Seip Christian
2000-Sep-19 07:43 UTC
Users can map shares without password in domain-security mode
Hi! I've got this setup: My Samba 2.0.7 is clustered by two nodes with RedHat Linux 6.2 and kernel 2.2.16 and a SCSI-RAID as a shared storage. The Samba-server is a member of domain (add in NT-Server-Manager followed by "smbpasswd -j DOM -r PDC) and creates its user accounts on the fly with an add user script. This is necessary because only one node is active at a time and the other one serves as a stand-by. The active node has the shared storage mounted. All users have their homes on the shares storage. When a failover happens and the stand-by node takes over the samba-service, the stand-by node mounts the storage. The users can't be synchronized between those two nodes but that doesn't matter because they're created when they're needed. Now I have two probs: 1. Samba authenticates the users against the PDC, so as far as I have unterstood the concept, there sohould only be a linux user necessary and not an user in the smbpasswd. But without an entry in the smbpasswd I can't map any share. Yep, security-mode is domain and it works. But only with "useradd %u; smbpasswd -a -n %u". 2. The user-homes on the shared storage are owned by root because I don't need a local login for any user. This samba-server is really only a file-server. No remote logins. Since the user list between the two clusternodes are not synchronized, the user-homes can't be owned by the users because of different UIDs. If on node A user testuser1 has UID 500 and on node B user testuser2 UID 500, there will be a problem with the file and directory permissions depending on which node the shared storage is mounted. So create mask and directory mask is 777. Now my question: Why can other users map my home-share (defined by the [homes]-section in smb.conf) without being asked for a password? Any suggestions? Thanks in advance and sorry for the long explanation. Best regards, Christian
Jeffry Smith
2000-Sep-19 18:16 UTC
Users can map shares without password in domain-security mode
What software are you using to do the clustering? You need to make certain in clustering that the clustered machines have an identical view of things (this includes users). The best way to do this is to ensure that the path to samba's password & lock files is on the shared storage. Also, how do you have the [homes] section of smb.conf set up? Are you using the %U (if they don't have a unix account)? On Tue, 19 Sep 2000, Seip Christian wrote:> Date: Tue, 19 Sep 2000 09:43:40 +0200 > From: Seip Christian <cseip@sr-online.de> > To: "'samba@lists.samba.org'" <samba@us4.samba.org> > Subject: Users can map shares without password in domain-security mode > > Hi! > > I've got this setup: > > My Samba 2.0.7 is clustered by two nodes with RedHat Linux 6.2 and kernel > 2.2.16 and a SCSI-RAID as a shared storage. The Samba-server is a member of > domain (add in NT-Server-Manager followed by "smbpasswd -j DOM -r PDC) and > creates its user accounts on the fly with an add user script. This is > necessary because only one node is active at a time and the other one serves > as a stand-by. The active node has the shared storage mounted. All users > have their homes on the shares storage. When a failover happens and the > stand-by node takes over the samba-service, the stand-by node mounts the > storage. The users can't be synchronized between those two nodes but that > doesn't matter because they're created when they're needed. > > Now I have two probs: > > 1. Samba authenticates the users against the PDC, so as far as I have > unterstood the concept, there sohould only be a linux user necessary and not > an user in the smbpasswd. But without an entry in the smbpasswd I can't map > any share. Yep, security-mode is domain and it works. But only with "useradd > %u; smbpasswd -a -n %u". > > 2. The user-homes on the shared storage are owned by root because I don't > need a local login for any user. This samba-server is really only a > file-server. No remote logins. Since the user list between the two > clusternodes are not synchronized, the user-homes can't be owned by the > users because of different UIDs. If on node A user testuser1 has UID 500 and > on node B user testuser2 UID 500, there will be a problem with the file and > directory permissions depending on which node the shared storage is mounted. > So create mask and directory mask is 777. Now my question: Why can other > users map my home-share (defined by the [homes]-section in smb.conf) without > being asked for a password? > > Any suggestions? Thanks in advance and sorry for the long explanation. > > Best regards, > > Christian > >------------------------------------------------------------------------ Jeffry Smith Technical Sales Consultant Mission Critical Linux smith@missioncriticallinux.com phone:603.930.9739 fax:978.446.9470 ------------------------------------------------------------------------ Thought for today: hot chat n. Sexually explicit one-on-one chat. See teledildonics.
Seip Christian
2000-Sep-20 06:46 UTC
Users can map shares without password in domain-security mode
Hi!
> What software are you using to do the clustering?
It's the Wizard software Watchdog in the light version. Wizard is a german
company and has been renamed to AppTime recently.
> You need to make certain in clustering that the clustered machines
have an identical
> view of things (this includes users).
That's what I'm trying to do and it works. But with the unix users I
can't
guarantee this without additional efforts to keep the user lists
synchronized. That's the reason why I use the "add user script"
feature.
Samba creates every user that does not yet exist by itself. That works too.
> The best way to do this is
> to ensure that the path to samba's password & lock files is on
> the shared storage. Also, how do you have
It shouldn't be a problem to put the smbpasswd on the shared storage. That
could work, I'll try this today. That does not interfere with generating all
users on the fly. Putting the /etc/passwd on the shared storage is a bad
idea. :-) So I think I have to live with the user homes owned by root
because of different UIDs on the clusternodes for the same user account.
Hey, I like your idea with putting that stuff on the storage. So I can put
the whole private-dir on the storage and have to add only one of the nodes
to the domain. I tried to solve my problem with "smbpasswd -j DOM -r
PDC"
all the time because I have to add two machines to the domain with the same
netbios name and a different MAC-address.
Yes, I do a IP-address-takeover but no, I don't do a MAC-address-takeover. A
MAC-address-takeover delays the failover a few more seconds because the
switch has to learn that a MAC-address now appears on a different port. I
can live with a IP-only-takeover and it seems to work too.
BTW: I don't think I have to put the lock files on the shared storage
because there's only one clusternode running smbd at a time. This is managed
by the Watchdog. Since I have an asymmetric cluster configuration the second
node is only a stand-by-node. No load-balancing.
> the [homes] section of smb.conf set up? Are you using the %U (if
they
> don't have a unix account)?
Hmmm, here's an excerpt of my smb.conf:
-------------------------------------- schnipp
--------------------------------------
# Global parameters
[global]
workgroup = SR
netbios name = SMB
interfaces = 192.168.1.77/255.255.255.0
security = DOMAIN
encrypt passwords = Yes
password server = DVDC02
name resolve order = wins lmhosts bcast host
wins server = 192.168.1.2
create mask = 0777
directory mask = 0777
character set = ISO8859-1
local master = no
domain master = no
browseable = No
nt acl support = true
add user script = /usr/sbin/smb_useradd.pl %u
# null passwords = true
mangle case = yes
[homes]
comment = Home-Verzeichnis %u
writeable = yes
browseable = No
guest ok = no
[public]
path = /shares/public
read only = No
browseable = Yes
guest ok = Yes
[pub]
path = /home/public
read only = No
browseable = Yes
guest ok = yes
-------------------------------------- schnipp
--------------------------------------
I tried an additional "valid users = %u" in the [homes]-section, too.
But
that didn't work either. Argh, that can't work. I see that now. Stupid
idea.
:-)
Maybe this could work but I don't think so because it does the same what the
[homes]-section does as far as I see:
-------------------------------------- schnipp
--------------------------------------
[%u]
path = /shares/home/%u
read only = No
browseable = Yes
guest ok = Yes
valid users = %u
-------------------------------------- schnipp
--------------------------------------
I've got another samba-server from which I have copied the smb.conf and
which authenticates the users against the same PDC. On the other server
everything works, here on my machine it doesn't.
Here's basically what my smb_useradd.pl does, not exactly in perl code but
understandable I hope.
-------------------------------------- schnipp
--------------------------------------
/usr/sbin/useradd -c "created by smb_useradd.pl" -d /shares/home/%u -s
"/bin/false" %u
chmod 777 /shares/home/%u
chown root.root /shares/home/%u
-------------------------------------- schnipp
--------------------------------------
My smb_useradd.pl is a modified version of the script posted by Randy
O'Meara to the list here in April 1999.
Thanks for taking the time and having a look.
Best regards,
Christian
Christian Seip
2000-Sep-20 17:36 UTC
Users can map shares without password in domain-security mode
Hi! "Nelson, John P." schrieb:> >1. Samba authenticates the users against the PDC, so as far as I have > >unterstood the concept, there sohould only be a linux user necessary and > not > >an user in the smbpasswd. > > That should be how it works. It IS working for us!As I said, it works only if I add the user to the smbpasswd.> You don't explicitly say that you are using security=domain in the smb.conf> file. Doing "smbpasswd -j DOM -r PDC" by itself is not enough to get domain > style authentication. But perhaps you just didn't state it explicitly.In a different posting, I included an excerpt of my smb.conf. I do use security=domain.> >But without an entry in the smbpasswd I can't map any share. > > I can't explain that. I would expect that if you need to add an entry to > smbpasswd, that the smbpasswd "password" entry would be used, rather than > the one from the domain server. Have you tried setting the two passwords > (smbpasswd and domain controller) differently, and see which one actuallyNope, I didn't. But I'll try this one.> works? I'm guessing that you aren't actually getting domain authentication > at all.Now as you say that: It feels like samba only asks the PDC for a valid username and ignores the password. I'll have to explore this a bit.> Yeah, but you still want to use filesystem permissions, don't you? At > least, I would.I don't think we need them here because this fileserver will serve the user-homes and nothing else. But "not using them" and "not be able to use them" is a different thing. You're right, I should reserve the rights to use the permissions.> I would really recommend fixing this, and use real unix filesystem > permissions. By the way, setting create and directory mask to 777 is not> sufficient: you also need to "force" these modes. Why? If a user with one > userid sets a file to readonly (444), and then connect via the other server > with a different userid, the second userid will be unable to "unset" > readonly permissions since he is not the owner of the file.Ok and accepted.> >Now my question: Why can other > >users map my home-share (defined by the [homes]-section in smb.conf) > without > >being asked for a password? > > Because that's the way it's supposed to work. Security=server is a > variation on security=user - which means that users only have to authenicate > ONCE (when first connecting) rather than having to verify their identity for > each individual share. Once connected to a server with a network identity, > a user is allowed to access any share on that server that he has permssions > to access.Hmmm, I have to think about this. NT seems to use a mixture between server- and user-level. If I connect to a share with a valid username and password for this share, the connection will be created without asking for a password. If my username or my password is not valid, NT asks me for a valid username/password-combination. That's not share- or user-level security (I don't know exactly which one) because security=share/user always asks for a password.> You seem to think that the [homes] section provides some extra level of > security, but it doesn't: it simply provides a shorthand method ofI think a user should only be able to connect to another user's home with the other user's password. But Samba doesn't ask me at all for a password.> specifying a share for each unix username. There are no special access > permissions implied by doing this: if you need to restrict access, you can > do it with unix permissions, or using something like "valid users = %S" inI tried "valid users = %u" but I meant "valid users = %S".> the [homes] section, which would only permit users to connect to a share > name that matches their username.That's a last option. I'll do this if anything else I try doesn't work out.> But you will NEVER get the behavior of having samba prompt the user for a > password when connecting to someone else's share, at least not with > security=user or it's variations (security=server or security=domain).But that's what I've always experienced. I connect to your share with my username. That doesn't work because I don't know your password. If I connect to your share with your username, I'm usually asked for a password. That's the way it works with NT-server and that's what I've seen to work with our samba-server here. The only difference I know between our working samba-server and my cluster is that my cluster uses the [homes]-section for the user-shares and our other server has all the user-shares created by hand. It shouldn't make a difference as far as I have understood this stuff. I guess I have an error in my view of this but I can't find it. Thanks for helping, guys. I'll tell you the results of my next steps. Regards, Christian