Where to expand BUILTIN or auth_check_password broken...
abartlet at samba.org
Tue Jan 10 21:53:36 GMT 2006
On Tue, 2006-01-10 at 15:39 +0100, Volker Lendecke wrote:
> The subject almost says it all. For local logins to a Samba server we need to
> expand BUILTIN alias membership, for SamLogon and PAC generation we don't. Both
> use the same routine right now. I'm always hesitating a bit to pass binary
> flags down. In particular in Samba 4 this would be at least two flags, one for
> domain local groups and one for builtins. We would not do domlocal groups in
> Samba3, but there we still have that issue. What would be the best solution
> here? Split the token generation from password checking? That's not good

So, I feel we should do the expansion in two steps. In Samba4 terms the
auth_sam step should expand global things only. Then, a later part of
the auth subsystem (auth_generate_session_info()) should convert it from
the global list to the local list.

You will note that auth_generate_session_info() already adds sids like
'authenticated', and I think it should add local aliases here too. This
is because the same routine will be called with an *incoming* PAC, which
will of course need the same expansion.

The PAC generation is the result of the 'server_info' only (we need
better names...), and so would correctly not include these BUILTIN

Additionally, as you point out on IRC, the auth_sam code should respect
the level (2 or 6) parameter, and include domain aliases as required.

Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
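
The two-step split proposed in this message, as an added illustration that is not part of the original post and is not Samba code: step 1 yields only global SIDs (the list a PAC would be built from), and step 2 adds 'authenticated' and local BUILTIN aliases, whether its input came from a fresh login or an incoming PAC. The types, the function names make_server_info() and make_session_info(), the domain SID and the alias table are all assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified types: not Samba's real structures. */
#define MAX_SIDS 16
struct sid_list { const char *sids[MAX_SIDS]; int n; };

int has_sid(const struct sid_list *l, const char *sid) {
    for (int i = 0; i < l->n; i++)
        if (strcmp(l->sids[i], sid) == 0) return 1;
    return 0;
}

static void add_sid(struct sid_list *l, const char *sid) {
    if (!has_sid(l, sid) && l->n < MAX_SIDS) l->sids[l->n++] = sid;
}

/* Constructed local alias table: member SID -> BUILTIN alias SID. */
static const struct { const char *member, *alias; } local_aliases[] = {
    { "S-1-5-21-1-2-3-512", "S-1-5-32-544" }, /* Domain Admins -> Administrators */
    { "S-1-5-21-1-2-3-513", "S-1-5-32-545" }, /* Domain Users  -> Users */
};

/* Step 1 (the auth_sam role): global SIDs only; this list feeds the PAC. */
struct sid_list make_server_info(int is_admin) {
    struct sid_list s = { {0}, 0 };
    add_sid(&s, "S-1-5-21-1-2-3-1000");            /* the user (constructed) */
    add_sid(&s, "S-1-5-21-1-2-3-513");
    if (is_admin) add_sid(&s, "S-1-5-21-1-2-3-512");
    return s;
}

/* Step 2 (the auth_generate_session_info() role): global list -> local list.
 * Runs identically on a freshly authenticated user or an incoming PAC. */
struct sid_list make_session_info(const struct sid_list *server_info) {
    struct sid_list t = *server_info;
    add_sid(&t, "S-1-5-11");                       /* Authenticated Users */
    for (int i = 0; i < server_info->n; i++)
        for (size_t j = 0; j < sizeof local_aliases / sizeof local_aliases[0]; j++)
            if (strcmp(server_info->sids[i], local_aliases[j].member) == 0)
                add_sid(&t, local_aliases[j].alias);
    return t;
}

int main(void) {
    struct sid_list pac = make_server_info(1), tok = make_session_info(&pac);
    printf("PAC SIDs: %d, local token SIDs: %d\n", pac.n, tok.n);
    return 0;
}
```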