File: smbldap-tools009.html

package info (click to toggle)
smbldap-tools 0.9.2-3
links: PTS
area: main
in suites: etch, etch-m68k
size: 780 kB
ctags: 409
sloc: perl: 3,864; makefile: 92; sh: 20
file content (534 lines) | stat: -rw-r--r-- 19,200 bytes
parent folder | download | duplicates (3)
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
            "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>

<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<META name="GENERATOR" content="hevea 1.06">
<TITLE>
 Annexes
</TITLE>
</HEAD>
<BODY >
<A HREF="smbldap-tools008.html"><IMG SRC ="previous_motif.gif" ALT="Prcdent"></A>
<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Remonter"></A>
<HR>

<H2><A NAME="htoc41">8</A>&nbsp;&nbsp;Annexes</H2><UL>
<LI><A HREF="smbldap-tools009.html#toc27"> Full configuration files</A>
<LI><A HREF="smbldap-tools009.html#toc28"> Changing the administrative account (<TT>ldap admin
 dn</TT> in <TT>smb.conf</TT> file)</A>
<LI><A HREF="smbldap-tools009.html#toc29"> known bugs</A>
</UL>

<A NAME="toc27"></A>
<H3><A NAME="htoc42">8.1</A>&nbsp;&nbsp;Full configuration files</H3><A NAME="configuration::files"></A>

<H4><A NAME="htoc43">8.1.1</A>&nbsp;&nbsp;The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</H4><A NAME="configuration::file::smbldap"></A>
<PRE># $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $
#
# smbldap-tools.conf : Q &amp; D configuration file for smbldap-tools

#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-4205727931-4131263253-1851132061"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="IDEALX-NT"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have 
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="1"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=idealx,dc=org"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=IDEALX-NT,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
# 
# Unix Accounts Configuration
# 
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\PDC-SRV\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\PDC-SRV\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="idealx.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"

</PRE>

<H4><A NAME="htoc44">8.1.2</A>&nbsp;&nbsp;The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</H4><A NAME="configuration::file::smbldap::bind"></A>
<PRE>############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Manager,dc=idealx,dc=org"
slavePw="secret"
masterDN="cn=Manager,dc=idealx,dc=org"
masterPw="secret"

</PRE>

<H4><A NAME="htoc45">8.1.3</A>&nbsp;&nbsp;The samba configuration file : <TT>/etc/samba/smb.conf</TT> </H4>
<PRE># Global parameters
[global]
        workgroup = IDEALX-NT
        netbios name = PDC-SRV
        #interfaces = 192.168.5.11
        username map = /etc/samba/smbusers
 enable privileges = yes
        server string = Samba Server %v
        security = user
        encrypt passwords = Yes
        min passwd length = 3
        obey pam restrictions = No
        ldap passwd sync = Yes
        #unix password sync = Yes
        #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
        #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
        ldap passwd sync = Yes
        log level = 0
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1

        logon script = logon.bat
        logon drive = H:
        logon home =
        logon path =

        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
 # ldap filter = (&amp;(objectclass=sambaSamAccount)(uid=%u))
        ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
        ldap suffix = dc=idealx,dc=com
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        ldap ssl = start tls
        add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
        add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 5 -w "%u"
        add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g" 
        #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
        add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"

        # printers configuration
        printer admin = @"Print Operators"
        load printers = Yes
        create mask = 0640
        directory mask = 0750
        nt acl support = No
        printing = cups
        printcap name = cups
        deadtime = 10
        guest account = nobody
        map to guest = Bad User
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        show add printer wizard = yes
        ; to maintain capital letters in shortcuts in any of the profile folders:
        preserve case = yes
        short preserve case = yes
        case sensitive = no

[homes]
        comment = repertoire de %U, %u
        read only = No
        create mask = 0644
        directory mask = 0775
        browseable = No

[netlogon]
        path = /home/netlogon/
 browseable = No
        read only = yes

[profiles]
        path = /home/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = No
        guest ok = Yes
        profile acls = yes
        csc policy = disable
        # next line is a great way to secure the profiles 
        force user = %U 
        # next line allows administrator to access all profiles 
        valid users = %U "Domain Admins"

[printers]
        comment = Network Printers
        printer admin = @"Print Operators"
        guest ok = yes 
        printable = yes
        path = /home/spool/
        browseable = No
        read only  = Yes
        printable = Yes
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j

[print$]
        path = /home/printers
        guest ok = No
        browseable = Yes
        read only = Yes
        valid users = @"Print Operators"
        write list = @"Print Operators"
        create mask = 0664
        directory mask = 0775

[public]
        comment = Repertoire public
        path = /home/public
 browseable = Yes
        guest ok = Yes
        read only = No
        directory mask = 0775
        create mask = 0664

</PRE>

<H4><A NAME="htoc46">8.1.4</A>&nbsp;&nbsp;The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></H4>
<PRE>include  /etc/openldap/schema/core.schema
include  /etc/openldap/schema/cosine.schema
include  /etc/openldap/schema/inetorgperson.schema
include  /etc/openldap/schema/nis.schema
include  /etc/openldap/schema/samba.schema

schemacheck on
lastmod  on

TLSCertificateFile /etc/openldap/ldap.idealx.com.pem
TLSCertificateKeyFile /etc/openldap/ldap.idealx.com.key
TLSCACertificateFile /etc/openldap/ca.pem
TLSCipherSuite :SSLv3
#TLSVerifyClient demand

#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix  dc=idealx,dc=com
rootdn  "cn=Manager,dc=idealx,dc=com"
rootpw  secret
directory /var/lib/ldap
index    sambaSID    eq
index    sambaPrimaryGroupSID    eq
index    sambaDomainName    eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname   eq,subinitial

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
      by dn="cn=Manager,dc=idealx,dc=com" write
      by self write
      by anonymous auth
      by * none
# all others attributes are readable to everybody
access to *
      by * read
</PRE>
<A NAME="toc28"></A>
<H3><A NAME="htoc47">8.2</A>&nbsp;&nbsp;Changing the administrative account (<TT>ldap admin
 dn</TT> in <TT>smb.conf</TT> file)</H3><A NAME="change::manager"></A>
If you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
account anymore, you can create a dedicated account for Samba and the
smbldap-tools scripts. To do
this, create an account named <I>samba</I> as follows (see
section <A HREF="smbldap-tools005.html#add::user">4.2.1</A> for a more detailed syntax) :
<PRE>
smbldap-useradd -s /bin/false -d /dev/null -P samba
</PRE>This command will ask you to set a password for this account. Let's
set it to <I>samba</I> for this example.
You then need to modify configuration files:
<UL><LI>
file <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT>
 <PRE>
    slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
    slavePw="samba"
    masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
    masterPw="samba"
  </PRE><LI>file <TT>/etc/samba/smb.conf</TT>
 <PRE>
    ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
  </PRE>don't forget to also set the samba account password in
 <TT>secrets.tdb</TT> file : 
<PRE>
smbpasswd -w samba
</PRE><LI>file <TT>/etc/openldap/slapd.conf</TT>: give to the
 <I>samba</I> user permissions to modify some attributes: this
 user needs to be able to modify all the samba attributes and some
 others (uidNumber, gidNumber ...) :
 <PRE>
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
      by self write
      by anonymous auth
      by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
      by * read
# somme attributes can be writable by users themselves
access to attrs=description,telephoneNumber
      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
      by self write
      by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
      by self read
      by * none
# samba need to be able to create the samba domain account
access to dn.base="dc=idealx,dc=com"
      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
      by * none
# samba need to be able to create new users account
access to dn="ou=Users,dc=idealx,dc=com"
      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
      by * none
# samba need to be able to create new groups account
access to dn="ou=Groups,dc=idealx,dc=com"
      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
      by * none
# samba need to be able to create new computers account
access to dn="ou=Computers,dc=idealx,dc=com"
      by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
      by * none
# this can be omitted but we leave it: there could be other branch
# in the directory
access to *
      by self read
      by * none
  </PRE></UL>
<A NAME="toc29"></A>
<H3><A NAME="htoc48">8.3</A>&nbsp;&nbsp;known bugs</H3>
<UL><LI>
Option <I>-B</I> (user must change password) of
 <TT>smbldap-useradd</TT> does not have effect: when 
 <TT>smbldap-passwd</TT> script is called,
 <I>sambaPwdMustChange</I> attribute is rewrite.
</UL>
 
<HR>
<A HREF="smbldap-tools008.html"><IMG SRC ="previous_motif.gif" ALT="Prcdent"></A>
<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Remonter"></A>
</BODY>
</HTML>