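#!/bin/bash
#
# freeipa-samba-user.sh - extend existing user(s) with sambaSAMAccount
#
# Version 1.0, latest version, documentation and bugtracker available at:
# https://gitlab.lindenaar.net/scripts/freeipa
#
# Copyright (c) 2019 Frederik Lindenaar
#
# This script is free software: you can redistribute and/or modify it under the
# terms of version 3 of the GNU General Public License as published by the Free
# Software Foundation, or (at your option) any later version of the license.
#
# This script is distributed in the hope that it will be useful but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along with
# this program. If not, visit <http://www.gnu.org/licenses/> to download it.
#
# Usage:  freeipa-samba-user.sh <user> [<user> ...]
#         freeipa-samba-user.sh '*'      # every user except admin
#
# Environment (optional overrides):
#   HOSTNAME     FQDN of this IPA server; bash initialises it itself at startup,
#                so the "hostname --fqdn" fallback below only fires when empty
#   SAMBADOMAIN  Samba domain name; defaults to the Kerberos realm of this host
#
# Must be run on an active FreeIPA server with a valid Kerberos ticket (kinit).

# Strict mode lives in the body rather than the shebang: options on the
# shebang line are lost when the script is started as "bash <script>".
# pipefail makes a failing ldapsearch abort the run instead of silently
# ending with an empty, "successful" result.
set -e -o pipefail

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Escape a value for use inside an LDAP search filter (RFC 4515):
# backslash, '*', '(' and ')' become \5c, \2a, \28 and \29, so a user name
# can never terminate or widen the filter it is embedded in.
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout (no trailing newline)
#######################################
ldap_filter_escape() {
  local s=$1 bs='\'
  s=${s//"$bs"/"$bs"5c}    # backslash first, so later escapes are not re-escaped
  s=${s//\*/"$bs"2a}
  s=${s//\(/"$bs"28}
  s=${s//\)/"$bs"29}
  printf '%s' "$s"
}

#######################################
# Build the LDAP user filter: "(!(uid=admin))" when the sole argument is '*',
# otherwise an OR of one escaped (uid=...) term per argument.
# Arguments: user names (or a single '*')
# Outputs:   filter on stdout (no trailing newline)
#######################################
build_user_filter() {
  if (( $# == 1 )) && [[ $1 == '*' ]]; then
    printf '%s' '(!(uid=admin))'
    return 0
  fi
  local user terms=''
  for user in "$@"; do
    terms+="(uid=$(ldap_filter_escape "$user"))"
  done
  printf '(|%s)' "$terms"
}

#######################################
# Add the Samba attributes to one user via ldapmodify (SASL/GSSAPI, -Q).
# Globals:   SAMBADOMAIN (read)
# Arguments: $1 - the user's dn line exactly as LDIF-encoded by ldapsearch
#                 ("dn: ..." or "dn:: <base64>"), fed back to ldapmodify as is
#            $2 - uid, only used in messages
#            $3 - ipaNTSecurityIdentifier, becomes the sambaSID
# Outputs:   success message on stdout; ldapmodify diagnostics stay on stderr
# Returns:   exits via die on a missing SID or a failed modify
#######################################
samba_enable_user() {
  local dnline=$1 uid=$2 sid=$3
  [[ -n $sid ]] || die "user ${uid} has no ipaNTSecurityIdentifier, aborting!"
  # NOTE(review): the original writes sambaAcctFlags as "[U ]"; Samba itself
  # stores this field padded to a fixed width - confirm against an existing
  # Samba entry in this directory before changing it.
  if ldapmodify -Q >/dev/null <<EOLDIF; then
${dnline}
changetype: modify
add: objectClass
objectClass: sambaSamAccount
-
add: sambaSID
sambaSID: ${sid}
-
add: sambaAcctFlags
sambaAcctFlags: [U ]
-
add: sambaDomainName
sambaDomainName: ${SAMBADOMAIN}
EOLDIF
    printf 'successfully updated user %s\n' "$uid"
  else
    die "failed to update user ${uid}, aborting!"
  fi
}

#######################################
# Read LDIF records from stdin and convert every user found.
# Expects unwrapped LDIF (ldapsearch -LLL -o ldif-wrap=no): one "attr: value"
# line per attribute and a blank line after each record; "attr:: <base64>"
# values are decoded. Runs in the ldapsearch pipeline's subshell, so a die()
# here fails the pipeline and, with pipefail, the whole script.
# Globals:   SAMBADOMAIN (read, via samba_enable_user)
# Outputs:   progress messages on stdout
#######################################
process_user_records() {
  local line attr rest value
  local dnline='' count=0
  local -A params=()

  # "|| [[ -n $line ]]" also processes a last line that lacks a newline
  while IFS= read -r line || [[ -n $line ]]; do
    if [[ -z $line ]]; then
      # a blank line ends the record: perform the change, then reset
      if [[ -n $dnline ]]; then
        samba_enable_user "$dnline" "${params[uid]}" "${params[ipaNTSecurityIdentifier]}"
        (( count += 1 ))
      fi
      params=()
      dnline=''
      continue
    fi

    attr=${line%%:*}
    rest=${line#*:}
    if [[ $rest == :* ]]; then
      # "attr:: <base64>" form (RFC 2849)
      value=${rest#:}
      value=$(base64 -d <<<"${value# }")
    else
      value=${rest# }
    fi
    # keep the dn line exactly as encoded so it round-trips into ldapmodify
    if [[ $attr == dn ]]; then
      dnline=$line
    fi
    params[$attr]=$value
  done

  # flush a final record that was not followed by a blank line
  if [[ -n $dnline ]]; then
    samba_enable_user "$dnline" "${params[uid]}" "${params[ipaNTSecurityIdentifier]}"
    (( count += 1 ))
  fi
  if (( count == 0 )); then
    printf '%s\n' 'no users to convert'
  fi
}

#######################################
# Entry point: sanity checks, filter construction, then the search/modify run.
# Globals:   HOSTNAME (read/defaulted), SAMBADOMAIN (read/defaulted)
# Arguments: user names, or a single '*' for all users except admin
#######################################
main() {
  # Exit if no user was provided
  (( $# >= 1 )) || die "Usage: ${0##*/} <user> [<user> ...]"

  # Sanity checks: valid Kerberos ticket, and running on an active IPA server
  klist -s || die "no valid Kerberos ticket, please login to FreeIPA using kinit first"
  : "${HOSTNAME:=$(hostname --fqdn)}"
  ipa server-show "$HOSTNAME" >/dev/null \
    || die "this script should be run on an active IPA server"

  local userfilter
  userfilter=$(build_user_filter "$@")

  # Lookup the Samba Domain - equal to the Kerberos REALM by default
  : "${SAMBADOMAIN:=$(ipa host-show "$HOSTNAME" --raw \
      | grep -F "krbcanonicalname: host/" | cut -d@ -f2)}"
  [[ -n $SAMBADOMAIN ]] \
    || die "could not determine the Samba domain, set SAMBADOMAIN explicitly"

  # Lookup the users not yet converted and process each of them.
  # ldif-wrap=no keeps long DNs on one line so the record parser sees them whole.
  ldapsearch -Q -LLL -o ldif-wrap=no \
    "(&${userfilter}(objectClass=ipantuserattrs)(!(objectClass=sambaSamAccount)))" \
    dn uid ipaNTSecurityIdentifier \
    | process_user_records
}

main "$@"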