<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
 "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD><TITLE>Smbldap-tools User Manual
(Release: 0.8.7 )</TITLE>

<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<META name="GENERATOR" content="hevea 1.06">
</HEAD>
<BODY >
<!--HEVEA command line is: /usr/bin/hevea -exec xxdate.exe -pedantic -nosymb smbldap-tools.tex -o html/smbldap-tools.html -->
<!--HTMLHEAD-->
<!--ENDHTML-->
<!--PREFIX <ARG ></ARG>-->
<!--CUT DEF section 1 -->


<H1 ALIGN=center>Smbldap-tools User Manual<BR>
(<I>Release</I>: 0.8.7 )</H1>

<H3 ALIGN=center>Jérôme Tournier</H3>

<H3 ALIGN=center><I>Revision</I>: 1.6 , generated May 25, 2005<BR>
</H3>
This document is the property of IDEALX<SUP><A NAME="text1" HREF="#note1">1</A></SUP>.
Permission is granted to distribute this document under the terms of the GNU
Free Documentation License (<TT>http://www.gnu.org/copyleft/fdl.html</TT>).<BR>
<BR>
<!--TOC section Table of Contents-->

<H2>Table of Contents</H2><!--SEC END -->




<!--TOC section Introduction-->

<H2><A NAME="htoc1">1</A> Introduction</H2><!--SEC END -->

<A NAME="sec:intro"></A>
Smbldap-tools is a set of scripts designed to help integrate Samba and an
LDAP directory.
They target both users and administrators of Linux systems.<BR>
<BR>
Users can change their password in a way similar to the standard "passwd"
command.<BR>
<BR>
Administrators can perform user and group management command line actions
and synchronise Samba account management consistently.<BR>
<BR>
This document presents:
<UL><LI>
a detailed view of the smbldap-tools scripts
<LI>a step by step explanation of how to set up a Samba3 domain controller
</UL>
<!--TOC subsection Software requirements-->

<H3><A NAME="htoc2">1.1</A> Software requirements</H3><!--SEC END -->

The smbldap-tools have been developed and tested with the following configuration:
<UL><LI>
<FONT COLOR=purple><I>Linux</I></FONT> RedHat 9 (but they should work on any <FONT COLOR=purple><I>Linux</I></FONT> distribution)
<LI> <FONT COLOR=purple>Samba</FONT> release 3.0.2pre1,
<LI><FONT COLOR=purple>OpenLDAP</FONT> release 2.1.22
<LI><FONT COLOR=purple>Microsoft Windows NT</FONT> 4.0, Windows 2000 and Windows XP Workstations and Servers,
</UL>
This guide applies to <FONT COLOR=purple>smbldap-tools</FONT> <I>Release</I>: 0.8.7 .<BR>
<BR>
<!--TOC subsection Updates of this document-->

<H3><A NAME="htoc3">1.2</A> Updates of this document</H3><!--SEC END -->

The most up to date release of this document may be found on the
smbldap-tools project page available at <TT>http://samba.IDEALX.org/</TT>.<BR>
<BR>
If you find any bugs in this document, or if you want this document to
include some additional information, please drop us a mail with your bug report
and/or change request at <U>samba@IDEALX.org</U>.<BR>
<BR>
<!--TOC subsection Availability of this document-->

<H3><A NAME="htoc4">1.3</A> Availability of this document</H3><!--SEC END -->

This document is the property of
<B><I>IDEALX</I></B> (<TT>http://www.IDEALX.com/</TT>).
<BR>
<BR>
Permission is granted to distribute this document under the terms of the GNU
Free Documentation License (See <TT>http://www.gnu.org/copyleft/fdl.html</TT>).
 <!--TOC section Installation-->

<H2><A NAME="htoc5">2</A> Installation</H2><!--SEC END -->

<!--TOC subsection Requirements-->

<H3><A NAME="htoc6">2.1</A> Requirements</H3><!--SEC END -->

The main requirements for using smbldap-tools are two Perl modules:
Net::LDAP and Crypt::SmbHash.
In most cases, you'll also need the IO-Socket-SSL Perl module to use
the TLS functionality.<BR>
<BR>
If you want Samba to call the scripts so that you can use the User
Manager (or any other tool) under MS-Windows (to add, delete or modify users and
groups), <FONT COLOR=purple>Samba</FONT> must be installed on the same computer.
Finally, <FONT COLOR=purple>OpenLDAP</FONT> can be installed on any computer. Please check that it
can be contacted by a standard LDAP client.<BR>
<BR>
<FONT COLOR=purple>Samba</FONT> and <FONT COLOR=purple>OpenLDAP</FONT> installations will not be discussed
here. You can consult the howto also available on the
project page (<TT>http://samba.IDEALX.org</TT>). Although it has been
written for Samba2, most of its content still applies to Samba3. The main
difference lies in the LDAP schema definitions.<BR>
<BR>
<!--TOC subsection Installation-->

<H3><A NAME="htoc7">2.2</A> Installation</H3><!--SEC END -->

An archive of the <FONT COLOR=purple>smbldap-tools</FONT> scripts can be downloaded from our project
page <TT>http://samba.IDEALX.org/</TT>. Archive and RedHat packages are
available.
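Once the scripts and their two configuration files are installed, the following script checks the points this manual insists on. It is an added example written for this page, not a script shipped with smbldap-tools, and its function names (<TT>audit_smbldap_conf</TT>, <TT>conf_get</TT>) are its own. It reads <TT>smbldap.conf</TT> and <TT>smbldap_bind.conf</TT> from a directory and reports a bind file readable by group or other, a world-writable <TT>smbldap.conf</TT>, <TT>ldapTLS</TT> other than 1, <TT>verify</TT> other than <TT>require</TT>, a missing <TT>cafile</TT>, empty master credentials and an unsalted <TT>hash_encrypt</TT>; the configuration it runs on at the end is constructed for the demonstration.

```sh
#!/bin/sh
# smbldap-conf-audit.sh: added example for this manual, not a script
# shipped with smbldap-tools. It checks the two configuration files
# for what the manual requires: smbldap_bind.conf unreadable by group
# and other, TLS with certificate verification, and a real (not
# anonymous) bind identity for the master directory.

# Record one finding: print it and bump the counter.
finding() {
    FINDINGS=$((FINDINGS + 1))
    printf 'FINDING: %s\n' "$1"
}

# conf_get FILE KEY: value of the last  KEY="value"  line in FILE.
# The files use exactly that syntax; comment lines do not match.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 \
        | sed -e 's/^"//' -e 's/".*$//'
}

# Octal permission bits and numeric owner; GNU stat first, BSD stat as fallback.
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"; }

# audit_smbldap_conf DIR [UID]: audit DIR/smbldap.conf and
# DIR/smbldap_bind.conf; UID is the user who must own the bind file
# (0, root, by default). Returns the number of findings (0 = clean).
audit_smbldap_conf() {
    dir=$1; want_uid=${2:-0}; FINDINGS=0
    bind="$dir/smbldap_bind.conf"; conf="$dir/smbldap.conf"

    if [ ! -f "$bind" ]; then
        finding "$bind is missing"
    else
        case "$(file_mode "$bind")" in
            *00) ;;    # 600 or 400: no group/other access, as required
            *)   finding "$bind is accessible to group/other; chmod 600 it" ;;
        esac
        [ "$(file_owner "$bind")" = "$want_uid" ] \
            || finding "$bind is not owned by uid $want_uid"
        [ -n "$(conf_get "$bind" masterDN)" ] \
            || finding "masterDN is empty: an anonymous bind cannot modify the directory"
        [ -n "$(conf_get "$bind" masterPw)" ] \
            || finding "masterPw is empty"
    fi

    if [ ! -f "$conf" ]; then
        finding "$conf is missing"
    else
        case "$(file_mode "$conf")" in
            *[2367]?|*[2367]) finding "$conf is writable by group/other; chmod 644 it" ;;
        esac
        if [ "$(conf_get "$conf" ldapTLS)" != "1" ]; then
            finding "ldapTLS is not 1: bind credentials would cross the network in clear"
        else
            [ "$(conf_get "$conf" verify)" = "require" ] \
                || finding "verify is not 'require': the server certificate is not checked"
            ca=$(conf_get "$conf" cafile)
            [ -n "$ca" ] && [ -r "$ca" ] \
                || finding "cafile '$ca' is unset or unreadable: no trust anchor for TLS"
        fi
        he=$(conf_get "$conf" hash_encrypt)
        case "$he" in
            SSHA|SMD5) ;;   # salted schemes
            *) finding "hash_encrypt='$he': prefer a salted scheme such as SSHA" ;;
        esac
    fi

    [ "$FINDINGS" -le 255 ] || FINDINGS=255
    return "$FINDINGS"
}

# Demonstration on a constructed configuration (not from any real site):
# world-readable bind file, empty masterPw and TLS switched off.
demo_dir=$(mktemp -d)
cat > "$demo_dir/smbldap.conf" <<'EOF'
suffix="dc=idealx,dc=com"
ldapTLS="0"
hash_encrypt="SSHA"
EOF
cat > "$demo_dir/smbldap_bind.conf" <<'EOF'
masterDN="cn=Manager,dc=idealx,dc=com"
masterPw=""
EOF
chmod 644 "$demo_dir/smbldap.conf" "$demo_dir/smbldap_bind.conf"
rc=0
audit_smbldap_conf "$demo_dir" "$(id -u)" || rc=$?
echo "total findings: $rc"     # 3 for this sample
rm -r "$demo_dir"
```

On a real system run it as root with the default owner argument, so that a bind file owned by anyone other than root is reported too.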
<BR>
If you are upgrading, look at the <TT>INSTALL</TT> file or read the link
<A HREF="#faq::error::add::user">6.13</A>.<BR>
<BR>
<!--TOC subsubsection Installing from rpm-->

<H4><A NAME="htoc8">2.2.1</A> Installing from rpm</H4><!--SEC END -->

To install the scripts on a RedHat system, download the RPM
package and run the following command:
<PRE>
rpm -Uvh smbldap-tools-0.8.5-1.i386.rpm
</PRE>
<!--TOC subsubsection Installing from a tarball-->

<H4><A NAME="htoc9">2.2.2</A> Installing from a tarball</H4><!--SEC END -->

On non-RedHat systems, download a source archive of the scripts. The current
archive is <TT>smbldap-tools-0.8.5.tar.gz</TT>.
Uncompress it and copy all of the Perl scripts into the <TT>/usr/local/sbin</TT>
directory, and the two configuration files into the
<TT>/etc/opt/IDEALX/smbldap-tools/</TT> directory:
<PRE>
mkdir /etc/opt/IDEALX/smbldap-tools/
cp *.conf /etc/opt/IDEALX/smbldap-tools/
cp smbldap-* /usr/local/sbin/
</PRE>
The configuration is now based on two different files:
<UL><LI>
<TT>smbldap.conf</TT>: defines global parameters
<LI><TT>smbldap_bind.conf</TT>: defines an administrative account to
 bind to the directory
</UL>
The second file <B>must</B> be readable only by 'root', as it contains
credentials allowing modifications to the whole directory. Make sure the
files are protected by running the following commands:
<PRE>
chmod 644 /etc/opt/IDEALX/smbldap-tools/smbldap.conf
chmod 600 /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf
</PRE> <!--TOC section Configuring the smbldap-tools-->

<H2><A NAME="htoc10">3</A> Configuring the smbldap-tools</H2><!--SEC END -->

As mentioned in the previous section, you'll have to update two
configuration files.
The first (<TT>smbldap.conf</TT>) allows you to
set global parameters that are readable by everybody, and the second
(<TT>smbldap_bind.conf</TT>) defines two administrative accounts to
bind to a slave and a master LDAP server: this file must thus be
readable only by root.<BR>
<BR>
A script named <TT>configure.pl</TT> can help you set up their contents.
It is located in the downloaded tarball,
or in the documentation directory if you installed the RPM
package (see <TT>/usr/share/doc/smbldap-tools/</TT>). Just invoke it:
<PRE>
/usr/share/doc/smbldap-tools/configure.pl
</PRE>It will ask for the default values defined in your
<TT>smb.conf</TT> file, and will update the two configuration files used
by the scripts. Note that you can stop the script at any moment with
the <TT>Ctrl-c</TT> keys.<BR>
Before using this script:
<UL><LI>
the two configuration files <B>must</B> be present in the
 <TT>/etc/opt/IDEALX/smbldap-tools/</TT> directory
<LI>check that Samba is configured and running, as the script will try to
 get your workgroup's domain security identifier (SID).
</UL>
In those files, parameters are defined like this:
<PRE>
key="value"
</PRE>Full example configuration files can be found at
<A HREF="#configuration::files">8.1</A>.<BR>
<BR>
<!--TOC subsection The smbldap.conf file-->

<H3><A NAME="htoc11">3.1</A> The smbldap.conf file</H3><!--SEC END -->

This file is used to define parameters that can be read by
everybody. A full example file is available in section <A HREF="#configuration::file::smbldap">8.1.1</A>.<BR>
<BR>
Let's have a look at all available parameters.
<UL><LI>
<TT>UID_START</TT> and <TT>GID_START</TT> : those parameters
 are deprecated. Available uid and gid values are now defined in the default
 new entry <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT>.
<LI><TT>SID</TT> : the domain's security identifier (SID)
 <UL><LI>
 Example: <TT>SID="S-1-5-21-3703471949-3718591838-2324585696"</TT>
 <LI>Remark: you can get the SID for your domain using the <TT>net getlocalsid</TT>
 command. Samba must be up and running for this to work (it can take <B>several</B> minutes for a Samba server to correctly negotiate its status with other network servers).
</UL>
<LI><TT>slaveLDAP</TT> : slave LDAP server
 <UL><LI>
 Example: <TT>slaveLDAP="127.0.0.1"</TT>
 <LI>Remark: must be a resolvable DNS name or its IP address
 </UL>
<LI><TT>slavePort</TT> : port to contact the slave server
 <UL><LI>
 Example: <TT>slavePort="389"</TT>
 </UL>
<LI><TT>masterLDAP</TT> : master LDAP server
 <UL><LI>
 Example: <TT>masterLDAP="127.0.0.1"</TT>
 </UL>
<LI><TT>masterPort</TT> : port to contact the master server
 <UL><LI>
 Example: <TT>masterPort="389"</TT>
 </UL>
<LI><TT>ldapTLS</TT> : should we use a TLS connection to contact the
 LDAP servers?
 <UL><LI>
 Example: <TT>ldapTLS="1"</TT>
 <LI>Remark: the LDAP servers must be configured to accept TLS
 connections. See the Samba-LDAP Howto for more
 details (<TT>http://samba.idealx.org/smbldap-howto.fr.html</TT>). If you are using TLS support, select port 389 to connect to
 the master and slave directories.
 </UL>
<LI><TT>verify</TT> : How to verify the server's certificate (none,
 optional or require).
See "man Net::LDAP", start_tls section, for
 more details
 <UL><LI>
 Example: <TT>verify="require"</TT>
 </UL>
<LI><TT>cafile</TT> : the PEM-format file containing the certificates
 of the CA that slapd will trust
 <UL><LI>
 Example: <TT>cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"</TT>
 </UL>
<LI><TT>clientcert</TT> : the file that contains the client certificate
 <UL><LI>
 Example: <TT>clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem"</TT>
 </UL>
<LI><TT>clientkey</TT> : the file that contains the private key that
 matches the certificate stored in the clientcert file
 <UL><LI>
 Example: <TT>clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key"</TT>
 </UL>
<LI><TT>suffix</TT> : The distinguished name of the search base
 <UL><LI>
 Example: <TT>suffix="dc=idealx,dc=com"</TT>
 </UL>
<LI><TT>usersdn</TT> : branch in which user accounts can be found or
 must be added
 <UL><LI>
 Example: <TT>usersdn="ou=Users,${suffix}"</TT>
 <LI>Remark: this branch is <B>not</B> relative to the suffix value
 </UL>
<LI><TT>computersdn</TT> : branch in which computer accounts can be
 found or must be added
 <UL><LI>
 Example: <TT>computersdn="ou=Computers,${suffix}"</TT>
 <LI>Remark: this branch is <B>not</B> relative to the suffix value
 </UL>
<LI><TT>groupsdn</TT> : branch in which group accounts can be found
 or must be added
 <UL><LI>
 Example: <TT>groupsdn="ou=Groups,${suffix}"</TT>
 <LI>Remark: this branch is <B>not</B> relative to the suffix value
 </UL>
<LI><TT>idmapdn</TT> : where Idmap entries are stored (used if Samba is a domain member server)
<UL><LI>
 Example: <TT>idmapdn="ou=Idmap,${suffix}"</TT>
 <LI>Remark: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>sambaUnixIdPooldn</TT> : object in which the next available uidNumber and gidNumber are stored
<UL><LI>
 Example:
<TT>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"</TT>
 <LI>Remark: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>scope</TT> : the search scope.
<UL><LI>
 Example: <TT>scope="sub"</TT>
</UL>
<LI><TT>hash_encrypt</TT> : hash to be used when generating a
 user password.
 <UL><LI>
 Example: <TT>hash_encrypt="SSHA"</TT>
 <LI>Remark: this is used for the Unix password stored in the <I>userPassword</I> attribute.
 </UL>
<LI><TT>crypt_salt_format="%s"</TT> : if hash_encrypt is set to
 CRYPT, you may set a salt format. The default is "%s", but many systems
 will generate MD5 hashed passwords if you use "$1$%.8s". This
 parameter is optional.
<LI><TT>userLoginShell</TT> : default shell given to users.
 <UL><LI>
 Example: <TT>userLoginShell="/bin/bash"</TT>
 <LI>Remark: this is stored in the <I>loginShell</I> attribute.
 </UL>
<LI><TT>userHome</TT> : default directory in which users' home
 directories are located.
 <UL><LI>
 Example: <TT>userHome="/home/%U"</TT>
 <LI>Remark: this is stored in the <TT>homeDirectory</TT> attribute.
 </UL>
<LI><TT>userGecos</TT> : gecos used for users
 <UL><LI>
 Example: <TT>userGecos="System User"</TT>
 </UL>
<LI><TT>defaultUserGid</TT> : default primary group set on user accounts
 <UL><LI>
 Example: <TT>defaultUserGid="513"</TT>
 <LI>Remark: this is stored in the <I>gidNumber</I> attribute.
</UL>
<LI><TT>defaultComputerGid</TT> : default primary group set on
 computer accounts
 <UL><LI>
 Example: <TT>defaultComputerGid="550"</TT>
 <LI>Remark: this is stored in the <I>gidNumber</I> attribute.
</UL>
<LI><TT>skeletonDir</TT> : skeleton directory used for user accounts
 <UL><LI>
 Example: <TT>skeletonDir="/etc/skel"</TT>
 <LI>Remark: this option is used only if you ask for home directory creation when adding a new user.
 </UL>
<LI><TT>defaultMaxPasswordAge</TT> : default validity period of a
 password (in days)
 <UL><LI>
 Example: <TT>defaultMaxPasswordAge="55"</TT>
 </UL>
<LI><TT>userSmbHome</TT> : Samba share used to store the user's home directory
 <UL><LI>
 Example:
 <TT>userSmbHome="\\PDC-SMB3\home\%U"</TT>
 <LI>Remark: this is stored in the <I>sambaHomePath</I> attribute.
</UL>
<LI><TT>userProfile</TT> : Samba share used to store the user's profile
 <UL><LI>
 Example:
 <TT>userProfile="\\PDC-SMB3\profiles\%U"</TT>
 <LI>Remark: this is stored in the <I>sambaProfilePath</I> attribute.
 </UL>
<LI><TT>userScript</TT> : default user netlogon script name. If not set, it will automatically be <I>username.cmd</I>
 <UL><LI>
 Example:
 <TT>userScript="%U"</TT>
 <LI>Remark: this is stored in the <I>sambaProfilePath</I> attribute.
 </UL>
<LI><TT>userHomeDrive</TT> : letter used on Windows systems to map
 the home directory
 <UL><LI>
 Example: <TT>userHomeDrive="K:"</TT>
 </UL>
<LI><TT>with_smbpasswd</TT> : should we use the <I>smbpasswd</I> command
 to set the user's password (instead of the <I>mkntpwd</I> utility)?
 <UL><LI>
 Example: <TT>with_smbpasswd="0"</TT>
 <LI>Remark: must be a boolean value (0 or 1).
 </UL>
<LI><TT>smbpasswd</TT> : path to the <TT>smbpasswd</TT> binary
 <UL><LI>
 Example: <TT>smbpasswd="/usr/bin/smbpasswd"</TT>
 </UL>
<LI><TT>mk_ntpasswd</TT> : path to the mkntpwd binary
 <UL><LI>
 Example: <TT>mk_ntpasswd="/usr/local/sbin/mkntpwd"</TT>
 <LI>Remark: the rpm package of the smbldap-tools will install this
 utility. If you are using the tarball archive, you have to install
 it yourself (sources are also in the smbldap-tools archive).
 </UL>
<LI><TT>mailDomain</TT> : domain appended to the user's "mail"
 attribute.
 <UL><LI>
 Example: <TT>mailDomain="idealx.org"</TT>
 </UL>
</UL>
<!--TOC subsection The smbldap_bind.conf file-->

<H3><A NAME="htoc12">3.2</A> The smbldap_bind.conf file</H3><!--SEC END -->

This file is only used by <I>root</I> to modify the content of the directory.
It contains distinguished names and credentials to connect to
both the master and slave directories. A full example file is available
in section <A HREF="#configuration::file::smbldap::bind">8.1.2</A>.<BR>
<BR>
Let's have a look at all available parameters.
<UL><LI>
<TT>slaveDN</TT> : distinguished name used to bind to the slave server
 <UL><LI>
 Example 1: <TT>slaveDN="cn=Manager,dc=idealx,dc=com"</TT>
 <LI>Example 2: <TT>slaveDN=""</TT>
 <LI>Remark: this can be the manager account of the directory or
 any LDAP account that has sufficient permissions to read the full
 directory (the slave directory is only used for reading). Anonymous
 connections use the second example form.
 </UL>
<LI><TT>slavePw</TT> : the credentials to bind to the slave server
 <UL><LI>
 Example 1: <TT>slavePw="secret"</TT>
 <LI>Example 2: <TT>slavePw=""</TT>
 <LI>Remark: the password must be stored here in clear form. This
 file must then be readable only by root! All anonymous connections
 use the second form provided in our example.
 </UL>
<LI><TT>masterDN</TT> : the distinguished name used to bind to the master server
 <UL><LI>
 Example: <TT>masterDN="cn=Manager,dc=idealx,dc=com"</TT>
 <LI>Remark: this can be the manager account of the directory or
 any LDAP account that has enough permissions to modify the content
 of the directory. Anonymous access does not make any sense here.
</UL>
<LI><TT>masterPw</TT> : the credentials to bind to the master server
 <UL><LI>
 Example: <TT>masterPw="secret"</TT>
 <LI>Remark: the password must be in clear text.
Be sure to protect
 this file against unauthorized readers!
 </UL>
</UL>
 <!--TOC section Using the scripts-->

<H2><A NAME="htoc13">4</A> Using the scripts</H2><!--SEC END -->

<!--TOC subsection Initial directory population-->

<H3><A NAME="htoc14">4.1</A> Initial directory population</H3><!--SEC END -->

You can initialize the LDAP directory using the
<TT>smbldap-populate</TT> script. To do that, the account defined in
<TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> to access the
master directory <B>must</B> be the manager account defined in the
directory configuration. On RedHat systems, this file is
<TT>/etc/openldap/slapd.conf</TT> and the account is defined with
<PRE>
 rootdn "cn=Manager,dc=idealx,dc=com"
 rootpw secret
</PRE>The <TT>smbldap_bind.conf</TT> file must then be configured so that
the parameters to connect to the master LDAP server match the previous ones:
<PRE>
 masterDN="cn=Manager,dc=idealx,dc=com"
 masterPw="secret"
</PRE>
Available options for this script are summarized in table <A HREF="#table::populate">1</A>:
<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
 <A NAME="code_epsilon_var"></A>
 <DIV ALIGN=center>
 <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
<TR><TD ALIGN=left NOWRAP>option</TD>
<TD ALIGN=left NOWRAP>definition</TD>
<TD ALIGN=left NOWRAP>default value</TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-u <I>uidNumber</I></TD>
<TD ALIGN=left NOWRAP>first uidNumber to allocate</TD>
<TD ALIGN=left NOWRAP>1000</TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-g <I>gidNumber</I></TD>
<TD ALIGN=left NOWRAP>first gidNumber to allocate</TD>
<TD ALIGN=left NOWRAP>1000</TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-a <I>user</I></TD>
<TD ALIGN=left NOWRAP>administrator login name</TD>
<TD ALIGN=left NOWRAP>Administrator</TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-b <I>user</I></TD>
<TD ALIGN=left 
NOWRAP>guest login name</TD>
<TD ALIGN=left NOWRAP>nobody</TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-e <I>file</I></TD>
<TD ALIGN=left NOWRAP>export an init file</TD>
<TD ALIGN=left NOWRAP> </TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-i <I>file</I></TD>
<TD ALIGN=left NOWRAP>import an init file</TD>
<TD ALIGN=left NOWRAP> </TD>
</TR></TABLE>
 </DIV>
 <BR>
<DIV ALIGN=center>Table 1: Options available for the <TT>smbldap-populate</TT> script</DIV><BR>

 <A NAME="table::populate"></A>
<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
In the general case, to set up your directory, simply use the
following command:
<PRE>
[root@etoile root]# smbldap-populate
Using builtin directory structure
adding new entry: dc=idealx,dc=com
adding new entry: ou=Users,dc=idealx,dc=com
adding new entry: ou=Groups,dc=idealx,dc=com
adding new entry: ou=Computers,dc=idealx,dc=com
adding new entry: ou=Idmap,dc=idealx,dc=org
adding new entry: cn=NextFreeUnixId,dc=idealx,dc=org
adding new entry: uid=Administrator,ou=Users,dc=idealx,dc=com
adding new entry: uid=nobody,ou=Users,dc=idealx,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Replicator,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=idealx,dc=com
</PRE>
After this step, if you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
account anymore, you can create a dedicated account for Samba and the
smbldap-tools.
See section <A HREF="#change::manager">8.2</A> for more details.<BR>
<BR>
The <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> entry is only used to
define the next uidNumber and gidNumber available for creating new
users and groups. The default values for those numbers are 1000. You
can change them with the <TT>-u</TT> and <TT>-g</TT> options. For
example, if you want the first available value for uidNumber and
gidNumber to be set to 1500, you can use the following command:
<PRE>
smbldap-populate -u 1500 -g 1500
</PRE>
<!--TOC subsection User management-->

<H3><A NAME="htoc15">4.2</A> User management</H3><!--SEC END -->

<!--TOC subsubsection Adding a user-->

<H4><A NAME="htoc16">4.2.1</A> Adding a user</H4><!--SEC END -->
<A NAME="add::user"></A>
To add a user, use the <TT>smbldap-useradd</TT> script. Available
options are summarized in table <A HREF="#table::add::user">2</A>. If applicable,
default values are mentioned in the last column. Any string beginning with a
$ symbol refers to a parameter defined in the
<TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> configuration file.
<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
 <DIV ALIGN=center>
 <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
<TR><TD VALIGN=top ALIGN=left>option</TD>
<TD VALIGN=top ALIGN=left>definition</TD>
<TD VALIGN=top ALIGN=left>example</TD>
<TD VALIGN=top ALIGN=left>default value</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-a</TD>
<TD VALIGN=top ALIGN=left>create a Windows account. 
Otherwise, only a Posix account
 is created</TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-w</TD>
<TD VALIGN=top ALIGN=left>create a Windows Workstation account</TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-i</TD>
<TD VALIGN=top ALIGN=left>create an interdomain trust account. See section
 <A HREF="#trust::account">4.4</A> for more details</TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-u</TD>
<TD VALIGN=top ALIGN=left>set a uid value</TD>
<TD VALIGN=top ALIGN=left>-u 1003</TD>
<TD VALIGN=top ALIGN=left>first uid available</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-g</TD>
<TD VALIGN=top ALIGN=left>set a gid value</TD>
<TD VALIGN=top ALIGN=left>-g 1003</TD>
<TD VALIGN=top ALIGN=left>first gid available</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-G</TD>
<TD VALIGN=top ALIGN=left>add the new account to one or several supplementary
 groups (comma-separated)</TD>
<TD VALIGN=top ALIGN=left>-G 512,550</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-d</TD>
<TD VALIGN=top ALIGN=left>set the home directory</TD>
<TD VALIGN=top ALIGN=left>-d /var/user</TD>
<TD VALIGN=top ALIGN=left>$userHomePrefix/user</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-s</TD>
<TD VALIGN=top ALIGN=left>set the login shell</TD>
<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
<TD VALIGN=top ALIGN=left>$userLoginShell</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-c</TD>
<TD VALIGN=top ALIGN=left>set the user gecos</TD>
<TD VALIGN=top ALIGN=left>-c "admin user"</TD>
<TD VALIGN=top ALIGN=left>$userGecos</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-m</TD>
<TD VALIGN=top ALIGN=left>creates the user's home directory and copies /etc/skel
 into it</TD>
<TD VALIGN=top ALIGN=left> 
</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-k</TD>
<TD VALIGN=top ALIGN=left>set the skeleton dir (with -m)</TD>
<TD VALIGN=top ALIGN=left>-k /etc/skel2</TD>
<TD VALIGN=top ALIGN=left>$skeletonDir</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-P</TD>
<TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's
 password</TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-A</TD>
<TD VALIGN=top ALIGN=left>user can change password? 0 if no, 1 if yes</TD>
<TD VALIGN=top ALIGN=left>-A 1</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-B</TD>
<TD VALIGN=top ALIGN=left>user must change password at first session? 0 if no, 1
 if yes</TD>
<TD VALIGN=top ALIGN=left>-B 1</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-C</TD>
<TD VALIGN=top ALIGN=left>set the samba home share</TD>
<TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD>
<TD VALIGN=top ALIGN=left>$userSmbHome</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-D</TD>
<TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD>
<TD VALIGN=top ALIGN=left>-D H:</TD>
<TD VALIGN=top ALIGN=left>$userHomeDrive</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-E</TD>
<TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD>
<TD VALIGN=top ALIGN=left>-E common.bat</TD>
<TD VALIGN=top ALIGN=left>$userScript</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-F</TD>
<TD VALIGN=top ALIGN=left>set the profile directory</TD>
<TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD>
<TD VALIGN=top ALIGN=left>$userProfile</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-H</TD>
<TD VALIGN=top ALIGN=left>set the samba account control bits
 like '[NDHTUMWSLKI]'</TD>
<TD VALIGN=top ALIGN=left>-H [X]</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD 
VALIGN=top ALIGN=left>-N</TD>
<TD VALIGN=top ALIGN=left>set the canonical name of the user</TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-S</TD>
<TD VALIGN=top ALIGN=left>set the surname of the user</TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-M</TD>
<TD VALIGN=top ALIGN=left>local mailAddress (comma separated)</TD>
<TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-T</TD>
<TD VALIGN=top ALIGN=left>forward mail address (comma separated)</TD>
<TD VALIGN=top ALIGN=left>-T
 testuser@domain.org</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR></TABLE>
 </DIV>
 <BR>
<DIV ALIGN=center>Table 2: Options available to the <TT>smbldap-useradd</TT> script</DIV><BR>

 <A NAME="table::add::user"></A>
<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>

For example, if you want to add a user named <I>user_admin</I> who:
<UL><LI>
is a Windows user
<LI>must belong to the group with gid=512 (the 'Domain Admins' group)
<LI>has a home directory
<LI>does not have a login shell
<LI>has a homeDirectory set to /dev/null
<LI>does not have a roaming profile
<LI>and for whom we want to set a first login password
</UL>
you must invoke:
<PRE>
smbldap-useradd -a -G 512 -m -s /bin/false -d /dev/null -F "" -P user_admin
</PRE>
<!--TOC subsubsection Removing a user-->

<H4><A NAME="htoc17">4.2.2</A> Removing a user</H4><!--SEC END -->

To remove a user account, use the <TT>smbldap-userdel</TT> script.
Available options are
<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
 <DIV ALIGN=center>
 <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
<TR><TD ALIGN=left NOWRAP>option</TD>
<TD ALIGN=left NOWRAP>definition</TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-r</TD>
<TD ALIGN=left NOWRAP>remove home directory</TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-R</TD>
<TD ALIGN=left NOWRAP>remove home directory interactively</TD>
</TR></TABLE>
 </DIV>
 <BR>
<DIV ALIGN=center>Table 3: Options available to the <TT>smbldap-userdel</TT> script</DIV><BR>

 <A NAME="table::del::user"></A>
<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
For example, if you want to remove the <I>user1</I> account
from the LDAP directory, and if you also want to delete his home
directory, use the following command:
<PRE>
smbldap-userdel -r user1
</PRE>
Note: '-r' is dangerous, as it may delete precious data that has not been backed up;
please be careful.<BR>
<BR>
<!--TOC subsubsection Modifying a user-->

<H4><A NAME="htoc18">4.2.3</A> Modifying a user</H4><!--SEC END -->
<A NAME="modify::user"></A>
To modify a user account, use the <TT>smbldap-usermod</TT> script.
Available options are listed in table <A HREF="#table::modify::user">4</A>.
<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
 <DIV ALIGN=center>
 <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
<TR><TD VALIGN=top ALIGN=left>option</TD>
<TD VALIGN=top ALIGN=left>definition</TD>
<TD VALIGN=top ALIGN=left>example</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-c</TD>
<TD VALIGN=top ALIGN=left>set the user gecos</TD>
<TD VALIGN=top ALIGN=left>-c "admin user"</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-d</TD>
<TD VALIGN=top ALIGN=left>set the home directory</TD>
<TD VALIGN=top ALIGN=left>-d /var/user</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-u</TD>
<TD VALIGN=top ALIGN=left>set a uid value</TD>
<TD VALIGN=top ALIGN=left>-u 1003</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-g</TD>
<TD VALIGN=top ALIGN=left>set a gid value</TD>
<TD VALIGN=top ALIGN=left>-g 1003</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-G</TD>
<TD VALIGN=top ALIGN=left>add the new account to one or several supplementary
 groups (comma-separated)</TD>
<TD VALIGN=top ALIGN=left>-G 512,550</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left>-G -512,550</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left>-G +512,550</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-s</TD>
<TD VALIGN=top ALIGN=left>set the login shell</TD>
<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-N</TD>
<TD VALIGN=top ALIGN=left>set the canonical name of the user</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-S</TD>
<TD VALIGN=top ALIGN=left>set the surname of the user</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-P</TD>
<TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's password</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top 
ALIGN=left>-a</TD> 780<TD VALIGN=top ALIGN=left>add sambaSAMAccount objectclass</TD> 781<TD VALIGN=top ALIGN=left> </TD> 782</TR> 783<TR><TD VALIGN=top ALIGN=left>-e</TD> 784<TD VALIGN=top ALIGN=left>set an expiration date for the password (format: YYYY-MM-DD HH:MM:SS)</TD> 785<TD VALIGN=top ALIGN=left> </TD> 786</TR> 787<TR><TD VALIGN=top ALIGN=left>-A</TD> 788<TD VALIGN=top ALIGN=left>user can change password ? 0 if no, 1 if yes</TD> 789<TD VALIGN=top ALIGN=left>-A 1</TD> 790</TR> 791<TR><TD VALIGN=top ALIGN=left>-B</TD> 792<TD VALIGN=top ALIGN=left>user must change password at first session ? 0 if no, 1 793 if yes</TD> 794<TD VALIGN=top ALIGN=left>-B 1</TD> 795</TR> 796<TR><TD VALIGN=top ALIGN=left>-C</TD> 797<TD VALIGN=top ALIGN=left>set the samba home share</TD> 798<TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD> 799</TR> 800<TR><TD VALIGN=top ALIGN=left> </TD> 801<TD VALIGN=top ALIGN=left> </TD> 802<TD VALIGN=top ALIGN=left>-C ""</TD> 803</TR> 804<TR><TD VALIGN=top ALIGN=left>-D</TD> 805<TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD> 806<TD VALIGN=top ALIGN=left>-D H:</TD> 807</TR> 808<TR><TD VALIGN=top ALIGN=left> </TD> 809<TD VALIGN=top ALIGN=left> </TD> 810<TD VALIGN=top ALIGN=left>-D ""</TD> 811</TR> 812<TR><TD VALIGN=top ALIGN=left>-E</TD> 813<TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD> 814<TD VALIGN=top ALIGN=left>-E common.bat</TD> 815</TR> 816<TR><TD VALIGN=top ALIGN=left> </TD> 817<TD VALIGN=top ALIGN=left> </TD> 818<TD VALIGN=top ALIGN=left>-E ""</TD> 819</TR> 820<TR><TD VALIGN=top ALIGN=left>-F</TD> 821<TD VALIGN=top ALIGN=left>set the profile directory</TD> 822<TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD> 823</TR> 824<TR><TD VALIGN=top ALIGN=left> </TD> 825<TD VALIGN=top ALIGN=left> </TD> 826<TD VALIGN=top ALIGN=left>-F ""</TD> 827</TR> 828<TR><TD VALIGN=top ALIGN=left>-H</TD> 829<TD VALIGN=top ALIGN=left>set the samba account control bits like'[NDHTUMWSLKI]'</TD> 830<TD VALIGN=top ALIGN=left>-H 
[X]</TD> 831</TR> 832<TR><TD VALIGN=top ALIGN=left>-I</TD> 833<TD VALIGN=top ALIGN=left>disable a user account</TD> 834<TD VALIGN=top ALIGN=left>-I 1</TD> 835</TR> 836<TR><TD VALIGN=top ALIGN=left>-J</TD> 837<TD VALIGN=top ALIGN=left>enable a user</TD> 838<TD VALIGN=top ALIGN=left>-J 1</TD> 839</TR> 840<TR><TD VALIGN=top ALIGN=left>-M</TD> 841<TD VALIGN=top ALIGN=left>local mailAddress (comma seperated)</TD> 842<TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD> 843</TR> 844<TR><TD VALIGN=top ALIGN=left>-T</TD> 845<TD VALIGN=top ALIGN=left>forward mail address (comma seperated)</TD> 846<TD VALIGN=top ALIGN=left>-T 847 testuser@domain.org</TD> 848</TR></TABLE> 849 </DIV> 850 <BR> 851<DIV ALIGN=center>Table 4: Options available to the <TT>smbldap-usermod</TT> script</DIV><BR> 852 853 <A NAME="table::modify::user"></A> 854<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE> 855You can also use the <TT>smbldap-userinfo</TT> script to update user's information. This script can 856also be used by users themselves to update their own informations listed in the tables 857<A HREF="#table::modify::self::user">5</A> (adequats ACL must be set in the directory server). 
Available 858options are : 859<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV> 860 <DIV ALIGN=center> 861 <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1> 862<TR><TD VALIGN=top ALIGN=left>option</TD> 863<TD VALIGN=top ALIGN=left>definition</TD> 864<TD VALIGN=top ALIGN=left>example</TD> 865</TR> 866<TR><TD VALIGN=top ALIGN=left>-f</TD> 867<TD VALIGN=top ALIGN=left>set the full name's user</TD> 868<TD VALIGN=top ALIGN=left>-f MyName</TD> 869</TR> 870<TR><TD VALIGN=top ALIGN=left>-r</TD> 871<TD VALIGN=top ALIGN=left>set the room number</TD> 872<TD VALIGN=top ALIGN=left>-r 99</TD> 873</TR> 874<TR><TD VALIGN=top ALIGN=left>-w</TD> 875<TD VALIGN=top ALIGN=left>set the work phone number</TD> 876<TD VALIGN=top ALIGN=left>-w 111111111</TD> 877</TR> 878<TR><TD VALIGN=top ALIGN=left>-h</TD> 879<TD VALIGN=top ALIGN=left>set the home phone number</TD> 880<TD VALIGN=top ALIGN=left>-h 222222222</TD> 881</TR> 882<TR><TD VALIGN=top ALIGN=left>-o</TD> 883<TD VALIGN=top ALIGN=left>set other information (in gecos definition)</TD> 884<TD VALIGN=top ALIGN=left>-o "second stage"</TD> 885</TR> 886<TR><TD VALIGN=top ALIGN=left>-s</TD> 887<TD VALIGN=top ALIGN=left>set the default bash</TD> 888<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD> 889</TR></TABLE> 890 </DIV> 891 <BR> 892<DIV ALIGN=center>Table 5: Options available to the <TT>smbldap-userinfo</TT> script</DIV><BR> 893 894 <A NAME="table::modify::self::user"></A> 895<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE> 896<!--TOC subsection Group management--> 897 898<H3><A NAME="htoc19">4.3</A> Group management</H3><!--SEC END --> 899 900<!--TOC subsubsection Adding a group--> 901 902<H4><A NAME="htoc20">4.3.1</A> Adding a group</H4><!--SEC END --> 903 904To add a new group in the LDAP directory, use the <TT>smbldap-groupadd</TT> 905script. Available options are listed in the table 906<A HREF="#table::add::group">6</A>. 
907<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV> 908 <DIV ALIGN=center> 909 <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1> 910<TR><TD VALIGN=top ALIGN=left NOWRAP>option</TD> 911<TD VALIGN=top ALIGN=left>definition</TD> 912<TD VALIGN=top ALIGN=left NOWRAP>example</TD> 913</TR> 914<TR><TD VALIGN=top ALIGN=left NOWRAP>-a</TD> 915<TD VALIGN=top ALIGN=left>add automatic group mapping entry</TD> 916<TD VALIGN=top ALIGN=left NOWRAP> </TD> 917</TR> 918<TR><TD VALIGN=top ALIGN=left NOWRAP>-g <TT>gid</TT></TD> 919<TD VALIGN=top ALIGN=left>set the <I>gidNumer</I> for this group to 920 <I>gid</I></TD> 921<TD VALIGN=top ALIGN=left NOWRAP><TT>-g 1002</TT></TD> 922</TR> 923<TR><TD VALIGN=top ALIGN=left NOWRAP>-o</TD> 924<TD VALIGN=top ALIGN=left>gidNumber is not unique</TD> 925<TD VALIGN=top ALIGN=left NOWRAP> </TD> 926</TR> 927<TR><TD VALIGN=top ALIGN=left NOWRAP>-r <TT>group-rid</TT></TD> 928<TD VALIGN=top ALIGN=left>set the rid of the group to 929 <I>group-rid</I></TD> 930<TD VALIGN=top ALIGN=left NOWRAP><TT>-r 1002</TT></TD> 931</TR> 932<TR><TD VALIGN=top ALIGN=left NOWRAP>-s <TT>group-sid</TT></TD> 933<TD VALIGN=top ALIGN=left>set the sid of the group to 934 <I>group-sid</I></TD> 935<TD VALIGN=top ALIGN=left NOWRAP><TT><FONT SIZE=1>-s 936 S-1-5-21-3703471949-3718591838-2324585696-1002</FONT></TT></TD> 937</TR> 938<TR><TD VALIGN=top ALIGN=left NOWRAP>-t <TT>group-type</TT></TD> 939<TD VALIGN=top ALIGN=left>set the <I>sambaGroupType</I> to 940 <I>group-type</I></TD> 941<TD VALIGN=top ALIGN=left NOWRAP><TT>-t 2</TT></TD> 942</TR> 943<TR><TD VALIGN=top ALIGN=left NOWRAP>-p</TD> 944<TD VALIGN=top ALIGN=left>print the gidNumber to stdout</TD> 945<TD VALIGN=top ALIGN=left NOWRAP> </TD> 946</TR></TABLE> 947 </DIV> 948 <BR> 949<DIV ALIGN=center>Table 6: Options available for the <TT>smbldap-groupadd</TT> script</DIV><BR> 950 951 <A NAME="table::add::group"></A> 952<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE> 953<!--TOC subsubsection Removing a group--> 
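The account control flags that <TT>smbldap-usermod -H</TT> sets directly, that <TT>-I</TT> and
<TT>-J</TT> toggle (table 4 above), and that the interdomain trust account of section 4.4 carries
as <TT>[I ]</TT>, live in the <TT>sambaAcctFlags</TT> attribute. The Python helper below is an added
example, not code from smbldap-tools or from Samba: it decodes such a value, applies the
<TT>-I</TT>/<TT>-J</TT> change, re-encodes it, and lists the enabled accounts whose flags an audit
should look at. The letters and their order are the ones Samba's passdb defines (N D H T U M W S L X I);
the padded 13-character form is what Samba writes, the compact form is what the scripts write, and
Samba's decoder accepts both because it skips spaces. The sample entries at the bottom are constructed.

```python
"""sambaAcctFlags helper: decode, edit and re-encode Samba account control flags.

Added example, not part of smbldap-tools or Samba.  Flag letters and their
order follow Samba's pdb_encode_acct_ctrl()/pdb_decode_acct_ctrl().
"""
import re

# Letter -> meaning (Samba ACB_* bits), in the order Samba's encoder emits them.
FLAG_MEANING = {
    "N": "no password required",
    "D": "account disabled",
    "H": "home directory required",
    "T": "temporary duplicate account",
    "U": "normal user account",
    "M": "MNS logon user account",
    "W": "workstation trust account",
    "S": "server trust account",
    "L": "account auto-locked",
    "X": "password never expires",
    "I": "interdomain trust account",
}
FLAG_ORDER = "NDHTUMWSLXI"
PADDED_LEN = 13          # len("[U          ]"): "[" + 11 positions + "]"

_FLAGS_RE = re.compile(r"^\[([A-Z ]*)\]$")


def decode_flags(value):
    """Return the set of flag letters in a sambaAcctFlags value; reject a value
    that is not bracketed or that contains a letter Samba does not define."""
    m = _FLAGS_RE.match(value)
    if m is None:
        raise ValueError("not a sambaAcctFlags value: %r" % value)
    letters = m.group(1).replace(" ", "")          # Samba's decoder skips spaces
    bad = sorted(set(letters) - set(FLAG_MEANING))
    if bad:
        raise ValueError("unknown account flag(s) %s in %r" % ("".join(bad), value))
    return frozenset(letters)


def encode_flags(flags, padded=True):
    """Encode a set of letters in Samba's canonical order.  padded=True gives
    Samba's space-padded layout, padded=False the compact "[UX]" form the
    smbldap-tools scripts write."""
    unknown = sorted(set(flags) - set(FLAG_MEANING))
    if unknown:
        raise ValueError("unknown account flag(s) " + "".join(unknown))
    body = "".join(f for f in FLAG_ORDER if f in flags)
    if padded:
        body = body.ljust(PADDED_LEN - 2)
    return "[" + body + "]"


def disable_account(value):
    """The attribute change behind smbldap-usermod -I: set the D flag."""
    return encode_flags(decode_flags(value) | {"D"})


def enable_account(value):
    """The attribute change behind smbldap-usermod -J: clear the D flag."""
    return encode_flags(decode_flags(value) - {"D"})


def describe_flags(value):
    """Human-readable meanings, in canonical order."""
    flags = decode_flags(value)
    return [FLAG_MEANING[f] for f in FLAG_ORDER if f in flags]


def find_risky_accounts(entries):
    """Given (uid, sambaAcctFlags) pairs, return the uids of accounts that are
    enabled and either need no password (N) or never expire it (X)."""
    risky = []
    for uid, value in entries:
        flags = decode_flags(value)
        if "D" not in flags and ({"N", "X"} & flags):
            risky.append(uid)
    return risky


if __name__ == "__main__":
    # Constructed sample entries, shaped like an LDAP search result.
    sample = [("user1", "[U          ]"), ("svc1", "[UX]"),
              ("old", "[DU         ]"), ("trust-pdc", "[I ]")]
    for uid, value in sample:
        print(uid, value, "->", ", ".join(describe_flags(value)))
    print("disable user1:", disable_account("[U          ]"))
    print("risky:", find_risky_accounts(sample))
```

Run it as a script to see the decoded sample, or import it from an audit script that feeds
it the <TT>uid</TT> and <TT>sambaAcctFlags</TT> attributes of every <TT>sambaSamAccount</TT>
in the directory.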

<H4><A NAME="htoc21">4.3.2</A> Removing a group</H4><!--SEC END -->

To remove the group named <TT>group1</TT>, use the <TT>smbldap-groupdel</TT> script :
<PRE>
smbldap-groupdel group1
</PRE>
<!--TOC subsection Adding an interdomain trust account-->

<H3><A NAME="htoc22">4.4</A> Adding an interdomain trust account</H3><!--SEC END -->
<A NAME="trust::account"></A>
To add an interdomain trust account for the primary domain controller <I>trust-pdc</I>, use the <TT>-i</TT> option of
<TT>smbldap-useradd</TT> as follows :
<PRE>
[root@etoile root]# smbldap-useradd -i trust-pdc
New password : *******
Retype new password : *******
</PRE>
The script ends by asking for a password for this trust
account. The account is created in the directory branch where
all computer accounts are stored (<TT>ou=Computers</TT> by
default). The only two particularities of this account are that you
set a password for it (the trust password, which must also be entered on the
other side of the trust), and that its account flags are
<TT>[I ]</TT> (interdomain trust account) instead of the workstation flag <TT>W</TT>.
 <!--TOC section Samba and the smbldap-tools scripts-->

<H2><A NAME="htoc23">5</A> Samba and the smbldap-tools scripts</H2><!--SEC END -->

<!--TOC subsection General configuration-->

<H3><A NAME="htoc24">5.1</A> General configuration</H3><!--SEC END -->

Samba can be configured to use the <FONT COLOR=purple>smbldap-tools</FONT> scripts. This allows
administrators to add, delete or modify user and group accounts from <FONT COLOR=purple>Microsoft Windows</FONT>
operating systems, for example with the User Manager utility. For this to work, samba
must be configured correctly. The
<TT>smb.conf</TT> configuration file must contain the following directives :
<PRE>
ldap delete dn = Yes
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
</PRE>
Samba runs these scripts as root, so the scripts and their configuration files must be
writable by root only.
Remark: the two directives <TT>delete user script</TT> and <TT>delete group
script</TT> can also be used. However, an error message can appear in User Manager
even though the operation actually succeeds.
If you want to enable this behaviour, you need to add
<PRE>
delete user script = /usr/local/sbin/smbldap-userdel "%u"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
</PRE>
<!--TOC subsection Migrating an NT4 PDC to Samba3-->

<H3><A NAME="htoc25">5.2</A> Migrating an NT4 PDC to Samba3</H3><!--SEC END -->

The account migration procedure becomes really simple when samba is configured to use
the <FONT COLOR=purple>smbldap-tools</FONT>. The samba configuration (smb.conf file) must contain the
directives defined above so that the scripts are called to manage users, groups and computer accounts.
The migration process is outlined in chapter 30 of the samba howto
<TT>http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html</TT>.
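Behind the <TT>-r</TT>/<TT>-s</TT> options of <TT>smbldap-groupadd</TT> (table 6) and the group mapping
questions of the FAQ (6.11 and 6.12 below) lies one rule: a Samba group's <TT>sambaSID</TT> is the domain
SID followed by a RID; ordinary groups get a RID computed from their gidNumber, while the well-known
groups (Domain Admins 512, Domain Users 513, Domain Guests 514, Domain Computers 515) must keep their
fixed RIDs or Samba will not recognise them. The Python below is an added example, not code from
smbldap-tools: it parses SIDs, computes RIDs, emits the LDIF of the mapped group entry that
<TT>smbldap-groupadd -a</TT> would create, and checks a list of existing mappings for the FAQ 6.11/6.12
condition. Assumptions not taken from this page: the RID formula is Samba's algorithmic mapping with its
default rid base of 1000 (users 2*uid+1000, groups 2*gid+1001), which the scripts also apply when no
rid is given; the domain SID and suffix are those of the example configuration files in section 8.1;
the directory contents fed to the check are constructed.

```python
"""Domain SID / RID arithmetic and sambaGroupMapping LDIF generation.

Added example, not code from smbldap-tools.  The RID formula is Samba's
algorithmic mapping with the default rid base of 1000 (assumption, see the
lead-in); SID and suffix come from the manual's example configuration.
"""
import re

DOMAIN_SID = "S-1-5-21-4205727931-4131263253-1851132061"   # from the example smbldap.conf
GROUPS_DN = "ou=Groups,dc=idealx,dc=org"                    # groupsdn of that file

# Well-known domain RIDs; a Samba PDC expects these mappings to exist.
WELL_KNOWN_GROUP_RIDS = {
    "Domain Admins": 512,
    "Domain Users": 513,
    "Domain Guests": 514,
    "Domain Computers": 515,
}
ALGORITHMIC_RID_BASE = 1000      # assumption: Samba's default "algorithmic rid base"
SAMBA_GROUP_TYPE_DOMAIN = 2      # the "-t 2" of table 6

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Split a SID into (domain_sid, rid); raise ValueError on malformed input."""
    if not _SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % sid)
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def group_rid_for_gid(gid, rid_base=ALGORITHMIC_RID_BASE):
    """Algorithmic group RID: 2*gid + rid_base + 1 (users get 2*uid + rid_base,
    so user and group RIDs never collide)."""
    if gid < 0:
        raise ValueError("gidNumber must not be negative")
    return 2 * gid + rid_base + 1


def group_sid(domain_sid, name, gid, rid=None):
    """SID of a group: an explicit rid (smbldap-groupadd -r) wins, then the
    fixed RID of a well-known group name, then the algorithmic RID."""
    if rid is None:
        rid = WELL_KNOWN_GROUP_RIDS.get(name, group_rid_for_gid(gid))
    return "%s-%d" % (domain_sid, rid)


def group_mapping_ldif(name, gid, domain_sid=DOMAIN_SID, rid=None,
                       group_type=SAMBA_GROUP_TYPE_DOMAIN, groupsdn=GROUPS_DN):
    """LDIF for a POSIX group that also carries a Samba group mapping, i.e. the
    kind of entry smbldap-groupadd -a creates."""
    lines = [
        "dn: cn=%s,%s" % (name, groupsdn),
        "objectClass: posixGroup",
        "objectClass: sambaGroupMapping",
        "cn: %s" % name,
        "gidNumber: %d" % gid,
        "sambaSID: %s" % group_sid(domain_sid, name, gid, rid),
        "sambaGroupType: %d" % group_type,
        "displayName: %s" % name,
    ]
    return "\n".join(lines) + "\n"


def check_well_known_mappings(entries, domain_sid=DOMAIN_SID):
    """Audit helper: given (cn, sambaSID) pairs read from the directory, return
    the well-known groups whose mapping is missing or carries the wrong RID.
    This is the condition behind the errors of FAQ 6.11 and 6.12."""
    found = {}
    for cn, sid in entries:
        domain, rid = parse_sid(sid)
        if domain == domain_sid:             # ignore BUILTIN and foreign SIDs
            found[cn] = rid
    return sorted(name for name, rid in WELL_KNOWN_GROUP_RIDS.items()
                  if found.get(name) != rid)


if __name__ == "__main__":
    print(group_mapping_ldif("Domain Users", 513))
    print(group_mapping_ldif("developers", 1002))
    # Constructed directory content: Domain Users was created without -r 513,
    # so it got the algorithmic RID 2*513+1001 = 2027 and Samba does not know it.
    print(check_well_known_mappings([("Domain Admins", DOMAIN_SID + "-512"),
                                     ("Domain Users", DOMAIN_SID + "-2027")]))
```

The audit at the bottom reports the groups whose mapping must be repaired, which is exactly what
<TT>net groupmap add rid=513 ...</TT> in FAQ 6.11 does for Domain Users.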
 <BR>
<BR>
<!--TOC section Frequently Asked Questions-->

<H2><A NAME="htoc26">6</A> Frequently Asked Questions</H2><!--SEC END -->

<!--TOC subsection How can I reuse released uidNumber and gidNumber values ?-->

<H3><A NAME="htoc27">6.1</A> How can I reuse released uidNumber and gidNumber values ?</H3><!--SEC END -->

There are two ways to do this :
<UL><LI>
modify the <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> entry and
 change the <TT>uidNumber</TT> and/or <TT>gidNumber</TT> value. This
 must be done manually. For example, if you want the scripts to allocate
 the free uidNumber and gidNumber values above 1500 again, create an
 <TT>update-NextFreeUnixId.ldif</TT> file containing :
<PRE>dn: cn=NextFreeUnixId,dc=idealx,dc=org
changetype: modify
replace: uidNumber
uidNumber: 1500
-
replace: gidNumber
gidNumber: 1500
</PRE>
and then update the directory :
<PRE>
ldapmodify -x -D "cn=Manager,dc=idealx,dc=org" -W -f update-NextFreeUnixId.ldif
</PRE>
(<TT>-W</TT> prompts for the bind password; passing it on the command line with
<TT>-w secret</TT> leaves it visible in the process list and in the shell history.)
Be aware that a reused uidNumber inherits the ownership of any files the former
account left behind, so remove or reassign those files before reusing the id.
<LI>use the <TT>-u</TT> or <TT>-g</TT> option of the script concerned to set explicitly the value you
 want to use
</UL>
<!--TOC subsection I always have this error: "Can't locate IO/Socket/SSL.pm"-->

<H3><A NAME="htoc28">6.2</A> I always have this error: "Can't locate IO/Socket/SSL.pm"</H3><!--SEC END -->

This happens when TLS is enabled and a certificate is used. In this case, you need to install the
IO-Socket-SSL Perl module.<BR>
<BR>
<!--TOC subsection I can't initialize the directory with <TT>smbldap-populate</TT>-->

<H3><A NAME="htoc29">6.3</A> I can't initialize the directory with <TT>smbldap-populate</TT></H3><!--SEC END -->

When I want to initialize the directory using the <TT>smbldap-populate</TT>
script, I get
<PRE>
[root@slave sbin]# smbldap-populate.pl
 Using builtin directory structure
 adding new entry: dc=IDEALX,dc=COM
 Can't call method "code" without a package or object reference at
 /usr/local/sbin/smbldap-populate.pl line 270, &lt;GEN1&gt; line 2.
</PRE>Answer: check the TLS configuration
<UL><LI>
if you don't want to use TLS support, set in the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file
<PRE>
ldapTLS="0"
</PRE><LI>if you want TLS support, set in the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file
<PRE>
ldapTLS="1"
</PRE>and check that the directory server is configured to accept TLS connections
(this parameter appears as <TT>ldapSSL</TT> in some older configuration files; the 0.8.7 file
shown in section <A HREF="#configuration::file::smbldap">8.1.1</A> uses <TT>ldapTLS</TT>).
</UL>
<!--TOC subsection I can't join the domain with the <TT>root</TT> account-->

<H3><A NAME="htoc30">6.4</A> I can't join the domain with the <TT>root</TT> account</H3><!--SEC END -->

<UL><LI>
check that the root account has the sambaSamAccount objectclass
<LI>check that the directive <TT>add machine script</TT> is present and configured
</UL>
<!--TOC subsection I have the <TT>sambaSamAccount</TT> but I can't log in-->

<H3><A NAME="htoc31">6.5</A> I have the <TT>sambaSamAccount</TT> but I can't log in</H3><!--SEC END -->

Check that the <TT>sambaPwdLastSet</TT> attribute is present and not null (equal to 0)<BR>
<BR>
<!--TOC subsection I want to create machine accounts on the fly, but it does
 not work or I must do it twice-->

<H3><A NAME="htoc32">6.6</A> I want to create machine accounts on the fly, but it does
 not work or I must do it twice</H3><!--SEC END -->

<UL><LI>
The script defined with the <TT>add machine script</TT> directive must not add
the <TT>sambaSamAccount</TT> objectclass to the machine account. The
script must only add the POSIX machine account; Samba adds the <TT>sambaSamAccount</TT> itself when
the machine joins the domain.
<LI>Check that the <TT>add <B>machine</B> script</TT> directive is present in the samba
 configuration file.
</UL>
<!--TOC subsection I can't manage the Oracle Internet Database-->

<H3><A NAME="htoc33">6.7</A> I can't manage the Oracle Internet Database</H3><!--SEC END -->

If you have an error message like :
<PRE>
Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 187.
Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 627.
</PRE>For Oracle Database, all attributes that will be requested from the directory must be indexed. Add a
new index for the samba attributes and make sure that the following attributes are also indexed :
 uidNumber, gidNumber, memberUid, homedirectory, description, userPassword ...<BR>
<BR>
<!--TOC subsection The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
called, or I get an error message when changing the password from windows-->

<H3><A NAME="htoc34">6.8</A> The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
called, or I get an error message when changing the password from windows</H3><!--SEC END -->

The directive is only called if you also set <TT>unix password sync = Yes</TT>.
Notes:
<UL><LI>
if you use OpenLDAP, neither of those two options is needed. You just need <TT>ldap
passwd sync = Yes</TT>, and samba then updates the <TT>userPassword</TT> attribute itself
over its LDAP connection.
<LI>the script called here must only update the <TT>userPassword</TT> attribute. This is the
reason for the <TT>-u</TT> option. Samba passwords will be updated by samba itself.
<LI>the <TT>passwd chat</TT> directive must match what is prompted when using the
<TT>smbldap-passwd</TT> command
</UL>
<!--TOC subsection New computer accounts can't be set in ou=computers-->

<H3><A NAME="htoc35">6.9</A> New computer accounts can't be set in ou=computers</H3><!--SEC END -->
<A NAME="sec::bug::ou::computer"></A>
This is a known samba bug. There's a workaround: look at
<TT>http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2</TT><BR>
<BR>
<!--TOC subsection I can join the domain, but I can't log on-->

<H3><A NAME="htoc36">6.10</A> I can join the domain, but I can't log on</H3><!--SEC END -->

look at section <A HREF="#sec::bug::ou::computer">6.9</A><BR>
<BR>
<!--TOC subsection I can't create a user with <TT>smbldap-useradd</TT>-->

<H3><A NAME="htoc37">6.11</A> I can't create a user with <TT>smbldap-useradd</TT></H3><!--SEC END -->

When creating a new user account I get the following error message:
<PRE>
/usr/local/sbin/smbldap-useradd.pl: unknown group SID not set for unix group 513
</PRE>Answer:
<UL><LI>
is nss_ldap correctly configured ?
<LI>is the default users group (gid 513) mapped to the 'Domain Users' NT group ?
<PRE>
net groupmap add rid=513 unixgroup="Domain Users" ntgroup="Domain Users"
</PRE></UL>
<!--TOC subsection smbldap-useradd: Can't call method "get_value" on an undefined value at
/usr/local/sbin/smbldap-useradd line 154-->

<H3><A NAME="htoc38">6.12</A> smbldap-useradd: Can't call method "get_value" on an undefined value at
/usr/local/sbin/smbldap-useradd line 154</H3><!--SEC END -->

<UL><LI>
does the default group defined in smbldap.conf exist
 (defaultUserGid="513") ?
<LI>is the NT "Domain Users" group mapped to a unix
 group with rid 513 (see option <I>-r</I> of <TT>smbldap-groupadd</TT> and
 <TT>smbldap-groupmod</TT> to set a rid) ?
</UL>
<!--TOC subsection Typical errors on creating a new user or a new group-->

<H3><A NAME="htoc39">6.13</A> Typical errors on creating a new user or a new group</H3><!--SEC END -->
<A NAME="faq::error::add::user"></A>
<UL><LI>
I get the following error:
<PRE>
Could not find base dn, to get next uidNumber at /usr/local/sbin//smbldap_tools.pm line 909
</PRE><OL type=1><LI>
 you have not created the object that holds the next available uidNumber and gidNumber.
 <UL><LI>
 for version 0.8.7 : just run the <TT>smbldap-populate</TT> script, which
 updates the sambaDomain entry to store this information
 <LI>for versions before 0.8.7 (you have updated the smbldap-tools to version 0.8.5 or newer) :
 you have to do this manually. Create a file called <TT>add.ldif</TT> containing
<PRE>
dn: cn=NextFreeUnixId,dc=idealx,dc=org
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
cn: NextFreeUnixId
sn: NextFreeUnixId
</PRE> and then add the object with the ldapadd utility:
<PRE>
$ ldapadd -x -D "cn=Manager,dc=idealx,dc=org" -W -f add.ldif
</PRE> Here, 1000 is the first available value for uidNumber and gidNumber (of course, if this value is
 already used by a user or a group, the first free value after 1000 will be used).
 </UL><BR>
<BR>
<LI>The error also appears when TLS is required (<TT>ldapTLS=1</TT> in <TT>smbldap.conf</TT>) and
something is wrong with the certificate names or path settings.
</OL><BR>
<BR>
<LI>I get the following error:
<PRE>
Use of uninitialized value in string at
/usr/local/sbin//smbldap_tools.pm line 914.
Error: No DN specified at /usr/local/sbin//smbldap_tools.pm line 919
</PRE>You have not updated the configuration file to define the object where the next
available uidNumber and gidNumber are stored. In our example, you have to add a new entry in
<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I> containing :
<PRE>
# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
</PRE>A new option is also available: the domain appended to users' mail addresses. You can add to the
configuration file the following lines:
<PRE>
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="idealx.com"
</PRE><BR>
<BR>
<LI>I get the following error:
<PRE>
Use of uninitialized value in concatenation (.) or string at /usr/local/sbin/smbldap-useradd line 183.
Use of uninitialized value in substitution (s///) at /usr/local/sbin/smbldap-useradd line 185.
Use of uninitialized value in string at /usr/local/sbin/smbldap-useradd line 264.
failed to add entry: homedirectory: value #0 invalid per syntax at /usr/local/sbin/smbldap-useradd line 280.
userHomeDirectory=User "jto" already member of the group "513".
failed to add entry: No such object at /usr/local/sbin/smbldap-useradd line 382.
</PRE>you have to rename the variable <TT>userHomePrefix</TT> to <TT>userHome</TT> in
<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I><BR>
<BR>
<LI>I get the following error:
<PRE>
failed to add entry: referral missing at /usr/local/sbin/smbldap-useradd line 279, &lt;DATA&gt; line 283.
</PRE>you have to update the configuration file parameters that define the users, groups and computers dn. Those
parameters must be full DNs (written with <TT>${suffix}</TT> expanded), not a bare RDN relative to the
<TT>suffix</TT> parameter. A typical configuration looks like this :
<PRE>
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
</PRE><BR>
<BR>
<LI>I get the following error:
<PRE>
erreur LDAP: Can't contact master ldap server (IO::Socket::INET: Bad protocol 'tcp')
at /usr/local/sbin//smbldap_tools.pm line 153.
</PRE>remove <I>ldap</I> from the list of sources to check for <I>services</I> in <I>/etc/nsswitch.conf</I>. For
example, if your ldap directory is not configured to serve services information, you must have
<PRE>
services: files
</PRE>and not
<PRE>
services: ldap [NOTFOUND=return] files
</PRE></UL>


<!--TOC section Thanks-->

<H2><A NAME="htoc40">7</A> Thanks</H2><!--SEC END -->

<A NAME="thanks"></A>
People who have worked on this document are
<UL><LI>
Jérôme Tournier &lt;jerome.tournier@IDEALX.com&gt;
<LI>David Barth &lt;david.barth@IDEALX.com&gt;
<LI>Nat Makarevitch &lt;nat@IDEALX.com&gt;
</UL>
The authors would like to thank the following people for providing help with
some of the more complicated subjects, for clarifying some of the internal
workings of <FONT COLOR=purple>Samba</FONT> or <FONT COLOR=purple>OpenLDAP</FONT>, for pointing out errors or mistakes in
previous versions of this document, or generally for making
suggestions :
<UL><LI>
IDEALX team :
 <UL><LI>
 Roméo Adekambi &lt;romeo.adekambi@IDEALX.com&gt;
 <LI>Aurelien Degremont &lt;adegremont@IDEALX.com&gt;
 <LI>Renaud Renard &lt;rrenard@IDEALX.com&gt;
 </UL>
<LI>John H Terpstra &lt;jht@samba.org&gt;
</UL>
 <!--TOC section Annexes-->

<H2><A NAME="htoc41">8</A> Annexes</H2><!--SEC END -->

<!--TOC subsection Full configuration files-->

<H3><A NAME="htoc42">8.1</A> Full configuration files</H3><!--SEC END -->
<A NAME="configuration::files"></A>
<!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file-->

<H4><A NAME="htoc43">8.1.1</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</H4><!--SEC END -->
<A NAME="configuration::file::smbldap"></A>
<PRE># $Source: /ramdisk/repositories/20_cvs_clean_up/2011-02-11_sj/src/router/samba/samba-3.0.25b/examples/LDAP/smbldap-tools-0.9.2/doc/html/smbldap-tools.html,v $
# $Id: smbldap-tools.html,v 1.1.1.1 2010-07-16 07:33:12 winniec Exp $
#
# smbldap-tools.conf : Q &amp; D configuration file for smbldap-tools

# This code was developed by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
# USA.

# Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taken from "net getlocalsid" output
SID="S-1-5-21-4205727931-4131263253-1851132061"

# Domain name the Samba server is in charge of.
1338# If not defined, parameter is taking from smb.conf configuration file 1339# Ex: sambaDomain="IDEALX-NT" 1340sambaDomain="IDEALX-NT" 1341 1342############################################################################## 1343# 1344# LDAP Configuration 1345# 1346############################################################################## 1347 1348# Notes: to use to dual ldap servers backend for Samba, you must patch 1349# Samba with the dual-head patch from IDEALX. If not using this patch 1350# just use the same server for slaveLDAP and masterLDAP. 1351# Those two servers declarations can also be used when you have 1352# . one master LDAP server where all writing operations must be done 1353# . one slave LDAP server where all reading operations must be done 1354# (typically a replication directory) 1355 1356# Slave LDAP server 1357# Ex: slaveLDAP=127.0.0.1 1358# If not defined, parameter is set to "127.0.0.1" 1359slaveLDAP="127.0.0.1" 1360 1361# Slave LDAP port 1362# If not defined, parameter is set to "389" 1363slavePort="389" 1364 1365# Master LDAP server: needed for write operations 1366# Ex: masterLDAP=127.0.0.1 1367# If not defined, parameter is set to "127.0.0.1" 1368masterLDAP="127.0.0.1" 1369 1370# Master LDAP port 1371# If not defined, parameter is set to "389" 1372masterPort="389" 1373 1374# Use TLS for LDAP 1375# If set to 1, this option will use start_tls for connection 1376# (you should also used the port 389) 1377# If not defined, parameter is set to "1" 1378ldapTLS="1" 1379 1380# How to verify the server's certificate (none, optional or require) 1381# see "man Net::LDAP" in start_tls section for more details 1382verify="require" 1383 1384# CA certificate 1385# see "man Net::LDAP" in start_tls section for more details 1386cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem" 1387 1388# certificate to use to connect to the ldap server 1389# see "man Net::LDAP" in start_tls section for more details 
1390clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.pem" 1391 1392# key certificate to use to connect to the ldap server 1393# see "man Net::LDAP" in start_tls section for more details 1394clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.key" 1395 1396# LDAP Suffix 1397# Ex: suffix=dc=IDEALX,dc=ORG 1398suffix="dc=idealx,dc=org" 1399 1400# Where are stored Users 1401# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG" 1402# Warning: if 'suffix' is not set here, you must set the full dn for usersdn 1403usersdn="ou=Users,${suffix}" 1404 1405# Where are stored Computers 1406# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG" 1407# Warning: if 'suffix' is not set here, you must set the full dn for computersdn 1408computersdn="ou=Computers,${suffix}" 1409 1410# Where are stored Groups 1411# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG" 1412# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn 1413groupsdn="ou=Groups,${suffix}" 1414 1415# Where are stored Idmap entries (used if samba is a domain member server) 1416# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG" 1417# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn 1418idmapdn="ou=Idmap,${suffix}" 1419 1420# Where to store next uidNumber and gidNumber available for new users and groups 1421# If not defined, entries are stored in sambaDomainName object. 1422# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}" 1423# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" 1424sambaUnixIdPooldn="sambaDomainName=IDEALX-NT,${suffix}" 1425 1426# Default scope Used 1427scope="sub" 1428 1429# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT) 1430hash_encrypt="SSHA" 1431 1432# if hash_encrypt is set to CRYPT, you may set a salt format. 1433# default is "%s", but many systems will generate MD5 hashed 1434# passwords if you use "$1$%.8s". This parameter is optional! 
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validity time (in days). Comment out the next line if
# you don't want passwords to expire after defaultMaxPasswordAge days (be
# careful with the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\PDC-SRV\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\PDC-SRV\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if the home directory exists)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure the script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="idealx.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (defaults are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer the Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer the Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# uncomment the following line to get rid of the default banner
# no_banner="1"

</PRE>
<!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file-->

<H4><A NAME="htoc44">8.1.2</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</H4><!--SEC END -->
<A NAME="configuration::file::smbldap::bind"></A>
<PRE>############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap server for write access and a slave ldap server for read access.
# By default, we use the same DN (so it will work for a standard Samba
# release)
slaveDN="cn=Manager,dc=idealx,dc=com"
slavePw="secret"
masterDN="cn=Manager,dc=idealx,dc=com"
masterPw="secret"

</PRE>
<!--TOC subsubsection The samba configuration file : <TT>/etc/samba/smb.conf</TT> -->

<H4><A NAME="htoc45">8.1.3</A> The samba configuration file : <TT>/etc/samba/smb.conf</TT> </H4><!--SEC END -->

<PRE># Global parameters
[global]
    workgroup = IDEALX-NT
    netbios name = PDC-SRV
    #interfaces = 192.168.5.11
    username map = /etc/samba/smbusers
    enable privileges = yes
    server string = Samba Server %v
    security = user
    encrypt passwords = Yes
    min passwd length = 3
    obey pam restrictions = No
    ldap passwd sync = Yes
    #unix password sync = Yes
    #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
    #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 100000
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1

    logon script = logon.bat
    logon drive = H:
    logon home =
    logon path =

    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    passdb backend = ldapsam:ldap://127.0.0.1/
    # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
    # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
    ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
    ldap suffix = dc=idealx,dc=com
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Users
    ldap ssl = start tls
    add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
    add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 5 -w "%u"
    add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
    #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
    add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"

    # printers configuration
    printer admin = @"Print Operators"
    load printers = Yes
    create mask = 0640
    directory mask = 0750
    nt acl support = No
    printing = cups
    printcap name = cups
    deadtime = 10
    guest account = nobody
    map to guest = Bad User
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    show add printer wizard = yes
    ; to maintain capital letters in shortcuts in any of the profile folders:
    preserve case = yes
    short preserve case = yes
    case sensitive = no

[homes]
    comment = repertoire de %U, %u
    read only = No
    create mask = 0644
    directory mask = 0775
    browseable = No

[netlogon]
    path = /home/netlogon/
    browseable = No
    read only = yes

[profiles]
    path = /home/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = No
    guest ok = Yes
    profile acls = yes
    csc policy = disable
    # next line is a great way to secure the profiles
    force user = %U
    # next line allows administrators to access all profiles
    valid users = %U "Domain Admins"

[printers]
    comment = Network Printers
    printer admin = @"Print Operators"
    guest ok = yes
    printable = yes
    path = /home/spool/
    browseable = No
    read only = Yes
    print command = /usr/bin/lpr -P%p -r %s
    lpq command = /usr/bin/lpq -P%p
    lprm command = /usr/bin/lprm -P%p %j

[print$]
    path = /home/printers
    guest ok = No
    browseable = Yes
    read only = Yes
    valid users = @"Print Operators"
    write list = @"Print Operators"
    create mask = 0664
    directory mask = 0775

[public]
    comment = Repertoire public
    path = /home/public
    browseable = Yes
    guest ok = Yes
    read only = No
    directory mask = 0775
    create mask = 0664

</PRE>
<!--TOC subsubsection The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT>-->

<H4><A NAME="htoc46">8.1.4</A> The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></H4><!--SEC END -->

<PRE>include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

schemacheck on
lastmod on

TLSCertificateFile /etc/openldap/ldap.idealx.com.pem
TLSCertificateKeyFile /etc/openldap/ldap.idealx.com.key
TLSCACertificateFile /etc/openldap/ca.pem
TLSCipherSuite :SSLv3
#TLSVerifyClient demand

#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix dc=idealx,dc=com
rootdn "cn=Manager,dc=idealx,dc=com"
rootpw secret
directory /var/lib/ldap
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="cn=Manager,dc=idealx,dc=com" write
    by self write
    by anonymous auth
    by * none
# all other attributes are readable by everybody
access to *
    by * read
</PRE>
<!--TOC subsection Changing the administrative account (<TT>ldap admin dn</TT> in <TT>smb.conf</TT> file)-->

<H3><A NAME="htoc47">8.2</A> Changing the administrative account (<TT>ldap admin dn</TT> in 
<TT>smb.conf</TT> file)</H3><!--SEC END -->
<A NAME="change::manager"></A>
If you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
account anymore, you can create a dedicated account for Samba and the
smbldap-tools scripts. To do this, create an account named <I>samba</I>
as follows (see section <A HREF="#add::user">4.2.1</A> for a more
detailed syntax):
<PRE>
smbldap-useradd -s /bin/false -d /dev/null -P samba
</PRE>This command will ask you to set a password for this account. Let's
set it to <I>samba</I> for this example.
You then need to modify the following configuration files:
<UL><LI>
file <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT>
 <PRE>
 slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
 slavePw="samba"
 masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
 masterPw="samba"
 </PRE><LI>file <TT>/etc/samba/smb.conf</TT>
 <PRE>
 ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
 </PRE>Don't forget to also store the samba account password in the
 <TT>secrets.tdb</TT> file:
<PRE>
smbpasswd -w samba
</PRE><LI>file <TT>/etc/openldap/slapd.conf</TT>: give the
 <I>samba</I> user permission to modify some attributes: this
 user needs to be able to modify all the Samba attributes and some
 others (uidNumber, gidNumber, ...):
 <PRE>
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by self write
    by anonymous auth
    by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * read
# some attributes can be written by users themselves
access to attrs=description,telephoneNumber
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by self write
    by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by self read
    by * none
# samba needs to be able to create the samba domain account
access to dn.base="dc=idealx,dc=com"
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * none
# samba needs to be able to create new user accounts
access to dn="ou=Users,dc=idealx,dc=com"
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * none
# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=idealx,dc=com"
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * none
# samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=idealx,dc=com"
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * none
# this can be omitted but we leave it: there could be other branches
# in the directory
access to *
    by self read
    by * none
 </PRE></UL>
<!--TOC subsection Known bugs-->

<H3><A NAME="htoc48">8.3</A> Known bugs</H3><!--SEC END -->

<UL><LI>
Option <I>-B</I> (user must change password) of
 <TT>smbldap-useradd</TT> has no effect: when the
 <TT>smbldap-passwd</TT> script is called, the
 <I>sambaPwdMustChange</I> attribute is rewritten.
</UL>

<!--BEGIN NOTES document-->
<HR WIDTH="50%" SIZE=1><DL><DT><A NAME="note1" HREF="#text1"><FONT SIZE=5>1</FONT></A><DD><TT>http://IDEALX.com/</TT>
</DL>
<!--END NOTES-->
<!--HTMLFOOT-->
<!--ENDHTML-->
<!--FOOTER-->
<HR SIZE=2>
<BLOCKQUOTE><EM>This document was translated from L<sup>A</sup>T<sub>E</sub>X by
</EM><A HREF="http://pauillac.inria.fr/~maranget/hevea/index.html"><EM>H<FONT SIZE=2><sup>E</sup></FONT>V<FONT SIZE=2><sup>E</sup></FONT>A</EM></A><EM>.
</EM></BLOCKQUOTE>
</BODY>
</HTML>
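The slapd.conf ACLs of sections 8.1.4 and 8.2 are evaluated by slapd in file order: the first "access to" clause that matches the target attribute wins, and within it the first matching "by" clause decides, so an attribute named in two clauses (cn, sambaPwdLastSet, ...) only ever gets the earlier clause's rights. The following Python script, an added example that is not part of the smbldap-tools manual or project, replays that evaluation over the 8.2 ACL (copied from the page with the description and dn clauses dropped and the long Samba attribute list shortened) for an anonymous bind, the user itself and the samba account, and also lists the attributes whose later clause is shadowed; it assumes a "dn"/"dn.base" target matches one exact DN and that a target no clause matches gets "none".

```python
import re
# Added example, not smbldap-tools code: evaluate the effective OpenLDAP access a
# requester gets under the section 8.2 ACLs (first matching clause wins). Assumed
# simplifications: a 'dn'/'dn.base' target matches one exact DN; unmatched -> none.
ACL_8_2 = """access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
  by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
  by self write
  by anonymous auth
  by * none
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
  by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
  by * read
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaPwdMustChange,sambaAcctFlags,displayName,sambaSID
  by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
  by self read
  by * none
access to *
  by self read
  by * none"""  # constructed from the page's 8.2 ACL (shortened, see lead-in)

def parse_acl(text):
    """Return [(target_dn or None, attr set or None, [(who, level), ...]), ...] in file order."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to "):
            dn = re.search(r'dn(?:\.\w+)?="([^"]+)"', line)
            attrs = re.search(r"attrs=(\S+)", line)
            rules.append((dn and dn.group(1).lower(), attrs and {a.lower() for a in attrs.group(1).split(",")}, []))
        elif line.startswith("by "):
            rules[-1][2].append(tuple(line[3:].rsplit(" ", 1)))
    return rules

def effective_access(rules, target_dn, attr, requester=None):
    """First clause matching the target wins, then its first matching 'by'; requester None = anonymous."""
    me = (requester or "").lower()
    for dn, attrs, bys in rules:
        if (dn and dn != target_dn.lower()) or (attrs and attr.lower() not in attrs):
            continue
        for who, level in bys:
            if who == "*" or (who == "anonymous" and not me) or (who == "self" and me == target_dn.lower()) \
                    or (who.startswith('dn="') and me == who[4:-1].lower()):
                return level
        return "none"  # target matched but no 'by' clause did: implicit deny
    return "none"

def shadowed_attrs(rules):
    """Attributes a later attrs-only clause names although an earlier one already catches them."""
    sets = [attrs for dn, attrs, _ in rules if dn is None and attrs is not None]
    return {a for i, s in enumerate(sets) for a in s if any(a in t for t in sets[:i])}
```

Running it shows, for instance, that a user gets write on its own sambaPwdLastSet (first clause) even though the Samba clause only says "by self read", and that cn stays anonymously readable despite the later "by * none".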