--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
+ "http://www.w3.org/TR/REC-html40/loose.dtd">
+<HTML>
+<HEAD><TITLE>Smbldap-tools User Manual
+(Release: 0.8.7 )</TITLE>
+
+<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<META name="GENERATOR" content="hevea 1.06">
+</HEAD>
+<BODY >
+<!--HEVEA command line is: /usr/bin/hevea -exec xxdate.exe -pedantic -nosymb smbldap-tools.tex -o html/smbldap-tools.html -->
+<!--HTMLHEAD-->
+<!--ENDHTML-->
+<!--PREFIX <ARG ></ARG>-->
+<!--CUT DEF section 1 -->
+
+
+<H1 ALIGN=center>Smbldap-tools User Manual<BR>
+(<I>Release</I>: 0.8.7 )</H1>
+
+<H3 ALIGN=center>Jérôme Tournier</H3>
+
+<H3 ALIGN=center><I>Revision</I>: 1.6 , generated May 25, 2005<BR>
+</H3>
+This document is the property of IDEALX<SUP><A NAME="text1" HREF="#note1">1</A></SUP>.
+Permission is granted to distribute this document under the terms of the GNU
+Free Documentation License (<TT>http://www.gnu.org/copyleft/fdl.html</TT>).<BR>
+<BR>
+<!--TOC section Table of Contents-->
+
+<H2>Table of Contents</H2><!--SEC END -->
+
+
+
+
+<!--TOC section Introduction-->
+
+<H2><A NAME="htoc1">1</A> Introduction</H2><!--SEC END -->
+
+<A NAME="sec:intro"></A>
+Smbldap-tools is a set of scripts designed to help integrate Samba and a
+LDAP directory. They target both users and administrators of Linux systems.<BR>
+<BR>
+Users can change their password in a way similar to the standard ``passwd''
+command.<BR>
+<BR>
+Administrators can perform user and group management command line actions
+and synchronise Samba account management consistently.<BR>
+<BR>
+This document presents:
+<UL><LI>
+a detailled view of the smbldap-tools scripts
+<LI>a step by step explanation of how to set up a Samba3 domain controller
+</UL>
+<!--TOC subsection Software requirements-->
+
+<H3><A NAME="htoc2">1.1</A> Software requirements</H3><!--SEC END -->
+
+The smbldap-tools have been developped and tested with the following configuration :
+<UL><LI>
+<FONT COLOR=purple><I>Linux</I></FONT> RedHat 9 (be should work on any <FONT COLOR=purple><I>Linux</I></FONT> distribution)
+<LI> <FONT COLOR=purple>Samba</FONT> release 3.0.2pre1,
+<LI><FONT COLOR=purple>OpenLDAP</FONT> release 2.1.22
+<LI><FONT COLOR=purple>Microsoft Windows NT</FONT> 4.0, Windows 2000 and Windows XP Workstations and Servers,
+</UL>
+This guide applies to <FONT COLOR=purple>smbldap-tools</FONT> <I>Release</I>: 0.8.7 .<BR>
+<BR>
+<!--TOC subsection Updates of this document-->
+
+<H3><A NAME="htoc3">1.2</A> Updates of this document</H3><!--SEC END -->
+
+The most up to date release of this document may be found on the
+smbldap-tools project page available at <TT>http://samba.IDEALX.org/</TT>.<BR>
+<BR>
+If you find any bugs in this document, or if you want this document to
+integrate some additional infos, please drop us a mail with your bug report
+and/or change request at <U>samba@IDEALX.org</U>.<BR>
+<BR>
+<!--TOC subsection Availability of this document-->
+
+<H3><A NAME="htoc4">1.3</A> Availability of this document</H3><!--SEC END -->
+
+This document is the property of
+<B><I>IDEALX</I></B> (<TT>http://www.IDEALX.com/</TT>). <BR>
+<BR>
+Permission is granted to distribute this document under the terms of the GNU
+Free Documentation License (See <TT>http://www.gnu.org/copyleft/fdl.html</TT>).
+ <!--TOC section Installation-->
+
+<H2><A NAME="htoc5">2</A> Installation</H2><!--SEC END -->
+
+<!--TOC subsection Requirements-->
+
+<H3><A NAME="htoc6">2.1</A> Requirements</H3><!--SEC END -->
+
+The main requirement for using smbldap-tools are the two perl module:
+Net::LDAP and Crypt::SmbHash.
+In most cases, you'll also need the IO-Socket-SSL Perl module to use
+TLS functionnality.<BR>
+<BR>
+If you want samba to call the scripts so that you can use the User
+Manager (or any other) under MS-Windows (to add, delete modify users and
+groups), <FONT COLOR=purple>Samba</FONT> must be installed on the same computer.
+Finally, <FONT COLOR=purple>OpenLDAP</FONT> can be installed on any computer. Please check that it
+can be contacted by a standard LDAP client software.<BR>
+<BR>
+<FONT COLOR=purple>Samba</FONT> and <FONT COLOR=purple>OpenLDAP</FONT> installations will not be discussed
+here. You can consult the howto also available on the
+project page (<TT>http://samba.IDEALX.org</TT>). Altought is has been
+written for Samba2, most of its content still apply to Samba3. The main
+difference stands in LDAP schema's definitions.<BR>
+<BR>
+<!--TOC subsection Installation-->
+
+<H3><A NAME="htoc7">2.2</A> Installation</H3><!--SEC END -->
+
+An archive of the <FONT COLOR=purple>smbldap-tools</FONT> scripts can be downloaded on our project
+page <TT>http://samba.IDEALX.org/</TT>. Archive and RedHat packages are
+available.
+<BR>
+If you are upgrading, look at the <TT>INSTALL</TT> file or read the link
+<A HREF="#faq::error::add::user">6.13</A>.<BR>
+<BR>
+<!--TOC subsubsection Installing from rpm-->
+
+<H4><A NAME="htoc8">2.2.1</A> Installing from rpm</H4><!--SEC END -->
+
+To install the scripts on a RedHat system, download the RPM
+package and run the following command:
+<PRE>
+rpm -Uvh smbldap-tools-0.8.5-1.i386.rpm
+</PRE>
+<!--TOC subsubsection Installing from a tarball-->
+
+<H4><A NAME="htoc9">2.2.2</A> Installing from a tarball</H4><!--SEC END -->
+
+On non RedHat system, download a source archive of the scripts. The current
+archive is <TT>smbldap-tools-0.8.5.tar.gz</TT>.
+Uncompress it and copy all of the Perl scripts in <TT>/usr/local/sbin</TT>
+directory, and the two configuration files in
+<TT>/etc/opt/IDEALX/smbldap-tools/</TT> directory:
+<PRE>
+mkdir /etc/opt/IDEALX/smbldap-tools/
+cp *.conf /etc/opt/IDEALX/smbldap-tools/
+cp smbldap-* /usr/local/sbin/
+</PRE>
+The configuration is now based on two differents files:
+<UL><LI>
+<TT>smbldap.conf</TT>: define global parameter
+<LI><TT>smbldap_bind.conf</TT>: define an administrative account to
+ bind to the directory
+</UL>
+The second file <B>must</B> be readable only for 'root', as it contains
+credentials allowing modifications on all the directory. Make sure the
+files are protected by running the following commands:
+<PRE>
+chmod 644 /etc/opt/IDEALX/smbldap-tools/smbldap.conf
+chmod 600 /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf
+</PRE> <!--TOC section Configuring the smbldap-tools-->
+
+<H2><A NAME="htoc10">3</A> Configuring the smbldap-tools</H2><!--SEC END -->
+
+As mentioned in the previous section, you'll have to update two
+configuration files. The first (<TT>smbldap.conf</TT>) allows you to
+set global parameter that are readable by everybody, and the second
+(<TT>smbldap_bind.conf</TT>) defines two administrative accounts to
+bind to a slave and a master ldap server: this file must thus be
+readable only by root.<BR>
+<BR>
+A script is named <TT>configure.pl</TT> can help you to set their contents
+up. It is located in the tarball
+downloaded or in the documentation directory if you got the RPM
+archive (see <TT>/usr/share/doc/smbldap-tools/</TT>). Just invoke it:
+<PRE>
+/usr/share/doc/smbldap-tools/configure.pl
+</PRE>It will ask for the default values defined in your
+<TT>smb.conf</TT> file, and will update the two configuration files used
+by the scripts. Note that you can stop the script at any moment with
+the <TT>Crtl-c</TT> keys.<BR>
+Before using this script :
+<UL><LI>
+the two configuration files <B>must</B> be present in the
+ <TT>/etc/opt/IDEALX/smbldap-tools/</TT> directory
+<LI>check that samba is configured and running, as the script will try to
+ get your workgroup's domain secure id (SID).
+</UL>
+In those files are parameters are defined like this:
+<PRE>
+key="value"
+</PRE>Full example configuration files can be found at
+<A HREF="#configuration::files">8.1</A>.<BR>
+<BR>
+<!--TOC subsection The smbldap.conf file-->
+
+<H3><A NAME="htoc11">3.1</A> The smbldap.conf file</H3><!--SEC END -->
+
+This file is used to define parameters that can be readable by
+everybody. A full example file is available in section <A HREF="#configuration::file::smbldap">8.1.1</A>.<BR>
+<BR>
+Let's have a look at all available parameters.
+<UL><LI>
+<TT>UID_START</TT> and <TT>GID_START</TT> : those parameters
+ are deprecated. Available uid and gid are now defined in the default
+ new entry <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT>.
+<LI><TT>SID</TT> : Secure Identifier Domain
+ <UL><LI>
+ Example: <TT>SID="S-1-5-21-3703471949-3718591838-2324585696"</TT>
+ <LI>Remark: you can get the SID for your domain using the <TT>net getlocalsid</TT>
+ command. Samba must be up and running for this to work (it can take <B>several</B> minutes for a Samba server to correctly negotiate its status with other network servers).
+</UL>
+<LI><TT>slaveLDAP</TT> : slave LDAP server
+ <UL><LI>
+ Example: <TT>slaveLDAP="127.0.0.1"</TT>
+ <LI>Remark: must be a resolvable DNS name or it's IP address
+ </UL>
+<LI><TT>slavePort</TT> : port to contact the slave server
+ <UL><LI>
+ Example: <TT>slavePort="389"</TT>
+ </UL>
+<LI><TT>masterLDAP</TT> : master LDAP server
+ <UL><LI>
+ Example: <TT>masterLDAP="127.0.0.1"</TT>
+ </UL>
+<LI><TT>masterPort</TT> : port to contact the master server
+ <UL><LI>
+ Example: <TT>masterPort="389"</TT>
+ </UL>
+<LI><TT>ldapTLS</TT> : should we use TLS connection to contact the
+ ldap servers ?
+ <UL><LI>
+ Example: <TT>ldapTLS="1"</TT>
+ <LI>Remark: the LDAP severs must be configured to accept TLS
+ connections. See section the Samba-LDAP Howto for more
+ details (<TT>http://samba.idealx.org/smbldap-howto.fr.html</TT>). If you are using TLS support, select port 389 to connect to
+ the master and slave directories.
+ </UL>
+<LI><TT>verify</TT> : How to verify the server's certificate (none,
+ optional or require). See "man Net::LDAP" in start_tls section for
+ more details
+ <UL><LI>
+ Example: <TT>verify="require"</TT>
+ </UL>
+<LI><TT>cafile</TT> : the PEM-format file containing certificates
+ for the CA that slapd will trust
+ <UL><LI>
+ Example: <TT>cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"</TT>
+ </UL>
+<LI><TT>clientcert</TT> : the file that contains the client certificate
+ <UL><LI>
+ Example: <TT>clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem"</TT>
+ </UL>
+<LI><TT>clientkey</TT> : the file that contains the private key that
+ matches the certificate stored in the clientcert file
+ <UL><LI>
+ Example: <TT>clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key"</TT>
+ </UL>
+<LI><TT>suffix</TT> : The distinguished name of the search base
+ <UL><LI>
+ Example: <TT>suffix="dc=idealx,dc=com"</TT>
+ </UL>
+<LI><TT>usersdn</TT> : branch in which users account can be found or
+ must be added
+ <UL><LI>
+ Example: <TT>usersdn="ou=Users,${suffix}"</TT>
+ <LI>Remark: this branch is <B>not</B> relative to the suffix value
+ </UL>
+<LI><TT>computersdn</TT> : branch in which computers account can be
+ found or must be added
+ <UL><LI>
+ Example: <TT>computersdn"ou=Computers,${suffix}"</TT>
+ <LI>Remark: this branch is <B>not</B> relative to the suffix value
+ </UL>
+<LI><TT>groupsdn</TT> : branch in which groups account can be found
+ or must be added
+ <UL><LI>
+ Example: <TT>groupsdn="ou=Groups,${suffix}"</TT>
+ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
+ </UL>
+<LI><TT>idmapdn</TT> : where are stored Idmap entries (used if samba is a domain member server)
+<UL><LI>
+ Example: <TT>idmapdn="ou=Idmap,${suffix}"</TT>
+ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
+</UL>
+<LI><TT>sambaUnixIdPooldn</TT> : object in which next uidNumber and gidNumber available are stored
+<UL><LI>
+ Example: <TT>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"</TT>
+ <LI>Remarks: this branch is <B>not</B> relative to the suffix value
+</UL>
+<LI><TT>scope</TT> : the search scope.
+<UL><LI>
+ Example: <TT>scope="sub"</TT>
+</UL>
+<LI><TT>hash_encrypt</TT> : hash to be used when generating a
+ user password.
+ <UL><LI>
+ Example: <TT>hash_encrypt="SSHA"</TT>
+ <LI>Remark: This is used for the unix password stored in <I>userPassword</I> attribute.
+ </UL>
+<LI><TT>crypt_salt_format="%s"</TT> : if hash_encrypt is set to
+ CRYPT, you may set a salt format. Default is "%s", but many systems
+ will generate MD5 hashed passwords if you use "$1$%.8s". This
+ parameter is optional.
+<LI><TT>userLoginShell</TT> : default shell given to users.
+ <UL><LI>
+ Example: <TT>userLoginShell="/bin/bash"</TT>
+ <LI>Remark: This is stored in <I>loginShell</I> attribute.
+ </UL>
+<LI><TT>userHome</TT> : default directory where users's home
+ directory are located.
+ <UL><LI>
+ Example: <TT>userHome="/home/%U"</TT>
+ <LI>Remark: This is stored in <TT>homeDirectory</TT> attribute.
+ </UL>
+<LI><TT>userGecos</TT> : gecos used for users
+ <UL><LI>
+ Example: <TT>userGecos="System User"</TT>
+ </UL>
+<LI><TT>defaultUserGid</TT> : default primary group set to users accounts
+ <UL><LI>
+ Example: <TT>defaultUserGid="513"</TT>
+ <LI>Remark: this is stored in <I>gidNumber</I> attribute.
+</UL>
+<LI><TT>defaultComputerGid</TT> : default primary group set to
+ computers accounts
+ <UL><LI>
+ Example: <TT>defaultComputerGid="550"</TT>
+ <LI>Remark: this is stored in <I>gidNumber</I> attribute.
+</UL>
+<LI><TT>skeletonDir</TT> : skeleton directory used for users accounts
+ <UL><LI>
+ Example: <TT>skeletonDir="/etc/skel"</TT>
+ <LI>Remark: this option is used only if you ask for home directory creation when adding a new user.
+ </UL>
+<LI><TT>defaultMaxPasswordAge</TT> : default validation time for a
+ password (in days)
+ <UL><LI>
+ Example: <TT>defaultMaxPassword="55"</TT>
+ </UL>
+<LI><TT>userSmbHome</TT> : samba share used to store user's home directory
+ <UL><LI>
+ Example:
+ <TT>userSmbHome="\\PDC-SMB3\ <I>home</I>\%<I>U</I>"</TT>
+ <LI>Remark: this is stored in <I>sambaHomePath</I> attribute.
+</UL>
+<LI><TT>userProfile</TT> : samba share used to store user's profile
+ <UL><LI>
+ Example:
+ <TT>userProfile="\\PDC-SMB3\ <I>profiles</I>\%<I>U</I>"</TT>
+ <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
+ </UL>
+<LI><TT>userScript</TT> : default user netlogon script name. If not used, will be automatically <I>username.cmd</I>
+ <UL><LI>
+ Example:
+ <TT>userScript="%U"</TT>
+ <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
+ </UL>
+<LI><TT>userHomeDrive</TT> : letter used on windows system to map
+ the home directory
+ <UL><LI>
+ Example: <TT>userHomeDrive="K:"</TT>
+ </UL>
+<LI><TT>with_smbpasswd</TT> : should we use the <I>smbpasswd</I> command
+ to set the user's password (instead of the <I>mkntpwd</I> utility) ?
+ <UL><LI>
+ Example: <TT>with_smbpasswd="0"</TT>
+ <LI>Remark: must be a boolean value (0 or 1).
+ </UL>
+<LI><TT>smbpasswd</TT> : path to the <TT>smbpasswd</TT> binary
+ <UL><LI>
+ Example: <TT>smbpasswd="/usr/bin/smbpasswd"</TT>
+ </UL>
+<LI><TT>mk_ntpasswd</TT> : path to the mkntpwd binary
+ <UL><LI>
+ Example: <TT>mk_ntpasswd="/usr/local/sbin/mkntpwd"</TT>
+ <LI>Remark: the rpm package of the smbldap-tools will install this
+ utility. If you are using the tarball archive, you have to install
+ it yourself (sources are also in the smbldap-tools archive).
+ </UL>
+<LI><TT>mailDomain</TT> : Domain appended to the users "mail"
+ attribute.
+ <UL><LI>
+ Example: <TT>mailDomain="idealx.org"</TT>
+ </UL>
+</UL>
+<!--TOC subsection The smbldap_bind.conf file-->
+
+<H3><A NAME="htoc12">3.2</A> The smbldap_bind.conf file</H3><!--SEC END -->
+
+This file is only used by <I>root</I> to modify the content of the directory.
+It contains distinguised names and credentials to connect to
+both the master and slave directories. A full example file is available
+in section <A HREF="#configuration::file::smbldap::bind">8.1.2</A>.<BR>
+<BR>
+Let's have a look at all available parameters.
+<UL><LI>
+<TT>slaveDN</TT> : distinguished name used to bind to the slave server
+ <UL><LI>
+ Example 1: <TT>slaveDN="cn=Manager,dc=idealx,dc=com"</TT>
+ <LI>Example 2: <TT>slaveDN=""</TT>
+ <LI>Remark: this can be the manager account of the directory or
+ any LDAP account that has sufficient permissions to read the full
+ directory (Slave directory is only used for reading). Anonymous
+ connections uses the second example form.
+ </UL>
+<LI><TT>slavePw</TT> : the credentials to bind to the slave server
+ <UL><LI>
+ Example 1: <TT>slavePw="secret"</TT>
+ <LI>Example 2: <TT>slavePw=""</TT>
+ <LI>Remark: the password must be stored here in clear form. This
+ file must then be readable only by root! All anonymous connections
+ use the second form provided in our example.
+ </UL>
+<LI><TT>masterDN</TT> : the distinguished name used to bind to the master server
+ <UL><LI>
+ Example: <TT>masterDN="cn=Manager,dc=idealx,dc=com"</TT>
+ <LI>Remark: this can be the manager account of the directory or
+ any LDAP account that has enough permissions to modify the content
+ of the directory. Anonymous access does not make any sense here.
+</UL>
+<LI><TT>masterPw</TT> : the credentials to bind to the master server
+ <UL><LI>
+ Example: <TT>masterPw="secret"</TT>
+ <LI>Remark: the password must be in clear text. Be sure to protect
+ this file against unauthorized readers!
+ </UL>
+</UL>
+ <!--TOC section Using the scripts-->
+
+<H2><A NAME="htoc13">4</A> Using the scripts</H2><!--SEC END -->
+
+<!--TOC subsection Initial directory's population-->
+
+<H3><A NAME="htoc14">4.1</A> Initial directory's population</H3><!--SEC END -->
+
+You can initialize the LDAP directory using the
+<TT>smbldap-populate</TT> script. To do that, the account defined in
+the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> to access the
+master directory <B>must</B> must be the manager account defined in the
+directory configuration. On RedHat system, this file is
+<TT>/etc/openldap/slapd.conf</TT> and the account is defined with
+<PRE>
+ rootdn "cn=Manager,dc=idealx,dc=com"
+ rootpw secret
+</PRE>The <TT>smbldap_bind.conf</TT> file must then be configured so that
+the parameters to connect to the master LDAP server match the previous ones:
+<PRE>
+ masterDN="cn=Manager,dc=idealx,dc=com"
+ masterPw="secret"
+</PRE>
+Available options for this script are summarized in the table <A HREF="#table::populate">1</A>:
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
+ <A NAME="code_epsilon_var"></A>
+ <DIV ALIGN=center>
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
+<TR><TD ALIGN=left NOWRAP>option</TD>
+<TD ALIGN=left NOWRAP>definition</TD>
+<TD ALIGN=left NOWRAP>default value</TD>
+</TR>
+<TR><TD ALIGN=left NOWRAP>-u <I>uidNumber</I></TD>
+<TD ALIGN=left NOWRAP>first uidNumber to allocate</TD>
+<TD ALIGN=left NOWRAP>1000</TD>
+</TR>
+<TR><TD ALIGN=left NOWRAP>-g <I>gidNumber</I></TD>
+<TD ALIGN=left NOWRAP>first uidNumber to allocate</TD>
+<TD ALIGN=left NOWRAP>1000</TD>
+</TR>
+<TR><TD ALIGN=left NOWRAP>-a <I>user</I></TD>
+<TD ALIGN=left NOWRAP>administrator login name</TD>
+<TD ALIGN=left NOWRAP>Administrator</TD>
+</TR>
+<TR><TD ALIGN=left NOWRAP>-b <I>user</I></TD>
+<TD ALIGN=left NOWRAP>guest login name</TD>
+<TD ALIGN=left NOWRAP>nobody</TD>
+</TR>
+<TR><TD ALIGN=left NOWRAP>-e <I>file</I></TD>
+<TD ALIGN=left NOWRAP>export a init file</TD>
+<TD ALIGN=left NOWRAP> </TD>
+</TR>
+<TR><TD ALIGN=left NOWRAP>-i <I>file</I></TD>
+<TD ALIGN=left NOWRAP>import a init file</TD>
+<TD ALIGN=left NOWRAP> </TD>
+</TR></TABLE>
+ </DIV>
+ <BR>
+<DIV ALIGN=center>Table 1: Options available for the <TT>smbldap-populate</TT> script</DIV><BR>
+
+ <A NAME="table::populate"></A>
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
+In the more general case, to set up your directory, simply use the
+following command:
+<PRE>
+[root@etoile root]# smbldap-populate
+Using builtin directory structure
+adding new entry: dc=idealx,dc=com
+adding new entry: ou=Users,dc=idealx,dc=com
+adding new entry: ou=Groups,dc=idealx,dc=com
+adding new entry: ou=Computers,dc=idealx,dc=com
+adding new entry: ou=Idmap,dc=idealx,dc=org
+adding new entry: cn=NextFreeUnixId,dc=idealx,dc=org
+adding new entry: uid=Administrator,ou=Users,dc=idealx,dc=com
+adding new entry: uid=nobody,ou=Users,dc=idealx,dc=com
+adding new entry: cn=Domain Admins,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Domain Users,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Domain Guests,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Print Operators,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Backup Operators,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Replicator,ou=Groups,dc=idealx,dc=com
+adding new entry: cn=Domain Computers,ou=Groups,dc=idealx,dc=com
+</PRE>
+After this step, if you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
+account anymore, you can create a dedicated account for Samba and the
+smbldap-tools. See section <A HREF="#change::manager">8.2</A> for more details.<BR>
+<BR>
+The <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> entry is only used to
+defined the next uidNumber and gidNumber available for creating new
+users and groups. The default values for those numbers are 1000. You
+can change it with the <TT>-u</TT> and <TT>-g</TT> option. For
+example, if you want the first available value for uidNumber and
+gidNumber to be set to 1500, you can use the following command :
+<PRE>
+smbldap-populate -u 1550 -g 1500
+</PRE>
+<!--TOC subsection User management-->
+
+<H3><A NAME="htoc15">4.2</A> User management</H3><!--SEC END -->
+
+<!--TOC subsubsection Adding a user-->
+
+<H4><A NAME="htoc16">4.2.1</A> Adding a user</H4><!--SEC END -->
+<A NAME="add::user"></A>
+To add a user, use the <TT>smbldap-useradd</TT> script. Available
+options are summarized in the table <A HREF="#table::add::user">2</A>. If applicable,
+default values are mentionned in the third column. Any string beginning with a
+$ symbol refers to a parameter defined in the
+<TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> configuration file.
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
+ <DIV ALIGN=center>
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
+<TR><TD VALIGN=top ALIGN=left>option</TD>
+<TD VALIGN=top ALIGN=left>definition</TD>
+<TD VALIGN=top ALIGN=left>example</TD>
+<TD VALIGN=top ALIGN=left>default value</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-a</TD>
+<TD VALIGN=top ALIGN=left>create a Windows account. Otherwise, only a Posix account
+ is created</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-w</TD>
+<TD VALIGN=top ALIGN=left>create a Windows Workstation account</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-i</TD>
+<TD VALIGN=top ALIGN=left>create an interdomain trust account. See section
+ <A HREF="#trust::account">4.4</A> for more details</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-u</TD>
+<TD VALIGN=top ALIGN=left>set a uid value</TD>
+<TD VALIGN=top ALIGN=left>-u 1003</TD>
+<TD VALIGN=top ALIGN=left>first uid available</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-g</TD>
+<TD VALIGN=top ALIGN=left>set a gid value</TD>
+<TD VALIGN=top ALIGN=left>-g 1003</TD>
+<TD VALIGN=top ALIGN=left>first gid available</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-G</TD>
+<TD VALIGN=top ALIGN=left>add the new account to one or several supplementary
+ groups (comma-separated)</TD>
+<TD VALIGN=top ALIGN=left>-G 512,550</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-d</TD>
+<TD VALIGN=top ALIGN=left>set the home directory</TD>
+<TD VALIGN=top ALIGN=left>-d /var/user</TD>
+<TD VALIGN=top ALIGN=left>$userHomePrefix/user</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-s</TD>
+<TD VALIGN=top ALIGN=left>set the login shell</TD>
+<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
+<TD VALIGN=top ALIGN=left>$userLoginShell</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-c</TD>
+<TD VALIGN=top ALIGN=left>set the user gecos</TD>
+<TD VALIGN=top ALIGN=left>-c "admin user"</TD>
+<TD VALIGN=top ALIGN=left>$userGecos</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-m</TD>
+<TD VALIGN=top ALIGN=left>creates user's home directory and copies /etc/skel
+ into it</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-k</TD>
+<TD VALIGN=top ALIGN=left>set the skeleton dir (with -m)</TD>
+<TD VALIGN=top ALIGN=left>-k /etc/skel2</TD>
+<TD VALIGN=top ALIGN=left>$skeletonDir</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-P</TD>
+<TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's
+ password</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-A</TD>
+<TD VALIGN=top ALIGN=left>user can change password ? 0 if no, 1 if yes</TD>
+<TD VALIGN=top ALIGN=left>-A 1</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-B</TD>
+<TD VALIGN=top ALIGN=left>user must change password at first session ? 0 if no, 1
+ if yes</TD>
+<TD VALIGN=top ALIGN=left>-B 1</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-C</TD>
+<TD VALIGN=top ALIGN=left>set the samba home share</TD>
+<TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD>
+<TD VALIGN=top ALIGN=left>$userSmbHome</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-D</TD>
+<TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD>
+<TD VALIGN=top ALIGN=left>-D H:</TD>
+<TD VALIGN=top ALIGN=left>$userHomeDrive</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-E</TD>
+<TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD>
+<TD VALIGN=top ALIGN=left>-E common.bat</TD>
+<TD VALIGN=top ALIGN=left>$userScript</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-F</TD>
+<TD VALIGN=top ALIGN=left>set the profile directory</TD>
+<TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD>
+<TD VALIGN=top ALIGN=left>$userProfile</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-H</TD>
+<TD VALIGN=top ALIGN=left>set the samba account control bits
+ like'[NDHTUMWSLKI]'</TD>
+<TD VALIGN=top ALIGN=left>-H [X]</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-N</TD>
+<TD VALIGN=top ALIGN=left>set the canonical name of the user</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-S</TD>
+<TD VALIGN=top ALIGN=left>set the surname of the user</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-M</TD>
+<TD VALIGN=top ALIGN=left>local mailAddress (comma seperated)</TD>
+<TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-T</TD>
+<TD VALIGN=top ALIGN=left>forward mail address (comma seperated)</TD>
+<TD VALIGN=top ALIGN=left>-T
+ testuser@domain.org</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR></TABLE>
+ </DIV>
+ <BR>
+<DIV ALIGN=center>Table 2: Options available to the <TT>smbldap-useradd</TT> script</DIV><BR>
+
+ <A NAME="table::add::user"></A>
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
+
+For example, if you want to add a user named <I>user_admin</I> and who :
+<UL><LI>
+is a windows user
+<LI>must belong to the group of gid=512 ('Domain Admins' group)
+<LI>has a home directory
+<LI>does not have a login shell
+<LI>has a homeDirectory set to /dev/null
+<LI>does not have a roaming profile
+<LI>and for whom we want to set a first login password
+</UL>
+you must invoke:
+<PRE>
+smbldap-useradd -a -G 512 -m -s /bin/false -d /dev/null -F "" -P user_admin
+</PRE>
+<!--TOC subsubsection Removing a user-->
+
+<H4><A NAME="htoc17">4.2.2</A> Removing a user</H4><!--SEC END -->
+
+To remove a user account, use the <TT>smbldap-userdel</TT> script.
+Available options are
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
+ <DIV ALIGN=center>
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
+<TR><TD ALIGN=left NOWRAP>option</TD>
+<TD ALIGN=left NOWRAP>definition</TD>
+</TR>
+<TR><TD ALIGN=left NOWRAP>-r</TD>
+<TD ALIGN=left NOWRAP>remove home directory</TD>
+</TR>
+<TR><TD ALIGN=left NOWRAP>-R</TD>
+<TD ALIGN=left NOWRAP>remove home directory interactively</TD>
+</TR></TABLE>
+ </DIV>
+ <BR>
+<DIV ALIGN=center>Table 3: Option available to the <TT>smbldap-userdel</TT> script</DIV><BR>
+
+ <A NAME="table::del::user"></A>
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
+For example, if you want to remove the <I>user1</I> account
+from the LDAP directory, and if you also want to delete his home
+directory, use the following command :
+<PRE>
+smbldap-userdel -r user1
+</PRE>
+Note: '-r' is dangerous as it may delete precious and unbackuped data,
+please be careful.<BR>
+<BR>
+<!--TOC subsubsection Modifying a user-->
+
+<H4><A NAME="htoc18">4.2.3</A> Modifying a user</H4><!--SEC END -->
+<A NAME="modify::user"></A>
+To modify a user account, use the <TT>smbldap-usermod</TT> script.
+Availables options are listed in the table <A HREF="#table::modify::user">4</A>.
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
+ <DIV ALIGN=center>
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
+<TR><TD VALIGN=top ALIGN=left>option</TD>
+<TD VALIGN=top ALIGN=left>definition</TD>
+<TD VALIGN=top ALIGN=left>example</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-c</TD>
+<TD VALIGN=top ALIGN=left>set the user gecos</TD>
+<TD VALIGN=top ALIGN=left>-c "admin user"</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-d</TD>
+<TD VALIGN=top ALIGN=left>set the home directory</TD>
+<TD VALIGN=top ALIGN=left>-d /var/user</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-u</TD>
+<TD VALIGN=top ALIGN=left>set a uid value</TD>
+<TD VALIGN=top ALIGN=left>-u 1003</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-g</TD>
+<TD VALIGN=top ALIGN=left>set a gid value</TD>
+<TD VALIGN=top ALIGN=left>-g 1003</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-G</TD>
+<TD VALIGN=top ALIGN=left>add the new account to one or several supplementary
+ groups (comma-separated)</TD>
+<TD VALIGN=top ALIGN=left>-G 512,550</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left>-G -512,550</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left>-G +512,550</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-s</TD>
+<TD VALIGN=top ALIGN=left>set the login shell</TD>
+<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-N</TD>
+<TD VALIGN=top ALIGN=left>set the canonical name of the user</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-S</TD>
+<TD VALIGN=top ALIGN=left>set the surname of the user</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-P</TD>
+<TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's password</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-a</TD>
+<TD VALIGN=top ALIGN=left>add sambaSAMAccount objectclass</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-e</TD>
+<TD VALIGN=top ALIGN=left>set an expiration date for the password (format: YYYY-MM-DD HH:MM:SS)</TD>
+<TD VALIGN=top ALIGN=left> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-A</TD>
+<TD VALIGN=top ALIGN=left>user can change password ? 0 if no, 1 if yes</TD>
+<TD VALIGN=top ALIGN=left>-A 1</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-B</TD>
+<TD VALIGN=top ALIGN=left>user must change password at first session ? 0 if no, 1
+ if yes</TD>
+<TD VALIGN=top ALIGN=left>-B 1</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-C</TD>
+<TD VALIGN=top ALIGN=left>set the samba home share</TD>
+<TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left>-C ""</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-D</TD>
+<TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD>
+<TD VALIGN=top ALIGN=left>-D H:</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left>-D ""</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-E</TD>
+<TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD>
+<TD VALIGN=top ALIGN=left>-E common.bat</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left>-E ""</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-F</TD>
+<TD VALIGN=top ALIGN=left>set the profile directory</TD>
+<TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left> </TD>
+<TD VALIGN=top ALIGN=left>-F ""</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-H</TD>
+<TD VALIGN=top ALIGN=left>set the samba account control bits like'[NDHTUMWSLKI]'</TD>
+<TD VALIGN=top ALIGN=left>-H [X]</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-I</TD>
+<TD VALIGN=top ALIGN=left>disable a user account</TD>
+<TD VALIGN=top ALIGN=left>-I 1</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-J</TD>
+<TD VALIGN=top ALIGN=left>enable a user</TD>
+<TD VALIGN=top ALIGN=left>-J 1</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-M</TD>
+<TD VALIGN=top ALIGN=left>local mailAddress (comma seperated)</TD>
+<TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-T</TD>
+<TD VALIGN=top ALIGN=left>forward mail address (comma seperated)</TD>
+<TD VALIGN=top ALIGN=left>-T
+ testuser@domain.org</TD>
+</TR></TABLE>
+ </DIV>
+ <BR>
+<DIV ALIGN=center>Table 4: Options available to the <TT>smbldap-usermod</TT> script</DIV><BR>
+
+ <A NAME="table::modify::user"></A>
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
+You can also use the <TT>smbldap-userinfo</TT> script to update user's information. This script can
+also be used by users themselves to update their own informations listed in the tables
+<A HREF="#table::modify::self::user">5</A> (adequats ACL must be set in the directory server). Available
+options are :
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
+ <DIV ALIGN=center>
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
+<TR><TD VALIGN=top ALIGN=left>option</TD>
+<TD VALIGN=top ALIGN=left>definition</TD>
+<TD VALIGN=top ALIGN=left>example</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-f</TD>
+<TD VALIGN=top ALIGN=left>set the full name's user</TD>
+<TD VALIGN=top ALIGN=left>-f MyName</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-r</TD>
+<TD VALIGN=top ALIGN=left>set the room number</TD>
+<TD VALIGN=top ALIGN=left>-r 99</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-w</TD>
+<TD VALIGN=top ALIGN=left>set the work phone number</TD>
+<TD VALIGN=top ALIGN=left>-w 111111111</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-h</TD>
+<TD VALIGN=top ALIGN=left>set the home phone number</TD>
+<TD VALIGN=top ALIGN=left>-h 222222222</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-o</TD>
+<TD VALIGN=top ALIGN=left>set other information (in gecos definition)</TD>
+<TD VALIGN=top ALIGN=left>-o "second stage"</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left>-s</TD>
+<TD VALIGN=top ALIGN=left>set the default bash</TD>
+<TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
+</TR></TABLE>
+ </DIV>
+ <BR>
+<DIV ALIGN=center>Table 5: Options available to the <TT>smbldap-userinfo</TT> script</DIV><BR>
+
+ <A NAME="table::modify::self::user"></A>
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
+<!--TOC subsection Group management-->
+
+<H3><A NAME="htoc19">4.3</A> Group management</H3><!--SEC END -->
+
+<!--TOC subsubsection Adding a group-->
+
+<H4><A NAME="htoc20">4.3.1</A> Adding a group</H4><!--SEC END -->
+
+To add a new group in the LDAP directory, use the <TT>smbldap-groupadd</TT>
+script. Available options are listed in the table
+<A HREF="#table::add::group">6</A>.
+<BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
+ <DIV ALIGN=center>
+ <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
+<TR><TD VALIGN=top ALIGN=left NOWRAP>option</TD>
+<TD VALIGN=top ALIGN=left>definition</TD>
+<TD VALIGN=top ALIGN=left NOWRAP>example</TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-a</TD>
+<TD VALIGN=top ALIGN=left>add automatic group mapping entry</TD>
+<TD VALIGN=top ALIGN=left NOWRAP> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-g <TT>gid</TT></TD>
+<TD VALIGN=top ALIGN=left>set the <I>gidNumer</I> for this group to
+ <I>gid</I></TD>
+<TD VALIGN=top ALIGN=left NOWRAP><TT>-g 1002</TT></TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-o</TD>
+<TD VALIGN=top ALIGN=left>gidNumber is not unique</TD>
+<TD VALIGN=top ALIGN=left NOWRAP> </TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-r <TT>group-rid</TT></TD>
+<TD VALIGN=top ALIGN=left>set the rid of the group to
+ <I>group-rid</I></TD>
+<TD VALIGN=top ALIGN=left NOWRAP><TT>-r 1002</TT></TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-s <TT>group-sid</TT></TD>
+<TD VALIGN=top ALIGN=left>set the sid of the group to
+ <I>group-sid</I></TD>
+<TD VALIGN=top ALIGN=left NOWRAP><TT><FONT SIZE=1>-s
+ S-1-5-21-3703471949-3718591838-2324585696-1002</FONT></TT></TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-t <TT>group-type</TT></TD>
+<TD VALIGN=top ALIGN=left>set the <I>sambaGroupType</I> to
+ <I>group-type</I></TD>
+<TD VALIGN=top ALIGN=left NOWRAP><TT>-t 2</TT></TD>
+</TR>
+<TR><TD VALIGN=top ALIGN=left NOWRAP>-p</TD>
+<TD VALIGN=top ALIGN=left>print the gidNumber to stdout</TD>
+<TD VALIGN=top ALIGN=left NOWRAP> </TD>
+</TR></TABLE>
+ </DIV>
+ <BR>
+<DIV ALIGN=center>Table 6: Options available for the <TT>smbldap-groupadd</TT> script</DIV><BR>
+
+ <A NAME="table::add::group"></A>
+<DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
+<!--TOC subsubsection Removing a group-->
+
+<H4><A NAME="htoc21">4.3.2</A> Removing a group</H4><!--SEC END -->
+
+To remove the group named <TT>group1</TT>, just use the following
+command :
+<PRE>
+smbldap-userdel group1
+</PRE>
+<!--TOC subsection Adding a interdomain trust account-->
+
+<H3><A NAME="htoc22">4.4</A> Adding a interdomain trust account</H3><!--SEC END -->
+<A NAME="trust::account"></A>
+To add an interdomain trust account to the primary controller <I>trust-pdc</I>, use the <TT>-i</TT> option of
+<TT>smbldap-useradd</TT> as follows :
+<PRE>
+[root@etoile root]# smbldap-useradd -i trust-pdc
+New password : *******
+Retype new password : *******
+</PRE>
+The script will terminate asking for a password for this trust
+account. The account will be created in the directory branch where
+all computer accounts are stored (<TT>ou=Computers</TT> by
+default). The only two particularities of this account are that you are
+setting a password for this account, and the flags of this account are
+<TT>[I ]</TT>.
+ <!--TOC section Samba and the smbldap-tools scripts-->
+
+<H2><A NAME="htoc23">5</A> Samba and the smbldap-tools scripts</H2><!--SEC END -->
+
+<!--TOC subsection General configuration-->
+
+<H3><A NAME="htoc24">5.1</A> General configuration</H3><!--SEC END -->
+
+Samba can be configured to use the <FONT COLOR=purple>smbldap-tools</FONT> scripts. This allows
+administrators to add, delete or modify user and group accounts for <FONT COLOR=purple>Microsoft Windows</FONT>
+operating systems using, for example, User Manager utility under MS-Windows.
+To enable the use of this utility, samba needs to be configured correctly. The
+<TT>smb.conf</TT> configuration file must contain the following directives :
+<PRE>
+ldap delete dn = Yes
+add user script = /usr/local/sbin/smbldap-useradd -m "%u"
+add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
+add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
+add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
+delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
+set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
+</PRE>
+Remark: the two directives <TT>delete user script</TT> et <TT>delete group
+script</TT> can also be used. However, an error message can appear in User Manager
+even if the operations actually succeed.
+If you want to enable this behaviour, you need to add
+<PRE>
+delete user script = /usr/local/sbin/smbldap-userdel "%u"
+delete group script = /usr/local/sbin/smbldap-groupdel "%g"
+</PRE>
+<!--TOC subsection Migrating an NT4 PDC to Samba3-->
+
+<H3><A NAME="htoc25">5.2</A> Migrating an NT4 PDC to Samba3</H3><!--SEC END -->
+
+The account migration procedure becomes really simple when samba is configured to use
+the <FONT COLOR=purple>smbldap-tools</FONT>. Samba configuration (smb.conf file) must contain the
+directive defined above to properly call the script for managing users, groups and computer accounts.
+The migration process is outlined in the chapter 30 of the samba howto
+<TT>http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html</TT>.
+ <BR>
+<BR>
+<!--TOC section Frequently Asked Questions-->
+
+<H2><A NAME="htoc26">6</A> Frequently Asked Questions</H2><!--SEC END -->
+
+<!--TOC subsection How can i use old released uidNumber and gidNumber ?-->
+
+<H3><A NAME="htoc27">6.1</A> How can i use old released uidNumber and gidNumber ?</H3><!--SEC END -->
+
+There are two way to do this :
+<UL><LI>
+modify the <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> and
+ change the <TT>uidNumber</TT> and/or <TT>gidNumber</TT> value. This
+ must be done manually. For example, if you want to use all available
+ uidNumber and gidNumber higher then 1500, you need to create a
+ <TT>update-NextFreeUnixId.ldif</TT> file containing :
+<PRE>dn: cn=NextFreeUnixId,dc=idealx,dc=org
+changetype: modify
+uidNumber: 1500
+gidNumber: 1500
+</PRE>
+and then update the directory :
+<PRE>
+ldapmodify -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f update-NextFreeUnixId.ldif
+</PRE><LI>use the <TT>-u</TT> or <TT>-g</TT> option to the script you need to set the value you
+ want to use
+</UL>
+<!--TOC subsection I always have this error: "Can't locate IO/Socket/SSL.pm"-->
+
+<H3><A NAME="htoc28">6.2</A> I always have this error: "Can't locate IO/Socket/SSL.pm"</H3><!--SEC END -->
+
+This happens when you want to use a certificate. In this case, you need to install the
+IO-Socket-SSL Perl module.<BR>
+<BR>
+<!--TOC subsection I can't initialize the directory with <TT>smbldap-populate</TT>-->
+
+<H3><A NAME="htoc29">6.3</A> I can't initialize the directory with <TT>smbldap-populate</TT></H3><!--SEC END -->
+
+When I want to initialize the directory using the <TT>smbldap-populate</TT>
+script, I get
+<PRE>
+[root@slave sbin]# smbldap-populate.pl
+ Using builtin directory structure
+ adding new entry: dc=IDEALX,dc=COM
+ Can't call method "code" without a package or object reference at
+ /usr/local/sbin/smbldap-populate.pl line 270, <GEN1> line 2.
+</PRE>Answer: check the TLS configuration
+<UL><LI>
+if you don't want to use TLS support, set the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file
+with
+<PRE>
+ldapSSL="0"
+</PRE><LI>if you want TLS support, set the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file with
+<PRE>
+ldapSSL="1"
+</PRE>and check that the directory server is configured to accept TLS connections.
+</UL>
+<!--TOC subsection I can't join the domain with the <TT>root</TT> account-->
+
+<H3><A NAME="htoc30">6.4</A> I can't join the domain with the <TT>root</TT> account</H3><!--SEC END -->
+
+<UL><LI>
+check that the root account has the sambaSamAccount objectclass
+<LI>check that the directive <TT>add machine script</TT> is present and configured
+</UL>
+<!--TOC subsection I have the <TT>sambaSamAccount</TT> but i can't logged in-->
+
+<H3><A NAME="htoc31">6.5</A> I have the <TT>sambaSamAccount</TT> but i can't logged in</H3><!--SEC END -->
+
+Check that the <TT>sambaPwdLastSet</TT> attribute is not null (equal to 0)<BR>
+<BR>
+<!--TOC subsection I want to create machine account on the fly, but it does
+ not works or I must do it twice-->
+
+<H3><A NAME="htoc32">6.6</A> I want to create machine account on the fly, but it does
+ not works or I must do it twice</H3><!--SEC END -->
+
+<UL><LI>
+The script defined with the <TT>add machine script</TT> must not add
+the <TT>sambaSAMAccount</TT> objectclass of the machine account. The
+script must only add the Posix machine account. Samba will add the <TT>sambaSAMAccount</TT> when
+joining the domain.
+<LI>Check that the <TT>add <B>machine</B> script</TT> is present in samba
+ configuration file.
+</UL>
+<!--TOC subsection I can't manage the Oracle Internet Database-->
+
+<H3><A NAME="htoc33">6.7</A> I can't manage the Oracle Internet Database</H3><!--SEC END -->
+
+If you have an error message like :
+<PRE>
+Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 187.
+Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 627.
+</PRE>For Oracle Database, all attributes that will be resquested to the directory must be indexed. Add a
+new index for samba attributes and make sure that the following attributes are also indexed :
+ uidNumber, gidNumber, memberUid, homedirectory, description, userPassword ...<BR>
+<BR>
+<!--TOC subsection The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
+called, or i got a error message when changing the password from windows-->
+
+<H3><A NAME="htoc34">6.8</A> The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
+called, or i got a error message when changing the password from windows</H3><!--SEC END -->
+
+The directive is called if you also set <TT>unix password sync = Yes</TT>.
+Notes:
+<UL><LI>
+if you use OpenLDAP, none of those two options are needed. You just need <TT>ldap
+passwd sync = Yes</TT>.
+<LI>the script called here must only update the <TT>userPassword</TT> attribute. This is the
+reason of the <TT>-u</TT> option. Samba passwords will be updated by samba itself.
+<LI>the <TT>passwd chat</TT> directive must match what is prompted when using the
+<TT>smbldap-passwd</TT> command
+</UL>
+<!--TOC subsection New computers account can't be set in ou=computers-->
+
+<H3><A NAME="htoc35">6.9</A> New computers account can't be set in ou=computers</H3><!--SEC END -->
+<A NAME="sec::bug::ou::computer"></A>
+This is a known samba bug. There's a workarround: look at
+<TT>http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2</TT><BR>
+<BR>
+<!--TOC subsection I can join the domain, but i can't log on-->
+
+<H3><A NAME="htoc36">6.10</A> I can join the domain, but i can't log on</H3><!--SEC END -->
+
+look at section <A HREF="#sec::bug::ou::computer">6.9</A><BR>
+<BR>
+<!--TOC subsection I can't create a user with <TT>smbldap-useradd</TT>-->
+
+<H3><A NAME="htoc37">6.11</A> I can't create a user with <TT>smbldap-useradd</TT></H3><!--SEC END -->
+
+When creating a new user account I get the following error message:
+<PRE>
+/usr/local/sbin/smbldap-useradd.pl: unknown group SID not set for unix group 513
+</PRE>Answer:
+<UL><LI>
+is nss_ldap correctly configured ?
+<LI>is the default group's users mapped to the 'Domain Users' NT group ?
+<PRE>
+net groupmap add rid=513 unixgroup="Domain Users" ntgroup="Domain Users"
+</PRE></UL>
+<!--TOC subsection smbldap-useradd: Can't call method "get_value" on an undefined value at
+/usr/local/sbin/smbldap-useradd line 154-->
+
+<H3><A NAME="htoc38">6.12</A> smbldap-useradd: Can't call method "get_value" on an undefined value at
+/usr/local/sbin/smbldap-useradd line 154</H3><!--SEC END -->
+
+<UL><LI>
+does the default group defined in smbldap.conf exist
+ (defaultUserGid="513") ?
+<LI>does the NT "Domain Users" group mapped to a unix
+ group of rid 513 (see option <I>-r</I> of <TT>smbldap-groupadd</TT> and
+ <TT>smbldap-groupmod</TT> to set a rid) ?
+</UL>
+<!--TOC subsection Typical errors on creating a new user or a new group-->
+
+<H3><A NAME="htoc39">6.13</A> Typical errors on creating a new user or a new group</H3><!--SEC END -->
+<A NAME="faq::error::add::user"></A>
+<UL><LI>
+i've got the following error:
+<PRE>
+Could not find base dn, to get next uidNumber at /usr/local/sbin//smbldap_tools.pm line 909
+</PRE><OL type=1><LI>
+ you do not have created the object to defined the next uidNumber and gidNumber available.
+ <UL><LI>
+ for version 0.8.7 : you can just run the <TT>smbldap-populate</TT> script that will
+ update the sambaDomain entry to store those informations
+ <LI>for version before 0.8.7 :
+ You have updated the smbldap-tools to version 0.8.5 or newer.
+ You have to do this manually. Create an file called <TT>add.ldif</TT> and containing
+<PRE>
+dn: cn=NextFreeUnixId,dc=idealx,dc=org
+objectClass: inetOrgPerson
+objectClass: sambaUnixIdPool
+uidNumber: 1000
+gidNumber: 1000
+cn: NextFreeUnixId
+sn: NextFreeUnixId
+</PRE> and then add the object with the ldapadd utility:
+<PRE>
+$ ldapadd -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f add.ldif
+</PRE> Here, 1000 is the first available value for uidNumber and gidNumber (of course, if this value is
+ already used by a user or a group, the first available after 1000 will be used).
+ </UL><BR>
+<BR>
+<LI>The error also appear when there is a need for TLS (ldapTLS=1 in <TT>smbldap.conf</TT>) and
+something is wrong with certificate naming or path settings.
+</OL><BR>
+<BR>
+<LI>i've got the following error:
+<PRE>
+Use of uninitialized value in string at
+/usr/local/sbin//smbldap\_tools.pm line 914.
+Error: No DN specified at /usr/local/sbin//smbldap\_tools.pm line 919
+</PRE>You have not updated the configuration file to defined the object where are sotred the next
+uidNumber and gidNumber available. In our example, you have to add a nex entry in
+<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I> containing :
+<PRE>
+# Where to store next uidNumber and gidNumber available
+sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
+</PRE>btw, a new option is now available too: the domain to append to users. You can add to the
+configuration file the following lines:
+<PRE>
+# Domain appended to the users "mail"-attribute
+# when smbldap-useradd -M is used mailDomain="idealx.com"
+</PRE><BR>
+<BR>
+<LI>i've got the following error:
+<PRE>
+Use of uninitialized value in concatenation (.) or string at /usr/local/sbin/smbldap-useradd line 183.
+Use of uninitialized value in substitution (s///) at /usr/local/sbin/smbldap-useradd line 185.
+Use of uninitialized value in string at /usr/local/sbin/smbldap-useradd line 264.
+failed to add entry: homedirectory: value #0 invalid per syntax at /usr/local/sbin/smbldap-useradd line 280.
+userHomeDirectory=User "jto" already member of the group "513".
+failed to add entry: No such object at /usr/local/sbin/smbldap-useradd line 382.
+</PRE>you have to change the variable name <TT>userHomePrefix</TT> to <TT>userHome</TT> in
+<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I><BR>
+<BR>
+<LI>i've got the following error:
+<PRE>
+failed to add entry: referral missing at /usr/local/sbin/smbldap-useradd line 279, <DATA> line 283.
+</PRE>you have to update the configuration file that defined users, groups and computers dn. Those
+parameters must not be relative to the <TT>suffix</TT> parameter. A typical
+configuration look like this :
+<PRE>
+usersdn="ou=Users,${suffix}"
+computersdn="ou=Computers,${suffix}"
+groupsdn="ou=Groups,${suffix}"
+</PRE><BR>
+<BR>
+<LI>i've got the following error:
+<PRE>
+erreur LDAP: Can't contact master ldap server (IO::Socket::INET: Bad protocol 'tcp')
+at /usr/local/sbin//smbldap_tools.pm line 153.
+</PRE>remove <I>ldap</I> from <I>/etc/nsswitch.conf</I> for <I>services</I> list of possible check. For
+example, if your ldap directory is not configured to give services information, you must have
+<PRE>
+services files
+</PRE>and not
+<PRE>
+services: ldap [NOTFOUND=return] files
+</PRE></UL>
+
+
+<!--TOC section Thanks-->
+
+<H2><A NAME="htoc40">7</A> Thanks</H2><!--SEC END -->
+
+<A NAME="thanks"></A>
+People who have worked on this document are
+<UL><LI>
+Jérôme Tournier <jerome.tournier@IDEALX.com>
+<LI>David Barth <david.barth@IDEALX.com>
+<LI>Nat Makarevitch <nat@IDEALX.com>
+</UL>
+The authors would like to thank the following people for providing help with
+some of the more complicated subjects, for clarifying some of the internal
+workings of <FONT COLOR=purple>Samba</FONT> or <FONT COLOR=purple>OpenLDAP</FONT>, for pointing out errors or mistakes in
+previous versions of this document, or generally for making
+suggestions :
+<UL><LI>
+IDEALX team :
+ <UL><LI>
+ Roméo Adekambi <romeo.adekambi@IDEALX.com>
+ <LI>Aurelien Degremont <adegremont@IDEALX.com>
+ <LI>Renaud Renard <rrenard@IDEALX.com>
+ </UL>
+<LI>John H Terpstra <jht@samba.org>
+</UL>
+ <!--TOC section Annexes-->
+
+<H2><A NAME="htoc41">8</A> Annexes</H2><!--SEC END -->
+
+<!--TOC subsection Full configuration files-->
+
+<H3><A NAME="htoc42">8.1</A> Full configuration files</H3><!--SEC END -->
+<A NAME="configuration::files"></A>
+<!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file-->
+
+<H4><A NAME="htoc43">8.1.1</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</H4><!--SEC END -->
+<A NAME="configuration::file::smbldap"></A>
+<PRE># $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
+# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $
+#
+# smbldap-tools.conf : Q & D configuration file for smbldap-tools
+
+# This code was developped by IDEALX (http://IDEALX.org/) and
+# contributors (their names can be found in the CONTRIBUTORS file).
+#
+# Copyright (C) 2001-2002 IDEALX
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+# Purpose :
+# . be the configuration file for all smbldap-tools scripts
+
+##############################################################################
+#
+# General Configuration
+#
+##############################################################################
+
+# Put your own SID. To obtain this number do: "net getlocalsid".
+# If not defined, parameter is taking from "net getlocalsid" return
+SID="S-1-5-21-4205727931-4131263253-1851132061"
+
+# Domain name the Samba server is in charged.
+# If not defined, parameter is taking from smb.conf configuration file
+# Ex: sambaDomain="IDEALX-NT"
+sambaDomain="IDEALX-NT"
+
+##############################################################################
+#
+# LDAP Configuration
+#
+##############################################################################
+
+# Notes: to use to dual ldap servers backend for Samba, you must patch
+# Samba with the dual-head patch from IDEALX. If not using this patch
+# just use the same server for slaveLDAP and masterLDAP.
+# Those two servers declarations can also be used when you have
+# . one master LDAP server where all writing operations must be done
+# . one slave LDAP server where all reading operations must be done
+# (typically a replication directory)
+
+# Slave LDAP server
+# Ex: slaveLDAP=127.0.0.1
+# If not defined, parameter is set to "127.0.0.1"
+slaveLDAP="127.0.0.1"
+
+# Slave LDAP port
+# If not defined, parameter is set to "389"
+slavePort="389"
+
+# Master LDAP server: needed for write operations
+# Ex: masterLDAP=127.0.0.1
+# If not defined, parameter is set to "127.0.0.1"
+masterLDAP="127.0.0.1"
+
+# Master LDAP port
+# If not defined, parameter is set to "389"
+masterPort="389"
+
+# Use TLS for LDAP
+# If set to 1, this option will use start_tls for connection
+# (you should also used the port 389)
+# If not defined, parameter is set to "1"
+ldapTLS="1"
+
+# How to verify the server's certificate (none, optional or require)
+# see "man Net::LDAP" in start_tls section for more details
+verify="require"
+
+# CA certificate
+# see "man Net::LDAP" in start_tls section for more details
+cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"
+
+# certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.pem"
+
+# key certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.key"
+
+# LDAP Suffix
+# Ex: suffix=dc=IDEALX,dc=ORG
+suffix="dc=idealx,dc=org"
+
+# Where are stored Users
+# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
+usersdn="ou=Users,${suffix}"
+
+# Where are stored Computers
+# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
+computersdn="ou=Computers,${suffix}"
+
+# Where are stored Groups
+# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
+groupsdn="ou=Groups,${suffix}"
+
+# Where are stored Idmap entries (used if samba is a domain member server)
+# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
+idmapdn="ou=Idmap,${suffix}"
+
+# Where to store next uidNumber and gidNumber available for new users and groups
+# If not defined, entries are stored in sambaDomainName object.
+# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
+# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
+sambaUnixIdPooldn="sambaDomainName=IDEALX-NT,${suffix}"
+
+# Default scope Used
+scope="sub"
+
+# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
+hash_encrypt="SSHA"
+
+# if hash_encrypt is set to CRYPT, you may set a salt format.
+# default is "%s", but many systems will generate MD5 hashed
+# passwords if you use "$1$%.8s". This parameter is optional!
+crypt_salt_format="%s"
+
+##############################################################################
+#
+# Unix Accounts Configuration
+#
+##############################################################################
+
+# Login defs
+# Default Login Shell
+# Ex: userLoginShell="/bin/bash"
+userLoginShell="/bin/bash"
+
+# Home directory
+# Ex: userHome="/home/%U"
+userHome="/home/%U"
+
+# Default mode used for user homeDirectory
+userHomeDirectoryMode="700"
+
+# Gecos
+userGecos="System User"
+
+# Default User (POSIX and Samba) GID
+defaultUserGid="513"
+
+# Default Computer (Samba) GID
+defaultComputerGid="515"
+
+# Skel dir
+skeletonDir="/etc/skel"
+
+# Default password validation time (time in days) Comment the next line if
+# you don't want password to be enable for defaultMaxPasswordAge days (be
+# careful to the sambaPwdMustChange attribute's value)
+defaultMaxPasswordAge="45"
+
+##############################################################################
+#
+# SAMBA Configuration
+#
+##############################################################################
+
+# The UNC path to home drives location (%U username substitution)
+# Just set it to a null string if you want to use the smb.conf 'logon home'
+# directive and/or disable roaming profiles
+# Ex: userSmbHome="\\PDC-SMB3\%U"
+userSmbHome="\\PDC-SRV\%U"
+
+# The UNC path to profiles locations (%U username substitution)
+# Just set it to a null string if you want to use the smb.conf 'logon path'
+# directive and/or disable roaming profiles
+# Ex: userProfile="\\PDC-SMB3\profiles\%U"
+userProfile="\\PDC-SRV\profiles\%U"
+
+# The default Home Drive Letter mapping
+# (will be automatically mapped at logon time if home directory exist)
+# Ex: userHomeDrive="H:"
+userHomeDrive="H:"
+
+# The default user netlogon script name (%U username substitution)
+# if not used, will be automatically username.cmd
+# make sure script file is edited under dos
+# Ex: userScript="startup.cmd" # make sure script file is edited under dos
+userScript="logon.bat"
+
+# Domain appended to the users "mail"-attribute
+# when smbldap-useradd -M is used
+# Ex: mailDomain="idealx.com"
+mailDomain="idealx.com"
+
+##############################################################################
+#
+# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
+#
+##############################################################################
+
+# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
+# prefer Crypt::SmbHash library
+with_smbpasswd="0"
+smbpasswd="/usr/bin/smbpasswd"
+
+# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
+# but prefer Crypt:: libraries
+with_slappasswd="0"
+slappasswd="/usr/sbin/slappasswd"
+
+# comment out the following line to get rid of the default banner
+# no_banner="1"
+
+</PRE>
+<!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file-->
+
+<H4><A NAME="htoc44">8.1.2</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</H4><!--SEC END -->
+<A NAME="configuration::file::smbldap::bind"></A>
+<PRE>############################
+# Credential Configuration #
+############################
+# Notes: you can specify two differents configuration if you use a
+# master ldap for writing access and a slave ldap server for reading access
+# By default, we will use the same DN (so it will work for standard Samba
+# release)
+slaveDN="cn=Manager,dc=idealx,dc=org"
+slavePw="secret"
+masterDN="cn=Manager,dc=idealx,dc=org"
+masterPw="secret"
+
+</PRE>
+<!--TOC subsubsection The samba configuration file : <TT>/etc/samba/smb.conf</TT> -->
+
+<H4><A NAME="htoc45">8.1.3</A> The samba configuration file : <TT>/etc/samba/smb.conf</TT> </H4><!--SEC END -->
+
+<PRE># Global parameters
+[global]
+ workgroup = IDEALX-NT
+ netbios name = PDC-SRV
+ #interfaces = 192.168.5.11
+ username map = /etc/samba/smbusers
+ enable privileges = yes
+ server string = Samba Server %v
+ security = user
+ encrypt passwords = Yes
+ min passwd length = 3
+ obey pam restrictions = No
+ ldap passwd sync = Yes
+ #unix password sync = Yes
+ #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
+ #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
+ ldap passwd sync = Yes
+ log level = 0
+ syslog = 0
+ log file = /var/log/samba/log.%m
+ max log size = 100000
+ time server = Yes
+ socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
+ mangling method = hash2
+ Dos charset = 850
+ Unix charset = ISO8859-1
+
+ logon script = logon.bat
+ logon drive = H:
+ logon home =
+ logon path =
+
+ domain logons = Yes
+ os level = 65
+ preferred master = Yes
+ domain master = Yes
+ wins support = Yes
+ passdb backend = ldapsam:ldap://127.0.0.1/
+ # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
+ # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
+ ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
+ ldap suffix = dc=idealx,dc=com
+ ldap group suffix = ou=Groups
+ ldap user suffix = ou=Users
+ ldap machine suffix = ou=Computers
+ ldap idmap suffix = ou=Users
+ ldap ssl = start tls
+ add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
+ ldap delete dn = Yes
+ #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
+ add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 5 -w "%u"
+ add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
+ #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
+ add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
+ delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
+ set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
+
+ # printers configuration
+ printer admin = @"Print Operators"
+ load printers = Yes
+ create mask = 0640
+ directory mask = 0750
+ nt acl support = No
+ printing = cups
+ printcap name = cups
+ deadtime = 10
+ guest account = nobody
+ map to guest = Bad User
+ dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
+ show add printer wizard = yes
+ ; to maintain capital letters in shortcuts in any of the profile folders:
+ preserve case = yes
+ short preserve case = yes
+ case sensitive = no
+
+[homes]
+ comment = repertoire de %U, %u
+ read only = No
+ create mask = 0644
+ directory mask = 0775
+ browseable = No
+
+[netlogon]
+ path = /home/netlogon/
+ browseable = No
+ read only = yes
+
+[profiles]
+ path = /home/profiles
+ read only = no
+ create mask = 0600
+ directory mask = 0700
+ browseable = No
+ guest ok = Yes
+ profile acls = yes
+ csc policy = disable
+ # next line is a great way to secure the profiles
+ force user = %U
+ # next line allows administrator to access all profiles
+ valid users = %U "Domain Admins"
+
+[printers]
+ comment = Network Printers
+ printer admin = @"Print Operators"
+ guest ok = yes
+ printable = yes
+ path = /home/spool/
+ browseable = No
+ read only = Yes
+ printable = Yes
+ print command = /usr/bin/lpr -P%p -r %s
+ lpq command = /usr/bin/lpq -P%p
+ lprm command = /usr/bin/lprm -P%p %j
+
+[print$]
+ path = /home/printers
+ guest ok = No
+ browseable = Yes
+ read only = Yes
+ valid users = @"Print Operators"
+ write list = @"Print Operators"
+ create mask = 0664
+ directory mask = 0775
+
+[public]
+ comment = Repertoire public
+ path = /home/public
+ browseable = Yes
+ guest ok = Yes
+ read only = No
+ directory mask = 0775
+ create mask = 0664
+
+</PRE>
+<!--TOC subsubsection The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT>-->
+
+<H4><A NAME="htoc46">8.1.4</A> The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></H4><!--SEC END -->
+
+<PRE>include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba.schema
+
+schemacheck on
+lastmod on
+
+TLSCertificateFile /etc/openldap/ldap.idealx.com.pem
+TLSCertificateKeyFile /etc/openldap/ldap.idealx.com.key
+TLSCACertificateFile /etc/openldap/ca.pem
+TLSCipherSuite :SSLv3
+#TLSVerifyClient demand
+
+#######################################################################
+# ldbm database definitions
+#######################################################################
+database ldbm
+suffix dc=idealx,dc=com
+rootdn "cn=Manager,dc=idealx,dc=com"
+rootpw secret
+directory /var/lib/ldap
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index objectClass,uid,uidNumber,gidNumber,memberUid eq
+index cn,mail,surname,givenname eq,subinitial
+
+# users can authenticate and change their password
+access to attrs=userPassword,sambaNTPassword,sambaLMPassword
+ by dn="cn=Manager,dc=idealx,dc=com" write
+ by self write
+ by anonymous auth
+ by * none
+# all others attributes are readable to everybody
+access to *
+ by * read
+</PRE>
+<!--TOC subsection Changing the administrative account (<TT>ldap admin
+ dn</TT> in <TT>smb.conf</TT> file)-->
+
+<H3><A NAME="htoc47">8.2</A> Changing the administrative account (<TT>ldap admin
+ dn</TT> in <TT>smb.conf</TT> file)</H3><!--SEC END -->
+<A NAME="change::manager"></A>
+If you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
+account anymore, you can create a dedicated account for Samba and the
+smbldap-tools scripts. To do
+this, create an account named <I>samba</I> as follows (see
+section <A HREF="#add::user">4.2.1</A> for a more detailed syntax) :
+<PRE>
+smbldap-useradd -s /bin/false -d /dev/null -P samba
+</PRE>This command will ask you to set a password for this account. Let's
+set it to <I>samba</I> for this example.
+You then need to modify configuration files:
+<UL><LI>
+file <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT>
+ <PRE>
+ slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
+ slavePw="samba"
+ masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
+ masterPw="samba"
+ </PRE><LI>file <TT>/etc/samba/smb.conf</TT>
+ <PRE>
+ ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
+ </PRE>don't forget to also set the samba account password in
+ <TT>secrets.tdb</TT> file :
+<PRE>
+smbpasswd -w samba
+</PRE><LI>file <TT>/etc/openldap/slapd.conf</TT>: give to the
+ <I>samba</I> user permissions to modify some attributes: this
+ user needs to be able to modify all the samba attributes and some
+ others (uidNumber, gidNumber ...) :
+ <PRE>
+# users can authenticate and change their password
+access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by self write
+ by anonymous auth
+ by * none
+# some attributes need to be readable anonymously so that 'id user' can answer correctly
+access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by * read
+# somme attributes can be writable by users themselves
+access to attrs=description,telephoneNumber
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by self write
+ by * read
+# some attributes need to be writable for samba
+access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by self read
+ by * none
+# samba need to be able to create the samba domain account
+access to dn.base="dc=idealx,dc=com"
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by * none
+# samba need to be able to create new users account
+access to dn="ou=Users,dc=idealx,dc=com"
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by * none
+# samba need to be able to create new groups account
+access to dn="ou=Groups,dc=idealx,dc=com"
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by * none
+# samba need to be able to create new computers account
+access to dn="ou=Computers,dc=idealx,dc=com"
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by * none
+# this can be omitted but we leave it: there could be other branch
+# in the directory
+access to *
+ by self read
+ by * none
+ </PRE></UL>
+<!--TOC subsection known bugs-->
+
+<H3><A NAME="htoc48">8.3</A> known bugs</H3><!--SEC END -->
+
+<UL><LI>
+Option <I>-B</I> (user must change password) of
+ <TT>smbldap-useradd</TT> does not have effect: when
+ <TT>smbldap-passwd</TT> script is called,
+ <I>sambaPwdMustChange</I> attribute is rewrite.
+</UL>
+
+<!--BEGIN NOTES document-->
+<HR WIDTH="50%" SIZE=1><DL><DT><A NAME="note1" HREF="#text1"><FONT SIZE=5>1</FONT></A><DD><TT>http://IDEALX.com/</TT>
+</DL>
+<!--END NOTES-->
+<!--HTMLFOOT-->
+<!--ENDHTML-->
+<!--FOOTER-->
+<HR SIZE=2>
+<BLOCKQUOTE><EM>This document was translated from L<sup>A</sup>T<sub>E</sub>X by
+</EM><A HREF="http://pauillac.inria.fr/~maranget/hevea/index.html"><EM>H<FONT SIZE=2><sup>E</sup></FONT>V<FONT SIZE=2><sup>E</sup></FONT>A</EM></A><EM>.
+</EM></BLOCKQUOTE>
+</BODY>
+</HTML>
projects / samba / blobdiff