CVS update: samba/source/rpc_server

Andrew Bartlett abartlet at pcug.org.au
Fri Nov 9 17:38:03 GMT 2001


Jeremy Allison wrote:
> 
> On Sat, Nov 10, 2001 at 12:01:04PM +1100, Andrew Bartlett wrote:
> >
> > But they don't do multiple tree connects do they?
> >
> > The problem is that the user_ok() code at present doesn't consider the
> > guest user case.
> >
> > (or the NT ACL in tdb for that matter)
> 
> I'm aware of the NT ACL in tdb case (I wrote that
> code remember :-). This involves a significant redesign in
> packet processing. Yes, I'm intending to do it before 3.0 ships.
> 
> Jeremy.

Is the redesign that significant?  I was looking at the problem and I
don't think it's that hard:

Basically we already have the concept of a per-connection vuid cache,
and we already correctly move between security contexts.  All I am
suggesting is moving the code around a bit, move the access control
stuff into the user_ok() code and make the user_ok() code understand
guest users.  The code should also take into account a conn->vuid_locked
property - which can specify that this connection is special (admin user
and friends) and only allow that vuid to connect.

Then just call user_ok() (or a much better named derivative) in
make_connection() *and* in change_to_user() where we already do it.  

There are some small bits to clean up as well - particularly ensuring
that the correct vuid and user are passed down the line (I'm not
convinced that this is correct at the moment).  I got pretty close to a
working arrangement before the last CIFS conference, and I was going to
take another stab at it.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Samba Team member, Build Farm maintainer        abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
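
Added example, not part of the original message and not Samba source: a simplified C model of the arrangement proposed above, where one user_ok() decision (guest-aware and honouring vuid_locked) is applied both at tree connect and when a request arrives under a different vuid. The struct layouts, function signatures, the authorise() helper and the guest_ok/valid_users fields are assumptions made for illustration.

```c
/* Simplified model, not Samba source: only user_ok, make_connection,
 * change_to_user and vuid_locked are names taken from the message. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define VUID_NONE 0u
#define CACHE_MAX 4
struct session { unsigned vuid; const char *user; bool guest; };
struct conn {
    bool guest_ok;                   /* share permits guest access */
    const char *const *valid_users;  /* NULL-terminated; NULL = any user */
    unsigned vuid_locked;            /* VUID_NONE, or the only vuid allowed */
    unsigned cache[CACHE_MAX];       /* vuids already authorised here */
    size_t ncached;
};

/* The single access decision used by both entry points. */
static bool user_ok(const struct conn *c, const struct session *s)
{
    if (c->vuid_locked != VUID_NONE && s->vuid != c->vuid_locked)
        return false;                /* special connection: one vuid only */
    if (s->guest) return c->guest_ok;        /* guest decided explicitly */
    if (c->valid_users == NULL) return true;
    for (const char *const *u = c->valid_users; *u != NULL; u++)
        if (strcmp(*u, s->user) == 0) return true;
    return false;
}

static bool authorise(struct conn *c, const struct session *s)
{
    for (size_t i = 0; i < c->ncached; i++)  /* cache holds only passes */
        if (c->cache[i] == s->vuid) return true;
    if (!user_ok(c, s)) return false;
    if (c->ncached < CACHE_MAX) c->cache[c->ncached++] = s->vuid;
    return true;                     /* full cache: re-checked next time */
}

/* Tree connect: check, then optionally pin the connection to this vuid. */
bool make_connection(struct conn *c, const struct session *s, bool lock)
{
    if (!authorise(c, s)) return false;
    if (lock) { c->vuid_locked = s->vuid; c->cache[0] = s->vuid; c->ncached = 1; }
    return true;
}

/* Per request: a vuid new to this connection gets the same check. */
bool change_to_user(struct conn *c, const struct session *s)
{ return authorise(c, s); }
```

Locking resets the cache to the pinned vuid, so a vuid authorised before the lock cannot ride through on a cache hit.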



