VFS Implementation and user authentication

Brad Sahr bsahr at macromedia.com
Sat Sep 9 00:33:56 GMT 2000


> From: Nicolas Williams [mailto:Nicolas.Williams at ubsw.com]
> Sent: Friday, September 08, 2000 1:07 PM

> But, in the case of client-side VFS modules for accessing remote shares
> (think NFS), the kernel VFS modules may have to get at the users'
> credentials. For example, NFS can require GSS-API authentication using
> RPCSEC_GSS, Sun's standard for doing GSS auth in ONC RPC, and it can
> require GSS mechanisms such as Kerberos V, Sun's Diffie-Hellman NIS+
> system, etc...

Our VFS implementation is more like what you describe here,
with file data coming from a possibly remote server.

> In such cases there's usually a mechanism by which the kernel can get
> at the users' credentials caches.

This is what our VFS implementation needs.

> > I like the idea of the generic authorisation interface. When might something
> > along these lines be developed? I'm assuming there are no plans for this at
> > the current time.
>
> What are you thinking of? File ACLs? Or coarser account authorization?

Coarse username/password authentication (my apologies if I'm
mixing up authentication with authorization). At this time,
we're interested in username/password.

> > In the mean time, I must pass username and password to a third party for
> > authentication/authorisation. Would someone be able to enlighten me as to
> > how I might modify Samba to pass the user's password up to the VFS?
>
> Samba should store authentication information in the session handle
> which I imagine it must pass around in the VFS. Then you could get at
> the remote user's forwarded credentials, whether they be passwords or
> Kerberos TGTs.

Samba passes a vfs_connection_struct to the VFS when the client
connects to the Samba share. The user related information in the
struct is username, user id, group id, groups, and also an
NT user token. User password is missing. The make_connection()
function in the service.c module populates the vfs_connection_struct
prior to passing it to the VFS. Getting password information into
this struct could be a challenge. If someone could provide me
some guidance, perhaps this will happen.

Brad
