4 Using the scripts
4.1 Initial directory's population
You can initialize the LDAP directory using the
smbldap-populate script. To do that, the account defined in
/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf to access the
master directory must be the manager account defined in the
directory configuration. On a RedHat system, this file is
/etc/openldap/slapd.conf and the account is defined with
rootdn "cn=Manager,dc=idealx,dc=com"
rootpw secret
The smbldap_bind.conf file must then be configured so that
the parameters to connect to the master LDAP server match the previous ones:
masterDN="cn=Manager,dc=idealx,dc=com"
masterPw="secret"
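The smbldap_bind.conf file holds the manager password in clear text, so two things are worth checking before running smbldap-populate: that the file is readable by root only, and that masterDN and masterPw really match the rootdn and rootpw of slapd.conf (a mismatch simply makes every script fail to bind). The following shell script is an added example, not part of the smbldap-tools distribution; the two file paths are passed as arguments so it can be run against copies of the files, and it never prints the password itself.

```shell
#!/bin/sh
# Added example (not part of smbldap-tools): sanity-check the bind
# configuration before running smbldap-populate.
#   1. the file holding masterPw must be mode 0600 (or 0400)
#   2. masterDN must equal the rootdn declared in slapd.conf
#   3. masterPw must equal rootpw (compared, never printed)
# File locations are passed as arguments (assumed paths in the usage line).

# conf_value FILE KEY -> value of a KEY="value" line, quotes stripped
conf_value() {
    grep "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' | tr -d '"'
}

# slapd_value FILE KEY -> value of a slapd.conf "KEY value" line, quotes stripped
slapd_value() {
    grep "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 \
        | sed "s/^[[:space:]]*$2[[:space:]]*//; s/[[:space:]]*$//" | tr -d '"'
}

# file_mode FILE -> permission bits in octal, e.g. 600 (GNU or BSD stat)
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# check_bind_conf BIND_CONF SLAPD_CONF -> 0 if consistent and safe, 1 otherwise
check_bind_conf() {
    bind_conf=$1; slapd_conf=$2; rc=0
    mode=$(file_mode "$bind_conf")
    case $mode in
        600|400) ;;
        *) echo "WARN: $bind_conf is mode $mode; it holds masterPw and should be 0600"; rc=1 ;;
    esac
    master_dn=$(conf_value "$bind_conf" masterDN)
    root_dn=$(slapd_value "$slapd_conf" rootdn)
    if [ -z "$master_dn" ] || [ "$master_dn" != "$root_dn" ]; then
        echo "WARN: masterDN '$master_dn' does not match rootdn '$root_dn'"; rc=1
    fi
    # compare the secrets without echoing either of them
    if [ "$(conf_value "$bind_conf" masterPw)" != "$(slapd_value "$slapd_conf" rootpw)" ]; then
        echo "WARN: masterPw does not match rootpw"; rc=1
    fi
    return $rc
}

# Usage (assumed default paths):
#   sh check_bind.sh /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf /etc/openldap/slapd.conf
if [ $# -eq 2 ]; then
    check_bind_conf "$1" "$2"
fi
```

The script exits non-zero on any finding, so it can sit in front of smbldap-populate in a provisioning script and stop it when the bind account is wrong or the password file is world-readable.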
Available options for this script are summarized in table 1:

option         | definition                  | default value
-------------- | --------------------------- | -------------
-u uidNumber   | first uidNumber to allocate | 1000
-g gidNumber   | first gidNumber to allocate | 1000
-a user        | administrator login name    | Administrator
-b user        | guest login name            | nobody
-e file        | export an init file         |
-i file        | import an init file         |

Table 1: Options available for the smbldap-populate script
In the more general case, to set up your directory, simply use the
following command:
[root@etoile root]# smbldap-populate
Using builtin directory structure
adding new entry: dc=idealx,dc=com
adding new entry: ou=Users,dc=idealx,dc=com
adding new entry: ou=Groups,dc=idealx,dc=com
adding new entry: ou=Computers,dc=idealx,dc=com
adding new entry: ou=Idmap,dc=idealx,dc=org
adding new entry: cn=NextFreeUnixId,dc=idealx,dc=org
adding new entry: uid=Administrator,ou=Users,dc=idealx,dc=com
adding new entry: uid=nobody,ou=Users,dc=idealx,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Replicator,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=idealx,dc=com
After this step, if you don't want to use the cn=Manager,dc=idealx,dc=com
account anymore, you can create a dedicated account for Samba and the
smbldap-tools. See section 8.2 for more details.
The cn=NextFreeUnixId,dc=idealx,dc=org entry is only used to
define the next uidNumber and gidNumber available for creating new
users and groups. The default value for both numbers is 1000. You
can change them with the -u and -g options. For
example, if you want the first available value for uidNumber and
gidNumber to be set to 1500, you can use the following command:
smbldap-populate -u 1550 -g 1500
4.2 User management
4.2.1 Adding a user
To add a user, use the smbldap-useradd script. Available
options are summarized in table 2. If applicable,
default values are mentioned in the fourth column. Any string beginning with a
$ symbol refers to a parameter defined in the
/etc/opt/IDEALX/smbldap-tools/smbldap.conf configuration file.
option | definition                                                          | example                | default value
------ | ------------------------------------------------------------------- | ---------------------- | -------------------
-a     | create a Windows account. Otherwise, only a Posix account is created |                        |
-w     | create a Windows Workstation account                                |                        |
-i     | create an interdomain trust account. See section 4.4 for more details |                      |
-u     | set a uid value                                                     | -u 1003                | first uid available
-g     | set a gid value                                                     | -g 1003                | first gid available
-G     | add the new account to one or several supplementary groups (comma-separated) | -G 512,550    |
-d     | set the home directory                                              | -d /var/user           | $userHomePrefix/user
-s     | set the login shell                                                 | -s /bin/ksh            | $userLoginShell
-c     | set the user gecos                                                  | -c "admin user"        | $userGecos
-m     | create the user's home directory and copy /etc/skel into it         |                        |
-k     | set the skeleton dir (with -m)                                      | -k /etc/skel2          | $skeletonDir
-P     | end by invoking smbldap-passwd to set the user's password           |                        |
-A     | user can change password? 0 if no, 1 if yes                         | -A 1                   |
-B     | user must change password at first session? 0 if no, 1 if yes      | -B 1                   |
-C     | set the samba home share                                            | -C \\PDC\homes         | $userSmbHome
-D     | set a letter associated with the home share                         | -D H:                  | $userHomeDrive
-E     | set DOS script to execute on login                                  | -E common.bat          | $userScript
-F     | set the profile directory                                           | -F \\PDC\profiles\user | $userProfile
-H     | set the samba account control bits like '[NDHTUMWSLKI]'             | -H [X]                 |
-N     | set the canonical name of the user                                  |                        |
-S     | set the surname of the user                                         |                        |
-M     | local mailAddress (comma separated)                                 | -M testuser,aliasuser  |
-T     | forward mail address (comma separated)                              | -T testuser@domain.org |

Table 2: Options available to the smbldap-useradd script
For example, if you want to add a user named user_admin who:
- is a Windows user
- must belong to the group of gid=512 ('Domain Admins' group)
- has a home directory
- does not have a login shell
- has a homeDirectory set to /dev/null
- does not have a roaming profile
- and for whom we want to set a first login password
you must invoke:
smbldap-useradd -a -G 512 -m -s /bin/false -d /dev/null -F "" -P user_admin
4.2.2 Removing a user
To remove a user account, use the smbldap-userdel script.
Available options are

option | definition
------ | ---------------------------------
-r     | remove home directory
-R     | remove home directory interactively

Table 3: Options available to the smbldap-userdel script
For example, if you want to remove the user1 account
from the LDAP directory, and if you also want to delete his home
directory, use the following command:
smbldap-userdel -r user1
Note: '-r' is dangerous as it may delete precious data that has not been backed up,
please be careful.
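To take the sting out of '-r', here is an added example (not an smbldap-tools script) that archives the home directory first and only then calls the deletion command. The home directory path and the archive location are assumed parameters; the deletion command defaults to smbldap-userdel -r and can be overridden, which is how the example can be exercised without a live directory.

```shell
#!/bin/sh
# Added example (not part of smbldap-tools): archive a user's home directory
# before "smbldap-userdel -r" removes it, so the deletion stays reversible.
# HOMEDIR and ARCHIVE_DIR are assumed parameters; on a real system the home
# directory can be read with: getent passwd "$user" | cut -d: -f6

# archive_home USER HOMEDIR ARCHIVE_DIR -> prints the path of the created tarball
archive_home() {
    user=$1; home=$2; dest=$3
    if [ ! -d "$home" ]; then
        echo "no such home directory: $home" >&2
        return 1
    fi
    mkdir -p "$dest"
    stamp=$(date +%Y%m%d%H%M%S)
    archive="$dest/$user-$stamp.tar.gz"
    # -C keeps the archive relative to the parent of the home directory
    tar czf "$archive" -C "$(dirname "$home")" "$(basename "$home")"
    # the archive holds user data, keep it root-readable only
    chmod 600 "$archive"
    echo "$archive"
}

# safe_userdel USER HOMEDIR ARCHIVE_DIR [USERDEL_CMD]
# Archives first and refuses to delete when the archive could not be written.
# USERDEL_CMD defaults to the real script; pass "echo" to dry-run.
safe_userdel() {
    user=$1; home=$2; dest=$3; userdel=${4:-"smbldap-userdel -r"}
    archive=$(archive_home "$user" "$home" "$dest") || return 1
    echo "archived $home to $archive"
    $userdel "$user"
}

# Usage (assumed paths):
#   safe_userdel user1 /home/user1 /var/backups/homes
```

Because archive_home fails when the directory is missing, a typo in the user name or home path stops the deletion rather than silently removing nothing and reporting success.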
4.2.3 Modifying a user
To modify a user account, use the smbldap-usermod script.
Available options are listed in table 4.

option | definition                                                          | example
------ | ------------------------------------------------------------------- | -----------------------------------------
-c     | set the user gecos                                                  | -c "admin user"
-d     | set the home directory                                              | -d /var/user
-u     | set a uid value                                                     | -u 1003
-g     | set a gid value                                                     | -g 1003
-G     | add the account to one or several supplementary groups (comma-separated) | -G 512,550 / -G -512,550 / -G +512,550
-s     | set the login shell                                                 | -s /bin/ksh
-N     | set the canonical name of the user                                  |
-S     | set the surname of the user                                         |
-P     | end by invoking smbldap-passwd to set the user's password           |
-a     | add sambaSAMAccount objectclass                                     |
-e     | set an expiration date for the password (format: YYYY-MM-DD HH:MM:SS) |
-A     | user can change password? 0 if no, 1 if yes                         | -A 1
-B     | user must change password at first session? 0 if no, 1 if yes      | -B 1
-C     | set the samba home share                                            | -C \\PDC\homes / -C ""
-D     | set a letter associated with the home share                         | -D H: / -D ""
-E     | set DOS script to execute on login                                  | -E common.bat / -E ""
-F     | set the profile directory                                           | -F \\PDC\profiles\user / -F ""
-H     | set the samba account control bits like '[NDHTUMWSLKI]'             | -H [X]
-I     | disable a user account                                              | -I 1
-J     | enable a user                                                       | -J 1
-M     | local mailAddress (comma separated)                                 | -M testuser,aliasuser
-T     | forward mail address (comma separated)                              | -T testuser@domain.org

Table 4: Options available to the smbldap-usermod script
You can also use the smbldap-userinfo script to update a user's information. This script can
also be used by users themselves to update their own information listed in table
5 (adequate ACLs must be set in the directory server). Available
options are:

option | definition                                  | example
------ | ------------------------------------------- | ----------------
-f     | set the user's full name                    | -f MyName
-r     | set the room number                         | -r 99
-w     | set the work phone number                   | -w 111111111
-h     | set the home phone number                   | -h 222222222
-o     | set other information (in gecos definition) | -o "second stage"
-s     | set the login shell                         | -s /bin/ksh

Table 5: Options available to the smbldap-userinfo script
4.3 Group management
4.3.1 Adding a group
To add a new group in the LDAP directory, use the smbldap-groupadd
script. Available options are listed in table 6.

option        | definition                            | example
------------- | ------------------------------------- | -------------------------------------------------
-a            | add automatic group mapping entry     |
-g gid        | set the gidNumber for this group to gid | -g 1002
-o            | gidNumber is not unique               |
-r group-rid  | set the rid of the group to group-rid | -r 1002
-s group-sid  | set the sid of the group to group-sid | -s S-1-5-21-3703471949-3718591838-2324585696-1002
-t group-type | set the sambaGroupType to group-type  | -t 2
-p            | print the gidNumber to stdout         |

Table 6: Options available for the smbldap-groupadd script
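The -r and -s options describe the same thing at two levels: a group SID is the domain SID with the RID appended as its last component. The shell helpers below are an added example, not part of smbldap-tools: they build a group SID from a domain SID and a RID, extract the RID back, and check that a SID handed to -s actually belongs to your own domain before the mapping entry is created. The domain SID in the check is taken from the example above; the well-known RID names are Samba's standard domain group mapping.

```shell
#!/bin/sh
# Added example (not part of smbldap-tools): helpers for the -r/-s options
# of smbldap-groupadd. A group SID is "<domain SID>-<RID>". Domain SID
# below is the one from the manual's -s example (assumed for the demo).

# group_sid DOMAIN_SID RID -> prints the resulting group SID
group_sid() {
    printf '%s-%s\n' "$1" "$2"
}

# sid_rid SID -> prints the RID, i.e. the last dash-separated component
sid_rid() {
    printf '%s\n' "${1##*-}"
}

# sid_in_domain SID DOMAIN_SID -> 0 when SID is DOMAIN_SID plus exactly one numeric RID
sid_in_domain() {
    sid=$1; dom=$2
    [ "${sid%-*}" = "$dom" ] || return 1
    case ${sid##*-} in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# well_known_rid RID -> built-in Samba/Windows domain group name, or "custom"
well_known_rid() {
    case $1 in
        512) echo "Domain Admins" ;;
        513) echo "Domain Users" ;;
        514) echo "Domain Guests" ;;
        515) echo "Domain Computers" ;;
        516) echo "Domain Controllers" ;;
        *)   echo custom ;;
    esac
}

# check_group_sid SID DOMAIN_SID -> describes the SID; non-zero if it is foreign/malformed
check_group_sid() {
    if ! sid_in_domain "$1" "$2"; then
        echo "refusing $1: not a SID of domain $2" >&2
        return 1
    fi
    rid=$(sid_rid "$1")
    echo "rid $rid ($(well_known_rid "$rid"))"
}

# Usage:
#   check_group_sid S-1-5-21-3703471949-3718591838-2324585696-1002 \
#       S-1-5-21-3703471949-3718591838-2324585696
```

Run check_group_sid on the value before passing it to smbldap-groupadd -s: a SID from another domain, or a RID of a built-in group you did not intend to map, is caught before the directory is touched.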
4.3.2 Removing a group
To remove the group named group1, just use the following
command:
smbldap-groupdel group1
4.4 Adding an interdomain trust account
To add an interdomain trust account for the primary domain controller trust-pdc, use the -i option of
smbldap-useradd as follows:
[root@etoile root]# smbldap-useradd -i trust-pdc
New password : *******
Retype new password : *******
The script terminates by asking for a password for this trust
account. The account is created in the directory branch where
all computer accounts are stored (ou=Computers by
default). The only two particularities of this account are that you
set a password for it, and that its account flags are
[I ].
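The -H option of smbldap-useradd and smbldap-usermod takes a sambaAcctFlags string such as '[NDHTUMWSLKI]', and the interdomain trust account above ends up with '[I ]'. The shell functions below are an added example, not part of smbldap-tools: they decode such a string letter by letter using Samba's documented flag meanings, report the account kind, and point out the two settings that weaken password policy (N, no password required, and X, password never expires), which is what you want to audit after creating or modifying accounts with -H.

```shell
#!/bin/sh
# Added example (not part of smbldap-tools): decode a sambaAcctFlags value
# such as '[UX         ]' or '[I ]'. Letter meanings are Samba's documented
# sambaAcctFlags set; padding spaces inside the brackets carry no meaning.

# bare_flags '[FLAGS]' -> the flag letters with brackets and padding removed
bare_flags() {
    printf '%s' "$1" | sed 's/[][ ]//g'
}

# flag_name LETTER -> meaning of one flag letter
flag_name() {
    case $1 in
        N) echo "no password required" ;;
        D) echo "account disabled" ;;
        H) echo "home directory required" ;;
        T) echo "temporary duplicate account" ;;
        U) echo "normal user account" ;;
        M) echo "MNS logon user account" ;;
        W) echo "workstation trust account" ;;
        S) echo "server trust account" ;;
        L) echo "account auto-locked" ;;
        X) echo "password does not expire" ;;
        I) echo "interdomain trust account" ;;
        *) echo "unknown flag '$1'" ;;
    esac
}

# decode_flags '[FLAGS]' -> one "LETTER: meaning" line per flag, in order
decode_flags() {
    letters=$(bare_flags "$1")
    while [ -n "$letters" ]; do
        c=${letters%"${letters#?}"}      # first character
        letters=${letters#?}             # drop it
        printf '%s: %s\n' "$c" "$(flag_name "$c")"
    done
}

# account_kind '[FLAGS]' -> user | workstation | server | trust | unknown
account_kind() {
    case $(bare_flags "$1") in
        *U*) echo user ;;
        *W*) echo workstation ;;
        *S*) echo server ;;
        *I*) echo trust ;;
        *)   echo unknown ;;
    esac
}

# risky_flags '[FLAGS]' -> 0 (and a line per finding) if N or X is set, 1 otherwise
risky_flags() {
    letters=$(bare_flags "$1")
    rc=1
    case $letters in *N*) echo "N: account accepts logon without a password"; rc=0 ;; esac
    case $letters in *X*) echo "X: password never expires"; rc=0 ;; esac
    return $rc
}

# Usage: decode_flags '[I ]'      -> "I: interdomain trust account"
#        risky_flags '[NU     ]'  -> reports N and returns 0
```

Applied to the trust account above, decode_flags reports only "I: interdomain trust account" and risky_flags is silent; an account created with -H [X] would be reported as never expiring, which is worth a second look for anything other than a service account.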