VFS Implementation and user authentication

Nicolas Williams Nicolas.Williams at ubsw.com
Tue Sep 12 21:30:30 GMT 2000


> nico,
> 
> not many people grok the difference between user authentication, user
> authorisation and user credentials.  i had to have this explicitly
> explained to me, recently, although i was subconsciously aware of the
> differences from my observations of ntlmssp and netlogon traffic.

I recommend reading the PAM API man pages for a good understanding of
the difference.

> user credentials can be TOTALLY different from the user authentication
> information.

[...]

> user authentication info is typically username, domain name, kerberos
> realm, password, smart card, optional PIN number.

Yup.

> user authorisation is the process by which a user's authentication details
> are verified.

Hmmm. Authentication is the verification of the user's identity.

Authorisation is the verification of the authenticated user's _right_ to
access the desired resource.

> user credentials include such things as the user profile, the username
> under which the [now authorised] local session is to be carried out, uid,
> gid, secondary groups, home dir, user SID, group SID, group RIDs, etc.

Forgive me. I was using Kerberos terminology, wherein "credentials"
refers to forwarded TGTs and proxied service tickets. These tickets name
a user and ALSO provide the ticket holder the right to impersonate that
user to other services.

Is there a better set of words to describe this such that the user
profile information in credentials can be separated, conceptually, while
talking about them, from the impersonation tokens?

I'm willing to learn new terminology, though I cringe every time if the
new terminology does not improve existing terminology.

> i repeat: the username in the user credentials can bear ABSOLUTELY NO
> relation to the username in the user authentication info.

This is quite true. This observation relates to _authorisation_: a
successfully authenticated user may be authorized to use a resource as
a _different_ user.

Think rsh/rlogin: users are authenticated as whoever they claim to be
if their source port is < 1024, but they are authorized to the accounts
they request by the contents of .rhosts in the home directories of the
requested accounts.

> luke


Nico
--
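The rsh/rlogin scheme Nico describes is a compact illustration of the three concepts the thread is arguing about, so here is an added worked example (not code from the thread or from Samba) that models it: authentication produces a principal (the claimed remote user, believed only because the source port is privileged), authorisation consults the *requested* account's `.rhosts` to decide whether that principal may use it, and the result is a credential set (uid, gid, home) that can name a completely different user than the one who authenticated. The account database and the `.rhosts` contents are constructed for the example; the `+` wildcard handling follows the classic `.rhosts` convention.

```python
"""
Authentication vs. authorisation vs. credentials, modelled on rsh/rlogin.

authenticate(): who is calling?  (claimed remote user, trusted only when the
                 connection comes from a privileged source port < 1024)
authorize():    may that caller use the requested local account?
                 (decided by the requested account's own ~/.rhosts)
Credentials:    the identity the local session actually runs as.
"""
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

PRIVILEGED_PORT_MAX = 1023  # rsh/rlogin believe identity claims from ports < 1024


@dataclass(frozen=True)
class Principal:
    """Result of authentication: the verified (well, vouched-for) remote identity."""
    host: str
    user: str


@dataclass(frozen=True)
class Credentials:
    """Result of authorisation: the local account the session is carried out as."""
    account: str
    uid: int
    gid: int
    home: str


# Constructed local account database (what /etc/passwd would supply).
PASSWD = {
    "bob": Credentials("bob", 1001, 1001, "/home/bob"),
    "alice": Credentials("alice", 1002, 1002, "/home/alice"),
}

# Constructed contents of ~bob/.rhosts and ~alice/.rhosts.
RHOSTS = {
    "bob": "trusted.example alice\nbuild.example\n# comments are ignored\n",
    "alice": "",
}


def authenticate(remote_host: str, source_port: int, claimed_user: str) -> Optional[Principal]:
    """rsh-style authentication: the remote host vouches for claimed_user by
    sending from a privileged port; anything else is rejected."""
    if not (1 <= source_port <= PRIVILEGED_PORT_MAX):
        return None
    return Principal(remote_host, claimed_user)


def parse_rhosts(text: str) -> Iterator[Tuple[str, Optional[str]]]:
    """Yield (host, user) pairs; a missing user means 'same name as the local account'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        yield fields[0], (fields[1] if len(fields) > 1 else None)


def authorize(principal: Principal, requested_account: str) -> Optional[Credentials]:
    """Authorisation: the requested account's .rhosts decides, not the
    principal's own name.  '+' matches any host / any user."""
    if requested_account not in PASSWD:
        return None
    for host, user in parse_rhosts(RHOSTS.get(requested_account, "")):
        host_ok = host == "+" or host == principal.host
        if user is None:
            user_ok = principal.user == requested_account
        else:
            user_ok = user == "+" or user == principal.user
        if host_ok and user_ok:
            return PASSWD[requested_account]
    return None


def login(remote_host: str, source_port: int, claimed_user: str,
          requested_account: str) -> Optional[Credentials]:
    """Full rlogin-style flow: authenticate, then authorise, then hand back credentials."""
    principal = authenticate(remote_host, source_port, claimed_user)
    if principal is None:
        return None
    return authorize(principal, requested_account)


if __name__ == "__main__":
    # alice authenticates, but the session credentials are bob's.
    print(login("trusted.example", 1022, "alice", "bob"))
    # Same claim from an unprivileged port: authentication fails outright.
    print(login("trusted.example", 40000, "alice", "bob"))
```

The point to notice is that `authorize()` never compares the principal's username with the requested account except in the implicit same-name case: the username in the resulting credentials is whatever `.rhosts` permits, which is exactly the "can bear absolutely no relation" observation in the thread.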