= README.en
$Id$
== Name
ActiveSambaLdap
== Description
ActiveSambaLdap is a library and a management tool for Samba +
LDAP environments.
ActiveSambaLdap provides an object-oriented API for manipulating
the LDAP entries used by Samba. ActiveSambaLdap also provides
command-line tools to replace smbldap-tools, which are written in Perl.
== Author
Kouhei Sutou <tt><[email protected]></tt>
== Licence
LGPL 2.1 or later. See license/lgpl-2.1.txt for details.
(Kouhei Sutou has a right to change the license including
contributed patches.)
== Dependency libraries
* ActiveLdap >= 1.2.2
== Install
% sudo gem install activesambaldap
== Mailing list
http://rubyforge.org/mailman/listinfo/asl-devel/
== Reference manual
http://asl.rubyforge.org/activesambaldap/
== Usage
=== Use with Rails
First, load the ActiveSambaLdap gem by adding the following line
to config/environment.rb:
config.gem "activesambaldap", :lib => "active_samba_ldap"
Next, scaffold the environment of ActiveSambaLdap for Rails.
% script/generate scaffold_active_samba_ldap
Modify the config/ldap.yml generated by
scaffold_active_samba_ldap to suit your environment. See the
"Options in configuration file" section for the available
options.
==== Populate
First, you need to populate your Samba + LDAP environment.
Start Rails (with script/server and so on), open
http://localhost:3000/samba, and populate your Samba + LDAP
environment by following the "Populate Samba + LDAP environment"
link.
You can then develop your application with the
User/Computer/Group classes, much as you would with
ActiveRecord.
=== Use from command line
Use the asl-* commands. You won't normally run the asl-samba-*
commands by hand; they are meant to be invoked from smb.conf.
==== Configuration
First, modify the configuration file to suit your
environment. You can see the default configuration file
locations by invoking any asl-* command with the --help option,
for example asl-populate:
% asl-populate --help
...
--config=CONFIG Specify configuration file
Default configuration files:
/etc/activesambaldap/config.yaml
/etc/activesambaldap/bind.yaml
/home/kou/.activesambaldap.conf
/home/kou/.activesambaldap.bind
...
The configuration files are read in the order listed, top to
bottom, and a setting in a later file overrides the same
setting in an earlier one. In the above example, the files are
read in the following order:
* /etc/activesambaldap/config.yaml
* /etc/activesambaldap/bind.yaml
* /home/kou/.activesambaldap.conf
* /home/kou/.activesambaldap.bind
bind.yaml and *.bind are read after config.yaml and *.conf for
security reasons. Put non-sensitive settings (host name, port
number and so on) into config.yaml and *.conf, and sensitive
settings (user name, password and so on) into bind.yaml and
*.bind. Restrict the permissions of bind.yaml and *.bind so
that only their owner can read them (for example, mode 0600).
==== Format of configuration file
Use YAML format. There are three sections:
update:
# configurations for updating LDAP entries
...
reference:
# configurations for referring LDAP entries
...
common:
# configurations to share for updating/referring
...
For example:
common:
sid: S-1-5-21-915876905-2926214379-2876160357
base: dc=samba,dc=local,dc=net
host: localhost
method: :tls
update:
bind_dn: cn=admin,dc=local,dc=net
password: admin
reference:
allow_anonymous: true
Put the 'password' setting into bind.yaml or *.bind rather
than here.
You must configure 'base', and you should configure
'sid'. You can find your SID with the following command:
% sudo net getlocalsid
If 'sid' is not configured, 'net getlocalsid' is invoked every
time, which is inefficient.
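The layering and the open/closed file split described above, as an added example in Ruby. This is not ActiveSambaLdap's own loader: it merges the four files in the documented order (later files override earlier ones, key by key within each section), resolves the effective settings for the update and reference roles on top of the common section, and refuses a bind.yaml or *.bind that group or others can read. The file contents, the SAMPLE_FILES/load_sample names and the use of SecurityError are constructed for this example.

```ruby
require "yaml"

# Constructed sample file contents, listed in the documented read order.
# The paths are the ones asl-populate --help prints; the values are made up.
SAMPLE_FILES = [
  ["/etc/activesambaldap/config.yaml", <<~YAML],
    common:
      base: dc=samba,dc=local,dc=net
      host: ldap.example.test
      method: :tls
    reference:
      allow_anonymous: true
  YAML
  ["/etc/activesambaldap/bind.yaml", <<~YAML],
    update:
      bind_dn: cn=admin,dc=local,dc=net
      password: site-wide-secret
  YAML
  ["/home/kou/.activesambaldap.conf", <<~YAML],
    common:
      host: localhost
  YAML
  ["/home/kou/.activesambaldap.bind", <<~YAML],
    update:
      password: per-user-secret
  YAML
]

# bind.yaml and *.bind hold credentials ("closed" configuration).
SECRETS_FILE = %r{(\A|/)bind\.yaml\z|\.bind\z}

def secrets_file?(path)
  !!(path =~ SECRETS_FILE)
end

# mode is st_mode as File.stat(path).mode returns it. A secrets file with
# any group/other permission bit set is rejected; open files are fine.
def permissions_ok?(path, mode)
  return true unless secrets_file?(path)
  (mode & 0o077).zero?
end

# Later values win; nested sections (common/update/reference) merge key by key.
def deep_merge(base, over)
  base.merge(over) do |_key, a, b|
    a.is_a?(Hash) && b.is_a?(Hash) ? deep_merge(a, b) : b
  end
end

# files: [[path, yaml_text], ...] in read order; mode_of: path -> st_mode.
def load_layered(files, mode_of)
  files.inject({}) do |acc, (path, text)|
    unless permissions_ok?(path, mode_of.call(path))
      raise SecurityError, "#{path}: secrets file is group/world readable"
    end
    data = YAML.safe_load(text, permitted_classes: [Symbol]) || {}
    deep_merge(acc, data)
  end
end

# Effective settings for one role ("update" or "reference"):
# the role's own section overrides "common".
def effective_config(config, role)
  deep_merge(config.fetch("common", {}), config.fetch(role, {}))
end

# Stand-in for File.stat: secrets files are owner-only unless overridden.
def sample_modes(bind_yaml_mode: 0o100600)
  lambda do |path|
    case path
    when "/etc/activesambaldap/bind.yaml" then bind_yaml_mode
    when /\.bind\z/ then 0o100600
    else 0o100644
    end
  end
end

def load_sample(bind_yaml_mode: 0o100600)
  load_layered(SAMPLE_FILES, sample_modes(bind_yaml_mode: bind_yaml_mode))
end

if __FILE__ == $0
  config = load_sample
  p effective_config(config, "update")     # host from ~/.activesambaldap.conf, password from ~/.activesambaldap.bind
  p effective_config(config, "reference")  # no credentials at all
end
```

With the sample files, the update role ends up binding as cn=admin with the per-user password, and the reference role carries no credentials, which is the point of keeping them out of config.yaml and *.conf. Called with bind_yaml_mode: 0o100644 the loader raises instead of reading a world-readable bind.yaml.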
==== Options in configuration file
The following options are available:
[_base_]
Same as the option of ActiveLdap::Base.setup_connection.
[_host_]
Same as the option of ActiveLdap::Base.setup_connection.
[_port_]
Same as the option of ActiveLdap::Base.setup_connection.
[_scope_]
Same as the option of ActiveLdap::Base.setup_connection.
[_bind_dn_]
Same as the option of ActiveLdap::Base.setup_connection.
[_password_]
Same as the option of ActiveLdap::Base.setup_connection.
[_method_]
Same as the option of ActiveLdap::Base.setup_connection.
[_allow_anonymous_]
Same as the option of ActiveLdap::Base.setup_connection.
[_sid_]
SID(Security Identifier) of your Samba server.
[_smb_conf_]
The path of smb.conf for your Samba server.
[_samba_domain_]
Domain name of your Samba server.
[_samba_netbios_name_]
NetBIOS name of your Samba server.
[_password_hash_type_]
Algorithm for hashing the password stored in LDAP. Available
algorithms are +:crypt+, +:md5+, +:smd5+, +:sha+ and
+:ssha+.
This hashed password is used for UNIX authentication, not by
Samba, which keeps its own password hashes.
Default algorithm: +:ssha+
[_users_suffix_]
Tree for user entries in LDAP. Specify relative path for
base.
For example: <tt>"ou=Users"</tt>
[_groups_suffix_]
Tree for group entries in LDAP. Specify relative path for
base.
For example: <tt>"ou=Groups"</tt>
[_computers_suffix_]
Tree for computer entries in LDAP. Specify relative path for
base.
For example: <tt>"ou=Computers"</tt>
[_idmap_suffix_]
Tree for idmap entries in LDAP. Specify relative path for
base.
For example: <tt>"ou=Idmap"</tt>
[_start_uid_]
UID (User Identifier) for the first new user. The default
UID for the next new user is incremented after each user
is created.
Default: <tt>10000</tt>
[_start_gid_]
GID (Group Identifier) for the first new group. The default
GID for the next new group is incremented after each group
is created.
Default: <tt>10000</tt>
[_user_login_shell_]
Default login shell for new user.
Default: <tt>"/bin/false"</tt>
[_user_home_directory_]
Default home directory for new user. %U is substituted
with the user name.
Default: <tt>"/home/%U"</tt>
[_user_home_directory_mode_]
Default permission of user's home directory.
Default: <tt>0755</tt> (octal notation)
[_user_gecos_]
Default GECOS field value for new user. %U is substituted
with user name.
[_user_home_unc_]
Default path for user's home in Windows. The path should
be specified by UNC (Universal Naming Convention). %U is
substituted with user name.
Default: <tt>"\\\\NetBIOS name of your Samba server\\%U"</tt>.
[_user_profile_]
Default path of user profile specified by
UNC (Universal Naming Convention). %U is substituted by
the user name.
Default: <tt>"\\\\NetBIOS name of your Samba server\\profiles\\%U"</tt>
[_user_home_drive_]
Default drive name of user's home.
Default: <tt>"H:"</tt>
[_user_logon_script_]
Default name of the script that is run when the user
logs on.
Default: <tt>"logon.bat"</tt>
[_skeleton_directory_]
Default skeleton directory for making user's home
directory.
Default: <tt>"/etc/skel"</tt>
[_default_user_gid_]
Default GID of group to which user belongs.
Default: <tt>"Domain Users"</tt> group
[_default_computer_gid_]
Default GID of group to which computer belongs.
Default: <tt>"Domain Computers"</tt> group
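The password_hash_type option above names the userPassword formats an LDAP server understands. As an added example in Ruby (not the library's own code), the following builds and verifies values in each of those formats: {SHA}, {SSHA}, {MD5}, {SMD5} and {CRYPT}, in the RFC 2307 style used by OpenLDAP and the PAM/NSS LDAP modules. The function names and sample passwords are this example's own.

```ruby
require "digest/sha1"
require "digest/md5"
require "base64"
require "securerandom"

SALT_BYTES = 8  # salt length for the salted schemes (any length is accepted on verify)

# Produce a userPassword value for one of the documented hash types.
# type is one of :crypt, :md5, :smd5, :sha, :ssha (the option's values).
def hash_password(password, type = :ssha, salt: nil)
  case type
  when :sha
    "{SHA}" + Base64.strict_encode64(Digest::SHA1.digest(password))
  when :ssha
    salt ||= SecureRandom.random_bytes(SALT_BYTES)
    "{SSHA}" + Base64.strict_encode64(Digest::SHA1.digest(password.b + salt) + salt)
  when :md5
    "{MD5}" + Base64.strict_encode64(Digest::MD5.digest(password))
  when :smd5
    salt ||= SecureRandom.random_bytes(SALT_BYTES)
    "{SMD5}" + Base64.strict_encode64(Digest::MD5.digest(password.b + salt) + salt)
  when :crypt
    # Delegates to the system crypt(3); a two-character salt selects the
    # traditional scheme, so the exact result depends on the platform.
    salt ||= SecureRandom.alphanumeric(2)
    "{CRYPT}" + password.crypt(salt)
  else
    raise ArgumentError, "unsupported password_hash_type #{type.inspect}"
  end
end

# Byte-by-byte comparison that does not stop at the first mismatch.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Check a candidate password against a stored {SCHEME}... value. For the
# salted schemes the salt is whatever follows the digest in the decoded blob.
def verify_password(stored, candidate)
  m = stored.match(/\A\{(\w+)\}(.+)\z/) or return false
  scheme, rest = m.captures
  case scheme.upcase
  when "SHA"
    constant_time_equal?(Digest::SHA1.digest(candidate), Base64.strict_decode64(rest))
  when "SSHA"
    raw = Base64.strict_decode64(rest)
    digest, salt = raw[0, 20], raw[20..-1]
    constant_time_equal?(Digest::SHA1.digest(candidate.b + salt), digest)
  when "MD5"
    constant_time_equal?(Digest::MD5.digest(candidate), Base64.strict_decode64(rest))
  when "SMD5"
    raw = Base64.strict_decode64(rest)
    digest, salt = raw[0, 16], raw[16..-1]
    constant_time_equal?(Digest::MD5.digest(candidate.b + salt), digest)
  when "CRYPT"
    constant_time_equal?(candidate.crypt(rest), rest)
  else
    false
  end
end

if __FILE__ == $0
  stored = hash_password("correct horse battery", :ssha)
  puts stored
  puts verify_password(stored, "correct horse battery")  # true
  puts verify_password(stored, "wrong")                  # false
end
```

Two practical points follow from the code: {SHA} and {MD5} carry no salt, so two users with the same password get identical attribute values and precomputed tables apply to them, which is why the salted default is the right choice among these five; and all of them are a single fast hash round, so if your directory server offers a deliberately slow scheme, prefer it over any value this option can produce.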
==== Populate
You need to populate your Samba + LDAP environment by
invoking asl-populate before administering your Samba + LDAP
environment with the asl-* commands.
% sudo asl-populate
If you don't want to run it as root, you can use the following
command instead (a root authorization check may be needed...):
% fakeroot asl-populate
==== Administrate
Use asl-user*, asl-group*, asl-populate,
asl-purge and asl-password. Use --help options for more detail.
==== Configuration of smb.conf
You need to configure your smb.conf like the following if you
want to administer the domain with
Srvtools[http://support.microsoft.com/kb/173673/]
from Windows or make your Samba server a domain controller.
The asl-samba-* commands are for this purpose.
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=admin,dc=local,dc=net
ldap suffix = dc=samba,dc=local,dc=net
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap passwd sync = yes
admin users = "@Domain Admins"
add user script = /.../asl-samba-useradd "%u"
delete user script = /.../asl-samba-userdel "%u"
add group script = /.../asl-samba-groupadd "%g"
delete group script = /.../asl-samba-groupdel "%g"
add user to group script = /.../asl-samba-groupmod "%g" --add-members "%u"
delete user from group script = /.../asl-samba-groupmod "%g" --delete-members "%u"
set primary group script = /.../asl-samba-usermod "%u" --gid "%g"
add machine script = /.../asl-samba-computeradd "%u"
You need to store the password for the 'ldap admin dn' with the
following command before starting your Samba server:
% sudo /usr/bin/smbpasswd -W
== Troubleshooting
=== Groups aren't listed
You can list groups with the following command:
% net rpc group list --user=USER_NAME
If the above command lists no groups after you have run
asl-populate, please check the following:
* Is your samba.schema old?
If the sambaSID attribute in your samba.schema doesn't have
the following line, your samba.schema may be old.
Please update your samba.schema.
SUBSTR caseExactIA5SubstringsMatch
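The schema check above can be automated. As an added example in Ruby (not part of ActiveSambaLdap), the following reads the attributetype definitions from an OpenLDAP-style samba.schema and reports whether sambaSID declares SUBSTR caseExactIA5SubstringsMatch. The two schema excerpts are constructed for this example and only model the shape of the real definition; the function names are this example's own.

```ruby
# Constructed excerpts: the same sambaSID definition with and without the
# SUBSTR rule. Real schema files contain many more definitions and comments.
OLD_SCHEMA = <<~SCHEMA
  # constructed excerpt of an old samba.schema
  attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
      DESC 'Security ID'
      EQUALITY caseIgnoreIA5Match
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
SCHEMA

NEW_SCHEMA = <<~SCHEMA
  # constructed excerpt of a current samba.schema
  attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
      DESC 'Security ID'
      EQUALITY caseIgnoreIA5Match
      SUBSTR caseExactIA5SubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
SCHEMA

# Returns the text inside the parentheses of every "attributetype ( ... )".
# Parentheses are counted so that nested forms such as NAME ( 'a' 'b' )
# do not end a definition early. Comment lines are dropped first.
def attribute_type_bodies(schema_text)
  text = schema_text.gsub(/^\s*#.*$/, "")
  bodies = []
  pos = 0
  while (start = text.index(/attributetype\s*\(/i, pos))
    open_at = text.index("(", start)
    depth = 0
    i = open_at
    while i < text.length
      depth += 1 if text[i] == "("
      depth -= 1 if text[i] == ")"
      break if depth.zero?
      i += 1
    end
    bodies << text[(open_at + 1)...i]
    pos = i + 1
  end
  bodies
end

# The body of the attributetype whose NAME (or first NAME alias) is `name`.
def attribute_type(schema_text, name)
  attribute_type_bodies(schema_text).find do |body|
    body =~ /\bNAME\s+(?:\(\s*)?'#{Regexp.escape(name)}'/
  end
end

# true when sambaSID carries "SUBSTR caseExactIA5SubstringsMatch",
# false for an old schema, ArgumentError if sambaSID is not defined at all.
def samba_sid_schema_current?(schema_text)
  body = attribute_type(schema_text, "sambaSID")
  raise ArgumentError, "no sambaSID attributetype found" unless body
  tokens = body.split(/\s+/)
  tokens.each_cons(2).any? { |k, v| k == "SUBSTR" && v == "caseExactIA5SubstringsMatch" }
end

if __FILE__ == $0
  path = ARGV[0]
  text = path ? File.read(path) : OLD_SCHEMA
  puts(samba_sid_schema_current?(text) ? "sambaSID has the SUBSTR rule" : "sambaSID lacks the SUBSTR rule: update samba.schema")
end
```

Run it with the path of your samba.schema as the only argument; without an argument it checks the constructed old excerpt and reports that the rule is missing.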
== Thanks
* Henrik Krög: Some bug reports.
* Olivier DIRRENBERGER: A bug report.
* Francesco Malvezzi: Some bug reports.
* Kazuhiro NISHIYAMA: Some bug reports.
* Orlando Marquina: Some bug reports.
* Piotr Romanczuk: A bug report.