--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
+ "http://www.w3.org/TR/REC-html40/loose.dtd">
+<HTML>
+<HEAD>
+
+<META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<META name="GENERATOR" content="hevea 1.06">
+<TITLE>
+ Annexes
+</TITLE>
+</HEAD>
+<BODY >
+<A HREF="smbldap-tools008.html"><IMG SRC ="previous_motif.gif" ALT="Précédent"></A>
+<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Remonter"></A>
+<HR>
+
+<H2><A NAME="htoc41">8</A> Annexes</H2><UL>
+<LI><A HREF="smbldap-tools009.html#toc27"> Full configuration files</A>
+<LI><A HREF="smbldap-tools009.html#toc28"> Changing the administrative account (<TT>ldap admin
+ dn</TT> in <TT>smb.conf</TT> file)</A>
+<LI><A HREF="smbldap-tools009.html#toc29"> known bugs</A>
+</UL>
+
+<A NAME="toc27"></A>
+<H3><A NAME="htoc42">8.1</A> Full configuration files</H3><A NAME="configuration::files"></A>
+
+<H4><A NAME="htoc43">8.1.1</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap.conf</TT> file</H4><A NAME="configuration::file::smbldap"></A>
+<PRE># $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
+# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $
+#
+# smbldap-tools.conf : Q & D configuration file for smbldap-tools
+
+# This code was developped by IDEALX (http://IDEALX.org/) and
+# contributors (their names can be found in the CONTRIBUTORS file).
+#
+# Copyright (C) 2001-2002 IDEALX
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+
+# Purpose :
+# . be the configuration file for all smbldap-tools scripts
+
+##############################################################################
+#
+# General Configuration
+#
+##############################################################################
+
+# Put your own SID. To obtain this number do: "net getlocalsid".
+# If not defined, parameter is taking from "net getlocalsid" return
+SID="S-1-5-21-4205727931-4131263253-1851132061"
+
+# Domain name the Samba server is in charged.
+# If not defined, parameter is taking from smb.conf configuration file
+# Ex: sambaDomain="IDEALX-NT"
+sambaDomain="IDEALX-NT"
+
+##############################################################################
+#
+# LDAP Configuration
+#
+##############################################################################
+
+# Notes: to use to dual ldap servers backend for Samba, you must patch
+# Samba with the dual-head patch from IDEALX. If not using this patch
+# just use the same server for slaveLDAP and masterLDAP.
+# Those two servers declarations can also be used when you have
+# . one master LDAP server where all writing operations must be done
+# . one slave LDAP server where all reading operations must be done
+# (typically a replication directory)
+
+# Slave LDAP server
+# Ex: slaveLDAP=127.0.0.1
+# If not defined, parameter is set to "127.0.0.1"
+slaveLDAP="127.0.0.1"
+
+# Slave LDAP port
+# If not defined, parameter is set to "389"
+slavePort="389"
+
+# Master LDAP server: needed for write operations
+# Ex: masterLDAP=127.0.0.1
+# If not defined, parameter is set to "127.0.0.1"
+masterLDAP="127.0.0.1"
+
+# Master LDAP port
+# If not defined, parameter is set to "389"
+masterPort="389"
+
+# Use TLS for LDAP
+# If set to 1, this option will use start_tls for connection
+# (you should also used the port 389)
+# If not defined, parameter is set to "1"
+ldapTLS="1"
+
+# How to verify the server's certificate (none, optional or require)
+# see "man Net::LDAP" in start_tls section for more details
+verify="require"
+
+# CA certificate
+# see "man Net::LDAP" in start_tls section for more details
+cafile="/etc/opt/IDEALX/smbldap-tools/ca.pem"
+
+# certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientcert="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.pem"
+
+# key certificate to use to connect to the ldap server
+# see "man Net::LDAP" in start_tls section for more details
+clientkey="/etc/opt/IDEALX/smbldap-tools/smbldap-tools.key"
+
+# LDAP Suffix
+# Ex: suffix=dc=IDEALX,dc=ORG
+suffix="dc=idealx,dc=org"
+
+# Where are stored Users
+# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
+usersdn="ou=Users,${suffix}"
+
+# Where are stored Computers
+# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
+computersdn="ou=Computers,${suffix}"
+
+# Where are stored Groups
+# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
+groupsdn="ou=Groups,${suffix}"
+
+# Where are stored Idmap entries (used if samba is a domain member server)
+# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
+# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
+idmapdn="ou=Idmap,${suffix}"
+
+# Where to store next uidNumber and gidNumber available for new users and groups
+# If not defined, entries are stored in sambaDomainName object.
+# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
+# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
+sambaUnixIdPooldn="sambaDomainName=IDEALX-NT,${suffix}"
+
+# Default scope Used
+scope="sub"
+
+# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
+hash_encrypt="SSHA"
+
+# if hash_encrypt is set to CRYPT, you may set a salt format.
+# default is "%s", but many systems will generate MD5 hashed
+# passwords if you use "$1$%.8s". This parameter is optional!
+crypt_salt_format="%s"
+
+##############################################################################
+#
+# Unix Accounts Configuration
+#
+##############################################################################
+
+# Login defs
+# Default Login Shell
+# Ex: userLoginShell="/bin/bash"
+userLoginShell="/bin/bash"
+
+# Home directory
+# Ex: userHome="/home/%U"
+userHome="/home/%U"
+
+# Default mode used for user homeDirectory
+userHomeDirectoryMode="700"
+
+# Gecos
+userGecos="System User"
+
+# Default User (POSIX and Samba) GID
+defaultUserGid="513"
+
+# Default Computer (Samba) GID
+defaultComputerGid="515"
+
+# Skel dir
+skeletonDir="/etc/skel"
+
+# Default password validation time (time in days) Comment the next line if
+# you don't want password to be enable for defaultMaxPasswordAge days (be
+# careful to the sambaPwdMustChange attribute's value)
+defaultMaxPasswordAge="45"
+
+##############################################################################
+#
+# SAMBA Configuration
+#
+##############################################################################
+
+# The UNC path to home drives location (%U username substitution)
+# Just set it to a null string if you want to use the smb.conf 'logon home'
+# directive and/or disable roaming profiles
+# Ex: userSmbHome="\\PDC-SMB3\%U"
+userSmbHome="\\PDC-SRV\%U"
+
+# The UNC path to profiles locations (%U username substitution)
+# Just set it to a null string if you want to use the smb.conf 'logon path'
+# directive and/or disable roaming profiles
+# Ex: userProfile="\\PDC-SMB3\profiles\%U"
+userProfile="\\PDC-SRV\profiles\%U"
+
+# The default Home Drive Letter mapping
+# (will be automatically mapped at logon time if home directory exist)
+# Ex: userHomeDrive="H:"
+userHomeDrive="H:"
+
+# The default user netlogon script name (%U username substitution)
+# if not used, will be automatically username.cmd
+# make sure script file is edited under dos
+# Ex: userScript="startup.cmd" # make sure script file is edited under dos
+userScript="logon.bat"
+
+# Domain appended to the users "mail"-attribute
+# when smbldap-useradd -M is used
+# Ex: mailDomain="idealx.com"
+mailDomain="idealx.com"
+
+##############################################################################
+#
+# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
+#
+##############################################################################
+
+# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
+# prefer Crypt::SmbHash library
+with_smbpasswd="0"
+smbpasswd="/usr/bin/smbpasswd"
+
+# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
+# but prefer Crypt:: libraries
+with_slappasswd="0"
+slappasswd="/usr/sbin/slappasswd"
+
+# comment out the following line to get rid of the default banner
+# no_banner="1"
+
+</PRE>
+
+<H4><A NAME="htoc44">8.1.2</A> The <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT> file</H4><A NAME="configuration::file::smbldap::bind"></A>
+<PRE>############################
+# Credential Configuration #
+############################
+# Notes: you can specify two differents configuration if you use a
+# master ldap for writing access and a slave ldap server for reading access
+# By default, we will use the same DN (so it will work for standard Samba
+# release)
+slaveDN="cn=Manager,dc=idealx,dc=org"
+slavePw="secret"
+masterDN="cn=Manager,dc=idealx,dc=org"
+masterPw="secret"
+
+</PRE>
+
+<H4><A NAME="htoc45">8.1.3</A> The samba configuration file : <TT>/etc/samba/smb.conf</TT> </H4>
+<PRE># Global parameters
+[global]
+ workgroup = IDEALX-NT
+ netbios name = PDC-SRV
+ #interfaces = 192.168.5.11
+ username map = /etc/samba/smbusers
+ enable privileges = yes
+ server string = Samba Server %v
+ security = user
+ encrypt passwords = Yes
+ min passwd length = 3
+ obey pam restrictions = No
+ ldap passwd sync = Yes
+ #unix password sync = Yes
+ #passwd program = /opt/IDEALX/sbin/smbldap-passwd -u %u
+ #passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
+ ldap passwd sync = Yes
+ log level = 0
+ syslog = 0
+ log file = /var/log/samba/log.%m
+ max log size = 100000
+ time server = Yes
+ socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
+ mangling method = hash2
+ Dos charset = 850
+ Unix charset = ISO8859-1
+
+ logon script = logon.bat
+ logon drive = H:
+ logon home =
+ logon path =
+
+ domain logons = Yes
+ os level = 65
+ preferred master = Yes
+ domain master = Yes
+ wins support = Yes
+ passdb backend = ldapsam:ldap://127.0.0.1/
+ # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
+ # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
+ ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
+ ldap suffix = dc=idealx,dc=com
+ ldap group suffix = ou=Groups
+ ldap user suffix = ou=Users
+ ldap machine suffix = ou=Computers
+ ldap idmap suffix = ou=Users
+ ldap ssl = start tls
+ add user script = /opt/IDEALX/sbin/smbldap-useradd -m "%u"
+ ldap delete dn = Yes
+ #delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
+ add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 5 -w "%u"
+ add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
+ #delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
+ add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
+ delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
+ set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g "%g" "%u"
+
+ # printers configuration
+ printer admin = @"Print Operators"
+ load printers = Yes
+ create mask = 0640
+ directory mask = 0750
+ nt acl support = No
+ printing = cups
+ printcap name = cups
+ deadtime = 10
+ guest account = nobody
+ map to guest = Bad User
+ dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
+ show add printer wizard = yes
+ ; to maintain capital letters in shortcuts in any of the profile folders:
+ preserve case = yes
+ short preserve case = yes
+ case sensitive = no
+
+[homes]
+ comment = repertoire de %U, %u
+ read only = No
+ create mask = 0644
+ directory mask = 0775
+ browseable = No
+
+[netlogon]
+ path = /home/netlogon/
+ browseable = No
+ read only = yes
+
+[profiles]
+ path = /home/profiles
+ read only = no
+ create mask = 0600
+ directory mask = 0700
+ browseable = No
+ guest ok = Yes
+ profile acls = yes
+ csc policy = disable
+ # next line is a great way to secure the profiles
+ force user = %U
+ # next line allows administrator to access all profiles
+ valid users = %U "Domain Admins"
+
+[printers]
+ comment = Network Printers
+ printer admin = @"Print Operators"
+ guest ok = yes
+ printable = yes
+ path = /home/spool/
+ browseable = No
+ read only = Yes
+ printable = Yes
+ print command = /usr/bin/lpr -P%p -r %s
+ lpq command = /usr/bin/lpq -P%p
+ lprm command = /usr/bin/lprm -P%p %j
+
+[print$]
+ path = /home/printers
+ guest ok = No
+ browseable = Yes
+ read only = Yes
+ valid users = @"Print Operators"
+ write list = @"Print Operators"
+ create mask = 0664
+ directory mask = 0775
+
+[public]
+ comment = Repertoire public
+ path = /home/public
+ browseable = Yes
+ guest ok = Yes
+ read only = No
+ directory mask = 0775
+ create mask = 0664
+
+</PRE>
+
+<H4><A NAME="htoc46">8.1.4</A> The OpenLDAP configuration file : <TT>/etc/openldap/slapd.conf</TT></H4>
+<PRE>include /etc/openldap/schema/core.schema
+include /etc/openldap/schema/cosine.schema
+include /etc/openldap/schema/inetorgperson.schema
+include /etc/openldap/schema/nis.schema
+include /etc/openldap/schema/samba.schema
+
+schemacheck on
+lastmod on
+
+TLSCertificateFile /etc/openldap/ldap.idealx.com.pem
+TLSCertificateKeyFile /etc/openldap/ldap.idealx.com.key
+TLSCACertificateFile /etc/openldap/ca.pem
+TLSCipherSuite :SSLv3
+#TLSVerifyClient demand
+
+#######################################################################
+# ldbm database definitions
+#######################################################################
+database ldbm
+suffix dc=idealx,dc=com
+rootdn "cn=Manager,dc=idealx,dc=com"
+rootpw secret
+directory /var/lib/ldap
+index sambaSID eq
+index sambaPrimaryGroupSID eq
+index sambaDomainName eq
+index objectClass,uid,uidNumber,gidNumber,memberUid eq
+index cn,mail,surname,givenname eq,subinitial
+
+# users can authenticate and change their password
+access to attrs=userPassword,sambaNTPassword,sambaLMPassword
+ by dn="cn=Manager,dc=idealx,dc=com" write
+ by self write
+ by anonymous auth
+ by * none
+# all others attributes are readable to everybody
+access to *
+ by * read
+</PRE>
+<A NAME="toc28"></A>
+<H3><A NAME="htoc47">8.2</A> Changing the administrative account (<TT>ldap admin
+ dn</TT> in <TT>smb.conf</TT> file)</H3><A NAME="change::manager"></A>
+If you don't want to use the <TT>cn=Manager,dc=idealx,dc=com</TT>
+account anymore, you can create a dedicated account for Samba and the
+smbldap-tools scripts. To do
+this, create an account named <I>samba</I> as follows (see
+section <A HREF="smbldap-tools005.html#add::user">4.2.1</A> for a more detailed syntax) :
+<PRE>
+smbldap-useradd -s /bin/false -d /dev/null -P samba
+</PRE>This command will ask you to set a password for this account. Let's
+set it to <I>samba</I> for this example.
+You then need to modify configuration files:
+<UL><LI>
+file <TT>/etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf</TT>
+ <PRE>
+ slaveDN="uid=samba,ou=Users,dc=idealx,dc=com"
+ slavePw="samba"
+ masterDN="uid=samba,ou=Users,dc=idealx,dc=com"
+ masterPw="samba"
+ </PRE><LI>file <TT>/etc/samba/smb.conf</TT>
+ <PRE>
+ ldap admin dn = uid=samba,ou=Users,dc=idealx,dc=com
+ </PRE>don't forget to also set the samba account password in
+ <TT>secrets.tdb</TT> file :
+<PRE>
+smbpasswd -w samba
+</PRE><LI>file <TT>/etc/openldap/slapd.conf</TT>: give to the
+ <I>samba</I> user permissions to modify some attributes: this
+ user needs to be able to modify all the samba attributes and some
+ others (uidNumber, gidNumber ...) :
+ <PRE>
+# users can authenticate and change their password
+access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by self write
+ by anonymous auth
+ by * none
+# some attributes need to be readable anonymously so that 'id user' can answer correctly
+access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by * read
+# somme attributes can be writable by users themselves
+access to attrs=description,telephoneNumber
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by self write
+ by * read
+# some attributes need to be writable for samba
+access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by self read
+ by * none
+# samba need to be able to create the samba domain account
+access to dn.base="dc=idealx,dc=com"
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by * none
+# samba need to be able to create new users account
+access to dn="ou=Users,dc=idealx,dc=com"
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by * none
+# samba need to be able to create new groups account
+access to dn="ou=Groups,dc=idealx,dc=com"
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by * none
+# samba need to be able to create new computers account
+access to dn="ou=Computers,dc=idealx,dc=com"
+ by dn="uid=samba,ou=Users,dc=idealx,dc=com" write
+ by * none
+# this can be omitted but we leave it: there could be other branch
+# in the directory
+access to *
+ by self read
+ by * none
+ </PRE></UL>
+<A NAME="toc29"></A>
+<H3><A NAME="htoc48">8.3</A> known bugs</H3>
+<UL><LI>
+Option <I>-B</I> (user must change password) of
+ <TT>smbldap-useradd</TT> does not have effect: when
+ <TT>smbldap-passwd</TT> script is called,
+ <I>sambaPwdMustChange</I> attribute is rewrite.
+</UL>
+
+<HR>
+<A HREF="smbldap-tools008.html"><IMG SRC ="previous_motif.gif" ALT="Précédent"></A>
+<A HREF="index.html"><IMG SRC ="contents_motif.gif" ALT="Remonter"></A>
+</BODY>
+</HTML>