I think MS just did us (and themselves) a disservice.

Martin Kuhne mkuhne at microsoft.com
Thu Jan 11 10:22:13 GMT 2001


Sorry, you are wrong.
cf. CIFS spec section "2.8  Security Model"

Martin

-----Original Message-----
From: Richard Sharpe [mailto:sharpe at ns.aus.com]
Sent: Wednesday, January 10, 2001 8:04 PM
To: David Flynn; Francois Gouget; B.V.Dean
Cc: samba-technical at samba.org
Subject: Re: I think MS just did us (and themselves) a disservice.


At 08:01 PM 1/10/01 +0000, David Flynn wrote:
>>  Gouget writes:
>> >
>> >   This has been there since at least NT 3.51. I've never been able to
>> >connect to a server with two different ids.
>> >
>> >   Also, despite what they say, I suspect it's not for security reasons
>> >but truly because of _bad_ design. Or at least it must be simpler for
>> >them to handle it that way.
>>
>> I miss this. When we used to have Windows 3.1 and PC-NFS I used to
>> connect over a dozen drive letters to different servers using up to 3 or
>> 4 IDs, it made management much easier!
>>
>
>the problem is using a single server.  you can not connect to the _same_

Yes                     ^^^^^^^^^^^^^

>server with different credentials.  it's annoying, sure, what you said is
>true and still can be done, you can connect to MANY different servers with
>different credentials, but not to a single server.

I think that, fundamentally, this is a problem with the protocol, bequeathed
to us by IBM, but modified by MS in places, and the implementation used by
everyone.

Let me explain.

Authentication is done by sending a sessionsetup&X request, which contains
the username and password proof.  There is no concept of authenticating for
separate sessions.

Later, when you want to access a share, you send the request to access the
share over the TCP connection set up to that system earlier. All access to
shares on the one system is sent over the single TCP connection to that
system. You cannot authenticate as a different user for another share
because that would require a logoff as the previous user and a logon as the
new user. This may compromise security, and would involve losing the old
shares, and so on.

However, you can authenticate as a different user if you can set up a new
TCP connection to the target system. I have observed that the only way you
can manage this is:

  - Use a different NetBIOS name for the target system. While Samba allows
    a server to have multiple NetBIOS names, I am not sure that Windows
    does.  When you connect to a server using a different NetBIOS name
    from a Windows client, the redirector sets up a new TCP connection.

  - Use the IP address of the server if the client allows that.

Both of these are limited, in that you may be able to authenticate twice,
or three times, but not more than the number of NetBIOS names + n (for the
IP addresses the server has) supported by the server.

>> Barry V Dean
>
>Dave
>
>
>
>

Regards
-------
Richard Sharpe, sharpe at ns.aus.com
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba
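The check below is an added example and is not part of the thread above; it
reproduces, from a Windows client, the behaviour Richard describes (one set of
credentials per server name, a second set only over a separate transport
connection reached through another name or the IP address). Whether the
protocol itself requires this is the point Martin disputes by citing the CIFS
security model section; the script only shows what the Windows redirector
does. The server name FILESRV, its address 192.0.2.10, the shares "finance"
and "public", and the accounts CORP\alice and CORP\bob are all hypothetical.

```powershell
# Added example (not from the thread): exercise the Windows redirector's
# one-credential-per-server rule and the second-name / IP workaround.
# Hypothetical names: server FILESRV (192.0.2.10), shares "finance" and
# "public", accounts CORP\alice and CORP\bob. Run on a Windows client.

function Connect-Share {
    param(
        [string]$UncPath,
        [string]$User,
        [string]$Password
    )
    # net use exits non-zero on failure; on a credential collision the
    # message is "System error 1219 has occurred. Multiple connections to a
    # server or shared resource by the same user, using more than one user
    # name, are not allowed."
    $out = & cmd /c "net use $UncPath /user:$User $Password 2>&1" | Out-String
    [pscustomobject]@{
        Path    = $UncPath
        User    = $User
        Success = ($LASTEXITCODE -eq 0)
        Message = $out.Trim()
    }
}

# Start from a clean slate so earlier mappings do not mask the result.
& cmd /c "net use * /delete /y" | Out-Null

# 1. First credential to the server: expected to succeed.
Connect-Share '\\FILESRV\finance' 'CORP\alice' 'AlicePass1'

# 2. Second credential to the SAME server name: expected to fail with 1219,
#    even though it is a different share, because the redirector reuses the
#    existing connection to FILESRV and its session.
Connect-Share '\\FILESRV\public' 'CORP\bob' 'BobPass1'

# 3. Same share reached under another name (the IP address here; an extra
#    NetBIOS name or the FQDN behaves the same): the redirector treats it as
#    a different server, opens a new transport connection and logs bob on.
Connect-Share '\\192.0.2.10\public' 'CORP\bob' 'BobPass1'

# The mapping table lists FILESRV and 192.0.2.10 as distinct remote names
# even though they are one machine; that is the limit Richard describes:
# one extra credential per additional name the server answers to.
& cmd /c "net use"
```

Running the three steps in order is what matters: step 2 only fails while
alice's mapping from step 1 is still in place, and step 3 succeeds only
because the target string differs from the one used in step 1.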
