Multiple users sharing the same UIC (samba-2.0.3)

John E. Malmberg wb8tyw at qsl.net
Sat Nov 9 21:17:16 GMT 2002


> Claude Marinier wrote:
>
> Unix (and Unix-like) operating systems use the UIC to identify users. 
> This is often the only means available for authentication. It is 
> necessary for system administrators of such systems to coordinate the 
> allocation of UICs and UIDs across an organization. NFS and other 
> network services use the UIC to assign file access rights to users.
>
> In the absence of coordination of UIC allocation, we could end up with 
> a bunch of workstations whose main user accounts have a UIC of 100. 
> This means that all those users can see any network visible file owned 
> by all the other users with the same UIC.
>
> The only real solution is to change the UICs so no two users have the
> same one. This is clearly a difficult task since you must change the
> ownership of all existing files. Don't even think of backups that were
> made before this.


I do not think that this is what is happening here.  See below.

>
> On Wed, 6 Nov 2002, John E. Malmberg wrote:
>
> >>georges.bert at Lafarge-Ciments.Lafarge.company wrote:
> >
> >>In this example, the value 9044133 corresponds to UIC = [212,245].
> >>The problem is that the sysuaf database does not effectively have an
> >>identifier with a value of [212,245] and a name equal to the
> >>username.
> >>This was not a problem with PathWorks but how can I deal with that
> >>in Samba?
> >
> >Samba on OpenVMS requires that the UIC match a username, and that the
> >username have a default directory that it has write access to.

This is how it worked in 1.19 and in 2.0.6, and I suspect in the 
versions of SAMBA that I have not looked at.

The only thing that a SAMBA client gives for authentication is a 
username and a password.  The UIC comes from looking up that username, 
or from the designated GUEST account.

Now there are two database files that are involved.  Rightslist.dat and 
SYSUAF.DAT.

Rightslist.dat is what provides the mapping between the UIC and the 
USERNAME.  Because a UIC was logged, it means that the username in use 
by the client exists in that database.

SAMBA then needs to get the privileges and the default directory that 
goes with that username.

For that it looks in the SYSUAF database, and it apparently does not 
find this.

This is usually considered a configuration error in the user database, 
and will cause problems for SAMBA and a number of other products.

It also opens up a security hole where a UIC may be assigned to more 
than one account.

But as far as having all users share one username coming into SAMBA, 
that should work.  Some sites do not like it, but there is nothing that 
should stop that from working.

The fix to this is to resolve the differences between the SYSUAF.DAT and 
the RIGHTSLIST.DAT files.

-John
wb8tyw at qsl.net
Personal Opinion Only
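
The consistency check described in the message above, as an added example that is not part of the original post or of Samba: it decodes a UIC longword such as 9044133 into [group,member] octal form and reports UICs shared by several accounts and names present in only one of the two databases. The function names, the finding labels and the name-to-UIC dictionaries are assumptions; the dictionaries are constructed stand-ins for exported records, not the on-disk formats of RIGHTSLIST.DAT or SYSUAF.DAT.

```python
from collections import defaultdict

def format_uic(value):
    """Render a UIC longword as [group,member], both fields in octal."""
    if value & 0x80000000:
        raise ValueError("high bit set: a general identifier, not a UIC")
    # Group sits above the 16-bit member field.
    return f"[{(value >> 16) & 0x3FFF:o},{value & 0xFFFF:o}]"

def audit(rightslist, sysuaf):
    """Cross-check two name -> UIC mappings (hypothetical exported form)."""
    findings = []
    # 1. One UIC assigned to more than one account.
    owners = defaultdict(list)
    for user, uic in sysuaf.items():
        owners[uic].append(user)
    for uic, users in sorted(owners.items()):
        if len(users) > 1:
            findings.append(("shared-uic", format_uic(uic), sorted(users)))
    # 2. Identifier resolves to a UIC, but the account record is missing
    #    or carries a different UIC.
    for name, uic in sorted(rightslist.items()):
        if name not in sysuaf:
            findings.append(("no-sysuaf-record", format_uic(uic), [name]))
        elif sysuaf[name] != uic:
            findings.append(("uic-mismatch", format_uic(uic), [name]))
    # 3. Account exists, but no identifier carries its username.
    for user, uic in sorted(sysuaf.items()):
        if user not in rightslist:
            findings.append(("no-identifier", format_uic(uic), [user]))
    return findings

# Constructed sample data; only the value 9044133 comes from the thread.
RIGHTSLIST = {
    "ALPHA": 9044133,
    "BRAVO": (0o200 << 16) | 0o1,
    "CHARLIE": (0o200 << 16) | 0o2,
}
SYSUAF = {
    "BRAVO": (0o200 << 16) | 0o1,
    "CHARLIE": (0o200 << 16) | 0o1,
    "DELTA": (0o200 << 16) | 0o3,
}

if __name__ == "__main__":
    for finding in audit(RIGHTSLIST, SYSUAF):
        print(finding)
```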




