CVS update: samba/source/rpc_server

Andrew Bartlett abartlet at
Fri Nov 9 17:38:03 GMT 2001

Jeremy Allison wrote:
> On Sat, Nov 10, 2001 at 12:01:04PM +1100, Andrew Bartlett wrote:
> >
> > But they don't do multiple tree connects do they?
> >
> > The problem is that the user_ok() code at present doesn't consider the
> > guest user case.
> >
> > (or the NT ACL in tdb for that matter)
> I'm aware of the NT ACL in tdb case (I wrote that
> code remember :-). This involves a significant redesign in
> packet processing. Yes, I'm intending to do it before 3.0 ships.
> Jeremy.

Is the redesign that significant?  I was looking at the problem and I
don't think it's that hard:

Basically we already have the concept of a per-connection vuid cache,
and we already correctly move between security contexts.  All I am
suggesting is moving the code around a bit, move the access control
stuff into the user_ok() code and make the user_ok() code understand
guest users.  The code should also take into account a conn->vuid_locked
property - which can specify that this connection is special (admin user
= and friends) and only allow that vuid to connect.

Then just call user_ok() (or a much better named derivative) in
make_connection() *and* in change_to_user() where we already do it.  

There are some small bits to clean up as well - particularly ensuring
that the correct vuid and user are passed down the line (I'm not
convinced that this is correct at the moment).  I got pretty close to a
working arrangement before the last CIFS conference, and I was going to
take another stab at it.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Samba Team member, Build Farm maintainer        abartlet at
Student Network Administrator, Hawker College   abartlet at
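
The arrangement proposed in the message above, sketched as an added example that is not part of the original message and is not Samba source code: one guest-aware, lock-aware check called both at tree connect and on every per-request user switch, in front of a per-connection vuid cache. All struct layouts and the `model_*` and `access_ok` names are hypothetical; the single `valid_user` field and fixed-size cache are simplifications.

```c
/* Toy model, not Samba source: every type and function name is an assumption. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define CACHE_SLOTS 4

struct session { unsigned vuid; const char *user; bool guest; };
struct share   { bool guest_ok; const char *valid_user; /* NULL = anyone */ };
struct conn {
    const struct share *share;
    unsigned vuid_locked;        /* 0 = unlocked, else the only vuid allowed */
    unsigned cache[CACHE_SLOTS]; /* vuids already authorised on this conn */
    size_t ncached;
};

/* One guest-aware, lock-aware decision shared by both entry points. */
static bool access_ok(const struct conn *c, const struct session *s)
{
    if (c->vuid_locked != 0 && c->vuid_locked != s->vuid)
        return false;                       /* connection pinned to one vuid */
    if (s->guest)
        return c->share->guest_ok;          /* guest is judged explicitly */
    return c->share->valid_user == NULL ||
           strcmp(c->share->valid_user, s->user) == 0;
}

/* Tree connect: check the connecting session; pin the vuid if privileged. */
bool model_make_connection(struct conn *c, const struct share *sh,
                           const struct session *s, bool privileged)
{
    memset(c, 0, sizeof *c);
    c->share = sh;
    if (!access_ok(c, s))
        return false;
    if (privileged) c->vuid_locked = s->vuid;
    c->cache[c->ncached++] = s->vuid;
    return true;
}

/* Per request: another vuid on the same connection gets the same check. */
bool model_change_to_user(struct conn *c, const struct session *s)
{
    for (size_t i = 0; i < c->ncached; i++)
        if (c->cache[i] == s->vuid)
            return true;                    /* reuse the earlier decision */
    if (!access_ok(c, s))
        return false;
    if (c->ncached < CACHE_SLOTS) c->cache[c->ncached++] = s->vuid;
    return true;
}
```
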

More information about the samba-technical mailing list