Tales From The Geek Side

The geeky musings of Greg Rowe.

Archive for January, 2010

Filter Out Disabled Windows Accounts

January 19th, 2010 by greg

If you use pam_ldap to authenticate against Active Directory you may have a problem you never thought of: you may be allowing disabled accounts access to your system. Use the following filter to exclude disabled accounts. The filter looks at the userAccountControl attribute, which is a bit field; the matching rule in the filter performs a bitwise AND, and the value 2 is the single bit that marks an account as disabled. This snippet belongs in /etc/pam_ldap.conf.

pam_filter &(objectclass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))

On second thought this might not be desirable. This filter hides disabled accounts entirely, making them appear as though they do not exist, which is different from being reported as disabled.
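An added example, not from the original post, that emulates what the filter above does on the client side: the bit-AND matching rule (OID 1.2.840.113556.1.4.803) applied to userAccountControl, the full filter evaluated against a few constructed directory entries, and the "missing" versus "disabled" distinction raised in the previous paragraph. Entry dictionaries and function names are assumptions for illustration.

```python
# Added example: emulate the pam_filter from the post on in-memory LDAP entries.
# userAccountControl bit values are the documented Active Directory flags.
ACCOUNTDISABLE = 0x0002          # account is disabled
NORMAL_ACCOUNT = 0x0200          # ordinary user account
DONT_EXPIRE_PASSWORD = 0x10000   # password never expires

# The filter from the post, kept verbatim for reference.
PAM_FILTER = "&(objectclass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"


def bit_and_matches(attr_value, mask):
    """LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803):
    true only when every bit of mask is set in the attribute value."""
    return (int(attr_value) & mask) == mask


def is_user_object(entry):
    # objectClass values match case-insensitively in LDAP.
    return "user" in {c.lower() for c in entry.get("objectClass", [])}


def passes_pam_filter(entry):
    """Evaluate &(objectclass=User)(!(userAccountControl:...:=2)) on one entry.
    entry maps attribute name -> list of string values, like an LDAP result."""
    if not is_user_object(entry):
        return False
    uac_values = entry.get("userAccountControl", [])
    # (!(...)) is true when no value asserts the disabled bit; an entry with
    # no userAccountControl at all therefore passes, which is worth knowing.
    return not any(bit_and_matches(v, ACCOUNTDISABLE) for v in uac_values)


def account_state(entry):
    """What a PAM stack sees without the filter: the account exists and is
    enabled or disabled, rather than silently vanishing from the directory."""
    if not is_user_object(entry):
        return "no such user"
    uac = int(entry.get("userAccountControl", ["0"])[0])
    return "disabled" if uac & ACCOUNTDISABLE else "enabled"


# Constructed sample entries (not real directory data).
SAMPLE = {
    "alice": {"objectClass": ["top", "person", "user"], "userAccountControl": ["512"]},
    "bob":   {"objectClass": ["top", "person", "user"], "userAccountControl": ["514"]},
    # 66050 = NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_EXPIRE_PASSWORD
    "carol": {"objectClass": ["top", "person", "user"], "userAccountControl": ["66050"]},
    "staff": {"objectClass": ["top", "group"]},
}


def visible_after_filter(entries):
    """Names the filtered pam_ldap lookup would still return."""
    return sorted(n for n, e in entries.items() if passes_pam_filter(e))
```

Run against the sample entries, only alice survives the filter, while bob and carol are reported as disabled by account_state rather than as nonexistent.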


Samba Auditing

January 18th, 2010 by greg

Sometimes you want logs of who created files, who deleted files, and even who opened files. Samba makes this possible, but not where you’d expect. You’d probably expect to see this if you raised the log level option to a verbose enough number. It turns out that there is a vfs module that does exactly this. It writes the audit records to syslog, so remember that this information goes to syslog, not to your normal Samba log files. Also note that there are two such modules, one named audit and one named full_audit; the example below uses full_audit.

Example share definition using the auditing facility:

[web-sites]
comment = "Web Sites"
# turn on auditing to see what the heck is going on
vfs objects = full_audit
writeable = yes
locking = no
create mask = 0775
directory mask = 0775
force create mode = 0664
force directory mode = 0775
force user = www-data
force group = www-data
path = /var/www-sites/
valid users = @www-data
