"storing" username/sid/group id after authentication

Volker Lendecke Volker.Lendecke at SerNet.DE
Tue Mar 9 11:59:38 MST 2010


On Tue, Mar 09, 2010 at 10:23:19AM -0800, mogambo wrote:
> Ideally, I would like to delegate the authentication to the remote
> metadata server.  It already talks to the ADS via ntlm_auth in
> ntlm-server-1 mode and passes in the username/password when accessing
> from a regular client.  As a side question, if I can get the encrypted
> password to the metadata server, is there a way to use ntlm_auth to
> play challenge/response game for authentication?  It seemed possible
> from a few posts on the list, but I was unable to find documentation
> other than the manpage.

Sorry, but the CIFS authentication protocols don't allow
this kind of operation. At no step of the authentication does
a file server acting as an AD member have access to the
encrypted password. Members pass on the whole exchange to
the DC via encrypted NETLOGON calls and let the DC take care
of it.

> If the above is not possible, I am wondering if I can use mode = ADS/server
> on the gateway server and add the user id or security token of the validated
> user to the default mount point which is same across all users.  The
> interface between the filesystem driver and the metadata server is still
> being worked upon.  I want to identify the information and how to extract it
> from Samba server.

That's essentially what the numeric Unix uid and gid(s) are
for. You might also be aware that a single smbd will have to
take care of potentially many users, switching between those
uids. So this is not really a one-time thing to switch to
some user, we might have to change this on a per-request
basis.

What do you need beyond the Unix uid/gid? Given the right
nss modules these should be mappable 1:1 to names if that
suits you better. You might want to look at the file
source3/lib/util_sec.c for the routines we use to change
those IDs; you might want to plug in there. But be aware
that we assume these operations are pretty fast.

Volker

> 
> I do not have any prior experience with Samba, so I may not be asking the
> right questions, or giving enough information. Thank you very much for your
> help.
> 
> -s.
> 
> On Tue, Mar 9, 2010 at 3:13 AM, Volker Lendecke
> <Volker.Lendecke at sernet.de>wrote:
> 
> > On Mon, Mar 08, 2010 at 07:09:38PM -0800, mogambo wrote:
> > > I need to make an ioctl call into my vfs plugin to store the successfully
> > > authenticated username and other info into an internal data structure on
> > the
> > > mount point.  This is in order to be able to manage access permissions,
> > etc.
> > >  What would be an ideal place in Samba to make this call?  Ideally, I
> > would
> > > like a place that is independent of authentication mode.
> >
> > Can you describe in a bit more detail what you are trying to
> > achieve? A bit more about the "big picture"?
> >
> > Thanks,
> >
> > Volker
> >

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen