Smb multi-sessions, samba3.0.2pre1
abartlet at samba.org
Tue Jan 20 12:32:27 GMT 2004
On Tue, 2004-01-20 at 22:25, Jianliang Lu wrote:
> > On Tue, 2004-01-20 at 20:27, Jianliang Lu wrote:
> > NT does not have the concept to 'force user'. When we act on 'force
> > user', I ensure that the second VUID (smb_uid) cannot access that share,
> > as they will not have passed the access control tests. Perhaps this
> > could be looked at again.
> > > What I'd like to avoid is to set the user's uid = 0, it is so ugly. We
> > > should use "admin users" instead until we have implemented the
> > > "user privileges". Any patch to set euid=0 looking at not only the conn-
> > > but also the smb_uid?
> > This is what our standard behaviour is.
> > Andrew Bartlett
> I think that we should perform the access check using the uid (smb_uid), not
> the Tid to admin_users. Following are the descriptions of "CIFS 1.0" of SNIA,
> page 22:
Admin users is a special case, because admin users is a *per share*
option. Therefore, like 'force user =', we must honour it in a secure
> 3.2.6 Uid Field
> Uid is a reference number assigned by the server after a user authenticates
> to it, and that it will associate with that user until client requests the
> association be broken. ... Requests that do authorization, such as open
> requests, will perform access checks using the identity associated with the
And when we are not playing samba-specific hacks, and are not in
'security=share', this is what we do.
> So if we want to grant the root privilege to a user (set euid=0) we should
> associate it with the Uid, not the Tid. Now Samba did "set_admin_user" in
> function "make_connection_snum" with conn->admin, which implies that we
> should check the Tid to have certain privilege. I suppose that may be more
> correct to do the "set_admin_user" in "change_to_user", checking the vuid
> in "admin users".
Indeed, if admin users were a global parameter. People (for some
reason) want to give users root on only one share, hence this parameters
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
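
The two placements of the "admin users" decision discussed in this thread, once per tree connect (Tid) or per request against the Uid, as an added example that is not part of the original message and is not Samba source. It is a simplified model: the structs, function names and sample users are hypothetical, and it assumes the Tid-only variant caches the decision made for the user who connected first.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Samba source; every name below is hypothetical. */
struct session { int vuid; const char *user; unsigned uid; };  /* one per session setup (Uid) */
struct share_conn {                                            /* one per tree connect (Tid) */
    int tid; const char *share;
    const char *admin_users[4];  /* per-share "admin users" list */
    int conn_admin;              /* decision cached on the connection */
};

static int in_admin_users(const struct share_conn *c, const char *user) {
    for (int i = 0; i < 4 && c->admin_users[i]; i++)
        if (strcmp(c->admin_users[i], user) == 0) return 1;
    return 0;
}

/* Tree connect: cache the admin decision for whoever created the Tid. */
void tree_connect(struct share_conn *c, const struct session *s) {
    c->conn_admin = in_admin_users(c, s->user);
}

/* Tid-only: trusts the cached flag, whichever Uid the request carries. */
unsigned euid_by_tid_only(const struct share_conn *c, const struct session *s) {
    return c->conn_admin ? 0 : s->uid;
}

/* Uid and Tid: evaluates this share's list for the requesting Uid each time. */
unsigned euid_by_uid_and_tid(const struct share_conn *c, const struct session *s) {
    return in_admin_users(c, s->user) ? 0 : s->uid;
}

/* Constructed sample data: two sessions on one transport, two shares. */
static struct session alice = {100, "alice", 1001};
static struct session bob   = {101, "bob",   1002};
static struct share_conn build = {1, "build", {"alice", NULL}, 0};
static struct share_conn docs  = {2, "docs",  {NULL}, 0};

int main(void) {
    tree_connect(&build, &alice);   /* alice opens both Tids */
    tree_connect(&docs, &alice);
    printf("bob on build, Tid-only:    euid=%u\n", euid_by_tid_only(&build, &bob));
    printf("bob on build, Uid and Tid: euid=%u\n", euid_by_uid_and_tid(&build, &bob));
    printf("alice on docs, Uid and Tid: euid=%u\n", euid_by_uid_and_tid(&docs, &alice));
    return 0;
}
```

The per-request check keeps the privilege scoped to one share, as the per-share option requires, while still binding it to the identity behind the Uid.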