<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
 "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>

<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<META name="GENERATOR" content="hevea 1.06">
<TITLE>
 Annexes
</TITLE>
</HEAD>
<BODY >
<A HREF="smbldap-tools008.html"><IMG SRC ="previous_motif.gif" ALT="Previous"></A>
<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Up"></A>
<HR>

<H2><A NAME="htoc41">8</A> Annexes</H2><UL>
<LI><A HREF="smbldap-tools009.html#toc27"> Full configuration files</A>
<LI><A HREF="smbldap-tools009.html#toc28"> Changing the administrative account (<TT>ldap admin
 dn</TT> in <TT>smb.conf</TT> file)</A>
<LI><A HREF="smbldap-tools009.html#toc29"> Known bugs</A>
</UL>

<A NAME="toc27"></A>
<H3><A NAME="htoc42">8.1</A> Full configuration files</H3><A NAME="configuration::files"></A>
The four files below are reproduced as samples and are not fully consistent
with one another: <TT>smbldap.conf</TT> and <TT>smbldap_bind.conf</TT> use the
suffix <TT>dc=idealx,dc=org</TT> while <TT>smb.conf</TT> and <TT>slapd.conf</TT>
use <TT>dc=idealx,dc=com</TT>; <TT>smb.conf</TT> sets <TT>ldap idmap suffix =
ou=Users</TT> where <TT>smbldap.conf</TT> expects <TT>ou=Idmap</TT>; and
<TT>smb.conf</TT> talks to the directory with <TT>ldap ssl = start tls</TT>
while the scripts are configured with <TT>ldapTLS="0"</TT>. Use one suffix, one
idmap container and the same transport protection for both Samba and the
scripts. Also note that <TT>smbldap_bind.conf</TT> stores the bind passwords in
clear text and that <TT>slapd.conf</TT> below uses a clear-text <TT>rootpw</TT>:
both files must be readable by root only (mode 0600), and <TT>rootpw</TT> is
better set to a hash produced by <TT>slappasswd</TT>.

<H4><A NAME="htoc43">8.1.1</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</H4><A NAME="configuration::file::smbldap"></A>
<PRE># $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

# This code was developed by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose :
# . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID
# to obtain this number do: net getlocalsid
SID="S-1-5-21-2139989288-483860436-2398042574"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use two LDAP servers as a backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two server declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for the connection
# (you should then also use port 389)
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# client certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# private key matching clientcert
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=idealx,dc=org"

# Where users are stored
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=Users,${suffix}"

# Where computers are stored
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Computers,${suffix}"

# Where groups are stored
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"

# Where Idmap entries are stored (used if samba is a domain member server)
# Ex: idmapdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"

# Where to store the next available uidNumber and gidNumber
sambaUnixIdPooldn="sambaDomainName=SMB3,${suffix}"

# Default scope used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
# CLEARTEXT stores the password verbatim in userPassword; avoid it.
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validity period (in days). Comment out the next line if
# you don't want passwords to expire after defaultMaxPasswordAge days (be
# careful with the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
userSmbHome="\\PDC-SMB3\homes\%U"

# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
userProfile="\\PDC-SMB3\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if the home directory exists)
# Ex: H: for H:
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure the script file is edited under DOS (CRLF line endings)
# Ex: %U.cmd
# userScript="startup.cmd"
userScript="%U.cmd"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="idealx.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (defaults are ok for a RedHat)
#
##############################################################################

# Set with_smbpasswd to 0 to avoid calling smbpasswd and compute the NT/LM
# hashes with the Crypt::SmbHash library instead
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Set with_slappasswd to 0 to avoid calling slappasswd and compute the
# userPassword hash with the Crypt:: libraries instead
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

</PRE>

<H4><A NAME="htoc44">8.1.2</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</H4><A NAME="configuration::file::smbldap::bind"></A>
<PRE>############################
# Credential Configuration #
############################
# Notes: you can specify two different configurations if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Manager,dc=idealx,dc=org"
slavePw="secret"
masterDN="cn=Manager,dc=idealx,dc=org"
masterPw="secret"

</PRE>
The passwords in this file are stored in clear text; the file must be owned by
root with mode 0600, since whoever can read it holds the directory
administrator's credentials.

<H4><A NAME="htoc45">8.1.3</A> The samba configuration file : <TT>/etc/samba/smb.conf</TT> </H4>
<PRE># Global parameters
[global]
    workgroup = IDEALX-NT
    netbios name = PDC-SRV
    #interfaces = 192.168.5.11
    username map = /etc/samba/smbusers
    enable privileges = yes
    server string = Samba Server %v
    security = user
    encrypt passwords = Yes
    min passwd length = 3
    obey pam restrictions = No
    ldap passwd sync = Yes
    #unix password sync = Yes
    #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
    #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
    log level = 0
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 100000
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    mangling method = hash2
    Dos charset = 850
    Unix charset = ISO8859-1

    logon script = logon.bat
    logon drive = H:
    logon home =
    logon path =

    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    passdb backend = ldapsam:ldap://127.0.0.1/
    # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
    # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
    ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
    ldap suffix = dc=idealx,dc=com
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=Users
    ldap ssl = start tls
    add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
    ldap delete dn = Yes
    #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
    add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"
    add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
    #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
    add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"

    # printers configuration
    printer admin = @"Print Operators"
    load printers = Yes
    create mask = 0640
    directory mask = 0750
    nt acl support = No
    printing = cups
    printcap name = cups
    deadtime = 10
    guest account = nobody
    map to guest = Bad User
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
    show add printer wizard = yes
    ; to maintain capital letters in shortcuts in any of the profile folders:
    preserve case = yes
    short preserve case = yes
    case sensitive = no

[homes]
    comment = home directory of %U, %u
    read only = No
    create mask = 0644
    directory mask = 0775
    browseable = No

[netlogon]
    path = /home/netlogon/
    browseable = No
    read only = yes

[profiles]
    path = /home/profiles
    read only = no
    create mask = 0600
    directory mask = 0700
    browseable = No
    guest ok = Yes
    profile acls = yes
    csc policy = disable
    # next line is a great way to secure the profiles
    force user = %U
    # next line allows administrator to access all profiles
    valid users = %U "Domain Admins"

[printers]
    comment = Network Printers
    printer admin = @"Print Operators"
    guest ok = yes
    printable = yes
    path = /home/spool/
    browseable = No
    read only = Yes
    print command = /usr/bin/lpr -P%p -r %s
    lpq command = /usr/bin/lpq -P%p
    lprm command = /usr/bin/lprm -P%p %j

[print$]
    path = /home/printers
    guest ok = No
    browseable = Yes
    read only = Yes
    valid users = @"Print Operators"
    write list = @"Print Operators"
    create mask = 0664
    directory mask = 0775

[public]
    comment = Public directory
    path = /home/public
    browseable = Yes
    guest ok = Yes
    read only = No
    directory mask = 0775
    create mask = 0664

</PRE>
This is a lab configuration: <TT>min passwd length = 3</TT> accepts
trivially short passwords, <TT>map to guest = Bad User</TT> turns any unknown
user name into <TT>nobody</TT>, and the <TT>[public]</TT> share is writable by
that guest. Raise the minimum length and restrict or drop the guest-writable
share before exposing the server to an untrusted network.

<H4><A NAME="htoc46">8.1.4</A> The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></H4>
<PRE>include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

schemacheck on
lastmod on

TLSCertificateFile /etc/openldap/ldap.idealx.com.pem
TLSCertificateKeyFile /etc/openldap/ldap.idealx.com.key
TLSCACertificateFile /etc/openldap/ca.pem
TLSCipherSuite :SSLv3
#TLSVerifyClient demand

#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix dc=idealx,dc=com
rootdn "cn=Manager,dc=idealx,dc=com"
rootpw secret
directory /var/lib/ldap
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=Manager,dc=idealx,dc=com" write
        by self write
        by anonymous auth
        by * none
# all other attributes are readable by everybody
access to *
        by * read
</PRE>
Three remarks on this file. The catch-all <TT>access to * by * read</TT>
makes every attribute other than the three password attributes (SIDs, RIDs,
account flags, home and profile paths, group memberships) readable by anonymous
clients; section <A HREF="#toc28">8.2</A> shows a tighter ACL. The
<TT>rootdn</TT> is never subject to ACLs, so the <TT>by dn="cn=Manager,..."
write</TT> line is redundant for it (though harmless), and <TT>rootpw
secret</TT> is a clear-text password in a file that must stay readable by root
only; <TT>slappasswd</TT> produces a <TT>{SSHA}</TT> value that can be used in
its place. Finally, <TT>TLSCipherSuite :SSLv3</TT> is the cipher string of the
2005 era; SSLv3 is obsolete and a current OpenSSL cipher list should be used
instead.
<A NAME="toc28"></A>
<H3><A NAME="htoc47">8.2</A> Changing the administrative account (<TT>ldap admin
 dn</TT> in <TT>smb.conf</TT> file)</H3><A NAME="change::manager"></A>
If you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
account anymore, you can create a dedicated account for Samba and the
smbldap-tools scripts. To do
this, create an account named <I>samba</I> as follows (see
section <A HREF="smbldap-tools005.html#add::user">4.2.1</A> for a more detailed syntax) :
<PRE>
smbldap-useradd -s /bin/false -d /dev/null -P samba
</PRE>This command will ask you to set a password for this account. Let's
set it to <I>samba</I> for this example. In a real deployment use a long random
password: with the ACL given below this account can write every Samba
attribute, including the NT and LM password hashes of all users, and create
accounts in the directory.
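The password set here ends up in the directory as a <TT>userPassword</TT>
value whose form is chosen by <TT>hash_encrypt</TT> in <TT>smbldap.conf</TT>
(section 8.1.1), and a value of the same form is what <TT>slappasswd</TT>
produces for a hashed <TT>rootpw</TT> in <TT>slapd.conf</TT> (section 8.1.4).
The following is an added example, not code from smbldap-tools or OpenLDAP:
it parses the <TT>KEY="value"</TT> syntax of <TT>smbldap.conf</TT> (including
the <TT>${suffix}</TT> references the file uses), builds the
<TT>{SSHA}</TT>, <TT>{SHA}</TT>, <TT>{SMD5}</TT>, <TT>{MD5}</TT> and
<TT>CLEARTEXT</TT> forms as RFC 2307 and <TT>slappasswd</TT> lay them out, and
verifies a password against a stored value. The configuration fragment is
constructed for the example, the function names are the author's own, and
<TT>CRYPT</TT> is left out because it depends on the system <TT>crypt(3)</TT>.

```python
"""userPassword values as written by smbldap-tools (added example).

Assumptions: the {SSHA}/{SHA}/{SMD5}/{MD5} layouts of RFC 2307 as produced by
slappasswd (base64 of digest, followed by the salt for the salted forms; 4-byte
salt by default). CRYPT is intentionally not implemented.
"""
import base64
import hashlib
import hmac
import os
import re

# Constructed smbldap.conf fragment, in the KEY="value" syntax used on the page.
SAMPLE_SMBLDAP_CONF = '''\
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"
suffix="dc=idealx,dc=org"
usersdn="ou=Users,${suffix}"
'''

_KV = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*$')
_REF = re.compile(r"\$\{(\w+)\}")
_SCHEME = re.compile(r"^\{([A-Z0-9]+)\}(.*)$")
_DIGEST = {"SHA": ("sha1", 20), "SSHA": ("sha1", 20),
           "MD5": ("md5", 16), "SMD5": ("md5", 16)}


def parse_smbldap_conf(text):
    """Parse KEY="value" lines (comments skipped) and expand ${key} references
    to keys defined earlier, as smbldap.conf does for usersdn, groupsdn, ..."""
    conf = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.groups()
        conf[key] = _REF.sub(lambda ref: conf.get(ref.group(1), ""), value)
    return conf


def make_userpassword(scheme, password, salt=None):
    """Return the userPassword value for one hash_encrypt scheme."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme == "CLEARTEXT":
        return password                     # stored verbatim: never use it
    if scheme not in _DIGEST:
        raise ValueError("unsupported hash_encrypt value: %s" % scheme)
    algo, _ = _DIGEST[scheme]
    if scheme in ("SSHA", "SMD5"):
        salt = os.urandom(4) if salt is None else salt   # slappasswd: 4 bytes
        payload = hashlib.new(algo, pw + salt).digest() + salt
    else:
        payload = hashlib.new(algo, pw).digest()         # unsalted, weaker
    return "{%s}%s" % (scheme, base64.b64encode(payload).decode("ascii"))


def check_userpassword(stored, password):
    """Verify a clear-text password against a stored userPassword value.
    A value without a {SCHEME} prefix is treated as CLEARTEXT."""
    pw = password.encode("utf-8")
    m = _SCHEME.match(stored)
    if not m:
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, payload = m.group(1), base64.b64decode(m.group(2))
    if scheme not in _DIGEST:
        raise ValueError("unsupported scheme: %s" % scheme)
    algo, n = _DIGEST[scheme]
    digest, salt = payload[:n], payload[n:]   # salt is whatever follows the digest
    if scheme in ("SHA", "MD5") and salt:
        return False                           # unsalted scheme must carry no salt
    return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)


def userpassword_for_config(conf_text, password):
    """Produce the value the scripts would store under this smbldap.conf."""
    conf = parse_smbldap_conf(conf_text)
    return make_userpassword(conf.get("hash_encrypt", "SSHA"), password)


if __name__ == "__main__":
    conf = parse_smbldap_conf(SAMPLE_SMBLDAP_CONF)
    print("users container:", conf["usersdn"])   # ou=Users,dc=idealx,dc=org
    stored = userpassword_for_config(SAMPLE_SMBLDAP_CONF, "samba")
    print("stored:", stored, "verifies:", check_userpassword(stored, "samba"))
    print("rootpw candidate:", make_userpassword("SSHA", "secret"))
```

The salted forms embed the salt after the digest, so two entries with the same
password store different values; the unsalted <TT>{SHA}</TT> and
<TT>{MD5}</TT> forms do not, which is why <TT>SSHA</TT> is the sensible
default.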
You then need to modify the configuration files:
<UL><LI>
file <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT>
 <PRE>
 slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
 slavePw="samba"
 masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
 masterPw="samba"
 </PRE>(the password is in clear text here: keep the file root-owned with mode
 0600)<LI>file <TT>/etc/samba/smb.conf</TT>
 <PRE>
 ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
 </PRE>don't forget to also store the samba account password in the
 <TT>secrets.tdb</TT> file :
<PRE>
smbpasswd -w samba
</PRE><LI>file <TT>/etc/openldap/slapd.conf</TT>: give the
 <I>samba</I> user permission to modify some attributes: this
 user needs to be able to modify all the samba attributes and some
 others (uidNumber, gidNumber ...) :
 <PRE>
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by self write
        by anonymous auth
        by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by * read
# some attributes can be written by users themselves
access to attrs=description,telephoneNumber
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by self write
        by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by self read
        by * none
# samba needs to be able to create the samba domain account
access to dn.base="dc=idealx,dc=com"
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by * none
# samba needs to be able to create new user accounts
access to dn="ou=Users,dc=idealx,dc=com"
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by * none
# samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=idealx,dc=com"
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by * none
# samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=idealx,dc=com"
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by * none
# this can be omitted but we leave it: there could be other branches
# in the directory
access to *
        by self read
        by * none
 </PRE></UL>
Two points to keep in mind when adapting this ACL. First, <TT>slapd</TT>
evaluates <TT>access to</TT> clauses in order and uses the first one whose
target matches, ignoring the later ones for that target; an attribute listed
in several clauses is therefore governed only by the first. Here <TT>cn</TT>
is readable by everybody through the second clause, so the <TT>by self read /
by * none</TT> of the fourth clause never applies to it; the same holds for
<TT>description</TT> (third clause) and for <TT>sambaLMPassword</TT>,
<TT>sambaNTPassword</TT>, <TT>sambaPwdLastSet</TT> and
<TT>sambaPwdMustChange</TT>, which the first clause already covers. Keep each
attribute in a single clause so that the intended rights are the ones actually
enforced. Second, the <TT>rootdn</TT> (<TT>cn=Manager</TT>) is never subject
to ACLs, so it retains full access whatever is written here; the <TT>samba</TT>
account, on the other hand, gets exactly what these clauses grant and nothing
else.
<A NAME="toc29"></A>
<H3><A NAME="htoc48">8.3</A> Known bugs</H3>
<UL><LI>
Option <I>-B</I> (user must change password) of
 <TT>smbldap-useradd</TT> has no effect: when the
 <TT>smbldap-passwd</TT> script is called, the
 <I>sambaPwdMustChange</I> attribute is rewritten.
</UL>

<HR>
<A HREF="smbldap-tools008.html"><IMG SRC ="previous_motif.gif" ALT="Previous"></A>
<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Up"></A>
</BODY>
</HTML>