Ubuntu - Samba - Samba Configuration Detailed

smb.conf
#---------------
# SELINUX NOTES:
#
# If you want to use the useradd/groupadd family of binaries please run:
# setsebool -P samba_domain_controller on
#
# If you want to share home directories via samba please run:
# setsebool -P samba_enable_home_dirs on
#
# If you create a new directory you want to share you should mark it as
# "samba-share_t" so that selinux will let you write into it.
# Make sure not to do that on system directories as they may already have
# been marked with othe SELinux labels.
#
# Use ls -ldZ /path to see which context a directory has
#
# Set labels only on directories you created!
# To set a label use the following: chcon -t samba_share_t /path
#
# If you need to share a system created directory you can use one of the
# following (read-only/read-write):
# setsebool -P samba_export_all_ro on
# or
# setsebool -P samba_export_all_rw on
#
# If you want to run scripts (preexec/root prexec/print command/...) please
# put them into the /var/lib/samba/scripts directory so that smbd will be
# allowed to run them.
# Make sure you COPY them and not MOVE them so that the right SELinux context
# is applied, to check all is ok use restorecon -R -v /var/lib/samba/scripts
#
#--------------
#
#======================= Global Settings =====================================
 
[global]
 
	workgroup = WORKGROUP
	server string = Samba Server Version %v
 
	netbios name = HP00
 
;	interfaces = lo eth0 192.168.12.2/24 192.168.13.2/24 
;	hosts allow = 127. 192.168.12. 192.168.13.
 
# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach
 
	# logs split per machine
	log file = /var/log/samba/log.%m
	# max 50KB per log file, then rotate
	max log size = 50
 
# ----------------------- Standalone Server Options ------------------------
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should 
# use either tdbsam or ldapsam. smbpasswd is available for backwards 
# compatibility. tdbsam requires no further configuration.
 
	security = user
#	passdb backend = ldapsam
 
 
# ----------------------- Domain Members Options ------------------------
#
# Security must be set to domain or ads
#
# Use the realm option only with security = ads
# Specifies the Active Directory realm the host is part of
#
# Backend to store user information in. New installations should 
# use either tdbsam or ldapsam. smbpasswd is available for backwards 
# compatibility. tdbsam requires no further configuration.
#
# Use password server option only with security = server or if you can't
# use the DNS to locate Domain Controllers
# The argument list may include:
#   password server = My_PDC_Name [My_BDC_Name] [My_Next_BDC_Name]
# or to auto-locate the domain controller/s
#   password server = *
 
 
;	security = domain
;	passdb backend = tdbsam
;	realm = MY_REALM
 
;	password server = <NT-Server-Name>
 
# ----------------------- Domain Controller Options ------------------------
#
# Security must be set to user for domain controllers
#
# Backend to store user information in. New installations should 
# use either tdbsam or ldapsam. smbpasswd is available for backwards 
# compatibility. tdbsam requires no further configuration.
#
# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
#
# Domain Logons let Samba be a domain logon server for Windows workstations. 
#
# Logon Scrpit let yuou specify a script to be run at login time on the client
# You need to provide it in a share called NETLOGON
#
# Logon Path let you specify where user profiles are stored (UNC path)
#
# Various scripts can be used on a domain controller or stand-alone
# machine to add or delete corresponding unix accounts
#
;	security = user
;	passdb backend = tdbsam
 
	domain master = yes 
	domain logons = yes
 
	# the login script name depends on the machine name
;	logon script = %m.bat
	# the login script name depends on the unix user used
;	logon script = %u.bat
;	logon path = \\%L\Profiles\%u
	# disables profiles support by specifing an empty path
	logon path =          
 
        passdb backend = ldapsam:ldap://127.0.0.1/
        ldap admin dn = cn=Manager,dc=example
        #ldap admin dn = cn=samba,ou=DSA,dc=company,dc=com
 
        ldap suffix = dc=example
        ldap group suffix = ou=Groups
        ldap user suffix = ou=People
        ldap machine suffix = ou=Computers
        #ldap idmap suffix = ou=Idmap
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
 
	#pam password change = yes
 
	check password script = /usr/local/bin/check.sh
 
;	add user script = /usr/sbin/useradd "%u" -n -g users
;	add group script = /usr/sbin/groupadd "%g"
;	add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
;	delete user script = /usr/sbin/userdel "%u"
;	delete user from group script = /usr/sbin/userdel "%u" "%g"
;	delete group script = /usr/sbin/groupdel "%g"
 
 
# ----------------------- Browser Control Options ----------------------------
#
# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
#
# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
#
# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
	local master = yes
	os level = 96
	preferred master = yes
 
#----------------------------- Name Resolution -------------------------------
# Windows Internet Name Serving Support Section:
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
#
# - WINS Support: Tells the NMBD component of Samba to enable it's WINS Server
#
# - WINS Server: Tells the NMBD components of Samba to be a WINS Client
#
# - WINS Proxy: Tells Samba to answer name resolution queries on
#   behalf of a non WINS capable client, for this to work there must be
#   at least one	WINS Server on the network. The default is NO.
#
# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups.
 
	wins support = yes
;	wins server = w.x.y.z
;	wins proxy = yes
 
;	dns proxy = yes
 
# --------------------------- Printing Options -----------------------------
#
# Load Printers let you load automatically the list of printers rather
# than setting them up individually
#
# Cups Options let you pass the cups libs custom options, setting it to raw
# for example will let you use drivers on your Windows clients
#
# Printcap Name let you specify an alternative printcap file
#
# You can choose a non default printing system using the Printing option
 
	load printers = yes
	cups options = raw
 
;	printcap name = /etc/printcap
	#obtain list of printers automatically on SystemV
;	printcap name = lpstat
;	printing = cups
 
# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). Thess options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares
 
;	map archive = no
;	map hidden = no
;	map read only = no
;	map system = no
;	store dos attributes = yes
 
 
#============================ Share Definitions ==============================
 
[homes]
	comment = Home Directories
	browseable = no
	writable = yes
;	valid users = %S
;	valid users = MYDOMAIN\%S
 
[printers]
	comment = All Printers
	path = /var/spool/samba
	browseable = no
	guest ok = no
	writable = no
	printable = yes
 
# Un-comment the following and create the netlogon directory for Domain Logons
;	[netlogon]
;	comment = Network Logon Service
;	path = /var/lib/samba/netlogon
;	guest ok = yes
;	writable = no
;	share modes = no
 
 
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;	[Profiles]
;	path = /var/lib/samba/profiles
;	browseable = no
;	guest ok = yes
 
 
# A publicly accessible directory, but read only, except for people in
# the "staff" group
	[public]
	comment = Public Stuff
	path = /srv/samba
	public = yes
	writable = yes
	printable = no
;	write list = +staff
	force create mode = 0666
	force directory mode = 0777
	vfs objects = recycle
	vfs recycle:repository = .recycle
slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
 
include		/etc/openldap/schema/corba.schema
include		/etc/openldap/schema/core.schema
include		/etc/openldap/schema/cosine.schema
include		/etc/openldap/schema/duaconf.schema
include		/etc/openldap/schema/dyngroup.schema
include		/etc/openldap/schema/inetorgperson.schema
include		/etc/openldap/schema/java.schema
include		/etc/openldap/schema/misc.schema
include		/etc/openldap/schema/nis.schema
include		/etc/openldap/schema/openldap.schema
include		/etc/openldap/schema/ppolicy.schema
include		/etc/openldap/schema/collective.schema
 
include		/etc/openldap/schema/samba.schema
 
# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2
 
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org
 
pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args
 
# Load dynamic backend modules:
# modulepath	/usr/lib/openldap # or /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
 
serverID 1
 
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
TLSCACertificateFile /etc/openldap/ca.crt
TLSCertificateFile /etc/openldap/ldap.crt
TLSCertificateKeyFile /etc/openldap/ldap.key
 
# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
 
# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
 
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
 
database	bdb
suffix		"dc=example"
checkpoint	1024 15
#rootdn		"cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw		secret
# rootpw		{crypt}ijFYNcSNctBYg
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
 
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/var/lib/ldap
 
# Indices to maintain for this database
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
 
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM
 
access to dn.base="" by * read
 
access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaPasswordHistory
	by dn="cn=Manager,dc=example" write
	by dn="cn=replicator,dc=example" read
	by anonymous auth
	by self write
	by * none
 
access to *
	by dn="cn=Manager,dc=example" write
	by self write
	by * read
 
# enable monitoring
database monitor
 
# allow onlu rootdn to read the monitor
access to *
        by dn.exact="cn=Manager,dc=example" read
        by * none
/etc/smbldap-tools/smbldap.conf
# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools
 
#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.
 
#  Purpose :
#       . be the configuration file for all smbldap-tools scripts
 
##############################################################################
#
# General Configuration
#
##############################################################################
 
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-2252255531-4061614174-2474224979"
 
# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="EXAMPLE"
 
##############################################################################
#
# LDAP Configuration
#
##############################################################################
 
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have 
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)
 
# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"
 
# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"
 
# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"
 
# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"
 
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "0"
ldapTLS="0"
 
# Use SSL for LDAP
# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"
 
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"
 
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/pki/tls/certs/ldapserverca.pem"
 
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/pki/tls/certs/ldapclient.pem"
 
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/pki/tls/certs/ldapclientkey.pem"
 
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=example"
 
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=People,${suffix}"
 
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"
 
# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Group,${suffix}"
 
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: idmapdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"
 
# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
 
# Default scope Used
scope="sub"
 
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"
 
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
 
##############################################################################
# 
# Unix Accounts Configuration
# 
##############################################################################
 
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
 
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
 
# Default mode used for user homeDirectory
userHomeDirectoryMode="700"
 
# Gecos
userGecos="System User"
 
# Default User (POSIX and Samba) GID
defaultUserGid="513"
 
# Default Computer (Samba) GID
defaultComputerGid="515"
 
# Skel dir
skeletonDir="/etc/skel"
 
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"
 
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
 
# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\HP00\%U"
 
# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile=""
 
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"
 
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"
 
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="example.info"
 
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
 
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
 
# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"
 
# comment out the following line to get rid of the default banner
# no_banner="1"

This is a template for phpLDAPAdmin-a.

sambaSamAccount.xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE template SYSTEM "template.dtd">
<template>
<title>Samba3 Account</title>
<regexp>^ou=People,dc=example$</regexp>
<icon>images/user.png</icon>
<description>New Samba3 Account</description>
<askcontainer>1</askcontainer>
<!--This is the main attribute, which will be part of the dn-a -->
<rdn>uid</rdn>
<visible>1</visible>
 
<objectClasses>
<objectClass id="top"></objectClass>
<objectClass id="person"></objectClass>
<objectClass id="inetOrgPerson"></objectClass>
<objectClass id="organizationalPerson"></objectClass>
<objectClass id="sambaSAMAccount"></objectClass>
<objectClass id="posixAccount"></objectClass>
<objectClass id="shadowAccount"></objectClass>
</objectClasses>
 
<attributes>
<attribute id="givenName">
	<display>First name</display>
	<icon>images/uid.png</icon>
	<onchange>autoFill:cn,%givenName% %sn%</onchange>
	<order>1</order>
	<page>1</page>
</attribute>
<attribute id="sn">
	<display>Last name</display>
	<onchange>autoFill:cn,%givenName% %sn%</onchange>
	<onchange>autoFill:uid,%gidNumber|0-0/T%-%givenName|0-1/l%%sn/l%</onchange>
	<order>2</order>
	<page>1</page>
</attribute>
<attribute id="cn">
	<display>Common Name</display>
	<order>3</order>
	<page>1</page>
	<spacer>1</spacer>
</attribute>
<attribute id="uid">
	<display>User ID</display>
	<onchange>autoFill:homeDirectory,/home/users/%gidNumber|0-0/T%/%uid|3-%</onchange>
	<order>4</order>
	<page>1</page>
	<spacer>1</spacer>
</attribute>
<attribute id="uidNumber">
	<display>UID Number</display>
	<hint>Automatically determined</hint>
	<value>=php.GetNextNumber(/,uid)</value>
	<order>5</order>
	<page>1</page>
	<readonly>1</readonly>
</attribute>
<attribute id="sambaSID">
	<display>Samba SID</display>
	<option>=php.PickList(/,(objectClass=sambaDomain),sambaSID,%sambaSID% (%sambaDomainName%))</option>
	<helper>
		<id>sidsuffix</id>
		<option>=php.GetNextNumber(/,uid,false,,*2;+1000)</option>
	</helper>
	<post>=php.Join(-,(%sambaSID%,%sidsuffix%))</post>
	<order>6</order>
	<page>1</page>
	<spacer>1</spacer>
</attribute>
<attribute id="userPassword">
	<display>Password</display>
	<icon>images/lock.png</icon>
	<onchange>autoFill:sambaLMPassword,%userPassword%</onchange>
	<onchange>autoFill:sambaNTPassword,%userPassword%</onchange>
	<type>password</type>
	<verify>1</verify>
	<helper>
		<display>Encryption</display>
		<id>enc</id>
		<option>blowfish</option>
		<option>clear</option>
		<option>crypt</option>
		<option>ext_des</option>
		<option>md5</option>
		<option>md5crypt</option>
		<option>sha</option>
		<option>smd5</option>
		<option>ssha</option>
		<value>md5</value>
	</helper>
	<post>=php.Password(%enc%,%userPassword%)</post>
	<order>7</order>
	<page>1</page>
</attribute>
<attribute id="sambaLMPassword">
	<display>LM Password</display>
	<type>password</type>
	<post>=php.SambaPassword(LM,%sambaLMPassword%)</post>
	<order>8</order>
	<page>1</page>
</attribute>
<attribute id="sambaNTPassword">
	<display>NT Password</display>
	<type>password</type>
	<post>=php.SambaPassword(NT,%sambaNTPassword%)</post>
	<order>9</order>
	<page>1</page>
	<spacer>1</spacer>
</attribute>
<attribute id="loginShell">
	<display>Login shell</display>
	<icon>images/terminal.png</icon>
	<!-- <option>=php.PickList(/,(objectClass=posixAccount),loginShell,%loginShell%)</option> -->
	<option>/bin/false</option>
	<option>/bin/bash</option>
	<order>10</order>
	<page>1</page>
</attribute>
<attribute id="gidNumber">
	<display>GID Number</display>
	<onchange>autoFill:homeDirectory,/home/users/%gidNumber|0-0/T%/%uid|3-%</onchange>
	<option>=php.PickList(/,(objectClass=posixGroup),gidNumber,%cn%)</option>
	<order>11</order>
	<page>1</page>
</attribute>
<attribute id="sambaPrimaryGroupSID">
	<display>Primary Group ID</display>
	<option>=php.PickList(/,(objectClass=sambaGroupMapping),sambaSID,%sambaSID% (%cn%),sambaPrimaryGroupSID)</option>
	<helper>
		<id>sidpgsuffix</id>
		<value></value>
	</helper>
	<post>=php.Join(-,(%sambaPrimaryGroupSID%,%sidpgsuffix%))</post>
	<order>13</order>
	<page>1</page>
	<spacer>1</spacer>
</attribute>
<attribute id="homeDirectory">
	<display>Home directory</display>
	<order>14</order>
	<page>1</page>
</attribute>
<attribute id="sambaAcctFlags">
	<value>[U]</value>
	<hidden>1</hidden>
</attribute>
</attributes>
</template>