domain_client_validate

Luke Kenneth Casson Leighton lkcl at regent.push.net
Thu Apr 30 12:55:16 GMT 1998


On Wed, 29 Apr 1998, Jeremy Allison wrote:

> Luke,
> 
> 	Thanks for all your comments - I hadn't *actually*
> finished all the code yet, just committed it, so some of
> them are unjustified :-). Note I hadn't yet *announced* it
> was working, I just committed it for safe keeping.
> 
> > the passwords from smbclient are only LM hash provided, not the NT hash.
> > therefore, the test if (lmlen != 24 || ntlen !=24) breaks down when it
> > should not.
> 
> Let's fix smbclient :-).

done that, in BRANCH_NTDOM.  it uses the pwd_cache module, which i know
you're not keen on.

> > the LUID we don't care about at the moment: however we _should_ internally
> > use it as an index into a shared memory table.  this will inform all smbd
> > processes that user "xyz" with LUID "NNNN" is "logged in to the domain".
> >
> > they will then have access rights (as "Domain Users") that can be
> > distinguished from other rights.  also, the administrator has the option
> > to kick them off in real time, by forcing the smbd daemon to close their
> > IPC$ connection to \PIPE\NETLOGON.
> 
> Yes I know. The random luid value was what I call a 'hack', maybe
> you've used them occasionally :-). Seriously though, you are correct,
> I just didn't want to make the exact decision what to put there until
> I thought about it some more, so I just punted with a random value
> (which I knew wouldn't do any harm) for now.
> 
> > your modification to cli_nt_session_open() was to hide the fnum in the
> > struct cli_state (which i'm not keen on).  however, you then do
> > cli_close(&cli, cli.nt_pipe_fnum) which is inconsistent with the hiding in
> > cli_nt_session_open().
> >
> > this is more of a crime :-)  can you put it one way or the other!
> 
> Well, I could always wrap it in a 'cli_nt_session_close()' if it
> makes you happier

it would.

> - but that'll only do the same thing.

good, but if further developers look at this they will start wondering
what nt_pipe_fnum is when they don't need to know, or will modify it
themselves or something horrible :-)


> I'll do
> it so the pipe gets closed at the same layer as it was opened, ok
> (picky, picky - did I offend your object orientation ? :-).

you damn right!  he he

> > the "here we get loads of info which we could check things on" - it's
> > important to check:
> >
> > - the ACB_DISABLED flag isn't enabled
> > - the ACB_NORMAL flag is true
> > - the expiry time on the account hasn't passed
> > - anything else that would warrant being a problem / possible security
> > hole.
> 
> *Very* good point. I'll look at putting some checks here.
> 
> Anything else you want to throw bricks at :-) :-) ?

security glass.
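
The checks raised in this thread (response lengths, ACB_DISABLED, ACB_NORMAL, account expiry), sketched in C as an added example; it is not part of the original message and not Samba's code. `struct logon_info`, `check_logon()`, the `allow_lm_only` switch and the "0 means never expires" convention are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <time.h>

/* Account control bits named in the message; values as in Samba's headers. */
#define ACB_DISABLED 0x0001u
#define ACB_NORMAL   0x0010u
#define RESP_LEN     24      /* length of an LM or NT challenge response */

/* Hypothetical holder for the fields the checks need (not a Samba struct). */
struct logon_info {
    uint32_t acct_flags;     /* ACB_* bits returned for the account */
    time_t   expiry;         /* account expiry; 0 = never (assumption) */
};

enum logon_verdict { LOGON_OK, LOGON_BAD_RESPONSE, LOGON_DISABLED,
                     LOGON_NOT_NORMAL, LOGON_EXPIRED };

/* Length test from the thread. With allow_lm_only set, a client that
 * sends only the LM response (ntlen == 0) is not rejected. */
static int response_lengths_ok(size_t lmlen, size_t ntlen, int allow_lm_only)
{
    if (lmlen != RESP_LEN)
        return 0;
    return ntlen == RESP_LEN || (allow_lm_only && ntlen == 0);
}

/* Apply the checks in order; the first failure decides the verdict. */
enum logon_verdict check_logon(const struct logon_info *info, size_t lmlen,
                               size_t ntlen, int allow_lm_only, time_t now)
{
    if (!response_lengths_ok(lmlen, ntlen, allow_lm_only))
        return LOGON_BAD_RESPONSE;
    if (info->acct_flags & ACB_DISABLED)
        return LOGON_DISABLED;
    if (!(info->acct_flags & ACB_NORMAL))
        return LOGON_NOT_NORMAL;   /* e.g. a machine or trust account */
    if (info->expiry != 0 && info->expiry <= now)
        return LOGON_EXPIRED;
    return LOGON_OK;
}

int main(void)
{
    /* Constructed sample: normal, enabled account that expired at t=500. */
    struct logon_info u = { ACB_NORMAL, 500 };
    return check_logon(&u, RESP_LEN, RESP_LEN, 0, 1000) == LOGON_EXPIRED ? 0 : 1;
}
```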


