[debian-edu-commits] r82029 - branches/wheezy/debian-edu-config/etc/samba
sunweaver at alioth.debian.org
sunweaver at alioth.debian.org
Tue Aug 13 13:08:54 UTC 2013
Author: sunweaver
Date: 2013-08-13 13:08:54 +0000 (Tue, 13 Aug 2013)
New Revision: 82029
Modified:
branches/wheezy/debian-edu-config/etc/samba/smbldap-machineadd-gosa
Log:
revert unwanted check-in of smbldap-machineadd-gosa with rev82026
Modified: branches/wheezy/debian-edu-config/etc/samba/smbldap-machineadd-gosa
===================================================================
--- branches/wheezy/debian-edu-config/etc/samba/smbldap-machineadd-gosa 2013-08-13 13:01:12 UTC (rev 82028)
+++ branches/wheezy/debian-edu-config/etc/samba/smbldap-machineadd-gosa 2013-08-13 13:08:54 UTC (rev 82029)
@@ -1,494 +1,813 @@
-#!/usr/bin/perl
+#!/usr/bin/perl -w
+# This script has been taken von smbldap-tools 0.9.5, its original name
+# is smbldap-useradd. It has been modified so that machine accounts can
+# be created and so that they will be compliant to the pre-requisites of
+# GOsa as in Debian Edu squeeze.
+#
+# This script depends on package smbldap-tools (i.e. on its
+# smbldap_tool.pm).
+#
+# Modifcations have been done by several people, initially by
+# Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
+#
+
+# This code was developped by Jerome Tournier (jtournier at gmail.com) and
+# contributors (their names can be found in the CONTRIBUTORS file).
+
+# This was first contributed by IDEALX (http://www.opentrust.com/)
+
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+# Purpose of smbldap-useradd : user (posix,shadow,samba) add
+
use strict;
-use warnings;
-#use Encode;
-#use POSIX qw(:termios_h);
-#use IO::File;
-use Net::LDAP;
-#use Net::LDAP::Extension::SetPassword;
-#use Crypt::SmbHash;
-#use Digest::MD5 qw(md5);
-#use Digest::SHA qw(sha1);
-#use MIME::Base64 qw(encode_base64);
+use FindBin;
+use FindBin qw($RealBin);
+use lib "$RealBin/";
+use smbldap_tools;
+use Crypt::SmbHash;
+#####################
-use constant true => 1;
-use constant false => 0;
+use Getopt::Std;
+my %Options;
-my %conf_renamed_by = (
- password_hash => 'hash_encrypt',
- password_crypt_salt_format => 'crypt_salt_format',
-);
+# success = add_posix_machine($user, $uid, $gid)
+sub add_posix_machine_gosa {
+ my ( $user, $uid, $gid, $wait ) = @_;
+ if ( !defined $wait ) {
+ $wait = 0;
+ }
-my $smbldap_conf =
- $ENV{'SMBLDAP_CONF'} ||
- '/etc/samba/smbldap-machineadd-gosa.conf';
-my $smbldap_bind_conf =
- $ENV{'SMBLDAP_BIND_CONF'} ||
- '/etc/samba/smbldap-machineadd-gosa_bind.conf';
-my $samba_conf =
- $ENV{'SMBLDAP_SMB_CONF'} ||
- $ENV{'SMB_CONF_PATH'} ||
- '/etc/samba/smb.conf';
-my $samba_bindir =
- $ENV{'SMBLDAP_SAMBA_BINDIR'} ||
- '/usr/bin';
+ # bind to a directory with dn and password
+ my $add = $smbldap_tools::ldap->add(
+ "uid=$user,$config{computersdn}",
+ attr => [
-my $VERSION = 1.7;
+ 'objectclass' => ['top', 'person', 'organizationalPerson', 'inetOrgPerson', 'posixAccount', 'gotoWorkstation'],
+ #'objectclass' => [ 'top', 'account', 'posixAccount' ],
+ 'cn' => "$user",
-# let's read the configurations file...
-my %config = (
- masterLDAP => '127.0.0.7',
- masterPort => 389,
- ldapTLS => false,
- ldapSSL => false,
- password_hash => 'SSHA',
- clientcert => '',
- clientkey => '',
- password_crypt_salt_format=>'%s',
- read_conf()
-);
+ 'sn' => "$user",
+ 'uid' => "$user",
+ 'uidNumber' => "$uid",
+ 'gidNumber' => "$gid",
+ 'homeDirectory' => '/dev/null',
+ 'loginShell' => '/bin/false',
+ 'description' => 'Computer',
+ 'gecos' => 'Computer',
+ 'sn' => 'Computer',
+ ]
+ );
-my $ldap;
-
-sub read_parameter {
- my $line = shift;
- ## check for a param = value
- if ( $line =~ /=/ ) {
- my ( $param, $val );
- if ( $line =~ /\s*(.*?)\s*=\s*"(.*)"/ ) {
- ( $param, $val ) = ($1, $2);
- } elsif ( $line =~ /\s*(.*?)\s*=\s*'(.*)'/ ) {
- ( $param, $val ) = ($1, $2);
- } else {
- ( $param, $val ) = $line =~ /\s*(.*?)\s*=\s*(.*)/;
- }
- return ( $param, $val );
- }
+ $add->code && warn "failed to add entry: ", $add->error;
+ sleep($wait);
+ return 1;
}
-sub subst_configvar {
- my $value = shift;
- my $vars = shift;
- $value =~ s/\$\{([^}]+)\}/$vars->{$1} ? $vars->{$1} : $1/eg;
- return $value;
+my $ok =
+ getopts( 'o:abnmwWiPG:u:g:d:s:c:k:t:A:B:C:D:E:F:H:L:M:N:S:T:Z:?', \%Options );
+
+if ( ( !$ok ) || ( @ARGV < 1 ) || ( $Options{'?'} ) ) {
+ print_banner;
+ print "Usage: $0 [-awmugdsckABCDEFGHMNPST?] username\n";
+ print " -a is a Windows User (otherwise, Posix stuff only)\n";
+ print " -b is a AIX User\n";
+ print " -c gecos\n";
+ print " -d home\n";
+ print " -g gid\n";
+ print " -i is a trust account (Windows Workstation)\n";
+ print " -k skeleton dir (with -m)\n";
+ print " -m creates home directory and copies /etc/skel\n";
+ print " -n do not create a group\n";
+ print
+" -o add the user in the organizational unit (relative to the user suffix. Ex: 'ou=admin,ou=all')\n";
+ print " -u uid\n";
+ print " -s shell\n";
+ print
+" -t time. Wait 'time' seconds before exiting (when adding Windows Workstation)\n";
+ print " -w is a Windows Workstation (otherwise, Posix stuff only)\n";
+ print
+" -W is a Windows Workstation, with Samba atributes (otherwise, Posix stuff only)\n";
+ print " -A can change password ? 0 if no, 1 if yes\n";
+ print " -B must change password ? 0 if no, 1 if yes\n";
+ print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n";
+ print
+ " -D sambaHomeDrive (letter associated with home share, like 'H:')\n";
+ print " -E sambaLogonScript (DOS script to execute on login)\n";
+ print
+" -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n";
+ print " -G supplementary comma-separated groups\n";
+ print
+ " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n";
+ print " -M local mailAddress (comma seperated)\n";
+ print " -N given name \n";
+ print " -P ends by invoking smbldap-passwd\n";
+ print " -S surname (Family name)\n";
+ print " -T mailToAddress (forward address) (comma seperated)\n";
+ print " -Z set custom LDAP attributes, name=value pairs comma separated\n";
+ print " -? show this help message\n";
+ exit(1);
}
-sub getLocalSID {
- open my $fh, "-|" or exec("$samba_bindir/net", "getlocalsid") || exit(1);
+my $ldap_master = connect_ldap_master();
- my $line = <$fh>;
- if (!defined($line)) {
- die "Failed to get SID from Samba net command";
- }
+# cause problems when dealing with getpwuid because of the
+# negative ttl and ldap modification
+my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
- my ($sid) = ($line =~ m/^SID for domain \S+ is: (\S+)$/);
- if (!defined($sid)) {
- die "Samba net command returns invalid output: $line";
- }
-
- return $sid;
+if ( $nscd_status == 0 ) {
+ system "/etc/init.d/nscd stop > /dev/null 2>&1";
}
-sub read_conf {
- my %conf;
- open( CONFIGFILE, "$smbldap_conf" ) || die "Unable to open $smbldap_conf for reading !\n";
- while (<CONFIGFILE>) {
- chomp($_);
- ## throw away comments
- next if ( /^\s*#/ || /^\s*$/ || /^\s*\;/ );
- ## check for a param = value
- my ( $parameter, $value ) = read_parameter($_);
- $value = &subst_configvar( $value, \%conf );
- $conf{$parameter} = $value;
- }
- close(CONFIGFILE);
+# Read only first @ARGV
+my $userName = $ARGV[0];
- if ( $< == 0 ) {
- open( CONFIGFILE, "$smbldap_bind_conf" ) || die "Unable to open $smbldap_bind_conf for reading !\n";
- while (<CONFIGFILE>) {
- chomp($_);
- ## throw away comments
- next if ( /^\s*#/ || /^\s*$/ || /^\s*\;/ );
- ## check for a param = value
- my ( $parameter, $value ) = read_parameter($_);
- $value = &subst_configvar( $value, \%conf );
- $conf{$parameter} = $value;
- }
- close(CONFIGFILE);
- }
- else {
- $conf{slaveDN} = $conf{slavePw} = $conf{masterDN} = $conf{masterPw} = "";
- }
+# For computers account, add a trailing dollar if missing
+if ( defined( $Options{'w'} ) or defined( $Options{'W'} ) ) {
+ if ( $userName =~ /[^\$]$/s ) {
+ $userName .= "\$";
+ }
+}
- while (my ($new, $old) = each(%conf_renamed_by)) {
- if (exists($conf{$old})) {
- $conf{$new} = delete($conf{$old});
- }
- }
+# untaint $userName (can finish with one or two $)
+if ( $userName =~ /^([\w -.]+\$?)$/ ) {
+ $userName = $1;
+}
+else {
+ print "$0: illegal username\n";
+ exit(1);
+}
- # automatically find SID
- if ( not $conf{SID} ) {
- $conf{SID} = getLocalSID() || die "Unable to determine domain SID: please edit your smbldap.conf, or start your samba server for a few minutes to allow for SID generation to proceed\n";
- }
- return (%conf);
+# user must not exist in LDAP (should it be nss-wide ?)
+my ( $rc, $dn ) = get_user_dn2($userName);
+if ( $rc and defined($dn) ) {
+ print "$0: user $userName exists\n";
+ exit(9);
}
+elsif ( !$rc ) {
+ print "$0: error in get_user_dn2\n";
+ exit(10);
+}
-# success = add_posix_machine($user, $uid, $gid)
-sub add_posix_machine_gosa {
- my ( $user, $uid, $gid ) = @_;
+# Read options
+# we create the user in the specified ou (relative to the users suffix)
+my $user_ou = $Options{'o'};
+my $node;
+if ( defined $user_ou ) {
- # bind to a directory with dn and password
- my $add = $ldap->add(
- "uid=$user,$config{computersdn}",
- attr => [
- 'objectclass' => ['top', 'person', 'organizationalPerson', 'inetOrgPerson', 'posixAccount', 'gotoWorkstation'],
- 'cn' => "$user",
- 'sn' => "$user",
- 'uid' => "$user",
- 'uidNumber' => "$uid",
- 'gidNumber' => "$gid",
- 'homeDirectory' => '/dev/null',
- 'loginShell' => '/bin/false',
- 'description' => 'Windows Computer',
- 'gecos' => 'Windows Computer',
- 'sn' => 'Windows Computer',
- ]
- );
+# admin can specify a organizational unit like '-o ou=admin,ou=all'. We need to check that
+# each ou exist
+ my @path;
+ while ( $user_ou =~ m/(ou=)?([^,]+),?/g ) {
+ push( @path, $2 );
+ }
+ foreach $node ( reverse @path ) {
- $add->code && warn "failed to add entry: ", $add->error;
- return 1;
+ # if the ou does not exist, we create it
+ my $mesg = $ldap_master->search(
+ base => "$config{usersdn}",
+ scope => "one",
+ filter => "(&(objectClass=organizationalUnit)(ou=$node))"
+ );
+ $mesg->code && die $mesg->error;
+ if ( $mesg->count eq 0 ) {
+ print
+"ou=$node,$config{usersdn} does not exist. Creating it (Y/[N]) ? ";
+ chomp( my $answ = <STDIN> );
+ if ( $answ eq "y" || $answ eq "Y" ) {
+
+ # add organizational unit
+ my $add = $ldap_master->add(
+ "ou=$node,$config{usersdn}",
+ attr => [
+ 'objectclass' => [ 'top', 'organizationalUnit' ],
+ 'ou' => "$node"
+ ]
+ );
+ $add->code && die "failed to add entry: ", $add->error;
+ print "$user_ou,$config{usersdn} created \n";
+
+ }
+ else {
+ print "exiting.\n";
+ exit;
+ }
+ }
+ $config{usersdn} = "ou=$node,$config{usersdn}";
+ }
}
-sub get_user_dn2 {
- my $user = shift;
- my $dn = '';
- my $mesg = $ldap->search(
- base => $config{suffix},
- scope => $config{scope},
- filter => "(&(objectclass=posixAccount)(uid=$user))"
- );
- $mesg->code && warn "failed to perform search; ", $mesg->error;
+my $userUidNumber = $Options{'u'};
+if ( !defined($userUidNumber) ) {
+ $userUidNumber = user_next_uid();
+}
+elsif ( getpwuid($userUidNumber) ) {
+ die "Uid already exists.\n";
+}
- foreach my $entry ( $mesg->all_entries ) {
- $dn = $entry->dn;
- }
- chomp($dn);
- if ( $dn eq '' ) {
- return ( 1, undef );
- }
- $dn = "dn: " . $dn;
- return ( 1, $dn );
+if ( $nscd_status == 0 ) {
+ system "/etc/init.d/nscd start > /dev/null 2>&1";
}
-sub user_next_rid
-{
- my $uid = shift;
- my $domain = shift || $config{sambaDomain};
- my $checker = shift || \&rid_is_free;
+my $createGroup = 0;
+my $userGidNumber = $Options{'g'};
- if (defined(my $rid_base = account_base_rid($domain))) {
- ## Use legacy algorithmic RID generator
- return $uid * 2 + $rid_base;
- }
+# gid not specified ?
+if ( !defined($userGidNumber) ) {
- return account_next_rid($domain, $checker);
-}
+ # windows machine => $config{defaultComputerGid}
+ if ( defined( $Options{'w'} ) or defined( $Options{'W'} ) ) {
+ $userGidNumber = $config{defaultComputerGid};
-sub rid_is_free
-{
- my $rid = shift;
- my $domain_sid = shift || $config{SID};
+ # } elsif (!defined($Options{'n'})) {
+ # create new group (redhat style)
+ # find first unused gid starting from $config{GID_START}
+ # while (defined(getgrgid($config{GID_START}))) {
+ # $config{GID_START}++;
+ # }
+ # $userGidNumber = $config{GID_START};
- return !defined(account_by_rid($rid, $domain_sid));
-}
+ # $createGroup = 1;
-sub account_next_rid
-{
- my $domain = shift || $config{sambaDomain};
- my $checker = shift || \&rid_is_free;
+ }
+ else {
- return account_next_id("sambaNextRid", $domain, $checker);
+ # user will have gid = $config{defaultUserGid}
+ $userGidNumber = $config{defaultUserGid};
+ }
}
-
-sub user_next_uid
-{
- my $domain = shift || $config{sambaDomain};
- my $checker = shift || \&uid_is_free;
- return account_next_id("uidNumber", $domain, $checker);
+else {
+ my $gid;
+ if ( ( $gid = parse_group($userGidNumber) ) < 0 ) {
+ print "$0: unknown group $userGidNumber\n";
+ exit(6);
+ }
+ $userGidNumber = $gid;
}
-sub user_by_uid
+my $group_entry;
+my $userGroupSID;
+my $userRid;
+my $user_sid;
+if ( defined $Options{'a'}
+ or defined $Options{'i'}
+ or defined $Options{'w'}
+ or defined( $Options{'W'} ) )
{
- my $uid = shift;
- my $search = $ldap->search(
- base => $config{suffix},
- filter => "(&(objectClass=posixAccount)(uidNumber=$uid))",
- scope => "sub",
- );
- if ($search->code) {
- die "Failed to search entries by UID: $uid: " . $search->error;
- }
- return ($search->entries)[0];
+ # as grouprid we use the value of the sambaSID attribute for
+ # group of gidNumber=$userGidNumber
+ $group_entry = read_group_entry_gid($userGidNumber);
+ $userGroupSID = $group_entry->get_value('sambaSID');
+ unless ($userGroupSID) {
+ print "Error: SID not set for unix group $userGidNumber\n";
+ print "check if your unix group is mapped to an NT group\n";
+ exit(7);
+ }
+
+ # as rid we use 2 * uid + 1000
+ $userRid = 2 * $userUidNumber + 1000;
+
+ # let's test if this SID already exist
+ $user_sid = "$config{SID}-$userRid";
+ my $test_exist_sid = does_sid_exist( $user_sid, $config{usersdn} );
+ if ( $test_exist_sid->count == 1 ) {
+ print "User SID already owned by\n";
+
+ # there should not exist more than one entry, but ...
+ foreach my $entry ( $test_exist_sid->all_entries ) {
+ my $dn = $entry->dn;
+ chomp($dn);
+ print "$dn\n";
+ }
+ exit(7);
+ }
}
-sub uid_is_free
-{
- my ($uid) = @_;
- return !defined(user_by_uid($uid));
+my $userHomeDirectory;
+my ( $givenName, $userCN, $userSN, $displayName );
+my @userMailLocal;
+my @userMailTo;
+my $tmp;
+if ( !defined( $userHomeDirectory = $Options{'d'} ) ) {
+ $userHomeDirectory = &subst_user( $config{userHome}, $userName );
}
-sub account_base_rid
-{
- my $domain = shift || $config{sambaDomain};
+# RFC 2256 & RFC 2798
+# sn: family name (option S) # RFC 2256: family name of a person.
+# givenName: prenom (option N) # RFC 2256: part of a person's name which is not their surname nor middle name.
+# cn: person's full name # RFC 2256: person's full name.
+# displayName: perferably displayed name # RFC 2798: preferred name of a person to be used when displaying entries.
- my $search = $ldap->search(
- base => $config{suffix},
- filter => "(&(objectClass=sambaDomain)(sambaDomainName=$domain))",
- scope => "sub",
- attrs => ["sambaAlgorithmicRidBase", "sambaNextRid"],
- );
- if ($search->code) {
- die "Failed to search sambaDomain object to get sambaAlgorithmicRidBase: " . $search->error;
- }
- if ($search->count != 1) {
- die "Failed to find sambaDomain object to get sambaAlgorithmicRidBase";
- }
+#givenname is the forename of a person (not famiy name) => http://en.wikipedia.org/wiki/Given_name
+#surname (or sn) is the familiy name => http://en.wikipedia.org/wiki/Surname
+# my surname (or sn): Tournier
+# my givenname: Jerome
- my $entry = $search->entry(0);
- my $rid_base = $entry->get_value("sambaAlgorithmicRidBase");
- if (!defined($rid_base) && !defined($entry->get_value("sambaNextRid"))) {
- return 1000;
- }
-
- return $rid_base;
+$userHomeDirectory =~ s/\/\//\//;
+$config{userLoginShell} = $tmp if ( defined( $tmp = $Options{'s'} ) );
+$config{userGecos} = $tmp if ( defined( $tmp = $Options{'c'} ) );
+$config{skeletonDir} = $tmp if ( defined( $tmp = $Options{'k'} ) );
+$givenName = ( utf8Encode( $Options{'N'} ) || $userName );
+$userSN = ( utf8Encode( $Options{'S'} ) || $userName );
+if ( $Options{'N'} and $Options{'S'} ) {
+ $displayName = $userCN = "$givenName" . " $userSN";
}
+else {
+ $displayName = $userCN = $userName;
+}
-sub account_next_id
+ at userMailLocal = &split_arg_comma( $Options{'M'} );
+ at userMailTo = &split_arg_comma( $Options{'T'} );
+
+########################
+
+# MACHINE ACCOUNT
+if ( defined( $Options{'w'} )
+ or defined( $Options{'i'} )
+ or defined( $Options{'W'} ) )
{
- my $attr = shift;
- my $domain = shift || $config{sambaDomain};
- my $checker = shift;
- my $base = $config{sambaUnixIdPooldn};
- my $oc = "sambaUnixIdPool";
- my $filter = "(objectClass=sambaUnixIdPool)";
- my $scope = "base";
- my $id_bias = 0;
- if ($attr =~ /rid$/i) {
- $base = $config{suffix};
- $oc = "sambaDomain";
- $filter = "(&(objectClass=sambaDomain)(sambaDomainName=$domain))",
- $scope = "sub";
- ## NOTE: sambaNextRid has "latest RID", not "next RID"!
- $id_bias = 1;
- }
+ # if Options{'i'} and username does not end with $ caracter => we add it
+ if ( $Options{'i'} and !( $userName =~ m/\$$/ ) ) {
+ $userName .= "\$";
+ }
- for (;;) {
- my $search = $ldap->search(
- base => $base,
- filter => $filter,
- scope => $scope,
- attrs => [$attr],
- );
- if ($search->code) {
- die "Failed to search $oc to get next $attr: " . $search->error;
- }
- if ($search->count != 1) {
- die "Failed to find $oc to get next $attr";
- }
+ if (
+ !add_posix_machine_gosa(
+ $userName, $userUidNumber, $userGidNumber, $Options{'t'}
+ )
+ )
+ {
+ die "$0: error while adding posix account\n";
+ }
- my $entry = $search->entry(0);
- my $id = $entry->get_value($attr);
+ if ( defined( $Options{'i'} ) ) {
- my $modify = $ldap->modify($entry->dn,
- changes => [ replace => [ $attr=> $id + 1 ] ]
- );
- if ($modify->code) {
- die "Failed to update $attr in $oc: " . $modify->error;
- }
+ # For machine trust account
+ # Objectclass sambaSAMAccount must be added now !
+ my $pass;
+ my $pass2;
- $id += $id_bias;
- unless ($checker && !$checker->($id)) {
- return $id;
- }
- }
-}
+ system "stty -echo";
+ print "New password : ";
+ chomp( $pass = <STDIN> );
+ print "\n";
+ system "stty echo";
-sub connect_ldap_master {
- my $mesg;
+ system "stty -echo";
+ print "Retype new password : ";
+ chomp( $pass2 = <STDIN> );
+ print "\n";
+ system "stty echo";
- # bind to a directory with dn and password
- my $ldap_master;
- if ( $config{ldapSSL} ) {
- $ldap_master = Net::LDAP->new(
- "ldaps://$config{masterLDAP}:$config{masterPort}",
- verify => "$config{verify}",
- cafife => "$config{cafile}"
- ) or die "LDAP error: Can't contact master ldap server with SSL ($@)";
- } else {
- $ldap_master = Net::LDAP->new(
- "$config{masterLDAP}",
- port => "$config{masterPort}",
- version => 3,
- timeout => 60,
- # debug => 0xffff,
- ) or die "LDAP error: Can't contact master ldap server for writing ($@)";
- }
- if ( $config{ldapTLS} == 1 ) {
- $mesg = $ldap_master->start_tls(
- verify => "$config{verify}",
- clientcert => "$config{clientcert}",
- clientkey => "$config{clientkey}",
- cafile => "$config{cafile}"
- );
- if ( $mesg->code ) {
- die( "Could not start_tls: " . $mesg->error );
- }
- }
- $mesg = $ldap_master->bind( "$config{masterDN}",
- password => "$config{masterPw}"
- );
- $ldap = $ldap_master;
- return ($ldap_master);
-}
+ if ( $pass ne $pass2 ) {
+ print "New passwords don't match!\n";
+ exit(10);
+ }
+ my ( $lmpassword, $ntpassword ) = ntlmgen $pass;
+ my $date = time;
+ my $modify = $ldap_master->modify(
+ "uid=$userName,$config{computersdn}",
+ changes => [
+ replace => [
+ objectClass =>
+ [ 'top', 'posixAccount', 'person', 'organizationalPerson', 'inetOrgPerson', 'gosaAccount', 'sambaSamAccount', 'shadowAccount' ]
+ ],
+ add => [ sn => 'Computer' ],
+ add => [ sambaLogonTime => '0' ],
+ add => [ sambaLogoffTime => '2147483647' ],
+ add => [ sambaKickoffTime => '2147483647' ],
+ add => [ sambaPwdCanChange => '0' ],
+ add => [ sambaPwdMustChange => '2147483647' ],
+ add => [ sambaPwdLastSet => "$date" ],
+ add => [ sambaAcctFlags => '[I ]' ],
+ add => [ sambaLMPassword => "$lmpassword" ],
+ add => [ sambaNTPassword => "$ntpassword" ],
+ add => [ sambaSID => "$user_sid" ],
+ add => [ sambaPrimaryGroupSID => "$config{SID}-515" ]
+ ]
+ );
-sub read_group_entry_gid {
- my $group = shift;
- my %res;
- my $mesg = $ldap->search( # perform a search
- base => $config{groupsdn},
- scope => $config{scope},
- filter => "(&(objectclass=posixGroup)(gidNumber=$group))"
- );
+ $modify->code && die "failed to add entry: ", $modify->error;
+ }
+ elsif ( defined( $Options{'W'} ) ) {
+ my $date = time;
+ my $modify = $ldap_master->modify(
+ "uid=$userName,$config{computersdn}",
+ changes => [
+ replace => [
+ objectClass =>
+ [ 'top', 'posixAccount', 'person', 'organizationalPerson', 'inetOrgPerson', 'gosaAccount', 'sambaSamAccount', 'shadowAccount' ]
+ ],
+ add => [ sn => 'Computer' ],
+ add => [ sambaLogonTime => '0' ],
+ add => [ sambaLogoffTime => '2147483647' ],
+ add => [ sambaKickoffTime => '2147483647' ],
+ add => [ sambaPwdCanChange => '0' ],
+ add => [ sambaPwdMustChange => '2147483647' ],
+ add => [ sambaPwdLastSet => "$date" ],
+ add => [ sambaAcctFlags => '[W ]' ],
+ add => [ sambaSID => "$user_sid" ],
+ add => [ sambaPrimaryGroupSID => "$config{SID}-515" ],
+ add => [ displayName => "$userName" ],
+ add => [ sambaDomainName => "$config{sambaDomain}" ]
+ ]
+ );
- $mesg->code && die $mesg->error;
- my $entry = $mesg->shift_entry();
- return $entry;
+ $modify->code && die "failed to add entry: ", $modify->error;
+ }
+
+ $ldap_master->unbind;
+ exit 0;
}
-sub read_group_entry {
- my $group = shift;
- my $entry;
- my %res;
- my $mesg = $ldap->search( # perform a search
- base => $config{groupsdn},
- scope => $config{scope},
- filter => "(&(objectclass=posixGroup)(cn=$group))"
- );
+# USER ACCOUNT
+# add posix account first
+my $add;
- $mesg->code && die $mesg->error;
- my $nb = $mesg->count;
- if ( $nb > 1 ) {
- print "Error: $nb groups exist \"cn=$group\"\n";
- foreach $entry ( $mesg->all_entries ) {
- my $dn = $entry->dn;
- print " $dn\n";
- }
- exit 11;
- } else {
- $entry = $mesg->shift_entry();
- }
- return $entry;
+# if AIX account, inetOrgPerson obectclass can't be used
+if ( defined( $Options{'b'} ) ) {
+ $add = $ldap_master->add(
+ "uid=$userName,$config{usersdn}",
+ attr => [
+ 'objectclass' => [
+ 'top', 'person',
+ 'organizationalPerson', 'posixAccount',
+ 'shadowAccount'
+ ],
+ 'cn' => "$userCN",
+ 'sn' => "$userSN",
+ 'uid' => "$userName",
+ 'uidNumber' => "$userUidNumber",
+ 'gidNumber' => "$userGidNumber",
+ 'homeDirectory' => "$userHomeDirectory",
+ 'loginShell' => "$config{userLoginShell}",
+ 'gecos' => "$config{userGecos}",
+ 'userPassword' => "{crypt}x"
+ ]
+ );
}
+else {
+ $add = $ldap_master->add(
+ "uid=$userName,$config{usersdn}",
+ attr => [
+ 'objectclass' => [
+ 'top', 'person',
+ 'organizationalPerson', 'inetOrgPerson',
+ 'posixAccount', 'shadowAccount'
+ ],
+ 'cn' => "$userCN",
+ 'sn' => "$userSN",
+ 'givenName' => "$givenName",
+ 'uid' => "$userName",
+ 'uidNumber' => "$userUidNumber",
+ 'gidNumber' => "$userGidNumber",
+ 'homeDirectory' => "$userHomeDirectory",
+ 'loginShell' => "$config{userLoginShell}",
+ 'gecos' => "$config{userGecos}",
+ 'userPassword' => "{crypt}x"
+ ]
+ );
+}
+$add->code && warn "failed to add entry: ", $add->error;
-##############
-#### MAIN ####
-##############
+#if ($createGroup) {
+# group_add($userName, $userGidNumber);
+#}
-### PREPARING ###
+if ( $userGidNumber != $config{defaultUserGid} ) {
+ group_add_user( $userGidNumber, $userName );
+}
-my $ldap_master = connect_ldap_master();
+my $grouplist;
-# Read only first @ARGV
-my $userName = "";
-
-if ( defined $ARGV[0] ) {
- $userName = $ARGV[0];
+# adds to supplementary groups
+if ( defined( $grouplist = $Options{'G'} ) ) {
+ add_grouplist_user( $grouplist, $userName );
}
-# add a trailing dollar if missing
-if ( $userName =~ /[^\$]$/s ) {
- $userName .= "\$";
+# If user was created successfully then we should create his/her home dir
+if ( defined( $tmp = $Options{'m'} ) ) {
+ unless ( $userName =~ /\$$/ ) {
+ if ( !( -d $userHomeDirectory ) ) {
+ if ( $config{skeletonDir} ne "" ) {
+ system
+ "cp -r $config{skeletonDir} $userHomeDirectory 2>/dev/null";
+ }
+ else {
+ system "mkdir $userHomeDirectory 2>/dev/null";
+ }
+ system
+"chown -R $userName:$userGidNumber $userHomeDirectory 2>/dev/null";
+ if ( defined $config{userHomeDirectoryMode} ) {
+ system
+"chmod $config{userHomeDirectoryMode} $userHomeDirectory 2>/dev/null";
+ }
+ else {
+ system "chmod 700 $userHomeDirectory 2>/dev/null";
+ }
+ }
+ else {
+ print
+"Warning: homedirectory $userHomeDirectory already exist. Check manually\n";
+ }
+ }
}
-# untaint $userName (can finish with one or two $)
-if ( $userName =~ /^([\w -.]+\$?)$/ ) {
- $userName = $1;
+# we start to defined mail adresses if option M or T is given in option
+my @adds;
+if (@userMailLocal) {
+ my @mail;
+ foreach my $m (@userMailLocal) {
+ my $domain = $config{mailDomain};
+ if ( $m =~ /^(.+)@/ ) {
+ push( @mail, $m );
+
+ # mailLocalAddress contains only the first part
+ $m = $1;
+ }
+ else {
+ push( @mail, $m . ( $domain ? '@' . $domain : '' ) );
+ }
+ }
+ push( @adds, 'mailLocalAddress' => [@userMailLocal] );
+ push( @adds, 'mail' => [@mail] );
}
-else {
- print "$0: illegal username\n";
- exit(1);
+if (@userMailTo) {
+ push( @adds, 'mailRoutingAddress' => [@userMailTo] );
}
+if ( @userMailLocal || @userMailTo ) {
+ push( @adds, 'objectClass' => 'inetLocalMailRecipient' );
+}
-# user must not exist in LDAP (should it be nss-wide ?)
-my ( $rc, $dn ) = get_user_dn2($userName);
-if ( $rc and defined($dn) ) {
- print "$0: user $userName exists\n";
- exit(9);
+# Custom modification - MPK
+if ( $Options{'Z'} ) {
+ my @namval = split /,/, $Options{'Z'};
+ if (@namval) {
+ foreach my $pair (@namval) {
+ my ( $name, $value ) = split /=/, $pair;
+ next if ( !$name or !$value );
+ push( @adds, $name => $value );
+ }
+ }
}
-elsif ( !$rc ) {
- print "$0: error in get_user_dn2\n";
- exit(10);
-}
-my $userUidNumber = user_next_uid();
+# Add Samba user infos
+if ( defined( $Options{'a'} ) ) {
+ if ( !$config{with_smbpasswd} ) {
-# windows machine always get assigned the $config{defaultComputerGid}
-my $userGidNumber = $config{defaultComputerGid};
+ my $winmagic = 2147483647;
+ my $valpwdcanchange = 0;
+ my $valpwdmustchange = $winmagic;
+ my $valpwdlastset = 0;
+ my $valacctflags = "[UX]";
-# as grouprid we use the value of the sambaSID attribute for
-# group of gidNumber=$userGidNumber
-my $group_entry = read_group_entry_gid($userGidNumber);
-my $userGroupSID = $group_entry->get_value('sambaSID');
-unless ($userGroupSID) {
- print "Error: SID not set for unix group $userGidNumber\n";
- print "check if your unix group is mapped to an NT group\n";
- exit(7);
-}
+ if ( defined( $tmp = $Options{'A'} ) ) {
+ if ( $tmp != 0 ) {
+ $valpwdcanchange = "0";
+ }
+ else {
+ $valpwdcanchange = "$winmagic";
+ }
+ }
-my $userRid = user_next_rid($userUidNumber);
-my $user_sid = "$config{SID}-$userRid";
+ if ( defined( $tmp = $Options{'B'} ) ) {
+ if ( $tmp != 0 ) {
+ $valpwdmustchange = "0";
+ # To force a user to change his password:
+ # . the attribut sambaAcctFlags must not match the 'X' flag
+ $valacctflags = "[U]";
+ }
+ else {
+ $valpwdmustchange = "$winmagic";
+ }
+ }
-### ADD THE GOSA MACHINE ACCOUNT ###
+ if ( defined( $tmp = $Options{'H'} ) ) {
+ $valacctflags = "$tmp";
+ }
-if (
- !add_posix_machine_gosa(
- $userName, $userUidNumber, $userGidNumber
- )
-)
-{
- die "$0: error while adding posix account\n";
+ my $modify = $ldap_master->modify(
+ "uid=$userName,$config{usersdn}",
+ changes => [
+ add => [ objectClass => 'sambaSAMAccount' ],
+ add => [ sambaPwdLastSet => "$valpwdlastset" ],
+ add => [ sambaLogonTime => '0' ],
+ add => [ sambaLogoffTime => '2147483647' ],
+ add => [ sambaKickoffTime => '2147483647' ],
+ add => [ sambaPwdCanChange => "$valpwdcanchange" ],
+ add => [ sambaPwdMustChange => "$valpwdmustchange" ],
+ add => [ displayName => "$displayName" ],
+ add => [ sambaAcctFlags => "$valacctflags" ],
+ add => [ sambaSID => "$config{SID}-$userRid" ]
+ ]
+ );
+
+ $modify->code && die "failed to add entry: ", $modify->error;
+
+ }
+ else {
+ my $FILE = "|smbpasswd -s -a $userName >/dev/null";
+ open( FILE, $FILE ) || die "$!\n";
+ print FILE <<EOF;
+x
+x
+EOF
+ close FILE;
+ if ($?) {
+ print "$0: error adding samba account\n";
+ exit(10);
+ }
+ } # with_smbpasswd
+
+ $tmp = defined( $Options{'E'} ) ? $Options{'E'} : $config{userScript};
+ my $valscriptpath = &subst_user( $tmp, $userName );
+
+ $tmp = defined( $Options{'C'} ) ? $Options{'C'} : $config{userSmbHome};
+ my $valsmbhome = &subst_user( $tmp, $userName );
+
+ my $valhomedrive =
+ defined( $Options{'D'} ) ? $Options{'D'} : $config{userHomeDrive};
+
+ # if the letter is given without the ":" symbol, we add it
+ $valhomedrive .= ':' if ( $valhomedrive && $valhomedrive !~ /:$/ );
+
+ $tmp = defined( $Options{'F'} ) ? $Options{'F'} : $config{userProfile};
+ my $valprofilepath = &subst_user( $tmp, $userName );
+
+ if ($valhomedrive) {
+ push( @adds, 'sambaHomeDrive' => $valhomedrive );
+ }
+ if ($valsmbhome) {
+ push( @adds, 'sambaHomePath' => $valsmbhome );
+ }
+
+ if ($valprofilepath) {
+ push( @adds, 'sambaProfilePath' => $valprofilepath );
+ }
+ if ($valscriptpath) {
+ push( @adds, 'sambaLogonScript' => $valscriptpath );
+ }
+ if ( !$config{with_smbpasswd} ) {
+ push( @adds, 'sambaPrimaryGroupSID' => $userGroupSID );
+ push( @adds, 'sambaLMPassword' => "XXX" );
+ push( @adds, 'sambaNTPassword' => "XXX" );
+ }
+ my $modify =
+ $ldap_master->modify( "uid=$userName,$config{usersdn}", add => {@adds} );
+
+ $modify->code && die "failed to add entry: ", $modify->error;
}
-my $date = time;
-my $modify = $ldap_master->modify(
- "uid=$userName,$config{computersdn}",
- changes => [
- replace => [
- objectClass =>
- [ 'top', 'posixAccount', 'person', 'organizationalPerson', 'inetOrgPerson', 'gosaAccount', 'sambaSAMAccount', 'shadowAccount', ]
- ],
- add => [ sambaLogonTime => '0' ],
- add => [ sambaLogoffTime => '2147483647' ],
- add => [ sambaKickoffTime => '2147483647' ],
- add => [ sambaPwdCanChange => '0' ],
- add => [ sambaPwdMustChange => '2147483647' ],
- add => [ sambaPwdLastSet => "$date" ],
- add => [ sambaAcctFlags => '[W ]' ],
- add => [ sambaSID => "$user_sid" ],
- add => [ sambaPrimaryGroupSID => "$config{SID}-515" ],
- add => [ displayName => "$userName" ],
- add => [ sambaDomainName => "$config{sambaDomain}" ],
- ]
-);
+# add AIX user
+if ( defined( $Options{'b'} ) ) {
+ my $modify = $ldap_master->modify(
+ "uid=$userName,$config{usersdn}",
+ changes => [
+ add => [ objectClass => 'aixAuxAccount' ],
+ add => [ passwordChar => "!" ],
+ add => [ isAdministrator => "false" ]
+ ]
+ );
-$modify->code && die "failed to add entry: ", $modify->error;
-$ldap_master->unbind;
+ $modify->code && die "failed to add entry: ", $modify->error;
+}
+$ldap_master->unbind; # take down session
+
+if ( defined( $Options{'P'} ) ) {
+ if ( defined( $tmp = $Options{'B'} ) and $tmp != 0 ) {
+ exec "$RealBin/smbldap-passwd -B \"$userName\"";
+ }
+ else {
+ exec "$RealBin/smbldap-passwd \"$userName\"";
+ }
+}
+
exit 0;
+########################################
+
+=head1 NAME
+
+smbldap-useradd - Create a new user
+
+=head1 SYNOPSIS
+
+smbldap-useradd [-o user_ou] [-c comment] [-d home_dir] [-g initial_group] [-G group[,...]] [-m [-k skeleton_dir]] [-s shell] [-u uid [ -o]] [-P] [-A canchange] [-B mustchange] [-C smbhome] [-D homedrive] [-E scriptpath] [-F profilepath] [-H acctflags] login
+
+=head1 DESCRIPTION
+
+Creating New Users
+The smbldap-useradd command creates a new user account using the values specified on the command line and the default values from the system and from the configuration files (in /etc/smbldap-tools directory).
+
+For Samba users, rid is '2*uidNumber+1000', and sambaPrimaryGroupSID is '$SID-2*gidNumber+1001', where $SID is the domain SID. Thus you may want to use :
+$ smbldap-useradd -a -g "Domain Admins" -u 500 Administrator
+to create an domain administrator account (admin rid is 0x1F4 = 500 and grouprid is 0x200 = 512).
+
+Without any option, the account created will be an Unix (Posix) account. The following options may be used to add information:
+
+-o node
+ The user's account will be created in the specified organazional unit. It is relative to the user suffix dn ($usersdn) defined in the configuration file.
+Ex: 'ou=admin,ou=all'
+
+-a
+ The user will have a Samba account (and Unix).
+
+-b
+ The usrer is an AIX acount
+
+-w
+ Creates an account for a Samba machine (Workstation), so that it can join a sambaDomainName.
+
+-i
+ Creates an interdomain trust account (machine Workstation). A password will be asked for the trust account.
+
+-c "comment"
+ The new user's comment field (gecos). This option is for gecos only! To set as user's full name use the -N and -S options.
+
+-d home_dir
+ The new user will be created using home_dir as the value for the user's login directory. The default is to append the login name to userHomePrefix (defined in the configuration file) and use that as the login directory name.
+
+-g initial_group
+ The group name or number of the user's initial login group. The group name must exist. A group number must refer to an already existing group. The default group number is defined in the configuration file (defaultUserGid="513").
+
+-G group,[...]
+ A list of supplementary groups which the user is also a member of. Each group is separated to the next by a comma, with no intervening whitespace. The groups are subject to the same restrictions as the group given with the -g option. The default is for the user to belong only to the initial group.
+
+-m
+ The user's home directory will be created if it does not exist. The files contained in skeletonDir will be copied to the home directory if the -k option is used, otherwise the files contained in /etc/skel will be used instead. Any directories contained in skeletonDir or /etc/skel will be created in the user's home directory as well. The -k option is only valid in conjunction with the -m option. The default is to not create the directory and to not copy any files.
+
+-s shell
+ The name of the user's login shell. The default is to leave this field blank, which causes the system to select the default login shell.
+
+-t time
+ Wait <time> seconds before exiting script when adding computer's account. This is useful when Master/PDC and Slaves/BDCs are connected through the internet (replication is not real time)
+
+-u uid
+ The numerical value of the user's ID. This value must be unique, unless the -o option is used. The value must be nonnegative. The default is to use the smallest ID value greater than 1000 and greater than every other user.
+
+-P
+ ends by invoking smbldap-passwd
+
+-A
+ can change password ? 0 if no, 1 if yes
+
+-B
+ must change password ? 0 if no, 1 if yes
+
+-C sambaHomePath
+ SMB home share, like '\\\\PDC-SRV\\homes'
+
+-D sambaHomeDrive
+ letter associated with home share, like 'H:'
+
+-E sambaLogonScript
+ relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat'
+
+-F sambaProfilePath
+ profile directory, like '\\\\PDC-SRV\\profiles\\foo'
+
+-H sambaAcctFlags
+ spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]'
+
+-M mail
+ local mail aliases (multiple addresses are seperated by spaces)
+
+-N givenname
+ family name. Defaults to username
+
+-S surname
+ defaults to username
+
+-T mailToAddress
+ Forward address (multiple addresses are seperated by spaces)
+
+-n
+ do not print banner message
+
+=head1 SEE ALSO
+
+useradd(1)
+
+=cut
+
+#'
More information about the debian-edu-commits
mailing list