auditing patch for samba
Andy Bakun
abakun at thwartedefforts.org
Thu Feb 21 18:52:14 GMT 2002
FYI, anywhere I mention NT in this message, I'm talking about Windows NT
4.0 Service Pack 6.
>The 'restrict anonymous' paramater has been removed from HEAD, as I
>broke it during the auth-rewrite and could not find the rationale behind
>it. In particular, its highly confusing name (conflicting with the NT
>Registry key of the same name) didn't help.
>
Most discussion on it can be found by searching marc.theaimsgroup.com's
samba-technical for 'restrict anonymous', discussion took place mostly
around the end of 1998. Note the conversations on the %U and %G
expansions. It's actually named 'restrict anonymous' (I notice in your
notes on the removal of it that it is misnamed) as Luke Kenneth Casso
suggested that name, and it was the only name for that parameter that
really got anyone's attention on the problem I was having with %U and %G
expansions. History lesson time: I had shares defined in include files,
named based on the user name and group name, and they would randomly
disappear on the client. Turned out that the NT client was browsing the
server anonymously (even though it had an already authed connection) and
smbd would reread the config files and would include other files because
there is no user name associated with an anonymous connection.
I don't know which copy of the source you were reading :) , but if my
memory serves, it did exactly what it should do based on its name -- if
an anonymous connection was attempted over a connection that already had
been authed, it was denied. This has the (intended) effect of making
the NT client try again, but this time with the username and password.
2.2.3a's smbd/reply.c (I've removed my comments)
if (done_sesssetup && lp_restrict_anonymous()) {
if (!*user && !*smb_apasswd && !*domain) {
DEBUG(0, ("restrict anonymous is True and anonymous connection attempted. Denying access.\n"));
END_PROFILE(SMBsesssetupX);
return(ERROR_DOS(ERRDOS,ERRnoaccess));
}
}
The meat of the functionality being the second line above (879 of reply.c)
Unfortunately, this also caused problems with NT clients reauthing their
machine accounts after logout, because in MS's infinite braindeadness
(my judgement call), they updated the profile over a NEW connection
(authed as the user) after closing the logged on connection and sending
the LOGOFF signal to the server (the sending of which wasn't even
reliable in my experience). So now a new connection had been
established to update the profile, and the machine account auth attempt
fails because an anonymous connection is attempted first in order to do
that.
All this is academic though if you've already removed it and your new
auth scheme is in there and %U and %G still work all the time. I
suspose another solution to the macro expansion issue would be to
iterate over the vuser (?) array's elements and try expanding all macros
for each vuser connected. I don't remember why this solution wasn't
used at the time.
Forgive me if I'm getting the terms wrong (ie, LOGOFF signal, vuser
struct), it's been over two years since I've dealt with the samba source
on a daily basis!
>>I really don't think auditing should be an add-on VFS module. Bugs in
>>other VFS modules (assuming they will eventually be nested) might keep
>>it from working. I'm of the opinion that it should be integrated.
>>
>I don't find this a convincing argument. If your module is first in the
>stack (which is where an audit module should be) then no other module
>should be able to affect it.
>
...
>Auditing is an interesting area - and I don't object to the idea of
>including this functionality in Samba - but I think it is best to use
>the VFS interface. (This should not preclude inclusion in the tree
>however - but I'm not exactly sure how it would work).
>
True. But the example VFS code, audit.c, doesn't audit logons and
logoffs, or reasons for failed logons, nor can it, nor could it handle
other events that don't fit within the file-access scheme (I can't think
of any others right now -- maybe using NT User Manager to change account
settings, etc). I suspose more function pointers could be added to the
tail of struct vfs_ops -- this would also require changes to the rest of
the source to use the VFS interface/modules at those points. But the
more things like that that are added, the percentage of FS in VFS goes
down, lest we just allow random function overloading at run time from
the environment (precident: smbsh), or change the name from VFS, or keep
it (precident: restrict anonymous being misnamed). :)
Andy Bakun
abakun at thwartedefforts.org
More information about the samba-technical
mailing list