!C99Shell v. 1.0 pre-release build #16!

Software: Apache/2.0.54 (Fedora). PHP/5.0.4 

uname -a: Linux mina-info.me 2.6.17-1.2142_FC4smp #1 SMP Tue Jul 11 22:57:02 EDT 2006 i686 

uid=48(apache) gid=48(apache) groups=48(apache)
context=system_u:system_r:httpd_sys_script_t 

Safe-mode: OFF (not secure)

/usr/share/doc/samba-3.0.23a/LDAP/smbldap-tools-0.9.2/doc/html/   drwxr-xr-x
Free 3.5 GB of 27.03 GB (12.96%)
Home    Back    Forward    UPDIR    Refresh    Search    Buffer    Encoder    Tools    Proc.    FTP brute    Sec.    SQL    PHP-code    Update    Feedback    Self remove    Logout    


Viewing file:     smbldap-tools005.html (21.22 KB)      -rw-r--r--
Select action/file-type:
(+) | (+) | (+) | Code (+) | Session (+) | (+) | SDB (+) | (+) | (+) | (+) | (+) | (+) |
Using the scripts Précédent Remonter Suivant

4  Using the scripts

4.1  Initial directory's population

You can initialize the LDAP directory using the smbldap-populate script. To do that, the account defined in the /etc/opt/IDEALX/smbldap-tools/smbldap_bind.conf to access the master directory must must be the manager account defined in the directory configuration. On RedHat system, this file is /etc/openldap/slapd.conf and the account is defined with 
  rootdn          "cn=Manager,dc=idealx,dc=com"
  rootpw          secret
The smbldap_bind.conf file must then be configured so that the parameters to connect to the master LDAP server match the previous ones: 
  masterDN="cn=Manager,dc=idealx,dc=com"
  masterPw="secret"
Available options for this script are summarized in the table 1:
option definition default value
-u uidNumber first uidNumber to allocate 1000
-g gidNumber first uidNumber to allocate 1000
-a user administrator login name Administrator
-b user guest login name nobody
-e file export a init file  
-i file import a init file  

Table 1: Options available for the smbldap-populate script

In the more general case, to set up your directory, simply use the following command: 
[root@etoile root]# smbldap-populate 
Using builtin directory structure
adding new entry: dc=idealx,dc=com
adding new entry: ou=Users,dc=idealx,dc=com
adding new entry: ou=Groups,dc=idealx,dc=com
adding new entry: ou=Computers,dc=idealx,dc=com
adding new entry: ou=Idmap,dc=idealx,dc=org
adding new entry: cn=NextFreeUnixId,dc=idealx,dc=org
adding new entry: uid=Administrator,ou=Users,dc=idealx,dc=com
adding new entry: uid=nobody,ou=Users,dc=idealx,dc=com
adding new entry: cn=Domain Admins,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Domain Users,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Domain Guests,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Print Operators,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Backup Operators,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Replicator,ou=Groups,dc=idealx,dc=com
adding new entry: cn=Domain Computers,ou=Groups,dc=idealx,dc=com
After this step, if you don't want to use the cn=Manager,dc=idealx,dc=com account anymore, you can create a dedicated account for Samba and the smbldap-tools. See section 8.2 for more details.

The cn=NextFreeUnixId,dc=idealx,dc=org entry is only used to defined the next uidNumber and gidNumber available for creating new users and groups. The default values for those numbers are 1000. You can change it with the -u and -g option. For example, if you want the first available value for uidNumber and gidNumber to be set to 1500, you can use the following command : 
smbldap-populate -u 1550 -g 1500

4.2  User management

4.2.1  Adding a user

To add a user, use the smbldap-useradd script. Available options are summarized in the table 2. If applicable, default values are mentionned in the third column. Any string beginning with a $ symbol refers to a parameter defined in the /etc/opt/IDEALX/smbldap-tools/smbldap.conf configuration file.
option definition example default value
-a create a Windows account. Otherwise, only a Posix account is created    
-w create a Windows Workstation account    
-i create an interdomain trust account. See section 4.4 for more details    
-u set a uid value -u 1003 first uid available
-g set a gid value -g 1003 first gid available
-G add the new account to one or several supplementary groups (comma-separated) -G 512,550  
-d set the home directory -d /var/user $userHomePrefix/user
-s set the login shell -s /bin/ksh $userLoginShell
-c set the user gecos -c "admin user" $userGecos
-m creates user's home directory and copies /etc/skel into it    
-k set the skeleton dir (with -m) -k /etc/skel2 $skeletonDir
-P ends by invoking smbldap-passwd to set the user's password    
-A user can change password ? 0 if no, 1 if yes -A 1  
-B user must change password at first session ? 0 if no, 1 if yes -B 1  
-C set the samba home share -C \\PDC\homes $userSmbHome
-D set a letter associated with the home share -D H: $userHomeDrive
-E set DOS script to execute on login -E common.bat $userScript
-F set the profile directory -F \\PDC\profiles\user $userProfile
-H set the samba account control bits like'[NDHTUMWSLKI]' -H [X]  
-N set the canonical name of the user    
-S set the surname of the user    
-M local mailAddress (comma seperated) -M testuser,aliasuser  
-T forward mail address (comma seperated) -T testuser@domain.org  

Table 2: Options available to the smbldap-useradd script

For example, if you want to add a user named user_admin and who :
  • is a windows user
  • must belong to the group of gid=512 ('Domain Admins' group)
  • has a home directory
  • does not have a login shell
  • has a homeDirectory set to /dev/null
  • does not have a roaming profile
  • and for whom we want to set a first login password
you must invoke: 
smbldap-useradd -a -G 512 -m -s /bin/false -d /dev/null -F "" -P user_admin

4.2.2  Removing a user

To remove a user account, use the smbldap-userdel script. Available options are
option definition
-r remove home directory
-R remove home directory interactively

Table 3: Option available to the smbldap-userdel script

For example, if you want to remove the user1 account from the LDAP directory, and if you also want to delete his home directory, use the following command : 
smbldap-userdel -r user1
Note: '-r' is dangerous as it may delete precious and unbackuped data, please be careful.

4.2.3  Modifying a user

To modify a user account, use the smbldap-usermod script. Availables options are listed in the table 4.
option definition example
-c set the user gecos -c "admin user"
-d set the home directory -d /var/user
-u set a uid value -u 1003
-g set a gid value -g 1003
-G add the new account to one or several supplementary groups (comma-separated) -G 512,550
-G -512,550
-G +512,550
-s set the login shell -s /bin/ksh
-N set the canonical name of the user  
-S set the surname of the user  
-P ends by invoking smbldap-passwd to set the user's password  
-a add sambaSAMAccount objectclass  
-e set an expiration date for the password (format: YYYY-MM-DD HH:MM:SS)  
-A user can change password ? 0 if no, 1 if yes -A 1
-B user must change password at first session ? 0 if no, 1 if yes -B 1
-C set the samba home share -C \\PDC\homes
-C ""
-D set a letter associated with the home share -D H:
-D ""
-E set DOS script to execute on login -E common.bat
-E ""
-F set the profile directory -F \\PDC\profiles\user
-F ""
-H set the samba account control bits like'[NDHTUMWSLKI]' -H [X]
-I disable a user account -I 1
-J enable a user -J 1
-M local mailAddress (comma seperated) -M testuser,aliasuser
-T forward mail address (comma seperated) -T testuser@domain.org

Table 4: Options available to the smbldap-usermod script

You can also use the smbldap-userinfo script to update user's information. This script can also be used by users themselves to update their own informations listed in the tables 5 (adequats ACL must be set in the directory server). Available options are :
option definition example
-f set the full name's user -f MyName
-r set the room number -r 99
-w set the work phone number -w 111111111
-h set the home phone number -h 222222222
-o set other information (in gecos definition) -o "second stage"
-s set the default bash -s /bin/ksh

Table 5: Options available to the smbldap-userinfo script

4.3  Group management

4.3.1  Adding a group

To add a new group in the LDAP directory, use the smbldap-groupadd script. Available options are listed in the table 6.
option definition example
-a add automatic group mapping entry  
-g gid set the gidNumer for this group to gid -g 1002
-o gidNumber is not unique  
-r group-rid set the rid of the group to group-rid -r 1002
-s group-sid set the sid of the group to group-sid -s S-1-5-21-3703471949-3718591838-2324585696-1002
-t group-type set the sambaGroupType to group-type -t 2
-p print the gidNumber to stdout  

Table 6: Options available for the smbldap-groupadd script

4.3.2  Removing a group

To remove the group named group1, just use the following command : 
smbldap-userdel group1

4.4  Adding a interdomain trust account

To add an interdomain trust account to the primary controller trust-pdc, use the -i option of smbldap-useradd as follows : 
[root@etoile root]# smbldap-useradd -i trust-pdc
New password : *******
Retype new password : *******
The script will terminate asking for a password for this trust account. The account will be created in the directory branch where all computer accounts are stored (ou=Computers by default). The only two particularities of this account are that you are setting a password for this account, and the flags of this account are [I ].
Précédent Remonter Suivant

:: Command execute ::

Enter:
 
Select:
 

:: Search ::
  - regexp 
:: Upload ::
 
[ Read-Only ]

:: Make Dir ::
 
[ Read-Only ]
:: Make File ::
 
[ Read-Only ]

:: Go Dir ::
 
:: Go File ::
 

--[ c99shell v. 1.0 pre-release build #16 powered by Captain Crunch Security Team | http://ccteam.ru | Generation time: 0.0036 ]--