[cifs-protocol] Access check by user x for file y in the context of user z

Adam Simpkins simpkins at neopathnetworks.com
Tue Jan 31 18:18:42 GMT 2006


On Tue, Jan 31, 2006 at 01:54:15PM +0100, Reiterer, Horst wrote:
> Hi Stefan,
> 
> Thanks for your input.
> 
> > In CIFS it's possible to do multiple session setups (with
> > different users) on one CIFS connection
> 
> Session setup of course requires credentials of all users I create a session
> for. In my server application, I only have the credentials of a single
> (privileged) user that is authorized to access the given share. Based on
> that user, I need to check permission of other users for accessing specific
> files - the only thing I have available is the other user's account name.
> 
> Does the protocol support impersonating other users in the context of a
> single session OR performing an access check based on a different account
> name? Judging from the spec, there seems to be no way to accomplish that.
> However, Windows-specific resources do mention that SMB supports
> impersonation.

I believe you're referring to the account delegation functionality in
Windows 2000 and later.  I've also read some documentation about this,
but I've never used it or investigated how it is implemented.

However, my guess is that this is done via Kerberos, instead of via
CIFS.  The MSDN documentation does indicate that account delegation
only works when Kerberos is being used.  A logical way to implement
this would be for the KDC to simply grant the client a ticket for the
user being impersonated.  The client will then have the credentials
(i.e., the ticket) to perform normal CIFS authentication as that user.

Note that the client communicates directly with the KDC in order to
get a ticket; the server is not involved in this process.  The client
then simply sends the ticket to the server (as part of the session
setup) in order to authenticate as the user for which the ticket was
granted.

-- 
Adam Simpkins
simpkins at neopathnetworks.com
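A constructed model of the flow sketched in the reply above (client obtains a ticket for the impersonated user from the KDC, then presents it in a second session setup on the same connection; the server only verifies the ticket under its own key). This is added example code, not anything from the cifs-protocol list or a real CIFS/Kerberos implementation: an HMAC under a shared service key stands in for ticket encryption, and the ACL, user names and key are made up.

```python
import hashlib, hmac, json, time

# Constructed toy model of the exchange described above. An HMAC under the
# service key stands in for Kerberos ticket encryption, and session_setup()
# stands in for the CIFS session setup; nothing here is real protocol code.
SERVICE_KEY = b"cifs/fileserver service key (constructed)"
FILE_ACL = {"payroll.xls": {"alice"}, "notes.txt": {"alice", "bob"}}  # sample

def kdc_issue_ticket(requester, impersonated, service_key, lifetime=300):
    """KDC side: the requesting client, not the file server, talks to the KDC
    and receives a ticket that names the impersonated user for the service."""
    body = json.dumps({"client": impersonated, "requested_by": requester,
                       "expires": time.time() + lifetime}, sort_keys=True)
    mac = hmac.new(service_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

class CifsServer:
    """Server side: checks the ticket at session setup and binds the new UID
    to the principal the ticket names (one identity per session setup)."""
    def __init__(self, service_key):
        self.key, self.sessions, self.next_uid = service_key, {}, 1

    def session_setup(self, ticket):
        expected = hmac.new(self.key, ticket["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ticket["mac"]):
            raise PermissionError("ticket was not issued for this service")
        body = json.loads(ticket["body"])
        if body["expires"] < time.time():
            raise PermissionError("ticket expired")
        uid, self.next_uid = self.next_uid, self.next_uid + 1
        self.sessions[uid] = body["client"]  # identity comes from the ticket only
        return uid

    def can_read(self, uid, filename):
        user = self.sessions.get(uid)
        return user is not None and user in FILE_ACL.get(filename, set())

def demo():
    server = CifsServer(SERVICE_KEY)
    # Second session setup on the same connection, with a ticket for "bob".
    uid_bob = server.session_setup(kdc_issue_ticket("svc", "bob", SERVICE_KEY))
    # A ticket not produced under the service key is refused at session setup.
    try:
        server.session_setup(kdc_issue_ticket("svc", "bob", b"wrong key"))
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    return {"bob_payroll": server.can_read(uid_bob, "payroll.xls"),
            "bob_notes": server.can_read(uid_bob, "notes.txt"),
            "forged_rejected": forged_rejected}
```

The point the model makes is that knowing another account's name is not enough: the server never derives identity from a name the client supplies, only from a ticket the KDC issued under the service key.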