README.en

$Id: README.en 145 2008-06-14 14:30:20Z kou $

Name

ActiveSambaLdap

What's this?

ActiveSambaLdap is a library and a set of management tools for Samba + LDAP environments.

ActiveSambaLdap provides an object-oriented API for manipulating the LDAP entries used by Samba. ActiveSambaLdap also provides command-line tools to replace smbldap-tools, which are written in Perl.

Author

Kouhei Sutou <kou@cozmixng.org>

Licence

Ruby's.

Mailing list

asl-devel@rubyforge.org

<URL:http://rubyforge.org/mailman/listinfo/asl-devel/>

Reference manual

<URL:http://asl.rubyforge.org/activesambaldap/>

Dependency libraries

Usage

Use with Rails

First, install the ActiveSambaLdap plugin for Rails. The following URL points at trunk, so adjust it to the release you want.

% script/plugin install svn://rubyforge.org/var/svn/asl/trunk/rails/plugin/active_samba_ldap

Next, scaffold the environment of ActiveSambaLdap for Rails.

% script/generate scaffold_active_samba_ldap

Modify config/ldap.yml, generated by scaffold_active_samba_ldap, to adapt it to your environment. See the "Options in configuration file" section for the available options.

Populate

First, you need to populate your Samba + LDAP environment. Start Rails (with script/server or similar), access http://localhost:3000/samba, and populate your Samba + LDAP environment by following the "Populate Samba + LDAP environment" link.

Then you can develop your applications with the User/Computer/Group classes, in the same way as with ActiveRecord.

Use from command line

Use the asl-* commands. You won't normally use the asl-samba-* commands from the command line, because they are intended to be invoked from smb.conf.

Configuration

First, modify the configuration file to adapt it to your environment. You can see the default configuration files by invoking any asl-* command with the --help option, for example asl-populate:

% asl-populate --help
...
      --config=CONFIG              Specify configuration file
                                   Default configuration files:
                                     /etc/activesambaldap/config.yaml
                                     /etc/activesambaldap/bind.yaml
                                     /home/kou/.activesambaldap.conf
                                     /home/kou/.activesambaldap.bind
...

Configuration files are read from the top of the list to the bottom, and settings in later files override those in earlier ones. In the above example, the files are therefore read in the order shown by --help: config.yaml, bind.yaml, ~/.activesambaldap.conf, ~/.activesambaldap.bind.

The reason why bind.yaml and *.bind are read after config.yaml and *.conf is security. Write open settings (host name, port number and so on) into config.yaml and *.conf, and secret settings (user name, password and so on) into bind.yaml and *.bind. Set restrictive permissions on bind.yaml and *.bind so that other users cannot read them.
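The following Ruby script is an added illustration of the two rules just described, not code from ActiveSambaLdap itself: it merges a list of YAML files in order so that a later file overrides the same key in an earlier one, section by section, and it flags any secret-bearing bind file whose mode lets group or others read it. The file names, the SID and the password it writes into a temporary directory are constructed placeholders; the real library's loader may differ in details such as how missing files are treated.

```ruby
require "yaml"
require "tmpdir"

# Merge the given files in order: a section (common/update/reference) in a
# later file overrides the same keys in an earlier file. Files that do not
# exist are skipped, as a per-user ~/.activesambaldap.* often does not.
def load_layered_config(paths)
  paths.each_with_object({}) do |path, merged|
    next unless File.file?(path)
    data = YAML.safe_load(File.read(path), permitted_classes: [Symbol]) || {}
    data.each do |section, options|
      merged[section] = (merged[section] || {}).merge(options || {})
    end
  end
end

# Return the subset of paths whose permission bits allow group or others to
# read them. Bind files hold passwords, so anything but owner-only is a finding.
def world_or_group_readable(paths)
  paths.select { |p| File.file?(p) && (File.stat(p).mode & 0o077) != 0 }
end

# Build a throwaway layout that mirrors the default search order and run both
# checks. All contents are constructed for this example (placeholder SID and
# password); the per-user .bind file is deliberately left absent.
def demo_layered_config
  Dir.mktmpdir("asl-config-demo") do |dir|
    config_yaml = File.join(dir, "config.yaml")
    bind_yaml = File.join(dir, "bind.yaml")
    user_conf = File.join(dir, ".activesambaldap.conf")
    user_bind = File.join(dir, ".activesambaldap.bind") # not created

    File.write(config_yaml, <<~YAML)
      common:
        sid: S-1-5-21-0-0-0-PLACEHOLDER
        base: dc=samba,dc=local,dc=net
        host: ldap.example.test
        method: :tls
      reference:
        allow_anonymous: true
    YAML
    File.write(bind_yaml, <<~YAML)
      update:
        bind_dn: cn=admin,dc=local,dc=net
        password: PLACEHOLDER-PASSWORD
    YAML
    File.write(user_conf, <<~YAML)
      common:
        host: localhost
    YAML
    File.chmod(0o644, config_yaml)
    File.chmod(0o644, bind_yaml) # too permissive for a file holding a password
    File.chmod(0o600, user_conf)

    order = [config_yaml, bind_yaml, user_conf, user_bind]
    merged = load_layered_config(order)
    findings = world_or_group_readable([bind_yaml, user_bind]).map { |p| File.basename(p) }
    { "config" => merged, "insecure_bind_files" => findings }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = demo_layered_config
  puts "effective host: #{result["config"]["common"]["host"]}"
  puts "bind files readable by others: #{result["insecure_bind_files"].inspect}"
end
```

Run as written, the per-user .conf wins for host (localhost replaces ldap.example.test) while base, sid, bind_dn and password survive from the earlier files, and bind.yaml is reported because it was left mode 0644.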

Format of configuration file

Use YAML format. There are three sections:

update:
  # configurations for updating LDAP entries
  ...

reference:
  # configurations for referring LDAP entries
  ...

common:
  # configurations to share for updating/referring
  ...

For example:

common:
  sid: S-1-5-21-915876905-2926214379-2876160357
  base: dc=samba,dc=local,dc=net
  host: localhost
  method: :tls

update:
  bind_dn: cn=admin,dc=local,dc=net
  password: admin

reference:
  allow_anonymous: true

It's best to write the 'password' setting into bind.yaml or *.bind.

You must configure 'base', and you should configure 'sid'. You can find your SID with the following command:

% sudo net getlocalsid

If sid isn't configured, 'net getlocalsid' is invoked every time, which is inefficient.

Options in configuration file

The following options are available:

base
Same as the option of ActiveLdap::Base.establish_connection.
host
Same as the option of ActiveLdap::Base.establish_connection.
port
Same as the option of ActiveLdap::Base.establish_connection.
scope
Same as the option of ActiveLdap::Base.establish_connection.
bind_dn
Same as the option of ActiveLdap::Base.establish_connection.
password
Same as the option of ActiveLdap::Base.establish_connection.
method
Same as the option of ActiveLdap::Base.establish_connection.
allow_anonymous
Same as the option of ActiveLdap::Base.establish_connection.
sid
SID (Security Identifier) of your Samba server.
smb_conf
The path of smb.conf for your Samba server.
samba_domain
Domain name of your Samba server.
samba_netbios_name
NetBIOS name of your Samba server.
password_hash_type
Algorithm for hashing the password in LDAP. Available algorithms are :crypt, :md5, :smd5, :sha and :ssha. Default algorithm is :ssha. The password in LDAP is used for UNIX authentication, not for Samba.
users_suffix
Tree for user entries in LDAP. Specify relative path for base. For example: ou=Users
groups_suffix
Tree for group entries in LDAP. Specify relative path for base. For example: ou=Groups
computers_suffix
Tree for computer entries in LDAP. Specify relative path for base. For example: ou=Computers
idmap_suffix
Tree for idmap entries in LDAP. Specify relative path for base. For example: ou=Idmap
start_uid
UID (User Identifier) for the next new user. After a user is created, the default UID for the next new user is incremented. Default is 10000.
start_gid
GID (Group Identifier) for the next new group. After a group is created, the default GID for the next new group is incremented. Default is 10000.
user_login_shell
Default login shell for new users. Default is /bin/false.
user_home_directory
Default home directory for new users. %U is substituted with the user name. Default is /home/%U.
user_home_directory_mode
Default permission of the user's home directory. Default is 0755 (octal notation).
user_gecos
Default GECOS field value for new users. %U is substituted with the user name.
user_home_unc
Default path of the user's home directory in Windows. The path should be specified as a UNC (Universal Naming Convention) path. %U is substituted with the user name. Default is "\\NetBIOS name of your Samba server\%U".
user_profile
Default path of the user's profile, specified as a UNC (Universal Naming Convention) path. %U is substituted with the user name. Default is "\\NetBIOS name of your Samba server\profiles\%U".
user_home_drive
Default drive letter of the user's home directory. Default is H:.
user_logon_script
Default script name that is invoked when the user logs on. Default is logon.bat.
skeleton_directory
Default skeleton directory used when creating the user's home directory. Default is /etc/skel.
default_user_gid
Default GID of the group to which new users belong. Default is the 'Domain Users' group.
default_computer_gid
Default GID of the group to which new computers belong. Default is the 'Domain Computers' group.
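The :sha and :ssha choices for password_hash_type above correspond to the {SHA} and {SSHA} userPassword schemes used by LDAP servers. The Ruby below is an added example, not ActiveSambaLdap's own code, showing how those two values are built and verified with the standard library: {SSHA} appends a random salt before hashing and stores the salt after the digest, so the same password yields a different stored value in every entry, whereas {SHA} gives the same value each time. The salt parameter is exposed only so the example is testable; SecureRandom supplies it in normal use.

```ruby
require "digest"
require "securerandom"

SHA1_DIGEST_LENGTH = 20 # bytes of SHA-1 output; the salt follows it in {SSHA}

# Build an LDAP userPassword value for the two SHA-1 based schemes named in
# the README. Strings are forced to binary so a non-ASCII password and a
# random salt can be concatenated without an encoding error.
def ldap_password_hash(password, scheme: :ssha, salt: SecureRandom.random_bytes(8))
  case scheme
  when :sha
    "{SHA}" + [Digest::SHA1.digest(password.b)].pack("m0")
  when :ssha
    "{SSHA}" + [Digest::SHA1.digest(password.b + salt.b) + salt.b].pack("m0")
  else
    raise ArgumentError, "unsupported scheme #{scheme.inspect}"
  end
end

# Check a candidate password against a stored {SHA} or {SSHA} value; the
# salt is recovered from the stored value itself. Anything else (including
# an unhashed value) is rejected rather than compared as plaintext.
def ldap_password_valid?(stored, candidate)
  m = stored.match(/\A\{(\w+)\}(.+)\z/)
  return false unless m
  scheme, encoded = m.captures
  raw = encoded.unpack1("m0") # strict base64 decode, raises on malformed input
  case scheme
  when "SHA"
    secure_compare(raw, Digest::SHA1.digest(candidate.b))
  when "SSHA"
    digest = raw[0, SHA1_DIGEST_LENGTH]
    salt = raw[SHA1_DIGEST_LENGTH..-1]
    secure_compare(digest, Digest::SHA1.digest(candidate.b + salt))
  else
    false
  end
end

# Constant-time comparison so a mismatch position is not visible via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# True when hashing the same password twice gives the same stored value,
# i.e. when the scheme is unsalted and equal passwords are visible as equal.
def same_password_same_hash?(password, scheme)
  ldap_password_hash(password, scheme: scheme) == ldap_password_hash(password, scheme: scheme)
end

if __FILE__ == $PROGRAM_NAME
  stored = ldap_password_hash("example-password")
  puts stored
  puts "verify correct:   #{ldap_password_valid?(stored, "example-password")}"
  puts "verify wrong:     #{ldap_password_valid?(stored, "other")}"
  puts "{SHA} repeats:    #{same_password_same_hash?("example-password", :sha)}"
  puts "{SSHA} repeats:   #{same_password_same_hash?("example-password", :ssha)}"
end
```

Because the README notes this attribute is consulted only for UNIX authentication, the choice of scheme affects what an attacker who obtains a copy of the directory can do with the userPassword values; the salted default limits precomputed-table and equal-password comparisons, which is why leaving password_hash_type at :ssha is the sensible setting.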

Populate

You need to populate your Samba + LDAP environment by invoking asl-populate before administering it with the asl-* commands.

% sudo asl-populate

You can use the following command if you don't need root authorization*1.

% fakeroot asl-populate

Administrate

Use asl-user*, asl-group*, asl-populate, asl-purge and asl-password. Use the --help option of each command for more detail.

Configuration of smb.conf

You need to configure your smb.conf like the following if you want to administer the domain with Srvtools from Windows or make your Samba server a domain controller. Use the asl-samba-* commands for those purposes.

passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=admin,dc=local,dc=net
ldap suffix = dc=samba,dc=local,dc=net
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap passwd sync = yes

admin users = "@Domain Admins"
add user script = /.../asl-samba-useradd "%u"
delete user script = /.../asl-samba-userdel "%u"
add group script = /.../asl-samba-groupadd "%g"
delete group script = /.../asl-samba-groupdel "%g"
add user to group script = /.../asl-samba-groupmod "%g" --add-members "%u"
delete user from group script = /.../asl-samba-groupmod "%g" --delete-members "%u"
set primary group script = /.../asl-samba-usermod "%u" --gid "%g"
add machine script = /.../asl-samba-computeradd "%u"

You need to set the LDAP administrator password with the following command before starting your Samba server.

% sudo /usr/bin/smbpasswd -W

Troubleshooting

Groups aren't listed

You can list groups by the following command:

% net rpc group list --user=USER_NAME

If no groups are listed by the above command after you have executed asl-populate, please confirm the following:

Thanks


*1 A root authorization check may be needed...