Great job...
Maybe you should think of a better structure for your document, but it's okay
and filled with information... now I have a few questions for you...
What is SID actually used for? Should I set it as UIDNR under Linux?
Do I need the scripts for adding users and changing passwords in smb.conf?
Does PDC mean that Samba is administrating all user accounts and
computer names for Network Neighbourhood? Why is wins proxy set to OFF?
Last but not least - does Samba create your home dirs when users log on?
TIA
SEFEROVIC Edvin
-----Original Message-----
From: samba-bounces+edvin.seferovic=kolp.at@lists.samba.org
[mailto:samba-bounces+edvin.seferovic=kolp.at@lists.samba.org] On Behalf Of
Carl Weiss
Sent: Tuesday, 11 November 2003 01:40
To: samba@lists.samba.org
Subject: [Samba] Samba 3 Redhat 9 Openldap doc
Hello, I'd like to thank you all for helping with my setup of samba3 with LDAP;
here are my notes on configuring samba3 with openldap on redhat 9.
Hopefully this information will help all of you who are trying to perform a
similar setup.
-=Carl=-
this can also be found at:
http://www.carlweiss.com/Samba3-redhat9-openldap.html
Installing Samba 3 With OpenLDAP on Redhat 9
Commands are listed in italics; they can be copied directly to your terminal.
This example shows a configuration of a windows PDC with samba 3 on redhat 9
using openldap.
The example uses test.com as the ldap suffix.
Any comments can be sent to carl@carlweiss.com. Hope this helps.
Check for installed packages
- Redhat Shrike (9) installs many packages from the default install; check to
see what packages your system has.
[root@SAMBA root]# rpm -q openssl cyrus-sasl perl openldap krb5-devel samba samba-client
openssl-0.9.7a-2
cyrus-sasl-2.1.10-4
perl-5.8.0-88
openldap-2.0.27-8
krb5-devel-1.2.7-10
samba-2.2.7a-7.9.0
samba-client-2.2.7a-7.9.0
Remove the samba 2 packages
[root@SAMBA root]# rpm -e samba
[root@SAMBA root]# rpm -e samba-client
# more might be installed. samba-devel etc.
----------------------------------------------------------------------------
Download Software packages
BDB 4.1.25 current release
db-4.1.25.tar.gz
http://www.sleepycat.com/download/index.shtml
openLDAP 2.1.23 current release
openldap-2.1.23.tgz
http://www.openldap.org/software/download/
Samba 3
samba-latest.tar.gz
http://us1.samba.org/samba/download.html
GQ
http://rpmfind.net/linux/RPM/freshrpms/redhat/9/gq/gq-0.6.0-fr2.i386.html
Perl
Convert-ASN1-0.17.tar.gz
http://sourceforge.net/project/showfiles.php?group_id=5050
perl-ldap-0.29.tar.gz
http://sourceforge.net/project/showfiles.php?group_id=5050
IO-Socket-SSL-0.95.tar.gz
http://www.cpan.org/modules/by-module/IO/BEHROOZI/
Net_SSLeay.pm-1.25.tar.gz
http://www.cpan.org/authors/id/S/SA/SAMPO/
smbldap-tools
http://samba.idealx.org/index.en.html
----------------------------------------------------------------------------
Install
-BDB 4.x
-sasl2 --maybe installed verify with rpm -q
-kerberos --maybe installed verify with rpm -q
-openldap 2.1
-Samba 3
Extras
--GQ ldap GUI
--Swat
--smbldap-tools
--Requires
----Perl
---- Convert-ASN1-0.17.tar.gz
---- perl-ldap-0.29.tar.gz
---- IO-Socket-SSL-0.95.tar.gz
---- Net_SSLeay.pm-1.25.tar.gz
Configure
create sldap.conf
copy samba-3.0.0/examples/LDAP/samba.schema from samba source to
/usr/local/etc/openldap/schema
create smb.conf
set smbpasswd -w LDAP_ROOTDN_PASSWORD to store the password for the LDAP rootdn
smbldap_conf.pm --modify scripts as needed.
make and extract the mkntpwd file to /usr/local/sbin/
---To find sid net domainsid
GQ
Setup LDAP for Samba
---create user account for root in ldap with SIDxxxxxxxx-1000 and uid =0
Setup startup scripts
/etc/init.d/smb
/etc/init.d/ldap
make sure they're executable
enable services in chkconfig
Install smbldap-tools
Populate the LDAP database with the default Windows accounts, OUs and groups.
Using smbldap-populate.pl
User management
To add users:
smbldap-useradd.pl -a -P username
-a (add a Samba account) -P prompt for passwd after account is created
To change password:
smbldap-passwd.pl username
To delete User:
smbldap-userdel.pl username
To add computer accounts:
smbldap-useradd.pl -a -w computername
----------------------------------------------------------------------------
Test
On windows computer
Ping the samba server, by ip address, then by name
If the name is not resolving, add the samba server to the windows hosts file,
create an entry in DNS, or set WINS to your samba server (if enabled in
smb.conf).
Log on as administrator to your windows computer and attempt to add the
computer to the samba domain as specified in the smb.conf file.
Log in as administrator and try to change your password.
----------------------------------------------------------------------------
Install
Installing Berkeley Data Base
Download db-4.1.25.tar.gz
tar -zxf db-4.1.25.tar.gz
cd db-4.1.25/dist/
./configure
make
make install
cd ..
Installing OpenLDAP server
download openldap-2.1.23.tgz
tar -zxf openldap-2.1.23.tgz
cd openldap-2.1.23
Copy /usr/local/BerkeleyDB.4.1/include/db.h to /usr/include/db.h
cp /usr/local/BerkeleyDB.4.1/include/db.h /usr/include/db.h
In /etc/ld.so.conf, add the line /usr/local/BerkeleyDB.4.1/lib and run ldconfig.
Configure script, pointing to your krb.h file and your BDB directories:
env CPPFLAGS='-I/usr/local/BerkeleyDB.4.1/include \
-I/usr/kerberos/include' LDFLAGS=-L/usr/local/BerkeleyDB.4.1/lib \
./configure --enable-ldbm --with-tls=openssl
make depend
make
make test #(scripts that will verify the installation)
make install
cd ..
Installing Samba 3
Download samba-latest.tar.gz (at this time it is samba-3.0.0)
tar -zxf samba-latest.tar.gz
cd samba-3.0.0/source/
./configure --with-krb5=/usr/kerberos/ --with-winbind --with-ldap \
--with-logfilebase=/var/log/samba/ --enable-cups --with-ads
make
make install
cd ..
#this might take a while; best to move on and let this run
Additional Installs
GQ - LDAP GUI, very helpful
download gq-0.6.0-fr2.i386.rpm
[root@SAMBA project]# rpm -iv gq-0.6.0-fr2.i386.rpm
To run GQ
[root@SAMBA init.d]# gq &
[1] 28576
smbldap-tools
the tools used to manage smb with LDAP.
The source of Samba 3 comes with these tools located in
samba-3.0.0/examples/LDAP/smbldap-tools
They can also be downloaded from http://www.idealx.org/prj/samba/dist/
Location of Perl Modules
###################
http://www.cpan.org/modules/01modules.index.html
##############################################
Install Perl LDAP and Convert ASN1
These are required for smbldap tools.
Install in the following order.
This can be copied and pasted in your terminal.
Convert-ASN1-0.17.tar.gz
tar -zxf Convert-ASN1-0.17.tar.gz
cd Convert-ASN1-0.17
perl Makefile.PL
make
make test
make install
cd ..
If you want to use TLS or SSL the following packages are needed before Perl
LDAP
Net_SSLeay.pm-1.25.tar.gz
tar -zxf Net_SSLeay.pm-1.25.tar.gz
cd Net_SSLeay.pm-1.25
perl Makefile.PL -t
make install
cd ..
IO-Socket-SSL-0.95.tar.gz
tar -zxf IO-Socket-SSL-0.95.tar.gz
cd IO-Socket-SSL-0.95
perl Makefile.PL
make
make test
make install
cd ..
perl-ldap-0.29.tar.gz
tar -zxf perl-ldap-0.29.tar.gz
cd perl-ldap-0.29
perl Makefile.PL
make
make test
make install
cd ..
Installing SWAT - web management interface for Samba
vi /etc/services #add the following
swat 901/tcp #Insert this line in your /etc/services
vi /etc/xinetd.conf and add this
--snip--
# description: SWAT is the Samba Web Admin Tool. Use swat \
# to configure your Samba server. To use SWAT, \
# connect to port 901 with your favorite web browser.
# Insert in /etc/xinetd.conf
service swat
{
port = 901
socket_type = stream
wait = no
only_from = localhost
user = root
server = /usr/sbin/swat
log_on_failure += USERID
disable = no
}
--snip--
restart xinetd
/etc/init.d/xinetd restart
----------------------------------------------------------------------------
Next Configuring the Services slapd, slurpd, smb, samba
Now we create the startup scripts.
create the file /etc/init.d/ldap and add these contents.
vi /etc/init.d/ldap
----snip-------
#!/bin/sh
#
# ldap This shell script takes care of starting and stopping
# ldap servers (slapd and slurpd).
#
# chkconfig: - 39 61
# description: LDAP stands for Lightweight Directory Access Protocol, used \
# for implementing the industry standard directory services.
# processname: slapd
# config: /usr/local/etc/openldap/slapd.conf
# pidfile: /usr/local/var/slapd.pid
#old pidfile location before cw /var/run/slapd.pid
# Source function library.
. /etc/init.d/functions
# Source networking configuration and check that networking is up.
if [ -r /etc/sysconfig/network ] ; then
. /etc/sysconfig/network
[ ${NETWORKING} = "no" ] && exit 0
fi
# Source an auxiliary options file if we have one, and pick up OPTIONS,
# SLAPD_OPTIONS, and SLURPD_OPTIONS.
if [ -r /etc/sysconfig/ldap ] ; then
. /etc/sysconfig/ldap
fi
slapd=/usr/local/libexec/slapd
slurpd=/usr/local/libexec/slurpd
[ -x ${slapd} ] || exit 0
[ -x ${slurpd} ] || exit 0
RETVAL=0
function start() {
# Start daemons.
prog=`basename ${slapd}`
echo -n $"Starting $prog: "
if grep -q ^TLS /usr/local/etc/openldap/slapd.conf ; then
daemon ${slapd} -u root -h '"ldap:/// ldaps:///"' $OPTIONS $SLAPD_OPTIONS
RETVAL=$?
else
daemon ${slapd} -u root $OPTIONS $SLAPD_OPTIONS
RETVAL=$?
fi
echo
if [ $RETVAL -eq 0 ]; then
if grep -q "^replogfile" /usr/local/etc/openldap/slapd.conf ; then
prog=`basename ${slurpd}`
echo -n $"Starting $prog: "
daemon ${slurpd} $OPTIONS $SLURPD_OPTIONS
RETVAL=$?
echo
fi
fi
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/ldap
return $RETVAL
}
function stop() {
# Stop daemons.
prog=`basename ${slapd}`
echo -n $"Stopping $prog: "
killproc ${slapd}
RETVAL=$?
echo
if [ $RETVAL -eq 0 ]; then
if grep -q "^replogfile" /usr/local/etc/openldap/slapd.conf ; then
prog=`basename ${slurpd}`
echo -n $"Stopping $prog: "
killproc ${slurpd}
RETVAL=$?
echo
fi
fi
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/ldap /usr/local/var/slapd.args
return $RETVAL
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status ${slapd}
if grep -q "^replogfile" /usr/local/etc/openldap/slapd.conf ; then
status ${slurpd}
fi
;;
restart)
stop
start
;;
reload)
killproc ${slapd} -HUP
RETVAL=$?
if [ $RETVAL -eq 0 ]; then
if grep -q "^replogfile" /usr/local/etc/openldap/slapd.conf; then
killproc ${slurpd} -HUP
RETVAL=$?
fi
fi
;;
condrestart)
if [ -f /var/lock/subsys/ldap ] ; then
stop
start
fi
;;
*)
echo $"Usage: $0 {start|stop|restart|status|condrestart}"
RETVAL=1
esac
exit $RETVAL
----snip----
make the script executable
chmod +x /etc/init.d/ldap
#add the service to startup
[root@SAMBA init.d]# chkconfig --list | grep ldap
#no results, add the service
[root@SAMBA init.d]# chkconfig --add ldap
[root@SAMBA init.d]# chkconfig --level 345 ldap on
[root@SAMBA init.d]# chkconfig --list | grep ldap
ldap 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@SAMBA init.d]#
check service
[root@SAMBA init.d]# /etc/init.d/ldap start
Starting slapd: [ OK ]
[root@SAMBA init.d]#
verify it came up with GQ
Click Browse localhost
you should see dc=my-domain,dc=com
this is the default configuration.
Now we're ready to configure LDAP slapd.conf
Samba Startup Script
create the file /etc/init.d/smb
vi /etc/init.d/smb
---snip---
#!/bin/sh
#
# chkconfig: - 91 35
# description: Starts and stops the Samba smbd and nmbd daemons \
# used to provide SMB network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
# Check that smb.conf exists.
[ -f /usr/local/samba/lib/smb.conf ] || exit 0
RETVAL=0
# See how we were called.
case "$1" in
start)
echo -n "Starting SMB services: "
daemon /usr/local/samba/sbin/smbd -D -d 3
RETVAL=$?
echo
echo -n "Starting NMB services: "
daemon /usr/local/samba/sbin/nmbd -D -d 3
RETVAL2=$?
echo
[ $RETVAL -eq 0 -a $RETVAL2 -eq 0 ] && touch /var/lock/subsys/smb || \
RETVAL=1
;;
stop)
echo -n "Shutting down SMB services: "
killproc smbd
RETVAL=$?
echo
echo -n "Shutting down NMB services: "
killproc nmbd
RETVAL2=$?
[ $RETVAL -eq 0 -a $RETVAL2 -eq 0 ] && rm -f /var/lock/subsys/smb
echo ""
;;
restart)
$0 stop
$0 start
RETVAL=$?
;;
reload)
echo -n "Reloading smb.conf file: "
killproc -HUP smbd
RETVAL=$?
echo
;;
status)
status smbd
status nmbd
RETVAL=$?
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 1
esac
exit $RETVAL
---snip----
chmod +x /etc/init.d/smb
[root@SAMBA /]# chkconfig --list | grep smb
[root@SAMBA /]# chkconfig --add smb
[root@SAMBA /]# chkconfig --level 345 smb on
[root@SAMBA /]# chkconfig --list | grep smb
smb 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@SAMBA /]#
Setup LDAP
Copy the necessary schemas to the /usr/local/etc/openldap/schema directory;
we specifically need the samba 3 schema.
The schema can be copied from the samba3 source directory:
cp /samba-3.0.0/examples/LDAP/samba.schema /usr/local/etc/openldap/schema/samba.schema
Now we'll set up the slapd.conf file.
slapd.conf file
--snip-------
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
#
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/samba.schema
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
#######################################################################
# ldbm database definitions
#######################################################################
database bdb
suffix "dc=test,dc=com"
rootdn "cn=Manager,dc=test,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw welcome
#rootpw {MD5}QL5OWbmiorXf+5GMDoaz1w=
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
#################################################################
# Indices to maintain
## required by OpenLDAP
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
## required to support pdb_getsampwnam
index uid pres,sub,eq
## required to support pdb_getsambapwrid()
index displayName pres,sub,eq
## uncomment these if you are storing posixAccount and
## posixGroup entries in the directory as well
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
----snip-----
Configure Samba
Before Samba will start we need to create a /usr/local/samba/lib/smb.conf
testparm will verify the config file
We will have some legacy stuff from the samba 2 install
To remove those files:
rm -f /etc/smb.conf
rm -f /usr/bin/testparm
rm -f /usr/bin/smbpasswd
let's add the samba path to our PATH
add the following to /etc/profile
vi /etc/profile
pathmunge /usr/local/samba/bin
you have to reload your profile for this to take effect
[root@SAMBA .ssh]# su -
[root@SAMBA root]# echo $PATH
/usr/local/samba/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/X11R6/bin:/root/bin
Create the log directory
mkdir /var/log/samba
Sample smb.conf file
vi /usr/local/samba/lib/smb.conf
---snip----
# CTI, Universidad de Navarra
# Ignacio Coupeau 001011.01;
#
[global]
passdb backend = ldapsam
ldap suffix = dc=test,dc=com
ldap machine suffix = ou=COMPUTERS
ldap user suffix = ou=USERS
ldap admin dn = "cn=Manager,dc=test,dc=com"
#not using ssl because this is all happening on the localhost
ldap ssl = no
#ldap ssl = Yes
#ldap ssl = start tls
passwd chat debug = Yes
passwd program =/usr/local/bin/smbldap-passwd.pl -o %u
passwd chat = *new*password* %n\n *new*password:* %n\n *successfully*
#mentioned that these options improve performance
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
######################################################################
######################User Add Scripts################################
add machine script = /usr/local/sbin/smbldap-useradd.pl -a -w "%m"
add user script = /usr/local/sbin/smbldap-useradd.pl -a "%u"
delete user script = /usr/local/sbin/smbldap-useradd.pl -d "%u"
add group script = /usr/local/sbin/smbldap-useradd.pl -a -g "%g"
delete group script = /usr/local/sbin/smbldap-useradd.pl -d -g "%g"
add user to group script = /usr/local/sbin/smbldap-useradd.pl -j -u "%u" -g "%g"
delete user from group script = /usr/local/sbin/smbldap-useradd.pl -j -u "%u" -g "%g"
set primary group script = /usr/local/sbin/smbldap-useradd.pl -m -u "%u" -gid "%g"
#####################################################################
workgroup = SambaGroup
netbios name = SAMBA-PDC
comment = Samba-PDC Server
security = user
null passwords = yes
encrypt passwords = yes
logon script=logon.bat
### These left blank will force local profiles but will not override LDAP config
## if set, LDAP takes precedence.
logon drive =
logon path =
domain master = yes
domain logons = yes
preferred master = yes
os level = 22
wins support = yes
wins proxy = no
log file = /var/log/samba/%m.log
public = No
browseable = yes
writable = No
; necessary share for domain controller
[netlogon]
path = /usr/local/samba/lib/netlogon
locking = no
read only = yes
write list = ntadmin
;test share
[tmp]
path = /tmp
read only = yes
guest ok = yes
; share for storing user profiles
[profiles]
path = /profiles
read only = no
writeable = yes
create mask = 0600
directory mask = 0700
--snip---
Don't forget to set your LDAP password:
set the password for the rootdn,
which in the smb.conf is "cn=Manager,dc=test,dc=com".
[root@SAMBA init.d]# /usr/local/samba/bin/smbpasswd -w welcome
Setting stored password for "cn=Manager,dc=test,dc=com" in secrets.tdb
Installing - Other Applications
smbldap-tools - idealx.org
These files also come packaged with the Samba 3 source code under the
samba-3.0.0/examples/LDAP/smbldap-tools directory.
Read the README!!!
tar -zxf smbldap-tools-0.8.1.tgz
cd smbldap-tools-0.8.1
tar -zxf mkntpwd.tar.gz
cd mkntpwd
make
make install
cp /sbin/mkntpwd /usr/local/sbin/mkntpwd
vi smbldap_conf.pm
configure smbldap_conf.pm to your settings.
Notably your SID, which can be found by running: /usr/local/samba/bin/net getlocalsid
If no SID is returned use:
net setlocalsid S-1-5-21-3516781642-1962875130-3438800523
Your LDAP suffix
Your binddn and password
Copy the files to /usr/local/sbin
cp -Pr smbldap-tools-0.8.1/* /usr/local/sbin/
rm -rf mkntpwd
cp /sbin/mkntpwd /usr/local/sbin/mkntpwd
Allow domain admin to change user from scripts in smb.conf
chmod 753 smbldap_conf.pm
chmod 750 smbldap-useradd.pl
chgrp 512 smbldap_conf.pm smbldap-useradd.pl
Then run the smbldap-populate.pl script. This will create the initial LDAP
entries creating the groups and default user accounts.
Use the command smbldap-useradd.pl to create users
and smbldap-passwd.pl to set their password.
In order for the smbldap scripts to work you need to install perl and the
perl Net::LDAP modules as shown above.
Setup of the smbldap-tools
To add workstations to the domain create an account in LDAP with uid 0 and
sambaSID S-1-5-21...-1000
smbldap-useradd.pl -a -P root
Then open GQ and edit root's properties. GQ must be configured with write
permission; check the GQ section.
Set as follows for the Root user Windows Domain Master account.
uidNumber =0
gidNumber =512
sambaSID = S-1-5-21-3516781642-1962875130-3438800523-1000
Setup groups within Samba
Before setting up group mappings you must set Linux to authenticate to LDAP.
In Redhat you can use authconfig
In order to get NT groups to work you need to create the group mappings.
Copy and paste to create the group mappings.
net groupmap add rid=512 ntgroup="Domain Admins" UNIXgroup="Domain Admins"
net groupmap add rid=513 ntgroup="Domain Users" UNIXgroup="Domain Users"
net groupmap add rid=515 ntgroup="Domain Computers" UNIXgroup="Domain Computers"
net groupmap add rid=514 ntgroup="Domain Guests" UNIXgroup="Domain Guests"
net groupmap list
List current group map
[root@SAMBA bin]# net groupmap list
[root@SAMBA bin]# net groupmap add rid=512 ntgroup="Domain Admins" UNIXgroup="Domain Admins"
Successully added group Domain Admins to the mapping db
[root@SAMBA bin]# net groupmap list
Domain Admins (S-1-5-21-2736449221-2024960558-2283625391-512) -> Domain Admins
[root@SAMBA bin]# net groupmap add rid=513 ntgroup="Domain Users" UNIXgroup="Domain Users"
Successully added group Domain Users to the mapping db
[root@SAMBA bin]# net groupmap list
Domain Admins (S-1-5-21-2736449221-2024960558-2283625391-512) -> Domain Admins
Domain Users (S-1-5-21-2736449221-2024960558-2283625391-513) -> Domain Users
[root@SAMBA bin]# net groupmap add rid=515 ntgroup="Domain Computers" UNIXgroup="Domain Computers"
Successully added group Domain Computers to the mapping db
[root@SAMBA bin]# net groupmap add rid=514 ntgroup="Domain Guests" UNIXgroup="Domain Guests"
Successully added group Domain Guests to the mapping db
[root@SAMBA bin]# net groupmap list
Domain Admins (S-1-5-21-2736449221-2024960558-2283625391-512) -> Domain Admins
Domain Users (S-1-5-21-2736449221-2024960558-2283625391-513) -> Domain Users
Domain Guests (S-1-5-21-2736449221-2024960558-2283625391-514) -> Domain Guests
Domain Computers (S-1-5-21-2736449221-2024960558-2283625391-515) -> Domain Computers
[root@SAMBA bin]#
Setting up GQ with authentication
Start gq
gq &
File -> preferences -> server -> localhost -> edit -> details
Enter your binddn cn=Manager,dc=test,dc=com and password
Now we can add computers following the normal Windows method.
smbldap-useradd.pl
I edited my smbldap-useradd.pl script so that the accounts are created
normally, no startup scripts, or home drive mappings.
----- snip ---
#!/usr/bin/perl -w
# $Id: smbldap-useradd.pl,v 1.32 2003/09/19 12:36:44 jtournier Exp $
#
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose of smbldap-useradd : user (posix,shadow,samba) add
use strict;
use FindBin;
use FindBin qw($RealBin);
use lib "$RealBin/";
use smbldap_tools;
use smbldap_conf;
#####################
use Getopt::Std;
my %Options;
my $ok = getopts('axnmwPG:u:g:d:s:c:k:A:B:C:D:E:F:H:N:S:?', \%Options);
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
print "Usage: $0 [-awmugdsckGPABCDEFH?] username\n";
print " -a is a Windows User (otherwise, Posix stuff only)\n";
print " -w is a Windows Workstation (otherwise, Posix stuff only)\n";
print " -x creates rid and primaryGroupID in hex instead of decimal\n";
print " -u uid\n";
print " -g gid\n";
print " -G supplementary comma-separated groups\n";
print " -n do not create a group\n";
print " -d home\n";
print " -s shell\n";
print " -c gecos\n";
print " -m creates home directory and copies /etc/skel\n";
print " -k skeleton dir (with -m)\n";
print " -P ends by invoking smbldap-passwd.pl\n";
print " -A can change password ? 0 if no, 1 if yes\n";
print " -B must change password ? 0 if no, 1 if yes\n";
print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n";
print " -D sambaHomeDrive (letter associated with home share, like 'H:')\n";
print " -E sambaLogonScript (DOS script to execute on login)\n";
print " -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n";
print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n";
print " -N canonical name\n";
print " -S surname\n";
print " -? show this help message\n";
exit (1);
}
# cause problems when dealing with getpwuid because of the
# negative ttl and ldap modification
my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
system "/etc/init.d/nscd stop > /dev/null 2>&1";
}
# Read options
my $userUidNumber = $Options{'u'};
if (!defined($userUidNumber)) {
my ($highestUID) = get_last_user_ID();
$UID_START = $highestUID + 1;
$userUidNumber = $UID_START;
#print " UID # is ..$UID_START";
# find first unused uid starting from $UID_START
# while (defined(getpwuid($UID_START))) {
# $UID_START++;
# }
#printf "middle UID start $UID_START.\n";
#} elsif (getpwuid($userUidNumber)) {
# die "Uid already exists.\n";
}
#final
#printf "final UID start $UID_START.\n";
if ($nscd_status == 0) {
system "/etc/init.d/nscd start > /dev/null 2>&1";
}
# as rid we use 2 * uid + 1000
my $userRid = 2 * $userUidNumber + 1000;
if (defined($Options{'x'})) {
$userRid = sprintf("%x", $userRid);
}
my $createGroup = 0;
my $userGidNumber = $Options{'g'};
# gid not specified ?
if (!defined($userGidNumber)) {
# windows machine => $_defaultComputerGid
if (defined($Options{'w'})) {
$userGidNumber = $_defaultComputerGid;
# } elsif (!defined($Options{'n'})) {
# create new group (redhat style)
# find first unused gid starting from $GID_START
# while (defined(getgrgid($GID_START))) {
# $GID_START++;
# }
# $userGidNumber = $GID_START;
# $createGroup = 1;
} else {
# user will have gid = $_defaultUserGid
$userGidNumber = $_defaultUserGid;
}
} else {
my $gid;
if (($gid = parse_group($userGidNumber)) < 0) {
print "$0: unknown group $userGidNumber\n";
exit (6);
}
$userGidNumber = $gid;
}
# as grouprid we use 2 * gid + 1001
my $userGroupRid = 2 * $userGidNumber + 1001;
if (defined($Options{'x'})) {
$userGroupRid = sprintf("%x", $userGroupRid);
}
# Read only first @ARGV
my $userName = $ARGV[0];
# untaint $userName (can finish with one or two $)
if ($userName =~ /^([\w -]+\$?)$/) {
$userName = $1;
} else {
print "$0: illegal username\n";
exit (1);
}
# user must not exist in LDAP (should it be nss-wide ?)
my ($rc, $dn) = get_user_dn2($userName);
if ($rc and defined($dn)) {
print "$0: user $userName exists\n";
exit (9);
} elsif (!$rc) {
print "$0: error in get_user_dn2\n";
exit(10);
}
my $userHomeDirectory;
my ($userCN, $userSN);
my $tmp;
if (!defined($userHomeDirectory = $Options{'d'})) {
$userHomeDirectory = $_userHomePrefix."/".$userName;
}
$_userLoginShell = $tmp if (defined($tmp = $Options{'s'}));
$_userGecos = $tmp if (defined($tmp = $Options{'c'}));
$_skeletonDir = $tmp if (defined($tmp = $Options{'k'}));
$userCN = ($Options{'c'} || $userName);
$userCN = $tmp if (defined($tmp = $Options{'N'}));
$userSN = $userName;
$userSN = $tmp if (defined($tmp = $Options{'S'}));
########################
my $ldap_master=connect_ldap_master();
# MACHINE ACCOUNT
if (defined($tmp = $Options{'w'})) {
# add a trailing dollar if missing
if ($userName =~ /[^\$]$/s) {
$userName .= "\$";
}
#print "About to create machine $userName:\n";
if (!add_posix_machine ($userName, $userUidNumber, $userGidNumber)) {
die "$0: error while adding posix account\n";
}
if (!$with_smbpasswd) {
# (jtournier)
# Objectclass sambaSAMAccount is now added directly by samba when joining the domain (for samba3)
# if (!add_samba_machine_mkntpwd($userName, $userUidNumber)) {
# die "$0: error while adding samba account\n";
# }
# } else {
# if (!add_samba_machine($userName)) {
# die "$0: error while adding samba account\n";
# }
my $modify = $ldap_master->modify ( "$dn",
changes => [
replace => [sambaAcctFlags => '[W ]']
]
);
$modify->code && warn "failed to modify entry: ",
$modify->error ;
}
exit 0;
}
# USER ACCOUNT
# add posix account first
my $add = $ldap_master->add ("uid=$userName,$usersdn",
attr => [
'objectclass' => ['top','inetOrgPerson',
'posixAccount'],
'cn' => "$userCN",
'sn' => "$userSN",
'uid' => "$userName",
'uidNumber' => "$userUidNumber",
'gidNumber' => "$userGidNumber",
'homeDirectory' => "$userHomeDirectory",
'loginShell' => "$_userLoginShell",
'gecos' => "$_userGecos",
'description' => "$_userGecos",
'userPassword' => "{crypt}x"
]
);
$add->code && warn "failed to add entry: ", $add->error;
#if ($createGroup) {
# group_add($userName, $userGidNumber);
#}
group_add_user($userGidNumber, $userName);
my $grouplist;
# adds to supplementary groups
if (defined($grouplist = $Options{'G'})) {
add_grouplist_user($grouplist, $userName);
}
# If user was created successfully then we should create his/her home dir
if (defined($tmp = $Options{'m'})) {
unless ( $userName =~ /\$$/ ) {
if ( !(-e $userHomeDirectory) ) {
system "mkdir $userHomeDirectory 2>/dev/null";
system "cp -a $_skeletonDir/.[a-z,A-Z]* $_skeletonDir/* $userHomeDirectory 2>/dev/null";
system "chown -R $userUidNumber:$userGidNumber $userHomeDirectory 2>/dev/null";
system "chmod 700 $userHomeDirectory 2>/dev/null";
}
}
}
# Add Samba user infos
if (defined($Options{'a'})) {
if (!$with_smbpasswd) {
my $winmagic = 2147483647;
my $valpwdcanchange = 0;
my $valpwdmustchange = $winmagic;
my $valacctflags = "[UX]";
if (defined($tmp = $Options{'A'})) {
if ($tmp != 0) {
$valpwdcanchange = "0";
} else {
$valpwdcanchange = "$winmagic";
}
}
if (defined($tmp = $Options{'B'})) {
if ($tmp != 0) {
$valpwdmustchange = "0";
} else {
$valpwdmustchange = "$winmagic";
}
}
if (defined($tmp = $Options{'H'})) {
$valacctflags = "$tmp";
}
my $modify = $ldap_master->modify ( "uid=$userName,$usersdn",
changes => [
add => [objectClass => 'sambaSAMAccount'],
add => [sambaPwdLastSet => '0'],
add => [sambaLogonTime => '0'],
add => [sambaLogoffTime => '2147483647'],
add => [sambaKickoffTime => '2147483647'],
add => [sambaPwdCanChange => "$valpwdcanchange"],
add => [sambaPwdMustChange => "$valpwdmustchange"],
add => [displayName => "$_userGecos"],
add => [sambaAcctFlags => "$valacctflags"],
add => [sambaSID => "$SID-$userRid"]
]
);
$modify->code && die "failed to add entry: ",
$modify->error ;
} else {
my $FILE="|smbpasswd -s -a $userName >/dev/null" ;
open (FILE, $FILE) || die "$!\n";
print FILE <<EOF;
x
x
EOF
;
close FILE;
if ($?) {
print "$0: error adding samba account\n";
exit (10);
}
} # with_smbpasswd
my $valscriptpath = "logon.bat"; #"$userName.cmd";
my $valprofilepath = "$_userProfile$userName";
my $valsmbhome = "$_userSmbHome";
my $valhomedrive = "$_userHomeDrive";
if (defined($tmp = $Options{'C'})) {
$valsmbhome = "$tmp";
}
if (defined($tmp = $Options{'D'})) {
$tmp = $tmp.":" unless ($tmp =~ /:/);
$valhomedrive = "$tmp";
}
if (defined($tmp = $Options{'E'})) {
$valscriptpath = "$tmp";
}
if (defined($tmp = $Options{'F'})) {
$valprofilepath = "$tmp";
}
my $modify = $ldap_master->modify ( "uid=$userName,$usersdn",
changes => [
add => [sambaPrimaryGroupSID => "$SID-$userGroupRid"],
# add => [sambaHomeDrive => "$valhomedrive"],
# add => [sambaHomePath => "$valsmbhome"],
# add => [sambaProfilePath => "$valprofilepath"],
# add => [sambaLogonScript => "$valscriptpath"],
add => [sambaLMPassword => 'XXX'],
add => [sambaNTPassword => 'XXX']
]
);
$modify->code && die "failed to add entry: ",
$modify->error ;
}
$ldap_master->unbind; # take down session
if (defined($Options{'P'})) {
exec "/usr/local/bin/smbldap-passwd.pl $userName"
}
exit 0;
########################################
=head1 NAME
smbldap-useradd.pl - Create a new user or update default new
user information
=head1 SYNOPSIS
smbldap-useradd.pl [-c comment] [-d home_dir]
[-g initial_group] [-G group[,...]]
[-m [-k skeleton_dir]]
[-s shell] [-u uid [ -o]] [-P]
[-A canchange] [-B mustchange] [-C smbhome]
[-D homedrive] [-E scriptpath] [-F profilepath]
[-H acctflags] login
=head1 DESCRIPTION
Creating New Users
The smbldap-useradd.pl command creates a new user account using
the values specified on the command line and the default
values from the system.
The new user account will be entered into the system
files as needed, the home directory will be created, and
initial files copied, depending on the command line options.
You have to use smbldap-passwd to set the user password.
For Samba users, rid is 2*uidNumber+1000, and primaryGroupID
is 2*gidNumber+1001. Thus you may want to use
smbldap-useradd.pl -a -g "Domain Admins" -u 500 Administrator
to create a sambaDomainName administrator (admin rid is 0x1F4 = 500 and
grouprid is 0x200 = 512)
Without any option, the account created will be an Unix (Posix)
account. The following options may be used to add information:
-a The user will have a Samba account (and Unix).
-w Creates an account for a Samba machine (Workstation), so that
it can join a sambaDomainName.
-x Creates rid and primaryGroupID in hex (for Samba 2.2.2 bug). Else
decimal (2.2.2 patched from cvs or 2.2.x, x > 2)
-c comment
The new user's comment field (gecos).
-d home_dir
The new user will be created using home_dir as the value for the
user's login directory. The default is to append the login name
to default_home and use that as the login directory name.
-g initial_group
The group name or number of the user's initial login group. The
group name must exist. A group number must refer to an already
existing group. The default group number is 1.
-G group,[...]
A list of supplementary groups which the user is also a member
of. Each group is separated from the next by a comma, with no
intervening whitespace. The groups are subject to the same
restrictions as the group given with the -g option. The default
is for the user to belong only to the initial group.
-m The user's home directory will be created if it does not exist.
The files contained in skeleton_dir will be copied to the home
directory if the -k option is used, otherwise the files contained
in /etc/skel will be used instead. Any directories contained
in skeleton_dir or /etc/skel will be created in the
user's home directory as well. The -k option is only valid in
conjunction with the -m option. The default is to not create
the directory and to not copy any files.
-s shell
The name of the user's login shell. The default is to leave
this field blank, which causes the system to select the default
login shell.
-u uid The numerical value of the user's ID. This value must be
unique, unless the -o option is used. The value must be
non-negative. The default is to use the smallest ID value greater
than 1000 and greater than every other user.
-P ends by invoking smbldap-passwd.pl
-A can change password ? 0 if no, 1 if yes
-B must change password ? 0 if no, 1 if yes
-C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')
-D sambaHomeDrive (letter associated with home share, like 'H:')
-E sambaLogonScript, relative to the [netlogon] share (DOS script to execute
on login, like 'foo.bat')
-F sambaProfilePath (profile directory, like
'\\\\PDC-SRV\\profiles\\foo')
-H sambaAcctFlags, spaces and trailing bracket are ignored (samba account
control bits like '[NDHTUMWSLKI]')
-N canonical name (defaults to gecos or username, if gecos not set)
-S surname (defaults to username)
=head1 SEE ALSO
useradd(1)
=cut
#'
---- snip ----
--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
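Added example, not code from Carl's post or from the IDEALX smbldap-tools: the script and its POD above fix the SID layout of every account (rid = 2*uidNumber + 1000, group rid = 2*gidNumber + 1001, both appended to the domain SID), while root's SID is typed into GQ by hand and the domain SID itself comes from `net getlocalsid` / `net setlocalsid`. The POSIX shell below makes that layout checkable: it recomputes the sambaSID an entry should carry and flags entries whose SID does not belong to this PDC's domain SID or does not follow the scheme. DOMAIN_SID is the value the post passes to `net setlocalsid`; the LDIF entries are constructed samples (the `-x` hex mode of the script is not handled).

```shell
#!/bin/sh
# Added example, not from the original post: audits Samba account entries
# against the RID scheme smbldap-useradd.pl uses (rid = 2*uidNumber + 1000,
# group rid = 2*gidNumber + 1001) and against the PDC's own domain SID.
# DOMAIN_SID is the value the post passes to `net setlocalsid`; the LDIF
# entries at the bottom are constructed sample data, not a real directory.

DOMAIN_SID='S-1-5-21-3516781642-1962875130-3438800523'

# sambaSID smbldap-useradd.pl assigns to a uidNumber (decimal mode only).
user_sid() {   # $1 = uidNumber
    echo "${DOMAIN_SID}-$(( 2 * $1 + 1000 ))"
}

# sambaPrimaryGroupSID smbldap-useradd.pl assigns to a gidNumber.
group_sid() {  # $1 = gidNumber
    echo "${DOMAIN_SID}-$(( 2 * $1 + 1001 ))"
}

# Succeeds only if $1 has the form "<DOMAIN_SID>-<decimal rid>".
sid_in_domain() {
    case "$1" in
        "${DOMAIN_SID}-"[0-9]*) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Reads one LDIF entry on stdin, prints one line per finding and returns
# the number of findings (0 means the entry is consistent).
audit_entry() {
    uid=''; uidnum=''; sid=''; pgsid=''
    while IFS= read -r line; do
        case "$line" in
            "uid: "*)                  uid=${line#uid: } ;;
            "uidNumber: "*)            uidnum=${line#uidNumber: } ;;
            "sambaSID: "*)             sid=${line#sambaSID: } ;;
            "sambaPrimaryGroupSID: "*) pgsid=${line#sambaPrimaryGroupSID: } ;;
        esac
    done
    problems=0
    if [ -z "$sid" ]; then
        echo "$uid: no sambaSID (POSIX-only entry; smbldap-useradd.pl -a not used)"
        problems=$((problems + 1))
    elif ! sid_in_domain "$sid"; then
        echo "$uid: sambaSID $sid is not in domain $DOMAIN_SID"
        problems=$((problems + 1))
    elif [ -z "$uidnum" ]; then
        echo "$uid: sambaSID present but no uidNumber to check it against"
        problems=$((problems + 1))
    elif [ "$sid" != "$(user_sid "$uidnum")" ]; then
        echo "$uid: sambaSID $sid does not follow the scheme ($(user_sid "$uidnum") expected for uidNumber $uidnum)"
        problems=$((problems + 1))
    fi
    if [ -n "$pgsid" ] && ! sid_in_domain "$pgsid"; then
        echo "$uid: sambaPrimaryGroupSID $pgsid is not in domain $DOMAIN_SID"
        problems=$((problems + 1))
    fi
    return $problems
}

# Constructed sample: root as the post configures it through GQ (rid 1000).
audit_entry <<EOF && echo "root: consistent with domain SID and RID scheme"
dn: uid=root,ou=USERS,dc=test,dc=com
uid: root
uidNumber: 0
gidNumber: 512
sambaSID: ${DOMAIN_SID}-1000
EOF

# Constructed sample: an entry whose SIDs were issued under a different local SID.
audit_entry <<EOF || echo "stale: $? finding(s)"
dn: uid=stale,ou=USERS,dc=test,dc=com
uid: stale
uidNumber: 1001
sambaSID: S-1-5-21-2736449221-2024960558-2283625391-3002
sambaPrimaryGroupSID: S-1-5-21-2736449221-2024960558-2283625391-2027
EOF
```

Feed audit_entry one entry at a time (blank-line separated LDIF, for example from `ldapsearch -x -LLL -b dc=test,dc=com '(sambaSID=*)'`, split on blank lines) after any change to the local SID or any manual edit in GQ; an entry that fails the domain-SID check will never match the group mappings created with `net groupmap add`, since those carry the current local SID.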
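Added example, not code from Carl's post: the slapd.conf above stores `rootpw welcome` in cleartext right under the OpenLDAP comment that says to avoid exactly that (slappasswd(8)), and the smb.conf sets `ldap ssl = no` (acceptable, as the post notes, only because slapd is on the same host) and `null passwords = yes`. The POSIX shell below reads both files the way a post-install review would and reports those settings; the two sample files are constructed from the post's listings by write_samples(), so nothing here touches a live system.

```shell
#!/bin/sh
# Added example, not from the original post: checks the two files the post
# creates for settings its own samples flag as weak. slapd.conf stores
# `rootpw welcome` in cleartext, which the OpenLDAP comment above it says to
# avoid (see slappasswd(8)); smb.conf sets `ldap ssl = no` and
# `null passwords = yes`. The sample files are constructed from the post's
# listings by write_samples(); nothing here touches a live system.

# First value of a slapd.conf directive (directives are whitespace separated).
slapd_directive() {   # $1 = file, $2 = directive name
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Value of an smb.conf parameter inside [global], lower-cased, with the
# whitespace around "=" stripped; empty if the parameter is absent.
smb_param() {         # $1 = file, $2 = parameter name
    awk -v k="$2" -F= '
        /^[ \t]*\[/ { section = $0; next }
        section ~ /\[global\]/ && $1 !~ /^[ \t]*[#;]/ {
            key = $1; gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == k) { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
        }' "$1" | tr 'A-Z' 'a-z'
}

# Returns 0 if rootpw is stored hashed ({SSHA}, {CRYPT}, {MD5}, ...), 1 if it
# is cleartext, 2 if slapd.conf has no rootpw line at all.
rootpw_status() {     # $1 = slapd.conf
    pw=$(slapd_directive "$1" rootpw)
    [ -n "$pw" ] || return 2
    case "$pw" in
        "{"[A-Za-z0-9]*"}"*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Prints one line per weak [global] setting and returns how many were found.
smb_findings() {      # $1 = smb.conf
    n=0
    if [ "$(smb_param "$1" "ldap ssl")" = "no" ]; then
        echo "ldap ssl = no: the ldap admin dn bind is unencrypted; only acceptable while slapd is reached over localhost"
        n=$((n + 1))
    fi
    if [ "$(smb_param "$1" "null passwords")" = "yes" ]; then
        echo "null passwords = yes: accounts with an empty password are allowed to log on"
        n=$((n + 1))
    fi
    return $n
}

# Writes constructed copies of the post's slapd.conf and smb.conf into $1.
write_samples() {
    cat > "$1/slapd.conf" <<'EOF'
include /usr/local/etc/openldap/schema/samba.schema
database bdb
suffix "dc=test,dc=com"
rootdn "cn=Manager,dc=test,dc=com"
rootpw welcome
#rootpw {MD5}QL5OWbmiorXf+5GMDoaz1w=
directory /usr/local/var/openldap-data
EOF
    cat > "$1/smb.conf" <<'EOF'
[global]
passdb backend = ldapsam
ldap admin dn = "cn=Manager,dc=test,dc=com"
ldap ssl = no
null passwords = yes
encrypt passwords = yes
[netlogon]
path = /usr/local/samba/lib/netlogon
read only = yes
EOF
}

TMP=$(mktemp -d)
write_samples "$TMP"
if rootpw_status "$TMP/slapd.conf"; then
    echo "slapd.conf: rootpw is hashed"
else
    echo "slapd.conf: rootpw is cleartext or missing; generate a hash with: slappasswd -h '{SSHA}'"
fi
n=0
smb_findings "$TMP/smb.conf" || n=$?
echo "smb.conf: $n weak setting(s)"
rm -rf "$TMP"
```

Run the two checks against /usr/local/etc/openldap/slapd.conf and /usr/local/samba/lib/smb.conf after the edits the post describes; the rootpw hash produced by slappasswd replaces the `rootpw welcome` line, and the same cleartext password is still what `smbpasswd -w` stores in secrets.tdb, so that step has to be repeated if the rootdn password is changed at the same time.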