[Samba] Logging logins with preexec and Samba/LDAP

Julian Pilfold-Bagwell jpb at bordengrammar.kent.sch.uk
Mon Oct 1 14:27:10 GMT 2007 

Mac wrote:
> Hi there,
>
>   
>> Date: Mon, 01 Oct 2007 14:36:26 +0100
>> From: Julian Pilfold-Bagwell <jpb at bordengrammar.kent.sch.uk>
>> Subject: Re: [Samba] Logging logins with preexec and Samba/LDAP
>>
>> Yup, I upgraded to 3.0.24 at the same time. How's it changed?
>>     
>
> It was documented (just about) in the release notes.
>
> As the result of a security problem, the way all external commands are
> invoked has been tightend up.  Annyoingly I think 'testparm' doesn't
> tell you this.
>
> In essence, you can't use any meta characters in the invocation at all.
> So your \'s  will cause the command to be ignored by Samba.
>
> The fix is (in general) to write a tiny shell script that does the right
> thing.
>
> Here's an example from our smb.conf:-
>
> [mydocs]
> ;        root preexec = if [ ! -d "/n17/profiles/%u/My Documents" ] ;\
> ;                       then { mkdir -p "/n17/profiles/%u/My Documents" ;\
> ;                              chown -R %u "/n17/profiles/%u" ; \
> ;                              chmod -R 0700 "/n17/profiles/%u" ;} ; \
> ;                       fi
>         root preexec = /usr/local/bin/samba-mkdir "%u" "My Documents"
>
>
> The ;-ed lines are what we used to use. Now we use the samba-mkdir
> script.  We had to write the samba-mkdir script which looks like this:-
>
> #!/bin/sh
>
> u=${1:?must_specify_user_name}
>
> d=${2:?must_specifiy_directory_to_create}
>
> dir="/n17/profiles/$u/$d"
>
>
> if [ ! -d "$dir" ]
> then  mkdir -p "$dir"
>       chown -R "$u" "$dir"
>       chmod -R 0700 "$dir"
> fi
>
>
>
> which, as you can see, does much the same thing. We included a tiny bit
> of error checking (the   $ : ?  thing) just in case anyone ever tried to
> run the script outside of Samba.
>
>
> Does this help?
>
>                                Mac
>           Assistant Systems Administrator @nibsc.ac.uk
>                            mac at nibsc.ac.uk
>    Work: +44 1707 641565          Everything else: +44 7956 237670 (anytime)
>   

Thanks very much both of you. I'll post a copy of the working script
along with a SOLVED header when I get it going.

Many thanks again,

All the best,

Julian PB

-- 
Julian Pilfold-Bagwell,
Network Manager,
Borden Grammar School,
Sittingbourne,
Kent,
ME10 1EY.

Tel: 01795 424192

More information about the samba mailing list