
samba job: put each daemon into its own job file

use start/stop samba-control to start/stop them all

You can enable syncing samba passwords when using passwd as well now.
However you still have to add a user to the samba user database once
using smbpasswd -a username.

svn path=/nixos/branches/modular-nixos/; revision=15218
This commit is contained in:
Marc Weber 2009-04-21 16:30:32 +00:00
parent 9f8aa03168
commit 8237528c4a
4 changed files with 176 additions and 70 deletions


@ -186,6 +186,9 @@ let
inherit (pkgs.xorg) xauth;
inherit pamConsoleHandlers;
isLDAPEnabled = if isLDAPEnabled then "" else "#";
syncSambaPasswords = if config.services.samba.syncPasswordsByPam
then "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"
else "# change samba configuration options to make passwd sync the samba auth database as well here..";
};
target = "pam.d/" + program;
}
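Review bot: The added `syncSambaPasswords` string (L27–L29) registers pam_smbpass as `optional`, so when the Samba update fails — most commonly because the account was never added with `smbpasswd -a`, the exact case the commit message warns about — `passwd` still reports success and the unix and Samba databases silently diverge. That is defensible for an opt-in sync, but it should be stated where the string is built, e.g. `# optional: a failed Samba update (user not yet in the tdb) does not fail passwd; the unix password changes while the Samba one stays stale.` The `nullok` flag additionally allows an empty new password to be written into the Samba database, mirroring the `nullok` the surrounding pam_unix2 lines already carry; if empty Samba passwords are not wanted, drop it from this line alone. This hunk is the tail of an attribute set whose start lies outside the hunk.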


@ -6,7 +6,8 @@ auth required pam_deny.so
account required @pam_unix2@/lib/security/pam_unix2.so
@isLDAPEnabled@ password sufficient @pam_ldap@/lib/security/pam_ldap.so
password sufficient @pam_unix2@/lib/security/pam_unix2.so nullok
password requisite @pam_unix2@/lib/security/pam_unix2.so nullok
@syncSambaPasswords@
@isLDAPEnabled@ session optional @pam_ldap@/lib/security/pam_ldap.so
session required @pam_unix2@/lib/security/pam_unix2.so
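Review bot: As rendered, the new `@syncSambaPasswords@` line (L41) sits below `password sufficient @pam_unix2@/lib/security/pam_unix2.so nullok` (L39); if that line is really present on the new side, a successful unix password change returns from the stack at L39 and pam_smbpass at L41 never runs, so the sync this commit enables would be dead on the normal path. pam_smbpass with `use_authtok` must follow a pam_unix2 entry that does not short-circuit on success, e.g. `password required @pam_unix2@/lib/security/pam_unix2.so nullok`, with the `requisite` duplicate at L40 then unnecessary. I cannot tell from the rendered page whether L39/L40 are an old/new pair or both context, and the hunk shows one line fewer than its `+6,8` header implies, so please verify the ordering against the raw diff.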


@ -2,7 +2,7 @@
###### interface
let
inherit (pkgs.lib) mkOption mkIf;
inherit (pkgs.lib) mkOption mkIf mkAlways;
options = {
services = {
@ -12,9 +12,101 @@ let
default = false;
description = "
Whether to enable the samba server. (to communicate with, and provide windows shares)
use start / stop samba-control to start/stop all daemons.
smbd and nmbd are not shutdown correctly yet. so just pkill them and restart those jobs.
";
};
syncPasswordsByPam = mkOption {
default = false;
description = "
enabling this will add a line directly after pam_unix.so.
Whenever a password is changed the samba password will be updated as well.
However you still yave to add the samba password once using smbpasswd -a user
If you don't want to maintain an extra pwd database you still can send plain text
passwords which is not secure.
";
};
extraConfig = mkOption {
default = ''
# [global] continuing global section here, section is started by nix to set pids etc
smb passwd file = /etc/samba/passwd
# is this useful ?
domain master = auto
encrypt passwords = Yes
client plaintext auth = No
# yes: if you use this you probably also want to enable syncPasswordsByPam
# no: You can still use the pam password database. However
# passwords will be sent plain text on network (discouraged)
workgroup = Users
server string = %h
comment = Samba
log file = /var/log/samba/log.%m
log level = 10
max log size = 50000
security = user
client lanman auth = Yes
dns proxy = no
invalid users = root
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
### end [ global ] section
# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
;[homes]
; comment = Home Directories
; browseable = no
; writable = no
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
; create mask = 0700
# this directory and user is created automatically for you by nixos
;[default]
; path = /home/smbd
; read only = no
; guest ok = yes
# this directory and user is created automatically for you by nixos
;[default]
; path = /home/smbd
; read only = no
; guest ok = yes
# additional share example
;[raidbackup]
; path = /home/raidbackup/files
; read only = no
; guest ok = no
; available = yes
; browseable = yes
; public = yes
; valid users = raidbackup
; comment = Raid backup Files
'';
description = "
additional global section and extra section lines go in here.
";
};
configFile = mkOption {
description = "
internal use to pass filepath to samba pam module
";
};
};
};
};
@ -23,24 +115,69 @@ in
###### implementation
let
cfg = config.services.samba;
user = "smbguest";
group = "smbguest";
logDir = "/var/log/samba";
privateDir = "/var/samba/private";
#smbConfig = ./smb.conf ;
smbConfig = pkgs.substituteAll {
src = ./smb.conf;
inherit samba;
};
inherit (pkgs) samba;
setupScript = ''
mkdir -p /var/lock
if ! test -d /home/smbd ; then
mkdir -p /home/smbd
chown ${user} /home/smbd
chmod a+rwx /home/smbd
fi
if ! test -d /var/samba ; then
mkdir -p /var/samba/locks /var/samba/cores/nmbd /var/samba/cores/smbd /var/samba/cores/winbindd
fi
passwdFile="$(sed -n 's/^.*smb[ ]\+passwd[ ]\+file[ ]\+=[ ]\+\(.*\)/\1/p' /nix/store/nnmrqalldfv2vkwy6qpg340rv7w34lmp-smb.conf)"
if [ -n "$passwdFile" ]; then
echo 'INFO: creating directory containing passwd file'
mkdir -p "$(dirname "$passwdFile")"
fi
mkdir -p ${logDir}
mkdir -p ${privateDir}
'';
configFile = pkgs.writeText "smb.conf" ''
[ global ]
log file = ${logDir}/log.%m
private dir = ${privateDir}
${if cfg.syncPasswordsByPam then "pam password change = true" else "" /* does this make sense ? */ }
${cfg.extraConfig}";
'';
daemonJob = appName : args :
{
name = "samba-${appName}";
job = ''
description "Samba Service daemon ${appName}"
start on samba-control/started
stop on samba-control/stop
respawn ${samba}/sbin/${appName} ${args}
'';
};
in
mkIf config.services.samba.enable {
require = [
options
@ -60,39 +197,39 @@ mkIf config.services.samba.enable {
];
};
services = {
extraJobs = [{
name = "samba";
job = ''
# always provide a smb.conf to shut up programs like smbclient and smbspool.
environment = {
etc = mkAlways [{
source = if cfg.enable then configFile else pkgs.writeText "smb-dummy.conf" "# samba is disabled. Purpose see samba expression in nixpkgs";
target = "samba/smb.conf";
}];
};
description "Samba Service"
services = {
extraJobs = [
{ name = "samba-control"; # start this dummy job to start the real samba daemons nmbd, smbd, winbindd
job = ''
description "samba job starting/stopping the real samba jobs";
start on network-interfaces/started
stop on network-interfaces/stop
start script
if ! test -d /home/smbd ; then
mkdir -p /home/smbd
chown ${user} /home/smbd
chmod a+rwx /home/smbd
fi
if ! test -d /var/samba ; then
mkdir -p /var/samba/locks /var/samba/cores/nmbd /var/samba/cores/smbd /var/samba/cores/winbindd
fi
${samba}/sbin/nmbd -D -s ${smbConfig} &
${samba}/sbin/smbd -D -s ${smbConfig} &
${samba}/sbin/winbindd -s ${smbConfig} &
ln -fs ${smbConfig} /var/samba/config
${setupScript}
end script
respawn ${samba}/sbin/nmbd -D -s ${smbConfig} &; ${samba}/sbin/smbd -D -s ${smbConfig} &; ${samba}/sbin/winbindd &
respawn sleep 1000000 # !!! hack
# put the store path here so that daemons are restarted when configuration changes
# config is ${configFile}
'';
}];
}
# add -S to get debugging output on stdout
# config directory is passed by configure at compilation time
( daemonJob "nmbd" " -i -F" ) # nmbd says "standard input is not a socket, assuming -D option", but using -i makes it stay in foreground (?)
( daemonJob "smbd" " -i -F" ) # dito
( daemonJob "winbindd" " -F" )
];
};
}
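Review bot: `setupScript` reads the `smb passwd file` setting from a hard-coded store path, `/nix/store/nnmrqalldfv2vkwy6qpg340rv7w34lmp-smb.conf` (L163), which exists only on the machine this was written on; elsewhere the sed reads nothing, `passwdFile` stays empty and the passwd directory is never created — it should interpolate the generated file, `passwdFile="$(sed -n 's/^.*smb[ ]\+passwd[ ]\+file[ ]\+=[ ]\+\(.*\)/\1/p' ${configFile})"` (Nix `let` bindings are mutually recursive, so the later `configFile` binding is in scope). Two smaller issues in the same hunk: `${cfg.extraConfig}";` (L176) emits a stray `";` line into the generated smb.conf and should be just `${cfg.extraConfig}`, and `chmod a+rwx /home/smbd` (L158) makes the guest share world-writable without the sticky bit, so any local user can delete or rename any other user's files — `chmod 1777 /home/smbd` keeps the open write access while protecting existing files. The default `extraConfig` also ships `log level = 10` (L87) and `client lanman auth = Yes` (L90); level 10 writes protocol-level debug detail into `/var/log/samba`, and LANMAN client auth lets smbd's client side send the weak LM response to remote servers, neither of which looks intended as a production default.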


@ -1,35 +0,0 @@
[global]
workgroup = Users
server string = %h
comment = Samba
log file = /var/log/samba/log.%m
log level = 10
max log size = 50000
security = user
#must be set to 'no' to use PAM
encrypt passwords = No
client plaintext auth = yes
client lanman auth = Yes
dns proxy = no
invalid users = root
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
# encrypt passwords = yes
# smb passwd file = @samba@/private/smbpasswd
#[default]
# path = /home/smbd
# read only = no
# guest ok = yes
[raidbackup]
path = /home/raidbackup/files
read only = no
guest ok = no
available = yes
browseable = yes
public = yes
valid users = raidbackup
comment = Raid backup Files