New SMB2/3 features and SMB_VFS_* and connection_struct...

Stefan (metze) Metzmacher metze at
Tue May 29 06:23:07 MDT 2012

Hi Simo,

>> We should also impersonate more correctly, so that all operations
>> on a file handle run as the same user, including TCP disconnects.
>> To do this sanely we need to have a tevent_context wrapper,
>> which impersonates before calling any event handler.
>> See
>> Comments, please:-)
> I see how you become the desired user, but there is no way to go 'back'.
> This seems to imply you cannot mix tevent_impersonate with any other
> tevent call, as the process will change user and will not change it back
> once done.
> Where is the trick/technical detail I am missing?

Currently 'smbd' also changes the user only if needed.
It doesn't change back to root in every event loop.
There are explicit 'change_to_root()' calls if really needed.

That's why we'd have 3 types of tevent_context pointers:
1. the raw tevent_context that doesn't do any impersonation
2. a tevent_context that runs the handlers as root
3. a tevent_context that runs as the correct user
   Note that this also needs to call set_current_service()

And I think the SMB_VFS modules should only have access to 3.


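The three context types and the "change user only if needed" behaviour discussed in this message, modelled as an added C example. It is not Samba or tevent code: credentials are simulated with plain variables, and `ev_ctx`, `ev_dispatch`, `become` and `observed_uid` are hypothetical names.

```c
/* Toy model only: no real tevent or Samba calls, all names are hypothetical. */
enum ctx_kind { CTX_RAW, CTX_ROOT, CTX_USER };

struct ev_ctx {
    enum ctx_kind kind;
    unsigned uid;   /* identity handlers must run as (CTX_USER only) */
    int service;    /* share bound to that identity (CTX_USER only) */
};

static unsigned current_uid = 0;   /* simulated process credentials */
static int current_service = -1;   /* simulated set_current_service() state */
static int switch_count = 0;       /* number of actual identity changes */

/* Change identity only if needed; never change back afterwards. */
static void become(unsigned uid)
{
    if (current_uid != uid) {
        current_uid = uid;
        switch_count++;
    }
}

static void record_uid(void *private_data) { *(unsigned *)private_data = current_uid; }

/* The wrapper: establish the context's identity, then call the handler. */
static void ev_dispatch(const struct ev_ctx *ev, void (*fn)(void *), void *priv)
{
    if (ev->kind == CTX_ROOT) {
        become(0);
    } else if (ev->kind == CTX_USER) {
        become(ev->uid);
        current_service = ev->service;
    }   /* CTX_RAW: no impersonation, the handler runs as whatever is current */
    fn(priv);
}

/* Dispatch one event on ev and return the uid its handler observed. */
static unsigned observed_uid(const struct ev_ctx *ev)
{
    unsigned seen = 0;
    ev_dispatch(ev, record_uid, &seen);
    return seen;
}

int main(void)
{
    struct ev_ctx user = { CTX_USER, 1000, 1 }, raw = { CTX_RAW, 0, -1 };
    /* && evaluates left to right: the raw handler inherits uid 1000. */
    return (observed_uid(&user) == 1000 && observed_uid(&raw) == 1000) ? 0 : 1;
}
```

In this model a handler dispatched on the raw context sees whichever identity the previous wrapped handler left in place, while handlers on the root and user contexts always see their own.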