[debian-edu-commits] r82026 - in branches/wheezy/debian-edu-config: debian etc/samba
sunweaver at alioth.debian.org
sunweaver at alioth.debian.org
Tue Aug 13 12:39:31 UTC 2013
Author: sunweaver
Date: 2013-08-13 12:39:31 +0000 (Tue, 13 Aug 2013)
New Revision: 82026
Modified:
branches/wheezy/debian-edu-config/debian/changelog
branches/wheezy/debian-edu-config/etc/samba/smb-debian-edu.conf
branches/wheezy/debian-edu-config/etc/samba/smbldap-machineadd-gosa
Log:
Remove obsolete options from the main-server's smb(-debian-edu).conf
file.
Modified: branches/wheezy/debian-edu-config/debian/changelog
===================================================================
--- branches/wheezy/debian-edu-config/debian/changelog 2013-08-13 10:32:51 UTC (rev 82025)
+++ branches/wheezy/debian-edu-config/debian/changelog 2013-08-13 12:39:31 UTC (rev 82026)
@@ -5,6 +5,10 @@
default setup is already correct and not calling wpad-proxy-update
shave 3 seconds from the boot.
+ [ Mike Gabriel ]
+ * Remove obsolete options from the main-server's smb(-debian-edu).conf
+ file.
+
-- Petter Reinholdtsen <pere at debian.org> Mon, 12 Aug 2013 10:56:34 +0200
debian-edu-config (1.712~svn81960) wheezy-test; urgency=low
Modified: branches/wheezy/debian-edu-config/etc/samba/smb-debian-edu.conf
===================================================================
--- branches/wheezy/debian-edu-config/etc/samba/smb-debian-edu.conf 2013-08-13 10:32:51 UTC (rev 82025)
+++ branches/wheezy/debian-edu-config/etc/samba/smb-debian-edu.conf 2013-08-13 12:39:31 UTC (rev 82026)
@@ -38,12 +38,10 @@
security = USER
# security setting
- null passwords = no
map to guest = Bad User
guest ok = No
# server/client spnego
- use spnego = yes
client use spnego = yes
# Workgroup/NT-domain name
Modified: branches/wheezy/debian-edu-config/etc/samba/smbldap-machineadd-gosa
===================================================================
--- branches/wheezy/debian-edu-config/etc/samba/smbldap-machineadd-gosa 2013-08-13 10:32:51 UTC (rev 82025)
+++ branches/wheezy/debian-edu-config/etc/samba/smbldap-machineadd-gosa 2013-08-13 12:39:31 UTC (rev 82026)
@@ -1,813 +1,494 @@
-#!/usr/bin/perl -w
+#!/usr/bin/perl
-# This script has been taken von smbldap-tools 0.9.5, its original name
-# is smbldap-useradd. It has been modified so that machine accounts can
-# be created and so that they will be compliant to the pre-requisites of
-# GOsa as in Debian Edu squeeze.
-#
-# This script depends on package smbldap-tools (i.e. on its
-# smbldap_tool.pm).
-#
-# Modifcations have been done by several people, initially by
-# Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
-#
-
-# This code was developped by Jerome Tournier (jtournier at gmail.com) and
-# contributors (their names can be found in the CONTRIBUTORS file).
-
-# This was first contributed by IDEALX (http://www.opentrust.com/)
-
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
-# USA.
-
-# Purpose of smbldap-useradd : user (posix,shadow,samba) add
-
use strict;
+use warnings;
-use FindBin;
-use FindBin qw($RealBin);
-use lib "$RealBin/";
-use smbldap_tools;
-use Crypt::SmbHash;
-#####################
+#use Encode;
+#use POSIX qw(:termios_h);
+#use IO::File;
+use Net::LDAP;
+#use Net::LDAP::Extension::SetPassword;
+#use Crypt::SmbHash;
+#use Digest::MD5 qw(md5);
+#use Digest::SHA qw(sha1);
+#use MIME::Base64 qw(encode_base64);
-use Getopt::Std;
-my %Options;
+use constant true => 1;
+use constant false => 0;
-# success = add_posix_machine($user, $uid, $gid)
-sub add_posix_machine_gosa {
- my ( $user, $uid, $gid, $wait ) = @_;
- if ( !defined $wait ) {
- $wait = 0;
- }
+my %conf_renamed_by = (
+ password_hash => 'hash_encrypt',
+ password_crypt_salt_format => 'crypt_salt_format',
+);
- # bind to a directory with dn and password
- my $add = $smbldap_tools::ldap->add(
- "uid=$user,$config{computersdn}",
- attr => [
+my $smbldap_conf =
+ $ENV{'SMBLDAP_CONF'} ||
+ '/etc/samba/smbldap-machineadd-gosa.conf';
+my $smbldap_bind_conf =
+ $ENV{'SMBLDAP_BIND_CONF'} ||
+ '/etc/samba/smbldap-machineadd-gosa_bind.conf';
+my $samba_conf =
+ $ENV{'SMBLDAP_SMB_CONF'} ||
+ $ENV{'SMB_CONF_PATH'} ||
+ '/etc/samba/smb.conf';
+my $samba_bindir =
+ $ENV{'SMBLDAP_SAMBA_BINDIR'} ||
+ '/usr/bin';
- 'objectclass' => ['top', 'person', 'organizationalPerson', 'inetOrgPerson', 'posixAccount', 'gotoWorkstation'],
- #'objectclass' => [ 'top', 'account', 'posixAccount' ],
- 'cn' => "$user",
+my $VERSION = 1.7;
- 'sn' => "$user",
- 'uid' => "$user",
- 'uidNumber' => "$uid",
- 'gidNumber' => "$gid",
- 'homeDirectory' => '/dev/null',
- 'loginShell' => '/bin/false',
- 'description' => 'Computer',
- 'gecos' => 'Computer',
- 'sn' => 'Computer',
- ]
- );
+# let's read the configurations file...
+my %config = (
+ masterLDAP => '127.0.0.7',
+ masterPort => 389,
+ ldapTLS => false,
+ ldapSSL => false,
+ password_hash => 'SSHA',
+ clientcert => '',
+ clientkey => '',
+ password_crypt_salt_format=>'%s',
+ read_conf()
+);
- $add->code && warn "failed to add entry: ", $add->error;
- sleep($wait);
- return 1;
+my $ldap;
+
+sub read_parameter {
+ my $line = shift;
+ ## check for a param = value
+ if ( $line =~ /=/ ) {
+ my ( $param, $val );
+ if ( $line =~ /\s*(.*?)\s*=\s*"(.*)"/ ) {
+ ( $param, $val ) = ($1, $2);
+ } elsif ( $line =~ /\s*(.*?)\s*=\s*'(.*)'/ ) {
+ ( $param, $val ) = ($1, $2);
+ } else {
+ ( $param, $val ) = $line =~ /\s*(.*?)\s*=\s*(.*)/;
+ }
+ return ( $param, $val );
+ }
}
+sub subst_configvar {
+ my $value = shift;
+ my $vars = shift;
-my $ok =
- getopts( 'o:abnmwWiPG:u:g:d:s:c:k:t:A:B:C:D:E:F:H:L:M:N:S:T:Z:?', \%Options );
-
-if ( ( !$ok ) || ( @ARGV < 1 ) || ( $Options{'?'} ) ) {
- print_banner;
- print "Usage: $0 [-awmugdsckABCDEFGHMNPST?] username\n";
- print " -a is a Windows User (otherwise, Posix stuff only)\n";
- print " -b is a AIX User\n";
- print " -c gecos\n";
- print " -d home\n";
- print " -g gid\n";
- print " -i is a trust account (Windows Workstation)\n";
- print " -k skeleton dir (with -m)\n";
- print " -m creates home directory and copies /etc/skel\n";
- print " -n do not create a group\n";
- print
-" -o add the user in the organizational unit (relative to the user suffix. Ex: 'ou=admin,ou=all')\n";
- print " -u uid\n";
- print " -s shell\n";
- print
-" -t time. Wait 'time' seconds before exiting (when adding Windows Workstation)\n";
- print " -w is a Windows Workstation (otherwise, Posix stuff only)\n";
- print
-" -W is a Windows Workstation, with Samba atributes (otherwise, Posix stuff only)\n";
- print " -A can change password ? 0 if no, 1 if yes\n";
- print " -B must change password ? 0 if no, 1 if yes\n";
- print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n";
- print
- " -D sambaHomeDrive (letter associated with home share, like 'H:')\n";
- print " -E sambaLogonScript (DOS script to execute on login)\n";
- print
-" -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n";
- print " -G supplementary comma-separated groups\n";
- print
- " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n";
- print " -M local mailAddress (comma seperated)\n";
- print " -N given name \n";
- print " -P ends by invoking smbldap-passwd\n";
- print " -S surname (Family name)\n";
- print " -T mailToAddress (forward address) (comma seperated)\n";
- print " -Z set custom LDAP attributes, name=value pairs comma separated\n";
- print " -? show this help message\n";
- exit(1);
+ $value =~ s/\$\{([^}]+)\}/$vars->{$1} ? $vars->{$1} : $1/eg;
+ return $value;
}
-my $ldap_master = connect_ldap_master();
+sub getLocalSID {
+ open my $fh, "-|" or exec("$samba_bindir/net", "getlocalsid") || exit(1);
-# cause problems when dealing with getpwuid because of the
-# negative ttl and ldap modification
-my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
+ my $line = <$fh>;
+ if (!defined($line)) {
+ die "Failed to get SID from Samba net command";
+ }
-if ( $nscd_status == 0 ) {
- system "/etc/init.d/nscd stop > /dev/null 2>&1";
+ my ($sid) = ($line =~ m/^SID for domain \S+ is: (\S+)$/);
+ if (!defined($sid)) {
+ die "Samba net command returns invalid output: $line";
+ }
+
+ return $sid;
}
-# Read only first @ARGV
-my $userName = $ARGV[0];
+sub read_conf {
+ my %conf;
+ open( CONFIGFILE, "$smbldap_conf" ) || die "Unable to open $smbldap_conf for reading !\n";
+ while (<CONFIGFILE>) {
+ chomp($_);
+ ## throw away comments
+ next if ( /^\s*#/ || /^\s*$/ || /^\s*\;/ );
+ ## check for a param = value
+ my ( $parameter, $value ) = read_parameter($_);
+ $value = &subst_configvar( $value, \%conf );
+ $conf{$parameter} = $value;
+ }
+ close(CONFIGFILE);
-# For computers account, add a trailing dollar if missing
-if ( defined( $Options{'w'} ) or defined( $Options{'W'} ) ) {
- if ( $userName =~ /[^\$]$/s ) {
- $userName .= "\$";
- }
-}
+ if ( $< == 0 ) {
+ open( CONFIGFILE, "$smbldap_bind_conf" ) || die "Unable to open $smbldap_bind_conf for reading !\n";
+ while (<CONFIGFILE>) {
+ chomp($_);
+ ## throw away comments
+ next if ( /^\s*#/ || /^\s*$/ || /^\s*\;/ );
+ ## check for a param = value
+ my ( $parameter, $value ) = read_parameter($_);
+ $value = &subst_configvar( $value, \%conf );
+ $conf{$parameter} = $value;
+ }
+ close(CONFIGFILE);
+ }
+ else {
+ $conf{slaveDN} = $conf{slavePw} = $conf{masterDN} = $conf{masterPw} = "";
+ }
-# untaint $userName (can finish with one or two $)
-if ( $userName =~ /^([\w -.]+\$?)$/ ) {
- $userName = $1;
-}
-else {
- print "$0: illegal username\n";
- exit(1);
-}
+ while (my ($new, $old) = each(%conf_renamed_by)) {
+ if (exists($conf{$old})) {
+ $conf{$new} = delete($conf{$old});
+ }
+ }
-# user must not exist in LDAP (should it be nss-wide ?)
-my ( $rc, $dn ) = get_user_dn2($userName);
-if ( $rc and defined($dn) ) {
- print "$0: user $userName exists\n";
- exit(9);
+ # automatically find SID
+ if ( not $conf{SID} ) {
+ $conf{SID} = getLocalSID() || die "Unable to determine domain SID: please edit your smbldap.conf, or start your samba server for a few minutes to allow for SID generation to proceed\n";
+ }
+ return (%conf);
}
-elsif ( !$rc ) {
- print "$0: error in get_user_dn2\n";
- exit(10);
-}
-# Read options
-# we create the user in the specified ou (relative to the users suffix)
-my $user_ou = $Options{'o'};
-my $node;
-if ( defined $user_ou ) {
+# success = add_posix_machine($user, $uid, $gid)
+sub add_posix_machine_gosa {
+ my ( $user, $uid, $gid ) = @_;
-# admin can specify a organizational unit like '-o ou=admin,ou=all'. We need to check that
-# each ou exist
- my @path;
- while ( $user_ou =~ m/(ou=)?([^,]+),?/g ) {
- push( @path, $2 );
- }
- foreach $node ( reverse @path ) {
+ # bind to a directory with dn and password
+ my $add = $ldap->add(
+ "uid=$user,$config{computersdn}",
+ attr => [
+ 'objectclass' => ['top', 'person', 'organizationalPerson', 'inetOrgPerson', 'posixAccount', 'gotoWorkstation'],
+ 'cn' => "$user",
+ 'sn' => "$user",
+ 'uid' => "$user",
+ 'uidNumber' => "$uid",
+ 'gidNumber' => "$gid",
+ 'homeDirectory' => '/dev/null',
+ 'loginShell' => '/bin/false',
+ 'description' => 'Windows Computer',
+ 'gecos' => 'Windows Computer',
+ 'sn' => 'Windows Computer',
+ ]
+ );
- # if the ou does not exist, we create it
- my $mesg = $ldap_master->search(
- base => "$config{usersdn}",
- scope => "one",
- filter => "(&(objectClass=organizationalUnit)(ou=$node))"
- );
- $mesg->code && die $mesg->error;
- if ( $mesg->count eq 0 ) {
- print
-"ou=$node,$config{usersdn} does not exist. Creating it (Y/[N]) ? ";
- chomp( my $answ = <STDIN> );
- if ( $answ eq "y" || $answ eq "Y" ) {
-
- # add organizational unit
- my $add = $ldap_master->add(
- "ou=$node,$config{usersdn}",
- attr => [
- 'objectclass' => [ 'top', 'organizationalUnit' ],
- 'ou' => "$node"
- ]
- );
- $add->code && die "failed to add entry: ", $add->error;
- print "$user_ou,$config{usersdn} created \n";
-
- }
- else {
- print "exiting.\n";
- exit;
- }
- }
- $config{usersdn} = "ou=$node,$config{usersdn}";
- }
+ $add->code && warn "failed to add entry: ", $add->error;
+ return 1;
}
-my $userUidNumber = $Options{'u'};
-if ( !defined($userUidNumber) ) {
- $userUidNumber = user_next_uid();
-}
-elsif ( getpwuid($userUidNumber) ) {
- die "Uid already exists.\n";
-}
+sub get_user_dn2 {
+ my $user = shift;
+ my $dn = '';
+ my $mesg = $ldap->search(
+ base => $config{suffix},
+ scope => $config{scope},
+ filter => "(&(objectclass=posixAccount)(uid=$user))"
+ );
+ $mesg->code && warn "failed to perform search; ", $mesg->error;
-if ( $nscd_status == 0 ) {
- system "/etc/init.d/nscd start > /dev/null 2>&1";
+ foreach my $entry ( $mesg->all_entries ) {
+ $dn = $entry->dn;
+ }
+ chomp($dn);
+ if ( $dn eq '' ) {
+ return ( 1, undef );
+ }
+ $dn = "dn: " . $dn;
+ return ( 1, $dn );
}
-my $createGroup = 0;
-my $userGidNumber = $Options{'g'};
+sub user_next_rid
+{
+ my $uid = shift;
+ my $domain = shift || $config{sambaDomain};
+ my $checker = shift || \&rid_is_free;
-# gid not specified ?
-if ( !defined($userGidNumber) ) {
+ if (defined(my $rid_base = account_base_rid($domain))) {
+ ## Use legacy algorithmic RID generator
+ return $uid * 2 + $rid_base;
+ }
- # windows machine => $config{defaultComputerGid}
- if ( defined( $Options{'w'} ) or defined( $Options{'W'} ) ) {
- $userGidNumber = $config{defaultComputerGid};
+ return account_next_rid($domain, $checker);
+}
- # } elsif (!defined($Options{'n'})) {
- # create new group (redhat style)
- # find first unused gid starting from $config{GID_START}
- # while (defined(getgrgid($config{GID_START}))) {
- # $config{GID_START}++;
- # }
- # $userGidNumber = $config{GID_START};
+sub rid_is_free
+{
+ my $rid = shift;
+ my $domain_sid = shift || $config{SID};
- # $createGroup = 1;
+ return !defined(account_by_rid($rid, $domain_sid));
+}
- }
- else {
+sub account_next_rid
+{
+ my $domain = shift || $config{sambaDomain};
+ my $checker = shift || \&rid_is_free;
- # user will have gid = $config{defaultUserGid}
- $userGidNumber = $config{defaultUserGid};
- }
+ return account_next_id("sambaNextRid", $domain, $checker);
}
-else {
- my $gid;
- if ( ( $gid = parse_group($userGidNumber) ) < 0 ) {
- print "$0: unknown group $userGidNumber\n";
- exit(6);
- }
- $userGidNumber = $gid;
+
+sub user_next_uid
+{
+ my $domain = shift || $config{sambaDomain};
+ my $checker = shift || \&uid_is_free;
+ return account_next_id("uidNumber", $domain, $checker);
}
-my $group_entry;
-my $userGroupSID;
-my $userRid;
-my $user_sid;
-if ( defined $Options{'a'}
- or defined $Options{'i'}
- or defined $Options{'w'}
- or defined( $Options{'W'} ) )
+sub user_by_uid
{
+ my $uid = shift;
- # as grouprid we use the value of the sambaSID attribute for
- # group of gidNumber=$userGidNumber
- $group_entry = read_group_entry_gid($userGidNumber);
- $userGroupSID = $group_entry->get_value('sambaSID');
- unless ($userGroupSID) {
- print "Error: SID not set for unix group $userGidNumber\n";
- print "check if your unix group is mapped to an NT group\n";
- exit(7);
- }
-
- # as rid we use 2 * uid + 1000
- $userRid = 2 * $userUidNumber + 1000;
-
- # let's test if this SID already exist
- $user_sid = "$config{SID}-$userRid";
- my $test_exist_sid = does_sid_exist( $user_sid, $config{usersdn} );
- if ( $test_exist_sid->count == 1 ) {
- print "User SID already owned by\n";
-
- # there should not exist more than one entry, but ...
- foreach my $entry ( $test_exist_sid->all_entries ) {
- my $dn = $entry->dn;
- chomp($dn);
- print "$dn\n";
- }
- exit(7);
- }
+ my $search = $ldap->search(
+ base => $config{suffix},
+ filter => "(&(objectClass=posixAccount)(uidNumber=$uid))",
+ scope => "sub",
+ );
+ if ($search->code) {
+ die "Failed to search entries by UID: $uid: " . $search->error;
+ }
+ return ($search->entries)[0];
}
-my $userHomeDirectory;
-my ( $givenName, $userCN, $userSN, $displayName );
-my @userMailLocal;
-my @userMailTo;
-my $tmp;
-if ( !defined( $userHomeDirectory = $Options{'d'} ) ) {
- $userHomeDirectory = &subst_user( $config{userHome}, $userName );
+sub uid_is_free
+{
+ my ($uid) = @_;
+ return !defined(user_by_uid($uid));
}
-# RFC 2256 & RFC 2798
-# sn: family name (option S) # RFC 2256: family name of a person.
-# givenName: prenom (option N) # RFC 2256: part of a person's name which is not their surname nor middle name.
-# cn: person's full name # RFC 2256: person's full name.
-# displayName: perferably displayed name # RFC 2798: preferred name of a person to be used when displaying entries.
+sub account_base_rid
+{
+ my $domain = shift || $config{sambaDomain};
-#givenname is the forename of a person (not famiy name) => http://en.wikipedia.org/wiki/Given_name
-#surname (or sn) is the familiy name => http://en.wikipedia.org/wiki/Surname
-# my surname (or sn): Tournier
-# my givenname: Jerome
+ my $search = $ldap->search(
+ base => $config{suffix},
+ filter => "(&(objectClass=sambaDomain)(sambaDomainName=$domain))",
+ scope => "sub",
+ attrs => ["sambaAlgorithmicRidBase", "sambaNextRid"],
+ );
+ if ($search->code) {
+ die "Failed to search sambaDomain object to get sambaAlgorithmicRidBase: " . $search->error;
+ }
+ if ($search->count != 1) {
+ die "Failed to find sambaDomain object to get sambaAlgorithmicRidBase";
+ }
-$userHomeDirectory =~ s/\/\//\//;
-$config{userLoginShell} = $tmp if ( defined( $tmp = $Options{'s'} ) );
-$config{userGecos} = $tmp if ( defined( $tmp = $Options{'c'} ) );
-$config{skeletonDir} = $tmp if ( defined( $tmp = $Options{'k'} ) );
-$givenName = ( utf8Encode( $Options{'N'} ) || $userName );
-$userSN = ( utf8Encode( $Options{'S'} ) || $userName );
-if ( $Options{'N'} and $Options{'S'} ) {
- $displayName = $userCN = "$givenName" . " $userSN";
+ my $entry = $search->entry(0);
+ my $rid_base = $entry->get_value("sambaAlgorithmicRidBase");
+ if (!defined($rid_base) && !defined($entry->get_value("sambaNextRid"))) {
+ return 1000;
+ }
+
+ return $rid_base;
}
-else {
- $displayName = $userCN = $userName;
-}
- at userMailLocal = &split_arg_comma( $Options{'M'} );
- at userMailTo = &split_arg_comma( $Options{'T'} );
-
-########################
-
-# MACHINE ACCOUNT
-if ( defined( $Options{'w'} )
- or defined( $Options{'i'} )
- or defined( $Options{'W'} ) )
+sub account_next_id
{
+ my $attr = shift;
+ my $domain = shift || $config{sambaDomain};
+ my $checker = shift;
- # if Options{'i'} and username does not end with $ caracter => we add it
- if ( $Options{'i'} and !( $userName =~ m/\$$/ ) ) {
- $userName .= "\$";
- }
+ my $base = $config{sambaUnixIdPooldn};
+ my $oc = "sambaUnixIdPool";
+ my $filter = "(objectClass=sambaUnixIdPool)";
+ my $scope = "base";
+ my $id_bias = 0;
+ if ($attr =~ /rid$/i) {
+ $base = $config{suffix};
+ $oc = "sambaDomain";
+ $filter = "(&(objectClass=sambaDomain)(sambaDomainName=$domain))",
+ $scope = "sub";
+ ## NOTE: sambaNextRid has "latest RID", not "next RID"!
+ $id_bias = 1;
+ }
- if (
- !add_posix_machine_gosa(
- $userName, $userUidNumber, $userGidNumber, $Options{'t'}
- )
- )
- {
- die "$0: error while adding posix account\n";
- }
+ for (;;) {
+ my $search = $ldap->search(
+ base => $base,
+ filter => $filter,
+ scope => $scope,
+ attrs => [$attr],
+ );
+ if ($search->code) {
+ die "Failed to search $oc to get next $attr: " . $search->error;
+ }
+ if ($search->count != 1) {
+ die "Failed to find $oc to get next $attr";
+ }
- if ( defined( $Options{'i'} ) ) {
+ my $entry = $search->entry(0);
+ my $id = $entry->get_value($attr);
- # For machine trust account
- # Objectclass sambaSAMAccount must be added now !
- my $pass;
- my $pass2;
+ my $modify = $ldap->modify($entry->dn,
+ changes => [ replace => [ $attr=> $id + 1 ] ]
+ );
+ if ($modify->code) {
+ die "Failed to update $attr in $oc: " . $modify->error;
+ }
- system "stty -echo";
- print "New password : ";
- chomp( $pass = <STDIN> );
- print "\n";
- system "stty echo";
+ $id += $id_bias;
+ unless ($checker && !$checker->($id)) {
+ return $id;
+ }
+ }
+}
- system "stty -echo";
- print "Retype new password : ";
- chomp( $pass2 = <STDIN> );
- print "\n";
- system "stty echo";
+sub connect_ldap_master {
+ my $mesg;
- if ( $pass ne $pass2 ) {
- print "New passwords don't match!\n";
- exit(10);
- }
- my ( $lmpassword, $ntpassword ) = ntlmgen $pass;
- my $date = time;
- my $modify = $ldap_master->modify(
- "uid=$userName,$config{computersdn}",
- changes => [
- replace => [
- objectClass =>
- [ 'top', 'posixAccount', 'person', 'organizationalPerson', 'inetOrgPerson', 'gosaAccount', 'sambaSamAccount', 'shadowAccount' ]
- ],
- add => [ sn => 'Computer' ],
- add => [ sambaLogonTime => '0' ],
- add => [ sambaLogoffTime => '2147483647' ],
- add => [ sambaKickoffTime => '2147483647' ],
- add => [ sambaPwdCanChange => '0' ],
- add => [ sambaPwdMustChange => '2147483647' ],
- add => [ sambaPwdLastSet => "$date" ],
- add => [ sambaAcctFlags => '[I ]' ],
- add => [ sambaLMPassword => "$lmpassword" ],
- add => [ sambaNTPassword => "$ntpassword" ],
- add => [ sambaSID => "$user_sid" ],
- add => [ sambaPrimaryGroupSID => "$config{SID}-515" ]
- ]
- );
+ # bind to a directory with dn and password
+ my $ldap_master;
+ if ( $config{ldapSSL} ) {
+ $ldap_master = Net::LDAP->new(
+ "ldaps://$config{masterLDAP}:$config{masterPort}",
+ verify => "$config{verify}",
+ cafife => "$config{cafile}"
+ ) or die "LDAP error: Can't contact master ldap server with SSL ($@)";
+ } else {
+ $ldap_master = Net::LDAP->new(
+ "$config{masterLDAP}",
+ port => "$config{masterPort}",
+ version => 3,
+ timeout => 60,
+ # debug => 0xffff,
+ ) or die "LDAP error: Can't contact master ldap server for writing ($@)";
+ }
+ if ( $config{ldapTLS} == 1 ) {
+ $mesg = $ldap_master->start_tls(
+ verify => "$config{verify}",
+ clientcert => "$config{clientcert}",
+ clientkey => "$config{clientkey}",
+ cafile => "$config{cafile}"
+ );
+ if ( $mesg->code ) {
+ die( "Could not start_tls: " . $mesg->error );
+ }
+ }
+ $mesg = $ldap_master->bind( "$config{masterDN}",
+ password => "$config{masterPw}"
+ );
+ $ldap = $ldap_master;
+ return ($ldap_master);
+}
- $modify->code && die "failed to add entry: ", $modify->error;
- }
- elsif ( defined( $Options{'W'} ) ) {
- my $date = time;
- my $modify = $ldap_master->modify(
- "uid=$userName,$config{computersdn}",
- changes => [
- replace => [
- objectClass =>
- [ 'top', 'posixAccount', 'person', 'organizationalPerson', 'inetOrgPerson', 'gosaAccount', 'sambaSamAccount', 'shadowAccount' ]
- ],
- add => [ sn => 'Computer' ],
- add => [ sambaLogonTime => '0' ],
- add => [ sambaLogoffTime => '2147483647' ],
- add => [ sambaKickoffTime => '2147483647' ],
- add => [ sambaPwdCanChange => '0' ],
- add => [ sambaPwdMustChange => '2147483647' ],
- add => [ sambaPwdLastSet => "$date" ],
- add => [ sambaAcctFlags => '[W ]' ],
- add => [ sambaSID => "$user_sid" ],
- add => [ sambaPrimaryGroupSID => "$config{SID}-515" ],
- add => [ displayName => "$userName" ],
- add => [ sambaDomainName => "$config{sambaDomain}" ]
- ]
- );
+sub read_group_entry_gid {
+ my $group = shift;
+ my %res;
+ my $mesg = $ldap->search( # perform a search
+ base => $config{groupsdn},
+ scope => $config{scope},
+ filter => "(&(objectclass=posixGroup)(gidNumber=$group))"
+ );
- $modify->code && die "failed to add entry: ", $modify->error;
- }
-
- $ldap_master->unbind;
- exit 0;
+ $mesg->code && die $mesg->error;
+ my $entry = $mesg->shift_entry();
+ return $entry;
}
-# USER ACCOUNT
-# add posix account first
-my $add;
+sub read_group_entry {
+ my $group = shift;
+ my $entry;
+ my %res;
+ my $mesg = $ldap->search( # perform a search
+ base => $config{groupsdn},
+ scope => $config{scope},
+ filter => "(&(objectclass=posixGroup)(cn=$group))"
+ );
-# if AIX account, inetOrgPerson obectclass can't be used
-if ( defined( $Options{'b'} ) ) {
- $add = $ldap_master->add(
- "uid=$userName,$config{usersdn}",
- attr => [
- 'objectclass' => [
- 'top', 'person',
- 'organizationalPerson', 'posixAccount',
- 'shadowAccount'
- ],
- 'cn' => "$userCN",
- 'sn' => "$userSN",
- 'uid' => "$userName",
- 'uidNumber' => "$userUidNumber",
- 'gidNumber' => "$userGidNumber",
- 'homeDirectory' => "$userHomeDirectory",
- 'loginShell' => "$config{userLoginShell}",
- 'gecos' => "$config{userGecos}",
- 'userPassword' => "{crypt}x"
- ]
- );
+ $mesg->code && die $mesg->error;
+ my $nb = $mesg->count;
+ if ( $nb > 1 ) {
+ print "Error: $nb groups exist \"cn=$group\"\n";
+ foreach $entry ( $mesg->all_entries ) {
+ my $dn = $entry->dn;
+ print " $dn\n";
+ }
+ exit 11;
+ } else {
+ $entry = $mesg->shift_entry();
+ }
+ return $entry;
}
-else {
- $add = $ldap_master->add(
- "uid=$userName,$config{usersdn}",
- attr => [
- 'objectclass' => [
- 'top', 'person',
- 'organizationalPerson', 'inetOrgPerson',
- 'posixAccount', 'shadowAccount'
- ],
- 'cn' => "$userCN",
- 'sn' => "$userSN",
- 'givenName' => "$givenName",
- 'uid' => "$userName",
- 'uidNumber' => "$userUidNumber",
- 'gidNumber' => "$userGidNumber",
- 'homeDirectory' => "$userHomeDirectory",
- 'loginShell' => "$config{userLoginShell}",
- 'gecos' => "$config{userGecos}",
- 'userPassword' => "{crypt}x"
- ]
- );
-}
-$add->code && warn "failed to add entry: ", $add->error;
-#if ($createGroup) {
-# group_add($userName, $userGidNumber);
-#}
+##############
+#### MAIN ####
+##############
-if ( $userGidNumber != $config{defaultUserGid} ) {
- group_add_user( $userGidNumber, $userName );
-}
+### PREPARING ###
-my $grouplist;
+my $ldap_master = connect_ldap_master();
-# adds to supplementary groups
-if ( defined( $grouplist = $Options{'G'} ) ) {
- add_grouplist_user( $grouplist, $userName );
+# Read only first @ARGV
+my $userName = "";
+
+if ( defined $ARGV[0] ) {
+ $userName = $ARGV[0];
}
-# If user was created successfully then we should create his/her home dir
-if ( defined( $tmp = $Options{'m'} ) ) {
- unless ( $userName =~ /\$$/ ) {
- if ( !( -d $userHomeDirectory ) ) {
- if ( $config{skeletonDir} ne "" ) {
- system
- "cp -r $config{skeletonDir} $userHomeDirectory 2>/dev/null";
- }
- else {
- system "mkdir $userHomeDirectory 2>/dev/null";
- }
- system
-"chown -R $userName:$userGidNumber $userHomeDirectory 2>/dev/null";
- if ( defined $config{userHomeDirectoryMode} ) {
- system
-"chmod $config{userHomeDirectoryMode} $userHomeDirectory 2>/dev/null";
- }
- else {
- system "chmod 700 $userHomeDirectory 2>/dev/null";
- }
- }
- else {
- print
-"Warning: homedirectory $userHomeDirectory already exist. Check manually\n";
- }
- }
+# add a trailing dollar if missing
+if ( $userName =~ /[^\$]$/s ) {
+ $userName .= "\$";
}
-# we start to defined mail adresses if option M or T is given in option
-my @adds;
-if (@userMailLocal) {
- my @mail;
- foreach my $m (@userMailLocal) {
- my $domain = $config{mailDomain};
- if ( $m =~ /^(.+)@/ ) {
- push( @mail, $m );
-
- # mailLocalAddress contains only the first part
- $m = $1;
- }
- else {
- push( @mail, $m . ( $domain ? '@' . $domain : '' ) );
- }
- }
- push( @adds, 'mailLocalAddress' => [@userMailLocal] );
- push( @adds, 'mail' => [@mail] );
+# untaint $userName (can finish with one or two $)
+if ( $userName =~ /^([\w -.]+\$?)$/ ) {
+ $userName = $1;
}
-if (@userMailTo) {
- push( @adds, 'mailRoutingAddress' => [@userMailTo] );
+else {
+ print "$0: illegal username\n";
+ exit(1);
}
-if ( @userMailLocal || @userMailTo ) {
- push( @adds, 'objectClass' => 'inetLocalMailRecipient' );
-}
-# Custom modification - MPK
-if ( $Options{'Z'} ) {
- my @namval = split /,/, $Options{'Z'};
- if (@namval) {
- foreach my $pair (@namval) {
- my ( $name, $value ) = split /=/, $pair;
- next if ( !$name or !$value );
- push( @adds, $name => $value );
- }
- }
+# user must not exist in LDAP (should it be nss-wide ?)
+my ( $rc, $dn ) = get_user_dn2($userName);
+if ( $rc and defined($dn) ) {
+ print "$0: user $userName exists\n";
+ exit(9);
}
+elsif ( !$rc ) {
+ print "$0: error in get_user_dn2\n";
+ exit(10);
+}
-# Add Samba user infos
-if ( defined( $Options{'a'} ) ) {
- if ( !$config{with_smbpasswd} ) {
+my $userUidNumber = user_next_uid();
- my $winmagic = 2147483647;
- my $valpwdcanchange = 0;
- my $valpwdmustchange = $winmagic;
- my $valpwdlastset = 0;
- my $valacctflags = "[UX]";
+# windows machine always get assigned the $config{defaultComputerGid}
+my $userGidNumber = $config{defaultComputerGid};
- if ( defined( $tmp = $Options{'A'} ) ) {
- if ( $tmp != 0 ) {
- $valpwdcanchange = "0";
- }
- else {
- $valpwdcanchange = "$winmagic";
- }
- }
+# as grouprid we use the value of the sambaSID attribute for
+# group of gidNumber=$userGidNumber
+my $group_entry = read_group_entry_gid($userGidNumber);
+my $userGroupSID = $group_entry->get_value('sambaSID');
+unless ($userGroupSID) {
+ print "Error: SID not set for unix group $userGidNumber\n";
+ print "check if your unix group is mapped to an NT group\n";
+ exit(7);
+}
- if ( defined( $tmp = $Options{'B'} ) ) {
- if ( $tmp != 0 ) {
- $valpwdmustchange = "0";
+my $userRid = user_next_rid($userUidNumber);
+my $user_sid = "$config{SID}-$userRid";
- # To force a user to change his password:
- # . the attribut sambaAcctFlags must not match the 'X' flag
- $valacctflags = "[U]";
- }
- else {
- $valpwdmustchange = "$winmagic";
- }
- }
- if ( defined( $tmp = $Options{'H'} ) ) {
- $valacctflags = "$tmp";
- }
+### ADD THE GOSA MACHINE ACCOUNT ###
- my $modify = $ldap_master->modify(
- "uid=$userName,$config{usersdn}",
- changes => [
- add => [ objectClass => 'sambaSAMAccount' ],
- add => [ sambaPwdLastSet => "$valpwdlastset" ],
- add => [ sambaLogonTime => '0' ],
- add => [ sambaLogoffTime => '2147483647' ],
- add => [ sambaKickoffTime => '2147483647' ],
- add => [ sambaPwdCanChange => "$valpwdcanchange" ],
- add => [ sambaPwdMustChange => "$valpwdmustchange" ],
- add => [ displayName => "$displayName" ],
- add => [ sambaAcctFlags => "$valacctflags" ],
- add => [ sambaSID => "$config{SID}-$userRid" ]
- ]
- );
-
- $modify->code && die "failed to add entry: ", $modify->error;
-
- }
- else {
- my $FILE = "|smbpasswd -s -a $userName >/dev/null";
- open( FILE, $FILE ) || die "$!\n";
- print FILE <<EOF;
-x
-x
-EOF
- close FILE;
- if ($?) {
- print "$0: error adding samba account\n";
- exit(10);
- }
- } # with_smbpasswd
-
- $tmp = defined( $Options{'E'} ) ? $Options{'E'} : $config{userScript};
- my $valscriptpath = &subst_user( $tmp, $userName );
-
- $tmp = defined( $Options{'C'} ) ? $Options{'C'} : $config{userSmbHome};
- my $valsmbhome = &subst_user( $tmp, $userName );
-
- my $valhomedrive =
- defined( $Options{'D'} ) ? $Options{'D'} : $config{userHomeDrive};
-
- # if the letter is given without the ":" symbol, we add it
- $valhomedrive .= ':' if ( $valhomedrive && $valhomedrive !~ /:$/ );
-
- $tmp = defined( $Options{'F'} ) ? $Options{'F'} : $config{userProfile};
- my $valprofilepath = &subst_user( $tmp, $userName );
-
- if ($valhomedrive) {
- push( @adds, 'sambaHomeDrive' => $valhomedrive );
- }
- if ($valsmbhome) {
- push( @adds, 'sambaHomePath' => $valsmbhome );
- }
-
- if ($valprofilepath) {
- push( @adds, 'sambaProfilePath' => $valprofilepath );
- }
- if ($valscriptpath) {
- push( @adds, 'sambaLogonScript' => $valscriptpath );
- }
- if ( !$config{with_smbpasswd} ) {
- push( @adds, 'sambaPrimaryGroupSID' => $userGroupSID );
- push( @adds, 'sambaLMPassword' => "XXX" );
- push( @adds, 'sambaNTPassword' => "XXX" );
- }
- my $modify =
- $ldap_master->modify( "uid=$userName,$config{usersdn}", add => {@adds} );
-
- $modify->code && die "failed to add entry: ", $modify->error;
+if (
+ !add_posix_machine_gosa(
+ $userName, $userUidNumber, $userGidNumber
+ )
+)
+{
+ die "$0: error while adding posix account\n";
}
-# add AIX user
-if ( defined( $Options{'b'} ) ) {
- my $modify = $ldap_master->modify(
- "uid=$userName,$config{usersdn}",
- changes => [
- add => [ objectClass => 'aixAuxAccount' ],
- add => [ passwordChar => "!" ],
- add => [ isAdministrator => "false" ]
- ]
- );
+my $date = time;
+my $modify = $ldap_master->modify(
+ "uid=$userName,$config{computersdn}",
+ changes => [
+ replace => [
+ objectClass =>
+ [ 'top', 'posixAccount', 'person', 'organizationalPerson', 'inetOrgPerson', 'gosaAccount', 'sambaSAMAccount', 'shadowAccount', ]
+ ],
+ add => [ sambaLogonTime => '0' ],
+ add => [ sambaLogoffTime => '2147483647' ],
+ add => [ sambaKickoffTime => '2147483647' ],
+ add => [ sambaPwdCanChange => '0' ],
+ add => [ sambaPwdMustChange => '2147483647' ],
+ add => [ sambaPwdLastSet => "$date" ],
+ add => [ sambaAcctFlags => '[W ]' ],
+ add => [ sambaSID => "$user_sid" ],
+ add => [ sambaPrimaryGroupSID => "$config{SID}-515" ],
+ add => [ displayName => "$userName" ],
+ add => [ sambaDomainName => "$config{sambaDomain}" ],
+ ]
+);
- $modify->code && die "failed to add entry: ", $modify->error;
-}
+$modify->code && die "failed to add entry: ", $modify->error;
+$ldap_master->unbind;
-$ldap_master->unbind; # take down session
-
-if ( defined( $Options{'P'} ) ) {
- if ( defined( $tmp = $Options{'B'} ) and $tmp != 0 ) {
- exec "$RealBin/smbldap-passwd -B \"$userName\"";
- }
- else {
- exec "$RealBin/smbldap-passwd \"$userName\"";
- }
-}
-
exit 0;
-########################################
-
-=head1 NAME
-
-smbldap-useradd - Create a new user
-
-=head1 SYNOPSIS
-
-smbldap-useradd [-o user_ou] [-c comment] [-d home_dir] [-g initial_group] [-G group[,...]] [-m [-k skeleton_dir]] [-s shell] [-u uid [ -o]] [-P] [-A canchange] [-B mustchange] [-C smbhome] [-D homedrive] [-E scriptpath] [-F profilepath] [-H acctflags] login
-
-=head1 DESCRIPTION
-
-Creating New Users
-The smbldap-useradd command creates a new user account using the values specified on the command line and the default values from the system and from the configuration files (in /etc/smbldap-tools directory).
-
-For Samba users, rid is '2*uidNumber+1000', and sambaPrimaryGroupSID is '$SID-2*gidNumber+1001', where $SID is the domain SID. Thus you may want to use :
-$ smbldap-useradd -a -g "Domain Admins" -u 500 Administrator
-to create an domain administrator account (admin rid is 0x1F4 = 500 and grouprid is 0x200 = 512).
-
-Without any option, the account created will be an Unix (Posix) account. The following options may be used to add information:
-
--o node
- The user's account will be created in the specified organazional unit. It is relative to the user suffix dn ($usersdn) defined in the configuration file.
-Ex: 'ou=admin,ou=all'
-
--a
- The user will have a Samba account (and Unix).
-
--b
- The usrer is an AIX acount
-
--w
- Creates an account for a Samba machine (Workstation), so that it can join a sambaDomainName.
-
--i
- Creates an interdomain trust account (machine Workstation). A password will be asked for the trust account.
-
--c "comment"
- The new user's comment field (gecos). This option is for gecos only! To set as user's full name use the -N and -S options.
-
--d home_dir
- The new user will be created using home_dir as the value for the user's login directory. The default is to append the login name to userHomePrefix (defined in the configuration file) and use that as the login directory name.
-
--g initial_group
- The group name or number of the user's initial login group. The group name must exist. A group number must refer to an already existing group. The default group number is defined in the configuration file (defaultUserGid="513").
-
--G group,[...]
- A list of supplementary groups which the user is also a member of. Each group is separated to the next by a comma, with no intervening whitespace. The groups are subject to the same restrictions as the group given with the -g option. The default is for the user to belong only to the initial group.
-
--m
- The user's home directory will be created if it does not exist. The files contained in skeletonDir will be copied to the home directory if the -k option is used, otherwise the files contained in /etc/skel will be used instead. Any directories contained in skeletonDir or /etc/skel will be created in the user's home directory as well. The -k option is only valid in conjunction with the -m option. The default is to not create the directory and to not copy any files.
-
--s shell
- The name of the user's login shell. The default is to leave this field blank, which causes the system to select the default login shell.
-
--t time
- Wait <time> seconds before exiting script when adding computer's account. This is useful when Master/PDC and Slaves/BDCs are connected through the internet (replication is not real time)
-
--u uid
- The numerical value of the user's ID. This value must be unique, unless the -o option is used. The value must be nonnegative. The default is to use the smallest ID value greater than 1000 and greater than every other user.
-
--P
- ends by invoking smbldap-passwd
-
--A
- can change password ? 0 if no, 1 if yes
-
--B
- must change password ? 0 if no, 1 if yes
-
--C sambaHomePath
- SMB home share, like '\\\\PDC-SRV\\homes'
-
--D sambaHomeDrive
- letter associated with home share, like 'H:'
-
--E sambaLogonScript
- relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat'
-
--F sambaProfilePath
- profile directory, like '\\\\PDC-SRV\\profiles\\foo'
-
--H sambaAcctFlags
- spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]'
-
--M mail
- local mail aliases (multiple addresses are seperated by spaces)
-
--N givenname
- family name. Defaults to username
-
--S surname
- defaults to username
-
--T mailToAddress
- Forward address (multiple addresses are seperated by spaces)
-
--n
- do not print banner message
-
-=head1 SEE ALSO
-
-useradd(1)
-
-=cut
-
-#'
More information about the debian-edu-commits
mailing list