Opportunities for Samba4 based CIFS proxies

Love lha at kth.se
Wed Nov 2 17:41:08 GMT 2005


Andrew Bartlett <abartlet at samba.org> writes:

> With the work I now have in the Samba4 tree, we can now operate as a
> CIFS proxy, potentially modifying the data stream in the process.  We do
> so with the administrator's permission (based on Kerberos delegation),
> but it does open up an interesting area of research for somebody wanting
> to construct:
>
>  - CIFS virus scanner
>  - CIFS accelerator
>  - CIFS aggregation server

And even better, the store-afs-keyfile-in-ldb hack can go away,
assuming Heimdal and libkafs (or libkrbafs), and be replaced with:

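/* Needs <krb5.h> and <kafs.h> (Heimdal libkafs); context is a krb5_context,
 * delegated_credential the krb5_ccache holding the delegated ticket. */
if (delegated_credential && k_hasafs()) {
   char cell[64];
   /* Find the AFS cell that holds the user's home directory. */
   if (k_afs_cell_of_file(homedir, cell, sizeof(cell)) == 0 &&
       krb5_init_context(&context) == 0) {
      /* Get an AFS token for that cell from the delegated credential. */
      krb5_afslog(context, delegated_credential, cell, NULL);
      krb5_free_context(context);
   }
}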

The good thing about doing it this way is that you don't give
away your whole afs-site when your samba problems have security
problems, just the users that logged in to the samba gateway.

Nice work,
Love
