Web lists-archives.com

Re: [Samba] force re-authentication when accessing different shares




On Fri, Jan 18, 2019, 8:15 AM Harald Glanzer via samba <
samba@xxxxxxxxxxxxxxx wrote:

> hi all!
>
> using samba 4.9 to export directories for 'virtual' users, i.e. users which
> have distinct homedirectories and distinct smbpasswd entries under a
> writeable /data partition.
>
> to prevent the need to create /etc/passwd useraccounts (on read-only /), a
> self written libnss modul acts as a source. the lib only checks if the
> homedirectory exists, returns a fake passwd struct, and finally smbpasswd
> backend checks for the correct password.
>
> this solution is working in principal, but the problem is that if (1)
> logging in to a share with one user(with the distinct username/password
> combination), and (2) opening another share (different directory, different
> username, different password), NO password prompt opens, i.e. the (correct)
> share is just delivered by samba.
>
> instead, samba should see different usernames + sharedirectories for (1)
> and (2), and therefor
> refuse access until successful authentication occurs.
>

To my knowledge, from a Windows client, you can't connect to a server
multiple times with different users from the same Windows session. You can
only close the current connection (net use /d ...) before trying to
authenticate again.

It is different to how other clients, for example GNOME Nautilus works
(using gvfs SMB client). Every share connection can use different
authentications being more flexible.


> any ideas?
> regards,
> harri
> ---------------------------------------------- smb.conf
> ----------------------------------------------
> [global]
>     security        = user
>     invalid users        = root
>     encrypt passwords     = yes
>     passdb backend        = smbpasswd
>     smb passwd file        = /data/samba/smbpasswd
>     follow symlinks        = yes
>     wide links        = yes
>     unix extensions        = no
>     ntlm auth        = yes
>     client lanman auth    = yes
>     client ntlmv2 auth    = yes
> [homes]
>     comment            = Data Directory
>     path            = /data/samba/%S
>     browseable        = no
>     read only        = yes
>     valid users        = %S
>     public            = no
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba