[oi-dev] Install defaults re. SMB and pam.conf
Toomas Soome
tsoome at me.com
Sun Mar 26 15:35:03 UTC 2017
> On 26 March 2017, at 18:31, Andreas Wacknitz <A.Wacknitz at gmx.de> wrote:
>
>
>
> On 26.03.17 at 13:36, Toomas Soome wrote:
>>
>>> On 26 March 2017, at 14:23, Andreas Wacknitz <A.Wacknitz at gmx.de> wrote:
>>>
>>>
>>>
>>> On 25.03.17 at 22:30, James Blachly wrote:
>>>> (I did not get any response on the -discuss list, so please forgive the re-posting)
>>>>
>>>> Speaking as a new OI user here,
>>>>
>>>> I am using the kernel CIFS/SMB service for the first time (on other systems including smartos I am using samba), which is quite convenient. However, it did not work out of the box.
>>>>
>>>> Is there any reason something along the lines of the following should not be in /etc/pam.conf in the installer/freshly installed image?
>>>>
>>>> # Kernel SMB/CIFS service for insertion into /var/smb/smbpasswd
>>>> other password required pam_smb_passwd.so.1 nowarn
>>>>
>>>> This seems like a reasonable change that would lower the barrier to entry / lower the frustration level for new users at a critical point in their go/no go decision.
>>> I am not sure about the reasons it is missing in our standard installation. Probably because not everybody is using smb/cifs and it might be
>>> a security problem. I think the general idea behind it was (during Solaris times) that it is safer to have as few as possible things "on" by default
>>> and an admin should know what to activate.
>>> So an alternative to enabling this in /etc/pam.conf would be an enhanced description of admin steps after installation (on the wiki probably).
>>>
>>> Regards
>>> Andreas
>>>
>>
>>
>> The problem is that smb setup is not consistent. On one hand you get this mantra “look how easy it is” - which is a lie. What actually should happen is:
>>
>> 1. Creating a share should check if we also need to do smbadm join domain or workgroup; if it's a workgroup, then the join should also set up the pam entry.
>> 2. Set up the default ACL for the share. This one is a major pain, it is not properly documented, the current default is useless and confusing.
>> 3. Create /etc/avahi/services/smb.service for SMB.
> Toomas, is there any documentation on how to do that? I have installed avahi but there is no /etc/avahi folder and I haven't found any documentation for it.
>
> Regards
> Andreas
>
I found it by googling around, but there is a sample; the avahi-service.dtd should describe it. In the example below, the Xserve is of course just for giggles ;)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h</name>
  <service>
    <type>_smb._tcp</type>
    <port>445</port>
  </service>
  <service>
    <type>_device-info._tcp</type>
    <port>0</port>
    <txt-record>model=Xserve</txt-record>
  </service>
</service-group>

rgds,
toomas
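
Added example, not part of the original thread and not OpenIndiana code: a small Python audit of the two files discussed above, reporting whether pam_smb_passwd is active in a pam.conf password stack and which services an Avahi static service file advertises. The sample file contents and all function names are constructed for illustration from the snippets quoted in the thread.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the snippets quoted in this thread.
SAMPLE_PAM_CONF = """\
# Kernel SMB/CIFS service for insertion into /var/smb/smbpasswd
#other  password required   pam_smb_passwd.so.1 nowarn
other   password required   pam_authtok_store.so.1
other   password required   pam_smb_passwd.so.1 nowarn
"""

SAMPLE_AVAHI = """\
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">%h</name>
  <service><type>_smb._tcp</type><port>445</port></service>
  <service><type>_device-info._tcp</type><port>0</port>
    <txt-record>model=Xserve</txt-record></service>
</service-group>
"""

def pam_entries(text):
    """Yield (service, module_type, control, module, options) per active line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        fields = line.split()
        if len(fields) >= 4:
            yield fields[0], fields[1], fields[2], fields[3], fields[4:]

def smb_password_sync(text):
    """Services whose password stack calls pam_smb_passwd (commented lines ignored)."""
    return sorted({svc for svc, mtype, _ctl, module, _opt in pam_entries(text)
                   if mtype == "password"
                   and os.path.basename(module).startswith("pam_smb_passwd.so")})

def advertised_services(xml_text):
    """(type, port) for every <service> in an Avahi static service file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [(s.findtext("type"), int(s.findtext("port")))
            for s in root.iter("service")]

if __name__ == "__main__":
    print("pam_smb_passwd active for:", smb_password_sync(SAMPLE_PAM_CONF))
    for stype, port in advertised_services(SAMPLE_AVAHI):
        print("mDNS advertises", stype, "on port", port)
```

To check a real host, pass the contents of /etc/pam.conf and /etc/avahi/services/smb.service to the two functions instead of the samples.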