"storing" username/sid/group id after authentication

Volker Lendecke Volker.Lendecke at SerNet.DE
Sun Mar 14 06:17:39 MDT 2010


On Thu, Mar 11, 2010 at 05:16:53PM -0800, mogambo wrote:
> The metadata server needs the sid and the list of groups it belongs to for
> enforcing access list, which is set based on the sids.  For access from
> regular clients running our filesystem driver, the password is passed to the
> metadata server, which uses ntlm_auth to authenticate with the ADS.  We have
> patched ntlm_auth to extract sid and groups information upon successful
> authentication.  When the gateway server is configured in ADS security mode,
> I need to extract the same information.  Is the uid/gid <-> sid mapping
> easily available from the idmap system?  Also, given the sid, is there a way
> to get the list of groups the sid belongs to?

When the authentication in smbd happens, for other purposes
I have already designed the "log nt token command" that
passes all the SIDs of a user to an external command. You
might want to either use this or hook into the same place
where this is called.

But still, be aware that this is only at login time; it will
still happen that within the same process we have to serve
different sets of login credentials per command.

> Also, where can I find more documentation on ntlm_auth, other than the
> manpage?  I am a little confused about the different protocol helpers,
> specifically the ntlmssp-client-1.

Sorry, don't really know about that.

Volker
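The hook Volker describes above, as an added example that is not part of this thread or of Samba itself: a hypothetical POSIX shell script wired in as the "log nt token command", recording each user SID together with its group SIDs so a metadata server could look the group list up later. It assumes smbd substitutes %s with the user SID and %t with the space-separated group SIDs (an assumption about the parameter's substitutions), and the cache path is made up.

```shell
#!/bin/sh
# Hypothetical hook for smb.conf (assumed substitutions %s / %t):
#   log nt token command = /usr/local/sbin/record-token.sh %s %t
# Writes one record per login: <user SID> TAB <group SIDs...>.
# As noted in the thread, the token is only seen at login time, so a
# record can be stale for later per-command credentials; treat it as
# a cache, not as the authority for access decisions.

CACHE="${TOKEN_CACHE:-/var/cache/nt-token/tokens.tsv}"   # constructed path

# valid_sid SID: accept only the S-1-<auth>-<subauth>... shape so a
# malformed argument cannot inject arbitrary text into the cache.
valid_sid() {
    case "$1" in
        S-1-[0-9]*) ;;
        *) return 1 ;;
    esac
    rest=${1#S-}
    case "$rest" in
        *[!0-9-]*) return 1 ;;   # anything but digits and dashes
    esac
    return 0
}

# record_token USER_SID GROUP_SID...: append a record; 1 on bad input.
record_token() {
    user="$1"; shift
    valid_sid "$user" || return 1
    groups=""
    for g in "$@"; do
        valid_sid "$g" || return 1
        groups="$groups $g"
    done
    mkdir -p "$(dirname "$CACHE")"
    printf '%s\t%s\n' "$user" "${groups# }" >> "$CACHE"
}

# groups_of USER_SID: print the most recently recorded group list for
# that user SID; exit status 1 if the SID has never been seen.
groups_of() {
    awk -F'\t' -v sid="$1" \
        '$1 == sid { last = $2 } END { if (last == "") exit 1; print last }' \
        "$CACHE"
}

# When invoked by smbd (arguments present), record the token and exit.
if [ "$#" -gt 0 ]; then
    record_token "$@"
fi
```

Every other line of the cache belongs to one login; the metadata server needs only the latest record per user SID, which is what groups_of returns.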