[Samba] Validating as different users, domain user mapping to local (not happening?)

L. A. Walsh law at tlinx.org
Tue Aug 2 01:20:56 GMT 2005


This bounced back from "samba at lists.samba.org", I guess
the posting addr is samba at samba.org(?)...

Thierry ITTY wrote:

> maybe
> if you access a share on a server as user1 and want to access another share
> on the same server as user2, windows complains that you can't use different
> credentials at the same time (error 1236 ? I think)
---
	Yeah, something similar
> though this doesn't forbid you to have shares accessed as user1 and runas
> something as user2
----
	It doesn't seem like it should.
> 
> the following works : open a session as user1, access a share, run cmd,
> then "net use" : you will see your share
---
	Yes.
> then runas "cmd" as user2. what will happen is that from user2's command
> prompt "net use" will show an empty list.
---
	Yes.
> but you'll be able to access the
> same or another share from there and "net use" will show it.
----	
	Yes. (had to map local account to remote user 'user1'), as local
user2 didn't exist on the server.

> user1 and user2 will access their shares each with their own credentials
> even on the same server
---
	Yep -- as soon as I created "user2" on the server (:-)).
> 
> the following doesn't work : open a session as user1, access a share
> (implicitly "as" user1), access a share as user2 on the same server (net
> use /user:...), this pops up the credentials error message
---
	Haven't tried that scenario, specifically.  Where I've seen it is
on trying to add sharing permissions on a directory:
- Click "Menu" (right click on my mouse) over a folder to share and choose
"Sharing and Security".
- Select Sharing tab, select "Share this folder", then select "Permissions".
  (You can duplicate the problem using the Security tab as well on an NTFS-based
  directory)
- Click "Add...".  On my computer, the *default* location to select objects
  from is my domain name.  If you are not part of a domain, I'm not sure if
  this error will come up.  I should note that my "file server" in my home
  also functions as the PDC (right now I really only have a 2 computer setup:
  1 server (linux based), 1 client (Win XP-Pro)).
- Select a username from the domain (or the computer you have open shares to).
  (in my case, I chose "user1" using your above examples).
- click "OK"; Now I see a Popup Dialog that says:
***
"Enter Network Password":
Enter the name and password of an account with permissions
for <DOMAINNAME>.
***

I have tried "user1" as well as "Domain\user1".  I get the dual connection
error message here:
***
The following error occured while using the username (user1) and
password you entered:
Multiple connections to a server or shared resource by the same user, using
more than one user name, are not allowed. Disconnect all previous connections
to the server or shared resource and try again.
***

The only way I've gotten around this is by unsharing
(net use [drive|sharename] /d).
...
Hm...ok...now RUNAS is working (though not exactly as I'd like...but can
probably figure that out by consulting my books)...
Seems user@domain doesn't work in simple case -- their example shows:
user@domain.microsoft.com.  Maybe it needs the dots in the domain name?
As for the "\\" syntax...it doesn't want a double slash in front of
the domain name and I have to remember to quote the backslash before
the user, either double \ or single (not double! *kick self*) quotes around
the argument.


> so the only solution I see is : open your session as user1, runas cmd as
> user2 (local program, no problem), access the share where bash is on, then
> run bash from the share
-----
	Bash.exe (cygwin toolset) is on the local machine.  I can now
start bash, but not "explorer".  When I try to start Explorer, I get
no error message and nothing happens (or starts).

	Even though my remote user is listed as being in the Domain Admins
group, trying to run, say the disk defragmenter gives an error about my
remote user not having administrative privileges.  Well...guess that's
more work to figure out in the future...

> I hoped this too a while ago
> the main difference in such situations is that linux (and other unices)
> sets up "shares" at the system level whereas windows sets them up at the
> user level
----
	Yes, I can see that if I log in as a different user.

Thanks for the things to try...made some progress on this-- just have
to figure out what is needed for remote users to have their remote privileges.

	My original intent was to have my credential information be on
the Domain Server (but cached locally), and to have my home directory on the 
local machine.  What I think I ended up with is a local-only account that 
happens to work with "file-sharing" because the passwords for the two users on 
the two boxes are the same.  I'd wanted "domain based" security and know I had
security=domain in my smb.conf file, but it appears to have been removed,
perhaps by an upgrade in my SuSE version around December of last year.

	Do you happen to know the default for security when a server is set up
to be both a domain master and a domain logon server?

Thanks,
Linda

p.s. -- think I'll take a break;  at least I know how to get "runas" working --
though I still find the requirement to unmount all my drivers to authenticate 
users from the domain.  But I guess that's another windows bug....(?)...



