win2K and RH6.2
Armand Welsh
armand at welshhome.org
Thu Jan 11 16:54:15 GMT 2001
Share logon, only needs a password by definition, to access a shared
resource, where domain logon verifies users against a domain controller.
Essentially, in a share logon state, the username is trusted. When a user
logs into a network, the network trusts that the user is valid, not
requiring a password check to authenticate the user. Any authentication
that exists is handled only by the client, if any. Only when a share is
accessed is there a need for password checks. The user is considered
trusted, so the only thing needed is the password for the share, which is
almost always NOT THE SAME as the user's password, but rather dependent on
the share or the server hosting the share. If that is a Windows machine,
then username/password authentication is used on the share. If it's
Win9x/Win3.11 then it's a single password assigned to the share, and if it's
Samba it's handled however Samba wants to handle it.
From the smb.conf man page:
When clients connect to a share level security server they need not log
onto the server with a valid username and password before attempting to
connect to a shared resource (although modern clients such as Windows 95/98
and Windows NT will send a logon request with a username but no password
when talking to a security=share server). Instead, the clients send
authentication information (passwords) on a per-share basis, at the time
they attempt to connect to that share.

Note that smbd *ALWAYS* uses a valid UNIX user to act on behalf of the
client, even in "security=share" level security.

As clients are not required to send a username to the server in share level
security, smbd uses several techniques to determine the correct UNIX user
to use on behalf of the client.

A list of possible UNIX usernames to match with the given client password
is constructed using the following methods :

o If the "guest only" parameter is set, then all the other stages are
missed and only the "guest account" username is checked.

o If a username is sent with the share connection request, then this
username (after mapping - see "username map"), is added as a potential
username.

o If the client did a previous "logon" request (the SessionSetup SMB call)
then the username sent in this SMB will be added as a potential username.

o The name of the service the client requested is added as a potential
username.

o The NetBIOS name of the client is added to the list as a potential
username.

o Any users on the "user" list are added as potential usernames.

If the "guest only" parameter is not set, then this list is then tried with
the supplied password. The first user for whom the password matches will be
used as the UNIX user.

If the "guest only" parameter is set, or no username can be determined,
then if the share is marked as available to the "guest account", then this
guest user will be used, otherwise access is denied.

Note that it can be *very* confusing in share-level security as to which
UNIX username will eventually be used in granting access.
----- Original Message -----
From: "David Hemingway" <david_hemingway at lineone.net>
To: "Hazen Valliant-Saunders" <hazen at potentia.ca>;
<samba-ntdom at us5.samba.org>
Sent: Monday, January 08, 2001 11:00 AM
Subject: RE: win2K and RH6.2
> From this I gather that my win2k server (2000SERVER) is the pdc.
>
> The difference between domain and share logon - I'm not sure but I use the
> following to access a directory on the 2000Server.
> smbmount //2000server/dir /mnt/dir -U admin -P passwd
>
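As an added illustration (not Samba's code, and not part of the original thread), the following model walks through the candidate-username order the smb.conf text above describes for security=share, so an administrator can see which UNIX account a given connection would end up running as. The credential store, share configuration and the `check_password` callback are constructed stand-ins for the real server.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample credential store standing in for the server's password
# check; two UNIX accounts deliberately share a password to show the ambiguity.
PASSWORDS = {"alice": "s3cret", "backup": "s3cret", "bob": "other"}

def check_password(user: str, password: str) -> bool:
    return PASSWORDS.get(user) == password

@dataclass
class ShareConfig:
    guest_only: bool = False          # "guest only" parameter
    guest_ok: bool = False            # share available to the guest account
    guest_account: str = "nobody"     # "guest account" parameter
    user_list: List[str] = field(default_factory=list)   # "user" parameter
    username_map: Dict[str, str] = field(default_factory=dict)  # "username map"

def resolve_unix_user(cfg: ShareConfig, password: str, sent_username: Optional[str] = None,
                      session_username: Optional[str] = None, service: str = "",
                      netbios_name: str = "") -> Tuple[Optional[str], List[str]]:
    """Return (unix_user, candidates_tried); unix_user is None when access is denied.
    Candidate order follows the man page text: tree-connect username (after
    'username map'), SessionSetup username, share name, NetBIOS name, 'user' list."""
    candidates: List[str] = []
    if not cfg.guest_only:
        if sent_username:
            candidates.append(cfg.username_map.get(sent_username, sent_username))
        if session_username:
            candidates.append(session_username)
        if service:
            candidates.append(service)
        if netbios_name:
            candidates.append(netbios_name)
        candidates.extend(cfg.user_list)
        for user in candidates:
            if check_password(user, password):   # first match wins
                return user, candidates
    # "guest only" set, or nobody matched: fall back to the guest account
    # only if the share allows it, otherwise deny.
    if cfg.guest_ok:
        return cfg.guest_account, candidates
    return None, candidates

if __name__ == "__main__":
    cfg = ShareConfig(user_list=["alice"])
    # Same password, no username sent: the share name "backup" is tried first.
    print(resolve_unix_user(cfg, "s3cret", service="backup"))
    # Same password, username sent: alice is tried first and wins instead.
    print(resolve_unix_user(cfg, "s3cret", sent_username="alice", service="backup"))
```

The two calls in the `__main__` block receive the same password but resolve to different UNIX users, which is exactly the confusion the man page warns about.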