[Samba] Restricting access to [homes]
NdK
ndk.clanbo at gmail.com
Wed May 23 05:40:45 MDT 2012
On 23/05/2012 09:11, Jorell wrote:
> here is what I use in my conf
> [ProfileShare]
Uh?
> ...
> path = /home/%D/%U
> root preexec = /root/pdc/smbmkhomedir.sh %D %U
ARGH! 'root preexec'. I missed that "root" bit :(
Tks! You saved my day!
> < smbmkhomedir.sh >
> #!/bin/bash
> if [ ! -e "/home/$1/$2" ]; then
>     mkdir -p "/home/$1/$2"
>     chown "$2":"Domain Users" "/home/$1/$2"
>     chmod 4711 "/home/$1/$2"
>     setfacl --set="d:u::rwx,d:g::--x,d:o::---,d:u:$2:rwx,d:g:domain users:--x" "/home/$1/$2"
> fi
> exit 0
I just tweaked it a bit to check group membership.
Any faster way than
gid=$(wbinfo -Y "$(wbinfo -n "$group")")
if [ ! 0 -eq $(wbinfo -r "$user" | grep -c "$gid") ]; then ...
that calls wbinfo 3 times?
> instead of using 'valid users' maybe try setting "path = /home/%S"
I used valid users = %D\%S AND path= (%H seems undefined for trusted
domain users).
This way (I think) if username != sharename => no access. But IIUC that
should never happen (unless someone is trying to access another user's
home -- maybe I should allow it to let users share files by changing ACLs?).
The current checklogon script I'm using is:
#!/bin/bash
# Invoked as root preexec with the arguments %S %H %u %P %D %U
allowed="personaleStudenti"      # only members of this group get a home created
log=/tmp/checklogon.log
sharename=$1
home=$2
givenUser=$3
p=$4
domain=$5
user=$6
echo "checklogon: home=$home S=$1 H=$2 u=$3 P=$4 D=$5 U=$6" >> "$log"

# Resolve a (domain-qualified) group name to its unix gid.
# wbinfo -n prints "SID type", so only the first field is handed to wbinfo -Y.
gid_of() { wbinfo -Y "$(wbinfo -n "$1" | cut -d' ' -f1)"; }

if [ ! -e "$home" ]; then
    # wbinfo -r lists the user's group gids one per line; -x matches a whole
    # line so that gid 1000 is not mistaken for 10001.
    if wbinfo -r "$domain\\$user" | grep -qx "$(gid_of "$allowed")"; then
        domusers=$(gid_of "$domain\\domain_users")
        mkdir -p "$home" >> "$log" 2>&1
        chown "$domain\\$user":"$domusers" "$home" >> "$log" 2>&1
        chmod 4711 "$home" >> "$log" 2>&1
        setfacl --set="d:u::rwx,d:g::--x,d:o::---,d:u:$domain\\$user:rwx,d:g:$domusers:--x" \
            "$home" >> "$log" 2>&1
    fi
fi
exit 0
I've had to obtain the DOMAIN\domain_users gid before chown or it gave an
error (maybe due to a clash from a trusted domain -- still trying to
understand how it can happen).
And I'm still having issues with setfacl (I never used ACLs before, so I
have to study a bit).
BTW it's been a great leap forward!
BYtE,
Diego.
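As an added example (not code from the thread), the group-membership test behind the home-creation scripts, split into functions that take the `wbinfo -r` output as an argument so the logic can be checked offline with constructed data; the `ensure_home` driver assumes a winbind host and the "SID type" output format of `wbinfo -n`, and is not exercised here.

```shell
#!/bin/sh
# Added example, not from the thread: the membership check used before
# creating a user's home, with the wbinfo output passed in as data.

# Exact-match membership test: is gid $1 one of the lines in $2?
# A plain `grep -c GID` over that list is a substring match: looking for
# 1000 also counts 10001 and 21000, so a non-member could get a home.
is_member() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# The substring count, kept only to show the difference.
naive_count() {
    printf '%s\n' "$2" | grep -c -- "$1"
}

# Default-ACL spec for owner $1 and group gid $2 (the entries used in the thread).
acl_spec() {
    printf 'd:u::rwx,d:g::--x,d:o::---,d:u:%s:rwx,d:g:%s:--x' "$1" "$2"
}

# Constructed sample of `wbinfo -r 'DOMAIN\user'` output, one gid per line:
# this user is in gids 10001, 21000 and 513 but not in 1000.
SAMPLE_GIDS='10001
21000
513'

# Real-host driver (assumes winbind; not run here):
#   ensure_home DOMAIN USER HOMEDIR ALLOWED_GROUP
# wbinfo -n prints "SID type"; only the first field goes to wbinfo -Y.
ensure_home() {
    [ -e "$3" ] && return 0
    gids=$(wbinfo -r "$1\\$2") || return 1
    allowed=$(wbinfo -Y "$(wbinfo -n "$4" | cut -d' ' -f1)") || return 1
    domusers=$(wbinfo -Y "$(wbinfo -n "$1\\domain_users" | cut -d' ' -f1)") || return 1
    is_member "$allowed" "$gids" || return 2    # not in the allowed group: no home
    mkdir -p "$3" &&
    chown "$1\\$2":"$domusers" "$3" &&
    chmod 0711 "$3" &&                           # setuid bit (4711) is ignored on Linux directories
    setfacl --set="$(acl_spec "$1\\$2" "$domusers")" "$3"
}
```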