<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD><TITLE>Smbldap-tools User Manual (Release: 0.8.7)</TITLE>
<META http-equiv="Content-Type" content="text/html; charset=UTF-8">
<META name="GENERATOR" content="hevea 1.06">
</HEAD>
<BODY>

<H1 ALIGN=center>Smbldap-tools User Manual<BR>
(<I>Release</I>: 0.8.7)</H1>

<H3 ALIGN=center>Jérôme Tournier</H3>

<H3 ALIGN=center><I>Revision</I>: 1.5, generated February 13, 2005<BR>
</H3>
This document is the property of IDEALX<SUP><A NAME="text1" HREF="#note1">1</A></SUP>.
Permission is granted to distribute this document under the terms of the GNU
Free Documentation License (<TT>http://www.gnu.org/copyleft/fdl.html</TT>).<BR>
<BR>

<H2><A NAME="htoc1">1</A> Introduction</H2>

<A NAME="sec:intro"></A>
Smbldap-tools is a set of scripts designed to help integrate Samba and an
LDAP directory.
They target both users and administrators of Linux systems.<BR>
<BR>
Users can change their password in a way similar to the standard <TT>passwd</TT>
command.<BR>
<BR>
Administrators can perform user and group management actions from the command line
and keep Samba account management synchronised with the directory.<BR>
<BR>
This document presents:
<UL><LI>
a detailed view of the smbldap-tools scripts
<LI>a step-by-step explanation of how to set up a Samba3 domain controller
</UL>

<H3><A NAME="htoc2">1.1</A> Software requirements</H3>

The smbldap-tools have been developed and tested with the following configuration:
<UL><LI>
<FONT COLOR=purple><I>Linux</I></FONT> RedHat 9 (but they should work on any <FONT COLOR=purple><I>Linux</I></FONT> distribution)
<LI><FONT COLOR=purple>Samba</FONT> release 3.0.2pre1
<LI><FONT COLOR=purple>OpenLDAP</FONT> release 2.1.22
<LI><FONT COLOR=purple>Microsoft Windows NT</FONT> 4.0, Windows 2000 and Windows XP workstations and servers
</UL>
This guide applies to <FONT COLOR=purple>smbldap-tools</FONT> <I>Release</I>: 0.8.7.<BR>
<BR>

<H3><A NAME="htoc3">1.2</A> Updates of this document</H3>

The most up-to-date release of this document may be found on the
smbldap-tools project page at <TT>http://samba.IDEALX.org/</TT>.<BR>
<BR>
If you find any bugs in this document, or if you want it to
include additional information, please send us your bug report
and/or change request at <U>samba@IDEALX.org</U>.<BR>
<BR>

<H3><A NAME="htoc4">1.3</A> Availability of this document</H3>

This document is the property of
<B><I>IDEALX</I></B> (<TT>http://www.IDEALX.com/</TT>).
<BR>
<BR>
Permission is granted to distribute this document under the terms of the GNU
Free Documentation License (see <TT>http://www.gnu.org/copyleft/fdl.html</TT>).

<H2><A NAME="htoc5">2</A> Installation</H2>

<H3><A NAME="htoc6">2.1</A> Requirements</H3>

The main requirements for using smbldap-tools are two Perl modules:
Net::LDAP and Crypt::SmbHash.
In most cases, you'll also need the IO-Socket-SSL Perl module to use
TLS functionality.<BR>
<BR>
If you want Samba to call the scripts so that you can use the User
Manager (or any other tool) under MS-Windows (to add, delete or modify users and
groups), <FONT COLOR=purple>Samba</FONT> must be installed on the same computer.
Finally, <FONT COLOR=purple>OpenLDAP</FONT> can be installed on any computer. Please check that it
can be contacted by a standard LDAP client.<BR>
<BR>
<FONT COLOR=purple>Samba</FONT> and <FONT COLOR=purple>OpenLDAP</FONT> installations will not be discussed
here. You can consult the howto also available on the
project page (<TT>http://samba.IDEALX.org</TT>). Although it has been
written for Samba2, most of its content still applies to Samba3. The main
difference lies in the LDAP schema definitions.<BR>
<BR>

<H3><A NAME="htoc7">2.2</A> Installation</H3>

An archive of the <FONT COLOR=purple>smbldap-tools</FONT> scripts can be downloaded from our project
page <TT>http://samba.IDEALX.org/</TT>. A tarball and RedHat packages are
available.
<BR>
If you are upgrading, look at the <TT>INSTALL</TT> file or read section
<A HREF="#faq::error::add::user">6.13</A>.<BR>
<BR>

<H4><A NAME="htoc8">2.2.1</A> Installing from rpm</H4>

To install the scripts on a RedHat system, download the RPM
package and run the following command:
<PRE>
rpm -Uvh smbldap-tools-0.8.5-1.i386.rpm
</PRE>

<H4><A NAME="htoc9">2.2.2</A> Installing from a tarball</H4>

On non-RedHat systems, download a source archive of the scripts. The current
archive is <TT>smbldap-tools-0.8.5.tar.gz</TT>.
Uncompress it and copy all of the Perl scripts into the <TT>/usr/local/sbin</TT>
directory, and the two configuration files into the
<TT>/etc/opt/IDEALX/smbldap-tools/</TT> directory:
<PRE>
mkdir /etc/opt/IDEALX/smbldap-tools/
cp *.conf /etc/opt/IDEALX/smbldap-tools/
cp smbldap-* /usr/local/sbin/
</PRE>
The configuration is now based on two different files:
<UL><LI>
<TT>smbldap.conf</TT>: defines global parameters
<LI><TT>smbldap_bind.conf</TT>: defines the administrative accounts used to
bind to the directory
</UL>
The second file <B>must</B> be readable only by 'root', as it contains
credentials allowing modifications anywhere in the directory. Make sure the
files are protected by running the following commands:
<PRE>
chmod 644 /etc/opt/IDEALX/smbldap-tools/smbldap.conf
chmod 600 /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf
</PRE>

<H2><A NAME="htoc10">3</A> Configuring the smbldap-tools</H2>

As mentioned in the previous section, you'll have to update two
configuration files.
The first (<TT>smbldap.conf</TT>) allows you to
set global parameters that are readable by everybody, and the second
(<TT>smbldap_bind.conf</TT>) defines two administrative accounts used to
bind to a slave and a master LDAP server: this file must therefore be
readable only by root.<BR>
<BR>
A script named <TT>configure.pl</TT> can help you set up their contents.
It is located in the downloaded tarball, or in the documentation directory if you
installed the RPM package (see <TT>/usr/share/doc/smbldap-tools/</TT>). Just invoke it:
<PRE>
/usr/share/doc/smbldap-tools/configure.pl
</PRE>It will ask for the default values defined in your
<TT>smb.conf</TT> file, and will update the two configuration files used
by the scripts. Note that you can stop the script at any moment with
the <TT>Ctrl-C</TT> keys.<BR>
Before using this script:
<UL><LI>
the two configuration files <B>must</B> be present in the
<TT>/etc/opt/IDEALX/smbldap-tools/</TT> directory
<LI>check that Samba is configured and running, as the script will try to
get your workgroup's domain security identifier (SID).
</UL>
In those files, parameters are defined like this:
<PRE>
key="value"
</PRE>Full example configuration files can be found in section
<A HREF="#configuration::files">8.1</A>.<BR>
<BR>

<H3><A NAME="htoc11">3.1</A> The smbldap.conf file</H3>

This file is used to define parameters that can be read by
everybody. A full example file is available in section <A HREF="#configuration::file::smbldap">8.1.1</A>.<BR>
<BR>
Let's have a look at all available parameters.
<UL><LI>
<TT>UID_START</TT> and <TT>GID_START</TT>: these parameters
are deprecated. Available uid and gid values are now defined in the
new default entry <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT>.
<LI><TT>SID</TT>: the domain's security identifier
<UL><LI>
Example: <TT>SID="S-1-5-21-3703471949-3718591838-2324585696"</TT>
<LI>Remark: you can get the SID for your domain using the <TT>net getlocalsid</TT>
command. Samba must be up and running for this to work (it can take <B>several</B> minutes for a Samba server to correctly negotiate its status with other network servers).
</UL>
<LI><TT>slaveLDAP</TT>: slave LDAP server
<UL><LI>
Example: <TT>slaveLDAP="127.0.0.1"</TT>
<LI>Remark: must be a resolvable DNS name or its IP address
</UL>
<LI><TT>slavePort</TT>: port used to contact the slave server
<UL><LI>
Example: <TT>slavePort="389"</TT>
</UL>
<LI><TT>masterLDAP</TT>: master LDAP server
<UL><LI>
Example: <TT>masterLDAP="127.0.0.1"</TT>
</UL>
<LI><TT>masterPort</TT>: port used to contact the master server
<UL><LI>
Example: <TT>masterPort="389"</TT>
</UL>
<LI><TT>ldapTLS</TT>: should we use a TLS connection to contact the
LDAP servers?
<UL><LI>
Example: <TT>ldapTLS="1"</TT>
<LI>Remark: the LDAP servers must be configured to accept TLS
connections. See the Samba-LDAP Howto for more
details (<TT>http://samba.idealx.org/smbldap-howto.fr.html</TT>). If you are using TLS support, select port 389 to connect to
the master and slave directories.
</UL>
<LI><TT>verify</TT>: how to verify the server's certificate (none,
optional or require).
See "man Net::LDAP", start_tls section, for
more details
<UL><LI>
Example: <TT>verify="require"</TT>
</UL>
<LI><TT>cafile</TT>: the PEM-format file containing the certificates
of the CA that slapd will trust
<UL><LI>
Example: <TT>cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"</TT>
</UL>
<LI><TT>clientcert</TT>: the file that contains the client certificate
<UL><LI>
Example: <TT>clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem"</TT>
</UL>
<LI><TT>clientkey</TT>: the file that contains the private key that
matches the certificate stored in the clientcert file
<UL><LI>
Example: <TT>clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key"</TT>
</UL>
<LI><TT>suffix</TT>: the distinguished name of the search base
<UL><LI>
Example: <TT>suffix="dc=idealx,dc=com"</TT>
</UL>
<LI><TT>usersdn</TT>: branch in which user accounts can be found or
must be added
<UL><LI>
Example: <TT>usersdn="ou=Users,${suffix}"</TT>
<LI>Remark: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>computersdn</TT>: branch in which computer accounts can be
found or must be added
<UL><LI>
Example: <TT>computersdn="ou=Computers,${suffix}"</TT>
<LI>Remark: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>groupsdn</TT>: branch in which group accounts can be found
or must be added
<UL><LI>
Example: <TT>groupsdn="ou=Groups,${suffix}"</TT>
<LI>Remark: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>idmapdn</TT>: where Idmap entries are stored (used if Samba is a domain member server)
<UL><LI>
Example: <TT>idmapdn="ou=Idmap,${suffix}"</TT>
<LI>Remark: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>sambaUnixIdPooldn</TT>: object in which the next available uidNumber and gidNumber are stored
<UL><LI>
Example:
<TT>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"</TT>
<LI>Remark: this branch is <B>not</B> relative to the suffix value
</UL>
<LI><TT>scope</TT>: the search scope.
<UL><LI>
Example: <TT>scope="sub"</TT>
</UL>
<LI><TT>hash_encrypt</TT>: hash to be used when generating a
user password.
<UL><LI>
Example: <TT>hash_encrypt="SSHA"</TT>
<LI>Remark: this is used for the Unix password stored in the <I>userPassword</I> attribute.
</UL>
<LI><TT>crypt_salt_format="%s"</TT>: if hash_encrypt is set to
CRYPT, you may set a salt format. The default is "%s", but many systems
will generate MD5-hashed passwords if you use "$1$%.8s". This
parameter is optional.
<LI><TT>userLoginShell</TT>: default shell given to users.
<UL><LI>
Example: <TT>userLoginShell="/bin/bash"</TT>
<LI>Remark: this is stored in the <I>loginShell</I> attribute.
</UL>
<LI><TT>userHome</TT>: default directory in which users' home
directories are located.
<UL><LI>
Example: <TT>userHome="/home/%U"</TT>
<LI>Remark: this is stored in the <TT>homeDirectory</TT> attribute.
</UL>
<LI><TT>userGecos</TT>: gecos used for users
<UL><LI>
Example: <TT>userGecos="System User"</TT>
</UL>
<LI><TT>defaultUserGid</TT>: default primary group set on user accounts
<UL><LI>
Example: <TT>defaultUserGid="513"</TT>
<LI>Remark: this is stored in the <I>gidNumber</I> attribute.
</UL>
<LI><TT>defaultComputerGid</TT>: default primary group set on
computer accounts
<UL><LI>
Example: <TT>defaultComputerGid="550"</TT>
<LI>Remark: this is stored in the <I>gidNumber</I> attribute.
</UL>
<LI><TT>skeletonDir</TT>: skeleton directory used for user accounts
<UL><LI>
Example: <TT>skeletonDir="/etc/skel"</TT>
<LI>Remark: this option is used only if you ask for home directory creation when adding a new user.
</UL>
<LI><TT>defaultMaxPasswordAge</TT>: default validity period of a
password (in days)
<UL><LI>
Example: <TT>defaultMaxPasswordAge="55"</TT>
</UL>
<LI><TT>userSmbHome</TT>: Samba share used to store the user's home directory
<UL><LI>
Example:
<TT>userSmbHome="\\PDC-SMB3\home\%U"</TT>
<LI>Remark: this is stored in the <I>sambaHomePath</I> attribute.
</UL>
<LI><TT>userProfile</TT>: Samba share used to store the user's profile
<UL><LI>
Example:
<TT>userProfile="\\PDC-SMB3\profiles\%U"</TT>
<LI>Remark: this is stored in the <I>sambaProfilePath</I> attribute.
</UL>
<LI><TT>userScript</TT>: default user netlogon script name. If not set, it will automatically be <I>username.cmd</I>
<UL><LI>
Example:
<TT>userScript="%U"</TT>
<LI>Remark: this is stored in the <I>sambaProfilePath</I> attribute.
</UL>
<LI><TT>userHomeDrive</TT>: drive letter used on Windows systems to map
the home directory
<UL><LI>
Example: <TT>userHomeDrive="K:"</TT>
</UL>
<LI><TT>with_smbpasswd</TT>: should we use the <I>smbpasswd</I> command
to set the user's password (instead of the <I>mkntpwd</I> utility)?
<UL><LI>
Example: <TT>with_smbpasswd="0"</TT>
<LI>Remark: must be a boolean value (0 or 1).
</UL>
<LI><TT>smbpasswd</TT>: path to the <TT>smbpasswd</TT> binary
<UL><LI>
Example: <TT>smbpasswd="/usr/bin/smbpasswd"</TT>
</UL>
<LI><TT>mk_ntpasswd</TT>: path to the mkntpwd binary
<UL><LI>
Example: <TT>mk_ntpasswd="/usr/local/sbin/mkntpwd"</TT>
<LI>Remark: the rpm package of the smbldap-tools installs this
utility. If you are using the tarball archive, you have to install
it yourself (sources are also in the smbldap-tools archive).
</UL>
<LI><TT>mailDomain</TT>: domain appended to the users' "mail"
attribute.
<UL><LI>
Example: <TT>mailDomain="idealx.org"</TT>
</UL>
</UL>

<H3><A NAME="htoc12">3.2</A> The smbldap_bind.conf file</H3>

This file is only used by <I>root</I> to modify the content of the directory.
It contains the distinguished names and credentials used to connect to
both the master and slave directories. A full example file is available
in section <A HREF="#configuration::file::smbldap::bind">8.1.2</A>.<BR>
<BR>
Let's have a look at all available parameters.
<UL><LI>
<TT>slaveDN</TT>: distinguished name used to bind to the slave server
<UL><LI>
Example 1: <TT>slaveDN="cn=Manager,dc=idealx,dc=com"</TT>
<LI>Example 2: <TT>slaveDN=""</TT>
<LI>Remark: this can be the manager account of the directory or
any LDAP account that has sufficient permissions to read the full
directory (the slave directory is only used for reading). Anonymous
connections use the second form.
</UL>
<LI><TT>slavePw</TT>: the credentials used to bind to the slave server
<UL><LI>
Example 1: <TT>slavePw="secret"</TT>
<LI>Example 2: <TT>slavePw=""</TT>
<LI>Remark: the password must be stored here in clear text. This
file must therefore be readable only by root! Anonymous connections
use the second form.
</UL>
<LI><TT>masterDN</TT>: the distinguished name used to bind to the master server
<UL><LI>
Example: <TT>masterDN="cn=Manager,dc=idealx,dc=com"</TT>
<LI>Remark: this can be the manager account of the directory or
any LDAP account that has enough permissions to modify the content
of the directory. Anonymous access does not make any sense here.
</UL>
<LI><TT>masterPw</TT>: the credentials used to bind to the master server
<UL><LI>
Example: <TT>masterPw="secret"</TT>
<LI>Remark: the password must be in clear text.
Be sure to protect
this file against unauthorized readers!
</UL>
</UL>

<H2><A NAME="htoc13">4</A> Using the scripts</H2>

<H3><A NAME="htoc14">4.1</A> Initial directory population</H3>

You can initialize the LDAP directory using the
<TT>smbldap-populate</TT> script. To do that, the account defined in
<TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> to access the
master directory <B>must</B> be the manager account defined in the
directory configuration. On RedHat systems, this file is
<TT>/etc/openldap/slapd.conf</TT> and the account is defined with
<PRE>
 rootdn "cn=Manager,dc=idealx,dc=com"
 rootpw secret
</PRE>The <TT>smbldap_bind.conf</TT> file must then be configured so that
the parameters used to connect to the master LDAP server match the previous ones:
<PRE>
 masterDN="cn=Manager,dc=idealx,dc=com"
 masterPw="secret"
</PRE>
Available options for this script are summarized in table <A HREF="#table::populate">1</A>:
<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
<A NAME="code_epsilon_var"></A>
<DIV ALIGN=center>
<TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
<TR><TD ALIGN=left NOWRAP>option</TD>
<TD ALIGN=left NOWRAP>definition</TD>
<TD ALIGN=left NOWRAP>default value</TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-u <I>uidNumber</I></TD>
<TD ALIGN=left NOWRAP>first uidNumber to allocate</TD>
<TD ALIGN=left NOWRAP>1000</TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-g <I>gidNumber</I></TD>
<TD ALIGN=left NOWRAP>first gidNumber to allocate</TD>
<TD ALIGN=left NOWRAP>1000</TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-a <I>user</I></TD>
<TD ALIGN=left NOWRAP>administrator login name</TD>
<TD ALIGN=left NOWRAP>Administrator</TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-b <I>user</I></TD>
<TD ALIGN=left
NOWRAP>guest login name</TD>
<TD ALIGN=left NOWRAP>nobody</TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-e <I>file</I></TD>
<TD ALIGN=left NOWRAP>export an init file</TD>
<TD ALIGN=left NOWRAP> </TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-i <I>file</I></TD>
<TD ALIGN=left NOWRAP>import an init file</TD>
<TD ALIGN=left NOWRAP> </TD>
</TR></TABLE>
</DIV>
<BR>
<DIV ALIGN=center>Table 1: Options available for the <TT>smbldap-populate</TT> script</DIV><BR>

<A NAME="table::populate"></A>
<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
In the most common case, to set up your directory, simply use the
following command:
<PRE>
[root@etoile root]# smbldap-populate
Using builtin directory structure
adding new entry: dc=idealx,dc=com
adding new entry: ou=Users,dc=idealx,dc=com
adding new entry: ou=Groups,dc=idealx,dc=com
adding new entry: ou=Computers,dc=idealx,dc=com
adding new entry: ou=Idmap,dc=idealx,dc=org
adding new entry: cn=NextFreeUnixId,dc=idealx,dc=org
adding new entry: uid=Administrator,ou=Users,dc=idealx,dc=com
adding new entry: uid=nobody,ou=Users,dc=idealx,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Replicator,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=idealx,dc=com
</PRE>
After this step, if you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
account anymore, you can create a dedicated account for Samba and the
smbldap-tools.
See section <A HREF="#change::manager">8.2</A> for more details.<BR>
<BR>
The <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> entry is only used to
define the next uidNumber and gidNumber available for creating new
users and groups. The default value for both numbers is 1000. You
can change them with the <TT>-u</TT> and <TT>-g</TT> options. For
example, if you want the first available value for uidNumber and
gidNumber to be set to 1500, use the following command:
<PRE>
smbldap-populate -u 1500 -g 1500
</PRE>

<H3><A NAME="htoc15">4.2</A> User management</H3>

<H4><A NAME="htoc16">4.2.1</A> Adding a user</H4>
<A NAME="add::user"></A>
To add a user, use the <TT>smbldap-useradd</TT> script. Available
options are summarized in table <A HREF="#table::add::user">2</A>. If applicable,
default values are mentioned in the last column. Any string beginning with a
$ symbol refers to a parameter defined in the
<TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> configuration file.
<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
<DIV ALIGN=center>
<TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
<TR><TD VALIGN=top ALIGN=left>option</TD>
<TD VALIGN=top ALIGN=left>definition</TD>
<TD VALIGN=top ALIGN=left>example</TD>
<TD VALIGN=top ALIGN=left>default value</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-a</TD>
<TD VALIGN=top ALIGN=left>create a Windows account.
Otherwise, only a Posix account
is created</TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-w</TD>
<TD VALIGN=top ALIGN=left>create a Windows workstation account</TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-i</TD>
<TD VALIGN=top ALIGN=left>create an interdomain trust account. See section
<A HREF="#trust::account">4.4</A> for more details</TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-u</TD>
<TD VALIGN=top ALIGN=left>set a uid value</TD>
<TD VALIGN=top ALIGN=left>-u 1003</TD>
<TD VALIGN=top ALIGN=left>first uid available</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-g</TD>
<TD VALIGN=top ALIGN=left>set a gid value</TD>
<TD VALIGN=top ALIGN=left>-g 1003</TD>
<TD VALIGN=top ALIGN=left>first gid available</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-G</TD>
<TD VALIGN=top ALIGN=left>add the new account to one or several supplementary
groups (comma-separated)</TD>
<TD VALIGN=top ALIGN=left>-G 512,550</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-d</TD>
<TD VALIGN=top ALIGN=left>set the home directory</TD>
<TD VALIGN=top ALIGN=left>-d /var/user</TD>
<TD VALIGN=top ALIGN=left>$userHomePrefix/user</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-s</TD>
<TD VALIGN=top ALIGN=left>set the login shell</TD>
<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
<TD VALIGN=top ALIGN=left>$userLoginShell</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-c</TD>
<TD VALIGN=top ALIGN=left>set the user gecos</TD>
<TD VALIGN=top ALIGN=left>-c "admin user"</TD>
<TD VALIGN=top ALIGN=left>$userGecos</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-m</TD>
<TD VALIGN=top ALIGN=left>create the user's home directory and copy /etc/skel
into it</TD>
<TD VALIGN=top ALIGN=left>
</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-k</TD>
<TD VALIGN=top ALIGN=left>set the skeleton dir (with -m)</TD>
<TD VALIGN=top ALIGN=left>-k /etc/skel2</TD>
<TD VALIGN=top ALIGN=left>$skeletonDir</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-P</TD>
<TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's
password</TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-A</TD>
<TD VALIGN=top ALIGN=left>can the user change the password? 0 if no, 1 if yes</TD>
<TD VALIGN=top ALIGN=left>-A 1</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-B</TD>
<TD VALIGN=top ALIGN=left>must the user change the password at first logon? 0 if no, 1
if yes</TD>
<TD VALIGN=top ALIGN=left>-B 1</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-C</TD>
<TD VALIGN=top ALIGN=left>set the Samba home share</TD>
<TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD>
<TD VALIGN=top ALIGN=left>$userSmbHome</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-D</TD>
<TD VALIGN=top ALIGN=left>set the drive letter associated with the home share</TD>
<TD VALIGN=top ALIGN=left>-D H:</TD>
<TD VALIGN=top ALIGN=left>$userHomeDrive</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-E</TD>
<TD VALIGN=top ALIGN=left>set the DOS script to execute on login</TD>
<TD VALIGN=top ALIGN=left>-E common.bat</TD>
<TD VALIGN=top ALIGN=left>$userScript</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-F</TD>
<TD VALIGN=top ALIGN=left>set the profile directory</TD>
<TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD>
<TD VALIGN=top ALIGN=left>$userProfile</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-H</TD>
<TD VALIGN=top ALIGN=left>set the Samba account control bits,
like '[NDHTUMWSLKI]'</TD>
<TD VALIGN=top ALIGN=left>-H [X]</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD
VALIGN=top ALIGN=left>-N</TD>
<TD VALIGN=top ALIGN=left>set the canonical name of the user</TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-S</TD>
<TD VALIGN=top ALIGN=left>set the surname of the user</TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-M</TD>
<TD VALIGN=top ALIGN=left>local mailAddress values (comma-separated)</TD>
<TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-T</TD>
<TD VALIGN=top ALIGN=left>forward mail addresses (comma-separated)</TD>
<TD VALIGN=top ALIGN=left>-T
testuser@domain.org</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR></TABLE>
</DIV>
<BR>
<DIV ALIGN=center>Table 2: Options available to the <TT>smbldap-useradd</TT> script</DIV><BR>

<A NAME="table::add::user"></A>
<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>

For example, if you want to add a user named <I>user_admin</I> who:
<UL><LI>
is a Windows user
<LI>must belong to the group with gid=512 (the 'Domain Admins' group)
<LI>has a home directory
<LI>does not have a login shell
<LI>has a homeDirectory set to /dev/null
<LI>does not have a roaming profile
<LI>and for whom we want to set a first login password
</UL>
you must invoke:
<PRE>
smbldap-useradd -a -G 512 -m -s /bin/false -d /dev/null -F "" -P user_admin
</PRE>

<H4><A NAME="htoc17">4.2.2</A> Removing a user</H4>

To remove a user account, use the <TT>smbldap-userdel</TT> script.
Available options are summarized in table <A HREF="#table::del::user">3</A>:
<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
<DIV ALIGN=center>
<TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
<TR><TD ALIGN=left NOWRAP>option</TD>
<TD ALIGN=left NOWRAP>definition</TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-r</TD>
<TD ALIGN=left NOWRAP>remove the home directory</TD>
</TR>
<TR><TD ALIGN=left NOWRAP>-R</TD>
<TD ALIGN=left NOWRAP>remove the home directory interactively</TD>
</TR></TABLE>
</DIV>
<BR>
<DIV ALIGN=center>Table 3: Options available to the <TT>smbldap-userdel</TT> script</DIV><BR>

<A NAME="table::del::user"></A>
<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
For example, if you want to remove the <I>user1</I> account
from the LDAP directory, and also delete his home
directory, use the following command:
<PRE>
smbldap-userdel -r user1
</PRE>
Note: '-r' is dangerous, as it may delete precious data that has not been backed up;
please be careful.<BR>
<BR>

<H4><A NAME="htoc18">4.2.3</A> Modifying a user</H4>
<A NAME="modify::user"></A>
To modify a user account, use the <TT>smbldap-usermod</TT> script.
Available options are listed in table <A HREF="#table::modify::user">4</A>.
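Before running smbldap-useradd, smbldap-usermod or any of the other scripts, it is worth checking that the two configuration files from section 3 actually match this manual's guidance. The Python script below is an added example, not part of smbldap-tools: it parses the <TT>key="value"</TT> format, expands <TT>${suffix}</TT>-style references, and audits the bind file's mode, the master credentials, the TLS verification settings and the crypt salt format. The file contents and the temporary directory it uses are constructed for the example.

```python
"""Added example, not part of smbldap-tools: parse smbldap.conf and
smbldap_bind.conf (key="value" lines with ${name} references) and audit the
settings this manual singles out before any smbldap-* script is run."""
import os
import re
import stat
import tempfile

# Constructed sample files; several settings are deliberately weak.
SAMPLE_SMBLDAP_CONF = r'''
# global parameters, readable by everybody
slaveLDAP="127.0.0.1"
masterLDAP="127.0.0.1"
ldapTLS="1"
verify="none"
cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"
suffix="dc=idealx,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
hash_encrypt="CRYPT"
crypt_salt_format="%s"
'''
SAMPLE_BIND_CONF = r'''
slaveDN="cn=Manager,dc=idealx,dc=com"
slavePw="secret"
masterDN="cn=Manager,dc=idealx,dc=com"
masterPw=""
'''

LINE_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"(.*)"\s*$')
VAR_RE = re.compile(r'\$\{([A-Za-z_]\w*)\}')


def parse_conf(text):
    """Return {key: value}.  Comments and blank lines are skipped; ${name}
    is replaced by the value of an earlier key (left as-is if unknown)."""
    conf = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        conf[key] = VAR_RE.sub(lambda v: conf.get(v.group(1), v.group(0)), value)
    return conf


def audit(conf, bind, bind_mode):
    """Return a list of findings (empty when the files follow this manual).
    bind_mode holds the permission bits of smbldap_bind.conf."""
    findings = []
    # Section 2.2.2: the bind file carries clear-text credentials, root only.
    if bind_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("smbldap_bind.conf is readable by group/other: chmod 600 it")
    # Section 3.2: anonymous access to the master makes no sense.
    if not bind.get("masterDN") or not bind.get("masterPw"):
        findings.append("masterDN/masterPw are empty: an anonymous bind cannot modify the directory")
    # Section 3.1: TLS only helps if the server certificate is verified.
    if conf.get("ldapTLS") == "1":
        if conf.get("verify") != "require":
            findings.append("ldapTLS=1 but verify is not 'require': the server certificate is not checked")
        if not conf.get("cafile"):
            findings.append("ldapTLS=1 but cafile is unset: no CA to check the server certificate against")
    else:
        findings.append("ldapTLS is off: bind credentials and new passwords cross the network in clear text")
    # Section 3.1: the default CRYPT salt format gives the old short-salt crypt hash.
    if conf.get("hash_encrypt") == "CRYPT" and conf.get("crypt_salt_format", "%s") == "%s":
        findings.append("hash_encrypt=CRYPT with the default salt format: use SSHA or the '$1$%.8s' salt")
    # Section 3.1: these branches are full DNs, not relative to suffix.
    for key in ("usersdn", "groupsdn", "computersdn", "sambaUnixIdPooldn"):
        value = conf.get(key, "")
        if not value or "${" in value:
            findings.append("%s must be a full DN, not relative to suffix: %r" % (key, value))
    return findings


def audit_files(conf_path, bind_path):
    """Audit two files on disk, taking the bind file's mode from stat()."""
    with open(conf_path) as f:
        conf = parse_conf(f.read())
    with open(bind_path) as f:
        bind = parse_conf(f.read())
    return audit(conf, bind, stat.S_IMODE(os.stat(bind_path).st_mode))


def demo():
    """Write the constructed samples into a temporary directory, leaving the
    bind file world-readable (the mistake section 2.2.2 warns about), and
    return the audit findings."""
    workdir = tempfile.mkdtemp()
    conf_path = os.path.join(workdir, "smbldap.conf")
    bind_path = os.path.join(workdir, "smbldap_bind.conf")
    with open(conf_path, "w") as f:
        f.write(SAMPLE_SMBLDAP_CONF)
    with open(bind_path, "w") as f:
        f.write(SAMPLE_BIND_CONF)
    os.chmod(conf_path, 0o644)
    os.chmod(bind_path, 0o644)  # the manual says 600
    return audit_files(conf_path, bind_path)
```

Point <TT>audit_files()</TT> at <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> and <TT>smbldap_bind.conf</TT> to check a real installation; <TT>demo()</TT> reports four findings for the constructed samples.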
<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
<DIV ALIGN=center>
<TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
<TR><TD VALIGN=top ALIGN=left>option</TD>
<TD VALIGN=top ALIGN=left>definition</TD>
<TD VALIGN=top ALIGN=left>example</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-c</TD>
<TD VALIGN=top ALIGN=left>set the user gecos</TD>
<TD VALIGN=top ALIGN=left>-c "admin user"</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-d</TD>
<TD VALIGN=top ALIGN=left>set the home directory</TD>
<TD VALIGN=top ALIGN=left>-d /var/user</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-u</TD>
<TD VALIGN=top ALIGN=left>set a uid value</TD>
<TD VALIGN=top ALIGN=left>-u 1003</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-g</TD>
<TD VALIGN=top ALIGN=left>set a gid value</TD>
<TD VALIGN=top ALIGN=left>-g 1003</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-G</TD>
<TD VALIGN=top ALIGN=left>add the account to one or several supplementary
groups (comma-separated)</TD>
<TD VALIGN=top ALIGN=left>-G 512,550</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left>-G -512,550</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left> </TD>
<TD VALIGN=top ALIGN=left>-G +512,550</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-s</TD>
<TD VALIGN=top ALIGN=left>set the login shell</TD>
<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-N</TD>
<TD VALIGN=top ALIGN=left>set the canonical name of the user</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-S</TD>
<TD VALIGN=top ALIGN=left>set the surname of the user</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-P</TD>
<TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's password</TD>
<TD VALIGN=top ALIGN=left> </TD>
</TR>
<TR><TD VALIGN=top
ALIGN=left>-a</TD> 780<TD VALIGN=top ALIGN=left>add sambaSAMAccount objectclass</TD> 781<TD VALIGN=top ALIGN=left> </TD> 782</TR> 783<TR><TD VALIGN=top ALIGN=left>-e</TD> 784<TD VALIGN=top ALIGN=left>set an expiration date for the password (format: YYYY-MM-DD HH:MM:SS)</TD> 785<TD VALIGN=top ALIGN=left> </TD> 786</TR> 787<TR><TD VALIGN=top ALIGN=left>-A</TD> 788<TD VALIGN=top ALIGN=left>user can change password ? 0 if no, 1 if yes</TD> 789<TD VALIGN=top ALIGN=left>-A 1</TD> 790</TR> 791<TR><TD VALIGN=top ALIGN=left>-B</TD> 792<TD VALIGN=top ALIGN=left>user must change password at first session ? 0 if no, 1 793 if yes</TD> 794<TD VALIGN=top ALIGN=left>-B 1</TD> 795</TR> 796<TR><TD VALIGN=top ALIGN=left>-C</TD> 797<TD VALIGN=top ALIGN=left>set the samba home share</TD> 798<TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD> 799</TR> 800<TR><TD VALIGN=top ALIGN=left> </TD> 801<TD VALIGN=top ALIGN=left> </TD> 802<TD VALIGN=top ALIGN=left>-C ""</TD> 803</TR> 804<TR><TD VALIGN=top ALIGN=left>-D</TD> 805<TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD> 806<TD VALIGN=top ALIGN=left>-D H:</TD> 807</TR> 808<TR><TD VALIGN=top ALIGN=left> </TD> 809<TD VALIGN=top ALIGN=left> </TD> 810<TD VALIGN=top ALIGN=left>-D ""</TD> 811</TR> 812<TR><TD VALIGN=top ALIGN=left>-E</TD> 813<TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD> 814<TD VALIGN=top ALIGN=left>-E common.bat</TD> 815</TR> 816<TR><TD VALIGN=top ALIGN=left> </TD> 817<TD VALIGN=top ALIGN=left> </TD> 818<TD VALIGN=top ALIGN=left>-E ""</TD> 819</TR> 820<TR><TD VALIGN=top ALIGN=left>-F</TD> 821<TD VALIGN=top ALIGN=left>set the profile directory</TD> 822<TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD> 823</TR> 824<TR><TD VALIGN=top ALIGN=left> </TD> 825<TD VALIGN=top ALIGN=left> </TD> 826<TD VALIGN=top ALIGN=left>-F ""</TD> 827</TR> 828<TR><TD VALIGN=top ALIGN=left>-H</TD> 829<TD VALIGN=top ALIGN=left>set the samba account control bits like'[NDHTUMWSLKI]'</TD> 830<TD VALIGN=top ALIGN=left>-H 
[X]</TD> 831</TR> 832<TR><TD VALIGN=top ALIGN=left>-I</TD> 833<TD VALIGN=top ALIGN=left>disable a user account</TD> 834<TD VALIGN=top ALIGN=left>-I 1</TD> 835</TR> 836<TR><TD VALIGN=top ALIGN=left>-J</TD> 837<TD VALIGN=top ALIGN=left>enable a user</TD> 838<TD VALIGN=top ALIGN=left>-J 1</TD> 839</TR> 840<TR><TD VALIGN=top ALIGN=left>-M</TD> 841<TD VALIGN=top ALIGN=left>local mailAddress (comma seperated)</TD> 842<TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD> 843</TR> 844<TR><TD VALIGN=top ALIGN=left>-T</TD> 845<TD VALIGN=top ALIGN=left>forward mail address (comma seperated)</TD> 846<TD VALIGN=top ALIGN=left>-T 847 testuser@domain.org</TD> 848</TR></TABLE> 849 </DIV> 850 <BR> 851<DIV ALIGN=center>Table 4: Options available to the <TT>smbldap-usermod</TT> script</DIV><BR> 852 853 <A NAME="table::modify::user"></A> 854<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE> 855You can also use the <TT>smbldap-userinfo</TT> script to update user's information. This script can 856also be used by users themselves to update their own informations listed in the tables 857<A HREF="#table::modify::self::user">5</A> (adequats ACL must be set in the directory server). 
Available
options are:
<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
<DIV ALIGN=center>
<TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
<TR><TD VALIGN=top ALIGN=left>option</TD>
<TD VALIGN=top ALIGN=left>definition</TD>
<TD VALIGN=top ALIGN=left>example</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-f</TD>
<TD VALIGN=top ALIGN=left>set the user's full name</TD>
<TD VALIGN=top ALIGN=left>-f MyName</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-r</TD>
<TD VALIGN=top ALIGN=left>set the room number</TD>
<TD VALIGN=top ALIGN=left>-r 99</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-w</TD>
<TD VALIGN=top ALIGN=left>set the work phone number</TD>
<TD VALIGN=top ALIGN=left>-w 111111111</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-h</TD>
<TD VALIGN=top ALIGN=left>set the home phone number</TD>
<TD VALIGN=top ALIGN=left>-h 222222222</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-o</TD>
<TD VALIGN=top ALIGN=left>set other information (in gecos definition)</TD>
<TD VALIGN=top ALIGN=left>-o "second stage"</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left>-s</TD>
<TD VALIGN=top ALIGN=left>set the login shell</TD>
<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
</TR></TABLE>
</DIV>
<BR>
<DIV ALIGN=center>Table 5: Options available to the <TT>smbldap-userinfo</TT> script</DIV><BR>

<A NAME="table::modify::self::user"></A>
<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
<!--TOC subsection Group management-->

<H3><A NAME="htoc19">4.3</A> Group management</H3><!--SEC END -->

<!--TOC subsubsection Adding a group-->

<H4><A NAME="htoc20">4.3.1</A> Adding a group</H4><!--SEC END -->

To add a new group in the LDAP directory, use the <TT>smbldap-groupadd</TT>
script. Available options are listed in table
<A HREF="#table::add::group">6</A>.
<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
<DIV ALIGN=center>
<TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
<TR><TD VALIGN=top ALIGN=left NOWRAP>option</TD>
<TD VALIGN=top ALIGN=left>definition</TD>
<TD VALIGN=top ALIGN=left NOWRAP>example</TD>
</TR>
<TR><TD VALIGN=top ALIGN=left NOWRAP>-a</TD>
<TD VALIGN=top ALIGN=left>add automatic group mapping entry</TD>
<TD VALIGN=top ALIGN=left NOWRAP> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left NOWRAP>-g <TT>gid</TT></TD>
<TD VALIGN=top ALIGN=left>set the <I>gidNumber</I> for this group to
<I>gid</I></TD>
<TD VALIGN=top ALIGN=left NOWRAP><TT>-g 1002</TT></TD>
</TR>
<TR><TD VALIGN=top ALIGN=left NOWRAP>-o</TD>
<TD VALIGN=top ALIGN=left>gidNumber is not unique</TD>
<TD VALIGN=top ALIGN=left NOWRAP> </TD>
</TR>
<TR><TD VALIGN=top ALIGN=left NOWRAP>-r <TT>group-rid</TT></TD>
<TD VALIGN=top ALIGN=left>set the rid of the group to
<I>group-rid</I></TD>
<TD VALIGN=top ALIGN=left NOWRAP><TT>-r 1002</TT></TD>
</TR>
<TR><TD VALIGN=top ALIGN=left NOWRAP>-s <TT>group-sid</TT></TD>
<TD VALIGN=top ALIGN=left>set the sid of the group to
<I>group-sid</I></TD>
<TD VALIGN=top ALIGN=left NOWRAP><TT><FONT SIZE=1>-s
S-1-5-21-3703471949-3718591838-2324585696-1002</FONT></TT></TD>
</TR>
<TR><TD VALIGN=top ALIGN=left NOWRAP>-t <TT>group-type</TT></TD>
<TD VALIGN=top ALIGN=left>set the <I>sambaGroupType</I> to
<I>group-type</I></TD>
<TD VALIGN=top ALIGN=left NOWRAP><TT>-t 2</TT></TD>
</TR>
<TR><TD VALIGN=top ALIGN=left NOWRAP>-p</TD>
<TD VALIGN=top ALIGN=left>print the gidNumber to stdout</TD>
<TD VALIGN=top ALIGN=left NOWRAP> </TD>
</TR></TABLE>
</DIV>
<BR>
<DIV ALIGN=center>Table 6: Options available for the <TT>smbldap-groupadd</TT> script</DIV><BR>

<A NAME="table::add::group"></A>
<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
<!--TOC subsubsection Removing a group-->
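Added example (Python; not part of smbldap-tools): an audit of a constructed LDIF export that decodes the sambaAcctFlags letters set with the -H, -I and -J options of table 4 and the [I ] flags of the interdomain trust accounts of section 4.4, and reports the two conditions the FAQ checks by hand: a missing sambaSamAccount objectClass (6.4) and a sambaPwdLastSet of 0 (6.5). The domain SID and every entry below are constructed; the flag meanings are Samba's, not stated on this page.

```python
import re

# Meaning of the single-letter flags Samba keeps in sambaAcctFlags
# (the '[NDHTUMWSLKI]' set that smbldap-usermod -H accepts).
ACCT_FLAGS = {
    "N": "no password required", "D": "disabled",
    "H": "home directory required", "T": "temporary duplicate account",
    "U": "normal user account", "M": "MNS logon account",
    "W": "workstation trust account", "S": "server trust account",
    "L": "auto-locked", "X": "password does not expire",
    "I": "interdomain trust account",
}

# Constructed values: the SID= of smbldap.conf and a small LDIF export.
DOMAIN_SID = "S-1-5-21-2139989288-483860436-2398042574"
SAMPLE_LDIF = """\
dn: uid=user1,ou=Users,dc=idealx,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: user1
sambaSID: S-1-5-21-2139989288-483860436-2398042574-3002
sambaAcctFlags: [U          ]
sambaPwdLastSet: 1108300000

dn: uid=user2,ou=Users,dc=idealx,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: user2
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3004
sambaAcctFlags: [NUX        ]
sambaPwdLastSet: 0

dn: uid=root,ou=Users,dc=idealx,dc=org
objectClass: posixAccount
uid: root

dn: uid=trust-pdc$,ou=Computers,dc=idealx,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: trust-pdc$
sambaSID: S-1-5-21-2139989288-483860436-2398042574-3010
sambaAcctFlags: [I          ]
sambaPwdLastSet: 1108300000
"""


def parse_ldif(text):
    """One {attribute: [values]} dict per entry of a simple LDIF dump
    (no line folding or base64 values, which this export does not use)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(": ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def decode_flags(acct_flags):
    """Turn '[NUX        ]' into the set of flag letters it contains."""
    m = re.fullmatch(r"\[([A-Z ]*)\]", acct_flags)
    if m is None:
        raise ValueError("malformed sambaAcctFlags: %r" % acct_flags)
    return set(m.group(1).replace(" ", ""))


def audit_entry(entry, domain_sid=DOMAIN_SID):
    """Findings for one entry; an empty list means nothing to report."""
    uid = entry.get("uid", ["?"])[0]
    if "sambaSamAccount" not in entry.get("objectClass", []):
        # FAQ 6.4: without this objectClass the account cannot join the domain.
        return ["%s: no sambaSamAccount objectClass" % uid]
    findings = []
    if entry.get("sambaPwdLastSet", ["0"])[0] == "0":
        # FAQ 6.5: a sambaPwdLastSet of 0 prevents the user from logging in.
        findings.append("%s: sambaPwdLastSet is 0" % uid)
    sid = entry.get("sambaSID", [""])[0]
    if not sid.startswith(domain_sid + "-"):
        findings.append("%s: sambaSID %s is not in the local domain" % (uid, sid))
    flags = decode_flags(entry.get("sambaAcctFlags", ["[]"])[0])
    # N and D are the flags worth reviewing; I marks the trust accounts
    # created with smbldap-useradd -i (section 4.4).
    for letter in "NDI":
        if letter in flags:
            findings.append("%s: account is %s" % (uid, ACCT_FLAGS[letter]))
    return findings


def audit_ldif(text, domain_sid=DOMAIN_SID):
    """Audit every entry of an LDIF export and return all findings in order."""
    return [f for e in parse_ldif(text) for f in audit_entry(e, domain_sid)]
```

Run it against the output of an ldapsearch over the usersdn and computersdn branches to get the same findings for a real directory.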

<H4><A NAME="htoc21">4.3.2</A> Removing a group</H4><!--SEC END -->

To remove the group named <TT>group1</TT>, use the <TT>smbldap-groupdel</TT> script:
<PRE>
smbldap-groupdel group1
</PRE>
<!--TOC subsection Adding an interdomain trust account-->

<H3><A NAME="htoc22">4.4</A> Adding an interdomain trust account</H3><!--SEC END -->
<A NAME="trust::account"></A>
To add an interdomain trust account for the primary domain controller <I>trust-pdc</I>, use the <TT>-i</TT> option of
<TT>smbldap-useradd</TT> as follows:
<PRE>
[root@etoile root]# smbldap-useradd -i trust-pdc
New password : *******
Retype new password : *******
</PRE>
The script terminates by asking for a password for this trust
account. The account is created in the directory branch where
all computer accounts are stored (<TT>ou=Computers</TT> by
default). The only two particularities of this account are that you
set a password for it, and that its account flags are
<TT>[I ]</TT>.
<!--TOC section Samba and the smbldap-tools scripts-->

<H2><A NAME="htoc23">5</A> Samba and the smbldap-tools scripts</H2><!--SEC END -->

<!--TOC subsection General configuration-->

<H3><A NAME="htoc24">5.1</A> General configuration</H3><!--SEC END -->

Samba can be configured to use the <FONT COLOR=purple>smbldap-tools</FONT> scripts. This allows
administrators to add, delete or modify user and group accounts from <FONT COLOR=purple>Microsoft Windows</FONT>
operating systems using, for example, the User Manager utility under MS-Windows.
To enable the use of this utility, samba needs to be configured correctly.
The
<TT>smb.conf</TT> configuration file must contain the following directives:
<PRE>
ldap delete dn = Yes
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
</PRE>
Remark: the two directives <TT>delete user script</TT> and <TT>delete group
script</TT> can also be used. However, an error message can appear in User Manager
even if the operation actually succeeds.
If you want to enable this behaviour, you need to add
<PRE>
delete user script = /usr/local/sbin/smbldap-userdel "%u"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
</PRE>
<!--TOC subsection Migrating an NT4 PDC to Samba3-->

<H3><A NAME="htoc25">5.2</A> Migrating an NT4 PDC to Samba3</H3><!--SEC END -->

The account migration procedure becomes really simple when samba is configured to use
the <FONT COLOR=purple>smbldap-tools</FONT>. The Samba configuration (smb.conf file) must contain the
directives defined above so that the scripts managing users, groups and computer accounts are called properly.
The migration process is outlined in chapter 30 of the samba howto:
<TT>http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html</TT>.
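Added example (Python; not Samba's or smbldap-tools' code): a small parser for the [global] section of smb.conf and a check that the directives of section 5.1 are present, that a delete script carries the User Manager caveat above, and that passwd program is accompanied by unix password sync = Yes as FAQ 6.8 explains. Both smb.conf texts are constructed, one with the weak settings and one corrected.

```python
# Directives that section 5.1 requires in [global] for User Manager to work.
REQUIRED_GLOBAL = (
    "ldap delete dn",
    "add user script",
    "add machine script",
    "add group script",
    "add user to group script",
    "delete user from group script",
    "set primary group script",
)

# Constructed smb.conf: "add machine script" is missing, a delete script is
# set, and "passwd program" is used without "unix password sync".
SAMPLE_SMB_CONF = """\
[global]
    workgroup = IDEALX-NT
    passdb backend = ldapsam:ldap://127.0.0.1/
    ldap delete dn = Yes
    add user script = /usr/local/sbin/smbldap-useradd -m "%u"
    add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
    add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
    delete user script = /usr/local/sbin/smbldap-userdel "%u"
    passwd program = /usr/local/sbin/smbldap-passwd -u %u
    ; unix password sync = Yes

[homes]
    read only = No
"""

# The same file with the problems corrected (also constructed).
FIXED_SMB_CONF = SAMPLE_SMB_CONF.replace(
    '    delete user script = /usr/local/sbin/smbldap-userdel "%u"\n', ""
).replace(
    "    ; unix password sync = Yes\n",
    "    unix password sync = Yes\n"
    "    ldap passwd sync = Yes\n"
    '    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"\n',
)


def is_true(value):
    """Samba boolean: yes/true/1/on, case-insensitively."""
    return value.strip().lower() in ("yes", "true", "1", "on")


def parse_smb_conf(text):
    """Return {section: {directive: value}} for an smb.conf text.

    Directive names are lower-cased with whitespace collapsed, so that
    differences in case or spacing do not matter; comment lines (# or ;)
    and blank lines are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def check_smb_conf(text):
    """Return the problems found; an empty list means the directives of
    section 5.1 are present and consistent."""
    g = parse_smb_conf(text).get("global", {})
    problems = ["missing directive: %s" % n for n in REQUIRED_GLOBAL if n not in g]
    if "ldap delete dn" in g and not is_true(g["ldap delete dn"]):
        problems.append("ldap delete dn must be Yes")
    for name in ("delete user script", "delete group script"):
        if name in g:
            # Allowed by the manual, but User Manager may then report an
            # error even though the deletion succeeds.
            problems.append("%s is set: User Manager may report an error "
                            "even when the deletion succeeds" % name)
    if "passwd program" in g and not is_true(g.get("unix password sync", "")):
        # FAQ 6.8: passwd program is only called together with this directive.
        problems.append("passwd program is only called when unix password sync = Yes")
    if not is_true(g.get("ldap passwd sync", "")):
        # FAQ 6.8: with OpenLDAP this is the directive that makes Samba
        # update the LDAP password itself.
        problems.append("ldap passwd sync = Yes is needed so Samba updates "
                        "the LDAP password itself")
    return problems
```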
<BR>
<BR>
<!--TOC section Frequently Asked Questions-->

<H2><A NAME="htoc26">6</A> Frequently Asked Questions</H2><!--SEC END -->

<!--TOC subsection How can I use old released uidNumber and gidNumber ?-->

<H3><A NAME="htoc27">6.1</A> How can I use old released uidNumber and gidNumber?</H3><!--SEC END -->

There are two ways to do this:
<UL><LI>
modify the <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> entry and
change the <TT>uidNumber</TT> and/or <TT>gidNumber</TT> value. This
must be done manually. For example, if you want to use all available
uidNumber and gidNumber values higher than 1500, you need to create an
<TT>update-NextFreeUnixId.ldif</TT> file containing:
<PRE>dn: cn=NextFreeUnixId,dc=idealx,dc=org
changetype: modify
replace: uidNumber
uidNumber: 1500
-
replace: gidNumber
gidNumber: 1500
</PRE>
and then update the directory:
<PRE>
ldapmodify -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f update-NextFreeUnixId.ldif
</PRE>
(with <TT>-w</TT> the manager password appears on the command line and in the shell history; <TT>-W</TT> prompts for it instead)
<LI>use the <TT>-u</TT> or <TT>-g</TT> option of the script you need, to set the value you
want to use
</UL>
<!--TOC subsection I always have this error: "Can't locate IO/Socket/SSL.pm"-->

<H3><A NAME="htoc28">6.2</A> I always have this error: "Can't locate IO/Socket/SSL.pm"</H3><!--SEC END -->

This happens when you want to use a certificate.
In this case, you need to install the
IO-Socket-SSL Perl module.<BR>
<BR>
<!--TOC subsection I can't initialize the directory with <TT>smbldap-populate</TT>-->

<H3><A NAME="htoc29">6.3</A> I can't initialize the directory with <TT>smbldap-populate</TT></H3><!--SEC END -->

When I want to initialize the directory using the <TT>smbldap-populate</TT>
script, I get
<PRE>
[root@slave sbin]# smbldap-populate.pl
Using builtin directory structure
adding new entry: dc=IDEALX,dc=COM
Can't call method "code" without a package or object reference at
/usr/local/sbin/smbldap-populate.pl line 270, <GEN1> line 2.
</PRE>Answer: check the TLS configuration
<UL><LI>
if you don't want to use TLS support, set the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file
with
<PRE>
ldapSSL="0"
</PRE><LI>if you want TLS support, set the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file with
<PRE>
ldapSSL="1"
</PRE>and check that the directory server is configured to accept TLS connections.
</UL>
<!--TOC subsection I can't join the domain with the <TT>root</TT> account-->

<H3><A NAME="htoc30">6.4</A> I can't join the domain with the <TT>root</TT> account</H3><!--SEC END -->

<UL><LI>
check that the root account has the sambaSamAccount objectclass
<LI>check that the directive <TT>add machine script</TT> is present and configured
</UL>
<!--TOC subsection I have the <TT>sambaSamAccount</TT> but I can't log in-->

<H3><A NAME="htoc31">6.5</A> I have the <TT>sambaSamAccount</TT> but I can't log in</H3><!--SEC END -->

Check that the <TT>sambaPwdLastSet</TT> attribute is not null (that is, not set to 0)<BR>
<BR>
<!--TOC subsection I want to create machine accounts on the fly, but it does
not work or I must do it twice-->

<H3><A NAME="htoc32">6.6</A> I want to create machine accounts on the fly, but it does
not work or I must do it twice</H3><!--SEC END -->

<UL><LI>
The script defined with the <TT>add machine script</TT> directive must not add
the <TT>sambaSAMAccount</TT> objectclass to the machine account. The
script must only add the Posix machine account. Samba will add the <TT>sambaSAMAccount</TT> when
joining the domain.
<LI>Check that the <TT>add <B>machine</B> script</TT> directive is present in the samba
configuration file.
</UL>
<!--TOC subsection I can't manage the Oracle Internet Database-->

<H3><A NAME="htoc33">6.7</A> I can't manage the Oracle Internet Database</H3><!--SEC END -->

If you have an error message like:
<PRE>
Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 187.
Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 627.
</PRE>For Oracle Database, all attributes that will be requested from the directory must be indexed.
Add a
new index for the samba attributes and make sure that the following attributes are also indexed:
uidNumber, gidNumber, memberUid, homedirectory, description, userPassword ...<BR>
<BR>
<!--TOC subsection The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
called, or I get an error message when changing the password from Windows-->

<H3><A NAME="htoc34">6.8</A> The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
called, or I get an error message when changing the password from Windows</H3><!--SEC END -->

The directive is only called if you also set <TT>unix password sync = Yes</TT>.
Notes:
<UL><LI>
if you use OpenLDAP, neither of those two options is needed. You just need <TT>ldap
passwd sync = Yes</TT>.
<LI>the script called here must only update the <TT>userPassword</TT> attribute. This is the
reason for the <TT>-u</TT> option. Samba passwords will be updated by samba itself.
<LI>the <TT>passwd chat</TT> directive must match what is prompted when using the
<TT>smbldap-passwd</TT> command
</UL>
<!--TOC subsection New computer accounts can't be set in ou=computers-->

<H3><A NAME="htoc35">6.9</A> New computer accounts can't be set in ou=computers</H3><!--SEC END -->
<A NAME="sec::bug::ou::computer"></A>
This is a known samba bug.
There's a workaround: look at
<TT>http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2</TT><BR>
<BR>
<!--TOC subsection I can join the domain, but I can't log on-->

<H3><A NAME="htoc36">6.10</A> I can join the domain, but I can't log on</H3><!--SEC END -->

Look at section <A HREF="#sec::bug::ou::computer">6.9</A><BR>
<BR>
<!--TOC subsection I can't create a user with <TT>smbldap-useradd</TT>-->

<H3><A NAME="htoc37">6.11</A> I can't create a user with <TT>smbldap-useradd</TT></H3><!--SEC END -->

When creating a new user account I get the following error message:
<PRE>
/usr/local/sbin/smbldap-useradd.pl: unknown group SID not set for unix group 513
</PRE>Answer:
<UL><LI>
is nss_ldap correctly configured?
<LI>is the users' default group mapped to the 'Domain Users' NT group?
<PRE>
net groupmap add rid=513 unixgroup="Domain Users" ntgroup="Domain Users"
</PRE></UL>
<!--TOC subsection smbldap-useradd: Can't call method "get_value" on an undefined value at
/usr/local/sbin/smbldap-useradd line 154-->

<H3><A NAME="htoc38">6.12</A> smbldap-useradd: Can't call method "get_value" on an undefined value at
/usr/local/sbin/smbldap-useradd line 154</H3><!--SEC END -->

<UL><LI>
does the default group defined in smbldap.conf exist
(defaultUserGid="513")?
<LI>is the NT "Domain Users" group mapped to a unix
group with rid 513 (see option <I>-r</I> of <TT>smbldap-groupadd</TT> and
<TT>smbldap-groupmod</TT> to set a rid)?
</UL>
<!--TOC subsection Typical errors on creating a new user or a new group-->

<H3><A NAME="htoc39">6.13</A> Typical errors on creating a new user or a new group</H3><!--SEC END -->
<A NAME="faq::error::add::user"></A>
<UL><LI>
I've got the following error:
<PRE>
Could not find base dn, to get next uidNumber at /usr/local/sbin//smbldap_tools.pm line 909
</PRE><OL type=1><LI>
you have not created the object that defines the next available uidNumber and gidNumber.
<UL><LI>
for version 0.8.7: you can just run the <TT>smbldap-populate</TT> script, which will
update the sambaDomain entry to store this information
<LI>for versions before 0.8.7 (you have updated the smbldap-tools to version 0.8.5 or newer):
you have to do this manually. Create a file called <TT>add.ldif</TT> containing
<PRE>
dn: cn=NextFreeUnixId,dc=idealx,dc=org
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
uidNumber: 1000
gidNumber: 1000
cn: NextFreeUnixId
sn: NextFreeUnixId
</PRE> and then add the object with the ldapadd utility:
<PRE>
$ ldapadd -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f add.ldif
</PRE> Here, 1000 is the first available value for uidNumber and gidNumber (of course, if this value is
already used by a user or a group, the first available value after 1000 will be used).
</UL><BR>
<BR>
<LI>The error also appears when TLS is required (ldapTLS=1 in <TT>smbldap.conf</TT>) and
something is wrong with the certificate naming or path settings.
</OL><BR>
<BR>
<LI>I've got the following error:
<PRE>
Use of uninitialized value in string at
/usr/local/sbin//smbldap_tools.pm line 914.
Error: No DN specified at /usr/local/sbin//smbldap_tools.pm line 919
</PRE>You have not updated the configuration file to define the object where the next available
uidNumber and gidNumber are stored.
In our example, you have to add a new entry in
<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I> containing:
<PRE>
# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
</PRE>By the way, a new option is now available too: the domain to append to users' mail addresses. You can add to the
configuration file the following lines:
<PRE>
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="idealx.com"
</PRE><BR>
<BR>
<LI>I've got the following error:
<PRE>
Use of uninitialized value in concatenation (.) or string at /usr/local/sbin/smbldap-useradd line 183.
Use of uninitialized value in substitution (s///) at /usr/local/sbin/smbldap-useradd line 185.
Use of uninitialized value in string at /usr/local/sbin/smbldap-useradd line 264.
failed to add entry: homedirectory: value #0 invalid per syntax at /usr/local/sbin/smbldap-useradd line 280.
userHomeDirectory=User "jto" already member of the group "513".
failed to add entry: No such object at /usr/local/sbin/smbldap-useradd line 382.
</PRE>you have to change the variable name <TT>userHomePrefix</TT> to <TT>userHome</TT> in
<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I><BR>
<BR>
<LI>I've got the following error:
<PRE>
failed to add entry: referral missing at /usr/local/sbin/smbldap-useradd line 279, <DATA> line 283.
</PRE>you have to update the configuration file that defines the users, groups and computers dn. Those
parameters must be full DNs, not DNs relative to the <TT>suffix</TT> parameter (use the <TT>${suffix}</TT>
variable to build them). A typical
configuration looks like this:
<PRE>
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
</PRE><BR>
<BR>
<LI>I've got the following error:
<PRE>
erreur LDAP: Can't contact master ldap server (IO::Socket::INET: Bad protocol 'tcp')
at /usr/local/sbin//smbldap_tools.pm line 153.
</PRE>remove <I>ldap</I> from the <I>services</I> line of <I>/etc/nsswitch.conf</I>. For
example, if your ldap directory is not configured to provide services information, you must have
<PRE>
services: files
</PRE>and not
<PRE>
services: ldap [NOTFOUND=return] files
</PRE></UL>


<!--TOC section Thanks-->

<H2><A NAME="htoc40">7</A> Thanks</H2><!--SEC END -->

<A NAME="thanks"></A>
People who have worked on this document are
<UL><LI>
Jérôme Tournier <jerome.tournier@IDEALX.com>
<LI>David Barth <david.barth@IDEALX.com>
<LI>Nat Makarevitch <nat@IDEALX.com>
</UL>
The authors would like to thank the following people for providing help with
some of the more complicated subjects, for clarifying some of the internal
workings of <FONT COLOR=purple>Samba</FONT> or <FONT COLOR=purple>OpenLDAP</FONT>, for pointing out errors or mistakes in
previous versions of this document, or generally for making
suggestions:
<UL><LI>
IDEALX team:
<UL><LI>
Roméo Adekambi <romeo.adekambi@IDEALX.com>
<LI>Aurelien Degremont <adegremont@IDEALX.com>
<LI>Renaud Renard <rrenard@IDEALX.com>
</UL>
<LI>John H Terpstra <jht@samba.org>
</UL>
<!--TOC section Annexes-->

<H2><A NAME="htoc41">8</A> Annexes</H2><!--SEC END -->

<!--TOC subsection Full configuration files-->

<H3><A NAME="htoc42">8.1</A> Full configuration files</H3><!--SEC END -->
<A NAME="configuration::files"></A>
<!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file-->

<H4><A NAME="htoc43">8.1.1</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</H4><!--SEC END -->
<A NAME="configuration::file::smbldap"></A>
<PRE># $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration
file for smbldap-tools

# This code was developed by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID
# to obtain this number do: net getlocalsid
SID="S-1-5-21-2139989288-483860436-2398042574"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use a dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also use the port 389)
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=idealx,dc=org"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex idmapdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="sambaDomainName=SMB3,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days). Comment the next line if
# you don't want passwords to be enabled for defaultMaxPasswordAge days (be
# careful with the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
userSmbHome="\\PDC-SMB3\homes\%U"

# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
userProfile="\\PDC-SMB3\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exists)
# Ex: H: for H:
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.cmd"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="idealx.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (defaults are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

</PRE>
<!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file-->

<H4><A NAME="htoc44">8.1.2</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</H4><!--SEC END -->
<A NAME="configuration::file::smbldap::bind"></A>
<PRE>############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Manager,dc=idealx,dc=org"
slavePw="secret"
masterDN="cn=Manager,dc=idealx,dc=org"
masterPw="secret"

</PRE>
<!--TOC subsubsection The samba configuration file : <TT>/etc/samba/smb.conf</TT>
-->

<H4><A NAME="htoc45">8.1.3</A> The samba configuration file : <TT>/etc/samba/smb.conf</TT> </H4><!--SEC END -->

<PRE># Global parameters
[global]
    workgroup = IDEALX-NT
    netbios name = PDC-SRV
    #interfaces = 192.168.5.11
    username map = /etc/samba/smbusers
    enable privileges = yes
    server string = Samba Server %v
    security = user
    encrypt passwords = Yes
    min passwd length = 3
    obey pam restrictions = No
    ldap passwd sync = Yes
    #unix password sync = Yes
    #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
    #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 100000
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1

    logon script = logon.bat
    logon drive = H:
    logon home =
    logon path =

    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    passdb backend = ldapsam:ldap://127.0.0.1/
    # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
    # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
    ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
    ldap suffix = dc=idealx,dc=com
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Users
    ldap ssl = start tls
    add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
    add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
    add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
    #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
    add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"

    # printers configuration
    printer admin = @"Print Operators"
    load printers = Yes
    create mask = 0640
    directory mask = 0750
    nt acl support = No
    printing = cups
    printcap name = cups
    deadtime = 10
    guest account = nobody
    map to guest = Bad User
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    show add printer wizard = yes
    ; to maintain capital letters in shortcuts in any of the profile folders:
    preserve case = yes
    short preserve case = yes
    case sensitive = no

[homes]
    comment = repertoire de %U, %u
    read only = No
    create mask = 0644
    directory mask = 0775
    browseable = No

[netlogon]
    path = /home/netlogon/
    browseable = No
    read only = yes

[profiles]
    path = /home/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = No
    guest ok = Yes
    profile acls = yes
    csc policy = disable
    # next line is a great way to secure the profiles
    force user = %U
    # next line allows administrators to access all profiles
    valid users = %U "Domain Admins"

[printers]
    comment = Network Printers
    printer admin = @"Print Operators"
    guest ok = yes
    printable = yes
    path = /home/spool/
    browseable = No
    read only = Yes
    print command = /usr/bin/lpr -P%p -r %s
    lpq command = /usr/bin/lpq -P%p
    lprm command = /usr/bin/lprm -P%p %j

[print$]
    path = /home/printers
    guest ok = No
    browseable = Yes
    read only = Yes
    valid users = @"Print Operators"
    write list = @"Print Operators"
    create mask = 0664
    directory mask = 0775

[public]
    comment = Repertoire public
    path = /home/public
    browseable = Yes
    guest ok = Yes
    read only = No
    directory mask = 0775
    create mask = 0664

</PRE>
<!--TOC subsubsection The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT>-->

<H4><A NAME="htoc46">8.1.4</A> The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></H4><!--SEC END -->

<PRE>include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

schemacheck on
lastmod on

TLSCertificateFile /etc/openldap/ldap.idealx.com.pem
TLSCertificateKeyFile /etc/openldap/ldap.idealx.com.key
TLSCACertificateFile /etc/openldap/ca.pem
TLSCipherSuite :SSLv3
#TLSVerifyClient demand

#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix dc=idealx,dc=com
rootdn "cn=Manager,dc=idealx,dc=com"
rootpw secret
directory /var/lib/ldap
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="cn=Manager,dc=idealx,dc=com" write
    by self write
    by anonymous auth
    by * none
# all other attributes are readable by everybody
access to *
    by * read
</PRE>
<!--TOC subsection Changing the administrative account (<TT>ldap admin
dn</TT> in <TT>smb.conf</TT> file)-->

<H3><A NAME="htoc47">8.2</A> Changing the administrative
account (<TT>ldap admin dn</TT> in <TT>smb.conf</TT> file)</H3><!--SEC END -->
<A NAME="change::manager"></A>
If you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
account anymore, you can create a dedicated account for Samba and the
smbldap-tools scripts. To do
this, create an account named <I>samba</I> as follows (see
section <A HREF="#add::user">4.2.1</A> for a more detailed syntax) :
<PRE>
smbldap-useradd -s /bin/false -d /dev/null -P samba
</PRE>This command will ask you to set a password for this account. Let's
set it to <I>samba</I> for this example.
You then need to modify the following configuration files:
<UL><LI>
file <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT>
  <PRE>
  slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
  slavePw="samba"
  masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
  masterPw="samba"
  </PRE><LI>file <TT>/etc/samba/smb.conf</TT>
  <PRE>
  ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
  </PRE>don't forget to also store the samba account password in the
  <TT>secrets.tdb</TT> file :
<PRE>
smbpasswd -w samba
</PRE><LI>file <TT>/etc/openldap/slapd.conf</TT>: give the
  <I>samba</I> user permission to modify some attributes: this
  user needs write access to all the Samba attributes and to a few
  POSIX ones (uidNumber, gidNumber ...)
:
  <PRE>
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by self write
    by anonymous auth
    by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * read
# some attributes can be written by the users themselves
access to attrs=description,telephoneNumber
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by self write
    by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by self read
    by * none
# samba needs to be able to create the samba domain account
access to dn.base="dc=idealx,dc=com"
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * none
# samba needs to be able to create new user accounts
access to dn="ou=Users,dc=idealx,dc=com"
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * none
# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=idealx,dc=com"
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * none
# samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=idealx,dc=com"
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * none
# this can be omitted but we leave it: there could be other branches
# in the directory
access to *
    by self read
    by * none
  </PRE></UL>
<!--TOC subsection known bugs-->

<H3><A NAME="htoc48">8.3</A> known bugs</H3><!--SEC END -->

<UL><LI>
Option <I>-B</I> (user must change password) of
  <TT>smbldap-useradd</TT> has no effect: when the
  <TT>smbldap-passwd</TT> script is called, the
  <I>sambaPwdMustChange</I> attribute is rewritten.
</UL>

<!--BEGIN NOTES document-->
<HR WIDTH="50%" SIZE=1><DL><DT><A NAME="note1" HREF="#text1"><FONT SIZE=5>1</FONT></A><DD><TT>http://IDEALX.com/</TT>
</DL>
<!--END NOTES-->
<!--HTMLFOOT-->
<!--ENDHTML-->
<!--FOOTER-->
<HR SIZE=2>
<BLOCKQUOTE><EM>This document was translated from L<sup>A</sup>T<sub>E</sub>X by
</EM><A HREF="http://pauillac.inria.fr/~maranget/hevea/index.html"><EM>H<FONT SIZE=2><sup>E</sup></FONT>V<FONT SIZE=2><sup>E</sup></FONT>A</EM></A><EM>.
</EM></BLOCKQUOTE>
</BODY>
</HTML>
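The slapd.conf ACL blocks quoted in sections 8.1.4 and 8.2 are evaluated first-match: slapd consults only the first `access to` clause whose target matches the attribute, and inside that clause only the first matching `by` line; if no `by` matches, access is denied. The following Python evaluator is an added example written for this page (it is not code from smbldap-tools or from the manual) that applies those two rules to the attribute-level clauses of both ACLs so an administrator can check what an anonymous client, a user on their own entry, or the `uid=samba` admin account is actually granted. The `uid=alice` entry, the `anonymous_readable` helper, the shortened attribute list in the fourth clause and the omission of the dn-targeted clauses are assumptions made here.

```python
"""Evaluate the attribute-level slapd.conf "access to" rules quoted in this manual
(added example, not smbldap-tools code). Two rules of slapd ACL processing are
modelled: only the FIRST "access to" clause whose target matches is consulted, and
inside it the FIRST matching "by" wins (no match => "none"). Targets "*"/"attrs=..."
only; the dn-targeted clauses of section 8.2 are out of scope. The rootdn, which
bypasses ACLs in slapd, is not modelled."""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm_dn(dn):
    # Case- and whitespace-insensitive DN comparison; enough for the literal DNs here.
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_acl(text):
    """Return clauses as (attrs, by): attrs is a lowercase set, or None for "*"."""
    clauses = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            target = line[len("access to "):].strip()
            if target == "*":
                clauses.append((None, []))
            elif target.startswith("attrs="):
                clauses.append(({a.strip().lower() for a in target[6:].split(",")}, []))
            else:
                raise ValueError("unsupported target: " + target)
        elif line.startswith("by "):
            m = re.fullmatch(r'by\s+(\*|self|anonymous|users|dn="[^"]*")\s+(\w+)', line)
            if not m or m.group(2) not in LEVELS:
                raise ValueError("unsupported by clause: " + line)
            clauses[-1][1].append((m.group(1), m.group(2)))
        else:
            raise ValueError("unexpected line: " + line)
    return clauses

def _who_matches(who, requester_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if requester_dn is None:          # every remaining who-form needs a bound identity
        return False
    if who == "users":
        return True
    if who == "self":
        return norm_dn(requester_dn) == norm_dn(entry_dn)
    return norm_dn(requester_dn) == norm_dn(who[4:-1])   # who is dn="..."

def granted(clauses, requester_dn, entry_dn, attr):
    """Access level (a LEVELS name) the ACL grants requester_dn on attr of entry_dn."""
    for attrs, by in clauses:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in by:             # first matching "by" wins; later clauses are never read
            if _who_matches(who, requester_dn, entry_dn):
                return level
        return "none"                     # implicit trailing "by * none"
    return "none"                         # no clause matched (cannot happen with a trailing "access to *")

def allowed(clauses, requester_dn, entry_dn, attr, level):
    return LEVELS.index(granted(clauses, requester_dn, entry_dn, attr)) >= LEVELS.index(level)

def anonymous_readable(clauses, entry_dn, attrs):
    """Exposure audit: which of attrs an unauthenticated client may read on entry_dn."""
    return sorted(a for a in attrs if allowed(clauses, None, entry_dn, a, "read"))

# Attribute-level ACL from section 8.1.4 (the shipped slapd.conf).
DEFAULT_ACL = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn="cn=Manager,dc=idealx,dc=com" write
    by self write
    by anonymous auth
    by * none
access to *
    by * read
"""

# Attribute-level ACL from section 8.2 (dn-targeted clauses dropped, and the attrs
# list of the last attrs clause shortened, to keep the example readable).
HARDENED_ACL = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by self write
    by anonymous auth
    by * none
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by * read
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdMustChange,sambaAcctFlags,sambaSID,sambaPrimaryGroupSID
    by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
    by self read
    by * none
access to *
    by self read
    by * none
"""

SAMBA = "uid=samba,ou=Users,dc=idealx,dc=com"
ALICE = "uid=alice,ou=Users,dc=idealx,dc=com"   # constructed sample user entry, not from the manual
```

Running `anonymous_readable` on both ACLs makes the difference concrete: with the shipped configuration an unauthenticated client can read everything except the three password attributes (including `sambaSID`, `uidNumber` and `loginShell`), while the section 8.2 rules limit anonymous reads to the POSIX attributes the `id` command needs. The evaluator also shows two first-match side effects in the 8.2 block: `cn` is already granted `by * read` in the second clause, so listing it again in the Samba-attributes clause changes nothing, and `sambaPwdMustChange` is governed by the first clause (`by self write`), not by the later clause that would give the user only `read`.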