[Nix-dev] PATCH samba update, server (nixos) part

Marc Weber marco-oweber at gmx.de
Wed Apr 15 14:43:17 CEST 2009


I've prepared the nixos side of the samba update now.
major changes:
* one upstart job for each samba daemon
* dummy /etc/samba/smb.conf file used when samba service is disabled
* possibility to sync the samba password database automatically when a password is changed with passwd
  I had to make this change to /etc/pam.d/common:

  -password sufficient     @pam_unix2@/lib/security/pam_unix2.so nullok
  +password requisite     @pam_unix2@/lib/security/pam_unix2.so nullok
  + at syncSambaPasswords@
  Using requisite instead of sufficient should still be safe: on failure it returns immediately, as sufficient did, while on success it now falls through so the samba sync line after it actually runs.

private dir is set automatically. The password databases (passdb.tdb, secrets.tdb) are put there.
Does anyone know whether they may be readable by others?



commit b8e8c17b7b6e6dc87d4c47803755393b775ac9c5
Author: Marc Weber <marco-oweber at gmx.de>
Date:   Wed Apr 15 14:32:54 2009 +0200

    rewriting parts of the samba job putting each daemon into its own job file
    use start/stop samba-control to start/stop them all
    
    You can enable syncing samba passwords when using passwd as well now.
    However you still have to add a user to the samba user database once
    using smbpasswd -a username.

diff --git a/etc/default.nix b/etc/default.nix
index fedc3c3..01ebb50 100644
--- a/etc/default.nix
+++ b/etc/default.nix
@@ -186,6 +186,9 @@ let
           inherit (pkgs.xorg) xauth;
           inherit pamConsoleHandlers;
           isLDAPEnabled = if isLDAPEnabled then "" else "#";
+          syncSambaPasswords = if config.services.samba.syncPasswordsByPam
+            then "password   optional     ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"
+            else "# change samba configuration options to make passwd sync the samba auth database as well here..";
         };
         target = "pam.d/" + program;
       }
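Review bot: The `syncSambaPasswords` line hands `nullok` to pam_smbpass.so, and if that module treats the flag the way pam_unix2 does it allows an empty password to be written into the Samba passdb, which the SMB side will then accept over the network; consider dropping it, `"password   optional     ${pkgs.samba}/lib/security/pam_smbpass.so use_authtok try_first_pass"`. The `optional` control flag also means a failing Samba update is silently ignored while the Unix password has already been changed, so the two databases can drift without any message to the user; that trade-off should at least be stated in the option's description. The enclosing `let` binding starts outside the hunk.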
diff --git a/etc/pam.d/common b/etc/pam.d/common
index 8497f65..538c5fe 100644
--- a/etc/pam.d/common
+++ b/etc/pam.d/common
@@ -6,7 +6,8 @@ auth     required       pam_deny.so
 account  required       @pam_unix2@/lib/security/pam_unix2.so
 
 @isLDAPEnabled@  password sufficient     @pam_ldap@/lib/security/pam_ldap.so 
-password sufficient     @pam_unix2@/lib/security/pam_unix2.so nullok
+password requisite     @pam_unix2@/lib/security/pam_unix2.so nullok
+ at syncSambaPasswords@
 
 @isLDAPEnabled@  session  optional       @pam_ldap@/lib/security/pam_ldap.so 
 session  required       @pam_unix2@/lib/security/pam_unix2.so
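Review bot: The switch from `sufficient` to `requisite` on the pam_unix2 password line changes the success path rather than the failure path: with `sufficient` a successful Unix change ended the stack, so a module placed after it would never have run, whereas `requisite` still returns immediately on failure but falls through on success. That is exactly what the appended `@syncSambaPasswords@` needs, but it means whatever is substituted there now runs on every password change, so the substitution must always expand to a comment or a well-formed PAM line. Since the reason for the control flag is not obvious from the file, add a comment above it: `# requisite, not sufficient: a successful change must fall through to the optional samba sync below`.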
diff --git a/upstart-jobs/samba.nix b/upstart-jobs/samba.nix
index 00686a0..f783afd 100644
--- a/upstart-jobs/samba.nix
+++ b/upstart-jobs/samba.nix
@@ -2,7 +2,7 @@
 
 ###### interface
 let
-  inherit (pkgs.lib) mkOption mkIf;
+  inherit (pkgs.lib) mkOption mkIf mkAlways;
 
   options = {
     services = {
@@ -12,9 +12,101 @@ let
           default = false;
           description = "
             Whether to enable the samba server. (to communicate with, and provide windows shares)
+            use start / stop samba-control to start/stop all daemons.
+            smbd and nmbd are not shutdown correctly yet. so just pkill them and restart those jobs.
           ";
         };
 
+        syncPasswordsByPam = mkOption {
+          default = false;
+          description = "
+            enabling this will add a line directly after pam_unix.so.
+            Whenever a password is changed the samba password will be updated as well.
+            However you still yave to add the samba password once using smbpasswd -a user
+            If you don't want to maintain an extra pwd database you still can send plain text
+            passwords which is not secure.
+          ";
+        };
+
+        extraConfig = mkOption {
+          default = ''
+            # [global] continuing global section here, section is started by nix to set pids etc
+
+              smb passwd file = /etc/samba/passwd
+
+              # is this useful ?
+              domain master = auto
+
+              encrypt passwords = Yes
+              client plaintext auth = No
+
+              # yes: if you use this you probably also want to enable syncPasswordsByPam
+              # no: You can still use the pam password database. However
+              # passwords will be sent plain text on network (discouraged)
+
+              workgroup = Users
+              server string = %h
+              comment = Samba
+              log file = /var/log/samba/log.%m
+              log level = 10
+              max log size = 50000
+              security = user
+              
+              client lanman auth = Yes
+              dns proxy = no
+              invalid users = root
+              passdb backend = tdbsam
+              passwd program = /usr/bin/passwd %u
+
+            ### end [ global ] section
+            
+             
+            # Un-comment the following (and tweak the other settings below to suit)
+            # to enable the default home directory shares.  This will share each
+            # user's home directory as \\server\username
+            ;[homes]
+            ;   comment = Home Directories
+            ;   browseable = no
+            ;   writable = no
+
+            # File creation mask is set to 0700 for security reasons. If you want to
+            # create files with group=rw permissions, set next parameter to 0775.
+            ;   create mask = 0700
+
+            #  this directory and user is created automatically for you by nixos
+            ;[default]
+            ;  path = /home/smbd
+            ;  read only = no
+            ;  guest ok = yes
+              
+            # this directory and user is created automatically for you by nixos
+            ;[default]
+            ;  path = /home/smbd
+            ;  read only = no
+            ;  guest ok = yes
+            
+            # additional share example
+            ;[raidbackup]
+            ;  path = /home/raidbackup/files
+            ;  read only = no
+            ;  guest ok = no
+            ;  available = yes
+            ;  browseable = yes
+            ;  public = yes
+            ;  valid users = raidbackup
+            ;  comment = Raid backup Files
+          '';
+
+          description = "
+            additional global section and extra section lines go in here.
+          ";
+        };
+
+        configFile = mkOption {
+          description = "
+            internal use to pass filepath to samba pam module
+          ";
+        };
       };
     };
   };
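Review bot: The default `extraConfig` ships with `client lanman auth = Yes` and `log level = 10`, neither of which is a good default: lanman auth enables the weak LM hash on the client side, and debug level 10 writes extremely verbose logs under /var/log/samba that may include authentication details and will hit `max log size` quickly. Suggest `client lanman auth = No` and `log level = 1` in the default and leaving the debug level to the user. The `smb passwd file = /etc/samba/passwd` line is, as far as I know, only consulted by the `smbpasswd` backend and is unused with the `passdb backend = tdbsam` set a few lines later, which is confusing next to the setup script that creates its directory. The commented `;[default]` share block is also pasted twice, and a `guest ok = yes` share with `read only = no` on a world-writable directory deserves a warning comment rather than presentation as a ready-made example.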
@@ -23,23 +115,68 @@ in
 ###### implementation
 
 let
+
+  cfg = config.services.samba;
   
   user = "smbguest";
   group = "smbguest";
- 
-  #smbConfig = ./smb.conf ;
 
-  smbConfig = pkgs.substituteAll {
-    src = ./smb.conf;
-    inherit samba;
-  };
 
+  logDir = "/var/log/samba";
+  privateDir = "/var/samba/private";
+ 
   inherit (pkgs) samba;
 
-in
+  setupScript = ''
+    mkdir -p /var/lock
 
+    if ! test -d /home/smbd ; then
+      mkdir -p /home/smbd
+      chown ${user} /home/smbd
+      chmod a+rwx /home/smbd
+    fi
+
+    if ! test -d /var/samba ; then
+      mkdir -p /var/samba/locks /var/samba/cores/nmbd  /var/samba/cores/smbd /var/samba/cores/winbindd
+    fi
+
+    passwdFile="$(sed -n 's/^.*smb[ ]\+passwd[ ]\+file[ ]\+=[ ]\+\(.*\)/\1/p' /nix/store/nnmrqalldfv2vkwy6qpg340rv7w34lmp-smb.conf)"
+    if [ -n "$passwdFile" ]; then
+      echo 'INFO: creating directory containing passwd file'
+      mkdir -p "$(dirname "$passwdFile")"
+    fi
+
+    mkdir -p ${logDir}
+    mkdir -p ${privateDir}
+  '';
+
+  configFile = pkgs.writeText "smb.conf" ''
+    [ global ]
+      log file = ${logDir}/log.%m
+      private dir = ${privateDir}
+
+      ${if cfg.syncPasswordsByPam then "pam password change = true" else "" /* does this make sense ? */ }
+
+
+    ${cfg.extraConfig}";
+  '';
+
+  daemonJob = appName : args :
+    {
+      name = "samba-${appName}";
+      job = ''
+
+        description "Samba Service daemon ${appName}"
+
+        start on samba-control/started
+        stop on samba-control/stop
+
+        respawn ${samba}/sbin/${appName} ${args}
+      '';
+    };
+
+in
 
-  
 
 mkIf config.services.samba.enable {
   require = [
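Review bot: The `passwdFile` lookup in `setupScript` greps a hard-coded store path, `/nix/store/nnmrqalldfv2vkwy6qpg340rv7w34lmp-smb.conf`, so it will read a stale configuration as soon as smb.conf is rebuilt; it should reference the generated file, e.g. `passwdFile="$(sed -n '...' ${configFile})"`, with `configFile` moved above `setupScript` in the `let`. The `configFile` text also has a stray `";` after `${cfg.extraConfig}` that will end up literally in smb.conf. Regarding the question in the mail about readability of passdb.tdb and secrets.tdb: `mkdir -p ${privateDir}` creates the directory with the ambient umask, so tighten it explicitly, `mkdir -p ${privateDir}; chmod 700 ${privateDir}`, and likewise `chmod a+rwx /home/smbd` creates a world-writable directory without the sticky bit, so any local user can delete other users' files there; `chmod 1777` would be the conventional choice if it must stay world-writable.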
@@ -60,39 +197,39 @@ mkIf config.services.samba.enable {
     ];
   };
 
+  # always provide a smb.conf to shut up programs like smbclient and smbspool.
+  environment = {
+    etc = mkAlways [{
+      source = if cfg.enable then configFile else pkgs.writeText "smb-dummy.conf" "# samba is disabled. dummy configuration file to ";
+      target = "samba/smb.conf";
+      }];
+  };
+
   services = {
-    extraJobs = [{
-      name = "samba";
-      job = ''
 
-        description "Samba Service"
+    extraJobs = [
+    { name = "samba-control"; # start this dummy job to start the real samba daemons nmbd, smbd, winbindd
+      job = ''
+        description "samba job starting/stopping the real samba jobs";
 
         start on network-interfaces/started
         stop on network-interfaces/stop
 
         start script
-
-          if ! test -d /home/smbd ; then 
-            mkdir -p /home/smbd
-            chown ${user} /home/smbd
-            chmod a+rwx /home/smbd
-          fi
-
-          if ! test -d /var/samba ; then
-            mkdir -p /var/samba/locks /var/samba/cores/nmbd  /var/samba/cores/smbd /var/samba/cores/winbindd
-          fi
-
-          ${samba}/sbin/nmbd -D  -s ${smbConfig} &
-          ${samba}/sbin/smbd -D  -s ${smbConfig} &
-          ${samba}/sbin/winbindd -s ${smbConfig} &
-
-          ln -fs ${smbConfig} /var/samba/config
-
+        ${setupScript}
         end script
 
-        respawn ${samba}/sbin/nmbd -D -s ${smbConfig} &; ${samba}/sbin/smbd -D -s ${smbConfig} &; ${samba}/sbin/winbindd &
+        respawn sleep 1000000 # !!! hack
 
+        # put the store path here so that daemons are restarted when configuration changes
+        # config is ${configFile}
       '';
-    }];
+    }
+    # add -S to get debugging output on stdout
+    # config directory is passed by configure at compilation time
+    ( daemonJob "nmbd" " -i -F" ) # nmbd says "standard input is not a socket, assuming -D option", but using -i makes it stay in foreground (?)
+    ( daemonJob "smbd" " -i -F" ) # dito
+    ( daemonJob "winbindd" " -F" )
+    ];
   };
 }
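Review bot: The dummy configuration written when Samba is disabled ends mid-sentence, `"# samba is disabled. dummy configuration file to "`, which reads as a truncated template; finish it, e.g. `"# samba is disabled; dummy configuration file to keep smbclient and smbspool quiet"`. The `samba-control` job itself only exists to drive the three daemon jobs and its `respawn sleep 1000000 # !!! hack` line is the whole mechanism, so a short comment above it explaining that the job must stay "running" for the `start on samba-control/started` / `stop on samba-control/stop` triggers to fire would save the next reader from removing it. The `-i` flag given to nmbd and smbd presumably redirects their logging to stdout rather than the `log file` set in smb.conf; worth confirming and documenting, since the log directory is still created by the setup script.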
diff --git a/upstart-jobs/smb.conf b/upstart-jobs/smb.conf
deleted file mode 100644
index 889f3c6..0000000
--- a/upstart-jobs/smb.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-[global]
-  workgroup = Users
-  server string = %h
-  comment = Samba
-  log file = /var/log/samba/log.%m
-  log level = 10
-  max log size = 50000
-  security = user
-
-  #must be set to 'no' to use PAM
-  encrypt passwords = No
-  client plaintext auth = yes
-  client lanman auth = Yes
-  dns proxy = no
-  invalid users = root
-  passdb backend = tdbsam
-  passwd program = /usr/bin/passwd %u
-
-#  encrypt passwords = yes
-#  smb passwd file = @samba@/private/smbpasswd
-
-#[default]
-#  path = /home/smbd
-#  read only = no
-#  guest ok = yes
-
-[raidbackup]
-  path = /home/raidbackup/files
-  read only = no
-  guest ok = no
-  available = yes
-  browseable = yes
-  public = yes
-  valid users = raidbackup
-  comment = Raid backup Files



