debian/0000775000000000000000000000000012060344313007164 5ustar debian/rules0000775000000000000000000000022112060344277010250 0ustar #!/usr/bin/make -f # -*- mode: makefile; coding: utf-8 -*- # Copyright © 2009-2011 Sergio Talens-Oliag %: dh --with quilt $@ debian/dirs0000664000000000000000000000002312060344277010054 0ustar /etc/smbldap-tools debian/README.source0000664000000000000000000000022712060344277011355 0ustar This package uses quilt to manage all modifications to the upstream source, see /usr/share/doc/quilt/README.source for an explanation of how it works. debian/control0000664000000000000000000000151612060344277010603 0ustar Source: smbldap-tools Section: admin Priority: extra Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Sergio Talens-Oliag Build-Depends: debhelper (>= 7.0.50~), quilt Build-Depends-Indep: perl Standards-Version: 3.9.3.0 Package: smbldap-tools Architecture: all Depends: ${misc:Depends}, ${perl:Depends}, libnet-ldap-perl, libio-socket-ssl-perl, libcrypt-smbhash-perl, libunicode-maputf8-perl Description: Scripts to manage Unix and Samba accounts stored on LDAP Set of scripts to manage data relative to users and groups stored in an LDAP server. The tools manage POSIX, shadow and Samba (3.0 series) accounts and groups. . This package is used to add/del/mod users and groups in the Linux Samba-OpenLDAP Howto debian/copyright0000664000000000000000000000257112060344277011135 0ustar This package was debianized by Sergio Talens-Oliag It was downloaded from http://download.gna.org/smbldap-tools/packages/ Upstream Authors: Jérôme Tournier , Terry Davis , David Le Corfec , Olivier Lemaire Copyright: 2001-2006 IDEALIX 2006-2008 Jérôme Tournier This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. On Debian systems, the complete text of the GNU General Public License, version 2, can be found in /usr/share/common-licenses/GPL-2. The Debian packaging is (C) 2009, Sergio Talens-Oliag and is licensed under the GPL, see above. debian/doc-base0000664000000000000000000000070612060344277010600 0ustar Document: smbldap-tools Title: Smbldap-tools User Manual Author: Jérôme Tournier Abstract: This document presents a detailled view of the smbldap-tools scripts and a a step by step explanation of how to set up a Samba3 domain controller. Section: System/Administration Format: pdf Files: /usr/share/doc/smbldap-tools/smbldap-tools.pdf.gz Format: html Index: /usr/share/doc/smbldap-tools/smbldap-tools.html Files: /usr/share/doc/smbldap-tools/*.html debian/README.Debian0000664000000000000000000001200312060344277011232 0ustar smbldap-tools for Debian ------------------------ This package comes without config files, adding debconf support is in my TODO list. To use the tools you need to configure your LDAP server to support the SAMBA Schema, configure the SAMBA server to use LDAP as the password database and create the smbldap-tools config files to match your installation. You can find a detailed guide of how to do that reading the *smbldap-tools user manual*, available from: http://download.gna.org/smbldap-tools/docs/smbldap-tools/ If you don't want to RTFM, here you have a quick guide, but please, if you plan to use the tool seriously read the real docs... ;) LDAP Server Configuration ========================= 1. Copy the 'samba.schema' to be used in your LDAP server (you can find it in '/usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz' after installing the samba-doc package): zcat /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz > \ /etc/ldap/schema/samba.schema 2. Modify the file '/etc/ldap/slapd.conf' to include the samba schema: include /etc/ldap/schema/samba.schema 3. Optionally add indexes to optimize SAMBA access: index uid,uidNumber,gidNumber,memberUid eq index cn,mail,surname,givenname eq,subinitial index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq 4. Allow users to change their NT and LM Passwords changing the line: access to attribute=userPassword by: access to attrs=userPassword,sambaNTPassword,sambaLMPassword 5. Restart the LDAP server. SAMBA Server Configuration ========================== 1. Edit the '/etc/samba/smb.conf' to change the passdb backend from the original: passdb backend = tdbsam guest to: passdb backend = ldapsam:ldap://127.0.0.1/ (put the correct ldap server address). 2. Add configuration directives for the passdb system (the example assumes the 'example.com' domain and admin DN 'cn=admin,dc=example,dc=com' and no TLS): obey pam restrictions = no ldap admin dn = cn=admin,dc=example,dc=com ldap suffix = dc=example, dc=com ldap group suffix = ou=Groups ldap user suffix = ou=Users ldap machine suffix = ou=Computers ldap idmap suffix = ou=Users 3. More to use the smbldap-tools to change passwords: ; Don't use samba's internal LDAP password sync ldap passwd sync = No ; Use an external program to sync the LDAP password unix password sync = Yes passwd program = /usr/sbin/smbldap-passwd -u %u passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated* 4. And if you want to administer user and groups from windows add: add user script = /usr/sbin/smbldap-useradd -m "%u" ldap delete dn = Yes delete user script = /usr/sbin/smbldap-userdel "%u" add machine script = /usr/sbin/smbldap-useradd -w "%u" add group script = /usr/sbin/smbldap-groupadd -p "%g" delete group script = /usr/sbin/smbldap-groupdel "%g" add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u" 5. Restart samba and add the smbldap admin password to let SAMBA use it: /etc/init.d/samba restart smbpasswd -w LDAP_ADMIN_PASSWORD SMBLDAP-TOOLS Configuration =========================== 1. Start copying the files 'smbldap.conf' and 'smbldap_bind.conf' from '/usr/share/doc/smbldap-tools/examples/' to '/etc/smbldap-tools/': zcat /usr/share/doc/smbldap-tools/examples/smbldap.conf.gz > \ /etc/smbldap-tools/smbldap.conf cp /usr/share/doc/smbldap-tools/examples/smbldap_bind.conf \ /etc/smbldap-tools/smbldap_bind.conf 2. Edit the 'smbldap.conf' file; the main parameters to watch out are the 'SID', the ldap servers addresses, the TLS settings and the LDAP suffix. **NOTE**: To obtain the SID execute the following command with your SAMBA server Running: net getlocalsid 3. Edit the 'smbldap_bind.conf' file and put there the SMBLDAP administrator's DN and Password. 4. Fix file permisions: chmod 0644 /etc/smbldap-tools/smbldap.conf chmod 0600 /etc/smbldap-tools/smbldap_bind.conf 5. To initialize the LDAP database invoque the command: smbldap-populate **NOTE**: This makes the tool start adding uids and gids from 1000 (hardcoded default), if you want to start from different numbers you can use "-g " or "-u " as options to smbldap-populate. Upgrade from release 0.9.6 ========================== smbldap-tools 0.9.7 now support sambaNextRid attribute and its value in sambaDomain object for new RID allocation instead of obsolete RID algorithm by default. (It is for compatibility with Samba 3.0.23c and later.) If you are upgrading from smbldap-tools 0.9.6 (or older) and/or you want to use legacy RID algorithm for new RID allocation, you must add "sambaAlgorithmicRidBase: 1000" to your sambaDomain object. You can do that by running the `smbldap-upgrade-0.9.6.cmd` available on the `/usr/share/doc/smbldap-tools/` directory. -- Sergio Talens-Oliag , Tue, 27 Sep 2011 10:42:30 +0200 debian/examples0000664000000000000000000000013512060344277010735 0ustar doc/migration_scripts doc/*.example smbldap_bind.conf smbldap.conf smbldap-upgrade-0.9.6.cmd debian/docs0000664000000000000000000000011412060344277010044 0ustar doc/smbldap-tools.html doc/smbldap-tools.pdf CONTRIBUTORS INFRA README TODO debian/preinst0000664000000000000000000000166112060344277010610 0ustar #! /bin/sh # preinst script for smbldap-tools set -e # summary of how this script can be called: # * `install' # * `install' # * `upgrade' # * `abort-upgrade' # # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package SMBLDAP_CONF="/etc/smbldap-tools/smbldap.conf" case "$1" in install|upgrade) # Add "userHomeDirectoryMode" for old configuration files if test -n "$2" && dpkg --compare-versions "$2" lt "0.9"; then if test -f "$SMBLDAP_CONF" && ! grep -q "^userHomeDirectoryMod" "$SMBLDAP_CONF"; then cat >> $SMBLDAP_CONF << EOF # Default mode used for user homeDirectory userHomeDirectoryMode="700" EOF fi fi ;; abort-upgrade) ;; *) echo "preinst called with unknown argument \`$1'" >&2 exit 1 ;; esac #DEBHELPER# exit 0 debian/watch0000664000000000000000000000050012060344277010221 0ustar # Example watch control file for uscan # Rename this file to "watch" and then you can run the "uscan" command # to check for upstream updates and more. # See uscan(1) for format # Compulsory line, this is a version 3 file version=3 http://download.gna.org/smbldap-tools/sources/latest/smbldap-tools-([0-9].*)\.tar\.gz debian/changelog0000664000000000000000000001502612060344277011053 0ustar smbldap-tools (0.9.9-1ubuntu1) raring; urgency=low * Merge from Debian unstable (LP: #1054130). Remaining changes: - Apply patch from rdratlos to resolve being unable to join a Windows 7 or Windows 2008 machine to a Samba domain due to the use of cached nss credentials. - 0020_original_doc_html_index.patch: Add index html file. -- Logan Rosen Thu, 06 Dec 2012 23:27:14 -0500 smbldap-tools (0.9.9-1) unstable; urgency=low * New upstream release (Closes: #647860, #679935, #680939, #681350) * Previous upstream version closes: #670246 * Bumped standard version (no changes needed) -- Sergio Talens-Oliag Tue, 07 Aug 2012 20:28:37 +0200 smbldap-tools (0.9.7-1ubuntu1) precise; urgency=low * Merge from debian unstable (LP: #889308). Remaining changes: - Apply patch from rdratlos to resolve being unable to join a Windows 7 or Windows 2008 machine to a Samba domain due to the use of cached nss credentials. (LP: #814898) - 0020_original_doc_html_index.patch: Add index html file. -- Leo Iannacone Tue, 27 Sep 2011 18:05:13 +0000 smbldap-tools (0.9.7-1) unstable; urgency=low * New upstream release (Closes: #480386, #519551, #561941, #568259, #572711, #582902). -- Sergio Talens-Oliag Tue, 27 Sep 2011 15:14:48 +0200 smbldap-tools (0.9.6-1) unstable; urgency=low * New upstream release * Bumped standard version (no changes needed) * Add use-Digest-SHA.patch patch to use Digest::SHA from perl core instead of Digest::SHA1. Drop libdigest-sha1-perl from Depends (Closes: #624065). Patch from Salvatore Bonaccorso . -- Sergio Talens-Oliag Thu, 18 Aug 2011 10:55:45 +0200 smbldap-tools (0.9.5-1ubuntu1) oneiric; urgency=low * Apply patch from rdratlos to resolve being unable to join a Windows 7 or Windows 2008 machine to a Samba domain due to the use of cached nss credentials. (LP: #814898) -- Daniel T Chen Mon, 01 Aug 2011 15:14:32 -0400 smbldap-tools (0.9.5-1) unstable; urgency=low * New upstream release (Closes: Bug#548665). -- Sergio Talens-Oliag Thu, 15 Oct 2009 21:34:50 +0200 smbldap-tools (0.9.4-1) unstable; urgency=low * New upstream release, development has moved to a new place: https://gna.org/projects/smbldap-tools/. The new upstream version closes some bugs: - smbldap-passwd (make_salt): update shadowMax (to $config{defaultMaxPasswordAge}) entry if script used with root priviledge (Closes: Bug#404109). - current smbldap-groupadd man page documents -o and -p options (Closes: Bug#358381). * Fix README.Debian according to Daniel Lawson's patch (Closes: #359314). * Added Stefan Pfetzing's patch to create a nobody user following the Debian style (Closes: #354092). * The html version of the documentation is missing from the original tarball, I've included a patch that provides a copy downloaded from the web (Closes: Bug#425402, as the updated docs are right). * Thanks to David Schmitt for providing a set of patches for the package. -- Sergio Talens-Oliag Mon, 24 Sep 2007 13:24:18 +0200 smbldap-tools (0.9.2-3) unstable; urgency=low * Added patch to fix UTF-8 usage on smbldap-usermod. -- Sergio Talens-Oliag Fri, 13 Jan 2006 22:02:29 +0100 smbldap-tools (0.9.2-2) unstable; urgency=low * Added missing depends (reported by Michael Braun). -- Sergio Talens-Oliag Sat, 7 Jan 2006 17:12:02 +0100 smbldap-tools (0.9.2-1) unstable; urgency=low * New upstream release (Closes: Bug#314430). -- Sergio Talens-Oliag Tue, 3 Jan 2006 19:41:59 +0100 smbldap-tools (0.9.1-2) unstable; urgency=low * Standars updated, no changes needed. * Included 'configure.pl' with the package docs (Closes: Bug#317833). -- Sergio Talens-Oliag Tue, 12 Jul 2005 13:15:08 +0200 smbldap-tools (0.9.1-1) unstable; urgency=low * New upstream release. * Fixed README.Debian; tell the user to use -u or -g options with smbldap-populate to change initial uid or gid (Closes: Bug#314592). -- Sergio Talens-Oliag Tue, 21 Jun 2005 09:35:55 +0200 smbldap-tools (0.9.0-1) unstable; urgency=low * New upstream release. * This version adds support to change the default HOME creation mode (Closes: Bug#309303). * Removed patch to change the configuration files paths. -- Sergio Talens-Oliag Fri, 27 May 2005 00:59:40 +0200 smbldap-tools (0.8.8-1) unstable; urgency=low * New upstream release (Closes: Bug#306455). -- Sergio Talens-Oliag Tue, 26 Apr 2005 20:15:52 +0200 smbldap-tools (0.8.7-4) unstable; urgency=low * Changed package priority to extra, as it depends on packages that have priority extra; I thought lintian and/or linda looked at those things. -- Sergio Talens-Oliag Sun, 10 Apr 2005 12:49:00 +0200 smbldap-tools (0.8.7-3) unstable; urgency=high * Changed the perl dependency to a ${perl:Depends} substitution. * Added the dependency on libdigest-sha1-perl (Closes: Bug#298200). -- Sergio Talens-Oliag Sat, 5 Mar 2005 18:51:26 +0100 smbldap-tools (0.8.7-2) unstable; urgency=low * Added patch to fix configuration file locations, should have tested it better (Bug#296062). -- Sergio Talens-Oliag Sun, 20 Feb 2005 10:04:19 +0100 smbldap-tools (0.8.7-1) unstable; urgency=low * New upstream release. -- Sergio Talens-Oliag Fri, 18 Feb 2005 23:20:46 +0100 smbldap-tools (0.8.5-3-2) unstable; urgency=low * Add libio-socket-ssl-perl to Depends because it is needed to use the package with TLS. Probably it should only be recommended because it is not needed to use the Package without TLS, but in fact it is already recommended from the libnet-ldap-perl package and a bug has been filed anyway (Closes: Bug#286222). -- Sergio Talens-Oliag Thu, 30 Dec 2004 09:26:48 +0100 smbldap-tools (0.8.5-3-1) unstable; urgency=low * New upstream release, previous one should have been 0.8.5-2. Anyway I don't understand why upstream uses this numbering scheme. -- Sergio Talens-Oliag Sun, 21 Nov 2004 23:32:13 +0100 smbldap-tools (0.8.5-1) unstable; urgency=low * Initial Release (Closes: Bug#270777). * First personal package built using cdbs ... really easy ... ;) -- Sergio Talens-Oliag Thu, 9 Sep 2004 11:11:31 +0200 debian/manpages0000664000000000000000000000000412060344277010705 0ustar *.8 debian/compat0000664000000000000000000000000212060344277010373 0ustar 7 debian/source/0000775000000000000000000000000012060344311010462 5ustar debian/source/format0000664000000000000000000000001412060344277011703 0ustar 3.0 (quilt) debian/patches/0000775000000000000000000000000012060344311010611 5ustar debian/patches/0021_smbldap-useradd_flush_nscd_cache.patch0000664000000000000000000000142412060344277020712 0ustar Description: Force an nss flush to fix failure to join a Windows 7 or Windows 2008 machine to Samba domain Forwarded: no Author: rdratlos Origin: rdratlos, https://bugs.launchpad.net/ubuntu/+source/smbldap-tools/+bug/814898/+attachment/2226951/+files/smbldap-useradd_flush_nscd_cache.patch Reviewed-By: Daniel T Chen Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/smbldap-tools/+bug/814898 Last-Update: 2011-08-01 --- a/smbldap-useradd.pl +++ b/smbldap-useradd.pl @@ -402,6 +402,9 @@ } $ldap_master->unbind; + # Flush nscd cache to be aligned with the LDAP directory change + system "[ -x /usr/sbin/nscd ] && /usr/sbin/nscd -i passwd 2>/dev/null"; + system "[ -x /usr/sbin/nscd ] && /usr/sbin/nscd -i group 2>/dev/null"; exit 0; } debian/patches/0020_original_doc_html_index.patch0000664000000000000000000026251112060344277017161 0ustar --- smbldap-tools-0.9.5.orig/doc/html/index.html +++ smbldap-tools-0.9.5/doc/html/index.html @@ -0,0 +1,2364 @@ + + +Smbldap-tools User Manual +(Release: 0.9.3 ) + + + + + + + + + + + +
+ Copyright 2002 © IDEALX S.A.S. - + Contact: samba@IDEALX.org +
+
+ + + + + + + + +

Smbldap-tools User Manual
+(Release: 0.9.3 )

+ +

Jérôme Tournier

+ +

Revision: 1.7 , generated July 12, 2007
+

+
+ + + + + + + + + + + + + +
Release: 
Reference: 
Publication date: 
Print date:July 12, 2007
+
+ +
+This document is the property of IDEALX1. +Permission is granted to distribute this document under the terms of the GNU +Free Documentation License (http://www.gnu.org/copyleft/fdl.html).
+
+ + +

Table of Contents

+ + + + + + + +

1  Introduction

+ + +Smbldap-tools is a set of scripts designed to help integrate Samba and a +LDAP directory. They target both users and administrators of Linux systems.
+
+Users can change their password in a way similar to the standard ``passwd'' +command.
+
+Administrators can perform user and group management command line actions +and synchronise Samba account management consistently.
+
+This document presents: +
  • +a detailled view of the smbldap-tools scripts +
  • a step by step explanation of how to set up a Samba3 domain controller +
+ + +

1.1  Software requirements

+ +The smbldap-tools have been developped and tested with the following configuration : +
  • +Linux CentOS4 (be should work on any Linux distribution) +
  • Samba release 3.0.10, +
  • OpenLDAP release 2.2.13 +
  • Microsoft Windows NT 4.0, Windows 2000 and Windows XP Workstations and Servers, +
+This guide applies to smbldap-tools Release: 0.9.3 .
+
+ + +

1.2  Updates of this document

+ +The most up to date release of this document may be found on the +smbldap-tools project page available at http://sourceforge.net/projects/smbldap-tools/.
+
+If you find any bugs in this document, or if you want this document to +integrate some additional infos, please drop me a mail with your bug report +and/or change request at jtournier@gmail.com.
+
+ + +

1.3  Availability of this document

+ +This document is the property of IDEALX (http://www.IDEALX.com/).
+
+Permission is granted to distribute this document under the terms of the GNU +Free Documentation License (See http://www.gnu.org/copyleft/fdl.html). + + +

2  Installation

+ + + +

2.1  Requirements

+ +The main requirement for using smbldap-tools are the two perl module: +Net::LDAP and Crypt::SmbHash. +In most cases, you'll also need the IO-Socket-SSL Perl module to use +TLS functionnality.
+
+If you want samba to call the scripts so that you can use the User +Manager (or any other) under MS-Windows (to add, delete modify users and +groups), Samba must be installed on the same computer. +Finally, OpenLDAP can be installed on any computer. Please check that it +can be contacted by a standard LDAP client software.
+
+Samba and OpenLDAP installations will not be discussed +here. You can consult the howto also available on the +project page (http://sourceforge.net/projects/smbldap-tools/).
+
+ + +

2.2  Installation

+ +An archive of the smbldap-tools scripts can be downloaded on our project +page http://sourceforge.net/projects/smbldap-tools/. Archive and RedHat packages are +available. +
+If you are upgrading, look at the INSTALL file or read the link +6.13.
+
+ + +

2.2.1  Installing from rpm

+ +To install the scripts on a RedHat system, download the RPM +package and run the following command: +
+rpm -Uvh smbldap-tools-0.9.3-1.i386.rpm
+
+ + +

2.2.2  Installing from a tarball

+ +On non RedHat system, download a source archive of the scripts. The current +archive is smbldap-tools-0.9.3.tar.gz. +Uncompress it and copy all of the Perl scripts in /usr/sbin +directory, and the two configuration files in +/etc/smbldap-tools/ directory: +
+mkdir /etc/smbldap-tools/
+cp *.conf /etc//smbldap-tools/
+cp smbldap-* /usr/sbin/
+
+The configuration is now based on two differents files: +
  • +smbldap.conf: define global parameter +
  • smbldap_bind.conf: define an administrative account to + bind to the directory +
+The second file must be readable only for 'root', as it contains +credentials allowing modifications on all the directory. Make sure the +files are protected by running the following commands: +
+chmod 644 /etc/smbldap-tools/smbldap.conf
+chmod 600 /etc/smbldap-tools/smbldap_bind.conf
+
+ +

3  Configuring the smbldap-tools

+ +As mentioned in the previous section, you'll have to update two +configuration files. The first (smbldap.conf) allows you to +set global parameter that are readable by everybody, and the second +(smbldap_bind.conf) defines two administrative accounts to +bind to a slave and a master ldap server: this file must thus be +readable only by root.
+
+A script named configure.pl can help you to set their contents +up. It is located in the tarball +downloaded or in the documentation directory if you got the RPM +archive (see /usr/share/doc/smbldap-tools-0.9.3/). Just invoke it: +
+/usr/share/doc/smbldap-tools-0.9.3/configure.pl
+
It will ask for the default values defined in your +smb.conf file, and will update the two configuration files used +by the scripts. Samba configuration file should then be already configured. +Note that you can stop the script at any moment with +the Crtl-c keys.
+Before using this script : +
  • +the two configuration files must be present in the + /etc/smbldap-tools/ directory +
  • check that samba is configured and running, as the script will try to + get your workgroup's domain secure id (SID). +
+In those files, parameters are defined like this: +
+key="value"
+
Full example configuration files can be found at +8.1.
+
+ + +

3.1  The smbldap.conf file

+ +This file is used to define parameters that can be readable by +everybody. A full example file is available in section 8.1.1.
+
+Let's have a look at all available parameters. +
  • +UID_START and GID_START : parameters deprecated +
    • + Those parameters must be removed or commented. +
    • Available uid and gid are now defined in the default + new entry sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}". + See later for ${sambaDomain} and ${suffix} definitions. +
    +
  • SID : Secure Identifier Domain +
    • + Example: SID="S-1-5-21-3703471949-3718591838-2324585696" +
    • Remark: you can get the SID for your domain using the "net getlocalsid" + command. Samba must be up and running for this to work (it can take several minutes for a Samba server to correctly negotiate its status with other network servers). +
    +
  • sambaDomain : Samba Domain the Samba server is in charge +
    • + Example: sambaDomain="DOMSMB" +
    • Remark: if not defined, parameter is taking from smb.conf configuration file +
    +
  • slaveLDAP : slave LDAP server +
    • + Example: slaveLDAP="127.0.0.1" +
    • Remark: must be a resolvable DNS name or it's IP address +
    +
  • slavePort : port to contact the slave server +
    • + Example: slavePort="389" +
    +
  • masterLDAP : master LDAP server +
    • + Example: masterLDAP="127.0.0.1" +
    +
  • masterPort : port to contact the master server +
    • + Example: masterPort="389" +
    +
  • ldapTLS : should we use TLS connection to contact the + ldap servers ? +
    • + Example: ldapTLS="1" +
    • Remark: the LDAP severs must be configured to accept TLS + connections. See section the Samba-LDAP Howto for more + details (http://samba.idealx.org/smbldap-howto.fr.html). If you are using TLS support, select port 389 to connect to + the master and slave directories. +
    +
  • verify : How to verify the server's certificate (none, optional or require). +
    • + Example: verify="require" +
    • Remarl: See ``man Net::LDAP'' in start_tls section for more details +
    +
  • cafile : the PEM-format file containing certificates + for the CA that slapd will trust +
    • + Example: cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem" +
    +
  • clientcert : the file that contains the client certificate +
    • + Example: clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem" +
    +
  • clientkey : the file that contains the private key that + matches the certificate stored in the clientcert file +
    • + Example: clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key" +
    +
  • suffix : The distinguished name of the search base +
    • + Example: suffix="dc=idealx,dc=com" +
    +
  • usersdn : branch in which users account can be found or + must be added +
    • + Example: usersdn="ou=Users,${suffix}" +
    • Remark: this branch is not relative to the suffix value +
    +
  • computersdn : branch in which computers account can be + found or must be added +
    • + Example: computersdn"ou=Computers,${suffix}" +
    • Remark: this branch is not relative to the suffix value +
    +
  • groupsdn : branch in which groups account can be found + or must be added +
    • + Example: groupsdn="ou=Groups,${suffix}" +
    • Remarks: this branch is not relative to the suffix value +
    +
  • idmapdn : where are stored Idmap entries (used if samba is a domain member server) +
    • + Example: idmapdn="ou=Idmap,${suffix}" +
    • Remarks: this branch is not relative to the suffix value +
    +
  • sambaUnixIdPooldn : object in which next uidNumber and gidNumber available are stored +
    • + Example: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}" +
    • Remarks: this branch is not relative to the suffix value +
    +
  • scope : the search scope. +
    • + Example: scope="sub" +
    +
  • hash_encrypt : hash to be used when generating a + user password. +
    • + Example: hash_encrypt="SSHA" +
    • Remark: This is used for the unix password stored in userPassword attribute. +
    +
  • crypt_salt_format="%s" : if hash_encrypt is set to + CRYPT, you may set a salt format. Default is "%s", but many systems + will generate MD5 hashed passwords if you use "$1$%.8s". This + parameter is optional. +
  • userLoginShell : default shell given to users. +
    • + Example: userLoginShell="/bin/bash" +
    • Remark: This is stored in loginShell attribute. +
    +
  • userHome : default directory where users's home + directory are located. +
    • + Example: userHome="/home/%U" +
    • Remark: This is stored in homeDirectory attribute. +
    +
  • userGecos : gecos used for users +
    • + Example: userGecos="System User" +
    +
  • defaultUserGid : default primary group set to users accounts +
    • + Example: defaultUserGid="513" +
    • Remark: this is stored in gidNumber attribute. +
    +
  • defaultComputerGid : default primary group set to + computers accounts +
    • + Example: defaultComputerGid="550" +
    • Remark: this is stored in gidNumber attribute. +
    +
  • skeletonDir : skeleton directory used for users accounts +
    • + Example: skeletonDir="/etc/skel" +
    • Remark: this option is used only if you ask for home directory creation when adding a new user. +
    +
  • defaultMaxPasswordAge : default validation time for Samba password (in days) +
    • + Example: defaultMaxPassword="55" +
    +
  • userSmbHome : samba share used to store user's home directory +
    • + Example: + userSmbHome="\\PDC-SMB3\ home\%U" +
    • Remark: this is stored in sambaHomePath attribute. +
    +
  • userProfile : samba share used to store user's profile +
    • + Example: + userProfile="\\PDC-SMB3\ profiles\%U" +
    • Remark: this is stored in sambaProfilePath attribute. +
    +
  • userHomeDrive : letter used on windows system to map + the home directory +
    • + Example: userHomeDrive="K:" +
    +
  • userScript : default user netlogon script name. If not used, will be automatically username.cmd +
    • + Example: + userScript="%U" +
    • Remark: this is stored in sambaProfilePath attribute. +
    +
  • mailDomain : Domain appended to the users "mail" + attribute. +
    • + Example: mailDomain="idealx.org" +
    +
  • with_smbpasswd : should we use the smbpasswd command + to set the user's password (instead of the mkntpwd utility) ? +
    • + Example: with_smbpasswd="0" +
    • Remark: must be a boolean value (0 or 1). +
    +
  • smbpasswd : path to the smbpasswd binary +
    • + Example: smbpasswd="/usr/bin/smbpasswd" +
    +
  • with_slappasswd : should we use the slappasswd command + to set the Unix user's password (instead of the Crypt:: librairies) ? +
    • + Example: with_smbpasswd="0" +
    • Remark: must be a boolean value (0 or 1). +
    +
  • slappasswd : path to the slappasswd binary +
    • + Example: smbpasswd="/usr/sbin/slappasswd" +
    +
+ + +

3.2  The smbldap_bind.conf file

+ +This file is only used by root to give bind parameters to the directory when modifications are asked. +It contains distinguised names and credentials to connect to +both the master and slave directories. A full example file is available +in section 8.1.2.
+
+Let's have a look at all available parameters. +
  • +slaveDN : distinguished name used to bind to the slave server +
    • + Example 1: slaveDN="cn=Manager,dc=idealx,dc=com" +
    • Example 2: slaveDN="" +
    • Remark: this can be the manager account of the directory or + any LDAP account that has sufficient permissions to read the full + directory (Slave directory is only used for reading). Anonymous + connections uses the second example form. +
    +
  • slavePw : the credentials to bind to the slave server +
    • + Example 1: slavePw="secret" +
    • Example 2: slavePw="" +
    • Remark: the password must be stored here in clear form. This + file must then be readable only by root! All anonymous connections + use the second form provided in our example. +
    +
  • masterDN : the distinguished name used to bind to the master server +
    • + Example: masterDN="cn=Manager,dc=idealx,dc=com" +
    • Remark: this can be the manager account of the directory or + any LDAP account that has enough permissions to modify the content + of the directory. Anonymous access does not make any sense here. +
    +
  • masterPw : the credentials to bind to the master server +
    • + Example: masterPw="secret" +
    • Remark: the password must be in clear text. Be sure to protect + this file against unauthorized readers! +
    +
+ + +

4  Using the scripts

+ + + +

4.1  Initial directory's population

+ +You can initialize the LDAP directory using the +smbldap-populate script. To do that, the account defined in +the /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf to access the +master directory must must be the manager account defined in the +directory configuration. On RedHat system, this file is +/etc/openldap/slapd.conf and the account is defined with + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
+  rootdn          "cn=Manager,dc=idealx,dc=com"
+  rootpw          secret
+
 + +
+
+ +
+
The smbldap_bind.conf file must then be configured so that +the parameters to connect to the master LDAP server match the previous ones: + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
+  masterDN="cn=Manager,dc=idealx,dc=com"
+  masterPw="secret"
+
 + +
+
+ +
+

+Available options for this script are summarized in the table 1: +
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
optiondefinitiondefault value
-u uidNumberfirst uidNumber to allocate1000
-g gidNumberfirst uidNumber to allocate1000
-a useradministrator login nameAdministrator
-b userguest login namenobody
-e fileexport a init file 
-i fileimport a init file 
+
+
+
Table 1: Options available for the smbldap-populate script

+ + +
+In the more general case, to set up your directory, simply use the +following command: +
+[root@etoile root]# smbldap-populate 
+Using builtin directory structure
+adding new entry: dc=idealx,dc=com
+adding new entry: ou=Users,dc=idealx,dc=com
+adding new entry: ou=Groups,dc=idealx,dc=com
+adding new entry: ou=Computers,dc=idealx,dc=com
+adding new entry: ou=Idmap,dc=idealx,dc=org
+adding new entry: cn=NextFreeUnixId,dc=idealx,dc=org
+adding new entry: uid=Administrator,ou=Users,dc=idealx,dc=com
+adding new entry: uid=nobody,ou=Users,dc=idealx,dc=com
+adding new entry: cn=Domain Admins,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Domain Users,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Domain Guests,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Print Operators,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Backup Operators,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Replicator,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Domain Computers,ou=Groups,dc=idealx,dc=com
+
+After this step, if you don't want to use the cn=Manager,dc=idealx,dc=com +account anymore, you can create a dedicated account for Samba and the +smbldap-tools. See section 8.2 for more details.
+
+The cn=NextFreeUnixId,dc=idealx,dc=org entry is only used to +defined the next uidNumber and gidNumber available for creating new +users and groups. The default values for those numbers are 1000. You +can change it with the -u and -g option. For +example, if you want the first available value for uidNumber and +gidNumber to be set to 1500, you can use the following command : +
+smbldap-populate -u 1550 -g 1500
+
+ + +

4.2  User management

+ + + +

4.2.1  Adding a user

+ +To add a user, use the smbldap-useradd script. Available +options are summarized in the table 2. If applicable, +default values are mentionned in the third column. Any string beginning with a +$ symbol refers to a parameter defined in the +/etc/opt/IDEALX/smbldap-tools/smbldap.conf configuration file. +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
optiondefinitionexampledefault value
-acreate a Windows account. Otherwise, only a Posix account + is created  
-wcreate a Windows Workstation account  
-icreate an interdomain trust account. See section + 4.4 for more details  
-uset a uid value-u 1003first uid available
-gset a gid value-g 1003first gid available
-Gadd the new account to one or several supplementary + groups (comma-separated)-G 512,550 
-dset the home directory-d /var/user$userHomePrefix/user
-sset the login shell-s /bin/ksh$userLoginShell
-cset the user gecos-c "admin user"$userGecos
-mcreates user's home directory and copies /etc/skel + into it  
-kset the skeleton dir (with -m)-k /etc/skel2$skeletonDir
-Pends by invoking smbldap-passwd to set the user's + password  
-Auser can change password ? 0 if no, 1 if yes-A 1 
-Buser must change password at first session ? 0 if no, 1 + if yes-B 1 
-Cset the samba home share-C \\PDC\homes$userSmbHome
-Dset a letter associated with the home share-D H:$userHomeDrive
-Eset DOS script to execute on login-E common.bat$userScript
-Fset the profile directory-F \\PDC\profiles\user$userProfile
-Hset the samba account control bits + like'[NDHTUMWSLKI]'-H [X] 
-Nset the canonical name of the user  
-Sset the surname of the user  
-Mlocal mailAddress (comma seperated)-M testuser,aliasuser 
-Tforward mail address (comma seperated)-T + testuser@domain.org 
+
+
+
Table 2: Options available to the smbldap-useradd script

+ + +
+ +For example, if you want to add a user named user_admin and who : +
  • +is a windows user +
  • must belong to the group of gid=512 ('Domain Admins' group) +
  • has a home directory +
  • does not have a login shell +
  • has a homeDirectory set to /dev/null +
  • does not have a roaming profile +
  • and for whom we want to set a first login password +
+you must invoke: +
+smbldap-useradd -a -G 512 -m -s /bin/false -d /dev/null -F "" -P user_admin
+
+ + +

4.2.2  Removing a user

+ +To remove a user account, use the smbldap-userdel script. +Available options are +
+
+ + + + + + + + + +
optiondefinition
-rremove home directory
-Rremove home directory interactively
+
+
+
Table 3: Option available to the smbldap-userdel script

+ + +
+For example, if you want to remove the user1 account +from the LDAP directory, and if you also want to delete his home +directory, use the following command : +
+smbldap-userdel -r user1
+
+Note: '-r' is dangerous as it may delete precious and unbackuped data, +please be careful.
+
+ + +

4.2.3  Modifying a user

+ +To modify a user account, use the smbldap-usermod script. +Availables options are listed in the table 4. +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
optiondefinitionexample
-cset the user gecos-c "admin user"
-dset the home directory-d /var/user
-uset a uid value-u 1003
-gset a gid value-g 1003
-Gadd the new account to one or several supplementary + groups (comma-separated)-G 512,550
-G -512,550
-G +512,550
-sset the login shell-s /bin/ksh
-Nset the canonical name of the user 
-Sset the surname of the user 
-Pends by invoking smbldap-passwd to set the user's password 
-aadd sambaSAMAccount objectclass 
-eset an expiration date for the password (format: YYYY-MM-DD HH:MM:SS) 
-Auser can change password ? 0 if no, 1 if yes-A 1
-Buser must change password at first session ? 0 if no, 1 + if yes-B 1
-Cset the samba home share-C \\PDC\homes
-C ""
-Dset a letter associated with the home share-D H:
-D ""
-Eset DOS script to execute on login-E common.bat
-E ""
-Fset the profile directory-F \\PDC\profiles\user
-F ""
-Hset the samba account control bits like'[NDHTUMWSLKI]'-H [X]
-Idisable a user account-I 1
-Jenable a user-J 1
-Mlocal mailAddress (comma seperated)-M testuser,aliasuser
-Tforward mail address (comma seperated)-T + testuser@domain.org
+
+
+
Table 4: Options available to the smbldap-usermod script

+ + +
+You can also use the smbldap-userinfo script to update user's information. This script can +also be used by users themselves to update their own informations listed in the tables +5 (adequats ACL must be set in the directory server). Available +options are : +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
optiondefinitionexample
-fset the full name's user-f MyName
-rset the room number-r 99
-wset the work phone number-w 111111111
-hset the home phone number-h 222222222
-oset other information (in gecos definition)-o "second stage"
-sset the default bash-s /bin/ksh
+
+
+
Table 5: Options available to the smbldap-userinfo script

+ + +
+ + +

4.3  Group management

+ + + +

4.3.1  Adding a group

+ +To add a new group in the LDAP directory, use the smbldap-groupadd +script. Available options are listed in the table +6. +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
optiondefinitionexample
-aadd automatic group mapping entry 
-g gidset the gidNumer for this group to + gid-g 1002
-ogidNumber is not unique 
-r group-ridset the rid of the group to + group-rid-r 1002
-s group-sidset the sid of the group to + group-sid-s + S-1-5-21-3703471949-3718591838-2324585696-1002
-t group-typeset the sambaGroupType to + group-type-t 2
-pprint the gidNumber to stdout 
+
+
+
Table 6: Options available for the smbldap-groupadd script

+ + +
+ + +

4.3.2  Removing a group

+ +To remove the group named group1, just use the following +command : +
+smbldap-userdel group1
+
+ + +

4.4  Adding a interdomain trust account

+ +To add an interdomain trust account to the primary controller trust-pdc, use the -i option of +smbldap-useradd as follows : +
+[root@etoile root]# smbldap-useradd -i trust-pdc
+New password : *******
+Retype new password : *******
+
+The script will terminate asking for a password for this trust +account. The account will be created in the directory branch where +all computer accounts are stored (ou=Computers by +default). The only two particularities of this account are that you are +setting a password for this account, and the flags of this account are +[I ]. + + +

5  Samba and the smbldap-tools scripts

+ + + +

5.1  General configuration

+ +Samba can be configured to use the smbldap-tools scripts. This allows +administrators to add, delete or modify user and group accounts for Microsoft Windows +operating systems using, for example, User Manager utility under MS-Windows. +To enable the use of this utility, samba needs to be configured correctly. The +smb.conf configuration file must contain the following directives : + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
+ldap delete dn = Yes
+add user script = /usr/local/sbin/smbldap-useradd -m "%u"
+add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
+add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
+add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
+delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
+set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
+
 + +
+
+ +
+

+Remark: the two directives delete user script et delete group +script can also be used. However, an error message can appear in User Manager +even if the operations actually succeed. +If you want to enable this behaviour, you need to add + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
+delete user script = /usr/local/sbin/smbldap-userdel "%u"
+delete group script = /usr/local/sbin/smbldap-groupdel "%g"
+
 + +
+
+ +
+

+ + +

5.2  Migrating an NT4 PDC to Samba3

+ +The account migration procedure becomes really simple when samba is configured to use +the smbldap-tools. Samba configuration (smb.conf file) must contain the +directive defined above to properly call the script for managing users, groups and computer accounts. +The migration process is outlined in the chapter 30 of the samba howto +http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html. +
+
+ + +

6  Frequently Asked Questions

+ + + +

6.1  How can i use old released uidNumber and gidNumber ?

+ +There are two way to do this : +
  • +modify the cn=NextFreeUnixId,dc=idealx,dc=org and + change the uidNumber and/or gidNumber value. This + must be done manually. For example, if you want to use all available + uidNumber and gidNumber higher then 1500, you need to create a + update-NextFreeUnixId.ldif file containing : + + +
    + + + + + + + +
    + +
    +
    + +
    +
    		+ +
    dn: cn=NextFreeUnixId,dc=idealx,dc=org
+changetype: modify
+uidNumber: 1500
+gidNumber: 1500
+
    		 + +
    +
    + +
    +
    +and then update the directory : +
    +ldapmodify -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f update-NextFreeUnixId.ldif
+
  • use the -u or -g option to the script you need to set the value you + want to use +
+ + +

6.2  I always have this error: "Can't locate IO/Socket/SSL.pm"

+ +This happens when you want to use a certificate. In this case, you need to install the +IO-Socket-SSL Perl module.
+
+ + +

6.3  I can't initialize the directory with smbldap-populate

+ +When I want to initialize the directory using the smbldap-populate +script, I get +
+[root@slave sbin]# smbldap-populate.pl
+  Using builtin directory structure
+  adding new entry: dc=IDEALX,dc=COM
+  Can't call method "code" without a package or object reference at
+  /usr/local/sbin/smbldap-populate.pl line 270, <GEN1> line 2.
+
Answer: check the TLS configuration +
  • +if you don't want to use TLS support, set the /etc/opt/IDEALX/smbldap-tools/smbldap.conf file +with +
    +ldapSSL="0"
+
  • if you want TLS support, set the /etc/opt/IDEALX/smbldap-tools/smbldap.conf file with +
    +ldapSSL="1"
+
    and check that the directory server is configured to accept TLS connections. +
+ + +

6.4  I can't join the domain with the root account

+ +
  • +check that the root account has the sambaSamAccount objectclass +
  • check that the directive add machine script is present and configured +
+ + +

6.5  I have the sambaSamAccount but i can't logged in

+ +Check that the sambaPwdLastSet attribute is not null (equal to 0)
+
+ + +

6.6  I want to create machine account on the fly, but it does + not works or I must do it twice

+ +
  • +The script defined with the add machine script must not add +the sambaSAMAccount objectclass of the machine account. The +script must only add the Posix machine account. Samba will add the sambaSAMAccount when +joining the domain. +
  • Check that the add machine script is present in samba + configuration file. +
+ + +

6.7  I can't manage the Oracle Internet Database

+ +If you have an error message like : + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
+Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 187.
+Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 627.
+
 + +
+
+ +
+
For Oracle Database, all attributes that will be resquested to the directory must be indexed. Add a +new index for samba attributes and make sure that the following attributes are also indexed : + uidNumber, gidNumber, memberUid, homedirectory, description, userPassword ...
+
+ + +

6.8  The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u is not +called, or i got a error message when changing the password from windows

+ +The directive is called if you also set unix password sync = Yes. +Notes: +
  • +if you use OpenLDAP, none of those two options are needed. You just need ldap +passwd sync = Yes. +
  • the script called here must only update the userPassword attribute. This is the +reason of the -u option. Samba passwords will be updated by samba itself. +
  • the passwd chat directive must match what is prompted when using the +smbldap-passwd command +
+ + +

6.9  New computers account can't be set in ou=computers

+ +This is a known samba bug. There's a workarround: look at +http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2
+
+ + +

6.10  I can join the domain, but i can't log on

+ +look at section 6.9
+
+ + +

6.11  I can't create a user with smbldap-useradd

+ +When creating a new user account I get the following error message: +
+/usr/local/sbin/smbldap-useradd.pl: unknown group SID not set for unix group 513
+
Answer: +
  • +is nss_ldap correctly configured ? +
  • is the default group's users mapped to the 'Domain Users' NT group ? +
    +net groupmap add rid=513 unixgroup="Domain Users" ntgroup="Domain Users"
+
+ + +

6.12  smbldap-useradd: Can't call method "get_value" on an undefined value at +/usr/local/sbin/smbldap-useradd line 154

+ +
  • +does the default group defined in smbldap.conf exist + (defaultUserGid="513") ? +
  • does the NT "Domain Users" group mapped to a unix + group of rid 513 (see option -r of smbldap-groupadd and + smbldap-groupmod to set a rid) ? +
+ + +

6.13  Typical errors on creating a new user or a new group

+ +
  • +i've got the following error: +
    +Could not find base dn, to get next uidNumber at /usr/local/sbin//smbldap_tools.pm line 909
+
    1. + you do not have created the object to defined the next uidNumber and gidNumber available. +
      • + for version 0.8.7 : you can just run the smbldap-populate script that will + update the sambaDomain entry to store those informations +
      • for version before 0.8.7 : + You have updated the smbldap-tools to version 0.8.5 or newer. + You have to do this manually. Create an file called add.ldif and containing +
        +dn: cn=NextFreeUnixId,dc=idealx,dc=org
+objectClass: inetOrgPerson
+objectClass: sambaUnixIdPool
+uidNumber: 1000
+gidNumber: 1000
+cn: NextFreeUnixId
+sn: NextFreeUnixId
+
        and then add the object with the ldapadd utility: +
        +$ ldapadd -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f add.ldif
+
        Here, 1000 is the first available value for uidNumber and gidNumber (of course, if this value is + already used by a user or a group, the first available after 1000 will be used). +

      +
      +
    2. The error also appear when there is a need for TLS (ldapTLS=1 in smbldap.conf) and +something is wrong with certificate naming or path settings. +

    +
    +
  • i've got the following error: +
    +Use of uninitialized value in string at
+/usr/local/sbin//smbldap\_tools.pm line 914.
+Error: No DN specified at /usr/local/sbin//smbldap\_tools.pm line 919
+
    You have not updated the configuration file to defined the object where are sotred the next +uidNumber and gidNumber available. In our example, you have to add a nex entry in +/etc/opt/IDEALX/smbldap-tools/smbldap.conf containing : +
    +# Where to store next uidNumber and gidNumber available
+sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
+
    btw, a new option is now available too: the domain to append to users. You can add to the +configuration file the following lines: +
    +# Domain appended to the users "mail"-attribute
+# when smbldap-useradd -M is used mailDomain="idealx.com"
+

    +
    +
  • i've got the following error: +
    +Use of uninitialized value in concatenation (.) or string at /usr/local/sbin/smbldap-useradd line 183.
+Use of uninitialized value in substitution (s///) at /usr/local/sbin/smbldap-useradd line 185.
+Use of uninitialized value in string at /usr/local/sbin/smbldap-useradd line 264.
+failed to add entry: homedirectory: value #0 invalid per syntax at /usr/local/sbin/smbldap-useradd line 280.
+userHomeDirectory=User "jto" already member of the group "513".
+failed to add entry: No such object at /usr/local/sbin/smbldap-useradd line 382.
+
    you have to change the variable name userHomePrefix to userHome in +/etc/opt/IDEALX/smbldap-tools/smbldap.conf
    +
    +
  • i've got the following error: +
    +failed to add entry: referral missing at /usr/local/sbin/smbldap-useradd line 279, <DATA> line 283.
+
    you have to update the configuration file that defined users, groups and computers dn. Those +parameters must not be relative to the suffix parameter. A typical +configuration look like this : +
    +usersdn="ou=Users,${suffix}"
+computersdn="ou=Computers,${suffix}"
+groupsdn="ou=Groups,${suffix}"
+

    +
    +
  • i've got the following error: +
    +erreur LDAP: Can't contact master ldap server (IO::Socket::INET: Bad protocol 'tcp')
+at /usr/local/sbin//smbldap_tools.pm line 153.
+
    remove ldap from /etc/nsswitch.conf for services list of possible check. For +example, if your ldap directory is not configured to give services information, you must have +
    +services    files
+
    and not +
    +services:   ldap [NOTFOUND=return] files
+
+ + + + +

7  Thanks

+ + +People who have worked on this document are +
  • +Jérôme Tournier <jerome.tournier@IDEALX.com> +
  • David Barth <david.barth@IDEALX.com> +
  • Nat Makarevitch <nat@IDEALX.com> +
+The authors would like to thank the following people for providing help with +some of the more complicated subjects, for clarifying some of the internal +workings of Samba or OpenLDAP, for pointing out errors or mistakes in +previous versions of this document, or generally for making +suggestions : +
  • +IDEALX team : +
    • + Roméo Adekambi <romeo.adekambi@IDEALX.com> +
    • Aurelien Degremont <adegremont@IDEALX.com> +
    • Renaud Renard <rrenard@IDEALX.com> +
    +
  • John H Terpstra <jht@samba.org> +
+ + +

8  Annexes

+ + + +

8.1  Full configuration files

+ + + +

8.1.1  The /etc/opt/IDEALX/smbldap-tools/smbldap.conf file

+ + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
# $Source: $
+# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
+#
+# smbldap-tools.conf : Q & D configuration file for smbldap-tools
+
+#  This code was developped by IDEALX (http://IDEALX.org/) and
+#  contributors (their names can be found in the CONTRIBUTORS file).
+#
+#                 Copyright (C) 2001-2002 IDEALX
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU General Public License
+#  as published by the Free Software Foundation; either version 2
+#  of the License, or (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+#  USA.
+
+#  Purpose :
+#       . be the configuration file for all smbldap-tools scripts
+
+##############################################################################
+#
+# General Configuration
+#
+##############################################################################
+
+# Put your own SID. To obtain this number do: "net getlocalsid".
+# If not defined, parameter is taking from "net getlocalsid" return
+SID="S-1-5-21-2252255531-4061614174-2474224977"
+
+# Domain name the Samba server is in charged.
+# If not defined, parameter is taking from smb.conf configuration file
+# Ex: sambaDomain="IDEALX-NT"
+sambaDomain="DOMSMB"
+
+##############################################################################
+#
+# LDAP Configuration
+#
+##############################################################################
+
+# Notes: to use to dual ldap servers backend for Samba, you must patch
+# Samba with the dual-head patch from IDEALX. If not using this patch
+# just use the same server for slaveLDAP and masterLDAP.
+# Those two servers declarations can also be used when you have 
+# . one master LDAP server where all writing operations must be done
+# . one slave LDAP server where all reading operations must be done
+#   (typically a replication directory)
+
+# Slave LDAP server
+# Ex: slaveLDAP=127.0.0.1
+# If not defined, parameter is set to "127.0.0.1"
+slaveLDAP="127.0.0.1"
+
+# Slave LDAP port
+# If not defined, parameter is set to "389"
+slavePort="389"
+
+# Master LDAP server: needed for write operations
+# Ex: masterLDAP=127.0.0.1
+# If not defined, parameter is set to "127.0.0.1"
+masterLDAP="127.0.0.1"
+
+# Master LDAP port
+# If not defined, parameter is set to "389"
+masterPort="389"
+
+# Use TLS for LDAP
+# If set to 1, this option will use start_tls for connection
+# (you should also used the port 389)
+# If not defined, parameter is set to "1"
+ldapTLS="0"
+
+# How to verify the server's certificate (none, optional or require)
+# see "man Net::LDAP" in start_tls section for more details
+verify="require"
+
+# CA certificate
+# see "man Net::LDAP" in start_tls section for more details
+cafile="/etc/smbldap-tools/ca.pem"
+
+# certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientcert="/etc/smbldap-tools/smbldap-tools.pem"
+
+# key certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientkey="/etc/smbldap-tools/smbldap-tools.key"
+
+# LDAP Suffix
+# Ex: suffix=dc=IDEALX,dc=ORG
+suffix="dc=company,dc=com"
+
+# Where are stored Users
+# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
+usersdn="ou=Users,${suffix}"
+
+# Where are stored Computers
+# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
+computersdn="ou=Computers,${suffix}"
+
+# Where are stored Groups
+# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
+groupsdn="ou=Groups,${suffix}"
+
+# Where are stored Idmap entries (used if samba is a domain member server)
+# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
+idmapdn="ou=Idmap,${suffix}"
+
+# Where to store next uidNumber and gidNumber available for new users and groups
+# If not defined, entries are stored in sambaDomainName object.
+# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
+# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
+sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
+
+# Default scope Used
+scope="sub"
+
+# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
+hash_encrypt="SSHA"
+
+# if hash_encrypt is set to CRYPT, you may set a salt format.
+# default is "%s", but many systems will generate MD5 hashed
+# passwords if you use "$1$%.8s". This parameter is optional!
+crypt_salt_format="%s"
+
+##############################################################################
+# 
+# Unix Accounts Configuration
+# 
+##############################################################################
+
+# Login defs
+# Default Login Shell
+# Ex: userLoginShell="/bin/bash"
+userLoginShell="/bin/bash"
+
+# Home directory
+# Ex: userHome="/home/%U"
+userHome="/home/%U"
+
+# Default mode used for user homeDirectory
+userHomeDirectoryMode="700"
+
+# Gecos
+userGecos="System User"
+
+# Default User (POSIX and Samba) GID
+defaultUserGid="513"
+
+# Default Computer (Samba) GID
+defaultComputerGid="515"
+
+# Skel dir
+skeletonDir="/etc/skel"
+
+# Default password validation time (time in days) Comment the next line if
+# you don't want password to be enable for defaultMaxPasswordAge days (be
+# careful to the sambaPwdMustChange attribute's value)
+defaultMaxPasswordAge="45"
+
+##############################################################################
+#
+# SAMBA Configuration
+#
+##############################################################################
+
+# The UNC path to home drives location (%U username substitution)
+# Just set it to a null string if you want to use the smb.conf 'logon home'
+# directive and/or disable roaming profiles
+# Ex: userSmbHome="\\PDC-SMB3\%U"
+userSmbHome="\\PDC-SRV\%U"
+
+# The UNC path to profiles locations (%U username substitution)
+# Just set it to a null string if you want to use the smb.conf 'logon path'
+# directive and/or disable roaming profiles
+# Ex: userProfile="\\PDC-SMB3\profiles\%U"
+userProfile="\\PDC-SRV\profiles\%U"
+
+# The default Home Drive Letter mapping
+# (will be automatically mapped at logon time if home directory exist)
+# Ex: userHomeDrive="H:"
+userHomeDrive="H:"
+
+# The default user netlogon script name (%U username substitution)
+# if not used, will be automatically username.cmd
+# make sure script file is edited under dos
+# Ex: userScript="startup.cmd" # make sure script file is edited under dos
+userScript="logon.bat"
+
+# Domain appended to the users "mail"-attribute
+# when smbldap-useradd -M is used
+# Ex: mailDomain="idealx.com"
+mailDomain="idealx.com"
+
+##############################################################################
+#
+# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
+#
+##############################################################################
+
+# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
+# prefer Crypt::SmbHash library
+with_smbpasswd="0"
+smbpasswd="/usr/bin/smbpasswd"
+
+# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
+# but prefer Crypt:: libraries
+with_slappasswd="0"
+slappasswd="/usr/sbin/slappasswd"
+
+# comment out the following line to get rid of the default banner
+# no_banner="1"
+
+
 + +
+
+ +
+

+ + +

8.1.2  The /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf file

+ + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
############################
+# Credential Configuration #
+############################
+# Notes: you can specify two differents configuration if you use a
+# master ldap for writing access and a slave ldap server for reading access
+# By default, we will use the same DN (so it will work for standard Samba
+# release)
+slaveDN="cn=Manager,dc=company,dc=com"
+slavePw="secret"
+masterDN="cn=Manager,dc=company,dc=com"
+masterPw="secret"
+
+
 + +
+
+ +
+

+ + +

8.1.3  The samba configuration file : /etc/samba/smb.conf

+ + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
# Global parameters
+[global]
+ workgroup = DOMSMB
+ netbios name = PDC-SRV
+ security = user
+ enable privileges = yes
+ #interfaces = 192.168.5.11
+ #username map = /etc/samba/smbusers
+ server string = Samba Server %v
+ #security = ads
+ encrypt passwords = Yes
+ min passwd length = 3
+ #pam password change = no
+ #obey pam restrictions = No
+
+ # method 1:
+ #unix password sync = no
+ #ldap passwd sync = yes
+
+ # method 2:
+ unix password sync = yes
+ ldap passwd sync = no
+ passwd program = /usr/sbin/smbldap-passwd -u "%u"
+ passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
+
+ log level = 0
+ syslog = 0
+ log file = /var/log/samba/log.%U
+ max log size = 100000
+ time server = Yes
+ socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
+ mangling method = hash2
+ Dos charset = 850
+ Unix charset = ISO8859-1
+
+ logon script = logon.bat
+ logon drive = H:
+        logon home = 
+        logon path = 
+
+ domain logons = Yes
+ domain master = Yes
+ os level = 65
+ preferred master = Yes
+ wins support = yes
+ passdb backend = ldapsam:ldap://127.0.0.1/
+ ldap admin dn = cn=Manager,dc=company,dc=com
+ #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
+ ldap suffix = dc=company,dc=com
+        ldap group suffix = ou=Groups
+        ldap user suffix = ou=Users
+        ldap machine suffix = ou=Computers
+ #ldap idmap suffix = ou=Idmap
+        add user script = /usr/sbin/smbldap-useradd -m "%u"
+        #ldap delete dn = Yes
+        delete user script = /usr/sbin/smbldap-userdel "%u"
+        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
+        add group script = /usr/sbin/smbldap-groupadd -p "%g" 
+        #delete group script = /usr/sbin/smbldap-groupdel "%g"
+        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
+        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
+ set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
+
+ # printers configuration
+ #printer admin = @"Print Operators"
+ load printers = Yes
+ create mask = 0640
+ directory mask = 0750
+ #force create mode = 0640
+ #force directory mode = 0750
+ nt acl support = No
+ printing = cups
+ printcap name = cups
+ deadtime = 10
+ guest account = nobody
+ map to guest = Bad User
+ dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
+ show add printer wizard = yes
+ ; to maintain capital letters in shortcuts in any of the profile folders:
+ preserve case = yes
+ short preserve case = yes
+ case sensitive = no
+
+[netlogon]
+ path = /home/netlogon/
+ browseable = No
+ read only = yes
+
+[profiles]
+ path = /home/profiles
+ read only = no
+ create mask = 0600
+ directory mask = 0700
+ browseable = No
+ guest ok = Yes
+ profile acls = yes
+ csc policy = disable
+ # next line is a great way to secure the profiles 
+ #force user = %U 
+ # next line allows administrator to access all profiles 
+ #valid users = %U "Domain Admins"
+
+[printers]
+        comment = Network Printers
+        #printer admin = @"Print Operators"
+        guest ok = yes 
+        printable = yes
+        path = /home/spool/
+        browseable = No
+        read only  = Yes
+        printable = Yes
+        print command = /usr/bin/lpr -P%p -r %s
+        lpq command = /usr/bin/lpq -P%p
+        lprm command = /usr/bin/lprm -P%p %j
+        # print command = /usr/bin/lpr -U%U@%M -P%p -r %s
+        # lpq command = /usr/bin/lpq -U%U@%M -P%p
+        # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
+        # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
+        # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
+        # queuepause command = /usr/sbin/lpc -U%U@%M stop %p
+        # queueresume command = /usr/sbin/lpc -U%U@%M start %p
+
+[print$]
+        path = /home/printers
+        guest ok = No
+        browseable = Yes
+        read only = Yes
+        valid users = @"Print Operators"
+        write list = @"Print Operators"
+        create mask = 0664
+        directory mask = 0775
+
+[public]
+ path = /tmp
+ guest ok = yes
+ browseable = Yes
+ writable = yes
+
 + +
+
+ +
+

+ + +

8.1.4  The OpenLDAP configuration file : /etc/openldap/slapd.conf

+ + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include  /etc/openldap/schema/core.schema
+include  /etc/openldap/schema/cosine.schema
+include  /etc/openldap/schema/inetorgperson.schema
+include  /etc/openldap/schema/nis.schema
+include  /etc/openldap/schema/samba.schema
+
+schemacheck on
+
+# Allow LDAPv2 client connections.  This is NOT the default.
+allow bind_v2
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral ldap://root.openldap.org
+
+pidfile  /var/run/slapd.pid
+argsfile /var/run/slapd.args
+
+# Load dynamic backend modules:
+# modulepath /usr/sbin/openldap
+# moduleload back_bdb.la
+# moduleload back_ldap.la
+# moduleload back_ldbm.la
+# moduleload back_passwd.la
+# moduleload back_shell.la
+
+# The next three lines allow use of TLS for encrypting connections using a
+# dummy test certificate which you can generate by changing to
+# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
+# slapd.pem so that the ldap user or group can read it.  Your client software
+# may balk at self-signed certificates, however.
+#TLSCertificateFile /etc/openldap/ldap.company.com.pem
+#TLSCertificateKeyFile /etc/openldap/ldap.company.com.key
+#TLSCACertificateFile /etc/openldap/ca.pem
+#TLSCipherSuite :SSLv3
+
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+#  Allow self write access
+#  Allow authenticated users read access
+#  Allow anonymous users to authenticate
+# Directives needed to implement policy:
+# access to dn.base="" by * read
+# access to dn.base="cn=Subschema" by * read
+# access to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+#######################################################################
+# ldbm and/or bdb database definitions
+#######################################################################
+
+database bdb
+suffix  "dc=company,dc=com"
+rootdn  "cn=Manager,dc=company,dc=com"
+# Cleartext passwords, especially for the rootdn, should
+# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+rootpw  secret
+# rootpw  {crypt}ijFYNcSNctBYg
+
+# The database directory MUST exist prior to running slapd AND 
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory /var/lib/ldap
+lastmod  on
+
+# Indices to maintain for this database
+index objectClass                       eq,pres
+index ou,cn,sn,mail,givenname    eq,pres,sub
+index uidNumber,gidNumber,memberUid     eq,pres
+index loginShell   eq,pres
+## required to support pdb_getsampwnam
+index uid                       pres,sub,eq
+## required to support pdb_getsambapwrid()
+index displayName               pres,sub,eq
+index nisMapName,nisMapEntry            eq,pres,sub
+index   sambaSID                eq,sub
+index   sambaPrimaryGroupSID   eq
+index   sambaDomainName         eq
+index   default                sub
+
+
+# users can authenticate and change their password
+access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
+      by dn="cn=Manager,dc=company,dc=com" write
+      by self write
+      by anonymous auth
+      by * none
+
+# those 2 parameters must be world readable for password aging to work correctly
+# (or use a priviledge account in /etc/ldap.conf to bind to the directory)
+access to attrs=shadowLastChange,shadowMax
+      by dn="cn=Manager,dc=company,dc=com" write
+      by self write
+      by * read
+
+
+# all others attributes are readable to everybody
+access to *
+      by * read
+
+# Replicas of this database
+#replogfile /var/lib/ldap/openldap-master-replog
+#replica host=ldap-1.example.com:389 starttls=critical
+#     bindmethod=sasl saslmech=GSSAPI
+#     authcId=host/ldap-master.example.com@EXAMPLE.COM
+
 + +
+
+ +
+

+ + +

8.2  Changing the administrative account (ldap admin + dn in smb.conf file)

+ +If you don't want to use the cn=Manager,dc=idealx,dc=com +account anymore, you can create a dedicated account for Samba and the +smbldap-tools scripts. To do +this, create an account named samba as follows (see +section 4.2.1 for a more detailed syntax) : +
+smbldap-useradd -s /bin/false -d /dev/null -P samba
+
This command will ask you to set a password for this account. Let's +set it to samba for this example. +You then need to modify configuration files: +
  • +file /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf + + +
    + + + + + + + +
    + +
    +
    + +
    +
    		+ +
    +    slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
+    slavePw="samba"
+    masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
+    masterPw="samba"
+
    		+ +
    +
    + +
    +
  • file /etc/samba/smb.conf + + +
    + + + + + + + +
    + +
    +
    + +
    +
    		+ +
    +    ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
+
    		+ +
    +
    + +
    +
    don't forget to also set the samba account password in + secrets.tdb file : +
    +smbpasswd -w samba
+
  • file /etc/openldap/slapd.conf: give to the + samba user permissions to modify some attributes: this + user needs to be able to modify all the samba attributes and some + others (uidNumber, gidNumber ...) : + + +
    + + + + + + + +
    + +
    +
    + +
    +
    		+ +
    +# users can authenticate and change their password
+access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
+      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+      by self write
+      by anonymous auth
+      by * none
+# some attributes need to be readable anonymously so that 'id user' can answer correctly
+access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
+      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+      by * read
+# somme attributes can be writable by users themselves
+access to attrs=description,telephoneNumber
+      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+      by self write
+      by * read
+# some attributes need to be writable for samba
+access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
+      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+      by self read
+      by * none
+# samba need to be able to create the samba domain account
+access to dn.base="dc=idealx,dc=com"
+      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+      by * none
+# samba need to be able to create new users account
+access to dn="ou=Users,dc=idealx,dc=com"
+      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+      by * none
+# samba need to be able to create new groups account
+access to dn="ou=Groups,dc=idealx,dc=com"
+      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+      by * none
+# samba need to be able to create new computers account
+access to dn="ou=Computers,dc=idealx,dc=com"
+      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+      by * none
+# this can be omitted but we leave it: there could be other branch
+# in the directory
+access to *
+      by self read
+      by * none
+
    		+ +
    +
    + +
    +
+ + +

8.3  known bugs

+ +
  • +Option -B (user must change password) of + smbldap-useradd does not have effect: when + smbldap-passwd script is called, + sambaPwdMustChange attribute is rewrite. +
+ + +
1
http://IDEALX.com/ +
+ + + + +
+
+

Documents : Copyright © 2002 IDEALX S.A.S.. +'IDEALX' is the property of IDEALX. +'Samba' is the property of Samba Team. All other trademarks belong to their respective owners. +

+ + + +
+
This document was translated from LATEX by +HEVEA. +
+ + debian/patches/0001_debian_nobody.patch0000664000000000000000000000056712060344277015111 0ustar --- a/smbldap-populate.pl +++ b/smbldap-populate.pl @@ -114,7 +114,7 @@ if (!defined($adminUidNumber)) { my $guestUidNumber=$Options{'l'}; my $guestRid = 501; if (!defined($guestUidNumber)) { - $guestUidNumber = "999"; + $guestUidNumber = "65534"; } else { if (defined($algorithmicRidBase)) { ## For backward compatibility with smbldap-tools 0.9.6 and older debian/patches/series0000664000000000000000000000015012060344277012035 0ustar 0001_debian_nobody.patch 0020_original_doc_html_index.patch 0021_smbldap-useradd_flush_nscd_cache.patch debian/TODO.Debian0000664000000000000000000000051712060344277011051 0ustar TODO list for smbldap-tools: - Add debconf support to generate the configuration files if it makes sense (I'm not sure, you have to configure a lot of other servers and to generate the tools config file automatically we need a working samba server). -- Sergio Talens-Oliag , Fri, 10 Sep 2004 21:32:34 +0200