~ubuntu-branches/ubuntu/precise/smbldap-tools/precise
» Revision
5
: debian/patches/0009_original_doc_html_index.patch
« back to all changes in this revision
Viewing changes to debian/patches/0009_original_doc_html_index.patch
- browse files at revision 5
- compare with another revision
- download diff
- download tarball
- view history from revision 5
- Committer: Bazaar Package Importer
- Author(s): Sergio Talens-Oliag
- Date: 2007-09-24 13:24:18 UTC
- mfrom: (1.2.3 upstream)
- Revision ID: james.westby@ubuntu.com-20070924132418-8iass9n5fa0zikvc
Tags: 0.9.4-1
* New upstream release, development has moved to a new place:
https://gna.org/projects/smbldap-tools/.
The new upstream version closes some bugs:
- smbldap-passwd (make_salt): update shadowMax (to
$config{defaultMaxPasswordAge}) entry if script used with root
priviledge (Closes: Bug#404109).
- current smbldap-groupadd man page documents -o and -p options
(Closes: Bug#358381).
* Fix README.Debian according to Daniel Lawson's patch (Closes: #359314).
* Added Stefan Pfetzing's patch to create a nobody user following the Debian
style (Closes: #354092).
* The html version of the documentation is missing from the original
tarball, I've included a patch that provides a copy downloaded from the
web (Closes: Bug#425402, as the updated docs are right).
* Thanks to David Schmitt <david@schmitt.edv-bus.at> for providing a set of
patches for the package.
https://gna.org/projects/smbldap-tools/.
The new upstream version closes some bugs:
- smbldap-passwd (make_salt): update shadowMax (to
$config{defaultMaxPasswordAge}) entry if script used with root
priviledge (Closes: Bug#404109).
- current smbldap-groupadd man page documents -o and -p options
(Closes: Bug#358381).
* Fix README.Debian according to Daniel Lawson's patch (Closes: #359314).
* Added Stefan Pfetzing's patch to create a nobody user following the Debian
style (Closes: #354092).
* The html version of the documentation is missing from the original
tarball, I've included a patch that provides a copy downloaded from the
web (Closes: Bug#425402, as the updated docs are right).
* Thanks to David Schmitt <david@schmitt.edv-bus.at> for providing a set of
patches for the package.
- files added:
- debian/patches/0001_debian_nobody.patch
- doc/migration_scripts
- files removed:
- debian/patches/smbldap-usermod.patch
- files modified:
- CONTRIBUTORS
added
removed
debian/patches/0009_original_doc_html_index.patch
1
--- smbldap-tools-0.9.4.orig/doc/html/index.html
2
+++ smbldap-tools-0.9.4/doc/html/index.html
3
@@ -0,0 +1,2364 @@
4
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
5
+ "http://www.w3.org/TR/REC-html40/loose.dtd">
6
+<HTML>
7
+<HEAD><TITLE>Smbldap-tools User Manual
8
+(Release: 0.9.3 )</TITLE>
9
+
10
+<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
11
+<META name="GENERATOR" content="hevea 1.07">
12
+
13
+<link rel="stylesheet" href="IDXDOC.css">
14
+</HEAD>
15
+<BODY >
16
+<!--HEVEA command line is: hevea -fix -I ./styles -exec xxdate.exe -pedantic IDXDOC.hva smbldap-tools.tex -o smbldap-tools.html -->
17
+<!--HTMLHEAD-->
18
+
19
+
20
+ <DIV class="entete">
21
+ Copyright 2002 © IDEALX S.A.S. -
22
+ Contact: <A href="mailto:samba@IDEALX.org">samba@IDEALX.org</A>
23
+ </DIV>
24
+ <HR>
25
+<!--ENDHTML-->
26
+<!--PREFIX <ARG ></ARG>-->
27
+<!--CUT DEF section 1 -->
28
+
29
+
30
+
31
+
32
+
33
+<H1 ALIGN=center>Smbldap-tools User Manual<BR>
34
+(<I>Release</I>: 0.9.3 )</H1>
35
+
36
+<H3 ALIGN=center>J�r�me Tournier</H3>
37
+
38
+<H3 ALIGN=center><I>Revision</I>: 1.7 , generated July 12, 2007<BR>
39
+</H3>
40
+<DIV ALIGN=center>
41
+
42
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
43
+<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Release:</TD>
44
+<TD ALIGN=left NOWRAP> </TD>
45
+</TR>
46
+<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Reference:</TD>
47
+<TD ALIGN=left NOWRAP> </TD>
48
+</TR>
49
+<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Publication date:</TD>
50
+<TD ALIGN=left NOWRAP> </TD>
51
+</TR>
52
+<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Print date:</TD>
53
+<TD ALIGN=left NOWRAP>July 12, 2007</TD>
54
+</TR></TABLE>
55
+ </DIV>
56
+
57
+<BR>
58
+This document is the property of IDEALX<SUP><A NAME="text1" HREF="#note1">1</A></SUP>.
59
+Permission is granted to distribute this document under the terms of the GNU
60
+Free Documentation License (<A HREF="http://www.gnu.org/copyleft/fdl.html"><TT>http://www.gnu.org/copyleft/fdl.html</TT></A>).<BR>
61
+<BR>
62
+<!--TOC section Table of Contents-->
63
+
64
+<H2>Table of Contents</H2><!--SEC END -->
65
+
66
+<UL><LI>
67
+<A HREF="#htoc1">1 Introduction</A>
68
+<UL><LI>
69
+<A HREF="#htoc2">1.1 Software requirements</A>
70
+<LI><A HREF="#htoc3">1.2 Updates of this document</A>
71
+<LI><A HREF="#htoc4">1.3 Availability of this document</A>
72
+</UL>
73
+<LI><A HREF="#htoc5">2 Installation</A>
74
+<UL><LI>
75
+<A HREF="#htoc6">2.1 Requirements</A>
76
+<LI><A HREF="#htoc7">2.2 Installation</A>
77
+<UL><LI>
78
+<A HREF="#htoc8">2.2.1 Installing from rpm</A>
79
+<LI><A HREF="#htoc9">2.2.2 Installing from a tarball</A>
80
+</UL>
81
+</UL>
82
+<LI><A HREF="#htoc10">3 Configuring the smbldap-tools</A>
83
+<UL><LI>
84
+<A HREF="#htoc11">3.1 The smbldap.conf file</A>
85
+<LI><A HREF="#htoc12">3.2 The smbldap_bind.conf file</A>
86
+</UL>
87
+<LI><A HREF="#htoc13">4 Using the scripts</A>
88
+<UL><LI>
89
+<A HREF="#htoc14">4.1 Initial directory's population</A>
90
+<LI><A HREF="#htoc15">4.2 User management</A>
91
+<UL><LI>
92
+<A HREF="#htoc16">4.2.1 Adding a user</A>
93
+<LI><A HREF="#htoc17">4.2.2 Removing a user</A>
94
+<LI><A HREF="#htoc18">4.2.3 Modifying a user</A>
95
+</UL>
96
+<LI><A HREF="#htoc19">4.3 Group management</A>
97
+<UL><LI>
98
+<A HREF="#htoc20">4.3.1 Adding a group</A>
99
+<LI><A HREF="#htoc21">4.3.2 Removing a group</A>
100
+</UL>
101
+<LI><A HREF="#htoc22">4.4 Adding a interdomain trust account</A>
102
+</UL>
103
+<LI><A HREF="#htoc23">5 Samba and the smbldap-tools scripts</A>
104
+<UL><LI>
105
+<A HREF="#htoc24">5.1 General configuration</A>
106
+<LI><A HREF="#htoc25">5.2 Migrating an NT4 PDC to Samba3</A>
107
+</UL>
108
+<LI><A HREF="#htoc26">6 Frequently Asked Questions</A>
109
+<UL><LI>
110
+<A HREF="#htoc27">6.1 How can i use old released uidNumber and gidNumber ?</A>
111
+<LI><A HREF="#htoc28">6.2 I always have this error: "Can't locate IO/Socket/SSL.pm"</A>
112
+<LI><A HREF="#htoc29">6.3 I can't initialize the directory with <TT>smbldap-populate</TT></A>
113
+<LI><A HREF="#htoc30">6.4 I can't join the domain with the <TT>root</TT> account</A>
114
+<LI><A HREF="#htoc31">6.5 I have the <TT>sambaSamAccount</TT> but i can't logged in</A>
115
+<LI><A HREF="#htoc32">6.6 I want to create machine account on the fly, but it does
116
+ not works or I must do it twice</A>
117
+<LI><A HREF="#htoc33">6.7 I can't manage the Oracle Internet Database</A>
118
+<LI><A HREF="#htoc34">6.8 The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
119
+called, or i got a error message when changing the password from windows</A>
120
+<LI><A HREF="#htoc35">6.9 New computers account can't be set in ou=computers</A>
121
+<LI><A HREF="#htoc36">6.10 I can join the domain, but i can't log on</A>
122
+<LI><A HREF="#htoc37">6.11 I can't create a user with <TT>smbldap-useradd</TT></A>
123
+<LI><A HREF="#htoc38">6.12 smbldap-useradd: Can't call method "get_value" on an undefined value at
124
+/usr/local/sbin/smbldap-useradd line 154</A>
125
+<LI><A HREF="#htoc39">6.13 Typical errors on creating a new user or a new group</A>
126
+</UL>
127
+<LI><A HREF="#htoc40">7 Thanks</A>
128
+<LI><A HREF="#htoc41">8 Annexes</A>
129
+<UL><LI>
130
+<A HREF="#htoc42">8.1 Full configuration files</A>
131
+<UL><LI>
132
+<A HREF="#htoc43">8.1.1 The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</A>
133
+<LI><A HREF="#htoc44">8.1.2 The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</A>
134
+<LI><A HREF="#htoc45">8.1.3 The samba configuration file : <TT>/etc/samba/smb.conf</TT> </A>
135
+<LI><A HREF="#htoc46">8.1.4 The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></A>
136
+</UL>
137
+<LI><A HREF="#htoc47">8.2 Changing the administrative account (<TT>ldap admin
138
+ dn</TT> in <TT>smb.conf</TT> file)</A>
139
+<LI><A HREF="#htoc48">8.3 known bugs</A>
140
+</UL>
141
+</UL>
142
+
143
+
144
+
145
+<!--TOC section Introduction-->
146
+
147
+<H2><A NAME="htoc1">1</A> Introduction</H2><!--SEC END -->
148
+
149
+<A NAME="sec:intro"></A>
150
+Smbldap-tools is a set of scripts designed to help integrate Samba and a
151
+LDAP directory. They target both users and administrators of Linux systems.<BR>
152
+<BR>
153
+Users can change their password in a way similar to the standard ``passwd''
154
+command.<BR>
155
+<BR>
156
+Administrators can perform user and group management command line actions
157
+and synchronise Samba account management consistently.<BR>
158
+<BR>
159
+This document presents:
160
+<UL><LI>
161
+a detailled view of the smbldap-tools scripts
162
+<LI>a step by step explanation of how to set up a Samba3 domain controller
163
+</UL>
164
+<!--TOC subsection Software requirements-->
165
+
166
+<H3><A NAME="htoc2">1.1</A> Software requirements</H3><!--SEC END -->
167
+
168
+The smbldap-tools have been developped and tested with the following configuration :
169
+<UL><LI>
170
+<FONT COLOR=purple><I>Linux</I></FONT> CentOS4 (be should work on any <FONT COLOR=purple><I>Linux</I></FONT> distribution)
171
+<LI> <FONT COLOR=purple>Samba</FONT> release 3.0.10,
172
+<LI><FONT COLOR=purple>OpenLDAP</FONT> release 2.2.13
173
+<LI><FONT COLOR=purple>Microsoft Windows NT</FONT> 4.0, Windows 2000 and Windows XP Workstations and Servers,
174
+</UL>
175
+This guide applies to <FONT COLOR=purple>smbldap-tools</FONT> <I>Release</I>: 0.9.3 .<BR>
176
+<BR>
177
+<!--TOC subsection Updates of this document-->
178
+
179
+<H3><A NAME="htoc3">1.2</A> Updates of this document</H3><!--SEC END -->
180
+
181
+The most up to date release of this document may be found on the
182
+smbldap-tools project page available at <A HREF="http://sourceforge.net/projects/smbldap-tools/"><TT>http://sourceforge.net/projects/smbldap-tools/</TT></A>.<BR>
183
+<BR>
184
+If you find any bugs in this document, or if you want this document to
185
+integrate some additional infos, please drop me a mail with your bug report
186
+and/or change request at <U>jtournier@gmail.com</U>.<BR>
187
+<BR>
188
+<!--TOC subsection Availability of this document-->
189
+
190
+<H3><A NAME="htoc4">1.3</A> Availability of this document</H3><!--SEC END -->
191
+
192
+This document is the property of <FONT COLOR=purple>IDEALX</FONT> (<A HREF="http://www.IDEALX.com/"><TT>http://www.IDEALX.com/</TT></A>). <BR>
193
+<BR>
194
+Permission is granted to distribute this document under the terms of the GNU
195
+Free Documentation License (See <A HREF="http://www.gnu.org/copyleft/fdl.html"><TT>http://www.gnu.org/copyleft/fdl.html</TT></A>).
196
+ <!--TOC section Installation-->
197
+
198
+<H2><A NAME="htoc5">2</A> Installation</H2><!--SEC END -->
199
+
200
+<!--TOC subsection Requirements-->
201
+
202
+<H3><A NAME="htoc6">2.1</A> Requirements</H3><!--SEC END -->
203
+
204
+The main requirement for using smbldap-tools are the two perl module:
205
+Net::LDAP and Crypt::SmbHash.
206
+In most cases, you'll also need the IO-Socket-SSL Perl module to use
207
+TLS functionnality.<BR>
208
+<BR>
209
+If you want samba to call the scripts so that you can use the User
210
+Manager (or any other) under MS-Windows (to add, delete modify users and
211
+groups), <FONT COLOR=purple>Samba</FONT> must be installed on the same computer.
212
+Finally, <FONT COLOR=purple>OpenLDAP</FONT> can be installed on any computer. Please check that it
213
+can be contacted by a standard LDAP client software.<BR>
214
+<BR>
215
+<FONT COLOR=purple>Samba</FONT> and <FONT COLOR=purple>OpenLDAP</FONT> installations will not be discussed
216
+here. You can consult the howto also available on the
217
+project page (<A HREF="http://sourceforge.net/projects/smbldap-tools/"><TT>http://sourceforge.net/projects/smbldap-tools/</TT></A>).<BR>
218
+<BR>
219
+<!--TOC subsection Installation-->
220
+
221
+<H3><A NAME="htoc7">2.2</A> Installation</H3><!--SEC END -->
222
+
223
+An archive of the <FONT COLOR=purple>smbldap-tools</FONT> scripts can be downloaded on our project
224
+page <A HREF="http://sourceforge.net/projects/smbldap-tools/"><TT>http://sourceforge.net/projects/smbldap-tools/</TT></A>. Archive and RedHat packages are
225
+available.
226
+<BR>
227
+If you are upgrading, look at the <TT>INSTALL</TT> file or read the link
228
+<A HREF="#faq::error::add::user">6.13</A>.<BR>
229
+<BR>
230
+<!--TOC subsubsection Installing from rpm-->
231
+
232
+<H4><A NAME="htoc8">2.2.1</A> Installing from rpm</H4><!--SEC END -->
233
+
234
+To install the scripts on a RedHat system, download the RPM
235
+package and run the following command:
236
+<PRE>
237
+rpm -Uvh smbldap-tools-0.9.3-1.i386.rpm
238
+</PRE>
239
+<!--TOC subsubsection Installing from a tarball-->
240
+
241
+<H4><A NAME="htoc9">2.2.2</A> Installing from a tarball</H4><!--SEC END -->
242
+
243
+On non RedHat system, download a source archive of the scripts. The current
244
+archive is <TT>smbldap-tools-0.9.3.tar.gz</TT>.
245
+Uncompress it and copy all of the Perl scripts in <TT>/usr/sbin</TT>
246
+directory, and the two configuration files in
247
+<TT>/etc/smbldap-tools/</TT> directory:
248
+<PRE>
249
+mkdir /etc/smbldap-tools/
250
+cp *.conf /etc//smbldap-tools/
251
+cp smbldap-* /usr/sbin/
252
+</PRE>
253
+The configuration is now based on two differents files:
254
+<UL><LI>
255
+<TT>smbldap.conf</TT>: define global parameter
256
+<LI><TT>smbldap_bind.conf</TT>: define an administrative account to
257
+ bind to the directory
258
+</UL>
259
+The second file <B>must</B> be readable only for 'root', as it contains
260
+credentials allowing modifications on all the directory. Make sure the
261
+files are protected by running the following commands:
262
+<PRE>
263
+chmod 644 /etc/smbldap-tools/smbldap.conf
264
+chmod 600 /etc/smbldap-tools/smbldap_bind.conf
265
+</PRE> <!--TOC section Configuring the smbldap-tools-->
266
+
267
+<H2><A NAME="htoc10">3</A> Configuring the smbldap-tools</H2><!--SEC END -->
268
+
269
+As mentioned in the previous section, you'll have to update two
270
+configuration files. The first (<TT>smbldap.conf</TT>) allows you to
271
+set global parameter that are readable by everybody, and the second
272
+(<TT>smbldap_bind.conf</TT>) defines two administrative accounts to
273
+bind to a slave and a master ldap server: this file must thus be
274
+readable only by root.<BR>
275
+<BR>
276
+A script named <TT>configure.pl</TT> can help you to set their contents
277
+up. It is located in the tarball
278
+downloaded or in the documentation directory if you got the RPM
279
+archive (see <TT>/usr/share/doc/smbldap-tools-0.9.3/</TT>). Just invoke it:
280
+<PRE>
281
+/usr/share/doc/smbldap-tools-0.9.3/configure.pl
282
+</PRE>It will ask for the default values defined in your
283
+<TT>smb.conf</TT> file, and will update the two configuration files used
284
+by the scripts. Samba configuration file should then be already configured.
285
+Note that you can stop the script at any moment with
286
+the <TT>Crtl-c</TT> keys.<BR>
287
+Before using this script :
288
+<UL><LI>
289
+the two configuration files <B>must</B> be present in the
290
+ <TT>/etc/smbldap-tools/</TT> directory
291
+<LI>check that samba is configured and running, as the script will try to
292
+ get your workgroup's domain secure id (SID).
293
+</UL>
294
+In those files, parameters are defined like this:
295
+<PRE>
296
+key="value"
297
+</PRE>Full example configuration files can be found at
298
+<A HREF="#configuration::files">8.1</A>.<BR>
299
+<BR>
300
+<!--TOC subsection The smbldap.conf file-->
301
+
302
+<H3><A NAME="htoc11">3.1</A> The smbldap.conf file</H3><!--SEC END -->
303
+
304
+This file is used to define parameters that can be readable by
305
+everybody. A full example file is available in section <A HREF="#configuration::file::smbldap">8.1.1</A>.<BR>
306
+<BR>
307
+Let's have a look at all available parameters.
308
+<UL><LI>
309
+<TT>UID_START</TT> and <TT>GID_START</TT> : parameters deprecated
310
+ <UL><LI>
311
+ Those parameters must be removed or commented.
312
+ <LI>Available uid and gid are now defined in the default
313
+ new entry <TT>sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"</TT>.
314
+ See later for <TT>${sambaDomain}</TT> and <TT>${suffix}</TT> definitions.
315
+ </UL>
316
+<LI><TT>SID</TT> : Secure Identifier Domain
317
+ <UL><LI>
318
+ Example: <TT>SID="S-1-5-21-3703471949-3718591838-2324585696"</TT>
319
+ <LI>Remark: you can get the SID for your domain using the "<TT>net getlocalsid</TT>"
320
+ command. Samba must be up and running for this to work (it can take <B>several</B> minutes for a Samba server to correctly negotiate its status with other network servers).
321
+ </UL>
322
+<LI><TT>sambaDomain</TT> : Samba Domain the Samba server is in charge
323
+ <UL><LI>
324
+ Example: <TT>sambaDomain="DOMSMB"</TT>
325
+ <LI>Remark: if not defined, parameter is taking from smb.conf configuration file
326
+ </UL>
327
+<LI><TT>slaveLDAP</TT> : slave LDAP server
328
+ <UL><LI>
329
+ Example: <TT>slaveLDAP="127.0.0.1"</TT>
330
+ <LI>Remark: must be a resolvable DNS name or it's IP address
331
+ </UL>
332
+<LI><TT>slavePort</TT> : port to contact the slave server
333
+ <UL><LI>
334
+ Example: <TT>slavePort="389"</TT>
335
+ </UL>
336
+<LI><TT>masterLDAP</TT> : master LDAP server
337
+ <UL><LI>
338
+ Example: <TT>masterLDAP="127.0.0.1"</TT>
339
+ </UL>
340
+<LI><TT>masterPort</TT> : port to contact the master server
341
+ <UL><LI>
342
+ Example: <TT>masterPort="389"</TT>
343
+ </UL>
344
+<LI><TT>ldapTLS</TT> : should we use TLS connection to contact the
345
+ ldap servers ?
346
+ <UL><LI>
347
+ Example: <TT>ldapTLS="1"</TT>
348
+ <LI>Remark: the LDAP severs must be configured to accept TLS
349
+ connections. See section the Samba-LDAP Howto for more
350
+ details (<A HREF="http://samba.idealx.org/smbldap-howto.fr.html"><TT>http://samba.idealx.org/smbldap-howto.fr.html</TT></A>). If you are using TLS support, select port 389 to connect to
351
+ the master and slave directories.
352
+ </UL>
353
+<LI><TT>verify</TT> : How to verify the server's certificate (none, optional or require).
354
+ <UL><LI>
355
+ Example: <TT>verify="require"</TT>
356
+ <LI>Remarl: See ``man Net::LDAP'' in start_tls section for more details
357
+ </UL>
358
+<LI><TT>cafile</TT> : the PEM-format file containing certificates
359
+ for the CA that slapd will trust
360
+ <UL><LI>
361
+ Example: <TT>cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"</TT>
362
+ </UL>
363
+<LI><TT>clientcert</TT> : the file that contains the client certificate
364
+ <UL><LI>
365
+ Example: <TT>clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem"</TT>
366
+ </UL>
367
+<LI><TT>clientkey</TT> : the file that contains the private key that
368
+ matches the certificate stored in the clientcert file
369
+ <UL><LI>
370
+ Example: <TT>clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key"</TT>
371
+ </UL>
372
+<LI><TT>suffix</TT> : The distinguished name of the search base
373
+ <UL><LI>
374
+ Example: <TT>suffix="dc=idealx,dc=com"</TT>
375
+ </UL>
376
+<LI><TT>usersdn</TT> : branch in which users account can be found or
377
+ must be added
378
+ <UL><LI>
379
+ Example: <TT>usersdn="ou=Users,${suffix}"</TT>
380
+ <LI>Remark: this branch is <B>not</B> relative to the suffix value
381
+ </UL>
382
+<LI><TT>computersdn</TT> : branch in which computers account can be
383
+ found or must be added
384
+ <UL><LI>
385
+ Example: <TT>computersdn"ou=Computers,${suffix}"</TT>
386
+ <LI>Remark: this branch is <B>not</B> relative to the suffix value
387
+ </UL>
388
+<LI><TT>groupsdn</TT> : branch in which groups account can be found
389
+ or must be added
390
+ <UL><LI>
391
+ Example: <TT>groupsdn="ou=Groups,${suffix}"</TT>
392
+ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
393
+ </UL>
394
+<LI><TT>idmapdn</TT> : where are stored Idmap entries (used if samba is a domain member server)
395
+<UL><LI>
396
+ Example: <TT>idmapdn="ou=Idmap,${suffix}"</TT>
397
+ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
398
+</UL>
399
+<LI><TT>sambaUnixIdPooldn</TT> : object in which next uidNumber and gidNumber available are stored
400
+<UL><LI>
401
+ Example: <TT>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"</TT>
402
+ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
403
+</UL>
404
+<LI><TT>scope</TT> : the search scope.
405
+<UL><LI>
406
+ Example: <TT>scope="sub"</TT>
407
+</UL>
408
+<LI><TT>hash_encrypt</TT> : hash to be used when generating a
409
+ user password.
410
+ <UL><LI>
411
+ Example: <TT>hash_encrypt="SSHA"</TT>
412
+ <LI>Remark: This is used for the unix password stored in <I>userPassword</I> attribute.
413
+ </UL>
414
+<LI><TT>crypt_salt_format="%s"</TT> : if hash_encrypt is set to
415
+ CRYPT, you may set a salt format. Default is "%s", but many systems
416
+ will generate MD5 hashed passwords if you use "$1$%.8s". This
417
+ parameter is optional.
418
+<LI><TT>userLoginShell</TT> : default shell given to users.
419
+ <UL><LI>
420
+ Example: <TT>userLoginShell="/bin/bash"</TT>
421
+ <LI>Remark: This is stored in <I>loginShell</I> attribute.
422
+ </UL>
423
+<LI><TT>userHome</TT> : default directory where users's home
424
+ directory are located.
425
+ <UL><LI>
426
+ Example: <TT>userHome="/home/%U"</TT>
427
+ <LI>Remark: This is stored in <TT>homeDirectory</TT> attribute.
428
+ </UL>
429
+<LI><TT>userGecos</TT> : gecos used for users
430
+ <UL><LI>
431
+ Example: <TT>userGecos="System User"</TT>
432
+ </UL>
433
+<LI><TT>defaultUserGid</TT> : default primary group set to users accounts
434
+ <UL><LI>
435
+ Example: <TT>defaultUserGid="513"</TT>
436
+ <LI>Remark: this is stored in <I>gidNumber</I> attribute.
437
+</UL>
438
+<LI><TT>defaultComputerGid</TT> : default primary group set to
439
+ computers accounts
440
+ <UL><LI>
441
+ Example: <TT>defaultComputerGid="550"</TT>
442
+ <LI>Remark: this is stored in <I>gidNumber</I> attribute.
443
+</UL>
444
+<LI><TT>skeletonDir</TT> : skeleton directory used for users accounts
445
+ <UL><LI>
446
+ Example: <TT>skeletonDir="/etc/skel"</TT>
447
+ <LI>Remark: this option is used only if you ask for home directory creation when adding a new user.
448
+ </UL>
449
+<LI><TT>defaultMaxPasswordAge</TT> : default validation time for Samba password (in days)
450
+ <UL><LI>
451
+ Example: <TT>defaultMaxPassword="55"</TT>
452
+ </UL>
453
+<LI><TT>userSmbHome</TT> : samba share used to store user's home directory
454
+ <UL><LI>
455
+ Example:
456
+ <TT>userSmbHome="\\PDC-SMB3\ <I>home</I>\%<I>U</I>"</TT>
457
+ <LI>Remark: this is stored in <I>sambaHomePath</I> attribute.
458
+</UL>
459
+<LI><TT>userProfile</TT> : samba share used to store user's profile
460
+ <UL><LI>
461
+ Example:
462
+ <TT>userProfile="\\PDC-SMB3\ <I>profiles</I>\%<I>U</I>"</TT>
463
+ <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
464
+ </UL>
465
+<LI><TT>userHomeDrive</TT> : letter used on windows system to map
466
+ the home directory
467
+ <UL><LI>
468
+ Example: <TT>userHomeDrive="K:"</TT>
469
+ </UL>
470
+<LI><TT>userScript</TT> : default user netlogon script name. If not used, will be automatically <I>username.cmd</I>
471
+ <UL><LI>
472
+ Example:
473
+ <TT>userScript="%U"</TT>
474
+ <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
475
+ </UL>
476
+<LI><TT>mailDomain</TT> : Domain appended to the users "mail"
477
+ attribute.
478
+ <UL><LI>
479
+ Example: <TT>mailDomain="idealx.org"</TT>
480
+ </UL>
481
+<LI><TT>with_smbpasswd</TT> : should we use the <I>smbpasswd</I> command
482
+ to set the user's password (instead of the <I>mkntpwd</I> utility) ?
483
+ <UL><LI>
484
+ Example: <TT>with_smbpasswd="0"</TT>
485
+ <LI>Remark: must be a boolean value (0 or 1).
486
+ </UL>
487
+<LI><TT>smbpasswd</TT> : path to the <TT>smbpasswd</TT> binary
488
+ <UL><LI>
489
+ Example: <TT>smbpasswd="/usr/bin/smbpasswd"</TT>
490
+ </UL>
491
+<LI><TT>with_slappasswd</TT> : should we use the <I>slappasswd</I> command
492
+ to set the Unix user's password (instead of the <I>Crypt::</I> librairies) ?
493
+ <UL><LI>
494
+ Example: <TT>with_smbpasswd="0"</TT>
495
+ <LI>Remark: must be a boolean value (0 or 1).
496
+ </UL>
497
+<LI><TT>slappasswd</TT> : path to the <TT>slappasswd</TT> binary
498
+ <UL><LI>
499
+ Example: <TT>smbpasswd="/usr/sbin/slappasswd"</TT>
500
+ </UL>
501
+</UL>
502
+<!--TOC subsection The smbldap_bind.conf file-->
503
+
504
+<H3><A NAME="htoc12">3.2</A> The smbldap_bind.conf file</H3><!--SEC END -->
505
+
506
+This file is only used by <I>root</I> to give bind parameters to the directory when modifications are asked.
507
+It contains distinguised names and credentials to connect to
508
+both the master and slave directories. A full example file is available
509
+in section <A HREF="#configuration::file::smbldap::bind">8.1.2</A>.<BR>
510
+<BR>
511
+Let's have a look at all available parameters.
512
+<UL><LI>
513
+<TT>slaveDN</TT> : distinguished name used to bind to the slave server
514
+ <UL><LI>
515
+ Example 1: <TT>slaveDN="cn=Manager,dc=idealx,dc=com"</TT>
516
+ <LI>Example 2: <TT>slaveDN=""</TT>
517
+ <LI>Remark: this can be the manager account of the directory or
518
+ any LDAP account that has sufficient permissions to read the full
519
+ directory (Slave directory is only used for reading). Anonymous
520
+ connections uses the second example form.
521
+ </UL>
522
+<LI><TT>slavePw</TT> : the credentials to bind to the slave server
523
+ <UL><LI>
524
+ Example 1: <TT>slavePw="secret"</TT>
525
+ <LI>Example 2: <TT>slavePw=""</TT>
526
+ <LI>Remark: the password must be stored here in clear form. This
527
+ file must then be readable only by root! All anonymous connections
528
+ use the second form provided in our example.
529
+ </UL>
530
+<LI><TT>masterDN</TT> : the distinguished name used to bind to the master server
531
+ <UL><LI>
532
+ Example: <TT>masterDN="cn=Manager,dc=idealx,dc=com"</TT>
533
+ <LI>Remark: this can be the manager account of the directory or
534
+ any LDAP account that has enough permissions to modify the content
535
+ of the directory. Anonymous access does not make any sense here.
536
+</UL>
537
+<LI><TT>masterPw</TT> : the credentials to bind to the master server
538
+ <UL><LI>
539
+ Example: <TT>masterPw="secret"</TT>
540
+ <LI>Remark: the password must be in clear text. Be sure to protect
541
+ this file against unauthorized readers!
542
+ </UL>
543
+</UL>
544
+ <!--TOC section Using the scripts-->
545
+
546
+<H2><A NAME="htoc13">4</A> Using the scripts</H2><!--SEC END -->
547
+
548
+<!--TOC subsection Initial directory's population-->
549
+
550
+<H3><A NAME="htoc14">4.1</A> Initial directory's population</H3><!--SEC END -->
551
+
552
+You can initialize the LDAP directory using the
553
+<TT>smbldap-populate</TT> script. To do that, the account defined in
554
+the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> to access the
555
+master directory <B>must</B> must be the manager account defined in the
556
+directory configuration. On RedHat system, this file is
557
+<TT>/etc/openldap/slapd.conf</TT> and the account is defined with
558
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
559
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
560
+ CELLSPACING=0>
561
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
562
+<TR><TD>
563
+ </TD>
564
+</TR></TABLE></TD>
565
+</TR>
566
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
567
+<TR><TD>
568
+ </TD>
569
+</TR></TABLE></TD>
570
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
571
+<TR><TD><PRE>
572
+ rootdn "cn=Manager,dc=idealx,dc=com"
573
+ rootpw secret
574
+</PRE></TD>
575
+</TR></TABLE></TD>
576
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
577
+<TR><TD>
578
+ </TD>
579
+</TR></TABLE></TD>
580
+</TR>
581
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
582
+<TR><TD>
583
+ </TD>
584
+</TR></TABLE></TD>
585
+</TR></TABLE></TD>
586
+</TR></TABLE>The <TT>smbldap_bind.conf</TT> file must then be configured so that
587
+the parameters to connect to the master LDAP server match the previous ones:
588
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
589
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
590
+ CELLSPACING=0>
591
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
592
+<TR><TD>
593
+ </TD>
594
+</TR></TABLE></TD>
595
+</TR>
596
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
597
+<TR><TD>
598
+ </TD>
599
+</TR></TABLE></TD>
600
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
601
+<TR><TD><PRE>
602
+ masterDN="cn=Manager,dc=idealx,dc=com"
603
+ masterPw="secret"
604
+</PRE></TD>
605
+</TR></TABLE></TD>
606
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
607
+<TR><TD>
608
+ </TD>
609
+</TR></TABLE></TD>
610
+</TR>
611
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
612
+<TR><TD>
613
+ </TD>
614
+</TR></TABLE></TD>
615
+</TR></TABLE></TD>
616
+</TR></TABLE><BR>
617
+Available options for this script are summarized in the table <A HREF="#table::populate">1</A>:
618
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
619
+ <A NAME="code_epsilon_var"></A>
620
+ <DIV ALIGN=center>
621
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
622
+<TR><TD ALIGN=left NOWRAP>option</TD>
623
+<TD ALIGN=left NOWRAP>definition</TD>
624
+<TD ALIGN=left NOWRAP>default value</TD>
625
+</TR>
626
+<TR><TD ALIGN=left NOWRAP>-u <I>uidNumber</I></TD>
627
+<TD ALIGN=left NOWRAP>first uidNumber to allocate</TD>
628
+<TD ALIGN=left NOWRAP>1000</TD>
629
+</TR>
630
+<TR><TD ALIGN=left NOWRAP>-g <I>gidNumber</I></TD>
631
+<TD ALIGN=left NOWRAP>first uidNumber to allocate</TD>
632
+<TD ALIGN=left NOWRAP>1000</TD>
633
+</TR>
634
+<TR><TD ALIGN=left NOWRAP>-a <I>user</I></TD>
635
+<TD ALIGN=left NOWRAP>administrator login name</TD>
636
+<TD ALIGN=left NOWRAP>Administrator</TD>
637
+</TR>
638
+<TR><TD ALIGN=left NOWRAP>-b <I>user</I></TD>
639
+<TD ALIGN=left NOWRAP>guest login name</TD>
640
+<TD ALIGN=left NOWRAP>nobody</TD>
641
+</TR>
642
+<TR><TD ALIGN=left NOWRAP>-e <I>file</I></TD>
643
+<TD ALIGN=left NOWRAP>export a init file</TD>
644
+<TD ALIGN=left NOWRAP> </TD>
645
+</TR>
646
+<TR><TD ALIGN=left NOWRAP>-i <I>file</I></TD>
647
+<TD ALIGN=left NOWRAP>import a init file</TD>
648
+<TD ALIGN=left NOWRAP> </TD>
649
+</TR></TABLE>
650
+ </DIV>
651
+ <BR>
652
+<DIV ALIGN=center>Table 1: Options available for the <TT>smbldap-populate</TT> script</DIV><BR>
653
+
654
+ <A NAME="table::populate"></A>
655
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
656
+In the more general case, to set up your directory, simply use the
657
+following command:
658
+<PRE>
659
+[root@etoile root]# smbldap-populate
660
+Using builtin directory structure
661
+adding new entry: dc=idealx,dc=com
662
+adding new entry: ou=Users,dc=idealx,dc=com
663
+adding new entry: ou=Groups,dc=idealx,dc=com
664
+adding new entry: ou=Computers,dc=idealx,dc=com
665
+adding new entry: ou=Idmap,dc=idealx,dc=org
666
+adding new entry: cn=NextFreeUnixId,dc=idealx,dc=org
667
+adding new entry: uid=Administrator,ou=Users,dc=idealx,dc=com
668
+adding new entry: uid=nobody,ou=Users,dc=idealx,dc=com
669
+adding new entry: cn=Domain Admins,ou=Groups,dc=idealx,dc=com
670
+adding new entry: cn=Domain Users,ou=Groups,dc=idealx,dc=com
671
+adding new entry: cn=Domain Guests,ou=Groups,dc=idealx,dc=com
672
+adding new entry: cn=Print Operators,ou=Groups,dc=idealx,dc=com
673
+adding new entry: cn=Backup Operators,ou=Groups,dc=idealx,dc=com
674
+adding new entry: cn=Replicator,ou=Groups,dc=idealx,dc=com
675
+adding new entry: cn=Domain Computers,ou=Groups,dc=idealx,dc=com
676
+</PRE>
677
+After this step, if you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
678
+account anymore, you can create a dedicated account for Samba and the
679
+smbldap-tools. See section <A HREF="#change::manager">8.2</A> for more details.<BR>
680
+<BR>
681
+The <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> entry is only used to
682
+defined the next uidNumber and gidNumber available for creating new
683
+users and groups. The default values for those numbers are 1000. You
684
+can change it with the <TT>-u</TT> and <TT>-g</TT> option. For
685
+example, if you want the first available value for uidNumber and
686
+gidNumber to be set to 1500, you can use the following command :
687
+<PRE>
688
+smbldap-populate -u 1550 -g 1500
689
+</PRE>
690
+<!--TOC subsection User management-->
691
+
692
+<H3><A NAME="htoc15">4.2</A> User management</H3><!--SEC END -->
693
+
694
+<!--TOC subsubsection Adding a user-->
695
+
696
+<H4><A NAME="htoc16">4.2.1</A> Adding a user</H4><!--SEC END -->
697
+<A NAME="add::user"></A>
698
+To add a user, use the <TT>smbldap-useradd</TT> script. Available
699
+options are summarized in the table <A HREF="#table::add::user">2</A>. If applicable,
700
+default values are mentionned in the third column. Any string beginning with a
701
+$ symbol refers to a parameter defined in the
702
+<TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> configuration file.
703
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
704
+ <DIV ALIGN=center>
705
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
706
+<TR><TD VALIGN=top ALIGN=left>option</TD>
707
+<TD VALIGN=top ALIGN=left>definition</TD>
708
+<TD VALIGN=top ALIGN=left>example</TD>
709
+<TD VALIGN=top ALIGN=left>default value</TD>
710
+</TR>
711
+<TR><TD VALIGN=top ALIGN=left>-a</TD>
712
+<TD VALIGN=top ALIGN=left>create a Windows account. Otherwise, only a Posix account
713
+ is created</TD>
714
+<TD VALIGN=top ALIGN=left> </TD>
715
+<TD VALIGN=top ALIGN=left> </TD>
716
+</TR>
717
+<TR><TD VALIGN=top ALIGN=left>-w</TD>
718
+<TD VALIGN=top ALIGN=left>create a Windows Workstation account</TD>
719
+<TD VALIGN=top ALIGN=left> </TD>
720
+<TD VALIGN=top ALIGN=left> </TD>
721
+</TR>
722
+<TR><TD VALIGN=top ALIGN=left>-i</TD>
723
+<TD VALIGN=top ALIGN=left>create an interdomain trust account. See section
724
+ <A HREF="#trust::account">4.4</A> for more details</TD>
725
+<TD VALIGN=top ALIGN=left> </TD>
726
+<TD VALIGN=top ALIGN=left> </TD>
727
+</TR>
728
+<TR><TD VALIGN=top ALIGN=left>-u</TD>
729
+<TD VALIGN=top ALIGN=left>set a uid value</TD>
730
+<TD VALIGN=top ALIGN=left>-u 1003</TD>
731
+<TD VALIGN=top ALIGN=left>first uid available</TD>
732
+</TR>
733
+<TR><TD VALIGN=top ALIGN=left>-g</TD>
734
+<TD VALIGN=top ALIGN=left>set a gid value</TD>
735
+<TD VALIGN=top ALIGN=left>-g 1003</TD>
736
+<TD VALIGN=top ALIGN=left>first gid available</TD>
737
+</TR>
738
+<TR><TD VALIGN=top ALIGN=left>-G</TD>
739
+<TD VALIGN=top ALIGN=left>add the new account to one or several supplementary
740
+ groups (comma-separated)</TD>
741
+<TD VALIGN=top ALIGN=left>-G 512,550</TD>
742
+<TD VALIGN=top ALIGN=left> </TD>
743
+</TR>
744
+<TR><TD VALIGN=top ALIGN=left>-d</TD>
745
+<TD VALIGN=top ALIGN=left>set the home directory</TD>
746
+<TD VALIGN=top ALIGN=left>-d /var/user</TD>
747
+<TD VALIGN=top ALIGN=left>$userHomePrefix/user</TD>
748
+</TR>
749
+<TR><TD VALIGN=top ALIGN=left>-s</TD>
750
+<TD VALIGN=top ALIGN=left>set the login shell</TD>
751
+<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
752
+<TD VALIGN=top ALIGN=left>$userLoginShell</TD>
753
+</TR>
754
+<TR><TD VALIGN=top ALIGN=left>-c</TD>
755
+<TD VALIGN=top ALIGN=left>set the user gecos</TD>
756
+<TD VALIGN=top ALIGN=left>-c "admin user"</TD>
757
+<TD VALIGN=top ALIGN=left>$userGecos</TD>
758
+</TR>
759
+<TR><TD VALIGN=top ALIGN=left>-m</TD>
760
+<TD VALIGN=top ALIGN=left>creates user's home directory and copies /etc/skel
761
+ into it</TD>
762
+<TD VALIGN=top ALIGN=left> </TD>
763
+<TD VALIGN=top ALIGN=left> </TD>
764
+</TR>
765
+<TR><TD VALIGN=top ALIGN=left>-k</TD>
766
+<TD VALIGN=top ALIGN=left>set the skeleton dir (with -m)</TD>
767
+<TD VALIGN=top ALIGN=left>-k /etc/skel2</TD>
768
+<TD VALIGN=top ALIGN=left>$skeletonDir</TD>
769
+</TR>
770
+<TR><TD VALIGN=top ALIGN=left>-P</TD>
771
+<TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's
772
+ password</TD>
773
+<TD VALIGN=top ALIGN=left> </TD>
774
+<TD VALIGN=top ALIGN=left> </TD>
775
+</TR>
776
+<TR><TD VALIGN=top ALIGN=left>-A</TD>
777
+<TD VALIGN=top ALIGN=left>user can change password ? 0 if no, 1 if yes</TD>
778
+<TD VALIGN=top ALIGN=left>-A 1</TD>
779
+<TD VALIGN=top ALIGN=left> </TD>
780
+</TR>
781
+<TR><TD VALIGN=top ALIGN=left>-B</TD>
782
+<TD VALIGN=top ALIGN=left>user must change password at first session ? 0 if no, 1
783
+ if yes</TD>
784
+<TD VALIGN=top ALIGN=left>-B 1</TD>
785
+<TD VALIGN=top ALIGN=left> </TD>
786
+</TR>
787
+<TR><TD VALIGN=top ALIGN=left>-C</TD>
788
+<TD VALIGN=top ALIGN=left>set the samba home share</TD>
789
+<TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD>
790
+<TD VALIGN=top ALIGN=left>$userSmbHome</TD>
791
+</TR>
792
+<TR><TD VALIGN=top ALIGN=left>-D</TD>
793
+<TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD>
794
+<TD VALIGN=top ALIGN=left>-D H:</TD>
795
+<TD VALIGN=top ALIGN=left>$userHomeDrive</TD>
796
+</TR>
797
+<TR><TD VALIGN=top ALIGN=left>-E</TD>
798
+<TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD>
799
+<TD VALIGN=top ALIGN=left>-E common.bat</TD>
800
+<TD VALIGN=top ALIGN=left>$userScript</TD>
801
+</TR>
802
+<TR><TD VALIGN=top ALIGN=left>-F</TD>
803
+<TD VALIGN=top ALIGN=left>set the profile directory</TD>
804
+<TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD>
805
+<TD VALIGN=top ALIGN=left>$userProfile</TD>
806
+</TR>
807
+<TR><TD VALIGN=top ALIGN=left>-H</TD>
808
+<TD VALIGN=top ALIGN=left>set the samba account control bits
809
+ like'[NDHTUMWSLKI]'</TD>
810
+<TD VALIGN=top ALIGN=left>-H [X]</TD>
811
+<TD VALIGN=top ALIGN=left> </TD>
812
+</TR>
813
+<TR><TD VALIGN=top ALIGN=left>-N</TD>
814
+<TD VALIGN=top ALIGN=left>set the canonical name of the user</TD>
815
+<TD VALIGN=top ALIGN=left> </TD>
816
+<TD VALIGN=top ALIGN=left> </TD>
817
+</TR>
818
+<TR><TD VALIGN=top ALIGN=left>-S</TD>
819
+<TD VALIGN=top ALIGN=left>set the surname of the user</TD>
820
+<TD VALIGN=top ALIGN=left> </TD>
821
+<TD VALIGN=top ALIGN=left> </TD>
822
+</TR>
823
+<TR><TD VALIGN=top ALIGN=left>-M</TD>
824
+<TD VALIGN=top ALIGN=left>local mailAddress (comma seperated)</TD>
825
+<TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD>
826
+<TD VALIGN=top ALIGN=left> </TD>
827
+</TR>
828
+<TR><TD VALIGN=top ALIGN=left>-T</TD>
829
+<TD VALIGN=top ALIGN=left>forward mail address (comma seperated)</TD>
830
+<TD VALIGN=top ALIGN=left>-T
831
+ testuser@domain.org</TD>
832
+<TD VALIGN=top ALIGN=left> </TD>
833
+</TR></TABLE>
834
+ </DIV>
835
+ <BR>
836
+<DIV ALIGN=center>Table 2: Options available to the <TT>smbldap-useradd</TT> script</DIV><BR>
837
+
838
+ <A NAME="table::add::user"></A>
839
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
840
+
841
+For example, if you want to add a user named <I>user_admin</I> and who :
842
+<UL><LI>
843
+is a windows user
844
+<LI>must belong to the group of gid=512 ('Domain Admins' group)
845
+<LI>has a home directory
846
+<LI>does not have a login shell
847
+<LI>has a homeDirectory set to /dev/null
848
+<LI>does not have a roaming profile
849
+<LI>and for whom we want to set a first login password
850
+</UL>
851
+you must invoke:
852
+<PRE>
853
+smbldap-useradd -a -G 512 -m -s /bin/false -d /dev/null -F "" -P user_admin
854
+</PRE>
855
+<!--TOC subsubsection Removing a user-->
856
+
857
+<H4><A NAME="htoc17">4.2.2</A> Removing a user</H4><!--SEC END -->
858
+
859
+To remove a user account, use the <TT>smbldap-userdel</TT> script.
860
+Available options are
861
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
862
+ <DIV ALIGN=center>
863
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
864
+<TR><TD ALIGN=left NOWRAP>option</TD>
865
+<TD ALIGN=left NOWRAP>definition</TD>
866
+</TR>
867
+<TR><TD ALIGN=left NOWRAP>-r</TD>
868
+<TD ALIGN=left NOWRAP>remove home directory</TD>
869
+</TR>
870
+<TR><TD ALIGN=left NOWRAP>-R</TD>
871
+<TD ALIGN=left NOWRAP>remove home directory interactively</TD>
872
+</TR></TABLE>
873
+ </DIV>
874
+ <BR>
875
+<DIV ALIGN=center>Table 3: Option available to the <TT>smbldap-userdel</TT> script</DIV><BR>
876
+
877
+ <A NAME="table::del::user"></A>
878
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
879
+For example, if you want to remove the <I>user1</I> account
880
+from the LDAP directory, and if you also want to delete his home
881
+directory, use the following command :
882
+<PRE>
883
+smbldap-userdel -r user1
884
+</PRE>
885
+Note: '-r' is dangerous as it may delete precious and unbackuped data,
886
+please be careful.<BR>
887
+<BR>
888
+<!--TOC subsubsection Modifying a user-->
889
+
890
+<H4><A NAME="htoc18">4.2.3</A> Modifying a user</H4><!--SEC END -->
891
+<A NAME="modify::user"></A>
892
+To modify a user account, use the <TT>smbldap-usermod</TT> script.
893
+Availables options are listed in the table <A HREF="#table::modify::user">4</A>.
894
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
895
+ <DIV ALIGN=center>
896
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
897
+<TR><TD VALIGN=top ALIGN=left>option</TD>
898
+<TD VALIGN=top ALIGN=left>definition</TD>
899
+<TD VALIGN=top ALIGN=left>example</TD>
900
+</TR>
901
+<TR><TD VALIGN=top ALIGN=left>-c</TD>
902
+<TD VALIGN=top ALIGN=left>set the user gecos</TD>
903
+<TD VALIGN=top ALIGN=left>-c "admin user"</TD>
904
+</TR>
905
+<TR><TD VALIGN=top ALIGN=left>-d</TD>
906
+<TD VALIGN=top ALIGN=left>set the home directory</TD>
907
+<TD VALIGN=top ALIGN=left>-d /var/user</TD>
908
+</TR>
909
+<TR><TD VALIGN=top ALIGN=left>-u</TD>
910
+<TD VALIGN=top ALIGN=left>set a uid value</TD>
911
+<TD VALIGN=top ALIGN=left>-u 1003</TD>
912
+</TR>
913
+<TR><TD VALIGN=top ALIGN=left>-g</TD>
914
+<TD VALIGN=top ALIGN=left>set a gid value</TD>
915
+<TD VALIGN=top ALIGN=left>-g 1003</TD>
916
+</TR>
917
+<TR><TD VALIGN=top ALIGN=left>-G</TD>
918
+<TD VALIGN=top ALIGN=left>add the new account to one or several supplementary
919
+ groups (comma-separated)</TD>
920
+<TD VALIGN=top ALIGN=left>-G 512,550</TD>
921
+</TR>
922
+<TR><TD VALIGN=top ALIGN=left> </TD>
923
+<TD VALIGN=top ALIGN=left> </TD>
924
+<TD VALIGN=top ALIGN=left>-G -512,550</TD>
925
+</TR>
926
+<TR><TD VALIGN=top ALIGN=left> </TD>
927
+<TD VALIGN=top ALIGN=left> </TD>
928
+<TD VALIGN=top ALIGN=left>-G +512,550</TD>
929
+</TR>
930
+<TR><TD VALIGN=top ALIGN=left>-s</TD>
931
+<TD VALIGN=top ALIGN=left>set the login shell</TD>
932
+<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
933
+</TR>
934
+<TR><TD VALIGN=top ALIGN=left>-N</TD>
935
+<TD VALIGN=top ALIGN=left>set the canonical name of the user</TD>
936
+<TD VALIGN=top ALIGN=left> </TD>
937
+</TR>
938
+<TR><TD VALIGN=top ALIGN=left>-S</TD>
939
+<TD VALIGN=top ALIGN=left>set the surname of the user</TD>
940
+<TD VALIGN=top ALIGN=left> </TD>
941
+</TR>
942
+<TR><TD VALIGN=top ALIGN=left>-P</TD>
943
+<TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's password</TD>
944
+<TD VALIGN=top ALIGN=left> </TD>
945
+</TR>
946
+<TR><TD VALIGN=top ALIGN=left>-a</TD>
947
+<TD VALIGN=top ALIGN=left>add sambaSAMAccount objectclass</TD>
948
+<TD VALIGN=top ALIGN=left> </TD>
949
+</TR>
950
+<TR><TD VALIGN=top ALIGN=left>-e</TD>
951
+<TD VALIGN=top ALIGN=left>set an expiration date for the password (format: YYYY-MM-DD HH:MM:SS)</TD>
952
+<TD VALIGN=top ALIGN=left> </TD>
953
+</TR>
954
+<TR><TD VALIGN=top ALIGN=left>-A</TD>
955
+<TD VALIGN=top ALIGN=left>user can change password ? 0 if no, 1 if yes</TD>
956
+<TD VALIGN=top ALIGN=left>-A 1</TD>
957
+</TR>
958
+<TR><TD VALIGN=top ALIGN=left>-B</TD>
959
+<TD VALIGN=top ALIGN=left>user must change password at first session ? 0 if no, 1
960
+ if yes</TD>
961
+<TD VALIGN=top ALIGN=left>-B 1</TD>
962
+</TR>
963
+<TR><TD VALIGN=top ALIGN=left>-C</TD>
964
+<TD VALIGN=top ALIGN=left>set the samba home share</TD>
965
+<TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD>
966
+</TR>
967
+<TR><TD VALIGN=top ALIGN=left> </TD>
968
+<TD VALIGN=top ALIGN=left> </TD>
969
+<TD VALIGN=top ALIGN=left>-C ""</TD>
970
+</TR>
971
+<TR><TD VALIGN=top ALIGN=left>-D</TD>
972
+<TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD>
973
+<TD VALIGN=top ALIGN=left>-D H:</TD>
974
+</TR>
975
+<TR><TD VALIGN=top ALIGN=left> </TD>
976
+<TD VALIGN=top ALIGN=left> </TD>
977
+<TD VALIGN=top ALIGN=left>-D ""</TD>
978
+</TR>
979
+<TR><TD VALIGN=top ALIGN=left>-E</TD>
980
+<TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD>
981
+<TD VALIGN=top ALIGN=left>-E common.bat</TD>
982
+</TR>
983
+<TR><TD VALIGN=top ALIGN=left> </TD>
984
+<TD VALIGN=top ALIGN=left> </TD>
985
+<TD VALIGN=top ALIGN=left>-E ""</TD>
986
+</TR>
987
+<TR><TD VALIGN=top ALIGN=left>-F</TD>
988
+<TD VALIGN=top ALIGN=left>set the profile directory</TD>
989
+<TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD>
990
+</TR>
991
+<TR><TD VALIGN=top ALIGN=left> </TD>
992
+<TD VALIGN=top ALIGN=left> </TD>
993
+<TD VALIGN=top ALIGN=left>-F ""</TD>
994
+</TR>
995
+<TR><TD VALIGN=top ALIGN=left>-H</TD>
996
+<TD VALIGN=top ALIGN=left>set the samba account control bits like'[NDHTUMWSLKI]'</TD>
997
+<TD VALIGN=top ALIGN=left>-H [X]</TD>
998
+</TR>
999
+<TR><TD VALIGN=top ALIGN=left>-I</TD>
1000
+<TD VALIGN=top ALIGN=left>disable a user account</TD>
1001
+<TD VALIGN=top ALIGN=left>-I 1</TD>
1002
+</TR>
1003
+<TR><TD VALIGN=top ALIGN=left>-J</TD>
1004
+<TD VALIGN=top ALIGN=left>enable a user</TD>
1005
+<TD VALIGN=top ALIGN=left>-J 1</TD>
1006
+</TR>
1007
+<TR><TD VALIGN=top ALIGN=left>-M</TD>
1008
+<TD VALIGN=top ALIGN=left>local mailAddress (comma seperated)</TD>
1009
+<TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD>
1010
+</TR>
1011
+<TR><TD VALIGN=top ALIGN=left>-T</TD>
1012
+<TD VALIGN=top ALIGN=left>forward mail address (comma seperated)</TD>
1013
+<TD VALIGN=top ALIGN=left>-T
1014
+ testuser@domain.org</TD>
1015
+</TR></TABLE>
1016
+ </DIV>
1017
+ <BR>
1018
+<DIV ALIGN=center>Table 4: Options available to the <TT>smbldap-usermod</TT> script</DIV><BR>
1019
+
1020
+ <A NAME="table::modify::user"></A>
1021
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
1022
+You can also use the <TT>smbldap-userinfo</TT> script to update user's information. This script can
1023
+also be used by users themselves to update their own informations listed in the tables
1024
+<A HREF="#table::modify::self::user">5</A> (adequats ACL must be set in the directory server). Available
1025
+options are :
1026
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
1027
+ <DIV ALIGN=center>
1028
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
1029
+<TR><TD VALIGN=top ALIGN=left>option</TD>
1030
+<TD VALIGN=top ALIGN=left>definition</TD>
1031
+<TD VALIGN=top ALIGN=left>example</TD>
1032
+</TR>
1033
+<TR><TD VALIGN=top ALIGN=left>-f</TD>
1034
+<TD VALIGN=top ALIGN=left>set the full name's user</TD>
1035
+<TD VALIGN=top ALIGN=left>-f MyName</TD>
1036
+</TR>
1037
+<TR><TD VALIGN=top ALIGN=left>-r</TD>
1038
+<TD VALIGN=top ALIGN=left>set the room number</TD>
1039
+<TD VALIGN=top ALIGN=left>-r 99</TD>
1040
+</TR>
1041
+<TR><TD VALIGN=top ALIGN=left>-w</TD>
1042
+<TD VALIGN=top ALIGN=left>set the work phone number</TD>
1043
+<TD VALIGN=top ALIGN=left>-w 111111111</TD>
1044
+</TR>
1045
+<TR><TD VALIGN=top ALIGN=left>-h</TD>
1046
+<TD VALIGN=top ALIGN=left>set the home phone number</TD>
1047
+<TD VALIGN=top ALIGN=left>-h 222222222</TD>
1048
+</TR>
1049
+<TR><TD VALIGN=top ALIGN=left>-o</TD>
1050
+<TD VALIGN=top ALIGN=left>set other information (in gecos definition)</TD>
1051
+<TD VALIGN=top ALIGN=left>-o "second stage"</TD>
1052
+</TR>
1053
+<TR><TD VALIGN=top ALIGN=left>-s</TD>
1054
+<TD VALIGN=top ALIGN=left>set the default bash</TD>
1055
+<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
1056
+</TR></TABLE>
1057
+ </DIV>
1058
+ <BR>
1059
+<DIV ALIGN=center>Table 5: Options available to the <TT>smbldap-userinfo</TT> script</DIV><BR>
1060
+
1061
+ <A NAME="table::modify::self::user"></A>
1062
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
1063
+<!--TOC subsection Group management-->
1064
+
1065
+<H3><A NAME="htoc19">4.3</A> Group management</H3><!--SEC END -->
1066
+
1067
+<!--TOC subsubsection Adding a group-->
1068
+
1069
+<H4><A NAME="htoc20">4.3.1</A> Adding a group</H4><!--SEC END -->
1070
+
1071
+To add a new group in the LDAP directory, use the <TT>smbldap-groupadd</TT>
1072
+script. Available options are listed in the table
1073
+<A HREF="#table::add::group">6</A>.
1074
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
1075
+ <DIV ALIGN=center>
1076
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
1077
+<TR><TD VALIGN=top ALIGN=left NOWRAP>option</TD>
1078
+<TD VALIGN=top ALIGN=left>definition</TD>
1079
+<TD VALIGN=top ALIGN=left NOWRAP>example</TD>
1080
+</TR>
1081
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-a</TD>
1082
+<TD VALIGN=top ALIGN=left>add automatic group mapping entry</TD>
1083
+<TD VALIGN=top ALIGN=left NOWRAP> </TD>
1084
+</TR>
1085
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-g <TT>gid</TT></TD>
1086
+<TD VALIGN=top ALIGN=left>set the <I>gidNumer</I> for this group to
1087
+ <I>gid</I></TD>
1088
+<TD VALIGN=top ALIGN=left NOWRAP><TT>-g 1002</TT></TD>
1089
+</TR>
1090
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-o</TD>
1091
+<TD VALIGN=top ALIGN=left>gidNumber is not unique</TD>
1092
+<TD VALIGN=top ALIGN=left NOWRAP> </TD>
1093
+</TR>
1094
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-r <TT>group-rid</TT></TD>
1095
+<TD VALIGN=top ALIGN=left>set the rid of the group to
1096
+ <I>group-rid</I></TD>
1097
+<TD VALIGN=top ALIGN=left NOWRAP><TT>-r 1002</TT></TD>
1098
+</TR>
1099
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-s <TT>group-sid</TT></TD>
1100
+<TD VALIGN=top ALIGN=left>set the sid of the group to
1101
+ <I>group-sid</I></TD>
1102
+<TD VALIGN=top ALIGN=left NOWRAP><TT><FONT SIZE=1>-s
1103
+ S-1-5-21-3703471949-3718591838-2324585696-1002</FONT></TT></TD>
1104
+</TR>
1105
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-t <TT>group-type</TT></TD>
1106
+<TD VALIGN=top ALIGN=left>set the <I>sambaGroupType</I> to
1107
+ <I>group-type</I></TD>
1108
+<TD VALIGN=top ALIGN=left NOWRAP><TT>-t 2</TT></TD>
1109
+</TR>
1110
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-p</TD>
1111
+<TD VALIGN=top ALIGN=left>print the gidNumber to stdout</TD>
1112
+<TD VALIGN=top ALIGN=left NOWRAP> </TD>
1113
+</TR></TABLE>
1114
+ </DIV>
1115
+ <BR>
1116
+<DIV ALIGN=center>Table 6: Options available for the <TT>smbldap-groupadd</TT> script</DIV><BR>
1117
+
1118
+ <A NAME="table::add::group"></A>
1119
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
1120
+<!--TOC subsubsection Removing a group-->
1121
+
1122
+<H4><A NAME="htoc21">4.3.2</A> Removing a group</H4><!--SEC END -->
1123
+
1124
+To remove the group named <TT>group1</TT>, just use the following
1125
+command :
1126
+<PRE>
1127
+smbldap-userdel group1
1128
+</PRE>
1129
+<!--TOC subsection Adding a interdomain trust account-->
1130
+
1131
+<H3><A NAME="htoc22">4.4</A> Adding a interdomain trust account</H3><!--SEC END -->
1132
+<A NAME="trust::account"></A>
1133
+To add an interdomain trust account to the primary controller <I>trust-pdc</I>, use the <TT>-i</TT> option of
1134
+<TT>smbldap-useradd</TT> as follows :
1135
+<PRE>
1136
+[root@etoile root]# smbldap-useradd -i trust-pdc
1137
+New password : *******
1138
+Retype new password : *******
1139
+</PRE>
1140
+The script will terminate asking for a password for this trust
1141
+account. The account will be created in the directory branch where
1142
+all computer accounts are stored (<TT>ou=Computers</TT> by
1143
+default). The only two particularities of this account are that you are
1144
+setting a password for this account, and the flags of this account are
1145
+<TT>[I ]</TT>.
1146
+ <!--TOC section Samba and the smbldap-tools scripts-->
1147
+
1148
+<H2><A NAME="htoc23">5</A> Samba and the smbldap-tools scripts</H2><!--SEC END -->
1149
+
1150
+<!--TOC subsection General configuration-->
1151
+
1152
+<H3><A NAME="htoc24">5.1</A> General configuration</H3><!--SEC END -->
1153
+
1154
+Samba can be configured to use the <FONT COLOR=purple>smbldap-tools</FONT> scripts. This allows
1155
+administrators to add, delete or modify user and group accounts for <FONT COLOR=purple>Microsoft Windows</FONT>
1156
+operating systems using, for example, User Manager utility under MS-Windows.
1157
+To enable the use of this utility, samba needs to be configured correctly. The
1158
+<TT>smb.conf</TT> configuration file must contain the following directives :
1159
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
1160
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
1161
+ CELLSPACING=0>
1162
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1163
+<TR><TD>
1164
+ </TD>
1165
+</TR></TABLE></TD>
1166
+</TR>
1167
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1168
+<TR><TD>
1169
+ </TD>
1170
+</TR></TABLE></TD>
1171
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
1172
+<TR><TD><PRE>
1173
+ldap delete dn = Yes
1174
+add user script = /usr/local/sbin/smbldap-useradd -m "%u"
1175
+add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
1176
+add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
1177
+add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
1178
+delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
1179
+set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
1180
+</PRE></TD>
1181
+</TR></TABLE></TD>
1182
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1183
+<TR><TD>
1184
+ </TD>
1185
+</TR></TABLE></TD>
1186
+</TR>
1187
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1188
+<TR><TD>
1189
+ </TD>
1190
+</TR></TABLE></TD>
1191
+</TR></TABLE></TD>
1192
+</TR></TABLE><BR>
1193
+Remark: the two directives <TT>delete user script</TT> et <TT>delete group
1194
+script</TT> can also be used. However, an error message can appear in User Manager
1195
+even if the operations actually succeed.
1196
+If you want to enable this behaviour, you need to add
1197
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
1198
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
1199
+ CELLSPACING=0>
1200
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1201
+<TR><TD>
1202
+ </TD>
1203
+</TR></TABLE></TD>
1204
+</TR>
1205
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1206
+<TR><TD>
1207
+ </TD>
1208
+</TR></TABLE></TD>
1209
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
1210
+<TR><TD><PRE>
1211
+delete user script = /usr/local/sbin/smbldap-userdel "%u"
1212
+delete group script = /usr/local/sbin/smbldap-groupdel "%g"
1213
+</PRE></TD>
1214
+</TR></TABLE></TD>
1215
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1216
+<TR><TD>
1217
+ </TD>
1218
+</TR></TABLE></TD>
1219
+</TR>
1220
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1221
+<TR><TD>
1222
+ </TD>
1223
+</TR></TABLE></TD>
1224
+</TR></TABLE></TD>
1225
+</TR></TABLE><BR>
1226
+<!--TOC subsection Migrating an NT4 PDC to Samba3-->
1227
+
1228
+<H3><A NAME="htoc25">5.2</A> Migrating an NT4 PDC to Samba3</H3><!--SEC END -->
1229
+
1230
+The account migration procedure becomes really simple when samba is configured to use
1231
+the <FONT COLOR=purple>smbldap-tools</FONT>. Samba configuration (smb.conf file) must contain the
1232
+directive defined above to properly call the script for managing users, groups and computer accounts.
1233
+The migration process is outlined in the chapter 30 of the samba howto
1234
+<A HREF="http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html"><TT>http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html</TT></A>.
1235
+ <BR>
1236
+<BR>
1237
+<!--TOC section Frequently Asked Questions-->
1238
+
1239
+<H2><A NAME="htoc26">6</A> Frequently Asked Questions</H2><!--SEC END -->
1240
+
1241
+<!--TOC subsection How can i use old released uidNumber and gidNumber ?-->
1242
+
1243
+<H3><A NAME="htoc27">6.1</A> How can i use old released uidNumber and gidNumber ?</H3><!--SEC END -->
1244
+
1245
+There are two way to do this :
1246
+<UL><LI>
1247
+modify the <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> and
1248
+ change the <TT>uidNumber</TT> and/or <TT>gidNumber</TT> value. This
1249
+ must be done manually. For example, if you want to use all available
1250
+ uidNumber and gidNumber higher then 1500, you need to create a
1251
+ <TT>update-NextFreeUnixId.ldif</TT> file containing :
1252
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
1253
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
1254
+ CELLSPACING=0>
1255
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1256
+<TR><TD>
1257
+ </TD>
1258
+</TR></TABLE></TD>
1259
+</TR>
1260
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1261
+<TR><TD>
1262
+ </TD>
1263
+</TR></TABLE></TD>
1264
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
1265
+<TR><TD><PRE>dn: cn=NextFreeUnixId,dc=idealx,dc=org
1266
+changetype: modify
1267
+uidNumber: 1500
1268
+gidNumber: 1500
1269
+</PRE></TD>
1270
+</TR></TABLE></TD>
1271
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1272
+<TR><TD>
1273
+ </TD>
1274
+</TR></TABLE></TD>
1275
+</TR>
1276
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1277
+<TR><TD>
1278
+ </TD>
1279
+</TR></TABLE></TD>
1280
+</TR></TABLE></TD>
1281
+</TR></TABLE>
1282
+and then update the directory :
1283
+<PRE>
1284
+ldapmodify -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f update-NextFreeUnixId.ldif
1285
+</PRE><LI>use the <TT>-u</TT> or <TT>-g</TT> option to the script you need to set the value you
1286
+ want to use
1287
+</UL>
1288
+<!--TOC subsection I always have this error: "Can't locate IO/Socket/SSL.pm"-->
1289
+
1290
+<H3><A NAME="htoc28">6.2</A> I always have this error: "Can't locate IO/Socket/SSL.pm"</H3><!--SEC END -->
1291
+
1292
+This happens when you want to use a certificate. In this case, you need to install the
1293
+IO-Socket-SSL Perl module.<BR>
1294
+<BR>
1295
+<!--TOC subsection I can't initialize the directory with <TT>smbldap-populate</TT>-->
1296
+
1297
+<H3><A NAME="htoc29">6.3</A> I can't initialize the directory with <TT>smbldap-populate</TT></H3><!--SEC END -->
1298
+
1299
+When I want to initialize the directory using the <TT>smbldap-populate</TT>
1300
+script, I get
1301
+<PRE>
1302
+[root@slave sbin]# smbldap-populate.pl
1303
+ Using builtin directory structure
1304
+ adding new entry: dc=IDEALX,dc=COM
1305
+ Can't call method "code" without a package or object reference at
1306
+ /usr/local/sbin/smbldap-populate.pl line 270, <GEN1> line 2.
1307
+</PRE>Answer: check the TLS configuration
1308
+<UL><LI>
1309
+if you don't want to use TLS support, set the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file
1310
+with
1311
+<PRE>
1312
+ldapSSL="0"
1313
+</PRE><LI>if you want TLS support, set the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file with
1314
+<PRE>
1315
+ldapSSL="1"
1316
+</PRE>and check that the directory server is configured to accept TLS connections.
1317
+</UL>
1318
+<!--TOC subsection I can't join the domain with the <TT>root</TT> account-->
1319
+
1320
+<H3><A NAME="htoc30">6.4</A> I can't join the domain with the <TT>root</TT> account</H3><!--SEC END -->
1321
+
1322
+<UL><LI>
1323
+check that the root account has the sambaSamAccount objectclass
1324
+<LI>check that the directive <TT>add machine script</TT> is present and configured
1325
+</UL>
1326
+<!--TOC subsection I have the <TT>sambaSamAccount</TT> but i can't logged in-->
1327
+
1328
+<H3><A NAME="htoc31">6.5</A> I have the <TT>sambaSamAccount</TT> but i can't logged in</H3><!--SEC END -->
1329
+
1330
+Check that the <TT>sambaPwdLastSet</TT> attribute is not null (equal to 0)<BR>
1331
+<BR>
1332
+<!--TOC subsection I want to create machine account on the fly, but it does
1333
+ not works or I must do it twice-->
1334
+
1335
+<H3><A NAME="htoc32">6.6</A> I want to create machine account on the fly, but it does
1336
+ not works or I must do it twice</H3><!--SEC END -->
1337
+
1338
+<UL><LI>
1339
+The script defined with the <TT>add machine script</TT> must not add
1340
+the <TT>sambaSAMAccount</TT> objectclass of the machine account. The
1341
+script must only add the Posix machine account. Samba will add the <TT>sambaSAMAccount</TT> when
1342
+joining the domain.
1343
+<LI>Check that the <TT>add <B>machine</B> script</TT> is present in samba
1344
+ configuration file.
1345
+</UL>
1346
+<!--TOC subsection I can't manage the Oracle Internet Database-->
1347
+
1348
+<H3><A NAME="htoc33">6.7</A> I can't manage the Oracle Internet Database</H3><!--SEC END -->
1349
+
1350
+If you have an error message like :
1351
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
1352
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
1353
+ CELLSPACING=0>
1354
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1355
+<TR><TD>
1356
+ </TD>
1357
+</TR></TABLE></TD>
1358
+</TR>
1359
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1360
+<TR><TD>
1361
+ </TD>
1362
+</TR></TABLE></TD>
1363
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
1364
+<TR><TD><PRE>
1365
+Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 187.
1366
+Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 627.
1367
+</PRE></TD>
1368
+</TR></TABLE></TD>
1369
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1370
+<TR><TD>
1371
+ </TD>
1372
+</TR></TABLE></TD>
1373
+</TR>
1374
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1375
+<TR><TD>
1376
+ </TD>
1377
+</TR></TABLE></TD>
1378
+</TR></TABLE></TD>
1379
+</TR></TABLE>For Oracle Database, all attributes that will be resquested to the directory must be indexed. Add a
1380
+new index for samba attributes and make sure that the following attributes are also indexed :
1381
+ uidNumber, gidNumber, memberUid, homedirectory, description, userPassword ...<BR>
1382
+<BR>
1383
+<!--TOC subsection The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
1384
+called, or i got a error message when changing the password from windows-->
1385
+
1386
+<H3><A NAME="htoc34">6.8</A> The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
1387
+called, or i got a error message when changing the password from windows</H3><!--SEC END -->
1388
+
1389
+The directive is called if you also set <TT>unix password sync = Yes</TT>.
1390
+Notes:
1391
+<UL><LI>
1392
+if you use OpenLDAP, none of those two options are needed. You just need <TT>ldap
1393
+passwd sync = Yes</TT>.
1394
+<LI>the script called here must only update the <TT>userPassword</TT> attribute. This is the
1395
+reason of the <TT>-u</TT> option. Samba passwords will be updated by samba itself.
1396
+<LI>the <TT>passwd chat</TT> directive must match what is prompted when using the
1397
+<TT>smbldap-passwd</TT> command
1398
+</UL>
1399
+<!--TOC subsection New computers account can't be set in ou=computers-->
1400
+
1401
+<H3><A NAME="htoc35">6.9</A> New computers account can't be set in ou=computers</H3><!--SEC END -->
1402
+<A NAME="sec::bug::ou::computer"></A>
1403
+This is a known samba bug. There's a workarround: look at
1404
+<A HREF="http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2"><TT>http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2</TT></A><BR>
1405
+<BR>
1406
+<!--TOC subsection I can join the domain, but i can't log on-->
1407
+
1408
+<H3><A NAME="htoc36">6.10</A> I can join the domain, but i can't log on</H3><!--SEC END -->
1409
+
1410
+look at section <A HREF="#sec::bug::ou::computer">6.9</A><BR>
1411
+<BR>
1412
+<!--TOC subsection I can't create a user with <TT>smbldap-useradd</TT>-->
1413
+
1414
+<H3><A NAME="htoc37">6.11</A> I can't create a user with <TT>smbldap-useradd</TT></H3><!--SEC END -->
1415
+
1416
+When creating a new user account I get the following error message:
1417
+<PRE>
1418
+/usr/local/sbin/smbldap-useradd.pl: unknown group SID not set for unix group 513
1419
+</PRE>Answer:
1420
+<UL><LI>
1421
+is nss_ldap correctly configured ?
1422
+<LI>is the default group's users mapped to the 'Domain Users' NT group ?
1423
+<PRE>
1424
+net groupmap add rid=513 unixgroup="Domain Users" ntgroup="Domain Users"
1425
+</PRE></UL>
1426
+<!--TOC subsection smbldap-useradd: Can't call method "get_value" on an undefined value at
1427
+/usr/local/sbin/smbldap-useradd line 154-->
1428
+
1429
+<H3><A NAME="htoc38">6.12</A> smbldap-useradd: Can't call method "get_value" on an undefined value at
1430
+/usr/local/sbin/smbldap-useradd line 154</H3><!--SEC END -->
1431
+
1432
+<UL><LI>
1433
+does the default group defined in smbldap.conf exist
1434
+ (defaultUserGid="513") ?
1435
+<LI>does the NT "Domain Users" group mapped to a unix
1436
+ group of rid 513 (see option <I>-r</I> of <TT>smbldap-groupadd</TT> and
1437
+ <TT>smbldap-groupmod</TT> to set a rid) ?
1438
+</UL>
1439
+<!--TOC subsection Typical errors on creating a new user or a new group-->
1440
+
1441
+<H3><A NAME="htoc39">6.13</A> Typical errors on creating a new user or a new group</H3><!--SEC END -->
1442
+<A NAME="faq::error::add::user"></A>
1443
+<UL><LI>
1444
+i've got the following error:
1445
+<PRE>
1446
+Could not find base dn, to get next uidNumber at /usr/local/sbin//smbldap_tools.pm line 909
1447
+</PRE><OL type=1><LI>
1448
+ you do not have created the object to defined the next uidNumber and gidNumber available.
1449
+ <UL><LI>
1450
+ for version 0.8.7 : you can just run the <TT>smbldap-populate</TT> script that will
1451
+ update the sambaDomain entry to store those informations
1452
+ <LI>for version before 0.8.7 :
1453
+ You have updated the smbldap-tools to version 0.8.5 or newer.
1454
+ You have to do this manually. Create an file called <TT>add.ldif</TT> and containing
1455
+<PRE>
1456
+dn: cn=NextFreeUnixId,dc=idealx,dc=org
1457
+objectClass: inetOrgPerson
1458
+objectClass: sambaUnixIdPool
1459
+uidNumber: 1000
1460
+gidNumber: 1000
1461
+cn: NextFreeUnixId
1462
+sn: NextFreeUnixId
1463
+</PRE> and then add the object with the ldapadd utility:
1464
+<PRE>
1465
+$ ldapadd -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f add.ldif
1466
+</PRE> Here, 1000 is the first available value for uidNumber and gidNumber (of course, if this value is
1467
+ already used by a user or a group, the first available after 1000 will be used).
1468
+ </UL><BR>
1469
+<BR>
1470
+<LI>The error also appear when there is a need for TLS (ldapTLS=1 in <TT>smbldap.conf</TT>) and
1471
+something is wrong with certificate naming or path settings.
1472
+</OL><BR>
1473
+<BR>
1474
+<LI>i've got the following error:
1475
+<PRE>
1476
+Use of uninitialized value in string at
1477
+/usr/local/sbin//smbldap\_tools.pm line 914.
1478
+Error: No DN specified at /usr/local/sbin//smbldap\_tools.pm line 919
1479
+</PRE>You have not updated the configuration file to defined the object where are sotred the next
1480
+uidNumber and gidNumber available. In our example, you have to add a nex entry in
1481
+<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I> containing :
1482
+<PRE>
1483
+# Where to store next uidNumber and gidNumber available
1484
+sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
1485
+</PRE>btw, a new option is now available too: the domain to append to users. You can add to the
1486
+configuration file the following lines:
1487
+<PRE>
1488
+# Domain appended to the users "mail"-attribute
1489
+# when smbldap-useradd -M is used mailDomain="idealx.com"
1490
+</PRE><BR>
1491
+<BR>
1492
+<LI>i've got the following error:
1493
+<PRE>
1494
+Use of uninitialized value in concatenation (.) or string at /usr/local/sbin/smbldap-useradd line 183.
1495
+Use of uninitialized value in substitution (s///) at /usr/local/sbin/smbldap-useradd line 185.
1496
+Use of uninitialized value in string at /usr/local/sbin/smbldap-useradd line 264.
1497
+failed to add entry: homedirectory: value #0 invalid per syntax at /usr/local/sbin/smbldap-useradd line 280.
1498
+userHomeDirectory=User "jto" already member of the group "513".
1499
+failed to add entry: No such object at /usr/local/sbin/smbldap-useradd line 382.
1500
+</PRE>you have to change the variable name <TT>userHomePrefix</TT> to <TT>userHome</TT> in
1501
+<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I><BR>
1502
+<BR>
1503
+<LI>i've got the following error:
1504
+<PRE>
1505
+failed to add entry: referral missing at /usr/local/sbin/smbldap-useradd line 279, <DATA> line 283.
1506
+</PRE>you have to update the configuration file that defined users, groups and computers dn. Those
1507
+parameters must not be relative to the <TT>suffix</TT> parameter. A typical
1508
+configuration look like this :
1509
+<PRE>
1510
+usersdn="ou=Users,${suffix}"
1511
+computersdn="ou=Computers,${suffix}"
1512
+groupsdn="ou=Groups,${suffix}"
1513
+</PRE><BR>
1514
+<BR>
1515
+<LI>i've got the following error:
1516
+<PRE>
1517
+erreur LDAP: Can't contact master ldap server (IO::Socket::INET: Bad protocol 'tcp')
1518
+at /usr/local/sbin//smbldap_tools.pm line 153.
1519
+</PRE>remove <I>ldap</I> from <I>/etc/nsswitch.conf</I> for <I>services</I> list of possible check. For
1520
+example, if your ldap directory is not configured to give services information, you must have
1521
+<PRE>
1522
+services files
1523
+</PRE>and not
1524
+<PRE>
1525
+services: ldap [NOTFOUND=return] files
1526
+</PRE></UL>
1527
+
1528
+
1529
+<!--TOC section Thanks-->
1530
+
1531
+<H2><A NAME="htoc40">7</A> Thanks</H2><!--SEC END -->
1532
+
1533
+<A NAME="thanks"></A>
1534
+People who have worked on this document are
1535
+<UL><LI>
1536
+J�r�me Tournier <jerome.tournier@IDEALX.com>
1537
+<LI>David Barth <david.barth@IDEALX.com>
1538
+<LI>Nat Makarevitch <nat@IDEALX.com>
1539
+</UL>
1540
+The authors would like to thank the following people for providing help with
1541
+some of the more complicated subjects, for clarifying some of the internal
1542
+workings of <FONT COLOR=purple>Samba</FONT> or <FONT COLOR=purple>OpenLDAP</FONT>, for pointing out errors or mistakes in
1543
+previous versions of this document, or generally for making
1544
+suggestions :
1545
+<UL><LI>
1546
+IDEALX team :
1547
+ <UL><LI>
1548
+ Rom�o Adekambi <romeo.adekambi@IDEALX.com>
1549
+ <LI>Aurelien Degremont <adegremont@IDEALX.com>
1550
+ <LI>Renaud Renard <rrenard@IDEALX.com>
1551
+ </UL>
1552
+<LI>John H Terpstra <jht@samba.org>
1553
+</UL>
1554
+ <!--TOC section Annexes-->
1555
+
1556
+<H2><A NAME="htoc41">8</A> Annexes</H2><!--SEC END -->
1557
+
1558
+<!--TOC subsection Full configuration files-->
1559
+
1560
+<H3><A NAME="htoc42">8.1</A> Full configuration files</H3><!--SEC END -->
1561
+<A NAME="configuration::files"></A>
1562
+<!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file-->
1563
+
1564
+<H4><A NAME="htoc43">8.1.1</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</H4><!--SEC END -->
1565
+<A NAME="configuration::file::smbldap"></A>
1566
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
1567
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
1568
+ CELLSPACING=0>
1569
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1570
+<TR><TD>
1571
+ </TD>
1572
+</TR></TABLE></TD>
1573
+</TR>
1574
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1575
+<TR><TD>
1576
+ </TD>
1577
+</TR></TABLE></TD>
1578
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
1579
+<TR><TD><PRE># $Source: $
1580
+# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
1581
+#
1582
+# smbldap-tools.conf : Q & D configuration file for smbldap-tools
1583
+
1584
+# This code was developped by IDEALX (http://IDEALX.org/) and
1585
+# contributors (their names can be found in the CONTRIBUTORS file).
1586
+#
1587
+# Copyright (C) 2001-2002 IDEALX
1588
+#
1589
+# This program is free software; you can redistribute it and/or
1590
+# modify it under the terms of the GNU General Public License
1591
+# as published by the Free Software Foundation; either version 2
1592
+# of the License, or (at your option) any later version.
1593
+#
1594
+# This program is distributed in the hope that it will be useful,
1595
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
1596
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1597
+# GNU General Public License for more details.
1598
+#
1599
+# You should have received a copy of the GNU General Public License
1600
+# along with this program; if not, write to the Free Software
1601
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
1602
+# USA.
1603
+
1604
+# Purpose :
1605
+# . be the configuration file for all smbldap-tools scripts
1606
+
1607
+##############################################################################
1608
+#
1609
+# General Configuration
1610
+#
1611
+##############################################################################
1612
+
1613
+# Put your own SID. To obtain this number do: "net getlocalsid".
1614
+# If not defined, parameter is taking from "net getlocalsid" return
1615
+SID="S-1-5-21-2252255531-4061614174-2474224977"
1616
+
1617
+# Domain name the Samba server is in charged.
1618
+# If not defined, parameter is taking from smb.conf configuration file
1619
+# Ex: sambaDomain="IDEALX-NT"
1620
+sambaDomain="DOMSMB"
1621
+
1622
+##############################################################################
1623
+#
1624
+# LDAP Configuration
1625
+#
1626
+##############################################################################
1627
+
1628
+# Notes: to use to dual ldap servers backend for Samba, you must patch
1629
+# Samba with the dual-head patch from IDEALX. If not using this patch
1630
+# just use the same server for slaveLDAP and masterLDAP.
1631
+# Those two servers declarations can also be used when you have
1632
+# . one master LDAP server where all writing operations must be done
1633
+# . one slave LDAP server where all reading operations must be done
1634
+# (typically a replication directory)
1635
+
1636
+# Slave LDAP server
1637
+# Ex: slaveLDAP=127.0.0.1
1638
+# If not defined, parameter is set to "127.0.0.1"
1639
+slaveLDAP="127.0.0.1"
1640
+
1641
+# Slave LDAP port
1642
+# If not defined, parameter is set to "389"
1643
+slavePort="389"
1644
+
1645
+# Master LDAP server: needed for write operations
1646
+# Ex: masterLDAP=127.0.0.1
1647
+# If not defined, parameter is set to "127.0.0.1"
1648
+masterLDAP="127.0.0.1"
1649
+
1650
+# Master LDAP port
1651
+# If not defined, parameter is set to "389"
1652
+masterPort="389"
1653
+
1654
+# Use TLS for LDAP
1655
+# If set to 1, this option will use start_tls for connection
1656
+# (you should also used the port 389)
1657
+# If not defined, parameter is set to "1"
1658
+ldapTLS="0"
1659
+
1660
+# How to verify the server's certificate (none, optional or require)
1661
+# see "man Net::LDAP" in start_tls section for more details
1662
+verify="require"
1663
+
1664
+# CA certificate
1665
+# see "man Net::LDAP" in start_tls section for more details
1666
+cafile="/etc/smbldap-tools/ca.pem"
1667
+
1668
+# certificate to use to connect to the ldap server
1669
+# see "man Net::LDAP" in start_tls section for more details
1670
+clientcert="/etc/smbldap-tools/smbldap-tools.pem"
1671
+
1672
+# key certificate to use to connect to the ldap server
1673
+# see "man Net::LDAP" in start_tls section for more details
1674
+clientkey="/etc/smbldap-tools/smbldap-tools.key"
1675
+
1676
+# LDAP Suffix
1677
+# Ex: suffix=dc=IDEALX,dc=ORG
1678
+suffix="dc=company,dc=com"
1679
+
1680
+# Where are stored Users
1681
+# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
1682
+# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
1683
+usersdn="ou=Users,${suffix}"
1684
+
1685
+# Where are stored Computers
1686
+# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
1687
+# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
1688
+computersdn="ou=Computers,${suffix}"
1689
+
1690
+# Where are stored Groups
1691
+# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
1692
+# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
1693
+groupsdn="ou=Groups,${suffix}"
1694
+
1695
+# Where are stored Idmap entries (used if samba is a domain member server)
1696
+# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
1697
+# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
1698
+idmapdn="ou=Idmap,${suffix}"
1699
+
1700
+# Where to store next uidNumber and gidNumber available for new users and groups
1701
+# If not defined, entries are stored in sambaDomainName object.
1702
+# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
1703
+# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
1704
+sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
1705
+
1706
+# Default scope Used
1707
+scope="sub"
1708
+
1709
+# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
1710
+hash_encrypt="SSHA"
1711
+
1712
+# if hash_encrypt is set to CRYPT, you may set a salt format.
1713
+# default is "%s", but many systems will generate MD5 hashed
1714
+# passwords if you use "$1$%.8s". This parameter is optional!
1715
+crypt_salt_format="%s"
1716
+
1717
+##############################################################################
1718
+#
1719
+# Unix Accounts Configuration
1720
+#
1721
+##############################################################################
1722
+
1723
+# Login defs
1724
+# Default Login Shell
1725
+# Ex: userLoginShell="/bin/bash"
1726
+userLoginShell="/bin/bash"
1727
+
1728
+# Home directory
1729
+# Ex: userHome="/home/%U"
1730
+userHome="/home/%U"
1731
+
1732
+# Default mode used for user homeDirectory
1733
+userHomeDirectoryMode="700"
1734
+
1735
+# Gecos
1736
+userGecos="System User"
1737
+
1738
+# Default User (POSIX and Samba) GID
1739
+defaultUserGid="513"
1740
+
1741
+# Default Computer (Samba) GID
1742
+defaultComputerGid="515"
1743
+
1744
+# Skel dir
1745
+skeletonDir="/etc/skel"
1746
+
1747
+# Default password validation time (time in days) Comment the next line if
1748
+# you don't want password to be enable for defaultMaxPasswordAge days (be
1749
+# careful to the sambaPwdMustChange attribute's value)
1750
+defaultMaxPasswordAge="45"
1751
+
1752
+##############################################################################
1753
+#
1754
+# SAMBA Configuration
1755
+#
1756
+##############################################################################
1757
+
1758
+# The UNC path to home drives location (%U username substitution)
1759
+# Just set it to a null string if you want to use the smb.conf 'logon home'
1760
+# directive and/or disable roaming profiles
1761
+# Ex: userSmbHome="\\PDC-SMB3\%U"
1762
+userSmbHome="\\PDC-SRV\%U"
1763
+
1764
+# The UNC path to profiles locations (%U username substitution)
1765
+# Just set it to a null string if you want to use the smb.conf 'logon path'
1766
+# directive and/or disable roaming profiles
1767
+# Ex: userProfile="\\PDC-SMB3\profiles\%U"
1768
+userProfile="\\PDC-SRV\profiles\%U"
1769
+
1770
+# The default Home Drive Letter mapping
1771
+# (will be automatically mapped at logon time if home directory exist)
1772
+# Ex: userHomeDrive="H:"
1773
+userHomeDrive="H:"
1774
+
1775
+# The default user netlogon script name (%U username substitution)
1776
+# if not used, will be automatically username.cmd
1777
+# make sure script file is edited under dos
1778
+# Ex: userScript="startup.cmd" # make sure script file is edited under dos
1779
+userScript="logon.bat"
1780
+
1781
+# Domain appended to the users "mail"-attribute
1782
+# when smbldap-useradd -M is used
1783
+# Ex: mailDomain="idealx.com"
1784
+mailDomain="idealx.com"
1785
+
1786
+##############################################################################
1787
+#
1788
+# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
1789
+#
1790
+##############################################################################
1791
+
1792
+# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
1793
+# prefer Crypt::SmbHash library
1794
+with_smbpasswd="0"
1795
+smbpasswd="/usr/bin/smbpasswd"
1796
+
1797
+# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
1798
+# but prefer Crypt:: libraries
1799
+with_slappasswd="0"
1800
+slappasswd="/usr/sbin/slappasswd"
1801
+
1802
+# comment out the following line to get rid of the default banner
1803
+# no_banner="1"
1804
+
1805
+</PRE></TD>
1806
+</TR></TABLE></TD>
1807
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1808
+<TR><TD>
1809
+ </TD>
1810
+</TR></TABLE></TD>
1811
+</TR>
1812
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1813
+<TR><TD>
1814
+ </TD>
1815
+</TR></TABLE></TD>
1816
+</TR></TABLE></TD>
1817
+</TR></TABLE><BR>
1818
+<!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file-->
1819
+
1820
+<H4><A NAME="htoc44">8.1.2</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</H4><!--SEC END -->
1821
+<A NAME="configuration::file::smbldap::bind"></A>
1822
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
1823
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
1824
+ CELLSPACING=0>
1825
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1826
+<TR><TD>
1827
+ </TD>
1828
+</TR></TABLE></TD>
1829
+</TR>
1830
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1831
+<TR><TD>
1832
+ </TD>
1833
+</TR></TABLE></TD>
1834
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
1835
+<TR><TD><PRE>############################
1836
+# Credential Configuration #
1837
+############################
1838
+# Notes: you can specify two differents configuration if you use a
1839
+# master ldap for writing access and a slave ldap server for reading access
1840
+# By default, we will use the same DN (so it will work for standard Samba
1841
+# release)
1842
+slaveDN="cn=Manager,dc=company,dc=com"
1843
+slavePw="secret"
1844
+masterDN="cn=Manager,dc=company,dc=com"
1845
+masterPw="secret"
1846
+
1847
+</PRE></TD>
1848
+</TR></TABLE></TD>
1849
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1850
+<TR><TD>
1851
+ </TD>
1852
+</TR></TABLE></TD>
1853
+</TR>
1854
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1855
+<TR><TD>
1856
+ </TD>
1857
+</TR></TABLE></TD>
1858
+</TR></TABLE></TD>
1859
+</TR></TABLE><BR>
1860
+<!--TOC subsubsection The samba configuration file : <TT>/etc/samba/smb.conf</TT> -->
1861
+
1862
+<H4><A NAME="htoc45">8.1.3</A> The samba configuration file : <TT>/etc/samba/smb.conf</TT> </H4><!--SEC END -->
1863
+
1864
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
1865
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
1866
+ CELLSPACING=0>
1867
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1868
+<TR><TD>
1869
+ </TD>
1870
+</TR></TABLE></TD>
1871
+</TR>
1872
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1873
+<TR><TD>
1874
+ </TD>
1875
+</TR></TABLE></TD>
1876
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
1877
+<TR><TD><PRE># Global parameters
1878
+[global]
1879
+ workgroup = DOMSMB
1880
+ netbios name = PDC-SRV
1881
+ security = user
1882
+ enable privileges = yes
1883
+ #interfaces = 192.168.5.11
1884
+ #username map = /etc/samba/smbusers
1885
+ server string = Samba Server %v
1886
+ #security = ads
1887
+ encrypt passwords = Yes
1888
+ min passwd length = 3
1889
+ #pam password change = no
1890
+ #obey pam restrictions = No
1891
+
1892
+ # method 1:
1893
+ #unix password sync = no
1894
+ #ldap passwd sync = yes
1895
+
1896
+ # method 2:
1897
+ unix password sync = yes
1898
+ ldap passwd sync = no
1899
+ passwd program = /usr/sbin/smbldap-passwd -u "%u"
1900
+ passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
1901
+
1902
+ log level = 0
1903
+ syslog = 0
1904
+ log file = /var/log/samba/log.%U
1905
+ max log size = 100000
1906
+ time server = Yes
1907
+ socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
1908
+ mangling method = hash2
1909
+ Dos charset = 850
1910
+ Unix charset = ISO8859-1
1911
+
1912
+ logon script = logon.bat
1913
+ logon drive = H:
1914
+ logon home =
1915
+ logon path =
1916
+
1917
+ domain logons = Yes
1918
+ domain master = Yes
1919
+ os level = 65
1920
+ preferred master = Yes
1921
+ wins support = yes
1922
+ passdb backend = ldapsam:ldap://127.0.0.1/
1923
+ ldap admin dn = cn=Manager,dc=company,dc=com
1924
+ #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
1925
+ ldap suffix = dc=company,dc=com
1926
+ ldap group suffix = ou=Groups
1927
+ ldap user suffix = ou=Users
1928
+ ldap machine suffix = ou=Computers
1929
+ #ldap idmap suffix = ou=Idmap
1930
+ add user script = /usr/sbin/smbldap-useradd -m "%u"
1931
+ #ldap delete dn = Yes
1932
+ delete user script = /usr/sbin/smbldap-userdel "%u"
1933
+ add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
1934
+ add group script = /usr/sbin/smbldap-groupadd -p "%g"
1935
+ #delete group script = /usr/sbin/smbldap-groupdel "%g"
1936
+ add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
1937
+ delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
1938
+ set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
1939
+
1940
+ # printers configuration
1941
+ #printer admin = @"Print Operators"
1942
+ load printers = Yes
1943
+ create mask = 0640
1944
+ directory mask = 0750
1945
+ #force create mode = 0640
1946
+ #force directory mode = 0750
1947
+ nt acl support = No
1948
+ printing = cups
1949
+ printcap name = cups
1950
+ deadtime = 10
1951
+ guest account = nobody
1952
+ map to guest = Bad User
1953
+ dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
1954
+ show add printer wizard = yes
1955
+ ; to maintain capital letters in shortcuts in any of the profile folders:
1956
+ preserve case = yes
1957
+ short preserve case = yes
1958
+ case sensitive = no
1959
+
1960
+[netlogon]
1961
+ path = /home/netlogon/
1962
+ browseable = No
1963
+ read only = yes
1964
+
1965
+[profiles]
1966
+ path = /home/profiles
1967
+ read only = no
1968
+ create mask = 0600
1969
+ directory mask = 0700
1970
+ browseable = No
1971
+ guest ok = Yes
1972
+ profile acls = yes
1973
+ csc policy = disable
1974
+ # next line is a great way to secure the profiles
1975
+ #force user = %U
1976
+ # next line allows administrator to access all profiles
1977
+ #valid users = %U "Domain Admins"
1978
+
1979
+[printers]
1980
+ comment = Network Printers
1981
+ #printer admin = @"Print Operators"
1982
+ guest ok = yes
1983
+ printable = yes
1984
+ path = /home/spool/
1985
+ browseable = No
1986
+ read only = Yes
1987
+ printable = Yes
1988
+ print command = /usr/bin/lpr -P%p -r %s
1989
+ lpq command = /usr/bin/lpq -P%p
1990
+ lprm command = /usr/bin/lprm -P%p %j
1991
+ # print command = /usr/bin/lpr -U%U@%M -P%p -r %s
1992
+ # lpq command = /usr/bin/lpq -U%U@%M -P%p
1993
+ # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
1994
+ # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
1995
+ # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
1996
+ # queuepause command = /usr/sbin/lpc -U%U@%M stop %p
1997
+ # queueresume command = /usr/sbin/lpc -U%U@%M start %p
1998
+
1999
+[print$]
2000
+ path = /home/printers
2001
+ guest ok = No
2002
+ browseable = Yes
2003
+ read only = Yes
2004
+ valid users = @"Print Operators"
2005
+ write list = @"Print Operators"
2006
+ create mask = 0664
2007
+ directory mask = 0775
2008
+
2009
+[public]
2010
+ path = /tmp
2011
+ guest ok = yes
2012
+ browseable = Yes
2013
+ writable = yes
2014
+</PRE></TD>
2015
+</TR></TABLE></TD>
2016
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2017
+<TR><TD>
2018
+ </TD>
2019
+</TR></TABLE></TD>
2020
+</TR>
2021
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2022
+<TR><TD>
2023
+ </TD>
2024
+</TR></TABLE></TD>
2025
+</TR></TABLE></TD>
2026
+</TR></TABLE><BR>
2027
+<!--TOC subsubsection The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT>-->
2028
+
2029
+<H4><A NAME="htoc46">8.1.4</A> The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></H4><!--SEC END -->
2030
+
2031
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
2032
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
2033
+ CELLSPACING=0>
2034
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2035
+<TR><TD>
2036
+ </TD>
2037
+</TR></TABLE></TD>
2038
+</TR>
2039
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2040
+<TR><TD>
2041
+ </TD>
2042
+</TR></TABLE></TD>
2043
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
2044
+<TR><TD><PRE>#
2045
+# See slapd.conf(5) for details on configuration options.
2046
+# This file should NOT be world readable.
2047
+#
2048
+include /etc/openldap/schema/core.schema
2049
+include /etc/openldap/schema/cosine.schema
2050
+include /etc/openldap/schema/inetorgperson.schema
2051
+include /etc/openldap/schema/nis.schema
2052
+include /etc/openldap/schema/samba.schema
2053
+
2054
+schemacheck on
2055
+
2056
+# Allow LDAPv2 client connections. This is NOT the default.
2057
+allow bind_v2
2058
+
2059
+# Do not enable referrals until AFTER you have a working directory
2060
+# service AND an understanding of referrals.
2061
+#referral ldap://root.openldap.org
2062
+
2063
+pidfile /var/run/slapd.pid
2064
+argsfile /var/run/slapd.args
2065
+
2066
+# Load dynamic backend modules:
2067
+# modulepath /usr/sbin/openldap
2068
+# moduleload back_bdb.la
2069
+# moduleload back_ldap.la
2070
+# moduleload back_ldbm.la
2071
+# moduleload back_passwd.la
2072
+# moduleload back_shell.la
2073
+
2074
+# The next three lines allow use of TLS for encrypting connections using a
2075
+# dummy test certificate which you can generate by changing to
2076
+# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
2077
+# slapd.pem so that the ldap user or group can read it. Your client software
2078
+# may balk at self-signed certificates, however.
2079
+#TLSCertificateFile /etc/openldap/ldap.company.com.pem
2080
+#TLSCertificateKeyFile /etc/openldap/ldap.company.com.key
2081
+#TLSCACertificateFile /etc/openldap/ca.pem
2082
+#TLSCipherSuite :SSLv3
2083
+
2084
+# Sample security restrictions
2085
+# Require integrity protection (prevent hijacking)
2086
+# Require 112-bit (3DES or better) encryption for updates
2087
+# Require 63-bit encryption for simple bind
2088
+# security ssf=1 update_ssf=112 simple_bind=64
2089
+
2090
+# Sample access control policy:
2091
+# Root DSE: allow anyone to read it
2092
+# Subschema (sub)entry DSE: allow anyone to read it
2093
+# Other DSEs:
2094
+# Allow self write access
2095
+# Allow authenticated users read access
2096
+# Allow anonymous users to authenticate
2097
+# Directives needed to implement policy:
2098
+# access to dn.base="" by * read
2099
+# access to dn.base="cn=Subschema" by * read
2100
+# access to *
2101
+# by self write
2102
+# by users read
2103
+# by anonymous auth
2104
+#
2105
+# if no access controls are present, the default policy
2106
+# allows anyone and everyone to read anything but restricts
2107
+# updates to rootdn. (e.g., "access to * by * read")
2108
+#
2109
+# rootdn can always read and write EVERYTHING!
2110
+
2111
+#######################################################################
2112
+# ldbm and/or bdb database definitions
2113
+#######################################################################
2114
+
2115
+database bdb
2116
+suffix "dc=company,dc=com"
2117
+rootdn "cn=Manager,dc=company,dc=com"
2118
+# Cleartext passwords, especially for the rootdn, should
2119
+# be avoided. See slappasswd(8) and slapd.conf(5) for details.
2120
+# Use of strong authentication encouraged.
2121
+rootpw secret
2122
+# rootpw {crypt}ijFYNcSNctBYg
2123
+
2124
+# The database directory MUST exist prior to running slapd AND
2125
+# should only be accessible by the slapd and slap tools.
2126
+# Mode 700 recommended.
2127
+directory /var/lib/ldap
2128
+lastmod on
2129
+
2130
+# Indices to maintain for this database
2131
+index objectClass eq,pres
2132
+index ou,cn,sn,mail,givenname eq,pres,sub
2133
+index uidNumber,gidNumber,memberUid eq,pres
2134
+index loginShell eq,pres
2135
+## required to support pdb_getsampwnam
2136
+index uid pres,sub,eq
2137
+## required to support pdb_getsambapwrid()
2138
+index displayName pres,sub,eq
2139
+index nisMapName,nisMapEntry eq,pres,sub
2140
+index sambaSID eq,sub
2141
+index sambaPrimaryGroupSID eq
2142
+index sambaDomainName eq
2143
+index default sub
2144
+
2145
+
2146
+# users can authenticate and change their password
2147
+access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
2148
+ by dn="cn=Manager,dc=company,dc=com" write
2149
+ by self write
2150
+ by anonymous auth
2151
+ by * none
2152
+
2153
+# those 2 parameters must be world readable for password aging to work correctly
2154
+# (or use a priviledge account in /etc/ldap.conf to bind to the directory)
2155
+access to attrs=shadowLastChange,shadowMax
2156
+ by dn="cn=Manager,dc=company,dc=com" write
2157
+ by self write
2158
+ by * read
2159
+
2160
+
2161
+# all others attributes are readable to everybody
2162
+access to *
2163
+ by * read
2164
+
2165
+# Replicas of this database
2166
+#replogfile /var/lib/ldap/openldap-master-replog
2167
+#replica host=ldap-1.example.com:389 starttls=critical
2168
+# bindmethod=sasl saslmech=GSSAPI
2169
+# authcId=host/ldap-master.example.com@EXAMPLE.COM
2170
+</PRE></TD>
2171
+</TR></TABLE></TD>
2172
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2173
+<TR><TD>
2174
+ </TD>
2175
+</TR></TABLE></TD>
2176
+</TR>
2177
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2178
+<TR><TD>
2179
+ </TD>
2180
+</TR></TABLE></TD>
2181
+</TR></TABLE></TD>
2182
+</TR></TABLE><BR>
2183
+<!--TOC subsection Changing the administrative account (<TT>ldap admin
2184
+ dn</TT> in <TT>smb.conf</TT> file)-->
2185
+
2186
+<H3><A NAME="htoc47">8.2</A> Changing the administrative account (<TT>ldap admin
2187
+ dn</TT> in <TT>smb.conf</TT> file)</H3><!--SEC END -->
2188
+<A NAME="change::manager"></A>
2189
+If you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
2190
+account anymore, you can create a dedicated account for Samba and the
2191
+smbldap-tools scripts. To do
2192
+this, create an account named <I>samba</I> as follows (see
2193
+section <A HREF="#add::user">4.2.1</A> for a more detailed syntax) :
2194
+<PRE>
2195
+smbldap-useradd -s /bin/false -d /dev/null -P samba
2196
+</PRE>This command will ask you to set a password for this account. Let's
2197
+set it to <I>samba</I> for this example.
2198
+You then need to modify configuration files:
2199
+<UL><LI>
2200
+file <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT>
2201
+ <TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
2202
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
2203
+ CELLSPACING=0>
2204
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2205
+<TR><TD>
2206
+ </TD>
2207
+</TR></TABLE></TD>
2208
+</TR>
2209
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2210
+<TR><TD>
2211
+ </TD>
2212
+</TR></TABLE></TD>
2213
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
2214
+<TR><TD><PRE>
2215
+ slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
2216
+ slavePw="samba"
2217
+ masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
2218
+ masterPw="samba"
2219
+ </PRE></TD>
2220
+</TR></TABLE></TD>
2221
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2222
+<TR><TD>
2223
+ </TD>
2224
+</TR></TABLE></TD>
2225
+</TR>
2226
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2227
+<TR><TD>
2228
+ </TD>
2229
+</TR></TABLE></TD>
2230
+</TR></TABLE></TD>
2231
+</TR></TABLE><LI>file <TT>/etc/samba/smb.conf</TT>
2232
+ <TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
2233
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
2234
+ CELLSPACING=0>
2235
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2236
+<TR><TD>
2237
+ </TD>
2238
+</TR></TABLE></TD>
2239
+</TR>
2240
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2241
+<TR><TD>
2242
+ </TD>
2243
+</TR></TABLE></TD>
2244
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
2245
+<TR><TD><PRE>
2246
+ ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
2247
+ </PRE></TD>
2248
+</TR></TABLE></TD>
2249
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2250
+<TR><TD>
2251
+ </TD>
2252
+</TR></TABLE></TD>
2253
+</TR>
2254
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2255
+<TR><TD>
2256
+ </TD>
2257
+</TR></TABLE></TD>
2258
+</TR></TABLE></TD>
2259
+</TR></TABLE>don't forget to also set the samba account password in
2260
+ <TT>secrets.tdb</TT> file :
2261
+<PRE>
2262
+smbpasswd -w samba
2263
+</PRE><LI>file <TT>/etc/openldap/slapd.conf</TT>: give to the
2264
+ <I>samba</I> user permissions to modify some attributes: this
2265
+ user needs to be able to modify all the samba attributes and some
2266
+ others (uidNumber, gidNumber ...) :
2267
+ <TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
2268
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
2269
+ CELLSPACING=0>
2270
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2271
+<TR><TD>
2272
+ </TD>
2273
+</TR></TABLE></TD>
2274
+</TR>
2275
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2276
+<TR><TD>
2277
+ </TD>
2278
+</TR></TABLE></TD>
2279
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
2280
+<TR><TD><PRE>
2281
+# users can authenticate and change their password
2282
+access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
2283
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2284
+ by self write
2285
+ by anonymous auth
2286
+ by * none
2287
+# some attributes need to be readable anonymously so that 'id user' can answer correctly
2288
+access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
2289
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2290
+ by * read
2291
+# somme attributes can be writable by users themselves
2292
+access to attrs=description,telephoneNumber
2293
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2294
+ by self write
2295
+ by * read
2296
+# some attributes need to be writable for samba
2297
+access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
2298
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2299
+ by self read
2300
+ by * none
2301
+# samba need to be able to create the samba domain account
2302
+access to dn.base="dc=idealx,dc=com"
2303
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2304
+ by * none
2305
+# samba need to be able to create new users account
2306
+access to dn="ou=Users,dc=idealx,dc=com"
2307
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2308
+ by * none
2309
+# samba need to be able to create new groups account
2310
+access to dn="ou=Groups,dc=idealx,dc=com"
2311
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2312
+ by * none
2313
+# samba need to be able to create new computers account
2314
+access to dn="ou=Computers,dc=idealx,dc=com"
2315
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2316
+ by * none
2317
+# this can be omitted but we leave it: there could be other branch
2318
+# in the directory
2319
+access to *
2320
+ by self read
2321
+ by * none
2322
+ </PRE></TD>
2323
+</TR></TABLE></TD>
2324
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2325
+<TR><TD>
2326
+ </TD>
2327
+</TR></TABLE></TD>
2328
+</TR>
2329
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2330
+<TR><TD>
2331
+ </TD>
2332
+</TR></TABLE></TD>
2333
+</TR></TABLE></TD>
2334
+</TR></TABLE></UL>
2335
+<!--TOC subsection known bugs-->
2336
+
2337
+<H3><A NAME="htoc48">8.3</A> known bugs</H3><!--SEC END -->
2338
+
2339
+<UL><LI>
2340
+Option <I>-B</I> (user must change password) of
2341
+ <TT>smbldap-useradd</TT> does not have effect: when
2342
+ <TT>smbldap-passwd</TT> script is called,
2343
+ <I>sambaPwdMustChange</I> attribute is rewrite.
2344
+</UL>
2345
+
2346
+<!--BEGIN NOTES document-->
2347
+<HR WIDTH="50%" SIZE=1><DL><DT><A NAME="note1" HREF="#text1"><FONT SIZE=5>1</FONT></A><DD><A HREF="http://IDEALX.com/"><TT>http://IDEALX.com/</TT></A>
2348
+</DL>
2349
+<!--END NOTES-->
2350
+<!--HTMLFOOT-->
2351
+
2352
+
2353
+<DIV class="piedpage">
2354
+<HR>
2355
+<P>Documents : Copyright � 2002 IDEALX S.A.S..
2356
+'IDEALX' is the property of IDEALX.
2357
+'Samba' is the property of Samba Team. All other trademarks belong to their respective owners.
2358
+</DIV>
2359
+
2360
+<!--ENDHTML-->
2361
+<!--FOOTER-->
2362
+<HR SIZE=2>
2363
+<BLOCKQUOTE><EM>This document was translated from L<sup>A</sup>T<sub>E</sub>X by
2364
+</EM><A HREF="http://pauillac.inria.fr/~maranget/hevea/index.html"><EM>H<FONT SIZE=2><sup>E</sup></FONT>V<FONT SIZE=2><sup>E</sup></FONT>A</EM></A><EM>.
2365
+</EM></BLOCKQUOTE>
2366
+</BODY>
2367
+</HTML>
Loggerhead is a web-based interface for Breezy
Version: 2.0.1