (be should work on any <FONT COLOR=purple><I>Linux</I></FONT> distribution) |
806 | ++<LI> <FONT COLOR=purple>Samba</FONT> release 3.0.10, |
807 | ++<LI><FONT COLOR=purple>OpenLDAP</FONT> release 2.2.13 |
808 | ++<LI><FONT COLOR=purple>Microsoft Windows NT</FONT> 4.0, Windows 2000 and Windows XP Workstations and Servers, |
809 | ++</UL> |
810 | ++This guide applies to <FONT COLOR=purple>smbldap-tools</FONT> <I>Release</I>: 0.9.3 .<BR> |
811 | ++<BR> |
812 | ++<!--TOC subsection Updates of this document--> |
813 | ++ |
814 | ++<H3><A NAME="htoc3">1.2</A> Updates of this document</H3><!--SEC END --> |
815 | ++ |
816 | ++The most up to date release of this document may be found on the |
817 | ++smbldap-tools project page available at <A HREF="http://sourceforge.net/projects/smbldap-tools/"><TT>http://sourceforge.net/projects/smbldap-tools/</TT></A>.<BR> |
818 | ++<BR> |
819 | ++If you find any bugs in this document, or if you want this document to |
820 | ++integrate some additional infos, please drop me a mail with your bug report |
821 | ++and/or change request at <U>jtournier@gmail.com</U>.<BR> |
822 | ++<BR> |
823 | ++<!--TOC subsection Availability of this document--> |
824 | ++ |
825 | ++<H3><A NAME="htoc4">1.3</A> Availability of this document</H3><!--SEC END --> |
826 | ++ |
827 | ++This document is the property of <FONT COLOR=purple>IDEALX</FONT> (<A HREF="http://www.IDEALX.com/"><TT>http://www.IDEALX.com/</TT></A>). <BR> |
828 | ++<BR> |
829 | ++Permission is granted to distribute this document under the terms of the GNU |
830 | ++Free Documentation License (See <A HREF="http://www.gnu.org/copyleft/fdl.html"><TT>http://www.gnu.org/copyleft/fdl.html</TT></A>). |
831 | ++ <!--TOC section Installation--> |
832 | ++ |
833 | ++<H2><A NAME="htoc5">2</A> Installation</H2><!--SEC END --> |
834 | ++ |
835 | ++<!--TOC subsection Requirements--> |
836 | ++ |
837 | ++<H3><A NAME="htoc6">2.1</A> Requirements</H3><!--SEC END --> |
838 | ++ |
839 | ++The main requirement for using smbldap-tools are the two perl module: |
840 | ++Net::LDAP and Crypt::SmbHash. |
841 | ++In most cases, you'll also need the IO-Socket-SSL Perl module to use |
842 | ++TLS functionnality.<BR> |
843 | ++<BR> |
844 | ++If you want samba to call the scripts so that you can use the User |
845 | ++Manager (or any other) under MS-Windows (to add, delete modify users and |
846 | ++groups), <FONT COLOR=purple>Samba</FONT> must be installed on the same computer. |
847 | ++Finally, <FONT COLOR=purple>OpenLDAP</FONT> can be installed on any computer. Please check that it |
848 | ++can be contacted by a standard LDAP client software.<BR> |
849 | ++<BR> |
850 | ++<FONT COLOR=purple>Samba</FONT> and <FONT COLOR=purple>OpenLDAP</FONT> installations will not be discussed |
851 | ++here. You can consult the howto also available on the |
852 | ++project page (<A HREF="http://sourceforge.net/projects/smbldap-tools/"><TT>http://sourceforge.net/projects/smbldap-tools/</TT></A>).<BR> |
853 | ++<BR> |
854 | ++<!--TOC subsection Installation--> |
855 | ++ |
856 | ++<H3><A NAME="htoc7">2.2</A> Installation</H3><!--SEC END --> |
857 | ++ |
858 | ++An archive of the <FONT COLOR=purple>smbldap-tools</FONT> scripts can be downloaded on our project |
859 | ++page <A HREF="http://sourceforge.net/projects/smbldap-tools/"><TT>http://sourceforge.net/projects/smbldap-tools/</TT></A>. Archive and RedHat packages are |
860 | ++available. |
861 | ++<BR> |
862 | ++If you are upgrading, look at the <TT>INSTALL</TT> file or read the link |
863 | ++<A HREF="#faq::error::add::user">6.13</A>.<BR> |
864 | ++<BR> |
865 | ++<!--TOC subsubsection Installing from rpm--> |
866 | ++ |
867 | ++<H4><A NAME="htoc8">2.2.1</A> Installing from rpm</H4><!--SEC END --> |
868 | ++ |
869 | ++To install the scripts on a RedHat system, download the RPM |
870 | ++package and run the following command: |
871 | ++<PRE> |
872 | ++rpm -Uvh smbldap-tools-0.9.3-1.i386.rpm |
873 | ++</PRE> |
874 | ++<!--TOC subsubsection Installing from a tarball--> |
875 | ++ |
876 | ++<H4><A NAME="htoc9">2.2.2</A> Installing from a tarball</H4><!--SEC END --> |
877 | ++ |
878 | ++On non RedHat system, download a source archive of the scripts. The current |
879 | ++archive is <TT>smbldap-tools-0.9.3.tar.gz</TT>. |
880 | ++Uncompress it and copy all of the Perl scripts in <TT>/usr/sbin</TT> |
881 | ++directory, and the two configuration files in |
882 | ++<TT>/etc/smbldap-tools/</TT> directory: |
883 | ++<PRE> |
884 | ++mkdir /etc/smbldap-tools/ |
885 | ++cp *.conf /etc//smbldap-tools/ |
886 | ++cp smbldap-* /usr/sbin/ |
887 | ++</PRE> |
888 | ++The configuration is now based on two differents files: |
889 | ++<UL><LI> |
890 | ++<TT>smbldap.conf</TT>: define global parameter |
891 | ++<LI><TT>smbldap_bind.conf</TT>: define an administrative account to |
892 | ++ bind to the directory |
893 | ++</UL> |
894 | ++The second file <B>must</B> be readable only for 'root', as it contains |
895 | ++credentials allowing modifications on all the directory. Make sure the |
896 | ++files are protected by running the following commands: |
897 | ++<PRE> |
898 | ++chmod 644 /etc/smbldap-tools/smbldap.conf |
899 | ++chmod 600 /etc/smbldap-tools/smbldap_bind.conf |
900 | ++</PRE> <!--TOC section Configuring the smbldap-tools--> |
901 | ++ |
902 | ++<H2><A NAME="htoc10">3</A> Configuring the smbldap-tools</H2><!--SEC END --> |
903 | ++ |
904 | ++As mentioned in the previous section, you'll have to update two |
905 | ++configuration files. The first (<TT>smbldap.conf</TT>) allows you to |
906 | ++set global parameter that are readable by everybody, and the second |
907 | ++(<TT>smbldap_bind.conf</TT>) defines two administrative accounts to |
908 | ++bind to a slave and a master ldap server: this file must thus be |
909 | ++readable only by root.<BR> |
910 | ++<BR> |
911 | ++A script named <TT>configure.pl</TT> can help you to set their contents |
912 | ++up. It is located in the tarball |
913 | ++downloaded or in the documentation directory if you got the RPM |
914 | ++archive (see <TT>/usr/share/doc/smbldap-tools-0.9.3/</TT>). Just invoke it: |
915 | ++<PRE> |
916 | ++/usr/share/doc/smbldap-tools-0.9.3/configure.pl |
917 | ++</PRE>It will ask for the default values defined in your |
918 | ++<TT>smb.conf</TT> file, and will update the two configuration files used |
919 | ++by the scripts. Samba configuration file should then be already configured. |
920 | ++Note that you can stop the script at any moment with |
921 | ++the <TT>Crtl-c</TT> keys.<BR> |
922 | ++Before using this script : |
923 | ++<UL><LI> |
924 | ++the two configuration files <B>must</B> be present in the |
925 | ++ <TT>/etc/smbldap-tools/</TT> directory |
926 | ++<LI>check that samba is configured and running, as the script will try to |
927 | ++ get your workgroup's domain secure id (SID). |
928 | ++</UL> |
929 | ++In those files, parameters are defined like this: |
930 | ++<PRE> |
931 | ++key="value" |
932 | ++</PRE>Full example configuration files can be found at |
933 | ++<A HREF="#configuration::files">8.1</A>.<BR> |
934 | ++<BR> |
935 | ++<!--TOC subsection The smbldap.conf file--> |
936 | ++ |
937 | ++<H3><A NAME="htoc11">3.1</A> The smbldap.conf file</H3><!--SEC END --> |
938 | ++ |
939 | ++This file is used to define parameters that can be readable by |
940 | ++everybody. A full example file is available in section <A HREF="#configuration::file::smbldap">8.1.1</A>.<BR> |
941 | ++<BR> |
942 | ++Let's have a look at all available parameters. |
943 | ++<UL><LI> |
944 | ++<TT>UID_START</TT> and <TT>GID_START</TT> : parameters deprecated |
945 | ++ <UL><LI> |
946 | ++ Those parameters must be removed or commented. |
947 | ++ <LI>Available uid and gid are now defined in the default |
948 | ++ new entry <TT>sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"</TT>. |
949 | ++ See later for <TT>${sambaDomain}</TT> and <TT>${suffix}</TT> definitions. |
950 | ++ </UL> |
951 | ++<LI><TT>SID</TT> : Secure Identifier Domain |
952 | ++ <UL><LI> |
953 | ++ Example: <TT>SID="S-1-5-21-3703471949-3718591838-2324585696"</TT> |
954 | ++ <LI>Remark: you can get the SID for your domain using the "<TT>net getlocalsid</TT>" |
955 | ++ command. Samba must be up and running for this to work (it can take <B>several</B> minutes for a Samba server to correctly negotiate its status with other network servers). |
956 | ++ </UL> |
957 | ++<LI><TT>sambaDomain</TT> : Samba Domain the Samba server is in charge |
958 | ++ <UL><LI> |
959 | ++ Example: <TT>sambaDomain="DOMSMB"</TT> |
960 | ++ <LI>Remark: if not defined, parameter is taking from smb.conf configuration file |
961 | ++ </UL> |
962 | ++<LI><TT>slaveLDAP</TT> : slave LDAP server |
963 | ++ <UL><LI> |
964 | ++ Example: <TT>slaveLDAP="127.0.0.1"</TT> |
965 | ++ <LI>Remark: must be a resolvable DNS name or it's IP address |
966 | ++ </UL> |
967 | ++<LI><TT>slavePort</TT> : port to contact the slave server |
968 | ++ <UL><LI> |
969 | ++ Example: <TT>slavePort="389"</TT> |
970 | ++ </UL> |
971 | ++<LI><TT>masterLDAP</TT> : master LDAP server |
972 | ++ <UL><LI> |
973 | ++ Example: <TT>masterLDAP="127.0.0.1"</TT> |
974 | ++ </UL> |
975 | ++<LI><TT>masterPort</TT> : port to contact the master server |
976 | ++ <UL><LI> |
977 | ++ Example: <TT>masterPort="389"</TT> |
978 | ++ </UL> |
979 | ++<LI><TT>ldapTLS</TT> : should we use TLS connection to contact the |
980 | ++ ldap servers ? |
981 | ++ <UL><LI> |
982 | ++ Example: <TT>ldapTLS="1"</TT> |
983 | ++ <LI>Remark: the LDAP severs must be configured to accept TLS |
984 | ++ connections. See section the Samba-LDAP Howto for more |
985 | ++ details (<A HREF="http://samba.idealx.org/smbldap-howto.fr.html"><TT>http://samba.idealx.org/smbldap-howto.fr.html</TT></A>). If you are using TLS support, select port 389 to connect to |
986 | ++ the master and slave directories. |
987 | ++ </UL> |
988 | ++<LI><TT>verify</TT> : How to verify the server's certificate (none, optional or require). |
989 | ++ <UL><LI> |
990 | ++ Example: <TT>verify="require"</TT> |
991 | ++ <LI>Remarl: See ``man Net::LDAP'' in start_tls section for more details |
992 | ++ </UL> |
993 | ++<LI><TT>cafile</TT> : the PEM-format file containing certificates |
994 | ++ for the CA that slapd will trust |
995 | ++ <UL><LI> |
996 | ++ Example: <TT>cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"</TT> |
997 | ++ </UL> |
998 | ++<LI><TT>clientcert</TT> : the file that contains the client certificate |
999 | ++ <UL><LI> |
1000 | ++ Example: <TT>clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem"</TT> |
1001 | ++ </UL> |
1002 | ++<LI><TT>clientkey</TT> : the file that contains the private key that |
1003 | ++ matches the certificate stored in the clientcert file |
1004 | ++ <UL><LI> |
1005 | ++ Example: <TT>clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key"</TT> |
1006 | ++ </UL> |
1007 | ++<LI><TT>suffix</TT> : The distinguished name of the search base |
1008 | ++ <UL><LI> |
1009 | ++ Example: <TT>suffix="dc=idealx,dc=com"</TT> |
1010 | ++ </UL> |
1011 | ++<LI><TT>usersdn</TT> : branch in which users account can be found or |
1012 | ++ must be added |
1013 | ++ <UL><LI> |
1014 | ++ Example: <TT>usersdn="ou=Users,${suffix}"</TT> |
1015 | ++ <LI>Remark: this branch is <B>not</B> relative to the suffix value |
1016 | ++ </UL> |
1017 | ++<LI><TT>computersdn</TT> : branch in which computers account can be |
1018 | ++ found or must be added |
1019 | ++ <UL><LI> |
1020 | ++ Example: <TT>computersdn"ou=Computers,${suffix}"</TT> |
1021 | ++ <LI>Remark: this branch is <B>not</B> relative to the suffix value |
1022 | ++ </UL> |
1023 | ++<LI><TT>groupsdn</TT> : branch in which groups account can be found |
1024 | ++ or must be added |
1025 | ++ <UL><LI> |
1026 | ++ Example: <TT>groupsdn="ou=Groups,${suffix}"</TT> |
1027 | ++ <LI>Remarks: this branch is <B>not</B> relative to the suffix value |
1028 | ++ </UL> |
1029 | ++<LI><TT>idmapdn</TT> : where are stored Idmap entries (used if samba is a domain member server) |
1030 | ++<UL><LI> |
1031 | ++ Example: <TT>idmapdn="ou=Idmap,${suffix}"</TT> |
1032 | ++ <LI>Remarks: this branch is <B>not</B> relative to the suffix value |
1033 | ++</UL> |
1034 | ++<LI><TT>sambaUnixIdPooldn</TT> : object in which next uidNumber and gidNumber available are stored |
1035 | ++<UL><LI> |
1036 | ++ Example: <TT>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"</TT> |
1037 | ++ <LI>Remarks: this branch is <B>not</B> relative to the suffix value |
1038 | ++</UL> |
1039 | ++<LI><TT>scope</TT> : the search scope. |
1040 | ++<UL><LI> |
1041 | ++ Example: <TT>scope="sub"</TT> |
1042 | ++</UL> |
1043 | ++<LI><TT>hash_encrypt</TT> : hash to be used when generating a |
1044 | ++ user password. |
1045 | ++ <UL><LI> |
1046 | ++ Example: <TT>hash_encrypt="SSHA"</TT> |
1047 | ++ <LI>Remark: This is used for the unix password stored in <I>userPassword</I> attribute. |
1048 | ++ </UL> |
1049 | ++<LI><TT>crypt_salt_format="%s"</TT> : if hash_encrypt is set to |
1050 | ++ CRYPT, you may set a salt format. Default is "%s", but many systems |
1051 | ++ will generate MD5 hashed passwords if you use "$1$%.8s". This |
1052 | ++ parameter is optional. |
1053 | ++<LI><TT>userLoginShell</TT> : default shell given to users. |
1054 | ++ <UL><LI> |
1055 | ++ Example: <TT>userLoginShell="/bin/bash"</TT> |
1056 | ++ <LI>Remark: This is stored in <I>loginShell</I> attribute. |
1057 | ++ </UL> |
1058 | ++<LI><TT>userHome</TT> : default directory where users's home |
1059 | ++ directory are located. |
1060 | ++ <UL><LI> |
1061 | ++ Example: <TT>userHome="/home/%U"</TT> |
1062 | ++ <LI>Remark: This is stored in <TT>homeDirectory</TT> attribute. |
1063 | ++ </UL> |
1064 | ++<LI><TT>userGecos</TT> : gecos used for users |
1065 | ++ <UL><LI> |
1066 | ++ Example: <TT>userGecos="System User"</TT> |
1067 | ++ </UL> |
1068 | ++<LI><TT>defaultUserGid</TT> : default primary group set to users accounts |
1069 | ++ <UL><LI> |
1070 | ++ Example: <TT>defaultUserGid="513"</TT> |
1071 | ++ <LI>Remark: this is stored in <I>gidNumber</I> attribute. |
1072 | ++</UL> |
1073 | ++<LI><TT>defaultComputerGid</TT> : default primary group set to |
1074 | ++ computers accounts |
1075 | ++ <UL><LI> |
1076 | ++ Example: <TT>defaultComputerGid="550"</TT> |
1077 | ++ <LI>Remark: this is stored in <I>gidNumber</I> attribute. |
1078 | ++</UL> |
1079 | ++<LI><TT>skeletonDir</TT> : skeleton directory used for users accounts |
1080 | ++ <UL><LI> |
1081 | ++ Example: <TT>skeletonDir="/etc/skel"</TT> |
1082 | ++ <LI>Remark: this option is used only if you ask for home directory creation when adding a new user. |
1083 | ++ </UL> |
1084 | ++<LI><TT>defaultMaxPasswordAge</TT> : default validation time for Samba password (in days) |
1085 | ++ <UL><LI> |
1086 | ++ Example: <TT>defaultMaxPassword="55"</TT> |
1087 | ++ </UL> |
1088 | ++<LI><TT>userSmbHome</TT> : samba share used to store user's home directory |
1089 | ++ <UL><LI> |
1090 | ++ Example: |
1091 | ++ <TT>userSmbHome="\\PDC-SMB3\ <I>home</I>\%<I>U</I>"</TT> |
1092 | ++ <LI>Remark: this is stored in <I>sambaHomePath</I> attribute. |
1093 | ++</UL> |
1094 | ++<LI><TT>userProfile</TT> : samba share used to store user's profile |
1095 | ++ <UL><LI> |
1096 | ++ Example: |
1097 | ++ <TT>userProfile="\\PDC-SMB3\ <I>profiles</I>\%<I>U</I>"</TT> |
1098 | ++ <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute. |
1099 | ++ </UL> |
1100 | ++<LI><TT>userHomeDrive</TT> : letter used on windows system to map |
1101 | ++ the home directory |
1102 | ++ <UL><LI> |
1103 | ++ Example: <TT>userHomeDrive="K:"</TT> |
1104 | ++ </UL> |
1105 | ++<LI><TT>userScript</TT> : default user netlogon script name. If not used, will be automatically <I>username.cmd</I> |
1106 | ++ <UL><LI> |
1107 | ++ Example: |
1108 | ++ <TT>userScript="%U"</TT> |
1109 | ++ <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute. |
1110 | ++ </UL> |
1111 | ++<LI><TT>mailDomain</TT> : Domain appended to the users "mail" |
1112 | ++ attribute. |
1113 | ++ <UL><LI> |
1114 | ++ Example: <TT>mailDomain="idealx.org"</TT> |
1115 | ++ </UL> |
1116 | ++<LI><TT>with_smbpasswd</TT> : should we use the <I>smbpasswd</I> command |
1117 | ++ to set the user's password (instead of the <I>mkntpwd</I> utility) ? |
1118 | ++ <UL><LI> |
1119 | ++ Example: <TT>with_smbpasswd="0"</TT> |
1120 | ++ <LI>Remark: must be a boolean value (0 or 1). |
1121 | ++ </UL> |
1122 | ++<LI><TT>smbpasswd</TT> : path to the <TT>smbpasswd</TT> binary |
1123 | ++ <UL><LI> |
1124 | ++ Example: <TT>smbpasswd="/usr/bin/smbpasswd"</TT> |
1125 | ++ </UL> |
1126 | ++<LI><TT>with_slappasswd</TT> : should we use the <I>slappasswd</I> command |
1127 | ++ to set the Unix user's password (instead of the <I>Crypt::</I> librairies) ? |
1128 | ++ <UL><LI> |
1129 | ++ Example: <TT>with_smbpasswd="0"</TT> |
1130 | ++ <LI>Remark: must be a boolean value (0 or 1). |
1131 | ++ </UL> |
1132 | ++<LI><TT>slappasswd</TT> : path to the <TT>slappasswd</TT> binary |
1133 | ++ <UL><LI> |
1134 | ++ Example: <TT>smbpasswd="/usr/sbin/slappasswd"</TT> |
1135 | ++ </UL> |
1136 | ++</UL> |
1137 | ++<!--TOC subsection The smbldap_bind.conf file--> |
1138 | ++ |
1139 | ++<H3><A NAME="htoc12">3.2</A> The smbldap_bind.conf file</H3><!--SEC END --> |
1140 | ++ |
1141 | ++This file is only used by <I>root</I> to give bind parameters to the directory when modifications are asked. |
1142 | ++It contains distinguised names and credentials to connect to |
1143 | ++both the master and slave directories. A full example file is available |
1144 | ++in section <A HREF="#configuration::file::smbldap::bind">8.1.2</A>.<BR> |
1145 | ++<BR> |
1146 | ++Let's have a look at all available parameters. |
1147 | ++<UL><LI> |
1148 | ++<TT>slaveDN</TT> : distinguished name used to bind to the slave server |
1149 | ++ <UL><LI> |
1150 | ++ Example 1: <TT>slaveDN="cn=Manager,dc=idealx,dc=com"</TT> |
1151 | ++ <LI>Example 2: <TT>slaveDN=""</TT> |
1152 | ++ <LI>Remark: this can be the manager account of the directory or |
1153 | ++ any LDAP account that has sufficient permissions to read the full |
1154 | ++ directory (Slave directory is only used for reading). Anonymous |
1155 | ++ connections uses the second example form. |
1156 | ++ </UL> |
1157 | ++<LI><TT>slavePw</TT> : the credentials to bind to the slave server |
1158 | ++ <UL><LI> |
1159 | ++ Example 1: <TT>slavePw="secret"</TT> |
1160 | ++ <LI>Example 2: <TT>slavePw=""</TT> |
1161 | ++ <LI>Remark: the password must be stored here in clear form. This |
1162 | ++ file must then be readable only by root! All anonymous connections |
1163 | ++ use the second form provided in our example. |
1164 | ++ </UL> |
1165 | ++<LI><TT>masterDN</TT> : the distinguished name used to bind to the master server |
1166 | ++ <UL><LI> |
1167 | ++ Example: <TT>masterDN="cn=Manager,dc=idealx,dc=com"</TT> |
1168 | ++ <LI>Remark: this can be the manager account of the directory or |
1169 | ++ any LDAP account that has enough permissions to modify the content |
1170 | ++ of the directory. Anonymous access does not make any sense here. |
1171 | ++</UL> |
1172 | ++<LI><TT>masterPw</TT> : the credentials to bind to the master server |
1173 | ++ <UL><LI> |
1174 | ++ Example: <TT>masterPw="secret"</TT> |
1175 | ++ <LI>Remark: the password must be in clear text. Be sure to protect |
1176 | ++ this file against unauthorized readers! |
1177 | ++ </UL> |
1178 | ++</UL> |
1179 | ++ <!--TOC section Using the scripts--> |
1180 | ++ |
1181 | ++<H2><A NAME="htoc13">4</A> Using the scripts</H2><!--SEC END --> |
1182 | ++ |
1183 | ++<!--TOC subsection Initial directory's population--> |
1184 | ++ |
1185 | ++<H3><A NAME="htoc14">4.1</A> Initial directory's population</H3><!--SEC END --> |
1186 | ++ |
1187 | ++You can initialize the LDAP directory using the |
1188 | ++<TT>smbldap-populate</TT> script. To do that, the account defined in |
1189 | ++the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> to access the |
1190 | ++master directory <B>must</B> must be the manager account defined in the |
1191 | ++directory configuration. On RedHat system, this file is |
1192 | ++<TT>/etc/openldap/slapd.conf</TT> and the account is defined with |
1193 | ++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0> |
1194 | ++<TR><TD><TABLE BORDER=0 CELLPADDING=0 |
1195 | ++ CELLSPACING=0> |
1196 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1197 | ++<TR><TD> |
1198 | ++ </TD> |
1199 | ++</TR></TABLE></TD> |
1200 | ++</TR> |
1201 | ++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1202 | ++<TR><TD> |
1203 | ++ </TD> |
1204 | ++</TR></TABLE></TD> |
1205 | ++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0> |
1206 | ++<TR><TD><PRE> |
1207 | ++ rootdn "cn=Manager,dc=idealx,dc=com" |
1208 | ++ rootpw secret |
1209 | ++</PRE></TD> |
1210 | ++</TR></TABLE></TD> |
1211 | ++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1212 | ++<TR><TD> |
1213 | ++ </TD> |
1214 | ++</TR></TABLE></TD> |
1215 | ++</TR> |
1216 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1217 | ++<TR><TD> |
1218 | ++ </TD> |
1219 | ++</TR></TABLE></TD> |
1220 | ++</TR></TABLE></TD> |
1221 | ++</TR></TABLE>The <TT>smbldap_bind.conf</TT> file must then be configured so that |
1222 | ++the parameters to connect to the master LDAP server match the previous ones: |
1223 | ++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0> |
1224 | ++<TR><TD><TABLE BORDER=0 CELLPADDING=0 |
1225 | ++ CELLSPACING=0> |
1226 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1227 | ++<TR><TD> |
1228 | ++ </TD> |
1229 | ++</TR></TABLE></TD> |
1230 | ++</TR> |
1231 | ++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1232 | ++<TR><TD> |
1233 | ++ </TD> |
1234 | ++</TR></TABLE></TD> |
1235 | ++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0> |
1236 | ++<TR><TD><PRE> |
1237 | ++ masterDN="cn=Manager,dc=idealx,dc=com" |
1238 | ++ masterPw="secret" |
1239 | ++</PRE></TD> |
1240 | ++</TR></TABLE></TD> |
1241 | ++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1242 | ++<TR><TD> |
1243 | ++ </TD> |
1244 | ++</TR></TABLE></TD> |
1245 | ++</TR> |
1246 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1247 | ++<TR><TD> |
1248 | ++ </TD> |
1249 | ++</TR></TABLE></TD> |
1250 | ++</TR></TABLE></TD> |
1251 | ++</TR></TABLE><BR> |
1252 | ++Available options for this script are summarized in the table <A HREF="#table::populate">1</A>: |
1253 | ++<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV> |
1254 | ++ <A NAME="code_epsilon_var"></A> |
1255 | ++ <DIV ALIGN=center> |
1256 | ++ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1> |
1257 | ++<TR><TD ALIGN=left NOWRAP>option</TD> |
1258 | ++<TD ALIGN=left NOWRAP>definition</TD> |
1259 | ++<TD ALIGN=left NOWRAP>default value</TD> |
1260 | ++</TR> |
1261 | ++<TR><TD ALIGN=left NOWRAP>-u <I>uidNumber</I></TD> |
1262 | ++<TD ALIGN=left NOWRAP>first uidNumber to allocate</TD> |
1263 | ++<TD ALIGN=left NOWRAP>1000</TD> |
1264 | ++</TR> |
1265 | ++<TR><TD ALIGN=left NOWRAP>-g <I>gidNumber</I></TD> |
1266 | ++<TD ALIGN=left NOWRAP>first uidNumber to allocate</TD> |
1267 | ++<TD ALIGN=left NOWRAP>1000</TD> |
1268 | ++</TR> |
1269 | ++<TR><TD ALIGN=left NOWRAP>-a <I>user</I></TD> |
1270 | ++<TD ALIGN=left NOWRAP>administrator login name</TD> |
1271 | ++<TD ALIGN=left NOWRAP>Administrator</TD> |
1272 | ++</TR> |
1273 | ++<TR><TD ALIGN=left NOWRAP>-b <I>user</I></TD> |
1274 | ++<TD ALIGN=left NOWRAP>guest login name</TD> |
1275 | ++<TD ALIGN=left NOWRAP>nobody</TD> |
1276 | ++</TR> |
1277 | ++<TR><TD ALIGN=left NOWRAP>-e <I>file</I></TD> |
1278 | ++<TD ALIGN=left NOWRAP>export a init file</TD> |
1279 | ++<TD ALIGN=left NOWRAP> </TD> |
1280 | ++</TR> |
1281 | ++<TR><TD ALIGN=left NOWRAP>-i <I>file</I></TD> |
1282 | ++<TD ALIGN=left NOWRAP>import a init file</TD> |
1283 | ++<TD ALIGN=left NOWRAP> </TD> |
1284 | ++</TR></TABLE> |
1285 | ++ </DIV> |
1286 | ++ <BR> |
1287 | ++<DIV ALIGN=center>Table 1: Options available for the <TT>smbldap-populate</TT> script</DIV><BR> |
1288 | ++ |
1289 | ++ <A NAME="table::populate"></A> |
1290 | ++<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE> |
1291 | ++In the more general case, to set up your directory, simply use the |
1292 | ++following command: |
1293 | ++<PRE> |
1294 | ++[root@etoile root]# smbldap-populate |
1295 | ++Using builtin directory structure |
1296 | ++adding new entry: dc=idealx,dc=com |
1297 | ++adding new entry: ou=Users,dc=idealx,dc=com |
1298 | ++adding new entry: ou=Groups,dc=idealx,dc=com |
1299 | ++adding new entry: ou=Computers,dc=idealx,dc=com |
1300 | ++adding new entry: ou=Idmap,dc=idealx,dc=org |
1301 | ++adding new entry: cn=NextFreeUnixId,dc=idealx,dc=org |
1302 | ++adding new entry: uid=Administrator,ou=Users,dc=idealx,dc=com |
1303 | ++adding new entry: uid=nobody,ou=Users,dc=idealx,dc=com |
1304 | ++adding new entry: cn=Domain Admins,ou=Groups,dc=idealx,dc=com |
1305 | ++adding new entry: cn=Domain Users,ou=Groups,dc=idealx,dc=com |
1306 | ++adding new entry: cn=Domain Guests,ou=Groups,dc=idealx,dc=com |
1307 | ++adding new entry: cn=Print Operators,ou=Groups,dc=idealx,dc=com |
1308 | ++adding new entry: cn=Backup Operators,ou=Groups,dc=idealx,dc=com |
1309 | ++adding new entry: cn=Replicator,ou=Groups,dc=idealx,dc=com |
1310 | ++adding new entry: cn=Domain Computers,ou=Groups,dc=idealx,dc=com |
1311 | ++</PRE> |
1312 | ++After this step, if you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT> |
1313 | ++account anymore, you can create a dedicated account for Samba and the |
1314 | ++smbldap-tools. See section <A HREF="#change::manager">8.2</A> for more details.<BR> |
1315 | ++<BR> |
1316 | ++The <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> entry is only used to |
1317 | ++defined the next uidNumber and gidNumber available for creating new |
1318 | ++users and groups. The default values for those numbers are 1000. You |
1319 | ++can change it with the <TT>-u</TT> and <TT>-g</TT> option. For |
1320 | ++example, if you want the first available value for uidNumber and |
1321 | ++gidNumber to be set to 1500, you can use the following command : |
1322 | ++<PRE> |
1323 | ++smbldap-populate -u 1550 -g 1500 |
1324 | ++</PRE> |
1325 | ++<!--TOC subsection User management--> |
1326 | ++ |
1327 | ++<H3><A NAME="htoc15">4.2</A> User management</H3><!--SEC END --> |
1328 | ++ |
1329 | ++<!--TOC subsubsection Adding a user--> |
1330 | ++ |
1331 | ++<H4><A NAME="htoc16">4.2.1</A> Adding a user</H4><!--SEC END --> |
1332 | ++<A NAME="add::user"></A> |
1333 | ++To add a user, use the <TT>smbldap-useradd</TT> script. Available |
1334 | ++options are summarized in the table <A HREF="#table::add::user">2</A>. If applicable, |
1335 | ++default values are mentionned in the third column. Any string beginning with a |
1336 | ++$ symbol refers to a parameter defined in the |
1337 | ++<TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> configuration file. |
1338 | ++<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV> |
1339 | ++ <DIV ALIGN=center> |
1340 | ++ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1> |
1341 | ++<TR><TD VALIGN=top ALIGN=left>option</TD> |
1342 | ++<TD VALIGN=top ALIGN=left>definition</TD> |
1343 | ++<TD VALIGN=top ALIGN=left>example</TD> |
1344 | ++<TD VALIGN=top ALIGN=left>default value</TD> |
1345 | ++</TR> |
1346 | ++<TR><TD VALIGN=top ALIGN=left>-a</TD> |
1347 | ++<TD VALIGN=top ALIGN=left>create a Windows account. Otherwise, only a Posix account |
1348 | ++ is created</TD> |
1349 | ++<TD VALIGN=top ALIGN=left> </TD> |
1350 | ++<TD VALIGN=top ALIGN=left> </TD> |
1351 | ++</TR> |
1352 | ++<TR><TD VALIGN=top ALIGN=left>-w</TD> |
1353 | ++<TD VALIGN=top ALIGN=left>create a Windows Workstation account</TD> |
1354 | ++<TD VALIGN=top ALIGN=left> </TD> |
1355 | ++<TD VALIGN=top ALIGN=left> </TD> |
1356 | ++</TR> |
1357 | ++<TR><TD VALIGN=top ALIGN=left>-i</TD> |
1358 | ++<TD VALIGN=top ALIGN=left>create an interdomain trust account. See section |
1359 | ++ <A HREF="#trust::account">4.4</A> for more details</TD> |
1360 | ++<TD VALIGN=top ALIGN=left> </TD> |
1361 | ++<TD VALIGN=top ALIGN=left> </TD> |
1362 | ++</TR> |
1363 | ++<TR><TD VALIGN=top ALIGN=left>-u</TD> |
1364 | ++<TD VALIGN=top ALIGN=left>set a uid value</TD> |
1365 | ++<TD VALIGN=top ALIGN=left>-u 1003</TD> |
1366 | ++<TD VALIGN=top ALIGN=left>first uid available</TD> |
1367 | ++</TR> |
1368 | ++<TR><TD VALIGN=top ALIGN=left>-g</TD> |
1369 | ++<TD VALIGN=top ALIGN=left>set a gid value</TD> |
1370 | ++<TD VALIGN=top ALIGN=left>-g 1003</TD> |
1371 | ++<TD VALIGN=top ALIGN=left>first gid available</TD> |
1372 | ++</TR> |
1373 | ++<TR><TD VALIGN=top ALIGN=left>-G</TD> |
1374 | ++<TD VALIGN=top ALIGN=left>add the new account to one or several supplementary |
1375 | ++ groups (comma-separated)</TD> |
1376 | ++<TD VALIGN=top ALIGN=left>-G 512,550</TD> |
1377 | ++<TD VALIGN=top ALIGN=left> </TD> |
1378 | ++</TR> |
1379 | ++<TR><TD VALIGN=top ALIGN=left>-d</TD> |
1380 | ++<TD VALIGN=top ALIGN=left>set the home directory</TD> |
1381 | ++<TD VALIGN=top ALIGN=left>-d /var/user</TD> |
1382 | ++<TD VALIGN=top ALIGN=left>$userHomePrefix/user</TD> |
1383 | ++</TR> |
1384 | ++<TR><TD VALIGN=top ALIGN=left>-s</TD> |
1385 | ++<TD VALIGN=top ALIGN=left>set the login shell</TD> |
1386 | ++<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD> |
1387 | ++<TD VALIGN=top ALIGN=left>$userLoginShell</TD> |
1388 | ++</TR> |
1389 | ++<TR><TD VALIGN=top ALIGN=left>-c</TD> |
1390 | ++<TD VALIGN=top ALIGN=left>set the user gecos</TD> |
1391 | ++<TD VALIGN=top ALIGN=left>-c "admin user"</TD> |
1392 | ++<TD VALIGN=top ALIGN=left>$userGecos</TD> |
1393 | ++</TR> |
1394 | ++<TR><TD VALIGN=top ALIGN=left>-m</TD> |
1395 | ++<TD VALIGN=top ALIGN=left>creates user's home directory and copies /etc/skel |
1396 | ++ into it</TD> |
1397 | ++<TD VALIGN=top ALIGN=left> </TD> |
1398 | ++<TD VALIGN=top ALIGN=left> </TD> |
1399 | ++</TR> |
1400 | ++<TR><TD VALIGN=top ALIGN=left>-k</TD> |
1401 | ++<TD VALIGN=top ALIGN=left>set the skeleton dir (with -m)</TD> |
1402 | ++<TD VALIGN=top ALIGN=left>-k /etc/skel2</TD> |
1403 | ++<TD VALIGN=top ALIGN=left>$skeletonDir</TD> |
1404 | ++</TR> |
1405 | ++<TR><TD VALIGN=top ALIGN=left>-P</TD> |
1406 | ++<TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's |
1407 | ++ password</TD> |
1408 | ++<TD VALIGN=top ALIGN=left> </TD> |
1409 | ++<TD VALIGN=top ALIGN=left> </TD> |
1410 | ++</TR> |
1411 | ++<TR><TD VALIGN=top ALIGN=left>-A</TD> |
1412 | ++<TD VALIGN=top ALIGN=left>user can change password ? 0 if no, 1 if yes</TD> |
1413 | ++<TD VALIGN=top ALIGN=left>-A 1</TD> |
1414 | ++<TD VALIGN=top ALIGN=left> </TD> |
1415 | ++</TR> |
1416 | ++<TR><TD VALIGN=top ALIGN=left>-B</TD> |
1417 | ++<TD VALIGN=top ALIGN=left>user must change password at first session ? 0 if no, 1 |
1418 | ++ if yes</TD> |
1419 | ++<TD VALIGN=top ALIGN=left>-B 1</TD> |
1420 | ++<TD VALIGN=top ALIGN=left> </TD> |
1421 | ++</TR> |
1422 | ++<TR><TD VALIGN=top ALIGN=left>-C</TD> |
1423 | ++<TD VALIGN=top ALIGN=left>set the samba home share</TD> |
1424 | ++<TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD> |
1425 | ++<TD VALIGN=top ALIGN=left>$userSmbHome</TD> |
1426 | ++</TR> |
1427 | ++<TR><TD VALIGN=top ALIGN=left>-D</TD> |
1428 | ++<TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD> |
1429 | ++<TD VALIGN=top ALIGN=left>-D H:</TD> |
1430 | ++<TD VALIGN=top ALIGN=left>$userHomeDrive</TD> |
1431 | ++</TR> |
1432 | ++<TR><TD VALIGN=top ALIGN=left>-E</TD> |
1433 | ++<TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD> |
1434 | ++<TD VALIGN=top ALIGN=left>-E common.bat</TD> |
1435 | ++<TD VALIGN=top ALIGN=left>$userScript</TD> |
1436 | ++</TR> |
1437 | ++<TR><TD VALIGN=top ALIGN=left>-F</TD> |
1438 | ++<TD VALIGN=top ALIGN=left>set the profile directory</TD> |
1439 | ++<TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD> |
1440 | ++<TD VALIGN=top ALIGN=left>$userProfile</TD> |
1441 | ++</TR> |
1442 | ++<TR><TD VALIGN=top ALIGN=left>-H</TD> |
1443 | ++<TD VALIGN=top ALIGN=left>set the samba account control bits |
1444 | ++ like'[NDHTUMWSLKI]'</TD> |
1445 | ++<TD VALIGN=top ALIGN=left>-H [X]</TD> |
1446 | ++<TD VALIGN=top ALIGN=left> </TD> |
1447 | ++</TR> |
1448 | ++<TR><TD VALIGN=top ALIGN=left>-N</TD> |
1449 | ++<TD VALIGN=top ALIGN=left>set the canonical name of the user</TD> |
1450 | ++<TD VALIGN=top ALIGN=left> </TD> |
1451 | ++<TD VALIGN=top ALIGN=left> </TD> |
1452 | ++</TR> |
1453 | ++<TR><TD VALIGN=top ALIGN=left>-S</TD> |
1454 | ++<TD VALIGN=top ALIGN=left>set the surname of the user</TD> |
1455 | ++<TD VALIGN=top ALIGN=left> </TD> |
1456 | ++<TD VALIGN=top ALIGN=left> </TD> |
1457 | ++</TR> |
1458 | ++<TR><TD VALIGN=top ALIGN=left>-M</TD> |
1459 | ++<TD VALIGN=top ALIGN=left>local mailAddress (comma seperated)</TD> |
1460 | ++<TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD> |
1461 | ++<TD VALIGN=top ALIGN=left> </TD> |
1462 | ++</TR> |
1463 | ++<TR><TD VALIGN=top ALIGN=left>-T</TD> |
1464 | ++<TD VALIGN=top ALIGN=left>forward mail address (comma seperated)</TD> |
1465 | ++<TD VALIGN=top ALIGN=left>-T |
1466 | ++ testuser@domain.org</TD> |
1467 | ++<TD VALIGN=top ALIGN=left> </TD> |
1468 | ++</TR></TABLE> |
1469 | ++ </DIV> |
1470 | ++ <BR> |
1471 | ++<DIV ALIGN=center>Table 2: Options available to the <TT>smbldap-useradd</TT> script</DIV><BR> |
1472 | ++ |
1473 | ++ <A NAME="table::add::user"></A> |
1474 | ++<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE> |
1475 | ++ |
1476 | ++For example, if you want to add a user named <I>user_admin</I> and who : |
1477 | ++<UL><LI> |
1478 | ++is a windows user |
1479 | ++<LI>must belong to the group of gid=512 ('Domain Admins' group) |
1480 | ++<LI>has a home directory |
1481 | ++<LI>does not have a login shell |
1482 | ++<LI>has a homeDirectory set to /dev/null |
1483 | ++<LI>does not have a roaming profile |
1484 | ++<LI>and for whom we want to set a first login password |
1485 | ++</UL> |
1486 | ++you must invoke: |
1487 | ++<PRE> |
1488 | ++smbldap-useradd -a -G 512 -m -s /bin/false -d /dev/null -F "" -P user_admin |
1489 | ++</PRE> |
1490 | ++<!--TOC subsubsection Removing a user--> |
1491 | ++ |
1492 | ++<H4><A NAME="htoc17">4.2.2</A> Removing a user</H4><!--SEC END --> |
1493 | ++ |
1494 | ++To remove a user account, use the <TT>smbldap-userdel</TT> script. |
1495 | ++Available options are |
1496 | ++<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV> |
1497 | ++ <DIV ALIGN=center> |
1498 | ++ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1> |
1499 | ++<TR><TD ALIGN=left NOWRAP>option</TD> |
1500 | ++<TD ALIGN=left NOWRAP>definition</TD> |
1501 | ++</TR> |
1502 | ++<TR><TD ALIGN=left NOWRAP>-r</TD> |
1503 | ++<TD ALIGN=left NOWRAP>remove home directory</TD> |
1504 | ++</TR> |
1505 | ++<TR><TD ALIGN=left NOWRAP>-R</TD> |
1506 | ++<TD ALIGN=left NOWRAP>remove home directory interactively</TD> |
1507 | ++</TR></TABLE> |
1508 | ++ </DIV> |
1509 | ++ <BR> |
1510 | ++<DIV ALIGN=center>Table 3: Option available to the <TT>smbldap-userdel</TT> script</DIV><BR> |
1511 | ++ |
1512 | ++ <A NAME="table::del::user"></A> |
1513 | ++<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE> |
1514 | ++For example, if you want to remove the <I>user1</I> account |
1515 | ++from the LDAP directory, and if you also want to delete his home |
1516 | ++directory, use the following command : |
1517 | ++<PRE> |
1518 | ++smbldap-userdel -r user1 |
1519 | ++</PRE> |
1520 | ++Note: '-r' is dangerous as it may delete precious and unbackuped data, |
1521 | ++please be careful.<BR> |
1522 | ++<BR> |
1523 | ++<!--TOC subsubsection Modifying a user--> |
1524 | ++ |
1525 | ++<H4><A NAME="htoc18">4.2.3</A> Modifying a user</H4><!--SEC END --> |
1526 | ++<A NAME="modify::user"></A> |
1527 | ++To modify a user account, use the <TT>smbldap-usermod</TT> script. |
1528 | ++Availables options are listed in the table <A HREF="#table::modify::user">4</A>. |
1529 | ++<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV> |
1530 | ++ <DIV ALIGN=center> |
1531 | ++ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1> |
1532 | ++<TR><TD VALIGN=top ALIGN=left>option</TD> |
1533 | ++<TD VALIGN=top ALIGN=left>definition</TD> |
1534 | ++<TD VALIGN=top ALIGN=left>example</TD> |
1535 | ++</TR> |
1536 | ++<TR><TD VALIGN=top ALIGN=left>-c</TD> |
1537 | ++<TD VALIGN=top ALIGN=left>set the user gecos</TD> |
1538 | ++<TD VALIGN=top ALIGN=left>-c "admin user"</TD> |
1539 | ++</TR> |
1540 | ++<TR><TD VALIGN=top ALIGN=left>-d</TD> |
1541 | ++<TD VALIGN=top ALIGN=left>set the home directory</TD> |
1542 | ++<TD VALIGN=top ALIGN=left>-d /var/user</TD> |
1543 | ++</TR> |
1544 | ++<TR><TD VALIGN=top ALIGN=left>-u</TD> |
1545 | ++<TD VALIGN=top ALIGN=left>set a uid value</TD> |
1546 | ++<TD VALIGN=top ALIGN=left>-u 1003</TD> |
1547 | ++</TR> |
1548 | ++<TR><TD VALIGN=top ALIGN=left>-g</TD> |
1549 | ++<TD VALIGN=top ALIGN=left>set a gid value</TD> |
1550 | ++<TD VALIGN=top ALIGN=left>-g 1003</TD> |
1551 | ++</TR> |
1552 | ++<TR><TD VALIGN=top ALIGN=left>-G</TD> |
1553 | ++<TD VALIGN=top ALIGN=left>add the new account to one or several supplementary |
1554 | ++ groups (comma-separated)</TD> |
1555 | ++<TD VALIGN=top ALIGN=left>-G 512,550</TD> |
1556 | ++</TR> |
1557 | ++<TR><TD VALIGN=top ALIGN=left> </TD> |
1558 | ++<TD VALIGN=top ALIGN=left> </TD> |
1559 | ++<TD VALIGN=top ALIGN=left>-G -512,550</TD> |
1560 | ++</TR> |
1561 | ++<TR><TD VALIGN=top ALIGN=left> </TD> |
1562 | ++<TD VALIGN=top ALIGN=left> </TD> |
1563 | ++<TD VALIGN=top ALIGN=left>-G +512,550</TD> |
1564 | ++</TR> |
1565 | ++<TR><TD VALIGN=top ALIGN=left>-s</TD> |
1566 | ++<TD VALIGN=top ALIGN=left>set the login shell</TD> |
1567 | ++<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD> |
1568 | ++</TR> |
1569 | ++<TR><TD VALIGN=top ALIGN=left>-N</TD> |
1570 | ++<TD VALIGN=top ALIGN=left>set the canonical name of the user</TD> |
1571 | ++<TD VALIGN=top ALIGN=left> </TD> |
1572 | ++</TR> |
1573 | ++<TR><TD VALIGN=top ALIGN=left>-S</TD> |
1574 | ++<TD VALIGN=top ALIGN=left>set the surname of the user</TD> |
1575 | ++<TD VALIGN=top ALIGN=left> </TD> |
1576 | ++</TR> |
1577 | ++<TR><TD VALIGN=top ALIGN=left>-P</TD> |
1578 | ++<TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's password</TD> |
1579 | ++<TD VALIGN=top ALIGN=left> </TD> |
1580 | ++</TR> |
1581 | ++<TR><TD VALIGN=top ALIGN=left>-a</TD> |
1582 | ++<TD VALIGN=top ALIGN=left>add sambaSAMAccount objectclass</TD> |
1583 | ++<TD VALIGN=top ALIGN=left> </TD> |
1584 | ++</TR> |
1585 | ++<TR><TD VALIGN=top ALIGN=left>-e</TD> |
1586 | ++<TD VALIGN=top ALIGN=left>set an expiration date for the password (format: YYYY-MM-DD HH:MM:SS)</TD> |
1587 | ++<TD VALIGN=top ALIGN=left> </TD> |
1588 | ++</TR> |
1589 | ++<TR><TD VALIGN=top ALIGN=left>-A</TD> |
1590 | ++<TD VALIGN=top ALIGN=left>user can change password ? 0 if no, 1 if yes</TD> |
1591 | ++<TD VALIGN=top ALIGN=left>-A 1</TD> |
1592 | ++</TR> |
1593 | ++<TR><TD VALIGN=top ALIGN=left>-B</TD> |
1594 | ++<TD VALIGN=top ALIGN=left>user must change password at first session ? 0 if no, 1 |
1595 | ++ if yes</TD> |
1596 | ++<TD VALIGN=top ALIGN=left>-B 1</TD> |
1597 | ++</TR> |
1598 | ++<TR><TD VALIGN=top ALIGN=left>-C</TD> |
1599 | ++<TD VALIGN=top ALIGN=left>set the samba home share</TD> |
1600 | ++<TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD> |
1601 | ++</TR> |
1602 | ++<TR><TD VALIGN=top ALIGN=left> </TD> |
1603 | ++<TD VALIGN=top ALIGN=left> </TD> |
1604 | ++<TD VALIGN=top ALIGN=left>-C ""</TD> |
1605 | ++</TR> |
1606 | ++<TR><TD VALIGN=top ALIGN=left>-D</TD> |
1607 | ++<TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD> |
1608 | ++<TD VALIGN=top ALIGN=left>-D H:</TD> |
1609 | ++</TR> |
1610 | ++<TR><TD VALIGN=top ALIGN=left> </TD> |
1611 | ++<TD VALIGN=top ALIGN=left> </TD> |
1612 | ++<TD VALIGN=top ALIGN=left>-D ""</TD> |
1613 | ++</TR> |
1614 | ++<TR><TD VALIGN=top ALIGN=left>-E</TD> |
1615 | ++<TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD> |
1616 | ++<TD VALIGN=top ALIGN=left>-E common.bat</TD> |
1617 | ++</TR> |
1618 | ++<TR><TD VALIGN=top ALIGN=left> </TD> |
1619 | ++<TD VALIGN=top ALIGN=left> </TD> |
1620 | ++<TD VALIGN=top ALIGN=left>-E ""</TD> |
1621 | ++</TR> |
1622 | ++<TR><TD VALIGN=top ALIGN=left>-F</TD> |
1623 | ++<TD VALIGN=top ALIGN=left>set the profile directory</TD> |
1624 | ++<TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD> |
1625 | ++</TR> |
1626 | ++<TR><TD VALIGN=top ALIGN=left> </TD> |
1627 | ++<TD VALIGN=top ALIGN=left> </TD> |
1628 | ++<TD VALIGN=top ALIGN=left>-F ""</TD> |
1629 | ++</TR> |
1630 | ++<TR><TD VALIGN=top ALIGN=left>-H</TD> |
1631 | ++<TD VALIGN=top ALIGN=left>set the samba account control bits like'[NDHTUMWSLKI]'</TD> |
1632 | ++<TD VALIGN=top ALIGN=left>-H [X]</TD> |
1633 | ++</TR> |
1634 | ++<TR><TD VALIGN=top ALIGN=left>-I</TD> |
1635 | ++<TD VALIGN=top ALIGN=left>disable a user account</TD> |
1636 | ++<TD VALIGN=top ALIGN=left>-I 1</TD> |
1637 | ++</TR> |
1638 | ++<TR><TD VALIGN=top ALIGN=left>-J</TD> |
1639 | ++<TD VALIGN=top ALIGN=left>enable a user</TD> |
1640 | ++<TD VALIGN=top ALIGN=left>-J 1</TD> |
1641 | ++</TR> |
1642 | ++<TR><TD VALIGN=top ALIGN=left>-M</TD> |
1643 | ++<TD VALIGN=top ALIGN=left>local mailAddress (comma seperated)</TD> |
1644 | ++<TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD> |
1645 | ++</TR> |
1646 | ++<TR><TD VALIGN=top ALIGN=left>-T</TD> |
1647 | ++<TD VALIGN=top ALIGN=left>forward mail address (comma seperated)</TD> |
1648 | ++<TD VALIGN=top ALIGN=left>-T |
1649 | ++ testuser@domain.org</TD> |
1650 | ++</TR></TABLE> |
1651 | ++ </DIV> |
1652 | ++ <BR> |
1653 | ++<DIV ALIGN=center>Table 4: Options available to the <TT>smbldap-usermod</TT> script</DIV><BR> |
1654 | ++ |
1655 | ++ <A NAME="table::modify::user"></A> |
1656 | ++<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE> |
1657 | ++You can also use the <TT>smbldap-userinfo</TT> script to update user's information. This script can |
1658 | ++also be used by users themselves to update their own informations listed in the tables |
1659 | ++<A HREF="#table::modify::self::user">5</A> (adequats ACL must be set in the directory server). Available |
1660 | ++options are : |
1661 | ++<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV> |
1662 | ++ <DIV ALIGN=center> |
1663 | ++ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1> |
1664 | ++<TR><TD VALIGN=top ALIGN=left>option</TD> |
1665 | ++<TD VALIGN=top ALIGN=left>definition</TD> |
1666 | ++<TD VALIGN=top ALIGN=left>example</TD> |
1667 | ++</TR> |
1668 | ++<TR><TD VALIGN=top ALIGN=left>-f</TD> |
1669 | ++<TD VALIGN=top ALIGN=left>set the full name's user</TD> |
1670 | ++<TD VALIGN=top ALIGN=left>-f MyName</TD> |
1671 | ++</TR> |
1672 | ++<TR><TD VALIGN=top ALIGN=left>-r</TD> |
1673 | ++<TD VALIGN=top ALIGN=left>set the room number</TD> |
1674 | ++<TD VALIGN=top ALIGN=left>-r 99</TD> |
1675 | ++</TR> |
1676 | ++<TR><TD VALIGN=top ALIGN=left>-w</TD> |
1677 | ++<TD VALIGN=top ALIGN=left>set the work phone number</TD> |
1678 | ++<TD VALIGN=top ALIGN=left>-w 111111111</TD> |
1679 | ++</TR> |
1680 | ++<TR><TD VALIGN=top ALIGN=left>-h</TD> |
1681 | ++<TD VALIGN=top ALIGN=left>set the home phone number</TD> |
1682 | ++<TD VALIGN=top ALIGN=left>-h 222222222</TD> |
1683 | ++</TR> |
1684 | ++<TR><TD VALIGN=top ALIGN=left>-o</TD> |
1685 | ++<TD VALIGN=top ALIGN=left>set other information (in gecos definition)</TD> |
1686 | ++<TD VALIGN=top ALIGN=left>-o "second stage"</TD> |
1687 | ++</TR> |
1688 | ++<TR><TD VALIGN=top ALIGN=left>-s</TD> |
1689 | ++<TD VALIGN=top ALIGN=left>set the default bash</TD> |
1690 | ++<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD> |
1691 | ++</TR></TABLE> |
1692 | ++ </DIV> |
1693 | ++ <BR> |
1694 | ++<DIV ALIGN=center>Table 5: Options available to the <TT>smbldap-userinfo</TT> script</DIV><BR> |
1695 | ++ |
1696 | ++ <A NAME="table::modify::self::user"></A> |
1697 | ++<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE> |
1698 | ++<!--TOC subsection Group management--> |
1699 | ++ |
1700 | ++<H3><A NAME="htoc19">4.3</A> Group management</H3><!--SEC END --> |
1701 | ++ |
1702 | ++<!--TOC subsubsection Adding a group--> |
1703 | ++ |
1704 | ++<H4><A NAME="htoc20">4.3.1</A> Adding a group</H4><!--SEC END --> |
1705 | ++ |
1706 | ++To add a new group in the LDAP directory, use the <TT>smbldap-groupadd</TT> |
1707 | ++script. Available options are listed in the table |
1708 | ++<A HREF="#table::add::group">6</A>. |
1709 | ++<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV> |
1710 | ++ <DIV ALIGN=center> |
1711 | ++ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1> |
1712 | ++<TR><TD VALIGN=top ALIGN=left NOWRAP>option</TD> |
1713 | ++<TD VALIGN=top ALIGN=left>definition</TD> |
1714 | ++<TD VALIGN=top ALIGN=left NOWRAP>example</TD> |
1715 | ++</TR> |
1716 | ++<TR><TD VALIGN=top ALIGN=left NOWRAP>-a</TD> |
1717 | ++<TD VALIGN=top ALIGN=left>add automatic group mapping entry</TD> |
1718 | ++<TD VALIGN=top ALIGN=left NOWRAP> </TD> |
1719 | ++</TR> |
1720 | ++<TR><TD VALIGN=top ALIGN=left NOWRAP>-g <TT>gid</TT></TD> |
1721 | ++<TD VALIGN=top ALIGN=left>set the <I>gidNumer</I> for this group to |
1722 | ++ <I>gid</I></TD> |
1723 | ++<TD VALIGN=top ALIGN=left NOWRAP><TT>-g 1002</TT></TD> |
1724 | ++</TR> |
1725 | ++<TR><TD VALIGN=top ALIGN=left NOWRAP>-o</TD> |
1726 | ++<TD VALIGN=top ALIGN=left>gidNumber is not unique</TD> |
1727 | ++<TD VALIGN=top ALIGN=left NOWRAP> </TD> |
1728 | ++</TR> |
1729 | ++<TR><TD VALIGN=top ALIGN=left NOWRAP>-r <TT>group-rid</TT></TD> |
1730 | ++<TD VALIGN=top ALIGN=left>set the rid of the group to |
1731 | ++ <I>group-rid</I></TD> |
1732 | ++<TD VALIGN=top ALIGN=left NOWRAP><TT>-r 1002</TT></TD> |
1733 | ++</TR> |
1734 | ++<TR><TD VALIGN=top ALIGN=left NOWRAP>-s <TT>group-sid</TT></TD> |
1735 | ++<TD VALIGN=top ALIGN=left>set the sid of the group to |
1736 | ++ <I>group-sid</I></TD> |
1737 | ++<TD VALIGN=top ALIGN=left NOWRAP><TT><FONT SIZE=1>-s |
1738 | ++ S-1-5-21-3703471949-3718591838-2324585696-1002</FONT></TT></TD> |
1739 | ++</TR> |
1740 | ++<TR><TD VALIGN=top ALIGN=left NOWRAP>-t <TT>group-type</TT></TD> |
1741 | ++<TD VALIGN=top ALIGN=left>set the <I>sambaGroupType</I> to |
1742 | ++ <I>group-type</I></TD> |
1743 | ++<TD VALIGN=top ALIGN=left NOWRAP><TT>-t 2</TT></TD> |
1744 | ++</TR> |
1745 | ++<TR><TD VALIGN=top ALIGN=left NOWRAP>-p</TD> |
1746 | ++<TD VALIGN=top ALIGN=left>print the gidNumber to stdout</TD> |
1747 | ++<TD VALIGN=top ALIGN=left NOWRAP> </TD> |
1748 | ++</TR></TABLE> |
1749 | ++ </DIV> |
1750 | ++ <BR> |
1751 | ++<DIV ALIGN=center>Table 6: Options available for the <TT>smbldap-groupadd</TT> script</DIV><BR> |
1752 | ++ |
1753 | ++ <A NAME="table::add::group"></A> |
1754 | ++<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE> |
1755 | ++<!--TOC subsubsection Removing a group--> |
1756 | ++ |
1757 | ++<H4><A NAME="htoc21">4.3.2</A> Removing a group</H4><!--SEC END --> |
1758 | ++ |
1759 | ++To remove the group named <TT>group1</TT>, just use the following |
1760 | ++command : |
1761 | ++<PRE> |
1762 | ++smbldap-userdel group1 |
1763 | ++</PRE> |
1764 | ++<!--TOC subsection Adding a interdomain trust account--> |
1765 | ++ |
1766 | ++<H3><A NAME="htoc22">4.4</A> Adding a interdomain trust account</H3><!--SEC END --> |
1767 | ++<A NAME="trust::account"></A> |
1768 | ++To add an interdomain trust account to the primary controller <I>trust-pdc</I>, use the <TT>-i</TT> option of |
1769 | ++<TT>smbldap-useradd</TT> as follows : |
1770 | ++<PRE> |
1771 | ++[root@etoile root]# smbldap-useradd -i trust-pdc |
1772 | ++New password : ******* |
1773 | ++Retype new password : ******* |
1774 | ++</PRE> |
1775 | ++The script will terminate asking for a password for this trust |
1776 | ++account. The account will be created in the directory branch where |
1777 | ++all computer accounts are stored (<TT>ou=Computers</TT> by |
1778 | ++default). The only two particularities of this account are that you are |
1779 | ++setting a password for this account, and the flags of this account are |
1780 | ++<TT>[I ]</TT>. |
1781 | ++ <!--TOC section Samba and the smbldap-tools scripts--> |
1782 | ++ |
1783 | ++<H2><A NAME="htoc23">5</A> Samba and the smbldap-tools scripts</H2><!--SEC END --> |
1784 | ++ |
1785 | ++<!--TOC subsection General configuration--> |
1786 | ++ |
1787 | ++<H3><A NAME="htoc24">5.1</A> General configuration</H3><!--SEC END --> |
1788 | ++ |
1789 | ++Samba can be configured to use the <FONT COLOR=purple>smbldap-tools</FONT> scripts. This allows |
1790 | ++administrators to add, delete or modify user and group accounts for <FONT COLOR=purple>Microsoft Windows</FONT> |
1791 | ++operating systems using, for example, User Manager utility under MS-Windows. |
1792 | ++To enable the use of this utility, samba needs to be configured correctly. The |
1793 | ++<TT>smb.conf</TT> configuration file must contain the following directives : |
1794 | ++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0> |
1795 | ++<TR><TD><TABLE BORDER=0 CELLPADDING=0 |
1796 | ++ CELLSPACING=0> |
1797 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1798 | ++<TR><TD> |
1799 | ++ </TD> |
1800 | ++</TR></TABLE></TD> |
1801 | ++</TR> |
1802 | ++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1803 | ++<TR><TD> |
1804 | ++ </TD> |
1805 | ++</TR></TABLE></TD> |
1806 | ++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0> |
1807 | ++<TR><TD><PRE> |
1808 | ++ldap delete dn = Yes |
1809 | ++add user script = /usr/local/sbin/smbldap-useradd -m "%u" |
1810 | ++add machine script = /usr/local/sbin/smbldap-useradd -w "%u" |
1811 | ++add group script = /usr/local/sbin/smbldap-groupadd -p "%g" |
1812 | ++add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g" |
1813 | ++delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g" |
1814 | ++set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u" |
1815 | ++</PRE></TD> |
1816 | ++</TR></TABLE></TD> |
1817 | ++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1818 | ++<TR><TD> |
1819 | ++ </TD> |
1820 | ++</TR></TABLE></TD> |
1821 | ++</TR> |
1822 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1823 | ++<TR><TD> |
1824 | ++ </TD> |
1825 | ++</TR></TABLE></TD> |
1826 | ++</TR></TABLE></TD> |
1827 | ++</TR></TABLE><BR> |
1828 | ++Remark: the two directives <TT>delete user script</TT> et <TT>delete group |
1829 | ++script</TT> can also be used. However, an error message can appear in User Manager |
1830 | ++even if the operations actually succeed. |
1831 | ++If you want to enable this behaviour, you need to add |
1832 | ++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0> |
1833 | ++<TR><TD><TABLE BORDER=0 CELLPADDING=0 |
1834 | ++ CELLSPACING=0> |
1835 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1836 | ++<TR><TD> |
1837 | ++ </TD> |
1838 | ++</TR></TABLE></TD> |
1839 | ++</TR> |
1840 | ++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1841 | ++<TR><TD> |
1842 | ++ </TD> |
1843 | ++</TR></TABLE></TD> |
1844 | ++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0> |
1845 | ++<TR><TD><PRE> |
1846 | ++delete user script = /usr/local/sbin/smbldap-userdel "%u" |
1847 | ++delete group script = /usr/local/sbin/smbldap-groupdel "%g" |
1848 | ++</PRE></TD> |
1849 | ++</TR></TABLE></TD> |
1850 | ++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1851 | ++<TR><TD> |
1852 | ++ </TD> |
1853 | ++</TR></TABLE></TD> |
1854 | ++</TR> |
1855 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1856 | ++<TR><TD> |
1857 | ++ </TD> |
1858 | ++</TR></TABLE></TD> |
1859 | ++</TR></TABLE></TD> |
1860 | ++</TR></TABLE><BR> |
1861 | ++<!--TOC subsection Migrating an NT4 PDC to Samba3--> |
1862 | ++ |
1863 | ++<H3><A NAME="htoc25">5.2</A> Migrating an NT4 PDC to Samba3</H3><!--SEC END --> |
1864 | ++ |
1865 | ++The account migration procedure becomes really simple when samba is configured to use |
1866 | ++the <FONT COLOR=purple>smbldap-tools</FONT>. Samba configuration (smb.conf file) must contain the |
1867 | ++directive defined above to properly call the script for managing users, groups and computer accounts. |
1868 | ++The migration process is outlined in the chapter 30 of the samba howto |
1869 | ++<A HREF="http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html"><TT>http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html</TT></A>. |
1870 | ++ <BR> |
1871 | ++<BR> |
1872 | ++<!--TOC section Frequently Asked Questions--> |
1873 | ++ |
1874 | ++<H2><A NAME="htoc26">6</A> Frequently Asked Questions</H2><!--SEC END --> |
1875 | ++ |
1876 | ++<!--TOC subsection How can i use old released uidNumber and gidNumber ?--> |
1877 | ++ |
1878 | ++<H3><A NAME="htoc27">6.1</A> How can i use old released uidNumber and gidNumber ?</H3><!--SEC END --> |
1879 | ++ |
1880 | ++There are two way to do this : |
1881 | ++<UL><LI> |
1882 | ++modify the <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> and |
1883 | ++ change the <TT>uidNumber</TT> and/or <TT>gidNumber</TT> value. This |
1884 | ++ must be done manually. For example, if you want to use all available |
1885 | ++ uidNumber and gidNumber higher then 1500, you need to create a |
1886 | ++ <TT>update-NextFreeUnixId.ldif</TT> file containing : |
1887 | ++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0> |
1888 | ++<TR><TD><TABLE BORDER=0 CELLPADDING=0 |
1889 | ++ CELLSPACING=0> |
1890 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1891 | ++<TR><TD> |
1892 | ++ </TD> |
1893 | ++</TR></TABLE></TD> |
1894 | ++</TR> |
1895 | ++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1896 | ++<TR><TD> |
1897 | ++ </TD> |
1898 | ++</TR></TABLE></TD> |
1899 | ++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0> |
1900 | ++<TR><TD><PRE>dn: cn=NextFreeUnixId,dc=idealx,dc=org |
1901 | ++changetype: modify |
1902 | ++uidNumber: 1500 |
1903 | ++gidNumber: 1500 |
1904 | ++</PRE></TD> |
1905 | ++</TR></TABLE></TD> |
1906 | ++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1907 | ++<TR><TD> |
1908 | ++ </TD> |
1909 | ++</TR></TABLE></TD> |
1910 | ++</TR> |
1911 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1912 | ++<TR><TD> |
1913 | ++ </TD> |
1914 | ++</TR></TABLE></TD> |
1915 | ++</TR></TABLE></TD> |
1916 | ++</TR></TABLE> |
1917 | ++and then update the directory : |
1918 | ++<PRE> |
1919 | ++ldapmodify -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f update-NextFreeUnixId.ldif |
1920 | ++</PRE><LI>use the <TT>-u</TT> or <TT>-g</TT> option to the script you need to set the value you |
1921 | ++ want to use |
1922 | ++</UL> |
1923 | ++<!--TOC subsection I always have this error: "Can't locate IO/Socket/SSL.pm"--> |
1924 | ++ |
1925 | ++<H3><A NAME="htoc28">6.2</A> I always have this error: "Can't locate IO/Socket/SSL.pm"</H3><!--SEC END --> |
1926 | ++ |
1927 | ++This happens when you want to use a certificate. In this case, you need to install the |
1928 | ++IO-Socket-SSL Perl module.<BR> |
1929 | ++<BR> |
1930 | ++<!--TOC subsection I can't initialize the directory with <TT>smbldap-populate</TT>--> |
1931 | ++ |
1932 | ++<H3><A NAME="htoc29">6.3</A> I can't initialize the directory with <TT>smbldap-populate</TT></H3><!--SEC END --> |
1933 | ++ |
1934 | ++When I want to initialize the directory using the <TT>smbldap-populate</TT> |
1935 | ++script, I get |
1936 | ++<PRE> |
1937 | ++[root@slave sbin]# smbldap-populate.pl |
1938 | ++ Using builtin directory structure |
1939 | ++ adding new entry: dc=IDEALX,dc=COM |
1940 | ++ Can't call method "code" without a package or object reference at |
1941 | ++ /usr/local/sbin/smbldap-populate.pl line 270, <GEN1> line 2. |
1942 | ++</PRE>Answer: check the TLS configuration |
1943 | ++<UL><LI> |
1944 | ++if you don't want to use TLS support, set the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file |
1945 | ++with |
1946 | ++<PRE> |
1947 | ++ldapSSL="0" |
1948 | ++</PRE><LI>if you want TLS support, set the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file with |
1949 | ++<PRE> |
1950 | ++ldapSSL="1" |
1951 | ++</PRE>and check that the directory server is configured to accept TLS connections. |
1952 | ++</UL> |
1953 | ++<!--TOC subsection I can't join the domain with the <TT>root</TT> account--> |
1954 | ++ |
1955 | ++<H3><A NAME="htoc30">6.4</A> I can't join the domain with the <TT>root</TT> account</H3><!--SEC END --> |
1956 | ++ |
1957 | ++<UL><LI> |
1958 | ++check that the root account has the sambaSamAccount objectclass |
1959 | ++<LI>check that the directive <TT>add machine script</TT> is present and configured |
1960 | ++</UL> |
1961 | ++<!--TOC subsection I have the <TT>sambaSamAccount</TT> but i can't logged in--> |
1962 | ++ |
1963 | ++<H3><A NAME="htoc31">6.5</A> I have the <TT>sambaSamAccount</TT> but i can't logged in</H3><!--SEC END --> |
1964 | ++ |
1965 | ++Check that the <TT>sambaPwdLastSet</TT> attribute is not null (equal to 0)<BR> |
1966 | ++<BR> |
1967 | ++<!--TOC subsection I want to create machine account on the fly, but it does |
1968 | ++ not works or I must do it twice--> |
1969 | ++ |
1970 | ++<H3><A NAME="htoc32">6.6</A> I want to create machine account on the fly, but it does |
1971 | ++ not works or I must do it twice</H3><!--SEC END --> |
1972 | ++ |
1973 | ++<UL><LI> |
1974 | ++The script defined with the <TT>add machine script</TT> must not add |
1975 | ++the <TT>sambaSAMAccount</TT> objectclass of the machine account. The |
1976 | ++script must only add the Posix machine account. Samba will add the <TT>sambaSAMAccount</TT> when |
1977 | ++joining the domain. |
1978 | ++<LI>Check that the <TT>add <B>machine</B> script</TT> is present in samba |
1979 | ++ configuration file. |
1980 | ++</UL> |
1981 | ++<!--TOC subsection I can't manage the Oracle Internet Database--> |
1982 | ++ |
1983 | ++<H3><A NAME="htoc33">6.7</A> I can't manage the Oracle Internet Database</H3><!--SEC END --> |
1984 | ++ |
1985 | ++If you have an error message like : |
1986 | ++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0> |
1987 | ++<TR><TD><TABLE BORDER=0 CELLPADDING=0 |
1988 | ++ CELLSPACING=0> |
1989 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1990 | ++<TR><TD> |
1991 | ++ </TD> |
1992 | ++</TR></TABLE></TD> |
1993 | ++</TR> |
1994 | ++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
1995 | ++<TR><TD> |
1996 | ++ </TD> |
1997 | ++</TR></TABLE></TD> |
1998 | ++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0> |
1999 | ++<TR><TD><PRE> |
2000 | ++Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 187. |
2001 | ++Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 627. |
2002 | ++</PRE></TD> |
2003 | ++</TR></TABLE></TD> |
2004 | ++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2005 | ++<TR><TD> |
2006 | ++ </TD> |
2007 | ++</TR></TABLE></TD> |
2008 | ++</TR> |
2009 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2010 | ++<TR><TD> |
2011 | ++ </TD> |
2012 | ++</TR></TABLE></TD> |
2013 | ++</TR></TABLE></TD> |
2014 | ++</TR></TABLE>For Oracle Database, all attributes that will be resquested to the directory must be indexed. Add a |
2015 | ++new index for samba attributes and make sure that the following attributes are also indexed : |
2016 | ++ uidNumber, gidNumber, memberUid, homedirectory, description, userPassword ...<BR> |
2017 | ++<BR> |
2018 | ++<!--TOC subsection The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not |
2019 | ++called, or i got a error message when changing the password from windows--> |
2020 | ++ |
2021 | ++<H3><A NAME="htoc34">6.8</A> The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not |
2022 | ++called, or i got a error message when changing the password from windows</H3><!--SEC END --> |
2023 | ++ |
2024 | ++The directive is called if you also set <TT>unix password sync = Yes</TT>. |
2025 | ++Notes: |
2026 | ++<UL><LI> |
2027 | ++if you use OpenLDAP, none of those two options are needed. You just need <TT>ldap |
2028 | ++passwd sync = Yes</TT>. |
2029 | ++<LI>the script called here must only update the <TT>userPassword</TT> attribute. This is the |
2030 | ++reason of the <TT>-u</TT> option. Samba passwords will be updated by samba itself. |
2031 | ++<LI>the <TT>passwd chat</TT> directive must match what is prompted when using the |
2032 | ++<TT>smbldap-passwd</TT> command |
2033 | ++</UL> |
2034 | ++<!--TOC subsection New computers account can't be set in ou=computers--> |
2035 | ++ |
2036 | ++<H3><A NAME="htoc35">6.9</A> New computers account can't be set in ou=computers</H3><!--SEC END --> |
2037 | ++<A NAME="sec::bug::ou::computer"></A> |
2038 | ++This is a known samba bug. There's a workarround: look at |
2039 | ++<A HREF="http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2"><TT>http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2</TT></A><BR> |
2040 | ++<BR> |
2041 | ++<!--TOC subsection I can join the domain, but i can't log on--> |
2042 | ++ |
2043 | ++<H3><A NAME="htoc36">6.10</A> I can join the domain, but i can't log on</H3><!--SEC END --> |
2044 | ++ |
2045 | ++look at section <A HREF="#sec::bug::ou::computer">6.9</A><BR> |
2046 | ++<BR> |
2047 | ++<!--TOC subsection I can't create a user with <TT>smbldap-useradd</TT>--> |
2048 | ++ |
2049 | ++<H3><A NAME="htoc37">6.11</A> I can't create a user with <TT>smbldap-useradd</TT></H3><!--SEC END --> |
2050 | ++ |
2051 | ++When creating a new user account I get the following error message: |
2052 | ++<PRE> |
2053 | ++/usr/local/sbin/smbldap-useradd.pl: unknown group SID not set for unix group 513 |
2054 | ++</PRE>Answer: |
2055 | ++<UL><LI> |
2056 | ++is nss_ldap correctly configured ? |
2057 | ++<LI>is the default group's users mapped to the 'Domain Users' NT group ? |
2058 | ++<PRE> |
2059 | ++net groupmap add rid=513 unixgroup="Domain Users" ntgroup="Domain Users" |
2060 | ++</PRE></UL> |
2061 | ++<!--TOC subsection smbldap-useradd: Can't call method "get_value" on an undefined value at |
2062 | ++/usr/local/sbin/smbldap-useradd line 154--> |
2063 | ++ |
2064 | ++<H3><A NAME="htoc38">6.12</A> smbldap-useradd: Can't call method "get_value" on an undefined value at |
2065 | ++/usr/local/sbin/smbldap-useradd line 154</H3><!--SEC END --> |
2066 | ++ |
2067 | ++<UL><LI> |
2068 | ++does the default group defined in smbldap.conf exist |
2069 | ++ (defaultUserGid="513") ? |
2070 | ++<LI>does the NT "Domain Users" group mapped to a unix |
2071 | ++ group of rid 513 (see option <I>-r</I> of <TT>smbldap-groupadd</TT> and |
2072 | ++ <TT>smbldap-groupmod</TT> to set a rid) ? |
2073 | ++</UL> |
2074 | ++<!--TOC subsection Typical errors on creating a new user or a new group--> |
2075 | ++ |
2076 | ++<H3><A NAME="htoc39">6.13</A> Typical errors on creating a new user or a new group</H3><!--SEC END --> |
2077 | ++<A NAME="faq::error::add::user"></A> |
2078 | ++<UL><LI> |
2079 | ++i've got the following error: |
2080 | ++<PRE> |
2081 | ++Could not find base dn, to get next uidNumber at /usr/local/sbin//smbldap_tools.pm line 909 |
2082 | ++</PRE><OL type=1><LI> |
2083 | ++ you do not have created the object to defined the next uidNumber and gidNumber available. |
2084 | ++ <UL><LI> |
2085 | ++ for version 0.8.7 : you can just run the <TT>smbldap-populate</TT> script that will |
2086 | ++ update the sambaDomain entry to store those informations |
2087 | ++ <LI>for version before 0.8.7 : |
2088 | ++ You have updated the smbldap-tools to version 0.8.5 or newer. |
2089 | ++ You have to do this manually. Create an file called <TT>add.ldif</TT> and containing |
2090 | ++<PRE> |
2091 | ++dn: cn=NextFreeUnixId,dc=idealx,dc=org |
2092 | ++objectClass: inetOrgPerson |
2093 | ++objectClass: sambaUnixIdPool |
2094 | ++uidNumber: 1000 |
2095 | ++gidNumber: 1000 |
2096 | ++cn: NextFreeUnixId |
2097 | ++sn: NextFreeUnixId |
2098 | ++</PRE> and then add the object with the ldapadd utility: |
2099 | ++<PRE> |
2100 | ++$ ldapadd -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f add.ldif |
2101 | ++</PRE> Here, 1000 is the first available value for uidNumber and gidNumber (of course, if this value is |
2102 | ++ already used by a user or a group, the first available after 1000 will be used). |
2103 | ++ </UL><BR> |
2104 | ++<BR> |
2105 | ++<LI>The error also appear when there is a need for TLS (ldapTLS=1 in <TT>smbldap.conf</TT>) and |
2106 | ++something is wrong with certificate naming or path settings. |
2107 | ++</OL><BR> |
2108 | ++<BR> |
2109 | ++<LI>i've got the following error: |
2110 | ++<PRE> |
2111 | ++Use of uninitialized value in string at |
2112 | ++/usr/local/sbin//smbldap\_tools.pm line 914. |
2113 | ++Error: No DN specified at /usr/local/sbin//smbldap\_tools.pm line 919 |
2114 | ++</PRE>You have not updated the configuration file to defined the object where are sotred the next |
2115 | ++uidNumber and gidNumber available. In our example, you have to add a nex entry in |
2116 | ++<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I> containing : |
2117 | ++<PRE> |
2118 | ++# Where to store next uidNumber and gidNumber available |
2119 | ++sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" |
2120 | ++</PRE>btw, a new option is now available too: the domain to append to users. You can add to the |
2121 | ++configuration file the following lines: |
2122 | ++<PRE> |
2123 | ++# Domain appended to the users "mail"-attribute |
2124 | ++# when smbldap-useradd -M is used mailDomain="idealx.com" |
2125 | ++</PRE><BR> |
2126 | ++<BR> |
2127 | ++<LI>i've got the following error: |
2128 | ++<PRE> |
2129 | ++Use of uninitialized value in concatenation (.) or string at /usr/local/sbin/smbldap-useradd line 183. |
2130 | ++Use of uninitialized value in substitution (s///) at /usr/local/sbin/smbldap-useradd line 185. |
2131 | ++Use of uninitialized value in string at /usr/local/sbin/smbldap-useradd line 264. |
2132 | ++failed to add entry: homedirectory: value #0 invalid per syntax at /usr/local/sbin/smbldap-useradd line 280. |
2133 | ++userHomeDirectory=User "jto" already member of the group "513". |
2134 | ++failed to add entry: No such object at /usr/local/sbin/smbldap-useradd line 382. |
2135 | ++</PRE>you have to change the variable name <TT>userHomePrefix</TT> to <TT>userHome</TT> in |
2136 | ++<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I><BR> |
2137 | ++<BR> |
2138 | ++<LI>i've got the following error: |
2139 | ++<PRE> |
2140 | ++failed to add entry: referral missing at /usr/local/sbin/smbldap-useradd line 279, <DATA> line 283. |
2141 | ++</PRE>you have to update the configuration file that defined users, groups and computers dn. Those |
2142 | ++parameters must not be relative to the <TT>suffix</TT> parameter. A typical |
2143 | ++configuration look like this : |
2144 | ++<PRE> |
2145 | ++usersdn="ou=Users,${suffix}" |
2146 | ++computersdn="ou=Computers,${suffix}" |
2147 | ++groupsdn="ou=Groups,${suffix}" |
2148 | ++</PRE><BR> |
2149 | ++<BR> |
2150 | ++<LI>i've got the following error: |
2151 | ++<PRE> |
2152 | ++erreur LDAP: Can't contact master ldap server (IO::Socket::INET: Bad protocol 'tcp') |
2153 | ++at /usr/local/sbin//smbldap_tools.pm line 153. |
2154 | ++</PRE>remove <I>ldap</I> from <I>/etc/nsswitch.conf</I> for <I>services</I> list of possible check. For |
2155 | ++example, if your ldap directory is not configured to give services information, you must have |
2156 | ++<PRE> |
2157 | ++services files |
2158 | ++</PRE>and not |
2159 | ++<PRE> |
2160 | ++services: ldap [NOTFOUND=return] files |
2161 | ++</PRE></UL> |
2162 | ++ |
2163 | ++ |
2164 | ++<!--TOC section Thanks--> |
2165 | ++ |
2166 | ++<H2><A NAME="htoc40">7</A> Thanks</H2><!--SEC END --> |
2167 | ++ |
2168 | ++<A NAME="thanks"></A> |
2169 | ++People who have worked on this document are |
2170 | ++<UL><LI> |
2171 | ++Jérôme Tournier <jerome.tournier@IDEALX.com> |
2172 | ++<LI>David Barth <david.barth@IDEALX.com> |
2173 | ++<LI>Nat Makarevitch <nat@IDEALX.com> |
2174 | ++</UL> |
2175 | ++The authors would like to thank the following people for providing help with |
2176 | ++some of the more complicated subjects, for clarifying some of the internal |
2177 | ++workings of <FONT COLOR=purple>Samba</FONT> or <FONT COLOR=purple>OpenLDAP</FONT>, for pointing out errors or mistakes in |
2178 | ++previous versions of this document, or generally for making |
2179 | ++suggestions : |
2180 | ++<UL><LI> |
2181 | ++IDEALX team : |
2182 | ++ <UL><LI> |
2183 | ++ Roméo Adekambi <romeo.adekambi@IDEALX.com> |
2184 | ++ <LI>Aurelien Degremont <adegremont@IDEALX.com> |
2185 | ++ <LI>Renaud Renard <rrenard@IDEALX.com> |
2186 | ++ </UL> |
2187 | ++<LI>John H Terpstra <jht@samba.org> |
2188 | ++</UL> |
2189 | ++ <!--TOC section Annexes--> |
2190 | ++ |
2191 | ++<H2><A NAME="htoc41">8</A> Annexes</H2><!--SEC END --> |
2192 | ++ |
2193 | ++<!--TOC subsection Full configuration files--> |
2194 | ++ |
2195 | ++<H3><A NAME="htoc42">8.1</A> Full configuration files</H3><!--SEC END --> |
2196 | ++<A NAME="configuration::files"></A> |
2197 | ++<!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file--> |
2198 | ++ |
2199 | ++<H4><A NAME="htoc43">8.1.1</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</H4><!--SEC END --> |
2200 | ++<A NAME="configuration::file::smbldap"></A> |
2201 | ++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0> |
2202 | ++<TR><TD><TABLE BORDER=0 CELLPADDING=0 |
2203 | ++ CELLSPACING=0> |
2204 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2205 | ++<TR><TD> |
2206 | ++ </TD> |
2207 | ++</TR></TABLE></TD> |
2208 | ++</TR> |
2209 | ++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2210 | ++<TR><TD> |
2211 | ++ </TD> |
2212 | ++</TR></TABLE></TD> |
2213 | ++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0> |
2214 | ++<TR><TD><PRE># $Source: $ |
2215 | ++# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $ |
2216 | ++# |
2217 | ++# smbldap-tools.conf : Q & D configuration file for smbldap-tools |
2218 | ++ |
2219 | ++# This code was developped by IDEALX (http://IDEALX.org/) and |
2220 | ++# contributors (their names can be found in the CONTRIBUTORS file). |
2221 | ++# |
2222 | ++# Copyright (C) 2001-2002 IDEALX |
2223 | ++# |
2224 | ++# This program is free software; you can redistribute it and/or |
2225 | ++# modify it under the terms of the GNU General Public License |
2226 | ++# as published by the Free Software Foundation; either version 2 |
2227 | ++# of the License, or (at your option) any later version. |
2228 | ++# |
2229 | ++# This program is distributed in the hope that it will be useful, |
2230 | ++# but WITHOUT ANY WARRANTY; without even the implied warranty of |
2231 | ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
2232 | ++# GNU General Public License for more details. |
2233 | ++# |
2234 | ++# You should have received a copy of the GNU General Public License |
2235 | ++# along with this program; if not, write to the Free Software |
2236 | ++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, |
2237 | ++# USA. |
2238 | ++ |
2239 | ++# Purpose : |
2240 | ++# . be the configuration file for all smbldap-tools scripts |
2241 | ++ |
2242 | ++############################################################################## |
2243 | ++# |
2244 | ++# General Configuration |
2245 | ++# |
2246 | ++############################################################################## |
2247 | ++ |
2248 | ++# Put your own SID. To obtain this number do: "net getlocalsid". |
2249 | ++# If not defined, parameter is taking from "net getlocalsid" return |
2250 | ++SID="S-1-5-21-2252255531-4061614174-2474224977" |
2251 | ++ |
2252 | ++# Domain name the Samba server is in charged. |
2253 | ++# If not defined, parameter is taking from smb.conf configuration file |
2254 | ++# Ex: sambaDomain="IDEALX-NT" |
2255 | ++sambaDomain="DOMSMB" |
2256 | ++ |
2257 | ++############################################################################## |
2258 | ++# |
2259 | ++# LDAP Configuration |
2260 | ++# |
2261 | ++############################################################################## |
2262 | ++ |
2263 | ++# Notes: to use to dual ldap servers backend for Samba, you must patch |
2264 | ++# Samba with the dual-head patch from IDEALX. If not using this patch |
2265 | ++# just use the same server for slaveLDAP and masterLDAP. |
2266 | ++# Those two servers declarations can also be used when you have |
2267 | ++# . one master LDAP server where all writing operations must be done |
2268 | ++# . one slave LDAP server where all reading operations must be done |
2269 | ++# (typically a replication directory) |
2270 | ++ |
2271 | ++# Slave LDAP server |
2272 | ++# Ex: slaveLDAP=127.0.0.1 |
2273 | ++# If not defined, parameter is set to "127.0.0.1" |
2274 | ++slaveLDAP="127.0.0.1" |
2275 | ++ |
2276 | ++# Slave LDAP port |
2277 | ++# If not defined, parameter is set to "389" |
2278 | ++slavePort="389" |
2279 | ++ |
2280 | ++# Master LDAP server: needed for write operations |
2281 | ++# Ex: masterLDAP=127.0.0.1 |
2282 | ++# If not defined, parameter is set to "127.0.0.1" |
2283 | ++masterLDAP="127.0.0.1" |
2284 | ++ |
2285 | ++# Master LDAP port |
2286 | ++# If not defined, parameter is set to "389" |
2287 | ++masterPort="389" |
2288 | ++ |
2289 | ++# Use TLS for LDAP |
2290 | ++# If set to 1, this option will use start_tls for connection |
2291 | ++# (you should also used the port 389) |
2292 | ++# If not defined, parameter is set to "1" |
2293 | ++ldapTLS="0" |
2294 | ++ |
2295 | ++# How to verify the server's certificate (none, optional or require) |
2296 | ++# see "man Net::LDAP" in start_tls section for more details |
2297 | ++verify="require" |
2298 | ++ |
2299 | ++# CA certificate |
2300 | ++# see "man Net::LDAP" in start_tls section for more details |
2301 | ++cafile="/etc/smbldap-tools/ca.pem" |
2302 | ++ |
2303 | ++# certificate to use to connect to the ldap server |
2304 | ++# see "man Net::LDAP" in start_tls section for more details |
2305 | ++clientcert="/etc/smbldap-tools/smbldap-tools.pem" |
2306 | ++ |
2307 | ++# key certificate to use to connect to the ldap server |
2308 | ++# see "man Net::LDAP" in start_tls section for more details |
2309 | ++clientkey="/etc/smbldap-tools/smbldap-tools.key" |
2310 | ++ |
2311 | ++# LDAP Suffix |
2312 | ++# Ex: suffix=dc=IDEALX,dc=ORG |
2313 | ++suffix="dc=company,dc=com" |
2314 | ++ |
2315 | ++# Where are stored Users |
2316 | ++# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG" |
2317 | ++# Warning: if 'suffix' is not set here, you must set the full dn for usersdn |
2318 | ++usersdn="ou=Users,${suffix}" |
2319 | ++ |
2320 | ++# Where are stored Computers |
2321 | ++# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG" |
2322 | ++# Warning: if 'suffix' is not set here, you must set the full dn for computersdn |
2323 | ++computersdn="ou=Computers,${suffix}" |
2324 | ++ |
2325 | ++# Where are stored Groups |
2326 | ++# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG" |
2327 | ++# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn |
2328 | ++groupsdn="ou=Groups,${suffix}" |
2329 | ++ |
2330 | ++# Where are stored Idmap entries (used if samba is a domain member server) |
2331 | ++# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG" |
2332 | ++# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn |
2333 | ++idmapdn="ou=Idmap,${suffix}" |
2334 | ++ |
2335 | ++# Where to store next uidNumber and gidNumber available for new users and groups |
2336 | ++# If not defined, entries are stored in sambaDomainName object. |
2337 | ++# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}" |
2338 | ++# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" |
2339 | ++sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}" |
2340 | ++ |
2341 | ++# Default scope Used |
2342 | ++scope="sub" |
2343 | ++ |
2344 | ++# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT) |
2345 | ++hash_encrypt="SSHA" |
2346 | ++ |
2347 | ++# if hash_encrypt is set to CRYPT, you may set a salt format. |
2348 | ++# default is "%s", but many systems will generate MD5 hashed |
2349 | ++# passwords if you use "$1$%.8s". This parameter is optional! |
2350 | ++crypt_salt_format="%s" |
2351 | ++ |
2352 | ++############################################################################## |
2353 | ++# |
2354 | ++# Unix Accounts Configuration |
2355 | ++# |
2356 | ++############################################################################## |
2357 | ++ |
2358 | ++# Login defs |
2359 | ++# Default Login Shell |
2360 | ++# Ex: userLoginShell="/bin/bash" |
2361 | ++userLoginShell="/bin/bash" |
2362 | ++ |
2363 | ++# Home directory |
2364 | ++# Ex: userHome="/home/%U" |
2365 | ++userHome="/home/%U" |
2366 | ++ |
2367 | ++# Default mode used for user homeDirectory |
2368 | ++userHomeDirectoryMode="700" |
2369 | ++ |
2370 | ++# Gecos |
2371 | ++userGecos="System User" |
2372 | ++ |
2373 | ++# Default User (POSIX and Samba) GID |
2374 | ++defaultUserGid="513" |
2375 | ++ |
2376 | ++# Default Computer (Samba) GID |
2377 | ++defaultComputerGid="515" |
2378 | ++ |
2379 | ++# Skel dir |
2380 | ++skeletonDir="/etc/skel" |
2381 | ++ |
2382 | ++# Default password validation time (time in days) Comment the next line if |
2383 | ++# you don't want password to be enable for defaultMaxPasswordAge days (be |
2384 | ++# careful to the sambaPwdMustChange attribute's value) |
2385 | ++defaultMaxPasswordAge="45" |
2386 | ++ |
2387 | ++############################################################################## |
2388 | ++# |
2389 | ++# SAMBA Configuration |
2390 | ++# |
2391 | ++############################################################################## |
2392 | ++ |
2393 | ++# The UNC path to home drives location (%U username substitution) |
2394 | ++# Just set it to a null string if you want to use the smb.conf 'logon home' |
2395 | ++# directive and/or disable roaming profiles |
2396 | ++# Ex: userSmbHome="\\PDC-SMB3\%U" |
2397 | ++userSmbHome="\\PDC-SRV\%U" |
2398 | ++ |
2399 | ++# The UNC path to profiles locations (%U username substitution) |
2400 | ++# Just set it to a null string if you want to use the smb.conf 'logon path' |
2401 | ++# directive and/or disable roaming profiles |
2402 | ++# Ex: userProfile="\\PDC-SMB3\profiles\%U" |
2403 | ++userProfile="\\PDC-SRV\profiles\%U" |
2404 | ++ |
2405 | ++# The default Home Drive Letter mapping |
2406 | ++# (will be automatically mapped at logon time if home directory exist) |
2407 | ++# Ex: userHomeDrive="H:" |
2408 | ++userHomeDrive="H:" |
2409 | ++ |
2410 | ++# The default user netlogon script name (%U username substitution) |
2411 | ++# if not used, will be automatically username.cmd |
2412 | ++# make sure script file is edited under dos |
2413 | ++# Ex: userScript="startup.cmd" # make sure script file is edited under dos |
2414 | ++userScript="logon.bat" |
2415 | ++ |
2416 | ++# Domain appended to the users "mail"-attribute |
2417 | ++# when smbldap-useradd -M is used |
2418 | ++# Ex: mailDomain="idealx.com" |
2419 | ++mailDomain="idealx.com" |
2420 | ++ |
2421 | ++############################################################################## |
2422 | ++# |
2423 | ++# SMBLDAP-TOOLS Configuration (default are ok for a RedHat) |
2424 | ++# |
2425 | ++############################################################################## |
2426 | ++ |
2427 | ++# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but |
2428 | ++# prefer Crypt::SmbHash library |
2429 | ++with_smbpasswd="0" |
2430 | ++smbpasswd="/usr/bin/smbpasswd" |
2431 | ++ |
2432 | ++# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm) |
2433 | ++# but prefer Crypt:: libraries |
2434 | ++with_slappasswd="0" |
2435 | ++slappasswd="/usr/sbin/slappasswd" |
2436 | ++ |
2437 | ++# comment out the following line to get rid of the default banner |
2438 | ++# no_banner="1" |
2439 | ++ |
2440 | ++</PRE></TD> |
2441 | ++</TR></TABLE></TD> |
2442 | ++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2443 | ++<TR><TD> |
2444 | ++ </TD> |
2445 | ++</TR></TABLE></TD> |
2446 | ++</TR> |
2447 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2448 | ++<TR><TD> |
2449 | ++ </TD> |
2450 | ++</TR></TABLE></TD> |
2451 | ++</TR></TABLE></TD> |
2452 | ++</TR></TABLE><BR> |
2453 | ++<!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file--> |
2454 | ++ |
2455 | ++<H4><A NAME="htoc44">8.1.2</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</H4><!--SEC END --> |
2456 | ++<A NAME="configuration::file::smbldap::bind"></A> |
2457 | ++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0> |
2458 | ++<TR><TD><TABLE BORDER=0 CELLPADDING=0 |
2459 | ++ CELLSPACING=0> |
2460 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2461 | ++<TR><TD> |
2462 | ++ </TD> |
2463 | ++</TR></TABLE></TD> |
2464 | ++</TR> |
2465 | ++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2466 | ++<TR><TD> |
2467 | ++ </TD> |
2468 | ++</TR></TABLE></TD> |
2469 | ++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0> |
2470 | ++<TR><TD><PRE>############################ |
2471 | ++# Credential Configuration # |
2472 | ++############################ |
2473 | ++# Notes: you can specify two differents configuration if you use a |
2474 | ++# master ldap for writing access and a slave ldap server for reading access |
2475 | ++# By default, we will use the same DN (so it will work for standard Samba |
2476 | ++# release) |
2477 | ++slaveDN="cn=Manager,dc=company,dc=com" |
2478 | ++slavePw="secret" |
2479 | ++masterDN="cn=Manager,dc=company,dc=com" |
2480 | ++masterPw="secret" |
2481 | ++ |
2482 | ++</PRE></TD> |
2483 | ++</TR></TABLE></TD> |
2484 | ++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2485 | ++<TR><TD> |
2486 | ++ </TD> |
2487 | ++</TR></TABLE></TD> |
2488 | ++</TR> |
2489 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2490 | ++<TR><TD> |
2491 | ++ </TD> |
2492 | ++</TR></TABLE></TD> |
2493 | ++</TR></TABLE></TD> |
2494 | ++</TR></TABLE><BR> |
2495 | ++<!--TOC subsubsection The samba configuration file : <TT>/etc/samba/smb.conf</TT> --> |
2496 | ++ |
2497 | ++<H4><A NAME="htoc45">8.1.3</A> The samba configuration file : <TT>/etc/samba/smb.conf</TT> </H4><!--SEC END --> |
2498 | ++ |
2499 | ++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0> |
2500 | ++<TR><TD><TABLE BORDER=0 CELLPADDING=0 |
2501 | ++ CELLSPACING=0> |
2502 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2503 | ++<TR><TD> |
2504 | ++ </TD> |
2505 | ++</TR></TABLE></TD> |
2506 | ++</TR> |
2507 | ++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2508 | ++<TR><TD> |
2509 | ++ </TD> |
2510 | ++</TR></TABLE></TD> |
2511 | ++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0> |
2512 | ++<TR><TD><PRE># Global parameters |
2513 | ++[global] |
2514 | ++ workgroup = DOMSMB |
2515 | ++ netbios name = PDC-SRV |
2516 | ++ security = user |
2517 | ++ enable privileges = yes |
2518 | ++ #interfaces = 192.168.5.11 |
2519 | ++ #username map = /etc/samba/smbusers |
2520 | ++ server string = Samba Server %v |
2521 | ++ #security = ads |
2522 | ++ encrypt passwords = Yes |
2523 | ++ min passwd length = 3 |
2524 | ++ #pam password change = no |
2525 | ++ #obey pam restrictions = No |
2526 | ++ |
2527 | ++ # method 1: |
2528 | ++ #unix password sync = no |
2529 | ++ #ldap passwd sync = yes |
2530 | ++ |
2531 | ++ # method 2: |
2532 | ++ unix password sync = yes |
2533 | ++ ldap passwd sync = no |
2534 | ++ passwd program = /usr/sbin/smbldap-passwd -u "%u" |
2535 | ++ passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n" |
2536 | ++ |
2537 | ++ log level = 0 |
2538 | ++ syslog = 0 |
2539 | ++ log file = /var/log/samba/log.%U |
2540 | ++ max log size = 100000 |
2541 | ++ time server = Yes |
2542 | ++ socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 |
2543 | ++ mangling method = hash2 |
2544 | ++ Dos charset = 850 |
2545 | ++ Unix charset = ISO8859-1 |
2546 | ++ |
2547 | ++ logon script = logon.bat |
2548 | ++ logon drive = H: |
2549 | ++ logon home = |
2550 | ++ logon path = |
2551 | ++ |
2552 | ++ domain logons = Yes |
2553 | ++ domain master = Yes |
2554 | ++ os level = 65 |
2555 | ++ preferred master = Yes |
2556 | ++ wins support = yes |
2557 | ++ passdb backend = ldapsam:ldap://127.0.0.1/ |
2558 | ++ ldap admin dn = cn=Manager,dc=company,dc=com |
2559 | ++ #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com |
2560 | ++ ldap suffix = dc=company,dc=com |
2561 | ++ ldap group suffix = ou=Groups |
2562 | ++ ldap user suffix = ou=Users |
2563 | ++ ldap machine suffix = ou=Computers |
2564 | ++ #ldap idmap suffix = ou=Idmap |
2565 | ++ add user script = /usr/sbin/smbldap-useradd -m "%u" |
2566 | ++ #ldap delete dn = Yes |
2567 | ++ delete user script = /usr/sbin/smbldap-userdel "%u" |
2568 | ++ add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u" |
2569 | ++ add group script = /usr/sbin/smbldap-groupadd -p "%g" |
2570 | ++ #delete group script = /usr/sbin/smbldap-groupdel "%g" |
2571 | ++ add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" |
2572 | ++ delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" |
2573 | ++ set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u' |
2574 | ++ |
2575 | ++ # printers configuration |
2576 | ++ #printer admin = @"Print Operators" |
2577 | ++ load printers = Yes |
2578 | ++ create mask = 0640 |
2579 | ++ directory mask = 0750 |
2580 | ++ #force create mode = 0640 |
2581 | ++ #force directory mode = 0750 |
2582 | ++ nt acl support = No |
2583 | ++ printing = cups |
2584 | ++ printcap name = cups |
2585 | ++ deadtime = 10 |
2586 | ++ guest account = nobody |
2587 | ++ map to guest = Bad User |
2588 | ++ dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd |
2589 | ++ show add printer wizard = yes |
2590 | ++ ; to maintain capital letters in shortcuts in any of the profile folders: |
2591 | ++ preserve case = yes |
2592 | ++ short preserve case = yes |
2593 | ++ case sensitive = no |
2594 | ++ |
2595 | ++[netlogon] |
2596 | ++ path = /home/netlogon/ |
2597 | ++ browseable = No |
2598 | ++ read only = yes |
2599 | ++ |
2600 | ++[profiles] |
2601 | ++ path = /home/profiles |
2602 | ++ read only = no |
2603 | ++ create mask = 0600 |
2604 | ++ directory mask = 0700 |
2605 | ++ browseable = No |
2606 | ++ guest ok = Yes |
2607 | ++ profile acls = yes |
2608 | ++ csc policy = disable |
2609 | ++ # next line is a great way to secure the profiles |
2610 | ++ #force user = %U |
2611 | ++ # next line allows administrator to access all profiles |
2612 | ++ #valid users = %U "Domain Admins" |
2613 | ++ |
2614 | ++[printers] |
2615 | ++ comment = Network Printers |
2616 | ++ #printer admin = @"Print Operators" |
2617 | ++ guest ok = yes |
2618 | ++ printable = yes |
2619 | ++ path = /home/spool/ |
2620 | ++ browseable = No |
2621 | ++ read only = Yes |
2622 | ++ printable = Yes |
2623 | ++ print command = /usr/bin/lpr -P%p -r %s |
2624 | ++ lpq command = /usr/bin/lpq -P%p |
2625 | ++ lprm command = /usr/bin/lprm -P%p %j |
2626 | ++ # print command = /usr/bin/lpr -U%U@%M -P%p -r %s |
2627 | ++ # lpq command = /usr/bin/lpq -U%U@%M -P%p |
2628 | ++ # lprm command = /usr/bin/lprm -U%U@%M -P%p %j |
2629 | ++ # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j |
2630 | ++ # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j |
2631 | ++ # queuepause command = /usr/sbin/lpc -U%U@%M stop %p |
2632 | ++ # queueresume command = /usr/sbin/lpc -U%U@%M start %p |
2633 | ++ |
2634 | ++[print$] |
2635 | ++ path = /home/printers |
2636 | ++ guest ok = No |
2637 | ++ browseable = Yes |
2638 | ++ read only = Yes |
2639 | ++ valid users = @"Print Operators" |
2640 | ++ write list = @"Print Operators" |
2641 | ++ create mask = 0664 |
2642 | ++ directory mask = 0775 |
2643 | ++ |
2644 | ++[public] |
2645 | ++ path = /tmp |
2646 | ++ guest ok = yes |
2647 | ++ browseable = Yes |
2648 | ++ writable = yes |
2649 | ++</PRE></TD> |
2650 | ++</TR></TABLE></TD> |
2651 | ++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2652 | ++<TR><TD> |
2653 | ++ </TD> |
2654 | ++</TR></TABLE></TD> |
2655 | ++</TR> |
2656 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2657 | ++<TR><TD> |
2658 | ++ </TD> |
2659 | ++</TR></TABLE></TD> |
2660 | ++</TR></TABLE></TD> |
2661 | ++</TR></TABLE><BR> |
2662 | ++<!--TOC subsubsection The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT>--> |
2663 | ++ |
2664 | ++<H4><A NAME="htoc46">8.1.4</A> The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></H4><!--SEC END --> |
2665 | ++ |
2666 | ++<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0> |
2667 | ++<TR><TD><TABLE BORDER=0 CELLPADDING=0 |
2668 | ++ CELLSPACING=0> |
2669 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2670 | ++<TR><TD> |
2671 | ++ </TD> |
2672 | ++</TR></TABLE></TD> |
2673 | ++</TR> |
2674 | ++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2675 | ++<TR><TD> |
2676 | ++ </TD> |
2677 | ++</TR></TABLE></TD> |
2678 | ++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0> |
2679 | ++<TR><TD><PRE># |
2680 | ++# See slapd.conf(5) for details on configuration options. |
2681 | ++# This file should NOT be world readable. |
2682 | ++# |
2683 | ++include /etc/openldap/schema/core.schema |
2684 | ++include /etc/openldap/schema/cosine.schema |
2685 | ++include /etc/openldap/schema/inetorgperson.schema |
2686 | ++include /etc/openldap/schema/nis.schema |
2687 | ++include /etc/openldap/schema/samba.schema |
2688 | ++ |
2689 | ++schemacheck on |
2690 | ++ |
2691 | ++# Allow LDAPv2 client connections. This is NOT the default. |
2692 | ++allow bind_v2 |
2693 | ++ |
2694 | ++# Do not enable referrals until AFTER you have a working directory |
2695 | ++# service AND an understanding of referrals. |
2696 | ++#referral ldap://root.openldap.org |
2697 | ++ |
2698 | ++pidfile /var/run/slapd.pid |
2699 | ++argsfile /var/run/slapd.args |
2700 | ++ |
2701 | ++# Load dynamic backend modules: |
2702 | ++# modulepath /usr/sbin/openldap |
2703 | ++# moduleload back_bdb.la |
2704 | ++# moduleload back_ldap.la |
2705 | ++# moduleload back_ldbm.la |
2706 | ++# moduleload back_passwd.la |
2707 | ++# moduleload back_shell.la |
2708 | ++ |
2709 | ++# The next three lines allow use of TLS for encrypting connections using a |
2710 | ++# dummy test certificate which you can generate by changing to |
2711 | ++# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on |
2712 | ++# slapd.pem so that the ldap user or group can read it. Your client software |
2713 | ++# may balk at self-signed certificates, however. |
2714 | ++#TLSCertificateFile /etc/openldap/ldap.company.com.pem |
2715 | ++#TLSCertificateKeyFile /etc/openldap/ldap.company.com.key |
2716 | ++#TLSCACertificateFile /etc/openldap/ca.pem |
2717 | ++#TLSCipherSuite :SSLv3 |
2718 | ++ |
2719 | ++# Sample security restrictions |
2720 | ++# Require integrity protection (prevent hijacking) |
2721 | ++# Require 112-bit (3DES or better) encryption for updates |
2722 | ++# Require 63-bit encryption for simple bind |
2723 | ++# security ssf=1 update_ssf=112 simple_bind=64 |
2724 | ++ |
2725 | ++# Sample access control policy: |
2726 | ++# Root DSE: allow anyone to read it |
2727 | ++# Subschema (sub)entry DSE: allow anyone to read it |
2728 | ++# Other DSEs: |
2729 | ++# Allow self write access |
2730 | ++# Allow authenticated users read access |
2731 | ++# Allow anonymous users to authenticate |
2732 | ++# Directives needed to implement policy: |
2733 | ++# access to dn.base="" by * read |
2734 | ++# access to dn.base="cn=Subschema" by * read |
2735 | ++# access to * |
2736 | ++# by self write |
2737 | ++# by users read |
2738 | ++# by anonymous auth |
2739 | ++# |
2740 | ++# if no access controls are present, the default policy |
2741 | ++# allows anyone and everyone to read anything but restricts |
2742 | ++# updates to rootdn. (e.g., "access to * by * read") |
2743 | ++# |
2744 | ++# rootdn can always read and write EVERYTHING! |
2745 | ++ |
2746 | ++####################################################################### |
2747 | ++# ldbm and/or bdb database definitions |
2748 | ++####################################################################### |
2749 | ++ |
2750 | ++database bdb |
2751 | ++suffix "dc=company,dc=com" |
2752 | ++rootdn "cn=Manager,dc=company,dc=com" |
2753 | ++# Cleartext passwords, especially for the rootdn, should |
2754 | ++# be avoided. See slappasswd(8) and slapd.conf(5) for details. |
2755 | ++# Use of strong authentication encouraged. |
2756 | ++rootpw secret |
2757 | ++# rootpw {crypt}ijFYNcSNctBYg |
2758 | ++ |
2759 | ++# The database directory MUST exist prior to running slapd AND |
2760 | ++# should only be accessible by the slapd and slap tools. |
2761 | ++# Mode 700 recommended. |
2762 | ++directory /var/lib/ldap |
2763 | ++lastmod on |
2764 | ++ |
2765 | ++# Indices to maintain for this database |
2766 | ++index objectClass eq,pres |
2767 | ++index ou,cn,sn,mail,givenname eq,pres,sub |
2768 | ++index uidNumber,gidNumber,memberUid eq,pres |
2769 | ++index loginShell eq,pres |
2770 | ++## required to support pdb_getsampwnam |
2771 | ++index uid pres,sub,eq |
2772 | ++## required to support pdb_getsambapwrid() |
2773 | ++index displayName pres,sub,eq |
2774 | ++index nisMapName,nisMapEntry eq,pres,sub |
2775 | ++index sambaSID eq,sub |
2776 | ++index sambaPrimaryGroupSID eq |
2777 | ++index sambaDomainName eq |
2778 | ++index default sub |
2779 | ++ |
2780 | ++ |
2781 | ++# users can authenticate and change their password |
2782 | ++access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet |
2783 | ++ by dn="cn=Manager,dc=company,dc=com" write |
2784 | ++ by self write |
2785 | ++ by anonymous auth |
2786 | ++ by * none |
2787 | ++ |
2788 | ++# those 2 parameters must be world readable for password aging to work correctly |
2789 | ++# (or use a priviledge account in /etc/ldap.conf to bind to the directory) |
2790 | ++access to attrs=shadowLastChange,shadowMax |
2791 | ++ by dn="cn=Manager,dc=company,dc=com" write |
2792 | ++ by self write |
2793 | ++ by * read |
2794 | ++ |
2795 | ++ |
2796 | ++# all others attributes are readable to everybody |
2797 | ++access to * |
2798 | ++ by * read |
2799 | ++ |
2800 | ++# Replicas of this database |
2801 | ++#replogfile /var/lib/ldap/openldap-master-replog |
2802 | ++#replica host=ldap-1.example.com:389 starttls=critical |
2803 | ++# bindmethod=sasl saslmech=GSSAPI |
2804 | ++# authcId=host/ldap-master.example.com@EXAMPLE.COM |
2805 | ++</PRE></TD> |
2806 | ++</TR></TABLE></TD> |
2807 | ++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2808 | ++<TR><TD> |
2809 | ++ </TD> |
2810 | ++</TR></TABLE></TD> |
2811 | ++</TR> |
2812 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2813 | ++<TR><TD> |
2814 | ++ </TD> |
2815 | ++</TR></TABLE></TD> |
2816 | ++</TR></TABLE></TD> |
2817 | ++</TR></TABLE><BR> |
2818 | ++<!--TOC subsection Changing the administrative account (<TT>ldap admin |
2819 | ++ dn</TT> in <TT>smb.conf</TT> file)--> |
2820 | ++ |
2821 | ++<H3><A NAME="htoc47">8.2</A> Changing the administrative account (<TT>ldap admin |
2822 | ++ dn</TT> in <TT>smb.conf</TT> file)</H3><!--SEC END --> |
2823 | ++<A NAME="change::manager"></A> |
2824 | ++If you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT> |
2825 | ++account anymore, you can create a dedicated account for Samba and the |
2826 | ++smbldap-tools scripts. To do |
2827 | ++this, create an account named <I>samba</I> as follows (see |
2828 | ++section <A HREF="#add::user">4.2.1</A> for a more detailed syntax) : |
2829 | ++<PRE> |
2830 | ++smbldap-useradd -s /bin/false -d /dev/null -P samba |
2831 | ++</PRE>This command will ask you to set a password for this account. Let's |
2832 | ++set it to <I>samba</I> for this example. |
2833 | ++You then need to modify configuration files: |
2834 | ++<UL><LI> |
2835 | ++file <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> |
2836 | ++ <TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0> |
2837 | ++<TR><TD><TABLE BORDER=0 CELLPADDING=0 |
2838 | ++ CELLSPACING=0> |
2839 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2840 | ++<TR><TD> |
2841 | ++ </TD> |
2842 | ++</TR></TABLE></TD> |
2843 | ++</TR> |
2844 | ++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2845 | ++<TR><TD> |
2846 | ++ </TD> |
2847 | ++</TR></TABLE></TD> |
2848 | ++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0> |
2849 | ++<TR><TD><PRE> |
2850 | ++ slaveDN="uid=samba,ou=Users,dc=idealx,dc=com" |
2851 | ++ slavePw="samba" |
2852 | ++ masterDN="uid=samba,ou=Users,dc=idealx,dc=com" |
2853 | ++ masterPw="samba" |
2854 | ++ </PRE></TD> |
2855 | ++</TR></TABLE></TD> |
2856 | ++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2857 | ++<TR><TD> |
2858 | ++ </TD> |
2859 | ++</TR></TABLE></TD> |
2860 | ++</TR> |
2861 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2862 | ++<TR><TD> |
2863 | ++ </TD> |
2864 | ++</TR></TABLE></TD> |
2865 | ++</TR></TABLE></TD> |
2866 | ++</TR></TABLE><LI>file <TT>/etc/samba/smb.conf</TT> |
2867 | ++ <TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0> |
2868 | ++<TR><TD><TABLE BORDER=0 CELLPADDING=0 |
2869 | ++ CELLSPACING=0> |
2870 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2871 | ++<TR><TD> |
2872 | ++ </TD> |
2873 | ++</TR></TABLE></TD> |
2874 | ++</TR> |
2875 | ++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2876 | ++<TR><TD> |
2877 | ++ </TD> |
2878 | ++</TR></TABLE></TD> |
2879 | ++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0> |
2880 | ++<TR><TD><PRE> |
2881 | ++ ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com |
2882 | ++ </PRE></TD> |
2883 | ++</TR></TABLE></TD> |
2884 | ++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2885 | ++<TR><TD> |
2886 | ++ </TD> |
2887 | ++</TR></TABLE></TD> |
2888 | ++</TR> |
2889 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2890 | ++<TR><TD> |
2891 | ++ </TD> |
2892 | ++</TR></TABLE></TD> |
2893 | ++</TR></TABLE></TD> |
2894 | ++</TR></TABLE>don't forget to also set the samba account password in |
2895 | ++ <TT>secrets.tdb</TT> file : |
2896 | ++<PRE> |
2897 | ++smbpasswd -w samba |
2898 | ++</PRE><LI>file <TT>/etc/openldap/slapd.conf</TT>: give to the |
2899 | ++ <I>samba</I> user permissions to modify some attributes: this |
2900 | ++ user needs to be able to modify all the samba attributes and some |
2901 | ++ others (uidNumber, gidNumber ...) : |
2902 | ++ <TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0> |
2903 | ++<TR><TD><TABLE BORDER=0 CELLPADDING=0 |
2904 | ++ CELLSPACING=0> |
2905 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2906 | ++<TR><TD> |
2907 | ++ </TD> |
2908 | ++</TR></TABLE></TD> |
2909 | ++</TR> |
2910 | ++<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2911 | ++<TR><TD> |
2912 | ++ </TD> |
2913 | ++</TR></TABLE></TD> |
2914 | ++<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0> |
2915 | ++<TR><TD><PRE> |
2916 | ++# users can authenticate and change their password |
2917 | ++access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange |
2918 | ++ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write |
2919 | ++ by self write |
2920 | ++ by anonymous auth |
2921 | ++ by * none |
2922 | ++# some attributes need to be readable anonymously so that 'id user' can answer correctly |
2923 | ++access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid |
2924 | ++ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write |
2925 | ++ by * read |
2926 | ++# somme attributes can be writable by users themselves |
2927 | ++access to attrs=description,telephoneNumber |
2928 | ++ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write |
2929 | ++ by self write |
2930 | ++ by * read |
2931 | ++# some attributes need to be writable for samba |
2932 | ++access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase |
2933 | ++ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write |
2934 | ++ by self read |
2935 | ++ by * none |
2936 | ++# samba need to be able to create the samba domain account |
2937 | ++access to dn.base="dc=idealx,dc=com" |
2938 | ++ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write |
2939 | ++ by * none |
2940 | ++# samba need to be able to create new users account |
2941 | ++access to dn="ou=Users,dc=idealx,dc=com" |
2942 | ++ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write |
2943 | ++ by * none |
2944 | ++# samba need to be able to create new groups account |
2945 | ++access to dn="ou=Groups,dc=idealx,dc=com" |
2946 | ++ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write |
2947 | ++ by * none |
2948 | ++# samba need to be able to create new computers account |
2949 | ++access to dn="ou=Computers,dc=idealx,dc=com" |
2950 | ++ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write |
2951 | ++ by * none |
2952 | ++# this can be omitted but we leave it: there could be other branch |
2953 | ++# in the directory |
2954 | ++access to * |
2955 | ++ by self read |
2956 | ++ by * none |
2957 | ++ </PRE></TD> |
2958 | ++</TR></TABLE></TD> |
2959 | ++<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2960 | ++<TR><TD> |
2961 | ++ </TD> |
2962 | ++</TR></TABLE></TD> |
2963 | ++</TR> |
2964 | ++<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0> |
2965 | ++<TR><TD> |
2966 | ++ </TD> |
2967 | ++</TR></TABLE></TD> |
2968 | ++</TR></TABLE></TD> |
2969 | ++</TR></TABLE></UL> |
2970 | ++<!--TOC subsection known bugs--> |
2971 | ++ |
2972 | ++<H3><A NAME="htoc48">8.3</A> known bugs</H3><!--SEC END --> |
2973 | ++ |
2974 | ++<UL><LI> |
2975 | ++Option <I>-B</I> (user must change password) of |
2976 | ++ <TT>smbldap-useradd</TT> does not have effect: when |
2977 | ++ <TT>smbldap-passwd</TT> script is called, |
2978 | ++ <I>sambaPwdMustChange</I> attribute is rewrite. |
2979 | ++</UL> |
2980 | ++ |
2981 | ++<!--BEGIN NOTES document--> |
2982 | ++<HR WIDTH="50%" SIZE=1><DL><DT><A NAME="note1" HREF="#text1"><FONT SIZE=5>1</FONT></A><DD><A HREF="http://IDEALX.com/"><TT>http://IDEALX.com/</TT></A> |
2983 | ++</DL> |
2984 | ++<!--END NOTES--> |
2985 | ++<!--HTMLFOOT--> |
2986 | ++ |
2987 | ++ |
2988 | ++<DIV class="piedpage"> |
2989 | ++<HR> |
2990 | ++<P>Documents : Copyright © 2002 IDEALX S.A.S.. |
2991 | ++'IDEALX' is the property of IDEALX. |
2992 | ++'Samba' is the property of Samba Team. All other trademarks belong to their respective owners. |
2993 | ++</DIV> |
2994 | ++ |
2995 | ++<!--ENDHTML--> |
2996 | ++<!--FOOTER--> |
2997 | ++<HR SIZE=2> |
2998 | ++<BLOCKQUOTE><EM>This document was translated from L<sup>A</sup>T<sub>E</sub>X by |
2999 | ++</EM><A HREF="http://pauillac.inria.fr/~maranget/hevea/index.html"><EM>H<FONT SIZE=2><sup>E</sup></FONT>V<FONT SIZE=2><sup>E</sup></FONT>A</EM></A><EM>. |
3000 | ++</EM></BLOCKQUOTE> |
3001 | ++</BODY> |
3002 | ++</HTML> |
3003 | |
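--- a/debian/patches/0021_smbldap-useradd_flush_nscd_cache.patch
+++ b/debian/patches/0021_smbldap-useradd_flush_nscd_cache.patch
@@ -0,0 +1,19 @@
+Description: Force an nss flush to fix failure to join a Windows 7 or Windows 2008 machine to Samba domain
+Forwarded: no
+Author: rdratlos
+Origin: rdratlos, https://bugs.launchpad.net/ubuntu/+source/smbldap-tools/+bug/814898/+attachment/2226951/+files/smbldap-useradd_flush_nscd_cache.patch
+Reviewed-By: Daniel T Chen <crimsun@ubuntu.com>
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/smbldap-tools/+bug/814898
+Last-Update: 2011-08-01
+--- a/smbldap-useradd.pl
++++ b/smbldap-useradd.pl
+@@ -402,6 +402,9 @@
+ }
+ 
+ $ldap_master->unbind;
++ # Flush nscd cache to be aligned with the LDAP directory change
++ system "[ -x /usr/sbin/nscd ] && /usr/sbin/nscd -i passwd 2>/dev/null";
++ system "[ -x /usr/sbin/nscd ] && /usr/sbin/nscd -i group 2>/dev/null";
+ exit 0;
+ }
+ 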
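Review bot: The two `system` calls added after `$ldap_master->unbind` use the string form, so each one spawns a shell just to evaluate the `[ -x ... ]` test, and their return values are discarded while `2>/dev/null` hides nscd's own diagnostics, so a failed cache invalidation leaves the freshly created account invisible to NSS with nothing in the log to explain it. The command text is constant, so this is not an injection concern, but Perl's `-x` file test together with the list form of `system` expresses the same intent without a shell and lets the status be checked. The enclosing block of smbldap-useradd.pl starts and ends outside the hunk, so whether other exit paths that also modify the directory need the same flush cannot be judged from here. If silent best-effort is the intent, keep the list form and drop the `warn`.
```perl
$ldap_master->unbind;
# Flush nscd cache to be aligned with the LDAP directory change
if (-x '/usr/sbin/nscd') {
    for my $db (qw(passwd group)) {
        system('/usr/sbin/nscd', '-i', $db) == 0
            or warn "nscd -i $db failed: $?\n";
    }
}
exit 0;
```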
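--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,1 +1,3 @@
 0001_debian_nobody.patch
+0020_original_doc_html_index.patch
+0021_smbldap-useradd_flush_nscd_cache.patch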
3036 | === added directory 'doc/html' |
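--- a/smbldap-populate.pl
+++ b/smbldap-populate.pl
@@ -114,7 +114,7 @@
 my $guestUidNumber=$Options{'l'};
 my $guestRid = 501;
 if (!defined($guestUidNumber)) {
- $guestUidNumber = "65534";
+ $guestUidNumber = "999";
 } else {
 if (defined($algorithmicRidBase)) {
 ## For backward compatibility with smbldap-tools 0.9.6 and older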
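Review bot: The new default of `999` for `$guestUidNumber` lies inside the 100–999 range that Debian policy hands out dynamically to system accounts, so a directory populated with this default can give the Samba guest account a uid that an existing local service account on some client already owns, whereas the previous `65534` is the conventional `nobody` uid and avoids that overlap. Since `0001_debian_nobody.patch` is still listed in `debian/patches/series` and this hunk moves the source in the opposite direction, it presumably reflects that quilt patch being unapplied in the working copy rather than a deliberate change of the default; that is worth confirming before merge so the committed tree stays consistent with its applied-patch state. If the change is intended, record the reason in a comment above `$guestUidNumber = "999";`, and consider that the value is quoted as a string where a plain integer would read more naturally.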