Harald Glanzer
2019-Jan-21 14:24 UTC
[Samba] force re-authentication when accessing different shares
hello & thx for your fast response! i need a way to create samba shares without creating system user accounts: - add users via smbpasswd with unique password - no need for a corresponding useraccount in /etc/passwd - access to the corresponding shares should be independent from any domain (i.e. the share should be accessable via windows client) to come around the useraccount-restriction (as samba is getting information via getpwnam_r()) i think a nss module for database 'passwd' is necessary. i am starting to think that my implementation of _nss_<sourcename>_getpwnam_r() is wrong nevertheless, if you can think of any other solution without the need of interfacing with getpwnam - plz let me know! thx hari On Mon, Jan 21, 2019 at 10:37 AM Rowland Penny via samba < samba at lists.samba.org> wrote:> On Mon, 21 Jan 2019 09:36:13 +0100 > Harald Glanzer via samba <samba at lists.samba.org> wrote: > > > thats interesting. shouldn't samba force to authenticate every > > distinct username, accessing different shares? > > From different clients, yes, but as Samba tries to work just like > Windows, not from the same client. Windows only allows one user at once > to log in, so it only allows one connection to Samba from the Windows > computer. > > > > > as written, if i want to access directory /data/samba/username_a, i > > need to supply the correct password for username_a, as hashed > > in smbpasswd. > > That's another thing, you shouldn't be using the smbpasswd passdb, you > should be using tdbsam. > > > > > smb.conf: > > -------- 8< ------- > > ... > > valid users = %S > > path = /data/samba/%S > > ... > > -------- 8< ------- > > > > if in the next step i want to access /data/samba/username_b, samba > > should know that the client which is connecting has not been > > authenticated for accessing this different share, and should require > > authentication. > > If you are connecting from a Windows computer that already has a > connection open, it will use that connection. > > > > > the selft written nss source (/etc/nsswitch.conf, additional source > > for database 'passwd') installs a handler for getpwnam_r() and returns > > a passwd struct. i am confident that the module is not the culprit > > for this issue as the password(hash) needs to be checked by smbpasswd > > backend anyway. > > > > You appear to be trying to do the reverse of what 'idmap_nss' does, can > I ask why ? > Are the Windows computers part of a domain ? > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Robert Marcano
2019-Jan-21 14:43 UTC
[Samba] force re-authentication when accessing different shares
On 1/21/19 10:24 AM, Harald Glanzer via samba wrote:> hello & thx for your fast response! > > i need a way to create samba shares without creating system user accounts: > > - add users via smbpasswd with unique password > - no need for a corresponding useraccount in /etc/passwd > - access to the corresponding shares should be independent from any domain > (i.e. the share should be accessable > via windows client)Is't this a reimplementation on winbind nss interface?. Why not just use winbind with one of it's mapping strategies. I am pretty sure it should work for standalone servers.> > to come around the useraccount-restriction (as samba is getting information > via getpwnam_r()) i think a nss module for database 'passwd' is necessary. > i am starting to think that my implementation of > _nss_<sourcename>_getpwnam_r() is wrong > > nevertheless, if you can think of any other solution without the need of > interfacing with getpwnam - plz let me know! > > thx > hari > > > On Mon, Jan 21, 2019 at 10:37 AM Rowland Penny via samba < > samba at lists.samba.org> wrote: > >> On Mon, 21 Jan 2019 09:36:13 +0100 >> Harald Glanzer via samba <samba at lists.samba.org> wrote: >> >>> thats interesting. shouldn't samba force to authenticate every >>> distinct username, accessing different shares? >> >> From different clients, yes, but as Samba tries to work just like >> Windows, not from the same client. Windows only allows one user at once >> to log in, so it only allows one connection to Samba from the Windows >> computer. >> >>> >>> as written, if i want to access directory /data/samba/username_a, i >>> need to supply the correct password for username_a, as hashed >>> in smbpasswd. >> >> That's another thing, you shouldn't be using the smbpasswd passdb, you >> should be using tdbsam. >> >>> >>> smb.conf: >>> -------- 8< ------- >>> ... >>> valid users = %S >>> path = /data/samba/%S >>> ... >>> -------- 8< ------- >>> >>> if in the next step i want to access /data/samba/username_b, samba >>> should know that the client which is connecting has not been >>> authenticated for accessing this different share, and should require >>> authentication. >> >> If you are connecting from a Windows computer that already has a >> connection open, it will use that connection. >> >>> >>> the selft written nss source (/etc/nsswitch.conf, additional source >>> for database 'passwd') installs a handler for getpwnam_r() and returns >>> a passwd struct. i am confident that the module is not the culprit >>> for this issue as the password(hash) needs to be checked by smbpasswd >>> backend anyway. >>> >> >> You appear to be trying to do the reverse of what 'idmap_nss' does, can >> I ask why ? >> Are the Windows computers part of a domain ? >> >> Rowland >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2019-Jan-21 15:00 UTC
[Samba] force re-authentication when accessing different shares
On Mon, 21 Jan 2019 15:24:53 +0100 Harald Glanzer via samba <samba at lists.samba.org> wrote:> hello & thx for your fast response! > > i need a way to create samba shares without creating system user > accounts: > > - add users via smbpasswd with unique password > - no need for a corresponding useraccount in /etc/passwdYou will need to have your users shown by 'getent passwd', the OS must know your users.> - access to the corresponding shares should be independent from any > domain (i.e. the share should be accessable > via windows client)Then Samba will need to run as a standalone server> > to come around the useraccount-restriction (as samba is getting > information via getpwnam_r()) i think a nss module for database > 'passwd' is necessary. i am starting to think that my implementation > of _nss_<sourcename>_getpwnam_r() is wrong > > nevertheless, if you can think of any other solution without the need > of interfacing with getpwnam - plz let me know! >I think you need to look into how Samba use the idmap backends Rowland
Rowland Penny
2019-Jan-21 15:04 UTC
[Samba] force re-authentication when accessing different shares
On Mon, 21 Jan 2019 10:43:35 -0400 Robert Marcano via samba <samba at lists.samba.org> wrote:> On 1/21/19 10:24 AM, Harald Glanzer via samba wrote: > > hello & thx for your fast response! > > > > i need a way to create samba shares without creating system user > > accounts: > > > > - add users via smbpasswd with unique password > > - no need for a corresponding useraccount in /etc/passwd > > - access to the corresponding shares should be independent from any > > domain (i.e. the share should be accessable > > via windows client) > > Is't this a reimplementation on winbind nss interface?. Why not just > use winbind with one of it's mapping strategies. I am pretty sure it > should work for standalone servers. >idmap_nss maps Unix users to Domain users, it needs users in /etc/passwd, the OP doesn't want this. Rowland
Apparently Analagous Threads
- force re-authentication when accessing different shares
- force re-authentication when accessing different shares
- force re-authentication when accessing different shares
- force re-authentication when accessing different shares
- force re-authentication when accessing different shares