samba job: put each daemon into its own job file

use start/stop samba-control to start/stop them all You can enable syncing samba passwords when using passwd as well now. However you still have to add a user to the samba user database once using smbpasswd -a username. svn path=/nixos/branches/modular-nixos/; revision=15218
2009-04-21 16:30:32 +00:00 · 2009-04-21 16:30:32 +00:00 · 8237528c4a
commit 8237528c4a
parent 9f8aa03168
4 changed files with 176 additions and 70 deletions
--- a/etc/default.nix
+++ b/etc/default.nix
@ -186,6 +186,9 @@ let
          inherit (pkgs.xorg) xauth;
          inherit pamConsoleHandlers;
          isLDAPEnabled = if isLDAPEnabled then "" else "#";
          syncSambaPasswords = if config.services.samba.syncPasswordsByPam
            then "password   optional     ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"
            else "# change samba configuration options to make passwd sync the samba auth database as well here..";
        };
        target = "pam.d/" + program;
      }
--- a/etc/pam.d/common
+++ b/etc/pam.d/common
@ -6,7 +6,8 @@ auth     required       pam_deny.so
 account  required       @pam_unix2@/lib/security/pam_unix2.so
@isLDAPEnabled@  password sufficient     @pam_ldap@/lib/security/pam_ldap.so 
-password sufficient     @pam_unix2@/lib/security/pam_unix2.so nullok
+password requisite     @pam_unix2@/lib/security/pam_unix2.so nullok
@syncSambaPasswords@
@isLDAPEnabled@  session  optional       @pam_ldap@/lib/security/pam_ldap.so 
 session  required       @pam_unix2@/lib/security/pam_unix2.so
--- a/upstart-jobs/samba.nix
+++ b/upstart-jobs/samba.nix
@ -2,7 +2,7 @@
 ###### interface
 let
-  inherit (pkgs.lib) mkOption mkIf;
+  inherit (pkgs.lib) mkOption mkIf mkAlways;
  options = {
    services = {
@ -12,9 +12,101 @@ let
          default = false;
          description = "
            Whether to enable the samba server. (to communicate with, and provide windows shares)
            use start / stop samba-control to start/stop all daemons.
            smbd and nmbd are not shutdown correctly yet. so just pkill them and restart those jobs.
          ";
        };
        syncPasswordsByPam = mkOption {
          default = false;
          description = "
            enabling this will add a line directly after pam_unix.so.
            Whenever a password is changed the samba password will be updated as well.
            However you still yave to add the samba password once using smbpasswd -a user
            If you don't want to maintain an extra pwd database you still can send plain text
            passwords which is not secure.
          ";
        };
        extraConfig = mkOption {
          default = ''
            # [global] continuing global section here, section is started by nix to set pids etc
              smb passwd file = /etc/samba/passwd
              # is this useful ?
              domain master = auto
              encrypt passwords = Yes
              client plaintext auth = No
              # yes: if you use this you probably also want to enable syncPasswordsByPam
              # no: You can still use the pam password database. However
              # passwords will be sent plain text on network (discouraged)
              workgroup = Users
              server string = %h
              comment = Samba
              log file = /var/log/samba/log.%m
              log level = 10
              max log size = 50000
              security = user
              client lanman auth = Yes
              dns proxy = no
              invalid users = root
              passdb backend = tdbsam
              passwd program = /usr/bin/passwd %u
            ### end [ global ] section
            # Un-comment the following (and tweak the other settings below to suit)
            # to enable the default home directory shares.  This will share each
            # user's home directory as \\server\username
            ;[homes]
            ;   comment = Home Directories
            ;   browseable = no
            ;   writable = no
            # File creation mask is set to 0700 for security reasons. If you want to
            # create files with group=rw permissions, set next parameter to 0775.
            ;   create mask = 0700
            #  this directory and user is created automatically for you by nixos
            ;[default]
            ;  path = /home/smbd
            ;  read only = no
            ;  guest ok = yes
            # this directory and user is created automatically for you by nixos
            ;[default]
            ;  path = /home/smbd
            ;  read only = no
            ;  guest ok = yes
            # additional share example
            ;[raidbackup]
            ;  path = /home/raidbackup/files
            ;  read only = no
            ;  guest ok = no
            ;  available = yes
            ;  browseable = yes
            ;  public = yes
            ;  valid users = raidbackup
            ;  comment = Raid backup Files
          '';
          description = "
            additional global section and extra section lines go in here.
          ";
        };
        configFile = mkOption {
          description = "
            internal use to pass filepath to samba pam module
          ";
        };
      };
    };
  };
@ -23,24 +115,69 @@ in
 ###### implementation
 let
  cfg = config.services.samba;
  user = "smbguest";
  group = "smbguest";
  logDir = "/var/log/samba";
  privateDir = "/var/samba/private";
  #smbConfig = ./smb.conf ;
  smbConfig = pkgs.substituteAll {
    src = ./smb.conf;
    inherit samba;
  };
  inherit (pkgs) samba;
  setupScript = ''
    mkdir -p /var/lock
    if ! test -d /home/smbd ; then
      mkdir -p /home/smbd
      chown ${user} /home/smbd
      chmod a+rwx /home/smbd
    fi
    if ! test -d /var/samba ; then
      mkdir -p /var/samba/locks /var/samba/cores/nmbd  /var/samba/cores/smbd /var/samba/cores/winbindd
    fi
    passwdFile="$(sed -n 's/^.*smb[ ]\+passwd[ ]\+file[ ]\+=[ ]\+\(.*\)/\1/p' /nix/store/nnmrqalldfv2vkwy6qpg340rv7w34lmp-smb.conf)"
    if [ -n "$passwdFile" ]; then
      echo 'INFO: creating directory containing passwd file'
      mkdir -p "$(dirname "$passwdFile")"
    fi
    mkdir -p ${logDir}
    mkdir -p ${privateDir}
  '';
  configFile = pkgs.writeText "smb.conf" ''
    [ global ]
      log file = ${logDir}/log.%m
      private dir = ${privateDir}
      ${if cfg.syncPasswordsByPam then "pam password change = true" else "" /* does this make sense ? */ }
    ${cfg.extraConfig}";
  '';
  daemonJob = appName : args :
    {
      name = "samba-${appName}";
      job = ''
        description "Samba Service daemon ${appName}"
        start on samba-control/started
        stop on samba-control/stop
        respawn ${samba}/sbin/${appName} ${args}
      '';
    };
 in
 mkIf config.services.samba.enable {
  require = [
    options
@ -60,39 +197,39 @@ mkIf config.services.samba.enable {
    ];
  };
-  services = {
+  # always provide a smb.conf to shut up programs like smbclient and smbspool.
-    extraJobs = [{
+  environment = {
-      name = "samba";
+    etc = mkAlways [{
-      job = ''
+      source = if cfg.enable then configFile else pkgs.writeText "smb-dummy.conf" "# samba is disabled. Purpose see samba expression in nixpkgs";
      target = "samba/smb.conf";
      }];
  };
-        description "Samba Service"
+  services = {
    extraJobs = [
    { name = "samba-control"; # start this dummy job to start the real samba daemons nmbd, smbd, winbindd
      job = ''
        description "samba job starting/stopping the real samba jobs";
        start on network-interfaces/started
        stop on network-interfaces/stop
        start script
-
+        ${setupScript}
          if ! test -d /home/smbd ; then 
            mkdir -p /home/smbd
            chown ${user} /home/smbd
            chmod a+rwx /home/smbd
          fi
          if ! test -d /var/samba ; then
            mkdir -p /var/samba/locks /var/samba/cores/nmbd  /var/samba/cores/smbd /var/samba/cores/winbindd
          fi
          ${samba}/sbin/nmbd -D  -s ${smbConfig} &
          ${samba}/sbin/smbd -D  -s ${smbConfig} &
          ${samba}/sbin/winbindd -s ${smbConfig} &
          ln -fs ${smbConfig} /var/samba/config
        end script
-        respawn ${samba}/sbin/nmbd -D -s ${smbConfig} &; ${samba}/sbin/smbd -D -s ${smbConfig} &; ${samba}/sbin/winbindd &
+        respawn sleep 1000000 # !!! hack
        # put the store path here so that daemons are restarted when configuration changes
        # config is ${configFile}
      '';
-    }];
+    }
    # add -S to get debugging output on stdout
    # config directory is passed by configure at compilation time
    ( daemonJob "nmbd" " -i -F" ) # nmbd says "standard input is not a socket, assuming -D option", but using -i makes it stay in foreground (?)
    ( daemonJob "smbd" " -i -F" ) # dito
    ( daemonJob "winbindd" " -F" )
    ];
  };
 }
--- a/upstart-jobs/smb.conf
+++ b/upstart-jobs/smb.conf
@ -1,35 +0,0 @@
 [global]
  workgroup = Users
  server string = %h
  comment = Samba
  log file = /var/log/samba/log.%m
  log level = 10
  max log size = 50000
  security = user
  #must be set to 'no' to use PAM
  encrypt passwords = No
  client plaintext auth = yes
  client lanman auth = Yes
  dns proxy = no
  invalid users = root
  passdb backend = tdbsam
  passwd program = /usr/bin/passwd %u
 #  encrypt passwords = yes
 #  smb passwd file = @samba@/private/smbpasswd
 #[default]
 #  path = /home/smbd
 #  read only = no
 #  guest ok = yes
 [raidbackup]
  path = /home/raidbackup/files
  read only = no
  guest ok = no
  available = yes
  browseable = yes
  public = yes
  valid users = raidbackup
  comment = Raid backup Files