[Samba] Can someone explain SMB passwords?

Volker Lendecke Volker.Lendecke at SerNet.DE
Mon Jul 22 00:25:01 MDT 2013


On Sun, Jul 21, 2013 at 11:41:17AM -0700, Paul D. DeRocco wrote:
> (This is an embedded box, so, short of taking a screwdriver and opening the
> unit, there is no other access besides this share.)
> 
> Thanks for taking the time to try to explain this. The fog is starting to
> lift a little.
> 
> I assume "force user = root" means "ignore the username provided by the
> client, and pretend all clients are username root instead". So what password
> does the client need to provide? The root Unix password, or some password
> entered into the SMB password database by the smbpasswd command? Does Samba
> use an SMB password if it finds an appropriate username in its own database,
> and fall back to using the Unix password if it doesn't find the username in
> its own database? If so, is the purpose of the SMB password to provide an
> alternate namespace, so that one can use a different password (and perhaps
> username) that has no analog among local user accounts?

"force user" happens after any user authentication. Samba
uses the client-provided username to find the entry in the
smbpasswd file. After that has succeeded, when connecting to the
share, it will switch back to root for accessing files. But
the local user must exist for Samba to let the user in at
all.

> For instance, if my root account has the password "blahblah", can I invent
> an arbitrary username like "foobar" that doesn't correspond to any local
> Unix user account, put that into the SMB password database with the password
> "yadayada", and then put "force user = foobar" in smb.conf? Will all
> external clients then be able to log in with any username and "yadayada", so
> I don't need to reveal "blahblah" to anyone? Or will Samba be unable (or
> unwilling) to access the files owned by root without somehow being given the
> "blahblah" password?

No, Samba will require a local user foobar.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
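
The rule stated in the reply (the client's username is looked up in smbpasswd, a local Unix user must exist, and "force user" only takes effect after authentication) can be checked on a box with a small audit script. This is an added example, not part of the original message and not Samba code; the sample smb.conf, passwd and smbpasswd contents are constructed, and the function names are hypothetical.

```python
import configparser

# Constructed sample inputs (not taken from the system discussed in the thread).
SMB_CONF = """
[global]
   security = user
[data]
   path = /srv/data
   force user = root
[scratch]
   path = /srv/scratch
   Force User = foobar
"""
PASSWD = "root:x:0:0:root:/root:/bin/sh\nshareuser:x:1001:1001::/home/shareuser:/bin/false\n"
# smbpasswd file layout: name:uid:LM hash:NT hash:[flags]:LCT-time:  (hashes are placeholders)
ENTRY = ":" + "X" * 32 + ":" + "0" * 32 + ":[U          ]:LCT-00000000:\n"
SMBPASSWD = "shareuser:1001" + ENTRY + "foobar:1002" + ENTRY

def names(colon_file):
    """First field of every non-empty, non-comment line of a passwd-style file."""
    return {l.split(":", 1)[0] for l in colon_file.splitlines() if l and not l.startswith("#")}

def force_users(conf_text):
    """Map share name -> 'force user' value; smb.conf keys ignore case and spaces."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Strip indentation so configparser does not read it as a continuation line.
    cp.read_string("\n".join(l.strip() for l in conf_text.splitlines()))
    found = {}
    for share in cp.sections():
        for key, val in cp.items(share):
            if key.replace(" ", "").lower() == "forceuser":
                found[share] = val.strip()
    return found

def audit(conf_text, passwd_text, smbpasswd_text):
    """Return findings based on the rule that Samba requires a local user."""
    local, smb = names(passwd_text), names(smbpasswd_text)
    findings = []
    for user in sorted(smb - local):
        findings.append(f"smbpasswd entry '{user}' has no local account: login refused")
    for share, user in sorted(force_users(conf_text).items()):
        if user not in local:
            findings.append(f"[{share}] force user '{user}' is not a local account")
        elif user == "root":
            findings.append(f"[{share}] every authenticated client accesses files as root")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SMB_CONF, PASSWD, SMBPASSWD)))
```

On a real system the three strings would be read from the smb.conf, passwd and smbpasswd files in use.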
