Seip Christian
2000-Sep-22 05:58 UTC
[solved] Users can map other user's shares without password in domain-security mode
Hi!

I'd like to say thanks to all of you folks who helped me with this. Now it works as it should and as I expect it to. I hope you guys won't beat me for the cause of my problem when I'm going to tell you. I didn't apply all of the changes you suggested because I don't think I need them. For instance, do I really need to specify the "smbpasswd file" parameter when I don't have/use an smbpasswd?

Now for the cause: I did set "encrypt passwords = yes" in the smb.conf because we've got an NT domain with Service Pack 4 or higher. What I had completely forgotten: a long time ago, when I started experimenting with samba, I enabled plain text passwords in my registry. Sorry, but I forgot that flag. With plain text passwords disabled, samba works as I described it. It's using only the /etc/passwd for user validation now, in combination with the PDC. It no longer uses the smbpasswd in which every smbuser had no password set.

Again, I'm sorry to have bothered you with this stupid mistake of mine. Nevertheless, I've learned some things about samba, and so I'm glad to say that your efforts were not useless.

Thanks to all,
Christian

PS: For those who want to know (whoever that may be), here's my smb.conf placed on the shared storage and the perl script (beta version :-), tested, but not yet with full error handling) to keep the user ids synchronized between the two nodes.
----------------------------------- schnipp -----------------------------------
# Global parameters
[global]
        workgroup = SR
        netbios name = SMB
        interfaces = 192.168.1.77/255.255.255.0
        bind interfaces only = yes
        security = DOMAIN
        encrypt passwords = Yes
        password server = *
        name resolve order = wins lmhosts bcast host
        wins server = 192.168.1.2
        create mask = 0777
        directory mask = 0777
        character set = ISO8859-1
        local master = no
        domain master = no
        preferred master = no
        browseable = No
        nt acl support = true
        add user script = /shares/etcsmb/smb_useradd.pl %u
        null passwords = true
        mangle case = yes

[homes]
        comment = Home-Verzeichnis %u
        writeable = yes
        browseable = No
        guest ok = no

# share on the shared storage
[public]
        path = /shares/public
        read only = No
        browseable = Yes
        guest ok = Yes

# this is a local node share
[pub]
        path = /home/public
        read only = No
        browseable = Yes
        guest ok = yes
----------------------------------- schnipp -----------------------------------
#!/usr/bin/perl
#
# Script to add Samba User to local account database.
#
# This script is invoked from smbd (AS ROOT) when smb.conf:
# 1. 'security' = server OR domain
# 2. smbd is able to authenticate current user via 'password server'
# 3. no local or NIS account exists for the presently connecting user
# 4. 'add user script' specifies this script
#
# invoked as: smb_useradd %u
# where %u is current user name
#
# This script performs the following actions:
# 1. creates %u local account and home directory via useradd(8).
# 2. logs success/failure via logger(1).

use strict;
use warnings;
use Fcntl qw(:flock);

# Account Creation Options (useradd)
my $CMNT    = "created by smb_useradd";          # Comment passwd field
my $SHL     = "/bin/false";                      # Default shell
my $LOGFILE = "/shares/etcsmb/log.smb_useradd";
# UID from which searching for and assigning free UIDs starts
my $UID_OFFSET = 1000;
# shared name -> uid map on the shared storage, so both nodes agree
my $MYPASSWD = "/shares/etcsmb/smbusers";

my %username;   # uid  -> name
my %userid;     # name -> uid

############################################################################
sub CreateLogEntry {
    # Enter message into syslog; list form of system(), so the message is
    # never parsed by a shell. The file on the shared storage gets a copy.
    my $msg = shift;
    system('logger', '-t', 'smb-CSe', "smb_useradd.pl: $msg");
    if (open(my $log, '>>', $LOGFILE)) {
        print $log scalar(localtime), " smb_useradd.pl: $msg\n";
        close($log);
    }
}

############################################################################
sub CreateAccount {
    my ($usr, $uid) = @_;
    print "Creating Account for $usr with UID $uid\n";
    # list form again: the user name is passed as one argument, not shell text
    my $sta = system('/usr/sbin/useradd', '-u', $uid, '-g', '100',
                     '-c', $CMNT, '-d', "/shares/home/$usr", '-s', $SHL, $usr);
    if ($sta != 0) {
        CreateLogEntry("[$usr] useradd: Failure in doacct");
        exit 1;
    }
}

############################################################################
sub ReadMyPasswd {
    die "$MYPASSWD does not exist!\n" unless -e $MYPASSWD;
    open(my $fh, '<', $MYPASSWD) or die "Can't open $MYPASSWD: $!\n";
    while (my $line = <$fh>) {
        chomp($line);
        next if $line =~ /^\s*$/;
        print "Reading MYPASSWD: $line...\n";
        my ($myusername, $myuserid) = split(/:/, $line);
        $username{$myuserid}   = $myusername;
        $userid{$myusername}   = $myuserid;
    }
    close($fh);
    return 1;
}

############################################################################
sub AppendToMyPasswd {
    my ($usr, $curruid) = @_;
    open(my $fh, '>>', $MYPASSWD) or die "Can't append to $MYPASSWD: $!\n";
    print $fh "$usr:$curruid\n";
    close($fh);
    return 1;
}

############################################################################
# all the main stuff
my $usr = shift or die "usage: smb_useradd.pl <username>\n";
# smbd hands us the name it authenticated at the PDC, but it still becomes
# a useradd argument and a path component, so accept only plain names
die "Invalid user name: $usr\n" unless $usr =~ /^[A-Za-z0-9._-]+$/;

# Hold an exclusive lock while choosing a UID, so the two nodes cannot hand
# out the same UID when users connect to both at the same time
open(my $lock, '>>', "$MYPASSWD.lock") or die "Can't open $MYPASSWD.lock: $!\n";
flock($lock, LOCK_EX) or die "Can't lock $MYPASSWD.lock: $!\n";

ReadMyPasswd();
print "Hash username:\n";
foreach my $key (sort keys %username) { print "$key($username{$key})\n"; }
print "Hash userid:\n";
foreach my $key (sort keys %userid)   { print "$key($userid{$key})\n"; }

my $curruid;
# if the user already exists (on the other node), no new UID needs to be
# assigned
if (exists $userid{$usr}) {
    $curruid = $userid{$usr};
    CreateAccount($usr, $curruid);
}
# otherwise the full program :-)
else {
    # look for the next free uid: free in the shared map AND not already
    # taken by a local account on this node
    my $i = $UID_OFFSET;
    do {
        print "Testing UID $i...\n";
        if (exists $username{$i} or defined getpwuid($i)) {
            print "UID $i is used...\n";
            $i++;
        } else {
            print "UID $i IS FREE!\n";
            $curruid = $i;
        }
    } while (!defined $curruid);
    print "Adding user $usr with UID $curruid...\n";
    CreateLogEntry("smb_useradd: add [$usr]");
    CreateAccount($usr, $curruid);
    AppendToMyPasswd($usr, $curruid);
}
close($lock);
----------------------------------- schnipp -----------------------------------
EOT :-)
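The failure mode this thread describes (an smbpasswd full of accounts with no password set, next to "null passwords = true" in smb.conf) is easy to audit for. The following Python is an added example, not part of the original post; the smbpasswd entries and smb.conf fragment are constructed samples, and the check also honours the D (disabled) flag so disabled accounts are not reported.

```python
# Constructed sample data (not from the original post): a normal account, one
# flagged "no password" (N) and one disabled (D) account with an empty hash.
SAMPLE_SMBPASSWD = """\
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-39C8A3F2:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UN         ]:LCT-39C8A3F2:
carol:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[UD         ]:LCT-39C8A3F2:
"""
SAMPLE_SMB_CONF = "[global]\n security = DOMAIN\n encrypt passwords = Yes\n null passwords = true\n"
NO_PASSWORD_HASH = "X" * 32   # smbpasswd stores 32 X's for "no password"

def parse_smbpasswd(text):
    # yields (user, uid, lm_hash, nt_hash, flags) per entry, skipping comments
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 5 or fields[0].startswith("#"):
            continue
        user, uid, lm, nt, flags = fields[:5]
        yield user, int(uid), lm.upper(), nt.upper(), flags.strip("[] ")

def passwordless_accounts(text):
    # enabled accounts that would accept an empty password: N flag or all-X hash
    found = []
    for user, _uid, lm, nt, flags in parse_smbpasswd(text):
        if "D" in flags:
            continue   # disabled: cannot log in whatever the hash says
        if "N" in flags or lm == NO_PASSWORD_HASH or nt == NO_PASSWORD_HASH:
            found.append(user)
    return found

def global_params(conf_text):
    # the [global] section of an smb.conf as a lower-cased key/value dict
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#")[0].split(";")[0].strip()   # strip comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            params[key.strip().lower()] = val.strip().lower()
    return params

def audit(conf_text, smbpasswd_text):
    # findings for the combination in the post; an empty list means clean
    findings = []
    if global_params(conf_text).get("null passwords") in ("yes", "true", "1"):
        findings.append("null passwords is enabled")
    if users := passwordless_accounts(smbpasswd_text):
        findings.append("accounts with no password: " + ", ".join(users))
    return findings
```

Run audit() against the real /etc/smb.conf and smbpasswd contents; either finding on its own is worth a look, both together is the situation from the post.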