#!/bin/bash -e
#
# freeipa-samba-user.sh - extend existing user(s) with sambaSAMAccount
#
# Version 1.0, latest version, documentation and bugtracker available at:
#		https://gitlab.lindenaar.net/scripts/freeipa
#
# Copyright (c) 2019 Frederik Lindenaar
#
# This script is free software: you can redistribute and/or modify it under the
# terms of version 3 of the GNU General Public License as published by the Free
# Software Foundation, or (at your option) any later version of the license.
#
# This script is distributed in the hope that it will be useful but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program.  If not, visit <http://www.gnu.org/licenses/> to download it.

die() { echo $* >&2; exit 1; }

# Exit if hostname not provided
if [ $# -lt 1 ]; then
    die "Usage: `basename $0` <user> [<user> ...]"
fi

# Sanity checks, ensure we have a valid Kerberos ticket and run on FreeIPA server
if ! klist -s; then
    die "no valid Kerberos ticket, please login to FreeIPA using kinit first"
elif ! ipa server-show ${HOSTNAME:=$(hostname --fqdn)} > /dev/null; then
    die "this script should be run on an active IPA server"
fi

# Generate the LDAP User filter, !admin if parameter is * else a list of users
if [ $# == 1 -a "$1" == "*" ]; then
    USERFILTER='(!(uid=admin))'
else
    USERS="$*"
    USERFILTER="(|(uid=${USERS// /)(uid=}))"
fi

# Lookup the Samba Domain - equal to the Kerberos REALM by default
: ${SAMBADOMAIN:=$(ipa host-show $HOSTNAME --raw | fgrep "krbcanonicalname: host/" | cut -d@ -f2)}

# Lookup the users not yet converted and process each of them
declare -A params=( )
ldapsearch -QLLL "(&${USERFILTER}(objectClass=ipantuserattrs)(!(objectClass=sambaSamAccount)))" dn uid ipaNTSecurityIdentifier | while read key value; do
    # If we're at an empty line it's the end of the record, perform the change
    if [ -z "$key" ]; then
        if ldapmodify -Q > /dev/null 2>&1 <<EOLDIF; then
dn: ${params[dn]}
changetype: modify
add: objectClass
objectClass: sambaSamAccount
-
add: sambaSID
sambaSID: ${params[ipaNTSecurityIdentifier]}
-
add: sambaAcctFlags
sambaAcctFlags: [U           ]
-
add: sambaDomainName
sambaDomainName: ${SAMBADOMAIN}
EOLDIF
            echo "successfully updated user ${params[uid]}"
        else
            die "failed to update user ${params[uid]}, aborting!"
        fi
        declare -A params=( )
    else # we got another attibute, store it for later processing
        params[${key/:/}]="$value"
    fi
done