#!/bin/bash

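# Seconds to keep polling "net getlocalsid" before giving up (see get_sid).
TIMEOUT=120

# LDAP tree the Samba objects are created in.
BASE=dc=skole,dc=skolelinux,dc=no
LDAPURI="ldaps://ldap"
DOMAIN=SKOLELINUX
# DN of the Samba administrator account created by this script.
BASEDN=cn=smbadmin,ou=People,$BASE
# Short host name, passed to "net getlocalsid" below.
SHORTHOST=$(hostname -s)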

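# Search for an existing smbadmin object and exit if it exists.
# NOTE(review): only a *successful* search stops the script; any ldapsearch
# failure (server unreachable, anonymous read denied, ...) is indistinguishable
# from "object does not exist" here because the exit status is not inspected.
if /usr/bin/ldapsearch -LLL -H "$LDAPURI" -x -b "$BASEDN" >/dev/null 2>&1 ; then
  echo "error: smbadmin account already exists, exiting" >&2
  exit 1
fi

# Both init scripts are used below; fail early if either is missing.
if [[ ! -x /etc/init.d/slapd || ! -x /etc/init.d/samba ]] ; then
  echo "error: Missing slapd or samba.  Exiting." >&2
  exit 1
fi

# Start slapd
/etc/init.d/slapd start

# Restart Samba; the local SID is polled for after this restart.
/etc/init.d/samba restart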

# We have to fetch something called sambasid to create the sambaDomainName
# object. If we do not have this object, smbpasswd will complain and try to
# add it to the LDAP tree, but since Samba does not have write access,
# it will fail. But the sambasid is not available until 120 seconds after
# Samba is restarted for the first time. This is on my PIII-750MHz test
# machine.

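#######################################
# Print the local Samba SID of this host, or nothing if it is not yet
# available (net's stderr is discarded).
# Globals:   SHORTHOST (read)
# Outputs:   the text after the first ':' of "net getlocalsid" output on
#            stdout (any whitespace after the colon is kept)
#######################################
get_sid() {
  net getlocalsid "$SHORTHOST" 2>/dev/null | cut -f 2 -d:
}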

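# Poll for the SID until it shows up or TIMEOUT seconds have passed.
DELAY=5   # seconds between polls
AFTER=0   # seconds waited so far
echo "Waiting up to $TIMEOUT seconds for \"net getlocalsid $SHORTHOST\" to return"
SAMBASID="$(get_sid)"
while [[ -z "$SAMBASID" && "$AFTER" -lt "$TIMEOUT" ]] ; do
  printf '.'
  AFTER=$((AFTER + DELAY))
  sleep "$DELAY"
  SAMBASID="$(get_sid)"
done


if [[ -z "$SAMBASID" ]] ; then
  # Without a SID the sambaDomainName object cannot be written, so the rest
  # of the script is skipped.  NOTE(review): exit status 0 is kept here,
  # presumably so the caller does not fail — confirm that is intended.
  echo "unable to fetch SAMBASID" >&2
  exit 0
fi

echo "SAMBASID success after $AFTER sec" >&2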

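# Generate the Samba admin password.  An empty result would otherwise end up
# as an empty userPassword in LDAP, so treat it as fatal.
SMBPW=$(/usr/bin/makepasswd)
if [[ -z "$SMBPW" ]] ; then
  echo "error: makepasswd returned no password, exiting" >&2
  exit 1
fi

# Hash it for the userPassword attribute.
# NOTE(review): the clear-text password is visible in slappasswd's argument
# list (e.g. via ps) while it runs.
CRYPTPW=$(/usr/sbin/slappasswd -u -s "$SMBPW")
if [[ -z "$CRYPTPW" ]] ; then
  echo "error: slappasswd produced no hash, exiting" >&2
  exit 1
fi

# Stop openldap so slapadd can write to the database directly.
/etc/init.d/slapd stop

# Stop nscd (presumably so cached lookups do not go stale while the
# database is modified — confirm).
/etc/init.d/nscd stop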

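# Add the smbadmin user to the LDAP database.  slapd is stopped at this
# point, so slapadd writes the database directly.
/usr/sbin/slapadd << EOF
dn: $BASEDN
objectClass: top
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: smbadmin
description: Samba Administrator
userPassword: $CRYPTPW

EOF

# Store the Samba password (smbpasswd -w) for later use.
# NOTE(review): the clear-text password appears on smbpasswd's command line.
/usr/bin/smbpasswd -w "$SMBPW"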


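# Samba wants to save some information, but since we do not want to
# allow global write access to samba, we just do the update ourselves.
NOW=$(date -u +%Y%m%d%H%M%SZ)   # NOTE(review): not referenced below
/usr/sbin/slapadd << EOF
dn: sambaDomainName=$DOMAIN,$BASE
sambaDomainName: $DOMAIN
sambaSID: $SAMBASID
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
EOF

# Give the local root account a Samba SID under the domain SID (RID 1000).
/usr/sbin/slapadd << EOF
dn: uid=root,ou=People,$BASE
objectClass: sambaSamAccount
objectClass: account
uid: root
sambaSID: ${SAMBASID}-1000
EOF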

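# In etch the database must be owned by openldap; only chown when that
# account exists (getent exits non-zero when it does not).
if getent passwd openldap >/dev/null ; then
   chown -R openldap:openldap /var/lib/ldap
fi

# Start slapd
/etc/init.d/slapd start

# Wait (up to 10 s) until slapd is up and the group "admins" resolves.
LOOP=0
while [[ "$LOOP" -lt 10 ]] ; do
  if getent group admins >/dev/null ; then
    break
  fi
  sleep 1
  LOOP=$((LOOP + 1))
done

# Add the Samba groupmap for admins: rid=512 is mapped to "Domain Admins".
/usr/bin/net groupmap add rid=512 unixgroup=admins \
             type=domain ntgroup="Domain Admins" \
             comment="All system administrators in the school"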
