Administration

Security and authentication

Authentication effectively starts when the user logs into the Windows PC with a particular username. This username is the name by which the PC knows the user, and it is the name later presented to the VisionFS server, so it plays an important part in authenticating the user.

This is because VisionFS uses user-level security: the user must be authenticated by the server (logged in) before any access is granted, but once authenticated can connect to any share on the server, provided that share's access rights allow it. The Windows username is sent to the server during authentication, as described below.

User-level security contrasts with share-level security, which allows a different password for each share and doesn't involve usernames at all. With share-level security, actions cannot be attributed to a particular user, so users cannot be distinguished from one another or audited individually. Windows for Workgroups, for example, operates in share-level security.

In general, authentication involves these steps:

  1. The user tries to connect to the VisionFS server in some way, for example displaying the list of shares or trying to access a share.

  2. If another server is being used to authenticate users, this VisionFS server acts as a "go-between" for Windows and the authentication server: this VisionFS server passes user and password information from Windows to the authentication server, and sends responses from the authentication server back to Windows.

  3. Windows and the authentication server negotiate the details of the connection, including whether or not to encrypt passwords on the network. Encrypted passwords are used if the authentication server is Windows NT, or a VisionFS server using VisionFS passwords. Unencrypted passwords are used if the authentication server is a VisionFS server using UNIX passwords. In that case the password itself crosses the network in clear text, and anyone able to capture traffic between the PC and the server can read it. Note also that Windows clients from Windows NT 4.0 Service Pack 3 and Windows 98 onwards refuse to send clear-text passwords unless specifically configured to allow it.

  4. Windows and the authentication server attempt to authenticate the user, taking into account the current authentication method and (if the authentication server is a VisionFS server in UNIX password mode) whether or not the user has a Windows-to-UNIX username mapping. Windows normally tries the password the user logged in with first; if that is rejected, Windows might prompt the user for a password, or the user might be denied access.

    In some cases, Windows doesn't give the user the option to enter a password when the passwords it tries aren't accepted. For example, File Manager on Windows for Workgroups displays an Access Denied dialog if you try to list the shares on a server before you've been authenticated. In general, if you connect to a share by name (using \\server\share), Windows either authenticates you or prompts for a password.
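The following Python model walks through steps 1 to 4 above end to end. It is an added illustration, not VisionFS code: the SMB challenge-response is stood in for by HMAC-SHA256 keyed with the password, the Windows-to-UNIX username mapping is a plain dictionary, and the assumption that an unmapped Windows name in UNIX password mode is looked up as-is is the author's, not the page's. All accounts, passwords and usernames are constructed sample data. The model shows what a passive observer on the network sees in each password mode, how the username mapping changes the account that is checked, and the prompt-or-deny behaviour of the Windows client.

```python
"""Toy model of the VisionFS pass-through authentication flow (added example).

Not VisionFS code. HMAC-SHA256 stands in for the SMB challenge-response; the
username mapping is a dict; accounts and passwords are constructed sample data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# The three kinds of authentication server the page distinguishes.
NT = "windows_nt"
VISIONFS_PW = "visionfs_passwords"
VISIONFS_UNIX = "visionfs_unix_passwords"


def compute_response(password: str, challenge: bytes) -> bytes:
    """Stand-in for the SMB challenge-response: keyed by the password, which never
    leaves the client; only the challenge and this response cross the network."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


@dataclass
class AuthServer:
    """The server that actually holds the accounts (Windows NT or a VisionFS server)."""
    kind: str
    accounts: dict                                  # account name -> password (constructed)
    name_map: dict = field(default_factory=dict)    # Windows username -> UNIX username

    def uses_encrypted_passwords(self) -> bool:
        # Page: encrypted for NT and VisionFS-password mode, clear text for UNIX-password mode.
        return self.kind in (NT, VISIONFS_PW)

    def resolve_account(self, windows_user: str) -> str:
        # Assumption (not stated on the page): in UNIX-password mode an unmapped
        # Windows username is looked up as-is against the UNIX accounts.
        if self.kind == VISIONFS_UNIX:
            return self.name_map.get(windows_user, windows_user)
        return windows_user

    def check_plaintext(self, windows_user: str, password: str) -> bool:
        return self.accounts.get(self.resolve_account(windows_user)) == password

    def check_response(self, windows_user: str, challenge: bytes, response: bytes) -> bool:
        account = self.resolve_account(windows_user)
        if account not in self.accounts:
            return False
        expected = compute_response(self.accounts[account], challenge)
        return hmac.compare_digest(expected, response)


class VisionFSServer:
    """The server the PC connects to. When another server does the authentication,
    it relays credentials to that server and answers back to Windows (the go-between)."""

    def __init__(self, auth_server: AuthServer):
        self.auth = auth_server
        self.wire = []  # every credential message a passive observer could capture

    def authenticate(self, windows_user: str, password: str) -> bool:
        # Step 3: negotiate whether passwords are sent encrypted or in clear text.
        if self.auth.uses_encrypted_passwords():
            challenge = os.urandom(8)
            response = compute_response(password, challenge)
            self.wire.append(("challenge-response", windows_user, challenge, response))
            return self.auth.check_response(windows_user, challenge, response)
        self.wire.append(("plaintext", windows_user, password))
        return self.auth.check_plaintext(windows_user, password)


def password_on_wire(server: VisionFSServer, password: str) -> bool:
    """True if the password itself appears in the captured traffic."""
    return any(password in message[1:] for message in server.wire)


def windows_connect(server: VisionFSServer, windows_user: str, logon_password: str,
                    prompt=None) -> str:
    """Step 4 from the client side: Windows first tries the logon password; if that is
    refused it prompts for another one when the operation allows a prompt (connecting
    to \\\\server\\share by name), otherwise it reports access denied (listing shares
    from Windows for Workgroups File Manager). Returns 'ok', 'ok-after-prompt' or 'denied'."""
    if server.authenticate(windows_user, logon_password):
        return "ok"
    if prompt is None:
        return "denied"
    if server.authenticate(windows_user, prompt()):
        return "ok-after-prompt"
    return "denied"


if __name__ == "__main__":
    nt = VisionFSServer(AuthServer(NT, {"alice": "s3cret"}))
    print("NT:", nt.authenticate("alice", "s3cret"), "password visible:", password_on_wire(nt, "s3cret"))
    unix = VisionFSServer(AuthServer(VISIONFS_UNIX, {"asmith": "pw1", "bob": "pw2"},
                                     name_map={"alice": "asmith"}))
    print("UNIX mapped:", unix.authenticate("alice", "pw1"), "password visible:", password_on_wire(unix, "pw1"))
    print("UNIX prompt:", windows_connect(unix, "alice", "logonpw", prompt=lambda: "pw1"))
```

Running it shows the point of step 3: against the NT-style server the captured traffic holds only a random challenge and a keyed response, while against the UNIX-password server the password "pw1" is captured verbatim. The mapping case shows that the Windows name "alice" is checked against the UNIX account "asmith", and the `windows_connect` calls reproduce the prompt-versus-Access-Denied behaviour described in step 4.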


© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999