Mac wrote:
Hi there,
Date: Mon, 01 Oct 2007 14:36:26 +0100
From: Julian Pilfold-Bagwell <[EMAIL PROTECTED]>
Subject: Re: [Samba] Logging logins with preexec and Samba/LDAP
Yup, I upgraded to 3.0.24 at the same time. How's it changed?
It was documented (just about) in the release notes.
As the result of a security problem, the way all external commands are
invoked has been tightend up. Annyoingly I think 'testparm' doesn't
tell you this.
In essence, you can't use any meta characters in the invocation at all.
So your \'s will cause the command to be ignored by Samba.
The fix is (in general) to write a tiny shell script that does the right
thing.
Here's an example from our smb.conf:-
[mydocs]
; root preexec = if [ ! -d "/n17/profiles/%u/My Documents" ] ;\
; then { mkdir -p "/n17/profiles/%u/My Documents" ;\
; chown -R %u "/n17/profiles/%u" ; \
; chmod -R 0700 "/n17/profiles/%u" ;} ; \
; fi
root preexec = /usr/local/bin/samba-mkdir "%u" "My Documents"
The ;-ed lines are what we used to use. Now we use the samba-mkdir
script. We had to write the samba-mkdir script which looks like this:-
#!/bin/sh
u=${1:?must_specify_user_name}
d=${2:?must_specifiy_directory_to_create}
dir="/n17/profiles/$u/$d"
if [ ! -d "$dir" ]
then mkdir -p "$dir"
chown -R "$u" "$dir"
chmod -R 0700 "$dir"
fi
which, as you can see, does much the same thing. We included a tiny bit
of error checking (the $ : ? thing) just in case anyone ever tried to
run the script outside of Samba.
Does this help?
Mac
Assistant Systems Administrator @nibsc.ac.uk
[EMAIL PROTECTED]
Work: +44 1707 641565 Everything else: +44 7956 237670 (anytime)
Thanks very much both of you. I'll post a copy of the working script
along with a SOLVED header when I get it going.
Many thanks again,
All the best,
Julian PB
--
Julian Pilfold-Bagwell,
Network Manager,
Borden Grammar School,
Sittingbourne,
Kent,
ME10 1EY.
Tel: 01795 424192
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
