[solved] Users can map other users' shares without password in domain-security mode

Seip Christian cseip at sr-online.de
Fri Sep 22 05:58:28 GMT 2000


Hi!

I'd like to say thanks to all of you folks who helped me with this. Now it
works as it should and as I expect it to. I hope you guys won't beat me for
the cause of my problem when I tell you.

I didn't apply all of the changes you suggested because I don't think I need
them. For instance, do I really need to specify the "smb passwd file"
parameter when I don't have/use a smbpasswd?

Now for the cause: I did set "encrypt passwords = yes" in the smb.conf
because we've got an NT domain with Service Pack 4 or higher. What I had
completely forgotten: a long time ago, when I started experimenting with samba, I
enabled plain text passwords in my registry. Sorry, but I forgot that
flag. With plain text passwords disabled, samba works as I described it.
It's using only the /etc/passwd for user validation now in combination with
the PDC. It no longer uses the smbpasswd in which every smbuser had no
password set.

Again, I'm sorry to have bothered you with this stupid mistake of mine.
Nevertheless I've learned some things about samba and so I'm glad to say
that your efforts were not useless.

Thanks to all,

Christian

PS: For those who want to know (whoever that may be), here's my smb.conf
placed on the shared storage and the perl-script (beta-version :-), tested,
but not yet full error handling) to keep the user ids synchronized between
the two nodes.

----------------------------------- schnipp -----------------------------------

# Global parameters
[global]
        workgroup = SR
        netbios name = SMB
        interfaces = 192.168.1.77/255.255.255.0
        bind interfaces only = yes
        security = DOMAIN
        encrypt passwords = Yes
        password server = *
        name resolve order = wins lmhosts bcast host
        wins server = 192.168.1.2
        create mask = 0777
        directory mask = 0777
        character set = ISO8859-1
        local master = no
        domain master = no
        preferred master = no

        browseable = No
        nt acl support = true
        add user script = /shares/etcsmb/smb_useradd.pl %u
        null passwords = true
        mangle case = yes

[homes]
        comment = Home-Verzeichnis %u
        writeable = yes
        browseable = No
        guest ok = no

# share on the shared storage
[public] 
        path = /shares/public
        read only = No
        browseable = Yes
        guest ok = Yes

# this is a local node share
[pub]
        path = /home/public
        read only = No
        browseable = Yes
        guest ok = yes

----------------------------------- schnipp -----------------------------------

#!/usr/bin/perl
#
# Script to add Samba User to local account database.
#
# This script is invoked from smbd (AS ROOT) when smb.conf:
#   1. 'security' = server OR domain
#   2. smbd is able to authenticate current user via 'password server'
#   3. no local or NIS account exists for the presently connecting user
#   4. 'add user script' specifies this script
#
# invoked as: smb_useradd %u
#  where %u is current user name
#
# This script performs the following actions:
#   1. creates %u local account and home directory via useradd(8).
#   2. logs success/failure via logger(1).

use strict;
use warnings;

# Account Creation Options (useradd)

my $CMNT        = "created by smb_useradd";     # Comment passwd field
my $SHL         = "/bin/false";                 # Default shell
my $LOGFILE     = "/shares/etcsmb/log.smb_useradd";

# lowest UID to search from and to hand out
my $UID_OFFSET  = 1000;
my $MYPASSWD    = "/shares/etcsmb/smbusers";    # user:uid map shared by both nodes

my %username;   # uid  -> user name
my %userid;     # name -> uid

############################################################################
##

sub CreateLogEntry
{
    # Write the message to the shared log file and to syslog. Note that
    # logger(1)'s -f option names a file to read messages from, not a file
    # to write to, so the log file is appended to directly here.
    my $msg = shift;
    if (open(my $log, ">>", $LOGFILE)) {
        print $log scalar(localtime), " smb_useradd.pl: $msg\n";
        close($log);
    }
    # List-form system() hands the message over as a single argument, so no
    # shell ever interprets the user name that is embedded in it.
    system("logger", "-t", "smb-CSe", "smb_useradd.pl: $msg");
}

############################################################################
##

sub CreateAccount
{
    my ($usr, $uid) = @_;

    print "Creating Account for $usr with UID $uid\n";

    # List-form system(): no shell is involved, so the command cannot be
    # split by a stray newline and nothing in $usr or $CMNT is reinterpreted.
    my @cmd = ("/usr/sbin/useradd", "-u", $uid, "-g", "100", "-c", $CMNT,
               "-d", "/shares/home/$usr", "-s", $SHL, $usr);
    my $sta = system(@cmd);

    if ( $sta != 0 ) {
        &CreateLogEntry( "[$usr] useradd: Failure in doacct (exit " . ($? >> 8) . ")" );
        exit 1;
    }
}

############################################################################
##

sub ReadMyPasswd
{
    die "$MYPASSWD does not exist!" unless -e $MYPASSWD;

    open (my $fh, "<", $MYPASSWD) or die "Can't open $MYPASSWD!";
    while (my $line = <$fh>)
    {
        chomp($line);
        next if $line =~ /^\s*$/;       # skip blank lines

        print "Reading MYPASSWD: $line...\n";

        my ($myusername, $myuserid) = split(":", $line);
        $username{$myuserid} = $myusername;
        $userid{$myusername} = $myuserid;
    }
    close ($fh);

    return 1;
}

############################################################################
##

sub AppendToMyPasswd
{
    my ($usr, $curruid) = @_;

    open (my $fh, ">>", $MYPASSWD) or die "Can't append to $MYPASSWD!";
    print $fh "$usr:$curruid\n";
    close ($fh);

    return 1;
}

############################################################################
##
# all the main stuff

my $usr = shift;
my $curruid;

# smbd runs this as root with a name taken from the SMB logon, so accept
# only a plain Unix user name before it gets anywhere near useradd(8).
die "usage: smb_useradd.pl <username>\n" unless defined $usr;
die "refusing suspicious user name '$usr'\n"
    unless $usr =~ /^[a-z_][a-z0-9_.-]*$/i;

&ReadMyPasswd();

print "Hash username:\n";
foreach my $key (sort keys %username)
{
   print "$key($username{$key})\n";
}

print "Hash userid:\n";
foreach my $key (sort keys %userid)
{
   print "$key($userid{$key})\n";
}


# if the user already exists (on the other node), no new UID needs to be
# handed out

if (exists $userid{$usr} )
{
    $curruid = $userid{$usr};
    &CreateAccount($usr, $curruid);
}

# otherwise the whole works :-)

else
{
    # look for the next free uid
    my $i = $UID_OFFSET;
    undef($curruid);

    do
    {
       print "Testing UID $i...\n";

       # a UID counts as taken if the shared map or the local passwd uses it
       if (exists $username{$i} or defined getpwuid($i))
       {
           print "UID $i is used...\n";
           $i++;
       }
       else
       {
           print "UID $i IS FREE!\n";
           $curruid = $i;
       }
    }
    while (! defined $curruid);

    print "Adding user $usr with UID $curruid...\n";
    &CreateLogEntry( "smb_useradd: add [$usr]" );
    &CreateAccount($usr, $curruid);
    &AppendToMyPasswd($usr, $curruid);
}

----------------------------------- schnipp -----------------------------------

EOT :-)
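As an added example that is not part of the original message or of Samba itself: a small Python check that parses an smb.conf like the one posted above and flags the settings that played a role in this thread (empty passwords accepted, plaintext logons, guest shares, world-writable creation masks). The configuration embedded in it is a constructed excerpt of the posted smb.conf.

```python
# Constructed sample input: the settings from the smb.conf in the message
# above, trimmed to the keys this check looks at.
SAMPLE_SMB_CONF = """\
[global]
        security = DOMAIN
        encrypt passwords = Yes
        create mask = 0777
        null passwords = true
[homes]
        guest ok = no
[public]
        path = /shares/public
        guest ok = Yes
"""

def parse_smb_conf(text):
    """Parse smb.conf into {section: {key: value}}; names are lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()   # strip comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = " ".join(line[1:-1].lower().split())
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def audit(sections):
    """Flag settings that let an empty or plaintext logon reach a share."""
    g = sections.get("global", {})
    findings = []
    if is_yes(g.get("null passwords", "no")):
        findings.append("global: null passwords = yes accepts empty passwords")
    if "encrypt passwords" in g and not is_yes(g["encrypt passwords"]):
        findings.append("global: encrypt passwords = no forces plaintext logons")
    for mask in ("create mask", "directory mask"):
        if g.get(mask) == "0777":
            findings.append(f"global: {mask} = 0777 creates world-writable files")
    for name, sec in sections.items():
        if name != "global" and is_yes(sec.get("guest ok", "no")):
            findings.append(f"{name}: guest ok = yes needs no credential at all")
    return findings
```

Run against the excerpt it reports the empty-password setting, the 0777 mask and the guest-accessible [public] share; [homes] passes.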




