I think MS just did us (and themselves) a disservice.

Richard Sharpe sharpe at ns.aus.com
Wed Jan 10 19:04:11 GMT 2001


At 08:01 PM 1/10/01 +0000, David Flynn wrote:
>>  Gouget writes:
>> >
>> >   This has been there since at least NT 3.51. I've never been able to
>> >connect to a server with two different ids.
>> >
>> >   Also, despite what they say, I suspect it's not for security reasons
>> >but truly because of _bad_ design. Or at least it must be simpler for
>> >them to handle it that way.
>>
>> I miss this. When we used to have Windows 3.1 and PC-NFS I used to
>> connect over a dozen drive letters to different servers using up to 3 or 4
>> IDs, it made management much easier!
>>
>
>the problem is using a single server.  you can not connect to the _same_

Yes                     ^^^^^^^^^^^^^

>server with different credentials.  it's annoying, sure, what you said is
>true and still can be done, you can connect to MANY different servers with
>different credentials, but not to a single server.

I think that, fundamentally, this is a problem with the protocol, bequeathed
to us by IBM, but modified by MS in places, and the implementation used by
everyone.

Let me explain.

Authentication is done by sending a sessionsetup&X request, which contains
the username and password proof.  There is no concept of authenticating for
separate sessions.

Later, when you want to access a share, you send the request to access the
share over the TCP connection set up to that system earlier. All access to
shares on the one system is sent over the single TCP connection to that
system. You cannot authenticate as a different user for another share
because that would require a logoff as the previous user and a logon as the
new user. This may compromise security, and would involve losing the old
shares, and so on.

However, you can authenticate as a different user if you can set up a new
TCP connection to the target system. I have observed that the only way you
can manage this is:

  - Use a different NetBIOS name for the target system. While Samba allows
    a server to have multiple NetBIOS names, I am not sure that Windows
    does.  When you connect to a server using a different NetBIOS name 
    from a Windows client, the redirector sets up a new TCP connection.

  - Use the IP address of the server if the client allows that.

Both of these are limited, in that you may be able to authenticate twice,
or three times, but not more than the number of NetBIOS names + n (for the
IP addresses the server has) supported by the server.

>> Barry V Dean
>
>Dave
>
>
>
>

Regards
-------
Richard Sharpe, sharpe at ns.aus.com
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba
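
The behaviour described in this message, as a small Python model added here (it is not code from the post or from Samba): a client keeps one connection per target name, each connection carries one authenticated user, and a second identity only works through a different name or IP address. The class and function names, the server names and the 192.0.2.10 address are constructed for the example.

```python
from dataclasses import dataclass, field

class CredentialConflict(Exception):
    """A share was requested as a second user over an existing connection."""

@dataclass
class Connection:
    """One TCP connection; its Session Setup bound it to a single user."""
    target: str                      # name or IP the client used for the server
    user: str
    shares: set = field(default_factory=set)

class Redirector:
    """Hypothetical client: one connection per target string, as the post observes."""
    def __init__(self):
        self.connections = {}        # normalised target -> Connection

    def use(self, target, share, user):
        key = target.upper()         # NetBIOS names compare case-insensitively
        conn = self.connections.get(key)
        if conn is None:
            # Unseen target string: new TCP connection and new Session Setup.
            conn = self.connections[key] = Connection(key, user)
        elif conn.user != user:
            # Known target: the share request would ride the existing
            # connection, which is already authenticated as another user.
            raise CredentialConflict(f"{target} already in use as {conn.user}")
        conn.shares.add(share)
        return conn

def max_identities(netbios_names, ip_addresses):
    """Upper bound from the post: NetBIOS names plus IP addresses of the server."""
    return len({n.upper() for n in netbios_names}) + len(set(ip_addresses))

def demo():
    """Constructed scenario: one server reachable by two names and one address."""
    r = Redirector()
    r.use("FILESRV", "docs", "alice")
    r.use("filesrv", "src", "alice")          # same user: connection is reused
    try:
        r.use("FILESRV", "admin", "bob")      # second identity, same name
        refused = False
    except CredentialConflict:
        refused = True
    r.use("FILESRV-ALT", "admin", "bob")      # alias: separate connection
    r.use("192.0.2.10", "backup", "carol")    # IP address: separate connection
    return refused, {k: c.user for k, c in r.connections.items()}

if __name__ == "__main__":
    print(demo(), max_identities(["FILESRV", "FILESRV-ALT"], ["192.0.2.10"]))
```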





