Julian Pilfold-Bagwell
2007-Oct-01 12:33 UTC
[Samba] Logging logins with preexec and Samba/LDAP
Hi all,

I had the following line in my smb.conf with which to log access to the home share when users logged in:

preexec = /bin/echo \"%u logged in to %m at %T\" >> /var/log/samba/logons.log

Since updating to LDAP however, it's stopped working and I suspect that smbldap can't handle the % substitutions for user, machine and time. Has anyone else run into this problem? If so, any help with the solution would be handy.

Thanks,

--
Julian Pilfold-Bagwell, Network Manager,
Borden Grammar School, Sittingbourne, Kent, ME10 1EY.
Tel: 01795 424192
Julian Pilfold-Bagwell
2007-Oct-01 14:11 UTC
[Samba] Logging logins with preexec and Samba/LDAP
Mac wrote:
>> Date: Mon, 01 Oct 2007 13:22:25 +0100
>> From: Julian Pilfold-Bagwell <jpb@bordengrammar.kent.sch.uk>
>> To: Samba mail List <samba@lists.samba.org>
>> Subject: [Samba] Logging logins with preexec and Samba/LDAP
>>
>> I had the following line in my smb.conf with which to log access to the
>> home share when users logged in:
>>
>> preexec = /bin/echo \"%u logged in to %m at %T\" >>
>> /var/log/samba/logons.log
>>
>> Since updating to LDAP however, it's stopped working and I suspect that
>> smbldap can't handle the % substitutions for user, machine and time.
>> Has anyone else run into this problem? If so, any help with the
>> solution would be handy.
>>
>
> Did you upgrade Samba recently? (perhaps at the same time as adding
> LDAP?)
>
> The way things like "preexec" are handled changed in about 3.0.24 or 25.
>
> I can help if that looks like it might be the issue.
>
> Mac
> Assistant Systems Administrator @nibsc.ac.uk
> mac@nibsc.ac.uk
> Work: +44 1707 641565 Everything else: +44 7956 237670 (anytime)
>

Hiya,

Yup, I upgraded to 3.0.24 at the same time. How's it changed?

Thanks,

Julian

--
Julian Pilfold-Bagwell, Network Manager,
Borden Grammar School, Sittingbourne, Kent, ME10 1EY.
Tel: 01795 424192
Julian Pilfold-Bagwell
2007-Oct-01 14:27 UTC
[Samba] Logging logins with preexec and Samba/LDAP
Mac wrote:
> Hi there,
>
>> Date: Mon, 01 Oct 2007 14:36:26 +0100
>> From: Julian Pilfold-Bagwell <jpb@bordengrammar.kent.sch.uk>
>> Subject: Re: [Samba] Logging logins with preexec and Samba/LDAP
>>
>> Yup, I upgraded to 3.0.24 at the same time. How's it changed?
>>
>
> It was documented (just about) in the release notes.
>
> As the result of a security problem, the way all external commands are
> invoked has been tightened up. Annoyingly I think 'testparm' doesn't
> tell you this.
>
> In essence, you can't use any meta characters in the invocation at all.
> So your \'s will cause the command to be ignored by Samba.
>
> The fix is (in general) to write a tiny shell script that does the right
> thing.
>
> Here's an example from our smb.conf:-
>
> [mydocs]
> ;   root preexec = if [ ! -d "/n17/profiles/%u/My Documents" ] ;\
> ;       then { mkdir -p "/n17/profiles/%u/My Documents" ;\
> ;       chown -R %u "/n17/profiles/%u" ; \
> ;       chmod -R 0700 "/n17/profiles/%u" ;} ; \
> ;       fi
>     root preexec = /usr/local/bin/samba-mkdir "%u" "My Documents"
>
> The ;-ed lines are what we used to use. Now we use the samba-mkdir
> script. We had to write the samba-mkdir script which looks like this:-
>
> #!/bin/sh
>
> u=${1:?must_specify_user_name}
>
> d=${2:?must_specify_directory_to_create}
>
> dir="/n17/profiles/$u/$d"
>
>
> if [ ! -d "$dir" ]
> then mkdir -p "$dir"
>      chown -R "$u" "$dir"
>      chmod -R 0700 "$dir"
> fi
>
> which, as you can see, does much the same thing. We included a tiny bit
> of error checking (the $ : ? thing) just in case anyone ever tried to
> run the script outside of Samba.
>
> Does this help?
>
> Mac
> Assistant Systems Administrator @nibsc.ac.uk
> mac@nibsc.ac.uk
> Work: +44 1707 641565 Everything else: +44 7956 237670 (anytime)
>

Thanks very much both of you. I'll post a copy of the working script along with a SOLVED header when I get it going.

Many thanks again,

All the best,

Julian PB

--
Julian Pilfold-Bagwell, Network Manager,
Borden Grammar School, Sittingbourne, Kent, ME10 1EY.
Tel: 01795 424192
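
An added example, not part of the thread and not either poster's script: the wrapper-script fix described above applied to the original logging line, with an allowlist check on the substituted values so a crafted user or machine name cannot forge extra log lines. The script path /usr/local/bin/samba-logon, the LOGON_LOG override and the assumed %T format are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): hypothetical wrapper
# /usr/local/bin/samba-logon, called from smb.conf as
#   preexec = /usr/local/bin/samba-logon "%u" "%m" "%T"
# so the smb.conf line itself carries no redirection or backslashes.
LC_ALL=C; export LC_ALL

# Log path from the original post; LOGON_LOG is an assumed override for testing.
LOGON_LOG=${LOGON_LOG:-/var/log/samba/logons.log}

# valid_name VALUE: non-empty and only letters, digits, '.', '_' and '-'.
# %u and %m originate with the client, so anything else (spaces, newlines,
# control characters) is refused rather than written into the log.
valid_name() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# valid_time VALUE: non-empty and only digits, '/', ':', space and '-'
# (assumes %T looks like "2007/10/01 14:27:05").
valid_time() {
    case $1 in
        ''|*[!0-9/:\ -]*) return 1 ;;
    esac
    return 0
}

# log_logon USER MACHINE TIME: append one line, or fail without writing.
log_logon() {
    [ "$#" -eq 3 ] || { echo "usage: samba-logon user machine time" >&2; return 2; }
    valid_name "$1" && valid_name "$2" && valid_time "$3" || {
        echo "samba-logon: rejected argument" >&2
        return 1
    }
    printf '%s logged in to %s at %s\n' "$1" "$2" "$3" >> "$LOGON_LOG"
}

# Run only when invoked with arguments, as Samba does.
[ "$#" -eq 0 ] || log_logon "$@"
```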