[Samba] Run smbd in AD user context

[Davor Vusir]

2018-03-11 7:54 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:

> On Sun, 2018-03-11 at 06:46 +0100, Davor Vusir via samba wrote:
> > 2018-03-10 19:48 GMT+01:00 Jeremy Allison <jra at samba.org>:
> >
> > > On Sat, Mar 10, 2018 at 01:10:46PM +0100, Davor Vusir via samba wrote:
> > > >
> > > > Off list I got a tip on using become_user(). A soon as I get a grip
> on
> > >
> > > how
> > > > to extract the calling user's vuid I give it a try I have of course
> tried
> > > > other functions; become_user_permanently( ), become_user_by_session(
> )
> > >
> > > and
> > > > become_authenticated_pipe_user( ). None of these have given the
> right
> > > > $HOME.Or I simply don't know how to interpret the outcome or to
> proceed
> > > > from there.
> > >
> > > None of these functions set $HOME, as Samba doesn't
> > > use this in any of our code. We get and use the home directory
> > > when the magic [homes] share is configured, but never
> > > set an environment variable. Your code will have to take
> > > care of that itself.
> > >
> > > Jeremy.
> > >
> >
> > I see. Thank you. I'll see what i can do.
> > Is it possible to run smbd in the context of a service account,
> Preferably
> > an AD account?
> > Is it possible to run a VFS module in the context of a service account?
> > Preferably in the calling user's context?
>
> It is, it does change to the right user for the kernel's purposes.
> Things that use getpwuid(geteuid()) will get the 'right' results, but
> you have to work out how to fight with your library to do the glue.
>
> In terms of 'can you run the whole smbd as non-root, then no.
>
> I hope this helps,
>
> Andrew Bartlett
>
>
That is good news.
Back to the drawing board, then.
Thank you both for your time. It is valuable to me.

Regards
Davor Vusir

--
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/
> services/samba
>
>