VFS Implementation and user authentication

Nicolas Williams Nicolas.Williams at ubsw.com
Fri Sep 8 20:07:09 GMT 2000


> I think it would be *fantastic* to see --with-vfs in the next release of
> Samba.

Same here.

> While there's been some discussion about releasing VFS as a feature, my hope
> was to address the issue of authentication and the VFS. David Collier-Brown
> mentioned that Sun and Linux don't have authentication in their VFS. Tim
> Potter thought that Samba could utilize a generic authorisation
> interface.

VFS, what Solaris, BSD, Linux all provide, is an in-kernel interface
between the system call layer and the file systems. Obviously there's no
authentication in that interface. Authentication happens elsewhere.

But, in the case of client-side VFS modules for accessing remote shares
(think NFS), the kernel VFS modules may have to get at the users'
credentials. For example, NFS can require GSS-API authentication using
RPCSEC_GSS, Sun's standard for doing GSS auth in ONC RPC, and it can
require GSS mechanisms such as Kerberos V, Sun's Diffie-Hellman NIS+
system, etc...

In such cases there's usually a mechanism by which the kernel can get
at the users' credentials caches.

> I like the idea of the generic authorisation interface. When might something
> along these lines be developed? I'm assuming there are no plans for this at
> the current time.

What are you thinking of? File ACLs? Or coarser account authorization?

> In the mean time, I must pass username and password to a third party for
> authentication/authorisation. Would someone be able to enlighten me as to
> how I might modify Samba to pass the user's password up to the VFS?

Samba should store authentication information in the session handle
which I imagine it must pass around in the VFS. Then you could get at
the remote user's forwarded credentials, whether they be passwords or
Kerberos TGTs.

Smbfs should work the way Solaris 8's NFS client code does wrt getting
at Kerberos credentials. Of course, that requires an appropriate kernel
interface which Linux probably doesn't yet have. Heck, I've yet to find
docs on how Solaris does it.

See my other response in this thread, about my upcoming attempt to
specify how applications, PAM and PAM modules should interact with
respect to NTLM/Kerberos/SRP/SASL/GSS-API/etc...

> Thanks for any help on this,
> 
> Brad
> 


Nico
--
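As an added illustration of the design sketched in this message (storing the forwarded credential in the session handle and letting a VFS module read it from there to consult a third-party authorizer), here is a small self-contained C sketch. It is not Samba code and not a kernel interface; every type, function and policy in it (`struct session`, `struct vfs_ops`, `third_party_authorize`, the accepted user and password) is a hypothetical, constructed stand-in so the example runs offline.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration, not Samba code: every name here is hypothetical. */

enum cred_type { CRED_NONE = 0, CRED_PASSWORD, CRED_KRB5_TGT };

/* The forwarded credential, whatever form it took at session setup. */
struct credential {
    enum cred_type type;
    char user[64];               /* account name or Kerberos principal */
    unsigned char secret[256];   /* cleartext password or opaque ticket bytes */
    size_t secret_len;
};

/* The per-session handle that the server would pass to every VFS call. */
struct session {
    int vuid;                    /* the client's virtual user id */
    struct credential cred;      /* set at session setup, read by modules */
};

/* A VFS-style operation table: each op receives the session handle. */
struct vfs_ops {
    int (*open_file)(struct session *s, const char *path);
};

/* Hypothetical third-party authorizer. A real one would verify the password
 * against its own store or hand the ticket to GSS-API; this stub carries a
 * constructed policy so the example runs offline. Returns 1 to allow. */
static int third_party_authorize(const struct credential *c, const char *path)
{
    (void)path;  /* a real authorizer might also decide per path */
    switch (c->type) {
    case CRED_PASSWORD:
        return strcmp(c->user, "brad") == 0 &&
               c->secret_len == 6 && memcmp(c->secret, "s3cret", 6) == 0;
    case CRED_KRB5_TGT:
        /* constructed rule: a non-empty ticket for the expected principal */
        return c->secret_len > 0 && strcmp(c->user, "brad@EXAMPLE.COM") == 0;
    default:
        return 0;
    }
}

/* The module's open(): authorization is decided from the session handle.
 * Returns 0 on success, -1 on refusal. A session with no credential fails
 * closed instead of falling back to some default identity. */
static int module_open_file(struct session *s, const char *path)
{
    if (s == NULL || s->cred.type == CRED_NONE)
        return -1;
    return third_party_authorize(&s->cred, path) ? 0 : -1;
}

const struct vfs_ops module_ops = { module_open_file };

static void set_secret(struct credential *c, const unsigned char *p, size_t n)
{
    c->secret_len = n < sizeof c->secret ? n : sizeof c->secret;
    memcpy(c->secret, p, c->secret_len);
}

/* Session setup stores the forwarded password ... */
void session_set_password(struct session *s, int vuid,
                          const char *user, const char *pw)
{
    memset(s, 0, sizeof *s);
    s->vuid = vuid;
    s->cred.type = CRED_PASSWORD;
    strncpy(s->cred.user, user, sizeof s->cred.user - 1);
    set_secret(&s->cred, (const unsigned char *)pw, strlen(pw));
}

/* ... or the forwarded Kerberos ticket. */
void session_set_tgt(struct session *s, int vuid, const char *principal,
                     const unsigned char *ticket, size_t ticket_len)
{
    memset(s, 0, sizeof *s);
    s->vuid = vuid;
    s->cred.type = CRED_KRB5_TGT;
    strncpy(s->cred.user, principal, sizeof s->cred.user - 1);
    set_secret(&s->cred, ticket, ticket_len);
}

/* Logoff: scrub the secret so it does not outlive the session. A plain
 * memset on dead data can be optimised away; writing through a volatile
 * pointer prevents that. */
void session_end(struct session *s)
{
    volatile unsigned char *p = s->cred.secret;
    size_t i;
    for (i = 0; i < sizeof s->cred.secret; i++)
        p[i] = 0;
    s->cred.secret_len = 0;
    s->cred.type = CRED_NONE;
}
```

The point the sketch makes is that the VFS layer itself never authenticates anything: the credential is captured once at session setup, rides along in the handle, and a module that needs it (here, to ask an external authorizer) reads it from the handle rather than from a global. The scrub on logoff is the caveat a practitioner would add when cleartext passwords are being carried around in server memory.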