LinuxQuestions.org

Linux - Server: Samba is Only Accepting Share Connections from root (https://www.linuxquestions.org/questions/linux-server-73/samba-is-only-accepting-share-connections-from-root-618950/)

des_a 02-05-2008 08:13 PM

Samba is Only Accepting Share Connections from root
 
I have a strange thing happening. Samba seems to be only accepting connections to shares from the root user. Some shares certainly work without root privileges, but don't work properly. Other shares say that the path can't be found, even though samba clearly defines them.

jschiwal 02-05-2008 08:19 PM

You will need to supply more information. Post the global portion of your smb.conf file and the parts for the services that don't work. Which directories are being shared and how are they set up? Does each Windows user have a corresponding Linux user, and did you run the smbpasswd program to add them and record their passwords?

tajamari 02-05-2008 10:33 PM

Quote:

Originally Posted by des_a (Post 3047364)
I have a strange thing happening. Samba seems to be only accepting connections to shares from the root user. Some shares certainly work without root privileges, but don't work properly. Other shares say that the path can't be found, even though samba clearly defines them.

What were the errors seen when using other users aside from root? Did you check the samba log?

des_a 02-06-2008 02:55 PM

I thought I'd need more information, but I didn't want to give too much all at once, so here's the information you requested.

des_a 02-06-2008 03:09 PM

Global Section of /etc/samba/smb.conf:

Code:


# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
 [global]

# 1. Server Naming Options:
# workgroup = NT-Domain-Name or Workgroup-Name
 workgroup = NSRESIDENT

# netbios name is the name you will see in "Network Neighbourhood",
# but defaults to your hostname
 netbios name = a-des-main

# server string is the equivalent of the NT Description field
 server string = 2005 E-Machine Desktop Server

# 2. Printing Options:
# CHANGES TO ENABLE PRINTING ON ALL CUPS PRINTERS IN THE NETWORK
# (as cups is now used in linux-mandrake 7.2 by default)
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
 printcap name = cups
 load printers = yes

# It should not be necessary to spell out the print system type unless
# yours is non-standard. Currently supported print systems include:
# bsd, sysv, plp, lprng, aix, hpux, qnx, cups
 printing = cups

# Samba 2.2 supports the Windows NT-style point-and-print feature. To
# use this, you need to be able to upload print drivers to the samba
# server. The printer admins (or root) may install drivers onto samba.
# Note that this feature uses the print$ share, and not the printers share,
# so you will need to enable it below.
# This parameter works like domain admins:
# printer admin = @<group> <user>
 printer admin = @administratorsl2

# 3. Logging Options:
# this tells Samba to use a separate log file for each machine
# that connects
 log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
 max log size = 50

# Set the log (verbosity) level (0 <= log level <= 10)
 log level = 3

# 4. Security Options:
# This option is important for security. It allows you to restrict
# connections to machines which are on your local network. The
# following example restricts access to two C class networks and
# the "loopback" interface. For more examples of the syntax see
# the smb.conf man page. Do not enable this if (tcp/ip) name resolution does
# not work for all the hosts in your network.
 ;hosts allow = 127.0.0.1 2.1.1.0/254
 ;hosts deny =

# Uncomment this if you want a guest account, you must add this to /etc/passwd
# otherwise the user "nobody" is used
 guest account = guest

# Security mode. Most people will want user level security. See
# security_level.txt for details.
 security = user
# Use password server option only with security = server or security = domain
# When using security = domain, you should use password server = *
; password server = <NT-Server-Name>

# Password Level allows matching of _n_ characters of the password for
# all combinations of upper and lower case.
 password level = 16
 username level = 16

# You may wish to use password encryption. Please read
# ENCRYPTION.txt, Win95.txt and WinNT.txt in the Samba documentation.
# Do not enable this option unless you have read those documents
# Encrypted passwords are required for any use of samba in a Windows NT domain
# The smbpasswd file is only required by a server doing authentication, thus
# members of a domain do not need one.
 encrypt passwords = yes
 smb passwd file = /etc/samba/smbpasswd

# The following are needed to allow password changing from Windows to
# also update the Linux system password.
# NOTE: Use these with 'encrypt passwords' and 'smb passwd file' above.
# NOTE2: You do NOT need these to allow workstations to change only
#        the encrypted SMB passwords. They allow the Unix password
#        to be kept in sync with the SMB password.
 unix password sync = Yes
 passwd program = /usr/bin/passwd %u
 passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*

# Unix users can map to different SMB User names
 username map = /etc/samba/smbusers

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /etc/samba/smb.conf.%m

# 5. Browser Control and Networking Options:
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Configure Samba to use multiple interfaces
# If you have multiple network interfaces then you must list them
# here. See the man page for details.
# interfaces = 192.168.12.2/24 192.168.13.2/24

# Configure remote browse list synchronisation here
#  request announcement to, or browse list sync from:
#      a specific host or from / to a whole subnet (see below)
# remote browse sync = 192.168.3.25 192.168.5.255
# Cause this host to announce itself to local subnets here
# remote announce = 192.168.1.255 192.168.2.44

# set local master to no if you don't want Samba to become a master
# browser on your network. Otherwise the normal election rules apply
 local master = yes

# OS Level determines the precedence of this server in master browser
# elections. The default value should be reasonable
 os level = 65

# Domain Master specifies Samba to be the Domain Master Browser. This
# allows Samba to collate browse lists between subnets. Don't use this
# if you already have a Windows NT domain controller doing this job
 domain master = yes

# Preferred Master causes Samba to force a local browser election on startup
# and gives it a slightly higher chance of winning the election
 preferred master = yes

# 6. Domain Control Options:
# Enable this if you want Samba to be a domain logon server for
# Windows95 workstations or Primary Domain Controller for WinNT and Win2k
 domain logons = yes

# if you enable domain logons then you may want a per-machine or
# per user logon script
# run a specific logon batch file per workstation (machine)
 logon script = %U.bat
# run a specific logon batch file per username
 logon script = %U.bat

# Where to store roaming profiles for WinNT and Win2k
#        %L substitutes for this servers netbios name, %U is username
#        You must uncomment the [Profiles] share below
 logon path = \\%L\Profiles\%U

# Where to store roaming profiles for Win9x. Be careful with this as it also
# impacts where Win2k finds its /HOME share
 logon home = \\%L\%U\.profile

# The add user script is used by a domain member to add local user accounts
# that have been authenticated by the domain controller, or by the domain
# controller to add local machine accounts when adding machines to the domain.
# The script must work from the command line when replacing the macros,
# or the operation will fail. Check that groups exist if forcing a group.
# Script for domain controller for adding machines:
 add user script = /usr/sbin/useradd -s /bin/false %u
# Script for domain member for adding local accounts for authenticated users:
 add user script = /usr/sbin/useradd -s /bin/false %u
 
# 7. Time Server
# Is our domain controller also a time server?
time server = yes

# 8. Name Resolution Options:
# All NetBIOS names must be resolved to IP Addresses
# 'Name Resolve Order' allows the named resolution mechanism to be specified
# the default order is "host lmhosts wins bcast". "host" means use the unix
# system gethostbyname() function call that will use either /etc/hosts OR
# DNS or NIS depending on the settings of /etc/host.config, /etc/nsswitch.conf
# and the /etc/resolv.conf file. "host" therefore is system configuration
# dependent. This parameter is most often of use to prevent DNS lookups
# in order to resolve NetBIOS names to IP Addresses. Use with care!
# The example below excludes use of name resolution for machines that are NOT
# on the local network segment
# - OR - are not deliberately to be known via lmhosts or via WINS.
 name resolve order = wins lmhosts bcast

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
 wins support = yes

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
#      Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
# wins server = w.x.y.z

# WINS Proxy - Tells Samba to answer name resolution queries on
# behalf of a non WINS capable client, for this to work there must be
# at least one  WINS Server on the network. The default is NO.
 wins proxy = yes

# DNS Proxy - tells Samba whether or not to try to resolve NetBIOS names
# via DNS nslookups. The built-in default for versions 1.9.17 is yes,
# this has been changed in version 1.9.18 to no.
 dns proxy = no

# 9. File Naming Options:
# Name mangling
; mangle case = no
# Case Preservation can be handy - system default is _no_
# NOTE: These can be set on a per share basis
 preserve case = yes
 short preserve case = no
# Default case is normally upper case for all DOS files
 default case = lower
# Be very careful with case sensitivity - it can break things!
 case sensitive = no

# Enabling internationalization:
# you can match a Windows code page with a UNIX character set.
# Windows: 437 (US), 737 (GREEK), 850 (Latin1 - Western European),
# 852 (Eastern Eu.), 861 (Icelandic), 932 (Cyrillic - Russian),
# 936 (Japanese - Shift-JIS), 936 (Simpl. Chinese), 949 (Korean Hangul),
# 950 (Trad. Chin.).
# UNIX: ISO8859-1 (Western European), ISO8859-2 (Eastern Eu.),
# ISO8859-5 (Russian Cyrillic), KOI8-R (Alt-Russ. Cyril.)
# This is an example for french users:
; client code page = 850
; character set = ISO8859-1


des_a 02-06-2008 03:14 PM

The shares that I've got are:

Code:

[homes]
[guest]
[public]
[printers]
[print$]
[netlogon]
[profiles]
[-mnt-software-basic]
[-mnt-cdrom]
[-mnt-cdrom2]
[-mnt-floppy]
[drives]
[backupdata]
[software]
[documentation]


des_a 02-06-2008 03:18 PM

The services that work are:

Code:

[homes]
[guest]
[-mnt-cdrom]
[-mnt-cdrom2]
[-mnt-floppy]

The services that don't work are:

Code:

[public]
[printers]
[print$]
[netlogon]
[profiles]
[-mnt-software-basic]
[drives]
[backupdata]
[software]
[documentation]


des_a 02-06-2008 03:20 PM

The shares section goes like this:

Code:

#============================ Share Definitions ==============================
[homes]
 comment = Home Directories
 browseable = no
 writable = yes
 guest ok = no

[guest]
 comment = Guest Public Stuff
 browseable = yes
 path = /home/guest
 guest ok = yes
 read only = false
 force user = Guest
 
# A publicly accessible directory
[public]
 comment = Public Stuff
 browseable = yes
 path = /mnt/etc/samba/public
 write list = @vpn_users,root
 read list = @vpn_users,root
 guest ok = yes

# NOTE: If you have a CUPS print system there is no need to
# specifically define each individual printer.
# You must configure the samba printers with the appropriate Windows
# drivers on your Windows clients. On the Samba server no filtering is
# done. If you wish that the server provides the driver and the clients
# send PostScript ("Generic PostScript Printer" under Windows), you have
# to swap the 'print command' line below with the commented one.
[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
# to allow user 'guest account' to print.
guest ok = yes
writable = no
printable = yes
create mode = 0700
# =====================================
# print command: see above for details.
# =====================================
print command = lpr-cups -P %p %s # using cups own drivers (use generic PostScript on clients).
print command = lpr-cups -P %p %s # using cups own drivers (use generic PostScript on clients).
lpq command = lpstat -o %p
lprm command = cancel %p-%j
use client drivers = yes

[print$]
 comment = Printer Drivers Share
 path = /var/lib/samba/printers
 write list = @administratorsl3,root
 printer admin = @administratorsl3,root
 browseable = Yes

[netlogon]
 comment = Network Logon Service
 path = /var/lib/samba/netlogon
 read list = @administratorsl4,root
 write list = @administratorsl4,root
 admin users = @administratorsl4,root
 guest OK = No
 browseable = Yes

[profiles]
 comment = Roaming Profile Share
 path = /var/lib/samba/profiles
 read only = No
 profile acls = Yes

[-mnt-software-basic]
 comment = Basic Software
 path = /mnt/etc/samba/software/basic
 read list = @vpn_users,root
 write list = @administratorsl4,root
 browseable = true

[-mnt-cdrom]
 comment = CD Rom 1
 path = /mnt/cdrom
 browseable = true
 force user = root
 read only = true

[-mnt-cdrom2]
 comment = CD Rom 2
 path = /mnt/cdrom2
 browseable = true
 force user = root
 read only = true
 
[-mnt-floppy]
 comment = Floppy
 path = /mnt/floppy
 browseable = true
 force user = root
 read only = false

[drives]
 comment = Drives
 path = /mnt/etc/samba/drives
 read list = @vpn_users,root
 write list = @administratorsl3,root
 browseable = true

[backupdata]
 comment = backupdata
 path = /mnt/etc/samba/removable
 read list = @vpn_users,root
 write list = @administratorsl3,root
 browseable = true
 force user = root

[software]
 comment = Standard Software
 path = /mnt/etc/samba/software/standard
 read list = @vpn_users
 write list = @administratorsl3
 browseable = true

[documentation]
 comment = Documentation
 path = /mnt/etc/samba/documentation
 read list = @vpn_users,root
 write list = @administratorsl3,root
 browseable = true
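A practitioner's check for share definitions like the ones above: in smb.conf(5), `read list` and `write list` only decide whether a connection is read-only or read-write; by themselves they never stop an authenticated user from connecting. What actually gates the tree connect is `valid users` / `invalid users`, `guest ok` for anonymous sessions, whether `force user` / `admin users` resolve to a real Unix account, and whether `path` exists on the server (a missing or unreachable share path is what a Windows client reports as the network name not being found). The script below is an added example, not code from this thread or from the Samba project: it reads an smb.conf and walks those rules for a given user. The config, the user/group table and the directory list are constructed inline so it runs offline; `vpn_users`, `administratorsl3`, `alice`, `bob`, `carol`, `scratch-owner` and every path are assumed names, not anything from a real server.

```python
"""Who can connect to which Samba share, from smb.conf alone (added example,
not code from the thread). Models the smb.conf(5) tree-connect rules: valid
users gates access, guest ok admits anonymous sessions, admin users / force
user set the Unix identity, the path must exist, read/write lists set rw."""
import re
from collections import namedtuple

# Constructed smb.conf in the thread's style; every name and path is made up.
SAMPLE_SMB_CONF = """
[global]
 guest account = guest
[public]
 path = /mnt/etc/samba/public
 write list = @vpn_users,root
 guest OK = yes
[backupdata]
 path = /mnt/etc/samba/removable
 read list = @vpn_users,root
 force user = root
[scratch]
 path = /mnt/scratch
 force user = scratch-owner
[staff]
 path = /mnt/cdrom
 valid users = @administratorsl3
"""
# Constructed stand-ins for /etc/passwd + /etc/group (user -> groups) and the filesystem.
USERS = {"root": set(), "guest": set(), "carol": set(), "alice": {"vpn_users"},
         "bob": {"vpn_users", "administratorsl3"}}
EXISTING_DIRS = {"/mnt/etc/samba/public", "/mnt/scratch", "/mnt/cdrom"}

def parse_smb_conf(text):
    """Sections of 'key = value'; last duplicate wins (as in smbd); keys lose case/spaces."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            shares[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            shares[current][re.sub(r"\s+", "", key.lower())] = value.strip()
    return shares

def as_bool(value, default):
    return default if value is None else value.strip().lower() in ("yes", "true", "1")

def in_list(user, groups, value):
    """Match a Samba name list such as 'alice, @vpn_users, +staff' (@/+ = Unix group)."""
    return any((e[:1] in "@+" and e[1:] in groups) or e == user
               for e in re.split(r"[,\s]+", value.strip()) if e)

Verdict = namedtuple("Verdict", "share connect reason runs_as writable", defaults=("", False))

def evaluate(share, params, user, users, existing_dirs, global_params):
    """Decide whether `user` (None = anonymous) can tree-connect to `share`."""
    if user is None:                                       # anonymous session
        if not as_bool(params.get("guestok", params.get("public")), False):
            return Verdict(share, False, "guest access not allowed")
        user = global_params.get("guestaccount", "nobody")
    if user not in users:
        return Verdict(share, False, f"no Unix account '{user}'")
    groups = users[user]
    if "validusers" in params and not in_list(user, groups, params["validusers"]):
        return Verdict(share, False, "not in valid users")   # the only list that gates access here
    runs_as = user                                         # admin users > force user > user
    if "adminusers" in params and in_list(user, groups, params["adminusers"]):
        runs_as = "root"
    elif "forceuser" in params:
        runs_as = params["forceuser"]
        if runs_as not in users:                           # smbd fails the connect outright
            return Verdict(share, False, f"force user '{runs_as}' is not a Unix account")
    path = params.get("path")
    if not path or path not in existing_dirs:              # client: 'network name cannot be found'
        return Verdict(share, False, f"path {path!r} does not exist")
    read_only = as_bool(params.get("readonly"), True)      # smbd default: read only = yes
    for alias in ("writable", "writeable"):                # synonyms for 'read only = no'
        if alias in params:
            read_only = not as_bool(params[alias], False)
    writable = not read_only
    if "readlist" in params and in_list(user, groups, params["readlist"]):
        writable = False
    if "writelist" in params and in_list(user, groups, params["writelist"]):
        writable = True                                    # write list wins over read list
    return Verdict(share, True, "ok", runs_as, writable)

def report(conf_text, user, users=USERS, existing_dirs=EXISTING_DIRS):
    conf = parse_smb_conf(conf_text)
    return {name: evaluate(name, params, user, users, existing_dirs, conf.get("global", {}))
            for name, params in conf.items() if name != "global"}

if __name__ == "__main__":
    for who in ("alice", "carol", None):
        print(f"--- {who or 'anonymous'} ---")
        for v in report(SAMPLE_SMB_CONF, who).values():
            state = f"{'rw' if v.writable else 'ro'} as {v.runs_as}" if v.connect else "DENIED"
            print(f"  {v.share:12} {state:18} {v.reason}")
```

Running it shows `carol`, who is in no list at all, still connecting to `[public]` read-only, while the `[backupdata]` share fails for everyone because its path is absent and `[scratch]` fails because its `force user` is not an account. To run it against a real server, replace SAMPLE_SMB_CONF with the contents of /etc/samba/smb.conf, build USERS from the pwd and grp modules, and swap EXISTING_DIRS for an os.path.isdir check. It deliberately does not model `[homes]` (whose path is the user's home directory), Unix directory permissions on the path, `map to guest`, or the `username map` file, so `testparm -s` and `smbclient -L //server -U user` remain the authoritative checks.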


des_a 02-06-2008 03:37 PM

Each Linux user has a corresponding Windows user. Here's the general user documentation I created.

Here's the identical code for the documentation for Windows and Linux, since there's no way to attach a file that I see. If you want to view it with Windows, then put the Windows code in a BATCH file. If you want to view it on Linux, put the Linux code in a file. These probably require Windows XP, and I know they require the BASH shell for Linux. Call either file's base name usrtypes. The Windows extension should be .bat, and the Linux version should have no extension. The Linux version should be owned by user root and group root. It should be chmod 750, I believe, going from memory. The Windows version can be pretty flexible about where you put it, if it's in the PATH. The Linux version should be in /usr/bin for best results, unless your Linux is different. Don't forget to delete them when you're done, unless you need to leave executable "junk" around.

* NOTE: It said there was too much text to post at first, so I've split it up into a few posts instead.

des_a 02-06-2008 03:38 PM

Windows code:
Code:

@ECHO OFF


IF "%1" == "" GOTO USAGE
IF "%2" == "" GOTO ONE_ARGUMENT

IF "%1" == "PRIVILIGE_LIST" GOTO PRIVILIGE_LIST_2
IF "%1" == "LIST" GOTO LIST_2
GOTO INVALID_COMMAND


:PRIVILIGE_LIST_2
IF "%2" == "guest" GOTO guest
IF "%2" == "internet_user" GOTO internet_user
IF "%2" == "vpn_user" GOTO vpn_user
IF "%2" == "normal_user" GOTO normal_user
IF "%2" == "administrator" GOTO administrator
IF "%2" == "administratorl2" GOTO administratorl2
IF "%2" == "administratorl3" GOTO administratorl3
IF "%2" == "administratorl4" GOTO administratorl4
GOTO INVALID_OPTION


:guest
ECHO guest          - A guest on the system.
ECHO.
ECHO An unidentified user. Usually there is only one guest needed, however you may
ECHO create more guest users if desired. Guests are allowed very few things they may do.
GOTO END


:internet_user
ECHO internet_user  - A user that is on the Internet.
ECHO.
ECHO Internet users have certain remote priviliges that guests do not, making them
ECHO perfect for very special applications where users need low priviliges.
GOTO END


:vpn_user
ECHO vpn_user        - A user that's capable of using virtual private networking
ECHO                  through the Internet.
ECHO.
ECHO A VPN user has just enough more priviliges to be able to feel comfortable with
ECHO networking applications locally, or remotely.
GOTO END


:normal_user
ECHO normal_user    - The normal level of access given.
ECHO.
ECHO A user with the standard priviliges is now allowed to do everything they
ECHO normally need to do. Note that VPN priviliges do not go away at this level, but remain.
GOTO END


:administrator
ECHO administrator  - A user with administrative priviliges.
ECHO.
ECHO A user that can change settings on the local computer to set up some system-wide
ECHO settings. However, they do not nearly have full priviliges over the network.
GOTO END


:administratorl2
ECHO administratorl2 - A user with more administrative priviliges.
ECHO.
ECHO With the addition of this access-level, a user may now reset passwords.
GOTO END


:administratorl3
ECHO administratorl3 - A user with the third level of administrative priviliges.
ECHO.
ECHO Level 3 Administrators are allowed to not only reset passwords, but can change
ECHO them to anything they desire. This might be useful for protecting against
ECHO attacks from authorized users.
GOTO END


:administratorl4
ECHO administratorl4 - A user that has administrative priviliges second only to the
ECHO                  root user.
ECHO.
ECHO This access-level allows a user to do anything they wish to do on the network,
ECHO save things that take root priviliges to accomplish.
GOTO END


:LIST_2
IF "%2" == "nsowner" GOTO nsowner
IF "%2" == "nsnhelper" GOTO nsnhelper
IF "%2" == "nsbus" GOTO nsbus
IF "%2" == "nsbusl2" GOTO nsbusl2
IF "%2" == "nsbusl3" GOTO nsbusl3
IF "%2" == "nsstaff" GOTO nsstaff
IF "%2" == "nsstaffl2" GOTO nsstaffl2
IF "%2" == "nslresident" GOTO nslresident
IF "%2" == "nsresident" GOTO nsresident
IF "%2" == "nsresidentl2" GOTO nsresidentl2
IF "%2" == "nslfrfam" GOTO nslfrfam
IF "%2" == "nsfrfam" GOTO nsfrfam
IF "%2" == "nsfrfaml2" GOTO nsfrfaml2
IF "%2" == "nslstranger" GOTO nslstranger
IF "%2" == "nsstranger" GOTO nsstranger
IF "%2" == "nsstrangerl2" GOTO nsstrangerl2
GOTO INVALID_OPTION


:nsowner
ECHO nsowner    - The owner(s) of the company.
ECHO.
ECHO You would use this userset-level for anybody who owns the company.
GOTO END


:nsnhelper
ECHO nsnhelper  - Someone who helps out with the network.
ECHO.
ECHO Because the owners may not wish to know everything about the network, they may
ECHO deligate some tasks to network helpers.
GOTO END


:nsbus
ECHO nsbus      - A buisness representative for a company that needs access to the
ECHO              network (caseworker, etc.).
ECHO.
ECHO Some buisness representatives might need access to the network beyond the
ECHO standard guest account because they're here often enough.
GOTO END


:nsbusl2
ECHO nsbusl2    - A buisness representative for a company that needs access to
ECHO              certain remote features of the network that guests do not have
ECHO              access to.
ECHO.
ECHO A buisness representative might need to communicate with the network on a
ECHO regular basis, but might not require very much local access.
GOTO END


:nsbusl3
ECHO nsbusl3    - A buisness representative for a company that needs normal access
ECHO              to the network.
ECHO.
ECHO A buisness representative might require access to the network locally so that
ECHO they may accomplish certain tasks they otherwise may not.
GOTO END


:nsstaff
ECHO nsstaff    - A staff member.
ECHO.
ECHO Most staff would simply require this level of access to the network and no
ECHO more.
GOTO END


:nsstaffl2
ECHO nsstaffl2  - A staff member who needs to be able to have complete control over
ECHO              user and group passwords.
ECHO.
ECHO Some staff might need to change account passwords to attribary values.
GOTO END


:nslresident
ECHO nslresident  - A resident that doesn't have a computer of their own or should
ECHO                not be allowed to change certain settings on computers.
ECHO.
ECHO Not all residents have their own computer. If they do not, they'd get this level
ECHO of access to attempt to protect staff/residents from abuse or accidents. They
ECHO might also not be very trustworthy.
GOTO END


:nsresident
ECHO nsresident  - A resident that has a computer of their own and should be allowed
ECHO                to change settings that a computer owner would likely want to
ECHO                change.
ECHO.
ECHO As most residents have their own computer, most residents are allowed to do a
ECHO whole number of things to their computer. It's only when it comes to the network
ECHO that they are restricted.
GOTO END


:nsresidentl2
ECHO nsresidentl2 - A resident that has equal power as a normal staff member and
ECHO                therefore is allowed to reset network passwords.
ECHO.
ECHO Is resetting passwords too common an operation for staff? Is it getting
ECHO annoying? Can some residents be trusted to reset passwords? If you allow them to
ECHO have this level of access, then the task of resetting passwords may be delegated
ECHO to a resident.
GOTO END


:nslfrfam
ECHO nslfrfam    - A friend or family member who should have certain remote
ECHO                priviliges that guests don't have.
ECHO.
ECHO Often certain friends and family may need access to the network beyond the guest
ECHO account for tasks over the Internet. A program may require them to have their
ECHO own account, but the guest account won't do, because it doesn't have the proper
ECHO remote priviliges.
GOTO END


:nsfrfam
ECHO nsfrfam      - A friend or family member that in addition to certain remote
ECHO                priviliges, is allowed to participate in VPN Networking.
ECHO.
ECHO If you tend to desire to play special shared games with a friend or family
ECHO member, or you do projects with them often, you might consider allowing them VPN
ECHO access, as this will pass through the firewall.
GOTO END


:nsfrfaml2
ECHO nsfrfaml2    - A friend or family member that should have normal access to the
ECHO                network.
ECHO.
ECHO Sometimes VPN access isn't enough for your friend or family. Sometimes they may
ECHO need to come in and sit down and 'borrow' your machine. In a case like this, you
ECHO might give them normal network access.
GOTO END


:nslstranger
ECHO nslstranger  - A stranger that needs their own account for a special purpose.
ECHO.
ECHO Normally, strangers do not need accounts. But what if they do for a special
ECHO purpose? You don't trust them a lot, likely, so you give them guest access via
ECHO this type of account.
GOTO END


:nsstranger
ECHO nsstranger  - A stranger that needs their own account for certain remote
ECHO                priviliges that guests do not have.
ECHO.
ECHO An application might require a stranger to have higher than guest access. If so,
ECHO then this is the right type of account.
GOTO END


:nsstrangerl2
ECHO nsstrangerl2 - A stranger that needs to participate in VPN Networking.
ECHO.
ECHO Some strangers need VPN access to the network. Use this with care.
GOTO END


:ONE_ARGUMENT
IF "%1" == "EXPLANATION" GOTO EXPLANATION
IF "%1" == "PRIVILIGE_LIST" GOTO PRIVILIGE_LIST
IF "%1" == "LIST_CATIGORIES" GOTO LIST_CATIGORIES
IF "%1" == "LIST" GOTO LIST
GOTO INVALID_COMMAND


:EXPLANATION
ECHO Except for guests to a system, each user has their own user account for the most
ECHO part. Users can be added to local groups or a group database stored on a server.
ECHO Usually, these priviliges are exactly the same everywhere.
ECHO.
ECHO Each user gets a special level of access set up just for them. It starts out
ECHO being the standard level of access for that type of person, but that may change if it doesn't fit the person. Run 'usrtypes PRIVILIGE_LIST' for the types of
ECHO access you may specify.
ECHO.
ECHO To be flexable for a home and/or buisness setting, and to increase security in
ECHO theory, each user actually gets a user set. A user set is a set of users that
ECHO fits the type of access the person needs. It is encouraged to use the lowest
ECHO level access you can for the task, when doing tasks. This should make the system
ECHO secure if followed. See usrtypes 'LIST_CATIGORIES' and 'usrtypes LIST' for
ECHO explanations of standard user sets. There should theoretically be a user set
ECHO type for each person in the world, as applies to the scope of the network
ECHO purposes.
ECHO.
ECHO Obviously then, it's not exactly recommended that you attempt to create actual
ECHO user accounts for everyone in the world, however you would be allowed to. The
ECHO recomendation is that you only create user accounts for the users you need to,
ECHO and forget about the rest of the people in the world. It's also recomended that you disable inactive users and delete former users to increase security.
GOTO END


:PRIVILIGE_LIST
ECHO guest          - A guest on the system.
ECHO internet_user  - A user that is on the Internet.
ECHO vpn_user        - A user that's capable of using virtual private networking
ECHO                  through the Internet.
ECHO normal_user    - The normal level of access given.
ECHO administrator  - A user with administrative priviliges.
ECHO administratorl2 - A user with more administrative priviliges.
ECHO administratorl3 - A user with the third level of administrative priviliges.
ECHO administratorl4 - A user that has administrative priviliges second only to the
ECHO                  root user.
GOTO END


:LIST_CATIGORIES
ECHO Staff or Helpers:
ECHO    Owners:                                    nsowner
ECHO    Network Helpers:                          nsnhelper
ECHO    Buisness Related People:                  nsbus, nsbusl2, nsbusl3
ECHO    Staff:                                    nsstaff, nsstaffl2
ECHO.
ECHO Residents and Related People:
ECHO    Residents:                                nslresident, nsresident,
ECHO                                                nsresidentl2
ECHO    Friends and Family of People in the House: nslfrfam, nsfrfam, nsfrfaml2
ECHO.
ECHO Strangers:
ECHO    Unknown People:                            nslstranger, nsstranger,
ECHO                                                nsstrangerl2
GOTO END


:LIST
REM Staff or Helpers
ECHO nsowner    - The owner(s) of the company.
   
ECHO nsnhelper  - Someone who helps out with the network.
 
ECHO nsstaff    - A staff member.
ECHO nsstaffl2  - A staff member who needs to be able to have complete control over
ECHO              user and group passwords.
   
ECHO nsbus      - A buisness representative for a company that needs access to the
ECHO              network (caseworker, etc.).
ECHO nsbusl2    - A buisness representative for a company that needs access to
ECHO              certain remote features of the network that guests do not have
ECHO              access to.
ECHO nsbusl3    - A buisness representative for a company that needs normal access
ECHO              to the network.
ECHO.
ECHO.
   
 
REM Residents and Related People
ECHO nslresident  - A resident that doesn't have a computer of their own or should
ECHO                not be allowed to change certain settings on computers.
ECHO nsresident  - A resident that has a computer of their own and should be allowed
ECHO                to change settings that a computer owner would likely want to
ECHO                change.
ECHO nsresidentl2 - A resident that has equal power as a normal staff member and
ECHO                therefore is allowed to reset network passwords.
ECHO.
ECHO.
   
ECHO nslfrfam    - A friend or family member who should have certain remote
ECHO                priviliges that guests don't have.
ECHO nsfrfam      - A friend or family member that in addition to certain remote
ECHO                priviliges, is allowed to participate in VPN Networking.
ECHO nsfrfaml2    - A friend or family member that should have normal access to the
ECHO                network.
ECHO.
ECHO.
   
 
REM Strangers
ECHO nslstranger  - A stranger that needs their own account for a special purpose.
ECHO nsstranger  - A stranger that needs their own account for certain remote
ECHO                priviliges that guests do not have.
ECHO nsstrangerl2 - A stranger that needs to participate in VPN Networking.
GOTO END


:INVALID_COMMAND
ECHO Invalid Command
GOTO END


:INVALID_OPTION
ECHO Invalid Option
GOTO END


:USAGE
ECHO Usage: usrtypes command [option]
ECHO.
ECHO        commands: EXPLANATION, PRIVILIGE_LIST, LIST_CATIGORIES, LIST
ECHO        options:  PRIVILIGE_LIST [privilige level], LIST [user-set]
ECHO.
ECHO.


:END


des_a 02-06-2008 03:39 PM

Linux code:
Code:

#!/bin/sh


if [ "$#" -eq 0 ] ; then
 echo "Usage: usrtypes <command> [option]"
 echo
 echo "      commands: EXPLANATION, PRIVILIGE_LIST, LIST_CATIGORIES, LIST"
 echo "      options:  PRIVILIGE_LIST [privilige level], LIST [user-set]"
 echo
 elif [ "$#" -eq 1 ] ; then
  if [ "$1" = "EXPLANATION" ] ; then
  echo "Except for guests to a system, each user has their own user account for the most part. Users can be added to local groups or a group database stored on a server. Usually, these priviliges are exactly the same everywhere."
  echo
  echo "Each user gets a special level of access set up just for them. It starts out being the standard level of access for that type of person, but that may change if it doesn't fit the person. Run 'usrtypes PRIVILIGE_LIST' for the types of access you may"
  echo "specify."
  echo
  echo "To be flexable for a home and/or buisness setting, and to increase security in theory, each user actually gets a user set. A user set is a set of users that fits the type of access the person needs. It is encouraged to use the lowest level access you can for the task, when doing tasks. This should make the system secure if followed. See usrtypes 'LIST_CATIGORIES' and "
  echo "'usrtypes LIST' for explanations of standard user sets. There should theoretically be a user set type for each person in the world, as applies to the scope of the network purposes. "
  echo
  echo "Obviously then, it's not exactly recommended that you attempt to create actual user accounts for everyone in the world,"
  echo "however you would be allowed to. The recomendation is that you only create user accounts for the users you need to, and "
  echo "forget about the rest of the people in the world. It's also recomended that you disable inactive users and delete former"
  echo "users to increase security."
  echo
 elif [ $1 == "PRIVILIGE_LIST" ] ; then
  echo "guest          - A guest on the system."
  echo "internet_user  - A user that is on the Internet."
  echo "vpn_user        - A user that's capable of using virtual private networking through the Internet."
  echo "normal_user    - The normal level of access given."
  echo "administrator  - A user with administrative priviliges."
  echo "administratorl2 - A user with more administrative priviliges."
  echo "administratorl3 - A user with the third level of administrative priviliges."
  echo "administratorl4 - A user that has administrative priviliges second only to the root user."
  echo
 elif [ $1 == "LIST_CATIGORIES" ] ; then
  echo "Staff or Helpers:"
  echo "    Owners:                  nsowner"
  echo "    Network Helpers:        nsnhelper"
  echo "    Buisness Related People: nsbus, nsbusl2, nsbusl3"
  echo "    Staff:                  nsstaff, nsstaffl2"
  echo
  echo "Residents and Related People:"
  echo "    Residents:                                nslresident, nsresident, nsresidentl2"
  echo "    Friends and Family of People in the House: nslfrfam, nsfrfam, nsfrfaml2"
  echo
  echo "Strangers:"
  echo "    Unknown People: nslstranger, nsstranger, nsstrangerl2"
  echo
 elif [ $1 == "LIST" ] ; then
  # Staff or Helpers
  echo "nsowner    - The owner(s) of the company."
   
  echo "nsnhelper  - Someone who helps out with the network."
   
  echo "nsstaff    - A staff member."
  echo "nsstaffl2  - A staff member who needs to be able to have complete control over user and group passwords."
   
  echo "nsbus      - A buisness representative for a company that needs access to the network (caseworker, etc.)."
  echo "nsbusl2    - A buisness representative for a company that needs access to certain remote features of the network that guests"
  echo "              do not have access to."
  echo "nsbusl3    - A buisness representative for a company that needs normal access to the network."
  echo
  echo
   
 
  # Residents and Related People
  echo "nslresident  - A resident that doesn't have a computer of their own or should not be allowed to change certain settings on"
  echo  "              computers."
  echo "nsresident  - A resident that has a computer of their own and should be allowed to change settings that a computer owner"
  echo "              would likely want to change."
  echo "nsresidentl2 - A resident that has equal power as a normal staff member and therefore is allowed to reset network passwords."
  echo
  echo
   
  echo "nslfrfam    - A friend or family member who should have certain remote priviliges that guests don't have."
  echo "nsfrfam      - A friend or family member that in addition to certain remote priviliges, is allowed to participate in VPN"
  echo "              Networking."
  echo "nsfrfaml2    - A friend or family member that should have normal access to the network."
  echo
  echo
   
 
  # Strangers
  echo "nslstranger  - A stranger that needs their own account for a special purpose."
  echo "nsstranger  - A stranger that needs their own account for certain remote priviliges that guests do not have."
  echo "nsstrangerl2 - A stranger that needs to participate in VPN Networking."
  echo
 else
  echo "Invalid Command Given"
 fi
elif [ $# == 2 ] ; then
if [ $1 == "PRIVILIGE_LIST" ] ; then 
 if [ $2 == "guest" ] ; then
  echo "guest          - A guest on the system."
  echo
  echo "An unidentified user. Usually there is only one guest needed, however you may create more guest users if desired. Guests are allowed very few things they may do."
  echo
 elif [ $2 == "internet_user" ] ; then
  echo "internet_user  - A user that is on the Internet."
  echo
  echo "Internet users have certain remote priviliges that guests do not, making them perfect for very special applications where"
  echo "users need low priviliges."
  echo
 elif [ $2 == "vpn_user" ] ; then
  echo "vpn_user        - A user that's capable of using virtual private networking through the Internet."
  echo
  echo "A VPN user has just enough more priviliges to be able to feel comfortable with networking applications locally, or remotely."
  echo
 elif [ $2 == "normal_user" ] ; then
  echo "normal_user    - The normal level of access given."
  echo
  echo "A user with the standard priviliges is now allowed to do everything they normally need to do. Note that VPN priviliges do not"
  echo "go away at this level, but remain."
  echo
 elif [ $2 == "administrator" ] ; then
  echo "administrator  - A user with administrative priviliges."
  echo
  echo "A user that can change settings on the local computer to set up some system-wide settings. However, they do not nearly have"
  echo "full priviliges over the network."
  echo
 elif [ $2 == "administratorl2" ] ; then
  echo "administratorl2 - A user with more administrative priviliges."
  echo
  echo "With the addition of this access-level, a user may now reset passwords."
  echo
 elif [ $2 == "administratorl3" ] ; then
  echo "administratorl3 - A user with the third level of administrative priviliges."
  echo
  echo "Level 3 Administrators are allowed to not only reset passwords, but can change them to anything they desire. This might be"
  echo "useful for protecting against attacks from authorized users."
  echo
 elif [ $2 == "administratorl4" ] ; then
  echo "administratorl4 - A user that has administrative priviliges second only to the root user."
  echo
  echo "This access-level allows a user to do anything they wish to do on the network, save things that take root priviliges to"
  echo "accomplish."
  echo
 else
  echo "Invalid Option Given"
 fi
elif [ $1 == "LIST" ] ; then
 if [ $2 == "nsowner" ] ; then
  echo "nsowner    - The owner(s) of the company."
  echo
  echo "You would use this userset-level for anybody who owns the company."
  echo
 elif [ $2 == "nsnhelper" ] ; then
  echo "nsnhelper  - Someone who helps out with the network."
  echo
  echo "Because the owners may not wish to know everything about the network, they may deligate some tasks to network helpers."
  echo
 elif [ $2 == "nsstaff" ] ; then
  echo "nsstaff    - A staff member."
  echo
  echo "Most staff would simply require this level of access to the network and no more."
  echo
 elif [ $2 == "nsstaffl2" ] ; then
  echo "nsstaffl2  - A staff member who needs to be able to have complete control over user and group passwords."
  echo
  echo "Some staff might need to change account passwords to attribary values."
  echo
 elif [ $2 == "nsbus" ] ; then
  echo "nsbus      - A buisness representative for a company that needs access to the network (caseworker, etc.)."
  echo
  echo "Some buisness representatives might need access to the network beyond the standard guest account because they're here often"
  echo "enough."
  echo
 elif [ $2 == "nsbusl2" ] ; then
  echo "nsbusl2    - A buisness representative for a company that needs access to certain remote features of the network that guests              do not have access to."
  echo
  echo "A buisness representative might need to communicate with the network on a regular basis, but might not require very much"
  echo "local access."
  echo
 elif [ $2 == "nsbusl3" ] ; then
  echo "nsbusl3    - A buisness representative for a company that needs normal access to the network."
  echo
  echo "A buisness representative might require access to the network locally so that they may accomplish certain tasks they"
  echo "otherwise may not."
  echo
 elif [ $2 == "nslresident" ] ; then
  echo "nslresident  - A resident that doesn't have a computer of their own or should not be allowed to change certain settings on"
  echo "              computers."
  echo
  echo "Not all residents have their own computer. If they do not, they'd get this level of access to attempt to protect"
  echo "staff/residents from abuse or accidents. They might also not be very trustworthy."
  echo
 elif [ $2 == "nsresident" ] ; then
  echo "nsresident  - A resident that has a computer of their own and should be allowed to change settings that a computer owner"
  echo "              would likely want to change."
  echo
  echo "As most residents have their own computer, most residents are allowed to do a whole number of things to their computer. It's only when it comes to the network that they are restricted."
  echo
 elif [ $2 == "nsresidentl2" ] ; then
  echo "nsresidentl2 - A resident that has equal power as a normal staff member and therefore is allowed to reset network passwords."
  echo
  echo "Is resetting passwords too common an operation for staff? Is it getting annoying? Can some residents be trusted to reset "
  echo "passwords? If you allow them to have this level of access, then the task of resetting passwords may be delegated to a"
  echo "resident."
  echo
 elif [ $2 == "nslfrfam" ] ; then
  echo "nslfrfam    - A friend or family member who should have certain remote priviliges that guests don't have."
  echo
  echo "Often certain friends and family may need access to the network beyond the guest account for tasks over the Internet. A"
  echo "program may require them to have their own account, but the guest account won't do, because it doesn't have the proper remotepriviliges."
  echo
 elif [ $2 == "nsfrfam" ] ; then
  echo "nsfrfam      - A friend or family member that in addition to certain remote priviliges, is allowed to participate in VPN"
  echo "              Networking."
  echo
  echo "If you tend to desire to play special shared games with a friend or family member, or you do projects with them often, you "
  echo "might consider allowing them VPN access, as this will pass through the firewall."
  echo
 elif [ $2 == "nsfrfaml2" ] ; then
  echo "nsfrfaml2    - A friend or family member that should have normal access to the network."
  echo
  echo "Sometimes VPN access isn't enough for your friend or family. Sometimes they may need to come in and sit down and 'borrow'"
  echo "your machine. In a case like this, you might give them normal "
  echo "network access."
  echo
 elif [ $2 == "nslstranger" ] ; then
  echo "nslstranger  - A stranger that needs their own account for a special purpose."
  echo
  echo "Normally, strangers do not need accounts. But what if they do for a special purpose? You don't trust them a lot, likely, so"
  echo "you give them guest access via this type of account."
  echo
 elif [ $2 == "nsstranger" ] ; then
  echo "nsstranger  - A stranger that needs their own account for certain remote priviliges that guests do not have."
  echo
  echo "An application might require a stranger to have higher than guest access. If so, then this is the right type of account."
  echo
 elif [ $2 == "nsstrangerl2" ] ; then
  echo "nsstrangerl2 - A stranger that needs to participate in VPN Networking."
  echo
  echo "Some strangers need VPN access to the network. Use this with care."
  echo
 else
  echo "Invalid Option Given"
 fi
fi
else
 echo "Invalid Command Given"
fi


des_a 02-06-2008 04:04 PM

That explains the privilege levels in a nutshell. Now, yes, each Windows user has a Linux user at this point. I was frustrated with manually entering and re-entering users and putting them in exactly the right privilege levels. I'm having to re-enter, because I'm using partimage to create "test patterns" of my Linux server as I go along, until I figure out how to get it just "perfect" where it's going to run and be reliable without much of my help all the time. Then I'll do the same starting with my client machine.

I got so frustrated, that I'd decided I'd try to save up money so I could buy a network printer instead of trying to continue with the otherwise good USB printer. But that was before December, when I did make major progress towards getting it to work again.

I figured out in my head (just an approximate starting point though) how to automatically add users and groups to a machine. It even theoretically worked with at least 2 different OSs: Windows, and Linux (Samba included too). That turned out to be one thing I was wrong about how to do in the samba server, previously (with the new version I'm using).

When creating the samba server, my intent is to create a PDC, but not all of its functions are to be used with all the computers all the time. Unless my understanding of how its behavior would be is wrong, then I could use all the features of a PDC.

My understanding is that a PDC would mean that all computers in the domain had users and groups the same and stored in one place. But it'd also make it so that (especially laptops) are useless outside of this house. They'd not be able to function properly without being able to "find" the domain controller. Computers are typically owned by individuals, so this'd be an issue. Plus some computers run Windows XP Home, some run Windows XP Professional, and some run Windows XP Media Center Edition.

I'm now starting to encourage others to use a version of Windows XP, and not Windows XP Home. If I can do the same configuration, I'll also help with Windows 9x too, but except for some planned special situations (servers), I'm not going to discourage it. I'm also encouraging people not to install Vista yet, or to do so with no help yet. Linux clients are temporarily no longer supported, save servers until I can close the newly found security holes from installing them.

So, since this should make full domains not a good idea, I've created users that exactly match as much as possible (some Windows groups do nothing on XP, and vice versa for Linux and/or samba), in respect to privileges they've got.

To deal with this, I've created 3 sets of scripts. One for Windows XP, one for Linux, and one for Samba. All 3 work almost identically, but the deep insides must be different because of the inconsistencies with how Linux and Windows and Samba expect their commands to be given.

I'd run the scripts for Linux for each Linux machine. I'd also do so with Windows XP. Last, I'd do so with samba. For places that can safely use the PDC, I'd run as few scripts as possible for it to work. I'd use the groups from the PDC as much as I safely can to reduce requirements for computer hardware/virtual hardware.

Each computer would carry the users and groups around with them so that the computer would work anywhere.

des_a 02-06-2008 04:26 PM

Here's the basic Linux scripts for adding and removing samba users and groups. My current distributions do not provide smbadduser to add users. I previously relied on this, so finding no downloadable version for my version of samba, I started by creating my own version. I later revised it so that I could map users to a different Linux user than the Windows user if I wanted to. This is rarely needed or used, but I decided not to delete Administrator from Windows, so Administrator and root on Windows both had to map to the root user on Linux and Samba.

For adding users to the username map (asmbuser):
Code:

#! /bin/sh
# asmbuser: append a "linux user = windows user(s)" line to the Samba username map.

if [ $# -ne 2 ] ; then
 echo "Usage: asmbuser [linux username] [samba username(s)]"
else
 echo "$1 = $2" >> /etc/samba/smbusers
fi

For deleting users from the username map (dsmbuser):
Code:

#! /bin/sh
# dsmbuser: remove the map line for one Linux user from the Samba username map.
# Writing "cat FILE | sed ... > FILE" truncates FILE before cat reads it and
# empties the whole map, so the result goes to a temporary file first.  The
# pattern is anchored on the "=" so "dsmbuser ns" does not also drop nsowner.

MAP=/etc/samba/smbusers

if [ $# -ne 1 ] ; then
 echo "Usage: dsmbuser [linux username]"
else
 sed "/^$1[[:space:]]*=/d" "$MAP" > "$MAP.tmp" && mv "$MAP.tmp" "$MAP"
fi

For editing users from the username map (esmbuser):
Code:

#! /bin/sh
# esmbuser: replace the map line for a Linux user (delete, then add again).

if [ $# -ne 2 ] ; then
 echo "Usage: esmbuser [linux username] [samba username]"
else
 dsmbuser "$1"
 asmbuser "$1" "$2"
fi

For finding users added to the username map (fsmbuser):
Code:

#! /bin/sh
# fsmbuser: show the map line for a Linux user (exact name, not a prefix).

if [ $# -ne 1 ] ; then
 echo "Usage: fsmbuser [linux username]"
else
 grep "^$1[[:space:]]*=" /etc/samba/smbusers
fi

For the complete adding of a samba user (smbadduser):
Code:

#!/bin/sh
# smbadduser: create the Samba password entry and map the Windows name(s) to it.
# The password is piped straight into smbpasswd -s (which reads it twice from
# stdin) instead of being left behind in a world-readable file under /tmp.
# It is still visible in the process list while the command runs.

if [ $# -ne 3 ] ; then
 echo "Usage: smbadduser [linux username] [windows username] [password]"
else
 printf '%s\n%s\n' "$3" "$3" | smbpasswd -a -s "$1"
 asmbuser "$1" "$2"
fi

For the complete deleting of a samba user (smbdeluser):
Code:

#!/bin/sh
# smbdeluser: drop the username-map line, then the Samba password entry.

if [ $# -eq 0 ] ; then
 echo "Usage: smbdeluser [user]"
else
 dsmbuser "$1"
 smbpasswd -x "$1"
fi

Since I didn't rely on anything for groups before, I just created the best possible interface for adding groups. My old version of Linux and Samba did not require mapping groups. This one does.

For miscellaneous groupmap options (smbgroup):
Code:

#!/bin/sh
# smbgroup: thin wrapper around "net groupmap" for the Windows <-> Unix group map.
# POSIX "=" replaces the bashism "==", arguments are quoted, and an unknown
# option is reported instead of silently doing nothing.

if [ $# -ne 0 ] ; then
 if [ "$1" = "list" ] ; then
  if [ $# -eq 1 ] ; then
   net groupmap list verbose
  elif [ $# -eq 2 ] ; then
   net groupmap list ntgroup="$2"
  else
   echo "Bad format"
  fi
 elif [ "$1" = "add" ] ; then
  if [ $# -eq 5 ] ; then
   net groupmap add ntgroup="$2" unixgroup="$3" type="$4" comment="$5"
  elif [ $# -eq 6 ] ; then
   net groupmap add ntgroup="$2" unixgroup="$3" type="$4" comment="$5" rid="$6"
  else
   echo "Bad format"
  fi
 elif [ "$1" = "delete" ] ; then
  if [ $# -eq 2 ] ; then
   net groupmap delete ntgroup="$2"
  else
   echo "Bad format"
  fi
 elif [ "$1" = "modify" ] ; then
  if [ $# -eq 5 ] ; then
   net groupmap modify ntgroup="$2" unixgroup="$3" type="$4" comment="$5"
  else
   echo "Bad format"
  fi
 elif [ "$1" = "typelist" ] ; then
  echo "builtin - Group that normally comes built into Windows machines"
  echo "local   - Group used on the local machine"
  echo "domain  - Group used on the whole domain"
 else
  echo "Unknown option: $1"
 fi
else
 echo "Usage: smbgroup <options>"
 echo "      <option> = list [ntgroup]"
 echo "      <option> = add <ntgroup> <unixgroup> <type> <comment> [rid]"
 echo "      <option> = delete <ntgroup>"
 echo "      <option> = modify <ntgroup> <unixgroup> <type> <comment>"
 echo "      <option> = typelist"
fi


des_a 02-06-2008 04:47 PM

I also created a Linux script to add the directories that aren't there yet. I created the script along with the other user creation tools. I used prior DOS/Windows/Linux code knowledge to create this script, and I decided to allow it to automatically run when I initialize the Samba groups, so that not running it wouldn't cause errors. It's run at what should be the proper time. Here's the code for adding and removing the standard directories.

smbaddsdirs:
Code:

#! /bin/sh
# smbaddsdirs: create the standard Samba share tree under /mnt/etc/samba.
# Absolute paths replace the chain of "cd" calls, so a failed cd can no longer
# leave later mkdir/ln commands running in the wrong directory, and set -e
# stops the script at the first error.
set -e
BASE=/mnt/etc/samba

echo Making Standard Samba Directories...
echo
echo
echo Making Directories...
for d in "$BASE" "$BASE/public" "$BASE/software" "$BASE/software/basic" \
         "$BASE/drives" "$BASE/removable" "$BASE/removable/DATA" "$BASE/documentation"
do
 echo "$d"
 mkdir -p "$d"
done

echo
echo
echo Making Links...
echo "$BASE/software/standard"
ln -s /mnt/removable/DATA/SOFTWARE "$BASE/software/standard"

echo "$BASE/removable/BACKUP"
ln -s /mnt/removable/BACKUP "$BASE/removable/BACKUP"

echo "$BASE/removable/lost+found"
ln -s /mnt/removable/lost+found "$BASE/removable/lost+found"

# The remaining links land under removable/, which is where the cd sequence
# of the cd-based version put them (its echo labels said otherwise).
echo "$BASE/removable/Recycled"
ln -s /mnt/removable/Recycled "$BASE/removable/Recycled"

echo "$BASE/removable/DATA/DOWNLOADS"
ln -s /mnt/removable/DATA/DOWNLOADS "$BASE/removable/DATA/DOWNLOADS"

echo "$BASE/removable/DATA/programs"
ln -s /mnt/removable/DATA/programs "$BASE/removable/DATA/programs"

echo "$BASE/removable/DATA/Projects"
ln -s /mnt/removable/DATA/Projects "$BASE/removable/DATA/Projects"

echo "$BASE/removable/DATA/TEMP"
ln -s /mnt/removable/DATA/TEMP "$BASE/removable/DATA/TEMP"

echo "$BASE/removable/DATA/Templates"
ln -s /mnt/removable/DATA/Templates "$BASE/removable/DATA/Templates"

smbdelsdirs:
Code:

#! /bin/sh
# smbdelsdirs: remove the standard Samba share tree.
# "cd DIR; rm -r -f *" runs the rm in whatever directory the shell is in when
# the cd fails, so the cd is guarded; "--" keeps odd names from being parsed
# as options.  Symlinks are removed, their targets under /mnt/removable are not.

echo Deleting Standard Samba Directories...
cd /mnt/etc/samba || exit 1
rm -r -f -- *

cd .. && rmdir samba

Note that at this time, all the permissions are set manually for these directories. The reason for this is most of the code was originally ported from DOS/Windows and they usually don't support permissions. Second, when troubleshooting, I'd rather first create them manually in small groups, and then figure out how they should be, and make a way to do this automatically. I did attempt to set it up though, of course, because if I didn't, that would be the fault right there, and I'd rather try to set it up than not make an effort and do pointless work.

des_a 02-06-2008 05:00 PM

All these Linux scripts should be put in /usr/bin. They should all be owned by user root and group root. Also they require the same chmod 750 mode. This closes security holes and bugs if you run them as normal users. When they are ever needed to be run by normal users, it requires sudo. Sudo has to be set up for it to run as root for the most part, but my sudo file is another story most likely.
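An added audit script (not des_a's code) for the two things this thread turns on: a share path that non-root users cannot reach, which Samba reports to the client as the path not being found, and the root:root mode 750 rule for the tools in /usr/bin. It assumes a POSIX find(1); the share paths and tool names in the "run" section are the ones given in the posts above.

```shell
#!/bin/sh
# Added audit helper, not from the thread.  Assumes POSIX find(1).
# check_share_path DIR : every directory on the path must carry a group or
#   other execute (search) bit, or the user smbd runs the client as cannot
#   enter it and the share "cannot be found" for everyone but root.
# check_tool FILE [OWNER] [GROUP] [MODE] : exact ownership and mode check
#   (defaults root, root, 750 as required above).

check_share_path() {
  d=$1
  [ -d "$d" ] || { echo "NOT FOUND   $d"; return 1; }
  case $d in /*) p="" ;; *) p="." ;; esac
  oldifs=$IFS
  IFS=/
  for comp in $d; do
    IFS=$oldifs
    [ -z "$comp" ] && continue
    p="$p/$comp"
    # -prune keeps find on the directory itself; -perm -010 / -001 test the
    # group / other execute bits, so the path is rejected at the first blocker.
    if [ -z "$(find "$p" -prune \( -perm -010 -o -perm -001 \) -print 2>/dev/null)" ]; then
      echo "NO TRAVERSE $p (blocks non-root access to $d)"
      return 1
    fi
  done
  IFS=$oldifs
  echo "OK          $d"
  return 0
}

check_tool() {
  f=$1; owner=${2:-root}; group=${3:-root}; mode=${4:-750}
  [ -f "$f" ] || { echo "MISSING $f"; return 1; }
  if [ -n "$(find "$f" -prune -user "$owner" -group "$group" -perm "$mode" -print 2>/dev/null)" ]; then
    echo "OK      $f"
    return 0
  fi
  echo "BAD     $f: want $owner:$group mode $mode, have $(ls -ld "$f" | cut -c1-10)"
  return 1
}

# "audit.sh run": check the standard share tree and the tools from this thread.
if [ "${1:-}" = "run" ]; then
  rc=0
  for d in /mnt/etc/samba /mnt/etc/samba/public /mnt/etc/samba/software/basic; do
    check_share_path "$d" || rc=1
  done
  for t in asmbuser dsmbuser esmbuser fsmbuser smbadduser smbdeluser smbgroup; do
    check_tool "/usr/bin/$t" || rc=1
  done
  exit $rc
fi
```

A parent directory such as /mnt/etc with mode 700 fails the walk even when the share directory itself is 755, which is the case the per-share permission check misses.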

