/usr/bin/ldap-createuser-krb5 is in debian-edu-config 1.818+deb8u2.

This file is owned by root:root, with mode 0o755.

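#!/bin/sh
#
# Create user in LDAP and add a password using Kerberos.  This script
# is for testing purposes only, and will fail if several systems add
# users at the same time to LDAP, as the uid and gid values will
# conflict.
#
# Usage: ldap-createuser-krb5 <username> <gecos>
#
# The script prompts on the terminal twice: ldapadd -W asks for the
# LDAP admin password and kadmin.local asks for the new principal's
# password.  It exits non-zero on the first failing step.

# The samba related attributes are described in
# <URL: http://download.gna.org/smbldap-tools/docs/samba-ldap-howto/#htoc43 >

set -e

USERNAME="$1"
# posixAccount only accept ASCII in the gecos attribute.  Make sure
# any non-ascii characters are converted appropriately.  "$2" is quoted
# and fed through printf so the shell neither word-splits nor globs the
# name, and echo's backslash handling never touches it.
GECOS="$(printf '%s\n' "$2" | iconv -t ASCII//TRANSLIT)"

if [ -z "$USERNAME" ] || [ -z "$GECOS" ] ; then
    echo "Usage: $0 <username> <gecos>"
    echo
    echo "  Create a user with a personal group and configure its kerberos"
    echo "  principal."
    exit 1
fi

# The username is spliced into LDAP filters and DNs, the kadmin.local
# command string and the home directory path below, so only accept the
# portable user-name characters.  This rejects LDAP filter
# metacharacters such as '*', '(', ')' and '\' as well as whitespace
# and path separators.
case "$USERNAME" in
    *[!A-Za-z0-9._-]*|-*|.*)
        echo "error: invalid username '$USERNAME'" >&2
        exit 1
        ;;
esac

# Each gecos use below is one LDIF attribute line.  An embedded newline
# would be read by ldapadd as further attributes, and a value starting
# with ' ', ':' or '<' is not a valid plain LDIF value.
NL='
'
case "$GECOS" in
    *"$NL"*|" "*|:*|"<"*)
        echo "error: gecos must be a single line not starting with space, ':' or '<'" >&2
        exit 1
        ;;
esac

#######################################
# Join LDIF continuation lines ("\n " folds) in ldapsearch output read
# from stdin so that every attribute ends up on one line.
#######################################
unfold_ldif() {
    perl -p0e 's/\n //g'
}

#######################################
# Print the value of every attribute named $1 in the ldapsearch output
# read from stdin, one per line.  The name match is case-sensitive, as
# ldapsearch prints it.  The whole value after "name: " is kept, so a
# DN whose RDNs contain spaces is not truncated to its first word.
# Base64-encoded values ("name:: ...") are not matched.
# Arguments: $1 - attribute name, e.g. dn or gidNumber
#######################################
ldap_attr() {
    unfold_ldif | awk -v attr="$1:" \
        '$1 == attr { sub(/^[^:]*: */, ""); print }'
}

# Put users in first gosaDepartment
BASE=$(ldapsearch -x "(objectClass=gosaDepartment)" 2>/dev/null \
    | ldap_attr dn | sort | head -1)

if [ -z "$BASE" ] ; then
    BASE="$(debian-edu-ldapserver -b)"
fi

GROUPBASE="ou=group,$BASE"
USERBASE="ou=people,$BASE"

ADMINUSER="admin"

# Locate the LDAP admin DN; ldapadd binds as it further down.
admindn=$(ldapsearch -x \
    "(&(cn=$ADMINUSER)(objectClass=simpleSecurityObject))" 2>/dev/null \
    | ldap_attr dn)

if [ -z "$admindn" ] ; then
    echo "error: unable to find LDAP DN of admin user $ADMINUSER" >&2
    exit 1
fi

HOMEDIR=/skole/tjener/home0/$USERNAME
# Inside double quotes each "\\" becomes one backslash, giving the
# UNC path \\tjener.intern\<username>.
SMBHOMEPATH="\\\\tjener.intern\\$USERNAME"
KRB5DOMAIN=INTERN
SAMBADOMAIN=SKOLELINUX
# shadowLastChange is expressed in days since the epoch.
PWLASTCHANGE=$(( $(date +%s) / (60 * 60 * 24) ))

# Fetch the local Samba SID; the account's sambaSID is derived from it.
# HOSTNAME is set by bash but not necessarily by /bin/sh, so fall back
# to hostname(1) when it is empty.
SAMBASID=$(net getlocalsid "${HOSTNAME:-$(hostname)}" 2>/dev/null \
    | awk '{ print $6; }')

if [ -z "$SAMBASID" ] ; then
    echo "error: unable to fetch Samba SID" >&2
    exit 1
fi

SAMBADOMAINDN=$(ldapsearch -x -s sub \
    "(&(objectclass=sambaDomain)(sambaDomainName=$SAMBADOMAIN))" \
    dn 2>/dev/null | ldap_attr dn)

if [ -z "$SAMBADOMAINDN" ] ; then
    echo "error: unable to find sambaDomain LDAP object" >&2
    exit 1
fi

SAMBARID=$(ldapsearch -s base -b "$SAMBADOMAINDN" -x \
    sambaNextRid 2>/dev/null | ldap_attr sambaNextRid)

if [ -z "$SAMBARID" ] ; then
    echo "error: unable to find sambaNextRid LDAP attribute in $SAMBADOMAINDN" >&2
    exit 1
fi

# The current sambaNextRid goes to the new account; the counter is
# advanced by one in the same ldapadd run below.
NEXTRID=$(( SAMBARID + 1 ))

# Highest uidNumber/gidNumber currently used by any posix account or
# group.  Empty when the directory holds none.
LASTID=$(ldapsearch -s sub -x \
    '(|(objectclass=posixaccount)(objectclass=posixgroup))' \
    uidnumber gidnumber 2>/dev/null | unfold_ldif \
    | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')

# If no ID was found, use LASTID=1000-1 to get uid/gid=1000
if [ -z "$LASTID" ] ; then
    LASTID=999
fi

NEWUID=$(( LASTID + 1 ))

# Reuse the gid of an existing posixGroup named after the user;
# otherwise create a private group with gid == uid.
NEWGID=$(ldapsearch -x "(&(cn=$USERNAME)(objectClass=posixGroup))" 2>/dev/null \
    | ldap_attr gidNumber)
ldif=""
if [ -z "$NEWGID" ] ; then
    NEWGID=$NEWUID
    ldif="$ldif

dn: cn=$USERNAME,$GROUPBASE
objectClass: posixGroup
cn: $USERNAME
description: Private group of user $USERNAME
gidNumber: $NEWGID
"
fi

# userPassword is a deliberately unusable placeholder ("N0T $3T 4 N0W");
# the account's real credential is the Kerberos password set below.
# "\$" keeps the shell from expanding "$3" as a positional parameter.
ldif="$ldif

dn: uid=$USERNAME,$USERBASE
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipalAux
objectClass: sambaSamAccount
sn: $GECOS
givenName: $GECOS
uid: $USERNAME
cn: $GECOS
userPassword: {SSHA}N0T\$3T4N0W
homeDirectory: $HOMEDIR
loginShell: /bin/bash
uidNumber: $NEWUID
gidNumber: $NEWGID
gecos: $GECOS
shadowLastChange: $PWLASTCHANGE
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
sambaSID: $SAMBASID-$SAMBARID
sambaAcctFlags: [U]
sambaHomePath: $SMBHOMEPATH
krbPrincipalName: $USERNAME@$KRB5DOMAIN
"

# Update samba RID counter
ldif="$ldif
dn: $SAMBADOMAINDN
changetype: modify
replace: sambaNextRid
sambaNextRid: $NEXTRID
"

# printf rather than echo: the LDIF now carries the backslashes of
# sambaHomePath, which sh's echo would interpret as escapes.
printf '%s\n' "$ldif"

if printf '%s\n' "$ldif" | ldapadd -ZZ -D "$admindn" -W -v -x ; then

    # Set the kerberos password (kadmin.local prompts for it)
    kadmin.local -q "change_password $USERNAME@$KRB5DOMAIN"

    # Create home directory owned by the new uid/gid
    if [ ! -d "$HOMEDIR" ] ; then
        cp -r /etc/skel "$HOMEDIR"
        chown -R "$NEWUID:$NEWGID" "$HOMEDIR"
    fi
else
    # Do not report success when the directory update was rejected.
    echo "error: ldapadd failed, no user created" >&2
    exit 1
fi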