mirror of https://github.com/tLDP/LDP
863 lines
47 KiB
Plaintext
863 lines
47 KiB
Plaintext
<!doctype linuxdoc system>
|
|
|
|
<article><!-- LyX 1.2 created this file. For more info see http://www.lyx.org/ -->
|
|
<title>Samba Authenticated Gateway HOWTO
|
|
</title><author>Ricardo Alexandre Mattar
|
|
</author><date>v1.1.1, 2003-07-14
|
|
</date><abstract>This documents intends to show how to build a Firewall/Gateway
|
|
with rules set on user basis having the users authenticated by a
|
|
Samba Primary Domain Controller
|
|
</abstract><sect>Introduction
|
|
<p>As you can see by the poorness of my language, English is not
|
|
my native language. I am writing this document in English for the
|
|
sake of the Linux community. So, please, excuse me for my poor English.
|
|
And, please, if you speak Portuguese, address me in this language.
|
|
</p><p>This document intends to enlighten you (and myself) in the process
|
|
of building a Linux Gateway or Firewall, which modify rules on demand
|
|
when users log in or out from their Windows workstations.
|
|
</p><p>I should be writing an application, but I am too lazy. Hopefully
|
|
when the idea is out there, people will build a few intelligently
|
|
integrated packages. Meanwhile...
|
|
</p><p>In this document, I will try to show how to build a gateway to
|
|
NAT or MASQUERADE Windows workstations. Use your imagination to modify
|
|
it to get any level of network management. You may use it to grant
|
|
or deny access to services, servers or entire subnetworks on your
|
|
network.
|
|
</p><p>Imagine that you have to build a gateway to let Windows workstation
|
|
access the Internet and that you need to authenticate each user before
|
|
letting them access the external networks. The first solution you
|
|
think about is Squid. It's indeed a great solution, when http and
|
|
ftp access is enough for your users. When it comes to let them access
|
|
other services like pop, smtp, ssh, a database server or whatever
|
|
else, you immediately think about NAT or MASQUERADE. But what happens
|
|
to the user authentication?
|
|
</p><p>Well, this is my solution. It gives you user authentication and
|
|
fine grain control over their access to the external networks.
|
|
</p><sect1>Overview
|
|
<p>We know that SAMBA can act as a Domain Controller and so it can
|
|
authenticate users on Windows boxes. As a PDC, SAMBA can push netlogon
|
|
scripts to the Windows workstations. We can use this netlogon scripts
|
|
to force the Windows workstations mounting a given share from our
|
|
Linux PDC. This "forced" share shall have preexec and postexec scripts
|
|
which shall be triggered when the user logs in or out. There is a
|
|
program named smbstatus which lists the shares being used, giving
|
|
us also the username and ip address of the workstation. We just need
|
|
to grep this information from smbstatus output and update our firewall
|
|
rules.
|
|
</p><sect1>Disclaimer
|
|
<p>No liability for the contents of this document can be accepted.
|
|
Use the concepts, examples and other content at your own risk. As
|
|
this is a new edition of this document, there may be errors and inaccuracies,
|
|
that may of course be damaging to your system. Proceed with caution,
|
|
and although this is highly unlikely, the author(s) do not take any
|
|
responsibility for that.
|
|
</p><p>All copyrights are held by their respective owners, unless specifically
|
|
noted otherwise. Use of a term in this document should not be regarded
|
|
as affecting the validity of any trademark or service mark.
|
|
</p><p>Naming of particular products or brands should not be seen as
|
|
endorsements.
|
|
</p><sect1>New versions
|
|
<p>The newest release of this document can be found at <url url="http://ram.eti.br" name="http://ram.eti.br"> or at <url url="http://www.tldp.org" name="http://www.tldp.org">
|
|
</p><p>Related HOWTOs can be found at the Linux Documentation Project
|
|
homepage at <url url="http://tldp.org" name="http://tldp.org">.
|
|
</p><sect1>Translations
|
|
<p>A Portuguese version is available.
|
|
</p><p>A French translation by Guillaume Lelarge is available at<url url="http://www.traduc.org/docs/HOWTO/lecture/Samba-Authenticated-Gateway-HOWTO.html" name="http://www.traduc.org">
|
|
</p><p>If you want to contribute with a translation, please do.
|
|
</p><sect1>Feedback
|
|
<p>Contributions and criticism are both welcome.
|
|
</p><p>Corrections to my English are also very welcome!
|
|
</p><p>If you find any bugs in the scripts included, please tell me.
|
|
</p><p>You can find me at ricardo@ram.eti.br or ricardo.mattar@bol.com.br
|
|
</p><sect1>Copyright and trademarks
|
|
<p>Copyright (c) 2002-2003 Ricardo Alexandre Mattar
|
|
</p><p>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation;
|
|
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
"GNU Free Documentation License".
|
|
</p><sect1>Acknowledgments and Thanks
|
|
<p>Thanks to Carlos Alberto Reis Ribeiro for introducing me to Linux.
|
|
</p><p>Thanks to Cesar Bremer Pinheiro for motivating me to write this
|
|
document.
|
|
</p><p>Thanks to Guillaume Lelarge for the (continuous) help with the
|
|
revision.
|
|
</p><p>Thanks to Erik Esplund for further language corrections.
|
|
</p><p>Thanks to Albert Teixids for code improvements.
|
|
</p><sect>Requirements
|
|
<sect1>Knowledge
|
|
<p>This document is target at the seasoned systems administrator.
|
|
</p><p>You must have a fair knowledge about (at least know what these
|
|
are):
|
|
</p><p><itemize><item>TCP/IP;
|
|
<item>Linux netfilter;
|
|
<item>A scripting language (bash?);
|
|
<item>SAMBA and Windows networking and domain controllers;
|
|
</itemize></p><p>Fortunately, there is plenty of documentation on these topics
|
|
on the Internet.
|
|
</p><sect1>Software
|
|
<p>Installed on your server, you will need at least:
|
|
</p><p><itemize><item>Samba;
|
|
<item>Iptables;
|
|
<item>A scripting language;
|
|
</itemize></p><sect>Linux box setup
|
|
<p>This Howto assumes you have a kernel from the 2.4 series as it
|
|
uses iptables. Other than that, there are no known issues why this
|
|
should not work on a 2.2 kernel box with the scripts adapted to ipchains.
|
|
</p><p>Of course, you need to install the iptables userland tools, an
|
|
apache http server if you want to run a CGI tool to change passwords
|
|
and SAMBA. And you will need a kernel compiled with iptables modules.
|
|
</p><p>You may wish to use DHCP. If so, it is easy to set up. Remember
|
|
to configure the dhcp server to give the nameserver IP address and
|
|
the gateway IP address as well. The Windows machines will make good
|
|
use of this information.
|
|
</p><sect1>Basic system setup
|
|
<p>Generally any basic system setup from the common Linux distributions
|
|
will fit in this gateway example. Just check if you have Samba and
|
|
IPTABLES.
|
|
</p><sect1>Additional directory hierarchy
|
|
<p>The additional directory hierarchy will be required to accomplish
|
|
the example of this howto:
|
|
</p><p>This is used to keep track of the users and IP addresses:
|
|
</p><p><verb>/var/run/smbgate/
|
|
</verb></p><p>This is where I place user specific scripts:
|
|
</p><p><verb>/etc/smbgate/users/
|
|
</verb></p><p>And group specific scripts:
|
|
</p><p><verb>/etc/smbgate/groups/
|
|
</verb></p><p>Directory for the netlogon share:
|
|
</p><p><verb>/home/samba/netlogon/
|
|
</verb></p><p>Directory for the tracking share:
|
|
</p><p><verb>/home/samba/samba/
|
|
</verb></p><p>These hierarchies are required by some of the scripts and daemons
|
|
of the example.
|
|
</p><sect1>Firewall setup
|
|
<p>Its very unlikely that your distribution's kernel won't be compiled
|
|
with Iptables and the userland tools won't be installed either. Anyway,
|
|
if you don't have it, refer to <url url="http://www.netfilter.org" name="http://www.netfilter.org"> or <url url="http://www.iptables.org" name="http://www.iptables.org"> to get the software and the documentation.
|
|
</p><p>You will need a basic firewall setup in order to get the gateway
|
|
working. Take a look at the iptables tutorial at <url url="http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html" name="IPTABLES TUTORIAL">. It's an interesting
|
|
reading. Anyway, if you have no time to spend, the following code
|
|
is somewhat (very) loose but it may fit your needs:
|
|
</p><p><verb>#!/bin/sh
|
|
IPTABLES=/usr/sbin/iptables
|
|
/sbin/depmod -a
|
|
/sbin/insmod ip_tables
|
|
/sbin/insmod ip_conntrack
|
|
/sbin/insmod ip_conntrack_ftp
|
|
/sbin/insmod ip_conntrack_irc
|
|
/sbin/insmod iptable_nat
|
|
/sbin/insmod ip_nat_ftp
|
|
echo "1" > /proc/sys/net/ipv4/ip_forward
|
|
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
|
|
$IPTABLES -P INPUT ACCEPT
|
|
$IPTABLES -F INPUT
|
|
$IPTABLES -P OUTPUT ACCEPT
|
|
$IPTABLES -F OUTPUT
|
|
$IPTABLES -P FORWARD ACCEPT
|
|
$IPTABLES -F FORWARD
|
|
$IPTABLES -t nat -F
|
|
</verb></p><p>You will notice that this code actually does nothing, but load
|
|
the kernel modules related to nat and firewalling and turns the packet
|
|
routing on. You can (and should) place any rules there to give your
|
|
gateway a standard behavior, but the big magic will be done by scripts
|
|
called by the SAMBA daemon.
|
|
</p><p>Please, remember that this code doesn't have the least bit of
|
|
security! Don't use these examples in production environments. This
|
|
example intends only to be educational. You have to add a firewall
|
|
configuration that suits your systems.
|
|
</p><p>You have been warned!
|
|
</p><sect1>SAMBA setup
|
|
<p>Check if you have Samba installed. If your distribution doesn't
|
|
come with Samba pre-packaged then refer to <url url="http://www.samba.org" name="http://www.samba.org"> to get the packages and
|
|
for documentation on how to install Samba. Brows around their web
|
|
site and learn about it. The site has plenty of documentation and
|
|
maybe your LINUX distribution also has plenty of SAMBA documentation.
|
|
</p><p>We will need to setup SAMBA as a Primary Domain Controller. I
|
|
will give an example configuration file here, but you should read
|
|
the <url url="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html" name="Samba HOWTO Collection"> and learn all you can about a PDC.
|
|
</p><sect2>Basic SAMBA setup.
|
|
<p>Since I do not intend to rewrite the SAMBA documentation, here
|
|
goes a sample smb.conf file:
|
|
</p><p><verb># Global parameters
|
|
[global]
|
|
workgroup = DOMAIN
|
|
netbios name = LINUX
|
|
server string = Linux PDC
|
|
encrypt passwords = Yes
|
|
map to guest = Bad Password
|
|
passwd program = /usr/bin/passwd
|
|
unix password sync = Yes
|
|
max log size = 50
|
|
time server = Yes
|
|
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
|
|
logon script = netlogon.bat
|
|
domain logons = Yes
|
|
os level = 64
|
|
lm announce = True
|
|
preferred master = True
|
|
domain master = True
|
|
dns proxy = No
|
|
printing = lprng
|
|
[homes]
|
|
comment = Home Directories
|
|
path = /home/%u
|
|
read only = No
|
|
[printers]
|
|
comment = All Printers
|
|
path = /var/spool/samba
|
|
printable = Yes
|
|
browseable = No
|
|
available = No
|
|
[netlogon]
|
|
comment = NetLogon ShARE
|
|
path = /home/samba/netlogon
|
|
guest account =
|
|
[samba]
|
|
comment = login tracking share
|
|
path = /home/samba/samba
|
|
browseable = No
|
|
root preexec = /usr/local/bin/netlogon.sh %u %I
|
|
root postexec = /usr/local/bin/netlogoff.sh %u
|
|
</verb></p><p>You will have to do with it or read the SAMBA documentation if
|
|
you really want to control your server and network.
|
|
</p><sect2>The netlogon and the tracking shares
|
|
<p>The netlogon share is where the Windows workstations download
|
|
the logon script from. We need this share in order to place there
|
|
a logon script, which will tell the workstation to mount a share
|
|
that will be used to track the users ip addresses.
|
|
</p><p>As you can see, there must be a line like the following in your
|
|
smb.conf
|
|
</p><p><verb>logon script = netlogon.bat
|
|
</verb></p><p>This line will tell your Windows client to download and execute
|
|
the script named netlogon.bat. This script must be placed at the
|
|
netlogon share. So, we will also need a netlogon.bat script to your
|
|
Windows workstations. You can use the following example and place
|
|
it at the netlogon share, in this case: /home/samba/netlogon/NETLOGON.BAT.
|
|
</p><p><verb>REM NETLOGON.BAT
|
|
net use z: \\linux\samba /yes
|
|
</verb></p><p>This script will tell the Windows workstation to mount the specified
|
|
share, and so we will be able to keep track of the user and workstation
|
|
through the output of the smbstatus program.
|
|
</p><p>Quite simple! But not enough...
|
|
</p><p>As you could see, we will need also a tracking share which, in
|
|
this example, I named samba. You can see the tracking share configuration
|
|
in smb.conf:
|
|
</p><p><verb>[samba]
|
|
comment = login tracking share
|
|
path = /home/samba/samba
|
|
browseable = No
|
|
root preexec = /usr/local/bin/netlogon.sh %u %I
|
|
root postexec = /usr/local/bin/netlogoff.sh %u
|
|
</verb></p><p>As you can guess or know if you read the SAMBA documentation,
|
|
the root preexec and the root postexec lines tell SAMBA to run the
|
|
indicated scripts when a user mounts or unmounts the share. In this
|
|
case, we are passing the username to the script as a parameter. Note
|
|
the %u at the end of the lines. These scripts are the beasts
|
|
which will call a script or program to modify our gateway's packet
|
|
filtering rules.
|
|
</p><p>Note that the netlogon.sh script must check if the refered workstation
|
|
has already mounted the tracking share.
|
|
</p><p>Take a look at the netlogon.sh and netlogoff.sh scripts:
|
|
</p><p><verb>#!/bin/sh
|
|
#
|
|
# netlogon.sh
|
|
#
|
|
# usage:
|
|
# netlogon.sh <username>
|
|
#
|
|
if [ -f /var/run/smbgate/$1 ] ; then
|
|
exit 0
|
|
fi
|
|
echo $2 > /var/run/smbgate/$1
|
|
IPTABLES='/usr/sbin/iptables'
|
|
EXTIF='eth0'
|
|
COMMAND='-A'
|
|
ADDRESS=`cat /var/run/smbgate/$1`
|
|
GROUP=`groups $1 | gawk '// { print $3 }'`
|
|
if [ -f /etc/smbgate/users/$1 ] ; then
|
|
/etc/smbgate/users/$1 $COMMAND $ADDRESS $EXTIF
|
|
else
|
|
if [ -f /etc/smbgate/groups/$GROUP ] ; then
|
|
/etc/smbgate/groups/$GROUP $COMMAND $ADDRESS $EXTIF
|
|
else
|
|
/etc/smbgate/users/default.sh $COMMAND $ADDRESS $EXTIF
|
|
fi
|
|
fi
|
|
|
|
</verb></p><p>This script (netlogon.sh) is intended to run when the user logs
|
|
in and will select the which scripts will be executed based on the
|
|
user name and to which group the user belongs. The user's ip address
|
|
will be written to a file at /var/run/smbgate for tracking purposes.
|
|
The file will take the user's name and will be later used when the
|
|
user log off. The IP address will be passed as an argument to a script
|
|
with the users' name which will finally update the firewall.
|
|
</p><p>Notice that this netlogon.sh script tries a user script, then
|
|
if it can't find the user script it tries a group script, and finally
|
|
if it can't find the group script it tries the default.sh script.
|
|
You can modify this logic and behavior as you wish and need, just
|
|
remember to modify the others accordingly.
|
|
</p><p>Chances are if the user belong to more than one that these scripts
|
|
will fail. I did not have time to write a better code.
|
|
</p><p><verb>#!/bin/sh
|
|
#
|
|
# netlogoff.sh
|
|
#
|
|
# usage:
|
|
# netlogoff.sh <username>
|
|
#
|
|
IPTABLES='/usr/sbin/iptables'
|
|
EXTIF='ppp0'
|
|
COMMAND='-D'
|
|
ADDRESS=`cat /var/run/smbgate/$1`
|
|
GROUP=`groups $1 | gawk '// { print $3 }'`
|
|
if [ -f /etc/smbgate/users/$1 ] ; then
|
|
/etc/smbgate/users/$1 $COMMAND $ADDRESS $EXTIF
|
|
else
|
|
if [ -f /etc/smbgate/groups/$GROUP ] ; then
|
|
/etc/smbgate/groups/$GROUP $COMMAND $ADDRESS $EXTIF
|
|
else
|
|
/etc/smbgate/users/default.sh $COMMAND $ADDRESS $EXTIF
|
|
fi
|
|
fi
|
|
rm -f /var/run/smbgate/$1
|
|
</verb></p><p>This script (netlogoff.sh) is intended to run when the user logs
|
|
off and will get the address from the /var/run/smbgate/user file
|
|
which will be passed as an argument to the /etc/smbgate/users/user
|
|
script which will update the firewall to the state desired when the
|
|
user is not logged in.
|
|
</p><p>Some versions of Windows, such as Windows 2000, mount the tracking
|
|
share more than once per login. This may cause problems with the
|
|
netlogon.sh and netlogoff.sh, triggering the scripts more the once.
|
|
This can make a real mess. So, you may prefer to use a logout checking
|
|
script at cron instead of a netlogoff.sh script triggered by SAMBA.
|
|
Here is an example:
|
|
</p><p><verb>#!/bin/sh
|
|
# checklogout.sh
|
|
#
|
|
# usage:
|
|
# intended to run at cron (maybe each 10 minutes)
|
|
|
|
TRACKDIR="/var/run/smbgate"
|
|
DIRLENGTH=${#TRACKDIR}
|
|
TRACKSHARE="samba"
|
|
EXTIF='eth0'
|
|
COMMAND='-D'
|
|
if [ -d $TRACKDIR ]; then
|
|
for n in $TRACKDIR/*; do
|
|
[ -d $n ] && continue;
|
|
if [ -f $n ] ; then
|
|
IPADDRESS=`cat $n`
|
|
USERNAME=${n:$DIRLENGTH+1}
|
|
NMS=`smbstatus -u $USERNAME | grep $TRACKSHARE | grep $IPADDRESS | grep -v grep | wc -l`
|
|
if [ $NMS == 0 ] ; then
|
|
rm -f $n
|
|
GROUP=`groups $USERNAME | gawk '// { print $3 }'`
|
|
if [ -f /etc/smbgate/users/$USERNAME ] ; then
|
|
/etc/smbgate/users/$USERNAME $COMMAND $IPADDRESS $EXTIF
|
|
else
|
|
if [ -f /etc/smbgate/groups/$GROUP ] ; then
|
|
/etc/smbgate/groups/$GROUP $COMMAND $IPADDRESS $EXTIF
|
|
else
|
|
/etc/smbgate/users/default.sh $COMMAND $IPADDRESS $EXTIF
|
|
fi
|
|
fi
|
|
fi
|
|
else
|
|
exit 0
|
|
fi
|
|
done
|
|
fi
|
|
</verb></p><p>In that case you should remove the root postexec clause from
|
|
the tracking share on smb.conf:
|
|
</p><p><verb>root postexec = /usr/local/bin/netlogoff.sh %u
|
|
</verb></p><p>The following is a standard /etc/smbgate/users/user script. This
|
|
is the one which will actually modify the firewall rules.
|
|
</p><p><verb>#!/bin/sh
|
|
#
|
|
COMMAND=$1
|
|
ADDRESS=$2
|
|
EXTIF=$3
|
|
IPTABLES='/usr/sbin/iptables'
|
|
$IPTABLES $COMMAND POSTROUTING -t nat -s $ADDRESS -o $EXTIF -j MASQUERADE
|
|
</verb></p><p>We should also hase a default.sh script at /etc/smbgate/users/
|
|
to give the gateway a default behavior.
|
|
</p><p><verb>#!/bin/sh
|
|
#
|
|
# default.sh
|
|
COMMAND=$1
|
|
ADDRESS=$2
|
|
EXTIF=$3
|
|
IPTABLES='/usr/sbin/iptables'
|
|
#$IPTABLES $COMMAND POSTROUTING -t nat -s $ADDRESS -o $EXTIF -j MASQUERADE
|
|
exit 0
|
|
</verb></p><sect>Windows workstation setup
|
|
<sect1>Introduction
|
|
<p>We will stick to setting up the network, user management and
|
|
policies on the Windows workstations.
|
|
</p><p>I will not go through all those steps, naming each dialog box.
|
|
I will presume that if you can read and understand this document
|
|
you can find your way through that mess.
|
|
</p><sect1>Network protocols
|
|
<p>First, unless you really need, remove all network protocols but
|
|
TCP/IP. Even without their own protocol, Windows machines like to
|
|
broadcast a lot, and this doesn't please anyone. Anyway, with TCP/IP
|
|
who needs anything else?
|
|
</p><sect1>DHCP setup
|
|
<p>If you setup a DHCP server on your Linux box, remember that Windows
|
|
workstations can get the nameservers and gateway's address besides
|
|
its own IP address from it. So, you don't need to set all these items
|
|
on each workstation.
|
|
</p><sect1>Join your Linux server domain
|
|
<p>Configure the Windows workstation to log in a Domain, and give
|
|
the domain name of your Linux server. This is essential to the gateway
|
|
work.
|
|
</p><p>You must know that in order to join some versions of Windows
|
|
to a SAMBA domain controller, you must create machine accounts in
|
|
your Linux PDC. Check the SAMBA documentation on how to setup your
|
|
PDC to the specific version of Windows which you have.
|
|
</p><sect2>Windows 95/98
|
|
<p>These versions seems to need no special configuration to join
|
|
the Linux PDC domain.
|
|
</p><sect2>Windows NT and 2000
|
|
<p>These versions require machine accounts at the Linux box. Again,
|
|
check the SAMBA documentation.
|
|
</p><sect2>Windows XP
|
|
<p>This version needs a machine account at the Linux box and a tweak
|
|
at the registry, as follows.
|
|
</p><p>Locate the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal".
|
|
The default value is 1. Set it to 0 and it will no more complain
|
|
about joining the domain.
|
|
</p><p>If you have many workstation to configure create a file named
|
|
anything.reg with the following content and use it to modify the
|
|
"faulty" registry.
|
|
</p><p><verb>Windows Registry Editor Version 5.00
|
|
|
|
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
|
|
"requiresignorseal"=dword:00000000
|
|
</verb></p><p>This version also needs an adjust at the NETLOGON.BAT script.
|
|
Sometimes it insists on making the mounting persistent.
|
|
</p><p><verb>REM NETLOGON.BAT
|
|
net use z: \\linux\samba /yes /persistent:no
|
|
</verb></p><sect1>Policy editor
|
|
<p>There is a utility named policy editor bundled on the Windows
|
|
CD. The file name is poledit.exe. This tool, as the name suggest,
|
|
allows to create a user and system policy file.
|
|
</p><p>Unfortunately, this tool does not generate a plain text configuration
|
|
file, so I can't place an example here.
|
|
</p><p>Use the policy editor to create a policy to your workstations
|
|
and users. You should disable the local password cache and domain
|
|
cache in order to get some security. Save the policy file as config.pol
|
|
and place it at the netlogon share of your Linux server. In this
|
|
way, your Windows workstations will download and use the config.pol
|
|
file to set their policy. Of course this task must be done on a Windows
|
|
machine.
|
|
</p><p>If you don't use a config.pol file, your Windows workstations
|
|
will annoy you asking for a Windows password and you will become
|
|
nuts trying to synchronize and manage your Domain and Windows passwords.
|
|
It seems that the OS doesn't know that it joined a domain. You must
|
|
tell it and then you have to slap it in the face so it will believe
|
|
you.
|
|
</p><sect>User management
|
|
<sect1>Adding users
|
|
<p>Adding a Linux user by usual means and setting a samba password
|
|
using smbpasswd will work. If you have any doubt, just refer to the
|
|
SAMBA documentation. This is not a difficult issue.
|
|
</p><sect1>Password management
|
|
<p>I am issuing this a major topic because I couldn't learn yet
|
|
how to manage users and users' passwords from a Windows workstation
|
|
without using a web interface. I couldn't find and didn't know how
|
|
to build integrated tools to solve this problem. So, I am using a
|
|
CGI program to get it done.
|
|
</p><p>Try the package at <url url="http://changepassword.sourceforge.net" name="http://changepassword.sourceforge.net">, it seems to be a good choice.
|
|
</p><sect1>Granting or denying access to users
|
|
<p>As you could see in a previous section of this howto, the SAMBA
|
|
daemon will call a netlogon.sh script every time the tracking share
|
|
is mounted. This netlogon.sh script will call a script with the user's
|
|
name giving this script the ip address of the refered workstation
|
|
as a parameter. This user script will apply the desired rules.
|
|
</p><p>For example if you want to give the user full access to internet:
|
|
</p><p><verb>#!/bin/sh
|
|
#
|
|
COMMAND=$1
|
|
ADDRESS=$2
|
|
EXTIF=$3
|
|
IPTABLES='/usr/sbin/iptables'
|
|
$IPTABLES $COMMAND POSTROUTING -t nat -s $ADDRESS -o $EXTIF -j MASQUERADE
|
|
</verb></p><p>If you don't want to change anything to a particular user, just
|
|
give him an empty script:
|
|
</p><p><verb>#/bin/sh
|
|
#
|
|
exit 0
|
|
</verb></p><p>Or just don't create any script for the less privileged users,
|
|
letting them have the default.sh script, which would be empty as
|
|
the previous or just give limited access as follows:
|
|
</p><p><verb>#!/bin/sh
|
|
#
|
|
COMMAND=$1
|
|
ADDRESS=$2
|
|
EXTIF=$3
|
|
EXTIFADDRESS=$4
|
|
IPTABLES='/usr/sbin/iptables'
|
|
$IPTABLES $COMMAND POSTROUTING -t nat -s $ADDRESS -o $EXTIF --dport 25 -j SNAT --to-source $EXTIFADDRESS
|
|
$IPTABLES $COMMAND POSTROUTING -t nat -s $ADDRESS -o $EXTIF --dport 110 -j SNAT --to-source $EXTIFADDRESS
|
|
</verb></p><p>Remember that this script requires you to modify all the previous
|
|
scripts to include the extra parameter ou just modify the script
|
|
script. And remember that you will go nowhere whis this howto if
|
|
you don't understand iptables.
|
|
</p><sect>Group management
|
|
<sect1>Creating groups
|
|
<p>Just create your user groups in the Linux PDC and add the users
|
|
to the groups. This is it.
|
|
</p><p>Remember that the example scripts in this howto will probably
|
|
fail if you have users belonging to more than one group. If you need
|
|
this, remember to adjust the scripts.
|
|
</p><sect1>Group policy
|
|
<p>You will need to define group specific scripts and place them
|
|
in the directory "/etc/smbgate/groups/". Remember that the script must
|
|
be named as the group, at least if you want to follow the examples
|
|
in this howto.
|
|
</p><p>The default scheme of this howto is to check for a user script,
|
|
then for a group script and finally for the default script. If you
|
|
want to modify this behavior remember to adapt the netlogon.sh, netlogoff.sh
|
|
(or the checklogout.sh) scripts. The whole logic is in these scripts.
|
|
</p><sect>Bibliography
|
|
<p><url url="http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html" name="IPTABLES TUTORIAL"> by Oskar Andreasson
|
|
</p><p><url url="http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection.html" name="Samba HOWTO Collection"> by the SAMBA Team
|
|
</p><sect>GNU Free Documentation License
|
|
<p>GNU Free Documentation License Version 1.2, November 2002
|
|
</p><p>Copyright (C) 2000,2001,2002 Free Software Foundation, Inc. 59
|
|
Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted
|
|
to copy and distribute verbatim copies of this license document,
|
|
but changing it is not allowed.
|
|
</p><p>0. PREAMBLE
|
|
</p><p>The purpose of this License is to make a manual, textbook, or
|
|
other functional and useful document "free" in the sense
|
|
of freedom: to assure everyone the effective freedom to copy and
|
|
redistribute it, with or without modifying it, either commercially
|
|
or noncommercially. Secondarily, this License preserves for the author
|
|
and publisher a way to get credit for their work, while not being
|
|
considered responsible for modifications made by others.
|
|
</p><p>This License is a kind of "copyleft", which means that
|
|
derivative works of the document must themselves be free in the same
|
|
sense. It complements the GNU General Public License, which is a
|
|
copyleft license designed for free software.
|
|
</p><p>We have designed this License in order to use it for manuals
|
|
for free software, because free software needs free documentation:
|
|
a free program should come with manuals providing the same freedoms
|
|
that the software does. But this License is not limited to software
|
|
manuals; it can be used for any textual work, regardless of subject
|
|
matter or whether it is published as a printed book. We recommend
|
|
this License principally for works whose purpose is instruction or
|
|
reference.
|
|
</p><p>1. APPLICABILITY AND DEFINITIONS
|
|
</p><p>This License applies to any manual or other work, in any medium,
|
|
that contains a notice placed by the copyright holder saying it can
|
|
be distributed under the terms of this License. Such a notice grants
|
|
a world-wide, royalty-free license, unlimited in duration, to use
|
|
that work under the conditions stated herein. The "Document",
|
|
below, refers to any such manual or work. Any member of the public
|
|
is a licensee, and is addressed as "you". You accept the
|
|
license if you copy, modify or distribute the work in a way requiring
|
|
permission under copyright law.
|
|
</p><p>A "Modified Version" of the Document means any work
|
|
containing the Document or a portion of it, either copied verbatim,
|
|
or with modifications and/or translated into another language.
|
|
</p><p>A "Secondary Section" is a named appendix or a front-matter
|
|
section of the Document that deals exclusively with the relationship
|
|
of the publishers or authors of the Document to the Document's overall
|
|
subject (or to related matters) and contains nothing that could fall
|
|
directly within that overall subject. (Thus, if the Document is in
|
|
part a textbook of mathematics, a Secondary Section may not explain
|
|
any mathematics.) The relationship could be a matter of historical
|
|
connection with the subject or with related matters, or of legal,
|
|
commercial, philosophical, ethical or political position regarding
|
|
them.
|
|
</p><p>The "Invariant Sections" are certain Secondary Sections
|
|
whose titles are designated, as being those of Invariant Sections,
|
|
in the notice that says that the Document is released under this
|
|
License. If a section does not fit the above definition of Secondary
|
|
then it is not allowed to be designated as Invariant. The Document
|
|
may contain zero Invariant Sections. If the Document does not identify
|
|
any Invariant Sections then there are none.
|
|
</p><p>The "Cover Texts" are certain short passages of text
|
|
that are listed, as Front-Cover Texts or Back-Cover Texts, in the
|
|
notice that says that the Document is released under this License.
|
|
A Front-Cover Text may be at most 5 words, and a Back-Cover Text
|
|
may be at most 25 words.
|
|
</p><p>A "Transparent" copy of the Document means a machine-readable
|
|
copy, represented in a format whose specification is available to
|
|
the general public, that is suitable for revising the document straightforwardly
|
|
with generic text editors or (for images composed of pixels) generic
|
|
paint programs or (for drawings) some widely available drawing editor,
|
|
and that is suitable for input to text formatters or for automatic
|
|
translation to a variety of formats suitable for input to text formatters.
|
|
A copy made in an otherwise Transparent file format whose markup,
|
|
or absence of markup, has been arranged to thwart or discourage subsequent
|
|
modification by readers is not Transparent. An image format is not
|
|
Transparent if used for any substantial amount of text. A copy that
|
|
is not "Transparent" is called "Opaque".
|
|
</p><p>Examples of suitable formats for Transparent copies include plain
|
|
ASCII without markup, Texinfo input format, LaTeX input format, SGML
|
|
or XML using a publicly available DTD, and standard-conforming simple
|
|
HTML, PostScript or PDF designed for human modification. Examples
|
|
of transparent image formats include PNG, XCF and JPG. Opaque formats
|
|
include proprietary formats that can be read and edited only by proprietary
|
|
word processors, SGML or XML for which the DTD and/or processing
|
|
tools are not generally available, and the machine-generated HTML,
|
|
PostScript or PDF produced by some word processors for output purposes
|
|
only.
|
|
</p><p>The "Title Page" means, for a printed book, the title
|
|
page itself, plus such following pages as are needed to hold, legibly,
|
|
the material this License requires to appear in the title page. For
|
|
works in formats which do not have any title page as such, "Title
|
|
Page" means the text near the most prominent appearance of the
|
|
work's title, preceding the beginning of the body of the text.
|
|
</p><p>A section "Entitled XYZ" means a named subunit of the
|
|
Document whose title either is precisely XYZ or contains XYZ in parentheses
|
|
following text that translates XYZ in another language. (Here XYZ
|
|
stands for a specific section name mentioned below, such as "Acknowledgements",
|
|
"Dedications", "Endorsements", or "History".)
|
|
To "Preserve the Title" of such a section when you modify
|
|
the Document means that it remains a section "Entitled XYZ"
|
|
according to this definition.
|
|
</p><p>The Document may include Warranty Disclaimers next to the notice
|
|
which states that this License applies to the Document. These Warranty
|
|
Disclaimers are considered to be included by reference in this License,
|
|
but only as regards disclaiming warranties: any other implication
|
|
that these Warranty Disclaimers may have is void and has no effect
|
|
on the meaning of this License.
|
|
</p><p>2. VERBATIM COPYING
|
|
</p><p>You may copy and distribute the Document in any medium, either
|
|
commercially or noncommercially, provided that this License, the
|
|
copyright notices, and the license notice saying this License applies
|
|
to the Document are reproduced in all copies, and that you add no
|
|
other conditions whatsoever to those of this License. You may not
|
|
use technical measures to obstruct or control the reading or further
|
|
copying of the copies you make or distribute. However, you may accept
|
|
compensation in exchange for copies. If you distribute a large enough
|
|
number of copies you must also follow the conditions in section 3.
|
|
</p><p>You may also lend copies, under the same conditions stated above,
|
|
and you may publicly display copies.
|
|
</p><p>3. COPYING IN QUANTITY
|
|
</p><p>If you publish printed copies (or copies in media that commonly
|
|
have printed covers) of the Document, numbering more than 100, and
|
|
the Document's license notice requires Cover Texts, you must enclose
|
|
the copies in covers that carry, clearly and legibly, all these Cover
|
|
Texts: Front-Cover Texts on the front cover, and Back-Cover Texts
|
|
on the back cover. Both covers must also clearly and legibly identify
|
|
you as the publisher of these copies. The front cover must present
|
|
the full title with all words of the title equally prominent and
|
|
visible. You may add other material on the covers in addition. Copying
|
|
with changes limited to the covers, as long as they preserve the
|
|
title of the Document and satisfy these conditions, can be treated
|
|
as verbatim copying in other respects.
|
|
</p><p>If the required texts for either cover are too voluminous to
|
|
fit legibly, you should put the first ones listed (as many as fit
|
|
reasonably) on the actual cover, and continue the rest onto adjacent
|
|
pages.
|
|
</p><p>If you publish or distribute Opaque copies of the Document numbering
|
|
more than 100, you must either include a machine-readable Transparent
|
|
copy along with each Opaque copy, or state in or with each Opaque
|
|
copy a computer-network location from which the general network-using
|
|
public has access to download using public-standard network protocols
|
|
a complete Transparent copy of the Document, free of added material.
|
|
If you use the latter option, you must take reasonably prudent steps,
|
|
when you begin distribution of Opaque copies in quantity, to ensure
|
|
that this Transparent copy will remain thus accessible at the stated
|
|
location until at least one year after the last time you distribute
|
|
an Opaque copy (directly or through your agents or retailers) of
|
|
that edition to the public.
|
|
</p><p>It is requested, but not required, that you contact the authors
|
|
of the Document well before redistributing any large number of copies,
|
|
to give them a chance to provide you with an updated version of the
|
|
Document.
|
|
</p><p>4. MODIFICATIONS
|
|
</p><p>You may copy and distribute a Modified Version of the Document
|
|
under the conditions of sections 2 and 3 above, provided that you
|
|
release the Modified Version under precisely this License, with the
|
|
Modified Version filling the role of the Document, thus licensing
|
|
distribution and modification of the Modified Version to whoever
|
|
possesses a copy of it. In addition, you must do these things in
|
|
the Modified Version:
|
|
</p><p>A. Use in the Title Page (and on the covers, if any) a title
|
|
distinct from that of the Document, and from those of previous versions
|
|
(which should, if there were any, be listed in the History section
|
|
of the Document). You may use the same title as a previous version
|
|
if the original publisher of that version gives permission. B. List
|
|
on the Title Page, as authors, one or more persons or entities responsible
|
|
for authorship of the modifications in the Modified Version, together
|
|
with at least five of the principal authors of the Document (all
|
|
of its principal authors, if it has fewer than five), unless they
|
|
release you from this requirement. C. State on the Title page the
|
|
name of the publisher of the Modified Version, as the publisher.
|
|
D. Preserve all the copyright notices of the Document. E. Add an
|
|
appropriate copyright notice for your modifications adjacent to the
|
|
other copyright notices. F. Include, immediately after the copyright
|
|
notices, a license notice giving the public permission to use the
|
|
Modified Version under the terms of this License, in the form shown
|
|
in the Addendum below. G. Preserve in that license notice the full
|
|
lists of Invariant Sections and required Cover Texts given in the
|
|
Document's license notice. H. Include an unaltered copy of this License.
|
|
I. Preserve the section Entitled "History", Preserve its
|
|
Title, and add to it an item stating at least the title, year, new
|
|
authors, and publisher of the Modified Version as given on the Title
|
|
Page. If there is no section Entitled "History" in the
|
|
Document, create one stating the title, year, authors, and publisher
|
|
of the Document as given on its Title Page, then add an item describing
|
|
the Modified Version as stated in the previous sentence. J. Preserve
|
|
the network location, if any, given in the Document for public access
|
|
to a Transparent copy of the Document, and likewise the network locations
|
|
given in the Document for previous versions it was based on. These
|
|
may be placed in the "History" section. You may omit a
|
|
network location for a work that was published at least four years
|
|
before the Document itself, or if the original publisher of the version
|
|
it refers to gives permission. K. For any section Entitled "Acknowledgements"
|
|
or "Dedications", Preserve the Title of the section, and
|
|
preserve in the section all the substance and tone of each of the
|
|
contributor acknowledgements and/or dedications given therein. L.
|
|
Preserve all the Invariant Sections of the Document, unaltered in
|
|
their text and in their titles. Section numbers or the equivalent
|
|
are not considered part of the section titles. M. Delete any section
|
|
Entitled "Endorsements". Such a section may not be included
|
|
in the Modified Version. N. Do not retitle any existing section to
|
|
be Entitled "Endorsements" or to conflict in title with
|
|
any Invariant Section. O. Preserve any Warranty Disclaimers.
|
|
</p><p>If the Modified Version includes new front-matter sections or
|
|
appendices that qualify as Secondary Sections and contain no material
|
|
copied from the Document, you may at your option designate some or
|
|
all of these sections as invariant. To do this, add their titles
|
|
to the list of Invariant Sections in the Modified Version's license
|
|
notice. These titles must be distinct from any other section titles.
|
|
</p><p>You may add a section Entitled "Endorsements", provided
|
|
it contains nothing but endorsements of your Modified Version by
|
|
various parties--for example, statements of peer review or that the
|
|
text has been approved by an organization as the authoritative definition
|
|
of a standard.
|
|
</p><p>You may add a passage of up to five words as a Front-Cover Text,
|
|
and a passage of up to 25 words as a Back-Cover Text, to the end
|
|
of the list of Cover Texts in the Modified Version. Only one passage
|
|
of Front-Cover Text and one of Back-Cover Text may be added by (or
|
|
through arrangements made by) any one entity. If the Document already
|
|
includes a cover text for the same cover, previously added by you
|
|
or by arrangement made by the same entity you are acting on behalf
|
|
of, you may not add another; but you may replace the old one, on
|
|
explicit permission from the previous publisher that added the old
|
|
one.
|
|
</p><p>The author(s) and publisher(s) of the Document do not by this
|
|
License give permission to use their names for publicity for or to
|
|
assert or imply endorsement of any Modified Version.
|
|
</p><p>5. COMBINING DOCUMENTS
|
|
</p><p>You may combine the Document with other documents released under
|
|
this License, under the terms defined in section 4 above for modified
|
|
versions, provided that you include in the combination all of the
|
|
Invariant Sections of all of the original documents, unmodified,
|
|
and list them all as Invariant Sections of your combined work in
|
|
its license notice, and that you preserve all their Warranty Disclaimers.
|
|
</p><p>The combined work need only contain one copy of this License,
|
|
and multiple identical Invariant Sections may be replaced with a
|
|
single copy. If there are multiple Invariant Sections with the same
|
|
name but different contents, make the title of each such section
|
|
unique by adding at the end of it, in parentheses, the name of the
|
|
original author or publisher of that section if known, or else a
|
|
unique number. Make the same adjustment to the section titles in
|
|
the list of Invariant Sections in the license notice of the combined
|
|
work.
|
|
</p><p>In the combination, you must combine any sections Entitled "History"
|
|
in the various original documents, forming one section Entitled "History";
|
|
likewise combine any sections Entitled "Acknowledgements",
|
|
and any sections Entitled "Dedications". You must delete
|
|
all sections Entitled "Endorsements".
|
|
</p><p>6. COLLECTIONS OF DOCUMENTS
|
|
</p><p>You may make a collection consisting of the Document and other
|
|
documents released under this License, and replace the individual
|
|
copies of this License in the various documents with a single copy
|
|
that is included in the collection, provided that you follow the
|
|
rules of this License for verbatim copying of each of the documents
|
|
in all other respects.
|
|
</p><p>You may extract a single document from such a collection, and
|
|
distribute it individually under this License, provided you insert
|
|
a copy of this License into the extracted document, and follow this
|
|
License in all other respects regarding verbatim copying of that
|
|
document.
|
|
</p><p>7. AGGREGATION WITH INDEPENDENT WORKS
|
|
</p><p>A compilation of the Document or its derivatives with other separate
|
|
and independent documents or works, in or on a volume of a storage
|
|
or distribution medium, is called an "aggregate" if the
|
|
copyright resulting from the compilation is not used to limit the
|
|
legal rights of the compilation's users beyond what the individual
|
|
works permit. When the Document is included an aggregate, this License
|
|
does not apply to the other works in the aggregate which are not
|
|
themselves derivative works of the Document.
|
|
</p><p>If the Cover Text requirement of section 3 is applicable to these
|
|
copies of the Document, then if the Document is less than one half
|
|
of the entire aggregate, the Document's Cover Texts may be placed
|
|
on covers that bracket the Document within the aggregate, or the
|
|
electronic equivalent of covers if the Document is in electronic
|
|
form. Otherwise they must appear on printed covers that bracket the
|
|
whole aggregate.
|
|
</p><p>8. TRANSLATION
|
|
</p><p>Translation is considered a kind of modification, so you may
|
|
distribute translations of the Document under the terms of section
|
|
4. Replacing Invariant Sections with translations requires special
|
|
permission from their copyright holders, but you may include translations
|
|
of some or all Invariant Sections in addition to the original versions
|
|
of these Invariant Sections. You may include a translation of this
|
|
License, and all the license notices in the Document, and any Warrany
|
|
Disclaimers, provided that you also include the original English
|
|
version of this License and the original versions of those notices
|
|
and disclaimers. In case of a disagreement between the translation
|
|
and the original version of this License or a notice or disclaimer,
|
|
the original version will prevail.
|
|
</p><p>If a section in the Document is Entitled "Acknowledgements",
|
|
"Dedications", or "History", the requirement
|
|
(section 4) to Preserve its Title (section 1) will typically require
|
|
changing the actual title.
|
|
</p><p>9. TERMINATION
|
|
</p><p>You may not copy, modify, sublicense, or distribute the Document
|
|
except as expressly provided for under this License. Any other attempt
|
|
to copy, modify, sublicense or distribute the Document is void, and
|
|
will automatically terminate your rights under this License. However,
|
|
parties who have received copies, or rights, from you under this
|
|
License will not have their licenses terminated so long as such parties
|
|
remain in full compliance.
|
|
</p><p>10. FUTURE REVISIONS OF THIS LICENSE
|
|
</p><p>The Free Software Foundation may publish new, revised versions
|
|
of the GNU Free Documentation License from time to time. Such new
|
|
versions will be similar in spirit to the present version, but may
|
|
differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.
|
|
</p><p>Each version of the License is given a distinguishing version
|
|
number. If the Document specifies that a particular numbered version
|
|
of this License "or any later version" applies to it, you
|
|
have the option of following the terms and conditions either of that
|
|
specified version or of any later version that has been published
|
|
(not as a draft) by the Free Software Foundation. If the Document
|
|
does not specify a version number of this License, you may choose
|
|
any version ever published (not as a draft) by the Free Software
|
|
Foundation.
|
|
</p><p>ADDENDUM: How to use this License for your documents
|
|
</p><p>To use this License in a document you have written, include a
|
|
copy of the License in the document and put the following copyright
|
|
and license notices just after the title page:
|
|
</p><p>Copyright (c) YEAR YOUR NAME. Permission is granted to copy,
|
|
distribute and/or modify this document under the terms of the GNU
|
|
Free Documentation License, Version 1.2 or any later version published
|
|
by the Free Software Foundation; with no Invariant Sections, no Front-Cover
|
|
Texts, and no Back-Cover Texts. A copy of the license is included
|
|
in the section entitled "GNU Free Documentation License".
|
|
</p><p>If you have Invariant Sections, Front-Cover Texts and Back-Cover
|
|
Texts, replace the "with...Texts." line with this:
|
|
</p><p>with the Invariant Sections being LIST THEIR TITLES, with the
|
|
Front-Cover Texts being LIST, and with the Back-Cover Texts being
|
|
LIST.
|
|
</p><p>If you have Invariant Sections without Cover Texts, or some other
|
|
combination of the three, merge those two alternatives to suit the
|
|
situation.
|
|
</p><p>If your document contains nontrivial examples of program code,
|
|
we recommend releasing these examples in parallel under your choice
|
|
of free software license, such as the GNU General Public License,
|
|
to permit their use in free software.
|
|
</p>
|
|
|
|
</article>
|