[Samba] Re: Authentication Question; WAS: installing Samba as non-root user

spamreceptacle at gmail.com spamreceptacle at gmail.com
Wed Sep 26 18:39:04 GMT 2007

See comments below.

On 9/26/07, Adam Tauno Williams <adamtaunowilliams at gmail.com> wrote:
> > Considering I am running this daemon as a non-root user, I am not sure
> > how this works, or if it's even possible.  I had another user map her
> > home directory by tunneling to my server, and it worked, however she did
> > not have write access to her home directory.  I have added her as a
> > Samba user, using smbpasswd.
> > Again, it's not clear to me how the authentication is actually
> > happening,
> Samba authentication and behavior are VERY well documented - RTFM.

It's amazing how indignant people get when they think someone hasn't done
his homework.  I've read the man pages in depth, and the official HOWTO.
Unless I overlooked something, nowhere does it explain the authentication
in the kind of detail that is necessary to understand if there's a way to
have multiple users have proper access to their home directories when the
daemon is not being run as root.

> > even if I were to be running the daemon as root.  Since you can add a
> > Samba user with smbpasswd with a password other than their Linux or Unix
> > password, how is it truly authenticating the user?
> Not "can add a Samba user with smbpasswd", *must* "add a Samba user with
> smbpasswd".  That password is used for authenticating users,  and unless
> you are using some kind of mapping there must be a correspondingly named
> user available from NSS.  All this is explained in the manual.

Of course I know this.  But I was simply stating that the Samba password
need not be the same as the Unix password (hence the use of the word
"can"..."with a password other than").  This is VERY simple English - LTFL
(learn the language).  And even your statement is not true, as you can use
unencrypted password authentication which will authenticate via traditional
Unix /etc/passwd, bypassing the need of smbpasswd.  All this is explained in
the manual.

> > In the case of running the daemon as root, are all actions done by root
> > on behalf of the actual user?  But it appears, per the smb.conf man
> > page, that upon every Samba connection, a new daemon is spawned for the
> > user of the client that established that connection.  It would then seem
> > that all share accesses are being made by the actual user, as it should
> > be, rather than through root.
> A non-root Samba probably can't change its own privileges or effective
> user id.  This is one of the many reasons your configuration will not
> work.  Samba must run as root or you're going to have to jump through
> endless machinations.

Yeah, unfortunately I was hoping that by going to the unencrypted password
authentication that other users would have full access to their respective
home directories.  After all, the authentication did in fact work for other
users, despite the smbd daemon running as non-root.  I was hoping that the
subsequent daemon processes that are spawned as a result of another user's
connection, would be run as that user.  But they were run as me, which makes
it obvious how they would not have write access to their files.  This makes
it clear that the assumption is that smbd is run as root, and that allowed
access is done by root on behalf of the user (or that by running smbd as
root, this allows subsequent daemons to be run as the user who established
the connection).
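
The behaviour described in this thread, as an added example that is not part of the original post and is not Samba's code: a parent forks a per-connection child that tries to switch to the connecting user's uid, and reports which uid the child actually ran as. The helper name `spawn_as` and the target uid (the caller's uid plus one) are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the child reports back: errno from setuid() (0 = success) and the
 * effective uid it actually ended up running as. */
struct result { int err; uid_t euid; };

/* Hypothetical helper: fork a child as a per-connection server would, have it
 * try to become target_uid, and return the errno of that attempt. */
int spawn_as(uid_t target_uid, uid_t *ran_as)
{
    int fds[2];
    struct result r = {0, 0};
    if (pipe(fds) != 0)
        return errno;
    pid_t pid = fork();
    if (pid < 0) {
        int e = errno;
        close(fds[0]);
        close(fds[1]);
        return e;
    }
    if (pid == 0) {                       /* child: the "connection handler" */
        close(fds[0]);
        r.err = (setuid(target_uid) == 0) ? 0 : errno;
        r.euid = geteuid();               /* identity used for file access checks */
        _exit(write(fds[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], &r, sizeof r);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof r)
        return EIO;
    *ran_as = r.euid;
    return r.err;
}

int main(void)
{
    uid_t other = getuid() + 1;           /* constructed stand-in for another user */
    uid_t ran = 0;
    int err = spawn_as(other, &ran);
    printf("parent euid=%ld target=%ld setuid errno=%d child ran as %ld\n",
           (long)geteuid(), (long)other, err, (long)ran);
    return 0;
}
```

Run as an ordinary user, the switch fails and the child keeps the parent's uid, so every file access is checked against the account that started the daemon; run as root, the switch can succeed and the child takes on the target user's identity.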

