possible solution for "outsourcing" authentication from samba 4 to samba 3
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Sat Dec 11 14:00:51 GMT 2004
On Sat, Dec 11, 2004 at 01:49:40PM +0000, Luke Kenneth Casson Leighton wrote:
> a whole boat-load of code was therefore removed from smbd in samba tng -
> the entire authentication subsystem ripped out and replaced pretty much
> with a single function call.
> well, actually that's not _quite_ true - the authentication subsystem
> "slipped sideways" into samrd, to be replaced with a single function
> call.

i should point out of course that the pam session code remains
in smbd [but all the special-casing of security=user,
security=domain, security=server etc. just all disappeared.]

the only essential thing to do which would, of course, be taken care of
by an RPC runtime library automatically _if_ FreeDCE was used, is for
the msrpc netlogon client-side authentication function to return you
the SChannel "session key", which needs to be stored in the
vuid_struct, which is then later on passed over to the DCE/RPC services
via the named pipe channel, and in fact, in samba tng, the "session
key" is never actually touched by smbd at all!

it only ever gets bandied about, passed _from_ nt services /
dce/rpc-client-side code _to_ nt services / dce/rpc-client-side code.
which is, imo, the way it should [mostly] be.

... but that's another story for another time.

l.

p.s. exception to "mostly" - see ImpersonateNamedPipeClient and its RPC
equivalent which does, iirc, exist as an "official" dce/rpc function as well
as an MSRPC one. ImpersonateNamedPipeClient is "equivalent" to
become_user(). sort-of!