AFS/DCE/AIX patches for 1.9.17p2
Murray Barrett
murrayb at ca.ibm.com
Wed Nov 12 20:48:55 GMT 1997
I have had several people contact me about this so I am going to post what I
have.
Unfortunately I have not had the time to continue past the stage of getting things to work, so there are still some things to clean up and I have done very little documentation. I do plan on getting back to it in the few weeks before Christmas, so hopefully I will have a more complete package to offer then.
Off the top of my head, the new features are as follows:
- allows sharing of AFS and DFS file space with same binary
- works with AIX's DCE integrated login (DCE registry)
- can authenticate to another cell using service option "cell name"
"cell name = torolab.ibm.com" for AFS share
"cell name = /.../torolab.ibm.com/" for DFS share
- use of more than one DFS share (only started on this, so it's not working yet)
- other minor things that I can't remember right now
These diffs are context type and apply to 1.9.17p2. I have tried 1.9.17p4 but
it seems
that setuid is now screwing up on AIX and I haven't checked through it yet.
I've run
this on AIX 4.1.5 and just started using AIX 4.2.1.
My thanks to the Samba team!
*** Makefile.orig Fri Sep 26 08:44:18 1997
--- Makefile Mon Sep 29 13:56:40 1997
***************
*** 318,323 ****
--- 318,333 ----
# LIBSM = -lc_r -ldce -lpthreads
# CC = cc_r
+ # This is for AIX 4.1.5 with DCE/DFS
+ # FLAGSM = -DAIX -DDFS_AUTH -DSIGCLD_IGNORE -DNO_SIGNAL_TEST
+ # LIBSM = -lc_r -ldce -lpthreads
+ # CC = xlc_r4
+
+ # This is for AIX 4.1.5 with AFS and DCE/DFS
+ # FLAGSM = -DAIX -DAFS_AUTH -DDFS_AUTH -DSIGCLD_IGNORE -DNO_SIGNAL_TEST
+ # LIBSM = -lc_r -ldce -lpthreads
+ # CC = xlc_r4
+
# This is for BSDI
# contributed by tomh at metrics.com
# versions of BSDI prior to 2.0 may need to add -DUSE_F_FSIZE for
*** ipc.c.orig Fri Sep 26 08:44:19 1997
--- ipc.c Mon Sep 29 13:56:40 1997
***************
*** 1351,1356 ****
--- 1351,1357 ----
return(True);
}
+ extern int global_snum;
/****************************************************************************
set the user password
****************************************************************************/
***************
*** 1362,1367 ****
--- 1363,1370 ----
char *p = skip_string(param+2,2);
fstring user;
fstring pass1,pass2;
+
+ global_snum = SNUM( cnum );
fstrcpy(user,p);
*** loadparm.c.orig Fri Sep 26 08:44:19 1997
--- loadparm.c Mon Sep 29 13:56:40 1997
***************
*** 218,223 ****
--- 218,226 ----
char *szMangledMap;
char *szVetoFiles;
char *szHideFiles;
+ #if defined(AFS_AUTH) || defined(DFS_AUTH)
+ char *szCellname;
+ #endif
char *comment;
char *force_user;
char *force_group;
***************
*** 298,303 ****
--- 301,309 ----
NULL, /* szMangledMap */
NULL, /* szVetoFiles */
NULL, /* szHideFiles */
+ #if defined(AFS_AUTH) || defined(DFS_AUTH)
+ NULL, /* szCellname */
+ #endif
NULL, /* comment */
NULL, /* force user */
NULL, /* force group */
***************
*** 559,564 ****
--- 565,573 ----
{"magic script", P_STRING, P_LOCAL, &sDefault.szMagicScript, NULL},
{"magic output", P_STRING, P_LOCAL, &sDefault.szMagicOutput, NULL},
{"mangled map", P_STRING, P_LOCAL, &sDefault.szMangledMap, NULL},
+ #if defined(AFS_AUTH) || defined(DFS_AUTH)
+ {"cell name", P_STRING, P_LOCAL, &sDefault.szCellname, NULL},
+ #endif
{"delete readonly", P_BOOL, P_LOCAL, &sDefault.bDeleteReadonly, NULL},
{NULL, P_BOOL, P_NONE, NULL, NULL}
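Review bot: The new `cell name` parameter accepts two different formats that the rest of the patch tells apart only by a leading "/.../" (a DCE cell path versus an AFS cell name), and for the DCE case the value is placed directly in front of the user name to form the principal, so the trailing slash is load-bearing; nothing in the table entry says so. A comment on the entry would save the next administrator a failed login, e.g. `/* AFS: "cell.example.com"; DFS: "/.../cell.example.com/" -- the "/.../" prefix selects DCE, and the trailing "/" is required because the principal is built as cell + user */`. Since it is P_LOCAL the cell is chosen per share, which is worth stating too, as the authenticating code reads it through a global share index rather than a per-session value.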
***************
*** 914,919 ****
--- 923,931 ----
FN_LOCAL_STRING(lp_mangled_map,szMangledMap)
FN_LOCAL_STRING(lp_veto_files,szVetoFiles)
FN_LOCAL_STRING(lp_hide_files,szHideFiles)
+ #if defined(AFS_AUTH) || defined(DFS_AUTH)
+ FN_LOCAL_STRING(lp_cellname,szCellname)
+ #endif
FN_LOCAL_BOOL(lp_alternate_permissions,bAlternatePerm)
FN_LOCAL_BOOL(lp_revalidate,bRevalidate)
*** password.c.orig Fri Sep 5 16:53:49 1997
--- password.c Mon Sep 29 13:56:40 1997
***************
*** 27,32 ****
--- 27,33 ----
extern int DEBUGLEVEL;
extern int Protocol;
+ int global_snum;
/* users from session setup */
static pstring session_users="";
***************
*** 495,501 ****
if (ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION+KA_USERAUTH_DOSETPAG,
this_user,
(char *) 0, /* instance */
! (char *) 0, /* cell */
password,
0, /* lifetime, default */
&password_expires, /*days 'til it expires */
--- 496,502 ----
if (ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION+KA_USERAUTH_DOSETPAG,
this_user,
(char *) 0, /* instance */
! lp_cellname( global_snum ), /* cell */
password,
0, /* lifetime, default */
&password_expires, /*days 'til it expires */
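Review bot: The cell argument changes from a literal NULL (local cell) to `lp_cellname(global_snum)`, so a share with no `cell name` set now passes whatever lp_cellname yields for a NULL szCellname — an empty string if lp_string maps NULL to "" in this version, otherwise NULL — and the hunk does not show which; confirm that ka_UserAuthenticateGeneral treats that value as "local cell", or pass NULL explicitly when the option is unset, `cell = (*lp_cellname(global_snum) ? lp_cellname(global_snum) : (char *)0)`. The call also depends on global_snum having been set by the caller for this request; the enclosing afs_auth begins outside the hunk, so a comment on its declaration saying which callers must set it would help.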
***************
*** 502,507 ****
--- 503,510 ----
0, /* spare 2 */
&reason) == 0)
return(True);
+
+ DEBUG(0,("AFS Authentication in cell %s failed with: %s\n", lp_cellname(
global_snum ), reason));
return(False);
}
#endif
***************
*** 524,530 ****
--- 527,538 ----
sec_passwd_rec_t my_dce_password;
sec_login_auth_src_t auth_src = sec_login_auth_src_network;
unsigned char dce_errstr[dce_c_error_string_len];
+ pstring tmp_password, dce_user;
+ /* Make a copy of the password to be trashed by
"sec_login_valid_and_cert_ident" */
+ strcpy( tmp_password, password );
+
+ #ifndef AIX
/*
* We only go for a DCE login context if the given password
* matches that stored in the local password file..
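Review bot: tmp_password keeps a second plaintext copy of the password on the stack, and nothing in the patch clears it; the comment says the DCE call trashes only the copy it is handed, so the caller's buffer is now preserved for the AFS attempt while this one lingers — add `memset(tmp_password, 0, sizeof(tmp_password));` once the DCE calls are finished (dfs_auth continues past the hunk). The copy is an unbounded strcpy into a pstring and the length of password is not bounded anywhere visible, so check `strlen(password) < sizeof(tmp_password)` first or use a bounded copy. Under `#ifndef AIX` the local crypt() cross-check vanishes entirely on AIX, which makes the DCE registry the sole authority on this path; that is a deliberate trust decision and deserves saying in the comment, e.g. `/* AIX: DCE integrated login keeps no local passwd copy to cross-check; the registry is authoritative here */`.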
***************
*** 531,556 ****
* Assumes local passwd file is kept in sync w/ DCE RGY!
*/
! if (!strcmp((char *)crypt(password,this_salt),this_crypted) ||
! dcelogin_atmost_once)
return(False);
! if (sec_login_setup_identity(
! (unsigned char *)this_user,
sec_login_no_flags,
&my_dce_sec_context,
&err) == 0)
! {
! dce_error_inq_text(err, dce_errstr, &err2);
! DEBUG(0,("DCE Setup Identity for %s failed: %s\n",
! this_user,dce_errstr));
! return(False);
}
my_dce_password.version_number = sec_passwd_c_version_none;
my_dce_password.pepper = NULL;
my_dce_password.key.key_type = sec_passwd_plain;
! my_dce_password.key.tagged_union.plain = (idl_char *)password;
if (sec_login_valid_and_cert_ident(my_dce_sec_context,
&my_dce_password,
--- 539,570 ----
* Assumes local passwd file is kept in sync w/ DCE RGY!
*/
! if (strcmp((char *)crypt(password,this_salt),this_crypted))
return(False);
+ #endif
! /* Make up full user name */
! strcpy( dce_user, lp_cellname( global_snum ));
! strcat( dce_user, this_user );
!
! if( !dcelogin_atmost_once ){
! if (sec_login_setup_identity(
! (unsigned char *)dce_user,
sec_login_no_flags,
&my_dce_sec_context,
&err) == 0)
! {
! dce_error_inq_text(err, dce_errstr, &err2);
! DEBUG(0,("DCE Setup Identity for %s failed: %s\n",
! dce_user,dce_errstr));
! return(False);
! }
}
my_dce_password.version_number = sec_passwd_c_version_none;
my_dce_password.pepper = NULL;
my_dce_password.key.key_type = sec_passwd_plain;
! my_dce_password.key.tagged_union.plain = (idl_char *)tmp_password;
if (sec_login_valid_and_cert_ident(my_dce_sec_context,
&my_dce_password,
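Review bot: When dcelogin_atmost_once is already non-zero the new code skips sec_login_setup_identity but still runs sec_login_valid_and_cert_ident with the new password against my_dce_sec_context, which is the context established for the previous principal, not for dce_user; if that call checks the password against the principal the context was set up for (as its name suggests), a later session setup in the same smbd under a different user name would be accepted with the first user's password and rejected with its own, and password_ok would treat the True as authentication of this_user. Until contexts are per connection the pre-patch behaviour (refuse when a context already exists) is the safe one; the rewritten lines are below. `strcpy(dce_user, ...)`/`strcat` also concatenate a config value and the client-supplied this_user into a pstring with no length check, so bound it first, and guard against lp_cellname returning NULL for a share with no `cell name` if lp_string does not map NULL to "" in this version. dfs_auth continues outside the hunk.
```c
  /* … unchanged: AIX-conditional local passwd cross-check … */
  cell = lp_cellname(global_snum);
  if (!cell || strlen(cell) + strlen(this_user) >= sizeof(dce_user))
    return(False);                 /* no cell, or cell + user would not fit */
  strcpy(dce_user, cell);
  strcat(dce_user, this_user);

  /* One login context per smbd: a second identity cannot be validated
   * against the context set up for the first, so refuse it here (as the
   * pre-patch code did) until contexts are kept per connection. */
  if (dcelogin_atmost_once)
    return(False);

  if (sec_login_setup_identity((unsigned char *)dce_user,
                               sec_login_no_flags,
                               &my_dce_sec_context,
                               &err) == 0)
  /* … unchanged: error report, password record, sec_login_valid_and_cert_ident … */
```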
***************
*** 560,566 ****
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0,("DCE Identity Validation failed for principal %s: %s\n",
! this_user,dce_errstr));
return(False);
}
--- 574,580 ----
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0,("DCE Identity Validation failed for principal %s: %s\n",
! dce_user,dce_errstr));
return(False);
}
***************
*** 570,576 ****
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0,("DCE login failed for principal %s, cant set context: %s\n",
! this_user,dce_errstr));
sec_login_purge_context(my_dce_sec_context, &err);
return(False);
}
--- 584,590 ----
{
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0,("DCE login failed for principal %s, cant set context: %s\n",
! dce_user,dce_errstr));
sec_login_purge_context(my_dce_sec_context, &err);
return(False);
}
***************
*** 577,586 ****
else
{
DEBUG(0,("DCE login succeeded for principal %s on pid %d\n",
! this_user, getpid()));
}
! dcelogin_atmost_once = 1;
return (True);
}
--- 591,600 ----
else
{
DEBUG(0,("DCE login succeeded for principal %s on pid %d\n",
! dce_user, getpid()));
}
! dcelogin_atmost_once++;
return (True);
}
***************
*** 590,602 ****
int err2;
unsigned char dce_errstr[dce_c_error_string_len];
! sec_login_purge_context(my_dce_sec_context, &err);
! if (err != error_status_ok )
! {
! dce_error_inq_text(err, dce_errstr, &err2);
! DEBUG(0,("DCE purge login context failed for server instance %d: %s\n",
! getpid(), dce_errstr));
! }
}
#endif
--- 604,618 ----
int err2;
unsigned char dce_errstr[dce_c_error_string_len];
! if ( dcelogin_atmost_once == 1 )
! sec_login_purge_context(my_dce_sec_context, &err);
! if (err != error_status_ok )
! {
! dce_error_inq_text(err, dce_errstr, &err2);
! DEBUG(0,("DCE purge login context failed for server instance %d:
%s\n",
! getpid(), dce_errstr));
! }
! dcelogin_atmost_once--;
}
#endif
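Review bot: err is now assigned only when dcelogin_atmost_once == 1, but the `if (err != error_status_ok)` test runs on every call, so any other call reads an unset local (err is declared above the hunk and the purge call is its only visible assignment) and may log a garbage error string. Either move the test under the same `if` or initialise the variable at its declaration, `err = error_status_ok;` before the check. The `dcelogin_atmost_once--` also relies on every caller testing the counter first, as close_cnum does; a guard inside this function, `if (dcelogin_atmost_once > 0) dcelogin_atmost_once--;`, keeps a future caller from driving it negative, which would make the `== 1` purge condition unreachable.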
***************
*** 775,780 ****
--- 791,805 ----
return (pam_auth(this_user,password));
#endif
+ #if (defined(AFS_AUTH) && defined(DFS_AUTH))
+ if( lp_security() == SEC_USER )
+ return( afs_auth( this_user, password ) | dfs_auth( this_user, password )
);
+ if (strncmp( lp_cellname( global_snum ), "/.../", 5 ))
+ return( afs_auth( this_user, password ) );
+ else
+ return( dfs_auth( this_user, password ) );
+ #endif
+
#ifdef AFS_AUTH
if (afs_auth(this_user,password)) return(True);
#endif
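Review bot: `afs_auth(...) | dfs_auth(...)` is a bitwise OR, so both authenticators always run and each one's side effects (the AFS PAG, the DCE context and the dcelogin_atmost_once increment) happen even when the other already succeeded; if that is intended to obtain both credentials, say so in a comment, otherwise `||` short-circuits and avoids a DCE login on an AFS-only password. With both macros defined the early returns make the `#ifdef AFS_AUTH` / `#ifdef DFS_AUTH` blocks that follow unreachable, so they should be dropped or folded into this one. The cell is read from lp_cellname(global_snum), and in security=user password_ok is reached from session setup before any share has been chosen; unless that path sets global_snum as well (not visible here), the cell used is whichever share the global last pointed at, or share 0 on a fresh smbd. password_ok continues outside the hunk.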
***************
*** 1151,1156 ****
--- 1176,1182 ----
****************************************************************************/
static char *validate_group(char *group,char *password,int pwlen,int snum)
{
+ global_snum = snum;
#ifdef NETGROUP
{
char *host, *user, *domain;
***************
*** 1220,1225 ****
--- 1246,1252 ----
BOOL ok = False;
*guest = False;
+ global_snum = snum;
#if DEBUG_PASSWORD
DEBUG(100,("checking authorisation on user=%s pass=%s\n",user,password));
*** proto.h.orig Fri Sep 26 08:44:19 1997
--- proto.h Mon Sep 29 13:56:40 1997
***************
*** 223,228 ****
--- 223,229 ----
char *lp_mangled_map(int );
char *lp_veto_files(int );
char *lp_hide_files(int );
+ char *lp_cellname(int );
BOOL lp_alternate_permissions(int );
BOOL lp_revalidate(int );
BOOL lp_casesensitive(int );
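Review bot: `lp_cellname` is declared here unconditionally while loadparm.c defines it only under `#if defined(AFS_AUTH) || defined(DFS_AUTH)`, so a build without either flag carries a prototype for a function that does not exist. Wrap the declaration in the same conditional, or define the accessor unconditionally in loadparm.c, which is simpler and costs nothing.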
*** server.c.orig Fri Sep 26 08:44:20 1997
--- server.c Mon Sep 29 13:56:41 1997
***************
*** 3223,3228 ****
--- 3223,3233 ----
unbecome_user();
}
+ #ifdef DFS_AUTH
+ if (dcelogin_atmost_once)
+ dfs_unlogin();
+ #endif
+
unbecome_user();
/* execute any "root postexec = " line */
if (*lp_rootpostexec(SNUM(cnum)))
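Review bot: dfs_unlogin() is now run from close_cnum for any connection being closed, but dcelogin_atmost_once counts successful dfs_auth logins, not open connections, so closing a connection that was not authenticated through DCE (local passwd fallback, guest, or an AFS-only share) still decrements the counter and can purge the context a still-open DCE connection depends on. Record whether this cnum obtained the context (a flag on Connections[cnum] set where dfs_auth returns True) and call dfs_unlogin only for those, or leave the purge in exit_server as before, which covers every connection on the way out. close_cnum begins outside the hunk.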
***************
*** 3484,3493 ****
for (i=0;i<MAX_CONNECTIONS;i++)
if (Connections[i].open)
close_cnum(i,(uint16)-1);
- #ifdef DFS_AUTH
- if (dcelogin_atmost_once)
- dfs_unlogin();
- #endif
if (!reason) {
int oldlevel = DEBUGLEVEL;
DEBUGLEVEL = 10;
--- 3489,3494 ----
Murray R. Barrett, IBM Toronto Lab, Development Distributed Services
Phone: (416) 448-6054 - Tieline: 778-6054
Lotus Notes mail: Murray Barrett/Toronto/IBM at IBMCA
IBM internal: murrayb at ibmca - Internet: murrayb at ca.ibm.com