Question about groups

Johan Hedin johanh at fusion.kth.se
Tue Mar 14 13:16:28 GMT 2000


I have a question about how the groups are handled in Samba. The reason
for asking is because of the AFS renewable ticket patch I made. It works
like a charm with Samba pre-3.0.0 combined with Samba TNG until a few
weeks ago. I give a short orientation for those who have not been using
AFS.

An AFS file server will not give the user access to a file unless the
user has a valid token. These tokens are obtained through using the
clear text passwords or Kerberos V tickets (problem I). Of course these
passwords are not transmitted in clear over the net. The tokens have a
limited lifetime. The user must then renew the token (problem II). All
file access is controlled by the token. The uid is not used for file
access. A token is passed on from a PID to its forked children. By creating
a pag, a new token can be used from the current PID and forked children. The
pag is identified by setting two aux groups.

The patch addresses problems I & II by storing the user's password in a file
on the Samba server. Encrypted passwords can then be used from the
SMB-clients, and still a token can be obtained. The patch also forks a
process that renews the token in the pag before it expires.

Now for the problem. Connecting with a combination of Samba pre 3.0.0 and
TNG works. I can browse the shares, create directories and delete
directories. However, double clicking on a Power Point presentation, the
token somehow gets destroyed. In a pure TNG configuration, it gets
destroyed right away. I think this is because the two aux groups
get "unset", and hence the smbd server process loses its pag. It then falls
back to the pag of the process that started the server, potentially
dangerous. This is also an issue for the clear text login using a PAM
giving a token.

Are the groups of the users set in Samba? Are they modified during the
connection? Can I disable it? Does any other daemon besides smbd need user
file access and thereby a pag and a token?

TIA

Johan Hedin

/---------------------------------------------------------------------\
| Johan Hedin                      | johanh at fusion.kth.se             |
| Ph.D. Student and System Manager | http://www.fusion.kth.se/~johanh |
\---------------------------------------------------------------------/
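The failure mode described in the post is a supplementary-group reset that drops the two aux groups identifying the pag. The following is an added example, not code from the post or from Samba or AFS: a helper that merges the two pag groups back into the list a daemon would hand to setgroups(2), plus a post-condition check that both are still present. The pag gid values and user groups are constructed placeholders; the real AFS pag encoding is not assumed here and the two gids are treated as opaque.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Build the supplementary-group list for setgroups(2) for a user while
 * carrying over the two AFS pag groups. Returns the number of entries
 * written to out, or -1 if out is too small. Duplicates are skipped so the
 * list stays valid even if the caller's list already contains a pag group. */
int merge_groups_keep_pag(const gid_t *user_groups, int nuser,
                          gid_t pag0, gid_t pag1, gid_t *out, int max)
{
    const gid_t pag[2] = { pag0, pag1 };
    int n = 0, i, j;

    /* The pag groups go first: AFS identifies the pag by these two entries. */
    for (i = 0; i < 2; i++) {
        if (n >= max) return -1;
        out[n++] = pag[i];
    }
    for (i = 0; i < nuser; i++) {
        int dup = 0;
        for (j = 0; j < n; j++)
            if (out[j] == user_groups[i]) { dup = 1; break; }
        if (dup) continue;
        if (n >= max) return -1;
        out[n++] = user_groups[i];
    }
    return n;
}

/* Post-condition check after a group change: 1 if both pag groups survive. */
int pag_groups_present(const gid_t *groups, int n, gid_t pag0, gid_t pag1)
{
    int seen0 = 0, seen1 = 0, i;
    for (i = 0; i < n; i++) {
        if (groups[i] == pag0) seen0 = 1;
        if (groups[i] == pag1) seen1 = 1;
    }
    return seen0 && seen1;
}

int main(void)
{
    /* Constructed sample: the user's own groups and two placeholder pag gids. */
    const gid_t user[] = { 100, 200, 100 };
    const gid_t pag0 = 33554432, pag1 = 44444444;   /* placeholders, not real pag values */
    gid_t merged[16];
    int n = merge_groups_keep_pag(user, 3, pag0, pag1, merged, 16), i;

    printf("naive setgroups(user) keeps pag: %d\n", pag_groups_present(user, 3, pag0, pag1));
    printf("merged list (%d entries):", n);
    for (i = 0; i < n; i++) printf(" %lu", (unsigned long)merged[i]);
    printf("\nmerged list keeps pag: %d\n", pag_groups_present(merged, n, pag0, pag1));
    return 0;
}
```

Run as root, setgroups(merged, n) would then replace the user's groups without dropping the pag; the program itself only builds and checks the list.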
