Trouble authenticating with OfficeJet CIFS client
Andrew Bartlett
abartlet at samba.org
Fri Jul 20 02:18:53 GMT 2007
On Thu, 2007-07-19 at 17:53 -0700, Bob Richmond wrote:
> Christopher R. Hertel wrote:
>
> > Jeremy Allison wrote:
> >> On Thu, Jul 19, 2007 at 04:57:12PM -0700, Bob Richmond wrote:
> >>> Hmm, I see that now. So, what is the meaning of "User ID" in the context
> >>> of the first sessionsetupX response for NTLMSSP_CHALLENGE, if the CIFS
> >>> client hasn't yet specified the username it wants to authenticate as?
> >> It's a placeholder. On Windows it becomes the eventual uid used, but
> >> we allocate a new one. I'll look into fixing that.
> >
> > The [v]uid in the SMB header is not related to real user IDs as assigned by
> > the OS. It is a token allocated by the server and associated with a login
> > instance. There may be several valid authentications, all with different
> > [v]uid's assigned, within the same session.
> >
> > Chris -)-----
>
> Is there a performance or resource consumption ramification in not
> deferring the allocation of the real vuid until after the authentication
> succeeds?
Yes, you need to tie in the multiple-step authentication together.
Otherwise, we end up back where we started (where a client attempting
two simultaneous authentications breaks).
> I imagine the rationale behind the current behavior is to
> prevent unauthenticated clients from being able to get the server to
> keep allocating uids (and associated state data) that aren't going to be
> attached to active sessions.
That's a limit we should investigate adding.
> Is it legal after a failed authentication
> to return the same uid to a new authentication attempt? Or does it have
> to be a new id every time an attempt is made?
If windows returns the same token, we are free to match the behaviour.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20070720/e35bf0a2/attachment.bin
More information about the samba-technical
mailing list