Followup on "force user = %S"
David Collier-Brown
davecb at Canada.Sun.COM
Wed Jan 6 15:13:25 GMT 1999
In earlier discussion on this list, Thomas R. Stevenson was advised to use "force user = %S" in order to have a connection, for example, from "davecb" at a client machine to //server/xyz authenticated as the user "xyz" on the server.
Alas, this appears to be quite different from what actually occurs in make_connection: the connecting user is authenticated first, as "davecb", then the userid is changed to xyz.
This is, from my limited knowledge, the "right" thing to do: authenticate then force.
However, what the user is trying to do is make the user mappings an automatic part of the [homes] processing, rather than exhaustively listing all the dos user : unix user relations in a manually maintained text file.
I do note that the old "user = " option, when set to %S, will cause
Samba to try the "davecb" account name first, and then clear the default
real name and continue using davecb:
su root -c 'smbclient //elsbeth/davecb'
---
[1999/01/06 09:15:37, 4] passdb/pass_check.c:(791)
Checking password for user davecb (l=8)
[1999/01/06 09:15:37, 3] smbd/password.c:(192)
davecb is in 2 groups: 10, 41
[1999/01/06 09:15:37, 3] smbd/password.c:(270)
uid 57957 registered to name davecb
[1999/01/06 09:15:37, 3] smbd/password.c:(272)
Clearing default real name
...
[1999/01/06 09:15:37, 1] smbd/service.c:(484)
server (129.155.8.39) connect to service davecb as user davecb (uid=57957, gid=10) (pid 28299)
[1999/01/06 09:15:37, 3] smbd/reply.c:(340)
tconX service=davecb user=davecb
---
I wasn't actually expecting that to work!
This is subtly different from the documentation: the smb.conf man page
says:
---
Step 1: If the client has passed a username/password pair and
that username/password pair is validated by the UNIX system's password
programs then the connection is made as that username. Note that this
includes the tt(\\server\service%username) method of passing a
username.
Step 2: If the client has previously registered a username...
Step 3: The client's netbios name and any previously used user
names are checked against the supplied password...
Step 4: If the client has previously validated a
username/password pair ...
Step 5: If a link(bf("user = "))(user) field is given in the
smb.conf file for the service and the client has supplied a password,
and that password matches (according to the UNIX system's password
checking) with one of the usernames from the "user="
field then the connection is made as the username in the
"user=" line.
Step 6: If the service is a guest service...
---
I'm pleased that //server/davecb%davecb works!
I'm mildly amazed that the ordering was such that user=%S worked... I had expected that one of the previous steps would have succeeded instead. Notably step 2, which I had assumed used the username previously sent in the SMBsesssetupX message, long before the SMBtconX.
So: the questions:
1) is //servername/service%service the canonical way to connect to service AS service?
2) is user = %S intended to be evaluated in such a way as to yield the same behavior?
3) shouldn't step 2 override the "user=" hack?
--dave
--
David Collier-Brown, | Always do right. This will gratify some people
185 Ellerslie Ave., | and astonish the rest. -- Mark Twain
Willowdale, Ontario | http://java.science.yorku.ca/~davecb
Work: (905) 477-0437 Home: (416) 223-8968 Email: davecb at canada.sun.com
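
Added example, not part of the original post or of Samba: a small Python audit that pairs each smbd "connect to service" record with the account whose password was checked just before it, and flags connections that end up running as a different account (the authenticate-then-force case described in the post). The second sample session, its address and its ids are constructed, and pairing by adjacency assumes the log holds one session at a time.

```python
import re

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d, \d+\] ")
CHECK = r"Checking password for user (\S+)"
CONNECT = (r"(\S+) \(([\d.]+)\) connect to service (\S+) as user (\S+) "
           r"\(uid=(\d+), gid\s*=(\d+)\) \(pid (\d+)\)")
EVENT = re.compile(CHECK + "|" + CONNECT)

# First session: lines quoted in the post, wrapped as in the e-mail.
# Second session: constructed sample of an authenticate-then-force connection.
SAMPLE = """\
[1999/01/06 09:15:37, 4] passdb/pass_check.c:(791)
Checking password for user davecb (l=8)
[1999/01/06 09:15:37, 3] smbd/password.c:(270)
uid 57957 registered to name davecb
[1999/01/06 09:15:37, 1] smbd/service.c:(484)
server (129.155.8.39) connect to service davecb as user davecb
(uid=57957, gid
=10) (pid 28299)
[1999/01/06 09:20:00, 4] passdb/pass_check.c:(791)
Checking password for user davecb (l=8)
[1999/01/06 09:20:00, 1] smbd/service.c:(484)
client1 (192.0.2.10) connect to service xyz as user xyz (uid=1001, gid=100) (pid 4242)
"""

def audit(log_text):
    """Pair each connect record with the last account whose password was checked."""
    # Drop the "[date, level] file:(line)" headers and join the message lines,
    # so a connect record wrapped across several lines still matches.
    lines = (l.strip() for l in log_text.splitlines())
    body = " ".join(l for l in lines if l and not HEADER.match(l))
    checked, records = None, []
    for m in EVENT.finditer(body):
        if m.group(1):                      # a "Checking password" message
            checked = m.group(1)
            continue
        client, ip, service, user, uid, gid, pid = m.groups()[1:]
        records.append({"client": client, "ip": ip, "service": service,
                        "checked_as": checked, "runs_as": user,
                        "uid": int(uid), "gid": int(gid), "pid": int(pid),
                        # True when the session runs as another account
                        "remapped": checked is not None and checked != user})
        checked = None                      # do not carry over to the next session
    return records

if __name__ == "__main__":
    for rec in audit(SAMPLE):
        print(rec)
```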