auditing patch for samba

Andrew Bartlett abartlet at
Thu Feb 21 21:26:01 GMT 2002

ThwartedEfforts wrote:
> On topic:
> Well, if I have the time to mess with the samba code again (or have a
> need for auditing again) I'll research adding auditing with some kind of
> VFS-like hooks.  As far as I'm concerned, the VFS sample audit.c doesn't
> provide anything other than proof-of-concept auditing, nothing I'd use
> in a production environment (might as well read the debug logs for
> auditing information).  

I think it was a quick hack to keep people quiet.  

> Can you give me a starting place in the code to
> learn about the new auth subsystem you've added (like I said, I've been
> away from the code for a while).

Most of the code paths start with a make_auth_context_subsystem().

This creates a structure, including pointers to the various auth
methods.  (At this stage we are talking about NTLM/plaintext
authentication only).  There is a check_ntlm_password method, which is
just a pointer to check_ntlm_password in auth.c.  This does the actual
password checking.  With a little bit of work, you could use the
NTSTATUS value found at the bottom of this function in an audit
capacity.  (The little bit of work is becouse currently modules can
'fail' if they are unable to auth the user, but this isn't the real
reason for the failure.).

See rpc_server/srv_netlog_nt.c, smbd/sessetup.c smbd/negprot.c
smbd/password.c and auth/auth_util.c for code that calls these

> and off topic:
> Andrew Bartlett wrote:
> >>All this is academic though if you've already removed it and your new
> >>auth scheme is in there and %U and %G still work all the time.
> >>
> >They probably don't - but I won't allow another patch like that one into
> >the tree if I can help it.  Its just too ugly.
> >
> >>I
> >>suspose another solution to the macro expansion issue would be to
> >>iterate over the vuser (?) array's elements and try expanding all macros
> >>for each vuser connected.  I don't remember why this solution wasn't
> >>used at the time.
> >>
> >I think I understand what it was for - and I still think its an ugly
> >hack.
> >
> Oh, I fully agree, but it was the only way I could get the functionality
> I wanted (and the documented functionality at that -- the documentation
> actually said (at least at the time) to use %U and %G to do nifty things
> with allowing shares to appear based on username and group).  It did
> have too many trade offs though what with the machine account auth
> issues if it was turned on.  I suspect that perhaps Luke suggested that
> name because he didn't fully understand how it was different than the
> registry entry of the same name -- I'll leave that as an exercise for
> the reader though.


> If %U and %G expansions can not be reliable, can that at least be
> documented?  The %U and %G macro expansions are useless unless you can
> predict their values through the entire logon session of a user, and you
> can't if NT is going to be browsing anonymously and samba rereads it's
> config files at every new (even virtual/multiplexed) connection.

Now I see the problem!

Becouse the config file is global, if things like %U and %G are used in
'include = ' and the like you can get some really weird suff between
users.  Slow solution:  reload_services() on every change in vuid.  Fast
solution: ????

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list