[Samba] force re-authentication when accessing different shares

Harald Glanzer harald.glanzer at gmail.com
Tue Jan 22 10:23:38 UTC 2019


We are building a session-based service. After the session has ended, the
Samba users are created in advance for a limited lifetime.
Creating /etc/passwd users is not possible because we are using a read-only
root partition; therefore I want to save credentials on a writeable
partition via smbpasswd.
---
I found out that the problem (no re-auth occurring) is indeed related to my
NSS module - I was returning a fixed uid/gid pair in calls to getpwnam_r()
for any username, which is obviously wrong. Sorry for the confusion - mea culpa!

FYI: I now have a working solution by implementing two getpw_xy() calls:

(1) enum nss_status _nss_<servicename>_getpwnam_r(const char *name,
    struct passwd *result, char *buffer, size_t buflen, int *errnop)

Here, I do some validity checks (form of the username) and apply a
transformation of part of the username to a 2-byte UID. The rest of
'struct passwd' will contain the user's home directory, a static
GID/gecos/shell and a static 'fakepassword' entry.

(2) enum nss_status _nss_<servicename>_getpwuid_r(uid_t uid,
    struct passwd *result, char *buffer, size_t buflen, int *errnop)

Here, the UID is transformed back to our username scheme, and the rest of
struct passwd is returned as above.

Thanks to all repliers!
hari



On Mon, Jan 21, 2019 at 6:09 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Mon, 21 Jan 2019 12:54:00 -0400
> Robert Marcano via samba <samba at lists.samba.org> wrote:
>
> > On 1/21/19 11:04 AM, Rowland Penny via samba wrote:
> > > On Mon, 21 Jan 2019 10:43:35 -0400
> > > Robert Marcano via samba <samba at lists.samba.org> wrote:
> > >
> > >> On 1/21/19 10:24 AM, Harald Glanzer via samba wrote:
> > >>> Hello & thanks for your fast response!
> > >>>
> > >>> I need a way to create Samba shares without creating system user
> > >>> accounts:
> > >>>
> > >>> - add users via smbpasswd with a unique password
> > >>> - no need for a corresponding user account in /etc/passwd
> > >>> - access to the corresponding shares should be independent from
> > >>> any domain (i.e. the share should be accessible
> > >>> via a Windows client)
> > >>
> > >> Isn't this a reimplementation of the winbind NSS interface? Why not
> > >> just use winbind with one of its mapping strategies. I am pretty
> > >> sure it should work for standalone servers.
> > >>
> > >
> > > idmap_nss maps Unix users to Domain users, it needs users
> > > in /etc/passwd, the OP doesn't want this.
> >
> > But shouldn't something like
> >
> >    idmap config * : backend = tdb
> >    idmap config * : range = 1000000-2000000
> >
> > and the proper winbind entries in /etc/nsswitch.conf be enough?
>
> No, it probably wouldn't, he would still need users in /etc/passwd.
> >
> > I am assuming Samba working on standalone mode will try to locate the
> > user on the passwd database via nss and then the idmap config is
> > used, looking for the user and creating a new mapping if not found.
>
> The OP does not want users in /etc/passwd. I think the only way to do
> this using the default Samba packages will be to run Samba as a
> standalone server with users in LDAP, but this still requires the users
> to be stored in LDAP. The OP seems to want the users created as they
> connect.
>
> Rowland
>
>
>

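As an added example (not code from this thread, and not Samba's own code), here is a minimal glibc NSS passwd module along the lines Harald describes above: getpwnam_r validates the username and derives the UID from part of it, getpwuid_r reverses the mapping, and everything else in struct passwd is static. The naming scheme "sess<N>", the UID base, the static GID, the home directory prefix and the module name "sess" are all assumptions chosen for illustration. It follows the glibc NSS module convention, in which the last parameter of each lookup function is int *errnop, and it handles the case of a caller buffer that is too small (ERANGE / NSS_STATUS_TRYAGAIN). The helpers at the end only exist to exercise the mapping; the round-trip check is the property that returning a fixed uid/gid pair for every name broke for Harald: each distinct username must produce a distinct UID, and each UID in the range must map back to exactly one name.

```c
/* Added example, not code from the thread: a minimal glibc NSS passwd module
 * that maps session usernames to UIDs and back, so each smbpasswd user gets a
 * distinct Unix identity with nothing in /etc/passwd.
 * Hypothetical scheme: "sess<N>", 1 <= N <= 65535, uid = UID_BASE + N. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#ifdef __GLIBC__
#include <nss.h>   /* enum nss_status */
#else              /* same values as glibc, so the file also builds on musl */
enum nss_status { NSS_STATUS_TRYAGAIN = -2, NSS_STATUS_UNAVAIL,
                  NSS_STATUS_NOTFOUND, NSS_STATUS_SUCCESS, NSS_STATUS_RETURN };
#endif

#define SESS_PREFIX    "sess"
#define SESS_PREFIXLEN (sizeof(SESS_PREFIX) - 1)
#define SESS_MAX       65535u          /* 16-bit session number, never 0 */
#define UID_BASE       100000u         /* assumption: above any local users */
#define SESS_GID       100000u         /* assumption: one static group */
#define SESS_HOMEDIR   "/srv/sessions" /* assumption: home = this/username */

/* Strict parse of "sess<N>": decimal digits only, no leading zero, 1..65535. */
static int parse_session_name(const char *name, unsigned *num)
{
    if (name == NULL || strncmp(name, SESS_PREFIX, SESS_PREFIXLEN) != 0)
        return -1;
    const char *p = name + SESS_PREFIXLEN;
    if (*p == '\0' || *p == '0' || strlen(p) > 5)
        return -1;
    unsigned n = 0;
    for (; *p != '\0'; p++) {
        if (*p < '0' || *p > '9')
            return -1;
        n = n * 10 + (unsigned)(*p - '0');
    }
    if (n > SESS_MAX)
        return -1;
    *num = n;
    return 0;
}

/* Fill *result for session N. The five strings (name, passwd, gecos, home,
 * shell) are written NUL-separated into the caller's buffer, as NSS requires.
 * pw_passwd is "x": the real credential lives in smbpasswd, not in NSS. */
static enum nss_status fill_passwd(unsigned num, struct passwd *result,
                                   char *buffer, size_t buflen, int *errnop)
{
    int n = snprintf(buffer, buflen, "%s%u%cx%csession user%c%s/%s%u%c/usr/sbin/nologin",
                     SESS_PREFIX, num, 0, 0, 0, SESS_HOMEDIR, SESS_PREFIX, num, 0);
    if (n < 0 || (size_t)n >= buflen) {
        *errnop = ERANGE;               /* glibc retries with a larger buffer */
        return NSS_STATUS_TRYAGAIN;
    }
    char **slots[5] = { &result->pw_name, &result->pw_passwd, &result->pw_gecos,
                        &result->pw_dir, &result->pw_shell };
    char *cur = buffer;
    for (int i = 0; i < 5; i++) {
        *slots[i] = cur;
        cur += strlen(cur) + 1;
    }
    result->pw_uid = (uid_t)(UID_BASE + num);   /* distinct per username */
    result->pw_gid = (gid_t)SESS_GID;
    return NSS_STATUS_SUCCESS;
}

/* glibc NSS entry points; the last parameter is int *errnop (glibc manual). */
enum nss_status _nss_sess_getpwnam_r(const char *name, struct passwd *result,
                                     char *buffer, size_t buflen, int *errnop)
{
    unsigned num;
    if (parse_session_name(name, &num) != 0) {
        *errnop = ENOENT;
        return NSS_STATUS_NOTFOUND;
    }
    return fill_passwd(num, result, buffer, buflen, errnop);
}

enum nss_status _nss_sess_getpwuid_r(uid_t uid, struct passwd *result,
                                     char *buffer, size_t buflen, int *errnop)
{
    if (uid <= UID_BASE || uid > UID_BASE + SESS_MAX) {
        *errnop = ENOENT;
        return NSS_STATUS_NOTFOUND;
    }
    return fill_passwd((unsigned)(uid - UID_BASE), result, buffer, buflen, errnop);
}

/* Helpers for exercising the mapping outside of nsswitch.conf. */
uid_t sess_uid_of(const char *name)            /* 0 when the module rejects name */
{
    struct passwd pw; char buf[256]; int err = 0;
    return _nss_sess_getpwnam_r(name, &pw, buf, sizeof buf, &err) == NSS_STATUS_SUCCESS
           ? pw.pw_uid : 0;
}
int sess_roundtrip_ok(uid_t uid)               /* uid -> name -> the same uid? */
{
    struct passwd pw; char buf[256]; int err = 0;
    return _nss_sess_getpwuid_r(uid, &pw, buf, sizeof buf, &err) == NSS_STATUS_SUCCESS
           && sess_uid_of(pw.pw_name) == uid;
}
int sess_errno_small_buffer(const char *name)  /* errnop after an 8-byte buffer */
{
    struct passwd pw; char buf[8]; int err = 0;
    return _nss_sess_getpwnam_r(name, &pw, buf, sizeof buf, &err) == NSS_STATUS_TRYAGAIN
           ? err : 0;
}
```

Built with "cc -shared -fPIC -o libnss_sess.so.2 nss_sess.c", installed where the loader finds it, and with "sess" added to the passwd line of /etc/nsswitch.conf, "getent passwd sess42" should answer with UID 100042 and "getent passwd 100042" with the name sess42, while "getent passwd sess042" returns nothing. Samba still needs the matching smbpasswd entry for authentication; the NSS module only supplies the Unix identity, and because every session name gets its own UID the server can tell the users apart instead of treating them all as one.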
