spamreceptacle@gmail.com
2007-Sep-26 00:52 UTC
[Samba] Re: Authentication Question; WAS: installing Samba as non-root user
I've played around with this some more. Ideally I'd like to have other users in my group map their home directories using the Samba server that I have daemonized on my Linux machine, as some don't have their own Linux boxes.

Considering I am running this daemon as a non-root user, I am not sure how this works, or if it's even possible. I had another user map her home directory by tunneling to my server, and it worked, however she did not have write access to her home directory. I have added her as a Samba user, using smbpasswd.

Again, it's not clear to me how the authentication is actually happening, even if I were to be running the daemon as root. Since you can add a Samba user with smbpasswd with a password other than their Linux or Unix password, how is it truly authenticating the user? In the case of running the daemon as root, are all actions done by root on behalf of the actual user? But it appears, per the smb.conf man page, that upon every Samba connection, a new daemon is spawned for the user of the client that established that connection. It would then seem that all share accesses are being made by the actual user, as it should be, rather than through root.

If this is true, how then is the user really being authenticated, since never is the Linux password being provided (just the smb password)? Because it would seem that I could set up a user map file to map my Windows username to someone else's Linux username. I could then add that Linux username to Samba using smbpasswd and pick some password for me to know. This would then allow me to access his files. Of course this doesn't work (because I've tried it), so either some true Linux authentication is happening in the background (but how could it without providing it the user's Linux password), or are all share accesses being done by root on behalf of the user, and the assumption is that root would set up the Samba configuration to never allow the kind of unwarranted access that I've described.

If the latter is true, then is there any way to have Samba authenticate a user by checking against the regular Linux password and not the Samba smbpasswd? Essentially, since I am not running the daemon as root, I would need an authentication mechanism that is somehow detached from the local non-root daemon, such as an external authentication server.

If all else fails, I suppose I can have each user install Samba in a public directory on my Linux box (again, since not everyone has his own Linux machine) and launch an individual daemon with their Linux user account to be run on my machine, each with a different port number. This is quite convoluted, which is why I'm hoping someone can offer a solution.

Thanks,
Ben

On 9/25/07, spamreceptacle@gmail.com <spamreceptacle@gmail.com> wrote:
>
> Hi,
>
> I was able to actually get this to work! I successfully mapped my Linux
> home directory within Windows on a non-root smb install.
>
> I was able to get smbd to run OK with the non-standard ports.
>
> I then needed to do ssh tunneling to forward port 139 on a Windows
> Loopback Network device to the non-standard port of 1139 on my Linux box. I
> used a method similar to this.
>
> http://smithii.com/map_a_network_drive_over_ssh_in_windows
>
> I'm now in business.
>
> My next question is, can I have other users in my group map their own home
> directories by using my smbd server that's running on my Linux box?
>
> I'm assuming I'd need to add the users to the smbpasswd file.
>
> But how does that all work? If I were to add another user and choose my
> own password for that user, I'm assuming I can't just map his home drive and
> have full privileges to it (which is not what I want). Does the smbpasswd
> have to match the Linux password for the user? If not, how else would it
> grant proper access to files, if it would seem I can masquerade as this user
> and use an smb password that is different from his own Linux password.
>
> Thanks
Adam Tauno Williams
2007-Sep-26 11:13 UTC
[Samba] Re: Authentication Question; WAS: installing Samba as non-root user
> Considering I am running this daemon as a non-root user, I am not sure how
> this works, or if it's even possible. I had another user map her home
> directory by tunneling to my server, and it worked, however she did not have
> write access to her home directory. I have added her as a Samba user, using
> smbpasswd.
> Again, it's not clear to me how the authentication is actually happening,

Samba authentication and behavior are VERY well documented - RTFM.

> even if I were to be running the daemon as root. Since you can add a Samba
> user with smbpasswd with a password other than their Linux or Unix password,
> how is it truly authenticating the user?

Not "can add a Samba user with smbpasswd", *must* "add a Samba user with smbpasswd". That password is used for authenticating users, and unless you are using some kind of mapping there must be a correspondingly named user available from NSS. All this is explained in the manual.

> In the case of running the daemon
> as root, are all actions done by root on behalf of the actual user? But it
> appears, per the smb.conf man page, that upon every Samba connection, a new
> daemon is spawned for the user of the client that established that
> connection. It would then seem that all share accesses are being made by
> the actual user, as it should be, rather than through root.

A non-root Samba probably can't change its own privileges or effective user id. This is one of the many reasons your configuration will not work. Samba must run as root or you're going to have to jump through endless machinations.

--
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org
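
As an added illustration of the point in the reply above (not part of the thread and not Samba's code): once the smbpasswd check has passed, a file server has to resolve the Unix account through NSS and take on its uid before touching files, and the kernel only permits that switch to a privileged process. The helper names and the uid 54321 are constructed for this example.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Try to take on `target` as effective uid, then switch back.
 * Returns 0 on success, otherwise the errno set by seteuid(). */
int assume_uid(uid_t target)
{
    uid_t original = geteuid();
    if (seteuid(target) != 0)
        return errno;            /* typically EPERM for a non-root daemon */
    /* seteuid() leaves the real uid alone, so switching back is allowed. */
    if (seteuid(original) != 0)
        return errno;
    return 0;
}

/* Resolve a Unix account through NSS, then try to act as it.
 * Returns -1 when NSS has no correspondingly named user. */
int assume_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    return assume_uid(pw->pw_uid);
}

/* A uid that is neither the real nor the effective uid of this process.
 * 54321 is a constructed value, not a real account. */
uid_t foreign_uid(void)
{
    uid_t candidate = 54321;
    while (candidate == getuid() || candidate == geteuid())
        candidate++;
    return candidate;
}

int main(void)
{
    int rc = assume_uid(foreign_uid());
    printf("running with euid %ld\n", (long)geteuid());
    printf("switch to own uid:     %s\n",
           assume_uid(geteuid()) == 0 ? "allowed" : "denied");
    printf("switch to another uid: %s\n",
           rc == 0 ? "allowed" : strerror(rc));
    return 0;
}
```

Run as an ordinary user, the second switch is refused, which is why files served by a non-root daemon are always accessed with the daemon owner's own permissions, whatever name the client logged in with.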