New hint: starting and stopping fusesmb per session.

Stef Bon stef at bononline.nl
Tue Jan 24 10:56:24 PST 2006


Hello,


As promised, here is my new hint about starting and stopping fusesmb per
user when your session starts.

Stef
-------------- next part --------------
AUTHOR: Stef Bon <stef at bononline dot nl>

DATE: 2006-01-24

LICENSE: GNU Free Documentation License Version 1.2

SYNOPSIS: Starting and stopping fusesmb at the start and end of a KDE session using KDM.

DESCRIPTION: 
This hint is about the per-session part of fusesmb: mounting a user's SMB network
when the KDE session starts and unmounting it again at logout.

It builds on my hint 
"Execute scripts at begin and end of a KDE-session using KDM and PAM".

That hint describes in general how scripts and commands are started at the 
beginning and end of a KDE session using KDM, and how PAM (pam_script) can supply 
the password typed at login to commands that need it.


ATTACHMENT:

PREREQUISITES:
This hint requires sufficient knowledge of Linux in general, and of shell scripts in particular.
Further, sudo should be installed, and you should start KDE via KDM.


HINT:

Content:

1. Browsing the network using FUSE, fusesmb and PAM
1.1 Installation of FUSE and fusesmb.
1.2 Starting the session part of fusesmb.
1.3 Stopping the session part of fusesmb.
1.4 Storing credentials in the personal configuration file.


---------------------------------------------------
1. Browsing the network using FUSE, fusesmb and PAM
---------------------------------------------------

FUSE is still very new. At this moment the FUSE package contains a kernel module, a library and utilities.
Soon the module will be a standard part of the kernel (see the note in 1.1). For more information see the project website, of course.

pam_script has the ability (from version 0.1.5) to capture the password provided at login and to hand it to scripts via the environment variable PAM_AUTHTOK. A script for fusesmb can write this value to the configuration file of fusesmb (~/.smb/fusesmb.conf), so that the network is browsed with the credentials provided at login. 

warning:

This looks a little bit like Single Sign On, but it isn't!! The credentials are stored 
in a file under the home directory (~/.smb/fusesmb.conf), in plaintext, no encryption!!
At runtime the file is protected only by its permissions (readable by the owner alone, 
see 1.4): root can still read it, and so can anybody who gets at the disk, for instance 
by booting a LiveCD. The file is removed again at logout (see 1.3), but only when the 
logout script actually runs; after a crash or a power failure the plaintext password 
stays on disk until the next login overwrites it.

So, this should never be used in an environment where you can't trust your users,
or where you can't trust who has physical access to the machine!


-------------------------------------
1.1 Installation of FUSE and FuseSMB.
-------------------------------------

Get FUSE from the projectsite:

http://fuse.sourceforge.net

Installing FUSE:

cd fuse-2.3.0
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-kernel-module --enable-lib --enable-util
make
make install

This installs the kernel module, fuse.

To load it:

modprobe fuse

and add it to /etc/sysconfig/modules so that it is loaded at boot.

Note:

In the newest kernels (>=2.6.14) the kernel module is included in the kernel. You still
need the package above, because of the library and the utilities.

Configuration of FUSE goes via the fuse.conf file in the /etc directory:

cat >> /etc/fuse.conf << "EOF"
mount_max = 999
user_allow_other
EOF

mount_max limits the number of FUSE mounts on the system. user_allow_other lets 
non-root users pass the mount option allow_other, which the startup script in 1.2 
uses; without it fusermount refuses that option for ordinary users. Be aware of 
what allow_other means: the mount is then reachable by every local user, and 
whatever they read or write goes over the SMB connection of the user who mounted 
it, with that user's credentials. default_permissions makes the kernel check the 
file modes that fusesmb reports, which limits this, but on a machine with several 
local users think twice before using allow_other.

Get fusesmb:

Look for a link at :

http://freshmeat.net/projects/fusesmb/

Installing fusesmb:

cd fusesmb-0.8.3
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install

fusesmb requires samba 3.0.x (it is built on libsmbclient).

Now with fusesmb running you can access your SMB (Windows)
network environment via a filesystem in userspace, with
**any** application (not only KDE apps via kio slaves or GNOME
apps via gnome-vfs), like mc or vi.


-----------------------------------------
1.2 Starting the session part of fusesmb.
-----------------------------------------


Now the actual scripts. First the startup script, which KDM runs at the start
of the session with the user name as its first argument:

cd /etc/session.d/kdm/startup

cat > fusesmb.sh << "EOF"
#!/bin/bash
# Started by KDM at session start (see the base hint); $1 is the user name.
# Mounts the user's SMB network under ~/network with fusesmb.

retcode=0

userid=$1
# Look the user up by exact key: grep "^$userid" on the whole passwd
# output would also match longer names starting with the same characters.
userproperties=$(getent passwd "$userid")
homedir=$(echo "$userproperties" | cut -d ":" -f 6)
gidnr=$(echo "$userproperties" | cut -d ":" -f 4)
uidnr=$(echo "$userproperties" | cut -d ":" -f 3)

if [ -n "$userproperties" ] && [ -d "$homedir" ]; then

    if [ ! -d "$homedir/network" ]; then
	mkdir -p "$homedir/network"
	chown "$uidnr:$gidnr" "$homedir/network"
    fi

    # allow_other needs user_allow_other in /etc/fuse.conf (see 1.1).
    # When running as root, drop to the user with sudo: the mount is then
    # owned by the user and fusesmb reads the user's own ~/.smb/fusesmb.conf.
    if [ "$(id -u)" -eq 0 ]; then
	sudo -H -u "$userid" fusesmb "$homedir/network" -o fsname=fusesmb,default_permissions,allow_other
	retcode=$?
    elif [ "$(id -u)" -eq "$uidnr" ]; then
	fusesmb "$homedir/network" -o fsname=fusesmb,default_permissions,allow_other
	retcode=$?
    fi

fi

if [ $retcode -ne 0 ]; then
    echo "An error with fusesmb ($retcode)."
fi

exit $retcode
EOF



-----------------------------------------
1.3 Stopping the session part of fusesmb.
-----------------------------------------

And the logout script, which KDM runs at the end of the session, again with
the user name as its first argument:

cd /etc/session.d/kdm/reset

cat > fusesmb.sh << "EOF"
#!/bin/bash
# Run by KDM at session end (see the base hint); $1 is the user name.
# Unmounts ~/network and removes the credentials written at login.

retcode=0

userid=$1
userproperties=$(getent passwd "$userid")
homedir=$(echo "$userproperties" | cut -d ":" -f 6)

if [ -n "$userproperties" ] && [ -d "$homedir" ]; then

    # Only unmount when ~/network really is a mount point: match the exact
    # path in /proc/mounts (a bare grep on the path would also match
    # sub-paths and other users' mounts with the same prefix).
    if grep -qs " $homedir/network " /proc/mounts; then
	fusermount -u "$homedir/network"
	retcode=$?
    fi

    # The plaintext credentials must not outlive the session. Do not go
    # through a symlink a user may have planted in place of ~/.smb.
    if [ ! -L "$homedir/.smb" ]; then
	rm -f "$homedir/.smb/fusesmb.conf"
    fi

fi

if [ $retcode -ne 0 ]; then
    echo "An error with fusesmb ($retcode)."
fi

exit $retcode
EOF
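The reset script only runs at a clean logout; after a crash or a power failure the plaintext credentials file stays behind. The sweep below is an added example and not part of the hint: something root can run from cron to remove fusesmb.conf files of users who have no session any more. It assumes the usual /home/<user> layout (the directory name is the user name) and takes the list of logged-in users as an argument, normally the output of `users`, so that it can be exercised on constructed directories; the function name is an assumption made here.

```shell
#!/bin/sh
# Added example, not part of the hint: remove the plaintext fusesmb credential
# files (~/.smb/fusesmb.conf) of users who no longer have a session, because
# the KDM reset script only runs on a clean logout.
# Assumptions (this example's own): homes live at HOMEBASE/<user name>, and
# the caller supplies the list of logged-in users (normally "$(users)").

# sweep_stale_creds HOMEBASE "user1 user2 ..."
# Prints every credentials file it removed, one path per line.
sweep_stale_creds() {
    homebase=$1
    logged_in=" $2 "                       # padded for whole-word matching
    for home in "$homebase"/*/; do
        home=${home%/}
        user=${home##*/}
        # Running as root: never operate through a symlinked ~/.smb, or the
        # rm below would hit whatever file the user pointed the link at.
        [ -L "$home/.smb" ] && continue
        conf=$home/.smb/fusesmb.conf
        [ -f "$conf" ] || continue
        case "$logged_in" in
            *" $user "*) ;;                # still logged in: keep the file
            *) rm -f "$conf" && printf '%s\n' "$conf" ;;
        esac
    done
}

# Constructed demonstration in a throw-away directory: alice has logged out,
# bob is still logged in, carol's ~/.smb is a symlink and must be skipped.
demo=$(mktemp -d)
mkdir -p "$demo/alice/.smb" "$demo/bob/.smb" "$demo/carol"
printf '[global]\nusername = alice\npassword = secret\n' > "$demo/alice/.smb/fusesmb.conf"
printf '[global]\nusername = bob\npassword = secret\n'   > "$demo/bob/.smb/fusesmb.conf"
ln -s "$demo/bob/.smb" "$demo/carol/.smb"
sweep_stale_creds "$demo" "bob root"      # prints only alice's file
rm -rf "$demo"
# Real use, as root from cron:  sweep_stale_creds /home "$(users)"
```

Run it a few minutes after boot as well: a machine that lost power leaves every user's file behind, and at that moment nobody is logged in yet.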


-----------------------------------------------------------
1.4 Storing credentials in the personal configuration file.
-----------------------------------------------------------

With the files above you already have a working solution.
To access SMB servers where a username and a password are
required, fusesmb lets you put credentials in the 
~/.smb/fusesmb.conf file. Look for these and more options
in the manpage of fusesmb.conf.

With PAM and the module pam_script it is possible to use the
credentials provided at login. In my network the Samba servers
use the same credentials as my normal login (via OpenLDAP).
The script below is run by pam_script after a successful
authentication (see the base hint) and receives the user name,
the PAM service name and the password typed at login as its
three arguments:

cat > /etc/session.d/pam/onauth/fusesmb.sh << "EOF"
#!/bin/bash
# Run by PAM (pam_script) after a successful authentication, before KDM
# starts the session scripts. Arguments as passed by the base hint:
#   $1 user name, $2 PAM service, $3 the password typed at login.
# (pam_script 0.1.5 also exports it as PAM_AUTHTOK in the environment.)

retcode=0

userid=$1
service=$2
authtok=$3

# Anything created below is readable by its owner only from the moment it
# exists; no window in which an empty but world-readable file is around.
umask 077

userproperties=$(getent passwd "$userid")
homedir=$(echo "$userproperties" | cut -d ":" -f 6)
gidnr=$(echo "$userproperties" | cut -d ":" -f 4)
uidnr=$(echo "$userproperties" | cut -d ":" -f 3)

if [ -n "$userproperties" ] && [ -d "$homedir" ]; then

	# This runs as root: refuse to write through a symlink a user could
	# have planted at ~/.smb or ~/.smb/fusesmb.conf.
	if [ -L "$homedir/.smb" ] || [ -L "$homedir/.smb/fusesmb.conf" ]; then
	    echo "fusesmb: $homedir/.smb is a symlink, not writing credentials."
	    exit 1
	fi

	if [ ! -d "$homedir/.smb" ]; then
	    mkdir -p "$homedir/.smb"
	    chown "$uidnr:$gidnr" "$homedir/.smb"
	    chmod 700 "$homedir/.smb"
	fi

	if [ -n "$authtok" ]; then
	    conf=$homedir/.smb/fusesmb.conf
	    rm -f "$conf"
	    # printf instead of echo: no option or escape processing of the password.
	    {
		printf '%s\n' "[global]"
		printf 'username = %s\n' "$userid"
		printf 'password = %s\n' "$authtok"
	    } > "$conf"
	    chown "$uidnr:$gidnr" "$conf"
	    chmod 600 "$conf"
	fi

fi

if [ $retcode -ne 0 ]; then
    echo "An error with fusesmb ($retcode)."
fi

exit $retcode
EOF


Notes:

- The fusesmb script in the onauth directory overwrites any existing fusesmb.conf in the ~/.smb 
  directory, so a user cannot keep options of his own in it. I do not have a simple solution for 
  that. One way would be a template: a fusesmb.conf with placeholders for username and password, 
  into which the real values are inserted with 'sed' at login.
- This script is executed before(!) any script started by KDM. So when fusesmb starts, it reads 
  the freshly written configuration file.
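The template approach from the first note, worked out as an added example (this is not code from the hint or from the fusesmb project). It assumes a per-user template ~/.smb/fusesmb.conf.template with the placeholders @USERNAME@ and @PASSWORD@; the template name, the function names and the option lines in the sample template are assumptions made here (check the fusesmb.conf manpage for the real option names). Called from the onauth script in place of the lines that write fusesmb.conf, it keeps whatever else the user put in the template, and it escapes the password so that characters like '/', '&' and '\' do not break the sed substitution.

```shell
#!/bin/sh
# Added example, not part of the hint: fill a per-user fusesmb.conf template
# with the username and password that the onauth script receives, instead of
# overwriting the whole file. Assumptions (this example's own): the template
# is ~/.smb/fusesmb.conf.template with placeholders @USERNAME@ and @PASSWORD@.

# Escape a value for the right-hand side of a sed 's' command: a password may
# contain '/', '&' or '\', each of which is special there.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'
}

# render_fusesmb_conf TEMPLATE OUTPUT USERNAME PASSWORD
# Writes OUTPUT owner-readable only from the moment it exists (umask 077),
# refuses to write through a symlink, returns 1 if the template is missing.
render_fusesmb_conf() {
    template=$1 output=$2
    [ -f "$template" ] || { echo "no template: $template" >&2; return 1; }
    [ -L "$output" ] && { echo "refusing symlink: $output" >&2; return 1; }
    esc_user=$(sed_escape "$3")
    esc_pass=$(sed_escape "$4")
    (
        umask 077
        rm -f "$output"                    # not race-free; see the warning in 1.
        sed -e "s/@USERNAME@/$esc_user/g" \
            -e "s/@PASSWORD@/$esc_pass/g" "$template" > "$output"
    )
}

# check_conf_perms FILE UID: 0 if FILE is a regular file (no symlink), mode
# 0600 and owned by UID; the state the credentials file should always be in.
check_conf_perms() {
    f=$1 want_uid=$2
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    set -- $(stat -c '%a %u' "$f")         # GNU stat: mode and owner uid
    [ "$1" = "600" ] && [ "$2" = "$want_uid" ]
}

# Constructed demonstration in a throw-away directory.
demo=$(mktemp -d)
mkdir -p "$demo/.smb"
cat > "$demo/.smb/fusesmb.conf.template" << 'TEMPLATE'
[global]
username = @USERNAME@
password = @PASSWORD@
timeout = 10
TEMPLATE
render_fusesmb_conf "$demo/.smb/fusesmb.conf.template" \
                    "$demo/.smb/fusesmb.conf" stef 'p/a&ss\word'
cat "$demo/.smb/fusesmb.conf"   # the password line reads: password = p/a&ss\word
check_conf_perms "$demo/.smb/fusesmb.conf" "$(id -u)" && echo "permissions ok"
rm -rf "$demo"
```

In the onauth script the call would be render_fusesmb_conf "$homedir/.smb/fusesmb.conf.template" "$homedir/.smb/fusesmb.conf" "$userid" "$authtok", followed by the chown to the user as before; the template itself is the user's to edit, the rendered file still disappears at logout.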


ACKNOWLEDGEMENTS:


CHANGELOG:
[2006-01-24]
  * Initial hint.


