scripts/FreeIPA
Archived
1
0
Fork 0
Code Issues 4 Activity
This repository has been archived on 2026-01-01. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
master
FreeIPA/freeipa-samba-user.sh
Frederik Lindenaar 3470ed2dcf Added 3 additional scripts (refer to README.md for what they do) 
- freeipa-samba-user.sh
  - freeipa-service-ntlm.sh
  - freeipa-service-password.sh
2019-07-19 18:18:02 +02:00

76 lines
2.6 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/bash -e
#
# freeipa-samba-user.sh - extend existing user(s) with sambaSAMAccount
#
# Version 1.0, latest version, documentation and bugtracker available at:
# https://gitlab.lindenaar.net/scripts/freeipa
#
# Copyright (c) 2019 Frederik Lindenaar
#
# This script is free software: you can redistribute and/or modify it under the
# terms of version 3 of the GNU General Public License as published by the Free
# Software Foundation, or (at your option) any later version of the license.
#
# This script is distributed in the hope that it will be useful but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program. If not, visit <http://www.gnu.org/licenses/> to download it.
die() { echo $* >&2; exit 1; }
# Exit if hostname not provided
if [ $# -lt 1 ]; then
die "Usage: `basename $0` <user> [<user> ...]"
fi
# Sanity checks, ensure we have a valid Kerberos ticket and run on FreeIPA server
if ! klist -s; then
die "no valid Kerberos ticket, please login to FreeIPA using kinit first"
elif ! ipa server-show ${HOSTNAME:=$(hostname --fqdn)} > /dev/null; then
die "this script should be run on an active IPA server"
fi
# Generate the LDAP User filter, !admin if parameter is * else a list of users
if [ $# == 1 -a "$1" == "*" ]; then
USERFILTER='(!(uid=admin))'
else
USERS="$*"
USERFILTER="(|(uid=${USERS// /)(uid=}))"
fi
# Lookup the Samba Domain - equal to the Kerberos REALM by default
: ${SAMBADOMAIN:=$(ipa host-show $HOSTNAME --raw | fgrep "krbcanonicalname: host/" | cut -d@ -f2)}
# Lookup the users not yet converted and process each of them
declare -A params=( )
ldapsearch -QLLL "(&${USERFILTER}(objectClass=ipantuserattrs)(!(objectClass=sambaSamAccount)))" dn uid ipaNTSecurityIdentifier | while read key value; do
# If we're at an empty line it's the end of the record, perform the change
if [ -z "$key" ]; then
if ldapmodify -Q > /dev/null 2>&1 <<EOLDIF; then
dn: ${params[dn]}
changetype: modify
add: objectClass
objectClass: sambaSamAccount
-
add: sambaSID
sambaSID: ${params[ipaNTSecurityIdentifier]}
-
add: sambaAcctFlags
sambaAcctFlags: [U ]
-
add: sambaDomainName
sambaDomainName: ${SAMBADOMAIN}
EOLDIF
echo "successfully updated user ${params[uid]}"
else
die "failed to update user ${params[uid]}, aborting!"
fi
declare -A params=( )
else # we got another attibute, store it for later processing
params[${key/:/}]="$value"
fi
done
Reference in New Issue View Git Blame Copy Permalink