win2K and RH6.2

Armand Welsh armand at welshhome.org
Thu Jan 11 16:54:15 GMT 2001


Share logon, by definition, only needs a password to access a shared
resource, whereas domain logon verifies users against a domain controller.

Essentially, in a share logon state, the username is trusted.  When a user
logs into a network, the network trusts that the user is valid, not
requiring a password check to authenticate the user.  Any authentication
that exists is handled only by the client, if any.  Only when a share is
accessed is there a need for password checks.  The user is considered
trusted, so the only thing needed is the password for the share, which is
almost always NOT THE SAME as the user's password, but rather dependent on
the share or the server hosting the share.  If that is a Windows machine,
then username/password authentication is used on the share.  If it's
Win9x/Win3.11 then it's a single password assigned to the share, and if it's
Samba it's handled however Samba wants to handle it.

from smb.conf man page:

When clients connect to a share level security server they need not log
onto the server with a valid username and password before attempting to
connect to a shared resource (although modern clients such as Windows 95/98
and Windows NT will send a logon request with a username but no password
when talking to a security=share server). Instead, the clients send
authentication information (passwords) on a per-share basis, at the time
they attempt to connect to that share.

Note that smbd *ALWAYS* uses a valid UNIX user to act on behalf of the
client, even in "security=share" level security.

As clients are not required to send a username to the server in share level
security, smbd uses several techniques to determine the correct UNIX user to
use on behalf of the client.

A list of possible UNIX usernames to match with the given client password is
constructed using the following methods:

o      If the "guest only" parameter is set, then all the other stages are
       missed and only the "guest account" username is checked.

o      If a username is sent with the share connection request, then this
       username (after mapping - see "username map") is added as a
       potential username.

o      If the client did a previous "logon" request (the SessionSetup SMB
       call) then the username sent in this SMB will be added as a
       potential username.

o      The name of the service the client requested is added as a potential
       username.

o      The NetBIOS name of the client is added to the list as a potential
       username.

o      Any users on the "user" list are added as potential usernames.

If the "guest only" parameter is not set, then this list is then tried with
the supplied password. The first user for whom the password matches will be
used as the UNIX user.

If the "guest only" parameter is set, or no username can be determined, then
if the share is marked as available to the "guest account", this guest user
will be used, otherwise access is denied.

Note that it can be *very* confusing in share-level security as to which
UNIX username will eventually be used in granting access.

----- Original Message -----
From: "David Hemingway" <david_hemingway at lineone.net>
To: "Hazen Valliant-Saunders" <hazen at potentia.ca>;
<samba-ntdom at us5.samba.org>
Sent: Monday, January 08, 2001 11:00 AM
Subject: RE: win2K and RH6.2


> From this I gather that my win2k server (2000SERVER) is the pdc.
>
> The difference between domain and share logon - I'm not sure but I use the
> following to access a directory on the 2000Server.
> smbmount //2000server/dir /mnt/dir -U admin -P passwd
>
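
The smb.conf excerpt quoted in the message above lists the order in which smbd builds its candidate UNIX usernames under security=share and then tries the supplied password against each one. The following Python model of that procedure is an added illustration, not Samba's own code and not part of the original post; the share definitions, the password table and the client requests are constructed sample values. It shows why the excerpt calls the result "very confusing": when the same share password is valid for more than one UNIX account, the connecting client can end up acting as the service-name account, the NetBIOS-name account or an entry from the "user" list, depending only on what the client happened to send.

```python
"""Model of how smbd chooses a UNIX user in security=share mode, following the
order given in the smb.conf man page excerpt. Added illustration only; the
password table and requests below are constructed, not real accounts."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ShareConfig:
    service: str                       # share (service) name the client asked for
    guest_ok: bool = False             # share is available to the guest account
    guest_only: bool = False           # "guest only" parameter
    user_list: List[str] = field(default_factory=list)   # the "user" parameter


@dataclass
class ConnectRequest:
    password: str                      # per-share password sent at tree connect
    username: Optional[str] = None     # username in the tree-connect, if any
    session_username: Optional[str] = None  # username from an earlier SessionSetup
    netbios_name: Optional[str] = None # NetBIOS name of the client machine


def candidate_users(cfg: ShareConfig, req: ConnectRequest,
                    username_map: Dict[str, str]) -> List[str]:
    """Build the ordered candidate list exactly as the man page lists it."""
    cands: List[str] = []

    def add(name: Optional[str]) -> None:
        if name and name not in cands:
            cands.append(name)

    # 1. username in the connection request, after "username map" translation
    if req.username:
        add(username_map.get(req.username, req.username))
    # 2. username from a previous SessionSetup (modern clients send one, no password)
    add(req.session_username)
    # 3. the service name itself
    add(cfg.service)
    # 4. the client's NetBIOS name
    add(req.netbios_name)
    # 5. everything on the share's "user" list
    for name in cfg.user_list:
        add(name)
    return cands


def resolve_unix_user(cfg: ShareConfig, req: ConnectRequest,
                      unix_passwords: Dict[str, str],
                      username_map: Optional[Dict[str, str]] = None,
                      guest_account: str = "nobody") -> Optional[str]:
    """Return the UNIX user smbd would act as, or None when access is denied."""
    if not cfg.guest_only:
        # Try the candidates in order; the first password match wins.
        for name in candidate_users(cfg, req, username_map or {}):
            if unix_passwords.get(name) == req.password:
                return name
    # "guest only" set, or no candidate matched: guest if the share allows it.
    return guest_account if cfg.guest_ok else None


# Constructed sample data: two unrelated accounts share the same password.
SAMPLE_PASSWORDS = {"alice": "s3cret", "public": "s3cret", "bob": "hunter2"}
PUBLIC_SHARE = ShareConfig(service="public", user_list=["bob"])

# Win9x-style request: no username at all, just the share password.
REQ_NO_USER = ConnectRequest(password="s3cret", netbios_name="WS01")
# Same password, but the client supplied a username in the tree connect.
REQ_ALICE = ConnectRequest(password="s3cret", username="alice", netbios_name="WS01")
# No username; only bob, from the "user" list, holds this password.
REQ_USERLIST = ConnectRequest(password="hunter2", netbios_name="WS01")
# Password matches nobody.
REQ_BAD = ConnectRequest(password="wrong", netbios_name="WS01")


if __name__ == "__main__":
    for label, req in [("no username", REQ_NO_USER), ("alice", REQ_ALICE),
                       ("user list", REQ_USERLIST), ("bad password", REQ_BAD)]:
        print(f"{label:>12}: candidates={candidate_users(PUBLIC_SHARE, req, {})} "
              f"-> {resolve_unix_user(PUBLIC_SHARE, req, SAMPLE_PASSWORDS)}")
```

Running it shows the first request being granted as the UNIX user "public" (the service name matched before anything else), the second as "alice" only because the client volunteered that name, and the third as "bob" purely because he is on the share's "user" list. The fourth is denied unless the share is marked guest ok, in which case it silently becomes the guest account. The order of the candidate list, not the identity of the person typing, decides whose UNIX permissions apply, which is the point the man page is warning about.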