Smb multi-sessions, samba3.0.2pre1

Jianliang Lu at
Tue Jan 20 11:25:58 GMT 2004

> On Tue, 2004-01-20 at 20:27, Jianliang Lu wrote:
> NT does not have the concept to 'force user'.  When we act on 'force
> user', I ensure that the second VUID (smb_uid) cannot access that share,
> as they will not have passed the access control tests.  Perhaps this
> could be looked at again.
> > That I'd like to avoid is to set the user's uid = 0, it is so ugly. We 
> > should use "admin users" instead until we have not implemented the 
> > "user provileges". Any patch to set euid=0 looking at not only the conn-
> > but also the smb_uid?
> This is what our standard behaviour is.
> Andrew Bartlett

I think that we should perform the access check using the uid (smb_uid), not 
the Tid to admin_users. Following are the descriptions of "CIFS 1.0" of SNIA, 
page 22:

 3.2.6 Uid Field
  Uid is a reference number assigned by the server after a user authenticates 
  to it, and that it will associate with that user until client requests the
  association be broken. ... Requests that do authorization, such as open
  requests, will perform access checks using the identity associated with the

So if we want grant the root privilege to a user (set euid=0) we should  
associate it with the Uid, not the Tid. Now Samba did "set_admin_user" in 
function "make_connection_snum" with conn->admin that implicate that we 
should check the Tid to have certain privilege. I suppose that may be more 
correct to do the "set_admin_user" in "change_to_user", checking the vuid 
in "admin users".

Jianliang Lu

TieSse s.p.a.     Ivrea (To) - Italy at   luj at

More information about the samba-technical mailing list