[Samba-it] Updating sambaLogonTime?
Marco Gaiarin
gaio at sv.lnf.it
Thu Jun 29 12:55:01 MDT 2006
> I hate replying to myself, but I like making progress... ;)))
...I'm starting to get repetitive... ;)))
First, a premise:
> Then I added to the [netlogon] share
> root preexec = /usr/local/sbin/smbldap-useraccess -n "%u"
> root postexec = /usr/local/sbin/smbldap-useraccess -f "%u"
Damn, it doesn't work; I haven't understood why, but it seems that for the
netlogon share root preexec and root postexec are not executed. I moved
those lines into the other shares and it works perfectly. Oh well.
I'm adding the other script, which does nothing more than expire accounts
based on the access information recorded by smbldap-useraccess, but which
can also be used to tidy up the data and to expire the POSIX account too.
Obviously, the first time, use them with -v and above all -d: on a normal
samba installation, used as-is, it would instantly disable every
account. ;)
Attached.
This PS still stands, of course:
> PS: brute-force hack, the file still carries the GPL banner at the top
> that assigns the copyright to IDEALX, and above all I haven't yet
> contacted IDEALX itself, to whom I obviously intend to contribute the
> scripts.
And also...
PPS: if I need to run two commands in 'root preexec', how can I do it?
Can I put in two 'root preexec' lines, or can I separate the two commands
with ';'? Or what?
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797
-------------- next part --------------
#!/usr/bin/perl -w
# $Id: smbldap-usermod,v 1.11 2005/01/08 12:04:45 jtournier Exp $
#
# This code was developed by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.

# Purpose of smbldap-userexpire : disable (samba, and optionally posix/shadow)
# accounts that have not been used for some time, judging by sambaLogonTime.

use strict;
use Getopt::Std;
use smbldap_tools;   # connect_ldap_master, read_user_entry, print_banner, %config

#####################

my %Options;

# Default ages (in days); each can be overridden in smbldap.conf
# (%config is exported by smbldap_tools).
my $pwdage = 90;
if (defined $config{defaultMaxPasswordAge}) {
    $pwdage = $config{defaultMaxPasswordAge};
}
my $acctage = 180;
if (defined $config{defaultMaxInactivityAge}) {
    $acctage = $config{defaultMaxInactivityAge};
}
my $pxacctage = 360;
if (defined $config{defaultMaxPOSIXInactivityAge}) {
    $pxacctage = $config{defaultMaxPOSIXInactivityAge};
}

my $ok = getopts('vdfsp:a:x:h?', \%Options);
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) || ($Options{'h'}) ) {
    print_banner;
    print "Usage: $0 [-vdfs?h] [-p days] [-a days] [-x days] username\n";
    print "Available options are:\n";
    print " -v       verbose mode\n";
    print " -d       dry-run (do all the checks but do not update)\n";
    print " -f       fix broken/impossible values\n";
    print " -s       fix also POSIX/shadow account information\n";
    print " -p days  password age, default $pwdage (in days)\n";
    print " -a days  account age, default $acctage (in days)\n";
    print " -x days  POSIX account age, default $pxacctage (in days)\n";
    print " -?|-h    show this help message\n";
    exit (1);
}

if ($< != 0) {
    print "You must be root to modify a user\n";
    exit (1);
}

# Read only the first @ARGV
my $user = $ARGV[0];

# Let's connect to the directory first
my $ldap_master = connect_ldap_master();

# Read user data
my $user_entry = read_user_entry($user);
if (!defined($user_entry)) {
    if ($Options{'v'}) {
        print "$0: user $user doesn't exist\n";
    }
    exit (1);
}
my $dn = $user_entry->dn();

# no samba? no party!
if ( ! grep ($_ =~ /^sambaSamAccount$/i, $user_entry->get_value('objectClass'))) {
    if ($Options{'v'}) {
        print "$0: user $user doesn't have samba data, nothing to do.\n";
    }
    exit (1);
}

# some vars...
my @mods;                 # attribute => value pairs, applied with 'replace'
my $tmp;
my $retval = 0;
my $curdate = time;
my $day = 24*60*60;
# Note: Samba stores 2147483647 (the largest 32-bit time_t) in
# sambaPwdMustChange to mean "never"; the -f check below catches it too.

# read account ages from the command line...
if (defined($tmp = $Options{'p'})) {
    $pwdage = int($tmp);
}
if (defined($tmp = $Options{'a'})) {
    $acctage = int($tmp);
}
if (defined($tmp = $Options{'x'})) {
    $pxacctage = int($tmp);
}

# Eventually adding the missing shadowAccount objectClass
if ( ($Options{'s'}) && (! grep ($_ =~ /^shadowAccount$/i, $user_entry->get_value('objectClass'))) ) {
    my @objectclass = $user_entry->get_value('objectClass');
    push(@mods, 'objectClass' => [ @objectclass, 'shadowAccount' ]);
    if ($Options{'v'}) {
        print "$0: user $user shadowAccount objectClass missing, added\n";
    }
}

# Password expiration is handled automatically by samba, here we only do
# some checks... note that we use a threshold of one day for password
# expiration...
my $pls = $user_entry->get_value('sambaPwdLastSet');
$pls = 0 unless defined($pls);
my $pmc = $user_entry->get_value('sambaPwdMustChange');
$pmc = 0 unless defined($pmc);
# sambaAcctFlags looks like "[U          ]": 11 flag characters between
# brackets, blank padded. A missing value is treated as a plain user account.
my $af = $user_entry->get_value('sambaAcctFlags');
$af = '[U          ]' unless defined($af);

if ($Options{'f'}) {
    if ( $pls > $curdate ) {                    # last set in the future: impossible
        $pls = $curdate;
        if ($Options{'v'}) {
            print "$0: user $user sambaPwdLastSet invalid, resetting to $pls\n";
        }
        push(@mods, 'sambaPwdLastSet' => $pls);
    }
    if ( $pmc > $curdate + ($pwdage+1)*$day ) { # too far ahead (or "never")
        $pmc = $curdate;
        if ($Options{'v'}) {
            print "$0: user $user sambaPwdMustChange too high, resetting to $pmc\n";
        }
        push(@mods, 'sambaPwdMustChange' => $pmc);
    }
    if ( $af =~ /X/ ) {                         # X = password never expires
        if ($Options{'v'}) {
            print "$0: user $user sambaAcctFlags 'X' enabled, resetting it\n";
        }
        $af =~ s/X/ /;                          # blank it, keeping the field width
        push(@mods, 'sambaAcctFlags' => $af);
    }
}

# account expiration/disabling...
my $lot = $user_entry->get_value('sambaLogonTime');
$lot = 0 unless defined($lot);   # never logged on, or never recorded: expires at once
my $up = $user_entry->get_value('userPassword');

if ( ($lot < $curdate - $acctage*$day) && ($af !~ /D/) ) {
    if ($Options{'v'}) {
        print "$0: user $user sambaLogonTime too low, disabling account\n";
    }
    # Set the D (disabled) flag on the last padding blank so the field keeps
    # its width; if there is no blank left, put it right after the '['.
    $af =~ s/ \]$/D]/ or $af =~ s/^\[/[D/;
    # If -f already pushed sambaAcctFlags, this later pair wins in { @mods }.
    push(@mods, 'sambaAcctFlags' => $af);
    $retval = 2;
    if ( ($Options{'s'}) && ($lot < $curdate - $pxacctage*$day)
         && (!defined($up) || $up ne '{crypt}x') ) {
        if ($Options{'v'}) {
            print "$0: user $user sambaLogonTime really too low, disabling POSIX account\n";
        }
        $up = '{crypt}x';    # "x" is not a valid crypt(3) hash: no password can match
        push(@mods, 'userPassword' => $up);
    }
}

# poking POSIX shadow data...
if ( $Options{'s'} ) {
    my $lc = $user_entry->get_value('shadowLastChange');
    $lc = 0 unless defined($lc);
    my $slc = int($pls/$day);    # shadow dates are days since the epoch
    if ( $lc != $slc ) {
        if ($Options{'v'}) {
            print "$0: user $user setting up shadow data\n";
        }
        push(@mods, 'shadowLastChange' => $slc);
        push(@mods, 'shadowMin' => 0);
        push(@mods, 'shadowMax' => $pwdage);
        push(@mods, 'shadowWarning' => $acctage);
        push(@mods, 'shadowInactive' => $pxacctage);
    }
}

# apply changes
if ( (@mods) && (! $Options{'d'}) ) {
    my $modify = $ldap_master->modify( $dn, 'replace' => { @mods } );
    if ($modify->code) {
        warn "failed to modify entry $dn: ", $modify->error, "\n";
        $retval = 1;             # documented: 1 means something went wrong
    }
}

# take down session
$ldap_master->unbind;

# need to tackle with nscd...
if ( (@mods) && (! $Options{'d'}) ) {
    my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
    if ($nscd_status == 0) {
        system "/etc/init.d/nscd restart > /dev/null 2>&1";
    }
}

# we exit with a well-known exit status, so if we change something
# important we can warn users...
exit($retval);

############################################################

=head1 NAME

smbldap-userexpire - Expire user accounts based on last access time

=head1 SYNOPSIS

smbldap-userexpire [-v] [-d] [-f] [-s] [-p days] [-a days] [-x days] login

=head1 DESCRIPTION

The smbldap-userexpire command checks the account access timestamp
(sambaLogonTime) and updates the account accordingly, typically disabling
the account if it has not been used for some time.

=over 4

=item -v

Verbose mode: print every action taken.

=item -d

Dry run: compute all needed modifications but do not apply them; usually
used together with -v.

=item -f

Fix broken/impossible data that can prevent an account from expiring.

=item -s

Also fix POSIX/shadow data; note that LDAP shadow data are rarely used, so
this script also invalidates the POSIX password.

=item -p days

Password age in days (also see defaultMaxPasswordAge in smbldap.conf).

=item -a days

Samba account age in days (also see defaultMaxInactivityAge in smbldap.conf).

=item -x days

POSIX account age in days (also see defaultMaxPOSIXInactivityAge in
smbldap.conf).

=back

=head1 RETURN VALUES

This script returns 0 if all goes well, 1 if something goes wrong, and 2 if
all goes well and a Samba account was disabled.

This is intended so you can catch the return value and do something (send
an email, ...) for the user. For the same reason the Samba account age
differs from the POSIX account age, and the latter is best kept higher than
the former.

=head1 SEE ALSO

smbldap-usermod(1) smbldap-useraccess(1)

=cut

#'
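An added example (editor's, not part of the original post or of smbldap-tools) showing one way to wire the two scripts into smb.conf and to run two commands from a single root preexec, which is what the PPS asks. It assumes the script paths and the -n/-f flags exactly as given in the post; the [homes] share and the logger call are placeholders. It relies on two facts about smb.conf: a parameter may appear only once per section (a second "root preexec" line replaces the first rather than adding to it), and the value of root preexec is handed to /bin/sh -c, so commands can be chained with && or ;.

```ini
; Added example, not from the original post. Paths and the -n/-f flags are
; those used in the post; [homes] and the logger call are placeholders.
[homes]
    comment = Home directories
    browseable = no
    writable = yes
    ; Executed as root every time the user connects. Only one "root preexec"
    ; line is honoured per section (the last one wins), so chain the commands
    ; in one value: the string is run by /bin/sh -c, hence "&&" and ";" work.
    ; "%u" is the connecting user and "%m" the client's NetBIOS name; keep
    ; them quoted, they end up on a root shell command line.
    root preexec = /usr/local/sbin/smbldap-useraccess -n "%u" && /usr/bin/logger -t smbd "logon %u from %m"
    ; Refuse the connection if the chain above exits non-zero.
    root preexec close = yes
    ; Bookkeeping at disconnect, as in the post.
    root postexec = /usr/local/sbin/smbldap-useraccess -f "%u"
```

With "root preexec close = yes" a failure of smbldap-useraccess (or of logger) refuses the connection; leave it out if a failed bookkeeping step should not lock users out of their shares.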