[Samba] Restricting access to [homes]

NdK ndk.clanbo at gmail.com
Wed May 23 00:57:52 MDT 2012


On 12/04/2012 11:57, Jonathan Buzzard wrote:

Sorry to reopen an old thread, but it seems I can't understand (or still
miss) something...

The problem:
>> Is it just me or there's no way to restrict access to [homes] share to
>> members of an AD group? Or is it treated like an ordinary Unix group via
>> Winbind mapping? If I use "valid users = %S" (to give access to the home
>> only to the owner), every domain user (worse: every user in any trusted
>> domain) can access his/her own share... if path exists. That leads to
>> the second problem: is it possible to automatically create the home dir
>> if it's missing (w/o requiring the user to log on the server)? Sort of
>> "pam_mkhomedir" for shares...

Proposed solution:
> Use the exec option for the share to call out a script to create the
> home directory and set ownership etc. correctly.
> 
> Note if no home directory exists then you cannot access the share, so
> your script to create their home directory automatically can test to see
> if they are a member of a suitable group.

And that seems all good... It actually IS all good, as long as I only
consider users in the domain the server is member of.
But I have the majority of users from another (trusted) domain. And when
they try to access their home (tried accessing the share as user.name,
DOMAIN\user.name, DOMAIN/user.name) they don't get authenticated and the
preexec script isn't called :?

In smb.conf I have:
[global]
...
        template homedir = /srv/shared/%D/%U

[homes]
   valid users = %S
   preexec = /opt/checklogon '%S' '%H' '%u' 'p=%p' 'D=%D' 'U=%U'

And /opt/checklogon (w/o checks) is:
#!/bin/bash
# Log every call: S=share name, H=home dir, u=unix user, then p/D/U as passed
echo "checklogon S=$1 H=$2 u=$3 p=$4 D=$5 U=$6" >> /tmp/checklogon.log
# Create the home directory (%H, argument 2) if it does not exist yet
mkdir -p "$2"

(preexec script is run as the authenticated user accessing the share, so
no need to chown -- but that requires a world-writable /srv/shared...
I'll have to secure it when the rest is working, hints appreciated...
not really pressing as long as no user is allowed to unix-login to the box).

In case some attempts with smbclient are useful, here they are.
[ndk at jago ~]$ smbclient -I 137.204.66.31
'\\str00160-samba\diego.zuccato' -U diego.zuccato
Enter diego.zuccato's password:
Domain=[PERSONALE] OS=[Unix] Server=[Samba 3.5.6]
smb: \> ls
  .                                   D        0  Wed May 23 08:44:44 2012
  ..                                  D        0  Wed May 23 08:44:44 2012

                60073 blocks of size 262144. 53984 blocks available
smb: \>
[ndk at jago ~]$ smbclient -I 10.1.5.32 '\\str00160-samba\diego.zuccato2' -U
STUDENTI\\diego.zuccato2
Enter STUDENTI\diego.zuccato2's password:
Domain=[PERSONALE] OS=[Unix] Server=[Samba 3.5.6]
tree connect failed: NT_STATUS_ACCESS_DENIED
[ndk at jago ~]$ smbclient -I 10.1.5.32
'\\str00160-samba\STUDENTI\diego.zuccato2' -U STUDENTI\\diego.zuccato2
Enter STUDENTI\diego.zuccato2's password:
Domain=[PERSONALE] OS=[Unix] Server=[Samba 3.5.6]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
[ndk at jago ~]$ smbclient -I 10.1.5.32
'\\str00160-samba\STUDENTI/diego.zuccato2' -U STUDENTI\\diego.zuccato2
Enter STUDENTI\diego.zuccato2's password:
Domain=[PERSONALE] OS=[Unix] Server=[Samba 3.5.6]
tree connect failed: NT_STATUS_BAD_NETWORK_NAME

On the first, the home for PERSONALE\diego.zuccato gets created. But it
seems there's no way (I could find) to make it create the home for
STUDENTI\diego.zuccato2 ...

Any hint welcome!

TIA,
 Diego.
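A root-run preexec helper for the [homes] share, added here as an example (it is neither Diego's checklogon script nor Samba's own code), following Jonathan's suggestion of testing group membership before creating the home. It assumes a `root preexec = /opt/mkhome '%u' '%D' '%H'` line in [homes], a Unix group named homeusers, and `id -nG` showing winbind-mapped groups (all assumptions); because it runs as root, /srv/shared can stay root-owned 0755 instead of world-writable.

```shell
#!/bin/bash
# Added example (not the poster's checklogon script). Intended for
#   root preexec = /opt/mkhome '%u' '%D' '%H'
# in [homes]: the script path, argument order and the group name "homeusers"
# are assumptions. Running under "root preexec" means /srv/shared can stay
# root-owned 0755 instead of world-writable; the user gets a 0700 home.
set -u

ALLOWED_GROUP="${ALLOWED_GROUP:-homeusers}"   # group that entitles a user to a home
HOME_ROOT="${HOME_ROOT:-/srv/shared}"         # matches "template homedir"

# is_member GROUP "g1 g2 ..." -> 0 when GROUP is in the list
is_member() {
    local want="$1" g
    for g in $2; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# groups_of USER -> the user's group names (winbind-mapped AD groups appear here)
groups_of() { id -nG "$1" 2>/dev/null; }

# ensure_home USER DOMAIN HOMEDIR
# Creates HOMEDIR (mode 0700, owned by USER) only when it lies under
# HOME_ROOT/DOMAIN, contains no "..", and USER belongs to ALLOWED_GROUP.
ensure_home() {
    local user="$1" domain="$2" home="$3"
    case "$home" in
        *..*) echo "refused: '..' in $home" >&2; return 1 ;;
        "$HOME_ROOT/$domain/"?*) ;;
        *) echo "refused: $home not under $HOME_ROOT/$domain" >&2; return 1 ;;
    esac
    if ! is_member "$ALLOWED_GROUP" "$(groups_of "$user")"; then
        printf 'refused: %s\\%s not in %s\n' "$domain" "$user" "$ALLOWED_GROUP" >&2
        return 1
    fi
    [ -d "$home" ] && return 0               # already there: nothing to do
    mkdir -p -m 0700 "$home" && chown "$user" "$home"
}

# Samba passes three arguments; when sourced or run bare, only define functions.
if [ "$#" -ge 3 ]; then
    ensure_home "$1" "$2" "$3"
fi
```

A user from a trusted domain who is not in the allowed group gets NT_STATUS_ACCESS_DENIED at tree connect because the home is never created, which is the behaviour Jonathan described.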

