I think MS just did us (and themselves) a disservice.

Martin Kuhne mkuhne at microsoft.com
Thu Jan 11 10:22:13 GMT 2001

Sorry, you are wrong.
cf. CIFS spec section "2.8  Security Model"


-----Original Message-----
From: Richard Sharpe [mailto:sharpe at ns.aus.com]
Sent: Wednesday, January 10, 2001 8:04 PM
To: David Flynn; Francois Gouget; B.V.Dean
Cc: samba-technical at samba.org
Subject: Re: I think MS just did us (and themselves) a disservice.

At 08:01 PM 1/10/01 +0000, David Flynn wrote:
>>  Gouget writes:
>> >
>> >   This has been there since at least NT 3.51. I've never been able
>> >connect to a server with two different ids.
>> >
>> >   Also, despite what they say, I suspect it's not for security
>> >but truly because of _bad_ design. Or at least it must be simpler
>> >them to handle it that way.
>> I miss this. When we used to have Windows 3.1 and PC-NFS I used to
>> connect over a dozen drive letters to different servers using up to 3
>> or 4
>> it made management much easier!
>the problem is using a single server.  you can not connect to the

Yes                     ^^^^^^^^^^^^^

>server with different credentials.  its annoying, sure, what you said
>true and still can be done, you can connect to MANY different servers
>different credentials, but not to a single server.

I think that, fundamentally, this is a problem with the protocol,
to us by IBM, but modified by MS in places, and the implementation used

Let me explain.

Authentication is done by sending a sessionsetup&X request, which
the username and password proof.  There is no concept of authenticating
separate sessions.

Later, when you want to access a share, you send the request to access
share over the TCP connection set up to that system earlier. All access
shares on the one system are sent over the single TCP connection to that
system. You cannot authenticate as a different user for another share
because that would require a logoff as the previous user and a logon as
new user. This may compromise security, and would involve losing the old
shares, and so on.

However, you can authenticate as a different user if you can set up a
TCP connection to the target system. I have observed that the only way
can manage this is:

  - Use a different NetBIOS name for the target system. While Samba
    a server to have multiple NetBIOS names, I am not sure that Windows
    does.  When you connect to a server using a different NetBIOS name 
    from a Windows client, the redirector sets up a new TCP connection.

  - Use the IP address of the server if the client allows that.

Both of these are limited, in that you may be able to authenticate
or three times, but not more than the number of NetBIOS names + n (for
IP addresses the server has) supported by the server.

>> Barry V Dean

Richard Sharpe, sharpe at ns.aus.com
Samba (Team member, www.samba.org), Ethereal (Team member, www.zing.org)
Contributing author, SAMS Teach Yourself Samba in 24 Hours
Author, Special Edition, Using Samba
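The behaviour Richard describes above (one authenticated SMB session per server name on the client side, so a second identity to the same name is refused, while a second name or the bare IP address gets its own TCP connection and its own SessionSetupAndX) is easy to observe from a Windows client with `net use`. The following script is an added illustration, not part of the thread; the host name FILESRV, the alias FILESRV-ALT, the address 192.0.2.10, the share names and the DOMAIN\alice, bob and carol accounts are all made up, and FILESRV-ALT is assumed to resolve to the same host as FILESRV.

```batch
@echo off
REM Added example, not from the mailing-list thread. All names, shares,
REM accounts and the 192.0.2.10 address are invented for illustration;
REM FILESRV and FILESRV-ALT are assumed to both resolve to 192.0.2.10.

REM 1. First mapping: the redirector opens a TCP connection to \\FILESRV
REM    and authenticates the session as DOMAIN\alice (SessionSetupAndX).
net use X: \\FILESRV\finance /user:DOMAIN\alice *

REM 2. A second share on the SAME server name with OTHER credentials.
REM    The redirector already holds a session to \\FILESRV as alice and
REM    will not re-authenticate it, so this fails with
REM    "System error 1219 has occurred. Multiple connections to a server
REM    or shared resource by the same user, using more than one user
REM    name, are not allowed."
net use Y: \\FILESRV\engineering /user:DOMAIN\bob *
if errorlevel 1 echo Expected: same server name, different user is refused.

REM 3. Workaround (a): a different name for the same host. The redirector
REM    keys its session table by the name as typed, so a new TCP
REM    connection is opened and a fresh SessionSetupAndX is done as bob.
net use Y: \\FILESRV-ALT\engineering /user:DOMAIN\bob *

REM 4. Workaround (b): the raw IP address counts as yet another name.
net use Z: \\192.0.2.10\public /user:DOMAIN\carol *

REM One line per mapping. The credentials are not shown here, but the
REM three distinct server names are why three identities can coexist.
net use

REM Clean up the mappings made above.
net use X: /delete /y
net use Y: /delete /y
net use Z: /delete /y
```

The trailing `*` makes `net use` prompt for the password rather than putting it on the command line (and in the command history). For the alias in step 3 to work, the name must resolve to the host and the server must answer to it; on a Samba server that is the `netbios aliases` parameter in the `[global]` section of smb.conf, which is the "multiple NetBIOS names" Richard refers to. On current Windows clients the fully qualified DNS name and the short name are likewise treated as distinct servers, which is the same trick with a name that already exists. Whichever name is used, the limit Richard states still holds: one identity per distinct server name or address, and no more.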
