[SOLVED] Is “obey pam restrictions” still supposed to work in Samba 4 ?
by stoorky from LinuxQuestions.org on (#5E1DQ)
Hi,
Working on Debian Buster 10.7 / Samba 4.9
The up-to-date Samba doc says (https://www.samba.org/samba/docs/cur...mb.conf.5.html) :
Quote:
Is this still supposed to work with Samba 4 ?
I had some strange result, it seems PAM's restrictions are enforced once, but then not anymore.
I tried to set up a file-size limitation on a Samba share. I'm not talking about quotas, I'm talking about preventing users from storing files that are bigger than 100MB, for example. I used /etc/security/limits.conf for this.
It almost works. Well, it works the first time a user tries to create a file, and then not anymore.
Here's what I did :
- First I defined a hard filesize limit of 100MB for user johndoe in /etc/security/limits.conf : Code:johndoe hard fsize 102400 - Then I added Code:session required pam_limits.so to /etc/pam.d/samba, in order to tell PAM to enforce the limitations
- And finally, I added Code:obey pam restrictions = yes to /etc/samba/smb.conf
At first it seemed promising, when user johndoe tries to copy a file > 100MB, a Windows 10 client throws the following error :
Quote:
(see screenshot)
So far, so good ! That's what I wanted, prevent the user to store a file > 100MB
But if I click on "Try again", the file is copied anyway.
And if I then try to copy more files > 100MB, no more error message is thrown, and the copies proceed.
If user johndoe logs out and back in, same result : the first attempt at copying a file > 100MB throws an error, the following attempts succeed.
So, it seems the restriction I set in /etc/security/limits.conf is only enforced at the first attempt, and is no more enforced afterwards.
Any idea why ? Or any idea how I could achieve my goal (prevent a user to copy a file > 100MB) ?
Working on Debian Buster 10.7 / Samba 4.9
The up-to-date Samba doc says (https://www.samba.org/samba/docs/cur...mb.conf.5.html) :
Quote:
| When Samba 3.0 is configured to enable PAM support (i.e. --with-pam), this parameter will control whether or not Samba should obey PAM's account and session management directives. |
I had some strange result, it seems PAM's restrictions are enforced once, but then not anymore.
I tried to set up a file-size limitation on a Samba share. I'm not talking about quotas, I'm talking about preventing users from storing files that are bigger than 100MB, for example. I used /etc/security/limits.conf for this.
It almost works. Well, it works the first time a user tries to create a file, and then not anymore.
Here's what I did :
- First I defined a hard filesize limit of 100MB for user johndoe in /etc/security/limits.conf : Code:johndoe hard fsize 102400 - Then I added Code:session required pam_limits.so to /etc/pam.d/samba, in order to tell PAM to enforce the limitations
- And finally, I added Code:obey pam restrictions = yes to /etc/samba/smb.conf
At first it seemed promising, when user johndoe tries to copy a file > 100MB, a Windows 10 client throws the following error :
Quote:
| An unexpected error is keeping you from copying the file...An unexpected network error occured |
So far, so good ! That's what I wanted, prevent the user to store a file > 100MB
But if I click on "Try again", the file is copied anyway.
And if I then try to copy more files > 100MB, no more error message is thrown, and the copies proceed.
If user johndoe logs out and back in, same result : the first attempt at copying a file > 100MB throws an error, the following attempts succeed.
So, it seems the restriction I set in /etc/security/limits.conf is only enforced at the first attempt, and is no more enforced afterwards.
Any idea why ? Or any idea how I could achieve my goal (prevent a user to copy a file > 100MB) ?