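#!/usr/bin/perl -w

# $Id: configure.pl,v 1.13 2004/06/25 20:57:51 jtournier Exp $
# $Source: /opt/cvs/samba/smbldap-tools/configure.pl,v $

# This script helps you set up the smbldap-tools configuration files
# (smbldap.conf and smbldap_bind.conf).  It reads the default values that
# are defined in the smb.conf configuration file, asks you to confirm or
# change every parameter, then rewrites both files (keeping a .old backup of
# each).  You will also need the SID of your samba domain: set up the domain
# controller before using this script.

# This code was developed by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
# USA.


use strict;
use warnings;

# we need to be root to configure the scripts
if ($< != 0) {
    die "Only root can configure the smbldap-tools scripts\n";
}

print "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 smbldap-tools script configuration
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Before starting, check
 . if your samba controller is up and running.
 . if the domain SID is defined (you can get it with the 'net getlocalsid')

 . you can leave the configuration using the Crtl-c key combination
 . empty value can be set with the \".\" caracter\n";
print "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n";
print "Looking for configuration files...\n\n";

# _locate_config($prompt, @candidates)
# Offer the first existing file among @candidates as the default, print
# "$prompt [default] > " and return what the operator typed, or the default
# when the line is empty.  Returns '' when no candidate exists and nothing
# is typed (the later open() then fails with a clear message).
sub _locate_config {
    my ($prompt, @candidates) = @_;
    my ($default) = grep { -e $_ } @candidates;
    $default = '' unless defined $default;
    print "$prompt [$default] > ";
    my $answer = <STDIN>;
    $answer = '' unless defined $answer;    # end of input: keep the default
    chomp $answer;
    return $answer eq '' ? $default : $answer;
}

my $smb_conf = _locate_config('Samba Config File Location',
    '/etc/samba/smb.conf', '/usr/local/samba/lib/smb.conf');
my $smbldap_conf = _locate_config('smbldap Config file Location (global parameters)',
    '/etc/smbldap-tools/smbldap.conf');
my $smbldap_bind_conf = _locate_config('smbldap Config file Location (bind parameters)',
    '/etc/smbldap-tools/smbldap_bind.conf');


# Let's read the smb.conf configuration file.
# %config maps each "param = value" line to its value: the parameter name is
# lower-cased with all whitespace removed (so "passdb backend" becomes
# "passdbbackend"), the value has leading whitespace and double quotes removed.
# Section headers and lines starting with '#' or ';' are ignored.
my %config;
# Three-argument open: a path typed at the prompt is only ever a file name,
# never a mode prefix or a "cmd |" pipe as it could be with two-argument open.
open my $smb_fh, '<', $smb_conf or die "Unable to open $smb_conf for reading !\n";
while (my $line = <$smb_fh>) {
    chomp $line;
    $line =~ s/^\s+//;              # eat leading whitespace
    $line =~ s/\s+$//;              # eat trailing whitespace
    next if $line =~ /^[#;]/;       # throw away comments
    next unless $line =~ /^([^=]*)=(.*)$/;   # only "param = value" lines
    my ($param, $value) = ($1, $2);
    $param = lc $param;
    $param =~ s/\s+//g;
    $value =~ s/^\s+//;
    $value =~ s/"//g;
    $config{$param} = $value;
}
close $smb_fh;

print "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";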
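print "Let's start configuring the smbldap-tools scripts ...\n\n";

# Needed for sysopen() in _write_config below.  "use" is compile-time, so
# importing it here has the same effect as importing it at the top of the file.
use Fcntl qw(O_WRONLY O_CREAT O_TRUNC);

# _prompt_once($description, $default)
# Print "$description [default] > ", read one line and return the chosen value.
# When $default is the name of a key of %config (filled from smb.conf) the
# value of that key is offered instead of $default itself.  An empty line
# keeps the offered default, a lone "." selects the empty string, anything
# else is taken literally.  Dies on end of input: nothing has been written
# yet at that point, and a mandatory parameter would otherwise loop forever.
sub _prompt_once {
    my ($description, $default) = @_;
    my $offered = defined $config{$default} ? $config{$default} : $default;
    print "$description [$offered] > ";
    my $answer = <STDIN>;
    die "\nEnd of input reached, configuration files left untouched\n"
        unless defined $answer;
    chomp $answer;
    return $offered if $answer eq '';
    return ''       if $answer eq '.';
    return $answer;
}

# read_entry($description, $default, $insist)
# Ask the operator for one parameter and return the chosen value.
#   $description  text printed before the "[default] >" prompt
#   $default      literal default value, or the name of a key of %config
#                 (smb.conf parameters, lower-cased and without spaces, e.g.
#                 "netbiosname"); when the key exists its value is offered.
#                 To list the available keys:
#                   foreach my $tmp (keys %config) { print "$tmp=$config{$tmp}\n" }
#   $insist       optional, default 0; when 1 there is no usable default and
#                 the prompt is repeated until a non-empty value is entered
sub read_entry {
    my ($description, $default, $insist) = @_;
    $insist  = 0  unless defined $insist;
    $default = '' unless defined $default;   # e.g. a value not derivable from smb.conf
    chomp $default;

    my $value = _prompt_once($description, $default);
    if ($insist == 1 && $value eq '') {
        # Drop the leading bullet from the description once for the repeated
        # prompts.  (Formerly the unanchored substitution ran on every turn
        # and progressively ate the description text.)
        $description =~ s/^. / /;
        while ($value eq '') {
            print " Warning: You really need to set this parameter...\n";
            $value = _prompt_once($description, '');
        }
    }
    return $value;
}

# read_secret_entry($description)
# Like read_entry($description, '', 1) but with terminal echo switched off
# while the value is typed.  Echo is restored even when the prompt dies (end
# of input) or is interrupted with Ctrl-C, which formerly left the terminal
# without echo.
sub read_secret_entry {
    my ($description) = @_;
    system 'stty', '-echo';         # list form: no shell involved
    my $secret = eval {
        local $SIG{INT} = sub { die "interrupted\n" };
        read_entry($description, '', 1);
    };
    my $error = $@;
    print "\n";
    system 'stty', 'echo';
    die $error if $error;
    return $secret;
}

# _lookup_local_sid($netbios_name)
# Return the SID reported by "net getlocalsid [$netbios_name]" (the text
# after the first colon of its output), or '' when "net" is missing or
# fails.  The command runs without a shell and its stderr is discarded, as
# the old backtick call did with 2>/dev/null.  The old call escaped the
# variable, so the shell saw an empty $netbios_name and never passed the
# name; it is passed now whenever it is non-empty.
sub _lookup_local_sid {
    my ($netbios_name) = @_;
    my @cmd = ('net', 'getlocalsid');
    push @cmd, $netbios_name if defined $netbios_name && $netbios_name ne '';

    my $sid = '';
    open my $saved_stderr, '>&', \*STDERR or return $sid;
    open STDERR, '>', '/dev/null';  # best effort: only silences "net"
    if (open my $net_fh, '-|', @cmd) {
        while (my $out = <$net_fh>) {
            # e.g. "SID for domain FOO is: S-1-5-21-..."
            if ($out =~ /:\s*(\S+)/) {
                $sid = $1;
                last;
            }
        }
        close $net_fh;
    }
    open STDERR, '>&', $saved_stderr;
    return $sid;
}

print ". workgroup name: name of the domain Samba act as a PDC\n";
my $workgroup = read_entry(" workgroup name", "workgroup", 0);

print ". netbios name: netbios name of the samba controler\n";
my $netbios_name = read_entry(" netbios name", "netbiosname", 0);

print ". logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'\n";
my $logondrive = read_entry(" logon drive", "logondrive", 0);

print ". logon home: home directory location (for Win95/98 or NT Workstation).\n (use %U as username) Ex:'\\\\$netbios_name\\home\\%U'\n";
my $logonhome = read_entry(" logon home (leave blank if you don't want homeDirectory)", "\\\\$netbios_name\\home\\%U", 0);

print ". logon path: directory where roaming profiles are stored. Ex:'\\\\$netbios_name\\profiles\\%U'\n";
my $logonpath = read_entry(" logon path (leave blank if you don't want roaming profile)", "\\\\$netbios_name\\profiles\\%U", 0);

my $userHome = read_entry(". home directory prefix (use %U as username)", "/home/%U", 0);

my $userScript = read_entry(". default user netlogon script (use %U as username)", "%U.cmd", 0);

my $defaultMaxPasswordAge = read_entry(" default password validation time (time in days)", "45", 0);

#############################
# ldap directory parameters #
#############################
my $ldap_suffix = read_entry(". ldap suffix", "ldapsuffix", 0);
# The "ou=" prefix is stripped here and added back when the *dn values are
# written, so the operator may answer either "ou=Users" or "Users".
my $ldap_group_suffix = read_entry(". ldap group suffix", "ldapgroupsuffix", 0);
$ldap_group_suffix =~ s/^ou=//i;
my $ldap_user_suffix = read_entry(". ldap user suffix", "ldapusersuffix", 0);
$ldap_user_suffix =~ s/^ou=//i;
my $ldap_machine_suffix = read_entry(". ldap machine suffix", "ldapmachinesuffix", 0);
$ldap_machine_suffix =~ s/^ou=//i;
my $ldap_idmap_suffix = read_entry(". Idmap suffix", "ldapidmapsuffix", 0);
print ". sambaUnixIdPooldn: object where you want to store the next uidNumber\n";
print " and gidNumber available for new users and groups\n";
my $sambaUnixIdPooldn = read_entry(" sambaUnixIdPooldn object (relative to \${suffix})", "cn=NextFreeUnixId", 0);

# parameters for the master ldap server: the host part of the first
# ldap:// or ldaps:// URL in "passdb backend", else the local host.  A URL
# without a trailing slash formerly produced an undefined default here.
my $server = '127.0.0.1';
if (defined $config{passdbbackend}
    && $config{passdbbackend} =~ m{ldaps?://([^/\s]+)}) {
    $server = $1;
}
print ". ldap master server: IP adress or DNS name of the master (writable) ldap server\n";
my $ldapmasterserver = read_entry(" ldap master server", $server, 0);
my $ldapmasterport = read_entry(". ldap master port",
    defined $config{ldapport} ? "ldapport" : "389", 0);
my $ldap_master_admin_dn = read_entry(". ldap master bind dn", "ldapadmindn", 0);
my $ldap_master_bind_password = read_secret_entry(". ldap master bind password");

# parameters for the slave ldap server
print ". ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one\n";
my $ldap_slave_server = read_entry(" ldap slave server", $server, 0);
my $ldap_slave_port = read_entry(". ldap slave port",
    defined $config{ldapport} ? "ldapport" : "389", 0);
my $ldap_slave_admin_dn = read_entry(". ldap slave bind dn", "ldapadmindn", 0);
my $ldap_slave_bind_password = read_secret_entry(". ldap slave bind password");

my $ldaptls = read_entry(". ldap tls support (1/0)", "0", 0);
# numeric test as before, but without a warning for a non-numeric answer
my $use_tls = ($ldaptls =~ /^\d+$/ && $ldaptls == 1);
# Empty strings (not undef) so the rewrite below can always emit verify="" etc.
my ($cert_verify, $cert_cafile, $cert_clientcert, $cert_clientkey) = ('', '', '', '');
if ($use_tls) {
    $cert_verify = read_entry(". How to verify the server's certificate (none, optional or require)", "require", 0);
    $cert_cafile = read_entry(". CA certificate file", "/etc/smbldap-tools/ca.pem", 0);
    $cert_clientcert = read_entry(". certificate to use to connect to the ldap server", "/etc/smbldap-tools/smbldap-tools.pem", 0);
    $cert_clientkey = read_entry(". key certificate to use to connect to the ldap server", "/etc/smbldap-tools/smbldap-tools.key", 0);
}

# let's test if any sid is available
my $sid_tmp = _lookup_local_sid($netbios_name);
print ". SID for domain $workgroup: SID of the domain (can be obtained with 'net getlocalsid $netbios_name')\n";
my $sid = read_entry(" SID for domain $workgroup", $sid_tmp, 0);

print ". unix password encryption: encryption used for unix passwords\n";
my $cryp_algo = read_entry(" unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)", "SSHA", 0);
my $crypt_salt_format;
if ($cryp_algo eq "CRYPT") {
    print ". crypt salt format: If hash_encrypt is set to CRYPT, you may set \n";
    print " a salt format. The default is \"%s\", but many systems will generate\n";
    print " MD5 hashed passwords if you use \"\$1\$%.8s\"\n";
    $crypt_salt_format = read_entry(" crypt salt format", "%s", 0);
}

my $default_user_gidnumber = read_entry(". default user gidNumber", "513", 0);

my $default_computer_gidnumber = read_entry(". default computer gidNumber", "515", 0);

my $userLoginShell = read_entry(". default login shell", "/bin/bash", 0);

my $mailDomain = read_entry(". default domain name to append to mail adress", "", 0);

### Let's now incorporate our modifications
# New values for smbldap.conf, keyed by the parameter name that starts the
# line.  Every line of the form "key = ..." after the "# General
# Configuration" marker whose key is listed here is replaced by key="value";
# other lines are copied unchanged.  NOTE(review): the idmap entry is keyed
# "idmapdn" (the old code matched any line starting with "idmap") — confirm
# against the stock smbldap.conf if a different key is in use.
my %new_global = (
    SID                   => $sid,
    slaveLDAP             => $ldap_slave_server,
    slavePort             => $ldap_slave_port,
    masterLDAP            => $ldapmasterserver,
    masterPort            => $ldapmasterport,
    ldapTLS               => $ldaptls,
    verify                => $cert_verify,
    cafile                => $cert_cafile,
    clientcert            => $cert_clientcert,
    clientkey             => $cert_clientkey,
    suffix                => $ldap_suffix,
    usersdn               => "ou=$ldap_user_suffix,\${suffix}",
    computersdn           => "ou=$ldap_machine_suffix,\${suffix}",
    groupsdn              => "ou=$ldap_group_suffix,\${suffix}",
    idmapdn               => "$ldap_idmap_suffix,\${suffix}",
    sambaUnixIdPooldn     => "$sambaUnixIdPooldn,\${suffix}",
    hash_encrypt          => $cryp_algo,
    userHome              => $userHome,
    defaultUserGid        => $default_user_gidnumber,
    defaultComputerGid    => $default_computer_gidnumber,
    defaultMaxPasswordAge => $defaultMaxPasswordAge,
    userLoginShell        => $userLoginShell,
    userSmbHome           => $logonhome,
    userScript            => $userScript,
    mailDomain            => $mailDomain,
    userProfile           => $logonpath,
    userHomeDrive         => $logondrive,
);
# only touched when CRYPT was selected, as before
$new_global{crypt_salt_format} = $crypt_salt_format if defined $crypt_salt_format;

open my $conf_in, '<', $smbldap_conf or die "Unable to open $smbldap_conf for reading!\n";
my $lines = '';
my $begin_parameter = 0;
while (my $line = <$conf_in>) {
    chomp $line;
    $begin_parameter = 1 if $line =~ /# General Configuration/;
    if ($begin_parameter && $line =~ /^\s*(\w+)\s*=/) {
        my $key = $1;
        $line = "$key=\"$new_global{$key}\"" if exists $new_global{$key};
    }
    $lines .= "$line\n";
}
close $conf_in;

# New values for smbldap_bind.conf; every line of the file is a candidate.
my %new_bind = (
    masterDN => $ldap_master_admin_dn,
    masterPw => $ldap_master_bind_password,
    slaveDN  => $ldap_slave_admin_dn,
    slavePw  => $ldap_slave_bind_password,
);

open my $bind_in, '<', $smbldap_bind_conf or die "Unable to open $smbldap_bind_conf for reading!\n";
my $lines_bind = '';
while (my $line_bind = <$bind_in>) {
    chomp $line_bind;
    if ($line_bind =~ /^\s*(\w+)\s*=/) {
        my $key = $1;
        $line_bind = "$key=\"$new_bind{$key}\"" if exists $new_bind{$key};
    }
    $lines_bind .= "$line_bind\n";
}
close $bind_in;

print "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";

print "backup old configuration files:\n";
print " $smbldap_conf->$smbldap_conf.old\n";
print " $smbldap_bind_conf->$smbldap_bind_conf.old\n";
rename $smbldap_conf, "$smbldap_conf.old"
    or die "Unable to rename $smbldap_conf to $smbldap_conf.old: $!\n";
unless (rename $smbldap_bind_conf, "$smbldap_bind_conf.old") {
    my $reason = $!;
    # put the first file back so the installation is not left half-renamed
    rename "$smbldap_conf.old", $smbldap_conf;
    die "Unable to rename $smbldap_bind_conf to $smbldap_bind_conf.old: $reason\n";
}

# _write_config($path, $content, $mode)
# Write $content to a fresh $path and give $path and "$path.old" mode $mode.
# The file is created with $mode from the start (sysopen) so that the bind
# file, which holds the LDAP passwords, is never more permissive than 0600,
# not even between creation and the chmod — formerly it was created with the
# umask default and only chmod'ed afterwards.  Dies on any write failure.
sub _write_config {
    my ($path, $content, $mode) = @_;
    sysopen my $out_fh, $path, O_WRONLY | O_CREAT | O_TRUNC, $mode
        or die "Unable to open $path for writing !\n";
    print {$out_fh} $content or die "Unable to write $path: $!\n";
    # buffered write errors only surface at close
    close $out_fh or die "Unable to write $path: $!\n";
    my $changed = chmod $mode, $path, "$path.old";
    warn "Unable to set permissions on $path or $path.old: $!\n" if $changed != 2;
    return;
}

print "writing new configuration file:\n";
_write_config($smbldap_conf, $lines, 0644);
print " $smbldap_conf done.\n";
_write_config($smbldap_bind_conf, $lines_bind, 0600);
print " $smbldap_bind_conf done.\n";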