Bill Shannon <[EMAIL PROTECTED]> wrote:
> Alan.M.Wright wrote:
>> Share-level access may well solve Bill's requirements as well but it is
>> different from null sessions/anonymous access.
> 
> I guess I'm not understanding the difference.

The authentication models for user-level access and share-level access
are different.

When you map a share, first an SMB session is established then a tree
is connected.  A tree connection represents a mapped share.  If you map
multiple shares via the Windows GUI, you typically have one session
with multiple tree connections.

With user-level authentication, you are authenticated once (using the
supplied name and password) when the session is established, and you
can map as many shares (create as many tree connections) as you like
(subject to ACLs) without being authenticated again.

With share-level authentication, there is no authentication during session
setup.  Each time you map a share, the password you supply will be
checked against the passwords on the share.  There is no user-specific
authentication; the SMB server creates the same fake credentials for
everyone who knows each password, and once you've passed the
password check there is essentially no security between those accessing
the shares, i.e. if an ACL grants you access to a file, it will also grant
access to everyone else who knows the password.

> Using Samba I'm configuring it for guest access on a per-share basis.

Then you're not really looking for anonymous logon, you want share-level
access.

> Under Windows I share a directory and choose whether a password is
> required.
> 
> In both cases I choose whether the share is read/write or read-only.
> 
> From a user's point of view, what's the difference between share-level
> access that doesn't require a password and anonymous access?

Anonymous logon is an unauthenticated connection (empty login and
empty password) called a null session, which is typically used to connect
to a special hidden share in order to make MSRPC calls.  When you
establish a null session, an SMB server will not look for read-only or
read-write passwords on shares because it's a user-level authentication
construct.  The rules about one-time user-level authentication described
above apply and, once you're through the gate, no tree connection
password checks.

With share-level access, an SMB server will always look for read-only
and read-write passwords each time you map a share.  The passwords
may be empty but the server will always check for them.

Alan

_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
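
The two authentication models described in the message above, as a small Python model (an added example, not part of the original post and not code from any SMB server). The class and constant names, the sample users and passwords are constructed for illustration, and `IPC$` stands in for the hidden share a null session typically connects to.

```python
from dataclasses import dataclass, field
from typing import Optional

ANONYMOUS = "anonymous"      # model name for a null-session identity
SHARE_USER = "share-user"    # model name for the one shared identity

@dataclass
class Share:
    name: str
    ro_password: Optional[str] = None   # share-level only; "" is a valid empty password
    rw_password: Optional[str] = None
    acl: dict = field(default_factory=dict)   # user-level only: identity -> "ro"/"rw"

class Server:
    def __init__(self, mode, users, shares):
        self.mode = mode                      # "user" or "share"
        self.users = users                    # name -> password (constructed data)
        self.shares = {s.name: s for s in shares}

    def session_setup(self, user="", password=""):
        """Return the session identity, or None if the logon is refused."""
        if self.mode == "share":
            return SHARE_USER                 # nothing is checked at session setup
        if user == "" and password == "":
            return ANONYMOUS                  # null session: empty login and password
        return user if self.users.get(user) == password else None

    def tree_connect(self, identity, share_name, password=""):
        """Return "rw", "ro" or None for one mapped share."""
        share = self.shares[share_name]
        if self.mode == "user":
            return share.acl.get(identity)    # authenticated once; password ignored
        if password == share.rw_password:     # share-level: checked on every map
            return "rw"
        if password == share.ro_password:
            return "ro"
        return None

def build_servers():
    """Constructed sample data for both modes."""
    user_srv = Server("user", {"bill": "s3cret"}, [
        Share("docs", acl={"bill": "rw"}),
        Share("IPC$", acl={"bill": "ro", ANONYMOUS: "ro"}),
    ])
    share_srv = Server("share", {}, [Share("docs", ro_password="", rw_password="team-pw")])
    return user_srv, share_srv
```

In the share-level server every caller ends up with the same identity, so an ACL or audit log cannot tell password holders apart; in the user-level server the null session is limited to whatever the ACLs grant the anonymous identity.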
