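#!/usr/bin/perl -w
#----------------------------------------------------------------------
# copyright (C) 2001 Mitel Networks Corporation
# Copyright (C) 2024 Koozali Foundation inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Technical support for this program is available from Mitel Networks
# Please visit our web site www.e-smith.com for details.
#----------------------------------------------------------------------
#
# create-machine-account: event action that provisions a Samba machine
# (trust) account.  Called as: <script> <event> <machine-name>$
#
# Steps, in order:
#   1. look up (or auto-create) the accounts-db record for the machine;
#   2. allocate a Uid under the accounts-db lock if none is stored yet;
#   3. unless LDAP authentication is enabled, create the Unix group and a
#      login-less Unix user and lock its password;
#   4. create the group and machine entries in LDAP;
#   5. unless LDAP authentication is enabled, add the smbpasswd entry.
#
# Every external command is invoked in list form, so the machine name is
# never passed through a shell.  The only validation done here is the
# trailing '$' that marks a machine account; groupadd/useradd apply their
# own user-name rules and fail (reported below) on anything else.
#
# Exit status is 0 on success and 255 if any mandatory step failed.
# LDAP failures only affect the exit status when LDAP authentication is
# enabled; otherwise they are reported and the Unix account is treated as
# authoritative.  An smbpasswd failure is reported but does not change the
# exit status (unchanged from the original behaviour).
#----------------------------------------------------------------------

package esmith;

use strict;
use warnings;
use utf8;
use Errno;
use esmith::AccountsDB;
use esmith::ConfigDB;
use esmith::lockfile;
use esmith::util;
use esmith::util::ldap;

# Deliberately not named $a / $c: those are sort's package variables.
my $accounts = esmith::AccountsDB->open || die "Couldn't open accounts db\n";
my $config   = esmith::ConfigDB->open_ro || die "Could not open Config DB";

my $ldapauth = $config->get('ldap')->prop('Authentication') || 'disabled';

my $x = 0;    # exit status; becomes 255 once a mandatory step fails

# Prepare the LDAP bind up front so a broken LDAP setup fails early.
my $ldap = esmith::util::ldap->new();

my ($event, $machineName) = @ARGV;
die "Usage: $0 <event> <machine account name>\n"
    unless defined $machineName;

# Samba machine accounts are distinguished by a trailing '$'.  \z rather
# than $ so that a name carrying a trailing newline is rejected as well.
die "machine name $machineName is not a valid machine account name"
    unless $machineName =~ m{ \$ \z }xms;

my $m = $accounts->get($machineName);
if ($m) {
    my $type = $m->prop('type');
    die "$machineName is not a machine account"
        unless defined $type && $type eq "machine";
}
else {
    # Auto-create the accounts database entry.  This is bad form, but the
    # Samba "add user script" is called as the user "admin", who does not
    # currently have permissions to write to the config database.
    $m = $accounts->new_record($machineName, { type => "machine" });
}

# The lock is a file-scoped lexical on purpose: it stays held until the
# script exits, serialising uid allocation with other account actions.
my $lock;
my $uid = $m->prop('Uid');
unless ($uid) {
    $lock = esmith::lockfile::LockFileOrWait("/home/e-smith/db/accounts");
    $uid  = $accounts->get_next_uid;
    $m->set_prop('Uid', $uid);
}
# No stored Gid means the machine gets a private group numbered like its uid.
my $gid = $m->prop('Gid') || $uid;

# Mark a mandatory step as failed: report it and set the exit status.
my $fail = sub {
    my ($message) = @_;
    $x = 255;
    warn $message;
    return;
};

# LDAP steps are only mandatory when LDAP authentication is enabled.
my $ldap_fail = sub {
    my ($message) = @_;
    $x = 255 if $ldapauth eq 'enabled';
    warn $message;
    return;
};

# We really, really need to be root to run "passwd -l".
esmith::util::setRealToEffective();

warn "create-machine-account $machineName: Creating Unix user and group\n";

if ($ldapauth ne 'enabled') {
    # Create the machine's unique group first.
    system('/usr/sbin/groupadd', '-g', $gid, $machineName) == 0
        or $fail->("Failed to create (unix) group $machineName.\n");

    # Now create the machine account: no home directory, no shell.
    system(
        '/usr/sbin/useradd',
        '-u', $uid,
        '-g', $gid,
        '-c', "Hostname account for $machineName",
        '-M',
        '-d', '/noexistingpath',
        '-s', '/bin/false',
        $machineName,
    ) == 0
        or $fail->("Failed to create (unix) account $machineName.\n");

    # A machine account must never be usable for a password login.
    system('/usr/bin/passwd', '-l', $machineName) == 0
        or $fail->("Failed locking (unix) password for $machineName\n");
}

# Create the machine's unique group first (in ldap).
my $result = $ldap->ldapgroup($m);
$ldap_fail->("Failed to create (ldap) group $machineName.\n") if $result;

# Now create the machine account (in ldap).  The samba related action
# script will add more.
$result = $ldap->ldapaddmachine($m);
$ldap_fail->("Failed to create (ldap) account $machineName.\n") if $result;

warn "create-machine-account $machineName: Locking account\n";

# esmith::util::ldap ldapaddmachine already locks the account on creation
# in LDAP, so only the non-LDAP path needs an smbpasswd entry here.
if ($ldapauth ne 'enabled') {
    warn "create-machine-account $machineName: Creating smbpasswd account\n";
    system('/usr/bin/smbpasswd', '-a', '-m', $machineName) == 0
        or warn "Could not create smb password entry for $machineName\n";
}

exit($x);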