L. A. Walsh
2005-Aug-02 01:21 UTC
[Samba] Validating as different users, domain user mapping to local (not happening?)
This bounced back from "samba@lists.samba.org", I guess the posting addr is samba@samba.org(?)...

Thierry ITTY wrote:

> maybe
> if you access a share on a server as user1 and want to access another share
> on the same server as user2, windows complains that you can't use different
> credentials at the same time (error 1236 ? I think)

---
Yeah, something similar

> though this doesn't forbid you to have shares accessed as user1 and runas
> something as user2

----
It doesn't seem like it should.

>
> the following works : open a session as user1, access a share, run cmd,
> then "net use" : you will see your share

---
Yes.

> then runas "cmd" as user2. what will happen is that from user2's command
> prompt "net use" will show an empty list.

---
Yes.

> but you'll be able to access the
> same or another share from there and "net use" will show it.

----
Yes. (had to map local account to remote user 'user1'), as local user2 didn't exist on the server.

> user1 and user2 will access their shares each with their own credentials
> even on the same server

---
Yep -- as soon as I created "user2" on the server (:-)).

>
> the following doesn't work : open a session as user1, access a share
> (implicitly "as" user1), access a share as user2 on the same server (net
> use /user:...), this pops up the credentials error message

---
Haven't tried that scenario, specifically. Where I've seen it is on trying to add sharing permissions on a directory:

- Click "Menu" (right click on my mouse) over a folder to share and choose "Sharing and Security".
- Select Sharing tab, select "Share this folder", then select "Permissions". (You can duplicate the problem using the Security tab as well on an NTFS-based directory)
- Click "Add...". On my computer, the *default* location to select objects from is my domain name. If you are not part of a domain, I'm not sure if this error will come up. I should note that my "file server" in my home also functions as the PDC (right now I really only have a 2 computer setup: 1 server (linux based), 1 client (Win XP-Pro)).
- Select a username from the domain (or the computer you have open shares to). (in my case, I chose "user1" using your above examples).
- click "OK";

Now I see a Popup Dialog that says:

***
"Enter Network Password": Enter the name and password of an account with permissions for <DOMAINNAME>.
***

I have tried "user1" as well as "Domain\user1". I get the dual connection error message here:

***
The following error occured while using the username (user1) and password you entered: Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
***

The only way I've gotten around this is by unsharing (net use [drive|sharename] /d).

...

Hm...ok...now RUNAS is working (though not exactly as I'd like...but can probably figure that out by consulting my books)... Seems user@domain doesn't work in simple case -- their example shows: user@domain.microsoft.com. Maybe it needs the dots in the domain name? As for the "\\" syntax...it doesn't want a double slash in front of the domain name and I have to remember to quote the backslash before the user, either double \ or single (not double! *kick self*) quotes around the argument.

> so the only solution I see is : open your session as user1, runas cmd as
> user2 (local program, no problem), access the share where bash is on, then
> run bash from the share

-----
Bash.exe (cygwin toolset) is on the local machine. I can now start bash, but not "explorer". When I try to start Explorer, I get no error message and nothing happens (or starts). Even though my remote user is listed as being in the Domain Admins group, trying to run, say the disk defragmenter gives an error about my remote user not having administrative privileges. Well...guess that's more work to figure out in the future...

> I hoped this too a while ago
> the main difference in such situations is that linux (and other unices)
> sets up "shares" at the system level whereas windows sets them up at the
> user level

----
Yes, I can see that if I log in as a different user.

Thanks for the things to try...made some progress on this-- just have to figure out what is needed for remote users to have their remote privileges.

My original intent was to have my credential information be on the Domain Server (but cached locally), and to have my home directory on the local machine. What I think I ended up with is a local-only account that happens to work with "file-sharing" because the passwords for the two users on the two boxes are the same. I'd wanted "domain based" security and know I had security=domain in my smb.conf file, but it appears to have been removed, perhaps by an upgrade in my SuSE version around December of last year.

Do you happen to know the default for security when a server is set up to be both a domain master and a domain logon server?

Thanks,
Linda

p.s. -- think I'll take a break; at least I know how to get "runas" working -- though I still find the requirement to unmount all my drivers to authenticate users from the domain. But I guess that's another windows bug....(?)...
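An added example, not part of the original post and not Samba's own code: a small Python check for the situation described in the message above, where a `security` line disappears from smb.conf across an upgrade. It compares the `[global]` section of two copies of the file; the sample configurations and the names `parse_global`, `audit_upgrade` and `WATCHED` are constructed for illustration.

```python
import re

# Normalized [global] parameters worth tracking across an upgrade (assumed list).
WATCHED = ("security", "domainlogons", "domainmaster")

OLD_CONF = """\
# constructed sample: smb.conf before the distribution upgrade
[global]
   Security = domain
   domain logons = yes
   domain master = yes
"""
NEW_CONF = """\
; constructed sample: the same file after the upgrade
[global]
   Domain Logons = Yes
   domain master = yes
[homes]
   read only = no
"""

def parse_global(text):
    """Return {normalized_name: value} for the [global] section of smb.conf text."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names.
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def audit_upgrade(old_text, new_text):
    """Return (name, old_value, new_value) for watched settings dropped or changed."""
    old, new = parse_global(old_text), parse_global(new_text)
    return [(k, old[k], new.get(k)) for k in WATCHED
            if k in old and (k not in new or old[k].lower() != new[k].lower())]

if __name__ == "__main__":
    for name, was, now in audit_upgrade(OLD_CONF, NEW_CONF):
        print(f"{name}: was {was!r}, now {now!r} (None = no longer set)")
```

For a parameter that is no longer set, `testparm -v` prints the default value smbd will use.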