[OpenAFS] Re: Samba & aklog
John P Janosik
jpjanosi@us.ibm.com
Thu, 7 Aug 2014 11:09:48 -0400
>
> On Wed, 2014-08-06 at 23:29 -0500, Andrew Deason wrote:
> > However, even if that is working, I would think that setup would only
> > work if samba uses separate processes for connections for different
> > users; I don't know if that's true. You could ask samba for more info
>
> It does; otherwise it'd need to swap uids around between connections,
> which is kinda scary from a security standpoint. In fact I think it may
> be process per connection (client+share) because some shares may force a
> specific Unix uid (`force user`).
With the versions of Samba I have used a new smbd process is forked for
each TCP connection. It has been a long time but I know on some old
Windows Terminal Servers we supported there was only one TCP connection
for all users. Back when we served IBM DFS data via Samba I had to patch
the code in Samba that switched uids to also switch DFS PAGs via a custom
kernel module. I just checked a fairly recent version of the Samba source
(4.1.5) and the code that switches security contexts is still there, see
source3/smbd/sec_ctx.c.
>
> --
> brandon s allbery kf8nh sine nomine associates
> allbery.b@gmail.com ballbery@sinenomine.net
> unix openafs kerberos infrastructure xmonad http://sinenomine.net
John Janosik
jpjanosi@us.ibm.com
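To make the distinction in this reply concrete, here is an added C example (editor's illustration, not Samba's code and not the logic of source3/smbd/sec_ctx.c) contrasting the two identity models the thread discusses: a long-lived privileged process that temporarily takes on a client's uid/gid with seteuid/setegid and can return to root afterwards, as a single-process server must, versus a forked per-connection process that drops to the client permanently with setresuid/setresgid and can be checked to have no way back. The function names, the uid/gid 65534 used as the test identity, and the comment marking where an AFS PAG/token switch would have to happen are assumptions of this example; it targets Linux/glibc and exercises the temporary model only when started as root.

```c
/* Added example: two ways a file server can take on a client's Unix identity.
 * Simplified illustration, not Samba's sec_ctx.c. Linux/glibc assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Model 1: temporary switch inside a long-lived privileged process.
 * Only the effective ids change; the saved set-user-ID stays 0, so the process
 * can (and must) come back to root before serving the next client. Any bug in
 * the code that runs while "switched" can undo the switch just as easily.
 * Returns 0 on success, -1 with errno set on failure. Needs euid 0 (or saved uid 0). */
int become_client_temporarily(uid_t uid, gid_t gid, const gid_t *groups, int ngroups)
{
    /* Regain root first if an earlier switch is still in effect. */
    if (geteuid() != 0 && seteuid(0) != 0)
        return -1;
    /* Privileged calls first, the uid change last: once euid != 0 they would fail. */
    if (setgroups((size_t)ngroups, groups) != 0)
        return -1;
    if (setegid(gid) != 0)
        return -1;
    if (seteuid(uid) != 0)
        return -1;
    /* Hypothetical hook: an AFS-aware server would switch the client's PAG/token here. */
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Undo a temporary switch (Model 1). Works only because the saved uid is still 0. */
int restore_root(void)
{
    if (seteuid(0) != 0)
        return -1;
    if (setegid(0) != 0)
        return -1;
    return 0;
}

/* Model 2: a freshly forked per-connection process drops to the client permanently.
 * setresgid/setresuid set real, effective AND saved ids, so there is no way back.
 * Returns 0 on success, -1 with errno set on failure. */
int become_client_permanently(uid_t uid, gid_t gid, const gid_t *groups, int ngroups)
{
    /* Only a privileged process may change its supplementary groups. */
    if (geteuid() == 0 && setgroups((size_t)ngroups, groups) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    return (getuid() == uid && geteuid() == uid &&
            getgid() == gid && getegid() == gid) ? 0 : -1;
}

/* 1 if root can no longer be regained, 0 otherwise. Note what the probe does:
 * if seteuid(0) succeeds the process IS root again, which is exactly the point. */
int privileges_irrevocable(void)
{
    if (seteuid(0) == 0)
        return 0;
    return (errno == EPERM) ? 1 : 0;
}

/* Drive both models and return 0 if each behaved as expected, else the failing step.
 * Target identity (an assumption of this example): uid/gid 65534 when we start as
 * root, otherwise our own ids, which any process may setresuid() to. The temporary
 * model is only exercised when starting as root, since it needs privilege. */
int demo_run(void)
{
    int root = (geteuid() == 0);
    uid_t uid = root ? (uid_t)65534 : getuid();
    gid_t gid = root ? (gid_t)65534 : getgid();

    if (root) {
        if (become_client_temporarily(uid, gid, NULL, 0) != 0) return 1;
        if (privileges_irrevocable() != 0) return 2;   /* root still reachable, as designed */
        if (restore_root() != 0) return 3;
    }
    if (become_client_permanently(uid, gid, NULL, 0) != 0) return 4;
    if (privileges_irrevocable() != 1) return 5;       /* must be one-way now */
    return 0;
}

int main(void)
{
    int rc = demo_run();
    printf("demo_run: %d (uid=%u euid=%u)\n", rc, (unsigned)getuid(), (unsigned)geteuid());
    return rc;
}
```

The ordering inside each function is the part worth copying: group and gid changes go before the uid change because they need privilege, and after a permanent drop the process should verify with a failing seteuid(0) that it really cannot come back, rather than trusting that the calls succeeded.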