Added 3 additional scripts (refer to README.md for what they do)
- freeipa-samba-user.sh - freeipa-service-ntlm.sh - freeipa-service-password.sh
75
freeipa-samba-user.sh
Executable file
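--- /dev/null
+++ b/freeipa-samba-user.sh
@@ -0,0 +1,75 @@
+#!/bin/bash -e
+#
+# freeipa-samba-user.sh - extend existing user(s) with sambaSAMAccount
+#
+# Version 1.0, latest version, documentation and bugtracker available at:
+# https://gitlab.lindenaar.net/scripts/freeipa
+#
+# Copyright (c) 2019 Frederik Lindenaar
+#
+# This script is free software: you can redistribute and/or modify it under the
+# terms of version 3 of the GNU General Public License as published by the Free
+# Software Foundation, or (at your option) any later version of the license.
+#
+# This script is distributed in the hope that it will be useful but WITHOUT ANY
+# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# this program. If not, visit <http://www.gnu.org/licenses/> to download it.
+
+die() { echo $* >&2; exit 1; }
+
+# Exit if hostname not provided
+if [ $# -lt 1 ]; then
+die "Usage: `basename $0` <user> [<user> ...]"
+fi
+
+# Sanity checks, ensure we have a valid Kerberos ticket and run on FreeIPA server
+if ! klist -s; then
+die "no valid Kerberos ticket, please login to FreeIPA using kinit first"
+elif ! ipa server-show ${HOSTNAME:=$(hostname --fqdn)} > /dev/null; then
+die "this script should be run on an active IPA server"
+fi
+
+# Generate the LDAP User filter, !admin if parameter is * else a list of users
+if [ $# == 1 -a "$1" == "*" ]; then
+USERFILTER='(!(uid=admin))'
+else
+USERS="$*"
+USERFILTER="(|(uid=${USERS// /)(uid=}))"
+fi
+
+# Lookup the Samba Domain - equal to the Kerberos REALM by default
+: ${SAMBADOMAIN:=$(ipa host-show $HOSTNAME --raw | fgrep "krbcanonicalname: host/" | cut -d@ -f2)}
+
+# Lookup the users not yet converted and process each of them
+declare -A params=( )
+ldapsearch -QLLL "(&${USERFILTER}(objectClass=ipantuserattrs)(!(objectClass=sambaSamAccount)))" dn uid ipaNTSecurityIdentifier | while read key value; do
+# If we're at an empty line it's the end of the record, perform the change
+if [ -z "$key" ]; then
+if ldapmodify -Q > /dev/null 2>&1 <<EOLDIF; then
+dn: ${params[dn]}
+changetype: modify
+add: objectClass
+objectClass: sambaSamAccount
+-
+add: sambaSID
+sambaSID: ${params[ipaNTSecurityIdentifier]}
+-
+add: sambaAcctFlags
+sambaAcctFlags: [U ]
+-
+add: sambaDomainName
+sambaDomainName: ${SAMBADOMAIN}
+EOLDIF
+echo "successfully updated user ${params[uid]}"
+else
+die "failed to update user ${params[uid]}, aborting!"
+fi
+declare -A params=( )
+else # we got another attibute, store it for later processing
+params[${key/:/}]="$value"
+fi
+done
+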
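Review bot: The user names taken from argv are spliced into the LDAP filter unescaped at `USERFILTER="(|(uid=${USERS// /)(uid=}))"`, so an argument containing `*`, `(`, `)` or `\` changes which entries match — `jo*` (or an unquoted `*` that the shell has already expanded into the file names of the current directory) silently extends sambaSamAccount to every user the pattern hits, and a crafted argument can close the filter early. Since FreeIPA user names use a small character set anyway, I would reject anything else before building the filter: `for u in "$@"; do [[ "$u" == '*' ]] || [[ "$u" =~ ^[A-Za-z0-9_.-]+$ ]] || die "invalid user name: $u"; done`. The record parser is fragile in the same direction: `while read key value` strips backslashes, so a DN with an escaped comma is reassembled wrong and ldapmodify then addresses a different or non-existent entry, and ldapsearch -LLL folds values longer than its LDIF wrap width (76 columns by default) onto a leading-space continuation line that this loop stores as a new key; `read -r key value` plus, where the OpenLDAP client supports it, `ldapsearch -o ldif-wrap=no` covers both. Two smaller points: `ldapmodify -Q > /dev/null 2>&1` discards the only diagnostic the "failed to update user" branch could report, so at least keep stderr, and the rendered `sambaAcctFlags: [U ]` looks like collapsed whitespace — Samba expects the fixed-width `[U          ]` form, so confirm the raw file still carries the padding.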