3 # $Id: configure.pl,v 1.17 2005/07/05 09:05:16 jtournier Exp $
4 # $Source: /opt/cvs/samba/smbldap-tools/configure.pl,v $
6 # This script can help you set up the smbldap_conf.pl file. It will get all the default values
7 # that are defined in the smb.conf configuration file. You should then start with this configuration
8 # file. You will also need the SID for your samba domain: set up the domain controller before using
11 # This code was developed by IDEALX (http://IDEALX.org/) and
12 # contributors (their names can be found in the CONTRIBUTORS file).
14 # Copyright (C) 2002 IDEALX
16 # This program is free software; you can redistribute it and/or
17 # modify it under the terms of the GNU General Public License
18 # as published by the Free Software Foundation; either version 2
19 # of the License, or (at your option) any later version.
21 # This program is distributed in the hope that it will be useful,
22 # but WITHOUT ANY WARRANTY; without even the implied warranty of
23 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 # GNU General Public License for more details.
26 # You should have received a copy of the GNU General Public License
27 # along with this program; if not, write to the Free Software
28 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# NOTE(review): this listing is incomplete. Several lines of the original file
# are missing (closing braces, the `} else {` arms of the if-chains, the
# `close()` calls, the `sub read_entry {` header and the assignments to $mode)
# and some statements are split across lines mid-token. The code below is kept
# exactly as listed; only comments were added. The script runs as root, prompts
# the operator for every setting, and writes two files: smbldap.conf and
# smbldap_bind.conf -- the latter holds LDAP bind passwords in clear text, so
# its file mode is the security-relevant output of this script.
35 # we need to be root to configure the scripts
# The conditional that guards this die (presumably a real-uid test) is not
# shown in the listing.
37 die "Only root can configure the smbldap-tools scripts\n";
40 print "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
41 smbldap-tools script configuration
42 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
43 Before starting, check
44 . if your samba controller is up and running.
45 . if the domain SID is defined (you can get it with the 'net getlocalsid')
47 . you can leave the configuration using the Crtl-c key combination
48 . empty value can be set with the \".\" character\n";
49 print "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n";
51 # we first check if Samba is up and running
# Samba liveness check. The backticks go through /bin/sh, but nothing the
# operator typed is interpolated here, so this is not an injection point.
# `pidof` is Linux-specific. On the die line `eq ""` is evaluated before
# `not defined`, so an undef result would already have warned under
# `use warnings` before the defined-test is reached.
52 my $test_smb=`pidof smbd`;
54 die "\nSamba need to be started first !\n" if ($test_smb eq "" || not defined $test_smb);
56 print "Looking for configuration files...\n\n";
# Locate smb.conf: propose a known path, let the operator override it on
# stdin. The `} else {` / `}` lines of this chain are not shown. Whatever is
# typed here is handed to a two-argument open() further down (see the
# SECURITY note there).
58 if (-e
"/etc/samba/smb.conf") {
59 $smb_conf="/etc/samba/smb.conf";
60 } elsif (-e
"/usr/local/samba/lib/smb.conf") {
61 $smb_conf="/usr/local/samba/lib/smb.conf";
63 print "Samba Configuration File Path [$smb_conf] > ";
64 chomp(my $config_smb=<STDIN
>);
65 if ($config_smb ne "") {
66 $smb_conf=$config_smb;
# Choose the directory the generated files go to. Again the else/closing
# lines are missing from the listing. Nothing checks that the directory exists
# or is writable; that is only discovered when the output files are opened at
# the very end.
70 if (-d
"/etc/opt/IDEALX/smbldap-tools") {
71 $conf_dir="/etc/opt/IDEALX/smbldap-tools/";
72 } elsif (-d
"/etc/smbldap-tools") {
73 $conf_dir="/etc/smbldap-tools/";
75 $conf_dir="/etc/opt/IDEALX/smbldap-tools/";
78 print "\nThe default directory in which the smbldap configuration files are stored is shown.\n";
79 print "If you need to change this, enter the full directory path, then press enter to continue.\n";
80 print "Smbldap-tools Configuration Directory Path [$conf_dir] > ";
82 chomp($conf_dir_tmp=<STDIN
>);
83 if ($conf_dir_tmp ne "") {
84 $conf_dir=$conf_dir_tmp;
# Append a trailing slash -- but only when the last character is a \w char.
# A directory entered as "/etc/smbldap-tools." (or ending in '-') gets no
# slash, and the two concatenations below then yield e.g.
# "/etc/smbldap-tools.smbldap.conf". (The certificate defaults further down
# add their own '/', giving "//" -- harmless.)
87 $conf_dir=~s/(\w)$/$1\//;
92 my $smbldap_conf="$conf_dir"."smbldap.conf";
93 my $smbldap_bind_conf="$conf_dir"."smbldap_bind.conf";
97 # Let's read the smb.conf configuration file
# SECURITY(review): two-argument open() on an operator-supplied path, as root.
# In this form the path itself selects the mode: a leading '>' truncates the
# named file and a trailing '|' runs it as a shell command. Use the
# three-argument form with a lexical handle instead, e.g.
#   open(my $smb_fh, '<', $smb_conf) or die "Unable to open $smb_conf for reading: $!\n";
# Left unchanged in this comment-only pass.
99 open (CONFIGFILE
, "$smb_conf") || die "Unable to open $smb_conf for reading !\n";
# Parse "param = value" lines into %config. The statements that strip the
# whitespace (only their comments survive here) and any key normalisation are
# not shown; later code looks keys up without spaces ("passdbbackend",
# "netbiosname"), so the missing code presumably lowercases and removes
# spaces -- verify against the full file. The regex splits at the first '='
# so values containing '=' stay intact; the /i flag has no effect here.
101 while (<CONFIGFILE
>) {
105 ## eat leading whitespace
108 ## eat trailing whitespace
112 ## throw away comments
113 next if (($_=~/^#/) || ($_=~/^;/));
115 ## check for a param = value
117 #my ($param, $value) = split (/=/, $_);
118 my ($param, $value) = ($_=~/([^=]*)=(.*)/i);
125 $config{$param} = $value;
126 #print "param=$param\tvalue=$value\n";
133 print "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
134 print "Let's start configuring the smbldap-tools scripts ...\n\n";
# read_entry(): prompt for one setting and return the operator's answer. The
# `sub read_entry {` line, the two leading `shift`s (the %config key, reused
# as $value, and $insist) and the branches that store $get into $value are
# not in this listing; the parameter-list comment below describes the
# intended contract.
136 # This function need 4 parameters:
137 # . the description of the parameter
138 # . name of the key it is related to in the %config hash (key similar as the name parameter in
139 # smb.conf). You can get all the available keys using this:
140 # foreach my $tmp (keys %config) {
141 # print "key=$tmp\t value=$config{$tmp}\n";
143 # . if no value is found in smb.conf for the keys, this value is proposed
144 # . the 'insist' variable: if set to 1, then the script will always call for a value
145 # for the parameter. In other words, there's not default value, and it can't be set
146 # to a null caracter string.
150 my $description=shift;
152 my $example_value=shift;
156 $insist=0 if (! defined $insist);
# Prefer the value found in smb.conf; otherwise offer the caller's fallback.
157 if (defined $config{$value} and $config{$value} ne "") {
158 print "$description [$config{$value}] > ";
159 $value_tmp=$config{$value};
161 print "$description [$example_value] > ";
162 $value_tmp="$example_value";
# Input is read with terminal echo on, also when $insist==1, which is how the
# two LDAP bind passwords are collected below: they are visible on screen and
# in the terminal's scrollback. Turning echo off around this read (stty -echo,
# or Term::ReadKey) would be the usual fix. Empty answer = take the default,
# "." = explicitly empty (see the banner at the top).
164 chomp(my $get=<STDIN
>);
167 } elsif ($get eq ".") {
# Re-prompt loop for mandatory values. By the time this runs $value holds the
# entered value (""), so `$config{$value}` below looks up the empty key; that
# branch looks effectively dead and the else arm shows an empty default --
# worth confirming against the full function.
172 if ($insist == 1 and "$value" eq "") {
173 while ($insist == 1) {
174 print " Warning: You really need to set this parameter...\n";
# Meant to strip the leading ". " bullet from the description. The '.' is
# unescaped ("any character followed by a space"), and the substitution runs
# on every pass of the loop, so after the first pass -- or for a description
# without the bullet -- it eats a character somewhere inside the text.
# Cosmetic only; both $insist=1 callers pass a bulleted description.
175 $description=~s/. / /;
176 if (defined $config{$value}) {
177 print "$description [$config{$value}] > ";
178 $value_tmp=$config{$value};
180 print "$description [$value] > ";
183 chomp(my $get=<STDIN
>);
186 } elsif ($get eq ".") {
# Interactive questions. Samba-side values come from %config (smb.conf) when
# present; the third argument is the fallback shown to the operator.
197 print ". workgroup name: name of the domain Samba act as a PDC\n";
198 my $workgroup=read_entry
(" workgroup name","workgroup","",0);
200 print ". netbios name: netbios name of the samba controler\n";
201 my $netbios_name=read_entry
(" netbios name","netbiosname","",0);
203 print ". logon drive: local path to which the home directory will be connected (for NT Workstations). Ex: 'H:'\n";
204 my $logondrive=read_entry
(" logon drive","logondrive","",0);
# The "\\\\" in these defaults is Perl escaping for the two backslashes of a
# UNC path. The lines that would double the backslashes for the config file
# are commented out, so the values go into the template exactly as entered.
206 print ". logon home: home directory location (for Win95/98 or NT Workstation).\n (use %U as username) Ex:'\\\\$netbios_name\\%U'\n";
207 my $logonhome=read_entry
(" logon home (press the \".\" character if you don't want homeDirectory)","logonhome","\\\\$netbios_name\\%U",0);
208 #$logonhome=~s/\\/\\\\/g;
210 print ". logon path: directory where roaming profiles are stored. Ex:'\\\\$netbios_name\\profiles\\\%U'\n";
211 my $logonpath=read_entry
(" logon path (press the \".\" character if you don't want roaming profile)","logonpath","\\\\$netbios_name\\profiles\\\%U",0);
212 #$logonpath=~s/\\/\\\\/g;
214 my $userHome=read_entry
(". home directory prefix (use %U as username)","","/home/\%U",0);
# Default mode for newly created home directories; "700" keeps them private.
216 my $userHomeDirectoryMode=read_entry
(". default users' homeDirectory mode","","700",0);
218 my $userScript=read_entry
(". default user netlogon script (use %U as username)","logonscript","",0);
220 my $defaultMaxPasswordAge=read_entry
(" default password validation time (time in days)","","45",0);
222 #############################
223 # ldap directory parameters #
224 #############################
225 my $ldap_suffix=read_entry
(". ldap suffix","ldapsuffix","",0);
# s/ou=// is unanchored, case-sensitive and first-match only: "OU=Users" is
# left alone (and becomes "ou=OU=Users" in the template), "ou=Users,ou=People"
# becomes "Users,ou=People". The template re-adds "ou=" in front of these
# three suffixes but not in front of the idmap suffix, which is kept verbatim.
226 my $ldap_group_suffix=read_entry
(". ldap group suffix","ldapgroupsuffix","",0);
227 $ldap_group_suffix=~s/ou=//;
228 my $ldap_user_suffix=read_entry
(". ldap user suffix","ldapusersuffix","",0);
229 $ldap_user_suffix=~s/ou=//;
230 my $ldap_machine_suffix=read_entry
(". ldap machine suffix","ldapmachinesuffix","",0);
231 $ldap_machine_suffix=~s/ou=//;
232 my $ldap_idmap_suffix=read_entry
(". Idmap suffix","ldapidmapsuffix","ou=Idmap",0);
233 print ". sambaUnixIdPooldn: object where you want to store the next uidNumber\n";
234 print " and gidNumber available for new users and groups\n";
235 my $sambaUnixIdPooldn=read_entry
(" sambaUnixIdPooldn object (relative to \${suffix})","","sambaDomainName=$workgroup",0);
237 # parameters for the master ldap server
# Guess the LDAP server from smb.conf's "passdb backend" (e.g.
# "ldapsam:ldap://host"). The regex only matches "ldap://"; an "ldaps://" URI
# or a backend without a URI leaves $server undef, which is then interpolated
# into the slave-server prompt as "" (with a warning under `use warnings`).
# A "host:port" URI keeps ":port" in $server even though the port is asked
# for separately below.
238 my ($trash1,$server);
239 if (defined $config{passdbbackend
}) {
240 ($trash1,$server)=($config{passdbbackend
}=~m/(.*)ldap:\/\
/(.*)/);
245 my $ldapmasterserver;
246 print ". ldap master server: IP adress or DNS name of the master (writable) ldap server\n";
247 $ldapmasterserver=read_entry
(" ldap master server","",$server,0);
249 if (defined $config{ldapport
}) {
250 $ldapmasterport=read_entry
(". ldap master port","ldapport","",0);
252 $ldapmasterport=read_entry
(". ldap master port","","389",0);
# Bind credentials for the writable server. The DN defaults to smb.conf's
# "ldap admin dn"; the password is mandatory ($insist=1) and, as noted in
# read_entry, echoed to the terminal while typed.
254 my $ldap_master_admin_dn=read_entry
(". ldap master bind dn","ldapadmindn","",0);
256 my $ldap_master_bind_password=read_entry
(". ldap master bind password","","",1);
260 # parameters for the slave ldap server
261 print ". ldap slave server: IP adress or DNS name of the slave ldap server: can also be the master one\n";
262 my $ldap_slave_server=read_entry
(" ldap slave server","","$server",0);
264 if (defined $config{ldapport
}) {
265 $ldap_slave_port=read_entry
(". ldap slave port","ldapport","",0);
267 $ldap_slave_port=read_entry
(". ldap slave port","","389",0);
# Bind credentials for the read-only server; same caveats as for the master.
269 my $ldap_slave_admin_dn=read_entry
(". ldap slave bind dn","ldapadmindn","",0);
271 my $ldap_slave_bind_password=read_entry
(". ldap slave bind password","","",1);
# TLS is off by default ("0"): unless the operator turns it on, the bind DNs
# and passwords above travel to the LDAP servers in clear text on every run
# of the smbldap-* tools. The verify default "require" is the right one once
# TLS is on. The three certificate defaults end up with a double slash
# because $conf_dir already ends in '/'.
274 my $ldaptls=read_entry
(". ldap tls support (1/0)","","0",0);
275 my ($cert_verify,$cert_cafile,$cert_clientcert,$cert_clientkey)=("","","","");
277 $cert_verify=read_entry
(". How to verify the server's certificate (none, optional or require)","","require",0);
278 $cert_cafile=read_entry
(". CA certificate file","","$conf_dir/ca.pem",0);
279 $cert_clientcert=read_entry
(". certificate to use to connect to the ldap server","","$conf_dir/smbldap-tools.pem",0);
280 $cert_clientkey=read_entry
(". key certificate to use to connect to the ldap server","","$conf_dir/smbldap-tools.key",0);
283 # let's test if any sid is available
284 # Here is the strategy: If smb.conf has 'domain master = No'
285 # this means we are a BDC and we must obtain the SID from the PDC
286 # using the command 'net rpc getsid -S PDC -Uroot%password' BEFORE
287 # executing this script - that then guarantees the correct SID is available.
# Read the domain SID from Samba. Note the `\$netbios_name`: the backslash
# stops Perl interpolation, so the shell sees its own (unset) $netbios_name
# and `net getlocalsid` runs with no argument, i.e. it returns the local SID
# -- while the prompt just below interpolates the Perl variable and shows a
# different command. If this is ever "fixed" by dropping the backslash,
# $netbios_name becomes operator input passed through `sh -c` and must be
# quoted (or the pipeline opened in list form). stderr is discarded, so a
# failure silently yields an empty default; any chomp of $sid_tmp is not in
# this listing.
288 my $sid_tmp=`net getlocalsid \$netbios_name 2>/dev/null | cut -f2 -d: | sed "s/ //g"`;
290 print ". SID for domain $config{workgroup}: SID of the domain (can be obtained with 'net getlocalsid $netbios_name')\n";
291 my $sid=read_entry
(" SID for domain $config{workgroup}","","$sid_tmp",0);
# Hash scheme for the userPassword attribute (default SSHA). CRYPT with the
# plain "%s" salt gives traditional DES crypt, which truncates passwords to 8
# characters; the prompt below already points at the "$1$" MD5 salt form.
293 print ". unix password encryption: encryption used for unix passwords\n";
294 my $cryp_algo=read_entry
(" unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)","","SSHA",0);
295 my $crypt_salt_format="";
296 if ( $cryp_algo eq "CRYPT" ) {
297 print ". crypt salt format: If hash_encrypt is set to CRYPT, you may set \n";
298 print " a salt format. The default is \"\%s\", but many systems will generate\n";
299 print " MD5 hashed passwords if you use \"\$1\$\%\.8s\"\n";
300 $crypt_salt_format=read_entry
(" crypt salt format","","\%s",0);
# 513 / 515 correspond to the well-known "Domain Users" / "Domain Computers"
# RIDs (the template calls them the default user and computer GIDs).
303 my $default_user_gidnumber=read_entry
(". default user gidNumber","","513",0);
305 my $default_computer_gidnumber=read_entry
(". default computer gidNumber","","515",0);
307 my $userLoginShell=read_entry
(". default login shell","","/bin/bash",0);
309 my $skeletonDir=read_entry
(". default skeleton directory","","/etc/skel",0);
311 my $mailDomain=read_entry
(". default domain name to append to mail adress", "","",0);
313 print "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\n";
# Template for smbldap.conf. Everything from here to the closing `";` (not
# shown) is one interpolated string that is written verbatim to the file, so
# no lines may be added inside it; `\$` and `\"` are Perl escapes for literal
# characters in the output. This file carries no secrets -- the DN/password
# pairs go into the second template.
314 my $template_smbldap="
315 # \$Source: /opt/cvs/samba/smbldap-tools/configure.pl,v $
316 # \$Id: configure.pl,v 1.17 2005/07/05 09:05:16 jtournier Exp $
318 # smbldap-tools.conf : Q & D configuration file for smbldap-tools
320 # This code was developped by IDEALX (http://IDEALX.org/) and
321 # contributors (their names can be found in the CONTRIBUTORS file).
323 # Copyright (C) 2001-2002 IDEALX
325 # This program is free software; you can redistribute it and/or
326 # modify it under the terms of the GNU General Public License
327 # as published by the Free Software Foundation; either version 2
328 # of the License, or (at your option) any later version.
330 # This program is distributed in the hope that it will be useful,
331 # but WITHOUT ANY WARRANTY; without even the implied warranty of
332 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
333 # GNU General Public License for more details.
335 # You should have received a copy of the GNU General Public License
336 # along with this program; if not, write to the Free Software
337 # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
341 # . be the configuration file for all smbldap-tools scripts
343 ##############################################################################
345 # General Configuration
347 ##############################################################################
349 # Put your own SID. To obtain this number do: \"net getlocalsid\".
350 # If not defined, parameter is taking from \"net getlocalsid\" return
353 # Domain name the Samba server is in charged.
354 # If not defined, parameter is taking from smb.conf configuration file
355 # Ex: sambaDomain=\"IDEALX-NT\"
356 sambaDomain=\"$workgroup\"
358 ##############################################################################
362 ##############################################################################
364 # Notes: to use to dual ldap servers backend for Samba, you must patch
365 # Samba with the dual-head patch from IDEALX. If not using this patch
366 # just use the same server for slaveLDAP and masterLDAP.
367 # Those two servers declarations can also be used when you have
368 # . one master LDAP server where all writing operations must be done
369 # . one slave LDAP server where all reading operations must be done
370 # (typically a replication directory)
373 # Ex: slaveLDAP=127.0.0.1
374 # If not defined, parameter is set to \"127.0.0.1\"
375 slaveLDAP=\"$ldap_slave_server\"
378 # If not defined, parameter is set to \"389\"
379 slavePort=\"$ldap_slave_port\"
381 # Master LDAP server: needed for write operations
382 # Ex: masterLDAP=127.0.0.1
383 # If not defined, parameter is set to \"127.0.0.1\"
384 masterLDAP=\"$ldapmasterserver\"
387 # If not defined, parameter is set to \"389\"
388 masterPort=\"$ldapmasterport\"
391 # If set to 1, this option will use start_tls for connection
392 # (you should also used the port 389)
393 # If not defined, parameter is set to \"1\"
396 # How to verify the server's certificate (none, optional or require)
397 # see \"man Net::LDAP\" in start_tls section for more details
398 verify=\"$cert_verify\"
401 # see \"man Net::LDAP\" in start_tls section for more details
402 cafile=\"$cert_cafile\"
404 # certificate to use to connect to the ldap server
405 # see \"man Net::LDAP\" in start_tls section for more details
406 clientcert=\"$cert_clientcert\"
408 # key certificate to use to connect to the ldap server
409 # see \"man Net::LDAP\" in start_tls section for more details
410 clientkey=\"$cert_clientkey\"
413 # Ex: suffix=dc=IDEALX,dc=ORG
414 suffix=\"$ldap_suffix\"
416 # Where are stored Users
417 # Ex: usersdn=\"ou=Users,dc=IDEALX,dc=ORG\"
418 # Warning: if 'suffix' is not set here, you must set the full dn for usersdn
419 usersdn=\"ou=$ldap_user_suffix,\${suffix}\"
421 # Where are stored Computers
422 # Ex: computersdn=\"ou=Computers,dc=IDEALX,dc=ORG\"
423 # Warning: if 'suffix' is not set here, you must set the full dn for computersdn
424 computersdn=\"ou=$ldap_machine_suffix,\${suffix}\"
426 # Where are stored Groups
427 # Ex: groupsdn=\"ou=Groups,dc=IDEALX,dc=ORG\"
428 # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
429 groupsdn=\"ou=$ldap_group_suffix,\${suffix}\"
431 # Where are stored Idmap entries (used if samba is a domain member server)
432 # Ex: groupsdn=\"ou=Idmap,dc=IDEALX,dc=ORG\"
433 # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
434 idmapdn=\"$ldap_idmap_suffix,\${suffix}\"
436 # Where to store next uidNumber and gidNumber available for new users and groups
437 # If not defined, entries are stored in sambaDomainName object.
438 # Ex: sambaUnixIdPooldn=\"sambaDomainName=\${sambaDomain},\${suffix}\"
439 # Ex: sambaUnixIdPooldn=\"cn=NextFreeUnixId,\${suffix}\"
440 sambaUnixIdPooldn=\"$sambaUnixIdPooldn,\${suffix}\"
445 # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
446 hash_encrypt=\"$cryp_algo\"
448 # if hash_encrypt is set to CRYPT, you may set a salt format.
449 # default is \"\%s\", but many systems will generate MD5 hashed
450 # passwords if you use \"\$1\$\%\.8s\". This parameter is optional!
451 crypt_salt_format=\"$crypt_salt_format\"
453 ##############################################################################
455 # Unix Accounts Configuration
457 ##############################################################################
460 # Default Login Shell
461 # Ex: userLoginShell=\"/bin/bash\"
462 userLoginShell=\"$userLoginShell\"
465 # Ex: userHome=\"/home/\%U\"
466 userHome=\"$userHome\"
468 # Default mode used for user homeDirectory
469 userHomeDirectoryMode=\"$userHomeDirectoryMode\"
472 userGecos=\"System User\"
474 # Default User (POSIX and Samba) GID
475 defaultUserGid=\"$default_user_gidnumber\"
477 # Default Computer (Samba) GID
478 defaultComputerGid=\"$default_computer_gidnumber\"
481 skeletonDir=\"$skeletonDir\"
483 # Default password validation time (time in days) Comment the next line if
484 # you don't want password to be enable for defaultMaxPasswordAge days (be
485 # careful to the sambaPwdMustChange attribute's value)
486 defaultMaxPasswordAge=\"$defaultMaxPasswordAge\"
488 ##############################################################################
490 # SAMBA Configuration
492 ##############################################################################
494 # The UNC path to home drives location (\%U username substitution)
495 # Just set it to a null string if you want to use the smb.conf 'logon home'
496 # directive and/or disable roaming profiles
497 # Ex: userSmbHome=\"\\\\PDC-SMB3\\%U\"
498 userSmbHome=\"$logonhome\"
500 # The UNC path to profiles locations (\%U username substitution)
501 # Just set it to a null string if you want to use the smb.conf 'logon path'
502 # directive and/or disable roaming profiles
503 # Ex: userProfile=\"\\\\PDC-SMB3\\profiles\\\%U\"
504 userProfile=\"$logonpath\"
506 # The default Home Drive Letter mapping
507 # (will be automatically mapped at logon time if home directory exist)
508 # Ex: userHomeDrive=\"H:\"
509 userHomeDrive=\"$logondrive\"
511 # The default user netlogon script name (\%U username substitution)
512 # if not used, will be automatically username.cmd
513 # make sure script file is edited under dos
514 # Ex: userScript=\"startup.cmd\" # make sure script file is edited under dos
515 userScript=\"$userScript\"
517 # Domain appended to the users \"mail\"-attribute
518 # when smbldap-useradd -M is used
519 # Ex: mailDomain=\"idealx.com\"
520 mailDomain=\"$mailDomain\"
522 ##############################################################################
524 # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
526 ##############################################################################
528 # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
529 # prefer Crypt::SmbHash library
531 smbpasswd=\"/usr/bin/smbpasswd\"
533 # Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
534 # but prefer Crypt:: libraries
535 with_slappasswd=\"0\"
536 slappasswd=\"/usr/sbin/slappasswd\"
538 # comment out the following line to get rid of the default banner
# Template for smbldap_bind.conf -- the sensitive file: bind DNs and
# clear-text passwords. BUG(review): the four interpolations are crossed --
# slaveDN/slavePw are filled from the *master* DN/password and
# masterDN/masterPw from the *slave* ones. Harmless on a single-server setup,
# but with distinct servers the write-capable master credentials are
# presented to the slave and vice versa. The fix is to swap the variables on
# those four lines; it cannot be made in a comment-only edit because they
# sit inside the string.
542 my $template_smbldap_bind="
543 ############################
544 # Credential Configuration #
545 ############################
546 # Notes: you can specify two differents configuration if you use a
547 # master ldap for writing access and a slave ldap server for reading access
548 # By default, we will use the same DN (so it will work for standard Samba
550 slaveDN=\"$ldap_master_admin_dn\"
551 slavePw=\"$ldap_master_bind_password\"
552 masterDN=\"$ldap_slave_admin_dn\"
553 masterPw=\"$ldap_slave_bind_password\"
# Write the files. Order of operations matters for the bind file: rename
# keeps the previous clear-text copy as ".old" with whatever mode it had; the
# new file is created by open('>') under the process umask (typically 022 =>
# 0644) and only afterwards chmod'ed to $mode, so between those two steps the
# passwords are readable by every local user. Setting `umask 077` before the
# open (or sysopen with O_CREAT|O_TRUNC and mode 0600) closes that window.
# The `close()` calls and the assignments to $mode are among the lines missing
# from this listing, so the final modes cannot be confirmed here (an undef
# $mode would chmod to 0000). Neither print nor close is checked, so a write
# error leaves a truncated file without any message.
556 print "backup old configuration files:\n";
557 print " $smbldap_conf->$smbldap_conf.old\n";
558 print " $smbldap_bind_conf->$smbldap_bind_conf.old\n";
559 rename "$smbldap_conf","$smbldap_conf.old";
560 rename "$smbldap_bind_conf","$smbldap_bind_conf.old";
562 print "writing new configuration file:\n";
563 open (SMBLDAP
,'>',"$smbldap_conf") || die "Unable to open $smbldap_conf for writing !\n";
564 print SMBLDAP
"$template_smbldap";
566 print " $smbldap_conf done.\n";
568 chmod $mode,"$smbldap_conf","$smbldap_conf.old";
# The password-bearing file: created world-readable under a default umask,
# then restricted by the chmod two lines down (see the note above).
570 open (SMBLDAP_BIND
,'>',"$smbldap_bind_conf") || die "Unable to open $smbldap_bind_conf for writing !\n";
571 print SMBLDAP_BIND
"$template_smbldap_bind";
573 print " $smbldap_bind_conf done.\n";
575 chmod $mode,"$smbldap_bind_conf","$smbldap_bind_conf.old";