refactoring of the auth code

Andrew Bartlett abartlet at samba.org
Thu Jan 12 22:20:25 GMT 2006 

On Thu, 2006-01-12 at 20:32 +0100, Volker Lendecke wrote:
> Hi!
> 
> Right now I'm trying to solve the problem that Samba3 does not properly honour
> domain and builtin aliases. The core is that check_ntlm_password does too much:
> It first checks the passwords and also creates the NT token to use. I think
> this is just two tasks that have to be split. 
> 
> Essentially we call check_ntlm_password in 3 places:
> 
> * Session setup. This is for local access.
> 
> * auth_ntlmssp. This is also session setup as well as pipe bind. Also for local
>   access.
> 
> * srv_netlog_nt.c: This is the problematic one. The two above would have to
>   expand SAM and BUILTIN aliases for the local access, but with this one we
>   can't. Maybe we should expand SAM aliases, these would be domain local
>   groups, but probably this is more a Samba4 thing. But we can *never* expand
>   BUILTIN aliases here.

Correct

> So what I would like to do is to change check_ntlm_password to return not the
> fully expanded token that also contains the unix id's but just a list of SIDs.
> This can very nicely be used then for srv_netlog_nt.c, to create the info3
> struct in the samlogon call.
> 
> sesssetup.c and auth_ntlmssp.c would after having called check_ntlm_password
> call a separate routine that creates the serversupplied_info struct.

I would still go via the serversupplied info structure, but add the
aliases later.

> Essentially, check_ntlm_password should *just* return the info3 struct. This in
> Samba3 is a really ugly structure with UNISTR stuff, but it might be the best
> way to do it. Even in the SAM case we eventually have to create it in the
> srv_netlog_nt case anyway, so why not one step earlier?

I don't think we should create the wire structure that early, but I
agree with your conclusions regarding splitting up of the group
fetching.

I think that the check_ntlm_password call should return the groups as
required for the server_info structure, and that the
password.c:register_vuid() code should transform, rather than copy, the
groups from a domain group list to a full domain and aliases list.  (The
registered vuid is pretty much the same as the session_info in Samba4).

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20060113/627e513e/attachment.bin

More information about the samba-technical mailing list