initial commit of file from CVS for e-smith-samba on Sat Mar 23 16:28:38 AEDT 2024

root/etc/e-smith/events/actions/cleanup-domains

@@ -0,0 +1,56 @@
+#!/usr/bin/perl -w
+
+package esmith;
+
+use strict;
+use Errno;
+use esmith::ConfigDB;
+use esmith::util;
+use Net::LDAP;
+
+my $c = esmith::ConfigDB->open_ro;
+
+# Don't attempt to update ldap unles master
+exit(0) unless ($c->get('ldap')->prop('Authentication') || 'disabled') eq 'enabled';
+
+my $l = $c->get('ldap');
+my $status = $l->prop('status') || "disabled";
+unless ($status eq "enabled" )
+{
+    warn "Not running action script $0, LDAP service not enabled!\n";
+    exit(0);
+}
+
+my $domain = $c->get('DomainName')
+|| die("Couldn't determine domain name");
+$domain = $domain->value;
+
+my $base = esmith::util::ldapBase ($domain);
+my $pw = esmith::util::LdapPassword();
+
+my $ldap = Net::LDAP->new('localhost')
+    or die "$@";
+
+$ldap->bind(
+    dn => "cn=root,$base",
+    password => $pw
+);
+
+my $smb = $c->get('smb');
+my $domName = $smb->prop('Workgroup') || 'sme-server';
+if ( ($smb->prop('ServerRole') || 'WS') eq 'WS' )
+{
+    $domName = $smb->prop('ServerName') || 'sme-server';
+}
+
+my $result = $ldap->search( base => $base, 
+    filter => "(&(objectClass=sambaDomain)(!(sambaDomainName=$domName)))", 
+    scope => 'one' 
+);
+die "failed looking up sambaDomainName entry: ", $result->error if $result->code;
+
+foreach ($result->entries)
+{
+    $_->delete;
+    $_->update($ldap);
+}

root/etc/e-smith/events/actions/create-machine-account

@@ -0,0 +1,140 @@
+#!/usr/bin/perl -w
+#----------------------------------------------------------------------
+# copyright (C) 2001 Mitel Networks Corporation
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+# 		
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 		
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+# 
+# Technical support for this program is available from Mitel Networks 
+# Please visit our web site www.e-smith.com for details.
+#----------------------------------------------------------------------
+package esmith;
+
+use strict;
+use Errno;
+use esmith::ConfigDB;
+use esmith::AccountsDB;
+use esmith::util;
+
+my $a = esmith::AccountsDB->open || die "Couldn't open accounts db\n";
+my $c = esmith::ConfigDB->open_ro || die "Could not open Config DB";
+
+my $ldapauth = $c->get('ldap')->prop('Authentication') || 'disabled';
+my $x = 0; # exit value
+
+my $domain = $c->get('DomainName')->value();
+my $base = esmith::util::ldapBase ($domain);
+
+my $event = $ARGV [0];
+my $machineName = $ARGV [1];
+
+die "machine name $machineName is not a valid machine account name"
+	unless ( $machineName =~ /\$$/ );
+
+my $m = $a->get($machineName);
+if ($m)
+{
+    my $type = $m->prop('type');
+    die "$machineName is not a machine account" 
+	unless ($type eq "machine");
+}
+else
+{
+    # Auto-create the accounts database entry. This is bad form, but
+    # the Samba "add user script" is called as the user "admin", who
+    # does not currently have permissions to write to the config database
+    $m = $a->new_record($machineName, {type => "machine"});
+}
+
+my $lock = undef;
+my $uid;
+unless ($uid = $m->prop('Uid'))
+{
+    use esmith::lockfile;
+
+    $lock = esmith::lockfile::LockFileOrWait("/home/e-smith/db/accounts");
+    $uid = $a->get_next_uid;
+    $m->set_prop('Uid', $uid);
+}
+my $gid = $m->prop('Gid') || $uid;
+
+# We really, really need to be root to run "passwd -l"
+esmith::util::setRealToEffective();
+
+warn "create-machine-account $machineName: Creating Unix user and group\n";
+
+if ($ldapauth ne 'enabled')
+{
+    # Create the machine's unique group first
+    system(
+            "/usr/sbin/groupadd",
+            "-g",
+            $gid,
+            $machineName
+        ) == 0 or ( $x = 255, warn "Failed to create (unix) group $machineName.\n" );
+
+    # Now create the machine account
+    system(
+            "/usr/sbin/useradd",
+            "-u", $uid,
+            "-g", $gid,
+            "-c", "Hostname account for $machineName",
+            "-M",
+            "-d", "/noexistingpath",
+            "-s", "/bin/false",
+            "$machineName"
+        ) == 0 or ( $x = 255, warn "Failed to create (unix) account $machineName.\n" );
+
+    system("/usr/bin/passwd", "-l", "$machineName") == 0
+        or ( $x = 255, warn "Failed locking (unix) password for $machineName\n" );
+}
+
+# Create the machine's unique group first (in ldap)
+system( 
+        "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupadd",
+        "-g", $gid,
+        "-o",
+        "$machineName"
+    ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) group $machineName.\n" );
+
+# Now create the machine account (in ldap)
+system(
+        "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "useradd",
+        "-u", $uid,
+        "-g", $gid,
+        "--userbase=ou=Computers,$base",
+        "-c", "Hostname account for $machineName",
+        "-o",
+        "-d", "/noexistingpath",
+        "-s", "/bin/false",
+        "$machineName"
+    ) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed to create (ldap) account $machineName.\n" );
+
+warn "create-machine-account $machineName: Locking account\n";
+
+system("/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod", 
+       "--userbase=ou=Computers,$base",
+       "-o", 
+       "-L", 
+       "$machineName"
+) == 0 or ( $x = $ldapauth ne 'enabled' ? $x : 255, warn "Failed locking (ldap) password for $machineName\n" );
+
+if ($ldapauth ne 'enabled')
+{
+    warn "create-machine-account $machineName: Creating smbpasswd account\n";
+
+    system("/usr/bin/smbpasswd", "-a", "-m", "$machineName") == 0 
+        or warn "Could not create smb password entry for $machineName\n";
+}
+exit ($x);

root/etc/e-smith/events/actions/delete-smbpasswd

@@ -0,0 +1,2 @@
+#! /bin/sh
+exec rm -f /etc/samba/smbpasswd

root/etc/e-smith/events/actions/delete_printer_tdb

@@ -0,0 +1,6 @@
+#! /bin/sh
+
+ACTION=$1
+PRINTER=$2
+
+exec rm -f /var/cache/samba/printing/$PRINTER.tdb

root/etc/e-smith/events/actions/shadow-copy-rotate

@@ -0,0 +1,130 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+use POSIX qw(strftime); 
+use File::Path;
+use File::Basename;
+use esmith::ConfigDB;
+use esmith::AccountsDB;
+
+# Routines taken from powershift of rlbackup
+sub stagger;
+sub powershift;
+sub shadowdir;
+sub rmshadow;
+
+my $cdb = esmith::ConfigDB->open_ro;
+my $adb = esmith::AccountsDB->open_ro();
+
+my $smb = $cdb->get('smb') or die "No smb db entry found\n";
+my $shadowdir = $smb->prop('ShadowDir') || '/home/e-smith/files/.shadow';
+my $shadowcopy = $smb->prop('ShadowCopy') || 'disabled';
+my $offset = ($smb->prop('ShadowCount') || 2) - 2;
+$offset = 0 if $offset < 0;
+
+exit unless -d $shadowdir;
+exit if $shadowcopy eq 'disabled';
+
+my $filesdir = '/home/e-smith/files';
+my $snapfmt = '@GMT-%Y.%m.%d-%H.%M.%S';
+
+# Switch old shadow directories to new format
+opendir(SHADOW, $shadowdir);
+foreach my $s ( grep { /^\d/ && ! -l "$shadowdir/$_" && -d "$shadowdir/$_" } readdir SHADOW ) {
+     my @stat = stat("$shadowdir/$s");
+     rename "$shadowdir/$s", "$shadowdir/".strftime($snapfmt, gmtime($stat[9]));
+     symlink strftime($snapfmt, gmtime($stat[9])), "$shadowdir/$s";
+}
+closedir(SHADOW);
+
+# remove old symlinks in ibays
+foreach my $ibay ($adb->ibays()) {
+    my $ibaydir = 'ibays/' . $ibay->key . ( $ibay->prop('PublicAccess') eq 'none' ? '/files' : '' );
+
+    opendir(IBAY, "$filesdir/$ibaydir") || next;
+    unlink "$filesdir/$ibaydir/$_" foreach (grep /^\@GMT-/, readdir(IBAY));
+    closedir(IBAY);
+}
+
+# remove old symlinks in ibays
+foreach my $user ($adb->users()) {
+    my $userdir = 'users/' . $user->key . '/home';
+
+    opendir(USER, "$filesdir/$userdir") || next;
+    unlink "$filesdir/$userdir/$_" foreach (grep /^\@GMT-/, readdir(USER));
+    closedir(USER);
+}
+
+# Create sync point if it doesn't already exist
+my $snapdir = strftime($snapfmt, gmtime(time));
+if ( -d "$shadowdir/0" ) {
+    rename "$shadowdir/".readlink("$shadowdir/0"), "$shadowdir/$snapdir";
+    unlink "$shadowdir/0";
+} else {
+    mkdir "$shadowdir/$snapdir";
+}
+symlink "$snapdir", "$shadowdir/0";
+
+# Create list of ibays and users to shadow
+my ($ibays, $users, $link) = ('','','');
+my @ibays = grep { ($_->prop('ShadowCopy') || 'enabled') ne 'disabled' } $adb->ibays();
+$ibays = "$filesdir/./ibays/{" . join(',', map { $_->key } @ibays) . "}/" if scalar @ibays > 1;
+$ibays = "$filesdir/./ibays/" . $ibays[0]->key . "/" if scalar @ibays == 1;
+my @users = grep { ($_->prop('ShadowCopy') || 'enabled') ne 'disabled' } $adb->users();
+$users = "$filesdir/./users/{" . join(',', map { $_->key } @users) . "}/home/" if scalar @users > 1;
+$users = "$filesdir/./users/" . $users[0]->key . "/home/" if scalar @users == 1;
+$link = "--link-dest ../1" if -d "$shadowdir/1";
+
+# Sync directories to shadow directory
+if ( $ibays || $users) {
+    system("rsync -aHmR --partial --delete --delete-excluded --exclude 'aquota.*' $link $ibays $users $shadowdir/0/") == 0
+        or die "Couldn't sync directories";
+}
+
+# Shift directories using geometric roll-off (only if different)
+if ( -d "$shadowdir/1" ) {
+    if (system("diff -qr $shadowdir/0 $shadowdir/1 &> /dev/null") == 0) {
+        rmshadow("$shadowdir/0");
+    } else {
+        powershift(2) if -d shadowdir(-$offset);
+        for (my $i=2; $i >= -$offset; $i--) {
+            rename shadowdir($i), shadowdir($i+1) 
+        }
+    }
+} else {
+    rename "$shadowdir/0", "$shadowdir/1";
+}
+
+sub rmshadow {
+    my $d = shift;
+    if ( -l "$d" ) {
+        rmtree dirname($d)."/".readlink($d);
+        unlink "$d";
+    } elsif ( -d "$d" ) {
+        rmtree "$d"
+    }
+}
+
+sub shadowdir {
+    my $i = shift;
+    return "$shadowdir/".($i+$offset);
+}
+
+sub stagger {
+    my $i = shift;
+    return $i + ($i >> 1);
+}
+
+sub powershift {
+    my $i = shift;
+    if ( -d shadowdir(stagger($i)) ) {
+        my $n = powershift($i << 1);
+        $i = $n >> 1;
+        rename shadowdir(stagger($i)), shadowdir($n) if -d shadowdir(stagger($i));
+        rmshadow(shadowdir($i));
+    } else {
+        rename shadowdir($i), shadowdir(stagger($i)) if -d shadowdir($i);
+    }
+    return $i;
+}

root/etc/e-smith/events/actions/store-ldap-smbpasswd

@@ -0,0 +1,40 @@
+#!/usr/bin/perl -w
+
+#----------------------------------------------------------------------
+# copyright (C) 2010 Firewall Services
+# daniel@firewall-services.com
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+#----------------------------------------------------------------------
+
+use esmith::ConfigDB;
+use esmith::util;
+
+my $c = esmith::ConfigDB->open_ro;
+my $l = $c->get('ldap') || die "ldap service not found\n";
+my $s = $l->prop('status') || 'disabled';
+unless ( $s eq 'enabled' ){
+    warn "Not running action script $0, LDAP service not enabled!\n";
+    exit(0);
+}
+exit(0) unless ($l->prop('Authentication') || 'disabled') eq 'enabled';
+
+my $domain = $c->get("DomainName")
+    || die("Could not determine domain name");
+my $base = esmith::util::ldapBase ($domain->value);
+my $pw = esmith::util::LdapPassword();
+
+die "Error storing LDAP password in secret.tdb\n" unless
+    system('/usr/bin/smbpasswd', '-w', "$pw") == 0;

root/etc/e-smith/events/actions/update-domain-group-maps

@@ -0,0 +1,106 @@
+#!/usr/bin/perl -w
+
+package esmith;
+
+use strict;
+use Errno;
+use esmith::AccountsDB;
+use esmith::ConfigDB;
+use esmith::util;
+
+# events: console-save, bootstrap-console-save, group-modify-samba, group-create
+#         post-install, post-upgrade, workgroup-update
+my $debug = "--debuglevel=1";
+
+my $a = esmith::AccountsDB->open_ro or die "Couldn't open accounts db\n";
+my $c = esmith::ConfigDB->open_ro or die "Could not open Config DB";
+
+my $ldapauth = $c->get('ldap')->prop('Authentication') || 'disabled';
+my $pw = esmith::util::LdapPassword();
+
+my $g = `/usr/bin/net getlocalsid`;
+unless ($g =~ /SID.*is: (.+)/) {
+    warn "Unable to determine SID.  Clearning cache to see if it helps.";
+    rename '/etc/samba/secrets.tdb','/etc/samba/secrets.'.time;
+    rename '/var/cache/samba/gencache.tdb','/var/cache/samba/gencache.'.time;
+    rename '/var/cache/samba/wins.dat','/var/cache/samba/wins.'.time;
+    $g = `/usr/bin/net getlocalsid`;
+    $g =~ /SID.*is: (.+)/ or die "Could not get current sid\n";
+    if ($ldapauth eq 'enabled')
+    {
+        # Add the LDAP admin password in secret.tdb
+        warn "Couldn't add LDAP password in secret.tdb\n" unless
+            system("/usr/bin/smbpasswd", "-w", "$pw") == 0;
+    }
+}
+my $local_sid = $1;
+
+my %mappings = (
+	'Domain Admins' => 'admin',
+	'Domain Users' => 'shared',
+	'Domain Guests' => 'nobody',
+    (map { $_->prop('FirstName')." ".$_->prop('LastName'), $_->key } $a->users()),
+    (map { $_->prop('Description'), $_->key } $a->groups()));
+
+$mappings{$a->get_prop('admin','FirstName')." ".$a->get_prop('admin','LastName')} = 'admin' unless $mappings{'Domain Admins'} eq 'admin';
+
+my %ridmap = (
+	'Domain Admins' => '512',
+	'Domain Users' => '513',
+	'Domain Guests' => '514');
+
+my %sidmap = ();
+foreach (`/usr/bin/net groupmap list`)
+{
+    chomp;
+    if (/^(.*?) \((S-.*-(\d+))\) -> (.*)$/)
+    {
+	my ($nt, $sid, $rid, $group) = ($1, $2, $3, $4);
+
+	# Skip local groups
+	next if ($sid =~ /^S-1-5-32-\d+$/);
+
+	if (exists $mappings{$nt})
+	{
+	    if ($ridmap{$nt} && $ridmap{$nt} ne $rid)
+	    {
+		# Wrong (old?) sid
+		system('/usr/bin/net','groupmap','delete',"sid=$sid");
+	    }
+	    elsif ($sid =~ /^$local_sid-/)
+	    {
+		my $ug = $mappings{$nt};
+		if ($group eq $ug)
+		{
+		    $sidmap{$nt} = 'done';
+		}
+		else
+		{
+		    system('/usr/bin/net','groupmap','delete',"sid=$sid");
+		}
+	    }
+	    else
+	    {
+		# Wrong (old?) sid
+		system('/usr/bin/net','groupmap','delete',"sid=$sid");
+	    }
+	}
+	else
+	{
+	    # Non existant group
+	    system('/usr/bin/net','groupmap','delete',"sid=$sid");
+	}
+    }
+}
+
+foreach (keys %mappings)
+{
+    next if $sidmap{$_} && $sidmap{$_} eq 'done';
+    system('/usr/bin/net',$debug,
+	    'groupmap','add',
+	    "ntgroup=$_",
+	    "unixgroup=" . $mappings{$_},
+	    $ridmap{$_} ? "rid=$ridmap{$_}" : (),
+	    $sidmap{$_} && ! $ridmap{$_} ? "sid=$sidmap{$_}" : (),
+	    'type=d');
+}

root/etc/e-smith/events/actions/user-create-profiledir

@@ -0,0 +1,59 @@
+#!/usr/bin/perl -w
+#----------------------------------------------------------------------
+# copyright (C) 2001-2005 Mitel Networks Corporation
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+# 		
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 		
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+# 
+#----------------------------------------------------------------------
+package esmith;
+
+use strict;
+use Errno;
+use esmith::util;
+
+use esmith::AccountsDB;
+my $adb = esmith::AccountsDB->open_ro();
+
+my $event = $ARGV [0];
+
+my @users = ('admin', map { $_->key } $adb->users);
+
+my @newusers = ( not defined $ARGV[1] ) ? @users : $ARGV[1] ;
+
+foreach my $user ( @newusers )
+{
+    die "$user is not a user account\n"
+        unless ( grep /^$user$/, @users );
+
+    my @dirs = ("/home/e-smith/files/samba/profiles/$user","/home/e-smith/files/samba/profiles/${user}.V2",
+    "/home/e-smith/files/samba/profiles/${user}.V3","/home/e-smith/files/samba/profiles/${user}.V4",
+    "/home/e-smith/files/samba/profiles/${user}.V5","/home/e-smith/files/samba/profiles/${user}.V6");
+   
+    foreach my $dir (@dirs)
+    {
+        my $pre_existing = ( -d $dir );
+     
+        $pre_existing || mkdir $dir, 700 || die "Couldn't create directory $dir\n";
+
+        chmod 0700, $dir;	# Remove setgid bit
+        
+        next if $pre_existing;
+
+        esmith::util::chownFile($user, $user, $dir) || 
+            die "Couldn't change ownership of $dir\n";
+    }
+}
+
+exit (0);

root/etc/e-smith/events/actions/user-delete-profiledir

@@ -0,0 +1,50 @@
+#!/usr/bin/perl -w
+#----------------------------------------------------------------------
+# copyright (C) 1999-2005 Mitel Networks Corporation
+# 
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+# 		
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 		
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
+# 
+#----------------------------------------------------------------------
+package esmith;
+
+use strict;
+use Errno;
+use File::Path;
+
+use esmith::AccountsDB;
+my $adb = esmith::AccountsDB->open_ro();
+
+my $event = $ARGV [0];
+my $account = $ARGV [1];
+
+$a = $adb->get($account) || undef;
+unless ( defined $a && $a->prop('type') eq "user-deleted" )
+{
+    warn "$account is not a user account\n";
+    exit (0);
+}
+
+my @dirs = ("/home/e-smith/files/samba/profiles/$account","/home/e-smith/files/samba/profiles/$account.V2",
+    "/home/e-smith/files/samba/profiles/$account.V3","/home/e-smith/files/samba/profiles/$account.V4",
+    "/home/e-smith/files/samba/profiles/$account.V5","/home/e-smith/files/samba/profiles/$account.V6");
+
+foreach (@dirs) {
+ 
+    next unless -d $_;
+    rmtree( $_ ) || die "Couldn't remove tree $_\n";
+
+}
+
+exit (0);