New group mapping and the auth subsystem

Andrew Bartlett abartlet at pcug.org.au
Sat Dec 1 12:46:01 GMT 2001


Jean Francois Micouleau wrote:
> 
> On Sat, 1 Dec 2001, Andrew Bartlett wrote:
> 
> > SAM-backed passwords are now checked in auth/auth_sam.c and I would hope
> > that the new group code could be called by each auth back-end as
> > appropriate.
> >
> > Does this sound sane?
> 
> no offence intended (or I missed something (probably)), but it doesn't
> sound sane. I think that's the reverse you want, or more exactly as soon
> as users get privileges like groups, you'll want to add to the auth_sam.c
> code a check to verify if the user that's authenticating has the privilege
> to connect to the server.
> 
> I guess you'll be more interested in the account policy work I did last
> week. It fits perfectly in the sam_account_ok() function.
> 
>         J.F.

Yes, I'm interested in the account policy stuff, and I'll look into
adding that kind of thing to the sam_account_ok checks, but I think you
miss my point.

If I want to conduct a privileged action on the server (like adding a
machine account, changing a share's properties), when (and how) will it
be checked that I have the privilege to conduct this operation?

And when is the privileges list for this check calculated?  (The
NT_USER_TOKEN).

This token needs to be generated at some point.  

Furthermore, this token (or its constituent parts) is not always
generated by the group mapping code, but can be generated by the PDC,
and passed to a domain member by means of a PAC or an info3 in a
samlogon reply.

This token needs to be carried from the authentication backend (where we
get it, by hook or by crook) into the rest of samba where it can be
associated with a user when they request these actions.

The reason I want to do it like this is because it follows the model NT
uses very closely, and it makes maximum use of the available
information.  Much of my work in the auth subsystem has been aimed at
simply *not* throwing away information if we can avoid it.

In any case, how did you propose obtaining this privilege information
from the DC (given samba as a member server)?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
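An added illustration of the flow Andrew describes (this is constructed example code, not Samba's own and not something either poster wrote): the authentication backend builds the token once, either from a local group mapping or from the group list the PDC returns in an info3-style samlogon reply, and the later privileged operation consults only that carried token. The struct names, the `info3_reply` shape, the privilege bits and the RID-to-privilege mapping are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical data model, not Samba's: an NT-style user token built
 * once by the authentication backend and carried to later access checks. */
#define MAX_GROUPS 16

enum privilege {
    PRIV_NONE         = 0,
    PRIV_ADD_MACHINE  = 1 << 0,   /* add a machine account */
    PRIV_CHANGE_SHARE = 1 << 1    /* change a share's properties */
};

struct user_token {
    unsigned user_rid;
    unsigned group_rids[MAX_GROUPS];
    int      num_groups;
    unsigned privileges;          /* bitmask of enum privilege */
};

/* Constructed group-to-privilege mapping (stand-in for the group mapping
 * code). 512 and 513 are the well-known Domain Admins / Domain Users RIDs. */
static unsigned privileges_for_group(unsigned rid)
{
    switch (rid) {
    case 512: return PRIV_ADD_MACHINE | PRIV_CHANGE_SHARE;
    case 513: return PRIV_NONE;
    default:  return PRIV_NONE;
    }
}

/* Common step shared by both backends: fold a group list into a token. */
static int fill_token(struct user_token *tok, unsigned user_rid,
                      const unsigned *rids, int n)
{
    if (n < 0 || n > MAX_GROUPS) return -1;
    memset(tok, 0, sizeof(*tok));
    tok->user_rid = user_rid;
    for (int i = 0; i < n; i++) {
        tok->group_rids[i] = rids[i];
        tok->privileges |= privileges_for_group(rids[i]);
    }
    tok->num_groups = n;
    return 0;
}

/* Backend 1: local SAM; membership comes from the local group mapping. */
int token_from_local_sam(struct user_token *tok, unsigned user_rid,
                         const unsigned *mapped_rids, int n)
{
    return fill_token(tok, user_rid, mapped_rids, n);
}

/* Backend 2: domain member; membership arrives from the PDC in the
 * samlogon reply (info3), so nothing is recomputed locally. */
struct info3_reply { unsigned user_rid; unsigned rids[MAX_GROUPS]; int count; };

int token_from_info3(struct user_token *tok, const struct info3_reply *r)
{
    return fill_token(tok, r->user_rid, r->rids, r->count);
}

/* The privileged operation consults the carried token, never the backend. */
bool token_has_privilege(const struct user_token *tok, enum privilege p)
{
    return (tok->privileges & p) != 0;
}

int add_machine_account(const struct user_token *tok, const char *name)
{
    if (!token_has_privilege(tok, PRIV_ADD_MACHINE)) {
        printf("denied: user %u may not add machine account %s\n",
               tok->user_rid, name);
        return -1;
    }
    printf("user %u added machine account %s\n", tok->user_rid, name);
    return 0;
}

int main(void)
{
    struct user_token tok;
    const unsigned admin_groups[] = { 513, 512 };    /* constructed sample */
    struct info3_reply reply = { 1105, { 513 }, 1 }; /* constructed sample */

    token_from_local_sam(&tok, 500, admin_groups, 2);
    add_machine_account(&tok, "WS01$");   /* allowed: member of RID 512 */
    token_from_info3(&tok, &reply);
    add_machine_account(&tok, "WS02$");   /* denied: only RID 513 */
    return 0;
}
```

The point of the split is that `add_machine_account` has no idea which backend produced the token, which is what lets a PDC-supplied group list and a locally mapped one be treated identically at the point of the access check.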
