[OpenAFS] Re: Samba & aklog

John P Janosik jpjanosi@us.ibm.com
Thu, 7 Aug 2014 11:09:48 -0400



> 
> On Wed, 2014-08-06 at 23:29 -0500, Andrew Deason wrote:
> > However, even if that is working, I would think that setup would only
> > work if samba uses separate processes for connections for different
> > users; I don't know if that's true. You could ask samba for more info
> 
> It does; otherwise it'd need to swap uids around between connections,
> which is kinda scary from a security standpoint. In fact I think it may
> be process per connection (client+share) because some shares may force a
> specific Unix uid (`force user`).


With the versions of Samba I have used a new smbd process is forked for 
each TCP connection.  It has been a long time but I know on some old 
Windows Terminal Servers we supported there was only one TCP connection 
for all users.  Back when we served IBM DFS data via Samba I had to patch 
the code in Samba that switched uids to also switch DFS PAGs via a custom 
kernel module.  I just checked a fairly recent version of the Samba source 
(4.1.5) and the code that switches security contexts is still there, see 
source3/smbd/sec_ctx.c.

> 
> -- 
> brandon s allbery kf8nh                           sine nomine associates
> allbery.b@gmail.com                              ballbery@sinenomine.net
> unix openafs kerberos infrastructure xmonad        http://sinenomine.net


John Janosik
jpjanosi@us.ibm.com
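The thread turns on whether each SMB client connection really gets its own smbd process (so that a per-process credential such as an AFS PAG or Kerberos cache stays bound to one user). The script below is an added example, not code from the thread or from Samba: it parses the output of `ss -tnp` on the file server and reports any smbd PID that is serving more than one established connection to port 445, which is exactly the situation where a per-process token would be shared between users. The sample lines are constructed for the example; the `users:(("smbd",pid=N,fd=M))` column layout and the port number 445 are assumptions about the host it is run on.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of `ss -tnp` output (not captured from a real host).
# PID 1234 serves one client, PID 1235 is deliberately shown serving two,
# and the sshd line is there to be ignored.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB  0      0      10.0.0.5:445        10.0.0.20:51234     users:(("smbd",pid=1234,fd=34))
ESTAB  0      0      10.0.0.5:445        10.0.0.21:49822     users:(("smbd",pid=1235,fd=34))
ESTAB  0      0      10.0.0.5:445        10.0.0.22:50011     users:(("smbd",pid=1235,fd=35))
ESTAB  0      0      10.0.0.5:22         10.0.0.9:40000      users:(("sshd",pid=900,fd=5))
"""

# One established connection per line; only the first process entry in the
# "users:(...)" column is read (a socket shared by several processes would
# list more than one, which this simple pattern does not handle).
LINE_RE = re.compile(
    r'^ESTAB\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)'
)


def parse_smb_connections(ss_output, smb_port=445):
    """Return [(peer, pid), ...] for established connections whose local
    port is smb_port and whose owning process is named smbd."""
    conns = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a socket with no process info
        local_port = int(m.group("local").rsplit(":", 1)[1])
        if local_port != smb_port or m.group("proc") != "smbd":
            continue
        conns.append((m.group("peer"), int(m.group("pid"))))
    return conns


def shared_smbd_processes(conns):
    """Group connections by smbd PID and keep only PIDs that serve more
    than one client connection, i.e. where one process (and therefore one
    set of process-bound credentials) is shared between connections."""
    by_pid = defaultdict(list)
    for peer, pid in conns:
        by_pid[pid].append(peer)
    return {pid: peers for pid, peers in by_pid.items() if len(peers) > 1}


def check_one_process_per_connection(ss_output, smb_port=445):
    """Convenience wrapper: (number of smbd connections, {pid: [peers]})."""
    conns = parse_smb_connections(ss_output, smb_port)
    return len(conns), shared_smbd_processes(conns)


if __name__ == "__main__":
    # Usage on a server:  ss -tnp | python3 smbd_per_conn.py
    # With no stdin data the constructed sample above is used instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    total, shared = check_one_process_per_connection(data)
    print(f"{total} smbd connection(s) on port 445")
    if not shared:
        print("OK: every connection is served by its own smbd process")
    for pid, peers in shared.items():
        print(f"WARNING: smbd pid {pid} serves {len(peers)} connections: "
              + ", ".join(peers))
```

On the constructed sample the script reports three smbd connections and warns about PID 1235; on a real host an empty warning list confirms the one-process-per-connection model the thread describes, while a non-empty list is the case (for example a terminal server multiplexing many users over one TCP connection) where per-process credentials such as a PAG cannot be relied on to separate users.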