TNG: making %U work again for logon path et. al.

Luke Kenneth Casson Leighton lkcl at samba.org
Tue Feb 22 02:46:07 GMT 2000


On 21 Feb 2000, Patrick J. LoPresti wrote:

> Luke Kenneth Casson Leighton <lkcl at samba.org> writes:
> 
> > patrick, i added your patch in already.
> 
> Look again.  This is a different patch.

oo.  then can you do a cvs update, _then_ do a diff?

> 
> > and the correct fix is to make get_sec_ctx() read the right
> > vuser_key so that standard_sub_vuser() can "grab" the right info.
> > 
> > which means a bit of a catch-22 situation, as it's confusing to
> > create the right info at the right point.
> 
> Right, we kind of want this information before the user has
> authenticated...

urr, the problem is that the \PIPE\NETLOGON conncetion is done
anonymously.

therefore ,  the standard_subxxx() substitutions will substitute
anonymous-user for %U etc.

i described this in great detail on samba tech, last month.  see archives
for details.
 
> > for preference, the %U etc should be substituted in srv_netlogon.c
> > in the netr_sam_logon function, but THAT means we need a Unicode
> > version of standard_sub_vuser() and standard_sub_basic()!!!
> 
> Yuck.  Couldn't the Unicode conversion be the final step?  So the
> sequence would be 1) authenticate, 2) perform substitutions, 3)
> convert to Unicode...

nope.  1) there isn't any "authentication", not in the SMB-sense of the
word.  _this_ is the authentication that SMB-session-authentication
*uses*!

2) the NETLOGON API is unicode (because NT is unicode).  therefore it's
not OK to convert to ascii, perform substs, then convert to unicode,
either.




More information about the samba-technical mailing list