#!/usr/bin/perl -w # $Id: configure.pl,v 1.17 2005/07/05 09:05:16 jtournier Exp $ # $Source: /opt/cvs/samba/smbldap-tools/configure.pl,v $ # This script can help you setting up the smbldap_conf.pl file. It will get all the defaults value # that are defined in the smb.conf configuration file. You should then start with this configuration # file. You will also need the SID for your samba domain: set up the controler domain before using # this script. # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # # Copyright (C) 2002 IDEALX # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, # USA. use strict; use File::Basename; # we need to be root to configure the scripts if ($< != 0) { die "Only root can configure the smbldap-tools scripts\n"; } print "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- smbldap-tools script configuration -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Before starting, check . if your samba controller is up and running. . if the domain SID is defined (you can get it with the 'net getlocalsid') . you can leave the configuration using the Crtl-c key combination . empty value can be set with the \".\" character\n"; print "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"; # we first check if Samba is up and running my $test_smb=`pidof smbd`; chomp($test_smb); die "\nSamba need to be started first !\n" if ($test_smb eq "" || not defined $test_smb); print "Looking for configuration files...\n\n"; my $smb_conf=""; if (-e "/etc/samba/smb.conf") { $smb_conf="/etc/samba/smb.conf"; } elsif (-e "/usr/local/samba/lib/smb.conf") { $smb_conf="/usr/local/samba/lib/smb.conf"; } print "Samba Configuration File Path [$smb_conf] > "; chomp(my $config_smb=); if ($config_smb ne "") { $smb_conf=$config_smb; } my $conf_dir; if (-d "/etc/opt/IDEALX/smbldap-tools") { $conf_dir="/etc/opt/IDEALX/smbldap-tools/"; } elsif (-d "/etc/smbldap-tools") { $conf_dir="/etc/smbldap-tools/"; } else { $conf_dir="/etc/opt/IDEALX/smbldap-tools/"; } print "\nThe default directory in which the smbldap configuration files are stored is shown.\n"; print "If you need to change this, enter the full directory path, then press enter to continue.\n"; print "Smbldap-tools Configuration Directory Path [$conf_dir] > "; my $conf_dir_tmp; chomp($conf_dir_tmp=); if ($conf_dir_tmp ne "") { $conf_dir=$conf_dir_tmp; } $conf_dir=~s/(\w)$/$1\//; if (! -d $conf_dir) { mkdir "$conf_dir"; } my $smbldap_conf="$conf_dir"."smbldap.conf"; my $smbldap_bind_conf="$conf_dir"."smbldap_bind.conf"; # Let's read the smb.conf configuration file my %config; open (CONFIGFILE, "$smb_conf") || die "Unable to open $smb_conf for reading !\n"; while () { chomp($_); ## eat leading whitespace $_=~s/^\s*//; ## eat trailing whitespace $_=~s/\s*$//; ## throw away comments next if (($_=~/^#/) || ($_=~/^;/)); ## check for a param = value if ($_=~/=/) { #my ($param, $value) = split (/=/, $_); my ($param, $value) = ($_=~/([^=]*)=(.*)/i); $param=~s/./\l$&/g; $param=~s/\s+//g; $value=~s/^\s+//; $value=~s/"//g; $config{$param} = $value; #print "param=$param\tvalue=$value\n"; next; } } close (CONFIGFILE); print "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n"; print "Let's start configuring the smbldap-tools scripts ...\n\n"; # This function need 4 parameters: # . the description of the parameter # . name of the key it is related to in the %config hash (key similar as the name parameter in # smb.conf). You can get all the available keys using this: # foreach my $tmp (keys %config) { # print "key=$tmp\t value=$config{$tmp}\n"; # } # . if no value is found in smb.conf for the keys, this value is proposed # . the 'insist' variable: if set to 1, then the script will always call for a value # for the parameter. In other words, there's not default value, and it can't be set # to a null caracter string. sub read_entry { my $description=shift; my $value=shift; my $example_value=shift; my $insist=shift; my $value_tmp; chomp($value); $insist=0 if (! defined $insist); if (defined $config{$value} and $config{$value} ne "") { print "$description [$config{$value}] > "; $value_tmp=$config{$value}; } else { print "$description [$example_value] > "; $value_tmp="$example_value"; } chomp(my $get=); if ($get eq "") { $value=$value_tmp; } elsif ($get eq ".") { $value=""; } else { $value=$get; } if ($insist == 1 and "$value" eq "") { while ($insist == 1) { print " Warning: You really need to set this parameter...\n"; $description=~s/. / /; if (defined $config{$value}) { print "$description [$config{$value}] > "; $value_tmp=$config{$value}; } else { print "$description [$value] > "; $value_tmp="$value"; } chomp(my $get=); if ($get eq "") { $value=$value_tmp; } elsif ($get eq ".") { $value=""; } else { $value=$get; $insist=0; } } } return $value; } print ". workgroup name: name of the domain Samba act as a PDC\n"; my $workgroup=read_entry(" workgroup name","workgroup","",0); print ". netbios name: netbios name of the samba controler\n"; my $netbios_name=read_entry(" netbios name","netbiosname","",0); print ". logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'\n"; my $logondrive=read_entry(" logon drive","logondrive","",0); print ". logon home: home directory location (for Win95/98 or NT Workstation).\n (use %U as username) Ex:'\\\\$netbios_name\\%U'\n"; my $logonhome=read_entry(" logon home (press the \".\" character if you don't want homeDirectory)","logonhome","\\\\$netbios_name\\%U",0); #$logonhome=~s/\\/\\\\/g; print ". logon path: directory where roaming profiles are stored. Ex:'\\\\$netbios_name\\profiles\\\%U'\n"; my $logonpath=read_entry(" logon path (press the \".\" character if you don't want roaming profile)","logonpath","\\\\$netbios_name\\profiles\\\%U",0); #$logonpath=~s/\\/\\\\/g; my $userHome=read_entry(". home directory prefix (use %U as username)","","/home/\%U",0); my $userHomeDirectoryMode=read_entry(". default users' homeDirectory mode","","700",0); my $userScript=read_entry(". default user netlogon script (use %U as username)","logonscript","",0); my $defaultMaxPasswordAge=read_entry(" default password validation time (time in days)","","45",0); ############################# # ldap directory parameters # ############################# my $ldap_suffix=read_entry(". ldap suffix","ldapsuffix","",0); my $ldap_group_suffix=read_entry(". ldap group suffix","ldapgroupsuffix","",0); $ldap_group_suffix=~s/ou=//; my $ldap_user_suffix=read_entry(". ldap user suffix","ldapusersuffix","",0); $ldap_user_suffix=~s/ou=//; my $ldap_machine_suffix=read_entry(". ldap machine suffix","ldapmachinesuffix","",0); $ldap_machine_suffix=~s/ou=//; my $ldap_idmap_suffix=read_entry(". Idmap suffix","ldapidmapsuffix","ou=Idmap",0); print ". sambaUnixIdPooldn: object where you want to store the next uidNumber\n"; print " and gidNumber available for new users and groups\n"; my $sambaUnixIdPooldn=read_entry(" sambaUnixIdPooldn object (relative to \${suffix})","","sambaDomainName=$workgroup",0); # parameters for the master ldap server my ($trash1,$server); if (defined $config{passdbbackend}) { ($trash1,$server)=($config{passdbbackend}=~m/(.*)ldap:\/\/(.*)/); } else { $server="127.0.0.1"; } $server=~s/\///; my $ldapmasterserver; print ". ldap master server: IP adress or DNS name of the master (writable) ldap server\n"; $ldapmasterserver=read_entry(" ldap master server","",$server,0); my $ldapmasterport; if (defined $config{ldapport}) { $ldapmasterport=read_entry(". ldap master port","ldapport","",0); } else { $ldapmasterport=read_entry(". ldap master port","","389",0); } my $ldap_master_admin_dn=read_entry(". ldap master bind dn","ldapadmindn","",0); system "stty -echo"; my $ldap_master_bind_password=read_entry(". ldap master bind password","","",1); print "\n"; system "stty echo"; # parameters for the slave ldap server print ". ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one\n"; my $ldap_slave_server=read_entry(" ldap slave server","","$server",0); my $ldap_slave_port; if (defined $config{ldapport}) { $ldap_slave_port=read_entry(". ldap slave port","ldapport","",0); } else { $ldap_slave_port=read_entry(". ldap slave port","","389",0); } my $ldap_slave_admin_dn=read_entry(". ldap slave bind dn","ldapadmindn","",0); system "stty -echo"; my $ldap_slave_bind_password=read_entry(". ldap slave bind password","","",1); print "\n"; system "stty echo"; my $ldaptls=read_entry(". ldap tls support (1/0)","","0",0); my ($cert_verify,$cert_cafile,$cert_clientcert,$cert_clientkey)=("","","",""); if ($ldaptls == 1) { $cert_verify=read_entry(". How to verify the server's certificate (none, optional or require)","","require",0); $cert_cafile=read_entry(". CA certificate file","","$conf_dir/ca.pem",0); $cert_clientcert=read_entry(". certificate to use to connect to the ldap server","","$conf_dir/smbldap-tools.pem",0); $cert_clientkey=read_entry(". key certificate to use to connect to the ldap server","","$conf_dir/smbldap-tools.key",0); } # let's test if any sid is available # Here is the strategy: If smb.conf has 'domain master = No' # this means we are a BDC and we must obtain the SID from the PDC # using the command 'net rpc getsid -S PDC -Uroot%password' BEFORE # executing this script - that then guarantees the correct SID is available. my $sid_tmp=`net getlocalsid \$netbios_name 2>/dev/null | cut -f2 -d: | sed "s/ //g"`; chomp $sid_tmp; print ". SID for domain $config{workgroup}: SID of the domain (can be obtained with 'net getlocalsid $netbios_name')\n"; my $sid=read_entry(" SID for domain $config{workgroup}","","$sid_tmp",0); print ". unix password encryption: encryption used for unix passwords\n"; my $cryp_algo=read_entry(" unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)","","SSHA",0); my $crypt_salt_format=""; if ( $cryp_algo eq "CRYPT" ) { print ". crypt salt format: If hash_encrypt is set to CRYPT, you may set \n"; print " a salt format. The default is \"\%s\", but many systems will generate\n"; print " MD5 hashed passwords if you use \"\$1\$\%\.8s\"\n"; $crypt_salt_format=read_entry(" crypt salt format","","\%s",0); } my $default_user_gidnumber=read_entry(". default user gidNumber","","513",0); my $default_computer_gidnumber=read_entry(". default computer gidNumber","","515",0); my $userLoginShell=read_entry(". default login shell","","/bin/bash",0); my $skeletonDir=read_entry(". default skeleton directory","","/etc/skel",0); my $mailDomain=read_entry(". default domain name to append to mail adress", "","",0); print "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n"; my $template_smbldap=" # \$Source: /opt/cvs/samba/smbldap-tools/configure.pl,v $ # \$Id: configure.pl,v 1.17 2005/07/05 09:05:16 jtournier Exp $ # # smbldap-tools.conf : Q & D configuration file for smbldap-tools # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). # # Copyright (C) 2001-2002 IDEALX # # This program is free software; you can redistribute it and/or # modify it under the terms of the GNU General Public License # as published by the Free Software Foundation; either version 2 # of the License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, # USA. # Purpose : # . be the configuration file for all smbldap-tools scripts ############################################################################## # # General Configuration # ############################################################################## # Put your own SID. To obtain this number do: \"net getlocalsid\". # If not defined, parameter is taking from \"net getlocalsid\" return SID=\"$sid\" # Domain name the Samba server is in charged. # If not defined, parameter is taking from smb.conf configuration file # Ex: sambaDomain=\"IDEALX-NT\" sambaDomain=\"$workgroup\" ############################################################################## # # LDAP Configuration # ############################################################################## # Notes: to use to dual ldap servers backend for Samba, you must patch # Samba with the dual-head patch from IDEALX. If not using this patch # just use the same server for slaveLDAP and masterLDAP. # Those two servers declarations can also be used when you have # . one master LDAP server where all writing operations must be done # . one slave LDAP server where all reading operations must be done # (typically a replication directory) # Slave LDAP server # Ex: slaveLDAP=127.0.0.1 # If not defined, parameter is set to \"127.0.0.1\" slaveLDAP=\"$ldap_slave_server\" # Slave LDAP port # If not defined, parameter is set to \"389\" slavePort=\"$ldap_slave_port\" # Master LDAP server: needed for write operations # Ex: masterLDAP=127.0.0.1 # If not defined, parameter is set to \"127.0.0.1\" masterLDAP=\"$ldapmasterserver\" # Master LDAP port # If not defined, parameter is set to \"389\" masterPort=\"$ldapmasterport\" # Use TLS for LDAP # If set to 1, this option will use start_tls for connection # (you should also used the port 389) # If not defined, parameter is set to \"1\" ldapTLS=\"$ldaptls\" # How to verify the server's certificate (none, optional or require) # see \"man Net::LDAP\" in start_tls section for more details verify=\"$cert_verify\" # CA certificate # see \"man Net::LDAP\" in start_tls section for more details cafile=\"$cert_cafile\" # certificate to use to connect to the ldap server # see \"man Net::LDAP\" in start_tls section for more details clientcert=\"$cert_clientcert\" # key certificate to use to connect to the ldap server # see \"man Net::LDAP\" in start_tls section for more details clientkey=\"$cert_clientkey\" # LDAP Suffix # Ex: suffix=dc=IDEALX,dc=ORG suffix=\"$ldap_suffix\" # Where are stored Users # Ex: usersdn=\"ou=Users,dc=IDEALX,dc=ORG\" # Warning: if 'suffix' is not set here, you must set the full dn for usersdn usersdn=\"ou=$ldap_user_suffix,\${suffix}\" # Where are stored Computers # Ex: computersdn=\"ou=Computers,dc=IDEALX,dc=ORG\" # Warning: if 'suffix' is not set here, you must set the full dn for computersdn computersdn=\"ou=$ldap_machine_suffix,\${suffix}\" # Where are stored Groups # Ex: groupsdn=\"ou=Groups,dc=IDEALX,dc=ORG\" # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn groupsdn=\"ou=$ldap_group_suffix,\${suffix}\" # Where are stored Idmap entries (used if samba is a domain member server) # Ex: groupsdn=\"ou=Idmap,dc=IDEALX,dc=ORG\" # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn idmapdn=\"$ldap_idmap_suffix,\${suffix}\" # Where to store next uidNumber and gidNumber available for new users and groups # If not defined, entries are stored in sambaDomainName object. # Ex: sambaUnixIdPooldn=\"sambaDomainName=\${sambaDomain},\${suffix}\" # Ex: sambaUnixIdPooldn=\"cn=NextFreeUnixId,\${suffix}\" sambaUnixIdPooldn=\"$sambaUnixIdPooldn,\${suffix}\" # Default scope Used scope=\"sub\" # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT) hash_encrypt=\"$cryp_algo\" # if hash_encrypt is set to CRYPT, you may set a salt format. # default is \"\%s\", but many systems will generate MD5 hashed # passwords if you use \"\$1\$\%\.8s\". This parameter is optional! crypt_salt_format=\"$crypt_salt_format\" ############################################################################## # # Unix Accounts Configuration # ############################################################################## # Login defs # Default Login Shell # Ex: userLoginShell=\"/bin/bash\" userLoginShell=\"$userLoginShell\" # Home directory # Ex: userHome=\"/home/\%U\" userHome=\"$userHome\" # Default mode used for user homeDirectory userHomeDirectoryMode=\"$userHomeDirectoryMode\" # Gecos userGecos=\"System User\" # Default User (POSIX and Samba) GID defaultUserGid=\"$default_user_gidnumber\" # Default Computer (Samba) GID defaultComputerGid=\"$default_computer_gidnumber\" # Skel dir skeletonDir=\"$skeletonDir\" # Default password validation time (time in days) Comment the next line if # you don't want password to be enable for defaultMaxPasswordAge days (be # careful to the sambaPwdMustChange attribute's value) defaultMaxPasswordAge=\"$defaultMaxPasswordAge\" ############################################################################## # # SAMBA Configuration # ############################################################################## # The UNC path to home drives location (\%U username substitution) # Just set it to a null string if you want to use the smb.conf 'logon home' # directive and/or disable roaming profiles # Ex: userSmbHome=\"\\\\PDC-SMB3\\%U\" userSmbHome=\"$logonhome\" # The UNC path to profiles locations (\%U username substitution) # Just set it to a null string if you want to use the smb.conf 'logon path' # directive and/or disable roaming profiles # Ex: userProfile=\"\\\\PDC-SMB3\\profiles\\\%U\" userProfile=\"$logonpath\" # The default Home Drive Letter mapping # (will be automatically mapped at logon time if home directory exist) # Ex: userHomeDrive=\"H:\" userHomeDrive=\"$logondrive\" # The default user netlogon script name (\%U username substitution) # if not used, will be automatically username.cmd # make sure script file is edited under dos # Ex: userScript=\"startup.cmd\" # make sure script file is edited under dos userScript=\"$userScript\" # Domain appended to the users \"mail\"-attribute # when smbldap-useradd -M is used # Ex: mailDomain=\"idealx.com\" mailDomain=\"$mailDomain\" ############################################################################## # # SMBLDAP-TOOLS Configuration (default are ok for a RedHat) # ############################################################################## # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but # prefer Crypt::SmbHash library with_smbpasswd=\"0\" smbpasswd=\"/usr/bin/smbpasswd\" # Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm) # but prefer Crypt:: libraries with_slappasswd=\"0\" slappasswd=\"/usr/sbin/slappasswd\" # comment out the following line to get rid of the default banner # no_banner=\"1\" "; my $template_smbldap_bind=" ############################ # Credential Configuration # ############################ # Notes: you can specify two differents configuration if you use a # master ldap for writing access and a slave ldap server for reading access # By default, we will use the same DN (so it will work for standard Samba # release) slaveDN=\"$ldap_master_admin_dn\" slavePw=\"$ldap_master_bind_password\" masterDN=\"$ldap_slave_admin_dn\" masterPw=\"$ldap_slave_bind_password\" "; print "backup old configuration files:\n"; print " $smbldap_conf->$smbldap_conf.old\n"; print " $smbldap_bind_conf->$smbldap_bind_conf.old\n"; rename "$smbldap_conf","$smbldap_conf.old"; rename "$smbldap_bind_conf","$smbldap_bind_conf.old"; print "writing new configuration file:\n"; open (SMBLDAP,'>',"$smbldap_conf") || die "Unable to open $smbldap_conf for writing !\n"; print SMBLDAP "$template_smbldap"; close(SMBLDAP); print " $smbldap_conf done.\n"; my $mode=0644; chmod $mode,"$smbldap_conf","$smbldap_conf.old"; open (SMBLDAP_BIND,'>',"$smbldap_bind_conf") || die "Unable to open $smbldap_bind_conf for writing !\n"; print SMBLDAP_BIND "$template_smbldap_bind"; close(SMBLDAP_BIND); print " $smbldap_bind_conf done.\n"; $mode=0600; chmod $mode,"$smbldap_bind_conf","$smbldap_bind_conf.old";