[Samba-it] Updating sambaLogonTime?

Marco Gaiarin gaio at sv.lnf.it
Thu Jun 29 12:55:01 MDT 2006


> I hate replying to myself, but I like making progress... ;)))

...I'm starting to get monotonous... ;)))


First, a premise:

> Then I added to the [netlogon] share
>         root preexec = /usr/local/sbin/smbldap-useraccess -n "%u"
>         root postexec = /usr/local/sbin/smbldap-useraccess -f "%u"

Damn, it doesn't work; I don't understand why, but it seems that for the
netlogon share root preexec and root postexec aren't executed. I moved
those lines into the other shares and it works perfectly. Dunno.


I'm adding the other script, which does nothing more than expire accounts
based on the access information recorded by smbldap-useraccess, but which
can also be used to tidy up the data and to expire the POSIX account too.

Obviously, the first time use them with -v and above all -d; on a normal
Samba installation used as-is, it would disable every account on the
spot. ;)


Attached.


This PS still stands, of course:
> PS: brute-force hack, the file still has the GPL banner at the top that
> assigns the copyright to IDEALIX, and above all I haven't yet contacted
> idealix itself, to whom I obviously intend to contribute the scripts.

And furthermore...

PPS: if I need to run two commands in 'root preexec', how can I do that?
Can I put two 'root preexec' lines, or can I separate the two commands
with ';'? Or what?

-- 
dott. Marco Gaiarin				    GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                http://www.sv.lnf.it/
  Polo FVG  -  Via della Bontà, 7 - 33078  -  San Vito al Tagliamento (PN)
  marco.gaiarin(at)sv.lnf.it	  tel +39-0434-842711  fax +39-0434-842797
-------------- next part --------------
#!/usr/bin/perl -w

# $Id: smbldap-usermod,v 1.11 2005/01/08 12:04:45 jtournier Exp $
#
#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

# Purpose of smbldap-usermod : user (posix,shadow,samba) modification

use strict;
use smbldap_tools;

#####################

use Getopt::Std;
my %Options;

# getting some info from config file
#
my $pwdage = 90;
if (defined $config{defaultMaxPasswordAge}) {
  $pwdage = $config{defaultMaxPasswordAge};
}
my $acctage = 180;
if (defined $config{defaultMaxInactivityAge}) {
  $acctage = $config{defaultMaxInactivityAge};
}
my $pxacctage = 360;
if (defined $config{defaultMaxPOSIXInactivityAge}) {
  $pxacctage = $config{defaultMaxPOSIXInactivityAge};
}
 

my $ok = getopts('vdfsp:a:x:h?', \%Options);
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) || ($Options{'h'}) ) {
  print_banner;
  print "Usage: $0 [-vdfs?h] [-p days] [-a days] [-x days] username\n";
  print "Available options are:\n";
  print "  -v    verbose mode\n";
  print "  -d    dry-run (do all the checks but just not update)\n";
  print "  -f    fix broken/impossible value\n";
  print "  -s    fix also POSIX/shadow account information\n";
  print "  -p    password age, default $pwdage (in days)\n";
  print "  -a    account age, default $acctage (in days)\n";
  print "  -x    POSIX account age, default $pxacctage (in days)\n";
  print "  -?|-h show this help message\n";
  exit (1);
}

if ($< != 0) {
  print "You must be root to modify an user\n";
  exit (1);
}
# Read only first @ARGV
my $user = $ARGV[0];

# Let's connect to the directory first
my $ldap_master=connect_ldap_master();

# Read user data
my $user_entry = read_user_entry($user);
if (!defined($user_entry)) {
  if ($Options{'v'}) {
    print "$0: user $user doesn't exist\n";
  }
  exit (1);
}
my $dn = $user_entry->dn();

# no samba? no party!
if ( ! grep ($_ =~ /^sambaSamAccount$/i, $user_entry->get_value('objectClass'))) {
  if ($Options{'v'}) {
    print "$0: user $user doesn't have samba data, nothing to do.\n";
  }
  exit(1);
}

# some vars...
my @mods;
my $tmp;
my $max = 2147483647;   # largest 32-bit time_t; not used below ("my constant" is not valid Perl)
my $retval = 0;
my $curdate = time;

# reapup account ages on commandline...
if (defined($tmp = $Options{'p'})) {
  $pwdage = int($tmp);
}
if (defined($tmp = $Options{'a'})) {
  $acctage = int($tmp);
}
if (defined($tmp = $Options{'x'})) {
  $pxacctage = int($tmp);
}

# Eventually adding missing shadowAccount OC
if ( ($Options{'s'}) && (! grep ($_ =~ /^shadowAccount$/i, $user_entry->get_value('objectClass'))) ) {
  my @objectclass = $user_entry->get_value('objectClass');
  push(@mods, 'objectClass' => [ @objectclass, 'shadowAccount' ]);
  if ($Options{'v'}) {
    print "$0: user $user shadowAccount ObjectClass missing added\n";
  }
}

# Password expiration are handled automatically by samba, here we do only
# some check... note that we use a theresold value of one day for password
# expiration...
my $pls = $user_entry->get_value('sambaPwdLastSet');
if (! defined($pls) ) {
  $pls = 0;
}
my $pmc = $user_entry->get_value('sambaPwdMustChange');
if (! defined($pmc) ) {
  $pmc = 0;
}
# sambaAcctFlags is optional in the schema; when it is missing we assume a
# plain enabled user ('[U          ]', Samba's default) so that the regexes
# below operate on a real string rather than on undef
my $af = $user_entry->get_value('sambaAcctFlags');
if (! defined($af) ) {
  $af = '[U          ]';
}
if ($Options{'f'}) {
  if ( $pls > $curdate ) {
    $pls = $curdate;  
    if ($Options{'v'}) {
      print "$0: user $user sambaPwdLastSet invalid, resetting to $pls\n";
    }
    push(@mods, 'sambaPwdLastSet' => $pls);
  }

  if ( $pmc > $curdate + (($pwdage+1)*24*60*60) ) {
    $pmc = $curdate;
    if ($Options{'v'}) {
      print "$0: user $user sambaPwdMustChange too high, resetting to $pmc\n";
    }
    push(@mods, 'sambaPwdMustChange' => $pmc);
  }

  if ( $af =~ /X/ ) {
    if ($Options{'v'}) {
      print "$0: user $user sambaAcctFlags 'X' enabled, resetting it\n";
    }
    $af =~ s/X//;
    push(@mods, 'sambaAcctFlags' => $af);
  }
}


# account expiration/disabling...
my $lot = $user_entry->get_value('sambaLogonTime');
if (! defined($lot) ) {
  $lot = 0;
}
my $up = $user_entry->get_value('userPassword');
if (! defined($up) ) {
  $up = '';
}
if ( ($lot < $curdate - ($acctage*24*60*60)) && ($af !~ /D/) ) {
  if ($Options{'v'}) {
    print "$0: user $user sambaLogonTime too low, disabling account\n";
  }
  $af =~ s/U/DU/;
  push(@mods, 'sambaAcctFlags' => $af);
  $retval = 2;

  # POSIX lockout only with -s, only after the (longer) POSIX inactivity
  # age, and only once: a password already set to {crypt}x is left alone
  if ( ($Options{'s'}) && ($lot < $curdate - ($pxacctage*24*60*60)) && ($up !~ /^\{crypt\}x$/) ) {
    if ($Options{'v'}) {
      print "$0: user $user sambaLogonTime really too low, disabling POSIX account\n";
    }
    $up = "{crypt}x";
    push(@mods, 'userPassword' => $up);
  }
}

# poking POSIX shadow data...
if ( $Options{'s'} ) {
  my $lc = $user_entry->get_value('shadowLastChange');
  if ( ! defined($lc) ) {
    $lc = 0;
  }
  my $slc = int ($pls/(24*60*60));
  if ( $lc != $slc ) {
    if ($Options{'v'}) {
      print "$0: user $user setting up shadow data\n";
    }
    push(@mods, 'shadowLastChange' => $slc);
    push(@mods, 'shadowMin' => 0);
    push(@mods, 'shadowMax' => $pwdage);
    push(@mods, 'shadowWarning' => $acctage);
    push(@mods, 'shadowInactive' => $pxacctage);
  }
}

# apply changes; @mods is a flat attr => value list, so if an attribute was
# pushed twice (e.g. sambaAcctFlags by -f and again by the disabling step)
# the last value wins in the hash, which is what we want since $af accumulates
if ( (@mods) && (! $Options{'d'}) ) {
  my $modify = $ldap_master->modify ( "$dn",
				    'replace' => { @mods }
				  );
  $modify->code && warn "failed to modify entry: ", $modify->error ;
}

# take down session
$ldap_master->unbind;

# need to tackle with nscd...
if ( (@mods) && (! $Options{'d'}) ) {
  my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
  if ($nscd_status == 0) {
    system "/etc/init.d/nscd restart > /dev/null 2>&1";
  }
} 

# we exit with a well-known exit status, so if we change something
# important we can warn users...
exit($retval);

############################################################

=head1 NAME

smbldap-userexpire - Expire user account based on last access time

=head1 SYNOPSIS

smbldap-userexpire [-v] [-d] [-f] [-s] [-p days] [-a days] [-x days] login

=head1 DESCRIPTION

The smbldap-userexpire command checks the account's last-access timestamp and updates the account information accordingly, typically disabling the account if it has not been used for some time.

-v
 Verbose mode, print every action taken

-d
 Dry-run: compute all the needed modifications but do not apply them; usually used together with -v

-f
 Fix broken/impossible data that could prevent an account from expiring

-s
 Also fix POSIX/shadow data; note that LDAP shadow data is rarely used, so this script also sets the POSIX password to an invalid value

-p days
 Password age in days (or set defaultMaxPasswordAge in smbldap.conf)

-a days
 Samba account age in days (or set defaultMaxInactivityAge in smbldap.conf)

-x days
 POSIX account age in days (or set defaultMaxPOSIXInactivityAge in smbldap.conf)

=head1 RETURN VALUES

This script returns 0 if all goes well, 1 if something goes wrong and 2 if all goes well and a Samba account was disabled.

This is intended so you can catch the return value and do something (send an email, ...) for the user. For the same reason the Samba account age and the POSIX account age are distinct, and the latter should be greater than the former.

=head1 SEE ALSO

       smbldap-usermod(1) smbldap-useraccess(1)

=cut

#'
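The decision logic of the attached script, as an added example that is not part of the post or of smbldap-tools: a Python re-implementation of the same checks (sambaPwdLastSet/sambaPwdMustChange sanity, the 'X' never-expires flag, sambaLogonTime inactivity, the -s POSIX lockout and shadow attributes) as a pure function over a dict "entry", so the rules can be dry-run offline against constructed users before they are let loose on a directory. The attribute names are the ones the Perl uses; the entry layout, NOW and the sample users are constructed for the example. Unlike the Perl's s/U/DU/ and s/X//, the helper keeps the sambaAcctFlags field at its 13-character width.

```python
"""Decision logic of an smbldap-userexpire style pass, on plain dicts.

Added example, not the script attached to the post.  It re-implements the
checks the Perl performs as a pure function over a dict "entry", so the
rules can be dry-run offline without an LDAP server.  Attribute names are
the ones the script uses; the entry layout, NOW and the sample users are
constructed for this example.
"""
from typing import Tuple

DAY = 24 * 60 * 60
FLAG_WIDTH = 11            # chars between the brackets of '[U          ]'


def set_flag(flags: str, flag: str, on: bool) -> str:
    """Add or drop one sambaAcctFlags letter without changing the field width.

    The Perl uses s/U/DU/ and s/X//, which grow or shrink the space-padded
    field; Samba tolerates that, but keeping the width is tidier.
    """
    body = flags.strip("[]").replace(" ", "")
    if on and flag not in body:
        body = flag + body
    if not on:
        body = body.replace(flag, "")
    return "[" + body.ljust(FLAG_WIDTH) + "]"


def plan_expiry(entry: dict, now: int, *, pwdage: int = 90,
                acctage: int = 180, pxacctage: int = 360,
                fix: bool = False, shadow: bool = False) -> Tuple[dict, int]:
    """Return (modifications, status) for one entry; nothing is written.

    status follows the script: 0 nothing notable, 1 not a Samba account,
    2 the Samba account was disabled in this pass.  Missing timestamps count
    as 0 (the epoch), so a user who never logged on is 'inactive'.
    """
    mods: dict = {}
    classes = [str(c).lower() for c in entry.get("objectClass", [])]
    if "sambasamaccount" not in classes:
        return mods, 1                                   # no samba? no party!

    pls = int(entry.get("sambaPwdLastSet", 0))
    pmc = int(entry.get("sambaPwdMustChange", 0))
    lot = int(entry.get("sambaLogonTime", 0))
    af = str(entry.get("sambaAcctFlags", "[U          ]"))  # assumed default
    up = str(entry.get("userPassword", ""))
    status = 0

    if shadow and "shadowaccount" not in classes:
        mods["objectClass"] = list(entry["objectClass"]) + ["shadowAccount"]

    if fix:
        if pls > now:                          # set in the future: impossible
            pls = now
            mods["sambaPwdLastSet"] = str(pls)
        if pmc > now + (pwdage + 1) * DAY:     # beyond max age, one day of slack
            pmc = now
            mods["sambaPwdMustChange"] = str(pmc)
        if "X" in af:                          # 'X' = password never expires
            af = set_flag(af, "X", False)
            mods["sambaAcctFlags"] = af

    if lot < now - acctage * DAY and "D" not in af:
        af = set_flag(af, "D", True)           # disable the Samba account
        mods["sambaAcctFlags"] = af
        status = 2
        if shadow and lot < now - pxacctage * DAY and up != "{crypt}x":
            mods["userPassword"] = "{crypt}x"  # and invalidate the POSIX password

    if shadow and int(entry.get("shadowLastChange", 0)) != pls // DAY:
        mods.update(shadowLastChange=str(pls // DAY), shadowMin="0",
                    shadowMax=str(pwdage), shadowWarning=str(acctage),
                    shadowInactive=str(pxacctage))
    return mods, status


NOW = 1151582400                                # constructed: 2006-06-29 12:00 UTC

USERS = {  # constructed entries, not from any real directory
    "alice": {"objectClass": ["posixAccount", "sambaSamAccount"],
              "sambaPwdLastSet": str(NOW - 30 * DAY),
              "sambaLogonTime": str(NOW - DAY),          # seen yesterday
              "sambaAcctFlags": "[U          ]",
              "userPassword": "{crypt}$1$constructed$"},
    "bob": {"objectClass": ["posixAccount", "sambaSamAccount"],
            "sambaPwdLastSet": str(NOW + 5 * DAY),       # impossible: in the future
            "sambaLogonTime": str(NOW - 400 * DAY),      # idle for over a year
            "sambaAcctFlags": "[UX         ]",           # never-expiring password
            "userPassword": "{crypt}$1$constructed$"},
    "carol": {"objectClass": ["posixAccount"],           # no samba data at all
              "userPassword": "{crypt}$1$constructed$"},
    "dave": {"objectClass": ["posixAccount", "sambaSamAccount"],
             "sambaPwdLastSet": str(NOW - 10 * DAY),
             "sambaPwdMustChange": str(NOW + 200 * DAY),  # far beyond pwdage 90
             "sambaAcctFlags": "[U          ]"},         # never logged on
}


def dry_run(users: dict, now: int = NOW, **opts) -> dict:
    """The script's -d mode over many users: what would change, per user."""
    return {name: plan_expiry(entry, now, **opts) for name, entry in users.items()}


if __name__ == "__main__":
    for name, (mods, status) in dry_run(USERS, fix=True, shadow=True).items():
        print(f"{name}: status={status} mods={mods}")
```

Running it shows the point the post warns about: with the defaults, any account whose sambaLogonTime is absent (dave) is treated as never used and is disabled on the first pass, which is why -d and -v first are essential on a directory where smbldap-useraccess has not yet populated the timestamps.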

