1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
2 "http://www.w3.org/TR/REC-html40/loose.dtd">
4 <HEAD><TITLE>Smbldap-tools User Manual
5 (Release: 0.8.7 )</TITLE>
7 <META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
8 <META name="GENERATOR" content="hevea 1.06">
11 <!--HEVEA command line is: /usr/bin/hevea -exec xxdate.exe -pedantic -nosymb smbldap-tools.tex -o html/smbldap-tools.html -->
14 <!--PREFIX <ARG ></ARG>-->
15 <!--CUT DEF section 1 -->
18 <H1 ALIGN=center>Smbldap-tools User Manual<BR>
19 (<I>Release</I>: 0.8.7 )</H1>
21 <H3 ALIGN=center>Jérôme Tournier</H3>
23 <H3 ALIGN=center><I>Revision</I>: 1.6 , generated May 25, 2005<BR>
25 This document is the property of IDEALX<SUP><A NAME="text1" HREF="#note1">1</A></SUP>.
26 Permission is granted to distribute this document under the terms of the GNU
27 Free Documentation License (<TT>http://www.gnu.org/copyleft/fdl.html</TT>).<BR>
29 <!--TOC section Table of Contents-->
31 <H2>Table of Contents</H2><!--SEC END -->
36 <!--TOC section Introduction-->
38 <H2><A NAME="htoc1">1</A> Introduction</H2><!--SEC END -->
40 <A NAME="sec:intro"></A>
41 Smbldap-tools is a set of scripts designed to help integrate Samba and an
42 LDAP directory. They target both users and administrators of Linux systems.<BR>
44 Users can change their password in a way similar to the standard ``passwd''
47 Administrators can perform user and group management command line actions
48 and synchronise Samba account management consistently.<BR>
50 This document presents:
52 a detailed view of the smbldap-tools scripts
53 <LI>a step by step explanation of how to set up a Samba3 domain controller
55 <!--TOC subsection Software requirements-->
57 <H3><A NAME="htoc2">1.1</A> Software requirements</H3><!--SEC END -->
59 The smbldap-tools have been developed and tested with the following configuration:
61 <FONT COLOR=purple><I>Linux</I></FONT> RedHat 9 (but should work on any <FONT COLOR=purple><I>Linux</I></FONT> distribution)
62 <LI> <FONT COLOR=purple>Samba</FONT> release 3.0.2pre1,
63 <LI><FONT COLOR=purple>OpenLDAP</FONT> release 2.1.22
64 <LI><FONT COLOR=purple>Microsoft Windows NT</FONT> 4.0, Windows 2000 and Windows XP Workstations and Servers,
66 This guide applies to <FONT COLOR=purple>smbldap-tools</FONT> <I>Release</I>: 0.8.7 .<BR>
68 <!--TOC subsection Updates of this document-->
70 <H3><A NAME="htoc3">1.2</A> Updates of this document</H3><!--SEC END -->
72 The most up to date release of this document may be found on the
73 smbldap-tools project page available at <TT>http://samba.IDEALX.org/</TT>.<BR>
75 If you find any bugs in this document, or if you want this document to
76 integrate some additional infos, please drop us a mail with your bug report
77 and/or change request at <U>samba@IDEALX.org</U>.<BR>
79 <!--TOC subsection Availability of this document-->
81 <H3><A NAME="htoc4">1.3</A> Availability of this document</H3><!--SEC END -->
83 This document is the property of
84 <B><I>IDEALX</I></B> (<TT>http://www.IDEALX.com/</TT>). <BR>
86 Permission is granted to distribute this document under the terms of the GNU
87 Free Documentation License (See <TT>http://www.gnu.org/copyleft/fdl.html</TT>).
88 <!--TOC section Installation-->
90 <H2><A NAME="htoc5">2</A> Installation</H2><!--SEC END -->
92 <!--TOC subsection Requirements-->
94 <H3><A NAME="htoc6">2.1</A> Requirements</H3><!--SEC END -->
96 The main requirements for using smbldap-tools are the two Perl modules
97 Net::LDAP and Crypt::SmbHash.
98 In most cases, you'll also need the IO-Socket-SSL Perl module to use
99 TLS functionality.<BR>
101 If you want samba to call the scripts so that you can use the User
102 Manager (or any other) under MS-Windows (to add, delete or modify users and
103 groups), <FONT COLOR=purple>Samba</FONT> must be installed on the same computer.
104 Finally, <FONT COLOR=purple>OpenLDAP</FONT> can be installed on any computer. Please check that it
105 can be contacted by a standard LDAP client software.<BR>
107 <FONT COLOR=purple>Samba</FONT> and <FONT COLOR=purple>OpenLDAP</FONT> installations will not be discussed
108 here. You can consult the howto also available on the
109 project page (<TT>http://samba.IDEALX.org</TT>). Although it was
110 written for Samba2, most of its content still applies to Samba3. The main
111 difference lies in the LDAP schema definitions.<BR>
113 <!--TOC subsection Installation-->
115 <H3><A NAME="htoc7">2.2</A> Installation</H3><!--SEC END -->
117 An archive of the <FONT COLOR=purple>smbldap-tools</FONT> scripts can be downloaded on our project
118 page <TT>http://samba.IDEALX.org/</TT>. Archive and RedHat packages are
121 If you are upgrading, look at the <TT>INSTALL</TT> file or read the link
122 <A HREF="#faq::error::add::user">6.13</A>.<BR>
124 <!--TOC subsubsection Installing from rpm-->
126 <H4><A NAME="htoc8">2.2.1</A> Installing from rpm</H4><!--SEC END -->
128 To install the scripts on a RedHat system, download the RPM
129 package and run the following command:
131 rpm -Uvh smbldap-tools-0.8.5-1.i386.rpm
133 <!--TOC subsubsection Installing from a tarball-->
135 <H4><A NAME="htoc9">2.2.2</A> Installing from a tarball</H4><!--SEC END -->
137 On non-RedHat systems, download a source archive of the scripts. The current
138 archive is <TT>smbldap-tools-0.8.5.tar.gz</TT>.
139 Uncompress it and copy all of the Perl scripts into the <TT>/usr/local/sbin</TT>
140 directory, and the two configuration files into the
141 <TT>/etc/opt/IDEALX/smbldap-tools/</TT> directory:
143 mkdir /etc/opt/IDEALX/smbldap-tools/
144 cp *.conf /etc/opt/IDEALX/smbldap-tools/
145 cp smbldap-* /usr/local/sbin/
147 The configuration is now based on two different files:
149 <TT>smbldap.conf</TT>: defines global parameters
150 <LI><TT>smbldap_bind.conf</TT>: defines an administrative account to
151 bind to the directory
153 The second file <B>must</B> be readable only by 'root', as it contains
154 credentials allowing modification of the whole directory. Make sure the
155 files are protected by running the following commands:
157 chmod 644 /etc/opt/IDEALX/smbldap-tools/smbldap.conf
158 chmod 600 /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf
159 </PRE> <!--TOC section Configuring the smbldap-tools-->
161 <H2><A NAME="htoc10">3</A> Configuring the smbldap-tools</H2><!--SEC END -->
163 As mentioned in the previous section, you'll have to update two
164 configuration files. The first (<TT>smbldap.conf</TT>) allows you to
165 set global parameters that are readable by everybody, and the second
166 (<TT>smbldap_bind.conf</TT>) defines two administrative accounts to
167 bind to a slave and a master LDAP server: this file must thus be
168 readable only by root.<BR>
170 A script named <TT>configure.pl</TT> can help you set up their contents.
171 It is located in the downloaded tarball
172 or in the documentation directory if you installed the RPM
173 package (see <TT>/usr/share/doc/smbldap-tools/</TT>). Just invoke it:
175 /usr/share/doc/smbldap-tools/configure.pl
176 </PRE>It will ask for the default values defined in your
177 <TT>smb.conf</TT> file, and will update the two configuration files used
178 by the scripts. Note that you can stop the script at any moment with
179 the <TT>Ctrl-C</TT> keys.<BR>
180 Before using this script:
182 the two configuration files <B>must</B> be present in the
183 <TT>/etc/opt/IDEALX/smbldap-tools/</TT> directory
184 <LI>check that samba is configured and running, as the script will try to
185 get your workgroup's domain secure id (SID).
187 In those files, parameters are defined like this:
190 </PRE>Full example configuration files can be found at
191 <A HREF="#configuration::files">8.1</A>.<BR>
193 <!--TOC subsection The smbldap.conf file-->
195 <H3><A NAME="htoc11">3.1</A> The smbldap.conf file</H3><!--SEC END -->
197 This file is used to define parameters that may be readable by
198 everybody. A full example file is available in section <A HREF="#configuration::file::smbldap">8.1.1</A>.<BR>
200 Let's have a look at all available parameters.
202 <TT>UID_START</TT> and <TT>GID_START</TT> : those parameters
203 are deprecated. Available uid and gid are now defined in the default
204 new entry <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT>.
205 <LI><TT>SID</TT> : the Security Identifier (SID) of the domain
207 Example: <TT>SID="S-1-5-21-3703471949-3718591838-2324585696"</TT>
208 <LI>Remark: you can get the SID for your domain using the <TT>net getlocalsid</TT>
209 command. Samba must be up and running for this to work (it can take <B>several</B> minutes for a Samba server to correctly negotiate its status with other network servers).
211 <LI><TT>slaveLDAP</TT> : slave LDAP server
213 Example: <TT>slaveLDAP="127.0.0.1"</TT>
214 <LI>Remark: must be a resolvable DNS name or its IP address
216 <LI><TT>slavePort</TT> : port to contact the slave server
218 Example: <TT>slavePort="389"</TT>
220 <LI><TT>masterLDAP</TT> : master LDAP server
222 Example: <TT>masterLDAP="127.0.0.1"</TT>
224 <LI><TT>masterPort</TT> : port to contact the master server
226 Example: <TT>masterPort="389"</TT>
228 <LI><TT>ldapTLS</TT> : should we use TLS connection to contact the
231 Example: <TT>ldapTLS="1"</TT>
232 <LI>Remark: the LDAP servers must be configured to accept TLS
233 connections. See the Samba-LDAP Howto for more
234 details (<TT>http://samba.idealx.org/smbldap-howto.fr.html</TT>). If you are using TLS support, select port 389 to connect to
235 the master and slave directories.
237 <LI><TT>verify</TT> : How to verify the server's certificate (none,
238 optional or require). See "man Net::LDAP" in start_tls section for
241 Example: <TT>verify="require"</TT>
243 <LI><TT>cafile</TT> : the PEM-format file containing certificates
244 for the CA that slapd will trust
246 Example: <TT>cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"</TT>
248 <LI><TT>clientcert</TT> : the file that contains the client certificate
250 Example: <TT>clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.pem"</TT>
252 <LI><TT>clientkey</TT> : the file that contains the private key that
253 matches the certificate stored in the clientcert file
255 Example: <TT>clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.iallanis.com.key"</TT>
257 <LI><TT>suffix</TT> : The distinguished name of the search base
259 Example: <TT>suffix="dc=idealx,dc=com"</TT>
261 <LI><TT>usersdn</TT> : branch in which users account can be found or
264 Example: <TT>usersdn="ou=Users,${suffix}"</TT>
265 <LI>Remark: this branch is <B>not</B> relative to the suffix value
267 <LI><TT>computersdn</TT> : branch in which computers account can be
268 found or must be added
270 Example: <TT>computersdn="ou=Computers,${suffix}"</TT>
271 <LI>Remark: this branch is <B>not</B> relative to the suffix value
273 <LI><TT>groupsdn</TT> : branch in which groups account can be found
276 Example: <TT>groupsdn="ou=Groups,${suffix}"</TT>
277 <LI>Remarks: this branch is <B>not</B> relative to the suffix value
279 <LI><TT>idmapdn</TT> : where Idmap entries are stored (used if samba is a domain member server)
281 Example: <TT>idmapdn="ou=Idmap,${suffix}"</TT>
282 <LI>Remarks: this branch is <B>not</B> relative to the suffix value
284 <LI><TT>sambaUnixIdPooldn</TT> : object in which the next available uidNumber and gidNumber are stored
286 Example: <TT>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"</TT>
287 <LI>Remarks: this branch is <B>not</B> relative to the suffix value
289 <LI><TT>scope</TT> : the search scope.
291 Example: <TT>scope="sub"</TT>
293 <LI><TT>hash_encrypt</TT> : hash to be used when generating a
296 Example: <TT>hash_encrypt="SSHA"</TT>
297 <LI>Remark: This is used for the unix password stored in <I>userPassword</I> attribute.
299 <LI><TT>crypt_salt_format="%s"</TT> : if hash_encrypt is set to
300 CRYPT, you may set a salt format. Default is "%s", but many systems
301 will generate MD5 hashed passwords if you use "$1$%.8s". This
302 parameter is optional.
303 <LI><TT>userLoginShell</TT> : default shell given to users.
305 Example: <TT>userLoginShell="/bin/bash"</TT>
306 <LI>Remark: This is stored in <I>loginShell</I> attribute.
308 <LI><TT>userHome</TT> : default directory where users' home
309 directories are located.
311 Example: <TT>userHome="/home/%U"</TT>
312 <LI>Remark: This is stored in <TT>homeDirectory</TT> attribute.
314 <LI><TT>userGecos</TT> : gecos used for users
316 Example: <TT>userGecos="System User"</TT>
318 <LI><TT>defaultUserGid</TT> : default primary group set to users accounts
320 Example: <TT>defaultUserGid="513"</TT>
321 <LI>Remark: this is stored in <I>gidNumber</I> attribute.
323 <LI><TT>defaultComputerGid</TT> : default primary group set to
326 Example: <TT>defaultComputerGid="550"</TT>
327 <LI>Remark: this is stored in <I>gidNumber</I> attribute.
329 <LI><TT>skeletonDir</TT> : skeleton directory used for users accounts
331 Example: <TT>skeletonDir="/etc/skel"</TT>
332 <LI>Remark: this option is used only if you ask for home directory creation when adding a new user.
334 <LI><TT>defaultMaxPasswordAge</TT> : default validation time for a
337 Example: <TT>defaultMaxPasswordAge="55"</TT>
339 <LI><TT>userSmbHome</TT> : samba share used to store user's home directory
342 <TT>userSmbHome="\\PDC-SMB3\home\%U"</TT>
343 <LI>Remark: this is stored in <I>sambaHomePath</I> attribute.
345 <LI><TT>userProfile</TT> : samba share used to store user's profile
348 <TT>userProfile="\\PDC-SMB3\profiles\%U"</TT>
349 <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
351 <LI><TT>userScript</TT> : default user netlogon script name. If not used, will be automatically <I>username.cmd</I>
354 <TT>userScript="%U"</TT>
355 <LI>Remark: this is stored in <I>sambaProfilePath</I> attribute.
357 <LI><TT>userHomeDrive</TT> : letter used on windows system to map
360 Example: <TT>userHomeDrive="K:"</TT>
362 <LI><TT>with_smbpasswd</TT> : should we use the <I>smbpasswd</I> command
363 to set the user's password (instead of the <I>mkntpwd</I> utility)?
365 Example: <TT>with_smbpasswd="0"</TT>
366 <LI>Remark: must be a boolean value (0 or 1).
368 <LI><TT>smbpasswd</TT> : path to the <TT>smbpasswd</TT> binary
370 Example: <TT>smbpasswd="/usr/bin/smbpasswd"</TT>
372 <LI><TT>mk_ntpasswd</TT> : path to the mkntpwd binary
374 Example: <TT>mk_ntpasswd="/usr/local/sbin/mkntpwd"</TT>
375 <LI>Remark: the rpm package of the smbldap-tools will install this
376 utility. If you are using the tarball archive, you have to install
377 it yourself (sources are also in the smbldap-tools archive).
379 <LI><TT>mailDomain</TT> : Domain appended to the users "mail"
382 Example: <TT>mailDomain="idealx.org"</TT>
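The parameters above are all simple <TT>key="value"</TT> lines, so their consistency can be checked before the scripts are run. The following lint is an added example for this manual, not a script shipped with smbldap-tools: it extracts values with the syntax shown in section 3, expands <TT>${suffix}</TT>, and flags the settings that matter most for the directory's safety (branch DNs that are not absolute, non-boolean <TT>ldapTLS</TT>/<TT>with_smbpasswd</TT>, and TLS enabled without <TT>verify="require"</TT> or a <TT>cafile</TT>). The two sample files it writes are constructed for the demonstration; the warning rules are ours, not the project's.<BR>

```shell
#!/bin/sh
# Added example for this manual, not part of the smbldap-tools distribution:
# a lint for smbldap.conf built on the key="value" lines of section 3.1.
# Parameter names and the ${suffix} expansion follow the manual; the
# warning rules below are our own.

# smbldap_get FILE KEY: print the (unquoted) value of KEY, last definition wins
smbldap_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# smbldap_expand FILE VALUE: replace the literal ${suffix} with the suffix value
smbldap_expand() {
    suffix=$(smbldap_get "$1" suffix)
    printf '%s\n' "$2" | sed 's/\${suffix}/'"$suffix"'/g'
}

# smbldap_lint FILE: print one line per problem; the return value is the count
smbldap_lint() {
    conf=$1
    n=0
    suffix=$(smbldap_get "$conf" suffix)
    [ -n "$suffix" ] || { echo "suffix is not set"; n=$((n + 1)); }

    # the branches are absolute DNs (not relative to suffix): each must end with it
    for key in usersdn computersdn groupsdn; do
        dn=$(smbldap_expand "$conf" "$(smbldap_get "$conf" "$key")")
        case "$dn" in
            *"$suffix") ;;
            *) echo "$key='$dn' does not end with suffix '$suffix'"; n=$((n + 1)) ;;
        esac
    done

    # booleans must be 0 or 1
    for key in ldapTLS with_smbpasswd; do
        case "$(smbldap_get "$conf" "$key")" in
            0|1) ;;
            *) echo "$key must be 0 or 1"; n=$((n + 1)) ;;
        esac
    done

    # with TLS on, the server certificate has to be checked against a CA file
    if [ "$(smbldap_get "$conf" ldapTLS)" = "1" ]; then
        verify=$(smbldap_get "$conf" verify)
        [ "$verify" = "require" ] || { echo "ldapTLS=1 but verify='$verify': server certificate not enforced"; n=$((n + 1)); }
        [ -n "$(smbldap_get "$conf" cafile)" ] || { echo "ldapTLS=1 but cafile is empty"; n=$((n + 1)); }
    fi
    return $n
}

# Constructed sample files (not real configurations) to exercise the lint:
# a weak one (relative usersdn, TLS without verification, bad boolean) ...
write_weak_conf() {
    cat > "$1" <<'EOF'
suffix="dc=idealx,dc=com"
usersdn="ou=Users"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
ldapTLS="1"
verify="none"
cafile=""
with_smbpasswd="yes"
EOF
}
# ... and the corrected form of the same file
write_hardened_conf() {
    cat > "$1" <<'EOF'
suffix="dc=idealx,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
ldapTLS="1"
verify="require"
cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"
with_smbpasswd="0"
EOF
}

# Usage: smbldap_lint /etc/opt/IDEALX/smbldap-tools/smbldap.conf
if [ $# -eq 1 ] && [ -f "$1" ]; then smbldap_lint "$1"; fi
```

The return value is the number of problems found, so the lint fits into an installation script as a gate (<TT>smbldap_lint smbldap.conf || exit 1</TT>) before <TT>smbldap-populate</TT> is run.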
385 <!--TOC subsection The smbldap_bind.conf file-->
387 <H3><A NAME="htoc12">3.2</A> The smbldap_bind.conf file</H3><!--SEC END -->
389 This file is only used by <I>root</I> to modify the content of the directory.
390 It contains distinguished names and credentials to connect to
391 both the master and slave directories. A full example file is available
392 in section <A HREF="#configuration::file::smbldap::bind">8.1.2</A>.<BR>
394 Let's have a look at all available parameters.
396 <TT>slaveDN</TT> : distinguished name used to bind to the slave server
398 Example 1: <TT>slaveDN="cn=Manager,dc=idealx,dc=com"</TT>
399 <LI>Example 2: <TT>slaveDN=""</TT>
400 <LI>Remark: this can be the manager account of the directory or
401 any LDAP account that has sufficient permissions to read the full
402 directory (the slave directory is only used for reading). Anonymous
403 connections use the second example form.
405 <LI><TT>slavePw</TT> : the credentials to bind to the slave server
407 Example 1: <TT>slavePw="secret"</TT>
408 <LI>Example 2: <TT>slavePw=""</TT>
409 <LI>Remark: the password must be stored here in clear form. This
410 file must then be readable only by root! All anonymous connections
411 use the second form provided in our example.
413 <LI><TT>masterDN</TT> : the distinguished name used to bind to the master server
415 Example: <TT>masterDN="cn=Manager,dc=idealx,dc=com"</TT>
416 <LI>Remark: this can be the manager account of the directory or
417 any LDAP account that has enough permissions to modify the content
418 of the directory. Anonymous access does not make any sense here.
420 <LI><TT>masterPw</TT> : the credentials to bind to the master server
422 Example: <TT>masterPw="secret"</TT>
423 <LI>Remark: the password must be in clear text. Be sure to protect
424 this file against unauthorized readers!
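Because <TT>smbldap_bind.conf</TT> holds the master password in clear text, the requirements stated in section 2.2.2 (mode 600) and in this section (a real <TT>masterDN</TT>/<TT>masterPw</TT>, and slave credentials that are either both set or both empty for an anonymous bind) are worth verifying mechanically. The check below is an added example for this manual, not a script from smbldap-tools; the sample file it writes uses a placeholder password, and the expected owner defaults to root but can be passed as a second argument.<BR>

```shell
#!/bin/sh
# Added example for this manual, not part of the smbldap-tools distribution:
# verifies that smbldap_bind.conf is protected as sections 2.2.2 and 3.2
# require (mode 600, expected owner, master credentials present, slave
# credentials both set or both empty).

# smbldap_get FILE KEY: print the (unquoted) value of KEY, last definition wins
smbldap_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# file_mode FILE / file_owner FILE: GNU stat first, BSD stat as fallback
file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# check_bind_conf FILE [OWNER]: print each problem; the return value is the count
check_bind_conf() {
    f=$1 owner=${2:-root} n=0
    case "$(file_mode "$f")" in
        600|400) ;;
        *) echo "$f: mode $(file_mode "$f"), expected 600 (run: chmod 600 $f)"; n=$((n + 1)) ;;
    esac
    [ "$(file_owner "$f")" = "$owner" ] || { echo "$f: not owned by $owner"; n=$((n + 1)); }
    [ -n "$(smbldap_get "$f" masterDN)" ] || { echo "masterDN is empty: anonymous access makes no sense on the master"; n=$((n + 1)); }
    [ -n "$(smbldap_get "$f" masterPw)" ] || { echo "masterPw is empty"; n=$((n + 1)); }
    slave_dn=$(smbldap_get "$f" slaveDN)
    slave_pw=$(smbldap_get "$f" slavePw)
    # "set/" = DN without password, "/set" = password without DN: both are mistakes
    case "${slave_dn:+set}/${slave_pw:+set}" in
        set/|/set) echo "slaveDN and slavePw must both be set, or both empty for an anonymous bind"; n=$((n + 1)) ;;
    esac
    return $n
}

# Constructed sample file (the password is a placeholder, not a real secret)
write_sample_bind_conf() {   # $1=file $2=mode $3=masterPw
    printf '%s\n' 'slaveDN=""' 'slavePw=""' \
        'masterDN="cn=Manager,dc=idealx,dc=com"' "masterPw=\"$3\"" > "$1"
    chmod "$2" "$1"
}

# Usage: check_bind_conf /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf
if [ $# -eq 1 ] && [ -f "$1" ]; then check_bind_conf "$1"; fi
```

A file that passes is owned by the expected user, readable by nobody else, and carries a usable master bind; a world-readable copy with a blank <TT>masterPw</TT> is reported with two problems.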
427 <!--TOC section Using the scripts-->
429 <H2><A NAME="htoc13">4</A> Using the scripts</H2><!--SEC END -->
431 <!--TOC subsection Initial directory's population-->
433 <H3><A NAME="htoc14">4.1</A> Initial directory's population</H3><!--SEC END -->
435 You can initialize the LDAP directory using the
436 <TT>smbldap-populate</TT> script. To do that, the account defined in
437 <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> to access the
438 master directory <B>must</B> be the manager account defined in the
439 directory configuration. On RedHat systems, this file is
440 <TT>/etc/openldap/slapd.conf</TT> and the account is defined with
442 rootdn "cn=Manager,dc=idealx,dc=com"
444 </PRE>The <TT>smbldap_bind.conf</TT> file must then be configured so that
445 the parameters to connect to the master LDAP server match the previous ones:
447 masterDN="cn=Manager,dc=idealx,dc=com"
450 Available options for this script are summarized in the table <A HREF="#table::populate">1</A>:
451 <BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
452 <A NAME="code_epsilon_var"></A>
454 <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
455 <TR><TD ALIGN=left NOWRAP>option</TD>
456 <TD ALIGN=left NOWRAP>definition</TD>
457 <TD ALIGN=left NOWRAP>default value</TD>
459 <TR><TD ALIGN=left NOWRAP>-u <I>uidNumber</I></TD>
460 <TD ALIGN=left NOWRAP>first uidNumber to allocate</TD>
461 <TD ALIGN=left NOWRAP>1000</TD>
463 <TR><TD ALIGN=left NOWRAP>-g <I>gidNumber</I></TD>
464 <TD ALIGN=left NOWRAP>first gidNumber to allocate</TD>
465 <TD ALIGN=left NOWRAP>1000</TD>
467 <TR><TD ALIGN=left NOWRAP>-a <I>user</I></TD>
468 <TD ALIGN=left NOWRAP>administrator login name</TD>
469 <TD ALIGN=left NOWRAP>Administrator</TD>
471 <TR><TD ALIGN=left NOWRAP>-b <I>user</I></TD>
472 <TD ALIGN=left NOWRAP>guest login name</TD>
473 <TD ALIGN=left NOWRAP>nobody</TD>
475 <TR><TD ALIGN=left NOWRAP>-e <I>file</I></TD>
476 <TD ALIGN=left NOWRAP>export an init file</TD>
477 <TD ALIGN=left NOWRAP> </TD>
479 <TR><TD ALIGN=left NOWRAP>-i <I>file</I></TD>
480 <TD ALIGN=left NOWRAP>import an init file</TD>
481 <TD ALIGN=left NOWRAP> </TD>
485 <DIV ALIGN=center>Table 1: Options available for the <TT>smbldap-populate</TT> script</DIV><BR>
487 <A NAME="table::populate"></A>
488 <DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
489 In the more general case, to set up your directory, simply use the
492 [root@etoile root]# smbldap-populate
493 Using builtin directory structure
494 adding new entry: dc=idealx,dc=com
495 adding new entry: ou=Users,dc=idealx,dc=com
496 adding new entry: ou=Groups,dc=idealx,dc=com
497 adding new entry: ou=Computers,dc=idealx,dc=com
498 adding new entry: ou=Idmap,dc=idealx,dc=org
499 adding new entry: cn=NextFreeUnixId,dc=idealx,dc=org
500 adding new entry: uid=Administrator,ou=Users,dc=idealx,dc=com
501 adding new entry: uid=nobody,ou=Users,dc=idealx,dc=com
502 adding new entry: cn=Domain Admins,ou=Groups,dc=idealx,dc=com
503 adding new entry: cn=Domain Users,ou=Groups,dc=idealx,dc=com
504 adding new entry: cn=Domain Guests,ou=Groups,dc=idealx,dc=com
505 adding new entry: cn=Print Operators,ou=Groups,dc=idealx,dc=com
506 adding new entry: cn=Backup Operators,ou=Groups,dc=idealx,dc=com
507 adding new entry: cn=Replicator,ou=Groups,dc=idealx,dc=com
508 adding new entry: cn=Domain Computers,ou=Groups,dc=idealx,dc=com
510 After this step, if you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
511 account anymore, you can create a dedicated account for Samba and the
512 smbldap-tools. See section <A HREF="#change::manager">8.2</A> for more details.<BR>
514 The <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> entry is only used to
515 define the next uidNumber and gidNumber available for creating new
516 users and groups. The default values for those numbers are 1000. You
517 can change them with the <TT>-u</TT> and <TT>-g</TT> options. For
518 example, if you want the first available value for uidNumber and
519 gidNumber to be set to 1500, you can use the following command:
521 smbldap-populate -u 1550 -g 1500
523 <!--TOC subsection User management-->
525 <H3><A NAME="htoc15">4.2</A> User management</H3><!--SEC END -->
527 <!--TOC subsubsection Adding a user-->
529 <H4><A NAME="htoc16">4.2.1</A> Adding a user</H4><!--SEC END -->
530 <A NAME="add::user"></A>
531 To add a user, use the <TT>smbldap-useradd</TT> script. Available
532 options are summarized in the table <A HREF="#table::add::user">2</A>. If applicable,
533 default values are mentioned in the third column. Any string beginning with a
534 $ symbol refers to a parameter defined in the
535 <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> configuration file.
536 <BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
538 <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
539 <TR><TD VALIGN=top ALIGN=left>option</TD>
540 <TD VALIGN=top ALIGN=left>definition</TD>
541 <TD VALIGN=top ALIGN=left>example</TD>
542 <TD VALIGN=top ALIGN=left>default value</TD>
544 <TR><TD VALIGN=top ALIGN=left>-a</TD>
545 <TD VALIGN=top ALIGN=left>create a Windows account. Otherwise, only a Posix account
547 <TD VALIGN=top ALIGN=left> </TD>
548 <TD VALIGN=top ALIGN=left> </TD>
550 <TR><TD VALIGN=top ALIGN=left>-w</TD>
551 <TD VALIGN=top ALIGN=left>create a Windows Workstation account</TD>
552 <TD VALIGN=top ALIGN=left> </TD>
553 <TD VALIGN=top ALIGN=left> </TD>
555 <TR><TD VALIGN=top ALIGN=left>-i</TD>
556 <TD VALIGN=top ALIGN=left>create an interdomain trust account. See section
557 <A HREF="#trust::account">4.4</A> for more details</TD>
558 <TD VALIGN=top ALIGN=left> </TD>
559 <TD VALIGN=top ALIGN=left> </TD>
561 <TR><TD VALIGN=top ALIGN=left>-u</TD>
562 <TD VALIGN=top ALIGN=left>set a uid value</TD>
563 <TD VALIGN=top ALIGN=left>-u 1003</TD>
564 <TD VALIGN=top ALIGN=left>first uid available</TD>
566 <TR><TD VALIGN=top ALIGN=left>-g</TD>
567 <TD VALIGN=top ALIGN=left>set a gid value</TD>
568 <TD VALIGN=top ALIGN=left>-g 1003</TD>
569 <TD VALIGN=top ALIGN=left>first gid available</TD>
571 <TR><TD VALIGN=top ALIGN=left>-G</TD>
572 <TD VALIGN=top ALIGN=left>add the new account to one or several supplementary
573 groups (comma-separated)</TD>
574 <TD VALIGN=top ALIGN=left>-G 512,550</TD>
575 <TD VALIGN=top ALIGN=left> </TD>
577 <TR><TD VALIGN=top ALIGN=left>-d</TD>
578 <TD VALIGN=top ALIGN=left>set the home directory</TD>
579 <TD VALIGN=top ALIGN=left>-d /var/user</TD>
580 <TD VALIGN=top ALIGN=left>$userHomePrefix/user</TD>
582 <TR><TD VALIGN=top ALIGN=left>-s</TD>
583 <TD VALIGN=top ALIGN=left>set the login shell</TD>
584 <TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
585 <TD VALIGN=top ALIGN=left>$userLoginShell</TD>
587 <TR><TD VALIGN=top ALIGN=left>-c</TD>
588 <TD VALIGN=top ALIGN=left>set the user gecos</TD>
589 <TD VALIGN=top ALIGN=left>-c "admin user"</TD>
590 <TD VALIGN=top ALIGN=left>$userGecos</TD>
592 <TR><TD VALIGN=top ALIGN=left>-m</TD>
593 <TD VALIGN=top ALIGN=left>creates user's home directory and copies /etc/skel
595 <TD VALIGN=top ALIGN=left> </TD>
596 <TD VALIGN=top ALIGN=left> </TD>
598 <TR><TD VALIGN=top ALIGN=left>-k</TD>
599 <TD VALIGN=top ALIGN=left>set the skeleton dir (with -m)</TD>
600 <TD VALIGN=top ALIGN=left>-k /etc/skel2</TD>
601 <TD VALIGN=top ALIGN=left>$skeletonDir</TD>
603 <TR><TD VALIGN=top ALIGN=left>-P</TD>
604 <TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's
606 <TD VALIGN=top ALIGN=left> </TD>
607 <TD VALIGN=top ALIGN=left> </TD>
609 <TR><TD VALIGN=top ALIGN=left>-A</TD>
610 <TD VALIGN=top ALIGN=left>user can change password ? 0 if no, 1 if yes</TD>
611 <TD VALIGN=top ALIGN=left>-A 1</TD>
612 <TD VALIGN=top ALIGN=left> </TD>
614 <TR><TD VALIGN=top ALIGN=left>-B</TD>
615 <TD VALIGN=top ALIGN=left>user must change password at first session ? 0 if no, 1
617 <TD VALIGN=top ALIGN=left>-B 1</TD>
618 <TD VALIGN=top ALIGN=left> </TD>
620 <TR><TD VALIGN=top ALIGN=left>-C</TD>
621 <TD VALIGN=top ALIGN=left>set the samba home share</TD>
622 <TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD>
623 <TD VALIGN=top ALIGN=left>$userSmbHome</TD>
625 <TR><TD VALIGN=top ALIGN=left>-D</TD>
626 <TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD>
627 <TD VALIGN=top ALIGN=left>-D H:</TD>
628 <TD VALIGN=top ALIGN=left>$userHomeDrive</TD>
630 <TR><TD VALIGN=top ALIGN=left>-E</TD>
631 <TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD>
632 <TD VALIGN=top ALIGN=left>-E common.bat</TD>
633 <TD VALIGN=top ALIGN=left>$userScript</TD>
635 <TR><TD VALIGN=top ALIGN=left>-F</TD>
636 <TD VALIGN=top ALIGN=left>set the profile directory</TD>
637 <TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD>
638 <TD VALIGN=top ALIGN=left>$userProfile</TD>
640 <TR><TD VALIGN=top ALIGN=left>-H</TD>
641 <TD VALIGN=top ALIGN=left>set the samba account control bits
642 like '[NDHTUMWSLKI]'</TD>
643 <TD VALIGN=top ALIGN=left>-H [X]</TD>
644 <TD VALIGN=top ALIGN=left> </TD>
646 <TR><TD VALIGN=top ALIGN=left>-N</TD>
647 <TD VALIGN=top ALIGN=left>set the canonical name of the user</TD>
648 <TD VALIGN=top ALIGN=left> </TD>
649 <TD VALIGN=top ALIGN=left> </TD>
651 <TR><TD VALIGN=top ALIGN=left>-S</TD>
652 <TD VALIGN=top ALIGN=left>set the surname of the user</TD>
653 <TD VALIGN=top ALIGN=left> </TD>
654 <TD VALIGN=top ALIGN=left> </TD>
656 <TR><TD VALIGN=top ALIGN=left>-M</TD>
657 <TD VALIGN=top ALIGN=left>local mailAddress (comma separated)</TD>
658 <TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD>
659 <TD VALIGN=top ALIGN=left> </TD>
661 <TR><TD VALIGN=top ALIGN=left>-T</TD>
662 <TD VALIGN=top ALIGN=left>forward mail address (comma separated)</TD>
663 <TD VALIGN=top ALIGN=left>-T
664 testuser@domain.org</TD>
665 <TD VALIGN=top ALIGN=left> </TD>
669 <DIV ALIGN=center>Table 2: Options available to the <TT>smbldap-useradd</TT> script</DIV><BR>
671 <A NAME="table::add::user"></A>
672 <DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
674 For example, if you want to add a user named <I>user_admin</I> who:
677 <LI>must belong to the group of gid=512 ('Domain Admins' group)
678 <LI>has a home directory
679 <LI>does not have a login shell
680 <LI>has a homeDirectory set to /dev/null
681 <LI>does not have a roaming profile
682 <LI>and for whom we want to set a first login password
686 smbldap-useradd -a -G 512 -m -s /bin/false -d /dev/null -F "" -P user_admin
688 <!--TOC subsubsection Removing a user-->
690 <H4><A NAME="htoc17">4.2.2</A> Removing a user</H4><!--SEC END -->
692 To remove a user account, use the <TT>smbldap-userdel</TT> script.
693 Available options are
694 <BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
696 <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
697 <TR><TD ALIGN=left NOWRAP>option</TD>
698 <TD ALIGN=left NOWRAP>definition</TD>
700 <TR><TD ALIGN=left NOWRAP>-r</TD>
701 <TD ALIGN=left NOWRAP>remove home directory</TD>
703 <TR><TD ALIGN=left NOWRAP>-R</TD>
704 <TD ALIGN=left NOWRAP>remove home directory interactively</TD>
708 <DIV ALIGN=center>Table 3: Option available to the <TT>smbldap-userdel</TT> script</DIV><BR>
710 <A NAME="table::del::user"></A>
711 <DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
712 For example, if you want to remove the <I>user1</I> account
713 from the LDAP directory, and if you also want to delete his home
714 directory, use the following command:
716 smbldap-userdel -r user1
718 Note: '-r' is dangerous as it may delete precious data that has not been backed up,
719 please be careful.<BR>
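One way to keep the convenience of <TT>-r</TT> without its risk is to decide per account whether the home directory is really a per-user directory before passing the flag. The wrapper below is an added example for this manual, not part of smbldap-tools: it refuses <TT>-r</TT> for an empty home, for <TT>/dev/null</TT> (the value given to <I>user_admin</I> in section 4.2.1), for a path with <TT>..</TT> components, and for anything not strictly under the home prefix. It assumes accounts are resolvable through <TT>getent passwd</TT> (nss_ldap), that the prefix is <TT>/home</TT> unless <TT>USER_HOME_PREFIX</TT> is set, and that <TT>SMBLDAP_USERDEL</TT> can override the command (e.g. <TT>echo</TT> for a dry run); these variable names are ours.<BR>

```shell
#!/bin/sh
# Added example for this manual, not part of the smbldap-tools distribution:
# only pass the dangerous '-r' flag to smbldap-userdel when the account's
# home directory is a per-user directory under the home prefix.
# Assumed: accounts resolve through getent (nss_ldap); USER_HOME_PREFIX and
# SMBLDAP_USERDEL are our own variable names, not smbldap-tools settings.

# home_is_removable HOME PREFIX: 0 if HOME is strictly inside PREFIX
home_is_removable() {
    case "$1" in
        ""|"$2"|"$2"/) return 1 ;;       # empty, or the prefix itself
        /dev/*) return 1 ;;              # /dev/null, as used for service accounts
        */../*|*/..) return 1 ;;         # no parent-directory components
        "$2"/?*) return 0 ;;             # /home/<something>
    esac
    return 1                             # anywhere else (e.g. /var/user)
}

# userdel_args HOME LOGIN: the argument list to hand to smbldap-userdel
userdel_args() {
    if home_is_removable "$1" "${USER_HOME_PREFIX:-/home}"; then
        echo "-r $2"
    else
        echo "$2"
    fi
}

# safe_userdel LOGIN: look the account up and run smbldap-userdel accordingly
safe_userdel() {
    entry=$(getent passwd "$1") || { echo "no such account: $1" >&2; return 1; }
    home=${entry%:*}         # drop the login shell (7th field of passwd(5))
    home=${home##*:}         # keep the home directory (6th field)
    args=$(userdel_args "$home" "$1")
    case "$args" in
        -r*) ;;
        *) echo "keeping '$home' for $1 (outside ${USER_HOME_PREFIX:-/home}); removing the account only" >&2 ;;
    esac
    # word splitting of $args is intended: "-r login" or "login"
    ${SMBLDAP_USERDEL:-smbldap-userdel} $args
}

# Usage: SMBLDAP_USERDEL=echo safe_userdel user1   (dry run, prints "-r user1")
if [ $# -eq 1 ]; then safe_userdel "$1"; fi
```

With <TT>SMBLDAP_USERDEL=echo</TT> the wrapper prints the command line it would run, which is a cheap way to review a batch of removals before any home directory is touched.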
721 <!--TOC subsubsection Modifying a user-->
723 <H4><A NAME="htoc18">4.2.3</A> Modifying a user</H4><!--SEC END -->
724 <A NAME="modify::user"></A>
725 To modify a user account, use the <TT>smbldap-usermod</TT> script.
726 Available options are listed in the table <A HREF="#table::modify::user">4</A>.
727 <BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
729 <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
730 <TR><TD VALIGN=top ALIGN=left>option</TD>
731 <TD VALIGN=top ALIGN=left>definition</TD>
732 <TD VALIGN=top ALIGN=left>example</TD>
734 <TR><TD VALIGN=top ALIGN=left>-c</TD>
735 <TD VALIGN=top ALIGN=left>set the user gecos</TD>
736 <TD VALIGN=top ALIGN=left>-c "admin user"</TD>
738 <TR><TD VALIGN=top ALIGN=left>-d</TD>
739 <TD VALIGN=top ALIGN=left>set the home directory</TD>
740 <TD VALIGN=top ALIGN=left>-d /var/user</TD>
742 <TR><TD VALIGN=top ALIGN=left>-u</TD>
743 <TD VALIGN=top ALIGN=left>set a uid value</TD>
744 <TD VALIGN=top ALIGN=left>-u 1003</TD>
746 <TR><TD VALIGN=top ALIGN=left>-g</TD>
747 <TD VALIGN=top ALIGN=left>set a gid value</TD>
748 <TD VALIGN=top ALIGN=left>-g 1003</TD>
750 <TR><TD VALIGN=top ALIGN=left>-G</TD>
751 <TD VALIGN=top ALIGN=left>add the new account to one or several supplementary
752 groups (comma-separated)</TD>
753 <TD VALIGN=top ALIGN=left>-G 512,550</TD>
755 <TR><TD VALIGN=top ALIGN=left> </TD>
756 <TD VALIGN=top ALIGN=left> </TD>
757 <TD VALIGN=top ALIGN=left>-G -512,550</TD>
759 <TR><TD VALIGN=top ALIGN=left> </TD>
760 <TD VALIGN=top ALIGN=left> </TD>
761 <TD VALIGN=top ALIGN=left>-G +512,550</TD>
763 <TR><TD VALIGN=top ALIGN=left>-s</TD>
764 <TD VALIGN=top ALIGN=left>set the login shell</TD>
765 <TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
767 <TR><TD VALIGN=top ALIGN=left>-N</TD>
768 <TD VALIGN=top ALIGN=left>set the canonical name of the user</TD>
769 <TD VALIGN=top ALIGN=left> </TD>
771 <TR><TD VALIGN=top ALIGN=left>-S</TD>
772 <TD VALIGN=top ALIGN=left>set the surname of the user</TD>
773 <TD VALIGN=top ALIGN=left> </TD>
775 <TR><TD VALIGN=top ALIGN=left>-P</TD>
776 <TD VALIGN=top ALIGN=left>ends by invoking smbldap-passwd to set the user's password</TD>
777 <TD VALIGN=top ALIGN=left> </TD>
779 <TR><TD VALIGN=top ALIGN=left>-a</TD>
780 <TD VALIGN=top ALIGN=left>add sambaSAMAccount objectclass</TD>
781 <TD VALIGN=top ALIGN=left> </TD>
783 <TR><TD VALIGN=top ALIGN=left>-e</TD>
784 <TD VALIGN=top ALIGN=left>set an expiration date for the password (format: YYYY-MM-DD HH:MM:SS)</TD>
785 <TD VALIGN=top ALIGN=left> </TD>
787 <TR><TD VALIGN=top ALIGN=left>-A</TD>
788 <TD VALIGN=top ALIGN=left>user can change password ? 0 if no, 1 if yes</TD>
789 <TD VALIGN=top ALIGN=left>-A 1</TD>
791 <TR><TD VALIGN=top ALIGN=left>-B</TD>
792 <TD VALIGN=top ALIGN=left>user must change password at first session ? 0 if no, 1
794 <TD VALIGN=top ALIGN=left>-B 1</TD>
796 <TR><TD VALIGN=top ALIGN=left>-C</TD>
797 <TD VALIGN=top ALIGN=left>set the samba home share</TD>
798 <TD VALIGN=top ALIGN=left>-C \\PDC\homes</TD>
800 <TR><TD VALIGN=top ALIGN=left> </TD>
801 <TD VALIGN=top ALIGN=left> </TD>
802 <TD VALIGN=top ALIGN=left>-C ""</TD>
804 <TR><TD VALIGN=top ALIGN=left>-D</TD>
805 <TD VALIGN=top ALIGN=left>set a letter associated with the home share</TD>
806 <TD VALIGN=top ALIGN=left>-D H:</TD>
808 <TR><TD VALIGN=top ALIGN=left> </TD>
809 <TD VALIGN=top ALIGN=left> </TD>
810 <TD VALIGN=top ALIGN=left>-D ""</TD>
812 <TR><TD VALIGN=top ALIGN=left>-E</TD>
813 <TD VALIGN=top ALIGN=left>set DOS script to execute on login</TD>
814 <TD VALIGN=top ALIGN=left>-E common.bat</TD>
816 <TR><TD VALIGN=top ALIGN=left> </TD>
817 <TD VALIGN=top ALIGN=left> </TD>
818 <TD VALIGN=top ALIGN=left>-E ""</TD>
820 <TR><TD VALIGN=top ALIGN=left>-F</TD>
821 <TD VALIGN=top ALIGN=left>set the profile directory</TD>
822 <TD VALIGN=top ALIGN=left>-F \\PDC\profiles\user</TD>
824 <TR><TD VALIGN=top ALIGN=left> </TD>
825 <TD VALIGN=top ALIGN=left> </TD>
826 <TD VALIGN=top ALIGN=left>-F ""</TD>
828 <TR><TD VALIGN=top ALIGN=left>-H</TD>
829 <TD VALIGN=top ALIGN=left>set the samba account control bits like '[NDHTUMWSLKI]'</TD>
830 <TD VALIGN=top ALIGN=left>-H [X]</TD>
832 <TR><TD VALIGN=top ALIGN=left>-I</TD>
833 <TD VALIGN=top ALIGN=left>disable a user account</TD>
834 <TD VALIGN=top ALIGN=left>-I 1</TD>
836 <TR><TD VALIGN=top ALIGN=left>-J</TD>
837 <TD VALIGN=top ALIGN=left>enable a user</TD>
838 <TD VALIGN=top ALIGN=left>-J 1</TD>
840 <TR><TD VALIGN=top ALIGN=left>-M</TD>
<TD VALIGN=top ALIGN=left>local mail address (comma separated)</TD>
842 <TD VALIGN=top ALIGN=left>-M testuser,aliasuser</TD>
844 <TR><TD VALIGN=top ALIGN=left>-T</TD>
<TD VALIGN=top ALIGN=left>forward mail address (comma separated)</TD>
846 <TD VALIGN=top ALIGN=left>-T
847 testuser@domain.org</TD>
851 <DIV ALIGN=center>Table 4: Options available to the <TT>smbldap-usermod</TT> script</DIV><BR>
853 <A NAME="table::modify::user"></A>
854 <DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
You can also use the <TT>smbldap-userinfo</TT> script to update a user's information. This script can
also be used by users themselves to update their own information listed in table
<A HREF="#table::modify::self::user">5</A> (adequate ACLs must be set in the directory server). Available
859 <BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
861 <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
862 <TR><TD VALIGN=top ALIGN=left>option</TD>
863 <TD VALIGN=top ALIGN=left>definition</TD>
864 <TD VALIGN=top ALIGN=left>example</TD>
866 <TR><TD VALIGN=top ALIGN=left>-f</TD>
<TD VALIGN=top ALIGN=left>set the user's full name</TD>
868 <TD VALIGN=top ALIGN=left>-f MyName</TD>
870 <TR><TD VALIGN=top ALIGN=left>-r</TD>
871 <TD VALIGN=top ALIGN=left>set the room number</TD>
872 <TD VALIGN=top ALIGN=left>-r 99</TD>
874 <TR><TD VALIGN=top ALIGN=left>-w</TD>
875 <TD VALIGN=top ALIGN=left>set the work phone number</TD>
876 <TD VALIGN=top ALIGN=left>-w 111111111</TD>
878 <TR><TD VALIGN=top ALIGN=left>-h</TD>
879 <TD VALIGN=top ALIGN=left>set the home phone number</TD>
880 <TD VALIGN=top ALIGN=left>-h 222222222</TD>
882 <TR><TD VALIGN=top ALIGN=left>-o</TD>
883 <TD VALIGN=top ALIGN=left>set other information (in gecos definition)</TD>
884 <TD VALIGN=top ALIGN=left>-o "second stage"</TD>
886 <TR><TD VALIGN=top ALIGN=left>-s</TD>
<TD VALIGN=top ALIGN=left>set the default shell</TD>
888 <TD VALIGN=top ALIGN=left>-s /bin/ksh</TD>
892 <DIV ALIGN=center>Table 5: Options available to the <TT>smbldap-userinfo</TT> script</DIV><BR>
894 <A NAME="table::modify::self::user"></A>
895 <DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
896 <!--TOC subsection Group management-->
898 <H3><A NAME="htoc19">4.3</A> Group management</H3><!--SEC END -->
900 <!--TOC subsubsection Adding a group-->
902 <H4><A NAME="htoc20">4.3.1</A> Adding a group</H4><!--SEC END -->
904 To add a new group in the LDAP directory, use the <TT>smbldap-groupadd</TT>
905 script. Available options are listed in the table
906 <A HREF="#table::add::group">6</A>.
907 <BLOCKQUOTE><DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV>
909 <TABLE BORDER=1 CELLSPACING=0 CELLPADDING=1>
910 <TR><TD VALIGN=top ALIGN=left NOWRAP>option</TD>
911 <TD VALIGN=top ALIGN=left>definition</TD>
912 <TD VALIGN=top ALIGN=left NOWRAP>example</TD>
914 <TR><TD VALIGN=top ALIGN=left NOWRAP>-a</TD>
915 <TD VALIGN=top ALIGN=left>add automatic group mapping entry</TD>
916 <TD VALIGN=top ALIGN=left NOWRAP> </TD>
918 <TR><TD VALIGN=top ALIGN=left NOWRAP>-g <TT>gid</TT></TD>
<TD VALIGN=top ALIGN=left>set the <I>gidNumber</I> for this group to <I>gid</I></TD>
921 <TD VALIGN=top ALIGN=left NOWRAP><TT>-g 1002</TT></TD>
923 <TR><TD VALIGN=top ALIGN=left NOWRAP>-o</TD>
<TD VALIGN=top ALIGN=left>allow the gidNumber to be non-unique</TD>
925 <TD VALIGN=top ALIGN=left NOWRAP> </TD>
927 <TR><TD VALIGN=top ALIGN=left NOWRAP>-r <TT>group-rid</TT></TD>
928 <TD VALIGN=top ALIGN=left>set the rid of the group to
929 <I>group-rid</I></TD>
930 <TD VALIGN=top ALIGN=left NOWRAP><TT>-r 1002</TT></TD>
932 <TR><TD VALIGN=top ALIGN=left NOWRAP>-s <TT>group-sid</TT></TD>
933 <TD VALIGN=top ALIGN=left>set the sid of the group to
934 <I>group-sid</I></TD>
935 <TD VALIGN=top ALIGN=left NOWRAP><TT><FONT SIZE=1>-s
936 S-1-5-21-3703471949-3718591838-2324585696-1002</FONT></TT></TD>
938 <TR><TD VALIGN=top ALIGN=left NOWRAP>-t <TT>group-type</TT></TD>
939 <TD VALIGN=top ALIGN=left>set the <I>sambaGroupType</I> to
940 <I>group-type</I></TD>
941 <TD VALIGN=top ALIGN=left NOWRAP><TT>-t 2</TT></TD>
943 <TR><TD VALIGN=top ALIGN=left NOWRAP>-p</TD>
944 <TD VALIGN=top ALIGN=left>print the gidNumber to stdout</TD>
945 <TD VALIGN=top ALIGN=left NOWRAP> </TD>
949 <DIV ALIGN=center>Table 6: Options available for the <TT>smbldap-groupadd</TT> script</DIV><BR>
951 <A NAME="table::add::group"></A>
952 <DIV ALIGN=center><HR WIDTH="80%" SIZE=2></DIV></BLOCKQUOTE>
953 <!--TOC subsubsection Removing a group-->
955 <H4><A NAME="htoc21">4.3.2</A> Removing a group</H4><!--SEC END -->
To remove the group named <TT>group1</TT>, just use the following
<PRE>smbldap-groupdel group1
</PRE>
<!--TOC subsection Adding an interdomain trust account-->
<H3><A NAME="htoc22">4.4</A> Adding an interdomain trust account</H3><!--SEC END -->
965 <A NAME="trust::account"></A>
To add an interdomain trust account to the primary controller <I>trust-pdc</I>, use the <TT>-i</TT> option of
<TT>smbldap-useradd</TT> as follows :
<PRE>[root@etoile root]# smbldap-useradd -i trust-pdc
New password : *******
Retype new password : *******
</PRE>The script ends by asking for a password for this trust
account. The account will be created in the directory branch where
all computer accounts are stored (<TT>ou=Computers</TT> by
default). The only two particularities of this account are that you are
setting a password for it, and that the flags of this account are
979 <!--TOC section Samba and the smbldap-tools scripts-->
981 <H2><A NAME="htoc23">5</A> Samba and the smbldap-tools scripts</H2><!--SEC END -->
983 <!--TOC subsection General configuration-->
985 <H3><A NAME="htoc24">5.1</A> General configuration</H3><!--SEC END -->
Samba can be configured to use the <FONT COLOR=purple>smbldap-tools</FONT> scripts. This allows
administrators to add, delete or modify user and group accounts for <FONT COLOR=purple>Microsoft Windows</FONT>
operating systems using, for example, the User Manager utility under MS-Windows.
To enable the use of this utility, samba needs to be configured correctly. The
<TT>smb.conf</TT> configuration file must contain the following directives :
<PRE>add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
</PRE>Remark: the two directives <TT>delete user script</TT> and <TT>delete group
script</TT> can also be used. However, an error message can appear in User Manager
even if the operations actually succeed.
If you want to enable this behaviour, you need to add
<PRE>delete user script = /usr/local/sbin/smbldap-userdel "%u"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
</PRE>
1009 <!--TOC subsection Migrating an NT4 PDC to Samba3-->
1011 <H3><A NAME="htoc25">5.2</A> Migrating an NT4 PDC to Samba3</H3><!--SEC END -->
The account migration procedure becomes really simple when samba is configured to use
the <FONT COLOR=purple>smbldap-tools</FONT>. The Samba configuration (smb.conf file) must contain the
directives defined above to properly call the scripts for managing users, groups and computer accounts.
The migration process is outlined in chapter 30 of the Samba HOWTO
<TT>http://sambafr.idealx.org/samba/docs/man/Samba-HOWTO-Collection/NT4Migration.html</TT>.
1020 <!--TOC section Frequently Asked Questions-->
1022 <H2><A NAME="htoc26">6</A> Frequently Asked Questions</H2><!--SEC END -->
<!--TOC subsection How can I reuse previously released uidNumber and gidNumber values?-->
<H3><A NAME="htoc27">6.1</A> How can I reuse previously released uidNumber and gidNumber values?</H3><!--SEC END -->
There are two ways to do this :
<UL><LI>modify the <TT>cn=NextFreeUnixId,dc=idealx,dc=org</TT> entry and
change the <TT>uidNumber</TT> and/or <TT>gidNumber</TT> value. This
must be done manually. For example, if you want to use all available
uidNumber and gidNumber values higher than 1500, you need to create an
<TT>update-NextFreeUnixId.ldif</TT> file containing :
<PRE>dn: cn=NextFreeUnixId,dc=idealx,dc=org
</PRE>and then update the directory :
<PRE>ldapmodify -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f update-NextFreeUnixId.ldif
</PRE>(<TT>-W</TT> instead of <TT>-w secret</TT> makes ldapmodify prompt for the password rather than
exposing it on the command line, where any local user can read it from the process list.)
<LI>use the <TT>-u</TT> or <TT>-g</TT> option to the script you need to set the value you
</UL>
<!--TOC subsection I always get this error: "Can't locate IO/Socket/SSL.pm"-->
<H3><A NAME="htoc28">6.2</A> I always get this error: "Can't locate IO/Socket/SSL.pm"</H3><!--SEC END -->
1050 This happens when you want to use a certificate. In this case, you need to install the
1051 IO-Socket-SSL Perl module.<BR>
1053 <!--TOC subsection I can't initialize the directory with <TT>smbldap-populate</TT>-->
1055 <H3><A NAME="htoc29">6.3</A> I can't initialize the directory with <TT>smbldap-populate</TT></H3><!--SEC END -->
When I want to initialize the directory using the <TT>smbldap-populate</TT>
<PRE>[root@slave sbin]# smbldap-populate.pl
Using builtin directory structure
adding new entry: dc=IDEALX,dc=COM
Can't call method "code" without a package or object reference at
/usr/local/sbin/smbldap-populate.pl line 270, <GEN1> line 2.
</PRE>Answer: check the TLS configuration
<UL><LI>if you don't want to use TLS support, set the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file
<LI>if you want TLS support, set the <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file with
and check that the directory server is configured to accept TLS connections.
</UL>
1076 <!--TOC subsection I can't join the domain with the <TT>root</TT> account-->
1078 <H3><A NAME="htoc30">6.4</A> I can't join the domain with the <TT>root</TT> account</H3><!--SEC END -->
<UL><LI>check that the root account has the sambaSamAccount objectclass
<LI>check that the directive <TT>add machine script</TT> is present and configured
</UL>
<!--TOC subsection I have the <TT>sambaSamAccount</TT> but I can't log in-->
<H3><A NAME="htoc31">6.5</A> I have the <TT>sambaSamAccount</TT> but I can't log in</H3><!--SEC END -->
Check that the <TT>sambaPwdLastSet</TT> attribute is not null (i.e. not equal to 0)<BR>
<!--TOC subsection I want to create machine accounts on the fly, but it does
not work or I must do it twice-->
<H3><A NAME="htoc32">6.6</A> I want to create machine accounts on the fly, but it does
not work or I must do it twice</H3><!--SEC END -->
<UL><LI>The script defined with the <TT>add machine script</TT> directive must not add
the <TT>sambaSAMAccount</TT> objectclass to the machine account. The
script must only add the POSIX machine account. Samba will add the <TT>sambaSAMAccount</TT> when
<LI>Check that the <TT>add <B>machine</B> script</TT> directive is present in samba
</UL>
1104 <!--TOC subsection I can't manage the Oracle Internet Database-->
1106 <H3><A NAME="htoc33">6.7</A> I can't manage the Oracle Internet Database</H3><!--SEC END -->
If you have an error message like :
<PRE>Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 187.
Function Not Implemented at /usr/local/sbin/smbldap_tools.pm line 627.
</PRE>For Oracle Database, all attributes that will be requested from the directory must be indexed. Add a
new index for samba attributes and make sure that the following attributes are also indexed :
uidNumber, gidNumber, memberUid, homedirectory, description, userPassword ...<BR>
<!--TOC subsection The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
called, or I get an error message when changing the password from Windows-->
<H3><A NAME="htoc34">6.8</A> The directive <TT>passwd program = /usr/local/sbin/smbldap-passwd -u %u</TT> is not
called, or I get an error message when changing the password from Windows</H3><!--SEC END -->
The directive is called if you also set <TT>unix password sync = Yes</TT>.
<UL><LI>if you use OpenLDAP, neither of those two options is needed. You just need <TT>ldap
passwd sync = Yes</TT>.
<LI>the script called here must only update the <TT>userPassword</TT> attribute. This is the
reason for the <TT>-u</TT> option. Samba passwords will be updated by samba itself.
<LI>the <TT>passwd chat</TT> directive must match what is prompted when using the
<TT>smbldap-passwd</TT> command
</UL>
<!--TOC subsection New computer accounts can't be set in ou=computers-->
<H3><A NAME="htoc35">6.9</A> New computer accounts can't be set in ou=computers</H3><!--SEC END -->
<A NAME="sec::bug::ou::computer"></A>
This is a known samba bug. There's a workaround: look at
<TT>http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2</TT><BR>
<!--TOC subsection I can join the domain, but I can't log on-->
<H3><A NAME="htoc36">6.10</A> I can join the domain, but I can't log on</H3><!--SEC END -->
See section <A HREF="#sec::bug::ou::computer">6.9</A><BR>
1145 <!--TOC subsection I can't create a user with <TT>smbldap-useradd</TT>-->
1147 <H3><A NAME="htoc37">6.11</A> I can't create a user with <TT>smbldap-useradd</TT></H3><!--SEC END -->
When creating a new user account I get the following error message:
<PRE>/usr/local/sbin/smbldap-useradd.pl: unknown group SID not set for unix group 513
</PRE><UL><LI>is nss_ldap correctly configured ?
<LI>is the users' default group mapped to the 'Domain Users' NT group ?
<PRE>net groupmap add rid=513 unixgroup="Domain Users" ntgroup="Domain Users"
</PRE></UL>
1159 <!--TOC subsection smbldap-useradd: Can't call method "get_value" on an undefined value at
1160 /usr/local/sbin/smbldap-useradd line 154-->
1162 <H3><A NAME="htoc38">6.12</A> smbldap-useradd: Can't call method "get_value" on an undefined value at
1163 /usr/local/sbin/smbldap-useradd line 154</H3><!--SEC END -->
<UL><LI>does the default group defined in smbldap.conf exist
(defaultUserGid="513") ?
<LI>is the NT "Domain Users" group mapped to a unix
group with rid 513 (see option <I>-r</I> of <TT>smbldap-groupadd</TT> and
<TT>smbldap-groupmod</TT> to set a rid) ?
</UL>
1172 <!--TOC subsection Typical errors on creating a new user or a new group-->
1174 <H3><A NAME="htoc39">6.13</A> Typical errors on creating a new user or a new group</H3><!--SEC END -->
1175 <A NAME="faq::error::add::user"></A>
<UL><LI>I get the following error:
<PRE>Could not find base dn, to get next uidNumber at /usr/local/sbin//smbldap_tools.pm line 909
</PRE><OL type=1><LI>
you have not created the object that defines the next available uidNumber and gidNumber.
<UL><LI>for version 0.8.7 : you can just run the <TT>smbldap-populate</TT> script, which will
update the sambaDomain entry to store this information
<LI>for versions before 0.8.7 (you have updated the smbldap-tools to version 0.8.5 or newer):
you have to do this manually. Create a file called <TT>add.ldif</TT> containing
<PRE>dn: cn=NextFreeUnixId,dc=idealx,dc=org
objectClass: inetOrgPerson
objectClass: sambaUnixIdPool
</PRE> and then add the object with the ldapadd utility:
<PRE>$ ldapadd -x -D "cn=Manager,dc=idealx,dc=org" -w secret -f add.ldif
</PRE> Here, 1000 is the first available value for uidNumber and gidNumber (of course, if this value is
already used by a user or a group, the first available after 1000 will be used).
</UL>
<LI>The error also appears when TLS is required (ldapTLS=1 in <TT>smbldap.conf</TT>) and
something is wrong with the certificate naming or path settings.
</OL>
<LI>I get the following error:
<PRE>Use of uninitialized value in string at
/usr/local/sbin//smbldap_tools.pm line 914.
Error: No DN specified at /usr/local/sbin//smbldap_tools.pm line 919
</PRE>You have not updated the configuration file to define the object where the next
available uidNumber and gidNumber are stored. In our example, you have to add a new entry in
<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I> containing :
<PRE># Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
</PRE>By the way, a new option is now available too: the domain to append to users. You can add
the following lines to the configuration file:
<PRE># Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="idealx.com"
</PRE>
<LI>I get the following error:
<PRE>Use of uninitialized value in concatenation (.) or string at /usr/local/sbin/smbldap-useradd line 183.
Use of uninitialized value in substitution (s///) at /usr/local/sbin/smbldap-useradd line 185.
Use of uninitialized value in string at /usr/local/sbin/smbldap-useradd line 264.
failed to add entry: homedirectory: value #0 invalid per syntax at /usr/local/sbin/smbldap-useradd line 280.
userHomeDirectory=User "jto" already member of the group "513".
failed to add entry: No such object at /usr/local/sbin/smbldap-useradd line 382.
</PRE>you have to change the variable name <TT>userHomePrefix</TT> to <TT>userHome</TT> in
<I>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</I><BR>
<LI>I get the following error:
<PRE>failed to add entry: referral missing at /usr/local/sbin/smbldap-useradd line 279, <DATA> line 283.
</PRE>you have to update the configuration file that defines the users, groups and computers DNs. Those
parameters must not be relative to the <TT>suffix</TT> parameter. A typical
configuration looks like this :
<PRE>usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
</PRE>
<LI>I get the following error:
<PRE>erreur LDAP: Can't contact master ldap server (IO::Socket::INET: Bad protocol 'tcp')
at /usr/local/sbin//smbldap_tools.pm line 153.
</PRE>remove <I>ldap</I> from the <I>services</I> line of <I>/etc/nsswitch.conf</I>. For
example, if your ldap directory is not configured to give services information, you must have
a <I>services</I> line without <I>ldap</I>, not one like:
<PRE>services: ldap [NOTFOUND=return] files
</PRE></UL>
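Several of the errors in this FAQ come from the same few lines of <TT>smbldap.conf</TT>. The following Python script is an added example, not part of smbldap-tools: it parses a <TT>smbldap.conf</TT> file (assuming the key="value" format and the <TT>${suffix}</TT> substitution shown in the annex) and reports the misconfigurations listed above, using two constructed sample files.

```python
"""Added example (not smbldap-tools' own code): a sanity check for smbldap.conf
that flags the misconfigurations described in the FAQ entries above.
Assumptions: the file is a list of key="value" lines with '#' comments, and
${name} inside a value refers to another key (as ${suffix} does above)."""
import re

# key = "value"  (quotes are optional, as the 'Ex:' comments in the annex show)
_LINE_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.*?)\s*$')
_VAR_RE = re.compile(r'\$\{(\w+)\}')


def parse_smbldap_conf(text):
    """Parse smbldap.conf into a dict; a key defined twice keeps the last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        conf[key] = value
    return conf


def expand(value, conf, _depth=0):
    """Substitute ${name} with conf[name], recursively, leaving unknown names as-is."""
    if _depth > 8:  # guard against a value that refers to itself
        return value
    return _VAR_RE.sub(
        lambda m: expand(conf[m.group(1)], conf, _depth + 1)
        if m.group(1) in conf else m.group(0),
        value)


def check_smbldap_conf(text):
    """Return (key, message) pairs, one per problem found, in a fixed order."""
    conf = parse_smbldap_conf(text)
    problems = []
    suffix = expand(conf.get('suffix', ''), conf)
    if not suffix:
        problems.append(('suffix', 'not set; every ${suffix} reference stays unexpanded'))
    # FAQ: "Error: No DN specified" -> the scripts do not know where the
    # next free uidNumber/gidNumber are stored
    if 'sambaUnixIdPooldn' not in conf:
        problems.append(('sambaUnixIdPooldn',
                         'not set; the scripts cannot find the next free uidNumber/gidNumber'))
    # FAQ: "homedirectory: value #0 invalid per syntax" -> old variable name
    if 'userHomePrefix' in conf and 'userHome' not in conf:
        problems.append(('userHomePrefix', 'obsolete name; rename it to userHome'))
    # FAQ: "failed to add entry: referral missing" -> DN relative to the suffix
    for key in ('usersdn', 'computersdn', 'groupsdn'):
        if key not in conf:
            problems.append((key, 'not set'))
            continue
        dn = expand(conf[key], conf)
        if not suffix or not dn.lower().endswith(',' + suffix.lower()):
            problems.append((key, f'{dn!r} must be a full DN ending in ",{suffix}"'))
    # FAQ: TLS required but certificate paths wrong or missing
    if conf.get('ldapTLS') == '1':
        for key in ('cafile', 'clientcert', 'clientkey'):
            if key not in conf:
                problems.append((key, 'ldapTLS=1 but no file configured'))
    return problems


# Constructed sample: an old-style file that triggers several FAQ errors at once
BROKEN_CONF = '''\
# General Configuration
suffix="dc=idealx,dc=org"
usersdn="ou=Users"
computersdn="ou=Computers"
groupsdn="ou=Groups,${suffix}"
userHomePrefix="/home"
ldapTLS="1"
cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"
'''

# Constructed sample: the layout of the annex, which passes every check
GOOD_CONF = '''\
suffix="dc=idealx,dc=org"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
userHome="/home/%U"
ldapTLS="0"
'''

if __name__ == '__main__':
    for name, conf_text in (('BROKEN_CONF', BROKEN_CONF), ('GOOD_CONF', GOOD_CONF)):
        found = check_smbldap_conf(conf_text)
        print(f'{name}: {len(found)} problem(s)')
        for key, msg in found:
            print(f'  {key}: {msg}')
```

Run it against your own file with <TT>check_smbldap_conf(open(path).read())</TT>; an empty list means none of the FAQ conditions above apply.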
1262 <!--TOC section Thanks-->
1264 <H2><A NAME="htoc40">7</A> Thanks</H2><!--SEC END -->
1266 <A NAME="thanks"></A>
People who have worked on this document are
<UL><LI>Jérôme Tournier <jerome.tournier@IDEALX.com>
<LI>David Barth <david.barth@IDEALX.com>
<LI>Nat Makarevitch <nat@IDEALX.com>
</UL>
1273 The authors would like to thank the following people for providing help with
1274 some of the more complicated subjects, for clarifying some of the internal
1275 workings of <FONT COLOR=purple>Samba</FONT> or <FONT COLOR=purple>OpenLDAP</FONT>, for pointing out errors or mistakes in
1276 previous versions of this document, or generally for making
<UL><LI>Roméo Adekambi <romeo.adekambi@IDEALX.com>
<LI>Aurelien Degremont <adegremont@IDEALX.com>
<LI>Renaud Renard <rrenard@IDEALX.com>
<LI>John H Terpstra <jht@samba.org>
</UL>
1287 <!--TOC section Annexes-->
1289 <H2><A NAME="htoc41">8</A> Annexes</H2><!--SEC END -->
1291 <!--TOC subsection Full configuration files-->
1293 <H3><A NAME="htoc42">8.1</A> Full configuration files</H3><!--SEC END -->
1294 <A NAME="configuration::files"></A>
1295 <!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file-->
1297 <H4><A NAME="htoc43">8.1.1</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</H4><!--SEC END -->
1298 <A NAME="configuration::file::smbldap"></A>
1299 <PRE># $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
1300 # $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $
1302 # smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developed by IDEALX (http://IDEALX.org/) and
1305 # contributors (their names can be found in the CONTRIBUTORS file).
1307 # Copyright (C) 2001-2002 IDEALX
1309 # This program is free software; you can redistribute it and/or
1310 # modify it under the terms of the GNU General Public License
1311 # as published by the Free Software Foundation; either version 2
1312 # of the License, or (at your option) any later version.
1314 # This program is distributed in the hope that it will be useful,
1315 # but WITHOUT ANY WARRANTY; without even the implied warranty of
1316 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
1317 # GNU General Public License for more details.
1319 # You should have received a copy of the GNU General Public License
1320 # along with this program; if not, write to the Free Software
1321 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
1325 # . be the configuration file for all smbldap-tools scripts
1327 ##############################################################################
1329 # General Configuration
1331 ##############################################################################
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, the parameter is taken from the "net getlocalsid" output
1335 SID="S-1-5-21-4205727931-4131263253-1851132061"
# Domain name the Samba server is in charge of.
# If not defined, the parameter is taken from the smb.conf configuration file
1339 # Ex: sambaDomain="IDEALX-NT"
1340 sambaDomain="IDEALX-NT"
1342 ##############################################################################
1344 # LDAP Configuration
1346 ##############################################################################
# Notes: to use two ldap servers as backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch,
# just use the same server for slaveLDAP and masterLDAP.
1351 # Those two servers declarations can also be used when you have
1352 # . one master LDAP server where all writing operations must be done
1353 # . one slave LDAP server where all reading operations must be done
1354 # (typically a replication directory)
1357 # Ex: slaveLDAP=127.0.0.1
1358 # If not defined, parameter is set to "127.0.0.1"
1359 slaveLDAP="127.0.0.1"
1362 # If not defined, parameter is set to "389"
1365 # Master LDAP server: needed for write operations
1366 # Ex: masterLDAP=127.0.0.1
1367 # If not defined, parameter is set to "127.0.0.1"
1368 masterLDAP="127.0.0.1"
1371 # If not defined, parameter is set to "389"
# If set to 1, this option will use start_tls for connection
# (you should also use port 389)
1377 # If not defined, parameter is set to "1"
1380 # How to verify the server's certificate (none, optional or require)
1381 # see "man Net::LDAP" in start_tls section for more details
1385 # see "man Net::LDAP" in start_tls section for more details
1386 cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"
1388 # certificate to use to connect to the ldap server
1389 # see "man Net::LDAP" in start_tls section for more details
1390 clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.pem"
1392 # key certificate to use to connect to the ldap server
1393 # see "man Net::LDAP" in start_tls section for more details
1394 clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.key"
1397 # Ex: suffix=dc=IDEALX,dc=ORG
1398 suffix="dc=idealx,dc=org"
1400 # Where are stored Users
1401 # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
1402 # Warning: if 'suffix' is not set here, you must set the full dn for usersdn
1403 usersdn="ou=Users,${suffix}"
1405 # Where are stored Computers
1406 # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
1407 # Warning: if 'suffix' is not set here, you must set the full dn for computersdn
1408 computersdn="ou=Computers,${suffix}"
1410 # Where are stored Groups
1411 # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
1412 # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
1413 groupsdn="ou=Groups,${suffix}"
1415 # Where are stored Idmap entries (used if samba is a domain member server)
1416 # Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
1417 # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
1418 idmapdn="ou=Idmap,${suffix}"
1420 # Where to store next uidNumber and gidNumber available for new users and groups
1421 # If not defined, entries are stored in sambaDomainName object.
1422 # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
1423 # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
1424 sambaUnixIdPooldn="sambaDomainName=IDEALX-NT,${suffix}"
1426 # Default scope Used
1429 # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
1432 # if hash_encrypt is set to CRYPT, you may set a salt format.
1433 # default is "%s", but many systems will generate MD5 hashed
1434 # passwords if you use "$1$%.8s". This parameter is optional!
1435 crypt_salt_format="%s"
1437 ##############################################################################
1439 # Unix Accounts Configuration
1441 ##############################################################################
1444 # Default Login Shell
1445 # Ex: userLoginShell="/bin/bash"
1446 userLoginShell="/bin/bash"
1449 # Ex: userHome="/home/%U"
1452 # Default mode used for user homeDirectory
1453 userHomeDirectoryMode="700"
1456 userGecos="System User"
1458 # Default User (POSIX and Samba) GID
1459 defaultUserGid="513"
1461 # Default Computer (Samba) GID
1462 defaultComputerGid="515"
1465 skeletonDir="/etc/skel"
# Default password validity time (in days). Comment out the next line if
# you don't want passwords to be valid for only defaultMaxPasswordAge days (be
# careful with the sambaPwdMustChange attribute's value)
1470 defaultMaxPasswordAge="45"
1472 ##############################################################################
1474 # SAMBA Configuration
1476 ##############################################################################
1478 # The UNC path to home drives location (%U username substitution)
1479 # Just set it to a null string if you want to use the smb.conf 'logon home'
1480 # directive and/or disable roaming profiles
1481 # Ex: userSmbHome="\\PDC-SMB3\%U"
1482 userSmbHome="\\PDC-SRV\%U"
1484 # The UNC path to profiles locations (%U username substitution)
1485 # Just set it to a null string if you want to use the smb.conf 'logon path'
1486 # directive and/or disable roaming profiles
1487 # Ex: userProfile="\\PDC-SMB3\profiles\%U"
1488 userProfile="\\PDC-SRV\profiles\%U"
1490 # The default Home Drive Letter mapping
1491 # (will be automatically mapped at logon time if home directory exist)
1492 # Ex: userHomeDrive="H:"
1495 # The default user netlogon script name (%U username substitution)
1496 # if not used, will be automatically username.cmd
1497 # make sure script file is edited under dos
1498 # Ex: userScript="startup.cmd" # make sure script file is edited under dos
1499 userScript="logon.bat"
1501 # Domain appended to the users "mail"-attribute
1502 # when smbldap-useradd -M is used
1503 # Ex: mailDomain="idealx.com"
1504 mailDomain="idealx.com"
1506 ##############################################################################
1508 # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
1510 ##############################################################################
1512 # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
1513 # prefer Crypt::SmbHash library
1515 smbpasswd="/usr/bin/smbpasswd"
1517 # Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
1518 # but prefer Crypt:: libraries
1520 slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
</PRE>
1526 <!--TOC subsubsection The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file-->
1528 <H4><A NAME="htoc44">8.1.2</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</H4><!--SEC END -->
1529 <A NAME="configuration::file::smbldap::bind"></A>
1530 <PRE>############################
1531 # Credential Configuration #
1532 ############################
# Notes: you can specify two different configurations if you use a
1534 # master ldap for writing access and a slave ldap server for reading access
1535 # By default, we will use the same DN (so it will work for standard Samba
1537 slaveDN="cn=Manager,dc=idealx,dc=org"
masterDN="cn=Manager,dc=idealx,dc=org"
</PRE>
1543 <!--TOC subsubsection The samba configuration file : <TT>/etc/samba/smb.conf</TT> -->
1545 <H4><A NAME="htoc45">8.1.3</A> The samba configuration file : <TT>/etc/samba/smb.conf</TT> </H4><!--SEC END -->
1547 <PRE># Global parameters
1549 workgroup = IDEALX-NT
1550 netbios name = PDC-SRV
1551 #interfaces = 192.168.5.11
1552 username map = /etc/samba/smbusers
1553 enable privileges = yes
1554 server string = Samba Server %v
1556 encrypt passwords = Yes
1557 min passwd length = 3
1558 obey pam restrictions = No
1559 ldap passwd sync = Yes
1560 #unix password sync = Yes
1561 #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
1562 #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
1563 ldap passwd sync = Yes
1566 log file = /var/log/samba/log.%m
1567 max log size = 100000
1569 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
1570 mangling method = hash2
1572 Unix charset = ISO8859-1
1574 logon script = logon.bat
1581 preferred master = Yes
1584 passdb backend = ldapsam:ldap://127.0.0.1/
1585 # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
1586 # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
1587 ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
1588 ldap suffix = dc=idealx,dc=com
1589 ldap group suffix = ou=Groups
1590 ldap user suffix = ou=Users
1591 ldap machine suffix = ou=Computers
1592 ldap idmap suffix = ou=Users
1593 ldap ssl = start tls
1594 add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
1595 ldap delete dn = Yes
1596 #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
1597 add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 5 -w "%u"
1598 add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
1599 #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
1600 add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
1601 delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
1602 set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
1604 # printers configuration
1605 printer admin = @"Print Operators"
1608 directory mask = 0750
1611 printcap name = cups
1613 guest account = nobody
1614 map to guest = Bad User
1615 dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
1616 show add printer wizard = yes
1617 ; to maintain capital letters in shortcuts in any of the profile folders:
1619 short preserve case = yes
1623 comment = repertoire de %U, %u
1626 directory mask = 0775
1630 path = /home/netlogon/
1635 path = /home/profiles
1638 directory mask = 0700
1642 csc policy = disable
1643 # next line is a great way to secure the profiles
1645 # next line allows administrator to access all profiles
1646 valid users = %U "Domain Admins"
1649 comment = Network Printers
1650 printer admin = @"Print Operators"
1657 print command = /usr/bin/lpr -P%p -r %s
1658 lpq command = /usr/bin/lpq -P%p
1659 lprm command = /usr/bin/lprm -P%p %j
1662 path = /home/printers
1666 valid users = @"Print Operators"
1667 write list = @"Print Operators"
1669 directory mask = 0775
1672 comment = Repertoire public
directory mask = 0775
</PRE>
1681 <!--TOC subsubsection The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT>-->
1683 <H4><A NAME="htoc46">8.1.4</A> The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></H4><!--SEC END -->
<PRE>include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
TLSCertificateFile /etc/openldap/ldap.idealx.com.pem
TLSCertificateKeyFile /etc/openldap/ldap.idealx.com.key
TLSCACertificateFile /etc/openldap/ca.pem
TLSCipherSuite :SSLv3
#TLSVerifyClient demand
#######################################################################
# ldbm database definitions
#######################################################################
suffix dc=idealx,dc=com
rootdn "cn=Manager,dc=idealx,dc=com"
directory /var/lib/ldap
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=Manager,dc=idealx,dc=com" write
# all other attributes are readable to everybody
<!--TOC subsection Changing the administrative account (<TT>ldap admin
dn</TT> in <TT>smb.conf</TT> file)-->
<H3><A NAME="htoc47">8.2</A> Changing the administrative account (<TT>ldap admin
dn</TT> in <TT>smb.conf</TT> file)</H3><!--SEC END -->
<A NAME="change::manager"></A>
If you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
account anymore, you can create a dedicated account for Samba and the
smbldap-tools scripts. To do
this, create an account named <I>samba</I> as follows (see
section <A HREF="#add::user">4.2.1</A> for a more detailed syntax):
<PRE>smbldap-useradd -s /bin/false -d /dev/null -P samba
</PRE>This command will ask you to set a password for this account. Let's
set it to <I>samba</I> for this example.
You then need to modify the following configuration files:
<LI>file <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT>
<PRE>slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
</PRE><LI>file <TT>/etc/samba/smb.conf</TT>
<PRE>ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
</PRE>Don't forget to also store the samba account password in the
<TT>secrets.tdb</TT> file:
</PRE><LI>file <TT>/etc/openldap/slapd.conf</TT>: give the
<I>samba</I> user permission to modify some attributes: it
needs to be able to modify all the Samba attributes and some
others (uidNumber, gidNumber, ...):
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
# Samba needs to be able to create the samba domain account
access to dn.base="dc=idealx,dc=com"
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
# Samba needs to be able to create new user accounts
access to dn="ou=Users,dc=idealx,dc=com"
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
# Samba needs to be able to create new group accounts
access to dn="ou=Groups,dc=idealx,dc=com"
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
# Samba needs to be able to create new computer accounts
access to dn="ou=Computers,dc=idealx,dc=com"
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
# this can be omitted but we leave it: there could be other branch
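The ACL fragments in section 8.1.4 (the <TT>cn=Manager</TT> version) and in this section (the <TT>uid=samba</TT> version) are evaluated by slapd in file order: the first <TT>access to</TT> directive whose target matches the attribute decides, and inside it the first matching <TT>by</TT> clause decides, so an attribute listed in two directives is only ever governed by the earlier one. The following Python script is an added example, not part of the smbldap-tools manual or project: it parses a slapd.conf ACL fragment, reports the access level a given bind DN gets on a given attribute of a given entry, and lists attributes whose later grants are shadowed by an earlier directive. The sample ACL embedded in it is constructed from the DNs and attribute names shown in this manual; the <TT>by self write</TT>, <TT>by anonymous auth</TT> and <TT>by * ...</TT> clauses, the user DN <TT>uid=bob</TT>, the shortened attribute list of the fourth directive and the treatment of <TT>dn=</TT> / <TT>dn.base=</TT> as an exact DN match are assumptions made for the example.

```python
# Added example: a first-match simulator for slapd.conf 'access to' directives
# (not smbldap-tools code; the sample ACL and DNs below are constructed).
import re
from collections import namedtuple

# slapd.access(5) privilege levels; a grant of one level implies all lower ones
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

SAMBA_DN = "uid=samba,ou=Users,dc=idealx,dc=com"   # DN used in the manual
BOB_DN = "uid=bob,ou=Users,dc=idealx,dc=com"       # constructed ordinary user
USERS_OU = "ou=Users,dc=idealx,dc=com"
# Constructed sample modelled on the manual's fragments; the self/anonymous/* clauses
# and the shortened attribute list of the 4th directive are assumptions.
SAMPLE_ACL = """access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by self write
        by anonymous auth
        by * none
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by * read
access to attrs=description,telephoneNumber
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by self write
        by * read
access to attrs=cn,sambaLMPassword,sambaNTPassword,displayName,sambaSID,description
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
        by * read
access to dn="ou=Users,dc=idealx,dc=com"
        by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
access to *
        by self write
        by * read
"""

Rule = namedtuple("Rule", "attrs dn by")   # attrs/dn None = unrestricted; by = [(who, level)]
WHO_RE = re.compile(r'^(dn(?:\.\w+)?="[^"]*"|\S+)\s+(\w+)$')

def parse_acls(text):
    """Return the 'access to' directives of a slapd.conf fragment, in file order."""
    rules = []
    # a line that starts with whitespace continues the previous directive
    for line in re.sub(r"\n[ \t]+", " ", text).splitlines():
        if not line.startswith("access to "):
            continue                                      # comment or other directive
        what, *clauses = re.split(r"\s+by\s+", line[len("access to "):].strip())
        attrs = dn = None                                 # anything else is treated like '*'
        if what.startswith("attrs="):
            attrs = {a.strip().lower() for a in what[6:].split(",")}
        elif what.startswith("dn"):                       # dn= / dn.base=: exact match (assumed)
            dn = what.split("=", 1)[1].strip('"').lower()
        by = []
        for clause in clauses:
            m = WHO_RE.match(clause.strip())
            if not m or m.group(2) not in LEVELS:
                raise ValueError("unsupported <by> clause: " + clause)
            by.append((m.group(1), m.group(2)))
        rules.append(Rule(attrs, dn, by))
    return rules

def who_matches(who, requester, entry_dn):
    """<who> forms handled: *, anonymous, self, dn="<exact dn>" (requester None = anonymous)."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester == entry_dn
    return requester == who.split("=", 1)[1].strip('"').lower()

def evaluate(rules, attr, requester, entry_dn):
    """Level granted to `requester` (bound DN, None = anonymous) on `attr` of `entry_dn`.
    slapd takes the first directive whose <what> matches and, inside it, the first
    <by> whose <who> matches; later directives are never consulted."""
    attr, entry_dn = attr.lower(), entry_dn.lower()
    requester = requester.lower() if requester else None
    for rule in rules:
        if rule.dn is not None and rule.dn != entry_dn:
            continue
        if rule.attrs is not None and attr not in rule.attrs:
            continue
        for who, level in rule.by:
            if who_matches(who, requester, entry_dn):
                return level
        return "none"          # matched directive, no matching <by>: implicit 'by * none'
    return "none"              # no directive matched (assumed; unreachable with a final 'access to *')

def shadowed_attributes(rules):
    """attr -> (later directive no., earlier directive no.) for attributes that an earlier
    entry-wide directive already catches: the later grant is dead configuration."""
    shadowed = {}
    for j, later in enumerate(rules):
        if later.dn is not None or later.attrs is None:
            continue
        for attr in later.attrs:
            for i, earlier in enumerate(rules[:j]):
                if earlier.dn is None and (earlier.attrs is None or attr in earlier.attrs):
                    shadowed[attr] = (j + 1, i + 1)
                    break
    return shadowed
```

With the sample, <TT>evaluate()</TT> gives the samba DN <TT>write</TT> on the password attributes through the first directive, an anonymous bind only <TT>auth</TT> on them (enough to bind, not to read the hashes), an ordinary user <TT>write</TT> on its own <TT>description</TT> but only <TT>read</TT> on its own <TT>uidNumber</TT>, and the samba DN alone <TT>write</TT> on the <TT>children</TT> pseudo-attribute of <TT>ou=Users</TT>, which is what creating accounts needs. <TT>shadowed_attributes()</TT> reports <TT>cn</TT>, <TT>sambaLMPassword</TT>, <TT>sambaNTPassword</TT> and <TT>description</TT> in the fourth directive as shadowed by earlier ones; here that is harmless because the earlier directives already grant the samba DN write, but a <TT>by</TT> clause added only to the later directive for such an attribute would never take effect. Feed the function your own slapd.conf text to check a modified ACL before restarting slapd.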
<!--TOC subsection known bugs-->
<H3><A NAME="htoc48">8.3</A> known bugs</H3><!--SEC END -->
The <I>-B</I> option (user must change password) of
<TT>smbldap-useradd</TT> has no effect: when the
<TT>smbldap-passwd</TT> script is called, the
<I>sambaPwdMustChange</I> attribute is rewritten.
<!--BEGIN NOTES document-->
<HR WIDTH="50%" SIZE=1><DL><DT><A NAME="note1" HREF="#text1"><FONT SIZE=5>1</FONT></A><DD><TT>http://IDEALX.com/</TT>
<BLOCKQUOTE><EM>This document was translated from L<sup>A</sup>T<sub>E</sub>X by
</EM><A HREF="http://pauillac.inria.fr/~maranget/hevea/index.html"><EM>H<FONT SIZE=2><sup>E</sup></FONT>V<FONT SIZE=2><sup>E</sup></FONT>A</EM></A><EM>.