samba - Jan 2019 - force re-authentication when accessing different shares

hi all!

using samba 4.9 to export directories for 'virtual' users, i.e. users
which
have distinct homedirectories and distinct smbpasswd entries under a
writeable /data partition.

to prevent the need to create /etc/passwd useraccounts (on read-only /), a
self written libnss modul acts as a source. the lib only checks if the
homedirectory exists, returns a fake passwd struct, and finally smbpasswd
backend checks for the correct password.

this solution is working in principal, but the problem is that if (1)
logging in to a share with one user(with the distinct username/password
combination), and (2) opening another share (different directory, different
username, different password), NO password prompt opens, i.e. the (correct)
share is just delivered by samba.

instead, samba should see different usernames + sharedirectories for (1)
and (2), and therefor
refuse access until successful authentication occurs.

any ideas?
regards,
harri
---------------------------------------------- smb.conf
----------------------------------------------
[global]
    security        = user
    invalid users        = root
    encrypt passwords     = yes
    passdb backend        = smbpasswd
    smb passwd file        = /data/samba/smbpasswd
    follow symlinks        = yes
    wide links        = yes
    unix extensions        = no
    ntlm auth        = yes
    client lanman auth    = yes
    client ntlmv2 auth    = yes
[homes]
    comment            = Data Directory
    path            = /data/samba/%S
    browseable        = no
    read only        = yes
    valid users        = %S
    public            = no

On Fri, 18 Jan 2019 13:15:09 +0100
Harald Glanzer via samba <samba at lists.samba.org> wrote:
> hi all!
> 
> using samba 4.9 to export directories for 'virtual' users, i.e.
users
> which have distinct homedirectories and distinct smbpasswd entries
> under a writeable /data partition.
> 
> to prevent the need to create /etc/passwd useraccounts (on
> read-only /), a self written libnss modul acts as a source. the lib
> only checks if the homedirectory exists, returns a fake passwd
> struct, and finally smbpasswd backend checks for the correct password.
> 
> this solution is working in principal, but the problem is that if (1)
> logging in to a share with one user(with the distinct
> username/password combination), and (2) opening another share
> (different directory, different username, different password), NO
> password prompt opens, i.e. the (correct) share is just delivered by
> samba.
> 
> instead, samba should see different usernames + sharedirectories for
> (1) and (2), and therefor
> refuse access until successful authentication occurs.
> 
> any ideas?
> regards,
> harri
> ---------------------------------------------- smb.conf
> ----------------------------------------------
> [global]
>     security        = user
>     invalid users        = root
>     encrypt passwords     = yes
>     passdb backend        = smbpasswd
>     smb passwd file        = /data/samba/smbpasswd
>     follow symlinks        = yes
>     wide links        = yes
>     unix extensions        = no
>     ntlm auth        = yes
>     client lanman auth    = yes
>     client ntlmv2 auth    = yes
> [homes]
>     comment            = Data Directory
>     path            = /data/samba/%S
>     browseable        = no
>     read only        = yes
>     valid users        = %S
>     public            = no
How does the OS know who the users are on /data/samba ?
I don't actually think this is Samba problem, it is more likely to be
something in your lib or that the link already establish is being
reused, something that is outside the control of Samba.

It may help if you could explain what you are trying to do and why you
are doing it.

Rowland

On Fri, Jan 18, 2019, 8:15 AM Harald Glanzer via samba <
samba at lists.samba.org wrote:
> hi all!
>
> using samba 4.9 to export directories for 'virtual' users, i.e.
users which
> have distinct homedirectories and distinct smbpasswd entries under a
> writeable /data partition.
>
> to prevent the need to create /etc/passwd useraccounts (on read-only /), a
> self written libnss modul acts as a source. the lib only checks if the
> homedirectory exists, returns a fake passwd struct, and finally smbpasswd
> backend checks for the correct password.
>
> this solution is working in principal, but the problem is that if (1)
> logging in to a share with one user(with the distinct username/password
> combination), and (2) opening another share (different directory, different
> username, different password), NO password prompt opens, i.e. the (correct)
> share is just delivered by samba.
>
> instead, samba should see different usernames + sharedirectories for (1)
> and (2), and therefor
> refuse access until successful authentication occurs.
>
To my knowledge, from a Windows client, you can't connect to a server
multiple times with different users from the same Windows session. You can
only close the current connection (net use /d ...) before trying to
authenticate again.

It is different to how other clients, for example GNOME Nautilus works
(using gvfs SMB client). Every share connection can use different
authentications being more flexible.

> any ideas?
> regards,
> harri
> ---------------------------------------------- smb.conf
> ----------------------------------------------
> [global]
>     security        = user
>     invalid users        = root
>     encrypt passwords     = yes
>     passdb backend        = smbpasswd
>     smb passwd file        = /data/samba/smbpasswd
>     follow symlinks        = yes
>     wide links        = yes
>     unix extensions        = no
>     ntlm auth        = yes
>     client lanman auth    = yes
>     client ntlmv2 auth    = yes
> [homes]
>     comment            = Data Directory
>     path            = /data/samba/%S
>     browseable        = no
>     read only        = yes
>     valid users        = %S
>     public            = no
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

thats interesting. shouldn't samba force to authenticate every distinct
username, accessing different shares?

as written, if i want to access directory /data/samba/username_a, i need to
supply the correct password for username_a, as hashed
in smbpasswd.

smb.conf:
-------- 8< -------
...
valid users = %S
path = /data/samba/%S
...
-------- 8< -------

if in the next step i want to access /data/samba/username_b, samba should
know that the client which is connecting has not been authenticated
for accessing this different share, and should require authentication.

the selft written nss source (/etc/nsswitch.conf, additional source for
database 'passwd') installs a handler for getpwnam_r() and returns
a passwd struct. i am confident that the module is not the culprit for this
issue as the password(hash) needs to be checked by smbpasswd backend anyway.

thx in advance,
hari

On Sat, Jan 19, 2019 at 7:49 PM Robert Marcano via samba <
samba at lists.samba.org> wrote:
> On Fri, Jan 18, 2019, 8:15 AM Harald Glanzer via samba <
> samba at lists.samba.org wrote:
>
> > hi all!
> >
> > using samba 4.9 to export directories for 'virtual' users,
i.e. users
> which
> > have distinct homedirectories and distinct smbpasswd entries under a
> > writeable /data partition.
> >
> > to prevent the need to create /etc/passwd useraccounts (on read-only
/),
> a
> > self written libnss modul acts as a source. the lib only checks if the
> > homedirectory exists, returns a fake passwd struct, and finally
smbpasswd
> > backend checks for the correct password.
> >
> > this solution is working in principal, but the problem is that if (1)
> > logging in to a share with one user(with the distinct
username/password
> > combination), and (2) opening another share (different directory,
> different
> > username, different password), NO password prompt opens, i.e. the
> (correct)
> > share is just delivered by samba.
> >
> > instead, samba should see different usernames + sharedirectories for
(1)
> > and (2), and therefor
> > refuse access until successful authentication occurs.
> >
>
> To my knowledge, from a Windows client, you can't connect to a server
> multiple times with different users from the same Windows session. You can
> only close the current connection (net use /d ...) before trying to
> authenticate again.
>
> It is different to how other clients, for example GNOME Nautilus works
> (using gvfs SMB client). Every share connection can use different
> authentications being more flexible.
>
>
> > any ideas?
> > regards,
> > harri
> > ---------------------------------------------- smb.conf
> > ----------------------------------------------
> > [global]
> >     security        = user
> >     invalid users        = root
> >     encrypt passwords     = yes
> >     passdb backend        = smbpasswd
> >     smb passwd file        = /data/samba/smbpasswd
> >     follow symlinks        = yes
> >     wide links        = yes
> >     unix extensions        = no
> >     ntlm auth        = yes
> >     client lanman auth    = yes
> >     client ntlmv2 auth    = yes
> > [homes]
> >     comment            = Data Directory
> >     path            = /data/samba/%S
> >     browseable        = no
> >     read only        = yes
> >     valid users        = %S
> >     public            = no
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba