New version of my hint "starting-and-stopping-fusesmb-with-kdm-and-pam.txt".

Stef Bon stef at bononline.nl
Mon Jan 30 07:14:35 PST 2006


Hello,

here is a new version of my hint

 starting-and-stopping-fusesmb-with-kdm-and-pam.txt

I've corrected some typos and changed the name a bit. The old name was:

starting-and-stopping-fusesmb-with-kdm.txt

It uses PAM, so this is not correct.

Stef Bon
-------------- next part --------------
AUTHOR: Stef Bon <stef at bononline dot nl>

DATE: 2006-01-24

LICENSE: GNU Free Documentation License Version 1.2

SYNOPSIS: Starting and stopping Fusesmb in a KDE session using KDM and PAM.

DESCRIPTION:
This hint is about starting the session part of fusesmb.

This is based on my hint
"Execute scripts at begin and end of a KDE-session using KDM and PAM".

That hint describes in general how scripts and commands are started at the
beginning and end of a KDE session using KDM, with support from PAM for
password-sensitive commands.


ATTACHMENT:

PREREQUISITES:
This hint requires sufficient knowledge of Linux in general, and of shell scripts in particular.
Further, sudo should be installed, and you should start KDE via KDM.


HINT:

Content:

1. Browsing the network using FUSE, fusesmb and PAM
1.1 Installation of FUSE and FuseSMB.
1.2 Starting fusesmb.
1.3 Stopping fusesmb.
1.4 Storing credentials in personal configurationfile.


---------------------------------------------------
1. Browsing the network using FUSE, fusesmb and PAM
---------------------------------------------------

FUSE is very new. At this moment the FUSE package contains a kernel module, a library and utilities.
Soon the module will be standard in the kernel. For more information see the project website.

Pam_script has the ability (from version 0.1.5) to get the password provided at login and to pass it to scripts via the environment variable PAM_AUTHTOK. A script for fusesmb can write this value to the configuration file of fusesmb (~/.smb/fusesmb.conf), so the network can be browsed with the credentials provided at login.

warning:

This looks a little bit like Single Sign On, but it isn't!! The credentials are stored in
a subdirectory of the home directory (~/.smb/fusesmb.conf), with enough protection at
runtime (the file is mode 600). But root, or anybody who boots the machine from a LiveCD,
can still read them. The credentials are stored in plaintext, no encryption!!

So, this should never be used in an environment where you can't trust your users!


-------------------------------------
1.1 Installation of FUSE and FuseSMB.
-------------------------------------

Get FUSE from the projectsite:

http://fuse.sourceforge.net

Installing FUSE:

cd fuse-2.3.0
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-kernel-module --enable-lib --enable-util
make
make install

A kernel module, fuse, is installed.

To load it:

modprobe fuse

and add it to /etc/sysconfig/modules.

Note:

In the newest kernels (>=2.6.14) the kernel module is included in the kernel. You still
need the package above, because of the library and the utilities.

FUSE is configured via the fuse.conf file in the /etc directory. The user_allow_other line is required because the fusesmb mount in 1.2 is done with the allow_other option:

cat >> /etc/fuse.conf << "EOF"

mount_max = 999

user_allow_other
EOF

Get fusesmb:

Look for a link at :

http://freshmeat.net/projects/fusesmb/

Installing fusesmb:

cd fusesmb-0.8.3
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var
make
make install

It requires samba-3.0.*.



---------------------
1.2 Starting fusesmb.
---------------------


Now the actual scripts:

cd /etc/session.d/kdm/startup

cat >> fusesmb.sh << "EOF"
#!/bin/bash

retcode=0

userid=$1
# Exact lookup of the account: a prefix grep on "getent passwd" would also
# match other users whose names start with $userid.
userproperties=$(getent passwd "$userid")
homedir=$(echo "$userproperties" | cut -d ":" -f 6)
gidnr=$(echo "$userproperties" | cut -d ":" -f 4)
uidnr=$(echo "$userproperties" | cut -d ":" -f 3)

if [ -n "$userproperties" ] && [ -d "$homedir" ]; then

    if [ ! -d "$homedir/network" ]; then
        mkdir -p "$homedir/network"
        chown "$uidnr:$gidnr" "$homedir/network"
    fi

    # KDM runs the startup scripts as root: drop to the user so the mount
    # belongs to them. When already running as the user, just mount.
    if [ "$(id -u)" -eq 0 ]; then
        sudo -H -u "$userid" /bin/sh -c "fusesmb '$homedir/network' -o fsname=fusesmb,default_permissions,allow_other"
        retcode=$?
    elif [ "$(id -u)" -eq "$uidnr" ]; then
        fusesmb "$homedir/network" -o fsname=fusesmb,default_permissions,allow_other
        retcode=$?
    fi

fi

if [ "$retcode" -ne 0 ]; then
    echo "An error with fusesmb ($retcode)."
fi

exit "$retcode"
EOF


Now with fusesmb running you can access your SMB (Windows)
network environment via a filesystem in userspace, with
**any** application (not only KDE applications using KIO or
GNOME applications using gnome-vfs), like mc or vi.


---------------------
1.3 Stopping fusesmb.
---------------------

And the logout script:

cd /etc/session.d/kdm/reset

cat >> fusesmb.sh << "EOF"
#!/bin/bash

retcode=0

userid=$1
# Exact lookup, see the startup script.
userproperties=$(getent passwd "$userid")
homedir=$(echo "$userproperties" | cut -d ":" -f 6)

if [ -n "$userproperties" ] && [ -d "$homedir" ]; then

    # Unmount only when the network directory is actually mounted, and
    # keep the exit status of fusermount.
    if mount | grep -q " $homedir/network "; then
        fusermount -u "$homedir/network"
        retcode=$?
    fi

    # Remove the plaintext credentials written at login (see 1.4).
    if [ -e "$homedir/.smb/fusesmb.conf" ]; then
        rm -f "$homedir/.smb/fusesmb.conf"
    fi

fi

if [ "$retcode" -ne 0 ]; then
    echo "An error with fusesmb ($retcode)."
fi

exit "$retcode"
EOF


------------------------------------------------------
1.4 Storing credentials in personal configurationfile.
------------------------------------------------------

With the files above you already have a working solution.
To access SMB servers where a username and a password are
required, FuseSMB lets you give credentials in the
~/.smb/fusesmb.conf file. Look for these and more options
in the manpage of fusesmb.conf.

With PAM and the module pam_script it is possible to use the
credentials provided at login. In my network the Samba servers
use the same credentials as my normal login (via OpenLDAP).

cat >> /etc/session.d/pam/onauth/fusesmb.sh << "EOF"
#!/bin/bash

retcode=0

userid=$1
service=$2
authtok=$3

# Files created below must never be world-readable, not even briefly.
umask 077

# Exact lookup, see the startup script.
userproperties=$(getent passwd "$userid")
homedir=$(echo "$userproperties" | cut -d ":" -f 6)
gidnr=$(echo "$userproperties" | cut -d ":" -f 4)
uidnr=$(echo "$userproperties" | cut -d ":" -f 3)
conffile=$homedir/.smb/fusesmb.conf

if [ -n "$userproperties" ] && [ -d "$homedir" ]; then

    if [ ! -d "$homedir/.smb" ]; then
        mkdir -p "$homedir/.smb"
        chown "$uidnr:$gidnr" "$homedir/.smb"
        chmod 755 "$homedir/.smb"
    fi

    if [ -n "$authtok" ]; then
        rm -f "$conffile"
        # printf instead of echo: a password containing backslashes or
        # starting with "-" must be written literally.
        {
            printf '%s\n' "[global]"
            printf '%s\n' "username = $userid"
            printf '%s\n' "password = $authtok"
        } > "$conffile"
        retcode=$?
        chown "$uidnr:$gidnr" "$conffile"
        chmod 600 "$conffile"
    fi

fi

if [ "$retcode" -ne 0 ]; then
    echo "An error with fusesmb ($retcode)."
fi

exit "$retcode"
EOF


Notes:

- The fusesmb script in the onauth directory overwrites any existing fusesmb.conf in the ~/.smb
directory. I do not have a simple solution to do otherwise. One way would be the use of
a template, in which the variables username and password are inserted with 'sed'.
- This script is executed before(!) any script started by KDM, so when fusesmb starts, it reads
the new configuration file.
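One way to do the template approach from the first note, as an added example that is not part of Stef's hint: the user keeps a template (assumed here to be ~/.smb/fusesmb.conf.template, a name chosen for this example) containing the placeholders @USERNAME@ and @PASSWORD@, and the onauth script fills them in. The substitution uses only POSIX parameter expansion instead of sed, because a password containing '/', '&' or '\' would otherwise corrupt the sed command or be altered.

```shell
#!/bin/sh
# Added example (not from the hint): fill a fusesmb.conf template at login
# without letting the password be interpreted by sed.

# subst STRING PATTERN REPLACEMENT
# Replace every occurrence of PATTERN in STRING with REPLACEMENT, taken
# literally, using only POSIX parameter expansion (works in dash and bash).
subst() {
    s=$1 pat=$2 rep=$3 out=
    while :; do
        case $s in
            *"$pat"*)
                out="$out${s%%"$pat"*}$rep"
                s=${s#*"$pat"}
                ;;
            *)
                printf '%s' "$out$s"
                return 0
                ;;
        esac
    done
}

# render_fusesmb_conf USER PASSWORD < template > fusesmb.conf
# Copies the template line by line, replacing @USERNAME@ and @PASSWORD@;
# every other option the user put in the template is kept unchanged.
render_fusesmb_conf() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(subst "$line" '@USERNAME@' "$1")
        line=$(subst "$line" '@PASSWORD@' "$2")
        printf '%s\n' "$line"
    done
}

# In the onauth script this would replace the three lines that write the
# file, e.g. (the template path is an assumption of this example):
#   umask 077
#   render_fusesmb_conf "$userid" "$authtok" \
#       < "$homedir/.smb/fusesmb.conf.template" > "$homedir/.smb/fusesmb.conf"

# Constructed demo template and a password full of sed metacharacters.
printf '%s\n' '[global]' 'username = @USERNAME@' 'password = @PASSWORD@' \
    'showhiddenshares = false' | render_fusesmb_conf demo 'p/a&ss\wd'
```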


ACKNOWLEDGEMENTS:


CHANGELOG:
[2006-01-24]
  * Initial hint.
[2006-01-30]
  * fixed some typos


