1<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
2            "http://www.w3.org/TR/REC-html40/loose.dtd">
3<HTML>
4<HEAD>
5
6<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
7<META name="GENERATOR" content="hevea 1.06">
8<TITLE>
9 Annexes
10</TITLE>
11</HEAD>
12<BODY >
13<A HREF="smbldap-tools008.html"><IMG SRC ="previous_motif.gif" ALT="Précédent"></A>
14<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Remonter"></A>
15<HR>
16
17<H2><A NAME="htoc41">8</A>&nbsp;&nbsp;Annexes</H2><UL>
18<LI><A HREF="smbldap-tools009.html#toc27"> Full configuration files</A>
19<LI><A HREF="smbldap-tools009.html#toc28"> Changing the administrative account (<TT>ldap admin
20 dn</TT> in <TT>smb.conf</TT> file)</A>
21<LI><A HREF="smbldap-tools009.html#toc29"> known bugs</A>
22</UL>
23
24<A NAME="toc27"></A>
25<H3><A NAME="htoc42">8.1</A>&nbsp;&nbsp;Full configuration files</H3><A NAME="configuration::files"></A>
26
27<H4><A NAME="htoc43">8.1.1</A>&nbsp;&nbsp;The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</H4><A NAME="configuration::file::smbldap"></A>
28<PRE># $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
29# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $
30#
31# smbldap-tools.conf : Q &amp; D configuration file for smbldap-tools
32
33#  This code was developped by IDEALX (http://IDEALX.org/) and
34#  contributors (their names can be found in the CONTRIBUTORS file).
35#
36#                 Copyright (C) 2001-2002 IDEALX
37#
38#  This program is free software; you can redistribute it and/or
39#  modify it under the terms of the GNU General Public License
40#  as published by the Free Software Foundation; either version 2
41#  of the License, or (at your option) any later version.
42#
43#  This program is distributed in the hope that it will be useful,
44#  but WITHOUT ANY WARRANTY; without even the implied warranty of
45#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
46#  GNU General Public License for more details.
47#
48#  You should have received a copy of the GNU General Public License
49#  along with this program; if not, write to the Free Software
50#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
51#  USA.
52
53#  Purpose :
54#       . be the configuration file for all smbldap-tools scripts

56##############################################################################
57#
58# General Configuration
59#
60##############################################################################
61
62# Put your own SID. To obtain this number do: "net getlocalsid".
63# If not defined, the value is taken from the output of "net getlocalsid"
# NOTE(review): the SID below is the sample shipped with this documentation;
# it has to be replaced by the SID of your own domain (accounts created by the
# scripts presumably derive their SIDs from it) — check with "net getlocalsid".
64SID="S-1-5-21-4205727931-4131263253-1851132061"
65
66# Domain name the Samba server is in charge of.
67# If not defined, the value is taken from the smb.conf configuration file
68# Ex: sambaDomain="IDEALX-NT"
69sambaDomain="IDEALX-NT"
70
71##############################################################################
72#
73# LDAP Configuration
74#
75##############################################################################
76
77# Notes: to use a dual LDAP server backend for Samba, you must patch
78# Samba with the dual-head patch from IDEALX. If not using this patch
79# just use the same server for slaveLDAP and masterLDAP.
80# These two server declarations can also be used when you have
81# . one master LDAP server where all writing operations must be done
82# . one slave LDAP server where all reading operations must be done
83#   (typically a replication directory)
84
# NOTE(review): both servers default to localhost. If either one is moved to a
# remote host, keep ldapTLS="1" (below) so that the bind password held in
# smbldap_bind.conf is not sent across the network in clear.
85# Slave LDAP server
86# Ex: slaveLDAP=127.0.0.1
87# If not defined, parameter is set to "127.0.0.1"
88slaveLDAP="127.0.0.1"
89
90# Slave LDAP port
91# If not defined, parameter is set to "389"
92slavePort="389"
93
94# Master LDAP server: needed for write operations
95# Ex: masterLDAP=127.0.0.1
96# If not defined, parameter is set to "127.0.0.1"
97masterLDAP="127.0.0.1"
98
99# Master LDAP port
100# If not defined, parameter is set to "389"
101masterPort="389"
102
103# Use TLS for LDAP
104# If set to 1, this option will use start_tls for the connection
105# (you should then also use port 389)
106# If not defined, parameter is set to "1"
107ldapTLS="1"
108
109# How to verify the server's certificate (none, optional or require)
110# see "man Net::LDAP" in start_tls section for more details
# NOTE(review): keep "require" in production; the weaker settings presumably
# let the scripts keep talking to a server whose certificate does not validate
# against cafile, which defeats the purpose of start_tls — confirm against the
# Net::LDAP manual cited above.
111verify="require"
112
113# CA certificate (used to validate the server's certificate, see 'verify' above)
114# see "man Net::LDAP" in start_tls section for more details
115cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"
116
117# client certificate presented when connecting to the ldap server
118# see "man Net::LDAP" in start_tls section for more details
119clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.pem"
120
121# private key matching clientcert, used when connecting to the ldap server
122# see "man Net::LDAP" in start_tls section for more details
# NOTE(review): this is a private key; keep the file readable only by the
# account(s) that run the smbldap-tools scripts.
123clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.key"
124
125# LDAP Suffix
126# Ex: suffix=dc=IDEALX,dc=ORG
# NOTE(review): the smb.conf and slapd.conf listings further down this page use
# dc=idealx,dc=com; in a real deployment all three must name the same suffix.
127suffix="dc=idealx,dc=org"
128
129# Where users are stored
130# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
131# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
132usersdn="ou=Users,${suffix}"
133
134# Where computers are stored
135# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
136# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
137computersdn="ou=Computers,${suffix}"
138
139# Where groups are stored
140# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
141# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
142groupsdn="ou=Groups,${suffix}"
143
144# Where idmap entries are stored (used if samba is a domain member server)
145# Ex: idmapdn="ou=Idmap,dc=IDEALX,dc=ORG"
146# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
147idmapdn="ou=Idmap,${suffix}"
148
149# Where to store next uidNumber and gidNumber available for new users and groups
150# If not defined, entries are stored in sambaDomainName object.
151# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
152# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
153sambaUnixIdPooldn="sambaDomainName=IDEALX-NT,${suffix}"
154
155# Default LDAP search scope
156scope="sub"
157
158# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
# NOTE(review): CLEARTEXT stores the Unix password unhashed in the directory,
# and the plain MD5/SHA variants are unsalted; stay with a salted scheme such
# as the SSHA default unless something genuinely requires otherwise.
159hash_encrypt="SSHA"
160
161# if hash_encrypt is set to CRYPT, you may set a salt format.
162# default is "%s", but many systems will generate MD5 hashed
163# passwords if you use "$1$%.8s". This parameter is optional!
164crypt_salt_format="%s"
165
166##############################################################################
167#
168# Unix Accounts Configuration
169#
170##############################################################################
171
172# Login defs
173# Default Login Shell
174# Ex: userLoginShell="/bin/bash"
175userLoginShell="/bin/bash"
176
177# Home directory
178# Ex: userHome="/home/%U"
179userHome="/home/%U"
180
181# Default mode used for user homeDirectory
182userHomeDirectoryMode="700"
183
184# Gecos
185userGecos="System User"
186
187# Default User (POSIX and Samba) GID
188defaultUserGid="513"
189
190# Default Computer (Samba) GID
191defaultComputerGid="515"
192
193# Skel dir
194skeletonDir="/etc/skel"
195
196# Default password validity (in days). Comment out the next line if you
197# do not want passwords limited to defaultMaxPasswordAge days (be careful
198# with the sambaPwdMustChange attribute's value)
199defaultMaxPasswordAge="45"
200
201##############################################################################
202#
203# SAMBA Configuration
204#
205##############################################################################
206
207# The UNC path to home drives location (%U username substitution)
208# Just set it to a null string if you want to use the smb.conf 'logon home'
209# directive and/or disable roaming profiles
210# Ex: userSmbHome="\\PDC-SMB3\%U"
211userSmbHome="\\PDC-SRV\%U"
212
213# The UNC path to profiles locations (%U username substitution)
214# Just set it to a null string if you want to use the smb.conf 'logon path'
215# directive and/or disable roaming profiles
216# Ex: userProfile="\\PDC-SMB3\profiles\%U"
217userProfile="\\PDC-SRV\profiles\%U"
218
219# The default Home Drive Letter mapping
220# (will be automatically mapped at logon time if home directory exist)
221# Ex: userHomeDrive="H:"
222userHomeDrive="H:"
223
224# The default user netlogon script name (%U username substitution)
225# if not set, it defaults to username.cmd
226# make sure script file is edited under dos
227# Ex: userScript="startup.cmd" # make sure script file is edited under dos
228userScript="logon.bat"
229
230# Domain appended to the users "mail"-attribute
231# when smbldap-useradd -M is used
232# Ex: mailDomain="idealx.com"
233mailDomain="idealx.com"
234
235##############################################################################
236#
237# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
238#
239##############################################################################
240
241# Set with_smbpasswd to 0 (see smbldap_conf.pm) to use the Crypt::SmbHash
242# library instead of calling the smbpasswd binary
243with_smbpasswd="0"
244smbpasswd="/usr/bin/smbpasswd"
245
246# Set with_slappasswd to 0 (see smbldap_conf.pm) to use the Crypt:: libraries
247# instead of calling the slappasswd binary
248with_slappasswd="0"
249slappasswd="/usr/sbin/slappasswd"
250
251# comment out the following line to get rid of the default banner
# NOTE(review): the line below already ships commented out; presumably it is
# *un*commenting it that suppresses the banner — confirm in the scripts.
252# no_banner="1"
253
254</PRE>
255
256<H4><A NAME="htoc44">8.1.2</A>&nbsp;&nbsp;The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</H4><A NAME="configuration::file::smbldap::bind"></A>
257<PRE>############################
258# Credential Configuration #
259############################
260# Notes: you can specify two different configurations if you use a
261# master ldap for writing access and a slave ldap server for reading access
262# By default, we will use the same DN (so it will work for standard Samba
263# release)
# NOTE(review): the bind passwords below are stored in clear text; restrict
# this file so that only the account running the smbldap-tools scripts can
# read it, and replace "secret" (the same placeholder is used as rootpw in the
# slapd.conf listing further down this page).
# NOTE(review): cn=Manager is the directory's rootdn, which is not subject to
# the access directives in slapd.conf; section 8.2 of this page shows how to
# bind as a dedicated uid=samba account holding only the rights the scripts
# need. Note also the suffix: dc=org here versus dc=com in the smb.conf and
# slapd.conf listings — the examples are not mutually consistent.
264slaveDN="cn=Manager,dc=idealx,dc=org"
265slavePw="secret"
266masterDN="cn=Manager,dc=idealx,dc=org"
267masterPw="secret"
268
269</PRE>
270
271<H4><A NAME="htoc45">8.1.3</A>&nbsp;&nbsp;The samba configuration file : <TT>/etc/samba/smb.conf</TT> </H4>
272<PRE># Global parameters
273[global]
274        workgroup = IDEALX-NT
275        netbios name = PDC-SRV
276        #interfaces = 192.168.5.11
277        username map = /etc/samba/smbusers
278 enable privileges = yes
279        server string = Samba Server %v
280        security = user
281        encrypt passwords = Yes
        # NOTE(review): a 3-character minimum is far too short; raise it, and
        # confirm the parameter is still honoured by the Samba release in use.
282        min passwd length = 3
283        obey pam restrictions = No
284        ldap passwd sync = Yes
285        #unix password sync = Yes
286        #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
287        #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
        # NOTE(review): duplicate of the 'ldap passwd sync' line above; one copy can go.
288        ldap passwd sync = Yes
289        log level = 0
290        syslog = 0
291        log file = /var/log/samba/log.%m
292        max log size = 100000
293        time server = Yes
294        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
295        mangling method = hash2
296        Dos charset = 850
297        Unix charset = ISO8859-1
298
299        logon script = logon.bat
300        logon drive = H:
301        logon home =
302        logon path =
303
304        domain logons = Yes
305        os level = 65
306        preferred master = Yes
307        domain master = Yes
308        wins support = Yes
        # NOTE(review): 'ldap ssl = start tls' (below) is what protects this
        # ldap:// connection; keep it if the directory is ever moved off
        # localhost. The password for 'ldap admin dn' is held in secrets.tdb
        # (set with "smbpasswd -w", see section 8.2 of this page).
309        passdb backend = ldapsam:ldap://127.0.0.1/
310        # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
311 # ldap filter = (&amp;(objectclass=sambaSamAccount)(uid=%u))
        # NOTE(review): 'ldap admin dn' already names the dedicated uid=samba
        # account of section 8.2, whereas the smbldap_bind.conf listing above
        # still binds as cn=Manager. The suffix is dc=idealx,dc=com here but
        # dc=idealx,dc=org in the smbldap.conf listing; they must agree.
312        ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
313        ldap suffix = dc=idealx,dc=com
314        ldap group suffix = ou=Groups
315        ldap user suffix = ou=Users
316        ldap machine suffix = ou=Computers
        # NOTE(review): idmap entries are pointed at ou=Users here, while
        # smbldap.conf sets idmapdn="ou=Idmap,${suffix}"; check which is intended.
317        ldap idmap suffix = ou=Users
318        ldap ssl = start tls
        # NOTE(review): the scripts below are executed by smbd on its behalf
        # (presumably with root privileges, as usual on a PDC); keep the
        # quoting around the %u and %g substitutions.
319        add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
320        ldap delete dn = Yes
321        #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
322        add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 5 -w "%u"
323        add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g" 
324        #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
325        add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
326        delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
327        set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
328
329        # printers configuration
330        printer admin = @"Print Operators"
331        load printers = Yes
332        create mask = 0640
333        directory mask = 0750
334        nt acl support = No
335        printing = cups
336        printcap name = cups
337        deadtime = 10
338        guest account = nobody
        # NOTE(review): 'map to guest = Bad User' turns a logon with an unknown
        # username into a guest session, so every share below with
        # 'guest ok = Yes' ([profiles], [printers], [public]) is reachable
        # without valid credentials. For [profiles] that looks unintended given
        # its 'valid users' line — confirm.
339        map to guest = Bad User
340        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
341        show add printer wizard = yes
342        ; to maintain capital letters in shortcuts in any of the profile folders:
343        preserve case = yes
344        short preserve case = yes
345        case sensitive = no
346
347[homes]
348        comment = repertoire de %U, %u
349        read only = No
350        create mask = 0644
351        directory mask = 0775
352        browseable = No
353
354[netlogon]
        # NOTE(review): keep this share read-only: logon.bat (see 'logon script'
        # in [global]) runs on every client at logon, so write access here
        # would let whoever can reach the share change what clients execute.
355        path = /home/netlogon/
356 browseable = No
357        read only = yes
358
359[profiles]
360        path = /home/profiles
361        read only = no
362        create mask = 0600
363        directory mask = 0700
364        browseable = No
365        guest ok = Yes
366        profile acls = yes
367        csc policy = disable
368        # next line is a great way to secure the profiles 
369        force user = %U 
370        # next line allows administrator to access all profiles 
371        valid users = %U "Domain Admins"
372
373[printers]
374        comment = Network Printers
375        printer admin = @"Print Operators"
376        guest ok = yes 
377        printable = yes
378        path = /home/spool/
379        browseable = No
380        read only  = Yes
        # NOTE(review): duplicate of the 'printable' line above.
381        printable = Yes
382        print command = /usr/bin/lpr -P%p -r %s
383        lpq command = /usr/bin/lpq -P%p
384        lprm command = /usr/bin/lprm -P%p %j
385
386[print$]
387        path = /home/printers
388        guest ok = No
389        browseable = Yes
390        read only = Yes
391        valid users = @"Print Operators"
392        write list = @"Print Operators"
393        create mask = 0664
394        directory mask = 0775
395
396[public]
397        comment = Repertoire public
398        path = /home/public
399 browseable = Yes
        # NOTE(review): guest-writable share ('guest ok' + 'read only = No');
        # make sure /home/public is meant to accept anonymous writes.
400        guest ok = Yes
401        read only = No
402        directory mask = 0775
403        create mask = 0664
404
405</PRE>
406
407<H4><A NAME="htoc46">8.1.4</A>&nbsp;&nbsp;The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></H4>
408<PRE>include  /etc/openldap/schema/core.schema
409include  /etc/openldap/schema/cosine.schema
410include  /etc/openldap/schema/inetorgperson.schema
411include  /etc/openldap/schema/nis.schema
412include  /etc/openldap/schema/samba.schema
413
414schemacheck on
415lastmod  on
416
417TLSCertificateFile /etc/openldap/ldap.idealx.com.pem
418TLSCertificateKeyFile /etc/openldap/ldap.idealx.com.key
419TLSCACertificateFile /etc/openldap/ca.pem
# NOTE(review): ":SSLv3" is the legacy OpenSSL cipher-list alias of this
# document's era; on a current OpenSSL replace it with a modern high-strength
# cipher string and let the library negotiate TLS 1.2 or later.
420TLSCipherSuite :SSLv3
# NOTE(review): with TLSVerifyClient left commented out (the OpenLDAP default
# is 'never'), slapd does not request or check client certificates, so the
# clientcert/clientkey configured in the smbldap.conf listing above are not
# actually enforced by this server configuration.
421#TLSVerifyClient demand
422
423#######################################################################
424# ldbm database definitions
425#######################################################################
# NOTE(review): ldbm is the historical backend of this document's era; check
# which backends the OpenLDAP release in use still ships before copying this.
426database ldbm
427suffix  dc=idealx,dc=com
428rootdn  "cn=Manager,dc=idealx,dc=com"
# NOTE(review): rootpw is stored here in clear and is the same placeholder as
# the bind password in the smbldap_bind.conf listing above; store a hash
# generated with slappasswd (this page already references
# /usr/sbin/slappasswd) and keep this file unreadable to ordinary users. The
# rootdn is not subject to the access directives below.
429rootpw  secret
430directory /var/lib/ldap
431index    sambaSID    eq
432index    sambaPrimaryGroupSID    eq
433index    sambaDomainName    eq
434index objectClass,uid,uidNumber,gidNumber,memberUid eq
435index cn,mail,surname,givenname   eq,subinitial
436
# NOTE(review): slapd applies the first 'access to' directive whose target
# matches, so the order of the clauses below matters.
437# users can authenticate and change their password
438access to attrs=userPassword,sambaNTPassword,sambaLMPassword
439      by dn="cn=Manager,dc=idealx,dc=com" write
440      by self write
441      by anonymous auth
442      by * none
443# all other attributes are readable by everybody
# NOTE(review): "everybody" includes anonymous readers, so every non-password
# attribute of every account (the samba* attributes, uidNumber, home paths,
# ...) is world-readable. The ACL given in section 8.2 below ends with
# "by self read / by * none" instead, which is the safer default.
444access to *
445      by * read
446</PRE>
447<A NAME="toc28"></A>
448<H3><A NAME="htoc47">8.2</A>&nbsp;&nbsp;Changing the administrative account (<TT>ldap admin
449 dn</TT> in <TT>smb.conf</TT> file)</H3><A NAME="change::manager"></A>
450If you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
451account anymore, you can create a dedicated account for Samba and the
452smbldap-tools scripts. To do
453this, create an account named <I>samba</I> as follows (see
454section <A HREF="smbldap-tools005.html#add::user">4.2.1</A> for a more detailed syntax):
455<PRE>
456smbldap-useradd -s /bin/false -d /dev/null -P samba
457</PRE>This command will ask you to set a password for this account. Let's
458set it to <I>samba</I> for this example.
459You then need to modify configuration files:
460<UL><LI>
461file <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT>
462 <PRE>
    # NOTE(review): "samba" is only the example password chosen on this page;
    # use a unique one, and keep this file readable only by the account that
    # runs the smbldap-tools scripts (the password is stored here in clear).
463    slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
464    slavePw="samba"
465    masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
466    masterPw="samba"
467  </PRE><LI>file <TT>/etc/samba/smb.conf</TT>
468 <PRE>
469    ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
470  </PRE>Don't forget to also store the samba account password in the
471 <TT>secrets.tdb</TT> file:
472<PRE>
473smbpasswd -w samba
474</PRE><LI>file <TT>/etc/openldap/slapd.conf</TT>: give the
475 <I>samba</I> user permission to modify some attributes: this
476 user needs to be able to modify all the samba attributes and some
477 others (uidNumber, gidNumber, ...):
478 <PRE>
# NOTE(review): slapd uses the first 'access to' directive whose target matches
# an attribute, so this clause also governs sambaPwdLastSet and
# sambaPwdMustChange: "by self write" here lets users change their own
# password-expiry data, and the "by self read" given for the same attributes
# in the samba clause further down never applies to them. Listing only the
# three password attributes here would keep the expiry data samba-only.
479# users can authenticate and change their password
480access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
481      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
482      by self write
483      by anonymous auth
484      by * none
485# some attributes need to be readable anonymously so that 'id user' can answer correctly
486access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
487      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
488      by * read
489# some attributes can be writable by users themselves
# NOTE(review): "description" also appears in the samba clause below; by the
# first-match rule it is governed here (self write, world read).
490access to attrs=description,telephoneNumber
491      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
492      by self write
493      by * read
494# some attributes need to be writable for samba
# NOTE(review): the password attributes, sambaPwdLastSet, sambaPwdMustChange,
# cn and description listed here are already matched by earlier clauses, so
# repeating them has no effect.
495access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
496      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
497      by self read
498      by * none
499# samba needs to be able to create the samba domain account
500access to dn.base="dc=idealx,dc=com"
501      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
502      by * none
# NOTE(review): whether the plain dn= clauses below also cover the entries
# created beneath each OU depends on the default dn style of the OpenLDAP
# release in use; check slapd.access(5) before relying on them.
503# samba needs to be able to create new user accounts
504access to dn="ou=Users,dc=idealx,dc=com"
505      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
506      by * none
507# samba needs to be able to create new group accounts
508access to dn="ou=Groups,dc=idealx,dc=com"
509      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
510      by * none
511# samba needs to be able to create new computer accounts
512access to dn="ou=Computers,dc=idealx,dc=com"
513      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
514      by * none
515# this can be omitted but we leave it: there could be other branches
516# in the directory
# NOTE(review): this final clause is what keeps everything not matched above
# hidden from anonymous users (self read, everyone else none).
517access to *
518      by self read
519      by * none
520  </PRE></UL>
521<A NAME="toc29"></A>
522<H3><A NAME="htoc48">8.3</A>&nbsp;&nbsp;known bugs</H3>
523<UL><LI>
524Option <I>-B</I> (user must change password) of
525 <TT>smbldap-useradd</TT> has no effect: when the
526 <TT>smbldap-passwd</TT> script is called, the
527 <I>sambaPwdMustChange</I> attribute is rewritten.
528</UL>
529 
530<HR>
531<A HREF="smbldap-tools008.html"><IMG SRC ="previous_motif.gif" ALT="Précédent"></A>
532<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Remonter"></A>
533</BODY>
534</HTML>
535