Hello Larry,
Thanks for these pointers...
If you have any further information, I would really appreciate it!
Ok. The primer I referred to is below. Note that solid info on this stuff
and the SMB protocol under Windows (which is the subject of your post) is
hard to come by IMO. One very good source however is "Programming Windows
Security" by Keith Brown. It's getting old now but still very relevant.
There's a chapter on this very subject in fact. Good luck.
"Here's the (simplified) story (believe it or not). In Windows or any other
OS that implements the
SMB (Server Message Block) protocol (which drives the following scenario),
whenever any
logon session on machine A tries to access a shared resource on any machine
B for the first time
(trying to access a file or folder usually), the file server on machine B
will first try to
authenticate the incoming user so it knows who they are and can therefore
determine what
local resources (file, folders, etc.) they're allowed to access. Note that
the file server runs as a
Windows service and is normally available on all Windows machines (you can
just think of this
as the program that provides access to shared resources on each machine -
"authentication" is
really just the process of logging onto this server for all intents and
purposes). By default the
"user" will be the user associated with the calling thread on machine A and
that normally just
refers to the user who's currently logged onto machine A (though the story
actually runs deeper).
So, for instance, if I log onto "MachineA" as "CA005\lsmith" (my domain
account in the CA005
domain) and I then try to access any file or folder on
"\\MachineB\SomeShare" using Explorer
for instance, the file server on "MachineB" will first try to authenicate
"CA005\lsmith" to
determine that it's really me (otherwise just anyone could come along and
access "MachineB" so
where's the security?). Since I'm a member of a trusted domain ("MachineB"
trusts the CA005
domain controller to vouch for all users in that domain), "MachineB" will
then send my
credentials ("CA005\lsmith") to the CA005 domain controller (where my domain
account is
stored) and the domain controller will then authenticate me accordingly
(verifying that I am in
fact who I claim to be - note that my password is never actually sent across
the wire for security
reasons but how it all works is another story). Once authenticated
(remember, "MachineB" trusts
the CA005 domain controller to do this and authentication is all about
trust), a network logon
session is then created on "MachineB" for "CA005\lsmith" and for all intents
and purposes I'm
now logged onto "MachineB" as if I walked up to it and logged on (even
though I'm still sitting
in front of "MachineA" - note that it's not quite the same as logging onto
"MachineB" directly
since a "network" logon session now exists opposed to an "interactive" logon
session but again,
this is the simple story). Now I can access anything on "MachineB" that
"CA005\lsmith" is
allowed to access and I can do it while still sitting in front of "MachineA"
(so I can now access
all files and folders under "\\MachineB\SomeShare" that "CA005\lsmith" is
allowed to access).
Now, lets' say I log off "MachineA" and logon again using a local account
instead ("swhite" for
instance which is no longer a domain account found on the domain controller
but a local account
created on "MachineA" itself). I'm therefore logged onto "MachineA" as
"MachineA\swhite"
instead of "CA005\lsmith" (all programs I run will then assume this
identity). If I now try to
access "\\MachineB\SomeShare" again, the file server on "MachineB" can no
longer authenticate
me because it now sees someone called "MachineA\swhite" trying to logon and
it doesn't trust
"MachineA" to vouch for "swhite" (like it does the "CA005" domain controller
to vouch for
"lsmith"- the "swhite" account exists on some machine called "MachineA"
which "MachineB"
may have never even heard of and doesn't trust regardless - this is the way
things work in a
Windows domain). "MachineB" will therefore fail to authenticate me and our
old nemesis
"Access Denied" will rear its ugly head on "MachineA" (telling me that
"MachineB" doesn't trust
"MachineA" to vouch for "MachineA\swhite"). To get around this problem you
can generally do
one of three basic things:
1) Create a matching "swhite" account on "MachineB" with the same password
as the "swhite"
account on "MachineA". "MachineB" will then try to authenticate me using the
local account
database (on "MachineB") and so long as the passwords on "MachineA" and
"MachineB" are
kept synchronized, I'll be successfully authenticated (this is how the
Windows file server deals
with accounts whose authorities it doesn't recognize or trust - as long as a
matching account
name and password exist on the local machine, the file server treats the
incoming user as that
particular local user and can log them on) . A network logon session will
then be created as
described earlier but now you'll be running as "MachineB\swhite" instead of
"CA005\lsmith"
(see earlier discussion). You're now effectively logged onto "MachineB" as
if you walked up to it
and logged on as the local "swhite" user (again, a network logon session is
created instead of an
"interactive" logon session however). You can therefore access anything on
that machine that
"MachineB\swhite" is normally allowed to access (even though you're now
doing this on
"MachineA").
2) Activate the "Guest" account on MachineB (disabled by default) and log on
as a "Guest". Let
me know if you want details but it's neither practical nor a secure
alternative.
3) Access "MachineB" using a "NULL Session" but again, it's neither
practical nor secure.
For local accounts, option 1 is therefore your only practical alternative at
a customer site. Also
note that depending on the nature of the application, you can prompt the
user for the credentials
necessary to access MachineB (on the fly) or retrieve them from some secure
source.
"MachineA" can then programatically access "Machine B" using any credentials
it wants (i.e.,
they need not be the credentials of the calling thread which is merely the
default behaviour).
Programming this isn't difficult BTW (once you understand how authentication
works) but let
me know if you want further details (as if this wasn't enough
"
