Users can map shares without password in domain-security mode

[Christian Seip]

Hi!

"Nelson, John P." schrieb:

> >1. Samba authenticates the users against the PDC, so as far as I have
> >unterstood the concept, there sohould only be a linux user necessary and
> not
> >an user in the smbpasswd.
>
> That should be how it works.  It IS working for us!

As I said, it works only if I add the user to the smbpasswd.

> You don't explicitly say that you are using security=domain in the smb.conf

> file.  Doing "smbpasswd -j DOM -r PDC" by itself is not enough to get domain
> style authentication.  But perhaps you just didn't state it explicitly.

In a different posting, I included an excerpt of my smb.conf. I do use
security=domain.

> >But without an entry in the smbpasswd I can't map any share.
>
> I can't explain that.  I would expect that if you need to add an entry to
> smbpasswd, that the smbpasswd "password" entry would be used, rather than
> the one from the domain server.  Have you tried setting the two passwords
> (smbpasswd and domain controller) differently, and see which one actually

Nope, I didn't. But I'll try this one.

> works?  I'm guessing that you aren't actually getting domain authentication
> at all.

Now as you say that: It feels like samba only asks the PDC for a valid username and
ignores the password. I'll have to explore this a bit.

> Yeah, but you still want to use filesystem permissions, don't you?  At
> least, I would.

I don't think we need them here because this fileserver will serve the user-homes and
nothing else. But "not using them" and "not be able to use them" is a different
thing. You're right, I should reserve the rights to use the permissions.

> I would really recommend fixing this, and use real unix filesystem
> permissions.  By the way, setting create and directory mask to 777 is not

> sufficient:  you also need to "force" these modes.  Why?  If a user with one
> userid sets a file to readonly (444), and then connect via the other server
> with a different userid, the second userid will be unable to "unset"
> readonly permissions since he is not the owner of the file.

Ok and accepted.

> >Now my question: Why can other
> >users map my home-share (defined by the [homes]-section in smb.conf)
> without
> >being asked for a password?
>
> Because that's the way it's supposed to work.  Security=server is a
> variation on security=user - which means that users only have to authenicate
> ONCE (when first connecting) rather than having to verify their identity for
> each individual share.  Once connected to a server with a network identity,
> a user is allowed to access any share on that server that he has permssions
> to access.

Hmmm, I have to think about this. NT seems to use a mixture between server- and
user-level. If I connect to a share with a valid username and password for this
share, the connection will be created without asking for a password. If my username
or my password is not valid, NT asks me for a valid username/password-combination.
That's not share- or user-level security (I don't know exactly which one) because
security=share/user always asks for a password.

> You seem to think that the [homes] section provides some extra level of
> security, but it doesn't:  it simply provides a shorthand method of

I think a user should only be able to connect to another user's home with the other
user's password. But Samba doesn't ask me at all for a password.

> specifying a share for each unix username.  There are no special access
> permissions implied by doing this:  if you need to restrict access, you can
> do it with unix permissions, or using something like "valid users = %S" in

I tried "valid users = %u" but I meant "valid users = %S".

> the [homes] section, which would only permit users to connect to a share
> name that matches their username.

That's a last option. I'll do this if anything else I try doesn't work out.

> But you will NEVER get the behavior of having samba prompt the user for a
> password when connecting to someone else's share, at least not with
> security=user or it's variations (security=server or security=domain).

But that's what I've always experienced. I connect to your share with my username.
That doesn't work because I don't know your password. If I connect to your share with
your username, I'm usually asked for a password. That's the way it works with
NT-server and that's what I've seen to work with our samba-server here. The only
difference I know between our working samba-server and my cluster is that my cluster
uses the [homes]-section for the user-shares and our other server has all the
user-shares created by hand. It shouldn't make a difference as far as I have
understood this stuff.

I guess I have an error in my view of this but I can't find it.

Thanks for helping, guys.

I'll tell you the results of my next steps.

Regards,

Christian