[Samba] Re: Need help configuring Samba3/LDAP PDC
Aaron Ogden
aogden at gxt.com
Mon Jun 14 20:44:52 GMT 2004
Craig White wrote:
>On Fri, 2004-06-11 at 13:16, rwallace at thewallacepack.net wrote:
>
>
>>Aaron Ogden wrote:
>>
>>
>>>On a related note, I've imported lots of NIS data into this LDAP
>>>directory, so I have lots of valid Unix accounts. These are working
>>>properly on LDAP-enabled linux machines, but how do I 'convert' them
>>>for use with Samba? Ideally I would like to have one record for each
>>>user that contains all of the samba data as well as the unix data. Is
>>>there an easy way to add the appropriate samba fields to 'normal'
>>>posixAccounts? Is there a FAQ that covers the procedure? Any help
>>>would be welcome.
>>>
>>>
>>That's a good question and I hope someone has an answer. I tried to do
>>the same a while back and didn't have any luck either. You can't use
>>the smbldap-useradd scripts or smbpasswd -a 'cause those will only tell
>>you that the entry already exists. Oooo... but it looks like you can
>>use "smbldap-usermod -a" to add the necessary objectclass and whatnot.
>>Play around with that and see what happens.
>>
>>
>----
>I have not played with smbldap-usermod -a but that might very well work.
>
>What I did play with was webmin - www.webmin.com
>
>Properly configured, webmin's LDAP Users & Groups can add all of the
>samba properties desired to any user by editing the user and clicking
>the samba button. I found this to be a very valuable tool for a less-than-
>versant office manager to add/delete accounts, edit passwords, etc. This
>is the best solution that I have found to date (though LAM looks pretty
>good).
>
>Craig
>
>
>
Thanks Craig. I discovered the joys of Webmin a few weeks ago and I
agree, it's a great tool for managing LDAP data, especially for people
who don't completely understand LDAP yet. I found another tool called
LDAP Browser/Editor which has worked really well... it's java based so
it runs on anything and it allows one to easily edit or delete any
object in the LDAP tree. I have used Webmin to add the Samba fields to
my account and it works great. The problem is that I have lots of users
and I don't want to give myself carpal tunnel syndrome by clicking that
many times. Another problem is that I want to preserve the old Samba
passwords instead of resetting them to some default value. :-) I
worked out a way to do this via shell script, I have used it to enable
samba access for 250 accounts. Works like a charm.
#!/bin/sh
#
# create_samba_accounts.sh 2004-06-14 AAO
#
# For every user in an old smbpasswd file: make sure an LDAP account
# exists, add the sambaSamAccount object class, then copy the LM/NT
# hashes from the old file so users keep their existing passwords.
#
# The per-user LDIF files and the log contain password hashes, so keep
# them readable by this user only.
umask 077

SMBSBIN=/var/lib/samba/sbin
SMBHOME=/etc/samba
SMBPASSWD=/etc/samba/smbpasswd.old
USERLIST=`grep -v '^#' "$SMBPASSWD" | awk -F':' '{print $1}'`
LDAPADMIN="<LDAP admin dn>"
LDAPPASSWD="<LDAP admin password>"
PEOPLEOU="<LDAP ou for user accounts>"
LOGFILE="/tmp/create_samba_accounts.log"
NOHASH="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"   # smbpasswd marker for "no hash stored"

rm -f "$LOGFILE"
cd "$SMBSBIN" || exit 1

for USER in $USERLIST
do
    # grab the user's line once, then pull the fields out of it
    # (smbpasswd format: username:uid:LM hash:NT hash:[flags]:LCT-...:)
    ENTRY=`grep -v '^#' "$SMBPASSWD" | grep "^$USER:" | head -n 1`
    USERID=`echo "$ENTRY" | awk -F':' '{print $2}'`
    LMPASSWD=`echo "$ENTRY" | awk -F':' '{print $3}'`
    NTPASSWD=`echo "$ENTRY" | awk -F':' '{print $4}'`

    # create LDIF file for modifications (values passed as printf
    # arguments, so a stray % in a field cannot break the format)
    LDIF=/tmp/$USER.LDIF
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: sambaLMPassword\nsambaLMPassword: %s\n-\nreplace: sambaNTPassword\nsambaNTPassword: %s\n-\n' \
        "$USER" "$PEOPLEOU" "$LMPASSWD" "$NTPASSWD" > "$LDIF"
    #
    # print variables to stdout (sanity check; note that this echoes the
    # password hashes to the terminal)
    printf 'username: %s\nuser id : %s\nLM password: %s\nNT password: %s\n' \
        "$USER" "$USERID" "$LMPASSWD" "$NTPASSWD"
    # printf 'contents of %s:\n' "$LDIF"
    # cat "$LDIF"
    # printf '\n'
    #
    # check for existing account
    if /usr/bin/ldapsearch -x "uid=$USER" | grep uidNumber > /dev/null 2>&1
    then
        printf '%s: account exists in LDAP database\n' "$USER" >> "$LOGFILE"
    else
        printf '%s: account not found, creating account now...\n' "$USER" >> "$LOGFILE"
        ./smbldap-useradd.pl "$USER"
    fi
    # check for existing samba records
    if /usr/bin/ldapsearch -x "uid=$USER" | grep sambaSamAccount > /dev/null 2>&1
    then
        printf '%s: already has samba records\n' "$USER" >> "$LOGFILE"
    else
        # add sambaSamAccount records to user account
        printf '%s: samba records not found, adding them now...\n' "$USER" >> "$LOGFILE"
        ./smbldap-usermod.pl -a "$USER"
    fi
    # enable user account and set an initial password (the username);
    # the real hashes are written over it by ldapmodify just below
    /usr/bin/smbpasswd -a -e "$USER" "$USER"
    # use ldapmodify to set password
    # (-w puts the admin password on the command line, where ps can see it)
    /usr/bin/ldapmodify -x -w "$LDAPPASSWD" -D "$LDAPADMIN" -f "$LDIF"
    # delete LDIF file
    rm -f "$LDIF"
    # check for null passwords (a field of 32 X's means the old file had
    # no hash for this user; that placeholder has been written as-is above)
    if [ "$LMPASSWD" = "$NOHASH" ]; then
        # user has no LM hash; log it and continue
        printf '%s: sambaLMPassword is not set\n' "$USER" >> "$LOGFILE"
    fi
    if [ "$NTPASSWD" = "$NOHASH" ]; then
        # user has no NT hash; log it and continue
        printf '%s: sambaNTPassword is not set\n' "$USER" >> "$LOGFILE"
    fi
done
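The conversion the script above does with grep and printf, written out as an added example (editor's code, not Aaron's script and not part of Samba) so the smbpasswd format and the LDIF it maps to are explicit. It assumes the same uid=<user>,<people ou> DN layout and the Samba 3 schema attributes sambaLMPassword, sambaNTPassword, sambaAcctFlags and sambaPwdLastSet. Two things it does differently from the shell version: a hash the old file marks as unset (32 X's) is left alone rather than written into LDAP as the placeholder, and the "NO PASSWORD" marker is turned into the N bit of sambaAcctFlags, which is how the LDAP backend expresses it. The sample smbpasswd lines are constructed, not real hashes.

```python
"""Added example: parse a Samba 3 smbpasswd file and build LDIF
'changetype: modify' records for sambaSamAccount entries."""
import re
from typing import List, Optional, Tuple

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
UNSET_HASH = "X" * 32                      # smbpasswd: no hash stored
NULL_HASH = "NO PASSWORD" + "X" * 21       # smbpasswd: empty password allowed
DEFAULT_FLAGS = "[" + "U".ljust(11) + "]"  # old files may lack the flags field


class SmbEntry:
    """One smbpasswd line after normalisation."""
    def __init__(self, user: str, uid: int, lm: Optional[str], nt: Optional[str],
                 flags: str, pwd_last_set: Optional[int]):
        self.user, self.uid, self.lm, self.nt = user, uid, lm, nt
        self.flags, self.pwd_last_set = flags, pwd_last_set


def _norm_flags(flags: str, add: str = "") -> str:
    """Canonical sambaAcctFlags value: '[' + 11 characters + ']'."""
    inner = flags.strip()
    if inner.startswith("[") and inner.endswith("]"):
        inner = inner[1:-1]
    letters = inner.replace(" ", "")
    for c in add:
        if c not in letters:
            letters += c
    if len(letters) > 11:
        raise ValueError("too many account flags in %r" % flags)
    return "[" + letters.ljust(11) + "]"


def _norm_hash(value: str, flags: str, user: str) -> Tuple[Optional[str], str]:
    """Map one hash field to (32 hex chars or None, possibly updated flags)."""
    value = value.strip()
    if value == UNSET_HASH:
        return None, flags
    if value == NULL_HASH:
        # smbpasswd keeps "empty password allowed" in the hash field; in
        # LDAP that is the N bit of sambaAcctFlags, not a hash value.
        return None, _norm_flags(flags, "N")
    if not HEX32.match(value):
        raise ValueError("%s: malformed hash %r" % (user, value))
    return value.upper(), flags


def parse_smbpasswd(text: str) -> List[SmbEntry]:
    """Parse user:uid:LM:NT[:[flags]:LCT-hex:] lines; '#' lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 4:
            raise ValueError("line %d: expected user:uid:LM:NT..." % lineno)
        user, uid = f[0], int(f[1])
        flags = _norm_flags(f[4]) if len(f) > 4 and f[4].strip() else DEFAULT_FLAGS
        lm, flags = _norm_hash(f[2], flags, user)
        nt, flags = _norm_hash(f[3], flags, user)
        last_set = int(f[5][4:], 16) if len(f) > 5 and f[5].startswith("LCT-") else None
        entries.append(SmbEntry(user, uid, lm, nt, flags, last_set))
    return entries


def _dn_escape(value: str) -> str:
    """Escape the RFC 2253 special characters in an RDN value."""
    return re.sub(r'([,+"\\<>;=])', r"\\\1", value)


def entry_to_ldif(e: SmbEntry, people_ou: str) -> Tuple[str, List[str]]:
    """One modify record.  A hash the old file does not have is left alone
    (never replaced by the XXXX placeholder); a warning is returned instead."""
    warnings = []
    mods = [("sambaAcctFlags", e.flags)]
    for attr, val in (("sambaLMPassword", e.lm), ("sambaNTPassword", e.nt)):
        if val is None:
            warnings.append("%s: %s not set in smbpasswd, left untouched" % (e.user, attr))
        else:
            mods.append((attr, val))
    if e.pwd_last_set is not None:
        mods.append(("sambaPwdLastSet", str(e.pwd_last_set)))
    lines = ["dn: uid=%s,%s" % (_dn_escape(e.user), people_ou), "changetype: modify"]
    for attr, val in mods:
        lines += ["replace: " + attr, "%s: %s" % (attr, val), "-"]
    return "\n".join(lines) + "\n", warnings


def smbpasswd_to_ldif(text: str, people_ou: str) -> Tuple[str, List[str]]:
    """Whole-file conversion: records separated by a blank line, plus warnings."""
    records, warnings = [], []
    for e in parse_smbpasswd(text):
        ldif, w = entry_to_ldif(e, people_ou)
        records.append(ldif)
        warnings.extend(w)
    return "\n".join(records), warnings


# Constructed sample input: made-up hashes, one disabled user, one "NO PASSWORD" user.
SAMPLE = "\n".join([
    "# SMB password file.",
    "alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-40CDBB6A:",
    "bob:1002:%s:%s:[UD         ]:LCT-40CDBB6A:" % (UNSET_HASH, UNSET_HASH),
    "guest:1003:%s:%s:[U          ]:LCT-40CDBB6A:" % (NULL_HASH, NULL_HASH),
]) + "\n"

if __name__ == "__main__":
    out, warns = smbpasswd_to_ldif(SAMPLE, "ou=People,dc=example,dc=com")
    print(out)
    for w in warns:
        print("WARNING:", w)
```

The output is fed to ldapmodify exactly as the script does it (one file, or one record per user), after smbldap-usermod -a has put the sambaSamAccount object class on the entry, since replace on an attribute the object class does not allow is rejected by the server. Samba 3 also ships its own migration path for this, pdbedit -i smbpasswd:/path/to/file -e ldapsam:..., which handles the flags and SID fields as well.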