mod_auth_smb.c
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Tue Mar 17 19:04:09 GMT 1998
jason,
i'm taking the liberty of posting this to samba-technical, bcc'ing you on
the reply.
> > > > hi jason,
> > > >
> > > > just found out about your mod_auth_smb system: have we spoken before? i
> > > > would like to write a mod_auth_ntdom system (now!) and also wanted to keep
> > > > in contact with you.
> >
> > do you understand the mod_auth system completely? i want to do a "login"
> > and a "logout", and i want to allocate a per-connection structure. are
> > there any memory allocation caveats?
> >
> I'm not sure I follow here (It's probably my lack of knowlege about how
> samba and NT work). Wouldn't ntdom and smb be the same?
nt domains is some procedure calls implemented as dce/rpc over SMB.
> The way my
> module works is to take a username/password/sharename and attempt to open
> a connection to it. If it is sucessful, then it assumes the password was
> correct and provides access (just like mod_auth). If it fails, it doesn't
> let the user in.
the way that ntdom \PIPE\NETLOGON works is that you take either an
anonymous or username/password connection to IPC$ (an existing open one
will do, and nt workstation often maintains one for exactly this purpose),
opens a dce/rpc pipe named \PIPE\NETLOGON over the SMBtrans on IPC$, and
then issues a NetrSamLogon call over that dce/rpc pipe.
when the user logs out, a NetrSamLogoff is called. there is also an
overhead in establishing a credential chain, which every call is verified
with (making it more secure). [except that there is a bug in the
protocol: the credential chain is secure (man-in-the-middle is not easily
possible), but you can still hack the data in the packet, and leave the
credential chain as-is - in other words, it's not signed...]
> Apache has all kindsa memory functions, but for the most part you can
> ignore them. My module uses their string allocation stuff and a little
> more, but the smblib code is largely unmodified (except that I found a bug
> or two in it ;), and it uses standard malloc. The nice thing about apache
> is that you can force it to kill the child processes after handling so
> many requests (therefore malloc'd memory will get freed).
ok...
so does the code have to be re-entrant?
can i allocate myself a single static smb client connection structure, or
will i have to do one of these on a per-authentication basis?
luke
<a href="mailto:lkcl at samba.anu.edu.au" > Luke Kenneth Casson Leighton </a>
<a href="http://mailhost.cb1.com/~lkcl"> Samba and Network Development </a>
<a href="http://www.samba.co.uk" > Samba and Network Consultancy </a>
More information about the samba-technical
mailing list