[Samba] Is “obey pam restrictions” still supposed to work in Samba 4?

Andrew Bartlett abartlet at samba.org
Wed Feb 10 21:56:04 UTC 2021


On Wed, 2021-02-10 at 22:52 +0100, Chentao Credungtao wrote:
> > Not via this method.  I suggest overall file quotas, but that
> > wouldn't stop individual files growing.
> > Sorry!
> 
> So, to sum things up, limiting the size of individual files cannot be
> achieved, only overall quotas can be implemented.
> 
> If I understand you right, the files on the samba server aren't created
> by the end user (e.g. johndoe), but by some kind of samba hook, and
> that's why the restrictions defined in limits.conf aren't enforced (or
> are only enforced at the first attempt, according to my tests).

My guess is that in the single smbd process, the limits are being set,
then overridden.  

The pam_limits design assumes the process running PAM is going to be
like a login shell, the parent process for a single user, not a
multi-user application like smbd.  One smbd can service multiple accounts
(from the same client machine), so it is possible to have pam_limits
called many times for many users, e.g. also the machine account of the
PC.

In any case, any limit which causes Samba to be instantly terminated
with a signal is a bad idea; Samba will clean up, but this isn't a good
plan for the normal case.

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
https://catalyst.net.nz/services/samba
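
An added illustration of the pam_limits point above (not code from Samba, PAM or this thread): a resource limit belongs to the process, so when one process applies limits for several accounts in turn, the last call replaces the earlier one. The helper names, the 1024 and 4096 byte limits and the temp-file path are assumptions made for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

/* Hypothetical stand-in for a limits module at session open: it can only
 * change the soft RLIMIT_FSIZE of the process that calls it. */
int apply_session_limit(rlim_t bytes)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0) return -1;
    rl.rlim_cur = bytes;              /* hard limit left untouched */
    return setrlimit(RLIMIT_FSIZE, &rl);
}

/* Open one "session" per entry in limits[], all in this one process, then
 * write len bytes (max 8192) to a new file. Returns bytes written or -errno. */
long write_after_sessions(const rlim_t *limits, int n, size_t len)
{
    char path[] = "/tmp/fsize_demo_XXXXXX", buf[8192];
    struct rlimit saved;
    long result;
    int fd, i;
    if (len > sizeof buf || getrlimit(RLIMIT_FSIZE, &saved) != 0) return -EINVAL;
    signal(SIGXFSZ, SIG_IGN);         /* default action would kill the process */
    for (i = 0; i < n; i++) apply_session_limit(limits[i]);
    if ((fd = mkstemp(path)) < 0) {
        result = -errno;
    } else {
        ssize_t w = write(fd, memset(buf, 'x', len), len);
        result = w < 0 ? -errno : (long)w;  /* short write = limit reached */
        unlink(path);
        close(fd);
    }
    setrlimit(RLIMIT_FSIZE, &saved);  /* restore the caller's soft limit */
    return result;
}

int main(void)
{
    rlim_t a[] = {1024}, a_then_b[] = {1024, 4096};  /* constructed limits */
    printf("A only:   %ld bytes\n", write_after_sessions(a, 1, 2048));
    printf("A then B: %ld bytes\n", write_after_sessions(a_then_b, 2, 2048));
    return 0;
}
```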
