Followup on "force user = %S"

[Dan "Effugas" Kaminsky]

-----Original Message-----
From: Jeremy Allison <jallison at cthulhu.engr.sgi.com>
To: Multiple recipients of list <samba-technical at samba.org>
Date: Wednesday, January 06, 1999 1:18 PM
Subject: Re: Followup on "force user = %S"


>Actually, that's not what I told him. He intimated he wanted
>*everyone* attaching to share //server/xyz to access the share
>as user xyz. Only *after* I'd told him to use force user with
>user level security did he reveal he actually wanted to
>*authenticate* as user xyz, but only if the share was xyz.
>
>Of course, this is not possible with "force user" or even with
>user level security (which I also told him to use, given the
>information he supplied).


Hurm.  Based on my understanding of how SMB(heck, most file sharing systems)
work, the system logs you in under a given identity, *then* lets you poke
around to connect to shares and stuff.  What he seems to want above is for
the logged in identity to shift based on where one connects to.  That'd
require tons of Ugly Modification To Samba(TM), I presume.

On the flip side, I see his point.  User Bob, trying to connect to the
\\SERVER\HOME\BOB sharedir, possibly should be able to reauthenticate at the
point of connection to a protected resource.

Of course, all this begs the question, why not use standard unix security
and have all users input into the smbpasswd file to begin with?  Let them
log in whenever they access standard shares.  If there are "guest users",
have a guest account.

Actually, just figured out a quick hack that *MIGHT* do what this guy wants,
though the hack requires changes to the code.  Suppose guest ok = no, and a
user is trying to connect anyway.  Instead of just rejecting them, kill the
link.  Windows should attempt to relogin, and boom, instant login screen at
the requested share.