mod_auth_smb.c

Luke Kenneth Casson Leighton lkcl at switchboard.net
Tue Mar 17 19:04:09 GMT 1998 

jason,

i'm taking the liberty of posting this to samba-technical, bcc'ing you on
the reply.

> > > > hi jason,
> > > > 
> > > > just found out about your mod_auth_smb system: have we spoken before?  i
> > > > would like to write a mod_auth_ntdom system (now!) and also wanted to keep
> > > > in contact with you.
> > 
> > do you understand the mod_auth system completely?  i want to do a "login"
> > and a "logout", and i want to allocate a per-connection structure.  are
> > there any memory allocation caveats?
> >  
> I'm not sure I follow here (It's probably my lack of knowlege about how
> samba and NT work).  Wouldn't ntdom and smb be the same?

nt domains is some procedure calls implemented as dce/rpc over SMB.

>  The way my
> module works is to take a username/password/sharename and attempt to open
> a connection to it.  If it is sucessful, then it assumes the password was
> correct and provides access (just like mod_auth).  If it fails, it doesn't
> let the user in.

the way that ntdom \PIPE\NETLOGON works is that you take either an
anonymous or username/password connection to IPC$ (an existing open one
will do, and nt workstation often maintains one for exactly this purpose),
opens a dce/rpc pipe named \PIPE\NETLOGON over the SMBtrans on IPC$, and
then issues a NetrSamLogon call over that dce/rpc pipe.

when the user logs out, a NetrSamLogoff is called.  there is also an
overhead in establishing a credential chain, which every call is verified
with (making it more secure).  [except that there is a bug in the
protocol: the credential chain is secure (man-in-the-middle is not easily
possible), but you can still hack the data in the packet, and leave the
credential chain as-is - in other words, it's not signed...]

> Apache has all kindsa memory functions, but for the most part you can
> ignore them.  My module uses their string allocation stuff and a little
> more, but the smblib code is largely unmodified (except that I found a bug
> or two in it ;), and it uses standard malloc.  The nice thing about apache
> is that you can force it to kill the child processes after handling so
> many requests (therefore malloc'd memory will get freed).

ok...

so does the code have to be re-entrant?

can i allocate myself a single static smb client connection structure, or
will i have to do one of these on a per-authentication basis?

luke

<a href="mailto:lkcl at samba.anu.edu.au" > Luke Kenneth Casson Leighton  </a>
<a href="http://mailhost.cb1.com/~lkcl"> Samba and Network Development </a>
<a href="http://www.samba.co.uk"       > Samba and Network Consultancy </a>

More information about the samba-technical mailing list