Niels Peuyn
2007-Jan-03 13:31 UTC
[Samba] prevent "delete user script" to delete special Samba user
Hello,

OS: FreeBSD 6.1
Samba: 3.0.23c

What kind of exit code does the "delete user script" need, to prevent Samba from deleting a user in tdbsam database?

I'm testing Windows "User Manager for Domain" (usrmgr.exe) and I'm trying to convince Samba to NOT delete special users like "administrator" etc.

Whenever I delete such a user within User Manager for Domain the unix user is still in passwd, but the Samba user has been deleted.

Thanks in advance
Niels
Cleber P. de Souza
2007-Jan-03 13:46 UTC
[Samba] prevent "delete user script" to delete special Samba user
You can put an if test in a script. Similar to:

    delete user script = path/to/script/script.sh "%u"

In script.sh:

    #!/bin/bash
    # Skip the protected account; delete_user stands for the real deletion command.
    if [ "$1" != "myuser" ]; then delete_user; fi

This is preventing Samba from deleting Samba myuser user. I haven't checked this script. Check by yourself in a test environment first.

--
Cleber P. de Souza
Gerald (Jerry) Carter
2007-Jan-04 13:07 UTC
[Samba] prevent "delete user script" to delete special Samba user
Niels Peuyn wrote:
> Hello,
>
> OS: FreeBSD 6.1
> Samba: 3.0.23c
>
> What kind of exit code does the "delete user script" need, to
> prevent Samba from deleting a user in tdbsam database?
>
> I'm testing Windows "User Manager for Domain" (usrmgr.exe) and
> I'm trying to convince Samba to NOT delete special users like
> "administrator" etc.
>
> Whenever I delete such a user within User Manager for Domain
> the unix user is still in passwd, but the Samba user has been
> deleted.

The delete user script only manages the Unix account. The passdb entry permissions are handled by the SeAddUsersPrivilege (or connecting as root). There is no current per user security descriptor that would give the kind of control you want without modifying the source.

cheers, jerry

Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Niels Peuyn
2007-Jan-04 13:31 UTC
[Samba] prevent "delete user script" to delete special Samba user
Hello Jerry,

> The delete user script only manages the Unix account. The
> passdb entry permissions are handled by the SeAddUsersPrivilege
> (or connecting as root). There is no current per user security
> descriptor that would give the kind of control you want without
> modifying the source.

Is it right that the source in "passdb/pdb_interface.c:smb_delete_user" will control user deletion?

Thank you very much for this information

Niels Peuyn
Oberon.net GmbH
Gerald (Jerry) Carter
2007-Jan-04 13:45 UTC
[Samba] prevent "delete user script" to delete special Samba user
Niels Peuyn wrote:
> Hello Jerry,
>
>> The delete user script only manages the Unix account. The
>> passdb entry permissions are handled by the SeAddUsersPrivilege
>> (or connecting as root). There is no current per user security
>> descriptor that would give the kind of control you want without
>> modifying the source.
>
> is it right, that the source in
> "passdb/pdb_interface.c:smb_delete_user"
> will control user deletion?

It depends on the passdb backend you are using. You need to back up one level higher. See pdb_default_delete_user() for example.

cheers, jerry
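
A guarded wrapper in the spirit of the if test suggested earlier in the thread, as an added example that is not from any poster or from the Samba project. The script path, the protected-name list, the MIN_UID threshold and the "pw userdel" deletion command are assumptions. As Jerry's reply states, the delete user script only manages the Unix account, so this guards the passwd entry and not the passdb entry.

```shell
#!/bin/sh
# Added example: guarded wrapper for the smb.conf "delete user script".
# Assumed smb.conf line (the path is hypothetical):
#   delete user script = /usr/local/sbin/guarded_userdel.sh "%u"

# Constructed sample values; adjust for the site.
PROTECTED_USERS="${PROTECTED_USERS:-root administrator nobody}"
MIN_UID="${MIN_UID:-1000}"              # refuse accounts below this UID
DELETE_CMD="${DELETE_CMD:-pw userdel}"  # assumed FreeBSD command

# Return 0 if the name may be deleted; otherwise print a reason to
# stderr and return a distinct non-zero code.
may_delete() {
    user=$1
    # Plain account names only: not empty, no leading '-', no shell metacharacters.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) echo "refused: invalid name" >&2; return 2 ;;
    esac
    # Case-insensitive match, since Windows clients may send "Administrator".
    lc=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    for p in $PROTECTED_USERS; do
        if [ "$lc" = "$p" ]; then
            echo "refused: $user is protected" >&2
            return 3
        fi
    done
    # Refuse system accounts by UID; an unknown local account passes through
    # to the deletion command, which reports its own error.
    uid=$(id -u "$user" 2>/dev/null) || return 0
    if [ "$uid" -lt "$MIN_UID" ]; then
        echo "refused: uid $uid is below $MIN_UID" >&2
        return 4
    fi
    return 0
}

# Delete the Unix account only when the guard allows it.
guarded_delete() {
    may_delete "$1" || return $?
    $DELETE_CMD "$1"
}

# Act only when called with an argument, as Samba would call it.
if [ "$#" -gt 0 ]; then
    guarded_delete "$1"
    exit $?
fi
```
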