User revalidate

[SambaGord]

Hey all,

I'm definately sorry as this MUST be an old thread. I had a look around and couldn't find what I was looking for.

I'm relatively new at Linux, and even more with Samba. I LOVE Samba. I don't know how I would do without it anymore.

However, I would like to revalidate users on every login. For example, if 'Gord' logs on and does what he has to do, then 'Chantal' has to log on, Chantal is directed to Gord's directory.

I noticed the 'revalidate = yes' key and thought that would do it. I scripted it, stopped Samba, and started it, but it didn't make a difference.

Please tell me what I'm missing.

Thanks!! Happy new Year!!

 

[smah]

What you're describing shouldn't happen. Tell us a little more about the setup - are both users accessing the samba server from the same client machine or different ones? What version of samba? Post the global section of smb.conf

 

[SambaGord]

Wow - Fast Reply

Yeah, Samba is running on a Gentoo Machine, and I'm fileserving from a Windows Maching - both on the same network (behind a d-link, hooked up to DSL).

As for the Global Section, I believe that smb.conf is the way it was configured on the install. Here's some deets:

SAMBA VERSION 3.0
=================================
[global]

# 1. Server Naming Options:
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = WORKGROUP

# netbios name is the name you will see in "Network Neighbourhood",
# but defaults to your hostname
; netbios name = <name_of_this_server>

# server string is the equivalent of the NT Description field
server string = Gords Samba Server %v

# Message command is run by samba when a "popup" message is sent to it.
# The example below is for use with LinPopUp:
; message command = /usr/bin/linpopup "%f" "%m" %s; rm %s

# 2. Printing Options:
# CHANGES TO ENABLE PRINTING ON ALL CUPS PRINTERS IN THE NETWORK
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = cups
load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx, cups
; printing = cups

# Samba 3.x supports the Windows NT-style point-and-print feature. To
# use this, you need to be able to upload print drivers to the samba
# server. The printer admins (or root) may install drivers onto samba.
# Note that this feature uses the print$ share, so you will need to
# enable it below.
# printer admin = @<group> <user>
; printer admin = @adm
# This should work well for winbind:
; printer admin = @"Domain Admins"

# 3. Logging Options:
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba3/log.%m

# Put a capping on the size of the log files (in Kb).
max log size = 50

# Set the log (verbosity) level (0 <= log level <= 10)
; log level = 3

# 4. Security and Domain Membership Options:
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page. Do not enable this if (tcp/ip) name resolution does
# not work for all the hosts in your network.
# hosts allow = 192.168.1. 127.
hosts allow = 192.168.0.101
#revalidate = yes
# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
; guest account = pcguest
# Allow users to map to guest:
; map to guest = bad user

# Security mode. Most people will want user level security. See
# security_level.txt for details.
security = user
# Use password server option only with security = server or security = domain
# When using security = domain, you should use password server = *
; password server = <NT-Server-Name>
; password server = *

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
; password level = 8
; username level = 8

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
# Encrypted passwords are required for any use of samba in a Windows NT domain
# The smbpasswd file is only required by a server doing authentication, thus
# members of a domain do not need one.
encrypt passwords = yes
; smb passwd file = /etc/samba/private/smbpasswd

# The following are needed to allow password changing from Windows to
# also update the Linux system password.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
# the encrypted SMB passwords. They allow the Unix password
# to be kept in sync with the SMB password.
; unix password sync = Yes
# You either need to setup a passwd program and passwd chat, or
# enable pam password change
; pam password change = yes
; passwd program = /usr/bin/passwd %u
; passwd chat = *New*UNIX*password* %n\n *Re*ype*new*UNIX*password* %n\n \
;*passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/samba/smb.conf.%m

# Options for using winbind. Winbind allows you to do all account and
# authentication from a Windows or samba domain controller, creating
# accounts on the fly, and maintaining a mapping of Windows RIDs to unix uid's
# and gid's. idmap uid and idmap gid are the only required parameters.
#
# winbind separator is the character a user must use between their domain
# name and username, defaults to "\"
; winbind separator = +
#
# winbind use default domain allows you to have winbind return usernames
# in the form user instead of DOMAIN+user for the domain listed in the
# workgroup parameter.
; winbind use default domain = yes
#
# template homedir determines the home directory for winbind users, with
# %D expanding to their domain name and %U expanding to their username:
; template homedir = /home/%D/%U

# When using winbind, you may want to have samba create home directories
# on the fly for authenticated users. Ensure that /etc/pam.d/samba is
# using 'service=system-auth-winbind' in pam_stack modules, and then
# enable obedience of pam restrictions below:
; obey pam restrictions = yes

#
# template shell determines the shell users authenticated by winbind get
; template shell = /bin/bash

# 5. Browser Control and Networking Options:
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
; interfaces = 192.168.12.2/24 192.168.13.2/24

# Configure remote browse list synchronisation here
# request announcement to, or browse list sync from:
# a specific host or from / to a whole subnet (see below)
; remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
; remote announce = 192.168.1.255 192.168.2.44

# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
; local master = no

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
; os level = 33

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
; domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
; preferred master = yes

# 6. Domain Control Options:
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations or Primary Domain Controller for WinNT and Win2k
; domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
; logon script = %m.bat
# run a specific logon batch file per username
; logon script = %U.bat

# Where to store roaming profiles for WinNT and Win2k
# %L substitutes for this servers netbios name, %U is username
# You must uncomment the [Profiles] share below
; logon path = \\%L\Profiles\%U

# Where to store roaming profiles for Win9x. Be careful with this as it also
# impacts where Win2k finds it's /HOME share
; logon home = \\%L\%U\.profile


# The add user script is used by a domain member to add local user accounts
# that have been authenticated by the domain controller, or when adding
# users via the Windows NT Tools (ie User Manager for Domains).

# Scripts for file (passwd, smbpasswd) backend:
; add user script = /usr/sbin/useradd -s /bin/false '%u'
; delete user script = /usr/sbin/userdel '%s'
; add user to group script = /usr/bin/gpasswd -a '%u' '%g'
; delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
; set primary group script = /usr/sbin/usermod -g '%g' '%u'
; add group script = /usr/sbin/groupadd %g && getent group '%g'|awk -F: '{print $3}'
; delete group script = /usr/sbin/groupdel '%g'

# Scripts for LDAP backend (assumes nss_ldap is in use on the domain controller.
# Needs IDEALX scripts, and configuration in smbldap_conf.pm.
# This assumes you've installed the IDEALX scripts into /usr/share/samba/scripts...
; add user script = /usr/share/samba/scripts/smbldap-useradd.pl '%u'
; delete user script = /usr/share/samba/scripts/smbldap-userdel.pl '%u'
; add user to group script = /usr/share/samba/scripts/smbldap-groupmod.pl -m '%u' '%g'
; delete user from group script = /usr/share/samba/scripts/smbldap-groupmod.pl -x '%u' '%g'
; set primary group script = /usr/share/samba/scripts/smbldap-usermod.pl -g '%g' '%u'
; add group script = /usr/share/samba/scripts/smbldap-groupadd.pl '%g' && /usr/share/samba/scripts/smbldap-groupshow.pl %g|awk '/^gidNumber:/ {print $2}'
; delete group script = /usr/share/samba/scripts/smbldap-userdel.pl '%g'


# The add machine script is use by a samba server configured as a domain
# controller to add local machine accounts when adding machines to the domain.
# The script must work from the command line when replacing the macros,
# or the operation will fail. Check that groups exist if forcing a group.
# Script for domain controller for adding machines:
; add machine script = /usr/sbin/useradd -d /dev/null -g machines -c 'Machine Account' -s /bin/false -M '%u'
# Script for domain controller with LDAP backend for adding machines (You need
# the IDEALX scripts, and to configure the smbldap_conf.pm first):
; add machine script = /usr/share/samba/scripts/smbldap-useradd.pl -w -d /dev/null -g machines -c 'Machine Account' -s /bin/false '%u'

# Domain groups:
# Domain groups are now configured by using the 'net groupmap' tool

# Samba Password Database configuration:
# Samba now has runtime-configurable password database backends. Multiple
# passdb backends may be used, but users will only be added to the first one
# Default:
; passdb backend = smbpasswd guest
# TDB backen with fallback to smbpasswd and guest
; passdb backend = tdbsam smbpasswd guest
# LDAP with fallback to smbpasswd guest
# Enable SSL by using an ldaps url, or enable tls with 'ldap ssl' below.
; passdb backend = ldapsam:ldaps://ldap.mydomain.com smbpasswd guest
# Use the samba2 LDAP schema:
; passdb backend = ldapsam_compat:ldaps://ldap.mydomain.com smbpasswd guest

# idmap uid account range:
# This is a range of unix user-id's that samba will map non-unix RIDs to,
# such as when using Winbind
; idmap uid = 10000-20000
; idmap gid = 10000-20000

# LDAP configuration for Domain Controlling:
# The account (dn) that samba uses to access the LDAP server
# This account needs to have write access to the LDAP tree
# You will need to give samba the password for this dn, by
# running 'smbpasswd -w mypassword'
; ldap admin dn = cn=root,dc=mydomain,dc=com
; ldap ssl = start_tls
# start_tls should run on 389, but samba defaults incorrectly to 636
; ldap port = 389
; ldap suffix = dc=mydomain,dc=com
; ldap server = ldap.mydomain.com
# Seperate suffixes are available for machines, users, groups, and idmap, if
# ldap suffix appears first, it is appended to the specific suffix.
# Example for a unix-ish directory layout:
; ldap machine suffix = ou=Hosts
; ldap user suffix = ou=People
; ldap group suffix = ou=Group
; ldap idmap suffix = ou=Idmap
# Example for AD-ish layout:
; ldap machine suffix = cn=Computers
; ldap user suffix = cn=Users
; ldap group suffix = cn=Groups
; ldap idmap suffix = cn=Idmap


# 7. Name Resolution Options:
# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependant. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
; name resolve order = wins lmhosts bcast

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable it's WINS Server
; wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one WINS Server on the network. The default is NO.
; wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
dns proxy = no

# 8. File Naming Options:
# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
; preserve case = no
; short preserve case = no
# Default case is normally upper case for all DOS files
; default case = lower
# Be very careful with case sensitivity - it can break things!
; case sensitive = no

# Enabling internationalization:
# you can match a Windows code page with a UNIX character set.
# Windows: 437 (US), 737 (GREEK), 850 (Latin1 - Western European),
# 852 (Czech), 861 (???), 932 (Japanese),
# 936 (Simplified Chin.), 949 (Korean Hangul),
# 950 (Trad. Chin.).
# More detail about code page is in
# "

http://www.microsoft.com/globaldev/reference/oslocversion.mspx"

# UNIX: ISO8859-1 (Western European), ISO8859-2 (Eastern Eu.),
# ISO8859-5 (Russian Cyrillic), KOI8-R (Alt-Russ. Cyril.)
# This is an example for french users:
; dos charset = 850
; unix charset = ISO8859-1

 

[smah]

So both users are using the same Windows computer?

hosts allow = 192.168.0.101

Do they each use a different windows logon?

security = user

Because, under these conditions if they are not using different windows logons, Samba has no way to diferentiate between them. This may be complicated by

; smb passwd file = /etc/samba/private/smbpasswd

because I'm not sure how samba can authenticate either user with this commented out.

 

[SambaGord]

I'm starting to understand -

Yes, both users do use the same Windows user account. Is there any way to keep authenticating the Samba user though? I sort of understand what you mean, and on separate logons, we can each validate separately, but is there any way to have Samba 'not pay attention' to who's logged in to Windows, and just revalidate every session?

Hm - Still mulling this over - I sort of understand.
G

 

[smah]

Let me answer with a scenario/question - If user Gord was at the Windows PC using some file on the Samba server & left to get a coffee. Now user Chantal sits at the Windows PC & starts doing something else, how would the Samba server ever know that Gord has gone out for coffee?

 

[SambaGord]

Yeah, that's how it is.

Gord opens a Samba session, does what he has to do, goes for a coffee, Chantal comes and uses the computer on the same Windows session. When she opens a Samba session, I want her Samba to revalidate.

I don't know if this is possible though given the information you've told me.

 

[smah]

How are you defining "opens a Samba session"? Do you mean connecting to some share by way of Network Neighborhood (Network Places) or a mapped drive letter or Windows Explorer? You might be better off changing to share level security security = share. To get samba to notice the user change you would still need to do something like log off windows or disconnect the mapped drive (if applicable) or close the Network Places share window.

I have never tried using the revalidate option before, so just now, in the course of writing this & doing some checking on how that option works, I noticed that it's still commented out in the configuration file that you posted above. Did you try this with the # comment character removed from the revalidate line?

6.5.3.5 revalidate

This share-level option tells Samba to force users to authenticate with passwords each time they connect to a different share on a machine, no matter what level of security is in place on the Samba server. The default value is no, which allows users to be trusted once they successfully authenticate themselves. You can override it as:

revalidate = yes

You can use this option to increase security on your system. However, you should weigh it against the inconvenience of having users revalidate themselves to every share.

 

[SambaGord]

Hey - Thanks so much for all the help I'm totally starting to get this thing. There's a few things that I'm unclear still.

When I mean 'start a Samba session' I mean, when I'm in windows, I open a window to my Linux box via Windows explorer. I guess that's kind of like 'network places'. But all I'm doing is opening any old folder, and typing an address in: \\192.168.0.100.

Could you please tell me what 'security = share' means?

Yes I've tried uncommenting the revalidate key, I stopped and started Samba, and got the same result.

G

 

[smah]

Samba has several security models. Right now, you're set for user level security - which simply means that the shared resourses are based entirely on which user samba thinks you are. Share level security on the other hand, grants access based only on wether or not the user knows the correct password for the share (very similar to the way win9x shared files). See also

http://us2.samba.org/samba/docs/man/Samba-HOWTO-Collection/ServerType.html#id2526884

Something that I probably should have asked earlier - Did you create the different samba users using smbpasswd, swat, or something else?

 

[SambaGord]

Very cool. Okay - I think that I should get on to this site and do a little reading. Thanks for all the help! Totally appreciated.

I created my samba users with smbpasswd.

I'm gonna go read this sucker now. Thanks again. Don't know what time zone you're in, but whatever, have great celebrations tonight

G