--- smbldap-tools-0.9.5.orig/doc/html/index.html +++ smbldap-tools-0.9.5/doc/html/index.html @@ -0,0 +1,2364 @@ + + +Smbldap-tools User Manual +(Release: 0.9.3 ) + + + + + + + + + + + +
+ Copyright 2002 © IDEALX S.A.S. - + Contact: samba@IDEALX.org +
+
+ + + + + + + + +

Smbldap-tools User Manual
+(Release: 0.9.3 )

+ +

Jérôme Tournier

+ +

Revision: 1.7 , generated July 12, 2007
+

+
+ + + + + + + + + + + + + +
Release: 
Reference: 
Publication date: 
Print date:July 12, 2007
+
+ +
+This document is the property of IDEALX1. +Permission is granted to distribute this document under the terms of the GNU +Free Documentation License (http://www.gnu.org/copyleft/fdl.html).
+
+ + +

Table of Contents

+ + + + + + + +

1  Introduction

+ + +Smbldap-tools is a set of scripts designed to help integrate Samba and a +LDAP directory. They target both users and administrators of Linux systems.
+
+Users can change their password in a way similar to the standard ``passwd'' +command.
+
+Administrators can perform user and group management command line actions +and synchronise Samba account management consistently.
+
+This document presents: + + + +

1.1  Software requirements

+ +The smbldap-tools have been developped and tested with the following configuration : + +This guide applies to smbldap-tools Release: 0.9.3 .
+
+ + +

1.2  Updates of this document

+ +The most up to date release of this document may be found on the +smbldap-tools project page available at http://sourceforge.net/projects/smbldap-tools/.
+
+If you find any bugs in this document, or if you want this document to +integrate some additional infos, please drop me a mail with your bug report +and/or change request at jtournier@gmail.com.
+
+ + +

1.3  Availability of this document

+ +This document is the property of IDEALX (http://www.IDEALX.com/).
+
+Permission is granted to distribute this document under the terms of the GNU +Free Documentation License (See http://www.gnu.org/copyleft/fdl.html). + + +

2  Installation

+ + + +

2.1  Requirements

+ +The main requirement for using smbldap-tools are the two perl module: +Net::LDAP and Crypt::SmbHash. +In most cases, you'll also need the IO-Socket-SSL Perl module to use +TLS functionnality.
+
+If you want samba to call the scripts so that you can use the User +Manager (or any other) under MS-Windows (to add, delete modify users and +groups), Samba must be installed on the same computer. +Finally, OpenLDAP can be installed on any computer. Please check that it +can be contacted by a standard LDAP client software.
+
+Samba and OpenLDAP installations will not be discussed +here. You can consult the howto also available on the +project page (http://sourceforge.net/projects/smbldap-tools/).
+
+ + +

2.2  Installation

+ +An archive of the smbldap-tools scripts can be downloaded on our project +page http://sourceforge.net/projects/smbldap-tools/. Archive and RedHat packages are +available. +
+If you are upgrading, look at the INSTALL file or read the link +6.13.
+
+ + +

2.2.1  Installing from rpm

+ +To install the scripts on a RedHat system, download the RPM +package and run the following command: +
+rpm -Uvh smbldap-tools-0.9.3-1.i386.rpm
+
+ + +

2.2.2  Installing from a tarball

+ +On non RedHat system, download a source archive of the scripts. The current +archive is smbldap-tools-0.9.3.tar.gz. +Uncompress it and copy all of the Perl scripts in /usr/sbin +directory, and the two configuration files in +/etc/smbldap-tools/ directory: +
+mkdir /etc/smbldap-tools/
+cp *.conf /etc//smbldap-tools/
+cp smbldap-* /usr/sbin/
+
+The configuration is now based on two differents files: + +The second file must be readable only for 'root', as it contains +credentials allowing modifications on all the directory. Make sure the +files are protected by running the following commands: +
+chmod 644 /etc/smbldap-tools/smbldap.conf
+chmod 600 /etc/smbldap-tools/smbldap_bind.conf
+
+ +

3  Configuring the smbldap-tools

+ +As mentioned in the previous section, you'll have to update two +configuration files. The first (smbldap.conf) allows you to +set global parameter that are readable by everybody, and the second +(smbldap_bind.conf) defines two administrative accounts to +bind to a slave and a master ldap server: this file must thus be +readable only by root.
+
+A script named configure.pl can help you to set their contents +up. It is located in the tarball +downloaded or in the documentation directory if you got the RPM +archive (see /usr/share/doc/smbldap-tools-0.9.3/). Just invoke it: +
+/usr/share/doc/smbldap-tools-0.9.3/configure.pl
+
It will ask for the default values defined in your +smb.conf file, and will update the two configuration files used +by the scripts. Samba configuration file should then be already configured. +Note that you can stop the script at any moment with +the Crtl-c keys.
+Before using this script : + +In those files, parameters are defined like this: +
+key="value"
+
Full example configuration files can be found at +8.1.
+
+ + +

3.1  The smbldap.conf file

+ +This file is used to define parameters that can be readable by +everybody. A full example file is available in section 8.1.1.
+
+Let's have a look at all available parameters. + + + +

3.2  The smbldap_bind.conf file

+ +This file is only used by root to give bind parameters to the directory when modifications are asked. +It contains distinguised names and credentials to connect to +both the master and slave directories. A full example file is available +in section 8.1.2.
+
+Let's have a look at all available parameters. + + + +

4  Using the scripts

+ + + +

4.1  Initial directory's population

+ +You can initialize the LDAP directory using the +smbldap-populate script. To do that, the account defined in +the /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf to access the +master directory must must be the manager account defined in the +directory configuration. On RedHat system, this file is +/etc/openldap/slapd.conf and the account is defined with + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
+  rootdn          "cn=Manager,dc=idealx,dc=com"
+  rootpw          secret
+
+ +
+
+ +
+
The smbldap_bind.conf file must then be configured so that +the parameters to connect to the master LDAP server match the previous ones: + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
+  masterDN="cn=Manager,dc=idealx,dc=com"
+  masterPw="secret"
+
+ +
+
+ +
+

+Available options for this script are summarized in the table 1: +

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
optiondefinitiondefault value
-u uidNumberfirst uidNumber to allocate1000
-g gidNumberfirst uidNumber to allocate1000
-a useradministrator login nameAdministrator
-b userguest login namenobody
-e fileexport a init file 
-i fileimport a init file 
+
+
+
Table 1: Options available for the smbldap-populate script

+ + +

+In the more general case, to set up your directory, simply use the +following command: +
+[root@etoile root]# smbldap-populate 
+Using builtin directory structure
+adding new entry: dc=idealx,dc=com
+adding new entry: ou=Users,dc=idealx,dc=com
+adding new entry: ou=Groups,dc=idealx,dc=com
+adding new entry: ou=Computers,dc=idealx,dc=com
+adding new entry: ou=Idmap,dc=idealx,dc=org
+adding new entry: cn=NextFreeUnixId,dc=idealx,dc=org
+adding new entry: uid=Administrator,ou=Users,dc=idealx,dc=com
+adding new entry: uid=nobody,ou=Users,dc=idealx,dc=com
+adding new entry: cn=Domain Admins,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Domain Users,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Domain Guests,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Print Operators,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Backup Operators,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Replicator,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Domain Computers,ou=Groups,dc=idealx,dc=com
+
+After this step, if you don't want to use the cn=Manager,dc=idealx,dc=com +account anymore, you can create a dedicated account for Samba and the +smbldap-tools. See section 8.2 for more details.
+
+The cn=NextFreeUnixId,dc=idealx,dc=org entry is only used to +defined the next uidNumber and gidNumber available for creating new +users and groups. The default values for those numbers are 1000. You +can change it with the -u and -g option. For +example, if you want the first available value for uidNumber and +gidNumber to be set to 1500, you can use the following command : +
+smbldap-populate -u 1550 -g 1500
+
+ + +

4.2  User management

+ + + +

4.2.1  Adding a user

+ +To add a user, use the smbldap-useradd script. Available +options are summarized in the table 2. If applicable, +default values are mentionned in the third column. Any string beginning with a +$ symbol refers to a parameter defined in the +/etc/opt/IDEALX/smbldap-tools/smbldap.conf configuration file. +

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
optiondefinitionexampledefault value
-acreate a Windows account. Otherwise, only a Posix account + is created  
-wcreate a Windows Workstation account  
-icreate an interdomain trust account. See section + 4.4 for more details  
-uset a uid value-u 1003first uid available
-gset a gid value-g 1003first gid available
-Gadd the new account to one or several supplementary + groups (comma-separated)-G 512,550 
-dset the home directory-d /var/user$userHomePrefix/user
-sset the login shell-s /bin/ksh$userLoginShell
-cset the user gecos-c "admin user"$userGecos
-mcreates user's home directory and copies /etc/skel + into it  
-kset the skeleton dir (with -m)-k /etc/skel2$skeletonDir
-Pends by invoking smbldap-passwd to set the user's + password  
-Auser can change password ? 0 if no, 1 if yes-A 1 
-Buser must change password at first session ? 0 if no, 1 + if yes-B 1 
-Cset the samba home share-C \\PDC\homes$userSmbHome
-Dset a letter associated with the home share-D H:$userHomeDrive
-Eset DOS script to execute on login-E common.bat$userScript
-Fset the profile directory-F \\PDC\profiles\user$userProfile
-Hset the samba account control bits + like'[NDHTUMWSLKI]'-H [X] 
-Nset the canonical name of the user  
-Sset the surname of the user  
-Mlocal mailAddress (comma seperated)-M testuser,aliasuser 
-Tforward mail address (comma seperated)-T + testuser@domain.org 
+
+
+
Table 2: Options available to the smbldap-useradd script

+ + +

+ +For example, if you want to add a user named user_admin and who : + +you must invoke: +
+smbldap-useradd -a -G 512 -m -s /bin/false -d /dev/null -F "" -P user_admin
+
+ + +

4.2.2  Removing a user

+ +To remove a user account, use the smbldap-userdel script. +Available options are +

+
+ + + + + + + + + +
optiondefinition
-rremove home directory
-Rremove home directory interactively
+
+
+
Table 3: Option available to the smbldap-userdel script

+ + +

+For example, if you want to remove the user1 account +from the LDAP directory, and if you also want to delete his home +directory, use the following command : +
+smbldap-userdel -r user1
+
+Note: '-r' is dangerous as it may delete precious and unbackuped data, +please be careful.
+
+ + +

4.2.3  Modifying a user

+ +To modify a user account, use the smbldap-usermod script. +Availables options are listed in the table 4. +

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
optiondefinitionexample
-cset the user gecos-c "admin user"
-dset the home directory-d /var/user
-uset a uid value-u 1003
-gset a gid value-g 1003
-Gadd the new account to one or several supplementary + groups (comma-separated)-G 512,550
-G -512,550
-G +512,550
-sset the login shell-s /bin/ksh
-Nset the canonical name of the user 
-Sset the surname of the user 
-Pends by invoking smbldap-passwd to set the user's password 
-aadd sambaSAMAccount objectclass 
-eset an expiration date for the password (format: YYYY-MM-DD HH:MM:SS) 
-Auser can change password ? 0 if no, 1 if yes-A 1
-Buser must change password at first session ? 0 if no, 1 + if yes-B 1
-Cset the samba home share-C \\PDC\homes
-C ""
-Dset a letter associated with the home share-D H:
-D ""
-Eset DOS script to execute on login-E common.bat
-E ""
-Fset the profile directory-F \\PDC\profiles\user
-F ""
-Hset the samba account control bits like'[NDHTUMWSLKI]'-H [X]
-Idisable a user account-I 1
-Jenable a user-J 1
-Mlocal mailAddress (comma seperated)-M testuser,aliasuser
-Tforward mail address (comma seperated)-T + testuser@domain.org
+
+
+
Table 4: Options available to the smbldap-usermod script

+ + +

+You can also use the smbldap-userinfo script to update user's information. This script can +also be used by users themselves to update their own informations listed in the tables +5 (adequats ACL must be set in the directory server). Available +options are : +

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
optiondefinitionexample
-fset the full name's user-f MyName
-rset the room number-r 99
-wset the work phone number-w 111111111
-hset the home phone number-h 222222222
-oset other information (in gecos definition)-o "second stage"
-sset the default bash-s /bin/ksh
+
+
+
Table 5: Options available to the smbldap-userinfo script

+ + +

+ + +

4.3  Group management

+ + + +

4.3.1  Adding a group

+ +To add a new group in the LDAP directory, use the smbldap-groupadd +script. Available options are listed in the table +6. +

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
optiondefinitionexample
-aadd automatic group mapping entry 
-g gidset the gidNumer for this group to + gid-g 1002
-ogidNumber is not unique 
-r group-ridset the rid of the group to + group-rid-r 1002
-s group-sidset the sid of the group to + group-sid-s + S-1-5-21-3703471949-3718591838-2324585696-1002
-t group-typeset the sambaGroupType to + group-type-t 2
-pprint the gidNumber to stdout 
+
+
+
Table 6: Options available for the smbldap-groupadd script

+ + +

+ + +

4.3.2  Removing a group

+ +To remove the group named group1, just use the following +command : +
+smbldap-userdel group1
+
+ + +

4.4  Adding a interdomain trust account

+ +To add an interdomain trust account to the primary controller trust-pdc, use the -i option of +smbldap-useradd as follows : +
+[root@etoile root]# smbldap-useradd -i trust-pdc
+New password : *******
+Retype new password : *******
+
+The script will terminate asking for a password for this trust +account. The account will be created in the directory branch where +all computer accounts are stored (ou=Computers by +default). The only two particularities of this account are that you are +setting a password for this account, and the flags of this account are +[I ]. + + +

5  Samba and the smbldap-tools scripts

+ + + +

5.1  General configuration

+ +Samba can be configured to use the smbldap-tools scripts. This allows +administrators to add, delete or modify user and group accounts for Microsoft Windows +operating systems using, for example, User Manager utility under MS-Windows. +To enable the use of this utility, samba needs to be configured correctly. The +smb.conf configuration file must contain the following directives : + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
+ldap delete dn = Yes
+add user script = /usr/local/sbin/smbldap-useradd -m "%u"
+add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
+add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
+add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
+delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
+set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
+
+ +
+
+ +
+

+Remark: the two directives delete user script et delete group +script can also be used. However, an error message can appear in User Manager +even if the operations actually succeed. +If you want to enable this behaviour, you need to add + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
+delete user script = /usr/local/sbin/smbldap-userdel "%u"
+delete group script = /usr/local/sbin/smbldap-groupdel "%g"
+
+ +
+
+ +
+

+ + +

5.2  Migrating an NT4 PDC to Samba3

+ +The account migration procedure becomes really simple when samba is configured to use +the smbldap-tools. Samba configuration (smb.conf file) must contain the +directive defined above to properly call the script for managing users, groups and computer accounts. +The migration process is outlined in the chapter 30 of the samba howto +http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html. +
+
+ + +

6  Frequently Asked Questions

+ + + +

6.1  How can i use old released uidNumber and gidNumber ?

+ +There are two way to do this : + + + +

6.2  I always have this error: "Can't locate IO/Socket/SSL.pm"

+ +This happens when you want to use a certificate. In this case, you need to install the +IO-Socket-SSL Perl module.
+
+ + +

6.3  I can't initialize the directory with smbldap-populate

+ +When I want to initialize the directory using the smbldap-populate +script, I get +
+[root@slave sbin]# smbldap-populate.pl
+  Using builtin directory structure
+  adding new entry: dc=IDEALX,dc=COM
+  Can't call method "code" without a package or object reference at
+  /usr/local/sbin/smbldap-populate.pl line 270, <GEN1> line 2.
+
Answer: check the TLS configuration + + + +

6.4  I can't join the domain with the root account

+ + + + +

6.5  I have the sambaSamAccount but i can't logged in

+ +Check that the sambaPwdLastSet attribute is not null (equal to 0)
+
+ + +

6.6  I want to create machine account on the fly, but it does + not works or I must do it twice

+ + + + +

6.7  I can't manage the Oracle Internet Database

+ +If you have an error message like : + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
+Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 187.
+Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 627.
+
+ +
+
+ +
+
For Oracle Database, all attributes that will be resquested to the directory must be indexed. Add a +new index for samba attributes and make sure that the following attributes are also indexed : + uidNumber, gidNumber, memberUid, homedirectory, description, userPassword ...
+
+ + +

6.8  The directive passwd program = /usr/local/sbin/smbldap-passwd -u %u is not +called, or i got a error message when changing the password from windows

+ +The directive is called if you also set unix password sync = Yes. +Notes: + + + +

6.9  New computers account can't be set in ou=computers

+ +This is a known samba bug. There's a workarround: look at +http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2
+
+ + +

6.10  I can join the domain, but i can't log on

+ +look at section 6.9
+
+ + +

6.11  I can't create a user with smbldap-useradd

+ +When creating a new user account I get the following error message: +
+/usr/local/sbin/smbldap-useradd.pl: unknown group SID not set for unix group 513
+
Answer: + + + +

6.12  smbldap-useradd: Can't call method "get_value" on an undefined value at +/usr/local/sbin/smbldap-useradd line 154

+ + + + +

6.13  Typical errors on creating a new user or a new group

+ + + + + + +

7  Thanks

+ + +People who have worked on this document are + +The authors would like to thank the following people for providing help with +some of the more complicated subjects, for clarifying some of the internal +workings of Samba or OpenLDAP, for pointing out errors or mistakes in +previous versions of this document, or generally for making +suggestions : + + + +

8  Annexes

+ + + +

8.1  Full configuration files

+ + + +

8.1.1  The /etc/opt/IDEALX/smbldap-tools/smbldap.conf file

+ + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
# $Source: $
+# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
+#
+# smbldap-tools.conf : Q & D configuration file for smbldap-tools
+
+#  This code was developped by IDEALX (http://IDEALX.org/) and
+#  contributors (their names can be found in the CONTRIBUTORS file).
+#
+#                 Copyright (C) 2001-2002 IDEALX
+#
+#  This program is free software; you can redistribute it and/or
+#  modify it under the terms of the GNU General Public License
+#  as published by the Free Software Foundation; either version 2
+#  of the License, or (at your option) any later version.
+#
+#  This program is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this program; if not, write to the Free Software
+#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+#  USA.
+
+#  Purpose :
+#       . be the configuration file for all smbldap-tools scripts
+
+##############################################################################
+#
+# General Configuration
+#
+##############################################################################
+
+# Put your own SID. To obtain this number do: "net getlocalsid".
+# If not defined, parameter is taking from "net getlocalsid" return
+SID="S-1-5-21-2252255531-4061614174-2474224977"
+
+# Domain name the Samba server is in charged.
+# If not defined, parameter is taking from smb.conf configuration file
+# Ex: sambaDomain="IDEALX-NT"
+sambaDomain="DOMSMB"
+
+##############################################################################
+#
+# LDAP Configuration
+#
+##############################################################################
+
+# Notes: to use to dual ldap servers backend for Samba, you must patch
+# Samba with the dual-head patch from IDEALX. If not using this patch
+# just use the same server for slaveLDAP and masterLDAP.
+# Those two servers declarations can also be used when you have 
+# . one master LDAP server where all writing operations must be done
+# . one slave LDAP server where all reading operations must be done
+#   (typically a replication directory)
+
+# Slave LDAP server
+# Ex: slaveLDAP=127.0.0.1
+# If not defined, parameter is set to "127.0.0.1"
+slaveLDAP="127.0.0.1"
+
+# Slave LDAP port
+# If not defined, parameter is set to "389"
+slavePort="389"
+
+# Master LDAP server: needed for write operations
+# Ex: masterLDAP=127.0.0.1
+# If not defined, parameter is set to "127.0.0.1"
+masterLDAP="127.0.0.1"
+
+# Master LDAP port
+# If not defined, parameter is set to "389"
+masterPort="389"
+
+# Use TLS for LDAP
+# If set to 1, this option will use start_tls for connection
+# (you should also used the port 389)
+# If not defined, parameter is set to "1"
+ldapTLS="0"
+
+# How to verify the server's certificate (none, optional or require)
+# see "man Net::LDAP" in start_tls section for more details
+verify="require"
+
+# CA certificate
+# see "man Net::LDAP" in start_tls section for more details
+cafile="/etc/smbldap-tools/ca.pem"
+
+# certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientcert="/etc/smbldap-tools/smbldap-tools.pem"
+
+# key certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientkey="/etc/smbldap-tools/smbldap-tools.key"
+
+# LDAP Suffix
+# Ex: suffix=dc=IDEALX,dc=ORG
+suffix="dc=company,dc=com"
+
+# Where are stored Users
+# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
+usersdn="ou=Users,${suffix}"
+
+# Where are stored Computers
+# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
+computersdn="ou=Computers,${suffix}"
+
+# Where are stored Groups
+# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
+groupsdn="ou=Groups,${suffix}"
+
+# Where are stored Idmap entries (used if samba is a domain member server)
+# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
+idmapdn="ou=Idmap,${suffix}"
+
+# Where to store next uidNumber and gidNumber available for new users and groups
+# If not defined, entries are stored in sambaDomainName object.
+# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
+# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
+sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
+
+# Default scope Used
+scope="sub"
+
+# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
+hash_encrypt="SSHA"
+
+# if hash_encrypt is set to CRYPT, you may set a salt format.
+# default is "%s", but many systems will generate MD5 hashed
+# passwords if you use "$1$%.8s". This parameter is optional!
+crypt_salt_format="%s"
+
+##############################################################################
+# 
+# Unix Accounts Configuration
+# 
+##############################################################################
+
+# Login defs
+# Default Login Shell
+# Ex: userLoginShell="/bin/bash"
+userLoginShell="/bin/bash"
+
+# Home directory
+# Ex: userHome="/home/%U"
+userHome="/home/%U"
+
+# Default mode used for user homeDirectory
+userHomeDirectoryMode="700"
+
+# Gecos
+userGecos="System User"
+
+# Default User (POSIX and Samba) GID
+defaultUserGid="513"
+
+# Default Computer (Samba) GID
+defaultComputerGid="515"
+
+# Skel dir
+skeletonDir="/etc/skel"
+
+# Default password validation time (time in days) Comment the next line if
+# you don't want password to be enable for defaultMaxPasswordAge days (be
+# careful to the sambaPwdMustChange attribute's value)
+defaultMaxPasswordAge="45"
+
+##############################################################################
+#
+# SAMBA Configuration
+#
+##############################################################################
+
+# The UNC path to home drives location (%U username substitution)
+# Just set it to a null string if you want to use the smb.conf 'logon home'
+# directive and/or disable roaming profiles
+# Ex: userSmbHome="\\PDC-SMB3\%U"
+userSmbHome="\\PDC-SRV\%U"
+
+# The UNC path to profiles locations (%U username substitution)
+# Just set it to a null string if you want to use the smb.conf 'logon path'
+# directive and/or disable roaming profiles
+# Ex: userProfile="\\PDC-SMB3\profiles\%U"
+userProfile="\\PDC-SRV\profiles\%U"
+
+# The default Home Drive Letter mapping
+# (will be automatically mapped at logon time if home directory exist)
+# Ex: userHomeDrive="H:"
+userHomeDrive="H:"
+
+# The default user netlogon script name (%U username substitution)
+# if not used, will be automatically username.cmd
+# make sure script file is edited under dos
+# Ex: userScript="startup.cmd" # make sure script file is edited under dos
+userScript="logon.bat"
+
+# Domain appended to the users "mail"-attribute
+# when smbldap-useradd -M is used
+# Ex: mailDomain="idealx.com"
+mailDomain="idealx.com"
+
+##############################################################################
+#
+# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
+#
+##############################################################################
+
+# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
+# prefer Crypt::SmbHash library
+with_smbpasswd="0"
+smbpasswd="/usr/bin/smbpasswd"
+
+# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
+# but prefer Crypt:: libraries
+with_slappasswd="0"
+slappasswd="/usr/sbin/slappasswd"
+
+# comment out the following line to get rid of the default banner
+# no_banner="1"
+
+
+ +
+
+ +
+

+ + +

8.1.2  The /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf file

+ + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
############################
+# Credential Configuration #
+############################
+# Notes: you can specify two differents configuration if you use a
+# master ldap for writing access and a slave ldap server for reading access
+# By default, we will use the same DN (so it will work for standard Samba
+# release)
+slaveDN="cn=Manager,dc=company,dc=com"
+slavePw="secret"
+masterDN="cn=Manager,dc=company,dc=com"
+masterPw="secret"
+
+
+ +
+
+ +
+

+ + +

8.1.3  The samba configuration file : /etc/samba/smb.conf

+ + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
# Global parameters
+[global]
+ workgroup = DOMSMB
+ netbios name = PDC-SRV
+ security = user
+ enable privileges = yes
+ #interfaces = 192.168.5.11
+ #username map = /etc/samba/smbusers
+ server string = Samba Server %v
+ #security = ads
+ encrypt passwords = Yes
+ min passwd length = 3
+ #pam password change = no
+ #obey pam restrictions = No
+
+ # method 1:
+ #unix password sync = no
+ #ldap passwd sync = yes
+
+ # method 2:
+ unix password sync = yes
+ ldap passwd sync = no
+ passwd program = /usr/sbin/smbldap-passwd -u "%u"
+ passwd chat = "Changing *\nNew password*" %n\n "*Retype new password*" %n\n"
+
+ log level = 0
+ syslog = 0
+ log file = /var/log/samba/log.%U
+ max log size = 100000
+ time server = Yes
+ socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
+ mangling method = hash2
+ Dos charset = 850
+ Unix charset = ISO8859-1
+
+ logon script = logon.bat
+ logon drive = H:
+        logon home = 
+        logon path = 
+
+ domain logons = Yes
+ domain master = Yes
+ os level = 65
+ preferred master = Yes
+ wins support = yes
+ passdb backend = ldapsam:ldap://127.0.0.1/
+ ldap admin dn = cn=Manager,dc=company,dc=com
+ #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
+ ldap suffix = dc=company,dc=com
+        ldap group suffix = ou=Groups
+        ldap user suffix = ou=Users
+        ldap machine suffix = ou=Computers
+ #ldap idmap suffix = ou=Idmap
+        add user script = /usr/sbin/smbldap-useradd -m "%u"
+        #ldap delete dn = Yes
+        delete user script = /usr/sbin/smbldap-userdel "%u"
+        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
+        add group script = /usr/sbin/smbldap-groupadd -p "%g" 
+        #delete group script = /usr/sbin/smbldap-groupdel "%g"
+        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
+        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
+ set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
+
+ # printers configuration
+ #printer admin = @"Print Operators"
+ load printers = Yes
+ create mask = 0640
+ directory mask = 0750
+ #force create mode = 0640
+ #force directory mode = 0750
+ nt acl support = No
+ printing = cups
+ printcap name = cups
+ deadtime = 10
+ guest account = nobody
+ map to guest = Bad User
+ dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
+ show add printer wizard = yes
+ ; to maintain capital letters in shortcuts in any of the profile folders:
+ preserve case = yes
+ short preserve case = yes
+ case sensitive = no
+
+[netlogon]
+ path = /home/netlogon/
+ browseable = No
+ read only = yes
+
+[profiles]
+ path = /home/profiles
+ read only = no
+ create mask = 0600
+ directory mask = 0700
+ browseable = No
+ guest ok = Yes
+ profile acls = yes
+ csc policy = disable
+ # next line is a great way to secure the profiles 
+ #force user = %U 
+ # next line allows administrator to access all profiles 
+ #valid users = %U "Domain Admins"
+
+[printers]
+        comment = Network Printers
+        #printer admin = @"Print Operators"
+        guest ok = yes 
+        printable = yes
+        path = /home/spool/
+        browseable = No
+        read only  = Yes
+        printable = Yes
+        print command = /usr/bin/lpr -P%p -r %s
+        lpq command = /usr/bin/lpq -P%p
+        lprm command = /usr/bin/lprm -P%p %j
+        # print command = /usr/bin/lpr -U%U@%M -P%p -r %s
+        # lpq command = /usr/bin/lpq -U%U@%M -P%p
+        # lprm command = /usr/bin/lprm -U%U@%M -P%p %j
+        # lppause command = /usr/sbin/lpc -U%U@%M hold %p %j
+        # lpresume command = /usr/sbin/lpc -U%U@%M release %p %j
+        # queuepause command = /usr/sbin/lpc -U%U@%M stop %p
+        # queueresume command = /usr/sbin/lpc -U%U@%M start %p
+
+[print$]
+        path = /home/printers
+        guest ok = No
+        browseable = Yes
+        read only = Yes
+        valid users = @"Print Operators"
+        write list = @"Print Operators"
+        create mask = 0664
+        directory mask = 0775
+
+[public]
+ path = /tmp
+ guest ok = yes
+ browseable = Yes
+ writable = yes
+
+ +
+
+ +
+
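Review bot: the `[public]` share that closes this smb.conf (`path = /tmp`, `guest ok = yes`, `writable = yes`) hands anonymous clients write access to the server's /tmp, which a reference PDC configuration should not ship enabled; drop the share from the sample or set `guest ok = no` and a dedicated `path`. In `[profiles]` the same hunk sets `guest ok = Yes` while the two lines its own comments describe as the way to secure the profiles and to let administrators in, `#force user = %U` and `#valid users = %U "Domain Admins"`, stay commented, so the text should either uncomment `valid users` or state why a guest-reachable profiles share is acceptable here. Finally, `delete user script` is active while `#ldap delete dn = Yes` and `#delete group script` are commented: a sentence on which deletions are meant to happen automatically would save readers from guessing.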

+ + +

8.1.4  The OpenLDAP configuration file : /etc/openldap/slapd.conf

+ + + +
+ + + + + + + +
+ +
+
+ +
+
+ +
#
+# See slapd.conf(5) for details on configuration options.
+# This file should NOT be world readable.
+#
+include  /etc/openldap/schema/core.schema
+include  /etc/openldap/schema/cosine.schema
+include  /etc/openldap/schema/inetorgperson.schema
+include  /etc/openldap/schema/nis.schema
+include  /etc/openldap/schema/samba.schema
+
+schemacheck on
+
+# Allow LDAPv2 client connections.  This is NOT the default.
+allow bind_v2
+
+# Do not enable referrals until AFTER you have a working directory
+# service AND an understanding of referrals.
+#referral ldap://root.openldap.org
+
+pidfile  /var/run/slapd.pid
+argsfile /var/run/slapd.args
+
+# Load dynamic backend modules:
+# modulepath /usr/sbin/openldap
+# moduleload back_bdb.la
+# moduleload back_ldap.la
+# moduleload back_ldbm.la
+# moduleload back_passwd.la
+# moduleload back_shell.la
+
+# The next three lines allow use of TLS for encrypting connections using a
+# dummy test certificate which you can generate by changing to
+# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
+# slapd.pem so that the ldap user or group can read it.  Your client software
+# may balk at self-signed certificates, however.
+#TLSCertificateFile /etc/openldap/ldap.company.com.pem
+#TLSCertificateKeyFile /etc/openldap/ldap.company.com.key
+#TLSCACertificateFile /etc/openldap/ca.pem
+#TLSCipherSuite :SSLv3
+
+# Sample security restrictions
+# Require integrity protection (prevent hijacking)
+# Require 112-bit (3DES or better) encryption for updates
+# Require 63-bit encryption for simple bind
+# security ssf=1 update_ssf=112 simple_bind=64
+
+# Sample access control policy:
+# Root DSE: allow anyone to read it
+# Subschema (sub)entry DSE: allow anyone to read it
+# Other DSEs:
+#  Allow self write access
+#  Allow authenticated users read access
+#  Allow anonymous users to authenticate
+# Directives needed to implement policy:
+# access to dn.base="" by * read
+# access to dn.base="cn=Subschema" by * read
+# access to *
+# by self write
+# by users read
+# by anonymous auth
+#
+# if no access controls are present, the default policy
+# allows anyone and everyone to read anything but restricts
+# updates to rootdn.  (e.g., "access to * by * read")
+#
+# rootdn can always read and write EVERYTHING!
+
+#######################################################################
+# ldbm and/or bdb database definitions
+#######################################################################
+
+database bdb
+suffix  "dc=company,dc=com"
+rootdn  "cn=Manager,dc=company,dc=com"
+# Cleartext passwords, especially for the rootdn, should
+# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
+# Use of strong authentication encouraged.
+rootpw  secret
+# rootpw  {crypt}ijFYNcSNctBYg
+
+# The database directory MUST exist prior to running slapd AND 
+# should only be accessible by the slapd and slap tools.
+# Mode 700 recommended.
+directory /var/lib/ldap
+lastmod  on
+
+# Indices to maintain for this database
+index objectClass                       eq,pres
+index ou,cn,sn,mail,givenname    eq,pres,sub
+index uidNumber,gidNumber,memberUid     eq,pres
+index loginShell   eq,pres
+## required to support pdb_getsampwnam
+index uid                       pres,sub,eq
+## required to support pdb_getsambapwrid()
+index displayName               pres,sub,eq
+index nisMapName,nisMapEntry            eq,pres,sub
+index   sambaSID                eq,sub
+index   sambaPrimaryGroupSID   eq
+index   sambaDomainName         eq
+index   default                sub
+
+
+# users can authenticate and change their password
+access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
+      by dn="cn=Manager,dc=company,dc=com" write
+      by self write
+      by anonymous auth
+      by * none
+
+# those 2 parameters must be world readable for password aging to work correctly
+# (or use a priviledge account in /etc/ldap.conf to bind to the directory)
+access to attrs=shadowLastChange,shadowMax
+      by dn="cn=Manager,dc=company,dc=com" write
+      by self write
+      by * read
+
+
+# all others attributes are readable to everybody
+access to *
+      by * read
+
+# Replicas of this database
+#replogfile /var/lib/ldap/openldap-master-replog
+#replica host=ldap-1.example.com:389 starttls=critical
+#     bindmethod=sasl saslmech=GSSAPI
+#     authcId=host/ldap-master.example.com@EXAMPLE.COM
+
+ +
+
+ +
+
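Review bot: `rootpw  secret` is an active cleartext rootdn password in the sample slapd.conf, directly below the comment saying cleartext passwords for the rootdn should be avoided; ship the hashed form instead (the commented `# rootpw  {crypt}ijFYNcSNctBYg` line, or `{SSHA}` output from slappasswd) and keep the reminder at the top that this file must not be world readable. The ACLs are also broader than the prose implies: the final `access to * by * read` makes every attribute outside the five listed password attributes and shadowLastChange/shadowMax readable anonymously, so either use `by users read` there or state that anonymous directory reads are assumed (the comment above `shadowLastChange,shadowMax` already mentions the alternative of a privileged bind account in /etc/ldap.conf). On transport, every TLS directive is commented out, the `security ssf=... simple_bind=64` line is commented, and `allow bind_v2` is on, so simple binds carrying userPassword go over plaintext LDAP by default; the sample should enable TLSCertificateFile/TLSCertificateKeyFile and `security simple_bind=64`, or the text should warn that it does not.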

+ + +

8.2  Changing the administrative account (ldap admin + dn in smb.conf file)

+ +If you don't want to use the cn=Manager,dc=idealx,dc=com +account anymore, you can create a dedicated account for Samba and the +smbldap-tools scripts. To do +this, create an account named samba as follows (see +section 4.2.1 for a more detailed syntax) : +
+smbldap-useradd -s /bin/false -d /dev/null -P samba
+
This command will ask you to set a password for this account. Let's +set it to samba for this example. +You then need to modify configuration files: + + + +
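Review bot: the account created here with `smbldap-useradd -s /bin/false -d /dev/null -P samba` is meant to replace cn=Manager as the write-capable bind identity for Samba and the smbldap-tools scripts, yet the sentence that follows picks `samba`, the account name, as its password; use an obvious placeholder and say the real value must be a strong, unique secret, because whoever holds it inherits write access to the password attributes. `-s /bin/false -d /dev/null` is the right choice for a service identity and deserves a word of explanation in the text.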

8.3  known bugs

+ + + + +
1
http://IDEALX.com/ +
+ + + + +
+
+

Documents : Copyright © 2002 IDEALX S.A.S.. +'IDEALX' is the property of IDEALX. +'Samba' is the property of Samba Team. All other trademarks belong to their respective owners. +

+ + + +
+
This document was translated from LATEX by +HEVEA. +
+ +