rpms/smbldap-tools
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update to 0.9.10

Browse Source 
smbldap-tools-slapd.conf: added missing indexes [release 0.9.10-1mamba;Fri Jul 19 2013]
This commit is contained in:
Silvan Calarco 2024-01-05 17:53:18 +01:00
parent 91b42815aa
commit 94f1eab138
8 changed files with 638 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -1,2 +1,6 @@
# smbldap-tools # smbldap-tools
Smbldap-tools is a set of perl scripts designed to manage user and group accounts stored in an LDAP directory. They can be used both by users and administrators of Linux systems:
* administrators can perform users and groups management operations, in a way similar to the standard useradd or groupmod commands
* users can change their LDAP password from the command line and get/change personnal informations

57
smbldap-tools-0.9.10-administrator_and_guest.patch Normal file
View File

@ -0,0 +1,57 @@
diff -Nru smbldap-tools-0.9.10/smbldap-populate.pl smbldap-tools-0.9.10.patched/smbldap-populate.pl
--- smbldap-tools-0.9.10/smbldap-populate.pl 2012-03-05 09:59:44.000000000 +0100
+++ smbldap-tools-0.9.10.patched/smbldap-populate.pl 2013-07-19 12:41:41.328175838 +0200
@@ -48,13 +48,13 @@
print_banner;
print "Usage: $0 [-abegiklmru?] [ldif]\n";
print " -a user administrator login name (default: root)\n";
- print " -b user guest login name (default: nobody)\n";
+ print " -b user guest login name (default: guest)\n";
print " -e file export ldif file\n";
print " -g gidNumber first uidNumber to allocate (default: 1000)\n";
print " -i file import ldif file\n";
- print " -k uidNumber administrator's uidNumber (default: 0)\n";
- print " -l uidNumber guest's uidNumber (default: 999)\n";
- print " -m gidNumber administrator's gidNumber (default: 0)\n";
+ print " -k uidNumber administrator's uidNumber (default: 65400)\n";
+ print " -l uidNumber guest's uidNumber (default:65401)\n";
+ print " -m gidNumber administrator's gidNumber (default: 512)\n";
print " -r ridNumber first sambaNextRid to allocate (default: 1000)\n";
print " -R ridBase sambaAlgorithmicRidBase (none)\n";
print " -u uidNumber first uidNumber to allocate (default: 1000)\n";
@@ -97,7 +97,7 @@
my $guestName = $Options{'b'};
if (!defined($guestName)) {
- $guestName = "nobody";
+ $guestName = "guest";
}
my $adminUidNumber=$Options{'k'};
@@ -114,7 +114,7 @@
my $guestUidNumber=$Options{'l'};
my $guestRid = 501;
if (!defined($guestUidNumber)) {
- $guestUidNumber = "999";
+ $guestUidNumber = "65401";
} else {
if (defined($algorithmicRidBase)) {
## For backward compatibility with smbldap-tools 0.9.6 and older
@@ -124,7 +124,7 @@
my $adminGidNumber=$Options{'m'};
if (!defined($adminGidNumber)) {
- $adminGidNumber = "0";
+ $adminGidNumber = "512";
}
print "Populating LDAP directory for domain $domain ($config{SID})\n";
@@ -261,7 +261,7 @@
sambaNTPassword => "XXX",
sambaAcctFlags => "[U ]",
sambaSID => "$config{SID}-$adminRid",
- loginShell => "/bin/false",
+ loginShell => "/bin/bash",
gecos => "Netbios Domain Administrator",
);
push(@entries, $entry);

49
smbldap-tools-0.9.10-fix_minUidGid.patch Normal file
View File

@ -0,0 +1,49 @@
diff -Nru smbldap-tools-0.9.10.orig/smbldap-populate.pl smbldap-tools-0.9.10/smbldap-populate.pl
--- smbldap-tools-0.9.10.orig/smbldap-populate.pl 2013-07-19 12:44:07.021667805 +0200
+++ smbldap-tools-0.9.10/smbldap-populate.pl 2013-07-19 12:49:28.371837517 +0200
@@ -50,14 +50,14 @@
print " -a user administrator login name (default: root)\n";
print " -b user guest login name (default: guest)\n";
print " -e file export ldif file\n";
- print " -g gidNumber first uidNumber to allocate (default: 1000)\n";
+ print " -g gidNumber first uidNumber to allocate (default: 10000)\n";
print " -i file import ldif file\n";
print " -k uidNumber administrator's uidNumber (default: 65400)\n";
print " -l uidNumber guest's uidNumber (default:65401)\n";
print " -m gidNumber administrator's gidNumber (default: 512)\n";
- print " -r ridNumber first sambaNextRid to allocate (default: 1000)\n";
- print " -R ridBase sambaAlgorithmicRidBase (none)\n";
- print " -u uidNumber first uidNumber to allocate (default: 1000)\n";
+ print " -r ridNumber first sambaNextRid to allocate (default: 10000)\n";
+ print " -R ridBase sambaAlgorithmicRidBase (10000)\n";
+ print " -u uidNumber first uidNumber to allocate (default: 10000)\n";
print " -? show this help message\n";
exit (1);
@@ -75,20 +75,23 @@
my $firstuidNumber=$Options{'u'};
if (!defined($firstuidNumber)) {
- $firstuidNumber=1000;
+ $firstuidNumber=10000;
}
my $firstgidNumber=$Options{'g'};
if (!defined($firstgidNumber)) {
- $firstgidNumber=1000;
+ $firstgidNumber=10000;
}
my $firstridNumber=$Options{'r'};
if (!defined($firstridNumber)) {
- $firstridNumber=1000;
+ $firstridNumber=10000;
}
my $algorithmicRidBase = $Options{'R'};
+if (!defined($algorithmicRidBase)) {
+ $algorithmicRidBase=10000;
+}
my $adminName = $Options{'a'};
if (!defined($adminName)) {

80
smbldap-tools-slapd.conf Normal file
View File

@ -0,0 +1,80 @@
#
# Configuration for Samba
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix __suffix__
rootdn __rootdn__
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/openldap-data
# Indices to maintain
index uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectclass eq
index sambaSIDList eq
index sambaGroupType eq
index displayName eq
loglevel none

75
smbldap-tools-smb.conf.master Normal file
View File

@ -0,0 +1,75 @@
[global]
unix charset = LOCALE
workgroup = __sambaDomain__
passdb backend = ldapsam:ldap://127.0.0.1:389
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:
domain logons = Yes
preferred master = Yes
wins support = Yes
ldap admin dn = __rootdn__
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=People
ldap suffix = __suffix__
ldap user suffix = ou=People
ldap ssl = no
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
map acl inherit = Yes
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No
[profiles]
comment = Profile Share
path = /var/lib/samba/profiles
read only = No
profile acls = Yes
[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = root

231
smbldap-tools-smbldap.conf Normal file
View File

@ -0,0 +1,231 @@
# $Id: smbldap.conf 26 2010-11-15 14:28:01Z mm1 $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
##############################################################################
#
# General Configuration
#
##############################################################################
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="__SID__"
# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="__sambaDomain__"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
#slaveLDAP="ldap.iallanis.info"
# Slave LDAP port
# If not defined, parameter is set to "389"
#slavePort="389"
# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
#masterLDAP="ldap.iallanis.info"
# Master LDAP port
# If not defined, parameter is set to "389"
#masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "0"
#ldapTLS="1"
# Use SSL for LDAP
# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
#ldapSSL="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="none"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
#cafile="/etc/smbldap-tools/ca.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
#clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="__suffix__"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=People,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"
# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="180"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome=""
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile=""
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="scripts/logon.bat"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="__mailDomain__"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd="0" in smbldap.conf) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
# Allows not to use slappasswd (if with_slappasswd="0" in smbldap.conf)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
# comment out the following line to get rid of the default banner
# no_banner="1"

13
smbldap-tools-smbldap_bind.conf Normal file
View File

@ -0,0 +1,13 @@
# $Id: smbldap_bind.conf 26 2010-11-15 14:28:01Z mm1 $
#
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="__slaveDN__"
slavePw="secret"
masterDN="__masterDN__"
masterPw="secret"

129
smbldap-tools.spec Normal file
View File

@ -0,0 +1,129 @@
Name: smbldap-tools
Version: 0.9.10
Release: 1mamba
Summary: A set of perl scripts designed to manage user and group accounts stored in an LDAP directory
Group: System/Tools
Vendor: openmamba
Distribution: openmamba
Packager: Silvan Calarco <silvan.calarco@mambasoft.it>
URL: https://gna.org/projects/smbldap-tools/
Source: http://download.gna.org/smbldap-tools/sources/%{version}/smbldap-tools-%{version}.tar.gz
Source1: smbldap-tools-smbldap.conf
Source2: smbldap-tools-smbldap_bind.conf
Source3: smbldap-tools-slapd.conf
Source4: smbldap-tools-smb.conf.master
Patch0: smbldap-tools-0.9.10-administrator_and_guest.patch
Patch1: smbldap-tools-0.9.10-fix_minUidGid.patch
License: GPL
## AUTOBUILDREQ-BEGIN
BuildRequires: perl-Crypt-SmbHash
BuildRequires: perl-devel
BuildRequires: perl-Net-LDAP
## AUTOBUILDREQ-END
Requires(post):samba-server
Requires: samba-winbind
Requires(post):openldap-server
Requires(post):libnss_ldap
Requires(post):pam_ldap
Requires: openldap-clients
BuildArch: noarch
BuildRoot: %{_tmppath}/%{name}-%{version}-root
%description
Smbldap-tools is a set of perl scripts designed to manage user and group accounts stored in an LDAP directory. They can be used both by users and administrators of Linux systems:
* administrators can perform users and groups management operations, in a way similar to the standard useradd or groupmod commands
* users can change their LDAP password from the command line and get/change personnal informations
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%build
%configure
%make
%install
[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
%makeinstall
install -d -m0755 %{buildroot}%{_sysconfdir}/smbldap-tools
install -d -m0755 %{buildroot}%{_mandir}/man8
cp -a %{SOURCE1} %{buildroot}%{_sysconfdir}/smbldap-tools/smbldap.conf
cp -a %{SOURCE2} %{buildroot}%{_sysconfdir}/smbldap-tools/smbldap_bind.conf
install -D -m0644 %{SOURCE3} %{buildroot}%{_sysconfdir}/openldap/slapd-samba.conf.example
install -D -m0644 %{SOURCE4} %{buildroot}%{_sysconfdir}/samba/smb.conf.master
for i in smbldap-[gpu]*;
do
pod2man --section=8 $i > %{buildroot}%{_mandir}/man8/$i.8
done
#. initialize the ldap directory
# $ smbldap-populate
#. If not already done : "smbpasswd -w secret" to set up
# the ldap admin password in secrets.tdb
%clean
[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
%post
if [ $1 -eq 1 ]; then
# new install
. %{_sysconfdir}/sysconfig/network
conf_hostname=${HOSTNAME}
[ -e %{_sysconfdir}/openldap/slapd.conf ] && {
suffix=`grep ^suffix %{_sysconfdir}/openldap/slapd.conf | awk '{ print $2 }'`
rootdn=`grep ^rootdn %{_sysconfdir}/openldap/slapd.conf | awk '{ print $2 }'`
sid=`net getlocalsid 2>/dev/null| awk '{ print $6 }'`
sambadomain=`grep "[[:space:]]*workgroup =" %{_sysconfdir}/samba/smb.conf | awk '{ print $3 }'`
}
[ "$suffix" -a "$rootdn" ] && {
sed -i "s|\"__suffix__\"|$suffix|
s|__SID__|$sid|
s|__sambaDomain__|$sambadomain|
s|__mailDomain__|$conf_hostname|" \
%{_sysconfdir}/smbldap-tools/smbldap.conf
sed -i "s|\"__slaveDN__\"|$rootdn|
s|\"__masterDN__\"|$rootdn|" \
%{_sysconfdir}/smbldap-tools/smbldap_bind.conf
sed -i "s|__sambaDomain__|$sambadomain|
s|__suffix__|$suffix|
s|__rootdn__|$rootdn|" \
%{_sysconfdir}/samba/smb.conf.master
sed -i "s|__suffix__|$suffix|
s|__rootdn__|$rootdn|" \
%{_sysconfdir}/openldap/slapd-samba.conf.example
}
fi
:
%files
%defattr(-,root,root)
%attr(644,root,root) %config(noreplace) %{_sysconfdir}/smbldap-tools/smbldap.conf
%attr(600,root,root) %config(noreplace) %{_sysconfdir}/smbldap-tools/smbldap_bind.conf
%{_sysconfdir}/samba/smb.conf.master
%{_sysconfdir}/openldap/slapd-samba.conf.example
%{_sbindir}/smbldap-*
%{perl_vendorlib}/smbldap_tools.pm
%{_mandir}/man8/smbldap-*.8*
%doc COPYING
#ChangeLog README TODO
%changelog
* Fri Jul 19 2013 Silvan Calarco <silvan.calarco@mambasoft.it> 0.9.10-1mamba
- update to 0.9.10
- smbldap-tools-slapd.conf: added missing indexes
* Mon Apr 11 2011 Silvan Calarco <silvan.calarco@mambasoft.it> 0.9.6-4mamba
- set scripts/logon.bat as default logon script
* Tue Mar 29 2011 Silvan Calarco <silvan.calarco@mambasoft.it> 0.9.6-3mamba
- added patch to change minimum UID and GID from 1000 to 10000
* Thu Mar 17 2011 Silvan Calarco <silvan.calarco@mambasoft.it> 0.9.6-2mamba
- support automatic configuration on first install
* Wed Mar 09 2011 Silvan Calarco <silvan.calarco@mambasoft.it> 0.9.6-1mamba
- package created by autospec
smbldap-tools-0.9.6-fix_minUidGid.patch