[Samba] force re-authentication when accessing different shares

Harald Glanzer harald.glanzer at gmail.com
Mon Jan 21 14:24:53 UTC 2019


hello & thx for your fast response!

i need a way to create samba shares without creating system user accounts:

- add users via smbpasswd with unique password
- no need for a corresponding useraccount in /etc/passwd
- access to the corresponding shares should be independent from any domain
(i.e. the share should be accessible via windows client)

to come around the useraccount-restriction (as samba is getting information
via getpwnam_r()) i think an nss module for database 'passwd' is necessary.
i am starting to think that my implementation of
_nss_<sourcename>_getpwnam_r() is wrong

nevertheless, if you can think of any other solution without the need of
interfacing with getpwnam - plz let me know!

thx
hari


On Mon, Jan 21, 2019 at 10:37 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 21 Jan 2019 09:36:13 +0100
> Harald Glanzer via samba <samba at lists.samba.org> wrote:
>
> > that's interesting. shouldn't samba force to authenticate every
> > distinct username, accessing different shares?
>
> From different clients, yes, but as Samba tries to work just like
> Windows, not from the same client. Windows only allows one user at once
> to log in, so it only allows one connection to Samba from the Windows
> computer.
>
> >
> > as written, if i want to access directory /data/samba/username_a, i
> > need to supply the correct password for username_a, as hashed
> > in smbpasswd.
>
> That's another thing, you shouldn't be using the smbpasswd passdb, you
> should be using tdbsam.
>
> >
> > smb.conf:
> > -------- 8< -------
> > ...
> > valid users = %S
> > path = /data/samba/%S
> > ...
> > -------- 8< -------
> >
> > if in the next step i want to access /data/samba/username_b, samba
> > should know that the client which is connecting has not been
> > authenticated for accessing this different share, and should require
> > authentication.
>
> If you are connecting from a Windows computer that already has a
> connection open, it will use that connection.
>
> >
> > the self-written nss source (/etc/nsswitch.conf, additional source
> > for database 'passwd') installs a handler for getpwnam_r() and returns
> > a passwd struct. i am confident that the module is not the culprit
> > for this issue as the password(hash) needs to be checked by smbpasswd
> > backend anyway.
> >
>
> You appear to be trying to do the reverse of what 'idmap_nss' does, can
> I ask why ?
> Are the Windows computers part of a domain ?
>
> Rowland
>
>
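
An added example, not code from this thread or from Samba: a `passwd` NSS handler of the kind discussed above, following the glibc NSS contract (strings copied into the caller's buffer, `NSS_STATUS_TRYAGAIN` with `ERANGE` when the buffer is too small, `NSS_STATUS_NOTFOUND` for unknown names). The source name `example`, the user table and the uid/gid 60001 are assumptions made for illustration.

```c
#include <errno.h>
#include <nss.h>
#include <pwd.h>
#include <string.h>

/* Constructed sample data: virtual share users, no /etc/passwd entries. */
static const char *const virtual_users[] = { "username_a", "username_b" };
#define VIRT_UID 60001  /* assumption: an unused, unprivileged uid */
#define VIRT_GID 60001  /* assumption: an unused, unprivileged gid */

/* Copy s into the caller's buffer; return the copy, or NULL if it does not fit. */
static char *put(char **buf, size_t *left, const char *s)
{
    size_t n = strlen(s) + 1;
    if (n > *left)
        return NULL;
    char *dst = memcpy(*buf, s, n);
    *buf += n;
    *left -= n;
    return dst;
}

/* "example" is a hypothetical source name (libnss_example.so.2). */
enum nss_status _nss_example_getpwnam_r(const char *name, struct passwd *pw,
                                        char *buffer, size_t buflen, int *errnop)
{
    size_t i, count = sizeof(virtual_users) / sizeof(virtual_users[0]);

    for (i = 0; i < count && strcmp(name, virtual_users[i]) != 0; i++)
        ;
    if (i == count) {              /* unknown name: let the next source try */
        *errnop = ENOENT;
        return NSS_STATUS_NOTFOUND;
    }
    /* Every string must live in the caller's buffer, never in static storage. */
    pw->pw_name   = put(&buffer, &buflen, name);
    pw->pw_passwd = put(&buffer, &buflen, "x");
    pw->pw_gecos  = put(&buffer, &buflen, "");
    pw->pw_dir    = put(&buffer, &buflen, "/nonexistent");
    pw->pw_shell  = put(&buffer, &buflen, "/usr/sbin/nologin");
    if (!pw->pw_name || !pw->pw_passwd || !pw->pw_gecos || !pw->pw_dir || !pw->pw_shell) {
        *errnop = ERANGE;          /* caller retries with a larger buffer */
        return NSS_STATUS_TRYAGAIN;
    }
    pw->pw_uid = VIRT_UID;
    pw->pw_gid = VIRT_GID;
    return NSS_STATUS_SUCCESS;
}
```

Because both names resolve to the same uid here, separation between shares rests on `valid users = %S` in smb.conf rather than on filesystem ownership; assign distinct uids if the filesystem should enforce it as well.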

