/usr/bin/ldap-debian-edu-install

#!/bin/bash
set -e

#
# to re-run the LDAP/GOsa/Samba bootstrap...
#
# [[[ WATCH OUT ]]] ... if you do this, your TJENER will be initialized
#                       YOU WILL LOOSE ALL SETTINGS STORED IN LDAP!!!
#                       DO THIS AT YOUR OWN RISK!!!
#
# o ... create little script with the following lines:
#
# <quote>
# #!/bin/bash
# . /usr/share/debconf/confmodule
# db_set debian-edu-config/ldap-password <rootpw>
# db_set debian-edu-config/kdc-password <rootpw>
# db_set debian-edu-config/first-user-password <firstuserpw>
# </quote>
#
# o then run the just created script; you have to run it using its
#   full path (otherwise debconf will throw an error)
# o edit /etc/gosa/gosa.conf and replace password hashes after options
#   named ,,adminPassword'' and ,,snapshotAdminPassword'' with the 
#   placeholder string ,,$GOSAPWD''
# o edit /etc/smbldap-tools/smbldap_bind.conf and replace the passwords
#   there with the placeholder string ,,$SAMBAPWD''
# o Then run these commands from a terminal
#
#  $ systemctl stop nmbd.service
#  $ systemctl stop smbd.service
#  $ systemctl stop slapd.service
#  $ rm /var/lib/ldap/*
#  $ rm -r /var/lib/samba/*
#  $ mkdir /var/lib/samba/private
#  $ chmod 755 /var/lib/samba/private
#  $ systemctl start slapd.service
#  $ systemctl start smbd.service
#  $ systemctl start nmbd.service
#  $ rm /etc/krb5kdc/stash
#  $ rm /etc/krb5.keyt*
#
#  o Then run
#
#  $ ldap-debian-edu-install
#
#  o restart Kerberos KDC and admin server:
#
#  $ /etc/init.d/krb5-kdc restart
#  $ /etc/init.d/krb5-admin-server restart
#
#  o And finally restart your webservice, e.g.
#
#  $ /etc/init.d/apache2 restart
#
#  o If https://tjener/gosa/ shows an error, rebooting tjener may help.

################# fetch LDAP password from debconf ################
#export DEBCONF_DEBUG='developer'
. /usr/share/debconf/confmodule
db_get debian-edu-config/ldap-password
ROOTPWDCLEAR="$RET"
RESTARTSLAPD=false

if db_get debian-edu-config/first-user-name && [ "$RET" ] ; then
    FIRSTUSERNAME="$RET"
else
    echo "error: no value in first-user-name, passing debconf values fail?  Creating localadmin user instead" 1>&2
    FIRSTUSERNAME="localadmin"
    db_set debian-edu-config/first-user-name "$FIRSTUSERNAME"
fi
if db_get debian-edu-config/first-user-fullname && [ "$RET" ] ; then
    # Last word
    FIRSTUSERLASTNAME="$(echo "$RET" | awk '{print $NF}')"
    # Everything extept the last word
    FIRSTUSERGIVENNAME="$(echo "$RET" | awk '{for (i=1; i<NF; i++) printf("%s ",$i);print ""}')"
    if [ -z "$FIRSTUSERGIVENNAME" ] ; then
	FIRSTUSERGIVENNAME="$FIRSTUSERLASTNAME"
    fi
    # GECOS in LDAP must be ASCII (IA5String), convert to this
    FIRSTUSERGECOS="$(echo $RET | iconv -t ASCII//TRANSLIT)"
else
    echo "error: no value in first-user-fullname, passing debconf values fail?" 1>&2
    FIRSTUSERGECOS="LDAP initial admin user"
    db_set debian-edu-config/first-user-fullname "$FIRSTUSERGECOS"
    FIRSTUSERLASTNAME="LDAP"
    FIRSTUSERGIVENNAME="initial admin user"
fi
if db_get debian-edu-config/first-user-password && [ "$RET" ] ; then
    FIRSTUSERPWD="$RET"
else
    echo "error: no value in first-user-password, passing debconf values fail?" 1>&2
    FIRSTUSERPWD="$ROOTPWD"
    db_set debian-edu-config/first-user-password "$FIRSTUSERPWD"
fi

echo "info: Creating first user <$FIRSTUSERNAME> '$FIRSTUSERGECOS'."

FIRSTUSERPWDHASH=$(slappasswd -s "$FIRSTUSERPWD" -h {SSHA})

## Make sure to ask for the password if it is not available
if [ -f /etc/debian-edu/config ] && grep -q Main-Server /etc/debian-edu/config \
    && [ ! -f /var/lib/ldap/__db.001 ] && [ -z "$ROOTPWDCLEAR" ]; then
    loop=0
    while [ $loop -lt 50 ]; do
        loop=$(($loop+1))
        db_input critical debian-edu-config/ldap-password || true
        db_input critical debian-edu-config/ldap-password-again || true
        db_go
        ## Check if password is non-empty:
        db_get debian-edu-config/ldap-password
        ROOTPWDCLEAR="$RET"
        if [ -z "$ROOTPWDCLEAR" ]; then
            db_set debian-edu-config/ldap-password ""
            db_set debian-edu-config/ldap-password-again ""
            db_fset debian-edu-config/ldap-password-empty seen false
            db_input critical debian-edu-config/ldap-password-empty
            db_fset debian-edu-config/ldap-password seen false
            db_fset debian-edu-config/ldap-password-again seen false
            continue
        fi
        ## Check if both entered passwords are identical:
        db_get debian-edu-config/ldap-password-again
        if [ "$ROOTPWDCLEAR" != "$RET" ]; then
            db_set debian-edu-config/ldap-password ""
            db_set debian-edu-config/ldap-password-again ""
            db_fset debian-edu-config/ldap-password-mismatch seen false
            db_input critical debian-edu-config/ldap-password-mismatch
            db_fset debian-edu-config/ldap-password seen false
            db_fset debian-edu-config/ldap-password-again seen false
        else
            break
        fi
    done
else
    echo "To initialize a brand new LDAP+KDC: " 1>&2
    echo "rm /var/lib/ldap/__db* /var/lib/ldap/*.bdb" 1>&2
    echo "rm /etc/krb5kdc/stash /etc/krb5.keytab*" 1>&2
fi

## clear passwords in the database:
db_set debian-edu-config/ldap-password ''
db_set debian-edu-config/ldap-password-again ''
## reset all questions/templates:
db_fset debian-edu-config/ldap-password seen false
db_fset debian-edu-config/ldap-password-mismatch seen false
db_fset debian-edu-config/ldap-password-again seen false
db_fset debian-edu-config/ldap-password-empty seen false
echo "LDAP passwords cleared from debconf database."

## check if the provided LDAP password is non-empty:
if [ -z "$ROOTPWDCLEAR" ]; then
    echo "The provided LDAP password is empty: Skipping LDAP setup."
    exit 1
else
    echo "The provided LDAP password is valid."
fi

################# password available now ##################

# Some easy means to start/stop the mail spool
#if [ -x /etc/init.d/exim ] ; then
#  MTAINIT=/etc/init.d/exim
#elif [ -x /etc/init.d/exim4 ] ; then
#  MTAINIT=/etc/init.d/exim4
#else
#  echo "error: unknown MTA, exiting..."
#  exit 9
#fi


copy_example_DB_CONFIG() {
#function to set a DB_CONFIG, ripped from slapd.postinst
# Copy an example DB_CONFIG file
# copy_example_DB_CONFIG <directory>
        local directory srcdir

        directory="$1"
        srcdir="/usr/share/slapd"

        if ! [ -f "${directory}/DB_CONFIG" ] && [ -d "$directory" ]; then
                cp $srcdir/DB_CONFIG "${directory}/DB_CONFIG"
        fi
}

lookup_mac_addrs() {
    PATH=/sbin:$PATH LANG=C ifconfig 2>/dev/null | grep -i hwaddr | awk '{print $5}' | sort -u
}

slapd_stop() {
  # Check if slapd is running.  Use pidfile to avoid detecting the wrong
  # daemon when running in a chroot.
  if [ -f /var/run/slapd/slapd.pid ] &&
    kill -0 $(cat /var/run/slapd/slapd.pid) ; then
    RESTARTSLAPD=true
    /etc/init.d/slapd stop

    # Make sure slapd is really stopped
    SLAPPIDS=$(pidof slapd || /bin/true)
    if [ "$SLAPPIDS" ] ; then
      echo -n "warning: slapd is still running, trying to TERM it"
      for SLAPPID in $SLAPPIDS ; do
        kill $SLAPPID || /bin/true
      done
    fi

    # Not sure why, but it seem like slapd takes some time to shut down
    LOOP=0
    while [ $LOOP -lt 10 ] ; do
      SLAPPIDS=$(pidof slapd || /bin/true)
      if [ "$SLAPPIDS" ] ; then
        LOOP=$(($LOOP + 1))
        sleep 1
        echo -n "."
      else
  	LOOP=10
      fi
    done
    echo
    if [ "$SLAPPIDS" ] ; then
      echo -n "error: slapd is still running, I'll KILL it"
      for SLAPPID in $SLAPPIDS ; do
        kill -9 $SLAPPID || /bin/true
      done
    fi

    # Not sure why, but it seem like slapd takes some time to shut down
    LOOP=0
    while [ $LOOP -lt 10 ] ; do
      SLAPPIDS=$(pidof slapd || /bin/true)
      if [ "$SLAPPIDS" ] ; then
        LOOP=$(($LOOP + 1))
        sleep 1
        echo -n "."
      else
  	LOOP=10
      fi
    done
    echo
    if [ "$SLAPPIDS" ] ; then
      echo "error: Critical: slapd is still running, I'm giving up"
      exit 9
    fi
  fi
}

dns_stop() {
    # make sure to stop DNS service, to avoid hanging installer.
    PID=`pidof named || /bin/true`
    if [ -n "$PID" ]; then
        echo "info: stopping bind9 with pid $PID"
       /etc/init.d/bind9 stop
    fi
}

# Init tree
init_ldap () {

  rm -f /var/lib/ldap/*
  copy_example_DB_CONFIG /var/lib/ldap

  if [ -f /etc/shadow ] ; then
      FILE=/etc/shadow
  else
      FILE=/etc/passwd
  fi
  ROOTPWDHASH=`grep ^root: < $FILE | cut -d':' -f2`

  # Calculate the ssha hash
  ROOTPWDSSHAHASH=$(slappasswd -h {ssha} -s "$ROOTPWDCLEAR")

  HOSTNAME=`hostname -s`

  ## Create and distribute a random password and
  ## its hash for the ldap gosa-admin account:
  GOSAPWD=`slappasswd -g -h {CLEARTEXT}`
  GOSAPWDHASH=`slappasswd -s "$GOSAPWD" -h {SSHA}`
  GOSACONFDIR="/etc/gosa/"
  GOSACONF="gosa.conf"
  GOSAADMINSDN=$(awk '/dn: cn=gosa-admins,/ { print $2 }' /etc/ldap/gosa.ldif)
  GOSAADMINSDN64=$(echo -n "$GOSAADMINSDN" | base64 -w0)
  ADMINROLEDN=$(awk '/dn: cn=admin-role,/ { print $2 }' /etc/ldap/gosa.ldif)
  ADMINROLEDN64=$(echo -n "$ADMINROLEDN" | base64 -w0)
  JRADMINROLEDN=$(awk '/dn: cn=jradmin-role,/ { print $2 }' /etc/ldap/gosa.ldif)
  JRADMINROLEDN64=$(echo -n "$JRADMINROLEDN" | base64 -w0)
  TEACHERSDN=$(awk '/dn: cn=teachers,/ { print $2 }' /etc/ldap/gosa.ldif)
  TEACHERSDN64=$(echo -n "$TEACHERSDN" | base64 -w0)
  MAC=$(lookup_mac_addrs|head -1)

  ## query debconf data base for time zone and locale:
  AREA=`debconf-show tzdata | grep "^* tzdata/Areas:" | \
      sed "s/.*:[[:space:]]*\([[:alpha:]]*\)$/\1/"`
  ZONE=`debconf-show tzdata | grep "^* tzdata/Zones/$AREA:" | \
      sed "s/.*:[[:space:]]*\([[:alpha:]]*\)$/\1/"`
  TIMEZONE=$AREA/$ZONE
  LANGUAGE=`debconf-show locales | grep "^* locales/default_environment_locale:" | \
      sed "s/.*:[[:space:]]*\([^[:space:]]*\)$/\1/"`

  ## FIXME: make sure gosa.conf is in place if it is missing:
  if [ -f $GOSACONFDIR$GOSACONF ] && grep -q \$GOSAPWD $GOSACONFDIR$GOSACONF ; then
      sed -i "s:\$GOSAPWD:$GOSAPWD:g" $GOSACONFDIR$GOSACONF
      sed -i "s:\$TIMEZONE:$TIMEZONE:g" $GOSACONFDIR$GOSACONF
      sed -i "s:\$LANGUAGE:$LANGUAGE:g" $GOSACONFDIR$GOSACONF
      rm -f $GOSACONFDIR/gosa.random_secret
      chown root:www-data $GOSACONFDIR$GOSACONF
      chmod 0640 $GOSACONFDIR$GOSACONF
      ## run gosa-encrypt-passwords:
      rm -f /etc/gosa/gosa.secrets
      gosa-encrypt-passwords > /dev/null
  else
      mkdir -p $GOSACONFDIR
      touch $GOSACONFDIR/gosa.random_secret
      chmod 0600 $GOSACONFDIR/gosa.random_secret
      cat > $GOSACONFDIR/gosa.random_secret <<EOF
## The gosa configuration file "$GOSACONFDIR$GOSACONF" has
## been missing during bootstrap of the ldap database or 
## does not contain the string \$GOSAPWD.
## The password used by the gosa-admin in ldap is: 
##                 $GOSAPWD
## Make sure to use this password in "$GOSACONFDIR$GOSACONF".
## Finally, run 'gosa-encrypt-passwords' if anything 
## works fine and remove this file.
EOF
  fi

  ## Create and distribute a random password and its hash
  ## for the kdc service accounts kadmin and kdc-service:
  KDCPWD=`slappasswd -g -h {CLEARTEXT}`
  KDCPWDHASH=`slappasswd -s "$KDCPWD" -h {SSHA}`
  KDCCONFDIR="/etc/krb5kdc/"
  KEYFILE="service.keyfile"
  ## convert to {HEX} encoding:
  KDCPWDHEX=`echo "$KDCPWD" | xxd -g0 -ps | sed "s/0a$//"`
  KRB_CONT_DN=`awk '/dn: cn=kerberos,/ { print $2 }' /etc/ldap/krb5.ldif`

  mkdir -p $KDCCONFDIR
  touch $KDCCONFDIR$KEYFILE
  chmod 0600 $KDCCONFDIR$KEYFILE
  cat > $KDCCONFDIR$KEYFILE <<EOF
cn=kdc-service,$KRB_CONT_DN#{HEX}$KDCPWDHEX
cn=kadmin-service,$KRB_CONT_DN#{HEX}$KDCPWDHEX
EOF

  ## bootstrap ldap with passwords inserted:

  # generate Samba passwd already here
  SAMBAPWD=$(slappasswd -g -h {CLEARTEXT})
  # then generate hashed Samba password, this will be needed for bootstrapping
  # cn=smbadmin in root.ldif
  SAMBAPWDHASH=$(slappasswd -u -s "$SAMBAPWD")
 
  # first portion of bootstrap (everything except samba.ldif)
  for ldif in \
    /etc/ldap/root.ldif \
    /etc/ldap/ipnetworks.ldif \
    /etc/ldap/netgroup.ldif \
    /etc/ldap/autofs.ldif \
    /etc/ldap/sudo.ldif \
    /etc/ldap/gosa.ldif \
    /etc/ldap/gosa-server.ldif \
    /etc/ldap/ltsp.ldif \
    /etc/ldap/firstuser.ldif \
    /etc/ldap/krb5.ldif
 
  do
      if cat $ldif | sed -e "s:\$ROOTPWDHASH:$ROOTPWDHASH:" \
	-e "s/\$MAC/$MAC/" \
	-e "s:\$GOSAPWDHASH:$GOSAPWDHASH:" \
	-e "s:\$GOSAADMINSDN64:$GOSAADMINSDN64:" \
	-e "s:\$ADMINROLEDN64:$ADMINROLEDN64:" \
	-e "s:\$JRADMINROLEDN64:$JRADMINROLEDN64:" \
	-e "s:\$TEACHERSDN64:$TEACHERSDN64:" \
	-e "s:\$KDCPWDHASH:$KDCPWDHASH:" \
	-e "s:\$ROOTPWDSSHAHASH:$ROOTPWDSSHAHASH:" \
        -e "s:\$SAMBAPWDHASH:$SAMBAPWDHASH:" \
        -e "s:\$SAMBAPWD:$SAMBAPWD:" \
        -e "s:\$FIRSTUSERNAME:$FIRSTUSERNAME:" \
        -e "s:\$FIRSTUSERGECOS:$FIRSTUSERGECOS:" \
        -e "s:\$FIRSTUSERLASTNAME:$FIRSTUSERLASTNAME:" \
        -e "s:\$FIRSTUSERGIVENNAME:$FIRSTUSERGIVENNAME:" \
        -e "s:\$FIRSTUSERPWDHASH:$FIRSTUSERPWDHASH:" \
	  | /usr/sbin/slapadd ; then
	  echo "info: added '$ldif' to ldap database."
      else
	  echo "error: Unable to load '$ldif'"
	  exit 1
      fi
  done

  # in Etch, Lenny, Squeeze..., the database must be owned by openldap
  if getent passwd openldap | grep  -q openldap ; then
     chown -R openldap:openldap /var/lib/ldap
  fi

  # For some lines of code, we need LDAP up and running again
  ## check if slapd is running:
  if [ -x /sbin/start-stop-daemon.REAL ] ; then
      ## needed to start slapd during installation:
      mv /sbin/start-stop-daemon /sbin/start-stop-daemon.FAKE
      cp /sbin/start-stop-daemon.REAL /sbin/start-stop-daemon
  fi

  PID=`pidof slapd || /bin/true`
  if [ -z "$PID" ]; then
      echo "The LDAP server slapd seems not to be running. Trying to start slapd." 1>&2
      /etc/init.d/slapd start
      slapd_started=true
  fi

  PID=`pidof slapd || /bin/true`
  if [ -z "$PID" ]; then
      echo "error: the LDAP server is not running. Skipping Samba setup." 1>&2
      exit 1
  else

    ## FIXME: this next part now is experimental... it needs sanity checks...

    # Samba will also need DNS to bind to LDAP
    /etc/init.d/bind9 start

    # sync DNS from LDAP for the first time... (this has to run as uid ,,bind''!)
    su -s /bin/sh -c "PATH=/usr/sbin:/sbin:/usr/bin:/bin /usr/sbin/ldap2bind" - bind

    ## END OF FIXME

    cat > /etc/samba/smb-debian-edu-ldapbootstrap.conf <<EOF
#
# Samba configuration Skolelinux LDAP bootstrap, this file is temporary
#

#======================= Global Settings =======================

[global]

   server role = classic primary domain controller
   acl allow execute always = true
   netbios name = TJENER 
   security = USER
   workgroup = SKOLELINUX
   encrypt passwords = true
   passdb backend = ldapsam:"ldapi:///"
   ldapsam:trusted = yes
   ldap suffix = ou=samba,dc=skole,dc=skolelinux,dc=no
   ldap admin dn = "cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no"
   ldap ssl = no
   local master = yes
   domain logons = yes
   domain master = yes
   preferred master = yes
   lanman auth = yes
   ntlm auth = yes
   os level = 127 
   name resolve order = bcast host lmhosts wins
   wins support = yes
   dns proxy = yes
EOF

    # Store root's password temporarily in secrets.tdb (for
    # cn=admin,ou=ldap-access,BASEDN)
    smbpasswd -c /etc/samba/smb-debian-edu-ldapbootstrap.conf -w "$ROOTPWDCLEAR"

    # This will initialize the sambaDomainName=<DOMAIN> object in LDAP
    # and generate a sambaSID for <DOMAIN>.
    net -s /etc/samba/smb-debian-edu-ldapbootstrap.conf getlocalsid &> /dev/null

    echo "info: Fetching SMB domain SID."
    SAMBASID=`net -s /etc/samba/smb-debian-edu-ldapbootstrap.conf getdomainsid | awk '/SKOLELINUX/ { print $6 }'`

    # start from scratch with secrets.tdb...
    rm -f /var/lib/samba/private/secrets.tdb


    # remove the bootstrap smb.conf again... this file was really temporary...
    rm -f /etc/samba/smb-debian-edu-ldapbootstrap.conf

    # now set up our auto-generated Samba password (created further
    # above) that shall be used in smb.conf and with smbldap-tools
    # (i.e. for cn=smbadmin,ou=samba,dc=skole,dc=skolelinux,dc=no)...
    smbpasswd -c /etc/samba/smb.conf -w "$SAMBAPWD"

    # also put the $SAMBAPWD also into smbldap_bind.conf
    chmod 0600 /etc/smbldap-tools/smbldap_bind.conf
    sed -i "s:\$SAMBAPWD:$SAMBAPWD:g" /etc/smbldap-tools/smbldap_bind.conf

    if [ -z "$SAMBASID" ] ; then
      echo "error: unable to fetch Samba SID. Bootstrapping failed, exiting."
      exit 1
    fi
    # the next line is unknowingly dirty, but it fixes a ,,Can't fetch
    # domain SID for name: TJENER'' error if running ,,net
    # getlocalsid'' after the bootstrap.
    net getlocalsid -s /dev/null &> /dev/null

    # and now... stop slapd again... and restore start-stop-daemon
    # script
    remember_RESTARTSLAPD=$RESTARTSLAPD
    slapd_stop
    RESTARTSLAPD=$remember_RESTART_SLAPD

    dns_stop

    if [ -x /sbin/start-stop-daemon.REAL ] ; then
        mv /sbin/start-stop-daemon.FAKE /sbin/start-stop-daemon
    fi

  fi

  # Generate NT/LM hashes for Samba's Administrator account
  SAMBA_ADMPWD_HASHES=$(perl -MCrypt::SmbHash -e "print join(q[:],ntlmgen \$ARGV[0]), $/;" "$ROOTPWDCLEAR")
  SAMBA_ADMPWD_LMHASH=$(echo $SAMBA_ADMPWD_HASHES | cut -d ":" -f1)
  SAMBA_ADMPWD_NTHASH=$(echo $SAMBA_ADMPWD_HASHES | cut -d ":" -f2)

  # perform the rest of the LDAP bootstrap
  for ldif in \
    /etc/ldap/samba.ldif

  do
      if cat $ldif | sed -e "s:\$ROOTPWDHASH:$ROOTPWDHASH:" \
	-e "s:\$SAMBASID:$SAMBASID:" \
	-e "s:\$SAMBAPWD:$SAMBAPWD:" \
	-e "s:\$SAMBAPWDHASH:$SAMBAPWDHASH:" \
	-e "s:\$SAMBA_ADMPWD_LMHASH:$SAMBA_ADMPWD_LMHASH:" \
	-e "s:\$SAMBA_ADMPWD_NTHASH:$SAMBA_ADMPWD_NTHASH:" \
	-e "s:\$FIRSTUSERNAME:$FIRSTUSERNAME:" \
	  | /usr/sbin/slapadd ; then
	  echo "info: added '$ldif' to ldap database."
      else
	  echo "error: Unable to load '$ldif'"
	  exit 1
      fi
  done
  # Migrate to new style LDAP configuration first.  Required since
  # slapd version 2.4.23-4.
  # A better way is to convert our configuration to slapd.d config and
  # include those files in the package.
  # Disabled after openldap in squeeze (since 2.4.23-5) no longer
  # require slapd.d config.
  if false && [ ! -d /etc/ldap/slapd.d ] ; then
    echo "info: migrating SLAPD configuration to slapd.d format"
    mkdir /etc/ldap/slapd.d
    slapd -f /etc/ldap/slapd.conf -F /etc/ldap/slapd.d
    /etc/init.d/slapd stop
    chown -R openldap:openldap /etc/ldap/slapd.d
    # In case the init.d script fail to stop the service (which it
    # does when testing 2010-09-07).
    killall slapd
  fi

  # again: in Etch, Lenny, Squeeze..., the database must be owned by
  # openldap
  if getent passwd openldap | grep  -q openldap ; then
     chown -R openldap:openldap /var/lib/ldap
  fi

}

# Create ldap-tree on the initial install
#$MTAINIT stop
slapd_stop

if slapcat 2> /dev/null | grep -q "dn: cn=all-hosts" ; then
  echo "info: found existing data (cn=all-hosts): skipping initalization"
  echo "info: use rm /var/lib/ldap/__db* /var/lib/ldap/*.bdb to reinitialize"
else
  init_ldap

# Instead of registering unix groups in samba like this
#   net groupmap add unixgroup=teachers \
#        type=domain ntgroup="teachers" \
#        comment="All teachers in the institution"
# we add the sambaSID attribute to LDAP objects when they are created,
# with static RID part.

  ## initialize Kerberos KDC, use gosa-admin account to access ldap:
  if [ -x /usr/share/debian-edu-config/tools/kerberos-kdc-init ] ; then
      if /usr/share/debian-edu-config/tools/kerberos-kdc-init "$GOSAPWD" ; then
          :
      else
          echo "error: critical: setting up Kerberos failed"
      fi
  fi
fi

# Restart ldap server if we stopped it and it aint already running
SLAPPIDS=$(pidof slapd || /bin/true)
if [ true = "$RESTARTSLAPD" ] && [ -z "$SLAPPIDS" ] ; then
  /etc/init.d/slapd start
fi

chown mail.mail /var/lib/maildirs/
#$MTAINIT start

## restart Kerberos KDC and admin server:
#/etc/init.d/krb5-kdc restart
#/etc/init.d/krb5-admin-server restart
debian-edu-config 1.818+deb8u2 / usr / bin / ldap-debian-edu-install
