refactoring of the auth code
abartlet at samba.org
Thu Jan 12 22:20:25 GMT 2006
On Thu, 2006-01-12 at 20:32 +0100, Volker Lendecke wrote:
> Right now I'm trying to solve the problem that Samba3 does not properly honour
> domain and builtin aliases. The core is that check_ntlm_password does too much:
> It first checks the passwords and also creates the NT token to use. I think
> this is just two tasks that have to be split.
> Essentially we call check_ntlm_password in 3 places:
> * Session setup. This is for local access.
> * auth_ntlmssp. This is also session setup as well as pipe bind. Also for local
> * srv_netlog_nt.c: This is the problematic one. The two above would have to
> expand SAM and BUILTIN aliases for the local access, but with this one we
> can't. Maybe we should expand SAM aliases, these would be domain local
> groups, but probably this is more a Samba4 thing. But we can *never* expand
> BUILTIN aliases here.
> So what I would like to do is to change check_ntlm_password to return not the
> fully expanded token that also contains the unix id's but just a list of SIDs.
> This can very nicely be used then for srv_netlog_nt.c, to create the info3
> struct in the samlogon call.
> sesssetup.c and auth_ntlmssp.c would after having called check_ntlm_password
> call a separate routine that creates the serversupplied_info struct.
I would still go via the serversupplied info structure, but add the
> Essentially, check_ntlm_password should *just* return the info3 struct. This in
> Samba3 is a really ugly structure with UNISTR stuff, but it might be the best
> way to do it. Even in the SAM case we eventually have to create it in the
> srv_netlog_nt case anyway, so why not one step earlier?
I don't think we should create the wire structure that early, but I
agree with your conclusions regarding splitting up of the group
I think that the check_ntlm_password call should return the groups as
required for the server_info structure, and that the
password.c:register_vuid() code should transform, rather than copy, the
groups from a domain group list to a full domain and aliases list. (The
registered vuid is pretty much the same as the session_info in Samba4).
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
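An added C sketch of the split described in this thread (not Samba code; the SID strings, the one-entry alias table and the fixed credential check are constructed stand-ins): the password check returns only domain SIDs, the local session-setup path expands SAM/BUILTIN aliases afterwards, and the netlogon samlogon path refuses to carry BUILTIN aliases into the info3.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_SIDS 16

/* Constructed stand-ins for Samba's SID handling; none of this is Samba's
 * own code.  Domain SIDs share one prefix, BUILTIN aliases live under S-1-5-32. */
#define BUILTIN_PREFIX "S-1-5-32-"
#define USER_SID       "S-1-5-21-1-2-3-1001"  /* constructed user RID */
#define DOMAIN_USERS   "S-1-5-21-1-2-3-513"   /* constructed Domain Users */
#define BUILTIN_USERS  "S-1-5-32-545"         /* well-known BUILTIN\Users alias */

struct sid_list { const char *sid[MAX_SIDS]; int count; };

static void add_sid(struct sid_list *l, const char *sid) {
    if (l->count < MAX_SIDS) l->sid[l->count++] = sid;
}

bool list_contains(struct sid_list l, const char *sid) {
    for (int i = 0; i < l.count; i++)
        if (strcmp(l.sid[i], sid) == 0) return true;
    return false;
}

/* Step 1: the password check reduced to its single job.  It verifies the
 * credentials (simulated here with one fixed account) and returns only the
 * domain SIDs, never a unix-id-bearing token.  Empty list = auth failed. */
struct sid_list check_password_to_sids(const char *user, const char *pw) {
    struct sid_list out = {0};
    if (strcmp(user, "alice") == 0 && strcmp(pw, "secret") == 0) {
        add_sid(&out, USER_SID);
        add_sid(&out, DOMAIN_USERS);
    }
    return out;
}

/* Step 2a: local access (session setup, auth_ntlmssp).  The raw SID list is
 * transformed into a full token by expanding alias membership after the
 * password check, using a constructed one-entry alias table. */
struct sid_list local_token(const char *user, const char *pw) {
    struct sid_list t = check_password_to_sids(user, pw);
    if (list_contains(t, DOMAIN_USERS)) add_sid(&t, BUILTIN_USERS);
    return t;
}

/* Step 2b: netlogon samlogon.  The info3 may carry domain SIDs only; BUILTIN
 * aliases belong to the calling member server, so any that slipped into the
 * input token are dropped rather than shipped over the wire. */
struct sid_list info3_sids(struct sid_list token) {
    struct sid_list out = {0};
    for (int i = 0; i < token.count; i++)
        if (strncmp(token.sid[i], BUILTIN_PREFIX, strlen(BUILTIN_PREFIX)) != 0)
            add_sid(&out, token.sid[i]);
    return out;
}
```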