# This code was developed by Jerome Tournier (jtournier@gmail.com) and
# contributors (their names can be found in the CONTRIBUTORS file).
# This was first contributed by IDEALX (http://www.opentrust.com/)
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Purpose of smbldap-groupmod : group (posix) modification
# Parse the command line into %Options; option letters followed by ':' take a value.
my $ok = getopts('ag:n:m:or:s:t:x:?', \%Options);
36
# Show usage on a parse error, when no group name was given, or on -?.
# (The exit that follows the usage text is on lines not shown here.)
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
38
print "Usage: $0 [-a] [-g gid] [-n name] [-m members(,)] [-o] [-r rid] [-s sid] [-t type] [-x members (,)] groupname\n";
39
print " -a add automatic group mapping entry\n";
40
print " -g new gid\n";
41
print " -n new group name\n";
42
print " -m add members (comma delimited)\n";
43
print " -o gid is not unique\n";
44
print " -r group-rid\n";
45
print " -s group-sid\n";
46
print " -t group-type\n";
47
print " -x delete members (comma delimted)\n";
48
print " -? show this help message\n";
52
# The group to modify is the first positional argument; it is interpolated
# into DNs further down, see the escaping notes there.
my $groupName = $ARGV[0];
55
# connect_ldap_master presumably returns the handle of the writable server;
# every modify/moddn below goes through it.
my $ldap_master=connect_ldap_master();
57
# Abort when the group is not in the directory. (The exit that should follow
# the message is on lines not shown here.)
if (! ($group_entry = read_group_entry($groupName))) {
58
print "$0: group $groupName doesn't exist\n";
62
# Presumably invalidates the name-service cache for groups; it is called
# again after all changes at the end of the script.
nsc_invalidate("group");
64
my $gid=$group_entry->get_value('gidNumber');
66
# An entry without gidNumber is treated as a missing group.
unless (defined ($gid)) {
67
print "$0: group $groupName not found!\n";
72
# -g: change the numeric gid. $tmp is reused as a scratch variable by the
# -g, -s, -r and -t blocks.
# NOTE(review): /\d+/ is unanchored, so a value such as "12abc" passes this
# check and is written to gidNumber unchanged. The -r block below anchors its
# pattern (/^\d+$/); the same anchoring is needed here.
if (defined($tmp = $Options{'g'}) and $tmp =~ /\d+/) {
73
# Unless -o was given, the new gid must not already be in use.
if (!defined($Options{'o'})) {
74
# getgrgid consults the system group database; whether that includes this
# directory depends on the host's NSS configuration.
if (defined(getgrgid($tmp))) {
75
print "$0: gid $tmp exists\n";
79
# Only issue the modify when the gid actually changes.
if (!($gid == $tmp)) {
80
# NOTE(review): the DN is built by string interpolation. A group name
# containing RDN-special characters (',', '+', '"', '\', ...) yields a
# different or malformed DN; escaping per RFC 4514, or rejecting such
# names, would make this robust.
my $modify = $ldap_master->modify ( "cn=$groupName,$config{groupsdn}",
82
replace => [gidNumber => $tmp]
85
# A failed gid change is fatal, unlike the member changes below which only warn.
$modify->code && die "failed to modify entry: ", $modify->error ;
89
# -n: rename the group by replacing its RDN under the same parent.
if (defined(my $newname = $Options{'n'})) {
90
my $modify = $ldap_master->moddn (
91
"cn=$groupName,$config{groupsdn}",
92
# NOTE(review): $newname is interpolated into the RDN unescaped; the same
# RFC 4514 escaping caveat as for $groupName applies.
newrdn => "cn=$newname",
94
newsuperior => "$config{groupsdn}"
96
$modify->code && die "failed to modify entry: ", $modify->error ;
97
# From here on refer to the group by its new name and re-read the entry so
# the later steps use the new DN.
$groupName = $newname;
98
$group_entry = read_group_entry($groupName)
102
# -m: add members. Each name is resolved to a uid, first through the
# directory and then through the system user database (getpwnam).
if (defined($Options{'m'})) {
104
# Assumes @members starts empty for this block -- TODO confirm its
# declaration on the lines not shown here.
foreach my $member (split(/,/, $Options{'m'})) {
105
if (my $user_entry = read_user_entry($member)) {
107
# Canonicalise to the uid value stored in the directory.
$member = $user_entry->get_value('uid');
108
} elsif (my @user_entry = getpwnam($member)) {
110
# getpwnam in list context returns the account name first.
$member = $user_entry[0];
112
# Unknown users are reported; the skip (`next`) is presumably on a line
# not shown here.
warn "User does not exist: $member\n";
116
# Do not add a uid that is already listed in memberUid.
if (is_group_member($group_entry->dn, $member)) {
117
warn "User already in the group: $member\n";
121
push(@members, $member);
125
# A single modify adds all resolved members at once.
my $modify = $ldap_master->modify($group_entry->dn,
126
add => {memberUid => \@members},
128
$modify->code && warn "Failed to add memberUid: ", $modify->error;
133
# -x: remove members. Same resolution as -m, plus a guard meant to keep a
# user in its primary group.
if (defined($Options{'x'})) {
135
foreach my $member (split(/,/, $Options{'x'})) {
136
if (my $user_entry = read_user_entry($member)) {
138
$member = $user_entry->get_value('uid');
140
# NOTE(review): this reads sambaPrimaryGroupSID from $group_entry, not from
# the $user_entry fetched just above. Unless the group entry itself carries
# that attribute the guard below never fires and a user can be removed from
# its primary group; the intended source is most likely
# $user_entry->get_value('sambaPrimaryGroupSID').
my $user_pgroup_sid = $group_entry->get_value('sambaPrimaryGroupSID');
141
my $group_sid = $group_entry->get_value('sambaSID');
142
if (defined($user_pgroup_sid) && defined($group_sid) &&
143
$user_pgroup_sid eq $group_sid) {
144
warn "Cannot delete user from its primary group: $member\n";
147
# Users not in the directory are still accepted if the system knows them.
} elsif (my @user_entry = getpwnam($member)) {
149
$member = $user_entry[0];
152
# Nothing to delete when the uid is not listed in memberUid.
if (!is_group_member($group_entry->dn, $member)) {
153
warn "User is not in the group: $member\n";
157
push(@members, $member);
161
my $modify = $ldap_master->modify($group_entry->dn,
162
delete => {memberUid => \@members},
164
$modify->code && warn "Failed to delete memberUid: ", $modify->error;
169
# -s: explicit group SID, which must look like S-<n>-<n>-...-<n>.
# (The error printed on the non-matching path says "group-rid" for a -s value.)
if ($tmp= $Options{'s'}) {
170
if ($tmp =~ /^S-(?:\d+-)+\d+$/) {
173
print "$0: illegal group-rid $tmp\n";
176
# -r / -a: derive the SID from the domain SID and a rid.
} elsif ($Options{'r'} || $Options{'a'}) {
178
# -r: explicit rid, must be all digits (anchored, unlike the -g check).
if ($tmp= $Options{'r'}) {
179
if ($tmp =~ /^\d+$/) {
182
print "$0: illegal group-rid $tmp\n";
186
# -a: rid derived from the gid by group_next_rid.
$group_rid = group_next_rid($gid);
188
$group_sid = $config{SID}.'-'.$group_rid;
194
# Samba attributes are collected in @mods and applied by one replace below.
push(@mods, 'sambaSID' => $group_sid);
196
# -t: map the group type name to its numeric sambaGroupType value.
if ($tmp= $Options{'t'}) {
198
# (Called with & here but without it for the 'domain' default below; the
# plain group_type_by_name(...) call form is the one to keep.)
if (defined($group_type = &group_type_by_name($tmp))) {
199
push(@mods, 'sambaGroupType' => $group_type);
201
print "$0: unknown group type $tmp\n";
205
# Default to the 'domain' type when the entry has no sambaGroupType yet.
if (! defined($group_entry->get_value('sambaGroupType'))) {
206
push(@mods, 'sambaGroupType' => group_type_by_name('domain'));
210
# Ensure the entry carries the sambaGroupMapping objectClass (case-insensitive check).
my @oc = $group_entry->get_value('objectClass');
211
unless (grep($_ =~ /^sambaGroupMapping$/i, @oc)) {
212
# @adds is presumably passed as an 'add' operation in the modify below
# (lines not shown here) -- TODO confirm.
push (@adds, 'objectClass' => 'sambaGroupMapping');
215
# Apply the collected Samba attribute changes. The DN escaping note at the
# gid change above applies here as well.
my $modify = $ldap_master->modify ( "cn=$groupName,$config{groupsdn}",
218
'replace' => [ @mods ]
221
# The message says "delete" although this operation is a replace.
$modify->code && warn "failed to delete entry: ", $modify->error ;
224
# Presumably invalidates the name-service group cache so the changes are visible at once.
nsc_invalidate("group");
227
$ldap_master->unbind;
############################################################
smbldap-groupmod - Modify a group
smbldap-groupmod [-g gid [-o]] [-a] [-r rid] [-s sid] [-t group type] [-n group_name ] [-m members(,)] [-x members (,)] group
The smbldap-groupmod command modifies the system account files to reflect the changes that are specified on the command line. The options which apply to the smbldap-groupmod command are
-g gid The numerical value of the group's ID. This value must be unique, unless the -o option is used. The value must be non-negative. Any files for which the old group ID is the file group ID must have the file group ID changed manually.
The name of the group will be changed from group to group_name.
The members to be added to the group in comma-delimited form.
The members to be removed from the group in comma-delimited form.
add an automatic Security ID for the group (SID).
The SID must be unique and defined with the domain Security ID ($SID) like sid=$SID-rid where rid is the group rid.
The SID is then calculated as sid=$SID-rid where $SID is the domain Security ID.
set the NT Group type for the new group. Available values are 2 (domain group), 4 (local group) and 5 (builtin group). The default group type is 2.
smbldap-groupmod -g 253 development
This will change the GID of the 'development' group to '253'.
smbldap-groupmod -n Idiots Managers
This will change the name of the 'Managers' group to 'Idiots'.
smbldap-groupmod -m "jdoe,jsmith" "Domain Admins"
This will add 'jdoe' and 'jsmith' to the 'Domain Admins' group.
smbldap-groupmod -x "jdoe,jsmith" "Domain Admins"
This will remove 'jdoe' and 'jsmith' from the 'Domain Admins' group.