(Root) Preexec close: exit code?

David Lee T.D.Lee at durham.ac.uk
Thu May 4 10:59:39 GMT 2000


> From:   werner maes <werner.maes at cc.kuleuven.ac.be>
> To:     samba at samba.org
> Subject: (Root) Preexec close: exit code?
> What exactly is this return code and when is it different from zero?
> I mean what determines what will be the return code?
> From help smb.conf:
> Preexec close = yes
> "This boolean option controls whether a non-zero return code from
> "preexec" should close the service being connected to."

"preexec" (a long-established Samba feature) runs a program on the Samba
server (typically a UNIX machine) during the making of a connection from
the PC.  Historically, Samba would then always complete (establish) the
connection.  Note the "always" (unless there are other Samba errors, but
these are irrelevant in this discussion).

The related boolean "preexec close" is a recent addition to Samba.  If
unset, the default, the connection behaves the old way: i.e. it always
tries to complete.  If set, Samba checks the UNIX return code from the
"preexec" program/script on the UNIX host, to determine whether to
complete or fail the connection.

To give you an example:  We use it to check password ageing data.  For
most users, most of the time, the connection simply completes.  But for
new users, we want them to change their initial password on the UNIX Samba
server, and if, after warnings, they fail to change it, we want their
connection attempt to fail. 

So we use a preexec script to check the password ageing:

1. If no password ageing data is applicable for the user (most users, most
   of the time), it completes silently, with a return code of 0.   The
   Samba connection establishes.

2. If the user's password needs to be changed during a warning period (few
   days/weeks), the "preexec" script sends a message to the PC via the
   Messaging Service and exits with 0.   The Samba connection establishes.

3. If the user's password has expired (they have ignored warnings over
   preceding days!), the "preexec" script sends a slightly different
   message, and, crucially, exits with non-0.  Historically, this would
   still have completed the connection.  But we use "preexec close = yes",
   which sees the non-0 return code from UNIX, and so Samba then aborts
   the connection attempt.

> I'm trying to use this to avoid several logons from the same student on
> different pc's.

Have you seen the "max connections" option?  Might this be a better way to
achieve your aim (instead of any "preexec" use at all)?


:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/~dcl0tdl            South Road            :
:                                           Durham                :
:  Phone: +44 191 374 2882                  U.K.                  :
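
The three-case password-ageing check described in the reply above, as an
added example (not part of the original post and not the Durham script).
It assumes the script is wired in with "root preexec" and "root preexec
close = yes", reads shadow(5)-style fields, and uses hypothetical names
(pwage-check, pw_state, notify_pc, preexec_check); the sample accounts
are constructed.

```shell
#!/bin/sh
# Added example, not the Durham script. Assumed smb.conf wiring for a share:
#   root preexec = /usr/local/sbin/pwage-check %u %m
#   root preexec close = yes
# The script path and all function names below are hypothetical.

# pw_state LASTCHG MAXDAYS WARNDAYS TODAY -> prints ok | warn | expired
# Arguments are day counts, as in shadow(5) fields 3, 5 and 6.
pw_state() {
    lastchg=$1 max=$2 warn=$3 today=$4
    # Case 1: no ageing data applies to this user.
    if [ -z "$lastchg" ] || [ -z "$max" ]; then echo ok; return 0; fi
    expires=$((lastchg + max))
    if [ "$today" -gt "$expires" ]; then echo expired
    elif [ "$today" -ge $((expires - ${warn:-0})) ]; then echo warn
    else echo ok; fi
}

# Placeholder for the site's messaging command; it only records the text.
notify_pc() { LAST_MSG="$1: $2"; }

# preexec_check USER CLIENT SHADOW_FILE TODAY; status = preexec exit code.
# Fails closed (status 2) when the file cannot be read.
preexec_check() {
    line=$(awk -F: -v u="$1" '$1 == u { print $3 ":" $5 ":" $6 }' "$3") || return 2
    IFS=: read -r lastchg max warn <<EOF
$line
EOF
    case $(pw_state "$lastchg" "$max" "$warn" "$4") in
        warn)    notify_pc "$2" "password expires soon, please change it"; return 0 ;;
        expired) notify_pc "$2" "password expired, connection refused";   return 1 ;;
        *)       return 0 ;;
    esac
}

# Constructed sample data in shadow(5) layout (not real accounts).
sample_shadow() {
    cat <<'EOF'
alice:x:10990:0:90:7:::
bob:x:10915:0:90:7:::
carol:x:10900:0:90:7:::
dave:x:::::::
EOF
}

# When run by Samba with "%u %m", check the real file against today's date.
if [ "$#" -eq 2 ]; then
    preexec_check "$1" "$2" /etc/shadow "$(($(date +%s) / 86400))"
    exit $?
fi
```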
