CVS update: samba/source/rpc_server
jra at samba.org
Sat Nov 10 00:53:08 GMT 2001
On Sat, Nov 10, 2001 at 02:05:18PM +1100, Andrew Bartlett wrote:
> Note: We do this already. We already have the vuid cache, but I've
> never seen it cleaned. As to read and read-write, I can see that
> getting a little messier.
Yes I know, it should be cleared. We actually need 3 caches,
read-only, read-write and no access.
> Instead, create a separate structure (a sec_ctx_id for argument's sake)
> and just use the vuid to look that sec_ctx_id up.
That's what the 'user_struct' returned by the get_valid_user()
function was meant to be.
> So when a packet comes in, we do a conn & vuid lookup. This gives us a
> pointer (or an id for lookup) to the security context to use, without
> further recalculation. This would need a binary tree I think. If this
> is done right, you could have one 'admin user = ' on a tid while another
> 'normal user' without interference. Hmm...
I don't think we can do this, as we need to know if a vuid has any of the
above (read/read-write/none) access on a conn. And we need to
look this up on a SMB request basis.
I do have an internal design for this as an extension of the
current vuid system. Unfortunately it's in my head right now.
You're definitely thinking along the right lines.
BTW: I just wanted to say thanks for the auth re-write you've
done so far. When I was fixing the extra SID group bugs in 2.2
and HEAD it was *so much* easier to do correctly in HEAD as all
the correct information was already being passed around in the
structures you were using. Very impressive bit of design, thanks!
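
An added example, not part of the original message and not Samba code: one way to keep a per-connection, per-vuid access cache that records the three outcomes mentioned above (read-only, read-write, no access) and is cleared when a vuid goes away. All names, the fixed-size table and the round-robin eviction are assumptions made for illustration.

```c
#include <stdint.h>

/* Hypothetical names throughout; this is not Samba source. */
enum access_level { ACC_UNKNOWN = 0, ACC_NONE, ACC_READ_ONLY, ACC_READ_WRITE };
#define CACHE_SLOTS 8
struct access_entry {
    int conn_id;              /* constructed stand-in for a connection */
    uint16_t vuid;
    enum access_level level;  /* ACC_UNKNOWN marks a free slot */
};
static struct access_entry cache[CACHE_SLOTS];
static unsigned next_victim;

static int same_key(const struct access_entry *e, int conn_id, uint16_t vuid)
{
    return e->level != ACC_UNKNOWN && e->conn_id == conn_id && e->vuid == vuid;
}

/* Per-request lookup; ACC_UNKNOWN means "not cached, run the full check". */
enum access_level cache_lookup(int conn_id, uint16_t vuid)
{
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (same_key(&cache[i], conn_id, vuid)) return cache[i].level;
    return ACC_UNKNOWN;
}

/* Record a decision, including a negative one (ACC_NONE). */
void cache_store(int conn_id, uint16_t vuid, enum access_level level)
{
    int slot = -1;
    for (int i = 0; i < CACHE_SLOTS; i++) {
        if (same_key(&cache[i], conn_id, vuid)) { slot = i; break; }
        if (slot < 0 && cache[i].level == ACC_UNKNOWN) slot = i;
    }
    if (slot < 0) slot = (int)(next_victim++ % CACHE_SLOTS); /* evict round-robin */
    cache[slot] = (struct access_entry){ conn_id, vuid, level };
}

/* Session logoff: drop every cached decision for this vuid; returns the count. */
int cache_flush_vuid(uint16_t vuid)
{
    int n = 0;
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (cache[i].level != ACC_UNKNOWN && cache[i].vuid == vuid) {
            cache[i].level = ACC_UNKNOWN;
            n++;
        }
    return n;
}
```

Caching ACC_NONE as its own state keeps a denied vuid from being re-evaluated on every request, and the flush on logoff is what stops a reused vuid from inheriting an earlier session's access.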