3 # $Id: smbldap-useradd,v 1.27 2005/05/27 14:21:00 jtournier Exp $
5 # This code was developped by IDEALX (http://IDEALX.org/) and
6 # contributors (their names can be found in the CONTRIBUTORS file).
8 # Copyright (C) 2002 IDEALX
10 # This program is free software; you can redistribute it and/or
11 # modify it under the terms of the GNU General Public License
12 # as published by the Free Software Foundation; either version 2
13 # of the License, or (at your option) any later version.
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
20 # You should have received a copy of the GNU General Public License
21 # along with this program; if not, write to the Free Software
22 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
25 # Purpose of smbldap-useradd : user (posix,shadow,samba) add
30 use FindBin qw($RealBin);
40 my $ok = getopts('o:anmwiPG:u:g:d:s:c:k:t:A:B:C:D:E:F:H:M:N:S:T:?', \%Options);
42 if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
44 print "Usage: $0 [-awmugdsckABCDEFGHMNPST?] username\n";
45 print " -o add the user in the organizational unit (relative to the user suffix)\n";
46 print " -a is a Windows User (otherwise, Posix stuff only)\n";
47 print " -w is a Windows Workstation (otherwise, Posix stuff only)\n";
48 print " -i is a trust account (Windows Workstation)\n";
51 print " -G supplementary comma-separated groups\n";
52 print " -n do not create a group\n";
56 print " -m creates home directory and copies /etc/skel\n";
57 print " -k skeleton dir (with -m)\n";
58 print " -t time. Wait 'time' seconds before exiting (when adding Windows Workstation)\n";
59 print " -P ends by invoking smbldap-passwd\n";
60 print " -A can change password ? 0 if no, 1 if yes\n";
61 print " -B must change password ? 0 if no, 1 if yes\n";
62 print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n";
63 print " -D sambaHomeDrive (letter associated with home share, like 'H:')\n";
64 print " -E sambaLogonScript (DOS script to execute on login)\n";
65 print " -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n";
66 print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n";
67 print " -N canonical name\n";
68 print " -S surname\n";
69 print " -M local mailAddress (comma seperated)\n";
70 print " -T mailToAddress (forward address) (comma seperated)\n";
71 print " -? show this help message\n";
75 my $ldap_master=connect_ldap_master();
78 # cause problems when dealing with getpwuid because of the
79 # negative ttl and ldap modification
80 my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
82 if ($nscd_status == 0) {
83 system "/etc/init.d/nscd stop > /dev/null 2>&1";
87 # Read only first @ARGV
88 my $userName = $ARGV[0];
90 # For computers account, add a trailing dollar if missing
91 if (defined($Options{'w'})) {
92 if ($userName =~ /[^\$]$/s) {
97 # untaint $userName (can finish with one or two $)
98 if ($userName =~ /^([\w -.]+\$?)$/) {
101 print "$0: illegal username\n";
105 # user must not exist in LDAP (should it be nss-wide ?)
106 my ($rc, $dn) = get_user_dn2($userName);
107 if ($rc and defined($dn)) {
108 print "$0: user $userName exists\n";
111 print "$0: error in get_user_dn2\n";
116 # we create the user in the specified ou (relative to the users suffix)
117 my $user_ou=$Options{'o'};
118 if (defined $user_ou) {
119 $config{usersdn}="$user_ou,$config{usersdn}";
122 my $userUidNumber = $Options{'u'};
123 if (!defined($userUidNumber)) {
124 $userUidNumber=get_next_id($config{usersdn},"uidNumber");
125 } elsif (getpwuid($userUidNumber)) {
126 die "Uid already exists.\n";
129 if ($nscd_status == 0) {
130 system "/etc/init.d/nscd start > /dev/null 2>&1";
134 my $userGidNumber = $Options{'g'};
135 # gid not specified ?
136 if (!defined($userGidNumber)) {
137 # windows machine => $config{defaultComputerGid}
138 if (defined($Options{'w'})) {
139 $userGidNumber = $config{defaultComputerGid};
140 # } elsif (!defined($Options{'n'})) {
141 # create new group (redhat style)
142 # find first unused gid starting from $config{GID_START}
143 # while (defined(getgrgid($config{GID_START}))) {
144 # $config{GID_START}++;
146 # $userGidNumber = $config{GID_START};
151 # user will have gid = $config{defaultUserGid}
152 $userGidNumber = $config{defaultUserGid};
156 if (($gid = parse_group($userGidNumber)) < 0) {
157 print "$0: unknown group $userGidNumber\n";
160 $userGidNumber = $gid;
167 if (defined $Options{'a'} or defined $Options{'i'}) {
168 # as grouprid we use the value of the sambaSID attribute for
169 # group of gidNumber=$userGidNumber
170 $group_entry = read_group_entry_gid($userGidNumber);
171 $userGroupSID = $group_entry->get_value('sambaSID');
172 unless ($userGroupSID) {
173 print "Error: SID not set for unix group $userGidNumber\n";
174 print "check if your unix group is mapped to an NT group\n";
178 # as rid we use 2 * uid + 1000
179 $userRid = 2 * $userUidNumber + 1000;
180 # let's test if this SID already exist
181 $user_sid="$config{SID}-$userRid";
182 my $test_exist_sid=does_sid_exist($user_sid,$config{usersdn});
183 if ($test_exist_sid->count == 1) {
184 print "User SID already owned by\n";
185 # there should not exist more than one entry, but ...
186 foreach my $entry ($test_exist_sid->all_entries) {
195 my $userHomeDirectory;
196 my ($userCN, $userSN);
200 if (!defined($userHomeDirectory = $Options{'d'})) {
201 $userHomeDirectory = &subst_user($config{userHome}, $userName);
203 $userHomeDirectory=~s/\/\//\//;
204 $config{userLoginShell} = $tmp if (defined($tmp = $Options{'s'}));
205 $config{userGecos} = $tmp if (defined($tmp = $Options{'c'}));
206 $config{skeletonDir} = $tmp if (defined($tmp = $Options{'k'}));
207 $userCN = ($Options{'c'} || $userName);
208 $userCN = $tmp if (defined($tmp = $Options{'N'}));
210 $userSN = $tmp if (defined($tmp = $Options{'S'}));
211 @userMailLocal = &split_arg_comma($Options{'M'});
212 @userMailTo = &split_arg_comma($Options{'T'});
214 ########################
217 if (defined($Options{'w'}) or defined($Options{'i'})) {
219 #print "About to create machine $userName:\n";
221 if (!add_posix_machine ($userName,$userUidNumber,$userGidNumber,$Options{'t'})) {
222 die "$0: error while adding posix account\n";
225 if (defined($Options{'i'})) {
226 # For machine trust account
227 # Objectclass sambaSAMAccount must be added now !
232 print "New password : ";
233 chomp($pass=<STDIN>);
238 print "Retype new password : ";
239 chomp($pass2=<STDIN>);
243 if ($pass ne $pass2) {
244 print "New passwords don't match!\n";
247 my ($lmpassword,$ntpassword) = ntlmgen $pass;
249 my $modify = $ldap_master->modify ( "uid=$userName,$config{computersdn}",
251 replace => [objectClass => ['inetOrgPerson', 'posixAccount', 'sambaSAMAccount']],
252 add => [sambaLogonTime => '0'],
253 add => [sambaLogoffTime => '2147483647'],
254 add => [sambaKickoffTime => '2147483647'],
255 add => [sambaPwdCanChange => '0'],
256 add => [sambaPwdMustChange => '2147483647'],
257 add => [sambaPwdLastSet => "$date"],
258 add => [sambaAcctFlags => '[I ]'],
259 add => [sambaLMPassword => "$lmpassword"],
260 add => [sambaNTPassword => "$ntpassword"],
261 add => [sambaSID => "$user_sid"],
262 add => [sambaPrimaryGroupSID => "$config{SID}-515"]
266 $modify->code && die "failed to add entry: ", $modify->error ;
269 $ldap_master->unbind;
274 # add posix account first
276 my $add = $ldap_master->add ("uid=$userName,$config{usersdn}",
278 'objectclass' => ['top','inetOrgPerson','posixAccount','shadowAccount'],
281 'uid' => "$userName",
282 'uidNumber' => "$userUidNumber",
283 'gidNumber' => "$userGidNumber",
284 'homeDirectory' => "$userHomeDirectory",
285 'loginShell' => "$config{userLoginShell}",
286 'gecos' => "$config{userGecos}",
287 'description' => "$config{userGecos}",
288 'userPassword' => "{crypt}x"
292 $add->code && warn "failed to add entry: ", $add->error ;
296 # group_add($userName, $userGidNumber);
299 group_add_user($userGidNumber, $userName);
302 # adds to supplementary groups
303 if (defined($grouplist = $Options{'G'})) {
304 add_grouplist_user($grouplist, $userName);
307 # If user was created successfully then we should create his/her home dir
308 if (defined($tmp = $Options{'m'})) {
309 unless ( $userName =~ /\$$/ ) {
310 if ( !(-e $userHomeDirectory) ) {
311 system "mkdir $userHomeDirectory 2>/dev/null";
312 system "cp -a $config{skeletonDir}/.[a-z,A-Z]* $config{skeletonDir}/* $userHomeDirectory 2>/dev/null";
313 system "chown -R $userUidNumber:$userGidNumber $userHomeDirectory 2>/dev/null";
314 if (defined $config{userHomeDirectoryMode}) {
315 system "chmod $config{userHomeDirectoryMode} $userHomeDirectory 2>/dev/null";
317 system "chmod 700 $userHomeDirectory 2>/dev/null";
323 # we start to defined mail adresses if option M or T is given in option
325 if (@userMailLocal) {
327 foreach my $m (@userMailLocal) {
328 my $domain = $config{mailDomain};
329 if ($m =~ /^(.+)@/) {
331 # mailLocalAddress contains only the first part
334 push(@mail, $m.($domain ? '@'.$domain : ''));
337 push(@adds, 'mailLocalAddress' => [ @userMailLocal ]);
338 push(@adds, 'mail' => [ @mail ]);
341 push(@adds, 'mailRoutingAddress' => [ @userMailTo ]);
343 if (@userMailLocal || @userMailTo) {
344 push(@adds, 'objectClass' => 'inetLocalMailRecipient');
347 # Add Samba user infos
348 if (defined($Options{'a'})) {
349 if (!$config{with_smbpasswd}) {
351 my $winmagic = 2147483647;
352 my $valpwdcanchange = 0;
353 my $valpwdmustchange = $winmagic;
354 my $valpwdlastset = 0;
355 my $valacctflags = "[UX]";
357 if (defined($tmp = $Options{'A'})) {
359 $valpwdcanchange = "0";
361 $valpwdcanchange = "$winmagic";
365 if (defined($tmp = $Options{'B'})) {
367 $valpwdmustchange = "0";
368 # To force a user to change his password:
369 # . the attribut sambaPwdLastSet must be != 0
370 # . the attribut sambaAcctFlags must not match the 'X' flag
371 $valpwdlastset=$winmagic;
372 $valacctflags = "[U]";
374 $valpwdmustchange = "$winmagic";
378 if (defined($tmp = $Options{'H'})) {
379 $valacctflags = "$tmp";
383 my $modify = $ldap_master->modify ( "uid=$userName,$config{usersdn}",
385 add => [objectClass => 'sambaSAMAccount'],
386 add => [sambaPwdLastSet => "$valpwdlastset"],
387 add => [sambaLogonTime => '0'],
388 add => [sambaLogoffTime => '2147483647'],
389 add => [sambaKickoffTime => '2147483647'],
390 add => [sambaPwdCanChange => "$valpwdcanchange"],
391 add => [sambaPwdMustChange => "$valpwdmustchange"],
392 add => [displayName => "$config{userGecos}"],
393 add => [sambaAcctFlags => "$valacctflags"],
394 add => [sambaSID => "$config{SID}-$userRid"]
398 $modify->code && die "failed to add entry: ", $modify->error ;
401 my $FILE="|smbpasswd -s -a $userName >/dev/null" ;
402 open (FILE, $FILE) || die "$!\n";
410 print "$0: error adding samba account\n";
415 $tmp = defined($Options{'E'}) ? $Options{'E'} : $config{userScript};
416 my $valscriptpath = &subst_user($tmp, $userName);
418 $tmp = defined($Options{'C'}) ? $Options{'C'} : $config{userSmbHome};
419 my $valsmbhome = &subst_user($tmp, $userName);
421 my $valhomedrive = defined($Options{'D'}) ? $Options{'D'} : $config{userHomeDrive};
422 # if the letter is given without the ":" symbol, we add it
423 $valhomedrive .= ':' if ($valhomedrive && $valhomedrive !~ /:$/);
425 $tmp = defined($Options{'F'}) ? $Options{'F'} : $config{userProfile};
426 my $valprofilepath = &subst_user($tmp, $userName);
429 push(@adds, 'sambaHomeDrive' => $valhomedrive);
432 push(@adds, 'sambaHomePath' => $valsmbhome);
435 if ($valprofilepath) {
436 push(@adds, 'sambaProfilePath' => $valprofilepath);
438 if ($valscriptpath) {
439 push(@adds, 'sambaLogonScript' => $valscriptpath);
441 push(@adds, 'sambaPrimaryGroupSID' => $userGroupSID);
442 push(@adds, 'sambaLMPassword' => "XXX");
443 push(@adds, 'sambaNTPassword' => "XXX");
444 my $modify = $ldap_master->modify ( "uid=$userName,$config{usersdn}",
450 $modify->code && die "failed to add entry: ", $modify->error ;
453 $ldap_master->unbind; # take down session
456 if (defined($Options{'P'})) {
457 exec "$RealBin/smbldap-passwd $userName"
462 ########################################
466 smbldap-useradd - Create a new user
470 smbldap-useradd [-o user_ou] [-c comment] [-d home_dir] [-g initial_group] [-G group[,...]] [-m [-k skeleton_dir]] [-s shell] [-u uid [ -o]] [-P] [-A canchange] [-B mustchange] [-C smbhome] [-D homedrive] [-E scriptpath] [-F profilepath] [-H acctflags] login
475 The smbldap-useradd command creates a new user account using the values specified on the command line and the default values from the system and from the configuration files (in /etc/smbldap-tools directory).
477 For Samba users, rid is '2*uidNumber+1000', and sambaPrimaryGroupSID is '$SID-2*gidNumber+1001', where $SID is the domain SID. Thus you may want to use :
478 $ smbldap-useradd -a -g "Domain Admins" -u 500 Administrator
479 to create an domain administrator account (admin rid is 0x1F4 = 500 and grouprid is 0x200 = 512).
481 Without any option, the account created will be an Unix (Posix) account. The following options may be used to add information:
484 The user's account will be created in the specified organazional unit. It is relative to the user suffix dn ($usersdn) defined in the configuration file.
487 The user will have a Samba account (and Unix).
490 Creates an account for a Samba machine (Workstation), so that it can join a sambaDomainName.
493 Creates an interdomain trust account (machine Workstation). A password will be asked for the trust account.
496 The new user's comment field (gecos).
499 The new user will be created using home_dir as the value for the user's login directory. The default is to append the login name to userHomePrefix (defined in the configuration file) and use that as the login directory name.
502 The group name or number of the user's initial login group. The group name must exist. A group number must refer to an already existing group. The default group number is defined in the configuration file (defaultUserGid="513").
505 A list of supplementary groups which the user is also a member of. Each group is separated to the next by a comma, with no intervening whitespace. The groups are subject to the same restrictions as the group given with the -g option. The default is for the user to belong only to the initial group.
508 The user's home directory will be created if it does not exist. The files contained in skeletonDir will be copied to the home directory if the -k option is used, otherwise the files contained in /etc/skel will be used instead. Any directories contained in skeletonDir or /etc/skel will be created in the user's home directory as well. The -k option is only valid in conjunction with the -m option. The default is to not create the directory and to not copy any files.
511 The name of the user's login shell. The default is to leave this field blank, which causes the system to select the default login shell.
514 Wait <time> seconds before exiting script when adding computer's account. This is useful when Master/PDC and Slaves/BDCs are connected through the internet (replication is not real time)
517 The numerical value of the user's ID. This value must be unique, unless the -o option is used. The value must be nonnegative. The default is to use the smallest ID value greater than 1000 and greater than every other user.
520 ends by invoking smbldap-passwd
523 can change password ? 0 if no, 1 if yes
526 must change password ? 0 if no, 1 if yes
529 SMB home share, like '\\\\PDC-SRV\\homes'
532 letter associated with home share, like 'H:'
535 relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat'
538 profile directory, like '\\\\PDC-SRV\\profiles\\foo'
541 spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]'
543 -M local mail aliases (multiple addresses are seperated by spaces)
546 defaults to gecos or username, if gecos not set
551 -T mailToAddress (forward address) (multiple addresses are seperated by spaces)
553 -n do not print banner message