
Re: [Samba] force re-authentication when accessing different shares




On 1/21/19 10:24 AM, Harald Glanzer via samba wrote:
hello & thx for your fast response!

i need a way to create samba shares without creating system user accounts:

- add users via smbpasswd with unique password
- no need for a corresponding useraccount in /etc/passwd
- access to the corresponding shares should be independent from any domain
(i.e. the share should be accessible
via windows client)

Isn't this a reimplementation of the winbind nss interface? Why not just use winbind with one of its mapping strategies? I am pretty sure it should work for standalone servers.


to come around the useraccount-restriction (as samba is getting information
via getpwnam_r()) i think a nss module for database 'passwd' is necessary.
i am starting to think that my implementation of
_nss_<sourcename>_getpwnam_r() is wrong

nevertheless, if you can think of any other solution without the need of
interfacing with getpwnam - plz let me know!

thx
hari


On Mon, Jan 21, 2019 at 10:37 AM Rowland Penny via samba <
samba@xxxxxxxxxxxxxxx> wrote:

On Mon, 21 Jan 2019 09:36:13 +0100
Harald Glanzer via samba <samba@xxxxxxxxxxxxxxx> wrote:

that's interesting. shouldn't samba force to authenticate every
distinct username, accessing different shares?

From different clients, yes, but as Samba tries to work just like
Windows, not from the same client. Windows only allows one user at once
to log in, so it only allows one connection to Samba from the Windows
computer.


as written, if i want to access directory /data/samba/username_a, i
need to supply the correct password for username_a, as hashed
in smbpasswd.

That's another thing, you shouldn't be using the smbpasswd passdb, you
should be using tdbsam.


smb.conf:
-------- 8< -------
...
valid users = %S
path = /data/samba/%S
...
-------- 8< -------

if in the next step i want to access /data/samba/username_b, samba
should know that the client which is connecting has not been
authenticated for accessing this different share, and should require
authentication.

If you are connecting from a Windows computer that already has a
connection open, it will use that connection.


the self-written nss source (/etc/nsswitch.conf, additional source
for database 'passwd') installs a handler for getpwnam_r() and returns
a passwd struct. i am confident that the module is not the culprit
for this issue as the password(hash) needs to be checked by smbpasswd
backend anyway.


You appear to be trying to do the reverse of what 'idmap_nss' does, can
I ask why?
Are the Windows computers part of a domain?

Rowland


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

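For reference on the `_nss_<sourcename>_getpwnam_r()` contract discussed in this thread, the following is an added example and not the module from the original post. The source name `smbvirt`, the uid/gid values and the `/usr/sbin/nologin` shell are assumptions; the user names and `/data/samba/` path mirror the ones quoted above.

```c
/* Added example: passwd lookup for a hypothetical glibc NSS source "smbvirt".
 * The user table is constructed sample data. */
#include <errno.h>
#include <nss.h>
#include <pwd.h>
#include <string.h>

struct virt_user { const char *name; uid_t uid; gid_t gid; };
static const struct virt_user users[] = {      /* constructed entries */
    { "username_a", 20001, 20000 },
    { "username_b", 20002, 20000 },
};

/* Copy s into the caller-supplied buffer; return NULL if it does not fit. */
static char *put(char **buf, size_t *left, const char *s)
{
    size_t n = strlen(s) + 1;
    if (n > *left) return NULL;
    char *dst = memcpy(*buf, s, n);
    *buf += n; *left -= n;
    return dst;
}

enum nss_status _nss_smbvirt_getpwnam_r(const char *name, struct passwd *pw,
                                        char *buf, size_t buflen, int *errnop)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        if (strcmp(name, users[i].name) != 0) continue;
        char home[64] = "/data/samba/";        /* table names are short */
        strcat(home, users[i].name);
        /* Every string in *pw must live in buf, never in static or
         * stack memory, because the caller owns the result's lifetime. */
        if (!(pw->pw_name   = put(&buf, &buflen, users[i].name)) ||
            !(pw->pw_passwd = put(&buf, &buflen, "x")) ||
            !(pw->pw_gecos  = put(&buf, &buflen, "")) ||
            !(pw->pw_dir    = put(&buf, &buflen, home)) ||
            !(pw->pw_shell  = put(&buf, &buflen, "/usr/sbin/nologin"))) {
            *errnop = ERANGE;      /* caller retries with a larger buffer */
            return NSS_STATUS_TRYAGAIN;
        }
        pw->pw_uid = users[i].uid;
        pw->pw_gid = users[i].gid;
        return NSS_STATUS_SUCCESS;
    }
    *errnop = ENOENT;              /* unknown name: let the next source try */
    return NSS_STATUS_NOTFOUND;
}
```

glibc loads such a function from `libnss_smbvirt.so.2` when `smbvirt` is listed on the `passwd:` line of /etc/nsswitch.conf.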