
Re: [Samba] Run smbd in AD user context




On Sun, 2018-03-11 at 06:46 +0100, Davor Vusir via samba wrote:
> 2018-03-10 19:48 GMT+01:00 Jeremy Allison <jra@xxxxxxxxx>:
> 
> > On Sat, Mar 10, 2018 at 01:10:46PM +0100, Davor Vusir via samba wrote:
> > > 
> > > Off list I got a tip on using become_user(). As soon as I get a grip on how
> > > to extract the calling user's vuid I give it a try. I have of course tried
> > > other functions; become_user_permanently( ), become_user_by_session( ) and
> > > become_authenticated_pipe_user( ). None of these have given the right
> > > $HOME. Or I simply don't know how to interpret the outcome or to proceed
> > > from there.
> > 
> > None of these functions set $HOME, as Samba doesn't
> > use this in any of our code. We get and use the home directory
> > when the magic [homes] share is configured, but never
> > set an environment variable. Your code will have to take
> > care of that itself.
> > 
> > Jeremy.
> > 
> 
> I see. Thank you. I'll see what I can do.
> Is it possible to run smbd in the context of a service account, preferably
> an AD account?
> Is it possible to run a VFS module in the context of a service account?
> Preferably in the calling user's context?

It is, it does change to the right user for the kernel's purposes. 
Things that use getpwuid(geteuid()) will get the 'right' results, but
you have to work out how to fight with your library to do the glue.

In terms of 'can you run the whole smbd as non-root', then no.

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
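
The glue both replies leave to the caller, as an added example that is not part of the original thread and is not Samba code: once the process runs as the calling user, look up that user's home directory from the effective uid and set $HOME from it. The helper names home_for_uid() and sync_home_to_euid() are hypothetical, and the example assumes the uid switch has already happened.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not Samba code): copy uid's home directory into out.
 * Returns 0 on success, -1 if there is no passwd entry or out is too small. */
int home_for_uid(uid_t uid, char *out, size_t outlen)
{
    struct passwd pw, *res = NULL;
    char *buf = NULL, *tmp;
    int rc = -1, err = ERANGE;

    /* Grow the scratch buffer while getpwuid_r() reports ERANGE. */
    for (size_t len = 1024; err == ERANGE && len <= ((size_t)1 << 20); len *= 2) {
        if ((tmp = realloc(buf, len)) == NULL)
            break;
        buf = tmp;
        err = getpwuid_r(uid, &pw, buf, len, &res);
    }
    if (err == 0 && res != NULL && out != NULL && strlen(res->pw_dir) < outlen) {
        strcpy(out, res->pw_dir);
        rc = 0;
    }
    free(buf);
    return rc;
}

/* Hypothetical helper: call once the process is running as the target user.
 * Fails closed: without a passwd entry the inherited HOME is removed. */
int sync_home_to_euid(void)
{
    char home[4096];

    if (home_for_uid(geteuid(), home, sizeof(home)) != 0) {
        unsetenv("HOME");
        return -1;
    }
    return setenv("HOME", home, 1);
}

int main(void)
{
    return sync_home_to_euid() == 0 ? 0 : 1;
}
```

Removing HOME on lookup failure keeps a library from silently reading or writing the previous user's (typically root's) home directory.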

