Smb multi-sessions, samba3.0.2pre1

Andrew Bartlett abartlet at
Tue Jan 20 12:32:27 GMT 2004

On Tue, 2004-01-20 at 22:25, Jianliang Lu wrote:
> > On Tue, 2004-01-20 at 20:27, Jianliang Lu wrote:
> > NT does not have the concept to 'force user'.  When we act on 'force
> > user', I ensure that the second VUID (smb_uid) cannot access that share,
> > as they will not have passed the access control tests.  Perhaps this
> > could be looked at again.
> > 
> > > That I'd like to avoid is to set the user's uid = 0, it is so ugly. We 
> > > should use "admin users" instead until we have not implemented the 
> > > "user privileges". Any patch to set euid=0 looking at not only the
> > > conn->uid but also the smb_uid?
> > 
> > This is what our standard behaviour is.
> > 
> > Andrew Bartlett
> > 
> I think that we should perform the access check using the uid (smb_uid), not 
> the Tid to admin_users. Following are the descriptions of "CIFS 1.0" of SNIA, 
> page 22:

Admin users is a special case, because admin users is a *per share*
option.  Therefore, like 'force user =', we must honour it in a secure
way, per-share.  

>  3.2.6 Uid Field
>   Uid is a reference number assigned by the server after a user authenticates 
>   to it, and that it will associate with that user until client requests the
>   association be broken. ... Requests that do authorization, such as open
>   requests, will perform access checks using the identity associated with the
>   Uid.

And when we are not playing samba-specific hacks, and are not in
'security=share', this is what we do.

> So if we want to grant the root privilege to a user (set euid=0) we should 
> associate it with the Uid, not the Tid. Now Samba did "set_admin_user" in 
> function "make_connection_snum" with conn->admin that implies that we 
> should check the Tid to have certain privilege. I suppose that may be more 
> correct to do the "set_admin_user" in "change_to_user", checking the vuid 
> in "admin users".

Indeed, if admin users were a global parameter.  People (for some
reason) want to give users root on only one share, hence this parameter.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
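
A simplified C model, added here as an example and not taken from Samba's source, of the two placements discussed in this thread for the 'admin users' decision: recorded once on the tree connection (Tid), or evaluated for each requesting Uid against that share's own list. The struct names, function names and sample users are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Simplified model; every name here is hypothetical, not a Samba structure. */
struct share   { const char *name; const char *admin_users[4]; };
struct session { int vuid; const char *user; uid_t uid; };  /* one per Uid */
struct conn    { const struct share *share; int admin; };   /* one per Tid */

static int in_admin_users(const struct share *sh, const char *user)
{
    for (int i = 0; i < 4 && sh->admin_users[i]; i++)
        if (strcmp(sh->admin_users[i], user) == 0)
            return 1;
    return 0;
}

/* Tree connect: the decision is made once, for the session that connects. */
struct conn tree_connect(const struct share *sh, const struct session *se)
{
    struct conn c = { sh, in_admin_users(sh, se->user) };
    return c;
}

/* Model A: trust the flag stored on the Tid, whichever Uid sends the request. */
uid_t euid_tid_flag(const struct conn *c, const struct session *se)
{
    return c->admin ? 0 : se->uid;
}

/* Model B: re-evaluate for the requesting Uid, against this share's list only. */
uid_t euid_per_request(const struct conn *c, const struct session *se)
{
    return in_admin_users(c->share, se->user) ? 0 : se->uid;
}

/* Constructed sample data: alice is an admin user on "build" only. */
static const struct share build = { "build", { "alice", NULL } };
static const struct share docs  = { "docs",  { NULL } };
static const struct session alice = { 100, "alice", 1001 };
static const struct session bob   = { 101, "bob",   1002 };

int main(void)
{
    struct conn tb = tree_connect(&build, &alice), td = tree_connect(&docs, &alice);
    printf("bob on alice's Tid, flag on Tid: euid=%d\n", (int)euid_tid_flag(&tb, &bob));
    printf("bob on alice's Tid, per request: euid=%d\n", (int)euid_per_request(&tb, &bob));
    printf("alice on docs, per request:      euid=%d\n", (int)euid_per_request(&td, &alice));
    return 0;
}
```

Model A is only safe if a second Uid is refused on that Tid; Model B keeps the grant tied to both the Uid and the share, so the privilege stays per-share.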