[RFC] Authentication Rewrite
abartlet at pcug.org.au
Tue Jul 3 13:56:30 GMT 2001
Attached is a basic attempt to let people know what I am intending to do
with my 'Authentication Rewrite'. It is by no means a formal document
(particularly given its title :-), but I hope it might draw some
For ideas on what the implementaion might look like: it will look much
like my 'authenticaiton rewrite' patches, but it won't have the same
ties to the RPC structures.
abartlet at pcug.org.au
abartlet at samba.org
-------------- next part --------------
The Great Authentication Rewrite of 2001
Over a the last little while I have been looking at the current state
of Samba's authentication. Its a mess and in desperate need of a
rewrite, and has been the cause of inconsistent policy and security
holes in the past (null passwords). This attempts to address the
situation, by implementing a standard interface.
The interface is implemetd in terms of data structures, where these
are filled in as much as possible by the calling process. These
structures bear a remarkable similarly to the RPC structures I used in
my previous efforts in this area, but are notably different - and as a
core system component are defined within Samba, and not subject to
To authenticate a user in reply.c / srv_netlogon_nt.c / chpasswd.c and
wherever else we are checking passwords, simply call
where user_info is an RPC like struct containing things like:
- the challenge,
- requested username (it matters for NTLMv2),
- domain, requested domain (likewise)
- and the passwords.
The user_info can contain multiple password schemes in the one
structure, but only those indicated as valid will be processed. This
allows the existing password_ok() interface to function, as it doesn't
have any idea what type NTLM/LM password it is, so it can just fill in
both. This may not been needed and might change.
The server_info struct will contain stuff like:
- the user's Full Name
- a pamh for making setcred and session calls on (the setup and
account calls will be done by then)
- the session key (for srv_netlogon_nt.c)
- and anything else I decide the authentication client code needs
In particular it will contain the NT_STATUS code returned by the
authentication server. I may also include a pointer to the actual
returns from the domain logon attempt, if we end up using this for a
(Note on proxy-DC ideas: If we have the authenticion info from a
client, even via a domain logon, there is nothing to stop us shipping
this off to another domain, and this code will make this VERY easy.
This also may already be implemented, but I can't see it in my CVS...)
I hope the interface will also deal with Trusted domains, but I need
some more info on how that works.
So as to further avoid code duplication, another even more abstract
interface will be available:
will allow the username and domain mapping to be abstracted away,
which should avoid things like the bug in chgpasswd.c where the
username is simply lowercased, not GetPwnam()ed. Calls to this
function will take the same structure, only the requested fields need
be filled in.
The implementation will deal with all authentications, including SHARE
level (outside code will still need to determine the username), USER
level, SERVER level (small hack required, specified challenge must be
one sent by server) and DOMAIN level security. Fallback to local can
be arranged as normal.
I have created a few new files, to separate this functionality into a
single logical component.
include/auth.h contains the type definitions, and smbd/auth.c contains
the interface and functionality.
au th.c may be split into 4, the generic interface, and the 3
authentication back ends.
This design allow for a lot of flexibility in the implementation -
including default domains/no default domains as per the team's
Andrew Bartlett 1-Jul-2001
More information about the samba-technical