1
--- smbldap-tools-0.9.4.orig/doc/html/index.html
2
+++ smbldap-tools-0.9.4/doc/html/index.html
4
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
5
+ "http://www.w3.org/TR/REC-html40/loose.dtd">
7
+<HEAD><TITLE>Smbldap-tools User Manual
8
+(Release: 0.9.3 )</TITLE>
10
+<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
11
+<META name="GENERATOR" content="hevea 1.07">
13
+<link rel="stylesheet" href="IDXDOC.css">
16
+<!--HEVEA command line is: hevea -fix -I ./styles -exec xxdate.exe -pedantic IDXDOC.hva smbldap-tools.tex -o smbldap-tools.html -->
20
+ <DIV class="entete">
21
+ Copyright 2002 © IDEALX S.A.S. -
22
+ Contact: <A href="mailto:samba@IDEALX.org">samba@IDEALX.org</A>
26
+<!--PREFIX <ARG ></ARG>-->
27
+<!--CUT DEF section 1 -->
33
+<H1 ALIGN=center>Smbldap-tools User Manual<BR>
34
+(<I>Release</I>: 0.9.3 )</H1>
36
+<H3 ALIGN=center>J�r�me Tournier</H3>
38
+<H3 ALIGN=center><I>Revision</I>: 1.7 , generated July 12, 2007<BR>
42
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
43
+<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Release:</TD>
44
+<TD ALIGN=left NOWRAP> </TD>
46
+<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Reference:</TD>
47
+<TD ALIGN=left NOWRAP> </TD>
49
+<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Publication date:</TD>
50
+<TD ALIGN=left NOWRAP> </TD>
52
+<TR><TD ALIGN=left NOWRAP bgcolor="#f2f2f2">Print date:</TD>
53
+<TD ALIGN=left NOWRAP>July 12, 2007</TD>
58
+This document is the property of IDEALX<SUP><A NAME="text1" HREF="#note1">1</A></SUP>.
59
+Permission is granted to distribute this document under the terms of the GNU
60
+Free Documentation License (<A HREF="http://www.gnu.org/copyleft/fdl.html"><TT>http://www.gnu.org/copyleft/fdl.html</TT></A>).<BR>
62
+<!--TOC section Table of Contents-->
64
+<H2>Table of Contents</H2><!--SEC END -->
67
+<A HREF="#htoc1">1 Introduction</A>
69
+<A HREF="#htoc2">1.1 Software requirements</A>
70
+<LI><A HREF="#htoc3">1.2 Updates of this document</A>
71
+<LI><A HREF="#htoc4">1.3 Availability of this document</A>
73
+<LI><A HREF="#htoc5">2 Installation</A>
75
+<A HREF="#htoc6">2.1 Requirements</A>
76
+<LI><A HREF="#htoc7">2.2 Installation</A>
78
+<A HREF="#htoc8">2.2.1 Installing from rpm</A>
79
+<LI><A HREF="#htoc9">2.2.2 Installing from a tarball</A>
82
+<LI><A HREF="#htoc10">3 Configuring the smbldap-tools</A>
84
+<A HREF="#htoc11">3.1 The smbldap.conf file</A>
85
+<LI><A HREF="#htoc12">3.2 The smbldap_bind.conf file</A>
87
+<LI><A HREF="#htoc13">4 Using the scripts</A>
89
+<A HREF="#htoc14">4.1 Initial directory's population</A>
90
+<LI><A HREF="#htoc15">4.2 User management</A>
92
+<A HREF="#htoc16">4.2.1 Adding a user</A>
93
+<LI><A HREF="#htoc17">4.2.2 Removing a user</A>
94
+<LI><A HREF="#htoc18">4.2.3 Modifying a user</A>
96
+<LI><A HREF="#htoc19">4.3 Group management</A>
98
+<A HREF="#htoc20">4.3.1 Adding a group</A>
99
+<LI><A HREF="#htoc21">4.3.2 Removing a group</A>
101
+<LI><A HREF="#htoc22">4.4 Adding a interdomain trust account</A>
103
+<LI><A HREF="#htoc23">5 Samba and the smbldap-tools scripts</A>
105
+<A HREF="#htoc24">5.1 General configuration</A>
106
+<LI><A HREF="#htoc25">5.2 Migrating an NT4 PDC to Samba3</A>
108
+<LI><A HREF="#htoc26">6 Frequently Asked Questions</A>
110
+<A HREF="#htoc27">6.1 How can i use old released uidNumber and gidNumber ?</A>
111
+<LI><A HREF="#htoc28">6.2 I always have this error: "Can't locate IO/Socket/SSL.pm"</A>
112
+<LI><A HREF="#htoc29">6.3 I can't initialize the directory with <TT>smbldap-populate</TT></A>
113
+<LI><A HREF="#htoc30">6.4 I can't join the domain with the <TT>root</TT> account</A>
114
+<LI><A HREF="#htoc31">6.5 I have the <TT>sambaSamAccount</TT> but i can't logged in</A>
115
+<LI><A HREF="#htoc32">6.6 I want to create machine account on the fly, but it does
116
+ not works or I must do it twice</A>
117
+<LI><A HREF="#htoc33">6.7 I can't manage the Oracle Internet Database</A>
118
+<LI><A HREF="#htoc34">6.8 The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
119
+called, or i got a error message when changing the password from windows</A>
120
+<LI><A HREF="#htoc35">6.9 New computers account can't be set in ou=computers</A>
121
+<LI><A HREF="#htoc36">6.10 I can join the domain, but i can't log on</A>
122
+<LI><A HREF="#htoc37">6.11 I can't create a user with <TT>smbldap-useradd</TT></A>
123
+<LI><A HREF="#htoc38">6.12 smbldap-useradd: Can't call method "get_value" on an undefined value at
124
+/usr/local/sbin/smbldap-useradd line 154</A>
125
+<LI><A HREF="#htoc39">6.13 Typical errors on creating a new user or a new group</A>
127
+<LI><A HREF="#htoc40">7 Thanks</A>
128
+<LI><A HREF="#htoc41">8 Annexes</A>
130
+<A HREF="#htoc42">8.1 Full configuration files</A>
132
+<A HREF="#htoc43">8.1.1 The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</A>
133
+<LI><A HREF="#htoc44">8.1.2 The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</A>
134
+<LI><A HREF="#htoc45">8.1.3 The samba configuration file : <TT>/etc/samba/smb.conf</TT> </A>
135
+<LI><A HREF="#htoc46">8.1.4 The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></A>
137
+<LI><A HREF="#htoc47">8.2 Changing the administrative account (<TT>ldap admin
138
+ dn</TT> in <TT>smb.conf</TT> file)</A>
139
+<LI><A HREF="#htoc48">8.3 known bugs</A>
145
+<!--TOC section Introduction-->
147
+<H2><A NAME="htoc1">1</A> Introduction</H2><!--SEC END -->
149
+<A NAME="sec:intro"></A>
150
+Smbldap-tools is a set of scripts designed to help integrate Samba and a
151
+LDAP directory. They target both users and administrators of Linux systems.<BR>
153
+Users can change their password in a way similar to the standard ``passwd''
156
+Administrators can perform user and group management command line actions
157
+and synchronise Samba account management consistently.<BR>
159
+This document presents:
161
+a detailled view of the smbldap-tools scripts
162
+<LI>a step by step explanation of how to set up a Samba3 domain controller
164
+<!--TOC subsection Software requirements-->
166
+<H3><A NAME="htoc2">1.1</A> Software requirements</H3><!--SEC END -->
168
+The smbldap-tools have been developped and tested with the following configuration :
170
+<FONT COLOR=purple><I>Linux</I></FONT> CentOS4 (be should work on any <FONT COLOR=purple><I>Linux</I></FONT> distribution)
171
+<LI> <FONT COLOR=purple>Samba</FONT> release 3.0.10,
172
+<LI><FONT COLOR=purple>OpenLDAP</FONT> release 2.2.13
173
+<LI><FONT COLOR=purple>Microsoft Windows NT</FONT> 4.0, Windows 2000 and Windows XP Workstations and Servers,
175
+This guide applies to <FONT COLOR=purple>smbldap-tools</FONT> <I>Release</I>: 0.9.3 .<BR>
177
+<!--TOC subsection Updates of this document-->
179
+<H3><A NAME="htoc3">1.2</A> Updates of this document</H3><!--SEC END -->
181
+The most up to date release of this document may be found on the
182
+smbldap-tools project page available at <A HREF="http://sourceforge.net/projects/smbldap-tools/"><TT>http://sourceforge.net/projects/smbldap-tools/</TT></A>.<BR>
184
+If you find any bugs in this document, or if you want this document to
185
+integrate some additional infos, please drop me a mail with your bug report
186
+and/or change request at <U>jtournier@gmail.com</U>.<BR>
188
+<!--TOC subsection Availability of this document-->
190
+<H3><A NAME="htoc4">1.3</A> Availability of this document</H3><!--SEC END -->
192
+This document is the property of <FONT COLOR=purple>IDEALX</FONT> (<A HREF="http://www.IDEALX.com/"><TT>http://www.IDEALX.com/</TT></A>). <BR>
194
+Permission is granted to distribute this document under the terms of the GNU
195
+Free Documentation License (See <A HREF="http://www.gnu.org/copyleft/fdl.html"><TT>http://www.gnu.org/copyleft/fdl.html</TT></A>).
196
+ <!--TOC section Installation-->
198
+<H2><A NAME="htoc5">2</A> Installation</H2><!--SEC END -->
200
+<!--TOC subsection Requirements-->
202
+<H3><A NAME="htoc6">2.1</A> Requirements</H3><!--SEC END -->
204
+The main requirement for using smbldap-tools are the two perl module:
205
+Net::LDAP and Crypt::SmbHash.
206
+In most cases, you'll also need the IO-Socket-SSL Perl module to use
207
+TLS functionnality.<BR>
209
+If you want samba to call the scripts so that you can use the User
210
+Manager (or any other) under MS-Windows (to add, delete modify users and
211
+groups), <FONT COLOR=purple>Samba</FONT> must be installed on the same computer.
212
+Finally, <FONT COLOR=purple>OpenLDAP</FONT> can be installed on any computer. Please check that it
213
+can be contacted by a standard LDAP client software.<BR>
215
+<FONT COLOR=purple>Samba</FONT> and <FONT COLOR=purple>OpenLDAP</FONT> installations will not be discussed
216
+here. You can consult the howto also available on the
217
+project page (<A HREF="http://sourceforge.net/projects/smbldap-tools/"><TT>http://sourceforge.net/projects/smbldap-tools/</TT></A>).<BR>
219
+<!--TOC subsection Installation-->
221
+<H3><A NAME="htoc7">2.2</A> Installation</H3><!--SEC END -->
223
+An archive of the <FONT COLOR=purple>smbldap-tools</FONT> scripts can be downloaded on our project
224
+page <A HREF="http://sourceforge.net/projects/smbldap-tools/"><TT>http://sourceforge.net/projects/smbldap-tools/</TT></A>. Archive and RedHat packages are
227
+If you are upgrading, look at the <TT>INSTALL</TT> file or read the link
228
+<A HREF="#faq::error::add::user">6.13</A>.<BR>
230
+<!--TOC subsubsection Installing from rpm-->
232
+<H4><A NAME="htoc8">2.2.1</A> Installing from rpm</H4><!--SEC END -->
234
+To install the scripts on a RedHat system, download the RPM
235
+package and run the following command:
237
+rpm -Uvh smbldap-tools-0.9.3-1.i386.rpm
239
+<!--TOC subsubsection Installing from a tarball-->
241
+<H4><A NAME="htoc9">2.2.2</A> Installing from a tarball</H4><!--SEC END -->
243
+On non RedHat system, download a source archive of the scripts. The current
244
+archive is <TT>smbldap-tools-0.9.3.tar.gz</TT>.
245
+Uncompress it and copy all of the Perl scripts in <TT>/usr/sbin</TT>
246
+directory, and the two configuration files in
247
+<TT>/etc/smbldap-tools/</TT> directory:
249
+mkdir /etc/smbldap-tools/
250
+cp *.conf /etc//smbldap-tools/
251
+cp smbldap-* /usr/sbin/
253
+The configuration is now based on two differents files:
255
+<TT>smbldap.conf</TT>: define global parameter
256
+<LI><TT>smbldap_bind.conf</TT>: define an administrative account to
257
+ bind to the directory
259
+The second file <B>must</B> be readable only for 'root', as it contains
260
+credentials allowing modifications on all the directory. Make sure the
261
+files are protected by running the following commands:
263
+chmod 644 /etc/smbldap-tools/smbldap.conf
264
+chmod 600 /etc/smbldap-tools/smbldap_bind.conf
265
+</PRE> <!--TOC section Configuring the smbldap-tools-->
267
+<H2><A NAME="htoc10">3</A> Configuring the smbldap-tools</H2><!--SEC END -->
269
+As mentioned in the previous section, you'll have to update two
270
+configuration files. The first (<TT>smbldap.conf</TT>) allows you to
271
+set global parameter that are readable by everybody, and the second
272
+(<TT>smbldap_bind.conf</TT>) defines two administrative accounts to
273
+bind to a slave and a master ldap server: this file must thus be
274
+readable only by root.<BR>
276
+A script named <TT>configure.pl</TT> can help you to set their contents
277
+up. It is located in the tarball
278
+downloaded or in the documentation directory if you got the RPM
279
+archive (see <TT>/usr/share/doc/smbldap-tools-0.9.3/</TT>). Just invoke it:
281
+/usr/share/doc/smbldap-tools-0.9.3/configure.pl
282
+</PRE>It will ask for the default values defined in your
283
+<TT>smb.conf</TT> file, and will update the two configuration files used
284
+by the scripts. Samba configuration file should then be already configured.
285
+Note that you can stop the script at any moment with
286
+the <TT>Crtl-c</TT> keys.<BR>
287
+Before using this script :
289
+the two configuration files <B>must</B> be present in the
290
+ <TT>/etc/smbldap-tools/</TT> directory
291
+<LI>check that samba is configured and running, as the script will try to
292
+ get your workgroup's domain secure id (SID).
294
+In those files, parameters are defined like this:
297
+</PRE>Full example configuration files can be found at
298
+<A HREF="#configuration::files">8.1</A>.<BR>
300
+<!--TOC subsection The smbldap.conf file-->
302
+<H3><A NAME="htoc11">3.1</A> The smbldap.conf file</H3><!--SEC END -->
304
+This file is used to define parameters that can be readable by
305
+everybody. A full example file is available in section <A HREF="#configuration::file::smbldap">8.1.1</A>.<BR>
307
+Let's have a look at all available parameters.
309
+<TT>UID_START</TT> and <TT>GID_START</TT> : parameters deprecated
311
+ Those parameters must be removed or commented.
312
+ <LI>Available uid and gid are now defined in the default
313
+ new entry <TT>sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"</TT>.
314
+ See later for <TT>${sambaDomain}</TT> and <TT>${suffix}</TT> definitions.
316
+<LI><TT>SID</TT> : Secure Identifier Domain
318
+ Example: <TT>SID="S-1-5-21-3703471949-3718591838-2324585696"</TT>
319
+ <LI>Remark: you can get the SID for your domain using the "<TT>net getlocalsid</TT>"
320
+ command. Samba must be up and running for this to work (it can take <B>several</B> minutes for a Samba server to correctly negotiate its status with other network servers).
322
+<LI><TT>sambaDomain</TT> : Samba Domain the Samba server is in charge
324
+ Example: <TT>sambaDomain="DOMSMB"</TT>
325
+ <LI>Remark: if not defined, parameter is taking from smb.conf configuration file
327
+<LI><TT>slaveLDAP</TT> : slave LDAP server
329
+ Example: <TT>slaveLDAP="127.0.0.1"</TT>
330
+ <LI>Remark: must be a resolvable DNS name or it's IP address
332
+<LI><TT>slavePort</TT> : port to contact the slave server
334
+ Example: <TT>slavePort="389"</TT>
336
+<LI><TT>masterLDAP</TT> : master LDAP server
338
+ Example: <TT>masterLDAP="127.0.0.1"</TT>
340
+<LI><TT>masterPort</TT> : port to contact the master server
342
+ Example: <TT>masterPort="389"</TT>
344
+<LI><TT>ldapTLS</TT> : should we use TLS connection to contact the
347
+ Example: <TT>ldapTLS="1"</TT>
348
+ <LI>Remark: the LDAP severs must be configured to accept TLS
349
+ connections. See section the Samba-LDAP Howto for more
350
+ details (<A HREF="http://samba.idealx.org/smbldap-howto.fr.html"><TT>http://samba.idealx.org/smbldap-howto.fr.html</TT></A>). If you are using TLS support, select port 389 to connect to
351
+ the master and slave directories.
353
+<LI><TT>verify</TT> : How to verify the server's certificate (none, optional or require).
355
+ Example: <TT>verify="require"</TT>
356
+ <LI>Remarl: See ``man Net::LDAP'' in start_tls section for more details
358
+<LI><TT>cafile</TT> : the PEM-format file containing certificates
359
+ for the CA that slapd will trust
361
+ Example: <TT>cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"</TT>
363
+<LI><TT>clientcert</TT> : the file that contains the client certificate
365
+ Example: <TT>clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem"</TT>
367
+<LI><TT>clientkey</TT> : the file that contains the private key that
368
+ matches the certificate stored in the clientcert file
370
+ Example: <TT>clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key"</TT>
372
+<LI><TT>suffix</TT> : The distinguished name of the search base
374
+ Example: <TT>suffix="dc=idealx,dc=com"</TT>
376
+<LI><TT>usersdn</TT> : branch in which users account can be found or
379
+ Example: <TT>usersdn="ou=Users,${suffix}"</TT>
380
+ <LI>Remark: this branch is <B>not</B> relative to the suffix value
382
+<LI><TT>computersdn</TT> : branch in which computers account can be
383
+ found or must be added
385
+ Example: <TT>computersdn"ou=Computers,${suffix}"</TT>
386
+ <LI>Remark: this branch is <B>not</B> relative to the suffix value
388
+<LI><TT>groupsdn</TT> : branch in which groups account can be found
391
+ Example: <TT>groupsdn="ou=Groups,${suffix}"</TT>
392
+ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
394
+<LI><TT>idmapdn</TT> : where are stored Idmap entries (used if samba is a domain member server)
396
+ Example: <TT>idmapdn="ou=Idmap,${suffix}"</TT>
397
+ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
399
+<LI><TT>sambaUnixIdPooldn</TT> : object in which next uidNumber and gidNumber available are stored
401
+ Example: <TT>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"</TT>
402
+ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
404
+<LI><TT>scope</TT> : the search scope.
406
+ Example: <TT>scope="sub"</TT>
408
+<LI><TT>hash_encrypt</TT> : hash to be used when generating a
411
+ Example: <TT>hash_encrypt="SSHA"</TT>
412
+ <LI>Remark: This is used for the unix password stored in <I>userPassword</I> attribute.
414
+<LI><TT>crypt_salt_format="%s"</TT> : if hash_encrypt is set to
415
+ CRYPT, you may set a salt format. Default is "%s", but many systems
416
+ will generate MD5 hashed passwords if you use "$1$%.8s". This
417
+ parameter is optional.
418
+<LI><TT>userLoginShell</TT> : default shell given to users.
420
+ Example: <TT>userLoginShell="/bin/bash"</TT>
421
+ <LI>Remark: This is stored in <I>loginShell</I> attribute.
423
+<LI><TT>userHome</TT> : default directory where users's home
424
+ directory are located.
426
+ Example: <TT>userHome="/home/%U"</TT>
427
+ <LI>Remark: This is stored in <TT>homeDirectory</TT> attribute.
429
+<LI><TT>userGecos</TT> : gecos used for users
431
+ Example: <TT>userGecos="System User"</TT>
433
+<LI><TT>defaultUserGid</TT> : default primary group set to users accounts
435
+ Example: <TT>defaultUserGid="513"</TT>
436
+ <LI>Remark: this is stored in <I>gidNumber</I> attribute.
438
+<LI><TT>defaultComputerGid</TT> : default primary group set to
441
+ Example: <TT>defaultComputerGid="550"</TT>
442
+ <LI>Remark: this is stored in <I>gidNumber</I> attribute.
444
+<LI><TT>skeletonDir</TT> : skeleton directory used for users accounts
446
+ Example: <TT>skeletonDir="/etc/skel"</TT>
447
+ <LI>Remark: this option is used only if you ask for home directory creation when adding a new user.
449
+<LI><TT>defaultMaxPasswordAge</TT> : default validation time for Samba password (in days)
451
+ Example: <TT>defaultMaxPassword="55"</TT>
453
+<LI><TT>userSmbHome</TT> : samba share used to store user's home directory
456
+ <TT>userSmbHome="\\PDC-SMB3\ <I>home</I>\%<I>U</I>"</TT>
457
+ <LI>Remark: this is stored in <I>sambaHomePath</I> attribute.
459
+<LI><TT>userProfile</TT> : samba share used to store user's profile
462
+ <TT>userProfile="\\PDC-SMB3\ <I>profiles</I>\%<I>U</I>"</TT>
463
+ <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
465
+<LI><TT>userHomeDrive</TT> : letter used on windows system to map
468
+ Example: <TT>userHomeDrive="K:"</TT>
470
+<LI><TT>userScript</TT> : default user netlogon script name. If not used, will be automatically <I>username.cmd</I>
473
+ <TT>userScript="%U"</TT>
474
+ <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
476
+<LI><TT>mailDomain</TT> : Domain appended to the users "mail"
479
+ Example: <TT>mailDomain="idealx.org"</TT>
481
+<LI><TT>with_smbpasswd</TT> : should we use the <I>smbpasswd</I> command
482
+ to set the user's password (instead of the <I>mkntpwd</I> utility) ?
484
+ Example: <TT>with_smbpasswd="0"</TT>
485
+ <LI>Remark: must be a boolean value (0 or 1).
487
+<LI><TT>smbpasswd</TT> : path to the <TT>smbpasswd</TT> binary
489
+ Example: <TT>smbpasswd="/usr/bin/smbpasswd"</TT>
491
+<LI><TT>with_slappasswd</TT> : should we use the <I>slappasswd</I> command
492
+ to set the Unix user's password (instead of the <I>Crypt::</I> librairies) ?
494
+ Example: <TT>with_smbpasswd="0"</TT>
495
+ <LI>Remark: must be a boolean value (0 or 1).
497
+<LI><TT>slappasswd</TT> : path to the <TT>slappasswd</TT> binary
499
+ Example: <TT>smbpasswd="/usr/sbin/slappasswd"</TT>
502
+<!--TOC subsection The smbldap_bind.conf file-->
504
+<H3><A NAME="htoc12">3.2</A> The smbldap_bind.conf file</H3><!--SEC END -->
506
+This file is only used by <I>root</I> to give bind parameters to the directory when modifications are asked.
507
+It contains distinguised names and credentials to connect to
508
+both the master and slave directories. A full example file is available
509
+in section <A HREF="#configuration::file::smbldap::bind">8.1.2</A>.<BR>
511
+Let's have a look at all available parameters.
513
+<TT>slaveDN</TT> : distinguished name used to bind to the slave server
515
+ Example 1: <TT>slaveDN="cn=Manager,dc=idealx,dc=com"</TT>
516
+ <LI>Example 2: <TT>slaveDN=""</TT>
517
+ <LI>Remark: this can be the manager account of the directory or
518
+ any LDAP account that has sufficient permissions to read the full
519
+ directory (Slave directory is only used for reading). Anonymous
520
+ connections uses the second example form.
522
+<LI><TT>slavePw</TT> : the credentials to bind to the slave server
524
+ Example 1: <TT>slavePw="secret"</TT>
525
+ <LI>Example 2: <TT>slavePw=""</TT>
526
+ <LI>Remark: the password must be stored here in clear form. This
527
+ file must then be readable only by root! All anonymous connections
528
+ use the second form provided in our example.
530
+<LI><TT>masterDN</TT> : the distinguished name used to bind to the master server
532
+ Example: <TT>masterDN="cn=Manager,dc=idealx,dc=com"</TT>
533
+ <LI>Remark: this can be the manager account of the directory or
534
+ any LDAP account that has enough permissions to modify the content
535
+ of the directory. Anonymous access does not make any sense here.
537
+<LI><TT>masterPw</TT> : the credentials to bind to the master server
539
+ Example: <TT>masterPw="secret"</TT>
540
+ <LI>Remark: the password must be in clear text. Be sure to protect
541
+ this file against unauthorized readers!
544
+ <!--TOC section Using the scripts-->
546
+<H2><A NAME="htoc13">4</A> Using the scripts</H2><!--SEC END -->
548
+<!--TOC subsection Initial directory's population-->
550
+<H3><A NAME="htoc14">4.1</A> Initial directory's population</H3><!--SEC END -->
552
+You can initialize the LDAP directory using the
553
+<TT>smbldap-populate</TT> script. To do that, the account defined in
554
+the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> to access the
555
+master directory <B>must</B> must be the manager account defined in the
556
+directory configuration. On RedHat system, this file is
557
+<TT>/etc/openldap/slapd.conf</TT> and the account is defined with
558
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
559
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
561
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
566
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
570
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
572
+ rootdn "cn=Manager,dc=idealx,dc=com"
576
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
581
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
586
+</TR></TABLE>The <TT>smbldap_bind.conf</TT> file must then be configured so that
587
+the parameters to connect to the master LDAP server match the previous ones:
588
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
589
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
591
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
596
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
600
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
602
+ masterDN="cn=Manager,dc=idealx,dc=com"
606
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
611
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
617
+Available options for this script are summarized in the table <A HREF="#table::populate">1</A>:
618
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
619
+ <A NAME="code_epsilon_var"></A>
621
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
622
+<TR><TD ALIGN=left NOWRAP>option</TD>
623
+<TD ALIGN=left NOWRAP>definition</TD>
624
+<TD ALIGN=left NOWRAP>default value</TD>
626
+<TR><TD ALIGN=left NOWRAP>-u <I>uidNumber</I></TD>
627
+<TD ALIGN=left NOWRAP>first uidNumber to allocate</TD>
628
+<TD ALIGN=left NOWRAP>1000</TD>
630
+<TR><TD ALIGN=left NOWRAP>-g <I>gidNumber</I></TD>
631
+<TD ALIGN=left NOWRAP>first uidNumber to allocate</TD>
632
+<TD ALIGN=left NOWRAP>1000</TD>
634
+<TR><TD ALIGN=left NOWRAP>-a <I>user</I></TD>
635
+<TD ALIGN=left NOWRAP>administrator login name</TD>
636
+<TD ALIGN=left NOWRAP>Administrator</TD>
638
+<TR><TD ALIGN=left NOWRAP>-b <I>user</I></TD>
639
+<TD ALIGN=left NOWRAP>guest login name</TD>
640
+<TD ALIGN=left NOWRAP>nobody</TD>
642
+<TR><TD ALIGN=left NOWRAP>-e <I>file</I></TD>
643
+<TD ALIGN=left NOWRAP>export a init file</TD>
644
+<TD ALIGN=left NOWRAP> </TD>
646
+<TR><TD ALIGN=left NOWRAP>-i <I>file</I></TD>
647
+<TD ALIGN=left NOWRAP>import a init file</TD>
648
+<TD ALIGN=left NOWRAP> </TD>
652
+<DIV ALIGN=center>Table 1: Options available for the <TT>smbldap-populate</TT> script</DIV><BR>
654
+ <A NAME="table::populate"></A>
655
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
656
+In the more general case, to set up your directory, simply use the
659
+[root@etoile root]# smbldap-populate
660
+Using builtin directory structure
661
+adding new entry: dc=idealx,dc=com
662
+adding new entry: ou=Users,dc=idealx,dc=com
663
+adding new entry: ou=Groups,dc=idealx,dc=com
664
+adding new entry: ou=Computers,dc=idealx,dc=com
665
+adding new entry: ou=Idmap,dc=idealx,dc=org
666
+adding new entry: cn=NextFreeUnixId,dc=idealx,dc=org
667
+adding new entry: uid=Administrator,ou=Users,dc=idealx,dc=com
668
+adding new entry: uid=nobody,ou=Users,dc=idealx,dc=com
669
+adding new entry: cn=Domain Admins,ou=Groups,dc=idealx,dc=com
670
+adding new entry: cn=Domain Users,ou=Groups,dc=idealx,dc=com
671
+adding new entry: cn=Domain Guests,ou=Groups,dc=idealx,dc=com
672
+adding new entry: cn=Print Operators,ou=Groups,dc=idealx,dc=com
673
+adding new entry: cn=Backup Operators,ou=Groups,dc=idealx,dc=com
674
+adding new entry: cn=Replicator,ou=Groups,dc=idealx,dc=com
675
+adding new entry: cn=Domain Computers,ou=Groups,dc=idealx,dc=com
677
+After this step, if you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
678
+account anymore, you can create a dedicated account for Samba and the
679
+smbldap-tools. See section <A HREF="#change::manager">8.2</A> for more details.<BR>
681
+The <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> entry is only used to
682
+defined the next uidNumber and gidNumber available for creating new
683
+users and groups. The default values for those numbers are 1000. You
684
+can change it with the <TT>-u</TT> and <TT>-g</TT> option. For
685
+example, if you want the first available value for uidNumber and
686
+gidNumber to be set to 1500, you can use the following command :
688
+smbldap-populate -u 1550 -g 1500
690
+<!--TOC subsection User management-->
692
+<H3><A NAME="htoc15">4.2</A> User management</H3><!--SEC END -->
694
+<!--TOC subsubsection Adding a user-->
696
+<H4><A NAME="htoc16">4.2.1</A> Adding a user</H4><!--SEC END -->
697
+<A NAME="add::user"></A>
698
+To add a user, use the <TT>smbldap-useradd</TT> script. Available
699
+options are summarized in the table <A HREF="#table::add::user">2</A>. If applicable,
700
+default values are mentionned in the third column. Any string beginning with a
701
+$ symbol refers to a parameter defined in the
702
+<TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> configuration file.
703
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
705
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
706
+<TR><TD VALIGN=top ALIGN=left>option</TD>
707
+<TD VALIGN=top ALIGN=left>definition</TD>
708
+<TD VALIGN=top ALIGN=left>example</TD>
709
+<TD VALIGN=top ALIGN=left>default value</TD>
711
+<TR><TD VALIGN=top ALIGN=left>-a</TD>
712
+<TD VALIGN=top ALIGN=left>create a Windows account. Otherwise, only a Posix account
714
+<TD VALIGN=top ALIGN=left> </TD>
715
+<TD VALIGN=top ALIGN=left> </TD>
717
+<TR><TD VALIGN=top ALIGN=left>-w</TD>
718
+<TD VALIGN=top ALIGN=left>create a Windows Workstation account</TD>
719
+<TD VALIGN=top ALIGN=left> </TD>
720
+<TD VALIGN=top ALIGN=left> </TD>
722
+<TR><TD VALIGN=top ALIGN=left>-i</TD>
723
+<TD VALIGN=top ALIGN=left>create an interdomain trust account. See section
724
+ <A HREF="#trust::account">4.4</A> for more details</TD>
725
+<TD VALIGN=top ALIGN=left> </TD>
726
+<TD VALIGN=top ALIGN=left> </TD>
728
+<TR><TD VALIGN=top ALIGN=left>-u</TD>
729
+<TD VALIGN=top ALIGN=left>set a uid value</TD>
730
+<TD VALIGN=top ALIGN=left>-u 1003</TD>
731
+<TD VALIGN=top ALIGN=left>first uid available</TD>
733
+<TR><TD VALIGN=top ALIGN=left>-g</TD>
734
+<TD VALIGN=top ALIGN=left>set a gid value</TD>
735
+<TD VALIGN=top ALIGN=left>-g 1003</TD>
736
+<TD VALIGN=top ALIGN=left>first gid available</TD>
738
+<TR><TD VALIGN=top ALIGN=left>-G</TD>
739
+<TD VALIGN=top ALIGN=left>add the new account to one or several supplementary
740
+ groups (comma-separated)</TD>
741
+<TD VALIGN=top ALIGN=left>-G 512,550</TD>
742
+<TD VALIGN=top ALIGN=left> </TD>
744
+<TR><TD VALIGN=top ALIGN=left>-d</TD>
745
+<TD VALIGN=top ALIGN=left>set the home directory</TD>
746
+<TD VALIGN=top ALIGN=left>-d /var/user</TD>
747
+<TD VALIGN=top ALIGN=left>$userHomePrefix/user</TD>
749
+<TR><TD VALIGN=top ALIGN=left>-s</TD>
750
+<TD VALIGN=top ALIGN=left>set the login shell</TD>
751
+<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
752
+<TD VALIGN=top ALIGN=left>$userLoginShell</TD>
754
+<TR><TD VALIGN=top ALIGN=left>-c</TD>
755
+<TD VALIGN=top ALIGN=left>set the user gecos</TD>
756
+<TD VALIGN=top ALIGN=left>-c "admin user"</TD>
757
+<TD VALIGN=top ALIGN=left>$userGecos</TD>
759
+<TR><TD VALIGN=top ALIGN=left>-m</TD>
760
+<TD VALIGN=top ALIGN=left>creates user's home directory and copies /etc/skel
762
+<TD VALIGN=top ALIGN=left> </TD>
763
+<TD VALIGN=top ALIGN=left> </TD>
765
+<TR><TD VALIGN=top ALIGN=left>-k</TD>
766
+<TD VALIGN=top ALIGN=left>set the skeleton dir (with -m)</TD>
767
+<TD VALIGN=top ALIGN=left>-k /etc/skel2</TD>
768
+<TD VALIGN=top ALIGN=left>$skeletonDir</TD>
770
+<TR><TD VALIGN=top ALIGN=left>-P</TD>
771
+<TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's
773
+<TD VALIGN=top ALIGN=left> </TD>
774
+<TD VALIGN=top ALIGN=left> </TD>
776
+<TR><TD VALIGN=top ALIGN=left>-A</TD>
777
+<TD VALIGN=top ALIGN=left>user can change password ? 0 if no, 1 if yes</TD>
778
+<TD VALIGN=top ALIGN=left>-A 1</TD>
779
+<TD VALIGN=top ALIGN=left> </TD>
781
+<TR><TD VALIGN=top ALIGN=left>-B</TD>
782
+<TD VALIGN=top ALIGN=left>user must change password at first session ? 0 if no, 1
784
+<TD VALIGN=top ALIGN=left>-B 1</TD>
785
+<TD VALIGN=top ALIGN=left> </TD>
787
+<TR><TD VALIGN=top ALIGN=left>-C</TD>
788
+<TD VALIGN=top ALIGN=left>set the samba home share</TD>
789
+<TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD>
790
+<TD VALIGN=top ALIGN=left>$userSmbHome</TD>
792
+<TR><TD VALIGN=top ALIGN=left>-D</TD>
793
+<TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD>
794
+<TD VALIGN=top ALIGN=left>-D H:</TD>
795
+<TD VALIGN=top ALIGN=left>$userHomeDrive</TD>
797
+<TR><TD VALIGN=top ALIGN=left>-E</TD>
798
+<TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD>
799
+<TD VALIGN=top ALIGN=left>-E common.bat</TD>
800
+<TD VALIGN=top ALIGN=left>$userScript</TD>
802
+<TR><TD VALIGN=top ALIGN=left>-F</TD>
803
+<TD VALIGN=top ALIGN=left>set the profile directory</TD>
804
+<TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD>
805
+<TD VALIGN=top ALIGN=left>$userProfile</TD>
807
+<TR><TD VALIGN=top ALIGN=left>-H</TD>
808
+<TD VALIGN=top ALIGN=left>set the samba account control bits
809
+ like'[NDHTUMWSLKI]'</TD>
810
+<TD VALIGN=top ALIGN=left>-H [X]</TD>
811
+<TD VALIGN=top ALIGN=left> </TD>
813
+<TR><TD VALIGN=top ALIGN=left>-N</TD>
814
+<TD VALIGN=top ALIGN=left>set the canonical name of the user</TD>
815
+<TD VALIGN=top ALIGN=left> </TD>
816
+<TD VALIGN=top ALIGN=left> </TD>
818
+<TR><TD VALIGN=top ALIGN=left>-S</TD>
819
+<TD VALIGN=top ALIGN=left>set the surname of the user</TD>
820
+<TD VALIGN=top ALIGN=left> </TD>
821
+<TD VALIGN=top ALIGN=left> </TD>
823
+<TR><TD VALIGN=top ALIGN=left>-M</TD>
824
+<TD VALIGN=top ALIGN=left>local mailAddress (comma seperated)</TD>
825
+<TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD>
826
+<TD VALIGN=top ALIGN=left> </TD>
828
+<TR><TD VALIGN=top ALIGN=left>-T</TD>
829
+<TD VALIGN=top ALIGN=left>forward mail address (comma seperated)</TD>
830
+<TD VALIGN=top ALIGN=left>-T
831
+ testuser@domain.org</TD>
832
+<TD VALIGN=top ALIGN=left> </TD>
836
+<DIV ALIGN=center>Table 2: Options available to the <TT>smbldap-useradd</TT> script</DIV><BR>
838
+ <A NAME="table::add::user"></A>
839
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
841
+For example, if you want to add a user named <I>user_admin</I> and who :
844
+<LI>must belong to the group of gid=512 ('Domain Admins' group)
845
+<LI>has a home directory
846
+<LI>does not have a login shell
847
+<LI>has a homeDirectory set to /dev/null
848
+<LI>does not have a roaming profile
849
+<LI>and for whom we want to set a first login password
853
+smbldap-useradd -a -G 512 -m -s /bin/false -d /dev/null -F "" -P user_admin
855
+<!--TOC subsubsection Removing a user-->
857
+<H4><A NAME="htoc17">4.2.2</A> Removing a user</H4><!--SEC END -->
859
+To remove a user account, use the <TT>smbldap-userdel</TT> script.
860
+Available options are
861
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
863
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
864
+<TR><TD ALIGN=left NOWRAP>option</TD>
865
+<TD ALIGN=left NOWRAP>definition</TD>
867
+<TR><TD ALIGN=left NOWRAP>-r</TD>
868
+<TD ALIGN=left NOWRAP>remove home directory</TD>
870
+<TR><TD ALIGN=left NOWRAP>-R</TD>
871
+<TD ALIGN=left NOWRAP>remove home directory interactively</TD>
875
+<DIV ALIGN=center>Table 3: Option available to the <TT>smbldap-userdel</TT> script</DIV><BR>
877
+ <A NAME="table::del::user"></A>
878
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
879
+For example, if you want to remove the <I>user1</I> account
880
+from the LDAP directory, and if you also want to delete his home
881
+directory, use the following command :
883
+smbldap-userdel -r user1
885
+Note: '-r' is dangerous as it may delete precious and unbackuped data,
886
+please be careful.<BR>
888
+<!--TOC subsubsection Modifying a user-->
890
+<H4><A NAME="htoc18">4.2.3</A> Modifying a user</H4><!--SEC END -->
891
+<A NAME="modify::user"></A>
892
+To modify a user account, use the <TT>smbldap-usermod</TT> script.
893
+Availables options are listed in the table <A HREF="#table::modify::user">4</A>.
894
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
896
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
897
+<TR><TD VALIGN=top ALIGN=left>option</TD>
898
+<TD VALIGN=top ALIGN=left>definition</TD>
899
+<TD VALIGN=top ALIGN=left>example</TD>
901
+<TR><TD VALIGN=top ALIGN=left>-c</TD>
902
+<TD VALIGN=top ALIGN=left>set the user gecos</TD>
903
+<TD VALIGN=top ALIGN=left>-c "admin user"</TD>
905
+<TR><TD VALIGN=top ALIGN=left>-d</TD>
906
+<TD VALIGN=top ALIGN=left>set the home directory</TD>
907
+<TD VALIGN=top ALIGN=left>-d /var/user</TD>
909
+<TR><TD VALIGN=top ALIGN=left>-u</TD>
910
+<TD VALIGN=top ALIGN=left>set a uid value</TD>
911
+<TD VALIGN=top ALIGN=left>-u 1003</TD>
913
+<TR><TD VALIGN=top ALIGN=left>-g</TD>
914
+<TD VALIGN=top ALIGN=left>set a gid value</TD>
915
+<TD VALIGN=top ALIGN=left>-g 1003</TD>
917
+<TR><TD VALIGN=top ALIGN=left>-G</TD>
918
+<TD VALIGN=top ALIGN=left>add the new account to one or several supplementary
919
+ groups (comma-separated)</TD>
920
+<TD VALIGN=top ALIGN=left>-G 512,550</TD>
922
+<TR><TD VALIGN=top ALIGN=left> </TD>
923
+<TD VALIGN=top ALIGN=left> </TD>
924
+<TD VALIGN=top ALIGN=left>-G -512,550</TD>
926
+<TR><TD VALIGN=top ALIGN=left> </TD>
927
+<TD VALIGN=top ALIGN=left> </TD>
928
+<TD VALIGN=top ALIGN=left>-G +512,550</TD>
930
+<TR><TD VALIGN=top ALIGN=left>-s</TD>
931
+<TD VALIGN=top ALIGN=left>set the login shell</TD>
932
+<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
934
+<TR><TD VALIGN=top ALIGN=left>-N</TD>
935
+<TD VALIGN=top ALIGN=left>set the canonical name of the user</TD>
936
+<TD VALIGN=top ALIGN=left> </TD>
938
+<TR><TD VALIGN=top ALIGN=left>-S</TD>
939
+<TD VALIGN=top ALIGN=left>set the surname of the user</TD>
940
+<TD VALIGN=top ALIGN=left> </TD>
942
+<TR><TD VALIGN=top ALIGN=left>-P</TD>
943
+<TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's password</TD>
944
+<TD VALIGN=top ALIGN=left> </TD>
946
+<TR><TD VALIGN=top ALIGN=left>-a</TD>
947
+<TD VALIGN=top ALIGN=left>add sambaSAMAccount objectclass</TD>
948
+<TD VALIGN=top ALIGN=left> </TD>
950
+<TR><TD VALIGN=top ALIGN=left>-e</TD>
951
+<TD VALIGN=top ALIGN=left>set an expiration date for the password (format: YYYY-MM-DD HH:MM:SS)</TD>
952
+<TD VALIGN=top ALIGN=left> </TD>
954
+<TR><TD VALIGN=top ALIGN=left>-A</TD>
955
+<TD VALIGN=top ALIGN=left>user can change password ? 0 if no, 1 if yes</TD>
956
+<TD VALIGN=top ALIGN=left>-A 1</TD>
958
+<TR><TD VALIGN=top ALIGN=left>-B</TD>
959
+<TD VALIGN=top ALIGN=left>user must change password at first session ? 0 if no, 1
961
+<TD VALIGN=top ALIGN=left>-B 1</TD>
963
+<TR><TD VALIGN=top ALIGN=left>-C</TD>
964
+<TD VALIGN=top ALIGN=left>set the samba home share</TD>
965
+<TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD>
967
+<TR><TD VALIGN=top ALIGN=left> </TD>
968
+<TD VALIGN=top ALIGN=left> </TD>
969
+<TD VALIGN=top ALIGN=left>-C ""</TD>
971
+<TR><TD VALIGN=top ALIGN=left>-D</TD>
972
+<TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD>
973
+<TD VALIGN=top ALIGN=left>-D H:</TD>
975
+<TR><TD VALIGN=top ALIGN=left> </TD>
976
+<TD VALIGN=top ALIGN=left> </TD>
977
+<TD VALIGN=top ALIGN=left>-D ""</TD>
979
+<TR><TD VALIGN=top ALIGN=left>-E</TD>
980
+<TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD>
981
+<TD VALIGN=top ALIGN=left>-E common.bat</TD>
983
+<TR><TD VALIGN=top ALIGN=left> </TD>
984
+<TD VALIGN=top ALIGN=left> </TD>
985
+<TD VALIGN=top ALIGN=left>-E ""</TD>
987
+<TR><TD VALIGN=top ALIGN=left>-F</TD>
988
+<TD VALIGN=top ALIGN=left>set the profile directory</TD>
989
+<TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD>
991
+<TR><TD VALIGN=top ALIGN=left> </TD>
992
+<TD VALIGN=top ALIGN=left> </TD>
993
+<TD VALIGN=top ALIGN=left>-F ""</TD>
995
+<TR><TD VALIGN=top ALIGN=left>-H</TD>
996
+<TD VALIGN=top ALIGN=left>set the samba account control bits like'[NDHTUMWSLKI]'</TD>
997
+<TD VALIGN=top ALIGN=left>-H [X]</TD>
999
+<TR><TD VALIGN=top ALIGN=left>-I</TD>
1000
+<TD VALIGN=top ALIGN=left>disable a user account</TD>
1001
+<TD VALIGN=top ALIGN=left>-I 1</TD>
1003
+<TR><TD VALIGN=top ALIGN=left>-J</TD>
1004
+<TD VALIGN=top ALIGN=left>enable a user</TD>
1005
+<TD VALIGN=top ALIGN=left>-J 1</TD>
1007
+<TR><TD VALIGN=top ALIGN=left>-M</TD>
1008
+<TD VALIGN=top ALIGN=left>local mailAddress (comma seperated)</TD>
1009
+<TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD>
1011
+<TR><TD VALIGN=top ALIGN=left>-T</TD>
1012
+<TD VALIGN=top ALIGN=left>forward mail address (comma seperated)</TD>
1013
+<TD VALIGN=top ALIGN=left>-T
1014
+ testuser@domain.org</TD>
1018
+<DIV ALIGN=center>Table 4: Options available to the <TT>smbldap-usermod</TT> script</DIV><BR>
1020
+ <A NAME="table::modify::user"></A>
1021
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
1022
+You can also use the <TT>smbldap-userinfo</TT> script to update user's information. This script can
1023
+also be used by users themselves to update their own informations listed in the tables
1024
+<A HREF="#table::modify::self::user">5</A> (adequats ACL must be set in the directory server). Available
1026
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
1027
+ <DIV ALIGN=center>
1028
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
1029
+<TR><TD VALIGN=top ALIGN=left>option</TD>
1030
+<TD VALIGN=top ALIGN=left>definition</TD>
1031
+<TD VALIGN=top ALIGN=left>example</TD>
1033
+<TR><TD VALIGN=top ALIGN=left>-f</TD>
1034
+<TD VALIGN=top ALIGN=left>set the full name's user</TD>
1035
+<TD VALIGN=top ALIGN=left>-f MyName</TD>
1037
+<TR><TD VALIGN=top ALIGN=left>-r</TD>
1038
+<TD VALIGN=top ALIGN=left>set the room number</TD>
1039
+<TD VALIGN=top ALIGN=left>-r 99</TD>
1041
+<TR><TD VALIGN=top ALIGN=left>-w</TD>
1042
+<TD VALIGN=top ALIGN=left>set the work phone number</TD>
1043
+<TD VALIGN=top ALIGN=left>-w 111111111</TD>
1045
+<TR><TD VALIGN=top ALIGN=left>-h</TD>
1046
+<TD VALIGN=top ALIGN=left>set the home phone number</TD>
1047
+<TD VALIGN=top ALIGN=left>-h 222222222</TD>
1049
+<TR><TD VALIGN=top ALIGN=left>-o</TD>
1050
+<TD VALIGN=top ALIGN=left>set other information (in gecos definition)</TD>
1051
+<TD VALIGN=top ALIGN=left>-o "second stage"</TD>
1053
+<TR><TD VALIGN=top ALIGN=left>-s</TD>
1054
+<TD VALIGN=top ALIGN=left>set the default bash</TD>
1055
+<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
1059
+<DIV ALIGN=center>Table 5: Options available to the <TT>smbldap-userinfo</TT> script</DIV><BR>
1061
+ <A NAME="table::modify::self::user"></A>
1062
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
1063
+<!--TOC subsection Group management-->
1065
+<H3><A NAME="htoc19">4.3</A> Group management</H3><!--SEC END -->
1067
+<!--TOC subsubsection Adding a group-->
1069
+<H4><A NAME="htoc20">4.3.1</A> Adding a group</H4><!--SEC END -->
1071
+To add a new group in the LDAP directory, use the <TT>smbldap-groupadd</TT>
1072
+script. Available options are listed in the table
1073
+<A HREF="#table::add::group">6</A>.
1074
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
1075
+ <DIV ALIGN=center>
1076
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
1077
+<TR><TD VALIGN=top ALIGN=left NOWRAP>option</TD>
1078
+<TD VALIGN=top ALIGN=left>definition</TD>
1079
+<TD VALIGN=top ALIGN=left NOWRAP>example</TD>
1081
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-a</TD>
1082
+<TD VALIGN=top ALIGN=left>add automatic group mapping entry</TD>
1083
+<TD VALIGN=top ALIGN=left NOWRAP> </TD>
1085
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-g <TT>gid</TT></TD>
1086
+<TD VALIGN=top ALIGN=left>set the <I>gidNumer</I> for this group to
1088
+<TD VALIGN=top ALIGN=left NOWRAP><TT>-g 1002</TT></TD>
1090
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-o</TD>
1091
+<TD VALIGN=top ALIGN=left>gidNumber is not unique</TD>
1092
+<TD VALIGN=top ALIGN=left NOWRAP> </TD>
1094
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-r <TT>group-rid</TT></TD>
1095
+<TD VALIGN=top ALIGN=left>set the rid of the group to
1096
+ <I>group-rid</I></TD>
1097
+<TD VALIGN=top ALIGN=left NOWRAP><TT>-r 1002</TT></TD>
1099
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-s <TT>group-sid</TT></TD>
1100
+<TD VALIGN=top ALIGN=left>set the sid of the group to
1101
+ <I>group-sid</I></TD>
1102
+<TD VALIGN=top ALIGN=left NOWRAP><TT><FONT SIZE=1>-s
1103
+ S-1-5-21-3703471949-3718591838-2324585696-1002</FONT></TT></TD>
1105
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-t <TT>group-type</TT></TD>
1106
+<TD VALIGN=top ALIGN=left>set the <I>sambaGroupType</I> to
1107
+ <I>group-type</I></TD>
1108
+<TD VALIGN=top ALIGN=left NOWRAP><TT>-t 2</TT></TD>
1110
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-p</TD>
1111
+<TD VALIGN=top ALIGN=left>print the gidNumber to stdout</TD>
1112
+<TD VALIGN=top ALIGN=left NOWRAP> </TD>
1116
+<DIV ALIGN=center>Table 6: Options available for the <TT>smbldap-groupadd</TT> script</DIV><BR>
1118
+ <A NAME="table::add::group"></A>
1119
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
1120
+<!--TOC subsubsection Removing a group-->
1122
+<H4><A NAME="htoc21">4.3.2</A> Removing a group</H4><!--SEC END -->
1124
+To remove the group named <TT>group1</TT>, just use the following
1127
+smbldap-userdel group1
1129
+<!--TOC subsection Adding a interdomain trust account-->
1131
+<H3><A NAME="htoc22">4.4</A> Adding a interdomain trust account</H3><!--SEC END -->
1132
+<A NAME="trust::account"></A>
1133
+To add an interdomain trust account to the primary controller <I>trust-pdc</I>, use the <TT>-i</TT> option of
1134
+<TT>smbldap-useradd</TT> as follows :
1136
+[root@etoile root]# smbldap-useradd -i trust-pdc
1137
+New password : *******
1138
+Retype new password : *******
1140
+The script will terminate asking for a password for this trust
1141
+account. The account will be created in the directory branch where
1142
+all computer accounts are stored (<TT>ou=Computers</TT> by
1143
+default). The only two particularities of this account are that you are
1144
+setting a password for this account, and the flags of this account are
1146
+ <!--TOC section Samba and the smbldap-tools scripts-->
1148
+<H2><A NAME="htoc23">5</A> Samba and the smbldap-tools scripts</H2><!--SEC END -->
1150
+<!--TOC subsection General configuration-->
1152
+<H3><A NAME="htoc24">5.1</A> General configuration</H3><!--SEC END -->
1154
+Samba can be configured to use the <FONT COLOR=purple>smbldap-tools</FONT> scripts. This allows
1155
+administrators to add, delete or modify user and group accounts for <FONT COLOR=purple>Microsoft Windows</FONT>
1156
+operating systems using, for example, User Manager utility under MS-Windows.
1157
+To enable the use of this utility, samba needs to be configured correctly. The
1158
+<TT>smb.conf</TT> configuration file must contain the following directives :
1159
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
1160
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
1162
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1167
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1171
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
1173
+ldap delete dn = Yes
1174
+add user script = /usr/local/sbin/smbldap-useradd -m "%u"
1175
+add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
1176
+add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
1177
+add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
1178
+delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
1179
+set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
1182
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1187
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1193
+Remark: the two directives <TT>delete user script</TT> et <TT>delete group
1194
+script</TT> can also be used. However, an error message can appear in User Manager
1195
+even if the operations actually succeed.
1196
+If you want to enable this behaviour, you need to add
1197
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
1198
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
1200
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1205
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1209
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
1211
+delete user script = /usr/local/sbin/smbldap-userdel "%u"
1212
+delete group script = /usr/local/sbin/smbldap-groupdel "%g"
1215
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1220
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1226
+<!--TOC subsection Migrating an NT4 PDC to Samba3-->
1228
+<H3><A NAME="htoc25">5.2</A> Migrating an NT4 PDC to Samba3</H3><!--SEC END -->
1230
+The account migration procedure becomes really simple when samba is configured to use
1231
+the <FONT COLOR=purple>smbldap-tools</FONT>. Samba configuration (smb.conf file) must contain the
1232
+directive defined above to properly call the script for managing users, groups and computer accounts.
1233
+The migration process is outlined in the chapter 30 of the samba howto
1234
+<A HREF="http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html"><TT>http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html</TT></A>.
1237
+<!--TOC section Frequently Asked Questions-->
1239
+<H2><A NAME="htoc26">6</A> Frequently Asked Questions</H2><!--SEC END -->
1241
+<!--TOC subsection How can i use old released uidNumber and gidNumber ?-->
1243
+<H3><A NAME="htoc27">6.1</A> How can i use old released uidNumber and gidNumber ?</H3><!--SEC END -->
1245
+There are two way to do this :
1247
+modify the <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> and
1248
+ change the <TT>uidNumber</TT> and/or <TT>gidNumber</TT> value. This
1249
+ must be done manually. For example, if you want to use all available
1250
+ uidNumber and gidNumber higher then 1500, you need to create a
1251
+ <TT>update-NextFreeUnixId.ldif</TT> file containing :
1252
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
1253
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
1255
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1260
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1264
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
1265
+<TR><TD><PRE>dn: cn=NextFreeUnixId,dc=idealx,dc=org
1271
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1276
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1282
+and then update the directory :
1284
+ldapmodify -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f update-NextFreeUnixId.ldif
1285
+</PRE><LI>use the <TT>-u</TT> or <TT>-g</TT> option to the script you need to set the value you
1288
+<!--TOC subsection I always have this error: "Can't locate IO/Socket/SSL.pm"-->
1290
+<H3><A NAME="htoc28">6.2</A> I always have this error: "Can't locate IO/Socket/SSL.pm"</H3><!--SEC END -->
1292
+This happens when you want to use a certificate. In this case, you need to install the
1293
+IO-Socket-SSL Perl module.<BR>
1295
+<!--TOC subsection I can't initialize the directory with <TT>smbldap-populate</TT>-->
1297
+<H3><A NAME="htoc29">6.3</A> I can't initialize the directory with <TT>smbldap-populate</TT></H3><!--SEC END -->
1299
+When I want to initialize the directory using the <TT>smbldap-populate</TT>
1302
+[root@slave sbin]# smbldap-populate.pl
1303
+ Using builtin directory structure
1304
+ adding new entry: dc=IDEALX,dc=COM
1305
+ Can't call method "code" without a package or object reference at
1306
+ /usr/local/sbin/smbldap-populate.pl line 270, <GEN1> line 2.
1307
+</PRE>Answer: check the TLS configuration
1309
+if you don't want to use TLS support, set the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file
1313
+</PRE><LI>if you want TLS support, set the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file with
1316
+</PRE>and check that the directory server is configured to accept TLS connections.
1318
+<!--TOC subsection I can't join the domain with the <TT>root</TT> account-->
1320
+<H3><A NAME="htoc30">6.4</A> I can't join the domain with the <TT>root</TT> account</H3><!--SEC END -->
1323
+check that the root account has the sambaSamAccount objectclass
1324
+<LI>check that the directive <TT>add machine script</TT> is present and configured
1326
+<!--TOC subsection I have the <TT>sambaSamAccount</TT> but i can't logged in-->
1328
+<H3><A NAME="htoc31">6.5</A> I have the <TT>sambaSamAccount</TT> but i can't logged in</H3><!--SEC END -->
1330
+Check that the <TT>sambaPwdLastSet</TT> attribute is not null (equal to 0)<BR>
1332
+<!--TOC subsection I want to create machine account on the fly, but it does
1333
+ not works or I must do it twice-->
1335
+<H3><A NAME="htoc32">6.6</A> I want to create machine account on the fly, but it does
1336
+ not works or I must do it twice</H3><!--SEC END -->
1339
+The script defined with the <TT>add machine script</TT> must not add
1340
+the <TT>sambaSAMAccount</TT> objectclass of the machine account. The
1341
+script must only add the Posix machine account. Samba will add the <TT>sambaSAMAccount</TT> when
1342
+joining the domain.
1343
+<LI>Check that the <TT>add <B>machine</B> script</TT> is present in samba
1344
+ configuration file.
1346
+<!--TOC subsection I can't manage the Oracle Internet Database-->
1348
+<H3><A NAME="htoc33">6.7</A> I can't manage the Oracle Internet Database</H3><!--SEC END -->
1350
+If you have an error message like :
1351
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
1352
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
1354
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1359
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1363
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
1365
+Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 187.
1366
+Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 627.
1369
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1374
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1379
+</TR></TABLE>For Oracle Database, all attributes that will be resquested to the directory must be indexed. Add a
1380
+new index for samba attributes and make sure that the following attributes are also indexed :
1381
+ uidNumber, gidNumber, memberUid, homedirectory, description, userPassword ...<BR>
1383
+<!--TOC subsection The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
1384
+called, or i got a error message when changing the password from windows-->
1386
+<H3><A NAME="htoc34">6.8</A> The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
1387
+called, or i got a error message when changing the password from windows</H3><!--SEC END -->
1389
+The directive is called if you also set <TT>unix password sync = Yes</TT>.
1392
+if you use OpenLDAP, none of those two options are needed. You just need <TT>ldap
1393
+passwd sync = Yes</TT>.
1394
+<LI>the script called here must only update the <TT>userPassword</TT> attribute. This is the
1395
+reason of the <TT>-u</TT> option. Samba passwords will be updated by samba itself.
1396
+<LI>the <TT>passwd chat</TT> directive must match what is prompted when using the
1397
+<TT>smbldap-passwd</TT> command
1399
+<!--TOC subsection New computers account can't be set in ou=computers-->
1401
+<H3><A NAME="htoc35">6.9</A> New computers account can't be set in ou=computers</H3><!--SEC END -->
1402
+<A NAME="sec::bug::ou::computer"></A>
1403
+This is a known samba bug. There's a workarround: look at
1404
+<A HREF="http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2"><TT>http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2</TT></A><BR>
1406
+<!--TOC subsection I can join the domain, but i can't log on-->
1408
+<H3><A NAME="htoc36">6.10</A> I can join the domain, but i can't log on</H3><!--SEC END -->
1410
+look at section <A HREF="#sec::bug::ou::computer">6.9</A><BR>
1412
+<!--TOC subsection I can't create a user with <TT>smbldap-useradd</TT>-->
1414
+<H3><A NAME="htoc37">6.11</A> I can't create a user with <TT>smbldap-useradd</TT></H3><!--SEC END -->
1416
+When creating a new user account I get the following error message:
1418
+/usr/local/sbin/smbldap-useradd.pl: unknown group SID not set for unix group 513
1421
+is nss_ldap correctly configured ?
1422
+<LI>is the default group's users mapped to the 'Domain Users' NT group ?
1424
+net groupmap add rid=513 unixgroup="Domain Users" ntgroup="Domain Users"
1426
+<!--TOC subsection smbldap-useradd: Can't call method "get_value" on an undefined value at
1427
+/usr/local/sbin/smbldap-useradd line 154-->
1429
+<H3><A NAME="htoc38">6.12</A> smbldap-useradd: Can't call method "get_value" on an undefined value at
1430
+/usr/local/sbin/smbldap-useradd line 154</H3><!--SEC END -->
1433
+does the default group defined in smbldap.conf exist
1434
+ (defaultUserGid="513") ?
1435
+<LI>does the NT "Domain Users" group mapped to a unix
1436
+ group of rid 513 (see option <I>-r</I> of <TT>smbldap-groupadd</TT> and
1437
+ <TT>smbldap-groupmod</TT> to set a rid) ?
1439
+<!--TOC subsection Typical errors on creating a new user or a new group-->
1441
+<H3><A NAME="htoc39">6.13</A> Typical errors on creating a new user or a new group</H3><!--SEC END -->
1442
+<A NAME="faq::error::add::user"></A>
1444
+i've got the following error:
1446
+Could not find base dn, to get next uidNumber at /usr/local/sbin//smbldap_tools.pm line 909
1447
+</PRE><OL type=1><LI>
1448
+ you do not have created the object to defined the next uidNumber and gidNumber available.
1450
+ for version 0.8.7 : you can just run the <TT>smbldap-populate</TT> script that will
1451
+ update the sambaDomain entry to store those informations
1452
+ <LI>for version before 0.8.7 :
1453
+ You have updated the smbldap-tools to version 0.8.5 or newer.
1454
+ You have to do this manually. Create an file called <TT>add.ldif</TT> and containing
1456
+dn: cn=NextFreeUnixId,dc=idealx,dc=org
1457
+objectClass: inetOrgPerson
1458
+objectClass: sambaUnixIdPool
1463
+</PRE> and then add the object with the ldapadd utility:
1465
+$ ldapadd -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f add.ldif
1466
+</PRE> Here, 1000 is the first available value for uidNumber and gidNumber (of course, if this value is
1467
+ already used by a user or a group, the first available after 1000 will be used).
1470
+<LI>The error also appear when there is a need for TLS (ldapTLS=1 in <TT>smbldap.conf</TT>) and
1471
+something is wrong with certificate naming or path settings.
1474
+<LI>i've got the following error:
1476
+Use of uninitialized value in string at
1477
+/usr/local/sbin//smbldap\_tools.pm line 914.
1478
+Error: No DN specified at /usr/local/sbin//smbldap\_tools.pm line 919
1479
+</PRE>You have not updated the configuration file to defined the object where are sotred the next
1480
+uidNumber and gidNumber available. In our example, you have to add a nex entry in
1481
+<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I> containing :
1483
+# Where to store next uidNumber and gidNumber available
1484
+sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
1485
+</PRE>btw, a new option is now available too: the domain to append to users. You can add to the
1486
+configuration file the following lines:
1488
+# Domain appended to the users "mail"-attribute
1489
+# when smbldap-useradd -M is used mailDomain="idealx.com"
1492
+<LI>i've got the following error:
1494
+Use of uninitialized value in concatenation (.) or string at /usr/local/sbin/smbldap-useradd line 183.
1495
+Use of uninitialized value in substitution (s///) at /usr/local/sbin/smbldap-useradd line 185.
1496
+Use of uninitialized value in string at /usr/local/sbin/smbldap-useradd line 264.
1497
+failed to add entry: homedirectory: value #0 invalid per syntax at /usr/local/sbin/smbldap-useradd line 280.
1498
+userHomeDirectory=User "jto" already member of the group "513".
1499
+failed to add entry: No such object at /usr/local/sbin/smbldap-useradd line 382.
1500
+</PRE>you have to change the variable name <TT>userHomePrefix</TT> to <TT>userHome</TT> in
1501
+<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I><BR>
1503
+<LI>i've got the following error:
1505
+failed to add entry: referral missing at /usr/local/sbin/smbldap-useradd line 279, <DATA> line 283.
1506
+</PRE>you have to update the configuration file that defined users, groups and computers dn. Those
1507
+parameters must not be relative to the <TT>suffix</TT> parameter. A typical
1508
+configuration look like this :
1510
+usersdn="ou=Users,${suffix}"
1511
+computersdn="ou=Computers,${suffix}"
1512
+groupsdn="ou=Groups,${suffix}"
1515
+<LI>i've got the following error:
1517
+erreur LDAP: Can't contact master ldap server (IO::Socket::INET: Bad protocol 'tcp')
1518
+at /usr/local/sbin//smbldap_tools.pm line 153.
1519
+</PRE>remove <I>ldap</I> from <I>/etc/nsswitch.conf</I> for <I>services</I> list of possible check. For
1520
+example, if your ldap directory is not configured to give services information, you must have
1525
+services: ldap [NOTFOUND=return] files
1529
+<!--TOC section Thanks-->
1531
+<H2><A NAME="htoc40">7</A> Thanks</H2><!--SEC END -->
1533
+<A NAME="thanks"></A>
1534
+People who have worked on this document are
1536
+J�r�me Tournier <jerome.tournier@IDEALX.com>
1537
+<LI>David Barth <david.barth@IDEALX.com>
1538
+<LI>Nat Makarevitch <nat@IDEALX.com>
1540
+The authors would like to thank the following people for providing help with
1541
+some of the more complicated subjects, for clarifying some of the internal
1542
+workings of <FONT COLOR=purple>Samba</FONT> or <FONT COLOR=purple>OpenLDAP</FONT>, for pointing out errors or mistakes in
1543
+previous versions of this document, or generally for making
1548
+ Rom�o Adekambi <romeo.adekambi@IDEALX.com>
1549
+ <LI>Aurelien Degremont <adegremont@IDEALX.com>
1550
+ <LI>Renaud Renard <rrenard@IDEALX.com>
1552
+<LI>John H Terpstra <jht@samba.org>
1554
+ <!--TOC section Annexes-->
1556
+<H2><A NAME="htoc41">8</A> Annexes</H2><!--SEC END -->
1558
+<!--TOC subsection Full configuration files-->
1560
+<H3><A NAME="htoc42">8.1</A> Full configuration files</H3><!--SEC END -->
1561
+<A NAME="configuration::files"></A>
1562
+<!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file-->
1564
+<H4><A NAME="htoc43">8.1.1</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</H4><!--SEC END -->
1565
+<A NAME="configuration::file::smbldap"></A>
1566
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
1567
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
1569
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1574
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1578
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
1579
+<TR><TD><PRE># $Source: $
1580
+# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
1582
+# smbldap-tools.conf : Q & D configuration file for smbldap-tools
1584
+# This code was developped by IDEALX (http://IDEALX.org/) and
1585
+# contributors (their names can be found in the CONTRIBUTORS file).
1587
+# Copyright (C) 2001-2002 IDEALX
1589
+# This program is free software; you can redistribute it and/or
1590
+# modify it under the terms of the GNU General Public License
1591
+# as published by the Free Software Foundation; either version 2
1592
+# of the License, or (at your option) any later version.
1594
+# This program is distributed in the hope that it will be useful,
1595
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
1596
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1597
+# GNU General Public License for more details.
1599
+# You should have received a copy of the GNU General Public License
1600
+# along with this program; if not, write to the Free Software
1601
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
1605
+# . be the configuration file for all smbldap-tools scripts
1607
+##############################################################################
1609
+# General Configuration
1611
+##############################################################################
1613
+# Put your own SID. To obtain this number do: "net getlocalsid".
1614
+# If not defined, parameter is taking from "net getlocalsid" return
1615
+SID="S-1-5-21-2252255531-4061614174-2474224977"
1617
+# Domain name the Samba server is in charged.
1618
+# If not defined, parameter is taking from smb.conf configuration file
1619
+# Ex: sambaDomain="IDEALX-NT"
1620
+sambaDomain="DOMSMB"
1622
+##############################################################################
1624
+# LDAP Configuration
1626
+##############################################################################
1628
+# Notes: to use to dual ldap servers backend for Samba, you must patch
1629
+# Samba with the dual-head patch from IDEALX. If not using this patch
1630
+# just use the same server for slaveLDAP and masterLDAP.
1631
+# Those two servers declarations can also be used when you have
1632
+# . one master LDAP server where all writing operations must be done
1633
+# . one slave LDAP server where all reading operations must be done
1634
+# (typically a replication directory)
1636
+# Slave LDAP server
1637
+# Ex: slaveLDAP=127.0.0.1
1638
+# If not defined, parameter is set to "127.0.0.1"
1639
+slaveLDAP="127.0.0.1"
1642
+# If not defined, parameter is set to "389"
1645
+# Master LDAP server: needed for write operations
1646
+# Ex: masterLDAP=127.0.0.1
1647
+# If not defined, parameter is set to "127.0.0.1"
1648
+masterLDAP="127.0.0.1"
1651
+# If not defined, parameter is set to "389"
1655
+# If set to 1, this option will use start_tls for connection
1656
+# (you should also used the port 389)
1657
+# If not defined, parameter is set to "1"
1660
+# How to verify the server's certificate (none, optional or require)
1661
+# see "man Net::LDAP" in start_tls section for more details
1665
+# see "man Net::LDAP" in start_tls section for more details
1666
+cafile="/etc/smbldap-tools/ca.pem"
1668
+# certificate to use to connect to the ldap server
1669
+# see "man Net::LDAP" in start_tls section for more details
1670
+clientcert="/etc/smbldap-tools/smbldap-tools.pem"
1672
+# key certificate to use to connect to the ldap server
1673
+# see "man Net::LDAP" in start_tls section for more details
1674
+clientkey="/etc/smbldap-tools/smbldap-tools.key"
1677
+# Ex: suffix=dc=IDEALX,dc=ORG
1678
+suffix="dc=company,dc=com"
1680
+# Where are stored Users
1681
+# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
1682
+# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
1683
+usersdn="ou=Users,${suffix}"
1685
+# Where are stored Computers
1686
+# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
1687
+# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
1688
+computersdn="ou=Computers,${suffix}"
1690
+# Where are stored Groups
1691
+# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
1692
+# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
1693
+groupsdn="ou=Groups,${suffix}"
1695
+# Where are stored Idmap entries (used if samba is a domain member server)
1696
+# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
1697
+# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
1698
+idmapdn="ou=Idmap,${suffix}"
1700
+# Where to store next uidNumber and gidNumber available for new users and groups
1701
+# If not defined, entries are stored in sambaDomainName object.
1702
+# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
1703
+# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
1704
+sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
1706
+# Default scope Used
1709
+# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
1710
+hash_encrypt="SSHA"
1712
+# if hash_encrypt is set to CRYPT, you may set a salt format.
1713
+# default is "%s", but many systems will generate MD5 hashed
1714
+# passwords if you use "$1$%.8s". This parameter is optional!
1715
+crypt_salt_format="%s"
1717
+##############################################################################
1719
+# Unix Accounts Configuration
1721
+##############################################################################
1724
+# Default Login Shell
1725
+# Ex: userLoginShell="/bin/bash"
1726
+userLoginShell="/bin/bash"
1729
+# Ex: userHome="/home/%U"
1730
+userHome="/home/%U"
1732
+# Default mode used for user homeDirectory
1733
+userHomeDirectoryMode="700"
1736
+userGecos="System User"
1738
+# Default User (POSIX and Samba) GID
1739
+defaultUserGid="513"
1741
+# Default Computer (Samba) GID
1742
+defaultComputerGid="515"
1745
+skeletonDir="/etc/skel"
1747
+# Default password validation time (time in days) Comment the next line if
1748
+# you don't want password to be enable for defaultMaxPasswordAge days (be
1749
+# careful to the sambaPwdMustChange attribute's value)
1750
+defaultMaxPasswordAge="45"
1752
+##############################################################################
1754
+# SAMBA Configuration
1756
+##############################################################################
1758
+# The UNC path to home drives location (%U username substitution)
1759
+# Just set it to a null string if you want to use the smb.conf 'logon home'
1760
+# directive and/or disable roaming profiles
1761
+# Ex: userSmbHome="\\PDC-SMB3\%U"
1762
+userSmbHome="\\PDC-SRV\%U"
1764
+# The UNC path to profiles locations (%U username substitution)
1765
+# Just set it to a null string if you want to use the smb.conf 'logon path'
1766
+# directive and/or disable roaming profiles
1767
+# Ex: userProfile="\\PDC-SMB3\profiles\%U"
1768
+userProfile="\\PDC-SRV\profiles\%U"
1770
+# The default Home Drive Letter mapping
1771
+# (will be automatically mapped at logon time if home directory exist)
1772
+# Ex: userHomeDrive="H:"
1775
+# The default user netlogon script name (%U username substitution)
1776
+# if not used, will be automatically username.cmd
1777
+# make sure script file is edited under dos
1778
+# Ex: userScript="startup.cmd" # make sure script file is edited under dos
1779
+userScript="logon.bat"
1781
+# Domain appended to the users "mail"-attribute
1782
+# when smbldap-useradd -M is used
1783
+# Ex: mailDomain="idealx.com"
1784
+mailDomain="idealx.com"
1786
+##############################################################################
1788
+# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
1790
+##############################################################################
1792
+# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
1793
+# prefer Crypt::SmbHash library
1795
+smbpasswd="/usr/bin/smbpasswd"
1797
+# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
1798
+# but prefer Crypt:: libraries
1799
+with_slappasswd="0"
1800
+slappasswd="/usr/sbin/slappasswd"
1802
+# comment out the following line to get rid of the default banner
1807
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1812
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1818
+<!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file-->
1820
+<H4><A NAME="htoc44">8.1.2</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</H4><!--SEC END -->
1821
+<A NAME="configuration::file::smbldap::bind"></A>
1822
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
1823
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
1825
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1830
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1834
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
1835
+<TR><TD><PRE>############################
1836
+# Credential Configuration #
1837
+############################
1838
+# Notes: you can specify two differents configuration if you use a
1839
+# master ldap for writing access and a slave ldap server for reading access
1840
+# By default, we will use the same DN (so it will work for standard Samba
1842
+slaveDN="cn=Manager,dc=company,dc=com"
1844
+masterDN="cn=Manager,dc=company,dc=com"
1849
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1854
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1860
+<!--TOC subsubsection The samba configuration file : <TT>/etc/samba/smb.conf</TT> -->
1862
+<H4><A NAME="htoc45">8.1.3</A> The samba configuration file : <TT>/etc/samba/smb.conf</TT> </H4><!--SEC END -->
1864
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
1865
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
1867
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1872
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
1876
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
1877
+<TR><TD><PRE># Global parameters
1879
+ workgroup = DOMSMB
1880
+ netbios name = PDC-SRV
1882
+ enable privileges = yes
1883
+ #interfaces = 192.168.5.11
1884
+ #username map = /etc/samba/smbusers
1885
+ server string = Samba Server %v
1887
+ encrypt passwords = Yes
1888
+ min passwd length = 3
1889
+ #pam password change = no
1890
+ #obey pam restrictions = No
1893
+ #unix password sync = no
1894
+ #ldap passwd sync = yes
1897
+ unix password sync = yes
1898
+ ldap passwd sync = no
1899
+ passwd program = /usr/sbin/smbldap-passwd -u "%u"
1900
+ passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
1904
+ log file = /var/log/samba/log.%U
1905
+ max log size = 100000
1907
+ socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
1908
+ mangling method = hash2
1910
+ Unix charset = ISO8859-1
1912
+ logon script = logon.bat
1917
+ domain logons = Yes
1918
+ domain master = Yes
1920
+ preferred master = Yes
1921
+ wins support = yes
1922
+ passdb backend = ldapsam:ldap://127.0.0.1/
1923
+ ldap admin dn = cn=Manager,dc=company,dc=com
1924
+ #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
1925
+ ldap suffix = dc=company,dc=com
1926
+ ldap group suffix = ou=Groups
1927
+ ldap user suffix = ou=Users
1928
+ ldap machine suffix = ou=Computers
1929
+ #ldap idmap suffix = ou=Idmap
1930
+ add user script = /usr/sbin/smbldap-useradd -m "%u"
1931
+ #ldap delete dn = Yes
1932
+ delete user script = /usr/sbin/smbldap-userdel "%u"
1933
+ add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
1934
+ add group script = /usr/sbin/smbldap-groupadd -p "%g"
1935
+ #delete group script = /usr/sbin/smbldap-groupdel "%g"
1936
+ add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
1937
+ delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
1938
+ set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
1940
+ # printers configuration
1941
+ #printer admin = @"Print Operators"
1942
+ load printers = Yes
1943
+ create mask = 0640
1944
+ directory mask = 0750
1945
+ #force create mode = 0640
1946
+ #force directory mode = 0750
1947
+ nt acl support = No
1949
+ printcap name = cups
1951
+ guest account = nobody
1952
+ map to guest = Bad User
1953
+ dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
1954
+ show add printer wizard = yes
1955
+ ; to maintain capital letters in shortcuts in any of the profile folders:
1956
+ preserve case = yes
1957
+ short preserve case = yes
1958
+ case sensitive = no
1961
+ path = /home/netlogon/
1966
+ path = /home/profiles
1968
+ create mask = 0600
1969
+ directory mask = 0700
1972
+ profile acls = yes
1973
+ csc policy = disable
1974
+ # next line is a great way to secure the profiles
1976
+ # next line allows administrator to access all profiles
1977
+ #valid users = %U "Domain Admins"
1980
+ comment = Network Printers
1981
+ #printer admin = @"Print Operators"
1984
+ path = /home/spool/
1988
+ print command = /usr/bin/lpr -P%p -r %s
1989
+ lpq command = /usr/bin/lpq -P%p
1990
+ lprm command = /usr/bin/lprm -P%p %j
1991
+ # print command = /usr/bin/lpr -U%U@%M -P%p -r %s
1992
+ # lpq command = /usr/bin/lpq -U%U@%M -P%p
1993
+ # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
1994
+ # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
1995
+ # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
1996
+ # queuepause command = /usr/sbin/lpc -U%U@%M stop %p
1997
+ # queueresume command = /usr/sbin/lpc -U%U@%M start %p
2000
+ path = /home/printers
2004
+ valid users = @"Print Operators"
2005
+ write list = @"Print Operators"
2006
+ create mask = 0664
2007
+ directory mask = 0775
2016
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2021
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2027
+<!--TOC subsubsection The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT>-->
2029
+<H4><A NAME="htoc46">8.1.4</A> The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></H4><!--SEC END -->
2031
+<TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
2032
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
2034
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2039
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2043
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
2045
+# See slapd.conf(5) for details on configuration options.
2046
+# This file should NOT be world readable.
2048
+include /etc/openldap/schema/core.schema
2049
+include /etc/openldap/schema/cosine.schema
2050
+include /etc/openldap/schema/inetorgperson.schema
2051
+include /etc/openldap/schema/nis.schema
2052
+include /etc/openldap/schema/samba.schema
2056
+# Allow LDAPv2 client connections. This is NOT the default.
2059
+# Do not enable referrals until AFTER you have a working directory
2060
+# service AND an understanding of referrals.
2061
+#referral ldap://root.openldap.org
2063
+pidfile /var/run/slapd.pid
2064
+argsfile /var/run/slapd.args
2066
+# Load dynamic backend modules:
2067
+# modulepath /usr/sbin/openldap
2068
+# moduleload back_bdb.la
2069
+# moduleload back_ldap.la
2070
+# moduleload back_ldbm.la
2071
+# moduleload back_passwd.la
2072
+# moduleload back_shell.la
2074
+# The next three lines allow use of TLS for encrypting connections using a
2075
+# dummy test certificate which you can generate by changing to
2076
+# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
2077
+# slapd.pem so that the ldap user or group can read it. Your client software
2078
+# may balk at self-signed certificates, however.
2079
+#TLSCertificateFile /etc/openldap/ldap.company.com.pem
2080
+#TLSCertificateKeyFile /etc/openldap/ldap.company.com.key
2081
+#TLSCACertificateFile /etc/openldap/ca.pem
2082
+#TLSCipherSuite :SSLv3
2084
+# Sample security restrictions
2085
+# Require integrity protection (prevent hijacking)
2086
+# Require 112-bit (3DES or better) encryption for updates
2087
+# Require 63-bit encryption for simple bind
2088
+# security ssf=1 update_ssf=112 simple_bind=64
2090
+# Sample access control policy:
2091
+# Root DSE: allow anyone to read it
2092
+# Subschema (sub)entry DSE: allow anyone to read it
2094
+# Allow self write access
2095
+# Allow authenticated users read access
2096
+# Allow anonymous users to authenticate
2097
+# Directives needed to implement policy:
2098
+# access to dn.base="" by * read
2099
+# access to dn.base="cn=Subschema" by * read
2103
+# by anonymous auth
2105
+# if no access controls are present, the default policy
2106
+# allows anyone and everyone to read anything but restricts
2107
+# updates to rootdn. (e.g., "access to * by * read")
2109
+# rootdn can always read and write EVERYTHING!
2111
+#######################################################################
2112
+# ldbm and/or bdb database definitions
2113
+#######################################################################
2116
+suffix "dc=company,dc=com"
2117
+rootdn "cn=Manager,dc=company,dc=com"
2118
+# Cleartext passwords, especially for the rootdn, should
2119
+# be avoided. See slappasswd(8) and slapd.conf(5) for details.
2120
+# Use of strong authentication encouraged.
2122
+# rootpw {crypt}ijFYNcSNctBYg
2124
+# The database directory MUST exist prior to running slapd AND
2125
+# should only be accessible by the slapd and slap tools.
2126
+# Mode 700 recommended.
2127
+directory /var/lib/ldap
2130
+# Indices to maintain for this database
2131
+index objectClass eq,pres
2132
+index ou,cn,sn,mail,givenname eq,pres,sub
2133
+index uidNumber,gidNumber,memberUid eq,pres
2134
+index loginShell eq,pres
2135
+## required to support pdb_getsampwnam
2136
+index uid pres,sub,eq
2137
+## required to support pdb_getsambapwrid()
2138
+index displayName pres,sub,eq
2139
+index nisMapName,nisMapEntry eq,pres,sub
2140
+index sambaSID eq,sub
2141
+index sambaPrimaryGroupSID eq
2142
+index sambaDomainName eq
2146
+# users can authenticate and change their password
2147
+access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
2148
+ by dn="cn=Manager,dc=company,dc=com" write
2153
+# those 2 parameters must be world readable for password aging to work correctly
2154
+# (or use a priviledge account in /etc/ldap.conf to bind to the directory)
2155
+access to attrs=shadowLastChange,shadowMax
2156
+ by dn="cn=Manager,dc=company,dc=com" write
2161
+# all others attributes are readable to everybody
2165
+# Replicas of this database
2166
+#replogfile /var/lib/ldap/openldap-master-replog
2167
+#replica host=ldap-1.example.com:389 starttls=critical
2168
+# bindmethod=sasl saslmech=GSSAPI
2169
+# authcId=host/ldap-master.example.com@EXAMPLE.COM
2172
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2177
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2183
+<!--TOC subsection Changing the administrative account (<TT>ldap admin
2184
+ dn</TT> in <TT>smb.conf</TT> file)-->
2186
+<H3><A NAME="htoc47">8.2</A> Changing the administrative account (<TT>ldap admin
2187
+ dn</TT> in <TT>smb.conf</TT> file)</H3><!--SEC END -->
2188
+<A NAME="change::manager"></A>
2189
+If you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
2190
+account anymore, you can create a dedicated account for Samba and the
2191
+smbldap-tools scripts. To do
2192
+this, create an account named <I>samba</I> as follows (see
2193
+section <A HREF="#add::user">4.2.1</A> for a more detailed syntax) :
2195
+smbldap-useradd -s /bin/false -d /dev/null -P samba
2196
+</PRE>This command will ask you to set a password for this account. Let's
2197
+set it to <I>samba</I> for this example.
2198
+You then need to modify configuration files:
2200
+file <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT>
2201
+ <TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
2202
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
2204
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2209
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2213
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
2215
+ slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
2217
+ masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
2221
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2226
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2231
+</TR></TABLE><LI>file <TT>/etc/samba/smb.conf</TT>
2232
+ <TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
2233
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
2235
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2240
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2244
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
2246
+ ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
2249
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2254
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2259
+</TR></TABLE>don't forget to also set the samba account password in
2260
+ <TT>secrets.tdb</TT> file :
2263
+</PRE><LI>file <TT>/etc/openldap/slapd.conf</TT>: give to the
2264
+ <I>samba</I> user permissions to modify some attributes: this
2265
+ user needs to be able to modify all the samba attributes and some
2266
+ others (uidNumber, gidNumber ...) :
2267
+ <TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0>
2268
+<TR><TD><TABLE BORDER=0 CELLPADDING=0
2270
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2275
+<TR><TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2279
+<TD><TABLE BORDER=0 CELLPADDING="1" CELLSPACING=0>
2281
+# users can authenticate and change their password
2282
+access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
2283
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2287
+# some attributes need to be readable anonymously so that 'id user' can answer correctly
2288
+access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
2289
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2291
+# somme attributes can be writable by users themselves
2292
+access to attrs=description,telephoneNumber
2293
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2296
+# some attributes need to be writable for samba
2297
+access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
2298
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2301
+# samba need to be able to create the samba domain account
2302
+access to dn.base="dc=idealx,dc=com"
2303
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2305
+# samba need to be able to create new users account
2306
+access to dn="ou=Users,dc=idealx,dc=com"
2307
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2309
+# samba need to be able to create new groups account
2310
+access to dn="ou=Groups,dc=idealx,dc=com"
2311
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2313
+# samba need to be able to create new computers account
2314
+access to dn="ou=Computers,dc=idealx,dc=com"
2315
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
2317
+# this can be omitted but we leave it: there could be other branch
2324
+<TD BGCOLOR=black COLSPAN="1"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2329
+<TR><TD BGCOLOR=black COLSPAN="3"><TABLE CELLSPACING="1" CELLPADDING=0 BORDER=0>
2335
+<!--TOC subsection known bugs-->
2337
+<H3><A NAME="htoc48">8.3</A> known bugs</H3><!--SEC END -->
2340
+Option <I>-B</I> (user must change password) of
2341
+ <TT>smbldap-useradd</TT> does not have effect: when
2342
+ <TT>smbldap-passwd</TT> script is called,
2343
+ <I>sambaPwdMustChange</I> attribute is rewrite.
2346
+<!--BEGIN NOTES document-->
2347
+<HR WIDTH="50%" SIZE=1><DL><DT><A NAME="note1" HREF="#text1"><FONT SIZE=5>1</FONT></A><DD><A HREF="http://IDEALX.com/"><TT>http://IDEALX.com/</TT></A>
2353
+<DIV class="piedpage">
2355
+<P>Documents : Copyright � 2002 IDEALX S.A.S..
2356
+'IDEALX' is the property of IDEALX.
2357
+'Samba' is the property of Samba Team. All other trademarks belong to their respective owners.
2363
+<BLOCKQUOTE><EM>This document was translated from L<sup>A</sup>T<sub>E</sub>X by
2364
+</EM><A HREF="http://pauillac.inria.fr/~maranget/hevea/index.html"><EM>H<FONT SIZE=2><sup>E</sup></FONT>V<FONT SIZE=2><sup>E</sup></FONT>A</EM></A><EM>.
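Review bot: the sample smb.conf in section 8.1.3 has an unbalanced quote in `passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"`; the trailing `"` after the final `%n\n` has no opening partner, so the expect/send pairs will not tokenize as intended, and since the same sample sets `unix password sync = yes` with `passwd program = /usr/sbin/smbldap-passwd -u "%u"`, readers who copy it will get a broken Unix password sync path. Suggest dropping the stray trailing quote or quoting every send token consistently. Two smaller points in the same hunk: `min passwd length = 3` appears in a PDC sample with no comment, and should either be raised or be marked as an example-only value; and the smbldap.conf sample defaults start_tls to on (`# If not defined, parameter is set to "1"`) with `cafile="/etc/smbldap-tools/ca.pem"`, while the slapd.conf sample in 8.1.4 ships every `TLSCertificateFile`/`TLSCACertificateFile` directive commented out, so the text should state that the slapd TLS directives must be enabled together with the smbldap-tools TLS settings (and `#TLSCipherSuite :SSLv3` should not be offered as the example cipher suite).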