passdb redesign

Mayers, Philip J p.mayers at ic.ac.uk
Fri Nov 10 09:55:01 GMT 2000 

Hmm. <warning - stream of consciousness follows>

I see two levels of isolation possible:

1) All NT-type information stored in a passdb, SMBD still handling the Unix
side of things

e.g.

setuid(pdb_get_uid(SAM_ACCOUNT_HND*));

2) All information stored in a passdb, SMBD calls generic functions in the
passdb API to do user-related things.

pdb_switchtouser(SAM_ACCOUNT_HND*);



It's worth noting that in one years time, I predict the majority of
authentications to Samba will be SNEGO-based, with GSSAPI tokens. I'm making
good progress on that - more details in a few days.

The design of the current passdb API or the new one will restrict what can
be done. It's important to distinguish getting user *information* from
actually authenticating and authorising a user. I believe they are separate
and have very little inter-dependency.

I suggest you drop all password/authtoken checking capabilities from your
current passdb API, and make it purely an informational one. But bear in
mind, the authentication API (which is basically going to need to be an
extended GSSAPI-style API) will have some interactions with the
informational data.

If you haven't already, look at the SSPI or GSSAPI (they're functionally
identical, just different APIs) for a good start of how to authenticate a
user with a given API. I envisage something where the server uses an
SNEGO-capable GSSAPI implementation purely for auth purposes. To support
downlevel clients, we fake up an NTLMSSP token using the information
available. For really downlevel clients, we have the plaintext password
available, and I have no problem with defining a GSSAPI plaintext mechanism
- suitable use of the word MUST with respect to not using it across
non-secure channels ought to do it.

One thing the SSPI has that GSSAPI doesn't is (effectively) a setuid call.
We would want a UseSecurityContext function (or equivalent) to drop down to
the given user. So, our SNEGO/GSSAPI library will have to call the user
information db to get the local username it should be using... There's more
crossover in one direction than another.

The advantage of that being that we can plug in additional mechanisms
completely independently of Microsoft - how about a PGP auth mechanism for
Samba? Easy, specify a GSSAPI mechanism for it. SecureID? Easy too.

So, we'd use an SNEGO/GSSAPI mechanism for authentication. When the user is
finally logged in, we get the information back from the auth API using the
aname and sname functions, and any informational data (required for PDC
support, for example) comes from there.

My 2 pence.


Regards,
Phil

+----------------------------------+
| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |
+----------------------------------+  

-----Original Message-----
From: Gerald Carter [mailto:gcarter at valinux.com]
Sent: 09 November 2000 19:52
To: samba-technical at samba.org
Subject: RFC: passdb redesign


Here is my current stat of mind wrt passdb/*


Problems
--------
  o current samba code is filled by functions that half
    use passdb backend and half use lp_..() defaults from
    smb.conf

  o two structure are used to represent an account entry.
    smb_passwd {} and sam_passwd{}.  These are used 
    inconsistently through the code.  The major differences 
    exist between the rpc subsystem and normal file/print 
    serving operations.


The Proposal
------------

  o Introduction of new smb.conf parameter to specify the
    shared library to be used for accessing account information.

	passdb module path = <filemname>

  o removeal of smb_passwd {} struct all together and 
    replacement of universal use of sam_passwd {} via an 
    opaque handle.

  o removal of passdb_ops {} structure.  This struct is for
    defining a set of functions pointers which currently 
    implement the passdb API.  This was previously needed
    as passdb backend support was chosen at compile time.
    This will be replaced by a well defined and documented
    interface shared between the passdb API and the loadable
    backend modules.  More on this in a minute.

  o Implement support for the following backends

      - smbpasswd 	(file)
      - TDBPWB 		(local DB)
      - LDAP 		(using AD schema)

    This means the experiemental NIS+ support  
    will be removed.  I think the general stand on NIS+
    is that it is dying (at least that is my opinion).


Advantages
----------

  o experiement with shared libraries for future use relating 
    to MS-RPC pipe support

  o a single interface allows a single tool to access/update
    all passdb backends without recompiling.  The same tool
    can put from smbpasswd and push to LDAP.

  o fewer compile time descisions (except on platforms 
    that do not support shared libraries of course).

  o More flexibility. For example, you can use 
    include parameters to validate clear text logons 
    against /etc/passwd and encrypted logons against LDAP
    from the same server.


Proposed Interface
------------------

Functions for manipulating sam_passwd struct (common to all
backends)

   pdb_get...(SAM_ACCOUNT_HND *hnd)
   pdb_set...(SAM_ACCOUNT_HND *hnd)

Backend storage access functions which must be implemented
by each passdb module

   /* search functions */
   SAM_ACCOUNT_HND* pdb_getsampwnam (char* username);
   SAM_ACCOUNT_HND* pdb_getsampwuid (uid_t uid);
   SAM_ACCOUNT_HND* pdb_getsampwrid (uint32 rid);
   SAM_ACCOUNT_HND* pdb_getsampwent ();


   /* create a new (and empty) sam_passwd struct */
   SAM_ACCOUNT_HND* pdb_new_sam_account ();


   /* write change to persistent storage */
   /* add a new acount*/
   BOOL pdb_add_sam_account (SAM_ACCOUNT_HND *hnd);
   /* update an account entry */
   BOOL pdb_update_sam_account (SAM_ACCOUNT_HND *hnd);
   /* delete an account entry */
   BOOL pdb_delete_sam_account (SAM_ACCOUNT_HND *hnd);

  

Note that certain functions have been left out of 
the interface (e.g. getsamdispnam()) as these are often 
convienence functions and can easily be added to the basic
passdb.c general interface.

I have started working on this already.  It is the 
first step to implementing group mapping and LDAP support
(officially).  Comments welcome.






Cheers, jerry
----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
 \/    http://www.valinux.com/  VA Linux Systems   gcarter at valinux.com
       http://www.samba.org/       SAMBA Team          jerry at samba.org
       http://www.plainjoe.org/                     jerry at plainjoe.org

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

More information about the samba-technical mailing list