# $Source: /ramdisk/repositories/20_cvs_clean_up/2011-02-11_sj/src/router/samba/samba-3.0.25b/examples/LDAP/smbldap-tools-0.9.2/ChangeLog,v $
# $id: $
#
## ChangeLog for SMBLDAP-TOOLS

2005-01-03: new tag (v0-9-2 for rpm version 0.9.2)
2005-10-31
  . Option 'P' to set password was not possible in smbldap-useradd when usernames contained
    space character
  . smbldap-populate and smbldap_tools.pm: classes hierarchical is specified completely to avoid
    problem with other directories than OpenLDAP.
  . smbldap-useradd: users are not added to the group if the group is their primary one
  . smbldap-useradd and smbldap_tools: new function is_nonldap_unix_user to allow adding non
    ldap users to group. This is typically used to add users from a trusted domain (winbind)
  . when adding trusted account (smbldap-useradd -i) '$' character is added to the name if
    not present
  . if with_smbpasswd="1", we let samba add the sambaPrimaryGroupSID entry
  . smbldap-passwd: new option -s and -u to only update samba password or unix password
  . smbldap-passwd: regular users can change their passwords when TLS is forced
  . parsing smb.conf is correct if parameters are defined in several lines (using \ character)
  . automatic creation of the OU of a new user if it does not exist (smbldap-useradd -o ou=xxx)
    The new OU must be relative to the $config{usersdn} parameter
2005-07-12
  . sambaPrimaryGroupSID for samba users is set to DOMAIN_SID-513, whatever is
    the defaultUserGid parameter value defined in smbldap.conf
2005-06-07
  . sambaBadPasswordCount is set to 0 when using smbldap-passwd
  . update to comply with RFC 2256:
      sn <-> nom (option S)
      givenName <-> prenom (option N)
      cn <-> person's full name
  . UTF8 support for givenName (option N) and sn (option S)
2005-05-26: new tag (v0-9-1 for rpm version 0.9.1)
  . bug corrections and updates in configure.pl
2005-05-17: new tag (v0-9-0 for rpm version 0.9.0)
2005-05-16
  . update release version 0.9.0 for synchronisation with examples of the "Samba3 by examples"
    book of John H Terpstra.
  . default configuration files for the smbldap-tools can be placed in
    /etc/opt/IDEALX/smbldap-tools or /etc/smbldap-tools/
  . default configuration file for samba can be /etc/samba/smb.conf or
    /usr/local/samba/lib/smb.conf
  . new parameter userHomeDirectoryMode in smbldap.conf to set the default directory mode used
    for user's homeDirectory
  . enhancements and fixes in configure.pl
2005-04-27
  . error in group type documentation in smbldap-groupadd
2005-04-17
  . warnings were displayed when the samba configuration file (smb.conf) had single quotes in
    parameters definition (thanks to Tom Burkart <samba@aussec.com>)
  . 'idmapdn' is now also optional in smbldap.conf (if needed and defined in smb.conf)
2005-04-03: new tag (v0-8-8 for rpm version 0.8.8)
2005-03-09
  . Four more options are now optional in smbldap.conf. Default values are:
    > slaveLDAP="127.0.0.1"
    > slavePort="389"
    > masterLDAP="127.0.0.1"
    > masterPort="389"
    > ldapTLS="0"
  . the following suffix can be used with the smbldap-tools:
    > suffix="dc=dpt,dc=idealx,dc=org", suffix="dc=idealx,dc=org" or suffix="dc=idealx"
  . update to smbldap-populate:
    . administrator account is now called 'root'
    . default uidNumber for root is set to 0
    . default rid for root is set to 500
    . default gidNumber for administrator is set to 0
    uidNumber and gidNumber can be changed with option -k and -m
2005-03-08
  . Four parameters in smbldap.conf are now optional:
    'suffix', 'usersdn', 'computersdn' and 'groupsdn'
    If those parameters are not set, they are respectively taken from the following
    parameters in smb.conf :
    'ldap suffix', 'ldap user suffix', 'ldap machine suffix' and 'ldap group suffix'
  . renaming two files:
    $ mv smbldap-migrate-accounts smbldap-migrate-pwdump-accounts
    $ mv smbldap-migrate-groups smbldap-migrate-pwdump-groups
2005-02-26
  . New option '-t time' to smbldap-useradd: wait <time> seconds before exiting script when
    adding computer's account. This is useful when Master/PDC and Slaves/BDCs are connected
    through the internet (replication is not real time).
    The Samba smb.conf configuration file should then look like this :
    > add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 30 -w "%u"
    This option can only be used with the -w to add computer's account.
    bug report: https://bugzilla.samba.org/show_bug.cgi?id=2384
  . three parameters are now optional in smbldap.conf
    . 'sambaUnixIdPooldn': If not defined, next uidNumber and gidNumber available for new
      users and groups are stored in sambaDomainName object
    . 'SID': If not defined, parameter is taken from "net getlocalsid" return
    . 'sambaDomain': If not defined, parameter is taken from smb.conf configuration file
  . add 'sambaDomain' parameter in smbldap.conf. If not defined 'workgroup' parameter in
    smb.conf is used
2005-02-13: new tag (v0-8-7 for rpm version 0.8.7)
  . update smbldap-populate: check previously if entries exist. If the sambaDomain entry
    already exists when using smbldap-populate, we just modify it to add the sambaUnixIdPool
    objectclass which stores the first uidNumber and gidNumber available.
  . update connection procedure to the directory in smbldap-passwd
  . new script smbldap-userinfo from Pawel Wieleba to allow people update their own
    information like telephoneNumber, name and some others (need proper ACL in ldap
    configuration)
  . new migration scripts from Pawel Wieleba smbldap-migrate-unix-accounts and
    smbldap-migrate-unix-groups to help migrating users and groups defined in /etc/passwd (and/or
    /etc/shadow) and /etc/group.
2005-01-29
  . bug in smbldap-populate: the -b option (guest login name) was broken
  . new option '-k' and '-l' to smbldap-populate to define the uidNumber of administrator and
    guest accounts
  . group "Account Operators" is now created with smbldap-populate
  . Administrator account does not need anymore uidNumber=0 (using 998)
  . update in smbldap-populate and smbldap.conf:
    . next uidNumber and gidNumber available for new users and new groups are now
      stored in the sambaDomainName object. This allows the sambaUnixIdPooldn to not
      be viewed as a real user under IMC (http://www.idealx.org/prj/imc/)
      sambaUnixIdPooldn in configuration file smbldap.conf must look like
      > sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
    . the sambaDomainName is determined by
      - the sambaUnixIdPooldn parameter of smbldap.conf, or
      - the workgroup parameter of smb.conf if sambaUnixIdPooldn is not a sambaDomainName
        object
  . patch to smbldap-useradd: $modify->code was executed even if no modification was required,
    this can cause error message with some ldap directory.
  . small typo corrections
2005-16-01: new tag (v0-8-6 for rpm version 0.8.6)
2005-06-01:
  . new location /opt/IDEALX and /etc/opt/IDEALX/ (instead of /usr/local and /etc)
    to conform to FHS/LSB
  . update typo correction in documentation
  . patch to smbldap-passwd from Pawel Wieleba <wielebap@volt.iem.pw.edu.pl>:
    see www.iem.pw.edu.pl/~wielebap/ldap/smbldap-tools/smbldap-tools_doc.pdf
    . use of slappasswd was insecure as external program. Now slappasswd is run in
      a child process and shell is not used
    . it is now possible to not use slappasswd but perl module only
  . new parameter 'with_slappasswd' in smbldap.conf to allow not use 'slappasswd'
    but perl module only
  . new option '-r' to smbldap-usermod for renaming a user. Example:
    $ smbldap-usermod -d /home/new_user -r new_user old_user
2004-10-28: new tag (v0-8-5-3 for rpm version 0.8.5-3)
2004-10-07:
  . smbldap-useradd: set sambaPwdLastSet to the current date, and sambaPwdMustChange
    to 2147483647 for trust account to work
  . patch from Quentin Delance <quentin.delance@insalien.org>:
    added test to not being able to remove primary group of a user
2004-08-29: new tag (v0-8-5-2 for rpm version 0.8.5-2)
  . small corrections
  . computer's account have the 'gecos' attribute set to 'computer': computers may not
    join the domain if this attribute is not defined (thanks to "Dominik 'Rathann' Mierzejewski")
2004-06-25:
  . patch to smbldap_tools.pm: the 'search' to sambaUnixIdPool objectclass is done
    directly to the object defined in the configuration file (sambaUnixIdPooldn="...").
    This allows to have more than one object having the sambaUnixIdPool objectclass.
  . patch smbldap-useradd. The -P and -T options had no effect if the -a was not used.
  . update configure.pl
2004-06-21:
  . new '-o' option in smbldap-useradd to set the organizational unit where the account
    will be created. It is relative to the user suffix dn ($usersdn) defined in the
    configuration file
2004-06-17: new tag (v0-8-5-1 for rpm version 0.8.5-1)
  . update documentation
2004-05-25:
  . patch to smbldap-populate:
    fix sambaSID and sambaGroupType error for builtin groups
  . new entry in /etc/smbldap-tools/smbldap.conf for idmap ou:
    > idmapdn="ou=Idmap,${suffix}"
2004-05-10:
  . patch from Ross Becker <ross@rbecker.org> :
    new option in smbldap.conf to set the salt format if CRYPT hash is used.
  . add a check to see if STDIN is connected to tty by using if (-t STDIN) ...
    This allows the insecure use of "echo -e 'password\npassword' | smbldap-passwd jto"
2004-04-30:
  . patch for smbldap-useradd and smbldap-groupadd: next uidNumber and gidNumber available
    are now stored in cn=NextFreeUnixId
    WARNING:
    . when upgrading, you need to create the new object manually (see INSTALL file)
    . this object's name is defined in /etc/smbldap-tools/smbldap.conf
      you can define another name as desired, for example:
      > sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
2004-04-07:
  . patch from Emmanuel Lacour <elacour@home-dn.net> :
    no more use of mkntpwd, use of Crypt::SmbHash perl module instead
2004-04-04:
  . patches from Alexander Bergolth <leo@strike.wu-wien.ac.at> :
    . variable substitution to the config-file parser.
      This new feature allows configurations like that
      > suffix="dc=idealx,dc=com"
      > usersdn="ou=Users,${suffix}"
      Username substitution is done via %U:
      > userHome="/home/%U"
      ==> smbldap.conf file can now use the samba %U definition
    . change in smbldap-userdel refuses deleting a home directory that doesn't contain
      the username, more precisely that doesn't look like /^\/.+\/(.*)$user/
      This avoids deleting-disasters when the homeDirectory attribute is
      erroneously set to a wrong value like "/" or "/home".
    . adds mail-forwarding and mail-alias capabilities (for use by MTAs like sendmail or
      postfix). Two new options "-M" and "-T" allow specifying mail-aliases and mail-forward
      addresses in smbldap-useradd and smbldap-usermod. If those options are used, the
      objectclass "inetLocalMailRecipient" is used
    . patch to allow adding new mail-aliases (-M), mail-forward addresses (-T) or
      supplementary groups (-G) without overwriting the existing ones using a syntax like
        smbldap-usermod -G +wheel testuser
      Removing only the specified attributes without deleting all of them works the same way
      using a syntax like
        smbldap-usermod -G -wheel testuser
    . patch that fixes a small problem when using userHomeDrive without the ":" symbol
  . test if a user is unique in get_homedir function. Replace the regular expression that checks
    the homeDirectory attribute's value with the exact query response.
2004-03-05:
  . add the displayName attribute when using 'smbldap-groupadd -a'
  . update smbldap-populate (set the username for the guest account and the
    administrative account in sambaProfilePath instead of $adminName and $guestName)
2004-03-01:
  . update smbldap-populate to allow setting userHomeDrive="" in configuration file
2004-02-22:
  . it is now possible to delete the following entries with smbldap-usermod :
    sambaHomePath (option -C), sambaHomeDrive (option -D)
    sambaLogonScript (option -E) and sambaProfilePath (option -F)
    ex: smbldap-usermod -C "" user
  . update documentation
2004-02-07: new tag v0-8-4
  . include documentation in smbldap-tools.spec file
2004-01-22:
  . config.pl: usersdn, groupsdn and computersdn were not updated
  . config.pl: empty value can be set with the "." character
2004-01-19:
  . certificates for TLS support can now be declared in the smbldap.conf
    configuration file. 4 new options: verify, cafile, clientcert and clientkey
2004-01-17:
  . remove OpenLDAP requirement in smbldap-tools spec file as the LDAP server
    can be on another computer
2004-01-14:
  . patch to smbldap-populate to not take into account attributes that have a null
    definition in smbldap.conf (sambaProfilePath and sambaHomePath)
2004-01-10:
  . shadowAccount objectclass added for users account (needed for users on Solaris
    system to authenticate)
  . configuration is now split in two files
    > smbldap.conf : global parameters
    > smbldap_bind.conf: connection parameters to the directory
  . patch in smbldap-password that allows users to use this script to change their
    own passwords
2003-12-29:
  . new script configure.pl to help setting up the smbldap_conf.pl file
  . bug: smbldap_conf.pm now allows setting _userSmbHome and _userProfile to a null string
    to disable homedirectory and roaming profiles
2003-12-19:
  . new option '-i' to smbldap-useradd to create a trust account (domain membership)
  . rename all scripts: remove the '.pl'
2003-12-11:
  . new option '-i' to smbldap-populate to import an ldif file
  . new option '-e' to smbldap-populate to export an ldif file
2003-11-18: new tag v0-8-2
  . new option '-a' to smbldap-usermod.pl that allows adding the sambaSAMAccount
    objectclass to an existing posixAccount
2003-11-07:
  . patch that allows adding user to a group when the group is in a higher level depth
    than ou=Groups (for example, ou=grp1,ou=Groups,...)
  . check the unicity of a group when adding/removing a user to this group
2003-10-28:
  . new option '-p' in smbldap-groupadd.pl to 'print' the gidNumber
    of the group to STDOUT. This is needed by samba (see the man page)
2003-10-19:
  . new function does_sid_exist that checks if sambaSID attribute is already
    defined for another user or another group
2003-10-13:
  . smbldap-populate.pl now also adds the group mapping
2003-10-01: new tag v0-8-1
  . one can now comment the two directives '$_userSmbHome' and '$_userProfile'
    if you want to use the smb.conf directives instead ('logon home' and
    'logon path' respectively), or if you want to disable roaming profiles
  . Patch from Alexander Bergolth <leo@strike.wu-wien.ac.at>: the sambaPrimaryGroupSID
    of a user is now set to the sambaSID of his primary group
2003-09-29:
  . added new option '$_defaultMaxPasswordAge' in smbldap_conf.pm to specify
    how long a password is valid
  . The '-B' option was not always valid: to force a user to change his password:
    . the attribute sambaPwdLastSet must be != 0
    . the attribute sambaAcctFlags must not match the 'X' flag
  . logon script is set (for every one) to the default '_userScript' value if it is defined
  . Patch from Alexander Bergolth <leo@strike.wu-wien.ac.at>:
    gid-sid group mapping to smbldap-groupadd.pl and smbldap-groupmod.pl
2003-09-19: Patch from Marc Schoechlin <ms@LF.net>
  . load the perl-modules without setting environment-variables or making symlinks
2003-09-18: Patch from Alexander Bergolth <leo@strike.wu-wien.ac.at>
  . options "-u", "-g", "-s" and "-c" are now functional
  . the existence of samba account was made on sambaAccount and
    not sambaSAMAccount as it should be for samba3
  . new function read_user_entry to smbldap_tools.pm that returns
    a Net::LDAP::Entry object of the user
  . Use this object to get the dn and user attributes instead of
    producing an ldif and searching for attributes within that ldif
2003-09-15:
  . change machine account creation to not add the sambaSAMAccount objectclass.
    It is now added directly by samba when joining the domain
  . new option in smbldap-usermod.pl: '-e' to set an expire date
  . Start_tls support activated when ldapSSL is set to 1
  . Net::LDAP support more scripts
  . bug corrections
2003-09-02:
  . sambaPwdLastSet is updated when smbldap-passwd.pl is used
  . add a function is_group_member to test the existence of a
    user in a particular group
  . add a function is_unix_user to test if a particular user exists
  . Net::LDAP support more scripts
2003-08-15:
  . Samba3.0 support
2003-08-01:
  . Final version for samba 2.2.8a (cvs tag SAMBA-2-2-8a-FINAL)
  . OpenLDAP 2.1 support (only one structural objectclass allowed)
2002-07-24: top and account objectclasses replaced with inetorgperson
2002-06-03: notes to webmin.idealx.org (idxldapaccounts)
2002-06-01: release 0.7. tested with 2.2.4
2002-05-31: fixed smbldap-populate compliance to smbldap_conf
            cleaned up smbldap_conf to be more readable
            some more documentation
            bugfixes on smbldap-passwd and smbldap-populate
2002-05-16: modified default mode on homes: now 700
2002-05-13: fixed spec (relocation and reqs)
2002-03-02: fixed 2.2.3 sambaAccount bug with smbldap-useradd.pl
            (rid is now mandatory in the sambaAccount objectClass)
2002-02-14: just modified default populate for Administrator
2002-02-05: release 0.6. enable/disable user in usermod
2002-02-04: release 0.5. added smbldap-migrate-groups to migrate NT groups
            from a net group dump. added samba parameters to smbldap-useradd
            and smbldap-usermod.
2002-01-12: added smbldap-migrate-accounts to migrate users/machines
            accounts from a PWDUMP dump
2001-12-13: added smbldap-populate to create the initial base
2001-12-13: initial release 0.1
2001-12-12: fixed the SPEC file for RedHat
2001-12-03: cleaned the code and use strict;
2001-11-20: initial needs (for testing purpose on Samba-2.2.2 and Samba-TNG)

# - The End