Where to expand BUILTIN or auth_check_password broken...

Andrew Bartlett abartlet at samba.org
Tue Jan 10 21:53:36 GMT 2006


On Tue, 2006-01-10 at 15:39 +0100, Volker Lendecke wrote:
> Hi!
> 
> The subject almost says it all. For local logins to a Samba server we need to
> expand BUILTIN alias membership, for SamLogon and PAC generation we don't. Both
> use the same routine right now. I'm always hesitating a bit to pass binary
> flags down. In particular in Samba 4 this would be at least two flags, one for
> domain local groups and one for builtins. We would not do domlocal groups in
> Samba3, but there we still have that issue. What would be the best solution
> here? Split the token generation from password checking? That's not good
> either.

So, I feel we should do the expansion in two steps.  In Samba4 terms the
auth_sam step should expand global things only.  Then, a later part of
the auth subsystem (auth_generate_session_info()) should convert it from
the global list to the local list. 

You will note that auth_generate_session_info() already adds sids like
'authenticated', and I think it should add local aliases here too.  This
is because the same routine will be called with an *incoming* PAC, which
will of course need the same expansion.

The PAC generation is the result of the 'server_info' only (we need
better names...), and so would correctly not include these BUILTIN
things.

Additionally, as you point out on IRC, the auth_sam code should respect
the level (2 or 6) parameter, and include domain aliases as required.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
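
The two-step split proposed in this message, sketched as an added example that is not part of the original post and is not Samba code. The types, function names and alias table are hypothetical stand-ins and the domain SID is constructed; only the well-known SIDs (S-1-5-11, S-1-5-32-544, S-1-5-32-545) are real values.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not Samba's real structures. */
#define MAX_SIDS 16
struct sid_list { const char *sids[MAX_SIDS]; int n; };

int has_sid(const struct sid_list *l, const char *sid) {
    for (int i = 0; i < l->n; i++)
        if (strcmp(l->sids[i], sid) == 0) return 1;
    return 0;
}

static void add_sid(struct sid_list *l, const char *sid) {
    if (!has_sid(l, sid) && l->n < MAX_SIDS) l->sids[l->n++] = sid;
}

/* Constructed local alias table: BUILTIN alias and one member SID. */
static const struct { const char *alias, *member; } local_aliases[] = {
    { "S-1-5-32-544", "S-1-5-21-1-2-3-512" }, /* Administrators <- Domain Admins */
    { "S-1-5-32-545", "S-1-5-21-1-2-3-513" }, /* Users <- Domain Users */
};

/* Step 1 (the auth_sam role): user SID and global groups only. */
struct sid_list make_server_info(int is_domain_admin) {
    struct sid_list s = { {0}, 0 };
    add_sid(&s, "S-1-5-21-1-2-3-1105");               /* the user */
    add_sid(&s, "S-1-5-21-1-2-3-513");                /* Domain Users */
    if (is_domain_admin) add_sid(&s, "S-1-5-21-1-2-3-512");
    return s;
}

/* Step 2 (the auth_generate_session_info role): local expansion, the same
 * whether the global list came from a password check or an incoming PAC. */
struct sid_list make_session_info(const struct sid_list *global) {
    struct sid_list t = *global;
    add_sid(&t, "S-1-5-11");                          /* Authenticated Users */
    for (size_t a = 0; a < sizeof local_aliases / sizeof local_aliases[0]; a++)
        if (has_sid(global, local_aliases[a].member))
            add_sid(&t, local_aliases[a].alias);
    return t;
}

/* PAC / SamLogon output is built from step 1 only, so no local SIDs leak. */
struct sid_list make_pac_sids(const struct sid_list *si) { return *si; }

int main(void) {
    struct sid_list si = make_server_info(0), tok = make_session_info(&si);
    printf("PAC: %d SIDs, local token: %d SIDs\n", make_pac_sids(&si).n, tok.n);
    return 0;
}
```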