#!/usr/bin/perl -w
#----------------------------------------------------------------------
# copyright (C) 2001 Mitel Networks Corporation
# 
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# 		
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 		
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307  USA
# 
# Technical support for this program is available from Mitel Networks 
# Please visit our web site www.e-smith.com for details.
#----------------------------------------------------------------------
package esmith;

use strict;
use Errno;
use esmith::ConfigDB;
use esmith::AccountsDB;
use esmith::util;

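# 'use' is compile-time, so placing it inside the Uid branch (as before)
# never deferred loading; hoist it so the dependency is visible up front.
use esmith::lockfile;

# The accounts DB is opened read/write because this script may create the
# machine record and allocate its Uid; the Config DB is only read.
my $accounts = esmith::AccountsDB->open
    || die "Couldn't open accounts db\n";
my $config = esmith::ConfigDB->open_ro
    || die "Could not open Config DB";

# LDAP authentication mode. A missing 'ldap' record or property counts as
# disabled instead of dying with "Can't call method prop on undef".
my $ldap_record = $config->get('ldap');
my $ldapauth = $ldap_record
    ? ($ldap_record->prop('Authentication') || 'disabled')
    : 'disabled';

my $exit_status = 0;    # handed to exit(); becomes 255 once a required step fails

my $domain_record = $config->get('DomainName')
    or die "create-machine-account: DomainName is not set in the Config DB\n";
my $domain = $domain_record->value();
my $base   = esmith::util::ldapBase($domain);

# Arguments: the event name (not used here, kept for the caller's contract)
# and the machine account name handed over by Samba's "add user script".
my ($event, $machineName) = @ARGV;

die "usage: $0 EVENT MACHINE_NAME\n"
    unless defined $machineName;

# Samba machine account names always end in '$'.
die "machine name $machineName is not a valid machine account name"
    unless ( $machineName =~ /\$$/ );

# The name is passed as a positional argument to groupadd/useradd/cpu below.
# A name starting with '-' would be parsed as an option by those tools, and
# whitespace or control characters have no place in an account name, so
# refuse such names before touching the system.
die "machine name $machineName contains characters not allowed in an account name\n"
    if $machineName =~ /^-/ or $machineName =~ /[\s[:cntrl:]]/;

# Locate the accounts DB record for this machine, creating it if absent.
my $machine = $accounts->get($machineName);
if ($machine)
{
    # 'type' may be unset on a malformed record; treat that as "not a machine".
    my $type = $machine->prop('type') || '';
    die "$machineName is not a machine account"
        unless ($type eq "machine");
}
else
{
    # Auto-create the accounts database entry. This is bad form, but
    # the Samba "add user script" is called as the user "admin", who
    # does not currently have permissions to write to the config database
    $machine = $accounts->new_record($machineName, {type => "machine"});
}

# Allocate a Uid if the record has none yet. The lock serialises
# get_next_uid against other writers; it is never explicitly released here,
# so it stays held until this process exits.
my $lock = undef;
my $uid  = $machine->prop('Uid');
unless ($uid)
{
    $lock = esmith::lockfile::LockFileOrWait("/home/e-smith/db/accounts");
    $uid  = $accounts->get_next_uid;
    $machine->set_prop('Uid', $uid);
}
my $gid = $machine->prop('Gid') || $uid;

# Run a command in list form (no shell involved). On failure emit $message;
# when $fatal is true also mark the overall exit status as failed (255).
# Returns true on success, false otherwise.
my $run = sub {
    my ($fatal, $message, @cmd) = @_;
    return 1 if system(@cmd) == 0;
    warn $message;
    $exit_status = 255 if $fatal;
    return 0;
};

# We really, really need to be root to run "passwd -l"
esmith::util::setRealToEffective();

warn "create-machine-account $machineName: Creating Unix user and group\n";

if ($ldapauth ne 'enabled')
{
    # Create the machine's unique group first
    $run->(1, "Failed to create (unix) group $machineName.\n",
        "/usr/sbin/groupadd", "-g", $gid, $machineName);

    # Now create the machine account
    $run->(1, "Failed to create (unix) account $machineName.\n",
        "/usr/sbin/useradd",
        "-u", $uid,
        "-g", $gid,
        "-c", "Hostname account for $machineName",
        "-M",
        "-d", "/noexistingpath",
        "-s", "/bin/false",
        $machineName);

    # Lock the Unix password for the new account
    $run->(1, "Failed locking (unix) password for $machineName\n",
        "/usr/bin/passwd", "-l", $machineName);
}

# LDAP failures only affect the exit status when LDAP authentication is
# enabled; otherwise the LDAP copy is best-effort and merely warned about.
my $ldap_fatal = ($ldapauth eq 'enabled') ? 1 : 0;

# Create the machine's unique group first (in ldap)
$run->($ldap_fatal, "Failed to create (ldap) group $machineName.\n",
    "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "groupadd",
    "-g", $gid,
    "-o",
    $machineName);

# Now create the machine account (in ldap)
$run->($ldap_fatal, "Failed to create (ldap) account $machineName.\n",
    "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "useradd",
    "-u", $uid,
    "-g", $gid,
    "--userbase=ou=Computers,$base",
    "-c", "Hostname account for $machineName",
    "-o",
    "-d", "/noexistingpath",
    "-s", "/bin/false",
    $machineName);

warn "create-machine-account $machineName: Locking account\n";

$run->($ldap_fatal, "Failed locking (ldap) password for $machineName\n",
    "/usr/sbin/cpu", "-C/etc/cpu-system.conf", "usermod",
    "--userbase=ou=Computers,$base",
    "-o",
    "-L",
    $machineName);

if ($ldapauth ne 'enabled')
{
    warn "create-machine-account $machineName: Creating smbpasswd account\n";

    # Failure here is reported but does not change the exit status.
    $run->(0, "Could not create smb password entry for $machineName\n",
        "/usr/bin/smbpasswd", "-a", "-m", $machineName);
}
exit ($exit_status);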
