VFS Implementation and user authentication

Luke Kenneth Casson Leighton lkcl at samba.org
Tue Sep 12 06:13:39 GMT 2000


not many people grok the difference between user authentication, user
authorisation and user credentials.  i had to have this explicitly
explained to me, recently, although i was subconsciously aware of the
differences from my observations of ntlmssp and netlogon traffic.

user credentials can be TOTALLY different from the user authentication

take a look at the NET_USER_INFO_3 structure.  it contains a username and
domain name.

try modifying the username and domain name in a samba PDC to return, in
the NET_USER_INFO_3 structure, oh, i dunno: Administrator :) :)

guess what happens??? you get logged in as username Administrator,
*regardless* of the username, domain and password you typed in under the
user authentication dialog box.

user authentication info is typically username, domain name, kerberos
realm, password, smart card, optional PIN number.

user authorisation is the process by which a user's authentication details
are verified.

user credentials include such things as the user profile, the username
under which the [now authorised] local session is to be carried out, uid,
gid, secondary groups, home dir, user SID, group SID, group RIDs, etc.

i repeat: the username in the user credentials can bear ABSOLUTELY NO
relation to the username in the user authentication info.


More information about the samba-technical mailing list