[Samba] Restricting access to [homes]

NdK ndk.clanbo at gmail.com
Wed May 23 05:40:45 MDT 2012


On 23/05/2012 09:11, Jorell wrote:
> here is what I use in my conf
> [ProfileShare]
Uh?
> ...
> path = /home/%D/%U
> root preexec = /root/pdc/smbmkhomedir.sh %D %U
ARGH! 'root preexec'. I missed that "root" bit :(
Tks! You saved my day!

> < smbmkhomedir.sh >
> #!/bin/bash
> # Called from smb.conf as: root preexec = /root/pdc/smbmkhomedir.sh %D %U
> # $1 = domain (%D), $2 = user (%U); both are quoted below so a name with
> # unusual characters cannot be split into extra arguments.
> if [ ! -e "/home/$1/$2" ]; then
>     mkdir -p "/home/$1/$2"
>     chown "$2":"Domain Users" "/home/$1/$2"
>     chmod 4711 "/home/$1/$2"
>     # default (d:) entries are inherited by files created inside the directory
>     setfacl --set=d:u::rwx,d:g::--x,d:o::---,d:u:"$2":rwx,d:g:'domain users':--x "/home/$1/$2"
> fi
> exit 0
I just tweaked it a bit to check group membership.
Any faster way than
# wbinfo -n prints "SID type"; only the first field is the SID wbinfo -Y wants
gid=$(wbinfo -Y "$(wbinfo -n "$group" | cut -d' ' -f1)")
# -x: match the whole line, so gid 100 is not "found" inside 1000
if wbinfo -r "$user" | grep -qx "$gid"; then ...
that calls wbinfo 3 times?

> instead of using 'valid users' maybe try setting "path = /home/%S"
I used valid users = %D\%S AND path= (%H seems undefined for trusted-domain
users).

This way (I think) if username != sharename => no access. But IIUC that
should never happen (unless someone is trying to access another user's
home -- maybe I should allow it, to let users share files by changing ACLs?).

The current checklogon script I'm using is:
#!/bin/bash
# Called as: root preexec = /root/pdc/checklogon.sh %S %H %u %P %D %U
allowed="personaleStudenti"
log=/tmp/checklogon.log   # a fixed file name under world-writable /tmp, written as root

sharename=$1
home=$2
givenUser=$3
p=$4          # unused
domain=$5
user=$6

echo "checklogon: home=$home S=$1 H=$2 u=$3 P=$4 D=$5 U=$6" >> "$log"
if [ ! -e "$home" ]; then
    # gid of the allowed group: name -> SID (first field of wbinfo -n), SID -> gid
    gid=$(wbinfo -Y "$(wbinfo -n "$allowed" | cut -d' ' -f1)")
    # -x: whole-line match, so gid 100 does not "match" 1000 in the user's group list
    if wbinfo -r "$domain\\$user" | grep -qx "$gid"; then
        domusers=$(wbinfo -Y "$(wbinfo -n "$domain\\domain_users" | cut -d' ' -f1)")
        mkdir -p "$home" >> "$log" 2>&1
        chown "$domain\\$user":"$domusers" "$home" >> "$log" 2>&1
        chmod 4711 "$home" >> "$log" 2>&1
        setfacl --set=d:u::rwx,d:g::--x,d:o::---,d:u:"$domain\\$user":rwx,d:g:"$domusers":--x "$home" >> "$log" 2>&1
    fi
fi
exit 0

I've had to obtain the DOMAIN\domain_users gid before chown or it gave an
error (maybe due to a clash from a trusted domain -- still trying to
understand how that can happen).
And I'm still having issues with setfacl (I have never used ACLs before, so I
have to study a bit).

BTW it's been a great leap forward!

BYtE,
 Diego.
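As an added example (not Diego's or Jorell's script, and not something the thread itself proposes), here is one way to write the same root preexec hook so that the pieces the thread stumbles over are handled explicitly: the group-membership test uses two NSS lookups (getent group plus id -G) instead of three wbinfo calls, the gid is compared token by token rather than with grep -c, the %D/%U arguments are validated before they become a path, and the directory gets 0711 rather than 4711 (the setuid bit is ignored on directories). It assumes winbind is wired into nsswitch.conf (passwd/group: files winbind) so DOMAIN\name resolves through getent and id, that smb.conf calls it with the same six %S %H %u %P %D %U arguments as the checklogon script and sets "root preexec close = yes" so a non-zero exit refuses the connection, and that domain and user names stick to letters, digits, dot, underscore and hyphen; the log path, the ALLOWED_GROUP variable and the "DOMAIN\domain users" group name are assumptions to adjust to the site.

```shell
#!/bin/bash
# Added example of a hardened "root preexec" home-creation hook for Samba.
# Not from the original posts. Assumes winbind NSS (passwd/group: files winbind)
# and, in smb.conf:
#   root preexec       = /root/pdc/checklogon.sh %S %H %u %P %D %U
#   root preexec close = yes      # non-zero exit from this script denies access
set -u

HOME_ROOT=${HOME_ROOT:-/home}
LOG=${LOG:-/var/log/samba/checklogon.log}   # assumption: not a fixed name in /tmp

# %D and %U are attacker-influenced input to a root process. Accept a conservative
# charset and no leading dot, so the path built below can never contain '/', '..'
# or shell metacharacters. (Assumption: site names fit this charset.)
valid_name() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build HOME_ROOT/DOMAIN/user from validated pieces only; %H is not used because
# it is unreliable for trusted-domain users.
home_path() {
    valid_name "$1" && valid_name "$2" || return 1
    printf '%s/%s/%s\n' "$HOME_ROOT" "$1" "$2"
}

# Exact token match on a whitespace-separated gid list: gid 100 must not be
# "found" inside 1000, which is what grep -c "$gid" would do.
gid_in_list() {
    local want=$1 g
    for g in $2; do           # word splitting on $2 is intended here
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# Group name -> gid through NSS: one lookup instead of wbinfo -n + wbinfo -Y.
group_gid() {
    local gid
    gid=$(getent group "$1" | cut -d: -f3)
    [ -n "$gid" ] && printf '%s\n' "$gid"
}

# Membership test: id -G lists every gid of the user (nested groups included),
# so two NSS lookups replace three wbinfo calls.
user_in_group() {
    local gid
    gid=$(group_gid "$2") || return 1
    gid_in_list "$gid" "$(id -G "$1" 2>/dev/null)"
}

# Create the home only if it is missing and the user is in the allowed group.
create_home() {
    local domain=$1 user=$2 home dom_users_gid
    local allowed=${ALLOWED_GROUP:-"$domain\\personaleStudenti"}   # assumption
    home=$(home_path "$domain" "$user") || return 1
    [ -e "$home" ] && return 0
    user_in_group "$domain\\$user" "$allowed" || return 1
    dom_users_gid=$(group_gid "$domain\\domain users") || return 1  # assumption
    mkdir -p "$home" || return 1
    chown "$domain\\$user":"$dom_users_gid" "$home" || return 1
    chmod 0711 "$home" || return 1   # 0711, not 4711: setuid is ignored on directories
    # -m adds default (inherited) entries without replacing the access ACL.
    setfacl -m "d:u::rwx,d:g::--x,d:o::---,d:u:$domain\\$user:rwx,d:g:$dom_users_gid:--x" "$home"
}

main() {
    # $1=%S $2=%H $3=%u $4=%P $5=%D $6=%U
    printf 'checklogon: S=%s H=%s u=%s D=%s U=%s\n' "$1" "$2" "$3" "$5" "$6" >> "$LOG" 2>/dev/null
    create_home "$5" "$6"
}

if [ $# -eq 6 ]; then main "$@"; fi
```

Without "root preexec close = yes" a failing check only leaves the directory uncreated, and access is then refused merely because the path does not exist; with it, the script's exit status itself denies the connection, which is the behaviour you want from an access check running as root.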

