Seip Christian
2000-Sep-22 05:58 UTC
[solved] Users can map other user's shares without password in do main-security mode
Hi!
I'd like to say thanks to all of you folks who helped me with this. Now it
works as it should and as I expect it to. I hope you guys won't beat be for
the cause of my problem when I'm going to tell you.
I didn't apply all of the changes you suggested because I don't think I
need
them. For instance, do I really need to specify the "smbpassd file"
parameter when I don't have/use a smbpasswd?
Now for the cause: I did set the "encrypt passwords = yes" in the
smb.conf
because we've got a NT-domain with Service Pack 4 or higher. What I have
completly forgot: Long time ago, when I started experimenting with samba, I
enabled the plain text passwords in my registry. Sorry but I forgot that
flag. With plain text passwords disabled, samba works as I described it.
It's using only the /etc/passwd for user validation now in combination with
the PDC. It does not longer use the smbpasswd in which every smbuser had no
password set.
Again, I'm sorry to have bothered you with this stupid mistake of mine.
Nevertheless I've learned some things about samba and so I'm glad to say
that your efforts we're not useless.
Thanks to all,
Christian
PS: For those who want to know (whoever that may be), here's my smb.conf
placed on the shared storage and the perl-script (beta-version :-), tested,
but not yet full error handling) to keep the user ids synchronized between
the two nodes.
----------------------------------- schnipp
-----------------------------------
# Global parameters
[global]
workgroup = SR
netbios name = SMB
interfaces = 192.168.1.77/255.255.255.0
bind interfaces only = yes
security = DOMAIN
encrypt passwords = Yes
password server = *
name resolve order = wins lmhosts bcast host
wins server = 192.168.1.2
create mask = 0777
directory mask = 0777
character set = ISO8859-1
local master = no
domain master = no
preferred master = no
browseable = No
nt acl support = true
add user script = /shares/etcsmb/smb_useradd.pl %u
null passwords = true
mangle case = yes
[homes]
comment = Home-Verzeichnis %u
writeable = yes
browseable = No
guest ok = no
# share on the shared storage
[public]
path = /shares/public
read only = No
browseable = Yes
guest ok = Yes
# this is a local node share
[pub]
path = /home/public
read only = No
browseable = Yes
guest ok = yes
----------------------------------- schnipp
-----------------------------------
#!/usr/bin/perl
#
# Script to add Samba User to local account database.
#
# This script is invoked from smbd (AS ROOT) when smb.conf:
# 1. 'security' = server OR domain
# 2. smbd is able to authenticate current user via 'password server'
# 3. no local or NIS account exists for the presently connecting user
# 4. 'add user script' specifies this script
#
# invoked as: smb_useradd %u
# where %u is current user name
#
# This script performs the following actions:
# 1. creates %u local account and home directory via useradd(8).
# 2. logs success/failure via logger(1).
# Account Creation Options (useradd)
$CMNT = "created by smb_useradd"; # Comment passwd field
$SHL = "/bin/false "; # Default shell
$LOGFILE = "/shares/etcsmb/log.smb_useradd";
# ab welcher UID gesucht und vergeben werden soll
$UID_OFFSET = 1000;
$MYPASSWD = "/shares/etcsmb/smbusers";
my %username;
my %userid;
############################################################################
##
sub CreateLogEntry
{
# Enter message into syslog
my $msg = shift;
my $LOGGER="logger -f $LOGFILE -t smb-CSe smb_useradd.pl:";
`$LOGGER $msg`;
}
############################################################################
##
sub CreateAccount
{
($usr, $uid) = @_;
my $cmd="/usr/sbin/useradd -u $uid -g 100 -c '$CMNT' -d
/shares/home/$usr -s $SHL $usr 2>&1";
my @res=`$cmd`;
my $sta=$?;
print "Creating Account for $usr with UID $uid\n";
if ( $sta != 0 ) {
&CreateLogEntry( "[$usr] useradd: Failure in doacct" );
exit 1;
}
}
############################################################################
##
sub ReadMyPasswd
{
die "$MYPASSWD does not exist!" unless -e $MYPASSWD;
open (MYPASSWD, "< $MYPASSWD") or die "Can't open
$MYPASSWD!";
while ($line = <MYPASSWD>)
{
chop($line);
print "Reading MYPASSWD: $line...\n";
($myusername, $myuserid) = split(":", $line);
$username{$myuserid} = $myusername;
$userid{$myusername} = $myuserid;
}
close (MYPASSWD);
return 1;
}
############################################################################
##
sub AppendToMyPasswd
{
($usr, $curruid) = @_;
open (MYPASSWD, ">> $MYPASSWD");
print MYPASSWD "$usr:$curruid\n";
close (MYPASSWD);
return 1;
}
############################################################################
##
# all the main stuff
my $usr = shift;
my $curruid;
&ReadMyPasswd();
print "Hash username:\n";
foreach $key (sort keys %username)
{
print "$key($username{$key})\n";
}
print "Hash userid:\n";
foreach $key (sort keys %userid)
{
print "$key($userid{$key})\n";
}
# wenn der Benutzer schon existiert, braucht keine neu UID vergeben zu
# werden
if (exists $userid{$usr} )
{
$curruid = $userid{$usr};
&CreateAccount($usr, $curruid);
}
# ansonsten volles Programm :-)
else
{
# next uid suchen
$i = $UID_OFFSET;
undef($curruid);
do
{
print "Testing UID $i...\n";
if (exists $username{$i})
{
print "UID $i is used...\n";
$i++;
}
else
{
print "UID $i IS FREE!\n";
$curruid = $i;
}
}
while (! defined $curruid);
print "Adding user $usr with UID $curruid...\n";
&CreateLogEntry( "smb_useradd: add [$usr]" );
&CreateAccount($usr, $curruid);
&AppendToMyPasswd($usr, $curruid);
}
----------------------------------- schnipp
-----------------------------------
EOT :-)