Old 10-10-2003, 01:10 AM   #16
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15

I'm running the same version of SAMBA as you - 2.2.8a.

If I change the win98 logon directory - the roaming profiles will go into the users home folder to be mucked about. Eventually there needs to be 80 machine names that users can roam about on and that is a lot of symlinks that could be deleted. That entry seems to be working fine as for each machine my users log into, a folder is created with a profile.
I thought that the IPC$ connect for the 2k & XP machines are because the machines themselves are added to the "user" database?
You've brought up an interesting point however. I don't really understand how "/home" procures the correct folder. I need to read two chapters and think. (well, that goes without saying... <grin>)
Also, I need to check my etc/passwords file closely since this is where the /home info is pulled.
I feel pretty upbeat right now, I think you are on to something.
I'll post tomorrow...
 
Old 10-10-2003, 09:56 AM   #17
sidmark-2850
Member
 
Registered: Aug 2003
Posts: 133

Rep: Reputation: 15
Honestly, I never liked roaming profiles on windows 98 boxes. I found it too much of a problem so I disabled it entirely. Do all of your boxes have the same software applications, settings, etc? I normally change the folder paths in the registry so I never have to deal with profiles. ie the "My Documents" folder on the desktops point to the user's home directory or H drive. (Running from a samba server.) The favorites directory is also located on the user's H drive. You can check out the following registry keys:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders. Use Microsoft's tweakui tool or another tool or regedit to set the paths. Some programs like microsoft office have directories where they store their preferences like the user's dictionary file and so forth. I think that it can be set from the application itself.

An interesting download is the Windows NT Server Management Tools for Windows 95. They say that it only runs on 95, but it runs just fine off my 98 box. You won't be able to change the settings from it but you can use it to view your users' properties including the home directory, profile path, etc.

The /home, I think, returns the path from the "logon home" parameter in the smb.conf file.
 
Old 10-10-2003, 10:04 AM   #18
sidmark-2850
Member
 
Registered: Aug 2003
Posts: 133

Rep: Reputation: 15
I played around with my samba box and roaming profiles on 98. What you should do is leave the logon home as it is, then change the logon script so that it maps the explicit path of the user's home directory, \\Cap\Homes. It worked for me.

Last edited by sidmark-2850; 10-10-2003 at 10:18 AM.
 
Old 10-10-2003, 02:29 PM   #19
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
Thank you for the reg keys. I was not aware that "My Documents" was a symlink of a sort.

I do want to stick with roaming profiles for my 7th and 8th graders. At that age we want to begin to teach them how to pick appropriate backgrounds and screen savers. So this needs to follow them around.

I'll follow the link and play! <smile> More Toys! I tell you, this SAMBA/LINUX thing has been very engaging!

I will change my logon file.

I notice that my [ ] sections is "homes" and my command is /home singular.

I won't have any feed-back until Monday so have a very good week-end.
 
Old 10-11-2003, 11:09 PM   #20
sidmark-2850
Member
 
Registered: Aug 2003
Posts: 133

Rep: Reputation: 15
Quote:
I notice that my [ ] sections is "homes" and my command is /home singular.
Yep, that's correct. The [Homes] section is plural whereas the net use command has a singular "/home" parameter. Let me know how things turn out.
 
Old 10-15-2003, 04:17 PM   #21
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
Well, I've got good news and bad news.

I got ahold of a "nobody" login and verified that it is connecting to my SAMBA server. It dumps them out at / level. Since my samba config file is denying the guest account, I have no idea why a valid login would behave this way.

So I changed my logon.bat file to say: net use H: \\cap\homes /y , as you suggested. So far, no more nobodies (now that I've said it though... <smile>) but the folder name for the H: drive is now universally "Homes" as opposed to "juser" and my teachers are freaking out because there is no way to be "sure" that the directory is correct. So they are having the students drill through the directory and open a file to verify that they are in the correct directory. <sigh>

This is like performing a valve job and having the head gasket blow the following week.

On the other hand - we've got our first PDC!!! Yippee!
 
Old 10-15-2003, 07:02 PM   #22
sidmark-2850
Member
 
Registered: Aug 2003
Posts: 133

Rep: Reputation: 15
I honestly can't tell you why the nobody share gets mounted. Your smb.conf file looks good as far as I can see. Have you tried putting the "invalid users = nobody" in your global or share sections?

You can modify the homes share in the following way:

[Homes]
comment = Home Directory for %U
path = %H
valid users = %S
read only = No
guest ok = No
create mask = 0660
security mask = 0660
directory mask = 2770
directory security mask = 2770
browseable = No
volume = Home Directory for %U

The masks control the permissions on newly created files and directories so files are not readable by other people. If all students have a common primary group, set the masks to 0600 and 2700 instead. The valid users statement is suggested for the "homes" directories as it prevents people from connecting to other people's home directories.

The universal Homes share is something that they will have to get used to. If you want to see whether a user is connected, just open up Explorer and open your server. The user's directory should be seen as one of the shares.

If you really want the share to be listed as '<Username> on Cap' you would have to create a logon script for each user or find a way to dynamically create them with the preexec or root preexec parameter. You would also have to set the "logon script = %u.bat"

Quote:
On the other hand - we've got our first PDC!!! Yippee!
Cool!

I am looking at the g4u package for cloning machines and I can't get it to work. It does not recognize my network card. Have you tried it?

Quote:
This is like performing a valve job and having the head gasket blow the following week.
I'm sorry, I don't know jack about cars. I will need to get a cars for dummies book.
 
Old 10-23-2003, 06:20 PM   #23
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
Sorry for the long lag in reply time, but we have "Parent Weekend" coming up and I've had to switch over to that.

I took a look at the g4u package and thought it was very cool, but I haven't a clue regarding your NIC. Hopefully by now you have it working. I _was_ thinking good thoughts... <lol>

Good news! I think I've solved my problem! 2 days running and no "nobody" and everyone is being connected to their "loginname" directory on the S: drive.

I was creating users in the GUI for expediency's sake if you remember. Well, turns out that when you use the Red Hat GUI tool for this it auto assigns the group as "user". I'm sure there is a way to change that, but I hadn't arrived at that point.
Then I would open up the properties for the newly created user and un-check "user" and check "student" to make this their only group.
Well, this meant that all home directories were assigned the "user" group, which none of my users were now a member of. I guess user is a default group with lax privileges, because sometimes users could connect and other times not. Also some users were listed under smbstatus by their true login name, but when you went to "My Computer" the S: drive was connected to "nobody on S:".
So I chown"ed" the directories to read "student" and I haven't seen the problem since. (of course now that I've typed this, 4 "nobody"s will show up... <grin>)
Now I'm off on my next wild goose chase... ACL support. Red Hat pulled it from 9 due to NFS instability, but I seem to have the package installed. I can getfacl but I can't setfacl. Rumor has it that I must "turn it on" somehow for the file system and then re-compile SAMBA to "turn it on".
Fittingly scary for Halloween don't you think? At least for me. If I mess it up, it is not like I can just swap in another server. This is the only Linux box I have.
Hope things are going well and I hope that after reading all this you are going to tell me that my supposition of the fix cannot possibly be true. <bgrin>
 
Old 10-26-2003, 01:39 AM   #24
sidmark-2850
Member
 
Registered: Aug 2003
Posts: 133

Rep: Reputation: 15
Cool. For g4u, I will need to install netbsd and recompile it. And the learning process goes on. I installed it a couple of days ago. It's similar to linux but it will take a bit to get used to. Well, I'll have to read the netbsd faqs and man pages, learn bsd and then the bsd kernel faq. Oh well. But it's all worth it. The g4u works just fine on my box with a 3com card. Creating an image of your machines would really simplify administration tasks and reduce downtime with your machines.

I normally create my users with the addusers command. I plug the user's name in a script, and away I go. I use user private groups for my users. This means that there is a group named after the user and the user's primary group is set to that. Eg user calabash would have a group called calabash. The groupid of the group will be the same as the uid for the user. I would have the student's secondary group as students. That is how I have mine set up right now and it works just fine.

If you want to go with your approach, having the student's primary group as students, you will have to protect the home directories differently. You will need to chmod them to 2700. You don't want students to be able to modify other students' directory contents. Your [homes] definition would change to

[Homes]
comment = Home Directory for %U
path = %H
valid users = %S
read only = No
guest ok = No
create mask = 0600
security mask = 0600
directory mask = 2700
directory security mask = 2700
browseable = No
volume = Home Directory for %U

You will also need to protect other directories so that they are not accessible to unwanted people. You will also need to control the create masks and directory masks for your shares to protect the data inside. Did you end up creating a login script for each user?

ACL's are a different story. For acls to work on linux, you will need to patch your kernel and recompile it. Go to Extended attributes and access control lists. It is also a good idea to read The Linux Kernel HOWTO. You may or may not need to recompile samba. If you compiled samba with "--with-acl-support" and you had the acl-devel and attr-devel packages installed, you are fine. If not, you will have to recompile. Watch the output from the configure script when you compile samba. Close to the end, it will say something about acls and whether to compile it. You will need to reboot the new kernel and mount your file system with the acl option. ACL's are really cool because they allow granular access control lists like nt and 2k servers. They are somewhat limited compared to ntfs acls, but it is much better than the standard unix permissions.

If this is the only box you have, grab one of the 98 clients and test. TEST TEST TEST!!! I can't stress that enough. Install it on another box and test with the new kernel. I ended up completely messing up my box on my first kernel compile. My box did not boot up the first time and I got a kernel panic. You definitely do not want that to happen on a production box. A lot of things broke, but I wiped it up and tried again. Now, I am fairly proficient with it. The kernel howto helped a lot. It took me a while before I upgraded my production box to the newer kernel with acl support.

Are you using samba to share other directories or just home directories? You should look at implementing disk quotas as it will limit users' disk usage on your server. Now that's really cool.

Hope this helps.
Sid.

Last edited by sidmark-2850; 10-26-2003 at 01:42 AM.
 
Old 10-26-2003, 01:42 AM   #25
sidmark-2850
Member
 
Registered: Aug 2003
Posts: 133

Rep: Reputation: 15
What does your complete smb.conf file look like now?
 
Old 10-28-2003, 04:45 PM   #26
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
I'm still working through your answer, but a quick ls -l of my homes directory shows no privileges given to group or other.
So this means my user's directory should be safe, right?

And by browsable=no, that doesn't mean I can't type \\ovs\home\username into explorer and get there right?

Now let me look up chmod 2700 and digest the full meaning of your reply so that I can contribute useful discourse. <lol>
 
Old 10-29-2003, 02:37 AM   #27
sidmark-2850
Member
 
Registered: Aug 2003
Posts: 133

Rep: Reputation: 15
If all of your directory entries look like:

drwx------ 9 calabash students 4096 Oct 29 00:00 calabash

then it's ok. Browsable=no means that the share does not show up in the browse list. It is still accessible though. You can use either 2700 or 0700 for the directory masks and 0600 for the file masks. Depending on what the share will be used for, it is better sometimes to have the setgid bit on new directories.
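
The check described in the post above (every home directory should list as drwx------), as an added example that is not part of the original thread: a shell function that scans a base directory such as /home and reports any home directory that grants access to group or other. It also accepts drwx--S---, which is how ls displays mode 2700 with the setgid bit; the function name audit_homes is hypothetical.

```sh
#!/bin/sh
# Added example: audit home directories for group/other access.
#
# audit_homes BASE
#   Prints "name perms" for every directory directly under BASE whose
#   permission string grants anything to group or other.
#   Exit status: 0 if every directory is owner-only, 1 otherwise.
#
# Usage: audit_homes /home
audit_homes() {
    base=$1
    bad=0
    for dir in "$base"/*; do
        # Only real directories; a symlinked home needs manual review.
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue

        # First ten characters of ls -ld, e.g. drwx------ or drwx--S---
        # (cutting at 10 drops any trailing ACL/SELinux marker).
        perms=$(ls -ld "$dir" | cut -c1-10)

        # Characters 5-10 are the group and other permission triplets.
        group_other=$(printf '%s' "$perms" | cut -c5-10)

        case $group_other in
            ------|--S---)
                # 0700, or 2700 (setgid set, no group access): private.
                ;;
            *)
                printf '%s %s\n' "${dir##*/}" "$perms"
                bad=1
                ;;
        esac
    done
    return $bad
}
```

A directory that is flagged here was most likely created before the share's directory mask applied or was loosened by hand; the masks in [Homes] only affect files and directories created through Samba afterwards.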
 
Old 12-08-2003, 12:27 PM   #28
calabash
Member
 
Registered: Sep 2003
Distribution: FC11
Posts: 128

Original Poster
Rep: Reputation: 15
Sidmark-2850
So sorry for my dropping of this thread. Suffice to say that a) I'm very happy to still have a job b) I have a new and improved office c) Valium is my _best_ friend!!!!!
Oh yeah and because learning Linux, Samba and server tech is not enough for one day, I now need to brush up on fiber backbones.
I think next week I'll attempt to install a WAN with VPN tunneling and wireless access.
I swear these people have _no_ idea what they are asking!
Ah well - if you want to subject yourself to the gory details, e-mail me, cause I've fallen way off-topic.... <sigh>
 
  

