Harald Glanzer
2019-Jan-21 14:24 UTC
[Samba] force re-authentication when accessing different shares
hello & thx for your fast response!

i need a way to create samba shares without creating system user accounts:

- add users via smbpasswd with unique password
- no need for a corresponding useraccount in /etc/passwd
- access to the corresponding shares should be independent from any domain
  (i.e. the share should be accessible via windows client)

to come around the useraccount-restriction (as samba is getting information
via getpwnam_r()) i think a nss module for database 'passwd' is necessary.
i am starting to think that my implementation of
_nss_<sourcename>_getpwnam_r() is wrong

nevertheless, if you can think of any other solution without the need of
interfacing with getpwnam - plz let me know!

thx
hari

On Mon, Jan 21, 2019 at 10:37 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 21 Jan 2019 09:36:13 +0100
> Harald Glanzer via samba <samba at lists.samba.org> wrote:
>
> > that's interesting. shouldn't samba force to authenticate every
> > distinct username, accessing different shares?
>
> From different clients, yes, but as Samba tries to work just like
> Windows, not from the same client. Windows only allows one user at once
> to log in, so it only allows one connection to Samba from the Windows
> computer.
>
> >
> > as written, if i want to access directory /data/samba/username_a, i
> > need to supply the correct password for username_a, as hashed
> > in smbpasswd.
>
> That's another thing, you shouldn't be using the smbpasswd passdb, you
> should be using tdbsam.
>
> >
> > smb.conf:
> > -------- 8< -------
> > ...
> > valid users = %S
> > path = /data/samba/%S
> > ...
> > -------- 8< -------
> >
> > if in the next step i want to access /data/samba/username_b, samba
> > should know that the client which is connecting has not been
> > authenticated for accessing this different share, and should require
> > authentication.
>
> If you are connecting from a Windows computer that already has a
> connection open, it will use that connection.
>
> >
> > the self-written nss source (/etc/nsswitch.conf, additional source
> > for database 'passwd') installs a handler for getpwnam_r() and returns
> > a passwd struct. i am confident that the module is not the culprit
> > for this issue as the password(hash) needs to be checked by smbpasswd
> > backend anyway.
> >
>
> You appear to be trying to do the reverse of what 'idmap_nss' does, can
> I ask why ?
> Are the Windows computers part of a domain ?
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Robert Marcano
2019-Jan-21 14:43 UTC
[Samba] force re-authentication when accessing different shares
On 1/21/19 10:24 AM, Harald Glanzer via samba wrote:

> hello & thx for your fast response!
>
> i need a way to create samba shares without creating system user accounts:
>
> - add users via smbpasswd with unique password
> - no need for a corresponding useraccount in /etc/passwd
> - access to the corresponding shares should be independent from any domain
> (i.e. the share should be accessible
> via windows client)

Isn't this a reimplementation of the winbind nss interface? Why not just use winbind with one of its mapping strategies. I am pretty sure it should work for standalone servers.

>
> to come around the useraccount-restriction (as samba is getting information
> via getpwnam_r()) i think a nss module for database 'passwd' is necessary.
> i am starting to think that my implementation of
> _nss_<sourcename>_getpwnam_r() is wrong
>
> nevertheless, if you can think of any other solution without the need of
> interfacing with getpwnam - plz let me know!
>
> thx
> hari
>
>
> On Mon, Jan 21, 2019 at 10:37 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Mon, 21 Jan 2019 09:36:13 +0100
>> Harald Glanzer via samba <samba at lists.samba.org> wrote:
>>
>>> that's interesting. shouldn't samba force to authenticate every
>>> distinct username, accessing different shares?
>>
>> From different clients, yes, but as Samba tries to work just like
>> Windows, not from the same client. Windows only allows one user at once
>> to log in, so it only allows one connection to Samba from the Windows
>> computer.
>>
>>>
>>> as written, if i want to access directory /data/samba/username_a, i
>>> need to supply the correct password for username_a, as hashed
>>> in smbpasswd.
>>
>> That's another thing, you shouldn't be using the smbpasswd passdb, you
>> should be using tdbsam.
>>
>>>
>>> smb.conf:
>>> -------- 8< -------
>>> ...
>>> valid users = %S
>>> path = /data/samba/%S
>>> ...
>>> -------- 8< -------
>>>
>>> if in the next step i want to access /data/samba/username_b, samba
>>> should know that the client which is connecting has not been
>>> authenticated for accessing this different share, and should require
>>> authentication.
>>
>> If you are connecting from a Windows computer that already has a
>> connection open, it will use that connection.
>>
>>>
>>> the self-written nss source (/etc/nsswitch.conf, additional source
>>> for database 'passwd') installs a handler for getpwnam_r() and returns
>>> a passwd struct. i am confident that the module is not the culprit
>>> for this issue as the password(hash) needs to be checked by smbpasswd
>>> backend anyway.
>>>
>>
>> You appear to be trying to do the reverse of what 'idmap_nss' does, can
>> I ask why ?
>> Are the Windows computers part of a domain ?
>>
>> Rowland
Rowland Penny
2019-Jan-21 15:00 UTC
[Samba] force re-authentication when accessing different shares
On Mon, 21 Jan 2019 15:24:53 +0100
Harald Glanzer via samba <samba at lists.samba.org> wrote:

> hello & thx for your fast response!
>
> i need a way to create samba shares without creating system user
> accounts:
>
> - add users via smbpasswd with unique password
> - no need for a corresponding useraccount in /etc/passwd

You will need to have your users shown by 'getent passwd', the OS must know your users.

> - access to the corresponding shares should be independent from any
> domain (i.e. the share should be accessible
> via windows client)

Then Samba will need to run as a standalone server

>
> to come around the useraccount-restriction (as samba is getting
> information via getpwnam_r()) i think a nss module for database
> 'passwd' is necessary. i am starting to think that my implementation
> of _nss_<sourcename>_getpwnam_r() is wrong
>
> nevertheless, if you can think of any other solution without the need
> of interfacing with getpwnam - plz let me know!
>

I think you need to look into how Samba uses the idmap backends

Rowland
Rowland Penny
2019-Jan-21 15:04 UTC
[Samba] force re-authentication when accessing different shares
On Mon, 21 Jan 2019 10:43:35 -0400
Robert Marcano via samba <samba at lists.samba.org> wrote:

> On 1/21/19 10:24 AM, Harald Glanzer via samba wrote:
> > hello & thx for your fast response!
> >
> > i need a way to create samba shares without creating system user
> > accounts:
> >
> > - add users via smbpasswd with unique password
> > - no need for a corresponding useraccount in /etc/passwd
> > - access to the corresponding shares should be independent from any
> > domain (i.e. the share should be accessible
> > via windows client)
>
> Isn't this a reimplementation of the winbind nss interface? Why not just
> use winbind with one of its mapping strategies. I am pretty sure it
> should work for standalone servers.
>

idmap_nss maps Unix users to Domain users, it needs users in /etc/passwd, the OP doesn't want this.

Rowland
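
Added example, not written by any poster in this thread: a sketch of the glibc NSS `getpwnam_r` handler contract that the thread's `_nss_<sourcename>_getpwnam_r()` has to follow, answering only for an explicit list of names, with unprivileged UIDs and a no-login shell. The source name `smbvirt`, the user table, and the UID/GID values are constructed assumptions; the home directory follows the `path = /data/samba/%S` line quoted above.

```c
#include <errno.h>
#include <nss.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: the only names this source answers for, all
 * mapped to unprivileged UIDs. A real module would read its own store. */
static const struct { const char *name; uid_t uid; } known_users[] = {
    { "username_a", 60001 },
    { "username_b", 60002 },
};

/* "smbvirt" is a hypothetical source name: nsswitch.conf would then read
 * "passwd: files smbvirt" and the library would be libnss_smbvirt.so.2. */
enum nss_status _nss_smbvirt_getpwnam_r(const char *name, struct passwd *result,
                                        char *buffer, size_t buflen, int *errnop)
{
    for (size_t i = 0; i < sizeof known_users / sizeof known_users[0]; i++) {
        if (strcmp(name, known_users[i].name) != 0)
            continue;
        /* Every string the struct points at must live inside the caller's
         * buffer: name, password placeholder, home directory, shell. */
        static const char pw[] = "x", shell[] = "/usr/sbin/nologin";
        size_t nlen = strlen(name) + 1;
        int hlen = snprintf(NULL, 0, "/data/samba/%s", name) + 1;
        size_t need = nlen + sizeof pw + (size_t)hlen + sizeof shell;
        if (need > buflen) {        /* caller retries with a larger buffer */
            *errnop = ERANGE;
            return NSS_STATUS_TRYAGAIN;
        }
        char *p = buffer;
        result->pw_name = memcpy(p, name, nlen);            p += nlen;
        result->pw_passwd = memcpy(p, pw, sizeof pw);       p += sizeof pw;
        result->pw_dir = p;
        snprintf(p, (size_t)hlen, "/data/samba/%s", name);  p += hlen;
        result->pw_shell = memcpy(p, shell, sizeof shell);
        result->pw_gecos = result->pw_passwd + 1;   /* the "x" terminator: "" */
        result->pw_uid = known_users[i].uid;
        result->pw_gid = 60000;     /* constructed shared group id */
        return NSS_STATUS_SUCCESS;
    }
    *errnop = ENOENT;               /* unknown name: let the next source try */
    return NSS_STATUS_NOTFOUND;
}
```

A handler that returns success for every name it is asked about would give any authenticated Samba name an OS identity, so the explicit lookup and the `NSS_STATUS_NOTFOUND` path matter as much as the success path.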