refactoring of the auth code
Volker Lendecke
Volker.Lendecke at SerNet.DE
Thu Jan 12 19:32:21 GMT 2006
Hi!
Right now I'm trying to solve the problem that Samba3 does not properly honour
domain and builtin aliases. The core is that check_ntlm_password does too much:
It first checks the passwords and also creates the NT token to use. I think
this is just two tasks that have to be split.
Essentially we call check_ntlm_password in 3 places:
* Session setup. This is for local access.
* auth_ntlmssp. This is also session setup as well as pipe bind. Also for local
access.
* srv_netlog_nt.c: This is the problematic one. The two above would have to
expand SAM and BUILTIN aliases for the local access, but with this one we
can't. Maybe we should expand SAM aliases, these would be domain local
groups, but probably this is more a Samba4 thing. But we can *never* expand
BUILTIN aliases here.
So what I would like to do is to change check_ntlm_password to return not the
fully expanded token that also contains the unix id's but just a list of SIDs.
This can very nicely be used then for srv_netlog_nt.c, to create the info3
struct in the samlogon call.
sesssetup.c and auth_ntlmssp.c would after having called check_ntlm_password
call a separate routine that creates the serversupplied_info struct.
Essentially, check_ntlm_password should *just* return the info3 struct. This in
Samba3 is a really ugly structure with UNISTR stuff, but it might be the best
way to do it. Even in the SAM case we eventually have to create it in the
srv_netlog_nt case anyway, so why not one step earlier?
Rubbish? Or does that sound reasonable?
It might also be interesting for Samba4.
Volker
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20060112/27d75912/attachment.bin
More information about the samba-technical
mailing list