[PATCHES] authenticating users during short disconnects from AD

Volker Lendecke vl at samba.org
Wed Dec 28 10:27:36 UTC 2016


Hi, Uri!

Thanks for those patches! Going over them closely now. I would like to
skip Patches 1-4 for the moment because I'm in the process of
reworking the getpwnam code completely. I think I'll be able to
present something very soon. One of the main things is that the new
code completely skips the getgrsid call; this is just not needed.
Without that, I need to revisit the offline operation requirements.

Ok?

Volker

On Tue, Dec 27, 2016 at 09:26:30PM +0200, Uri Simchoni wrote:
> Hi,
> 
> The following patch set allows Samba, running as an AD member file
> server, to authenticate new users using Kerberos without contacting AD.
> This helps operating in sites with frequent short disconnects from AD,
> e.g. if someone moves between rooms, the connection needs to be
> re-established, and the client has a cached ticket to the server.
> 
> With Windows servers, it is possible for a file server to authenticate
> using Kerberos and serve files without an AD connection - because all
> the required info is in the PAC.
> 
> With Samba, there's the added step of converting the NT access token to
> a POSIX process token - to a list of POSIX id's associated with the
> session. This may or may not be possible without a connection to AD,
> depending on the idmap backends involved.
> 
> The patch set enables offline operation using passdb and rid backends.
> Other backends currently need to know the sid type, at least in the
> cases where they allocate a new mapping.
> 
> Patches 1-4 - an assortment of barriers towards offline operation that
> were removed - each one is independent
> 
> Patches 5-19 - while translating sid->unix ID, skip the sid lookup if
> the idmap backend allows this. This includes adding a mechanism that
> allows the winbindd parent process to query idmap backends whether they
> require sid lookup prior to sid->unix id mapping. The final 5 patches
> can probably be squashed together - it just seems easier to follow this way.
> 
> Review appreciated,
> Uri.
> 
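The rid-backend case described above, as an added example that is not part of Uri's patch set or of Samba's code: it models the idmap_rid arithmetic (ID = RID - BASE_RID + LOW_RANGE_ID, as documented in the idmap_rid man page) to show why that backend can turn the SIDs in a PAC-derived token into unix IDs with no AD round trip to learn each SID's type. The domain SID, range and session SIDs are constructed values.

```python
# Added example: models Samba's idmap_rid mapping, which needs no SID-type
# lookup because uid and gid numbers come from the same RID offset.
# Config field names below are illustrative, not Samba's own structs.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RidIdmapDomain:
    """Mirrors 'idmap config DOM : backend = rid' plus its range/base_rid."""
    domain_sid: str  # constructed, e.g. S-1-5-21-1-2-3
    low: int         # 'idmap config DOM : range = low-high'
    high: int
    base_rid: int = 0


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-1-2-3-1104' into ('S-1-5-21-1-2-3', 1104)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_unix_id(cfg: RidIdmapDomain, sid: str) -> Optional[int]:
    """Return the unix id for sid, or None if this domain cannot map it.

    Nothing here asks AD whether the SID is a user or a group: the
    number is purely RID - base_rid + low, range-checked.
    """
    dom, rid = split_sid(sid)
    if dom != cfg.domain_sid:
        return None  # foreign or well-known SID: not ours to map
    unix_id = rid - cfg.base_rid + cfg.low
    if not cfg.low <= unix_id <= cfg.high:
        return None  # outside the configured range
    return unix_id


def resolve_session_ids(cfg: RidIdmapDomain,
                        token_sids: List[str]) -> Tuple[Dict[str, int], List[str]]:
    """Map every SID of a session token offline; report what stays unmapped."""
    mapped: Dict[str, int] = {}
    unmapped: List[str] = []
    for sid in token_sids:
        unix_id = sid_to_unix_id(cfg, sid)
        if unix_id is None:
            unmapped.append(sid)
        else:
            mapped[sid] = unix_id
    return mapped, unmapped
```

SIDs that land in `unmapped` (other domains, well-known SIDs, RIDs beyond the range) are exactly the ones that would still need another backend, and possibly an AD lookup, so they are where the offline path can fail.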
