PATCH rpc server

Andrew Bartlett abartlet at pcug.org.au
Sat Jan 26 16:25:02 GMT 2002


Nigel Williams wrote:
> 
> Andrew,
> 
> I wasn't aware of any issues.  Tim would prefer not to see the silly_ptr
> members in the future but changing that now would require a wholesale
> rewrite of the share management client/server code.  IMHO the ptr members
> reflect the structure seen on the wire and effectively document the NDR.
> Wouldn't removing these members force the use of pointers to most top level
> members in Q/R structures?  I'm thinking of the unmarshalling of the enum
> structure.  The ptrs for all enumerated shares come first followed by the
> data (strings etc) for all enumerated shares.  The value of the unmarshalled
> ptr indicates whether data should be unmarshalled later. That information
> has to be stored somewhere so we either have a pointer to say the
> UNISTR2 structure at the top level and allocate the structure if required or
> some flag (ptr variable).

Ok, I'll probably look to get it in as-is - unless tpot or someone wants
to comment further.  But I'll have to see what happens when I test it...

> If you are all busy.  Maybe I can help with something?

Well, for the record (and my own memory) this is the current todo list:

 - Add RAW NTLMSSP support to samba

   Currently Samba only implements NTLMSSP within an SPNEGO blob.  When
we don't specify a kerberos principal name we get it back outside that
blob.  Currently we hack to always send a principal name, but I think
this might be the cause of the Win2k domain join bug (which requires use
spnego = false).

 - Look at mangling more. 

   There remain a number of issues with name mangling - I couldn't get
an MS Office installation (with some weird pathname components) to
complete.  It looked like we were mangling the file mask.  This whole
area needs a good beating.

 - Support non-ascii chars in usernames. 

   Currently our paranoia prevents non-ascii usernames from being used
(due to % macro issues).  Look into allowing these usernames along 'safe
paths' in the auth subsystem to allow their mapping to saner unix names
(as raised by Micheal Lightfoot) and to allow it to pass unaltered to
the auth backend (like the DC or smbpasswd).  If they approve it, then
return the name in the 'server_info' for later use.

 - User input DEBUG() paranoia.  Currently we DEBUG() various unchecked
user input.  This includes the share the user specified.  This has been
used in a local samba root exploit (the %m bug), and we probably should
'dump_data' rather than 'DEBUG()' some of these variables.  

 - authorise_login().  The rather ugly function (and the whole
make_connection()) area needs a good cleanup.  In particular we need to
get a nice straight code-path for the user level case, and come up with
a sane way to deal with the ugly hack we know as 'share level
security'.  In particular we need proper NTSTATUS error returns here.

 - Get_Pwnam/getpwuid elimination:  We are moving Samba away from static
getpw* returns.  I've eliminated all getpwnam() calls in favor of
getpwnam_alloc(), but the getpwuid and the case-insensitive Get_Pwnam()
version need work.  This is a pretty simple job, but takes a bit of time
and testing.

 - Build farm testing/test failures:  Write some more build farm tests,
and chase down why the heck we are failing the two password change
tests.  This one has me a little stumped.

My current area I'm working in is non-unix-accounts and some changes to
HEAD's LDAP support (I'll post my current diff for comment shortly). 
This is for my Network admin job - we have students arriving in about a
week's time... :-)

Longer term todos:

 - Look at trusted domain support.  Much of the auth work is already
done, and I'm told that there isn't much more to be done - but it would
be nice for a Samba PDC to be trusting/trusted.

Any person at all interested in taking on any of these can either e-mail
me or catch me on #samba-technical (irc.openprojects.net).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
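
The pointers-first, data-later layout described in the quoted text, as an added example (not Samba's code and not part of the original message): a bounds-checked two-phase parser over a simplified, assumed wire layout of a little-endian count, one 4-byte pointer per entry, then a length-prefixed name for each non-zero pointer. The struct, function names, size caps and sample bytes are constructed for illustration; real NDR string encoding and alignment are not modelled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_SHARES 8    /* assumed caps for this example */
#define MAX_NAME   32

struct share_ent {
    uint32_t ptr_name;        /* wire value, used only as a flag: 0 = no data */
    char     name[MAX_NAME];  /* filled in phase 2 only when ptr_name != 0 */
};

/* Read a little-endian uint32 without reading past the end of the buffer. */
static int rd32(const uint8_t *b, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4) return -1;
    *out = (uint32_t)b[*off] | (uint32_t)b[*off + 1] << 8 |
           (uint32_t)b[*off + 2] << 16 | (uint32_t)b[*off + 3] << 24;
    *off += 4;
    return 0;
}

/* Returns the number of entries parsed, or -1 on malformed input. */
int parse_enum(const uint8_t *b, size_t len, struct share_ent *e)
{
    size_t off = 0;
    uint32_t count, n, i;

    if (rd32(b, len, &off, &count) || count > MAX_SHARES) return -1;
    /* Phase 1: every pointer comes first; store it, never dereference it. */
    for (i = 0; i < count; i++) {
        if (rd32(b, len, &off, &e[i].ptr_name)) return -1;
        e[i].name[0] = '\0';
    }
    /* Phase 2: deferred data, present only where the stored pointer is non-zero. */
    for (i = 0; i < count; i++) {
        if (e[i].ptr_name == 0) continue;
        if (rd32(b, len, &off, &n)) return -1;
        if (n >= MAX_NAME || n > len - off) return -1;  /* attacker-chosen length */
        memcpy(e[i].name, b + off, n);
        e[i].name[n] = '\0';
        off += n;
    }
    return off == len ? (int)count : -1;  /* reject trailing bytes */
}

/* Constructed sample: 3 entries, the middle one carries a NULL pointer. */
const uint8_t sample[] = { 3,0,0,0, 1,0,2,0, 0,0,0,0, 2,0,2,0,
    4,0,0,0, 'I','P','C','$', 3,0,0,0, 'p','u','b' };
```

The stored `ptr_name` plays the role of the "flag (ptr variable)" option in the quoted text: it records at phase 1 whether phase 2 has anything to read for that entry.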



