> 
> On Wed, 2014-08-06 at 23:29 -0500, Andrew Deason wrote:
> > However, even if that is working, I would think that setup would only
> > work if samba uses separate processes for connections for different
> > users; I don't know if that's true. You could ask samba for more info
> 
> It does; otherwise it'd need to swap uids around between connections,
> which is kinda scary from a security standpoint. In fact I think it may
> be process per connection (client+share) because some shares may force a
> specific Unix uid (`force user`).


With the versions of Samba I have used, a new smbd process is forked for
each TCP connection.  It has been a long time, but I know on some old
Windows Terminal Servers we supported there was only one TCP connection
for all users.  Back when we served IBM DFS data via Samba, I had to patch
the code in Samba that switched uids to also switch DFS PAGs via a custom
kernel module.  I just checked a fairly recent version of the Samba source
(4.1.5) and the code that switches security contexts is still there; see
source3/smbd/sec_ctx.c.

> 
> -- 
> brandon s allbery kf8nh                           sine nomine associates
> allber...@gmail.com                              ballb...@sinenomine.net
> unix openafs kerberos infrastructure xmonad        http://sinenomine.net


John Janosik
jpjan...@us.ibm.com
