use strict;
use FindBin;
use FindBin qw($RealBin);
use lib "$RealBin/";
use smbldap_tools;
use Getopt::Std;
my %Options;
my $nscd_status;
my $ok = getopts('A:B:C:D:E:F:H:IJM:N:S:PT:ame:f:u:g:G:d:l:r:s:c:ok:?h', \%Options);
if ( (!$ok) || (@ARGV < 1) || ($Options{'?'}) || ($Options{'h'}) ) {
print_banner;
print "Usage: $0 [-awmugdsckABCDEFGHIPSMT?h] username\n";
print "Available options are:\n";
print " -c gecos\n";
print " -d home directory\n";
print " -r new username (cn, sn and dn are updated)\n";
print " -u uid\n";
print " -o uid can be non unique\n";
print " -g gid\n";
print " -G supplementary groups (comma separated)\n";
print " -s shell\n";
print " -N canonical name\n";
print " -S surname\n";
print " -P ends by invoking smbldap-passwd\n";
print " For samba users:\n";
print " -a add sambaSAMAccount objectclass\n";
print " -e expire date (\"YYYY-MM-DD HH:MM:SS\")\n";
print " -A can change password ? 0 if no, 1 if yes\n";
print " -B must change password ? 0 if no, 1 if yes\n";
print " -C sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')\n";
print " -D sambaHomeDrive (letter associated with home share, like 'H:')\n";
print " -E sambaLogonScript (DOS script to execute on login)\n";
print " -F sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')\n";
print " -H sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')\n";
print " -I disable an user. Can't be used with -H or -J\n";
print " -J enable an user. Can't be used with -H or -I\n";
print " -M mailAddresses (comma seperated)\n";
print " -T mailToAddress (forward address) (comma seperated)\n";
print " -?|-h show this help message\n";
exit (1);
}
if ($< != 0) {
print "You must be root to modify an user\n";
exit (1);
}
my $user = $ARGV[0];
my $ldap_master=connect_ldap_master();
my $user_entry = read_user_entry($user);
if (!defined($user_entry)) {
print "$0: user $user doesn't exist\n";
exit (1);
}
my $samba = 0;
if (grep ($_ =~ /^sambaSamAccount$/i, $user_entry->get_value('objectClass'))) {
$samba = 1;
}
my $dn= $user_entry->dn();
my $tmp;
my @mods;
my @dels;
if (defined($tmp = $Options{'a'})) {
my $winmagic = 2147483647;
my $valpwdcanchange = 0;
my $valpwdmustchange = $winmagic;
my $valpwdlastset = 0;
my $valacctflags = "[UX]";
my $user_entry=read_user_entry($user);
my $uidNumber = $user_entry->get_value('uidNumber');
my $userRid = 2 * $uidNumber + 1000;
my $modify = $ldap_master->modify ( "$dn",
changes => [
add => [objectClass => 'sambaSAMAccount'],
add => [sambaPwdLastSet => "$valpwdlastset"],
add => [sambaLogonTime => '0'],
add => [sambaLogoffTime => '2147483647'],
add => [sambaKickoffTime => '2147483647'],
add => [sambaPwdCanChange => "$valpwdcanchange"],
add => [sambaPwdMustChange => "$valpwdmustchange"],
add => [displayName => "$config{userGecos}"],
add => [sambaSID=> "$config{SID}-$userRid"],
add => [sambaAcctFlags => "$valacctflags"],
]
);
$modify->code && warn "failed to modify entry: ", $modify->error ;
}
my $changed_uid;
my $_userUidNumber;
my $_userRid;
if (defined($tmp = $Options{'u'})) {
if (defined($Options{'o'})) {
$nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
system "/etc/init.d/nscd stop > /dev/null 2>&1";
}
if (getpwuid($tmp)) {
if ($nscd_status == 0) {
system "/etc/init.d/nscd start > /dev/null 2>&1";
}
print "$0: uid number $tmp exists\n";
exit (6);
}
if ($nscd_status == 0) {
system "/etc/init.d/nscd start > /dev/null 2>&1";
}
}
push(@mods, 'uidNumber', $tmp);
$_userUidNumber = $tmp;
if ($samba) {
my $_userRid = 2 * $_userUidNumber + 1000;
if (defined($Options{'x'})) {
$_userRid= sprint("%x", $_userRid);
}
push(@mods, 'sambaSID', $config{SID}.'-'.$_userRid);
}
$changed_uid = 1;
}
my $changed_gid;
my $_userGidNumber;
my $_userGroupSID;
if (defined($tmp = $Options{'g'})) {
$_userGidNumber = parse_group($tmp);
if ($_userGidNumber < 0) {
print "$0: group $tmp doesn't exist\n";
exit (6);
}
push(@mods, 'gidNumber', $_userGidNumber);
if ($samba) {
my $group_entry = read_group_entry_gid($_userGidNumber);
my $_userGroupSID = $group_entry->get_value('sambaSID');
unless ($_userGroupSID) {
print "Error: sambaPrimaryGroupSid could not be set (sambaSID for group $_userGidNumber does not exist\n";
exit (7);
}
push(@mods, 'sambaPrimaryGroupSid', $_userGroupSID);
}
$changed_gid = 1;
}
if (defined($tmp = $Options{'s'})) {
push(@mods, 'loginShell' => $tmp);
}
if (defined($tmp = $Options{'c'})) {
push(@mods, 'gecos' => $tmp,
'description' => $tmp);
if ($samba == 1) {
push(@mods, 'displayName' => $tmp);
}
}
if (defined($tmp = $Options{'d'})) {
push(@mods, 'homeDirectory' => $tmp);
}
if (defined($tmp = $Options{'N'})) {
push(@mods, 'cn' => $tmp);
}
if (defined($tmp = $Options{'S'})) {
push(@mods, 'sn' => $tmp);
}
my $mailobj = 0;
if ($tmp= $Options{'M'}) {
my $action= '';
if ($tmp =~ s/^([+-])+\s*//) {
$action= $1;
}
my @userMailLocal = &split_arg_comma($tmp);
my @mail;
foreach my $m (@userMailLocal) {
my $domain = $config{mailDomain};
if ($m =~ /^(.+)@/) {
push (@mail, $m);
$m= $1;
} else {
push(@mail, $m.($domain ? '@'.$domain : ''));
}
}
if ($action) {
my @old_MailLocal;
my @old_mail;
@old_mail = $user_entry->get_value('mail');
@old_MailLocal = $user_entry->get_value('mailLocalAddress');
if ($action eq '+') {
@userMailLocal = &list_union(\@old_MailLocal, \@userMailLocal);
@mail = &list_union(\@old_mail, \@mail);
} elsif ($action eq '-') {
@userMailLocal = &list_minus(\@old_MailLocal, \@userMailLocal);
@mail = &list_minus(\@old_mail, \@mail);
}
}
push(@mods, 'mailLocalAddress', [ @userMailLocal ]);
push(@mods, 'mail' => [ @mail ]);
$mailobj = 1;
}
if ($tmp= $Options{'T'}) {
my $action= '';
my @old;
if ($tmp =~ s/^([+-])+\s*//) {
$action= $1;
}
my @userMailTo = &split_arg_comma($tmp);
if ($action) {
@old = $user_entry->get_value('mailRoutingAddress');
}
if ($action eq '+') {
@userMailTo = &list_union(\@old, \@userMailTo);
} elsif ($action eq '-') {
@userMailTo = &list_minus(\@old, \@userMailTo);
}
push(@mods, 'mailRoutingAddress', [ @userMailTo ]);
$mailobj = 1;
}
if ($mailobj) {
my @objectclass = $user_entry->get_value('objectClass');
if (! grep ($_ =~ /^inetLocalMailRecipient$/i, @objectclass)) {
push(@mods, 'objectClass' => [ @objectclass, 'inetLocalMailRecipient' ]);
}
}
if (defined($tmp = $Options{'G'})) {
my $action= '';
if ($tmp =~ s/^([+-])+\s*//) {
$action= $1;
}
if ($action eq '-') {
foreach my $gname (&split_arg_comma($tmp)) {
group_remove_member($gname, $user);
}
} else {
if ($action ne '+') {
my @old = &find_groups_of($user);
foreach my $gname (@old) {
if ($gname ne "") {
group_remove_member($gname, $user);
}
}
}
add_grouplist_user($tmp, $user);
}
}
my $attr;
my $winmagic = 2147483647;
$samba = is_samba_user($user);
if (defined($tmp = $Options{'e'})) {
if ($samba == 1) {
my $kickoffTime=`date --date='$tmp' +%s`;
chomp($kickoffTime);
push(@mods, 'sambakickoffTime' => $kickoffTime);
} else {
print "User $user is not a samba user\n";
}
}
my $_sambaPwdCanChange;
if (defined($tmp = $Options{'A'})) {
if ($samba == 1) {
$attr = "sambaPwdCanChange";
if ($tmp != 0) {
$_sambaPwdCanChange=0;
} else {
$_sambaPwdCanChange=$winmagic;
}
push(@mods, 'sambaPwdCanChange' => $_sambaPwdCanChange);
} else {
print "User $user is not a samba user\n";
}
}
my $_sambaPwdMustChange;
if (defined($tmp = $Options{'B'})) {
if ($samba == 1) {
if ($tmp != 0) {
$_sambaPwdMustChange=0;
my $_sambaAcctFlags;
my $flags = $user_entry->get_value('sambaAcctFlags');
if ( defined $flags and $flags =~ /X/ ) {
my $letters;
if ($flags =~ /(\w+)/) {
$letters = $1;
}
$letters =~ s/X//;
$_sambaAcctFlags="\[$letters\]";
push(@mods, 'sambaAcctFlags' => $_sambaAcctFlags);
}
my $_sambaPwdLastSet = $user_entry->get_value('sambaPwdLastSet');
if ($_sambaPwdLastSet == 0) {
push(@mods, 'sambaPwdLastSet' => $winmagic);
}
} else {
$_sambaPwdMustChange=$winmagic;
}
push(@mods, 'sambaPwdMustChange' => $_sambaPwdMustChange);
} else {
print "User $user is not a samba user\n";
}
}
if (defined($tmp = $Options{'C'})) {
if ($samba == 1) {
if ($tmp eq "" and defined $user_entry->get_value('sambaHomePath')) {
push(@dels, 'sambaHomePath' => []);
} elsif ($tmp ne "") {
push(@mods, 'sambaHomePath' => $tmp);
}
} else {
print "User $user is not a samba user\n";
}
}
my $_sambaHomeDrive;
if (defined($tmp = $Options{'D'})) {
if ($samba == 1) {
if ($tmp eq "" and defined $user_entry->get_value('sambaHomeDrive')) {
push(@dels, 'sambaHomeDrive' => []);
} elsif ($tmp ne "") {
$tmp = $tmp.":" unless ($tmp =~ /:/);
push(@mods, 'sambaHomeDrive' => $tmp);
}
} else {
print "User $user is not a samba user\n";
}
}
if (defined($tmp = $Options{'E'})) {
if ($samba == 1) {
if ($tmp eq "" and defined $user_entry->get_value('sambaLogonScript')) {
push(@dels, 'sambaLogonScript' => []);
} elsif ($tmp ne "") {
push(@mods, 'sambaLogonScript' => $tmp);
}
} else {
print "User $user is not a samba user\n";
}
}
if (defined($tmp = $Options{'F'})) {
if ($samba == 1) {
if ($tmp eq "" and defined $user_entry->get_value('sambaProfilePath')) {
push(@dels, 'sambaProfilePath' => []);
} elsif ($tmp ne "") {
push(@mods, 'sambaProfilePath' => $tmp);
}
} else {
print "User $user is not a samba user\n";
}
}
if ($samba == 1 and (defined $Options{'H'} or defined $Options{'I'} or defined $Options{'J'})) {
my $_sambaAcctFlags;
if (defined($tmp = $Options{'H'})) {
$_sambaAcctFlags=$tmp;
} else {
my $flags;
$flags = $user_entry->get_value('sambaAcctFlags');
if (defined($tmp = $Options{'I'})) {
if ( !($flags =~ /D/) ) {
my $letters;
if ($flags =~ /(\w+)/) {
$letters = $1;
}
$_sambaAcctFlags="\[D$letters\]";
}
} elsif (defined($tmp = $Options{'J'})) {
if ( $flags =~ /D/ ) {
my $letters;
if ($flags =~ /(\w+)/) {
$letters = $1;
}
$letters =~ s/D//;
$_sambaAcctFlags="\[$letters\]";
}
}
}
if ($_sambaAcctFlags and "$_sambaAcctFlags" ne '') {
push(@mods, 'sambaAcctFlags' => $_sambaAcctFlags);
}
} elsif (!$samba == 1 and (defined $Options{'H'} or defined $Options{'I'} or defined $Options{'J'})) {
print "User $user is not a samba user\n";
}
my $modify = $ldap_master->modify ( "$dn",
'replace' => { @mods }
);
$modify->code && warn "failed to modify entry: ", $modify->error ;
my $nb_to_del=scalar(@dels);
if ($nb_to_del != 0) {
$modify = $ldap_master->modify ( "$dn",
'delete' => { @dels }
);
$modify->code && warn "failed to modify entry: ", $modify->error ;
}
$ldap_master->unbind;
if (defined(my $new_user= $Options{'r'})) {
my $ldap_master=connect_ldap_master();
chomp($new_user);
my $new_user_entry = read_user_entry($new_user);
if (defined($new_user_entry)) {
print "$0: user $new_user already exists, cannot rename\n";
exit (1);
}
my $modify = $ldap_master->moddn (
"uid=$user,$config{usersdn}",
newrdn => "uid=$new_user",
deleteoldrdn => "1",
newsuperior => "$config{usersdn}"
);
$modify->code && die "failed to change dn", $modify->error;
my $user_entry = read_user_entry($new_user);
my $dn= $user_entry->dn();
my @mods;
push(@mods, 'sn' => $new_user);
push(@mods, 'cn' => $new_user);
$modify = $ldap_master->modify ("$dn",
changes => [
'replace' => [ @mods ]
]
);
$modify->code && warn "failed to change cn and sn attributes: ", $modify->error;
my @groups = &find_groups_of($user);
foreach my $gname (@groups) {
if ($gname ne "") {
my $dn_line = get_group_dn($gname);
my $dn = get_dn_from_line("$dn_line");
print "updating group $gname\n";
$modify = $ldap_master->modify("$dn",
changes => [
'delete' => [memberUid => $user],
'add' => [memberUid => $new_user]
]);
$modify->code && warn "failed to change cn and sn attributes: ", $modify->error;
}
}
$ldap_master->unbind;
}
$nscd_status = system "/etc/init.d/nscd status >/dev/null 2>&1";
if ($nscd_status == 0) {
system "/etc/init.d/nscd restart > /dev/null 2>&1";
}
if (defined($Options{'P'})) {
exec "$RealBin/smbldap-passwd $user"
}
=head1 NAME
smbldap-usermod - Modify a user account
=head1 SYNOPSIS
smbldap-usermod [-a] [-c comment] [-d home_dir] [-e expiration_date] [-g initial_group] [-l login_name] [-p passwd] [-s shell] [-u uid [ -o]] [-x] [-A canchange] [-B mustchange] [-C smbhome] [-D homedrive] [-E scriptpath] [-F profilepath] [-G group[,...]] [-H acctflags] [-N canonical_name] [-S surname] [-P] login
=head1 DESCRIPTION
The smbldap-usermod command modifies the system account files to reflect the changes that are specified on the command line. The options which apply to the usermod command are
-a
Add the sambaSAMAccount objectclass to the specified user account. This allow the user to become a samba user.
-c comment
The new value of the user's comment field (gecos).
-d home_dir
The user's new login directory.
-e expiration_date
Set the expiration date for the user account. This only affect samba account. The date must be in the following format : YYYY-MM-DD HH:MM:SS. This option call the external 'date' command to set calculate the number of seconds from Junary 1 1970 to the specified date.
-g initial_group
The group name or number of the user's new initial login group. The group name must exist. A group number must refer to an already existing group. The default group number is 1.
-G group,[...]
A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no intervening whitespace. The groups are subject to the same restrictions as the group given with the -g option. If the user is currently a member of a group which is not listed, the user will be removed from the group
-l login_name
The name of the user will be changed from login to login_name. Nothing else is changed. In particular, the user's home directory name should probably be changed to reflect the new login name.
-s shell
The name of the user's new login shell. Setting this field to blank causes the system to select the default login shell.
-u uid
The numerical value of the user's ID. This value must be unique, unless the -o option is used. The value must be non negative. Any files which the user owns and which are located in the directory tree rooted at the user's home directory will have the file user ID changed automatically. Files outside of the user's home directory must be altered manually.
-r new_user
Allow to rename a user. This option will update the cn, sn and dn attribute for the user. You can
also update others attributes using the corresponding script options.
-x
Creates rid and primaryGroupID in hex instead of decimal (for Samba 2.2.2 unpatched only - higher versions always use decimal)
-A
can change password ? 0 if no, 1 if yes
-B
must change password ? 0 if no, 1 if yes
-C
sambaHomePath (SMB home share, like '\\\\PDC-SRV\\homes')
-D
sambaHomeDrive (letter associated with home share, like 'H:')
-E
sambaLogonScript, relative to the [netlogon] share (DOS script to execute on login, like 'foo.bat')
-F
sambaProfilePath (profile directory, like '\\\\PDC-SRV\\profiles\\foo')
-H
sambaAcctFlags, spaces and trailing bracket are ignored (samba account control bits like '[NDHTUMWSLKI]')
-I
disable user. Can't be used with -H or -J
-J
enable user. Can't be used with -H or -I
-N
set the canonical name (attribut cn)
-S
Set the surname
-P
End by invoking smbldap-passwd to change the user password (both unix and samba passwords)
=head1 SEE ALSO
usermod(1)
=cut