[Samba] Re: Authentication Question; WAS: installing Samba as non-root user

spamreceptacle at gmail.com spamreceptacle at gmail.com
Wed Sep 26 00:52:39 GMT 2007


I've played around with this some more.

Ideally I'd like to have other users in my group map their home directories
using the samba server that I have daemonized on my Linux machine, as some
don't have their own Linux boxes.

Considering I am running this daemon as a non-root user, I am not sure how
this works, or if it's even possible.  I had another user map her home
directory by tunneling to my server, and it worked, however she did not have
write access to her home directory.  I have added her as a Samba user, using
smbpasswd.

Again, it's not clear to me how the authentication is actually happening,
even if I were to be running the daemon as root.  Since you can add a Samba
user with smbpasswd with a password other than their Linux or Unix password,
how is it truly authenticating the user?  In the case of running the daemon
as root, are all actions done by root on behalf of the actual user?  But it
appears, per the smb.conf man page, that upon every Samba connection, a new
daemon is spawned for the user of the client that established that
connection.  It would then seem that all share accesses are being made by
the actual user, as it should be, rather than through root.

If this is true, how then is the user really being authenticated, since
never is the Linux password being provided (just the smb password)?  Because
it would seem that I could set up a user map file to map my Windows username
to someone else's Linux username.  I could then add that Linux username to
Samba using smbpasswd and pick some password for me to know.  This would
then allow me to access his files.  Of course this doesn't work (because
I've tried it), so either some true Linux authentication is happening in the
background (but how could it without providing it the user's Linux
password), or are all share accesses being done by root on behalf of the
user, and the assumption is that root would set up the Samba configuration to
never allow the kind of unwarranted access that I've described.  If the
latter is true, then is there any way to have Samba authenticate a user by
checking against the regular Linux password and not the Samba smbpasswd?
Essentially, since I am not running the daemon as root, I would need an
authentication mechanism that is somehow detached from the local non-root
daemon, such as an external authentication server.

If all else fails, I suppose I can have each user install Samba in a public
directory on my Linux box (again, since not everyone has his own Linux
machine) and launch an individual daemon with their Linux user account to be
run on my machine, each with a different port number.  This is quite
convoluted, which is why I'm hoping someone can offer a solution.

Thanks,
Ben

On 9/25/07, spamreceptacle at gmail.com <spamreceptacle at gmail.com> wrote:
>
> Hi,
>
> I was able to actually get this to work!  I successfully mapped my Linux
> home directory within Windows on a non-root smb install.
>
> I was able to get smbd to run OK with the non-standard ports.
>
> I then needed to do ssh tunneling to forward port 139 on a Windows
> Loopback Network device to the non-standard port of 1139 on my Linux box.  I
> used a method similar to this.
>
> http://smithii.com/map_a_network_drive_over_ssh_in_windows
>
> I'm now in business.
>
> My next question is, can I have other users in my group map their own home
> directories by using my smbd server that's running on my Linux box?
>
> I'm assuming I'd need to add the users to the smbpasswd file.
>
> But how does that all work?  If I were to add another user and choose my
> own password for that user, I'm assuming I can't just map his home drive and
> have full privileges to it (which is not what I want).  Does the smbpasswd
> have to match the Linux password for the user?  If not, how else would it
> grant proper access to files, if it would seem I can masquerade as this user
> and use an smb password that is different from his own Linux password.
>
> Thanks

