"storing" username/sid/group id after authentication

mogambo mogambo13 at gmail.com
Thu Mar 11 18:16:53 MST 2010


The metadata server needs the SID and the list of groups it belongs to for
enforcing the access list, which is set based on the SIDs.  For access from
regular clients running our filesystem driver, the password is passed to the
metadata server, which uses ntlm_auth to authenticate with the ADS.  We have
patched ntlm_auth to extract SID and group information upon successful
authentication.  When the gateway server is configured in ADS security mode,
I need to extract the same information.  Is the uid/gid <-> SID mapping
easily available from the idmap system?  Also, given the SID, is there a way
to get the list of groups the SID belongs to?

Also, where can I find more documentation on ntlm_auth, other than the
manpage?  I am a little confused about the different protocol helpers,
specifically the ntlmssp-client-1.

Thanks,
-s.

On Tue, Mar 9, 2010 at 10:59 AM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:

> On Tue, Mar 09, 2010 at 10:23:19AM -0800, mogambo wrote:
> > Ideally, I would like to delegate the authentication to the remote
> > metadata server.  It already talks to the ADS via ntlm_auth in
> > ntlm-server-1 mode and passes in the username/password when accessing
> > from a regular client.  As a side question, if I can get the encrypted
> > password to the metadata server, is there a way to use ntlm_auth to
> > play challenge/response game for authentication?  It seemed possible
> > from a few posts on the list, but I was unable to find documentation
> > other than the manpage.
>
> Sorry, but the CIFS authentication protocols don't allow
> this kind of operation. At no step of the authentication
> does a file server acting as an AD member have access to
> the encrypted password. Members pass the whole exchange on
> to the DC via encrypted NETLOGON calls and let the DC take
> care of it.
>
> > If the above is not possible, I am wondering if I can use mode = ADS/server
> > on the gateway server and add the user id or security token of the validated
> > user to the default mount point, which is the same across all users.  The
> > interface between the filesystem driver and the metadata server is still
> > being worked upon.  I want to identify the information and how to extract it
> > from the Samba server.
>
> That's essentially what the numeric Unix uid and gid(s) are
> for. You might also be aware that a single smbd will have to
> take care of potentially many users, switching between those
> uids. So this is not really a one-time thing to switch to
> some user, we might have to change this on a per-request
> basis.
>
> What do you need beyond the Unix uid/gid? Given the right
> nss modules these should be mappable 1:1 to names if that
> suits you better. You might want to look at the file
> source3/lib/util_sec.c for the routines we use to change
> those ID's, you might want to plug in there. But be aware
> that we assume these operations are pretty fast.
>
> Volker
>
> >
> > I do not have any prior experience with Samba, so I may not be asking the
> > right questions, or giving enough information. Thank you very much for your
> > help.
> >
> > -s.
> >
> > On Tue, Mar 9, 2010 at 3:13 AM, Volker Lendecke
> > <Volker.Lendecke at sernet.de> wrote:
> >
> > > On Mon, Mar 08, 2010 at 07:09:38PM -0800, mogambo wrote:
> > > > I need to make an ioctl call into my vfs plugin to store the successfully
> > > > authenticated username and other info into an internal data structure on the
> > > > mount point.  This is in order to be able to manage access permissions, etc.
> > > > What would be an ideal place in Samba to make this call?  Ideally, I would
> > > > like a place that is independent of authentication mode.
> > >
> > > Can you describe in a bit more detail what you are trying to
> > > achieve? A bit more about the "big picture"?
> > >
> > > Thanks,
> > >
> > > Volker
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v1.4.9 (GNU/Linux)
> > >
> > > iEYEARECAAYFAkuWLWAACgkQbZMKAi3WUkllNgCfSOUWGeqQ9JalULGxUtrPiGi6
> > > sNMAnRsEweA+T3wAMgNyV5kAz3MvugPY
> > > =i31B
> > > -----END PGP SIGNATURE-----
> > >
> > >
>
> --
> SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
> phone: +49-551-370000-0, fax: +49-551-370000-9
> AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
>
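An added example, not code from this thread or from Samba itself, showing the lookups the question above asks about on an AD member running winbindd: the idmap-assigned uid is mapped back to its SID with `wbinfo --uid-to-sid`, the SIDs in that user's token (user plus groups) are listed with `wbinfo --user-sids`, and the result is checked against a SID-keyed access list of the kind the metadata server enforces. The two wbinfo options are real winbind client options; the access-list format, the deny-wins rule and every helper name are my own assumptions, and the sample wbinfo output is constructed, not captured from a real domain.

```python
"""
Added example: uid -> SID -> token SIDs -> SID-based access check on a
Samba/winbind AD member.  Not from the mailing-list thread or from Samba.
Assumptions: 'wbinfo' is on PATH and winbindd is running; the ACL shape
(allow/deny sets of SID strings, deny wins) is invented for illustration.
"""
import re
import subprocess
from typing import Iterable, List, Set

# Accepts the textual SID form winbind prints: S-1-<authority>-<subauth>...
_SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


def is_sid(text: str) -> bool:
    """True if text is a syntactically valid textual SID."""
    return _SID_RE.fullmatch(text) is not None


def run_wbinfo(*args: str) -> str:
    """Run wbinfo with the given options and return stripped stdout.
    wbinfo exits non-zero when a lookup fails, which raises here."""
    proc = subprocess.run(["wbinfo", *args], capture_output=True,
                          text=True, check=True)
    return proc.stdout.strip()


def parse_sid_list(text: str) -> List[str]:
    """Parse one-SID-per-line output (as 'wbinfo --user-sids' prints it),
    skipping blank lines and rejecting anything that is not a SID."""
    sids = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not is_sid(line):
            raise ValueError(f"unexpected wbinfo output line: {line!r}")
        sids.append(line)
    return sids


def uid_to_sid(uid: int) -> str:
    """Map a Unix uid to its SID via the idmap backend winbindd uses.
    Only deterministic backends (idmap_rid, idmap_ad) give the same
    answer on every member; idmap_tdb allocations are local to a host."""
    sid = run_wbinfo(f"--uid-to-sid={uid}")
    if not is_sid(sid):
        raise ValueError(f"wbinfo did not return a SID for uid {uid}: {sid!r}")
    return sid


def token_sids(user_sid: str) -> List[str]:
    """Return the user's SID and every group SID in its token, as the DC
    computes it (nested and domain-local groups included)."""
    return parse_sid_list(run_wbinfo(f"--user-sids={user_sid}"))


def check_access(token: Iterable[str], allow: Set[str], deny: Set[str]) -> bool:
    """Invented policy: access is granted if any token SID is in 'allow'
    and no token SID is in 'deny' (deny wins regardless of ordering)."""
    present = set(token)
    if present & deny:
        return False
    return bool(present & allow)


# Constructed sample of 'wbinfo --user-sids' output: user RID 1104,
# Domain Users (RID 513) and a custom group (RID 1120).  Not real data.
DOMAIN = "S-1-5-21-1234567890-123456789-1234567890"
SAMPLE_USER_SIDS = f"{DOMAIN}-1104\n{DOMAIN}-513\n{DOMAIN}-1120\n"


if __name__ == "__main__":
    # Live run against winbindd for uid 10000 (assumed to exist).
    sid = uid_to_sid(10000)
    token = token_sids(sid)
    print("token:", token)
    print("allowed:", check_access(token, allow={f"{DOMAIN}-1120"}, deny=set()))
```

Because wbinfo asks the same winbindd that smbd uses for its own idmap and token lookups, the SIDs it returns are the ones smbd would carry for that uid on that member; on a member using a non-deterministic idmap backend the uid itself may differ between hosts, so a gateway that compares against a central SID list should store SIDs, not uids.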

