[Samba] Connection scripts with the 'prexec' clause
Maurice Forte
mforte at us.ibm.com
Tue Aug 15 13:04:57 GMT 2006
Shaun,
I am a little confused by your response when you say LDAP could help. Our
Samba server runs on an AIX box which has been configured to point to an LDAP
backend for the management of the AIX userids. Our Windows clients'
userid/passwords have to match our AIX userid/smb password in order for
them to be able to perform a 'net use' to shares. Here is a snippet of
my smb.conf file:
[global]
    security = user
    encrypt passwords = yes
    netbios name = NSCC04
    workgroup = WBS
    passdb backend = ldapsam:ldap://nsldap.raleigh.ibm.com:389
    ldap admin dn = "cn=root"
    ldap ssl = on
    ldap suffix = "ou=swg,o=ibm.com"
    ldap passwd sync = no
    create mask = 0775
    directory mask = 0775
    oplocks = no
    kernel oplocks = no
    case sensitive = no
    preserve case = yes
    max log size = 10000
    log level = 2
    max xmit = 65535
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_SNDBUF=8192
    getwd cache = yes
    wide links = no
    invalid users = root daemon bin sys adm uucp nuucp lpd imnadm ipsec lp snapp invscout
    guest account = nobody

[clearcase]
    comment = ClearCase Release Area
    path = /samba/release_area
    valid users = @install
    read only = yes
    wide links = yes

[ccupdate]
    comment = ClearCase Release Area
    path = /samba/release_area
    valid users = @wbs
    writeable = yes
    browseable = no
    wide links = yes

[euss]
    comment = EUSS Production Vob
    path = /vbsstore/euss
    valid users = @eussdev @a2cs @acsa @eussjava @nhpe @gcapi @eussold @euss
    writeable = yes

[esadt]
    comment = ESADT Production Vob
    path = /vbsstore/esadt
    valid users = @esadt @rzos_dev @esadt_pi @wsed_dev
    writeable = yes
My problem scenario is as follows:
I use Rational ClearCase, which depends on Samba to serve shares from our
AIX server to Windows clients. A user can 'spoof' another user by simply
logging on to their Windows workstation as userB (which is a valid ID that
they created on their local workstation because they have administrator
privileges, but they don't know userB's Samba password) and then performing a
'net use * \\some share /userA' (userA happens to be their own valid Samba
ID/PWD) and then bringing up ClearCase and performing checkins/checkouts
as userB. I know the security problem lies in the way ClearCase works,
but if I can stop userA from 'net using' as himself while logged into
his workstation as userB, then I can eliminate the security hole in
ClearCase. So, in my case, if their Windows login (%USERNAME%) doesn't
match the user they are connecting to the share with (I can get this via
the Samba environment variable %u and a preexec clause), then I don't allow
them to access the share. I am trying to figure out how to grab the
userid (%USERNAME%) they are logged onto their workstation as at the time
they perform their 'net use'.
Thanks,
Maurice
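The check Maurice describes above cannot be done exactly as asked, because smbd never learns the client's Windows logon name; the script below is an added example (not from this thread, not Samba's own code) that approximates the policy with what Samba does pass to a preexec script: the session user (%U), the client NetBIOS name (%m), the client IP (%I) and the share (%S). It assumes the admin maintains an allow-list of which Samba users may connect from which workstation (file paths and the smb.conf lines are assumptions), and relies on Samba's real "preexec close = yes" option to refuse the connection when the script exits non-zero.

```shell
#!/bin/sh
# Added example, not from the thread. Samba never sees the Windows logon
# name (%USERNAME%), but it does pass the session user (%U), the client
# NetBIOS name (%m), the client IP (%I) and the share (%S) to a preexec
# script. The admin keeps an allow-list of which Samba users may connect
# from which workstation; a mismatch makes the script exit non-zero, and
# with "preexec close = yes" smbd then refuses the connection.
# Hypothetical smb.conf lines for the share:
#   preexec       = /usr/local/sbin/check_session.sh %U %m %I %S
#   preexec close = yes

# Allow-list file: one line per workstation, "NETBIOSNAME user1 user2 ...".
# Paths are assumptions; override them with environment variables.
ALLOW_FILE="${ALLOW_FILE:-/tmp/samba_workstation_users.txt}"
LOGFILE="${LOGFILE:-/tmp/samba_preexec.log}"

# Constructed sample allow-list used when exercising the script.
write_sample_allowlist() {
    cat > "$ALLOW_FILE" <<'EOF'
WS-ALICE alice
WS-BOB   bob bob_admin
EOF
}

# check_session USER NETBIOS IP SHARE: returns 0 to allow, 1 to deny.
check_session() {
    user=$1; ws=$2; ip=$3; share=$4
    # Windows sends the NetBIOS name in varying case; normalise it.
    ws_uc=$(printf '%s' "$ws" | tr '[:lower:]' '[:upper:]')
    # Users listed for this workstation (empty if the workstation is unknown).
    allowed=$(awk -v w="$ws_uc" '$1 == w { for (i = 2; i <= NF; i++) print $i }' "$ALLOW_FILE")
    verdict=DENY
    for a in $allowed; do
        if [ "$a" = "$user" ]; then verdict=ALLOW; break; fi
    done
    # Log every decision: a workstation that repeatedly connects under
    # another person's account is exactly the pattern the poster wants to see.
    printf '%s %s user=%s ws=%s ip=%s share=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$verdict" "$user" "$ws_uc" "$ip" "$share" >> "$LOGFILE"
    [ "$verdict" = ALLOW ]
}

# When invoked by smbd with the four %-substituted arguments, enforce the policy.
if [ $# -eq 4 ]; then
    check_session "$@" || exit 1
fi
```

Because the mapping is by workstation rather than by Windows logon, it only catches the case where the workstation itself is not one the user is expected to connect from; the log line is what gives you the audit trail for the rest.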
Shaun Marolf <shaun.marolf at gmail.com>
Sent by: samba-bounces+mforte=us.ibm.com at lists.samba.org
08/14/2006 04:16 PM
To: samba at lists.samba.org
cc:
Subject: Re: [Samba] Connection scripts with the 'prexec' clause
On Monday 14 August 2006 14:57, Maurice Forte wrote:
> Hi all,
>
> I am running Samba 3.0.20B on an AIX server with SECURITY=USER using an
> LDAP backend. I am looking for a way to capture the actual
> username (%USER_NAME%) that the client user is logged onto his individual
> workstation with and compare it with the user (%u) they are connecting with
> the share as. If they are different, I want to reject the user's
> connection. After doing some reading, it appears that a connection script
> with the 'preexec' clause is the way to go, but the Samba environment
> variables can only interpret the client's hostname, netbios name, and ip
> address. Is there a way for me to capture the client's logon id (%USERNAME%)
> or accomplish this task another way?
>
> Thanks in advance,
> Maurice Forte
I believe you can use LDAP to handle the security measures you are talking
about. I don't know how to set LDAP to do that, but someone in an LDAP forum
should.
However, keep in mind such a scheme may cause an issue if you have users
working on a shared project that is kept in one, or both, of their user
folders on the server. You should allow users the option to let other users
access their files if need be. Again, I have no clue how to set up LDAP to
handle this, but I believe it can be done.
--Shaun
--
It isn't about it being free. Rather its about the freedom it brings.