CVS update: samba/source/rpc_server
abartlet at pcug.org.au
Fri Nov 9 17:38:03 GMT 2001
Jeremy Allison wrote:
> On Sat, Nov 10, 2001 at 12:01:04PM +1100, Andrew Bartlett wrote:
> > But they don't do multiple tree connects do they?
> > The problem is that the user_ok() code at present doesn't consider the
> > guest user case.
> > (or the NT ACL in tdb for that matter)
> I'm aware of the NT ACL in tdb case (I wrote that
> code remember :-). This involves a significant redesign in
> packet processing. Yes, I'm intending to do it before 3.0 ships.
Is the redesign that significant? I was looking at the problem and I
don't think it's that hard:
Basically we already have the concept of a per-connection vuid cache,
and we already correctly move between security contexts. All I am
suggesting is moving the code around a bit, move the access control
stuff into the user_ok() code and make the user_ok() code understand
guest users. The code should also take into account a conn->vuid_locked
property - which can specify that this connection is special (admin user
and friends) and only allow that vuid to connect.
Then just call user_ok() (or a much better named derivative) in
make_connection() *and* in change_to_user() where we already do it.
There are some small bits to clean up as well - particularly ensuring
that the correct vuid and user are passed down the line (I'm not
convinced that this is correct at the moment). I got pretty close to a
working arrangement before the last CIFS conference, and I was going to
take another stab at it.
Andrew Bartlett abartlet at pcug.org.au
Samba Team member, Build Farm maintainer abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
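
The arrangement proposed in the message above, sketched as an added example that is not Samba source and not code from the thread: one access check that understands guest sessions and a locked vuid, called from both the tree-connect path and the context-switch path. The struct layouts, the `model_*` names and the use of vuid 0 to mean "not locked" are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified records; these are not Samba's structures. */
struct session { uint16_t vuid; bool guest; };
struct connection {
    bool guest_ok;           /* share permits guest access */
    uint16_t vuid_locked;    /* assumed: 0 = unlocked, else only this vuid */
    const uint16_t *allowed; /* vuids granted by the share's access list */
    size_t n_allowed;
};

/* One access decision shared by every entry point (models user_ok()). */
bool model_user_ok(const struct connection *c, const struct session *s)
{
    if (c->vuid_locked != 0)            /* special connection: one vuid only */
        return s->vuid == c->vuid_locked;
    if (s->guest)                       /* guest case handled explicitly */
        return c->guest_ok;
    for (size_t i = 0; i < c->n_allowed; i++)
        if (c->allowed[i] == s->vuid)
            return true;
    return false;                       /* default deny */
}

/* Tree-connect path: check first, then optionally pin the connection. */
bool model_make_connection(struct connection *c, const struct session *s, bool lock)
{
    if (!model_user_ok(c, s)) return false;
    if (lock) c->vuid_locked = s->vuid;
    return true;
}

/* Per-request path: the same check when switching security context. */
bool model_change_to_user(const struct connection *c, const struct session *s)
{
    return model_user_ok(c, s);
}

int main(void)
{
    const uint16_t acl[] = { 100, 101 };            /* constructed sample data */
    struct session alice = { 100, false }, bob = { 101, false };
    struct connection c = { false, 0, acl, 2 };
    printf("connect+lock alice: %d\n", model_make_connection(&c, &alice, true));
    printf("bob on locked conn: %d\n", model_change_to_user(&c, &bob));
    return 0;
}
```

In this model a second session that is on the access list is still refused once the connection has been locked to another vuid, because the lock is evaluated before the list.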