samba - Jan 2019 - force re-authentication when accessing different shares

thats interesting. shouldn't samba force to authenticate every distinct
username, accessing different shares?

as written, if i want to access directory /data/samba/username_a, i need to
supply the correct password for username_a, as hashed
in smbpasswd.

smb.conf:
-------- 8< -------
...
valid users = %S
path = /data/samba/%S
...
-------- 8< -------

if in the next step i want to access /data/samba/username_b, samba should
know that the client which is connecting has not been authenticated
for accessing this different share, and should require authentication.

the selft written nss source (/etc/nsswitch.conf, additional source for
database 'passwd') installs a handler for getpwnam_r() and returns
a passwd struct. i am confident that the module is not the culprit for this
issue as the password(hash) needs to be checked by smbpasswd backend anyway.

thx in advance,
hari

On Sat, Jan 19, 2019 at 7:49 PM Robert Marcano via samba <
samba at lists.samba.org> wrote:
> On Fri, Jan 18, 2019, 8:15 AM Harald Glanzer via samba <
> samba at lists.samba.org wrote:
>
> > hi all!
> >
> > using samba 4.9 to export directories for 'virtual' users,
i.e. users
> which
> > have distinct homedirectories and distinct smbpasswd entries under a
> > writeable /data partition.
> >
> > to prevent the need to create /etc/passwd useraccounts (on read-only
/),
> a
> > self written libnss modul acts as a source. the lib only checks if the
> > homedirectory exists, returns a fake passwd struct, and finally
smbpasswd
> > backend checks for the correct password.
> >
> > this solution is working in principal, but the problem is that if (1)
> > logging in to a share with one user(with the distinct
username/password
> > combination), and (2) opening another share (different directory,
> different
> > username, different password), NO password prompt opens, i.e. the
> (correct)
> > share is just delivered by samba.
> >
> > instead, samba should see different usernames + sharedirectories for
(1)
> > and (2), and therefor
> > refuse access until successful authentication occurs.
> >
>
> To my knowledge, from a Windows client, you can't connect to a server
> multiple times with different users from the same Windows session. You can
> only close the current connection (net use /d ...) before trying to
> authenticate again.
>
> It is different to how other clients, for example GNOME Nautilus works
> (using gvfs SMB client). Every share connection can use different
> authentications being more flexible.
>
>
> > any ideas?
> > regards,
> > harri
> > ---------------------------------------------- smb.conf
> > ----------------------------------------------
> > [global]
> >     security        = user
> >     invalid users        = root
> >     encrypt passwords     = yes
> >     passdb backend        = smbpasswd
> >     smb passwd file        = /data/samba/smbpasswd
> >     follow symlinks        = yes
> >     wide links        = yes
> >     unix extensions        = no
> >     ntlm auth        = yes
> >     client lanman auth    = yes
> >     client ntlmv2 auth    = yes
> > [homes]
> >     comment            = Data Directory
> >     path            = /data/samba/%S
> >     browseable        = no
> >     read only        = yes
> >     valid users        = %S
> >     public            = no
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On Mon, 21 Jan 2019 09:36:13 +0100
Harald Glanzer via samba <samba at lists.samba.org> wrote:
> thats interesting. shouldn't samba force to authenticate every
> distinct username, accessing different shares?
From different clients, yes, but as Samba tries to work just like
Windows, not from the same client. Windows only allows one user at once
to log in, so it only allows one connection to Samba from the Windows
computer.
> 
> as written, if i want to access directory /data/samba/username_a, i
> need to supply the correct password for username_a, as hashed
> in smbpasswd.
That's another thing, you shouldn't be using the smbpasswd passdb, you
should be using tdbsam.
> 
> smb.conf:
> -------- 8< -------
> ...
> valid users = %S
> path = /data/samba/%S
> ...
> -------- 8< -------
> 
> if in the next step i want to access /data/samba/username_b, samba
> should know that the client which is connecting has not been
> authenticated for accessing this different share, and should require
> authentication.
If you are connecting from a Windows computer that already has a
connection open, it will use that connection.
> 
> the selft written nss source (/etc/nsswitch.conf, additional source
> for database 'passwd') installs a handler for getpwnam_r() and
returns
> a passwd struct. i am confident that the module is not the culprit
> for this issue as the password(hash) needs to be checked by smbpasswd
> backend anyway.
> 
You appear to be trying to do the reverse of what 'idmap_nss' does, can
I ask why ?
Are the Windows computers part of a domain ?

Rowland

hello & thx for your fast response!

i need a way to create samba shares without creating system user accounts:

- add users via smbpasswd with unique password
- no need for a corresponding useraccount in /etc/passwd
- access to the corresponding shares should be independent from any domain
(i.e. the share should be accessable
via windows client)

to come around the useraccount-restriction (as samba is getting information
via getpwnam_r()) i think a nss module for database 'passwd' is
necessary.
i am starting to think that my implementation of
_nss_<sourcename>_getpwnam_r() is wrong

nevertheless, if you can think of any other solution without the need of
interfacing with getpwnam - plz let me know!

thx
hari


On Mon, Jan 21, 2019 at 10:37 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Mon, 21 Jan 2019 09:36:13 +0100
> Harald Glanzer via samba <samba at lists.samba.org> wrote:
>
> > thats interesting. shouldn't samba force to authenticate every
> > distinct username, accessing different shares?
>
> From different clients, yes, but as Samba tries to work just like
> Windows, not from the same client. Windows only allows one user at once
> to log in, so it only allows one connection to Samba from the Windows
> computer.
>
> >
> > as written, if i want to access directory /data/samba/username_a, i
> > need to supply the correct password for username_a, as hashed
> > in smbpasswd.
>
> That's another thing, you shouldn't be using the smbpasswd passdb,
you
> should be using tdbsam.
>
> >
> > smb.conf:
> > -------- 8< -------
> > ...
> > valid users = %S
> > path = /data/samba/%S
> > ...
> > -------- 8< -------
> >
> > if in the next step i want to access /data/samba/username_b, samba
> > should know that the client which is connecting has not been
> > authenticated for accessing this different share, and should require
> > authentication.
>
> If you are connecting from a Windows computer that already has a
> connection open, it will use that connection.
>
> >
> > the selft written nss source (/etc/nsswitch.conf, additional source
> > for database 'passwd') installs a handler for getpwnam_r() and
returns
> > a passwd struct. i am confident that the module is not the culprit
> > for this issue as the password(hash) needs to be checked by smbpasswd
> > backend anyway.
> >
>
> You appear to be trying to do the reverse of what 'idmap_nss' does,
can
> I ask why ?
> Are the Windows computers part of a domain ?
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba