[Samba] force re-authentication when accessing different shares

Mon Jan 21 14:43:35 UTC 2019

On 1/21/19 10:24 AM, Harald Glanzer via samba wrote:
> hello & thx for your fast response!
> 
> i need a way to create samba shares without creating system user accounts:
> 
> - add users via smbpasswd with unique password
> - no need for a corresponding useraccount in /etc/passwd
> - access to the corresponding shares should be independent from any domain
> (i.e. the share should be accessable
> via windows client)

Is't this a reimplementation on winbind nss interface?. Why not just use 
winbind with one of it's mapping strategies. I am pretty sure it should 
work for standalone servers.

> 
> to come around the useraccount-restriction (as samba is getting information
> via getpwnam_r()) i think a nss module for database 'passwd' is necessary.
> i am starting to think that my implementation of
> _nss_<sourcename>_getpwnam_r() is wrong
> 
> nevertheless, if you can think of any other solution without the need of
> interfacing with getpwnam - plz let me know!
> 
> thx
> hari
> 
> 
> On Mon, Jan 21, 2019 at 10:37 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
> 
>> On Mon, 21 Jan 2019 09:36:13 +0100
>> Harald Glanzer via samba <samba at lists.samba.org> wrote:
>>
>>> thats interesting. shouldn't samba force to authenticate every
>>> distinct username, accessing different shares?
>>
>>  From different clients, yes, but as Samba tries to work just like
>> Windows, not from the same client. Windows only allows one user at once
>> to log in, so it only allows one connection to Samba from the Windows
>> computer.
>>
>>>
>>> as written, if i want to access directory /data/samba/username_a, i
>>> need to supply the correct password for username_a, as hashed
>>> in smbpasswd.
>>
>> That's another thing, you shouldn't be using the smbpasswd passdb, you
>> should be using tdbsam.
>>
>>>
>>> smb.conf:
>>> -------- 8< -------
>>> ...
>>> valid users = %S
>>> path = /data/samba/%S
>>> ...
>>> -------- 8< -------
>>>
>>> if in the next step i want to access /data/samba/username_b, samba
>>> should know that the client which is connecting has not been
>>> authenticated for accessing this different share, and should require
>>> authentication.
>>
>> If you are connecting from a Windows computer that already has a
>> connection open, it will use that connection.
>>
>>>
>>> the selft written nss source (/etc/nsswitch.conf, additional source
>>> for database 'passwd') installs a handler for getpwnam_r() and returns
>>> a passwd struct. i am confident that the module is not the culprit
>>> for this issue as the password(hash) needs to be checked by smbpasswd
>>> backend anyway.
>>>
>>
>> You appear to be trying to do the reverse of what 'idmap_nss' does, can
>> I ask why ?
>> Are the Windows computers part of a domain ?
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba