2018-03-10 19:48 GMT+01:00 Jeremy Allison <jra at samba.org>:

> On Sat, Mar 10, 2018 at 01:10:46PM +0100, Davor Vusir via samba wrote:
> >
> > Off list I got a tip on using become_user(). As soon as I get a grip on how
> > to extract the calling user's vuid I give it a try. I have of course tried
> > other functions: become_user_permanently(), become_user_by_session() and
> > become_authenticated_pipe_user(). None of these have given the right
> > $HOME. Or I simply don't know how to interpret the outcome or to proceed
> > from there.
>
> None of these functions set $HOME, as Samba doesn't
> use this in any of our code. We get and use the home directory
> when the magic [homes] share is configured, but never
> set an environment variable. Your code will have to take
> care of that itself.
>
> Jeremy.

I see. Thank you. I'll see what I can do.

Is it possible to run smbd in the context of a service account, preferably an AD account?
Is it possible to run a VFS module in the context of a service account? Preferably in the calling user's context?

Regards
Davor Vusir

On Sun, 2018-03-11 at 06:46 +0100, Davor Vusir via samba wrote:

> 2018-03-10 19:48 GMT+01:00 Jeremy Allison <jra at samba.org>:
>
> > On Sat, Mar 10, 2018 at 01:10:46PM +0100, Davor Vusir via samba wrote:
> > >
> > > Off list I got a tip on using become_user(). As soon as I get a grip on how
> > > to extract the calling user's vuid I give it a try. I have of course tried
> > > other functions: become_user_permanently(), become_user_by_session() and
> > > become_authenticated_pipe_user(). None of these have given the right
> > > $HOME. Or I simply don't know how to interpret the outcome or to proceed
> > > from there.
> >
> > None of these functions set $HOME, as Samba doesn't
> > use this in any of our code. We get and use the home directory
> > when the magic [homes] share is configured, but never
> > set an environment variable. Your code will have to take
> > care of that itself.
> >
> > Jeremy.
>
> I see. Thank you. I'll see what I can do.
> Is it possible to run smbd in the context of a service account, preferably
> an AD account?
> Is it possible to run a VFS module in the context of a service account?
> Preferably in the calling user's context?

It is, it does change to the right user for the kernel's purposes.
Things that use getpwuid(geteuid()) will get the 'right' results, but
you have to work out how to fight with your library to do the glue.

In terms of 'can you run the whole smbd as non-root', then no.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

2018-03-11 7:54 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:

> On Sun, 2018-03-11 at 06:46 +0100, Davor Vusir via samba wrote:
> > 2018-03-10 19:48 GMT+01:00 Jeremy Allison <jra at samba.org>:
> >
> > > On Sat, Mar 10, 2018 at 01:10:46PM +0100, Davor Vusir via samba wrote:
> > > >
> > > > Off list I got a tip on using become_user(). As soon as I get a grip on how
> > > > to extract the calling user's vuid I give it a try. I have of course tried
> > > > other functions: become_user_permanently(), become_user_by_session() and
> > > > become_authenticated_pipe_user(). None of these have given the right
> > > > $HOME. Or I simply don't know how to interpret the outcome or to proceed
> > > > from there.
> > >
> > > None of these functions set $HOME, as Samba doesn't
> > > use this in any of our code. We get and use the home directory
> > > when the magic [homes] share is configured, but never
> > > set an environment variable. Your code will have to take
> > > care of that itself.
> > >
> > > Jeremy.
> >
> > I see. Thank you. I'll see what I can do.
> > Is it possible to run smbd in the context of a service account, preferably
> > an AD account?
> > Is it possible to run a VFS module in the context of a service account?
> > Preferably in the calling user's context?
>
> It is, it does change to the right user for the kernel's purposes.
> Things that use getpwuid(geteuid()) will get the 'right' results, but
> you have to work out how to fight with your library to do the glue.
>
> In terms of 'can you run the whole smbd as non-root', then no.
>
> I hope this helps,
>
> Andrew Bartlett

That is good news. Back to the drawing board, then.

Thank you both for your time. It is valuable to me.

Regards
Davor Vusir

> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
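
Added example, not part of the thread and not Samba code: one way a module could do the "glue" discussed above, resolving the home directory from getpwuid_r(geteuid()) once the effective uid has been switched and exporting it as HOME, so a library that reads $HOME does not see the value inherited from the root-started daemon. The helper names `home_dir_for_uid` and `export_home_for_effective_uid` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: copy the passwd home directory of uid into out.
 * Returns 0 on success or an errno value (ENOENT if there is no usable entry). */
int home_dir_for_uid(uid_t uid, char *out, size_t outlen)
{
    struct passwd pw, *res = NULL;
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t buflen = hint > 0 ? (size_t)hint : 1024;
    char *buf = NULL, *tmp;
    int rc;

    for (;;) {
        if ((tmp = realloc(buf, buflen)) == NULL) { free(buf); return ENOMEM; }
        buf = tmp;
        rc = getpwuid_r(uid, &pw, buf, buflen, &res);
        if (rc != ERANGE || buflen > (1u << 20)) break;  /* grow, with a cap */
        buflen *= 2;
    }
    if (rc == 0 && (res == NULL || pw.pw_dir == NULL || pw.pw_dir[0] == '\0')) rc = ENOENT;
    if (rc == 0 && strlen(pw.pw_dir) >= outlen) rc = ERANGE;
    if (rc == 0) memcpy(out, pw.pw_dir, strlen(pw.pw_dir) + 1);
    free(buf);
    return rc;
}

/* Hypothetical helper: call after the effective uid has been switched.
 * On failure HOME is removed so the previous identity's value cannot leak.
 * The environment is process-wide: redo this whenever the identity changes. */
int export_home_for_effective_uid(void)
{
    char home[4096];
    int rc = home_dir_for_uid(geteuid(), home, sizeof home);
    if (rc != 0) { unsetenv("HOME"); return rc; }
    return setenv("HOME", home, 1) == 0 ? 0 : errno;
}

int main(void)
{
    int rc = export_home_for_effective_uid();
    printf("euid=%ld HOME=%s rc=%d\n", (long)geteuid(), rc == 0 ? getenv("HOME") : "(unset)", rc);
    return rc == 0 ? 0 : 1;
}
```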