Plans for pdb_ads and auth_netlogond?

simo idra at samba.org
Wed Jun 20 11:00:32 MDT 2012


On Tue, 2012-06-19 at 23:08 +1000, Andrew Bartlett wrote: 
> On Sun, 2012-06-17 at 01:52 +0200, Michael Adam wrote:
> > simo wrote:
> > > On Sat, 2012-06-16 at 07:33 +0200, Volker Lendecke wrote: 
> > > > On Sat, Jun 16, 2012 at 02:56:43PM +1000, Andrew Bartlett wrote:
> > > > > On Mon, 2012-06-11 at 12:08 +0200, Volker Lendecke wrote:
> > > > > > Hi!
> > > > > > 
> > > > > > I don't think that I can give input that is deemed worth any
> > > > > > consideration on this matter.
> > > > > 
> > > > > Sorry,
> > > > > 
> > > > > I'm not really sure what you mean by that.
> > > > > 
> > > > > Are you OK with the patch, or do you have plans to develop these into
> > > > > something that we use?
> > > > 
> > > > They are still my preferred way to let smbd3 access the
> > > > directory. You have decided that linking instead of ipc is
> > > > the better way to integrate components. Your approach has
> > > > more support in the community than mine,
> > > 
> > > I am not sure that is true. I made it clear earlier that I think the
> > > linking approach is wrong, and I do prefer the forking and executing of
> > > smbd.
> 
> Simo,
> 
> I'm rather confused:  Is this comment related to my patches, or just a general
> concern following up the comments you made last week?  We currently fork() and 
> exec() smbd, and after your clear feedback on the question, there are no current
> proposals to change that.  

That was a general comment, but forking and executing also naturally
means in the long term we should have separate daemons handling the
separate aspects of samba.

I am *really* uncomfortable about the fact we link everything everywhere
because it makes it impossible to do proper security enforcement by
confining the single daemon.

For example it should be possible to confine the file server so it
doesn't have full access to the password database. Failure to do so
means a bug in the file server will compromise your entire domain
easily. That is not really a good idea. We need to stop letting every
single last remote part of samba require direct access to all that
information.
That's why I think Volker's approach is superior.

I am sorry I have no more time to discuss this atm, I will come back to
it later when I have more time.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
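
An added example, not part of the original message and not Samba code: a minimal sketch of the confinement argued for above, where the file-server side gets only an accept/reject verdict over IPC and never handles the password store. All names (`auth_req`, `helper_verdict`, `check_via_helper`) and the sample credentials are hypothetical and constructed for illustration.

```c
/* Added illustration (hypothetical names, not Samba code): the file-server
 * side asks a separate auth helper process for a verdict over a socketpair
 * and never touches the credential store itself. */
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

struct auth_req { char user[32]; char pass[32]; };

/* Runs only in the helper. Constructed sample store; a real helper would
 * read it from a database that only the helper's own uid can open. */
static char helper_verdict(struct auth_req *r) {
    static const struct { const char *user, *pass; } db[] = {
        { "alice", "correct-horse" }, { "bob", "battery-staple" } };
    r->user[sizeof r->user - 1] = r->pass[sizeof r->pass - 1] = '\0';
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (!strcmp(r->user, db[i].user) && !strcmp(r->pass, db[i].pass))
            return 1;
    return 0;
}

/* File-server side: returns 1 = accepted, 0 = rejected, -1 = IPC failure.
 * One helper per request keeps the demo short; a real one is long-lived. */
int check_via_helper(const char *user, const char *pass) {
    int sv[2];
    struct auth_req req;
    char verdict = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) {                       /* auth helper */
        close(sv[0]);
        if (read(sv[1], &req, sizeof req) != (ssize_t)sizeof req) _exit(2);
        verdict = helper_verdict(&req);
        _exit(write(sv[1], &verdict, 1) == 1 ? 0 : 2);
    }
    close(sv[1]);                         /* file server keeps only its end */
    memset(&req, 0, sizeof req);
    strncpy(req.user, user, sizeof req.user - 1);
    strncpy(req.pass, pass, sizeof req.pass - 1);
    int ok = write(sv[0], &req, sizeof req) == (ssize_t)sizeof req &&
             read(sv[0], &verdict, 1) == 1;
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return ok ? verdict : -1;  /* fail closed: no verdict is never "accepted" */
}

int main(void) { return check_via_helper("alice", "correct-horse") == 1 ? 0 : 1; }
```

The isolation is only real when the helper runs as a separate executable or uid, so that the store is not readable from the file server's address space or filesystem view.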
