I think MS just did us (and themselves) a disservice.
mkuhne at microsoft.com
Thu Jan 11 10:22:13 GMT 2001
Sorry, you are wrong.
cf. CIFS spec section "2.8 Security Model"
From: Richard Sharpe [mailto:sharpe at ns.aus.com]
Sent: Wednesday, January 10, 2001 8:04 PM
To: David Flynn; Francois Gouget; B.V.Dean
Cc: samba-technical at samba.org
Subject: Re: I think MS just did us (and themselves) a disservice.
At 08:01 PM 1/10/01 +0000, David Flynn wrote:
>> Gouget writes:
>> > This has been there since at least NT 3.51. I've never been able
>> >connect to a server with two different ids.
>> > Also, despite what they say, I suspect it's not for security
>> >but truly because of _bad_ design. Or at least it must be simpler
>> >them to handle it that way.
>> I miss this. When we used to have Windows 3.1 and PC-NFS I used to
>> connect over a dozen drive letters to different servers using up to 3
>> it made management much easier!
>the problem is using a single server. you can not connect to the
>server with different credentials. it's annoying, sure, what you said
>true and still can be done, you can connect to MANY different servers
>different credentials, but not to a single server.
I think that, fundamentally, this is a problem with the protocol,
to us by IBM, but modified by MS in places, and the implementation used
Let me explain.
Authentication is done by sending a sessionsetup&X request, which
the username and password proof. There is no concept of authenticating
Later, when you want to access a share, you send the request to access
share over the TCP connection set up to that system earlier. All access
shares on the one system are sent over the single TCP connection to that
system. You cannot authenticate as a different user for another share
because that would require a logoff as the previous user and a logon as
new user. This may compromise security, and would involve losing the old
shares, and so on.
However, you can authenticate as a different user if you can set up a
TCP connection to the target system. I have observed that the only way
can manage this is:
- Use a different NetBIOS name for the target system. While Samba
a server to have multiple NetBIOS names, I am not sure that Windows
does. When you connect to a server using a different NetBIOS name
from a Windows client, the redirector sets up a new TCP connection.
- Use the IP address of the server if the client allows that.
Both of these are limited, in that you may be able to authenticate
or three times, but not more than the number of NetBIOS names + n (for
IP addresses the server has) supported by the server.
>> Barry V Dean
Richard Sharpe, sharpe at ns.aus.com
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba
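One way to check the question argued above against a capture, as an added example that is not part of the thread or of Samba's code: every SMB1 message begins with a fixed 32-byte header carrying separate UID and TID fields, so the replies seen on one TCP connection can be tabulated by the UID each share was connected under. The function names and the header-only sample messages are constructed for illustration.

```python
import struct

# Fixed 32-byte SMB1 header, little-endian: magic, command, status, flags,
# flags2, PID high, signature, reserved, TID, PID low, UID, MID.
HEADER = struct.Struct("<4sBIBHH8sHHHHH")
SESSION_SETUP_ANDX = 0x73
TREE_CONNECT_ANDX = 0x75
FLAG_REPLY = 0x80  # set in the flags byte of server responses


def parse_header(msg):
    """Return the header fields needed to attribute a message to a user."""
    if len(msg) < HEADER.size:
        raise ValueError("short SMB message")
    (magic, command, status, flags, _flags2, _pid_high, _sig,
     _reserved, tid, _pid, uid, mid) = HEADER.unpack_from(msg)
    if magic != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    return {"command": command, "status": status,
            "reply": bool(flags & FLAG_REPLY),
            "tid": tid, "uid": uid, "mid": mid}


def sessions_on_connection(messages):
    """Map each UID the server issued to the TIDs connected under it."""
    sessions = {}
    for msg in messages:
        h = parse_header(msg)
        if not h["reply"] or h["status"] != 0:
            continue  # only successful server replies assign UIDs and TIDs
        if h["command"] == SESSION_SETUP_ANDX:
            sessions.setdefault(h["uid"], set())
        elif h["command"] == TREE_CONNECT_ANDX:
            sessions.setdefault(h["uid"], set()).add(h["tid"])
    return sessions


def _reply(command, uid, tid, mid, status=0):
    # Constructed header-only reply; real messages carry a body after it.
    return HEADER.pack(b"\xffSMB", command, status, FLAG_REPLY, 0, 0,
                       b"\0" * 8, 0, tid, 1, uid, mid)


# Constructed sample: replies observed on a single TCP connection.
SAMPLE_CONNECTION = [
    _reply(SESSION_SETUP_ANDX, uid=0x0800, tid=0, mid=1),
    _reply(TREE_CONNECT_ANDX, uid=0x0800, tid=1, mid=2),
    _reply(SESSION_SETUP_ANDX, uid=0, tid=0, mid=3, status=0xC000006D),
    _reply(SESSION_SETUP_ANDX, uid=0x0801, tid=0, mid=4),
    _reply(TREE_CONNECT_ANDX, uid=0x0801, tid=2, mid=5),
]
```

A result with more than one UID key means the server accepted more than one authenticated session on that connection; a single key means every share on it was reached as the same user.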