Samba-TNG                                                 README.hechenberger
-----------------------------------------------------------------------------

LDAP - Scripts

Martin Hechenberger and Simon Roscic (February 2003)
 
Comments welcome: martin.hechenberger@mpreis.at

---------------------------------------------------
===================================================

This is a collection of useful scripts for use with an LDAP PDC.
Modify the "prefs" file to fit your needs (it depends on your LDAP structure).

Then run "basicentries" to replace all variables in basicentries.ldif.dot and
produce basicentries.ldif, which can be imported into a fresh LDAP installation.

These scripts are intended for use with this LDAP tree:

========= dc=mycompany,dc=at
     |
      ------ o=smb (all samba entries: users, groups, machines)
     |
      ------ ou=Group (posix system groups)
     |
      ------ ou=People (posix system users)
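
The tree above, spelled out as LDIF with one POSIX group and one POSIX user
(an added example, not the basicentries.ldif the scripts generate; the user
and group values are constructed, and the Samba-TNG entries under o=smb are
left to basicentries because their objectclasses come from samba.schema):

```ldif
# Constructed example: base tree plus one posixGroup and one posixAccount.
dn: dc=mycompany,dc=at
objectClass: dcObject
objectClass: organization
dc: mycompany
o: MyCompany

# Samba-TNG keeps its own users, groups and machines below this entry
dn: o=smb,dc=mycompany,dc=at
objectClass: organization
o: smb

dn: ou=Group,dc=mycompany,dc=at
objectClass: organizationalUnit
ou: Group

dn: ou=People,dc=mycompany,dc=at
objectClass: organizationalUnit
ou: People

# A POSIX group, resolved through nss_ldap (group: files ldap)
dn: cn=users,ou=Group,dc=mycompany,dc=at
objectClass: posixGroup
cn: users
gidNumber: 100

# A POSIX user: the entry that pam_filter (objectclass=posixAccount) selects,
# and the DN pattern uid=<user>,ou=People,... that ldapsync.pl rewrites
dn: uid=jdoe,ou=People,dc=mycompany,dc=at
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: jdoe
cn: John Doe
sn: Doe
mail: jdoe@mycompany.at
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/jdoe
loginShell: /bin/bash
userPassword: {crypt}REPLACE-WITH-CRYPT-HASH
```

All objectclasses used here come from the core, nis and inetorgperson
schemas included in the slapd.conf below.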

Requirements: Perl, nsswitch configured to use LDAP, OpenLDAP, Samba-TNG


To use LDAP with nsswitch, modify /etc/nsswitch.conf like this:
-------------------------------------------------------------

passwd: files ldap [NOTFOUND=return]
shadow: files ldap [NOTFOUND=return]
group:  files ldap [NOTFOUND=return]

You must also configure your ldap.conf.
Take a look at mine (see www.padl.org for details):
---------------------------------------------------

host localhost
suffix "dc=mycompany, dc=at"
rootdn "cn=root, dc=mycompany, dc=at"
rootpw <secret>
base dc=mycompany,dc=at
ldap_version 3
binddn cn=root,dc=mycompany,dc=at
bindpw <secret>
scope sub
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_crypt local
pam_password clear

If you want unified logons, hack your /etc/pam.d/* files.

My /etc/pam.d/sshd looks like this:
-----------------------------------

#%PAM-1.0
auth     required       pam_nologin.so
auth     sufficient     pam_ldap.so
auth     required       pam_unix.so             use_first_pass # set_secrpc
account  required       pam_unix.so
password required       pam_pwcheck.so
password sufficient     pam_ldap.so             use_authtok
password required       pam_unix.so             use_first_pass use_authtok
session  sufficient     pam_ldap.so
session  required       pam_unix.so             none # debug or trace
session  required       pam_limits.so
session  required       pam_env.so
session  optional       pam_mail.so

This is my slapd.conf:
-----------------------

include /opt/openldap/etc/openldap/schema/core.schema
include /opt/openldap/etc/openldap/schema/cosine.schema
include /opt/openldap/etc/openldap/schema/nis.schema
include /opt/openldap/etc/openldap/schema/inetorgperson.schema
include /opt/openldap/etc/openldap/schema/samba.schema
pidfile         /var/run/slapd.pid
argsfile        /var/run/slapd.args
Loglevel 0
sizelimit 500000
lastmod on
TLSCipherSuite HIGH:MEDIUM:+SSLv2
database        ldbm
suffix          "dc=mycompany, dc=at"
rootdn          "cn=root, dc=mycompany, dc=at"
rootpw          <secret>
directory       /opt/openldap/samba
index   default pres,eq
index   objectClass,rid,uid,ntuid
index   cn,sn,mail      pres,sub,eq
defaultaccess   read
        access to *
        by self write
        by dn="cn=root, dc=mycompany, dc=at" write
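
The single "access to *" directive above has no "by *" clause, so every bind
that is neither the entry itself nor the rootdn falls through to the implicit
"by * none"; that is why the ldap.conf above makes nss_ldap bind as the
rootdn, which puts the rootdn password in a file every process doing a
getpwnam() must be able to read. An added slapd.conf ACL (not from this
README) that keeps password hashes private while letting lookups run
anonymously; the lmPassword/ntPassword attribute names are an assumption,
use whatever your samba.schema defines for the LM/NT hashes:

```conf
# Added example, not the README's own config.  Password hashes: the owner may
# change them, the rootdn may write them, anyone may bind against them, and
# nobody else may read them.  lmPassword/ntPassword are assumed names.
access to attrs=userPassword,lmPassword,ntPassword
        by self write
        by dn="cn=root, dc=mycompany, dc=at" write
        by anonymous auth
        by * none

# Everything else is readable anonymously, so nss_ldap no longer needs the
# rootdn's binddn/bindpw in ldap.conf; users may still edit their own entry.
access to *
        by self write
        by dn="cn=root, dc=mycompany, dc=at" write
        by * read
```

Order matters: the attrs rule must come first, because slapd stops at the
first "access to" directive that matches the requested entry and attribute.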


And, finally, my smb.conf:
----------------------------

[global]
#----------------------------------------------------
# LDAP Options
#----------------------------------------------------
ldap suffix = "o=smb, dc=mycompany, dc=at"
ldap bind as = "cn=root, dc=mycompany, dc=at"
ldap passwd file = /opt/samba/private/ldappasswd
ldap server = localhost
ldap port = 389
#----------------------------------------------------
# Network Options
#----------------------------------------------------
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
#----------------------------------------------------
# Domain Options
#----------------------------------------------------
workgroup = WORKGROUP
netbios name = MP-PDC
server string = Primary Domain Controller
comment = Samba - LDAP
security = user
null passwords = yes
encrypt passwords = yes
update encrypted = yes
browseable = yes
guest ok = yes

#loglevel = 3

logon drive = H:
domain master = yes
domain logons = yes
local master = yes
preferred master = yes
os level = 65
wins support = yes
wins proxy = yes

time offset = 60
time server = true
log file = /var/log/samba
public = no
browseable = yes
writable = no
logon path =
logon home =
#----------------------------------------------------
# Password Sync
#----------------------------------------------------
unix password sync = yes
passwd program = /opt/samba/sbin/ldapsync.pl %u
passwd chat = *New*Password* %n\n *modifying*

add user script = /opt/samba/sbin/add_unix_user
delete user script = /opt/samba/sbin/delete_unix_user
#----------------------------------------------------
#----------------------------------------------------
# Shares
#----------------------------------------------------
[netlogon]
path = /opt/samba/netlogon
locking = no
writeable = yes
guest ok = no
browseable = yes
#----------------------------------------------------
[profiles]
path = /opt/samba/profiles
writeable = no
guest ok = yes
browseable = yes
create mode = 0777

#----------------------------------------------------
#----------------------------------------------------


Almost forgot ldapsync.pl (don't forget to adapt the dn):
-----------------------------------------------------

#!/usr/bin/perl -w
# Called by smbd via "passwd program = /opt/samba/sbin/ldapsync.pl %u".
# smbd drives the "passwd chat" from smb.conf: it waits for "*New*Password*",
# sends the new password followed by \n, then waits for "*modifying*", which
# is what ldapmodify prints when the change succeeds.
use strict;

my $user = $ARGV[0];
defined $user or die "usage: ldapsync.pl USERNAME\n";
# The name is interpolated into the DN and the LDIF below, so accept only
# plain account names (a trailing $ allows machine accounts).
$user =~ /^[A-Za-z0-9._\-\$]+\z/ or die "ldapsync.pl: bad user name\n";

$| = 1;                        # unbuffered, so smbd sees the prompt at once
print "New Password:  ";
my $pass = <STDIN>;
defined $pass or die "ldapsync.pl: no password on stdin\n";
chomp $pass;

# Two-character salt for traditional crypt(3), same alphabet as before.
my $salt = join '', ('.', '/', 0..9, 'A'..'Z', 'a'..'z')[rand 64, rand 64];
my $hash = crypt($pass, $salt);

# Adapt the bind DN, the rootdn password and the user DN to your tree.
open(my $ldap, '|-', "ldapmodify -D 'cn=root,dc=mycompany,dc=com' -w <secret>")
    or die "ldapsync.pl: cannot run ldapmodify: $!\n";

print {$ldap} <<EOF;
dn: uid=$user,ou=People,dc=mycompany,dc=com
changetype: modify
replace: userPassword
userPassword: {crypt}$hash

EOF
# A failed ldapmodify makes close() fail, so smbd sees a non-zero exit
# instead of silently accepting a password change that never happened.
close($ldap) or die "ldapsync.pl: ldapmodify failed\n";

exit 0;

--------------------------------------------------------------------------
EOF README
