libsmbclient: how to see if authentication succeeded - Samba

This is a discussion on libsmbclient: how to see if authentication succeeded - Samba ; [repost at samba-technical@ instead of samba@] Hello, I'm looking for a way in libsmbclient to see if authentication succeeded or not. Not finding libsmbclient documentation except examples, I started looking at code and found some doing a trivial operation (stat ...

+ Reply to Thread
Results 1 to 7 of 7

Thread: libsmbclient: how to see if authentication succeeded

  1. libsmbclient: how to see if authentication succeeded

    [repost at samba-technical@ instead of samba@]

    Hello,

    I'm looking for a way in libsmbclient to see if authentication
    succeeded or not. Not finding libsmbclient documentation except
    examples, I started looking at code and found some doing a trivial
    operation (stat on a known-readable path for example). However, in my
    case there is no guarenteed-readable directory or file.

    I did find a workaround though, but it's a bit of a kludge that may
    break in a future libsmbclient release if internals are changed.
    libsmbclient calls user-supplied functions to handle connection caches
    and adds an item only if a connection succeeded. So in this way I can
    see if just the authentication worked out, independent of the
    operation's result (like stat). But as it's a kludge, I'd like to find a
    better approach.

    So my question is: did I miss something in the API, or could an addition
    be made to check authentication? The latter could be done by introducing
    another return value for authentication-failed, or exposing the
    login-function (which would remain optional to call, as it is now).

    I hope you'll be able to shed some light on this.

    Kind regards,
    - Willem van Engen


  2. Re: libsmbclient: how to see if authentication succeeded

    On Mon, 2008-05-26 at 20:18 +0200, Willem van Engen wrote:
    > [repost at samba-technical@ instead of samba@]
    >
    > Hello,
    >
    > I'm looking for a way in libsmbclient to see if authentication
    > succeeded or not.


    Perhaps we should move up a layer here. Why do you need to know if
    authentication succeeded?

    Andrew Bartlett

    --
    Andrew Bartlett http://samba.org/~abartlet/
    Authentication Developer, Samba Team http://samba.org
    Samba Developer, Red Hat Inc. http://redhat.com


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)

    iD8DBQBIO4nBz4A8Wyi0NrsRAtlqAJ4xkSNK6vnz06G9rxGxAG Ku+p6PZQCdG5SO
    4JtehVjCxEWItJpORWVOVYQ=
    =BLKi
    -----END PGP SIGNATURE-----


  3. Re: libsmbclient: how to see if authentication succeeded

    Hi Andrew,

    Thanks for your quick reply.

    On Tue, 2008-05-27 at 14:10 +1000, Andrew Bartlett wrote:
    > On Mon, 2008-05-26 at 20:18 +0200, Willem van Engen wrote:
    > > I'm looking for a way in libsmbclient to see if authentication
    > > succeeded or not.

    >
    > Perhaps we should move up a layer here. Why do you need to know if
    > authentication succeeded?


    Gnome's new virtual filesystem layer gvfs first opens a connection
    before any file access is done, similar to mounting a filesystem. Here
    connections are cached (not only smb but also other protocols), a fuse
    filesystem is mounted optionally, and the connection appears in the gui.
    This would be a sensible place to error out if authentication fails,
    inform the user, and cancel the mount. If merely a directory is
    unreadable, it still makes sense to have the connection opened. Or at
    least the user should be able to know the difference.

    What would be the correct direction to proceed, exposing a login
    function as I described in the previous mail?

    Kind regards,
    - Willem van Engen


  4. Re: libsmbclient: how to see if authentication succeeded

    Willem van Engen wrote:
    > Hi Andrew,
    >


    Hi,

    >
    > Gnome's new virtual filesystem layer gvfs first opens a connection
    > before any file access is done, similar to mounting a filesystem. Here
    > connections are cached (not only smb but also other protocols), a fuse
    > filesystem is mounted optionally, and the connection appears in the gui.


    If it opens a connection it has to try if it can open the directory you're
    trying to access. So you should do a smbc_opendir() on the share or directory.

    > This would be a sensible place to error out if authentication fails,
    > inform the user, and cancel the mount. If merely a directory is
    > unreadable, it still makes sense to have the connection opened. Or at
    > least the user should be able to know the difference.


    If the authentication fails libsmbclient calls the auth_fn callback.

    >
    > What would be the correct direction to proceed, exposing a login
    > function as I described in the previous mail?
    >


    I suggest to use smbc_opendir() to check if you can access the share. If
    you're not authenticated or the username/password are wrong the auth_fn will
    be called.

    > Kind regards,
    > - Willem van Engen
    >
    >


    -- andreas


    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.9 (GNU/Linux)
    Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

    iEYEARECAAYFAkg7060ACgkQYZ3sMXvCEKs17wCeJxfFBFAQXE Y1QGSk2krA7cJJ
    Kz4An1GUL1gKYRppdvZ0ZDmHsEuVAGnF
    =pkvt
    -----END PGP SIGNATURE-----


  5. Re: libsmbclient: how to see if authentication succeeded

    On Tue, 2008-05-27 at 11:26 +0200, Andreas Schneider wrote:
    > Willem van Engen wrote:
    > > What would be the correct direction to proceed, exposing a login
    > > function as I described in the previous mail?

    >
    > I suggest to use smbc_opendir() to check if you can access the share. If
    > you're not authenticated or the username/password are wrong the auth_fn will
    > be called.


    Ok, that's clear. I'll have to dive into the code again to see how it
    exactly interacts with libsmbclient again.
    Thanks, I just may get there in a proper way using the current api.

    Regards,
    - Willem


  6. Re: libsmbclient: how to see if authentication succeeded

    On Wed, 2008-05-29 at 09:05:38 GMT, Willem van Engen wrote:
    > On Tue, 2008-05-27 at 11:26 +0200, Andreas Schneider wrote:
    > > I suggest to use smbc_opendir() to check if you can access the share. If
    > > you're not authenticated or the username/password are wrong the auth_fn will
    > > be called.

    >
    > Ok, that's clear. I'll have to dive into the code again to see how it
    > exactly interacts with libsmbclient again.
    > Thanks, I just may get there in a proper way using the current api.


    Indeed I can check if authentication succeeded in the way you indicated.
    Some abbreviated code to clarify:

    void auth_fn() {
    auth_called = TRUE;
    fill_in_credentials();
    }

    boolean my_smb_login() {
    res = smbc_stat();
    // if share's root is readable, we have access
    if (res==0) return TRUE;

    // if share's root isn't readable, we need to try again
    auth_called = FALSE;
    res = smbc_stat();
    if (res==0) assert(0);
    if (!auth_called) return TRUE;

    return FALSE;
    }

    There is one downside though: if the password is wrong, smbc_stat() will
    try to login twice and use two password attempts. The user will find out
    that his account is locked out sooner than expected.

    That brings me back to the initial question (same thread May 2008).
    I could use the connection cache to check if authentication succeeded
    (see thread), but only with your (the samba people) approval as
    supported use. Either that, or libsmbclient's login function could be
    exposed.

    So, what is the best direction? I hope you can help me here.

    Kind regards,
    - Willem


  7. Re: libsmbclient: how to see if authentication succeeded

    On Wed, Jun 4, 2008 at 9:01 AM, Willem van Engen <
    dev-list-samba@willem.engen.nl> wrote:

    > On Wed, 2008-05-29 at 09:05:38 GMT, Willem van Engen wrote:
    > > On Tue, 2008-05-27 at 11:26 +0200, Andreas Schneider wrote:
    > > > I suggest to use smbc_opendir() to check if you can access the share.

    > If
    > > > you're not authenticated or the username/password are wrong the auth_fn

    > will
    > > > be called.

    > >
    > > Ok, that's clear. I'll have to dive into the code again to see how it
    > > exactly interacts with libsmbclient again.
    > > Thanks, I just may get there in a proper way using the current api.

    >
    > Indeed I can check if authentication succeeded in the way you indicated.
    > Some abbreviated code to clarify:
    >
    > void auth_fn() {
    > auth_called = TRUE;
    > fill_in_credentials();
    > }
    >
    > boolean my_smb_login() {
    > res = smbc_stat();
    > // if share's root is readable, we have access
    > if (res==0) return TRUE;
    >
    > // if share's root isn't readable, we need to try again
    > auth_called = FALSE;
    > res = smbc_stat();
    > if (res==0) assert(0);
    > if (!auth_called) return TRUE;
    >
    > return FALSE;
    > }
    >
    > There is one downside though: if the password is wrong, smbc_stat() will
    > try to login twice and use two password attempts. The user will find out
    > that his account is locked out sooner than expected.
    >
    > That brings me back to the initial question (same thread May 2008).
    > I could use the connection cache to check if authentication succeeded
    > (see thread), but only with your (the samba people) approval as
    > supported use. Either that, or libsmbclient's login function could be
    > exposed.
    >
    > So, what is the best direction? I hope you can help me here.
    >



    libsmbclient has, to date, been a intended for POSIX-like functionality.
    Since there is no login function that would be emulated, there's been no
    reason for such a function. We have, however, recently had some requests
    for non-POSIX-like features. I recently reorganized the libsmbclient code
    with a couple of things in mind, one of them being additional ease of adding
    non-POSIX-like functionality.

    In your case I'm not sure it's necessary, though. libsmbclient itself does
    not issue two separate authentication attempts. If it doesn't find an
    existing connection, it calls your registered authentication function to
    retrieve username/password data. There is no initial call across the wire
    with invalid or "anonymous" authentication information. If you're seeing
    multiple requests, I believe that's probably your application doing it, not
    libsmbclient. I just confirmed the behavior I'm describing using wireshark
    and the examples/libsmbclient/testacl test.

    Maybe I'm not understanding the issue correctly?

    Cheers,

    Derrell
    libsmbclient maintainer


+ Reply to Thread