VFS Implementation and user authentication

[Nicolas Williams]

On Fri, Sep 08, 2000 at 05:33:56PM -0700, Brad Sahr wrote:
> > In such cases there's usually a mechanism by which the kernel can get
> > at the users' credentials caches.
> 
> This is what our VFS implementation needs.

When I said "credentials" I meant something like "forwarded Kerberos
TGTs", not "passwords."

> Samba passes a vfs_connection_struct to the VFS when the client
> connects to the Samba share. The user related information in the
> struct is username, user id, group id, groups, and also an
> NT user token. User password is missing. The make_connection()
> function in the service.c module populates the vfs_connection_struct
> prior to passing it to the VFS. Getting password information into
> this struct could be a challenge. If someone could provide me
> some guidance?, perhaps this will happen.

You don't seem to get it. Windows systems don't authenticate users to
servers by passing the users' passwords to the servers. Therefore you
can't get passwords in the session context structure.

You could configure all your Windows clients to send cleartext
passwords, but that would greatly reduce security in your environment.
See the FAQs.

In a Kerberized world you might get a Kerberos TGT from the client,
which you can view as a temporary password, of sorts. But I don't know
if Windows 2000 clients forward TGTs when connecting to [Windows 2000]
SMB servers; MS's PAC-in-Kerberos-tickets would essentially allow them
to not have to bother forwarding users' TGTs to file servers.

Looks like you'll have to re-think what you're doing.

> Brad

Good luck,

Nico
--