libwbclient - wbcLogoffUser() & wbcLookupDomainController

Gerald (Jerry) Carter jerry at samba.org
Wed May 7 23:08:03 GMT 2008



Stefan (metze) Metzmacher wrote:
> Hi Jerry,
> 
> here're some comments about the design of the new calls.
> However see also my next mail about deferring all this...
> 
>> 1. wbcErr wbcLogoffUser(const char *username,
>>                          const char *ccfilename);
>>
>> Some explanations.  There is no current LogonUser pipe call.
>> This is implicit in the Authenticate call.  So I've not added
>> a wbcLogonUser().
> 
> This is not true, wbcAuthenticateUserEx() doesn't provide 
> the ability to handle local logons as needed by pam_winbind
> and it should not.
>
> I think we should have a wbcLogonUser() and pam_winbind
> should be able to use it later (in v3-3).

So you think wbcLogonUser() should be the equivalent of
pam_sm_open_session()?  That is currently a no-op in pam_winbind.c.
Also see my follow up question below.

> 
> I'm not yet sure about the prototype of wbcLogonUser()...
> ...but I think we should use arrays of a structure like this:
> 
> struct {
> 	const char *name;
> 	bool critical;
> 	struct {
> 		uint32_t length;
> 		uint8_t *data;
> 	} value;
> }
> 
> to pass extra data, e.g. needed for AFS krb5 logons in and out
> of wbcLogonUser().

I'm not quite following you.  What extra data are you passing?


>>  I debated dropping the cred cache pathood
>> and having the library look up the default. This might still
>> be a good idea to help relieve the burden on the application
>> developer.  But it can be set to NULL so it's not that bad.
> 
> I think the wbcLogoffUser() call should also get the uid.

Internally the call gets the uid from getpwnam().  I just
don't think the calling application should have to do that.

> I think we can skip the ccache filename, as it's produced 
> by the LOGON call, so winbind should be able to reproduce it.

The current winbindd_pam.c code relies upon having the
cache location to remove it.

> 
>> 2.  wbcErr wbcLookupDomainController(const char *domain,
>>                struct wbcDomainControllerInfo *dc_info);
>>
>>
>> Comments?
> 
> Something like this looks good, but maybe we need 
> a uint32_t flags as input? Günther, you may have
> some additional comments here? Maybe we should return
> the same as what we will store in gencache...

So add a uint32_t flags field marked as "reserved for future
use"?  Right now the winbindd pipe call only returns the
DC name.  That can change of course for v3-3.






cheers, jerry
- --
=====================================================================
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian