12.4 TID and UID : Separated at Birth?It would seem logical that the [ V ] UID and TID fields would be somehow related . Both are assigned and managed by the server, and we said before that the SESSION SETUP (where the logon occurs) is supposed to happen before the TREE CONNECT . Well, put all that aside and pay attention to this little story... Storytime
So what the purplebananafish does this have to do with TIDs and UIDs? Well, see, it's like this... Early corporate LANs, such as those in our story, were small and self-contained. The driving goal was to make sure that the data was available to everyone in the office who could legitimately claim to need access. Security was not considered a top priority, so PC OSes (e.g. DOS) did not support complicated minicomputer features like user-based authentication. Given the environment, it is not surprising that the authentication system originally built into SMB was (by today's standards) quite primitive. Passwords, if they were used at all, were assigned to shares not users and everyone who wanted to access the same share would use the same password. This early form of SMB authentication is now known as "Share Level" security. It does not include the concept of user accounts, so the UID field is always zero. The password is included in the TREE CONNECT message, and a valid TID indicates a successfully authenticated connection. In fact, though the UID field is listed in the SMB message format layout described in the ancient COREP.TXT scrolls , it is not mentioned again anywhere else in that document . There is no mention of a SESSION SETUP message either. There are some interesting tricks that add a bit of flexibility to Share Level security. For example, a single share may have multiple passwords assigned, each granting different access rights. It is fairly common, for instance, to assign separate passwords for read-only vs. read/write access to a share. Another interesting fudge is often used to provide access to user home directories. The server (which, in this case, understands user-based authentication even if the protocol and/or client do not) simply offers usernames as share names . When a user connects to the share matching their username, they give their own login password. The server then checks the username/password pair using its normal account validation routines. Thus, user-based authentication can be mapped to Share Level security (see Figure 12.2). Figure 12.2. User-based authentication via Share Level securityEach share name maps to a username (Chico, Groucho, etc.). The server will accept the user's logon password as the TREE CONNECT password.
Share Level security, though still used, is considered deprecated. It has been replaced with "User Level" security which, of course, makes use of username/password instead of sharename/password pairs. Under User Level security, the SESSION SETUP is performed as the authentication step before any TREE CONNECT requests may be sent. If the logon succeeds, the server will assign a valid ( non-zero ) UID . Subsequent TREE CONNECT attempts can use the UID as an authentication token when requesting access to a share. If User Level security is in use, the password field in the TREE CONNECT message will be blank. So, with User Level security, the client must authenticate to get a valid UID , and then present the UID to gain access to shares. Thing is, more than one UID may be generated within a single connection, and the UID used to connect to the share does not need to be the same as the one used to access files within the share. |