1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-26 10:04:02 +03:00

checlking in initial version of 2.2 scripts so I can start updating them

This commit is contained in:
Gerald Carter -
parent ae452e51b0
commit 766a5070d5
35 changed files with 6143 additions and 0 deletions

View File

View File

@ -0,0 +1,29 @@
# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/CONTRIBUTORS,v $
#
## Authors and actives contributors to SMBLDAP-TOOLS
Have contributed directly to this tools, or are always in charge of
some aspects of it developments (alphabetical order):
. Terry Davis <tdavis@approbation.org>
. David Le Corfec <dlc@freesurf.fr>
. Olivier Lemaire <olivier.lemaire@IDEALX.com>
. Jérôme Tournier <jerome.tournier@IDEALX.com>
Many thanks to contributors for bug report and patches:
. Gert-Jan Braas <braas@wyldebeast-wunderliebe.com>
bug report for 2.2.3 samba.schema
. Jody Haynes <Jody.Haynes@isunnetworks.com>
originaly passwd.pl
. Brad Langhorst <brad@langhorst.com>
package relocatability
. Mirko Manea <mami@arena.sci.univr.it>
originaly useradd.pl
. Alain Richard <alain.richard@equation.fr>
bug report and Perl tips
. Roland Schulz <mail@r2s2.de>
bug report for smbldap-passwd
. Xavier Boschian <Xavier.Boschian@rtlgroup.net>
bug report for smbldap-populate
# - The End

View File

@ -0,0 +1,340 @@
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Library General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) 19yy <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General
Public License instead of this License.

View File

@ -0,0 +1,29 @@
# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/ChangeLog,v $
#
## ChangeLog for SMBLDAP-TOOLS
* 2002-06-03: notes to webmin.idealx.org (idxldapaccounts)
* 2002-06-01: release 0.7. tested with 2.2.4
* 2002-05-31: fixed smbldap-populate compliance to smbldap_conf
cleaned up smbldap_conf to be more readable
some more documentation
bugfixes on smbldap-passwd and smbldap-populate
* 2002-05-16: modified default mode on homes: now 700
* 2002-05-13: fixed spec (relocation and reqs)
* 2002-03-02: fixed 2.2.3 sambaAccount bug with smbldap-useradd.pl
(rid is now mandatory in the sambaAccount objectClass)
* 2002-02-14: just modified default populate for Administrator
* 2002-02-05: release 0.6. enable/disable user in usermod
* 2002-02-04: release 0.5. added smbldap-migrate-groups to migrate NT groups
from a net group dump. added samba parameters to smbldap-useradd
and smbldap-usermod.
* 2002-01-12: added smbldap-migrate-accounts to migrate users/machines
accounts from a PWDUMP dump
* 2001-12-13: added smbldap-populate to create the initial base
* 2001-12-13: initial release 0.1
* 2001-12-12: fixed the SPEC file for RedHat
* 2001-12-03: cleaned the code and use strict;
* 2001-11-20: initial needs (for testing purpose on Samba-2.2.2 an Samba-TNG)
# - The End

View File

@ -0,0 +1,43 @@
# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/FILES,v $
#
## File listing for SMBLDAP-TOOLS
CONTRIBUTORS : authors and contributors
COPYING : licence
FILES : this file listing
README : introduction and usage
TODO : feature request and bug report list
ChangeLog : changelog
Core:
=-=-=
smbldap-groupadd.pl : to add a new group
(objectclass: posixGroup)
smbldap-groupdel.pl : to delete a group
(objectclass: posixGroup)
smbldap-groupmod.pl : to modify a group (mostly used to add user to a group)
(objectclass: posixGroup)
smbldap-groupshow.pl : to view a group
(objectclass: posixGroup)
smbldap_conf.pm : global configuration datas
smbldap_tools.pm : functions
smbldap-useradd.pl : to add a new user
(objectclass: posixAccount and/or sambaAccount)
smbldap-userdel.pl : to delete a user
(objectclass: posixAccount and/or sambaAccount)
smbldap-usermod.pl : to modify an user datas
(objectclass: posixAccount and/or sambaAccount)
smbldap-usershow.pl : to view an user datas
(objectclass: posixAccount and/or sambaAccount)
smbldap-passwd.pl : to sync passwd (Unix and Samba)
(a replacement for the system passwd utility)
smbldap-populate.pl : to add a builtin ldif to initialize your LDAP master for
smbldap use, or to add a specified ldif
smbldap-tools.spec : SPEC file for RedHat RPM package format
Migration:
=-=-=-=-=-
smbldap-migrate-accounts.pl : add NT sam entries from pwdump to ldap
smbldap-migrate-groups.pl : add any LDAP posixGroups from the output of the 'net group' NT command
# - The End

View File

@ -0,0 +1,84 @@
# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/INFRASTRUCTURE,v $
#
## Some notes about the architecture
Global Architecture for smbdlap-tools
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
smbldap-tools help you manage users and groups for Unix and Samba,
using LDAP. They may be used in any context, and are kept relatively
simplier enought to let you customize them to you needs.
They need the following objectClasses to work:
. sambaAccount: from samba.schema for Samba 2.2 branch
. posixAccount and posixGroup : from nis.schema
. organizationalUnit and dcObject: from core.schema
They will probably use in a near future some additional objectClasses
to support :
. mail features (sendmail/postfix/qmail/courier).
. conform to RFC2307 best practices (and so some maps too like merging
Netbios computers (sambaAccounts) with ipHosts
For ease of visualization of the LDAP objects by human standards, we
used a DIT like this one :
. dc=IDEALX,dc=org : the company/organization suffix
. ou=Users : to store users accounts
. ou=Computers : to store computers accounts
. ou=Groups : to store system groups
Of course, you're free to use a different naming scheme and DIT (see
smbldap_conf.pm).
Built in groups initial population
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
smbldap-populate.pl populate the LDAP directory with some built in groups
using gidNumber according to Well Know RID of Windows NT4 Srv. In fact, As
far a Samba 2.2.x is concerned, only the 'Domain Admins' (gidNumber 512) have
real inpact on the Samba and Windows population. To activate this group as
the Domain Administrators Group, use the following smb.conf directive (see
man smb.conf for more):
domain admin group = " @"Domain Admins" "
Other built in groups are really cosmetic ones with Samba 2.2.x. We did not
removed them because one of these days, we whish to use Samba 3.0 where
Windows Group Support should be operational.
Why these specific gidNumbers ?
It's about unix/windows mapping of numerical ids with Samba. Ids below 1024
are NT special ids. In fact, 512 is the RID (Windows uid/gid) for the
"Domain Administrators" NT group. The magic number is found in Samba sources
and possibly other Samba/Windows documentations.
The goal is to have a set of Unix users who are Domain Administrators and can
modify Samba datas (eg. LDAP content), with commandline tools or within
Windows via Samba.
Say you want to add a NT4 ws to an NT domain (controlled by a samba/ldap
server). You give the domain administrator's login and password in the
appropriate ws settings, then the ws contacts the samba server, which checks
the credentials and use them as unix user to run the smbldap-tools (if I
remember). Giving 512 as a RID to a LDAP entry marks it as a domain admin
for Samba (thus Windows). Using nss_ldap, you also have an account with
gid 512.
Known BUGS and WORKAROUND used
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
The 2.2.2 has at least a bug : rid/primaryGroupID are read as hex in LDAP,
but written as decimal. Fixed in CVS by reading as decimal. By default
smbldap-useradd.pl writes decimal to LDAP. Use -x to support the odd
behaviour.
The samba-2.2.4-ldapbindnotuid0.patch is not a perfect solution however
as the check is there because Samba store admin credentials to establish the
LDAP connection. The uid == 0 check was to ensure that a normal user could
not get write access to the LDAP backend. A more logical situation should be
done for 2.2.5 by checking if the user is a member of the domain admin group
(reported to Jerremy and Gerald 2002-05-28).
# - The End

View File

@ -0,0 +1,28 @@
# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/INSTALL,v $
#
## How To Install SMBLDAP-TOOLS
Quick & Dirty:
=-=-=-=-=-=-=-
. Copy all those scripts in /usr/local/sbin/
. Modify smbldap_conf.pm to match your configuration
. If not already done : "smbpasswd -w secret" to set up
the ldap admin password in secrets.tdb
. Either add /usr/local/sbin in $PERLLIB or run the scripts
from this directory, or make a symlink from /usr/local/sbin/*.pm
to /usr/lib/perl5/.
. to allow a domain admin to add user using "add user script" in smb.conf :
chmod 753 smbldap_conf.pm
chmod 750 smbldap-useradd.pl
chgrp 512 smbldap_conf.pm smbldap-useradd.pl (512 = 0x200 = Domain Admins)
Have your admin belong to this group
In smb.conf : domain admin group = " @"Domain Admins" "
RedHat RPM:
=-=-=-=-=-=
Install smbldap-tools-0.7-1.i386.rpm
Modify /usr/local/sbin/smbldap_conf.pm to match you configuration
If not already done : "smbpasswd -w secret" to set up
the ldap admin password in secrets.tdb
# - The End

View File

@ -0,0 +1,35 @@
PACKAGE=smbldap-tools
RELEASE=0.7
DESTDIR = $(PACKAGE)-$(RELEASE)
dist: distclean $(DESTDIR).tgz
$(DESTDIR).tgz: .diststamp
rm -rf $(DESTDIR)
mkdir $(DESTDIR)
# copy files
cp CONTRIBUTORS $(DESTDIR)
cp COPYING $(DESTDIR)
cp ChangeLog $(DESTDIR)
cp FILES $(DESTDIR)
cp INSTALL $(DESTDIR)
cp README $(DESTDIR)
cp TODO $(DESTDIR)
cp INFRASTRUCTURE $(DESTDIR)
tar cf mkntpwd.tar mkntpwd
gzip mkntpwd.tar
cp mkntpwd.tar.gz $(DESTDIR)
cp smbldap-*.pl $(DESTDIR)
cp smbldap_*.pm $(DESTDIR)
# copy directories
tar cvzf $(DESTDIR).tgz $(DESTDIR)
rm -rf $(DESTDIR)
touch .diststamp
.diststamp:
distclean:
rm -f *~
rm -f $(DESTDIR).tgz
rm -f mkntpwd.tar.gz

View File

View File

@ -0,0 +1,87 @@
# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/README,v $
#
Latest version may be found at http://samba.idealx.org/
What those tools are for?
=-=-=-=-=-=-=-=-=-=-=-=-=
A collection of scripts, «over» user{add,del,mod} and group{add,del,mod}
system tools to manipulate users and groups stored in LDAP directory,
for DEN system like SAMBA-LDAP and pam/nss_ldap systems.
Additionnaly, some scripts are designed to ease your migration from
a Windows NT 4.0 PDC Server to a Samba-LDAP PDC Server (Killer?;-):
smbldap-populate, smbldap-migrate-groups, smbldap-migrate-accounts.
They are currently used with Samba 2.2.4, therefore you may (will) have
to make some fixes for Samba TNG and Samba 3.0. Hint: contribs welcome :)
In the future, some other function may come (like backup and restore,
Novell migration tools, samba system activity report, dealing with
mail functions, compliance to RFC2307...): consult TODO.
What do SMBLDAP-TOOLS provide?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Those tools provide the following functions :
. populate LDAP database with a basic LDIF
. add a user or group
. delete a user or group
. modify all users or groups data (all attributes types stored in
posixAccount and sambaAccount object class)
Taking care of :
. staying compatible with all standard system tools options
(user/group{add,del,mod})
. be extensible for future developments
(manipulation of shadow account options, for example)
. error management, in the way system tools do
Constraints :
. usage of PERL (portability)
. all options must be placed in an external configuration file
. english localization
The current release uses the "mkntpwd" program, in mkntpwd.tar.gz
in the current directory. It comes from
http://www.demog.berkeley.edu/~aperrin/tips/src/mkntpwd.tar.gz
It allows to not use smbpasswd (if $with_smbpasswd == 0 in smbldap_conf.pm)
What do SMBLDAP-TOOLS deliver?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Contents :
. scripts (see FILES)
. user documentation in pod format, included in the sources
(or just use the -? option)
These tools aim at delivering the same functionality as the corresponding
system tools. However they may not be all implemented yet.
Current limitations :
. no shadow support
. cannot change uid with usermod
. no UTF-8 support (thus ASCII-7 only)
How to generate documentation?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Just issue the following command:
perldoc name_of_script.pl (ex: perldoc smbldap-useradd.pl)
Where can I find the latest release of those scripts?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Just fire any web browser to http://samba.IDEALX.org/
and/or contact samba@IDEALX.org
Additionnaly, you will find an useful Webmin module
at http://webmin.IDEALX.org/ if interested in a graphical
user interface to manager user and groups accounts via Webmin
for your Samba+LDAP PDC.
Let us know if these tools helped you, or if we should enhance
them with some functions you want them to support.
Sincerly,
LEM
# - The End

View File

@ -0,0 +1,27 @@
# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/TODO,v $
#
## TODO list - First In, Last in the list...
## (BF: Bug Report / FR: Feature Request)
FR * use RFC2307 best practices (Luke, next time you visit Paris, have a
beer at IDEALX'cantina ;-)
FR * add mail (sendmail/postfix/qmail/courier) support
FR * bugfix, really : allow non-root users to change passwd
(currently the config must be unreadable because of bindpasswd)
FR * make smbldap-tools to use system configuration files
(/etc/login.defs and /etc/ldap.conf for example)
FR * rewrite smbldap-tools using perl-ldap. In fact, this 0.x
release use ldap system tools (ldapadd,ldapdelete,ldapmodify)
FR * add shadowAccounts manipulation support
FR * internationalize the SMBLDAP-TOOLS
FR * add smbldap-sar : Samba System Activity Report to help
supporting Samba/LDAP sysadmin activity
FR * add smbldap-backup/smbldap-restore to backup and restore
a SAM (in LDAP) database. No sorcery, just LDIF, but usefull
for non-LDAP gurus
FR * adding migration tools from migration from W2K and NetWare to Samba-LDAP
FR * adapt smbldap-tools to use Samba 3.0
# - The End

View File

@ -0,0 +1,27 @@
Description:
A cgi to allow users to change their passwords via a web browser.
Installation:
Drop this into a cgi-enabled directory on your webserver.
Edit it and change the CONFIGURATION section to suit your environment.
READ THE NOTES SECTION.
Notes: This script will run as the user who runs your web server. So, to invoke the smbpasswd call, you must implement sudo.
Example of /etc/sudoers:
# Host alias specification
# User alias specification
User_Alias PASSWD = apache
# Cmnd alias specification
Cmnd_Alias PASSWD = /usr/bin/smbpasswd
# User privilege specification
root ALL=(ALL) ALL
PASSWD ALL= NOPASSWD: PASSWD
This concept is probably very insecure and broken. That is why this is a 0.1 release. :)
Feel free to drop me suggestions. I am a perl learner so I am always open to suggestions.
Terry Davis
tdavis@approbation.org

View File

@ -0,0 +1,202 @@
#!/usr/bin/perl
################################################################################
#
# changepass.pl - A program to allow users to change their passwords
# via a web browser.
# Terry Davis
#
# URLs
# Net::LDAP - http://
# usermod and this file - http://www.cloudamster.com/cloudmaster/projects
#
# Release History:
# Version 0.1 - initial write
#
# ToDo:
# ... the ToDo section is on the ToDo list...
#
# Limitations:
# The password cannot contain single and double quotes.....welcome to quoting hell....
#
# Notes:
# This code is largely based on work done by Danny Sauer - http://www.cloudamster.com/cloudmaster/projects
# His work is not licensed and is marked as 'freely distributable'.
# Thank you to Danny for his hard work on the initial work.
#
################################################################################
use CGI qw(:standard);
use Net::LDAP;
# CONFIGURATION SECTION
$masterLDAP = "ldap.idealx.org";
$basedn = "dc=IDEALX,dc=org";
$masterPw = "";
$masterDN = "cn=manager,$basedn";
$ldap_path = "/usr/bin";
$ldap_opts = "-x";
$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'";
$usersdn = "ou=Users,$basedn";
# END CONFIGURATION
# DONT EDIT ANYTHING BELOW THIS LINE
$logtag = "Login:";
$passtag = "Current password:";
$npasstag1 = "New password:";
$npasstag2 = "Retype new pasword:";
$error = "";
$color = "<FONT color='red'>";
$stopcolor = "</FONT>";
if(param()){
nologin() unless ($username = param('login'));
nopass() unless ($oldpass = param('oldpass'));
nonewpass(1) unless ($newpass1 = param('newpass'));
nonewpass(2) unless ($newpass2 = param('newpass2'));
verifyuser($username) or die "bad user";
verifypass($username, $oldpass) or die "bad pass";
testnewpass($newpass1, $newpass2) or die "bad new pass";
changepass($username, $newpass1) or die "couldn't change pass";
printsuccess();
}else{
printpage();
}
exit(0);
sub verifyuser{
local $user = shift;
$ldap = Net::LDAP->new($masterLDAP) or die "can't make new LDAP object: $@";
$ldap->bind();
if (0 < $ldap->search(base => $basedn, filter => "(uid=$user)")->count){
return 1;
}
$logtag = $color . $logtag . $color;
$error = "No such user";
printpage();
return 0;
}
sub verifypass{
$uid = shift;
$pass = shift;
$ldap = Net::LDAP->new($masterLDAP) or die "can't make new LDAP object: $@";
$binddn = "uid=$uid,ou=People,$basedn";
return 1 if($ldap->bind( $binddn, password => $pass)->code == 0);
if($ldap->bind()){
$passtag = $color . $passtag . $color;
$error = "Incorrect password";
printpage();
return 0;
}else{
print header, start_html(-title=>"LDAP dead");
print h2("<CENTER>The LDAP server is temporarily unavailable."),
p,"Please try again later</CENTER>";
return 0;
}die "Something (or someone) is defective, contact your friendly Systems Administrator";
}
sub testnewpass{
$p1 = shift; $p2 = shift;
if ($p1 ne $p2){
$npasstag1 = $color . $npasstag1 . $color;
$npasstag2 = $color . $npasstag2 . $color;
$error = "Passwords don't match ($p1 vs $p2)";
printpage();
return 0;
}
if ($p1 =~ /"/ ){
$npasstag1 = $color . $npasstag1 . $color;
$npasstag2 = $color . $npasstag2 . $color;
$error = "Passwords cannot contain double quotes. Sorry";
printpage();
return 0;
}
if ($p1 =~ /'/ ){
$npasstag1 = $color . $npasstag1 . $color;
$npasstag2 = $color . $npasstag2 . $color;
$error = "Passwords cannot contain single quotes. Sorry";
printpage();
return 0;
}
return 1;
}
sub changepass{
local $user = shift;
local $newpass = shift;
local $dn = "uid=$user,$usersdn";
system "$ldappasswd $dn -s '$newpass' > /dev/null";
`/usr/bin/sudo /usr/bin/smbpasswd $user "$newpass"`;
exit(1);
}
sub nologin{
$logtag = $color . $logtag . $color;
$error = "You need to enter a Login Name";
printpage();
exit(1);
}
sub nopass{
$passtag = $color . $passtag . $color;
$error = "Please enter your old password";
printpage();
exit(1);
}
sub nonewpass{
$f=shift;
$npasstag1 = $color . $npasstag1 . $color if($f==1);
$npasstag2 = $color . $npasstag2 . $color if($f==2);
$error = "You need to enter your new password";
$error .= " twice" if($f==2);
printpage();
exit(1);
}
sub printpage{
print header,
start_html(-title=> "Password Change Page",
-author=> 'tdavis@birddog.com',
-BGCOLOR=> 'WHITE'),
h3('Password Change Page'),
startform(-method=>'POST'),
"<TABLE BORDER=0 WIDTH=50%>",
"<font size=2>",
"<TR><TD>",
$logtag,
"</TD><TD>",
textfield(-name=>'login', -default=>$login,
-size=>15, -maxlength=>20),
"</TD><TR><TD>",
$passtag,
"</TD><TD>",
password_field(-name=>'oldpass', -size=>15, -maxlength=>25),
"</TD><TR><TD>",
$npasstag1,
"</TD><TD>",
password_field(-name=>'newpass', -size=>15, -maxlength=>25),
"</TD><TR><TD>",
$npasstag2,
"</TD><TD>",
password_field(-name=>'newpass2', -size=>15, -maxlength=>25),
"</TD><TR><TD></TD><TD>",
submit(-name=>"change"),reset(),
"</TD></TR></TABLE>",
"</font>",
endform(),
"<FONT color='red'>$error</FONT>",
end_html;
}
sub printsuccess(){
print header,
start_html(-title=> "Success",
-BGCOLOR=> 'WHITE'),
h1("Password Succesfully Changed"),
"<br>",
end_html;
}

View File

@ -0,0 +1,62 @@
# Makefile for l0phtcrack - mudge@l0pht.com 11/1/96
# C compiler
#CC=cc
CC=gcc
# Uncomment the following to add symbols to the code for debugging
#DEBUG=-g -Wall -D_DEBUG
#DEBUG=-D_DEBUG
# Optimization for the compiler
#OPTIMIZE=
OPTIMIZE=-O2
# Choose your architecture
# note that if you are on a big-endian machine like SUN's
# I haven't tweaked the mem-cmp's and md4 stuff to be in
# the correct order yet. You're on your own right now.
#
# FreeBSD
ARCH=-DMPU8086
STATIC=
XLIBS=
#
# SUNOS
#ARCH=-DBIGENDIAN
#STATIC=
#OPTIMIZE=-O2
#XLIBS=
#
# ULTRA_SPARC w/ native compiler
#ARCH=-DBIGENDIAN
#STATIC=
#OPTIMIZE=-fast -xO4 -xdepend -xchip=ultra -xarch=v8plus
#XLIBS=
#
# SunOS/Solaris w/gcc
#ARCH=-DBIGENDIAN -DTEST
#STATIC=
#OPTIMIZE=-O2
#XLIBS=
#
# NeXTStep 3.2
#CC=cc
#ARCH=-DBIGENDIAN
#STATIC=-Bstatic
#OPTIMIZE=
#XLIBS=
CFLAGS= $(DEBUG) $(OPTIMIZE) $(ARCH) $(VISUAL) $(PERMUTE) $(STATIC)
OBJS = getopt.o md4.o mkntpwd.o smbdes.o
mkntpwd: $(OBJS)
$(CC) $(CFLAGS) $(XLIBS) -o mkntpwd $(OBJS)
clean:
rm -f core *.o mkntpwd
install: mkntpwd
install -m 555 mkntpwd $(PREFIX)/sbin/mkntpwd

View File

@ -0,0 +1,756 @@
/* Getopt for GNU.
NOTE: getopt is now part of the C library, so if you don't know what
"Keep this file name-space clean" means, talk to roland@gnu.ai.mit.edu
before changing it!
Copyright (C) 1987, 88, 89, 90, 91, 92, 93, 94
Free Software Foundation, Inc.
This file is part of the GNU C Library. Its master source is NOT part of
the C library, however. The master source lives in /gd/gnu/lib.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public License as
published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Library General Public License for more details.
You should have received a copy of the GNU Library General Public
License along with the GNU C Library; see the file COPYING.LIB. If
not, write to the Free Software Foundation, Inc., 675 Mass Ave,
Cambridge, MA 02139, USA. */
/* This tells Alpha OSF/1 not to define a getopt prototype in <stdio.h>.
Ditto for AIX 3.2 and <stdlib.h>. */
#ifndef _NO_PROTO
#define _NO_PROTO
#endif
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#if !defined (__STDC__) || !__STDC__
/* This is a separate conditional since some stdc systems
reject `defined (const)'. */
#ifndef const
#define const
#endif
#endif
#include <stdio.h>
#ifdef WIN32
#include <string.h>
#endif
/* Comment out all this code if we are using the GNU C Library, and are not
actually compiling the library itself. This code is part of the GNU C
Library, but also included in many other GNU distributions. Compiling
and linking in this code is a waste when using the GNU C library
(especially if it is a shared library). Rather than having every GNU
program understand `configure --with-gnu-libc' and omit the object files,
it is simpler to just do this in the source for each such file. */
#if defined (_LIBC) || !defined (__GNU_LIBRARY__)
/* This needs to come after some library #include
to get __GNU_LIBRARY__ defined. */
#ifdef __GNU_LIBRARY__
/* Don't include stdlib.h for non-GNU C libraries because some of them
contain conflicting prototypes for getopt. */
#include <stdlib.h>
#endif /* GNU C library. */
/* This version of `getopt' appears to the caller like standard Unix `getopt'
but it behaves differently for the user, since it allows the user
to intersperse the options with the other arguments.
As `getopt' works, it permutes the elements of ARGV so that,
when it is done, all the options precede everything else. Thus
all application programs are extended to handle flexible argument order.
Setting the environment variable POSIXLY_CORRECT disables permutation.
Then the behavior is completely standard.
GNU application programs can use a third alternative mode in which
they can distinguish the relative order of options and other arguments. */
#include "getopt.h"
/* For communication from `getopt' to the caller.
When `getopt' finds an option that takes an argument,
the argument value is returned here.
Also, when `ordering' is RETURN_IN_ORDER,
each non-option ARGV-element is returned here. */
char *optarg = NULL;
/* Index in ARGV of the next element to be scanned.
This is used for communication to and from the caller
and for communication between successive calls to `getopt'.
On entry to `getopt', zero means this is the first call; initialize.
When `getopt' returns EOF, this is the index of the first of the
non-option elements that the caller should itself scan.
Otherwise, `optind' communicates from one call to the next
how much of ARGV has been scanned so far. */
/* XXX 1003.2 says this must be 1 before any call. */
int optind = 0;
/* The next char to be scanned in the option-element
in which the last option character we returned was found.
This allows us to pick up the scan where we left off.
If this is zero, or a null string, it means resume the scan
by advancing to the next ARGV-element. */
static char *nextchar;
/* Callers store zero here to inhibit the error message
for unrecognized options. */
int opterr = 1;
/* Set to an option character which was unrecognized.
This must be initialized on some systems to avoid linking in the
system's own getopt implementation. */
int optopt = '?';
/* Describe how to deal with options that follow non-option ARGV-elements.
If the caller did not specify anything,
the default is REQUIRE_ORDER if the environment variable
POSIXLY_CORRECT is defined, PERMUTE otherwise.
REQUIRE_ORDER means don't recognize them as options;
stop option processing when the first non-option is seen.
This is what Unix does.
This mode of operation is selected by either setting the environment
variable POSIXLY_CORRECT, or using `+' as the first character
of the list of option characters.
PERMUTE is the default. We permute the contents of ARGV as we scan,
so that eventually all the non-options are at the end. This allows options
to be given in any order, even with programs that were not written to
expect this.
RETURN_IN_ORDER is an option available to programs that were written
to expect options and other ARGV-elements in any order and that care about
the ordering of the two. We describe each non-option ARGV-element
as if it were the argument of an option with character code 1.
Using `-' as the first character of the list of option characters
selects this mode of operation.
The special argument `--' forces an end of option-scanning regardless
of the value of `ordering'. In the case of RETURN_IN_ORDER, only
`--' can cause `getopt' to return EOF with `optind' != ARGC. */
static enum
{
REQUIRE_ORDER, PERMUTE, RETURN_IN_ORDER
} ordering;
/* Value of POSIXLY_CORRECT environment variable. */
static char *posixly_correct;
#ifdef __GNU_LIBRARY__
/* We want to avoid inclusion of string.h with non-GNU libraries
because there are many ways it can cause trouble.
On some systems, it contains special magic macros that don't work
in GCC. */
#include <string.h>
#define my_index strchr
#else
/* Avoid depending on library functions or files
whose names are inconsistent. */
char *getenv ();
static char *
my_index (str, chr)
const char *str;
int chr;
{
while (*str)
{
if (*str == chr)
return (char *) str;
str++;
}
return 0;
}
/* If using GCC, we can safely declare strlen this way.
If not using GCC, it is ok not to declare it. */
#ifdef __GNUC__
/* Note that Motorola Delta 68k R3V7 comes with GCC but not stddef.h.
That was relevant to code that was here before. */
#if !defined (__STDC__) || !__STDC__
/* gcc with -traditional declares the built-in strlen to return int,
and has done so at least since version 2.4.5. -- rms. */
extern int strlen (const char *);
#endif /* not __STDC__ */
#endif /* __GNUC__ */
#endif /* not __GNU_LIBRARY__ */
/* Handle permutation of arguments. */
/* Describe the part of ARGV that contains non-options that have
been skipped. `first_nonopt' is the index in ARGV of the first of them;
`last_nonopt' is the index after the last of them. */
static int first_nonopt;
static int last_nonopt;
/* Exchange two adjacent subsequences of ARGV.
One subsequence is elements [first_nonopt,last_nonopt)
which contains all the non-options that have been skipped so far.
The other is elements [last_nonopt,optind), which contains all
the options processed since those non-options were skipped.
`first_nonopt' and `last_nonopt' are relocated so that they describe
the new indices of the non-options in ARGV after they are moved. */
static void
exchange (argv)
char **argv;
{
int bottom = first_nonopt;
int middle = last_nonopt;
int top = optind;
char *tem;
/* Exchange the shorter segment with the far end of the longer segment.
That puts the shorter segment into the right place.
It leaves the longer segment in the right place overall,
but it consists of two parts that need to be swapped next. */
while (top > middle && middle > bottom)
{
if (top - middle > middle - bottom)
{
/* Bottom segment is the short one. */
int len = middle - bottom;
register int i;
/* Swap it with the top part of the top segment. */
for (i = 0; i < len; i++)
{
tem = argv[bottom + i];
argv[bottom + i] = argv[top - (middle - bottom) + i];
argv[top - (middle - bottom) + i] = tem;
}
/* Exclude the moved bottom segment from further swapping. */
top -= len;
}
else
{
/* Top segment is the short one. */
int len = top - middle;
register int i;
/* Swap it with the bottom part of the bottom segment. */
for (i = 0; i < len; i++)
{
tem = argv[bottom + i];
argv[bottom + i] = argv[middle + i];
argv[middle + i] = tem;
}
/* Exclude the moved top segment from further swapping. */
bottom += len;
}
}
/* Update records for the slots the non-options now occupy. */
first_nonopt += (optind - last_nonopt);
last_nonopt = optind;
}
/* Initialize the internal data when the first call is made. */
static const char *
_getopt_initialize (optstring)
const char *optstring;
{
/* Start processing options with ARGV-element 1 (since ARGV-element 0
is the program name); the sequence of previously skipped
non-option ARGV-elements is empty. */
first_nonopt = last_nonopt = optind = 1;
nextchar = NULL;
posixly_correct = getenv ("POSIXLY_CORRECT");
/* Determine how to handle the ordering of options and nonoptions. */
if (optstring[0] == '-')
{
ordering = RETURN_IN_ORDER;
++optstring;
}
else if (optstring[0] == '+')
{
ordering = REQUIRE_ORDER;
++optstring;
}
else if (posixly_correct != NULL)
ordering = REQUIRE_ORDER;
else
ordering = PERMUTE;
return optstring;
}
/* Scan elements of ARGV (whose length is ARGC) for option characters
given in OPTSTRING.
If an element of ARGV starts with '-', and is not exactly "-" or "--",
then it is an option element. The characters of this element
(aside from the initial '-') are option characters. If `getopt'
is called repeatedly, it returns successively each of the option characters
from each of the option elements.
If `getopt' finds another option character, it returns that character,
updating `optind' and `nextchar' so that the next call to `getopt' can
resume the scan with the following option character or ARGV-element.
If there are no more option characters, `getopt' returns `EOF'.
Then `optind' is the index in ARGV of the first ARGV-element
that is not an option. (The ARGV-elements have been permuted
so that those that are not options now come last.)
OPTSTRING is a string containing the legitimate option characters.
If an option character is seen that is not listed in OPTSTRING,
return '?' after printing an error message. If you set `opterr' to
zero, the error message is suppressed but we still return '?'.
If a char in OPTSTRING is followed by a colon, that means it wants an arg,
so the following text in the same ARGV-element, or the text of the following
ARGV-element, is returned in `optarg'. Two colons mean an option that
wants an optional arg; if there is text in the current ARGV-element,
it is returned in `optarg', otherwise `optarg' is set to zero.
If OPTSTRING starts with `-' or `+', it requests different methods of
handling the non-option ARGV-elements.
See the comments about RETURN_IN_ORDER and REQUIRE_ORDER, above.
Long-named options begin with `--' instead of `-'.
Their names may be abbreviated as long as the abbreviation is unique
or is an exact match for some defined option. If they have an
argument, it follows the option name in the same ARGV-element, separated
from the option name by a `=', or else the in next ARGV-element.
When `getopt' finds a long-named option, it returns 0 if that option's
`flag' field is nonzero, the value of the option's `val' field
if the `flag' field is zero.
The elements of ARGV aren't really const, because we permute them.
But we pretend they're const in the prototype to be compatible
with other systems.
LONGOPTS is a vector of `struct option' terminated by an
element containing a name which is zero.
LONGIND returns the index in LONGOPT of the long-named option found.
It is only valid when a long-named option has been found by the most
recent call.
If LONG_ONLY is nonzero, '-' as well as '--' can introduce
long-named options. */
int
_getopt_internal (argc, argv, optstring, longopts, longind, long_only)
int argc;
char *const *argv;
const char *optstring;
const struct option *longopts;
int *longind;
int long_only;
{
optarg = NULL;
if (optind == 0)
optstring = _getopt_initialize (optstring);
if (nextchar == NULL || *nextchar == '\0')
{
/* Advance to the next ARGV-element. */
if (ordering == PERMUTE)
{
/* If we have just processed some options following some non-options,
exchange them so that the options come first. */
if (first_nonopt != last_nonopt && last_nonopt != optind)
exchange ((char **) argv);
else if (last_nonopt != optind)
first_nonopt = optind;
/* Skip any additional non-options
and extend the range of non-options previously skipped. */
while (optind < argc
&& (argv[optind][0] != '-' || argv[optind][1] == '\0'))
optind++;
last_nonopt = optind;
}
/* The special ARGV-element `--' means premature end of options.
Skip it like a null option,
then exchange with previous non-options as if it were an option,
then skip everything else like a non-option. */
if (optind != argc && !strcmp (argv[optind], "--"))
{
optind++;
if (first_nonopt != last_nonopt && last_nonopt != optind)
exchange ((char **) argv);
else if (first_nonopt == last_nonopt)
first_nonopt = optind;
last_nonopt = argc;
optind = argc;
}
/* If we have done all the ARGV-elements, stop the scan
and back over any non-options that we skipped and permuted. */
if (optind == argc)
{
/* Set the next-arg-index to point at the non-options
that we previously skipped, so the caller will digest them. */
if (first_nonopt != last_nonopt)
optind = first_nonopt;
return EOF;
}
/* If we have come to a non-option and did not permute it,
either stop the scan or describe it to the caller and pass it by. */
if ((argv[optind][0] != '-' || argv[optind][1] == '\0'))
{
if (ordering == REQUIRE_ORDER)
return EOF;
optarg = argv[optind++];
return 1;
}
/* We have found another option-ARGV-element.
Skip the initial punctuation. */
nextchar = (argv[optind] + 1
+ (longopts != NULL && argv[optind][1] == '-'));
}
/* Decode the current option-ARGV-element. */
/* Check whether the ARGV-element is a long option.
If long_only and the ARGV-element has the form "-f", where f is
a valid short option, don't consider it an abbreviated form of
a long option that starts with f. Otherwise there would be no
way to give the -f short option.
On the other hand, if there's a long option "fubar" and
the ARGV-element is "-fu", do consider that an abbreviation of
the long option, just like "--fu", and not "-f" with arg "u".
This distinction seems to be the most useful approach. */
if (longopts != NULL
&& (argv[optind][1] == '-'
|| (long_only && (argv[optind][2] || !my_index (optstring, argv[optind][1])))))
{
char *nameend;
const struct option *p;
const struct option *pfound = NULL;
int exact = 0;
int ambig = 0;
int indfound = 0; /* set to zero by Anton */
int option_index;
for (nameend = nextchar; *nameend && *nameend != '='; nameend++)
/* Do nothing. */ ;
/* Test all long options for either exact match
or abbreviated matches. */
for (p = longopts, option_index = 0; p->name; p++, option_index++)
if (!strncmp(p->name, nextchar, nameend - nextchar))
{
if ((unsigned int)(nameend - nextchar) == (unsigned int)strlen (p->name))
{
/* Exact match found. */
pfound = p;
indfound = option_index;
exact = 1;
break;
}
else if (pfound == NULL)
{
/* First nonexact match found. */
pfound = p;
indfound = option_index;
}
else
/* Second or later nonexact match found. */
ambig = 1;
}
if (ambig && !exact)
{
if (opterr)
fprintf (stderr, "%s: option `%s' is ambiguous\n",
argv[0], argv[optind]);
nextchar += strlen (nextchar);
optind++;
return '?';
}
if (pfound != NULL)
{
option_index = indfound;
optind++;
if (*nameend)
{
/* Don't test has_arg with >, because some C compilers don't
allow it to be used on enums. */
if (pfound->has_arg)
optarg = nameend + 1;
else
{
if (opterr)
{
if (argv[optind - 1][1] == '-')
/* --option */
fprintf (stderr,
"%s: option `--%s' doesn't allow an argument\n",
argv[0], pfound->name);
else
/* +option or -option */
fprintf (stderr,
"%s: option `%c%s' doesn't allow an argument\n",
argv[0], argv[optind - 1][0], pfound->name);
}
nextchar += strlen (nextchar);
return '?';
}
}
else if (pfound->has_arg == 1)
{
if (optind < argc)
optarg = argv[optind++];
else
{
if (opterr)
fprintf (stderr, "%s: option `%s' requires an argument\n",
argv[0], argv[optind - 1]);
nextchar += strlen (nextchar);
return optstring[0] == ':' ? ':' : '?';
}
}
nextchar += strlen (nextchar);
if (longind != NULL)
*longind = option_index;
if (pfound->flag)
{
*(pfound->flag) = pfound->val;
return 0;
}
return pfound->val;
}
/* Can't find it as a long option. If this is not getopt_long_only,
or the option starts with '--' or is not a valid short
option, then it's an error.
Otherwise interpret it as a short option. */
if (!long_only || argv[optind][1] == '-'
|| my_index (optstring, *nextchar) == NULL)
{
if (opterr)
{
if (argv[optind][1] == '-')
/* --option */
fprintf (stderr, "%s: unrecognized option `--%s'\n",
argv[0], nextchar);
else
/* +option or -option */
fprintf (stderr, "%s: unrecognized option `%c%s'\n",
argv[0], argv[optind][0], nextchar);
}
nextchar = (char *) "";
optind++;
return '?';
}
}
/* Look at and handle the next short option-character. */
{
char c = *nextchar++;
char *temp = my_index (optstring, c);
/* Increment `optind' when we start to process its last character. */
if (*nextchar == '\0')
++optind;
if (temp == NULL || c == ':')
{
if (opterr)
{
if (posixly_correct)
/* 1003.2 specifies the format of this message. */
fprintf (stderr, "%s: illegal option -- %c\n", argv[0], c);
else
fprintf (stderr, "%s: invalid option -- %c\n", argv[0], c);
}
optopt = c;
return '?';
}
if (temp[1] == ':')
{
if (temp[2] == ':')
{
/* This is an option that accepts an argument optionally. */
if (*nextchar != '\0')
{
optarg = nextchar;
optind++;
}
else
optarg = NULL;
nextchar = NULL;
}
else
{
/* This is an option that requires an argument. */
if (*nextchar != '\0')
{
optarg = nextchar;
/* If we end this ARGV-element by taking the rest as an arg,
we must advance to the next element now. */
optind++;
}
else if (optind == argc)
{
if (opterr)
{
/* 1003.2 specifies the format of this message. */
fprintf (stderr, "%s: option requires an argument -- %c\n",
argv[0], c);
}
optopt = c;
if (optstring[0] == ':')
c = ':';
else
c = '?';
}
else
/* We already incremented `optind' once;
increment it again when taking next ARGV-elt as argument. */
optarg = argv[optind++];
nextchar = NULL;
}
}
return c;
}
}
int
getopt (argc, argv, optstring)
int argc;
char *const *argv;
const char *optstring;
{
return _getopt_internal (argc, argv, optstring,
(const struct option *) 0,
(int *) 0,
0);
}
#endif /* _LIBC or not __GNU_LIBRARY__. */
#ifdef TEST
/* Compile with -DTEST to make an executable for use in testing
the above definition of `getopt'. */
int
main (argc, argv)
int argc;
char **argv;
{
int c;
int digit_optind = 0;
while (1)
{
int this_option_optind = optind ? optind : 1;
c = getopt (argc, argv, "abc:d:0123456789");
if (c == EOF)
break;
switch (c)
{
case '0':
case '1':
case '2':
case '3':
case '4':
case '5':
case '6':
case '7':
case '8':
case '9':
if (digit_optind != 0 && digit_optind != this_option_optind)
printf ("digits occur in two different argv-elements.\n");
digit_optind = this_option_optind;
printf ("option %c\n", c);
break;
case 'a':
printf ("option a\n");
break;
case 'b':
printf ("option b\n");
break;
case 'c':
printf ("option c with value `%s'\n", optarg);
break;
case '?':
break;
default:
printf ("?? getopt returned character code 0%o ??\n", c);
}
}
if (optind < argc)
{
printf ("non-option ARGV-elements: ");
while (optind < argc)
printf ("%s ", argv[optind++]);
printf ("\n");
}
exit (0);
}
#endif /* TEST */

View File

@ -0,0 +1,133 @@
/* Declarations for getopt.
Copyright (C) 1989, 90, 91, 92, 93, 94 Free Software Foundation, Inc.
This file is part of the GNU C Library. Its master source is NOT part of
the C library, however. The master source lives in /gd/gnu/lib.
The GNU C Library is free software; you can redistribute it and/or
modify it under the terms of the GNU Library General Public License as
published by the Free Software Foundation; either version 2 of the
License, or (at your option) any later version.
The GNU C Library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Library General Public License for more details.
You should have received a copy of the GNU Library General Public
License along with the GNU C Library; see the file COPYING.LIB. If
not, write to the Free Software Foundation, Inc., 675 Mass Ave,
Cambridge, MA 02139, USA. */
#ifndef _GETOPT_H
#define _GETOPT_H 1
#ifdef __cplusplus
extern "C" {
#endif
/* For communication from `getopt' to the caller.
When `getopt' finds an option that takes an argument,
the argument value is returned here.
Also, when `ordering' is RETURN_IN_ORDER,
each non-option ARGV-element is returned here. */
extern char *optarg;
/* Index in ARGV of the next element to be scanned.
This is used for communication to and from the caller
and for communication between successive calls to `getopt'.
On entry to `getopt', zero means this is the first call; initialize.
When `getopt' returns EOF, this is the index of the first of the
non-option elements that the caller should itself scan.
Otherwise, `optind' communicates from one call to the next
how much of ARGV has been scanned so far. */
extern int optind;
/* Callers store zero here to inhibit the error message `getopt' prints
for unrecognized options. */
extern int opterr;
/* Set to an option character which was unrecognized. */
extern int optopt;
/* Describe the long-named options requested by the application.
The LONG_OPTIONS argument to getopt_long or getopt_long_only is a vector
of `struct option' terminated by an element containing a name which is
zero.
The field `has_arg' is:
no_argument (or 0) if the option does not take an argument,
required_argument (or 1) if the option requires an argument,
optional_argument (or 2) if the option takes an optional argument.
If the field `flag' is not NULL, it points to a variable that is set
to the value given in the field `val' when the option is found, but
left unchanged if the option is not found.
To have a long-named option do something other than set an `int' to
a compiled-in constant, such as set a value from `optarg', set the
option's `flag' field to zero and its `val' field to a nonzero
value (the equivalent single-letter option character, if there is
one). For long options that have a zero `flag' field, `getopt'
returns the contents of the `val' field. */
struct option
{
#if defined (__STDC__) && __STDC__
const char *name;
#else
char *name;
#endif
/* has_arg can't be an enum because some compilers complain about
type mismatches in all the code that assumes it is an int. */
int has_arg;
int *flag;
int val;
};
/* Names for the values of the `has_arg' field of `struct option'. */
#define no_argument 0
#define required_argument 1
#define optional_argument 2
#if defined (__STDC__) && __STDC__
#ifdef __GNU_LIBRARY__
/* Many other libraries have conflicting prototypes for getopt, with
differences in the consts, in stdlib.h. To avoid compilation
errors, only prototype getopt for the GNU C library. */
extern int getopt (int argc, char *const *argv, const char *shortopts);
#else /* not __GNU_LIBRARY__ */
extern int getopt ();
#endif /* __GNU_LIBRARY__ */
extern int getopt_long (int argc, char *const *argv, const char *shortopts,
const struct option *longopts, int *longind);
extern int getopt_long_only (int argc, char *const *argv,
const char *shortopts,
const struct option *longopts, int *longind);
/* Internal only. Users should not call this directly. */
extern int _getopt_internal (int argc, char *const *argv,
const char *shortopts,
const struct option *longopts, int *longind,
int long_only);
#else /* not __STDC__ */
extern int getopt ();
extern int getopt_long ();
extern int getopt_long_only ();
extern int _getopt_internal ();
#endif /* __STDC__ */
#ifdef __cplusplus
}
#endif
#endif /* _GETOPT_H */

View File

@ -0,0 +1,171 @@
/*
Unix SMB/Netbios implementation.
Version 1.9.
a implementation of MD4 designed for use in the SMB authentication protocol
Copyright (C) Andrew Tridgell 1997
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
/* NOTE: This code makes no attempt to be fast!
It assumes that a int is at least 32 bits long
*/
typedef unsigned int uint32;
static uint32 A, B, C, D;
static uint32 F(uint32 X, uint32 Y, uint32 Z)
{
return (X&Y) | ((~X)&Z);
}
static uint32 G(uint32 X, uint32 Y, uint32 Z)
{
return (X&Y) | (X&Z) | (Y&Z);
}
static uint32 H(uint32 X, uint32 Y, uint32 Z)
{
return X^Y^Z;
}
static uint32 lshift(uint32 x, int s)
{
x &= 0xFFFFFFFF;
return ((x<<s)&0xFFFFFFFF) | (x>>(32-s));
}
#define ROUND1(a,b,c,d,k,s) a = lshift(a + F(b,c,d) + X[k], s)
#define ROUND2(a,b,c,d,k,s) a = lshift(a + G(b,c,d) + X[k] + (uint32)0x5A827999,s)
#define ROUND3(a,b,c,d,k,s) a = lshift(a + H(b,c,d) + X[k] + (uint32)0x6ED9EBA1,s)
/* this applies md4 to 64 byte chunks */
static void mdfour64(uint32 *M)
{
int j;
uint32 AA, BB, CC, DD;
uint32 X[16];
for (j=0;j<16;j++)
X[j] = M[j];
AA = A; BB = B; CC = C; DD = D;
ROUND1(A,B,C,D, 0, 3); ROUND1(D,A,B,C, 1, 7);
ROUND1(C,D,A,B, 2, 11); ROUND1(B,C,D,A, 3, 19);
ROUND1(A,B,C,D, 4, 3); ROUND1(D,A,B,C, 5, 7);
ROUND1(C,D,A,B, 6, 11); ROUND1(B,C,D,A, 7, 19);
ROUND1(A,B,C,D, 8, 3); ROUND1(D,A,B,C, 9, 7);
ROUND1(C,D,A,B, 10, 11); ROUND1(B,C,D,A, 11, 19);
ROUND1(A,B,C,D, 12, 3); ROUND1(D,A,B,C, 13, 7);
ROUND1(C,D,A,B, 14, 11); ROUND1(B,C,D,A, 15, 19);
ROUND2(A,B,C,D, 0, 3); ROUND2(D,A,B,C, 4, 5);
ROUND2(C,D,A,B, 8, 9); ROUND2(B,C,D,A, 12, 13);
ROUND2(A,B,C,D, 1, 3); ROUND2(D,A,B,C, 5, 5);
ROUND2(C,D,A,B, 9, 9); ROUND2(B,C,D,A, 13, 13);
ROUND2(A,B,C,D, 2, 3); ROUND2(D,A,B,C, 6, 5);
ROUND2(C,D,A,B, 10, 9); ROUND2(B,C,D,A, 14, 13);
ROUND2(A,B,C,D, 3, 3); ROUND2(D,A,B,C, 7, 5);
ROUND2(C,D,A,B, 11, 9); ROUND2(B,C,D,A, 15, 13);
ROUND3(A,B,C,D, 0, 3); ROUND3(D,A,B,C, 8, 9);
ROUND3(C,D,A,B, 4, 11); ROUND3(B,C,D,A, 12, 15);
ROUND3(A,B,C,D, 2, 3); ROUND3(D,A,B,C, 10, 9);
ROUND3(C,D,A,B, 6, 11); ROUND3(B,C,D,A, 14, 15);
ROUND3(A,B,C,D, 1, 3); ROUND3(D,A,B,C, 9, 9);
ROUND3(C,D,A,B, 5, 11); ROUND3(B,C,D,A, 13, 15);
ROUND3(A,B,C,D, 3, 3); ROUND3(D,A,B,C, 11, 9);
ROUND3(C,D,A,B, 7, 11); ROUND3(B,C,D,A, 15, 15);
A += AA; B += BB; C += CC; D += DD;
A &= 0xFFFFFFFF; B &= 0xFFFFFFFF;
C &= 0xFFFFFFFF; D &= 0xFFFFFFFF;
for (j=0;j<16;j++)
X[j] = 0;
}
static void copy64(uint32 *M, unsigned char *in)
{
int i;
for (i=0;i<16;i++)
M[i] = (in[i*4+3]<<24) | (in[i*4+2]<<16) |
(in[i*4+1]<<8) | (in[i*4+0]<<0);
}
static void copy4(unsigned char *out,uint32 x)
{
out[0] = x&0xFF;
out[1] = (x>>8)&0xFF;
out[2] = (x>>16)&0xFF;
out[3] = (x>>24)&0xFF;
}
/* produce a md4 message digest from data of length n bytes */
void mdfour(unsigned char *out, unsigned char *in, int n)
{
unsigned char buf[128];
uint32 M[16];
uint32 b = n * 8;
int i;
A = 0x67452301;
B = 0xefcdab89;
C = 0x98badcfe;
D = 0x10325476;
while (n > 64) {
copy64(M, in);
mdfour64(M);
in += 64;
n -= 64;
}
for (i=0;i<128;i++)
buf[i] = 0;
memcpy(buf, in, n);
buf[n] = 0x80;
if (n <= 55) {
copy4(buf+56, b);
copy64(M, buf);
mdfour64(M);
} else {
copy4(buf+120, b);
copy64(M, buf);
mdfour64(M);
copy64(M, buf+64);
mdfour64(M);
}
for (i=0;i<128;i++)
buf[i] = 0;
copy64(M, buf);
copy4(out, A);
copy4(out+4, B);
copy4(out+8, C);
copy4(out+12, D);
A = B = C = D = 0;
}

View File

@ -0,0 +1,253 @@
/*
This code is based on work from
L0phtcrack 1.5 06.02.97 mudge@l0pht.com
The code also contains sources from:
. routines from the samba code source
md4.c smbdes.c
Anton Roeckseisen (anton@genua.de)
*/
/*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "mkntpwd.h"
void str_to_key(unsigned char *,unsigned char *);
void usage(char *);
int PutUniCode(char *dst,char *src);
void printlanhash(char *tmp);
void mdfour(unsigned char *out, unsigned char *in, int n);
void E_P16(unsigned char *p14,unsigned char *p16);
void main(int argc, char **argv) {
extern char *optarg;
int c;
int printlan = 0;
char lanpwd[LMPASSWDLEN+1];
int printnt = 0;
char inputfile[FILENAMEBUFFER+1] = "";
FILE* InputFilePtr;
int just_pwd = 0;
int i;
char hashout[17];
char ntpasswd[NTPASSWDLEN+1];
char *hold;
unsigned char *p16;
int uni_len;
char passwd[NTPASSWDLEN+1];
if (argc==1)
usage(argv[0]);
if (argc==2)
just_pwd=1;
else
just_pwd=0;
lanpwd[0] = '\0';
ntpasswd[0] = '\0';
while ( (c = getopt(argc, argv, "L:N:f:")) != EOF){
switch(c) {
case 'L':
printlan++;
strncpy(lanpwd,optarg,LMPASSWDLEN);
lanpwd[LMPASSWDLEN]='\0';
for (i=0;i<LMPASSWDLEN;i++)
lanpwd[i]=toupper(lanpwd[i]);
break;
case 'N':
printnt++;
strncpy(passwd,optarg,NTPASSWDLEN);
passwd[NTPASSWDLEN]='\0';
break;
case 'f':
strncpy(inputfile,optarg,FILENAMEBUFFER);
inputfile[FILENAMEBUFFER]='\0';
break;
default:
usage(argv[0]);
}
}
/* Get password from file or STDIN */
if (inputfile[0]!='\0') {
just_pwd=0; /* make sure no shit is happening... */
/* get NT-password (longer) */
if (strcmp(inputfile,"-")==0) {
fgets(passwd,NTPASSWDLEN,stdin);
} else {
if ((InputFilePtr=fopen(inputfile,"r")) == NULL)
fprintf(stderr,"Couldn't open passwordfile: %s",inputfile) ;
fgets(passwd,NTPASSWDLEN,InputFilePtr);
fclose(InputFilePtr);
}
while (strlen(passwd)>0 && passwd[strlen(passwd)-1]=='\n')
passwd[strlen(passwd)-1]='\0';
/* create LANMAN-password (shorter) */
strncpy(lanpwd,passwd,LMPASSWDLEN);
lanpwd[LMPASSWDLEN]='\0';
for (i=0;i<LMPASSWDLEN;i++)
lanpwd[i]=toupper(lanpwd[i]);
printlan++;
printnt++;
}
/* Assume the one and only Arg is the new password! */
if (argc>1 && just_pwd==1) {
strncpy(lanpwd,argv[1],LMPASSWDLEN);
lanpwd[LMPASSWDLEN]='\0';
for (i=0;i<LMPASSWDLEN;i++)
lanpwd[i]=toupper(lanpwd[i]);
printlan++;
strncpy(passwd,argv[1],NTPASSWDLEN);
passwd[NTPASSWDLEN]='\0';
printnt++;
}
if (printlan >0) {
memset(hashout,'\0',17);
E_P16((uchar *)lanpwd,hashout);
printlanhash(hashout);
}
if (printnt >0) {
if (printlan>0) printf(":");
memset(ntpasswd, '\0', sizeof(ntpasswd));
if (passwd[strlen(passwd)-1] == '\n') /* strip the \n - this
is done in LowerString for the case sensitive
check */
passwd[strlen(passwd)-1] = '\0';
hold = (char *)malloc(NTPASSWDLEN * 2); /* grab space for
unicode */
if (hold == NULL){
fprintf(stderr, "out of memory...crackntdialog hold\n");
exit(1);
}
uni_len = PutUniCode(hold, passwd); /* convert to
unicode and return correct
unicode length for md4 */
p16 = (unsigned char*)malloc(17); /* grab space for md4 hash */
if (p16 == NULL){
fprintf(stderr, "out of memory...crackntdialect p16\n");
exit(1);
}
memset(p16,'\0',17);
mdfour(p16,hold, uni_len);
printlanhash(p16);
free(p16);
free(hold);
}
printf("\n");
exit(0);
}
/*****************************************************************************/
/*****************************************************************************/
/*****************************************************************************/
void usage(char *progname){
char *p;
p = strrchr(progname, '\\');
if (p == NULL)
p = progname;
else
p++;
fprintf(stderr, "Usage: %s [-L lanmgrpwd] [-N ntpasswd]\n",p);
fprintf(stderr, " %s password\n",p);
fprintf(stderr, " %s -f [-] [filename]\n\n",p);
fprintf(stderr, " -L lanmgrpasswd LanManager cleartextpwd <= 14 chars\n");
fprintf(stderr, " -N ntpasswd NT cleartextpwd <=128 chars (usually <=14)\n\n");
fprintf(stderr, " with both options present the encrypted LanManager-Pwd is \n");
fprintf(stderr, " printed first, followed by a ':' and the encrypted NT-Pwd.\n\n");
fprintf(stderr, " The second usage behaves like %s -L pwd -N pwd\n\n",p);
fprintf(stderr, " The third usage reads the password from STDIN or a File. Printout\n");
fprintf(stderr, " is the same as second.\n\n");
fprintf(stderr, "anton@genua.de\n\n");
exit(1);
}
/*******************************************************************
write a string in unicoode format
********************************************************************/
int PutUniCode(char *dst,char *src)
{
int ret = 0;
while (*src) {
dst[ret++] = src[0];
dst[ret++] = 0;
src++;
}
dst[ret++]=0;
dst[ret++]=0;
return(ret-2); /* the way they do the md4 hash they don't represent
the last null. ie 'A' becomes just 0x41 0x00 - not
0x41 0x00 0x00 0x00 */
}
/*
print binary buffer as hex-string
*/
void printlanhash(char *tmp) {
int i;
unsigned char c;
char outbuffer[33];
/* build string from binary hash */
for(i=0;i<16;i++) {
c=tmp[i];
sprintf(outbuffer+2*i,"%x",(c>>4) & 0x0f);
sprintf(outbuffer+2*i+1,"%x",c & 0x0f);
}
/* convert to uppercase */
for(i=0;i<32;i++)
outbuffer[i] = toupper(outbuffer[i]);
outbuffer[32]='\0';
/* print out hex-string */
printf("%s",outbuffer);
}

View File

@ -0,0 +1,17 @@
#include <memory.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>
typedef short int16;
typedef int int32;
typedef unsigned short uint16;
typedef unsigned int uint32;
typedef unsigned char uchar;
#define MAX_STRING 255
#define MAX_WORD 128
#define LMPASSWDLEN 14
#define NTPASSWDLEN 128
#define FILENAMEBUFFER 128

View File

@ -0,0 +1,337 @@
/*
Unix SMB/Netbios implementation.
Version 1.9.
a partial implementation of DES designed for use in the
SMB authentication protocol
Copyright (C) Andrew Tridgell 1997
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
/* NOTES:
This code makes no attempt to be fast! In fact, it is a very
slow implementation
This code is NOT a complete DES implementation. It implements only
the minimum necessary for SMB authentication, as used by all SMB
products (including every copy of Microsoft Windows95 ever sold)
In particular, it can only do a unchained forward DES pass. This
means it is not possible to use this code for encryption/decryption
of data, instead it is only useful as a "hash" algorithm.
There is no entry point into this code that allows normal DES operation.
I believe this means that this code does not come under ITAR
regulations but this is NOT a legal opinion. If you are concerned
about the applicability of ITAR regulations to this code then you
should confirm it for yourself (and maybe let me know if you come
up with a different answer to the one above)
*/
static int perm1[56] = {57, 49, 41, 33, 25, 17, 9,
1, 58, 50, 42, 34, 26, 18,
10, 2, 59, 51, 43, 35, 27,
19, 11, 3, 60, 52, 44, 36,
63, 55, 47, 39, 31, 23, 15,
7, 62, 54, 46, 38, 30, 22,
14, 6, 61, 53, 45, 37, 29,
21, 13, 5, 28, 20, 12, 4};
static int perm2[48] = {14, 17, 11, 24, 1, 5,
3, 28, 15, 6, 21, 10,
23, 19, 12, 4, 26, 8,
16, 7, 27, 20, 13, 2,
41, 52, 31, 37, 47, 55,
30, 40, 51, 45, 33, 48,
44, 49, 39, 56, 34, 53,
46, 42, 50, 36, 29, 32};
static int perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2,
60, 52, 44, 36, 28, 20, 12, 4,
62, 54, 46, 38, 30, 22, 14, 6,
64, 56, 48, 40, 32, 24, 16, 8,
57, 49, 41, 33, 25, 17, 9, 1,
59, 51, 43, 35, 27, 19, 11, 3,
61, 53, 45, 37, 29, 21, 13, 5,
63, 55, 47, 39, 31, 23, 15, 7};
static int perm4[48] = { 32, 1, 2, 3, 4, 5,
4, 5, 6, 7, 8, 9,
8, 9, 10, 11, 12, 13,
12, 13, 14, 15, 16, 17,
16, 17, 18, 19, 20, 21,
20, 21, 22, 23, 24, 25,
24, 25, 26, 27, 28, 29,
28, 29, 30, 31, 32, 1};
static int perm5[32] = { 16, 7, 20, 21,
29, 12, 28, 17,
1, 15, 23, 26,
5, 18, 31, 10,
2, 8, 24, 14,
32, 27, 3, 9,
19, 13, 30, 6,
22, 11, 4, 25};
static int perm6[64] ={ 40, 8, 48, 16, 56, 24, 64, 32,
39, 7, 47, 15, 55, 23, 63, 31,
38, 6, 46, 14, 54, 22, 62, 30,
37, 5, 45, 13, 53, 21, 61, 29,
36, 4, 44, 12, 52, 20, 60, 28,
35, 3, 43, 11, 51, 19, 59, 27,
34, 2, 42, 10, 50, 18, 58, 26,
33, 1, 41, 9, 49, 17, 57, 25};
static int sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};
static int sbox[8][4][16] = {
{{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7},
{0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8},
{4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0},
{15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}},
{{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10},
{3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5},
{0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15},
{13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}},
{{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8},
{13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1},
{13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7},
{1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}},
{{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15},
{13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9},
{10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4},
{3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}},
{{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9},
{14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6},
{4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14},
{11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}},
{{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11},
{10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8},
{9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6},
{4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}},
{{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1},
{13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6},
{1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2},
{6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}},
{{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7},
{1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2},
{7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8},
{2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}};
static void permute(char *out, char *in, int *p, int n)
{
int i;
for (i=0;i<n;i++)
out[i] = in[p[i]-1];
}
static void lshift(char *d, int count, int n)
{
char out[64];
int i;
for (i=0;i<n;i++)
out[i] = d[(i+count)%n];
for (i=0;i<n;i++)
d[i] = out[i];
}
static void concat(char *out, char *in1, char *in2, int l1, int l2)
{
while (l1--)
*out++ = *in1++;
while (l2--)
*out++ = *in2++;
}
static void xor(char *out, char *in1, char *in2, int n)
{
int i;
for (i=0;i<n;i++)
out[i] = in1[i] ^ in2[i];
}
static void dohash(char *out, char *in, char *key)
{
int i, j, k;
char pk1[56];
char c[28];
char d[28];
char cd[56];
char ki[16][48];
char pd1[64];
char l[32], r[32];
char rl[64];
permute(pk1, key, perm1, 56);
for (i=0;i<28;i++)
c[i] = pk1[i];
for (i=0;i<28;i++)
d[i] = pk1[i+28];
for (i=0;i<16;i++) {
lshift(c, sc[i], 28);
lshift(d, sc[i], 28);
concat(cd, c, d, 28, 28);
permute(ki[i], cd, perm2, 48);
}
permute(pd1, in, perm3, 64);
for (j=0;j<32;j++) {
l[j] = pd1[j];
r[j] = pd1[j+32];
}
for (i=0;i<16;i++) {
char er[48];
char erk[48];
char b[8][6];
char cb[32];
char pcb[32];
char r2[32];
permute(er, r, perm4, 48);
xor(erk, er, ki[i], 48);
for (j=0;j<8;j++)
for (k=0;k<6;k++)
b[j][k] = erk[j*6 + k];
for (j=0;j<8;j++) {
int m, n;
m = (b[j][0]<<1) | b[j][5];
n = (b[j][1]<<3) | (b[j][2]<<2) | (b[j][3]<<1) | b[j][4];
for (k=0;k<4;k++)
b[j][k] = (sbox[j][m][n] & (1<<(3-k)))?1:0;
}
for (j=0;j<8;j++)
for (k=0;k<4;k++)
cb[j*4+k] = b[j][k];
permute(pcb, cb, perm5, 32);
xor(r2, l, pcb, 32);
for (j=0;j<32;j++)
l[j] = r[j];
for (j=0;j<32;j++)
r[j] = r2[j];
}
concat(rl, r, l, 32, 32);
permute(out, rl, perm6, 64);
}
static void str_to_key(unsigned char *str,unsigned char *key)
{
int i;
key[0] = str[0]>>1;
key[1] = ((str[0]&0x01)<<6) | (str[1]>>2);
key[2] = ((str[1]&0x03)<<5) | (str[2]>>3);
key[3] = ((str[2]&0x07)<<4) | (str[3]>>4);
key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5);
key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6);
key[6] = ((str[5]&0x3F)<<1) | (str[6]>>7);
key[7] = str[6]&0x7F;
for (i=0;i<8;i++) {
key[i] = (key[i]<<1);
}
}
static void smbhash(unsigned char *out, unsigned char *in, unsigned char *key)
{
int i;
char outb[64];
char inb[64];
char keyb[64];
unsigned char key2[8];
str_to_key(key, key2);
for (i=0;i<64;i++) {
inb[i] = (in[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
keyb[i] = (key2[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
outb[i] = 0;
}
dohash(outb, inb, keyb);
for (i=0;i<8;i++) {
out[i] = 0;
}
for (i=0;i<64;i++) {
if (outb[i])
out[i/8] |= (1<<(7-(i%8)));
}
}
void E_P16(unsigned char *p14,unsigned char *p16)
{
unsigned char sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
smbhash(p16, sp8, p14);
smbhash(p16+8, sp8, p14+7);
}
void E_P24(unsigned char *p21, unsigned char *c8, unsigned char *p24)
{
smbhash(p24, c8, p21);
smbhash(p24+8, c8, p21+7);
smbhash(p24+16, c8, p21+14);
}
void cred_hash1(unsigned char *out,unsigned char *in,unsigned char *key)
{
unsigned char buf[8];
smbhash(buf, in, key);
smbhash(out, buf, key+9);
}
void cred_hash2(unsigned char *out,unsigned char *in,unsigned char *key)
{
unsigned char buf[8];
static unsigned char key2[8];
smbhash(buf, in, key);
key2[0] = key[7];
smbhash(out, buf, key2);
}

View File

@ -0,0 +1,84 @@
#!/usr/bin/perl
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose of smbldap-groupadd : group (posix) add
use strict;
use smbldap_tools;
use Getopt::Std;
my %Options;
my $ok = getopts('og:?', \%Options);
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
print "Usage: $0 [-go?] groupname\n";
print " -g gid\n";
print " -o gid is not unique\n";
print " -? show this help message\n";
exit (1);
}
my $_groupName = $ARGV[0];
if (defined(get_group_dn($_groupName))) {
print "$0: group $_groupName exists\n";
exit (6);
}
my $_groupGidNumber = $Options{'g'};
if (!group_add($_groupName, $_groupGidNumber, $Options{'o'})) {
print "$0: error adding group $_groupName\n";
exit (6);
}
exit(0);
########################################
=head1 NAME
smbldap-groupadd.pl - Create a new group
=head1 SYNOPSIS
smbldap-groupadd.pl [-g gid [-o]] group
=head1 DESCRIPTION
The smbldap-groupadd.pl command creates a new group account using
the values specified on the command line and the default values
from the system. The new group will be entered into the system
files as needed. The options which apply to the groupadd command are
-g gid The numerical value of the group's ID. This value must be
unique, unless the -o option is used. The value must be non-
negative. The default is to use the smallest ID value greater
than 1000 and greater than every other group.
=head1 SEE ALSO
groupadd(1)
=cut
#'

View File

@ -0,0 +1,93 @@
#!/usr/bin/perl
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose of smbldap-groupdel : group (posix) deletion
use strict;
use smbldap_tools;
use smbldap_conf;
#####################
use Getopt::Std;
my %Options;
my $ok = getopts('?', \%Options);
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
print "Usage: $0 groupname\n";
print " -? show this help message\n";
exit (1);
}
my $_groupName = $ARGV[0];
my $dn_line;
if (!defined($dn_line = get_group_dn($_groupName))) {
print "$0: group $_groupName doesn't exist\n";
exit (6);
}
my $dn = get_dn_from_line($dn_line);
my $rc = system "$ldapdelete $dn >/dev/null";
die "$0: error while deleting group $_groupName\n"
unless ($rc == 0);
my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
system "/etc/init.d/nscd restart > /dev/null 2>&1";
}
#if (defined($dn_line = get_group_dn($_groupName))) {
# print "$0: failed to delete group\n";
# exit (7);
#}
exit (0);
############################################################
=head1 NAME
smbldap-groupdel.pl - Delete a group
=head1 SYNOPSIS
smbldap-groupdel.pl group
=head1 DESCRIPTION
The smbldap-groupdel.pl command modifies the system account files,
deleting all entries that refer to group. The named group must exist.
You must manually check all filesystems to insure that no files remain
with the named group as the file group ID.
=head1 SEE ALSO
groupdel(1)
=cut
#'

View File

@ -0,0 +1,211 @@
#!/usr/bin/perl
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose of smbldap-groupmod : group (posix) modification
use strict;
use smbldap_tools;
use smbldap_conf;
#####################
use Getopt::Std;
my %Options;
my $ok = getopts('og:n:m:x:?', \%Options);
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
print "Usage: $0 [-g gid [-o]] [-n name] [-m members(,)] [-x members (,)] groupname\n";
print " -g new gid\n";
print " -o gid is not unique\n";
print " -n new group name\n";
print " -m add members (comma delimited)\n";
print " -x delete members (comma delimted)\n";
print " -? show this help message\n";
exit (1);
}
my $groupName = $ARGV[0];
if (!defined(get_group_dn($groupName))) {
print "$0: group $groupName doesn't exist\n";
exit (6);
}
my $newname = $Options{'n'};
my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
system "/etc/init.d/nscd restart > /dev/null 2>&1";
}
my $gid = getgrnam($groupName);
my $tmp;
if (defined($tmp = $Options{'g'}) and $tmp =~ /\d+/) {
if (!defined($Options{'o'})) {
if (defined(getgrgid($tmp))) {
print "$0: gid $tmp exists\n";
exit (6);
}
}
if (!($gid == $tmp)) {
my $tmpldif =
"dn: cn=$groupName,$groupsdn
changetype: modify
replace: gidNumber
gidNumber: $tmp
";
die "$0: error while modifying group $groupName\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
}
}
if (defined($newname)) {
my $FILE="|$ldapmodrdn >/dev/null";
open (FILE, $FILE) || die "$!\n";
print FILE <<EOF;
cn=$groupName,$groupsdn
cn=$newname
EOF
;
close FILE;
die "$0: error while modifying group $groupName\n" if ($?);
my $tmpldif =
"dn: cn=$newname,$groupsdn
changetype: modify
delete: cn
-
add: cn
cn: $newname
";
die "$0: error while modifying group $groupName\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
}
# Add members
if (defined($Options{'m'})) {
my $members = $Options{'m'};
my @members = split( /,/, $members );
my $member;
foreach $member ( @members ) {
my $tmpldif =
"dn: cn=$groupName,$groupsdn
changetype: modify
add: memberUid
memberUid: $member
";
die "$0: error while modifying group $groupName\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
}
}
# Delete members
if (defined($Options{'x'})) {
my $members = $Options{'x'};
my @members = split( /,/, $members );
my $member;
foreach $member ( @members ) {
my $tmpldif =
"dn: cn=$groupName,$groupsdn
changetype: modify
delete: memberUid
memberUid: $member
";
die "$0: error while modifying group $groupName\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
}
}
$nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
system "/etc/init.d/nscd restart > /dev/null 2>&1";
}
exit (0);
############################################################
=head1 NAME
smbldap-groupmod.pl - Modify a group
=head1 SYNOPSIS
smbldap-groupmod.pl [-g gid [-o]] [-n group_name ] group
=head1 DESCRIPTION
The smbldap-groupmod.pl command modifies the system account files to
reflect the changes that are specified on the command line.
The options which apply to the smbldap-groupmod command are
-g gid The numerical value of the group's ID. This value must be
unique, unless the -o option is used. The value must be non-
negative. Any files which the old group ID is the file
group ID must have the file group ID changed manually.
-n group_name
The name of the group will be changed from group to group_name.
-m members
The members to be added to the group in comma-delimeted form.
-x members
The members to be removed from the group in comma-delimted form.
=head1 EXAMPLES
smbldap-groupmod.pl -g 253 development
This will change the GID of the 'development' group to '253'.
smbldap-groupmod.pl -n Idiots Managers
This will change the name of the 'Managers' group to 'Idiots'.
smbldap-groupmod.pl -m "jdoe,jsmith" "Domain Admins"
This will add 'jdoe' and 'jsmith' to the 'Domain Admins' group.
smbldap-groupmod.pl -x "jdoe,jsmith" "Domain Admins"
This will remove 'jdoe' and 'jsmith' from the 'Domain Admins' group.
=head1 SEE ALSO
groupmod(1)
=cut
#'

View File

@ -0,0 +1,72 @@
#!/usr/bin/perl
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose of smbldap-groupshow : user (posix,shadow,samba) display
#
# History :
# . originally by David Le Corfec <david.le-corfec@IDEALX.com>
use strict;
use smbldap_tools;
use Getopt::Std;
my %Options;
my $ok = getopts('?', \%Options);
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
print "Usage: $0 [-?] group\n";
print " -? show this help message\n";
exit (1);
}
# Read only first @ARGV
my $group = $ARGV[0];
my $lines = read_group($group);
if (!defined($lines)) {
print "$0: group $group doesn't exist\n";
exit (1);
}
print "$lines\n";
exit(0);
############################################################
=head1 NAME
smbldap-groupshow.pl - Display group informations
=head1 SYNOPSIS
smbldap-groupshow.pl groupname
=head1 DESCRIPTION
The smbldap-groupshow.pl command displays informations
associated with the given group.
=cut
#'

View File

@ -0,0 +1,234 @@
#!/usr/bin/perl
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose of smbldap-migrate-accounts : add NT sam entries from pwdump
# to ldap
use strict;
use Getopt::Std;
use smbldap_tools;
use smbldap_conf;
# smbldap-migrate.pl (-? for help)
#
# Read pwdump entries on stdin, and add them to the ldap server.
# Output uncreated/unmodified entries (see parameters -C -U)
# in pwdump format to stdout.
# Errors, debug and stats are output to stderr.
sub modify_account
{
my ($login, $basedn, $lmpwd, $ntpwd, $gecos, $homedir) = @_;
my $tmpldif =
"dn: uid=$login,$basedn
changetype: modify
lmpassword: $lmpwd
ntpassword: $ntpwd
gecos: $gecos
smbHome: $homedir
";
die "$0: error while modifying user $login\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
}
#####################
my %Options;
my $ok = getopts('awA:CUW:?', \%Options);
if ( (!$ok) || ($Options{'?'}) ) {
print "Usage: $0 [-awAWCU?]\n";
print " -a process only people, ignore computers\n";
print " -w process only computers, ignore persons\n";
print " -A <opts> option string passed verbatim to smbldap-useradd for persons\n";
print " -W <opts> option string passed verbatim to smbldap-useradd for computers\n";
print " -C if entry not found, don't create it and log it to stdout (default: create it)\n";
print " -U if entry found, don't update it and log it to stdout (default: update it)\n";
print " -? show this help message\n";
exit (1);
}
my %processed = ( 'user' => 0, 'machine' => 0);
my %created = ( 'user' => 0, 'machine' => 0);
my %updated = ( 'user' => 0, 'machine' => 0);
my %logged = ( 'user' => 0, 'machine' => 0);
my %errors = ( 'user' => 0, 'machine' => 0);
my %existing = ( 'user' => 0, 'machine' => 0);
my $specialskipped = 0;
while (<>)
{
my ($login, $rid, $lmpwd, $ntpwd, $gecos, $homedir, $b) = split(/:/, $_);
my $usertype;
my $userbasedn;
my $entry_type = 'user';
if ($login =~ m/.*\$$/ ) { # computer
$processed{'machine'}++;
$entry_type = 'machine';
if (defined($Options{'a'})) {
print STDERR "ignoring $login\n";
next;
}
$usertype = "-w $Options{'W'}";
$userbasedn = $computersdn;
}
else { # people
$processed{'user'}++;
if (defined($Options{'w'})) {
print STDERR "ignoring $login\n";
next;
}
if ($rid < 1000) {
$specialskipped++;
print STDERR "$login seems to be a special Win account (rid=$rid), skipping\n";
next;
}
$usertype = "-a $Options{'A'}";
$userbasedn = $usersdn;
}
# normalize homedir
# uncomment to replace configured share with share from pwdump
# if ($homedir eq "") {
$homedir = $_userSmbHome;
# }
# normalize gecos
if (!($gecos eq "")) {
$gecos =~ tr/ÁÀÂÄáàâäÇçÉÈÊËÆéèêëæÍÌÏÎíìîÏÑñÓÒÔÖóòôöÚÙÜÛúùüûÝýÿ/AAAAaaaaCcEEEEEeeeeeIIIIiiiiNnOOOOooooUUUUuuuuYyy/;
} else {
$gecos = $_userGecos;
}
my $user_exists = is_samba_user($login);
if (!$user_exists) {
if (!defined($Options{'C'})) {
# uid doesn't exist and we want to create it
my $addcmd = "/usr/local/sbin/smbldap-useradd.pl $usertype $login > /dev/null";
print STDERR "$addcmd\n";
my $r = system "$addcmd";
if ($r != 0) {
print STDERR "error adding $login, skipping\n";
next;
}
# lem modif... a retirer si pb
if ($entry_type eq "user")
{
modify_account($login, $userbasedn, $lmpwd, $ntpwd, $gecos, $homedir);
}
$created{$entry_type}++;
}
else { # uid doesn't exist and no create => log
print "$_";
$logged{$entry_type}++;
}
}
else { # account exists
$existing{$entry_type}++;
if (!defined($Options{'U'})) { # exists and modify
modify_account($login, $userbasedn, $lmpwd, $ntpwd, $gecos, $homedir);
$updated{$entry_type}++;
}
else { # exists and log
print "$_";
$logged{$entry_type}++;
}
}
}
my $sum;
$sum = $processed{'user'} + $processed{'machine'};
print STDERR "processed: all=$sum user=$processed{'user'} machine=$processed{'machine'}\n";
$sum = $existing{'user'} + $existing{'machine'};
print STDERR "existing: all=$sum user=$existing{'user'} machine=$existing{'machine'}\n";
$sum = $created{'user'} + $created{'machine'};
print STDERR "created: all=$sum user=$created{'user'} machine=$created{'machine'}\n";
$sum = $updated{'user'} + $updated{'machine'};
print STDERR "updated: all=$sum user=$updated{'user'} machine=$updated{'machine'}\n";
$sum = $logged{'user'} + $logged{'machine'};
print STDERR "logged: all=$sum user=$logged{'user'} machine=$logged{'machine'}\n";
print STDERR "special users skipped: $specialskipped\n";
########################################
=head1 NAME
smbldap-migrate.pl - Migrate NT accounts to LDAP
=head1 SYNOPSIS
smbldap-migrate.pl [-a] [-w] [-A opts] [-W opts] [-C] [-U] [-?]
=head1 DESCRIPTION
This command reads from stdin account entries as created by pwdump,
a tool to dump an user database on NT.
Depending of the options, some account entries may be output on
stdout. All errors and informations are sent to stderr.
-a process only people, ignore computers
-w process only computers, ignore persons
-A opts
a string containing arguments to pass verbatim to
smbldap-useradd when adding users, eg "-m -x".
You don't have to specify -a in this string.
-W opts
a string containing arguments to pass verbatim to
smbldap-useradd when adding computers, eg "-m -x".
You don't have to specify -w in this string.
-C if NT account not found in LDAP, don't create it and log it to stdout
(default: create it)
-U if NT account found in LDAP, don't update it and log it to stdout
(default: update it)
-? show the help message
=cut
#'
# The End

View File

@ -0,0 +1,225 @@
#!/usr/bin/perl
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose of smbldap-migrate-groups : to parse a Windows
# group dump and populate Unix groups
# Reads group dump on stdin
use strict;
use smbldap_tools;
use smbldap_conf;
use Getopt::Std;
sub process_rec_group
{
my ($group, $mb) = @_;
my @members;
if (!(@members = group_get_members($group))) {
return 0;
}
foreach my $m (@members) {
if ( !($m =~ m/^\*/) ) {
push @{$mb}, $m;
} else {
my $gname = $m;
$gname =~ s/^.//;
if (!process_rec_group($gname, $mb)) {
print "recursive group not added : $gname\n";
}
}
}
}
# given a group dn and a list of members, update the group
sub modify_group
{
my ($group, $dn_line, @members, $recgroup) = @_;
my $m;
my @new_mb;
foreach $m (@members) {
if ( ($m =~ m/^\*/) ) {
my $gname = $m;
$gname =~ s/^.//;
if (!$recgroup) {
print "recursive group not added : $gname\n";
} else {
if (!process_rec_group($gname, \@new_mb)) {
print "recursive group not added : $gname\n";
}
}
} else {
push @new_mb, $m;
}
}
# new_mb contains flat members from group dump
# now append them to existing members
push @new_mb, group_get_members($group);
# uniq them
my %saw;
@saw{@new_mb} = ();
@new_mb = keys %saw;
my $nmb = $#new_mb + 1;
print STDERR "Group $group now has $nmb member(s)\n";
my $mbs;
foreach $m (@new_mb) {
$mbs .= "memberUid: $m\n";
}
my $mods="$dn_line
changetype: modify
replace: memberUid
$mbs
";
#print "$mods\n";
my $tmpldif =
"$mods
";
die "$0: error while modifying group $group\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
}
sub display_group
{
my ($group, @members) = @_;
print "Group name $group\n";
print "Members\n";
my $m;
my $i = 0;
foreach $m (@members) {
print "$m ";
if ($i % 5 == 0) {
print "\n";
}
$i++;
}
}
sub process_group
{
my ($group, @members, $nocreate, $noupdate, $recgroup) = @_;
my $dn_line;
if (!defined($dn_line = get_group_dn($group))) {
# group not found, create it ?
if (!$nocreate) {
system "/usr/local/sbin/smbldap-groupadd.pl \"$group\"; sleep 5";
if (!defined($dn_line = get_group_dn($group))) {
return 1;
}
modify_group($group, $dn_line, @members, $recgroup);
} else {
# don't create
print "not created:\n";
display_group($group, @members);
}
} else {
# group found, update it ?
if (!$noupdate) {
modify_group($group, $dn_line, @members, $recgroup);
} else {
# don't update
print "not updated:\n";
display_group($group, @members);
}
}
}
###################################################
my %Options;
my $ok = getopts('CUr?', \%Options);
if ( (!$ok) || ($Options{'?'}) ) {
print "Usage: $0 [-CUr?] < group_dump\n";
print " -C don't create group if it doesn't exist\n";
print " -U don't update group if it exists\n";
print " -r recursively process groups\n";
exit(1);
}
my $group_name;
my $group_desc;
my $has_members = 0;
my @members = ();
while (<>)
{
my $line = $_;
chomp($line);
next if ( $line =~ m/^\s*$/ );
if ($group_name eq "") {
if ( $line =~ m/^Group name\s+(.+).$/ ) {
$group_name = $1;
next;
}
}
if ($group_desc eq "") {
if ( $line =~ m/^Comment\s+(.*)$/ ) {
$group_desc = $1;
next;
}
}
next if ( $line =~ m/^-+.$/ );
if (!$has_members) {
if ( $line =~ m/^Members/ ) {
$has_members = 1;
next;
}
} else {
if ( $line =~ m/^The command completed successfully/ ) {
last;
} else {
push(@members, split(/\s+/, $line));
next;
}
}
#print;
}
if ( $#members > -1) {
process_group($group_name, @members, $Options{'C'}, $Options{'U'}, $Options{'r'});
}
#print "gn=$group_name\n";
#print "gd=$group_desc\n";
#my $m;
#foreach $m (@members)
#{
# print "$m ";
#}
#print "\n";

View File

@ -0,0 +1,215 @@
#!/usr/bin/perl
# LDAP to unix password sync script for samba
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . ldap-unix passwd sync for SAMBA-2.2.2 + LDAP
# . may also replace /bin/passwd
use strict;
use smbldap_tools;
use smbldap_conf;
my $user;
my $oldpass;
my $ret;
my $arg;
foreach $arg (@ARGV) {
if ($< != 0) {
die "Only root can specify parameters\n";
} else {
if ( ($arg eq '-?') || ($arg eq '--help') ) {
print "Usage: $0 [username]\n";
print " -?, --help show this help message\n";
exit (6);
} elsif (substr($arg,0) ne '-') {
$user = $arg;
}
$oldpass = 1;
}
}
if (!defined($user)) {
$user=$ENV{"USER"};
}
# test existence of user in LDAP
my $dn_line;
if (!defined($dn_line = get_user_dn($user))) {
print "$0: user $user doesn't exist\n";
exit (10);
}
my $dn = get_dn_from_line($dn_line);
my $samba = is_samba_user($user);
print "Changing password for $user\n";
# non-root user
if (!defined($oldpass)) {
# prompt for current password
system "stty -echo";
print "(current) UNIX password: ";
chomp($oldpass=<STDIN>);
print "\n";
system "stty echo";
if (!is_user_valid($user, $dn, $oldpass)) {
print "Authentication failure\n";
exit (10);
}
}
# prompt for new password
my $pass;
my $pass2;
system "stty -echo";
print "New password : ";
chomp($pass=<STDIN>);
print "\n";
system "stty echo";
system "stty -echo";
print "Retype new password : ";
chomp($pass2=<STDIN>);
print "\n";
system "stty echo";
if ($pass ne $pass2) {
print "New passwords don't match!\n";
exit (10);
}
# only modify smb passwords if smb user
if ($samba == 1) {
if (!$with_smbpasswd) {
# generate LanManager and NT clear text passwords
if ($mk_ntpasswd eq '') {
print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n";
exit(1);
}
my $ntpwd = `$mk_ntpasswd '$pass'`;
chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':')));
chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1));
# change nt/lm passwords
my $tmpldif =
"$dn_line
changetype: modify
replace: lmpassword
lmpassword: $lmpassword
-
changetype: modify
replace: ntpassword
ntpassword: $ntpassword
-
";
die "$0: error while modifying password for $user\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
}
else {
if ($< != 0) {
my $FILE="|$smbpasswd -s >/dev/null";
open (FILE, $FILE) || die "$!\n";
print FILE <<EOF;
'$oldpass'
'$pass'
'$pass'
EOF
;
close FILE;
} else {
my $FILE="|$smbpasswd $user -s >/dev/null";
open (FILE, $FILE) || die "$!\n";
print FILE <<EOF;
'$pass'
'$pass'
EOF
;
close FILE;
}
}
}
# change unix password
$ret = system "$ldappasswd $dn -s '$pass' > /dev/null";
if ($ret == 0) {
print "all authentication tokens updated successfully\n";
} else {
return $ret;
}
exit 0;
# - The End
=head1 NAME
smbldap-passwd.pl - change user password
=head1 SYNOPSIS
smbldap-passwd.pl [name]
=head1 DESCRIPTION
smbldap-passwd.pl changes passwords for user accounts. A normal user
may only change the password for their own account, the super user may
change the password for any account.
Password Changes
The user is first prompted for their old password, if one is present.
This password is then tested against the stored password by binding
to the server. The user has only one chance to enter the correct pass-
word. The super user is permitted to bypass this step so that forgot-
ten passwords may be changed.
The user is then prompted for a replacement password. As a general
guideline, passwords should consist of 6 to 8 characters including
one or more from each of following sets:
Lower case alphabetics
Upper case alphabetics
Digits 0 thru 9
Punctuation marks
passwd will prompt again and compare the second entry against the first.
Both entries are require to match in order for the password to be
changed.
=head1 SEE ALSO
passwd(1)
=cut
#'

View File

@ -0,0 +1,294 @@
#!/usr/bin/perl
# Populate a LDAP base for Samba-LDAP usage
#
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . Create an initial LDAP database suitable for Samba 2.2
# . For lazy people, replace ldapadd (with only an ldif parameter)
use strict;
use smbldap_tools;
use smbldap_conf;
use Getopt::Std;
use vars qw(%oc);
# objectclass of the suffix
%oc = (
"ou" => "organizationalUnit",
"o" => "organization",
"dc" => "dcObject",
);
my %Options;
my $ok = getopts('a:b:?', \%Options);
if ( (!$ok) || ($Options{'?'}) ) {
print "Usage: $0 [-ab?] [ldif]\n";
print " -a administrator login name (default: Administrator)\n";
print " -b guest login name (default: nobody)\n";
print " -? show this help message\n";
print " ldif file to add to ldap (default: suffix, Groups,";
print " Users, Computers and builtin users )\n";
exit (1);
}
my $_ldifName;
if (@ARGV >= 1) {
$_ldifName = $ARGV[0];
}
my $adminName = $Options{'a'};
if (!defined($adminName)) {
$adminName = "Administrator";
}
my $guestName = $Options{'b'};
if (!defined($guestName)) {
$guestName = "nobody";
}
if (!defined($_ldifName)) {
my $attr;
my $val;
my $objcl;
if ($suffix =~ m/([^=]+)=([^,]+)/) {
$attr = $1;
$val = $2;
$objcl = $oc{$attr} if (exists $oc{$attr});
if (!defined($objcl)) {
$objcl = "myhardcodedobjectclass";
}
} else {
die "can't extract first attr and value from suffix $suffix";
}
#print "$attr=$val\n";
#my $FILE="|cat";
my $FILE="|$ldapadd -c";
open (FILE, $FILE) || die "$!\n";
print FILE <<EOF;
dn: $suffix
objectClass: $objcl
$attr: $val
dn: $usersdn
objectClass: organizationalUnit
ou: $usersou
dn: $groupsdn
objectClass: organizationalUnit
ou: $groupsou
dn: $computersdn
objectClass: organizationalUnit
ou: $computersou
dn: uid=$adminName,$usersdn
cn: $adminName
objectClass: sambaAccount
objectClass: posixAccount
gidNumber: 512
uid: $adminName
uidNumber: 998
homeDirectory: $_userHomePrefix
pwdLastSet: 0
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
smbHome: $_userSmbHome
homeDrive: $_userHomeDrive
profilePath: $_userProfile
rid: 500
primaryGroupID: 512
lmPassword: XXX
ntPassword: XXX
acctFlags: [U ]
loginShell: /bin/false
gecos: Netbios Domain Administrator
dn: uid=$guestName,$usersdn
cn: $guestName
objectClass: sambaAccount
objectClass: posixAccount
gidNumber: 514
uid: $guestName
uidNumber: 999
homeDirectory: /dev/null
pwdLastSet: 0
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
smbHome: $_userSmbHome
homeDrive: $_userHomeDrive
profilePath: $_userProfile
rid: 501
primaryGroupID: 514
lmPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
ntPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
acctFlags: [NU ]
loginShell: /bin/false
dn: cn=Domain Admins,$groupsdn
objectClass: posixGroup
gidNumber: 512
cn: Domain Admins
memberUid: $adminName
description: Netbios Domain Administrators (need smb.conf configuration)
dn: cn=Domain Users,$groupsdn
objectClass: posixGroup
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users (not implemented yet)
dn: cn=Domain Guests,$groupsdn
objectClass: posixGroup
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users (not implemented yet)
dn: cn=Administrators,$groupsdn
objectClass: posixGroup
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/domain (not implemented yet)
dn: cn=Users,$groupsdn
objectClass: posixGroup
gidNumber: 545
cn: Users
description: Netbios Domain Ordinary users (not implemented yet)
dn: cn=Guests,$groupsdn
objectClass: posixGroup
gidNumber: 546
cn: Guests
memberUid: $guestName
description: Netbios Domain Users granted guest access to the computer/domain (not implemented yet)
dn: cn=Power Users,$groupsdn
objectClass: posixGroup
gidNumber: 547
cn: Power Users
description: Netbios Domain Members can share directories and printers (not implemented yet)
dn: cn=Account Operators,$groupsdn
objectClass: posixGroup
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts (not implemented yet)
dn: cn=Server Operators,$groupsdn
objectClass: posixGroup
gidNumber: 549
cn: Server Operators
description: Netbios Domain Server Operators (need smb.conf configuration)
dn: cn=Print Operators,$groupsdn
objectClass: posixGroup
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators (need smb.conf configuration)
dn: cn=Backup Operators,$groupsdn
objectClass: posixGroup
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files (not implemented yet)
dn: cn=Replicator,$groupsdn
objectClass: posixGroup
gidNumber: 552
cn: Replicator
description: Netbios Domain Supports file replication in a domain (not implemented yet)
dn: cn=Domain Computers,$groupsdn
objectClass: posixGroup
gidNumber: 553
cn: Domain Computers
description: Netbios Domain Computers accounts
EOF
close FILE;
exit($?)
} else {
exec "$ldapadd < $_ldifName";
}
exit(0);
########################################
=head1 NAME
smbldap-populate.pl - Populate your LDAP database
=head1 SYNOPSIS
smbldap-populate.pl [ldif-file]
=head1 DESCRIPTION
The smbldap-populate.pl command helps to populate an LDAP server
by adding the necessary entries : base suffix (doesn't abort
if already there), organizational units for users, groups and
computers, builtin users : Administrator and guest, builtin
groups (though posixAccount only, no SambaTNG support).
-a name Your local administrator login name (default: Administrator)
-b name Your local guest login name (default: nobody)
If you give an extra parameter, it is assumed to be the ldif
file to use instead of the builtin one. Options -a and -b
will be ignored. This usage mode makes the command behave
like ldapadd(1) with extra parameters taken from the smbldap-tools
config (smbldap_conf.pm).
=head1 FILES
/usr/lib/perl5/site-perl/smbldap_conf.pm : Global parameters.
=head1 SEE ALSO
smp(1)
=cut
#'
# - The End

View File

@ -0,0 +1,169 @@
# $Source: /data/src/mirror/cvs/samba/examples/LDAP/smbldap-tools/smbldap-tools.spec,v $
%define version 0.7
%define release 1
%define name smbldap-tools
%define realname smbldap-tools
Summary: User & Group administration tools for Samba-OpenLDAP
Name: %{name}
version: %{version}
Release: %{release}
Group: System Environment/Base
License: GPL
Vendor: IDEALX S.A.S.
URL: http://samba.IDEALX.org/
Packager: Olivier Lemaire <olivier.lemaire@IDEALX.com>
Source0: smbldap-groupadd.pl
Source1: smbldap-groupdel.pl
Source2: smbldap-groupmod.pl
Source3: smbldap-groupshow.pl
Source4: smbldap-passwd.pl
Source5: smbldap-useradd.pl
Source6: smbldap-userdel.pl
Source7: smbldap-usermod.pl
Source8: smbldap-usershow.pl
Source9: smbldap_conf.pm
Source10: smbldap_tools.pm
Source11: CONTRIBUTORS
Source12: COPYING
Source13: ChangeLog
Source14: FILES
Source15: README
Source16: TODO
Source17: mkntpwd.tar.gz
Source18: smbldap-populate.pl
Source19: smbldap-migrate-accounts.pl
Source20: smbldap-migrate-groups.pl
Source21: INFRA
BuildRoot: /%{_tmppath}/%{name}
Prefix: /usr/local
BuildRequires: perl >= 5.6
Requires: perl >= 5.6, openldap, openldap-clients, samba
%description
In settings with OpenLDAP and Samba-LDAP servers, this collection is
useful to add, modify and delete users and groups, and to change
Unix and Samba passwords. In those context they replace the system
tools to manage users, groups and passwords.
%prep
%setup -c -T
%build
tar zxvf %{SOURCE17}
cd mkntpwd
make
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/%{prefix}/sbin
mkdir -p $RPM_BUILD_ROOT/%{prefix}/share
mkdir -p $RPM_BUILD_ROOT/%{prefix}/share/doc
mkdir -p $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools
cd mkntpwd ; make PREFIX=$RPM_BUILD_ROOT/%{prefix} install
install -m 550 %{SOURCE0} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-groupadd.pl
install -m 550 %{SOURCE1} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-groupdel.pl
install -m 550 %{SOURCE2} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-groupmod.pl
install -m 555 %{SOURCE3} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-groupshow.pl
install -m 555 %{SOURCE4} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-passwd.pl
install -m 550 %{SOURCE5} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-useradd.pl
install -m 550 %{SOURCE6} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-userdel.pl
install -m 550 %{SOURCE7} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-usermod.pl
install -m 555 %{SOURCE8} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-usershow.pl
install -m 550 %{SOURCE18} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-populate.pl
install -m 751 %{SOURCE9} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap_conf.pm
install -m 555 %{SOURCE10} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap_tools.pm
install -m 550 %{SOURCE19} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-migrate-accounts.pl
install -m 550 %{SOURCE20} $RPM_BUILD_ROOT/%{prefix}/sbin/smbldap-migrate-groups.pl
install -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/CONTRIBUTORS
install -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/COPYING
install -m 644 %{SOURCE13} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/ChangeLog
install -m 644 %{SOURCE14} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/FILES
install -m 644 %{SOURCE15} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/README
install -m 644 %{SOURCE16} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/TODO
install -m 644 %{SOURCE21} $RPM_BUILD_ROOT/%{prefix}/share/doc/smbldap-tools/INFRA
%clean
rm -rf $RPM_BUILD_ROOT
%post
ln -sf %{prefix}/sbin/smbldap_tools.pm /usr/lib/perl5/site_perl/smbldap_tools.pm
ln -sf %{prefix}/sbin/smbldap_conf.pm /usr/lib/perl5/site_perl/smbldap_conf.pm
chgrp 512 %{prefix}/sbin/smbldap-useradd.pl %{prefix}/sbin/smbldap_conf.pm || echo "An error occured while changing groups of smbldap-useradd.pl and smbldap_conf.pm in /usr/local/sbin. For proper operations, please ensure that they have the same posix group as the Samba domain administrator if there's a local Samba PDC."
perl -i -pe 's/_SLAVELDAP_/localhost/' %{prefix}/sbin/smbldap_conf.pm
perl -i -pe 's/_MASTERLDAP_/localhost/' %{prefix}/sbin/smbldap_conf.pm
perl -i -pe 's/_SUFFIX_/dc=IDEALX,dc=org/' %{prefix}/sbin/smbldap_conf.pm
perl -i -pe 's/_USERS_/Users/' %{prefix}/sbin/smbldap_conf.pm
perl -i -pe 's/_COMPUTERS_/Computers/' %{prefix}/sbin/smbldap_conf.pm
perl -i -pe 's/_GROUPS_/Groups/' %{prefix}/sbin/smbldap_conf.pm
perl -i -pe 's/_LOGINSHELL_/\/bin\/bash/' %{prefix}/sbin/smbldap_conf.pm
perl -i -pe 's/_USERHOMEPREFIX_/\/home\//' %{prefix}/sbin/smbldap_conf.pm
perl -i -pe 's/_BINDDN_/cn=Manager,\$suffix/' %{prefix}/sbin/smbldap_conf.pm
perl -i -pe 's/_BINDPW_/secret/' %{prefix}/sbin/smbldap_conf.pm
perl -i -pe 's/_PDCNAME_/PDC-SRV/' %{prefix}/sbin/smbldap_conf.pm
perl -i -pe 's/_HOMEDRIVE_/D/' %{prefix}/sbin/smbldap_conf.pm
# FIXME: links should not be removed on upgrade
#%postun
#if [ $1 = 0 ] ; then
# rm -f /usr/lib/perl5/site_perl/smbldap_tools.pm
# rm -f /usr/lib/perl5/site_perl/smbldap_conf.pm
#fi
%files
%defattr(-,root,root)
%{prefix}/sbin/*.pl
%{prefix}/sbin/smbldap_tools.pm
%config %{prefix}/sbin/smbldap_conf.pm
%{prefix}/sbin/mkntpwd
%doc %{prefix}/share/doc/%{name}/TODO
%doc %{prefix}/share/doc/%{name}/README
%doc %{prefix}/share/doc/%{name}/CONTRIBUTORS
%doc %{prefix}/share/doc/%{name}/FILES
%doc %{prefix}/share/doc/%{name}/COPYING
%changelog
* Sat Jun 1 2002 Olivier Lemaire <olem@IDEALX.com> 0.7-1
- some bugfixes about smbldap-populate
- bugfixed the smbpasswd call in smbldap-useradd
- cleaned up the smbldap_conf
- more documentation
* Tue Apr 30 2002 Brad Langhorst <brad@langhorst.com> 0.6-2
- changed requires samba-common to samba
- replaced /usr/local with %{prefix} to allow relocation
* Tue Feb 5 2002 David Le Corfec <dlc@IDEALX.com> 0.6-1
- v0.6
* Mon Feb 4 2002 David Le Corfec <dlc@IDEALX.com> 0.5-1
- v0.5
* Mon Jan 14 2002 David Le Corfec <dlc@IDEALX.com> 0.3-4
- internal changes
- should upgrade smoothly from now on
* Mon Jan 14 2002 David Le Corfec <dlc@IDEALX.com> 0.2-1
- added migration scripts
* Fri Dec 28 2001 David Le Corfec <dlc@IDEALX.com> 0.1-5
- numeric group for chmod
* Thu Dec 27 2001 David Le Corfec <dlc@IDEALX.com> 0.1-4
- misc bugfixes
* Mon Dec 18 2001 David Le Corfec <dlc@IDEALX.com> 0.1-3
- changed files attrs for domain admins to add users
- added smbldap-populate.pl
* Fri Dec 14 2001 David Le Corfec <dlc@IDEALX.com>
- added mkntpwd
* Wed Dec 12 2001 Olivier Lemaire <olivier.lemaire@IDEALX.com>
- Spec file was generated, and tested atomically.

View File

@ -0,0 +1,460 @@
#!/usr/bin/perl
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose of smbldap-useradd : user (posix,shadow,samba) add
use strict;
use smbldap_tools;
use smbldap_conf;
#####################
use Getopt::Std;
my %Options;
my $ok = getopts('axnmwPG:u:g:d:s:c:k:A:B:C:D:E:F:H:?', \%Options);
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
print "Usage: $0 [-awmugdsckGPABCDEFH?] username\n";
print " -a is a Windows User (otherwise, Posix stuff only)\n";
print " -w is a Windows Workstation (otherwise, Posix stuff only)\n";
print " -x creates rid and primaryGroupID in hex instead of decimal\n";
print " -u uid\n";
print " -g gid\n";
print " -G supplementary comma-separated groups\n";
print " -n do not create a group\n";
print " -d home\n";
print " -s shell\n";
print " -c gecos\n";
print " -m creates home directory and copies /etc/skel\n";
print " -k skeleton dir (with -m)\n";
print " -P ends by invoking smbldap-passwd.pl\n";
print " -A can change password ? 0 if no, 1 if yes\n";
print " -B must change password ? 0 if no, 1 if yes\n";
print " -C smbHome (SMB home share, like '\\\\PDC-SRV\\homes')\n";
print " -D homeDrive (letter associated with home share, like 'H:')\n";
print " -E scriptPath (DOS script to execute on login)\n";
print " -F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n";
print " -H acctFlags (samba account control bits like '[NDHTUMWSLKI]')\n";
print " -? show this help message\n";
exit (1);
}
# cause problems when dealing with getpwuid because of the
# negative ttl and ldap modification
my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
system "/etc/init.d/nscd stop > /dev/null 2>&1";
}
# Read options
my $userUidNumber = $Options{'u'};
if (!defined($userUidNumber)) {
# find first unused uid starting from $UID_START
while (defined(getpwuid($UID_START))) {
$UID_START++;
}
$userUidNumber = $UID_START;
} elsif (getpwuid($userUidNumber)) { die "Uid already exists.\n"; }
if ($nscd_status == 0) {
system "/etc/init.d/nscd start > /dev/null 2>&1";
}
# as rid we use 2 * uid + 1000
my $userRid = 2 * $userUidNumber + 1000;
if (defined($Options{'x'})) {
$userRid= sprint("%x", $userRid);
}
my $createGroup = 0;
my $userGidNumber = $Options{'g'};
# gid not specified ?
if (!defined($userGidNumber)) {
# windows machine => $_defaultComputerGid
if (defined($Options{'w'})) {
$userGidNumber = $_defaultComputerGid;
# } elsif (!defined($Options{'n'})) {
# create new group (redhat style)
# find first unused gid starting from $GID_START
# while (defined(getgrgid($GID_START))) {
# $GID_START++;
# }
# $userGidNumber = $GID_START;
# $createGroup = 1;
} else {
# user will have gid = $_defaultUserGid
$userGidNumber = $_defaultUserGid;
}
} else {
my $gid;
if (($gid = parse_group($userGidNumber)) < 0) {
print "$0: unknown group $userGidNumber\n";
exit (6);
}
$userGidNumber = $gid;
}
# as grouprid we use 2 * gid + 1001
my $userGroupRid = 2 * $userGidNumber + 1001;
if (defined($Options{'x'})) {
$userGroupRid = sprint("%x", $userGroupRid);
}
# Read only first @ARGV
my $userName = $ARGV[0];
# user must not exist in LDAP (should it be nss-wide ?)
my ($rc, $dn) = get_user_dn2($userName);
if ($rc and defined($dn)) {
print "$0: user $userName exists\n";
exit (9);
} elsif (!$rc) {
print "$0: error in get_user_dn2\n";
exit(10);
}
my $userHomeDirectory;
my $tmp;
if (!defined($userHomeDirectory = $Options{'d'}))
{
$userHomeDirectory = $_userHomePrefix.$userName;
}
$_userLoginShell = $tmp if (defined($tmp = $Options{'s'}));
$_userGecos = $tmp if (defined($tmp = $Options{'c'}));
$_skeletonDir = $tmp if (defined($tmp = $Options{'k'}));
########################
# MACHINE ACCOUNT
if (defined($tmp = $Options{'w'})) {
# add a trailing dollar if missing
if ($userName =~ /[^\$]$/s) {
$userName .= "\$";
}
#print "About to create machine $userName:\n";
if (!add_posix_machine ($userName, $userUidNumber, $userGidNumber)) {
die "$0: error while adding posix account\n";
}
if (!$with_smbpasswd) {
if (!add_samba_machine_mkntpwd($userName, $userUidNumber)) {
die "$0: error while adding samba account\n";
}
} else {
if (!add_samba_machine($userName)) {
die "$0: error while adding samba account\n";
}
my $tmpldif =
"dn: uid=$userName,$computersdn
changetype: modify
acctFlags: [W ]
";
die "$0: error while modifying accountflags of $userName\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
}
exit 0;
}
#######################
# USER ACCOUNT
# add posix account first
my $tmpldif =
"dn: uid=$userName,$usersdn
objectclass: top
objectclass: account
objectclass: posixAccount
cn: $userName
uid: $userName
uidNumber: $userUidNumber
gidNumber: $userGidNumber
homeDirectory: $userHomeDirectory
loginShell: $_userLoginShell
gecos: $_userGecos
description: $_userGecos
userPassword: {crypt}x
";
die "$0: error while adding posix user $userName\n"
unless (do_ldapadd($tmpldif) == 0);
undef $tmpldif;
#if ($createGroup) {
# group_add($userName, $userGidNumber);
#}
group_add_user($userGidNumber, $userName);
my $grouplist;
# adds to supplementary groups
if (defined($grouplist = $Options{'G'})) {
add_grouplist_user($grouplist, $userName);
}
# If user was created successfully then we should create his/her home dir
if (defined($tmp = $Options{'m'})) {
if ( !(-e $userHomeDirectory) ) {
system "mkdir $userHomeDirectory 2>/dev/null";
system "cp -a $_skeletonDir/.[a-z,A-Z]* $_skeletonDir/* $userHomeDirectory 2>/dev/null";
system "chown -R $userUidNumber:$userGidNumber $userHomeDirectory 2>/dev/null";
system "chmod 700 $userHomeDirectory 2>/dev/null";
}
}
# Add Samba user infos
if (defined($Options{'a'})) {
if (!$with_smbpasswd) {
my $winmagic = 2147483647;
my $valpwdcanchange = 0;
my $valpwdmustchange = $winmagic;
my $valacctflags = "[UX]";
if (defined($tmp = $Options{'A'})) {
if ($tmp != 0) {
$valpwdcanchange = "0";
} else {
$valpwdcanchange = "$winmagic";
}
}
if (defined($tmp = $Options{'B'})) {
if ($tmp != 0) {
$valpwdmustchange = "0";
} else {
$valpwdmustchange = "$winmagic";
}
}
if (defined($tmp = $Options{'H'})) {
$valacctflags = "$tmp";
}
my $tmpldif =
"dn: uid=$userName,$usersdn
changetype: modify
objectclass: top
objectclass: account
objectclass: posixAccount
objectClass: sambaAccount
pwdLastSet: 0
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: $valpwdcanchange
pwdMustChange: $valpwdmustchange
displayName: $_userGecos
acctFlags: $valacctflags
rid: $userRid
";
die "$0: error while adding samba account to posix user $userName\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
} else {
my $FILE="|smbpasswd -s -a $userName >/dev/null" ;
open (FILE, $FILE) || die "$!\n";
print FILE <<EOF;
x
x
EOF
;
close FILE;
if ($?) {
print "$0: error adding samba account\n";
exit (10);
}
} # with_smbpasswd
my $valscriptpath = "$userName.cmd";
my $valprofilepath = "$_userProfile$userName";
my $valsmbhome = "$_userSmbHome";
my $valhomedrive = "$_userHomeDrive";
if (defined($tmp = $Options{'C'})) {
$valsmbhome = "$tmp";
}
if (defined($tmp = $Options{'D'})) {
$tmp = $tmp.":" unless ($tmp =~ /:/);
$valhomedrive = "$tmp";
}
if (defined($tmp = $Options{'E'})) {
$valscriptpath = "$tmp";
}
if (defined($tmp = $Options{'F'})) {
$valprofilepath = "$tmp";
}
my $tmpldif =
"dn: uid=$userName,$usersdn
changetype: modify
rid: $userRid
primaryGroupID: $userGroupRid
homeDrive: $valhomedrive
smbHome: $valsmbhome
profilePath: $valprofilepath
scriptPath: $valscriptpath
lmPassword: XXX
ntPassword: XXX
";
die "$0: error while modifying samba account of user $userName\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
}
if (defined($Options{'P'})) {
exec "/usr/local/sbin/smbldap-passwd.pl $userName"
}
exit 0;
########################################
=head1 NAME
smbldap-useradd.pl - Create a new user or update default new
user information
=head1 SYNOPSIS
smbldap-useradd.pl [-c comment] [-d home_dir]
[-g initial_group] [-G group[,...]]
[-m [-k skeleton_dir]]
[-s shell] [-u uid [ -o]] [-P]
[-A canchange] [-B mustchange] [-C smbhome]
[-D homedrive] [-E scriptpath] [-F profilepath]
[-H acctflags] login
=head1 DESCRIPTION
Creating New Users
The smbldap-useradd.pl command creates a new user account using
the values specified on the command line and the default
values from the system.
The new user account will be entered into the system
files as needed, the home directory will be created, and
initial files copied, depending on the command line options.
You have to use smbldap-passwd to set the user password.
For Samba users, rid is 2*uidNumber+1000, and primaryGroupID
is 2*gidNumber+1001. Thus you may want to use
smbldap-useradd.pl -a -g "Domain Admins" -u 500 Administrator
to create a domain administrator (admin rid is 0x1F4 = 500 and
grouprid is 0x200 = 512)
Without any option, the account created will be an Unix (Posix)
account. The following options may be used to add information:
-a The user will have a Samba account (and Unix).
-w Creates an account for a Samba machine (Workstation), so that
it can join a domain.
-x Creates rid and primaryGroupID in hex (for Samba 2.2.2 bug). Else
decimal (2.2.2 patched from cvs or 2.2.x, x > 2)
-c comment
The new user's comment field (gecos).
-d home_dir
The new user will be created using home_dir as the value for the
user's login directory. The default is to append the login name
to default_home and use that as the login directory name.
-g initial_group
The group name or number of the user's initial login group. The
group name must exist. A group number must refer to an already
existing group. The default group number is 1.
-G group,[...]
A list of supplementary groups which the user is also a member
of. Each group is separated from the next by a comma, with no
intervening whitespace. The groups are subject to the same
restrictions as the group given with the -g option. The default
is for the user to belong only to the initial group.
-m The user's home directory will be created if it does not exist.
The files contained in skeleton_dir will be copied to the home
directory if the -k option is used, otherwise the files con­
tained in /etc/skel will be used instead. Any directories con­
tained in skeleton_dir or /etc/skel will be created in the
user's home directory as well. The -k option is only valid in
conjunction with the -m option. The default is to not create
the directory and to not copy any files.
-s shell
The name of the user's login shell. The default is to leave
this field blank, which causes the system to select the default
login shell.
-u uid The numerical value of the user's ID. This value must be
unique, unless the -o option is used. The value must be non-
negative. The default is to use the smallest ID value greater
than 1000 and greater than every other user.
-P ends by invoking smbldap-passwd.pl
-A can change password ? 0 if no, 1 if yes
-B must change password ? 0 if no, 1 if yes
-C smbHome (SMB home share, like '\\\\PDC-SRV\\homes')
-D homeDrive (letter associated with home share, like 'H:')
-E scriptPath, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat')
-F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')
-H acctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]')
=head1 SEE ALSO
useradd(1)
=cut
#'

View File

@ -0,0 +1,122 @@
#!/usr/bin/perl
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose of smbldap-userdel : user (posix,shadow,samba) deletion
use strict;
use smbldap_tools;
#####################
use Getopt::Std;
my %Options;
my $ok = getopts('r?', \%Options);
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
print "Usage: $0 [-r?] username\n";
print " -r remove home directory\n";
exit (1);
}
# Read only first @ARGV
my $user = $ARGV[0];
my $dn;
# user must not exist in LDAP
if (!defined($dn=get_user_dn($user))) {
print "$0: user $user does not exist\n";
exit (6);
}
if ($< != 0) {
print "You must be root to delete an user\n";
exit (1);
}
my $homedir;
if (defined($Options{'r'})) {
$homedir=get_homedir($user);
}
# remove user from groups
my $groups = find_groups_of $user;
my @grplines = split(/\n/, $groups);
my $grp;
foreach $grp (@grplines) {
my $gname = "";
if ( $grp =~ /dn: cn=([^,]+),/) {
$gname = $1;
#print "xx $gname\n";
}
if ($gname ne "") {
group_remove_member($gname, $user);
}
}
# XXX
delete_user($user);
# delete dir -- be sure that homeDir is not a strange value
if (defined($Options{'r'})) {
if ($homedir !~ /^\/dev/ and $homedir !~ /^\/$/) {
system "rm -rf $homedir";
}
}
my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
system "/etc/init.d/nscd restart > /dev/null 2>&1";
}
exit (0);
############################################################
=head1 NAME
smbldap-userdel.pl - Delete a user account and related files
=head1 SYNOPSIS
smbldap-userdel.pl [-r] login
=head1 DESCRIPTION
The smbldap-userdel.pl command modifies the system
account files, deleting all entries that refer to login.
The named user must exist.
-r Files in the user's home directory will be removed along with
the home directory itself. Files located in other file
systems will have to be searched for and deleted manually.
=head1 SEE ALSO
userdel(1)
=cut
#'

View File

@ -0,0 +1,403 @@
#!/usr/bin/perl
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose of smbldap-usermod : user (posix,shadow,samba) modification
use strict;
use smbldap_tools;
use smbldap_conf;
#####################
use Getopt::Std;
my %Options;
my $nscd_status;
my $ok = getopts('A:B:C:D:E:F:H:IJxme:f:u:g:G:d:l:s:c:ok:?', \%Options);
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
print "Usage: $0 [-awmugdsckxABCDEFGHI?] username\n";
print " -c gecos\n";
print " -d home directory\n";
#print " -m move home directory\n";
#print " -e expire date (YYYY-MM-DD)\n";
#print " -f inactive days\n";
print " -u uid\n";
print " -o uid can be non unique\n";
print " -g gid\n";
print " -G supplementary groups (comma separated)\n";
print " -l login name\n";
print " -s shell\n";
print " -x creates rid and primaryGroupID in hex instead of decimal (for Samba 2.2.2 unpatched only)\n";
print " -A can change password ? 0 if no, 1 if yes\n";
print " -B must change password ? 0 if no, 1 if yes\n";
print " -C smbHome (SMB home share, like '\\\\PDC-SRV\\homes')\n";
print " -D homeDrive (letter associated with home share, like 'H:')\n";
print " -E scriptPath (DOS script to execute on login)\n";
print " -F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n";
print " -H acctFlags (samba account control bits like '[NDHTUMWSLKI]')\n";
print " -I disable an user. Can't be used with -H or -J\n";
print " -J enable an user. Can't be used with -H or -I\n";
print " -? show this help message\n";
exit (1);
}
if ($< != 0) {
print "You must be root to modify an user\n";
exit (1);
}
# Read only first @ARGV
my $user = $ARGV[0];
# Read user datas
my $lines = read_user($user);
if (!defined($lines)) {
print "$0: user $user doesn't exist\n";
exit (1);
}
#print "$lines\n";
my $dn_line;
if ( $lines =~ /(^dn: .*)/ ) {
$dn_line = $1;
}
chomp($dn_line);
my $samba = 0;
if ($lines =~ m/objectClass: sambaAccount/) {
$samba = 1;
}
############
my $tmp;
my $mods;
# Process options
my $changed_uid;
my $_userUidNumber;
my $_userRid;
if (defined($tmp = $Options{'u'})) {
if (defined($Options{'o'})) {
$nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
system "/etc/init.d/nscd stop > /dev/null 2>&1";
}
if (getpwuid($tmp)) {
if ($nscd_status == 0) {
system "/etc/init.d/nscd start > /dev/null 2>&1";
}
print "$0: uid number $tmp exists\n";
exit (6);
}
if ($nscd_status == 0) {
system "/etc/init.d/nscd start > /dev/null 2>&1";
}
}
$_userUidNumber = $tmp;
# as rid we use 2 * uid + 1000
my $_userRid = 2 * $_userUidNumber + 1000;
if (defined($Options{'x'})) {
$_userRid= sprint("%x", $_userRid);
}
$mods .= "uidNumber: $_userUidNumber\n";
if ($samba) {
$mods .= "rid: $_userRid\n";
}
$changed_uid = 1;
}
my $changed_gid;
my $_userGidNumber;
my $_userGroupRid;
if (defined($tmp = $Options{'g'})) {
$_userGidNumber = parse_group($tmp);
if ($_userGidNumber < 0) {
print "$0: group $tmp doesn't exist\n";
exit (6);
}
# as grouprid we use 2 * gid + 1001
my $_userGroupRid = 2 * $_userGidNumber + 1001;
if (defined($Options{'x'})) {
$_userGroupRid = sprint("%x", $_userGroupRid);
}
$mods .= "gidNumber: $_userGidNumber\n";
if ($samba) {
$mods .= "primaryGroupID: $_userGroupRid\n";
}
$changed_gid = 1;
}
my $changed_shell;
my $_userLoginShell;
if (defined($tmp = $Options{'s'})) {
$_userLoginShell = $tmp;
$mods .= "loginShell: $_userLoginShell\n";
$changed_shell = 1;
}
my $changed_gecos;
my $_userGecos;
if (defined($tmp = $Options{'c'})) {
$_userGecos = $tmp;
$mods .= "gecos: $_userGecos\n";
$changed_gecos = 1;
}
my $changed_homedir;
my $newhomedir;
if (defined($tmp = $Options{'d'})) {
$newhomedir = $tmp;
$mods .= "homeDirectory: $newhomedir\n";
$changed_homedir = 1;
}
if (defined($tmp = $Options{'G'})) {
# remove user from old groups
my $groups = find_groups_of $user;
my @grplines = split(/\n/, $groups);
my $grp;
foreach $grp (@grplines) {
my $gname = "";
if ( $grp =~ /dn: cn=([^,]+),/) {
$gname = $1;
#print "xx $gname\n";
}
if ($gname ne "") {
group_remove_member($gname, $user);
}
}
# add user to new groups
add_grouplist_user($tmp, $user);
}
#
# A : pwdCanChange
# B : pwdMustChange
# C : smbHome
# D : homeDrive
# E : scriptPath
# F : profilePath
# H : acctFlags
my $attr;
my $winmagic = 2147483647;
if (defined($tmp = $Options{'A'})) {
$attr = "pwdCanChange";
if ($tmp != 0) {
$mods .= "$attr: 0\n";
} else {
$mods .= "$attr: $winmagic\n";
}
}
if (defined($tmp = $Options{'B'})) {
$attr = "pwdMustChange";
if ($tmp != 0) {
$mods .= "$attr: 0\n";
} else {
$mods .= "$attr: $winmagic\n";
}
}
if (defined($tmp = $Options{'C'})) {
$attr = "smbHome";
#$tmp =~ s/\\/\\\\/g;
$mods .= "$attr: $tmp\n";
}
if (defined($tmp = $Options{'D'})) {
$attr = "homeDrive";
$tmp = $tmp.":" unless ($tmp =~ /:/);
$mods .= "$attr: $tmp\n";
}
if (defined($tmp = $Options{'E'})) {
$attr = "scriptPath";
#$tmp =~ s/\\/\\\\/g;
$mods .= "$attr: $tmp\n";
}
if (defined($tmp = $Options{'F'})) {
$attr = "profilePath";
#$tmp =~ s/\\/\\\\/g;
$mods .= "$attr: $tmp\n";
}
if (defined($tmp = $Options{'H'})) {
$attr = "acctFlags";
#$tmp =~ s/\\/\\\\/g;
$mods .= "$attr: $tmp\n";
} elsif (defined($tmp = $Options{'I'})) {
my $flags;
if ( $lines =~ /^acctFlags: (.*)/m ) {
$flags = $1;
}
chomp($flags);
if ( !($flags =~ /D/) ) {
my $letters;
if ($flags =~ /(\w+)/) {
$letters = $1;
}
$mods .= "acctFlags: \[D$letters\]\n";
}
} elsif (defined($tmp = $Options{'J'})) {
my $flags;
if ( $lines =~ /^acctFlags: (.*)/m ) {
$flags = $1;
}
chomp($flags);
if ( $flags =~ /D/ ) {
my $letters;
if ($flags =~ /(\w+)/) {
$letters = $1;
}
$letters =~ s/D//;
$mods .= "acctFlags: \[$letters\]\n";
}
}
if ($mods ne '') {
#print "----\n$dn_line\n$mods\n----\n";
my $tmpldif =
"$dn_line
changetype: modify
$mods
";
die "$0: error while modifying user $user\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
}
$nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
system "/etc/init.d/nscd restart > /dev/null 2>&1";
}
############################################################
=head1 NAME
smbldap-usermod.pl - Modify a user account
=head1 SYNOPSIS
smbldap-usermod.pl [-c comment] [-d home_dir]
[-g initial_group] [-G group[,...]]
[-l login_name] [-p passwd]
[-s shell] [-u uid [ -o]] [-x]
[-A canchange] [-B mustchange] [-C smbhome]
[-D homedrive] [-E scriptpath] [-F profilepath]
[-H acctflags] login
=head1 DESCRIPTION
The smbldap-usermod.pl command modifies the system account files
to reflect the changes that are specified on the command line.
The options which apply to the usermod command are
-c comment
The new value of the user's comment field (gecos).
-d home_dir
The user's new login directory.
-g initial_group
The group name or number of the user's new initial login group.
The group name must exist. A group number must refer to an
already existing group. The default group number is 1.
-G group,[...]
A list of supplementary groups which the user is also a member
of. Each group is separated from the next by a comma, with no
intervening whitespace. The groups are subject to the same
restrictions as the group given with the -g option. If the user
is currently a member of a group which is not listed, the user
will be removed from the group
-l login_name
The name of the user will be changed from login to login_name.
Nothing else is changed. In particular, the user's home direc­
tory name should probably be changed to reflect the new login
name.
-s shell
The name of the user's new login shell. Setting this field to
blank causes the system to select the default login shell.
-u uid The numerical value of the user's ID. This value must be
unique, unless the -o option is used. The value must be non-
negative. Any files which the user owns and which are
located in the directory tree rooted at the user's home direc­
tory will have the file user ID changed automatically. Files
outside of the user's home directory must be altered manually.
-x Creates rid and primaryGroupID in hex instead of decimal (for
Samba 2.2.2 unpatched only - higher versions always use decimal)
-A can change password ? 0 if no, 1 if yes
-B must change password ? 0 if no, 1 if yes
-C smbHome (SMB home share, like '\\\\PDC-SRV\\homes')
-D homeDrive (letter associated with home share, like 'H:')
-E scriptPath, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat')
-F profilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')
-H acctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]')
-I disable user. Can't be used with -H or -J
-J enable user. Can't be used with -H or -I
=head1 SEE ALSO
usermod(1)
=cut
#'

View File

@ -0,0 +1,69 @@
#!/usr/bin/perl
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose of smbldap-userdisplay : user (posix,shadow,samba) display
use strict;
use smbldap_tools;
use Getopt::Std;
my %Options;
my $ok = getopts('?', \%Options);
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) ) {
print "Usage: $0 [-?] username\n";
print " -? show this help message\n";
exit (1);
}
# Read only first @ARGV
my $user = $ARGV[0];
my $lines = read_user($user);
if (!defined($lines)) {
print "$0: user $user doesn't exist\n";
exit (1);
}
print "$lines\n";
exit(0);
############################################################
=head1 NAME
smbldap-usershow.pl - Show a user account informations
=head1 SYNOPSIS
smbldap-usershow.pl login
=head1 DESCRIPTION
The smbldap-usershow.pl command displays the informations
associated with the login. The named user must exist.
=cut
#'

View File

@ -0,0 +1,249 @@
#!/usr/bin/perl
use strict;
package smbldap_conf;
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# Purpose :
# . be the configuration file for all smbldap-tools scripts
use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS
$UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP
$with_smbpasswd $mk_ntpasswd
$ldap_path $ldap_opts $ldapsearch $ldapsearchnobind
$ldapmodify $ldappasswd $ldapadd $ldapdelete $ldapmodrdn
$suffix $usersdn $computersdn
$groupsdn $scope $binddn $bindpasswd
$slaveDN $slavePw $masterDN $masterPw
$_userLoginShell $_userHomePrefix $_userGecos
$_defaultUserGid $_defaultComputerGid
$_skeletonDir $_userSmbHome
$_userProfile $_userHomeDrive
$_userScript $usersou $computersou $groupsou
);
use Exporter;
$VERSION = 1.00;
@ISA = qw(Exporter);
@EXPORT = qw(
$UID_START $GID_START $smbpasswd $slaveLDAP $masterLDAP
$with_smbpasswd $mk_ntpasswd
$ldap_path $ldap_opts $ldapsearch $ldapsearchnobind $ldapmodify $ldappasswd
$ldapadd $ldapdelete $ldapmodrdn $suffix $usersdn
$computersdn $groupsdn $scope $binddn $bindpasswd
$slaveDN $slavePw $masterDN $masterPw
$_userLoginShell $_userHomePrefix $_userGecos
$_defaultUserGid $_defaultComputerGid $_skeletonDir
$_userSmbHome $_userProfile $_userHomeDrive $_userScript
$usersou $computersou $groupsou
);
##############################################################################
#
# General Configuration
#
##############################################################################
#
# UID and GID starting at...
#
$UID_START = 1000;
$GID_START = 1000;
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
#
# Slave LDAP : needed for read operations
#
# Ex: $slaveLDAP = "127.0.0.1";
$slaveLDAP = "_SLAVELDAP_";
#
# Master LDAP : needed for write operations
#
# Ex: $masterLDAP = "127.0.0.1";
$masterLDAP = "_MASTERLDAP_";
#
# LDAP Suffix
#
# Ex: $suffix = "dc=IDEALX,dc=ORG";
$suffix = "_SUFFIX_";
#
# Where are stored Users
#
# Ex: $usersdn = "ou=Users,$suffix"; for ou=Users,dc=IDEALX,dc=ORG
$usersou = q(_USERS_);
$usersdn = "ou=$usersou,$suffix";
#
# Where are stored Computers
#
# Ex: $computersdn = "ou=Computers,$suffix"; for ou=Computers,dc=IDEALX,dc=ORG
$computersou = q(_COMPUTERS_);
$computersdn = "ou=$computersou,$suffix";
#
# Where are stored Groups
#
# Ex $groupsdn = "ou=Groups,$suffix"; for ou=Groups,dc=IDEALX,dc=ORG
$groupsou = q(_GROUPS_);
$groupsdn = "ou=$groupsou,$suffix";
#
# Default scope Used
#
$scope = "sub";
#
# Credential Configuration
#
# Bind DN used
# Ex: $binddn = "cn=Manager,$suffix"; for cn=Manager,dc=IDEALX,dc=org
$binddn = "_BINDDN_";
#
# Bind DN passwd used
# Ex: $bindpasswd = 'secret'; for 'secret'
$bindpasswd = "_BINDPW_";
#
# Notes: if using dual ldap patch, you can specify to different configuration
# By default, we will use the same DN (so it will work for standard Samba
# release)
#
$slaveDN = $binddn;
$slavePw = $bindpasswd;
$masterDN = $binddn;
$masterPw = $bindpasswd;
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
#
# Default Login Shell
#
# Ex: $_userLoginShell = q(/bin/bash);
$_userLoginShell = q(_LOGINSHELL_);
#
# Home directory prefix (without username)
#
#Ex: $_userHomePrefix = q(/home/);
$_userHomePrefix = q(_USERHOMEPREFIX_);
#
# Gecos
#
$_userGecos = q(System User);
#
# Default User (POSIX and Samba) GID
#
$_defaultUserGid = 100;
#
# Default Computer (Samba) GID
#
$_defaultComputerGid = 553;
#
# Skel dir
#
$_skeletonDir = q(/etc/skel);
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
#
# The UNC path to home drives location without the username last extension
# (will be dynamically prepended)
# Ex: q(\\\\My-PDC-netbios-name\\homes) for \\My-PDC-netbios-name\homes
$_userSmbHome = q(\\\\_PDCNAME_\\homes);
#
# The UNC path to profiles locations without the username last extension
# (will be dynamically prepended)
# Ex: q(\\\\My-PDC-netbios-name\\profiles) for \\My-PDC-netbios-name\profiles
$_userProfile = q(\\\\_PDCNAME_\\profiles\\);
#
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: q(U:) for U:
$_userHomeDrive = q(_HOMEDRIVE_:);
#
# The default user netlogon script name
# if not used, will be automatically username.cmd
#
#$_userScript = q(startup.cmd); # make sure script file is edited under dos
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if $with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer mkntpwd... most of the time, it's a wise choice :-)
$with_smbpasswd = 0;
$smbpasswd = "/usr/bin/smbpasswd";
$mk_ntpasswd = "/usr/local/sbin/mkntpwd";
$ldap_path = "/usr/bin";
$ldap_opts = "-x";
$ldapsearch = "$ldap_path/ldapsearch $ldap_opts -h $slaveLDAP -D '$slaveDN' -w '$slavePw'";
$ldapsearchnobind = "$ldap_path/ldapsearch $ldap_opts -h $slaveLDAP";
$ldapmodify = "$ldap_path/ldapmodify $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'";
$ldappasswd = "$ldap_path/ldappasswd $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'";
$ldapadd = "$ldap_path/ldapadd $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'";
$ldapdelete = "$ldap_path/ldapdelete $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'";
$ldapmodrdn = "$ldap_path/ldapmodrdn $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'";
1;
# - The End

View File

@ -0,0 +1,583 @@
#! /usr/bin/perl
use strict;
package smbldap_tools;
use smbldap_conf;
# This code was developped by IDEALX (http://IDEALX.org/) and
# contributors (their names can be found in the CONTRIBUTORS file).
#
# Copyright (C) 2001-2002 IDEALX
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
# USA.
# ugly funcs using global variables and spawning openldap clients
use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS);
use Exporter;
$VERSION = 1.00;
@ISA = qw(Exporter);
@EXPORT = qw(
get_user_dn
get_group_dn
is_samba_user
is_user_valid
get_dn_from_line
add_posix_machine
add_samba_machine
add_samba_machine_mkntpwd
group_add_user
add_grouplist_user
disable_user
delete_user
group_add
get_homedir
read_user
read_group
find_groups_of
parse_group
group_remove_member
group_get_members
do_ldapadd
do_ldapmodify
get_user_dn2
);
# dn_line = get_user_dn($username)
# where dn_line is like "dn: a=b,c=d"
sub get_user_dn
{
my $user = shift;
my $dn=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' | grep "^dn:"`;
chomp $dn;
if ($dn eq '') {
return undef;
}
return $dn;
}
# return (success, dn)
sub get_user_dn2
{
my $user = shift;
my $sr = `$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))'`;
if ($sr eq "") {
print "get_user_dn2: error in ldapsearch :
$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))'\n";
return (0, undef);
}
my @lines = split(/\n/, $sr);
my @matches = grep(/^dn:/, @lines);
my $dn = $matches[0];
chomp $dn;
if ($dn eq '') {
return (1, undef);
}
return (1, $dn);
}
# dn_line = get_group_dn($groupname)
# where dn_line is like "dn: a=b,c=d"
sub get_group_dn
{
my $group = shift;
my $dn=`$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixGroup)(|(cn=$group)(gidNumber=$group)))' | grep "^dn:"`;
chomp $dn;
if ($dn eq '') {
return undef;
}
return $dn;
}
# bool = is_samba_user($username)
sub is_samba_user
{
my $user = shift;
my $cmd = "$ldapsearch -b '$suffix' -s '$scope' '(&(objectClass=sambaAccount)(uid=$user))' | grep '^dn:\'";
my $res=`$cmd`;
chomp $res;
if ($res ne '') {
return 1;
}
return 0;
}
# bool = is_user_valid($username)
# try to bind with user dn and password to validate current password
sub is_user_valid
{
my ($user, $dn, $pass) = @_;
my $res=`$ldapsearchnobind -b '$usersdn' -s '$scope' -D '$dn' -w '$pass' '(&(objectclass=posixAccount)(uid=$user))' 2>/dev/null | grep "^dn:"`;
chomp $res;
if ($res eq '') {
return 0;
}
return 1;
}
# dn = get_dn_from_line ($dn_line)
# helper to get "a=b,c=d" from "dn: a=b,c=d"
sub get_dn_from_line
{
my $dn = shift;
$dn =~ s/^dn: //;
return $dn;
}
# success = add_posix_machine($user, $uid, $gid)
sub add_posix_machine
{
my ($user, $uid, $gid) = @_;
my $tmpldif =
"dn: uid=$user,$computersdn
objectclass: top
objectclass: posixAccount
cn: $user
uid: $user
uidNumber: $uid
gidNumber: $gid
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
";
die "$0: error while adding posix account to machine $user\n"
unless (do_ldapadd($tmpldif) == 0);
undef $tmpldif;
return 1;
}
# success = add_samba_machine($computername)
sub add_samba_machine
{
my $user = shift;
system "smbpasswd -a -m $user";
return 1;
}
sub add_samba_machine_mkntpwd
{
my ($user, $uid) = @_;
my $rid = 2 * $uid + 1000; # Samba 2.2.2 stuff
my $name = $user;
$name =~ s/.$//s;
if ($mk_ntpasswd eq '') {
print "Either set \$with_smbpasswd = 1 or specify \$mk_ntpasswd\n";
return 0;
}
my $ntpwd = `$mk_ntpasswd '$name'`;
chomp(my $lmpassword = substr($ntpwd, 0, index($ntpwd, ':')));
chomp(my $ntpassword = substr($ntpwd, index($ntpwd, ':')+1));
my $tmpldif =
"dn: uid=$user,$computersdn
changetype: modify
objectclass: top
objectclass: posixAccount
objectClass: sambaAccount
pwdLastSet: 0
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
acctFlags: [W ]
lmpassword: $lmpassword
ntpassword: $ntpassword
rid: $rid
primaryGroupID: 0
";
die "$0: error while adding samba account to $user\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
return 1;
}
sub group_add_user
{
my ($group, $userid) = @_;
my $dn_line;
if (!defined($dn_line = get_group_dn($group))) {
return 1;
}
my $dn = get_dn_from_line($dn_line);
my $members = `$ldapsearch -b '$dn' -s base | grep -i "^memberUid:"`;
chomp($members);
# user already member ?
if ($members =~ m/^memberUid: $userid/) {
return 2;
}
my $mods = "";
if ($members ne '') {
$mods="$dn_line
changetype: modify
replace: memberUid
$members
memberUid: $userid
";
} else {
$mods="$dn_line
changetype: modify
add: memberUid
memberUid: $userid
";
}
#print "$mods\n";
my $tmpldif =
"$mods
";
die "$0: error while modifying group $group\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
return 0;
}
sub add_grouplist_user
{
my ($grouplist, $user) = @_;
my @array = split(/,/, $grouplist);
foreach my $group (@array) {
group_add_user($group, $user);
}
}
# XXX FIXME : acctFlags |= D, and not acctFlags = D
sub disable_user
{
my $user = shift;
my $dn_line;
if (!defined($dn_line = get_user_dn($user))) {
print "$0: user $user doesn't exist\n";
exit (10);
}
my $tmpldif =
"dn: $dn_line
changetype: modify
replace: userPassword
userPassword: {crypt}!x
";
die "$0: error while modifying user $user\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
if (is_samba_user($user)) {
my $tmpldif =
"dn: $dn_line
changetype: modify
replace: acctFlags
acctFlags: [D ]
";
die "$0: error while modifying user $user\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
}
}
# delete_user($user)
sub delete_user
{
my $user = shift;
my $dn_line;
if (!defined($dn_line = get_user_dn($user))) {
print "$0: user $user doesn't exist\n";
exit (10);
}
my $dn = get_dn_from_line($dn_line);
system "$ldapdelete $dn >/dev/null";
}
# $success = group_add($groupname, $group_gid, $force_using_existing_gid)
sub group_add
{
my ($gname, $gid, $force) = @_;
my $nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
system "/etc/init.d/nscd stop > /dev/null 2>&1";
}
if (!defined($gid)) {
while (defined(getgrgid($GID_START))) {
$GID_START++;
}
$gid = $GID_START;
} else {
if (!defined($force)) {
if (defined(getgrgid($gid))) {
return 0;
}
}
}
if ($nscd_status == 0) {
system "/etc/init.d/nscd start > /dev/null 2>&1";
}
my $tmpldif =
"dn: cn=$gname,$groupsdn
objectclass: posixGroup
cn: $gname
gidNumber: $gid
";
die "$0: error while adding posix group $gname\n"
unless (do_ldapadd($tmpldif) == 0);
undef $tmpldif;
return 1;
}
# $homedir = get_homedir ($user)
sub get_homedir
{
my $user = shift;
my $homeDir=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' | grep "^homeDirectory:"`;
chomp $homeDir;
if ($homeDir eq '') {
return undef;
}
$homeDir =~ s/^homeDirectory: //;
return $homeDir;
}
# search for an user
sub read_user
{
my $user = shift;
my $lines=`$ldapsearch -b '$suffix' -s '$scope' '(&(objectclass=posixAccount)(uid=$user))' -LLL`;
chomp $lines;
if ($lines eq '') {
return undef;
}
return $lines;
}
# search for a group
sub read_group
{
my $user = shift;
my $lines=`$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixGroup)(cn=$user))' -LLL`;
chomp $lines;
if ($lines eq '') {
return undef;
}
return $lines;
}
# find groups of a given user
sub find_groups_of
{
my $user = shift;
my $lines=`$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixGroup)(memberuid=$user))' -LLL | grep "^dn: "`;
chomp $lines;
if ($lines eq '') {
return undef;
}
return $lines;
}
# return the gidnumber for a group given as name or gid
# -1 : bad group name
# -2 : bad gidnumber
sub parse_group
{
my $userGidNumber = shift;
if ($userGidNumber =~ /[^\d]/ ) {
my $gname = $userGidNumber;
my $gidnum = getgrnam($gname);
if ($gidnum !~ /\d+/) {
return -1;
} else {
$userGidNumber = $gidnum;
}
} elsif (!defined(getgrgid($userGidNumber))) {
return -2;
}
return $userGidNumber;
}
# remove $user from $group
sub group_remove_member
{
my ($group, $user) = @_;
my $grp_line = get_group_dn($group);
if (!defined($grp_line)) {
return 0;
}
my $members = `$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixgroup)(cn=$group))' | grep -i "^memberUid:"`;
#print "avant ---\n$members\n";
$members =~ s/memberUid: $user\n//;
#print "----\n$members\n---\n";
chomp($members);
my $header;
if ($members eq '') {
$header = "changetype: modify\n";
$header .= "delete: memberUid";
} else {
$header = "changetype: modify\n";
$header .= "replace: memberUid";
}
my $tmpldif =
"$grp_line
$header
$members
";
die "$0: error while modifying group $group\n"
unless (do_ldapmodify($tmpldif) == 0);
undef $tmpldif;
return 1;
}
sub group_get_members
{
my ($group) = @_;
my @members;
my $grp_line = get_group_dn($group);
if (!defined($grp_line)) {
return 0;
}
my $members = `$ldapsearch -b '$groupsdn' -s '$scope' '(&(objectclass=posixgroup)(cn=$group))' memberUid | grep -i "^memberUid:"`;
my @lines = split (/\n/, $members);
foreach my $line (@lines) {
$line =~ s/^memberUid: //;
push(@members, $line);
}
return @members;
}
sub file_write {
my ($filename, $filecontent) = @_;
local *FILE;
open (FILE, "> $filename") ||
die "Cannot open «$filename» for writing: $!\n";
print FILE $filecontent;
close FILE;
}
# wrapper for ldapadd
sub do_ldapadd2
{
my $ldif = shift;
my $tempfile = "/tmp/smbldapadd.$$";
file_write($tempfile, $ldif);
my $rc = system "$ldapadd < $tempfile >/dev/null";
unlink($tempfile);
return $rc;
}
sub do_ldapadd
{
my $ldif = shift;
my $FILE = "|$ldapadd >/dev/null";
open (FILE, $FILE) || die "$!\n";
print FILE <<EOF;
$ldif
EOF
;
close FILE;
my $rc = $?;
return $rc;
}
# wrapper for ldapmodify
sub do_ldapmodify2
{
my $ldif = shift;
my $tempfile = "/tmp/smbldapmod.$$";
file_write($tempfile, $ldif);
my $rc = system "$ldapmodify -r < $tempfile >/dev/null";
unlink($tempfile);
return $rc;
}
sub do_ldapmodify
{
my $ldif = shift;
my $FILE = "|$ldapmodify -r >/dev/null";
open (FILE, $FILE) || die "$!\n";
print FILE <<EOF;
$ldif
EOF
;
close FILE;
my $rc = $?;
return $rc;
}
1;